* [PATCH] Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop
@ 2026-03-19 15:15 Hyunwoo Kim
2026-03-19 16:40 ` bluez.test.bot
2026-03-19 17:32 ` [PATCH] " Luiz Augusto von Dentz
0 siblings, 2 replies; 4+ messages in thread
From: Hyunwoo Kim @ 2026-03-19 15:15 UTC (permalink / raw)
To: marcel, johan.hedberg, luiz.dentz; +Cc: linux-bluetooth, imv4bel
l2cap_config_req() accepts CONFIG_REQ when the channel is already in
BT_CONNECTED state. This causes l2cap_ertm_init() to be called a
second time, re-initializing tx_q, srej_q, srej_list, and
retrans_list without freeing the previous allocations, and setting
chan->sdu to NULL without freeing the existing skb. This leaks all
previously allocated ERTM resources.
Additionally, l2cap_parse_conf_req() does not validate the minimum
value of remote_mps derived from the RFC max_pdu_size option. A zero
value propagates to l2cap_segment_sdu() where pdu_len becomes zero,
causing the while loop to never terminate since len is never
decremented, exhausting all available memory.
Fix by removing BT_CONNECTED from the allowed states in
l2cap_config_req() and adding a pdu_len zero check in
l2cap_segment_sdu() as a safeguard.
Fixes: 96298f640104 ("Bluetooth: L2CAP: handle l2cap config request during open state")
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
---
net/bluetooth/l2cap_core.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index ad98db9632fd..a6ce09781083 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -2381,6 +2381,9 @@ static int l2cap_segment_sdu(struct l2cap_chan *chan,
/* Remote device may have requested smaller PDUs */
pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
+ if (!pdu_len)
+ return -EINVAL;
+
if (len <= pdu_len) {
sar = L2CAP_SAR_UNSEGMENTED;
sdu_len = 0;
@@ -4267,8 +4270,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn,
return 0;
}
- if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2 &&
- chan->state != BT_CONNECTED) {
+ if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
chan->dcid);
goto unlock;
--
2.43.0
^ permalink raw reply related [flat|nested] 4+ messages in thread* RE: Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop
2026-03-19 15:15 [PATCH] Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop Hyunwoo Kim
@ 2026-03-19 16:40 ` bluez.test.bot
2026-03-19 17:32 ` [PATCH] " Luiz Augusto von Dentz
1 sibling, 0 replies; 4+ messages in thread
From: bluez.test.bot @ 2026-03-19 16:40 UTC (permalink / raw)
To: linux-bluetooth, imv4bel
[-- Attachment #1: Type: text/plain, Size: 2833 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1069346
---Test result---
Test Summary:
CheckPatch PENDING 0.67 seconds
GitLint PENDING 0.50 seconds
SubjectPrefix PASS 0.05 seconds
BuildKernel PASS 26.37 seconds
CheckAllWarning PASS 28.52 seconds
CheckSparse PASS 27.38 seconds
BuildKernel32 PASS 25.35 seconds
TestRunnerSetup PASS 564.19 seconds
TestRunner_l2cap-tester PASS 27.33 seconds
TestRunner_iso-tester FAIL 29.99 seconds
TestRunner_bnep-tester PASS 6.30 seconds
TestRunner_mgmt-tester FAIL 112.94 seconds
TestRunner_rfcomm-tester PASS 9.29 seconds
TestRunner_sco-tester FAIL 14.23 seconds
TestRunner_ioctl-tester PASS 13.73 seconds
TestRunner_mesh-tester FAIL 11.48 seconds
TestRunner_smp-tester PASS 8.37 seconds
TestRunner_userchan-tester PASS 6.66 seconds
IncrementalBuild PENDING 0.70 seconds
Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:
##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:
##############################
Test: TestRunner_iso-tester - FAIL
Desc: Run iso-tester with test-runner
Output:
BUG: KASAN: slab-use-after-free in le_read_features_complete+0x7e/0x2b0
Total: 141, Passed: 141 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4
Failed Test Cases
Read Exp Feature - Success Failed 0.105 seconds
##############################
Test: TestRunner_sco-tester - FAIL
Desc: Run sco-tester with test-runner
Output:
WARNING: possible circular locking dependency detected
BUG: sleeping function called from invalid context at net/core/sock.c:3782
Total: 30, Passed: 30 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0
Failed Test Cases
Mesh - Send cancel - 1 Timed out 1.938 seconds
Mesh - Send cancel - 2 Timed out 1.995 seconds
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:
---
Regards,
Linux Bluetooth
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop
2026-03-19 15:15 [PATCH] Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop Hyunwoo Kim
2026-03-19 16:40 ` bluez.test.bot
@ 2026-03-19 17:32 ` Luiz Augusto von Dentz
2026-03-19 18:18 ` Luiz Augusto von Dentz
1 sibling, 1 reply; 4+ messages in thread
From: Luiz Augusto von Dentz @ 2026-03-19 17:32 UTC (permalink / raw)
To: Hyunwoo Kim; +Cc: marcel, johan.hedberg, linux-bluetooth
Hi Hyunwoo,
On Thu, Mar 19, 2026 at 11:15 AM Hyunwoo Kim <imv4bel@gmail.com> wrote:
>
> l2cap_config_req() accepts CONFIG_REQ when the channel is already in
> BT_CONNECTED state. This causes l2cap_ertm_init() to be called a
> second time, re-initializing tx_q, srej_q, srej_list, and
> retrans_list without freeing the previous allocations, and setting
> chan->sdu to NULL without freeing the existing skb. This leaks all
> previously allocated ERTM resources.
>
> Additionally, l2cap_parse_conf_req() does not validate the minimum
> value of remote_mps derived from the RFC max_pdu_size option. A zero
> value propagates to l2cap_segment_sdu() where pdu_len becomes zero,
> causing the while loop to never terminate since len is never
> decremented, exhausting all available memory.
>
> Fix by removing BT_CONNECTED from the allowed states in
> l2cap_config_req() and adding a pdu_len zero check in
> l2cap_segment_sdu() as a safeguard.
This part is not clerarm it should be allowed to change the MTU while connected.
> Fixes: 96298f640104 ("Bluetooth: L2CAP: handle l2cap config request during open state")
> Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
> ---
> net/bluetooth/l2cap_core.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
> index ad98db9632fd..a6ce09781083 100644
> --- a/net/bluetooth/l2cap_core.c
> +++ b/net/bluetooth/l2cap_core.c
> @@ -2381,6 +2381,9 @@ static int l2cap_segment_sdu(struct l2cap_chan *chan,
> /* Remote device may have requested smaller PDUs */
> pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
>
> + if (!pdu_len)
> + return -EINVAL;
> +
> if (len <= pdu_len) {
> sar = L2CAP_SAR_UNSEGMENTED;
> sdu_len = 0;
> @@ -4267,8 +4270,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn,
> return 0;
> }
>
> - if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2 &&
> - chan->state != BT_CONNECTED) {
> + if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
> cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
> chan->dcid);
> goto unlock;
> --
> 2.43.0
>
--
Luiz Augusto von Dentz
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [PATCH] Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop
2026-03-19 17:32 ` [PATCH] " Luiz Augusto von Dentz
@ 2026-03-19 18:18 ` Luiz Augusto von Dentz
0 siblings, 0 replies; 4+ messages in thread
From: Luiz Augusto von Dentz @ 2026-03-19 18:18 UTC (permalink / raw)
To: Hyunwoo Kim; +Cc: marcel, johan.hedberg, linux-bluetooth
Hi Hyunwoo,
On Thu, Mar 19, 2026 at 1:32 PM Luiz Augusto von Dentz
<luiz.dentz@gmail.com> wrote:
>
> Hi Hyunwoo,
>
> On Thu, Mar 19, 2026 at 11:15 AM Hyunwoo Kim <imv4bel@gmail.com> wrote:
> >
> > l2cap_config_req() accepts CONFIG_REQ when the channel is already in
> > BT_CONNECTED state. This causes l2cap_ertm_init() to be called a
> > second time, re-initializing tx_q, srej_q, srej_list, and
> > retrans_list without freeing the previous allocations, and setting
> > chan->sdu to NULL without freeing the existing skb. This leaks all
> > previously allocated ERTM resources.
> >
> > Additionally, l2cap_parse_conf_req() does not validate the minimum
> > value of remote_mps derived from the RFC max_pdu_size option. A zero
> > value propagates to l2cap_segment_sdu() where pdu_len becomes zero,
> > causing the while loop to never terminate since len is never
> > decremented, exhausting all available memory.
> >
> > Fix by removing BT_CONNECTED from the allowed states in
> > l2cap_config_req() and adding a pdu_len zero check in
> > l2cap_segment_sdu() as a safeguard.
>
> This part is not clerarm it should be allowed to change the MTU while connected.
Looks like AI agree with me (Second point, first point is probably not
possible):
https://sashiko.dev/#/patchset/abwTCkavRurEcEGO%40v4bel
>
> > Fixes: 96298f640104 ("Bluetooth: L2CAP: handle l2cap config request during open state")
> > Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
> > ---
> > net/bluetooth/l2cap_core.c | 6 ++++--
> > 1 file changed, 4 insertions(+), 2 deletions(-)
> >
> > diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
> > index ad98db9632fd..a6ce09781083 100644
> > --- a/net/bluetooth/l2cap_core.c
> > +++ b/net/bluetooth/l2cap_core.c
> > @@ -2381,6 +2381,9 @@ static int l2cap_segment_sdu(struct l2cap_chan *chan,
> > /* Remote device may have requested smaller PDUs */
> > pdu_len = min_t(size_t, pdu_len, chan->remote_mps);
> >
> > + if (!pdu_len)
> > + return -EINVAL;
> > +
> > if (len <= pdu_len) {
> > sar = L2CAP_SAR_UNSEGMENTED;
> > sdu_len = 0;
> > @@ -4267,8 +4270,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn,
> > return 0;
> > }
> >
> > - if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2 &&
> > - chan->state != BT_CONNECTED) {
> > + if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
> > cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
> > chan->dcid);
> > goto unlock;
> > --
> > 2.43.0
> >
>
>
> --
> Luiz Augusto von Dentz
--
Luiz Augusto von Dentz
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-03-19 18:18 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-19 15:15 [PATCH] Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop Hyunwoo Kim
2026-03-19 16:40 ` bluez.test.bot
2026-03-19 17:32 ` [PATCH] " Luiz Augusto von Dentz
2026-03-19 18:18 ` Luiz Augusto von Dentz
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.