* [PATCH] Bluetooth: L2CAP: ecred_reconfigure: send packed pdu, not stack pointer
@ 2026-05-11 12:26 Michael Bommarito
From: Michael Bommarito @ 2026-05-11 12:26 UTC (permalink / raw)
To: Marcel Holtmann, Luiz Augusto von Dentz, Johan Hedberg,
linux-bluetooth
Cc: Gustavo A. R. Silva, stable, linux-kernel
Commit 1c08108f3014 ("Bluetooth: L2CAP: Avoid -Wflex-array-member-not-at-end
warnings") converted the on-stack request PDU in l2cap_ecred_reconfigure()
from an explicit packed struct to DEFINE_RAW_FLEX(), but did not adjust the
size and source-pointer arguments to l2cap_send_cmd():
- struct {
- struct l2cap_ecred_reconf_req req;
- __le16 scid;
- } pdu;
+ DEFINE_RAW_FLEX(struct l2cap_ecred_reconf_req, pdu, scid, 1);
...
l2cap_send_cmd(conn, chan->ident, L2CAP_ECRED_RECONF_REQ,
sizeof(pdu), &pdu);
After the conversion, DEFINE_RAW_FLEX() expands to declare an anonymous
union pdu_u plus a local pointer "pdu" pointing at it. Therefore:
- sizeof(pdu) is now sizeof(struct l2cap_ecred_reconf_req *) = 8 on
64-bit (4 on 32-bit), not the 6 bytes of (mtu, mps, scid[1]).
- &pdu is the address of the local pointer's stack storage, not the
address of the request payload.
l2cap_send_cmd() forwards (data, count) to l2cap_build_cmd(), which calls
skb_put_data(skb, data, count). The L2CAP_ECRED_RECONFIGURE_REQ packet
body therefore contains 8 bytes copied from the kernel stack starting at
&pdu -- the 8 bytes overlap the pdu pointer's value, leaking a kernel
stack address to the paired Bluetooth peer. The intended (mtu, mps, scid)
fields are not transmitted at all, so the peer rejects the request as
malformed and the L2CAP_ECRED_RECONFIGURE feature itself has been broken
for the local-side initiator since the introducing commit landed.
The sibling site l2cap_ecred_conn_req() in the same commit was converted
correctly (sizeof(*pdu) + len, pdu); only this site was missed.
Restore the original semantics: pass the full flex-struct size via
struct_size(pdu, scid, 1) and the pdu pointer (the struct address) as
the source.
Validated on a stock 7.0-based host kernel via the real call path:
setsockopt(SOL_BLUETOOTH, BT_RCVMTU, ...) on a BT_CONNECTED
L2CAP_MODE_EXT_FLOWCTL socket emits an L2CAP_ECRED_RECONFIGURE_REQ
whose body is 8 bytes (the on-stack pdu local's value) rather than
the expected 6. Three captures from fresh socket / fresh hciemu peer
on the same host -- low bytes vary per call, high 0xffff confirms a
kernel virtual address (KASLR-randomised stack slot, not a fixed
string):
RECONF_REQ body (ident=0x02 len=8): 42 fb 54 af 0e ca ff ff
RECONF_REQ body (ident=0x02 len=8): 52 3d 2e af 0e ca ff ff
RECONF_REQ body (ident=0x02 len=8): b2 fc 5b af 0e ca ff ff
After this patch the body is 6 bytes carrying the expected
little-endian (mtu, mps, scid).
Cc: stable@vger.kernel.org
Fixes: 1c08108f3014 ("Bluetooth: L2CAP: Avoid -Wflex-array-member-not-at-end warnings")
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
---
net/bluetooth/l2cap_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 77dec104a9c3..4773a453b145 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -7282,7 +7282,7 @@ static void l2cap_ecred_reconfigure(struct l2cap_chan *chan)
chan->ident = l2cap_get_ident(conn);
l2cap_send_cmd(conn, chan->ident, L2CAP_ECRED_RECONF_REQ,
- sizeof(pdu), &pdu);
+ struct_size(pdu, scid, 1), pdu);
}
int l2cap_chan_reconfigure(struct l2cap_chan *chan, __u16 mtu)
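Review bot: the replacement arguments match what DEFINE_RAW_FLEX() actually declares, so this is the right fix: `pdu` is a pointer to the union-backed request, `struct_size(pdu, scid, 1)` is the 6-byte (mtu, mps, scid[1]) length, and passing `pdu` instead of `&pdu` makes the request payload, not the pointer's own stack slot, the copy source. One consistency point: the commit message notes that the sibling site l2cap_ecred_conn_req() was converted as `sizeof(*pdu) + len, pdu`; struct_size() is the better form here since it is overflow-checked, and a follow-up could bring the other site in line so both call shapes read the same. Since `sizeof(name), &name` on a DEFINE_RAW_FLEX() local compiles cleanly and only shows up on the wire, it would also be worth grepping the remaining DEFINE_RAW_FLEX() users in l2cap_core.c for the same shape before this lands in stable.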
--
2.53.0
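The size and source mix-up the commit message describes, as an added userspace C illustration that is not part of the patch or the kernel: DEFINE_RAW_FLEX() is approximated with a union plus a local pointer (the kernel's own macro differs in detail), struct_size() with a simplified macro, and `struct reconf_req` is a constructed stand-in for l2cap_ecred_reconf_req.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for l2cap_ecred_reconf_req: u16 mtu, u16 mps, flex scid[]. */
struct reconf_req {
    uint16_t mtu;
    uint16_t mps;
    uint16_t scid[];
} __attribute__((packed));
/* Userspace approximation of DEFINE_RAW_FLEX(): a union sized for the header
 * plus COUNT flex elements, and a local pointer NAME to it. NAME is a pointer,
 * so sizeof(NAME) and &NAME describe the pointer variable, not the request. */
#define DEFINE_RAW_FLEX_LIKE(TYPE, NAME, MEMBER, COUNT)                         \
    union {                                                                     \
        uint8_t raw[sizeof(TYPE) + sizeof(((TYPE *)0)->MEMBER[0]) * (COUNT)];   \
        TYPE obj;                                                               \
    } NAME##_u = {{0}};                                                         \
    TYPE *NAME = &NAME##_u.obj
/* Simplified struct_size(): header plus COUNT flex elements, no overflow check. */
#define STRUCT_SIZE_LIKE(PTR, MEMBER, COUNT) \
    (sizeof(*(PTR)) + sizeof((PTR)->MEMBER[0]) * (COUNT))
/* Pre-patch call shape: length sizeof(pdu), source &pdu. What gets copied is
 * the pointer's own stack slot (a kernel address in the real code). */
size_t build_body_buggy(uint8_t *out, size_t cap, uint16_t mtu, uint16_t mps, uint16_t scid)
{
    DEFINE_RAW_FLEX_LIKE(struct reconf_req, pdu, scid, 1);
    pdu->mtu = mtu; pdu->mps = mps; pdu->scid[0] = scid;
    size_t n = sizeof(pdu);              /* 8 on 64-bit, 4 on 32-bit */
    if (n > cap) return 0;
    memcpy(out, &pdu, n);                /* copies the pointer value */
    return n;
}
/* Patched call shape: length struct_size(pdu, scid, 1), source pdu. */
size_t build_body_fixed(uint8_t *out, size_t cap, uint16_t mtu, uint16_t mps, uint16_t scid)
{
    DEFINE_RAW_FLEX_LIKE(struct reconf_req, pdu, scid, 1);
    pdu->mtu = mtu; pdu->mps = mps; pdu->scid[0] = scid;
    size_t n = STRUCT_SIZE_LIKE(pdu, scid, 1);  /* 2 + 2 + 2 = 6 */
    if (n > cap) return 0;
    memcpy(out, pdu, n);
    return n;
}
int main(void)
{
    uint8_t body[16];
    printf("buggy body: %zu bytes\n", build_body_buggy(body, sizeof body, 672, 251, 0x40));
    printf("fixed body: %zu bytes\n", build_body_fixed(body, sizeof body, 672, 251, 0x40));
    return 0;
}
```

On a 64-bit host the buggy variant emits 8 bytes that are nothing but the local pointer, matching the len=8 captures above; the fixed variant emits the 6-byte (mtu, mps, scid) body.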
* RE: Bluetooth: L2CAP: ecred_reconfigure: send packed pdu, not stack pointer
From: bluez.test.bot @ 2026-05-11 14:24 UTC (permalink / raw)
To: linux-bluetooth, michael.bommarito
This is an automated email; please do not reply to it!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1092764
---Test result---
Test Summary:
CheckPatch FAIL 0.59 seconds
GitLint PASS 0.23 seconds
SubjectPrefix PASS 0.08 seconds
BuildKernel PASS 25.17 seconds
CheckAllWarning PASS 27.71 seconds
CheckSparse PASS 26.40 seconds
BuildKernel32 PASS 24.56 seconds
TestRunnerSetup PASS 525.11 seconds
TestRunner_l2cap-tester PASS 378.39 seconds
IncrementalBuild PASS 24.25 seconds
Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
Bluetooth: L2CAP: ecred_reconfigure: send packed pdu, not stack pointer
WARNING: Prefer a maximum 75 chars per line (possible unwrapped commit description?)
#104:
Commit 1c08108f3014 ("Bluetooth: L2CAP: Avoid -Wflex-array-member-not-at-end
total: 0 errors, 1 warnings, 0 checks, 8 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
/github/workspace/src/patch/14565486.patch has style problems, please review.
NOTE: Ignored message types: UNKNOWN_COMMIT_ID
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
https://github.com/bluez/bluetooth-next/pull/165
---
Regards,
Linux Bluetooth
* Re: [PATCH] Bluetooth: L2CAP: ecred_reconfigure: send packed pdu, not stack pointer
From: patchwork-bot+bluetooth @ 2026-05-11 16:30 UTC (permalink / raw)
To: Michael Bommarito
Cc: marcel, luiz.dentz, johan.hedberg, linux-bluetooth, gustavoars,
stable, linux-kernel
Hello:
This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Mon, 11 May 2026 08:26:41 -0400 you wrote:
> Commit 1c08108f3014 ("Bluetooth: L2CAP: Avoid -Wflex-array-member-not-at-end
> warnings") converted the on-stack request PDU in l2cap_ecred_reconfigure()
> from an explicit packed struct to DEFINE_RAW_FLEX(), but did not adjust the
> size and source-pointer arguments to l2cap_send_cmd():
>
> - struct {
> - struct l2cap_ecred_reconf_req req;
> - __le16 scid;
> - } pdu;
> + DEFINE_RAW_FLEX(struct l2cap_ecred_reconf_req, pdu, scid, 1);
> ...
> l2cap_send_cmd(conn, chan->ident, L2CAP_ECRED_RECONF_REQ,
> sizeof(pdu), &pdu);
>
> [...]
Here is the summary with links:
- Bluetooth: L2CAP: ecred_reconfigure: send packed pdu, not stack pointer
https://git.kernel.org/bluetooth/bluetooth-next/c/82b794a4b4df
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html