* [PATCH v4] Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp
@ 2026-05-26 15:26 Luiz Augusto von Dentz
2026-05-26 17:50 ` patchwork-bot+bluetooth
2026-05-26 18:07 ` [v4] " bluez.test.bot
0 siblings, 2 replies; 3+ messages in thread
From: Luiz Augusto von Dentz @ 2026-05-26 15:26 UTC (permalink / raw)
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
If dcid is received for an already-assigned destination CID the spec
requires that both channels be discarded, but calling l2cap_chan_del
may invalidate the tmp cursor created by list_for_each_entry_safe and
in fact it is the wrong procedure: as the chan->dcid may have been
assigned previously, it really needs to be disconnected.

Calling l2cap_chan_close directly may still lead to l2cap_chan_del so
instead schedule l2cap_chan_timeout with delay 0 to close the channel
asynchronously.
Fixes: 15f02b910562 ("Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
net/bluetooth/l2cap_core.c | 27 ++++++++++++++++++++++-----
1 file changed, 22 insertions(+), 5 deletions(-)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 5668c92b3f58..74a82a547cca 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -5262,6 +5262,7 @@ static inline int l2cap_ecred_conn_rsp(struct l2cap_conn *conn,
cmd_len -= sizeof(*rsp);
list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
+ struct l2cap_chan *orig;
u16 dcid;
if (chan->ident != cmd->ident ||
@@ -5283,8 +5284,10 @@ static inline int l2cap_ecred_conn_rsp(struct l2cap_conn *conn,
BT_DBG("dcid[%d] 0x%4.4x", i, dcid);
+ orig = __l2cap_get_chan_by_dcid(conn, dcid);
+
/* Check if dcid is already in use */
- if (dcid && __l2cap_get_chan_by_dcid(conn, dcid)) {
+ if (dcid && orig) {
/* If a device receives a
* L2CAP_CREDIT_BASED_CONNECTION_RSP packet with an
* already-assigned Destination CID, then both the
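Review bot: the lookup `orig = __l2cap_get_chan_by_dcid(conn, dcid);` now runs unconditionally, whereas the removed condition `dcid && __l2cap_get_chan_by_dcid(conn, dcid)` short-circuited when dcid was 0; the result is only consumed under `if (dcid && orig)`, so for a response carrying dcid 0 the lookup is wasted work and whatever channel it happens to match (one whose dcid is still unassigned) is silently ignored. Consider `orig = dcid ? __l2cap_get_chan_by_dcid(conn, dcid) : NULL;` to keep the short-circuit and make it explicit that orig is meaningless without a non-zero dcid.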
@@ -5293,10 +5296,24 @@ static inline int l2cap_ecred_conn_rsp(struct l2cap_conn *conn,
*/
l2cap_chan_del(chan, ECONNREFUSED);
l2cap_chan_unlock(chan);
- chan = __l2cap_get_chan_by_dcid(conn, dcid);
- l2cap_chan_lock(chan);
- l2cap_chan_del(chan, ECONNRESET);
- l2cap_chan_unlock(chan);
+
+ /* Check that the dcid channel mode is
+ * L2CAP_MODE_EXT_FLOWCTL since this procedure is only
+ * valid for that mode and shouldn't disconnect a dcid
+ * in other modes.
+ */
+ if (orig->mode == L2CAP_MODE_EXT_FLOWCTL) {
+ l2cap_chan_lock(orig);
+ /* Disconnect the original channel as it may be
+ * considered connected since dcid has already
+ * been assigned; don't call l2cap_chan_close
+ * directly since that could lead to
+ * l2cap_chan_del and then removing the channel
+ * from the list while we're iterating over it.
+ */
+ __set_chan_timer(orig, 0);
+ l2cap_chan_unlock(orig);
+ }
continue;
}
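Review bot: two behaviour changes in this hunk are not mentioned in the commit message and deserve a sentence there. First, the old path reported ECONNRESET to the channel that already owned the dcid via `l2cap_chan_del(chan, ECONNRESET)`; the replacement `__set_chan_timer(orig, 0)` defers the teardown to the timeout handler, so the error that channel's owner observes is now whatever that handler reports. Second, the new `if (orig->mode == L2CAP_MODE_EXT_FLOWCTL)` guard leaves a dcid-holding channel in any other mode untouched, while the spec comment just above the check still says both channels are discarded; the comment should say why a non-EXT_FLOWCTL owner must not be torn down, and note that `orig->mode` is read before `l2cap_chan_lock(orig)` is taken. Finally, the in-loop `l2cap_chan_del(chan, ECONNREFUSED)` remains; deleting the current element is the one removal list_for_each_entry_safe tolerates, so the cursor-invalidation described in the commit message is only about orig, which is worth stating explicitly.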
--
2.53.0
* Re: [PATCH v4] Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp
From: patchwork-bot+bluetooth @ 2026-05-26 17:50 UTC (permalink / raw)
To: Luiz Augusto von Dentz; +Cc: linux-bluetooth
Hello:
This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Tue, 26 May 2026 11:26:50 -0400 you wrote:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>
> If dcid is received for an already-assigned destination CID the spec
> requires that both channels be discarded, but calling l2cap_chan_del
> may invalidate the tmp cursor created by list_for_each_entry_safe and
> in fact it is the wrong procedure: as the chan->dcid may have been
> assigned previously, it really needs to be disconnected.
>
> [...]
Here is the summary with links:
- [v4] Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp
https://git.kernel.org/bluetooth/bluetooth-next/c/0a39e3eccf85
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
* RE: [v4] Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp
From: bluez.test.bot @ 2026-05-26 18:07 UTC (permalink / raw)
To: linux-bluetooth, luiz.dentz
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1101090
---Test result---
Test Summary:
CheckPatch PASS 0.77 seconds
VerifyFixes PASS 0.14 seconds
VerifySignedoff PASS 0.14 seconds
GitLint PASS 0.34 seconds
SubjectPrefix PASS 0.13 seconds
BuildKernel PASS 25.16 seconds
CheckAllWarning PASS 27.60 seconds
CheckSparse PASS 26.45 seconds
BuildKernel32 PASS 24.58 seconds
TestRunnerSetup PASS 523.22 seconds
TestRunner_l2cap-tester PASS 58.41 seconds
IncrementalBuild PASS 24.30 seconds
https://github.com/bluez/bluetooth-next/pull/245
---
Regards,
Linux Bluetooth