From: kernel test robot <lkp@intel.com>
To: Luiz Augusto von Dentz <luiz.dentz@gmail.com>,
linux-bluetooth@vger.kernel.org
Cc: llvm@lists.linux.dev, oe-kbuild-all@lists.linux.dev
Subject: Re: [PATCH v2] Bluetooth: L2CAP: Fix not checking output MTU is acceptable on L2CAP_ECRED_CONN_REQ
Date: Fri, 20 Feb 2026 07:27:43 +0800 [thread overview]
Message-ID: <202602200748.VaqQIrnz-lkp@intel.com> (raw)
In-Reply-To: <20260219183343.3167089-1-luiz.dentz@gmail.com>
Hi Luiz,
kernel test robot noticed the following build warnings:
[auto build test WARNING on bluetooth-next/master]
[also build test WARNING on bluetooth/master linus/master v6.19 next-20260219]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Luiz-Augusto-von-Dentz/Bluetooth-L2CAP-Fix-not-checking-output-MTU-is-acceptable-on-L2CAP_ECRED_CONN_REQ/20260220-023511
base: https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git master
patch link: https://lore.kernel.org/r/20260219183343.3167089-1-luiz.dentz%40gmail.com
patch subject: [PATCH v2] Bluetooth: L2CAP: Fix not checking output MTU is acceptable on L2CAP_ECRED_CONN_REQ
config: loongarch-randconfig-001-20260220 (https://download.01.org/0day-ci/archive/20260220/202602200748.VaqQIrnz-lkp@intel.com/config)
compiler: clang version 23.0.0git (https://github.com/llvm/llvm-project e86750b29fa0ff207cd43213d66dabe565417638)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260220/202602200748.VaqQIrnz-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202602200748.VaqQIrnz-lkp@intel.com/
All warnings (new ones prefixed by >>):
>> net/bluetooth/l2cap_sock.c:1038:16: warning: variable 'mtu' is uninitialized when used here [-Wuninitialized]
1038 | chan->omtu = mtu;
| ^~~
net/bluetooth/l2cap_sock.c:889:9: note: initialize the variable 'mtu' to silence this warning
889 | u16 mtu;
| ^
| = 0
1 warning generated.
vim +/mtu +1038 net/bluetooth/l2cap_sock.c
878
879 static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
880 sockptr_t optval, unsigned int optlen)
881 {
882 struct sock *sk = sock->sk;
883 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
884 struct bt_security sec;
885 struct bt_power pwr;
886 struct l2cap_conn *conn;
887 int err = 0;
888 u32 opt, phys;
889 u16 mtu;
890 u8 mode;
891
892 BT_DBG("sk %p", sk);
893
894 if (level == SOL_L2CAP)
895 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
896
897 if (level != SOL_BLUETOOTH)
898 return -ENOPROTOOPT;
899
900 lock_sock(sk);
901
902 switch (optname) {
903 case BT_SECURITY:
904 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
905 chan->chan_type != L2CAP_CHAN_FIXED &&
906 chan->chan_type != L2CAP_CHAN_RAW) {
907 err = -EINVAL;
908 break;
909 }
910
911 sec.level = BT_SECURITY_LOW;
912
913 err = copy_safe_from_sockptr(&sec, sizeof(sec), optval, optlen);
914 if (err)
915 break;
916
917 if (sec.level < BT_SECURITY_LOW ||
918 sec.level > BT_SECURITY_FIPS) {
919 err = -EINVAL;
920 break;
921 }
922
923 chan->sec_level = sec.level;
924
925 if (!chan->conn)
926 break;
927
928 conn = chan->conn;
929
930 /* change security for LE channels */
931 if (chan->scid == L2CAP_CID_ATT) {
932 if (smp_conn_security(conn->hcon, sec.level)) {
933 err = -EINVAL;
934 break;
935 }
936
937 set_bit(FLAG_PENDING_SECURITY, &chan->flags);
938 sk->sk_state = BT_CONFIG;
939 chan->state = BT_CONFIG;
940
941 /* or for ACL link */
942 } else if ((sk->sk_state == BT_CONNECT2 &&
943 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) ||
944 sk->sk_state == BT_CONNECTED) {
945 if (!l2cap_chan_check_security(chan, true))
946 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
947 else
948 sk->sk_state_change(sk);
949 } else {
950 err = -EINVAL;
951 }
952 break;
953
954 case BT_DEFER_SETUP:
955 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
956 err = -EINVAL;
957 break;
958 }
959
960 err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
961 if (err)
962 break;
963
964 if (opt) {
965 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
966 set_bit(FLAG_DEFER_SETUP, &chan->flags);
967 } else {
968 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
969 clear_bit(FLAG_DEFER_SETUP, &chan->flags);
970 }
971 break;
972
973 case BT_FLUSHABLE:
974 err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
975 if (err)
976 break;
977
978 if (opt > BT_FLUSHABLE_ON) {
979 err = -EINVAL;
980 break;
981 }
982
983 if (opt == BT_FLUSHABLE_OFF) {
984 conn = chan->conn;
985 /* proceed further only when we have l2cap_conn and
986 No Flush support in the LM */
987 if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
988 err = -EINVAL;
989 break;
990 }
991 }
992
993 if (opt)
994 set_bit(FLAG_FLUSHABLE, &chan->flags);
995 else
996 clear_bit(FLAG_FLUSHABLE, &chan->flags);
997 break;
998
999 case BT_POWER:
1000 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
1001 chan->chan_type != L2CAP_CHAN_RAW) {
1002 err = -EINVAL;
1003 break;
1004 }
1005
1006 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
1007
1008 err = copy_safe_from_sockptr(&pwr, sizeof(pwr), optval, optlen);
1009 if (err)
1010 break;
1011
1012 if (pwr.force_active)
1013 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1014 else
1015 clear_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1016 break;
1017
1018 case BT_CHANNEL_POLICY:
1019 err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
1020 if (err)
1021 break;
1022
1023 err = -EOPNOTSUPP;
1024 break;
1025
1026 case BT_SNDMTU:
1027 if (!bdaddr_type_is_le(chan->src_type)) {
1028 err = -EINVAL;
1029 break;
1030 }
1031
1032 /* Only allow setting output MTU when not connected */
1033 if (sk->sk_state == BT_CONNECTED) {
1034 err = -EISCONN;
1035 break;
1036 }
1037
> 1038 chan->omtu = mtu;
1039 break;
1040
1041 case BT_RCVMTU:
1042 if (!bdaddr_type_is_le(chan->src_type)) {
1043 err = -EINVAL;
1044 break;
1045 }
1046
1047 if (chan->mode == L2CAP_MODE_LE_FLOWCTL &&
1048 sk->sk_state == BT_CONNECTED) {
1049 err = -EISCONN;
1050 break;
1051 }
1052
1053 err = copy_safe_from_sockptr(&mtu, sizeof(mtu), optval, optlen);
1054 if (err)
1055 break;
1056
1057 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL &&
1058 sk->sk_state == BT_CONNECTED)
1059 err = l2cap_chan_reconfigure(chan, mtu);
1060 else
1061 chan->imtu = mtu;
1062
1063 break;
1064
1065 case BT_PHY:
1066 if (sk->sk_state != BT_CONNECTED) {
1067 err = -ENOTCONN;
1068 break;
1069 }
1070
1071 err = copy_safe_from_sockptr(&phys, sizeof(phys), optval,
1072 optlen);
1073 if (err)
1074 break;
1075
1076 if (!chan->conn)
1077 break;
1078
1079 conn = chan->conn;
1080 err = hci_conn_set_phy(conn->hcon, phys);
1081 break;
1082
1083 case BT_MODE:
1084 if (!enable_ecred) {
1085 err = -ENOPROTOOPT;
1086 break;
1087 }
1088
1089 BT_DBG("sk->sk_state %u", sk->sk_state);
1090
1091 if (sk->sk_state != BT_BOUND) {
1092 err = -EINVAL;
1093 break;
1094 }
1095
1096 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1097 err = -EINVAL;
1098 break;
1099 }
1100
1101 err = copy_safe_from_sockptr(&mode, sizeof(mode), optval,
1102 optlen);
1103 if (err)
1104 break;
1105
1106 BT_DBG("mode %u", mode);
1107
1108 err = l2cap_set_mode(chan, mode);
1109 if (err)
1110 break;
1111
1112 BT_DBG("mode 0x%2.2x", chan->mode);
1113
1114 break;
1115
1116 default:
1117 err = -ENOPROTOOPT;
1118 break;
1119 }
1120
1121 release_sock(sk);
1122 return err;
1123 }
1124
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
prev parent reply other threads:[~2026-02-19 23:27 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-19 18:33 [PATCH v2] Bluetooth: L2CAP: Fix not checking output MTU is acceptable on L2CAP_ECRED_CONN_REQ Luiz Augusto von Dentz
2026-02-19 19:41 ` [v2] " bluez.test.bot
2026-02-19 23:27 ` kernel test robot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202602200748.VaqQIrnz-lkp@intel.com \
--to=lkp@intel.com \
--cc=linux-bluetooth@vger.kernel.org \
--cc=llvm@lists.linux.dev \
--cc=luiz.dentz@gmail.com \
--cc=oe-kbuild-all@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox