* [PATCH bluetooth] Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success
@ 2026-05-26 10:51 Zhenghang Xiao
2026-05-26 14:46 ` bluez.test.bot
2026-05-26 17:50 ` [PATCH bluetooth] " patchwork-bot+bluetooth
0 siblings, 2 replies; 3+ messages in thread
From: Zhenghang Xiao @ 2026-05-26 10:51 UTC (permalink / raw)
To: marcel, luiz.dentz; +Cc: linux-bluetooth, Zhenghang Xiao
l2cap_ecred_reconf_rsp() returns early on success without clearing
chan->ident. Every other L2CAP response handler (l2cap_ecred_conn_rsp,
l2cap_le_connect_rsp, l2cap_config_rsp) clears chan->ident after a
successful transaction to prevent the channel from matching subsequent
responses with the recycled ident value.
A remote attacker that completed a reconfiguration as the peer can
replay a failure response with the stale ident, causing the kernel to
match and destroy the already-established channel via
l2cap_chan_del(chan, ECONNRESET).
Clear chan->ident for all matching channels on success, and harden the
failure path by using l2cap_chan_hold_unless_zero() consistent with
other L2CAP handlers (l2cap_le_command_rej, __l2cap_get_chan_by_ident).
Fixes: 15f02b910562 ("Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode")
Signed-off-by: Zhenghang Xiao <kipreyyy@gmail.com>
---
net/bluetooth/l2cap_core.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 7701528f1167..08c70caf24d4 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -5458,14 +5458,20 @@ static inline int l2cap_ecred_reconf_rsp(struct l2cap_conn *conn,
BT_DBG("result 0x%4.4x", result);
- if (!result)
+ if (!result) {
+ list_for_each_entry(chan, &conn->chan_l, list) {
+ if (chan->ident == cmd->ident)
+ chan->ident = 0;
+ }
return 0;
+ }
list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
if (chan->ident != cmd->ident)
continue;
- l2cap_chan_hold(chan);
+ if (!l2cap_chan_hold_unless_zero(chan))
+ continue;
l2cap_chan_lock(chan);
l2cap_chan_del(chan, ECONNRESET);
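Review bot: the new success branch writes chan->ident = 0 on every matching channel without taking a reference or the channel lock, while the failure path in the same function now does l2cap_chan_hold_unless_zero() followed by l2cap_chan_lock() before touching the channel. If the bare write is safe because the conn->chan_l walk already runs under the connection lock, please state that in the commit message; otherwise wrap the clear in the same hold/lock pair so both paths are consistent. The switch to l2cap_chan_hold_unless_zero() is also a separate hardening from the Fixes: target and would be simpler to review and backport as its own patch.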
--
2.50.1 (Apple Git-155)
* RE: Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success
From: bluez.test.bot @ 2026-05-26 14:46 UTC (permalink / raw)
To: linux-bluetooth, kipreyyy
This is an automated email, please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1100882
---Test result---
Test Summary:
CheckPatch PASS 0.77 seconds
VerifyFixes PASS 0.14 seconds
VerifySignedoff PASS 0.14 seconds
GitLint PASS 0.34 seconds
SubjectPrefix PASS 0.15 seconds
BuildKernel PASS 24.89 seconds
CheckAllWarning PASS 27.98 seconds
CheckSparse PASS 26.57 seconds
BuildKernel32 PASS 24.68 seconds
TestRunnerSetup PASS 524.16 seconds
TestRunner_l2cap-tester PASS 59.46 seconds
IncrementalBuild PASS 23.70 seconds
https://github.com/bluez/bluetooth-next/pull/243
---
Regards,
Linux Bluetooth
* Re: [PATCH bluetooth] Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success
From: patchwork-bot+bluetooth @ 2026-05-26 17:50 UTC (permalink / raw)
To: Zhenghang Xiao; +Cc: marcel, luiz.dentz, linux-bluetooth
Hello:
This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Tue, 26 May 2026 18:51:52 +0800 you wrote:
> l2cap_ecred_reconf_rsp() returns early on success without clearing
> chan->ident. Every other L2CAP response handler (l2cap_ecred_conn_rsp,
> l2cap_le_connect_rsp, l2cap_config_rsp) clears chan->ident after a
> successful transaction to prevent the channel from matching subsequent
> responses with the recycled ident value.
>
> A remote attacker that completed a reconfiguration as the peer can
> replay a failure response with the stale ident, causing the kernel to
> match and destroy the already-established channel via
> l2cap_chan_del(chan, ECONNRESET).
>
> [...]
Here is the summary with links:
- Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success
https://git.kernel.org/bluetooth/bluetooth-next/c/3149687089e0
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html