* [PATCH v2] Bluetooth: L2CAP: Fix not checking output MTU is acceptable on L2CAP_ECRED_CONN_REQ
@ 2026-02-19 18:33 Luiz Augusto von Dentz
2026-02-19 19:41 ` [v2] " bluez.test.bot
2026-02-19 23:27 ` [PATCH v2] " kernel test robot
0 siblings, 2 replies; 3+ messages in thread
From: Luiz Augusto von Dentz @ 2026-02-19 18:33 UTC (permalink / raw)
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
In order for L2CAP_ECRED_CONN_REQ the given MTU shall be checked
against the suggested MTU of the listening socket as that is required
by the likes of PTS L2CAP/ECFC/BV-27-C test which expects
L2CAP_CR_LE_UNACCEPT_PARAMS if the MTU is lower than socket omtu.
In order to be able to set chan->omtu the code now allows setting
setsockopt(BT_SNDMTU), but it is only allowed when connection has not
been established.
Link: https://github.com/bluez/bluez/issues/1895
Fixes: 15f02b910562 ("Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
net/bluetooth/l2cap_core.c | 8 ++++++++
net/bluetooth/l2cap_sock.c | 11 +++++++----
2 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 9452c6179acb..90676ca0e92b 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -5117,6 +5117,14 @@ static inline int l2cap_ecred_conn_req(struct l2cap_conn *conn,
goto unlock;
}
+ /* Check if the listening channel has set an output MTU then the
+ * requested MTU shall be less than or equal to that value.
+ */
+ if (pchan->omtu && mtu < pchan->omtu) {
+ result = L2CAP_CR_LE_UNACCEPT_PARAMS;
+ goto unlock;
+ }
+
result = L2CAP_CR_LE_SUCCESS;
for (i = 0; i < num_scid; i++) {
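Review bot: The new comment in l2cap_ecred_conn_req() says the requested MTU "shall be less than or equal to" the listening channel's value, but the condition `mtu < pchan->omtu` rejects exactly the smaller values, so the code enforces a minimum, which is what the commit message describes. Reword the comment to say the requested MTU shall not be lower than pchan->omtu so that comment and check agree. It is also worth stating in the comment that a zero pchan->omtu means no minimum is enforced, since that is what the `pchan->omtu &&` guard implies.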
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 62ceda979f39..04afc92561cb 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1029,10 +1029,13 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
break;
}
- /* Setting is not supported as it's the remote side that
- * decides this.
- */
- err = -EPERM;
+ /* Only allow setting output MTU when not connected */
+ if (sk->sk_state == BT_CONNECTED) {
+ err = -EISCONN;
+ break;
+ }
+
+ chan->omtu = mtu;
break;
case BT_RCVMTU:
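Review bot: In the BT_SNDMTU case, `chan->omtu = mtu;` stores a local that nothing in this hunk reads from optval, so the value written to the channel is not the one the caller passed. Copy the option in first and break on error before the assignment, the way the BT_RCVMTU case does with `copy_safe_from_sockptr(&mtu, sizeof(mtu), optval, optlen)`. The state check also excludes only BT_CONNECTED, while the commit message says the option is allowed only when the connection has not been established; if other in-progress states should be refused as well, the condition should list them.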
--
2.52.0
* RE: [v2] Bluetooth: L2CAP: Fix not checking output MTU is acceptable on L2CAP_ECRED_CONN_REQ
From: bluez.test.bot @ 2026-02-19 19:41 UTC (permalink / raw)
To: linux-bluetooth, luiz.dentz
This is an automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is the CI test result for your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1055632
---Test result---
Test Summary:
CheckPatch PENDING 0.49 seconds
GitLint PENDING 0.36 seconds
SubjectPrefix PASS 0.09 seconds
BuildKernel PASS 26.24 seconds
CheckAllWarning PASS 28.52 seconds
CheckSparse WARNING 32.23 seconds
BuildKernel32 PASS 25.55 seconds
TestRunnerSetup PASS 561.44 seconds
TestRunner_l2cap-tester PASS 28.54 seconds
TestRunner_iso-tester PASS 84.74 seconds
TestRunner_bnep-tester PASS 6.67 seconds
TestRunner_mgmt-tester FAIL 130.03 seconds
TestRunner_rfcomm-tester PASS 9.55 seconds
TestRunner_sco-tester FAIL 14.78 seconds
TestRunner_ioctl-tester PASS 10.26 seconds
TestRunner_mesh-tester FAIL 11.55 seconds
TestRunner_smp-tester PASS 8.65 seconds
TestRunner_userchan-tester PASS 8.80 seconds
IncrementalBuild PENDING 0.77 seconds
Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:
##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:
##############################
Test: CheckSparse - WARNING
Desc: Run sparse tool with linux kernel
Output:
net/bluetooth/l2cap_core.c:7773:1: error: bad constant expression
net/bluetooth/l2cap_core.c:7774:1: error: bad constant expression
net/bluetooth/l2cap_core.c:7776:1: error: bad constant expression
net/bluetooth/l2cap_core.c:7777:1: error: bad constant expression
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4
Failed Test Cases
Read Exp Feature - Success Failed 0.107 seconds
##############################
Test: TestRunner_sco-tester - FAIL
Desc: Run sco-tester with test-runner
Output:
WARNING: possible circular locking dependency detected
BUG: sleeping function called from invalid context at net/core/sock.c:3782
Total: 30, Passed: 30 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0
Failed Test Cases
Mesh - Send cancel - 1 Timed out 1.821 seconds
Mesh - Send cancel - 2 Timed out 1.991 seconds
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:
---
Regards,
Linux Bluetooth
* Re: [PATCH v2] Bluetooth: L2CAP: Fix not checking output MTU is acceptable on L2CAP_ECRED_CONN_REQ
From: kernel test robot @ 2026-02-19 23:27 UTC (permalink / raw)
To: Luiz Augusto von Dentz, linux-bluetooth; +Cc: llvm, oe-kbuild-all
Hi Luiz,
kernel test robot noticed the following build warnings:
[auto build test WARNING on bluetooth-next/master]
[also build test WARNING on bluetooth/master linus/master v6.19 next-20260219]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting a patch, we suggest using '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Luiz-Augusto-von-Dentz/Bluetooth-L2CAP-Fix-not-checking-output-MTU-is-acceptable-on-L2CAP_ECRED_CONN_REQ/20260220-023511
base: https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git master
patch link: https://lore.kernel.org/r/20260219183343.3167089-1-luiz.dentz%40gmail.com
patch subject: [PATCH v2] Bluetooth: L2CAP: Fix not checking output MTU is acceptable on L2CAP_ECRED_CONN_REQ
config: loongarch-randconfig-001-20260220 (https://download.01.org/0day-ci/archive/20260220/202602200748.VaqQIrnz-lkp@intel.com/config)
compiler: clang version 23.0.0git (https://github.com/llvm/llvm-project e86750b29fa0ff207cd43213d66dabe565417638)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260220/202602200748.VaqQIrnz-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202602200748.VaqQIrnz-lkp@intel.com/
All warnings (new ones prefixed by >>):
>> net/bluetooth/l2cap_sock.c:1038:16: warning: variable 'mtu' is uninitialized when used here [-Wuninitialized]
1038 | chan->omtu = mtu;
| ^~~
net/bluetooth/l2cap_sock.c:889:9: note: initialize the variable 'mtu' to silence this warning
889 | u16 mtu;
| ^
| = 0
1 warning generated.
vim +/mtu +1038 net/bluetooth/l2cap_sock.c
878
879 static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
880 sockptr_t optval, unsigned int optlen)
881 {
882 struct sock *sk = sock->sk;
883 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
884 struct bt_security sec;
885 struct bt_power pwr;
886 struct l2cap_conn *conn;
887 int err = 0;
888 u32 opt, phys;
889 u16 mtu;
890 u8 mode;
891
892 BT_DBG("sk %p", sk);
893
894 if (level == SOL_L2CAP)
895 return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
896
897 if (level != SOL_BLUETOOTH)
898 return -ENOPROTOOPT;
899
900 lock_sock(sk);
901
902 switch (optname) {
903 case BT_SECURITY:
904 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
905 chan->chan_type != L2CAP_CHAN_FIXED &&
906 chan->chan_type != L2CAP_CHAN_RAW) {
907 err = -EINVAL;
908 break;
909 }
910
911 sec.level = BT_SECURITY_LOW;
912
913 err = copy_safe_from_sockptr(&sec, sizeof(sec), optval, optlen);
914 if (err)
915 break;
916
917 if (sec.level < BT_SECURITY_LOW ||
918 sec.level > BT_SECURITY_FIPS) {
919 err = -EINVAL;
920 break;
921 }
922
923 chan->sec_level = sec.level;
924
925 if (!chan->conn)
926 break;
927
928 conn = chan->conn;
929
930 /* change security for LE channels */
931 if (chan->scid == L2CAP_CID_ATT) {
932 if (smp_conn_security(conn->hcon, sec.level)) {
933 err = -EINVAL;
934 break;
935 }
936
937 set_bit(FLAG_PENDING_SECURITY, &chan->flags);
938 sk->sk_state = BT_CONFIG;
939 chan->state = BT_CONFIG;
940
941 /* or for ACL link */
942 } else if ((sk->sk_state == BT_CONNECT2 &&
943 test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) ||
944 sk->sk_state == BT_CONNECTED) {
945 if (!l2cap_chan_check_security(chan, true))
946 set_bit(BT_SK_SUSPEND, &bt_sk(sk)->flags);
947 else
948 sk->sk_state_change(sk);
949 } else {
950 err = -EINVAL;
951 }
952 break;
953
954 case BT_DEFER_SETUP:
955 if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
956 err = -EINVAL;
957 break;
958 }
959
960 err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
961 if (err)
962 break;
963
964 if (opt) {
965 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
966 set_bit(FLAG_DEFER_SETUP, &chan->flags);
967 } else {
968 clear_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
969 clear_bit(FLAG_DEFER_SETUP, &chan->flags);
970 }
971 break;
972
973 case BT_FLUSHABLE:
974 err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
975 if (err)
976 break;
977
978 if (opt > BT_FLUSHABLE_ON) {
979 err = -EINVAL;
980 break;
981 }
982
983 if (opt == BT_FLUSHABLE_OFF) {
984 conn = chan->conn;
985 /* proceed further only when we have l2cap_conn and
986 No Flush support in the LM */
987 if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
988 err = -EINVAL;
989 break;
990 }
991 }
992
993 if (opt)
994 set_bit(FLAG_FLUSHABLE, &chan->flags);
995 else
996 clear_bit(FLAG_FLUSHABLE, &chan->flags);
997 break;
998
999 case BT_POWER:
1000 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED &&
1001 chan->chan_type != L2CAP_CHAN_RAW) {
1002 err = -EINVAL;
1003 break;
1004 }
1005
1006 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
1007
1008 err = copy_safe_from_sockptr(&pwr, sizeof(pwr), optval, optlen);
1009 if (err)
1010 break;
1011
1012 if (pwr.force_active)
1013 set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1014 else
1015 clear_bit(FLAG_FORCE_ACTIVE, &chan->flags);
1016 break;
1017
1018 case BT_CHANNEL_POLICY:
1019 err = copy_safe_from_sockptr(&opt, sizeof(opt), optval, optlen);
1020 if (err)
1021 break;
1022
1023 err = -EOPNOTSUPP;
1024 break;
1025
1026 case BT_SNDMTU:
1027 if (!bdaddr_type_is_le(chan->src_type)) {
1028 err = -EINVAL;
1029 break;
1030 }
1031
1032 /* Only allow setting output MTU when not connected */
1033 if (sk->sk_state == BT_CONNECTED) {
1034 err = -EISCONN;
1035 break;
1036 }
1037
> 1038 chan->omtu = mtu;
1039 break;
1040
1041 case BT_RCVMTU:
1042 if (!bdaddr_type_is_le(chan->src_type)) {
1043 err = -EINVAL;
1044 break;
1045 }
1046
1047 if (chan->mode == L2CAP_MODE_LE_FLOWCTL &&
1048 sk->sk_state == BT_CONNECTED) {
1049 err = -EISCONN;
1050 break;
1051 }
1052
1053 err = copy_safe_from_sockptr(&mtu, sizeof(mtu), optval, optlen);
1054 if (err)
1055 break;
1056
1057 if (chan->mode == L2CAP_MODE_EXT_FLOWCTL &&
1058 sk->sk_state == BT_CONNECTED)
1059 err = l2cap_chan_reconfigure(chan, mtu);
1060 else
1061 chan->imtu = mtu;
1062
1063 break;
1064
1065 case BT_PHY:
1066 if (sk->sk_state != BT_CONNECTED) {
1067 err = -ENOTCONN;
1068 break;
1069 }
1070
1071 err = copy_safe_from_sockptr(&phys, sizeof(phys), optval,
1072 optlen);
1073 if (err)
1074 break;
1075
1076 if (!chan->conn)
1077 break;
1078
1079 conn = chan->conn;
1080 err = hci_conn_set_phy(conn->hcon, phys);
1081 break;
1082
1083 case BT_MODE:
1084 if (!enable_ecred) {
1085 err = -ENOPROTOOPT;
1086 break;
1087 }
1088
1089 BT_DBG("sk->sk_state %u", sk->sk_state);
1090
1091 if (sk->sk_state != BT_BOUND) {
1092 err = -EINVAL;
1093 break;
1094 }
1095
1096 if (chan->chan_type != L2CAP_CHAN_CONN_ORIENTED) {
1097 err = -EINVAL;
1098 break;
1099 }
1100
1101 err = copy_safe_from_sockptr(&mode, sizeof(mode), optval,
1102 optlen);
1103 if (err)
1104 break;
1105
1106 BT_DBG("mode %u", mode);
1107
1108 err = l2cap_set_mode(chan, mode);
1109 if (err)
1110 break;
1111
1112 BT_DBG("mode 0x%2.2x", chan->mode);
1113
1114 break;
1115
1116 default:
1117 err = -ENOPROTOOPT;
1118 break;
1119 }
1120
1121 release_sock(sk);
1122 return err;
1123 }
1124
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki