* [PATCH 1/4] Bluetooth: L2CAP: CoC: Disconnect if received packet's SDU exceeds IMTU
@ 2026-02-25 17:07 Christian Eggers
2026-02-25 17:07 ` [PATCH 2/4] Bluetooth: L2CAP: CoC: Disconnect if received packet size exceeds MPS Christian Eggers
` (5 more replies)
0 siblings, 6 replies; 10+ messages in thread
From: Christian Eggers @ 2026-02-25 17:07 UTC (permalink / raw)
To: Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz
Cc: linux-bluetooth, linux-kernel, Christian Eggers
Core 6.0, Vol 3, Part A, 3.4.3:
"If the SDU length field value exceeds the receiver's MTU, the receiver
shall disconnect the channel..."
This fixes L2CAP/LE/CFC/BV-26-C (running together with 'l2test -r -P
0x0027 -V le_public -I 100').
Signed-off-by: Christian Eggers <ceggers@arri.de>
---
net/bluetooth/l2cap_core.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 2dcc5bb907b8..ddac5b9270bf 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -6664,6 +6664,7 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
if (chan->imtu < skb->len) {
BT_ERR("Too big LE L2CAP PDU");
+ l2cap_send_disconn_req(chan, ECONNRESET);
return -ENOBUFS;
}
@@ -6690,6 +6691,7 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
if (sdu_len > chan->imtu) {
BT_ERR("Too big LE L2CAP SDU length received");
+ l2cap_send_disconn_req(chan, ECONNRESET);
err = -EMSGSIZE;
goto failed;
}
--
2.44.4
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH 2/4] Bluetooth: L2CAP: CoC: Disconnect if received packet size exceeds MPS
2026-02-25 17:07 [PATCH 1/4] Bluetooth: L2CAP: CoC: Disconnect if received packet's SDU exceeds IMTU Christian Eggers
@ 2026-02-25 17:07 ` Christian Eggers
2026-02-25 17:24 ` Luiz Augusto von Dentz
2026-02-25 17:07 ` [PATCH 3/4] Bluetooth: L2CAP: CoC: Disconnect if sum of payload sizes exceed SDU Christian Eggers
` (4 subsequent siblings)
5 siblings, 1 reply; 10+ messages in thread
From: Christian Eggers @ 2026-02-25 17:07 UTC (permalink / raw)
To: Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz
Cc: linux-bluetooth, linux-kernel, Christian Eggers
Core 6.0, Vol 3, Part A, 3.4.3:
"... If the payload size of any K-frame exceeds the receiver's MPS, the
receiver shall disconnect the channel..."
This fixes L2CAP/LE/CFC/BV-27-C (running together with 'l2test -r -P
0x0027 -V le_public -I 100').
Signed-off-by: Christian Eggers <ceggers@arri.de>
---
Maybe the naming of 'mps_orig_le' could be improved...
include/net/bluetooth/l2cap.h | 1 +
net/bluetooth/l2cap_core.c | 4 +++-
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
index 010f1a8fd15f..c6744cce75b1 100644
--- a/include/net/bluetooth/l2cap.h
+++ b/include/net/bluetooth/l2cap.h
@@ -552,6 +552,7 @@ struct l2cap_chan {
__u16 retrans_timeout;
__u16 monitor_timeout;
__u16 mps;
+ __u16 mps_orig_le;
__u16 tx_credits;
__u16 rx_credits;
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index ddac5b9270bf..c9555b0a3461 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -568,6 +568,7 @@ static void l2cap_le_flowctl_init(struct l2cap_chan *chan, u16 tx_credits)
chan->tx_credits = tx_credits;
/* Derive MPS from connection MTU to stop HCI fragmentation */
chan->mps = min_t(u16, chan->imtu, chan->conn->mtu - L2CAP_HDR_SIZE);
+ chan->mps_orig_le = chan->mps;
chan->rx_credits = l2cap_le_rx_credits(chan);
skb_queue_head_init(&chan->tx_q);
@@ -580,6 +581,7 @@ static void l2cap_ecred_init(struct l2cap_chan *chan, u16 tx_credits)
/* L2CAP implementations shall support a minimum MPS of 64 octets */
if (chan->mps < L2CAP_ECRED_MIN_MPS) {
chan->mps = L2CAP_ECRED_MIN_MPS;
+ chan->mps_orig_le = L2CAP_ECRED_MIN_MPS;
chan->rx_credits = l2cap_le_rx_credits(chan);
}
}
@@ -6662,7 +6664,7 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
return -ENOBUFS;
}
- if (chan->imtu < skb->len) {
+ if (chan->mps_orig_le < skb->len || chan->imtu < skb->len) {
BT_ERR("Too big LE L2CAP PDU");
l2cap_send_disconn_req(chan, ECONNRESET);
return -ENOBUFS;
--
2.44.4
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH 3/4] Bluetooth: L2CAP: CoC: Disconnect if sum of payload sizes exceed SDU
2026-02-25 17:07 [PATCH 1/4] Bluetooth: L2CAP: CoC: Disconnect if received packet's SDU exceeds IMTU Christian Eggers
2026-02-25 17:07 ` [PATCH 2/4] Bluetooth: L2CAP: CoC: Disconnect if received packet size exceeds MPS Christian Eggers
@ 2026-02-25 17:07 ` Christian Eggers
2026-02-25 17:07 ` [PATCH 4/4] Bluetooth: SMP: make SM/PER/KDU/BI-04-C happy Christian Eggers
` (3 subsequent siblings)
5 siblings, 0 replies; 10+ messages in thread
From: Christian Eggers @ 2026-02-25 17:07 UTC (permalink / raw)
To: Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz
Cc: linux-bluetooth, linux-kernel, Christian Eggers
Core 6.0, Vol 3, Part A, 3.4.3:
"... If the sum of the payload sizes for the K-frames exceeds the
specified SDU length, the receiver shall disconnect the channel."
This fixes L2CAP/LE/CFC/BV-27-C (running together with 'l2test -r -P
0x0027 -V le_public').
Signed-off-by: Christian Eggers <ceggers@arri.de>
---
net/bluetooth/l2cap_core.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index c9555b0a3461..69a57b956895 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -6729,6 +6729,7 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
if (chan->sdu->len + skb->len > chan->sdu_len) {
BT_ERR("Too much LE L2CAP data received");
+ l2cap_send_disconn_req(chan, ECONNRESET);
err = -EINVAL;
goto failed;
}
--
2.44.4
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH 4/4] Bluetooth: SMP: make SM/PER/KDU/BI-04-C happy
2026-02-25 17:07 [PATCH 1/4] Bluetooth: L2CAP: CoC: Disconnect if received packet's SDU exceeds IMTU Christian Eggers
2026-02-25 17:07 ` [PATCH 2/4] Bluetooth: L2CAP: CoC: Disconnect if received packet size exceeds MPS Christian Eggers
2026-02-25 17:07 ` [PATCH 3/4] Bluetooth: L2CAP: CoC: Disconnect if sum of payload sizes exceed SDU Christian Eggers
@ 2026-02-25 17:07 ` Christian Eggers
2026-02-25 17:14 ` [PATCH 1/4] Bluetooth: L2CAP: CoC: Disconnect if received packet's SDU exceeds IMTU Luiz Augusto von Dentz
` (2 subsequent siblings)
5 siblings, 0 replies; 10+ messages in thread
From: Christian Eggers @ 2026-02-25 17:07 UTC (permalink / raw)
To: Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz
Cc: linux-bluetooth, linux-kernel, Christian Eggers
The last test step ("Test with Invalid public key X and Y, all set to
0") expects to get an "DHKEY check failed" instead of "unspecified".
Signed-off-by: Christian Eggers <ceggers@arri.de>
---
net/bluetooth/smp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index bf61e8841535..6b35645e0996 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -2743,7 +2743,7 @@ static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
if (!test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags) &&
!crypto_memneq(key, smp->local_pk, 64)) {
bt_dev_err(hdev, "Remote and local public keys are identical");
- return SMP_UNSPECIFIED;
+ return SMP_DHKEY_CHECK_FAILED;
}
memcpy(smp->remote_pk, key, 64);
--
2.44.4
^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH 1/4] Bluetooth: L2CAP: CoC: Disconnect if received packet's SDU exceeds IMTU
2026-02-25 17:07 [PATCH 1/4] Bluetooth: L2CAP: CoC: Disconnect if received packet's SDU exceeds IMTU Christian Eggers
` (2 preceding siblings ...)
2026-02-25 17:07 ` [PATCH 4/4] Bluetooth: SMP: make SM/PER/KDU/BI-04-C happy Christian Eggers
@ 2026-02-25 17:14 ` Luiz Augusto von Dentz
2026-02-25 18:17 ` [1/4] " bluez.test.bot
2026-02-25 20:00 ` [PATCH 1/4] " patchwork-bot+bluetooth
5 siblings, 0 replies; 10+ messages in thread
From: Luiz Augusto von Dentz @ 2026-02-25 17:14 UTC (permalink / raw)
To: Christian Eggers
Cc: Marcel Holtmann, Johan Hedberg, linux-bluetooth, linux-kernel
Hi Christian,
On Wed, Feb 25, 2026 at 12:07 PM Christian Eggers <ceggers@arri.de> wrote:
>
> Core 6.0, Vol 3, Part A, 3.4.3:
> "If the SDU length field value exceeds the receiver's MTU, the receiver
> shall disconnect the channel..."
>
> This fixes L2CAP/LE/CFC/BV-26-C (running together with 'l2test -r -P
> 0x0027 -V le_public -I 100').
>
> Signed-off-by: Christian Eggers <ceggers@arri.de>
> ---
> net/bluetooth/l2cap_core.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
> index 2dcc5bb907b8..ddac5b9270bf 100644
> --- a/net/bluetooth/l2cap_core.c
> +++ b/net/bluetooth/l2cap_core.c
> @@ -6664,6 +6664,7 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
>
> if (chan->imtu < skb->len) {
> BT_ERR("Too big LE L2CAP PDU");
> + l2cap_send_disconn_req(chan, ECONNRESET);
> return -ENOBUFS;
> }
>
> @@ -6690,6 +6691,7 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
>
> if (sdu_len > chan->imtu) {
> BT_ERR("Too big LE L2CAP SDU length received");
> + l2cap_send_disconn_req(chan, ECONNRESET);
We might want to update the error to something like ...SDU %d > %d
disconnecting... so it more descriptive by informing what it received,
what the maximum expected value is, and that it will disconnect
because of the error.
> err = -EMSGSIZE;
> goto failed;
> }
> --
> 2.44.4
>
--
Luiz Augusto von Dentz
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 2/4] Bluetooth: L2CAP: CoC: Disconnect if received packet size exceeds MPS
2026-02-25 17:07 ` [PATCH 2/4] Bluetooth: L2CAP: CoC: Disconnect if received packet size exceeds MPS Christian Eggers
@ 2026-02-25 17:24 ` Luiz Augusto von Dentz
2026-02-25 17:34 ` Christian Eggers
0 siblings, 1 reply; 10+ messages in thread
From: Luiz Augusto von Dentz @ 2026-02-25 17:24 UTC (permalink / raw)
To: Christian Eggers
Cc: Marcel Holtmann, Johan Hedberg, linux-bluetooth, linux-kernel
Hi Christian,
On Wed, Feb 25, 2026 at 12:07 PM Christian Eggers <ceggers@arri.de> wrote:
>
> Core 6.0, Vol 3, Part A, 3.4.3:
> "... If the payload size of any K-frame exceeds the receiver's MPS, the
> receiver shall disconnect the channel..."
>
> This fixes L2CAP/LE/CFC/BV-27-C (running together with 'l2test -r -P
> 0x0027 -V le_public -I 100').
>
> Signed-off-by: Christian Eggers <ceggers@arri.de>
> ---
> Maybe the naming of 'mps_orig_le' could be improved...
>
> include/net/bluetooth/l2cap.h | 1 +
> net/bluetooth/l2cap_core.c | 4 +++-
> 2 files changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
> index 010f1a8fd15f..c6744cce75b1 100644
> --- a/include/net/bluetooth/l2cap.h
> +++ b/include/net/bluetooth/l2cap.h
> @@ -552,6 +552,7 @@ struct l2cap_chan {
> __u16 retrans_timeout;
> __u16 monitor_timeout;
> __u16 mps;
> + __u16 mps_orig_le;
Hmm, I wonder if it wouldn't make more sense to have imps/mps_rx and
omps/mps_tx? I guess that is why you need a separate field; otherwise,
the MPS is updated with the remote MPS, causing us to accept the
packets as valid. That said it would need to change quite a few more
places it seems
>
> __u16 tx_credits;
> __u16 rx_credits;
> diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
> index ddac5b9270bf..c9555b0a3461 100644
> --- a/net/bluetooth/l2cap_core.c
> +++ b/net/bluetooth/l2cap_core.c
> @@ -568,6 +568,7 @@ static void l2cap_le_flowctl_init(struct l2cap_chan *chan, u16 tx_credits)
> chan->tx_credits = tx_credits;
> /* Derive MPS from connection MTU to stop HCI fragmentation */
> chan->mps = min_t(u16, chan->imtu, chan->conn->mtu - L2CAP_HDR_SIZE);
> + chan->mps_orig_le = chan->mps;
> chan->rx_credits = l2cap_le_rx_credits(chan);
>
> skb_queue_head_init(&chan->tx_q);
> @@ -580,6 +581,7 @@ static void l2cap_ecred_init(struct l2cap_chan *chan, u16 tx_credits)
> /* L2CAP implementations shall support a minimum MPS of 64 octets */
> if (chan->mps < L2CAP_ECRED_MIN_MPS) {
> chan->mps = L2CAP_ECRED_MIN_MPS;
> + chan->mps_orig_le = L2CAP_ECRED_MIN_MPS;
> chan->rx_credits = l2cap_le_rx_credits(chan);
> }
> }
> @@ -6662,7 +6664,7 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
> return -ENOBUFS;
> }
>
> - if (chan->imtu < skb->len) {
> + if (chan->mps_orig_le < skb->len || chan->imtu < skb->len) {
> BT_ERR("Too big LE L2CAP PDU");
> l2cap_send_disconn_req(chan, ECONNRESET);
> return -ENOBUFS;
> --
> 2.44.4
>
--
Luiz Augusto von Dentz
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 2/4] Bluetooth: L2CAP: CoC: Disconnect if received packet size exceeds MPS
2026-02-25 17:24 ` Luiz Augusto von Dentz
@ 2026-02-25 17:34 ` Christian Eggers
0 siblings, 0 replies; 10+ messages in thread
From: Christian Eggers @ 2026-02-25 17:34 UTC (permalink / raw)
To: Luiz Augusto von Dentz
Cc: Marcel Holtmann, Johan Hedberg, linux-bluetooth, linux-kernel
Hi Luiz,
On Wednesday, 25 February 2026, 18:24:16 CET, Luiz Augusto von Dentz wrote:
> Hi Christian,
>
> On Wed, Feb 25, 2026 at 12:07 PM Christian Eggers <ceggers@arri.de> wrote:
> >
> > Core 6.0, Vol 3, Part A, 3.4.3:
> > "... If the payload size of any K-frame exceeds the receiver's MPS, the
> > receiver shall disconnect the channel..."
> >
> > This fixes L2CAP/LE/CFC/BV-27-C (running together with 'l2test -r -P
> > 0x0027 -V le_public -I 100').
> >
> > Signed-off-by: Christian Eggers <ceggers@arri.de>
> > ---
> > Maybe the naming of 'mps_orig_le' could be improved...
> >
> > include/net/bluetooth/l2cap.h | 1 +
> > net/bluetooth/l2cap_core.c | 4 +++-
> > 2 files changed, 4 insertions(+), 1 deletion(-)
> >
> > diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
> > index 010f1a8fd15f..c6744cce75b1 100644
> > --- a/include/net/bluetooth/l2cap.h
> > +++ b/include/net/bluetooth/l2cap.h
> > @@ -552,6 +552,7 @@ struct l2cap_chan {
> > __u16 retrans_timeout;
> > __u16 monitor_timeout;
> > __u16 mps;
> > + __u16 mps_orig_le;
>
> Hmm, I wonder if it wouldn't make more sense to have imps/mps_rx and
> omps/mps_tx? I guess that is why you need a separate field; otherwise,
> the MPS is updated with the remote MPS, causing us to accept the
> packets as valid.
I can confirm that I needed to introduce the new member because of this.
> That said it would need to change quite a few more
> places it seems
I feel that I don't have enough oversight for fixing this everywhere (but of
course I could try). I just did the minimum amount of changes to fix this
particular test.
Could you eventually take this over and propose a patch?
Thanks,
Christian
>
> >
> > __u16 tx_credits;
> > __u16 rx_credits;
> > diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
> > index ddac5b9270bf..c9555b0a3461 100644
> > --- a/net/bluetooth/l2cap_core.c
> > +++ b/net/bluetooth/l2cap_core.c
> > @@ -568,6 +568,7 @@ static void l2cap_le_flowctl_init(struct l2cap_chan *chan, u16 tx_credits)
> > chan->tx_credits = tx_credits;
> > /* Derive MPS from connection MTU to stop HCI fragmentation */
> > chan->mps = min_t(u16, chan->imtu, chan->conn->mtu - L2CAP_HDR_SIZE);
> > + chan->mps_orig_le = chan->mps;
> > chan->rx_credits = l2cap_le_rx_credits(chan);
> >
> > skb_queue_head_init(&chan->tx_q);
> > @@ -580,6 +581,7 @@ static void l2cap_ecred_init(struct l2cap_chan *chan, u16 tx_credits)
> > /* L2CAP implementations shall support a minimum MPS of 64 octets */
> > if (chan->mps < L2CAP_ECRED_MIN_MPS) {
> > chan->mps = L2CAP_ECRED_MIN_MPS;
> > + chan->mps_orig_le = L2CAP_ECRED_MIN_MPS;
> > chan->rx_credits = l2cap_le_rx_credits(chan);
> > }
> > }
> > @@ -6662,7 +6664,7 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
> > return -ENOBUFS;
> > }
> >
> > - if (chan->imtu < skb->len) {
> > + if (chan->mps_orig_le < skb->len || chan->imtu < skb->len) {
> > BT_ERR("Too big LE L2CAP PDU");
> > l2cap_send_disconn_req(chan, ECONNRESET);
> > return -ENOBUFS;
> > --
> > 2.44.4
> >
>
>
>
^ permalink raw reply [flat|nested] 10+ messages in thread
* RE: [1/4] Bluetooth: L2CAP: CoC: Disconnect if received packet's SDU exceeds IMTU
2026-02-25 17:07 [PATCH 1/4] Bluetooth: L2CAP: CoC: Disconnect if received packet's SDU exceeds IMTU Christian Eggers
` (3 preceding siblings ...)
2026-02-25 17:14 ` [PATCH 1/4] Bluetooth: L2CAP: CoC: Disconnect if received packet's SDU exceeds IMTU Luiz Augusto von Dentz
@ 2026-02-25 18:17 ` bluez.test.bot
2026-02-25 19:15 ` Luiz Augusto von Dentz
2026-02-25 20:00 ` [PATCH 1/4] " patchwork-bot+bluetooth
5 siblings, 1 reply; 10+ messages in thread
From: bluez.test.bot @ 2026-02-25 18:17 UTC (permalink / raw)
To: linux-bluetooth, ceggers
[-- Attachment #1: Type: text/plain, Size: 3829 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1057934
---Test result---
Test Summary:
CheckPatch PENDING 0.61 seconds
GitLint PENDING 0.39 seconds
SubjectPrefix PASS 0.22 seconds
BuildKernel PASS 26.19 seconds
CheckAllWarning PASS 29.05 seconds
CheckSparse WARNING 32.68 seconds
BuildKernel32 PASS 25.67 seconds
TestRunnerSetup PASS 566.33 seconds
TestRunner_l2cap-tester FAIL 32.80 seconds
TestRunner_iso-tester PASS 98.12 seconds
TestRunner_bnep-tester PASS 6.43 seconds
TestRunner_mgmt-tester FAIL 117.95 seconds
TestRunner_rfcomm-tester PASS 9.52 seconds
TestRunner_sco-tester FAIL 14.51 seconds
TestRunner_ioctl-tester PASS 10.38 seconds
TestRunner_mesh-tester FAIL 12.51 seconds
TestRunner_smp-tester PASS 8.73 seconds
TestRunner_userchan-tester PASS 6.78 seconds
IncrementalBuild PENDING 0.99 seconds
Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:
##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:
##############################
Test: CheckSparse - WARNING
Desc: Run sparse tool with linux kernel
Output:
net/bluetooth/l2cap_core.c:7785:1: error: bad constant expressionnet/bluetooth/l2cap_core.c:7786:1: error: bad constant expressionnet/bluetooth/l2cap_core.c:7788:1: error: bad constant expressionnet/bluetooth/l2cap_core.c:7789:1: error: bad constant expressionnet/bluetooth/l2cap_core.c:7785:1: error: bad constant expressionnet/bluetooth/l2cap_core.c:7786:1: error: bad constant expressionnet/bluetooth/l2cap_core.c:7788:1: error: bad constant expressionnet/bluetooth/l2cap_core.c:7789:1: error: bad constant expressionnet/bluetooth/l2cap_core.c:7785:1: error: bad constant expressionnet/bluetooth/l2cap_core.c:7786:1: error: bad constant expressionnet/bluetooth/l2cap_core.c:7788:1: error: bad constant expressionnet/bluetooth/l2cap_core.c:7789:1: error: bad constant expression
##############################
Test: TestRunner_l2cap-tester - FAIL
Desc: Run l2cap-tester with test-runner
Output:
Total: 96, Passed: 94 (97.9%), Failed: 2, Not Run: 0
Failed Test Cases
L2CAP LE Client - Read 32k Success Timed out 2.507 seconds
L2CAP LE Client - RX Timestamping 32k Timed out 1.890 seconds
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4
Failed Test Cases
Read Exp Feature - Success Failed 0.108 seconds
##############################
Test: TestRunner_sco-tester - FAIL
Desc: Run sco-tester with test-runner
Output:
WARNING: possible circular locking dependency detected
BUG: sleeping function called from invalid context at net/core/sock.c:3782
Total: 30, Passed: 30 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0
Failed Test Cases
Mesh - Send cancel - 1 Timed out 2.702 seconds
Mesh - Send cancel - 2 Timed out 1.987 seconds
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:
---
Regards,
Linux Bluetooth
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [1/4] Bluetooth: L2CAP: CoC: Disconnect if received packet's SDU exceeds IMTU
2026-02-25 18:17 ` [1/4] " bluez.test.bot
@ 2026-02-25 19:15 ` Luiz Augusto von Dentz
0 siblings, 0 replies; 10+ messages in thread
From: Luiz Augusto von Dentz @ 2026-02-25 19:15 UTC (permalink / raw)
To: linux-bluetooth; +Cc: ceggers
Hi Chirstian,
On Wed, Feb 25, 2026 at 1:18 PM <bluez.test.bot@gmail.com> wrote:
>
> This is automated email and please do not reply to this email!
>
> Dear submitter,
>
> Thank you for submitting the patches to the linux bluetooth mailing list.
> This is a CI test results with your patch series:
> PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1057934
>
> ---Test result---
>
> Test Summary:
> CheckPatch PENDING 0.61 seconds
> GitLint PENDING 0.39 seconds
> SubjectPrefix PASS 0.22 seconds
> BuildKernel PASS 26.19 seconds
> CheckAllWarning PASS 29.05 seconds
> CheckSparse WARNING 32.68 seconds
> BuildKernel32 PASS 25.67 seconds
> TestRunnerSetup PASS 566.33 seconds
> TestRunner_l2cap-tester FAIL 32.80 seconds
> TestRunner_iso-tester PASS 98.12 seconds
> TestRunner_bnep-tester PASS 6.43 seconds
> TestRunner_mgmt-tester FAIL 117.95 seconds
> TestRunner_rfcomm-tester PASS 9.52 seconds
> TestRunner_sco-tester FAIL 14.51 seconds
> TestRunner_ioctl-tester PASS 10.38 seconds
> TestRunner_mesh-tester FAIL 12.51 seconds
> TestRunner_smp-tester PASS 8.73 seconds
> TestRunner_userchan-tester PASS 6.78 seconds
> IncrementalBuild PENDING 0.99 seconds
>
> Details
> ##############################
> Test: CheckPatch - PENDING
> Desc: Run checkpatch.pl script
> Output:
>
> ##############################
> Test: GitLint - PENDING
> Desc: Run gitlint
> Output:
>
> ##############################
> Test: CheckSparse - WARNING
> Desc: Run sparse tool with linux kernel
> Output:
> net/bluetooth/l2cap_core.c:7785:1: error: bad constant expressionnet/bluetooth/l2cap_core.c:7786:1: error: bad constant expressionnet/bluetooth/l2cap_core.c:7788:1: error: bad constant expressionnet/bluetooth/l2cap_core.c:7789:1: error: bad constant expressionnet/bluetooth/l2cap_core.c:7785:1: error: bad constant expressionnet/bluetooth/l2cap_core.c:7786:1: error: bad constant expressionnet/bluetooth/l2cap_core.c:7788:1: error: bad constant expressionnet/bluetooth/l2cap_core.c:7789:1: error: bad constant expressionnet/bluetooth/l2cap_core.c:7785:1: error: bad constant expressionnet/bluetooth/l2cap_core.c:7786:1: error: bad constant expressionnet/bluetooth/l2cap_core.c:7788:1: error: bad constant expressionnet/bluetooth/l2cap_core.c:7789:1: error: bad constant expression
> ##############################
> Test: TestRunner_l2cap-tester - FAIL
> Desc: Run l2cap-tester with test-runner
> Output:
> Total: 96, Passed: 94 (97.9%), Failed: 2, Not Run: 0
>
> Failed Test Cases
> L2CAP LE Client - Read 32k Success Timed out 2.507 seconds
> L2CAP LE Client - RX Timestamping 32k Timed out 1.890 seconds
L2CAP LE Client - Read 32k Success - run
Connect in progress
Client connect CID 0x0040 handle 0x0001
Successfully connected to CID 0x0040
Bluetooth: Too big LE L2CAP MPS: len 672 > 188
It looks like something is not quite right with the tests above, we
are getting more data than expected per MPS. Anyway, here are some
changes I've made locally:
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 69a57b956895..a187be90e74a 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -6664,8 +6664,16 @@ static int l2cap_ecred_data_rcv(struct
l2cap_chan *chan, struct sk_buff *skb)
return -ENOBUFS;
}
- if (chan->mps_orig_le < skb->len || chan->imtu < skb->len) {
- BT_ERR("Too big LE L2CAP PDU");
+ if (skb->len > chan->imtu) {
+ BT_ERR("Too big LE L2CAP PDU: len %u > %u", skb->len,
+ chan->imtu);
+ l2cap_send_disconn_req(chan, ECONNRESET);
+ return -ENOBUFS;
+ }
+
+ if (skb->len > chan->mps_orig_le) {
+ BT_ERR("Too big LE L2CAP MPS: len %u > %u", skb->len,
+ chan->mps_orig_le);
l2cap_send_disconn_req(chan, ECONNRESET);
return -ENOBUFS;
}
Perhaps the bthost isn't checking the actual MPS to chunk it properly,
but it probably worth fixing so we don't leave these tests failing.
^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH 1/4] Bluetooth: L2CAP: CoC: Disconnect if received packet's SDU exceeds IMTU
2026-02-25 17:07 [PATCH 1/4] Bluetooth: L2CAP: CoC: Disconnect if received packet's SDU exceeds IMTU Christian Eggers
` (4 preceding siblings ...)
2026-02-25 18:17 ` [1/4] " bluez.test.bot
@ 2026-02-25 20:00 ` patchwork-bot+bluetooth
5 siblings, 0 replies; 10+ messages in thread
From: patchwork-bot+bluetooth @ 2026-02-25 20:00 UTC (permalink / raw)
To: Christian Eggers
Cc: marcel, johan.hedberg, luiz.dentz, linux-bluetooth, linux-kernel
Hello:
This series was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Wed, 25 Feb 2026 18:07:25 +0100 you wrote:
> Core 6.0, Vol 3, Part A, 3.4.3:
> "If the SDU length field value exceeds the receiver's MTU, the receiver
> shall disconnect the channel..."
>
> This fixes L2CAP/LE/CFC/BV-26-C (running together with 'l2test -r -P
> 0x0027 -V le_public -I 100').
>
> [...]
Here is the summary with links:
- [1/4] Bluetooth: L2CAP: CoC: Disconnect if received packet's SDU exceeds IMTU
(no matching commit)
- [2/4] Bluetooth: L2CAP: CoC: Disconnect if received packet size exceeds MPS
(no matching commit)
- [3/4] Bluetooth: L2CAP: CoC: Disconnect if sum of payload sizes exceed SDU
https://git.kernel.org/bluetooth/bluetooth-next/c/0911d455d881
- [4/4] Bluetooth: SMP: make SM/PER/KDU/BI-04-C happy
https://git.kernel.org/bluetooth/bluetooth-next/c/85e59519f724
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2026-02-25 19:59 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-02-25 17:07 [PATCH 1/4] Bluetooth: L2CAP: CoC: Disconnect if received packet's SDU exceeds IMTU Christian Eggers
2026-02-25 17:07 ` [PATCH 2/4] Bluetooth: L2CAP: CoC: Disconnect if received packet size exceeds MPS Christian Eggers
2026-02-25 17:24 ` Luiz Augusto von Dentz
2026-02-25 17:34 ` Christian Eggers
2026-02-25 17:07 ` [PATCH 3/4] Bluetooth: L2CAP: CoC: Disconnect if sum of payload sizes exceed SDU Christian Eggers
2026-02-25 17:07 ` [PATCH 4/4] Bluetooth: SMP: make SM/PER/KDU/BI-04-C happy Christian Eggers
2026-02-25 17:14 ` [PATCH 1/4] Bluetooth: L2CAP: CoC: Disconnect if received packet's SDU exceeds IMTU Luiz Augusto von Dentz
2026-02-25 18:17 ` [1/4] " bluez.test.bot
2026-02-25 19:15 ` Luiz Augusto von Dentz
2026-02-25 20:00 ` [PATCH 1/4] " patchwork-bot+bluetooth
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox