[PATCH v2] Bluetooth: L2CAP: CoC: Disconnect if received packet size exceeds MPS

public inbox for linux-bluetooth@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH v2] Bluetooth: L2CAP: CoC: Disconnect if received packet size exceeds MPS
@ 2026-02-26 20:43 Luiz Augusto von Dentz
  2026-02-26 20:48 ` Luiz Augusto von Dentz
                   ` (3 more replies)
  0 siblings, 4 replies; 6+ messages in thread
From: Luiz Augusto von Dentz @ 2026-02-26 20:43 UTC (permalink / raw)
  To: linux-bluetooth

From: Christian Eggers <ceggers@arri.de>

Core 6.0, Vol 3, Part A, 3.4.3:
"... If the payload size of any K-frame exceeds the receiver's MPS, the
receiver shall disconnect the channel..."

This fixes L2CAP/LE/CFC/BV-27-C (running together with 'l2test -r -P
0x0027 -V le_public -I 100').

Signed-off-by: Christian Eggers <ceggers@arri.de>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
Note: due to lack of L2CAP CoC segmentation support in bthost the following
test as expected to fail:

L2CAP LE Client - Read 32k Success
L2CAP LE Client - RX Timestamping 32k

 net/bluetooth/l2cap_core.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index f550ceceb618..14131e427efd 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -6669,6 +6669,13 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
 		return -ENOBUFS;
 	}
 
+	if (skb->len > chan->mps) {
+		BT_ERR("Too big LE L2CAP MPS: len %u > %u", skb->len,
+		       chan->mps);
+		l2cap_send_disconn_req(chan, ECONNRESET);
+		return -ENOBUFS;
+	}
+
 	chan->rx_credits--;
 	BT_DBG("chan %p: rx_credits %u -> %u",
 	       chan, chan->rx_credits + 1, chan->rx_credits);
-- 
2.52.0


^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [PATCH v2] Bluetooth: L2CAP: CoC: Disconnect if received packet size exceeds MPS
  2026-02-26 20:43 [PATCH v2] Bluetooth: L2CAP: CoC: Disconnect if received packet size exceeds MPS Luiz Augusto von Dentz
@ 2026-02-26 20:48 ` Luiz Augusto von Dentz
  2026-02-27 15:44   ` Christian Eggers
  2026-02-26 21:26 ` [v2] " bluez.test.bot
                   ` (2 subsequent siblings)
  3 siblings, 1 reply; 6+ messages in thread
From: Luiz Augusto von Dentz @ 2026-02-26 20:48 UTC (permalink / raw)
  To: linux-bluetooth, Christian Eggers

Hi Christian,

On Thu, Feb 26, 2026 at 3:44 PM Luiz Augusto von Dentz
<luiz.dentz@gmail.com> wrote:
>
> From: Christian Eggers <ceggers@arri.de>
>
> Core 6.0, Vol 3, Part A, 3.4.3:
> "... If the payload size of any K-frame exceeds the receiver's MPS, the
> receiver shall disconnect the channel..."
>
> This fixes L2CAP/LE/CFC/BV-27-C (running together with 'l2test -r -P
> 0x0027 -V le_public -I 100').
>
> Signed-off-by: Christian Eggers <ceggers@arri.de>
> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> ---
> Note: due to lack of L2CAP CoC segmentation support in bthost the following
> test as expected to fail:
>
> L2CAP LE Client - Read 32k Success
> L2CAP LE Client - RX Timestamping 32k

I didn't have to introduce any new fields btw since the above tests
confirm the MPS is working. I reverted to just using chan->mps, remote
mps is tracked by remote_mps field and I check that the remote cannot
actually set our own MPS. I wonder if something else was at play or if
there is some specific requirement for L2CAP/LE/CFC/BV-27-C (e.g.
reconfigure?)

>
>  net/bluetooth/l2cap_core.c | 7 +++++++
>  1 file changed, 7 insertions(+)
>
> diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
> index f550ceceb618..14131e427efd 100644
> --- a/net/bluetooth/l2cap_core.c
> +++ b/net/bluetooth/l2cap_core.c
> @@ -6669,6 +6669,13 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
>                 return -ENOBUFS;
>         }
>
> +       if (skb->len > chan->mps) {
> +               BT_ERR("Too big LE L2CAP MPS: len %u > %u", skb->len,
> +                      chan->mps);
> +               l2cap_send_disconn_req(chan, ECONNRESET);
> +               return -ENOBUFS;
> +       }
> +
>         chan->rx_credits--;
>         BT_DBG("chan %p: rx_credits %u -> %u",
>                chan, chan->rx_credits + 1, chan->rx_credits);
> --
> 2.52.0
>


-- 
Luiz Augusto von Dentz

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v2] Bluetooth: L2CAP: CoC: Disconnect if received packet size exceeds MPS
  2026-02-26 20:48 ` Luiz Augusto von Dentz
@ 2026-02-27 15:44   ` Christian Eggers
  0 siblings, 0 replies; 6+ messages in thread
From: Christian Eggers @ 2026-02-27 15:44 UTC (permalink / raw)
  To: linux-bluetooth, Luiz Augusto von Dentz

Hi Luiz,

On Thursday, 26 February 2026, 21:48:48 CET, Luiz Augusto von Dentz wrote:
> Hi Christian,
> 
> On Thu, Feb 26, 2026 at 3:44 PM Luiz Augusto von Dentz
> <luiz.dentz@gmail.com> wrote:
> >
> > From: Christian Eggers <ceggers@arri.de>
> >
> > Core 6.0, Vol 3, Part A, 3.4.3:
> > "... If the payload size of any K-frame exceeds the receiver's MPS, the
> > receiver shall disconnect the channel..."
> >
> > This fixes L2CAP/LE/CFC/BV-27-C (running together with 'l2test -r -P
> > 0x0027 -V le_public -I 100').
> >
> > Signed-off-by: Christian Eggers <ceggers@arri.de>
> > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > ---
> > Note: due to lack of L2CAP CoC segmentation support in bthost the following
> > test as expected to fail:
> >
> > L2CAP LE Client - Read 32k Success
> > L2CAP LE Client - RX Timestamping 32k
> 
> I didn't have to introduce any new fields btw since the above tests
> confirm the MPS is working. I reverted to just using chan->mps, remote
> mps is tracked by remote_mps field and I check that the remote cannot
> actually set our own MPS. I wonder if something else was at play or if
> there is some specific requirement for L2CAP/LE/CFC/BV-27-C (e.g.
> reconfigure?)

Unfortunately I cannot tell anymore why simply checking chan->mps was not
sufficient for me. I have tested your simplified version and 
L2CAP/LE/CFC/BV-27-C runs fine. So you can add this to bluetooth-next.

BTW: In the description of the other patch 
"LE L2CAP: Disconnect if sum of payload sizes exceed SDU", the PTS test
seem to be wrong:

L2CAP/LE/CFC/BV-27-C --> L2CAP/LE/CFC/BV-28-C

Maybe you would like to fix this in bluetooth-next

regards,
Christian

> 
> >
> >  net/bluetooth/l2cap_core.c | 7 +++++++
> >  1 file changed, 7 insertions(+)
> >
> > diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
> > index f550ceceb618..14131e427efd 100644
> > --- a/net/bluetooth/l2cap_core.c
> > +++ b/net/bluetooth/l2cap_core.c
> > @@ -6669,6 +6669,13 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
> >                 return -ENOBUFS;
> >         }
> >
> > +       if (skb->len > chan->mps) {
> > +               BT_ERR("Too big LE L2CAP MPS: len %u > %u", skb->len,
> > +                      chan->mps);
> > +               l2cap_send_disconn_req(chan, ECONNRESET);
> > +               return -ENOBUFS;
> > +       }
> > +
> >         chan->rx_credits--;
> >         BT_DBG("chan %p: rx_credits %u -> %u",
> >                chan, chan->rx_credits + 1, chan->rx_credits);
> > --
> > 2.52.0
> >
> 
> 
> 





^ permalink raw reply	[flat|nested] 6+ messages in thread

* RE: [v2] Bluetooth: L2CAP: CoC: Disconnect if received packet size exceeds MPS
  2026-02-26 20:43 [PATCH v2] Bluetooth: L2CAP: CoC: Disconnect if received packet size exceeds MPS Luiz Augusto von Dentz
  2026-02-26 20:48 ` Luiz Augusto von Dentz
@ 2026-02-26 21:26 ` bluez.test.bot
  2026-02-27 16:30 ` [PATCH v2] " Christian Eggers
  2026-02-27 18:40 ` patchwork-bot+bluetooth
  3 siblings, 0 replies; 6+ messages in thread
From: bluez.test.bot @ 2026-02-26 21:26 UTC (permalink / raw)
  To: linux-bluetooth, luiz.dentz

[-- Attachment #1: Type: text/plain, Size: 3549 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1058650

---Test result---

Test Summary:
CheckPatch                    PENDING   0.51 seconds
GitLint                       PENDING   0.41 seconds
SubjectPrefix                 PASS      0.06 seconds
BuildKernel                   PASS      26.47 seconds
CheckAllWarning               PASS      28.77 seconds
CheckSparse                   WARNING   32.37 seconds
BuildKernel32                 PASS      25.65 seconds
TestRunnerSetup               PASS      572.31 seconds
TestRunner_l2cap-tester       FAIL      33.20 seconds
TestRunner_iso-tester         FAIL      43.43 seconds
TestRunner_bnep-tester        PASS      6.53 seconds
TestRunner_mgmt-tester        FAIL      115.20 seconds
TestRunner_rfcomm-tester      PASS      9.37 seconds
TestRunner_sco-tester         FAIL      14.74 seconds
TestRunner_ioctl-tester       PASS      10.20 seconds
TestRunner_mesh-tester        FAIL      12.42 seconds
TestRunner_smp-tester         PASS      8.53 seconds
TestRunner_userchan-tester    PASS      6.57 seconds
IncrementalBuild              PENDING   0.81 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: CheckSparse - WARNING
Desc: Run sparse tool with linux kernel
Output:
net/bluetooth/l2cap_core.c:7792:1: error: bad constant expressionnet/bluetooth/l2cap_core.c:7793:1: error: bad constant expressionnet/bluetooth/l2cap_core.c:7795:1: error: bad constant expressionnet/bluetooth/l2cap_core.c:7796:1: error: bad constant expression
##############################
Test: TestRunner_l2cap-tester - FAIL
Desc: Run l2cap-tester with test-runner
Output:
Total: 96, Passed: 94 (97.9%), Failed: 2, Not Run: 0

Failed Test Cases
L2CAP LE Client - Read 32k Success                   Timed out    2.371 seconds
L2CAP LE Client - RX Timestamping 32k                Timed out    1.896 seconds
##############################
Test: TestRunner_iso-tester - FAIL
Desc: Run iso-tester with test-runner
Output:
BUG: KASAN: slab-use-after-free in le_read_features_complete+0x7e/0x2b0
Total: 141, Passed: 141 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4

Failed Test Cases
Read Exp Feature - Success                           Failed       0.107 seconds
##############################
Test: TestRunner_sco-tester - FAIL
Desc: Run sco-tester with test-runner
Output:
WARNING: possible circular locking dependency detected
BUG: sleeping function called from invalid context at net/core/sock.c:3782
Total: 30, Passed: 30 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0

Failed Test Cases
Mesh - Send cancel - 1                               Timed out    2.718 seconds
Mesh - Send cancel - 2                               Timed out    1.991 seconds
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:



---
Regards,
Linux Bluetooth


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v2] Bluetooth: L2CAP: CoC: Disconnect if received packet size exceeds MPS
  2026-02-26 20:43 [PATCH v2] Bluetooth: L2CAP: CoC: Disconnect if received packet size exceeds MPS Luiz Augusto von Dentz
  2026-02-26 20:48 ` Luiz Augusto von Dentz
  2026-02-26 21:26 ` [v2] " bluez.test.bot
@ 2026-02-27 16:30 ` Christian Eggers
  2026-02-27 18:40 ` patchwork-bot+bluetooth
  3 siblings, 0 replies; 6+ messages in thread
From: Christian Eggers @ 2026-02-27 16:30 UTC (permalink / raw)
  To: linux-bluetooth, Luiz Augusto von Dentz

On Thursday, 26 February 2026, 21:43:57 CET, Luiz Augusto von Dentz wrote:
> From: Christian Eggers <ceggers@arri.de>
> 
> Core 6.0, Vol 3, Part A, 3.4.3:
> "... If the payload size of any K-frame exceeds the receiver's MPS, the
> receiver shall disconnect the channel..."
> 
> This fixes L2CAP/LE/CFC/BV-27-C (running together with 'l2test -r -P
> 0x0027 -V le_public -I 100').
> 
> Signed-off-by: Christian Eggers <ceggers@arri.de>
> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> ---
> Note: due to lack of L2CAP CoC segmentation support in bthost the following
> test as expected to fail:
> 
> L2CAP LE Client - Read 32k Success
> L2CAP LE Client - RX Timestamping 32k
> 
>  net/bluetooth/l2cap_core.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
> index f550ceceb618..14131e427efd 100644
> --- a/net/bluetooth/l2cap_core.c
> +++ b/net/bluetooth/l2cap_core.c
> @@ -6669,6 +6669,13 @@ static int l2cap_ecred_data_rcv(struct l2cap_chan *chan, struct sk_buff *skb)
>  		return -ENOBUFS;
>  	}
>  
> +	if (skb->len > chan->mps) {
> +		BT_ERR("Too big LE L2CAP MPS: len %u > %u", skb->len,
> +		       chan->mps);
> +		l2cap_send_disconn_req(chan, ECONNRESET);
> +		return -ENOBUFS;
> +	}
> +
>  	chan->rx_credits--;
>  	BT_DBG("chan %p: rx_credits %u -> %u",
>  	       chan, chan->rx_credits + 1, chan->rx_credits);
> 

Tested-by: Christian Eggers <ceggers@arri.de>




^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v2] Bluetooth: L2CAP: CoC: Disconnect if received packet size exceeds MPS
  2026-02-26 20:43 [PATCH v2] Bluetooth: L2CAP: CoC: Disconnect if received packet size exceeds MPS Luiz Augusto von Dentz
                   ` (2 preceding siblings ...)
  2026-02-27 16:30 ` [PATCH v2] " Christian Eggers
@ 2026-02-27 18:40 ` patchwork-bot+bluetooth
  3 siblings, 0 replies; 6+ messages in thread
From: patchwork-bot+bluetooth @ 2026-02-27 18:40 UTC (permalink / raw)
  To: Luiz Augusto von Dentz; +Cc: linux-bluetooth

Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Thu, 26 Feb 2026 15:43:57 -0500 you wrote:
> From: Christian Eggers <ceggers@arri.de>
> 
> Core 6.0, Vol 3, Part A, 3.4.3:
> "... If the payload size of any K-frame exceeds the receiver's MPS, the
> receiver shall disconnect the channel..."
> 
> This fixes L2CAP/LE/CFC/BV-27-C (running together with 'l2test -r -P
> 0x0027 -V le_public -I 100').
> 
> [...]

Here is the summary with links:
  - [v2] Bluetooth: L2CAP: CoC: Disconnect if received packet size exceeds MPS
    https://git.kernel.org/bluetooth/bluetooth-next/c/cb75c9a0505b

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2026-02-27 18:40 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-02-26 20:43 [PATCH v2] Bluetooth: L2CAP: CoC: Disconnect if received packet size exceeds MPS Luiz Augusto von Dentz
2026-02-26 20:48 ` Luiz Augusto von Dentz
2026-02-27 15:44   ` Christian Eggers
2026-02-26 21:26 ` [v2] " bluez.test.bot
2026-02-27 16:30 ` [PATCH v2] " Christian Eggers
2026-02-27 18:40 ` patchwork-bot+bluetooth

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox