From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Howard Chung <howardchung@google.com>,
Marcel Holtmann <marcel@holtmann.org>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.4 41/85] Bluetooth: L2CAP: handle l2cap config request during open state
Date: Tue, 29 Sep 2020 13:00:08 +0200 [thread overview]
Message-ID: <20200929105930.282334426@linuxfoundation.org> (raw)
In-Reply-To: <20200929105928.198942536@linuxfoundation.org>
From: Howard Chung <howardchung@google.com>
[ Upstream commit 96298f640104e4cd9a913a6e50b0b981829b94ff ]
According to Core Spec Version 5.2 | Vol 3, Part A 6.1.5,
the incoming L2CAP_ConfigReq should be handled during
OPEN state.
The section below shows the btmon trace when running
L2CAP/COS/CFD/BV-12-C before and after this change.
=== Before ===
...
> ACL Data RX: Handle 256 flags 0x02 dlen 12 #22
L2CAP: Connection Request (0x02) ident 2 len 4
PSM: 1 (0x0001)
Source CID: 65
< ACL Data TX: Handle 256 flags 0x00 dlen 16 #23
L2CAP: Connection Response (0x03) ident 2 len 8
Destination CID: 64
Source CID: 65
Result: Connection successful (0x0000)
Status: No further information available (0x0000)
< ACL Data TX: Handle 256 flags 0x00 dlen 12 #24
L2CAP: Configure Request (0x04) ident 2 len 4
Destination CID: 65
Flags: 0x0000
> HCI Event: Number of Completed Packets (0x13) plen 5 #25
Num handles: 1
Handle: 256
Count: 1
> HCI Event: Number of Completed Packets (0x13) plen 5 #26
Num handles: 1
Handle: 256
Count: 1
> ACL Data RX: Handle 256 flags 0x02 dlen 16 #27
L2CAP: Configure Request (0x04) ident 3 len 8
Destination CID: 64
Flags: 0x0000
Option: Unknown (0x10) [hint]
01 00 ..
< ACL Data TX: Handle 256 flags 0x00 dlen 18 #28
L2CAP: Configure Response (0x05) ident 3 len 10
Source CID: 65
Flags: 0x0000
Result: Success (0x0000)
Option: Maximum Transmission Unit (0x01) [mandatory]
MTU: 672
> HCI Event: Number of Completed Packets (0x13) plen 5 #29
Num handles: 1
Handle: 256
Count: 1
> ACL Data RX: Handle 256 flags 0x02 dlen 14 #30
L2CAP: Configure Response (0x05) ident 2 len 6
Source CID: 64
Flags: 0x0000
Result: Success (0x0000)
> ACL Data RX: Handle 256 flags 0x02 dlen 20 #31
L2CAP: Configure Request (0x04) ident 3 len 12
Destination CID: 64
Flags: 0x0000
Option: Unknown (0x10) [hint]
01 00 91 02 11 11 ......
< ACL Data TX: Handle 256 flags 0x00 dlen 14 #32
L2CAP: Command Reject (0x01) ident 3 len 6
Reason: Invalid CID in request (0x0002)
Destination CID: 64
Source CID: 65
> HCI Event: Number of Completed Packets (0x13) plen 5 #33
Num handles: 1
Handle: 256
Count: 1
...
=== After ===
...
> ACL Data RX: Handle 256 flags 0x02 dlen 12 #22
L2CAP: Connection Request (0x02) ident 2 len 4
PSM: 1 (0x0001)
Source CID: 65
< ACL Data TX: Handle 256 flags 0x00 dlen 16 #23
L2CAP: Connection Response (0x03) ident 2 len 8
Destination CID: 64
Source CID: 65
Result: Connection successful (0x0000)
Status: No further information available (0x0000)
< ACL Data TX: Handle 256 flags 0x00 dlen 12 #24
L2CAP: Configure Request (0x04) ident 2 len 4
Destination CID: 65
Flags: 0x0000
> HCI Event: Number of Completed Packets (0x13) plen 5 #25
Num handles: 1
Handle: 256
Count: 1
> HCI Event: Number of Completed Packets (0x13) plen 5 #26
Num handles: 1
Handle: 256
Count: 1
> ACL Data RX: Handle 256 flags 0x02 dlen 16 #27
L2CAP: Configure Request (0x04) ident 3 len 8
Destination CID: 64
Flags: 0x0000
Option: Unknown (0x10) [hint]
01 00 ..
< ACL Data TX: Handle 256 flags 0x00 dlen 18 #28
L2CAP: Configure Response (0x05) ident 3 len 10
Source CID: 65
Flags: 0x0000
Result: Success (0x0000)
Option: Maximum Transmission Unit (0x01) [mandatory]
MTU: 672
> HCI Event: Number of Completed Packets (0x13) plen 5 #29
Num handles: 1
Handle: 256
Count: 1
> ACL Data RX: Handle 256 flags 0x02 dlen 14 #30
L2CAP: Configure Response (0x05) ident 2 len 6
Source CID: 64
Flags: 0x0000
Result: Success (0x0000)
> ACL Data RX: Handle 256 flags 0x02 dlen 20 #31
L2CAP: Configure Request (0x04) ident 3 len 12
Destination CID: 64
Flags: 0x0000
Option: Unknown (0x10) [hint]
01 00 91 02 11 11 .....
< ACL Data TX: Handle 256 flags 0x00 dlen 18 #32
L2CAP: Configure Response (0x05) ident 3 len 10
Source CID: 65
Flags: 0x0000
Result: Success (0x0000)
Option: Maximum Transmission Unit (0x01) [mandatory]
MTU: 672
< ACL Data TX: Handle 256 flags 0x00 dlen 12 #33
L2CAP: Configure Request (0x04) ident 3 len 4
Destination CID: 65
Flags: 0x0000
> HCI Event: Number of Completed Packets (0x13) plen 5 #34
Num handles: 1
Handle: 256
Count: 1
> HCI Event: Number of Completed Packets (0x13) plen 5 #35
Num handles: 1
Handle: 256
Count: 1
...
Signed-off-by: Howard Chung <howardchung@google.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/l2cap_core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index f6112f495a36c..f2db50da8ce2e 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -4096,7 +4096,8 @@ static inline int l2cap_config_req(struct l2cap_conn *conn,
return 0;
}
- if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
+ if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2 &&
+ chan->state != BT_CONNECTED) {
cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
chan->dcid);
goto unlock;
--
2.25.1
next prev parent reply other threads:[~2020-09-29 11:04 UTC|newest]
Thread overview: 90+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-29 10:59 [PATCH 4.4 00/85] 4.4.238-rc1 review Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.4 01/85] af_key: pfkey_dump needs parameter validation Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.4 02/85] KVM: fix memory leak in kvm_io_bus_unregister_dev() Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.4 03/85] kprobes: fix kill kprobe which has been marked as gone Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.4 04/85] ftrace: Setup correct FTRACE_FL_REGS flags for module Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.4 05/85] RDMA/ucma: ucma_context reference leak in error path Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.4 06/85] mtd: Fix comparison in map_word_andequal() Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.4 07/85] hdlc_ppp: add range checks in ppp_cp_parse_cr() Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.4 08/85] tipc: use skb_unshare() instead in tipc_buf_append() Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.4 09/85] net: add __must_check to skb_put_padto() Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.4 10/85] ip: fix tos reflection in ack and reset packets Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.4 11/85] serial: 8250: Avoid error message on reprobe Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.4 12/85] scsi: aacraid: fix illegal IO beyond last LBA Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.4 13/85] m68k: q40: Fix info-leak in rtc_ioctl Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.4 14/85] gma/gma500: fix a memory disclosure bug due to uninitialized bytes Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.4 15/85] ASoC: kirkwood: fix IRQ error handling Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.4 16/85] PM / devfreq: tegra30: Fix integer overflow on CPUs freq max out Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.4 17/85] mtd: cfi_cmdset_0002: dont free cfi->cfiq in error path of cfi_amdstd_setup() Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.4 18/85] mfd: mfd-core: Protect against NULL call-back function pointer Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.4 19/85] tracing: Adding NULL checks for trace_array descriptor pointer Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.4 20/85] bcache: fix a lost wake-up problem caused by mca_cannibalize_lock Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.4 21/85] xfs: fix attr leaf header freemap.size underflow Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.4 22/85] kernel/sys.c: avoid copying possible padding bytes in copy_to_user Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.4 23/85] neigh_stat_seq_next() should increase position index Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.4 24/85] rt_cpu_seq_next " Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.4 25/85] seqlock: Require WRITE_ONCE surrounding raw_seqcount_barrier Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.4 26/85] ACPI: EC: Reference count query handlers under lock Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.4 27/85] tracing: Set kernel_stacks caller size properly Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.4 28/85] ar5523: Add USB ID of SMCWUSBT-G2 wireless adapter Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.4 29/85] Bluetooth: Fix refcount use-after-free issue Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.4 30/85] mm: pagewalk: fix termination condition in walk_pte_range() Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.4 31/85] Bluetooth: prefetch channel before killing sock Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.4 32/85] skbuff: fix a data race in skb_queue_len() Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 33/85] audit: CONFIG_CHANGE dont log internal bookkeeping as an event Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 34/85] selinux: sel_avc_get_stat_idx should increase position index Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 35/85] scsi: lpfc: Fix RQ buffer leakage when no IOCBs available Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 36/85] drm/omap: fix possible object reference leak Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 37/85] dmaengine: tegra-apb: Prevent race conditions on channels freeing Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 38/85] media: go7007: Fix URB type for interrupt handling Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 39/85] Bluetooth: guard against controllers sending zerod events Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 40/85] drm/amdgpu: increase atombios cmd timeout Greg Kroah-Hartman
2020-09-29 11:00 ` Greg Kroah-Hartman [this message]
2020-09-29 11:00 ` [PATCH 4.4 42/85] media: tda10071: fix unsigned sign extension overflow Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 43/85] tpm: ibmvtpm: Wait for buffer to be set before proceeding Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 44/85] tracing: Use address-of operator on section symbols Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 45/85] serial: 8250_omap: Fix sleeping function called from invalid context during probe Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 46/85] SUNRPC: Fix a potential buffer overflow in svc_print_xprts() Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 47/85] ubifs: Fix out-of-bounds memory access caused by abnormal value of node_len Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 48/85] ALSA: usb-audio: Fix case when USB MIDI interface has more than one extra endpoint descriptor Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 49/85] mm/filemap.c: clear page error before actual read Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 50/85] mm/mmap.c: initialize align_offset explicitly for vm_unmapped_area Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 51/85] KVM: Remove CREATE_IRQCHIP/SET_PIT2 race Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 52/85] bdev: Reduce time holding bd_mutex in sync in blkdev_close() Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 53/85] drivers: char: tlclk.c: Avoid data race between init and interrupt handler Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 54/85] dt-bindings: sound: wm8994: Correct required supplies based on actual implementaion Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 55/85] atm: fix a memory leak of vcc->user_back Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 56/85] phy: samsung: s5pv210-usb2: Add delay after reset Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 57/85] Bluetooth: Handle Inquiry Cancel error after Inquiry Complete Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 58/85] USB: EHCI: ehci-mv: fix error handling in mv_ehci_probe() Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 59/85] tty: serial: samsung: Correct clock selection logic Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 60/85] ALSA: hda: Fix potential race in unsol event handler Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 61/85] fuse: dont check refcount after stealing page Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 62/85] USB: EHCI: ehci-mv: fix less than zero comparison of an unsigned int Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 63/85] e1000: Do not perform reset in reset_task if we are already down Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 64/85] printk: handle blank console arguments passed in Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 65/85] vfio/pci: fix memory leaks of eventfd ctx Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 66/85] perf kcore_copy: Fix module map when there are no modules loaded Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 67/85] mtd: rawnand: omap_elm: Fix runtime PM imbalance on error Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 68/85] ceph: fix potential race in ceph_check_caps Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 69/85] mtd: parser: cmdline: Support MTD names containing one or more colons Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 70/85] x86/speculation/mds: Mark mds_user_clear_cpu_buffers() __always_inline Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 71/85] vfio/pci: Clear error and request eventfd ctx after releasing Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 72/85] vfio/pci: fix racy on error and request eventfd ctx Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 73/85] s390/init: add missing __init annotations Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 74/85] mwifiex: Increase AES key storage size to 256 bits Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 75/85] batman-adv: bla: fix type misuse for backbone_gw hash indexing Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 76/85] atm: eni: fix the missed pci_disable_device() for eni_init_one() Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 77/85] batman-adv: mcast/TT: fix wrongly dropped or rerouted packets Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 78/85] ALSA: asihpi: fix iounmap in error handler Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 79/85] MIPS: Add the missing CPU_1074K into __get_cpu_type() Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 80/85] tty: vt, consw->con_scrolldelta cleanup Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 81/85] kprobes: Fix to check probe enabled before disarm_kprobe_ftrace() Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 82/85] lib/string.c: implement stpcpy Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 83/85] ata: define AC_ERR_OK Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 84/85] ata: make qc_prep return ata_completion_errors Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.4 85/85] ata: sata_mv, avoid trigerrable BUG_ON Greg Kroah-Hartman
2020-09-29 12:25 ` [PATCH 4.4 00/85] 4.4.238-rc1 review Pavel Machek
2020-09-29 20:45 ` Guenter Roeck
2020-09-30 19:50 ` Shuah Khan
2020-10-01 1:45 ` Dan Rue
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200929105930.282334426@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=howardchung@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=marcel@holtmann.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox