Re: [PATCH] Bluetooth: L2CAP: fix an illegal state transition from BT_DISCONN

From: Luiz Augusto von Dentz
Date: Mon Sep 26 2022 - 17:33:59 EST


Hi Kim,

On Mon, Sep 26, 2022 at 1:47 PM Sungwoo Kim <iam@xxxxxxxxxxxx> wrote:
>
> Prevent an illegal state transition from BT_DISCONN to BT_CONFIG.
> L2CAP_CONN_RSP and L2CAP_CREATE_CHAN_RSP events should be ignored
> for BT_DISCONN state according to the Bluetooth Core v5.3 p.1096.
> It was found by BTFuzz, a modified version of syzkaller.
>
> Signed-off-by: Sungwoo Kim <iam@xxxxxxxxxxxx>
> ---
> net/bluetooth/l2cap_core.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
> index 2c9de67da..a15d64b13 100644
> --- a/net/bluetooth/l2cap_core.c
> +++ b/net/bluetooth/l2cap_core.c
> @@ -4307,6 +4307,9 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
> }
> }

Perhaps it would be better to switch to using l2cap_get_chan_by_scid and
l2cap_get_chan_by_ident, since I suspect this is caused by the socket
being terminated while the response is in course, so the chan reference
is already 0, which is why l2cap_chan_hold_unless_zero is probably
preferable to checking the state directly.

> + if (chan->state == BT_DISCONN)
> + goto unlock;
> +
> err = 0;
>
> l2cap_chan_lock(chan);
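Review bot: the new `if (chan->state == BT_DISCONN) goto unlock;` sits before `l2cap_chan_lock(chan);`, so the state is read without the channel lock and a concurrent state change can land between this test and the transition the handler performs later; it also jumps past the `err = 0;` that follows it, so the value returned on that path is whatever err held before this hunk, which the context does not show. Move the check below `l2cap_chan_lock(chan);` (then the early exit must also unlock the channel), and assign err explicitly before jumping. If the lookup is switched to l2cap_get_chan_by_scid / l2cap_get_chan_by_ident as suggested above, the lock and the hold_unless_zero test come with the lookup and the state check can sit directly under them.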
> --
> 2.25.1
>


--
Luiz Augusto von Dentz
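The two points raised in this thread, ignoring a CONN_RSP in any state other than the one waiting for it, and refusing to act on a channel whose reference count already hit zero because the socket is being torn down, can be shown together in a small single-threaded model. The following is an added example written for this page, not kernel code: it borrows the names BT_CONNECT, BT_CONFIG, BT_DISCONN, BT_CLOSED, L2CAP_CR_SUCCESS and L2CAP_CR_PEND from the kernel headers, but the enum values, the structs, and the functions handle_conn_rsp(), chan_hold_unless_zero() and simulate() are this example's own simplifications and stand-ins, not the kernel's.

```c
/* Added example (not kernel code): a single-threaded user-space model of
 * how an L2CAP_CONN_RSP should be validated against both the channel's
 * state and its lifetime. Names are borrowed from the kernel headers; the
 * values, structs and functions are this example's own simplifications. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Subset of the per-channel socket states the L2CAP code tracks. */
enum chan_state { BT_CLOSED, BT_CONNECT, BT_CONFIG, BT_CONNECTED, BT_DISCONN };

/* Connection response result codes (Core spec Vol 3, Part A values). */
#define L2CAP_CR_SUCCESS 0x0000
#define L2CAP_CR_PEND    0x0001

struct chan {
	uint16_t scid;          /* our (source) channel id */
	uint16_t dcid;          /* peer's channel id, learned from the response */
	int refcnt;             /* 0 once the owning socket has started tearing down */
	enum chan_state state;
};

#define MAX_CHANS 4
struct conn {
	struct chan *chans[MAX_CHANS];
};

/* Outcomes are this example's own, not kernel return values. */
enum rsp_outcome { RSP_NO_CHAN, RSP_DROPPED_REF_ZERO, RSP_IGNORED_STATE, RSP_APPLIED };

static struct chan *lookup_by_scid(struct conn *c, uint16_t scid)
{
	for (size_t i = 0; i < MAX_CHANS; i++)
		if (c->chans[i] && c->chans[i]->scid == scid)
			return c->chans[i];
	return NULL;
}

/* Stand-in for l2cap_chan_hold_unless_zero(): take a reference only while
 * the object is still alive. Single-threaded, so a plain int replaces the
 * atomic refcount. */
static bool chan_hold_unless_zero(struct chan *c)
{
	if (c->refcnt == 0)
		return false;
	c->refcnt++;
	return true;
}

static void chan_put(struct chan *c)
{
	c->refcnt--;
}

/* A CONN_RSP only means something while we are waiting for one (BT_CONNECT).
 * In every other state, BT_DISCONN included, it is ignored, which is the rule
 * the patch wants enforced; the refcount test in front covers the teardown
 * race described in the reply. */
static enum rsp_outcome handle_conn_rsp(struct conn *conn, uint16_t scid,
					uint16_t dcid, uint16_t result)
{
	struct chan *chan = lookup_by_scid(conn, scid);
	enum rsp_outcome out;

	if (!chan)
		return RSP_NO_CHAN;
	if (!chan_hold_unless_zero(chan))
		return RSP_DROPPED_REF_ZERO;  /* socket already closing: treat as gone */

	if (chan->state != BT_CONNECT) {
		out = RSP_IGNORED_STATE;
	} else if (result == L2CAP_CR_SUCCESS) {
		chan->dcid = dcid;
		chan->state = BT_CONFIG;      /* the only legal way into BT_CONFIG here */
		out = RSP_APPLIED;
	} else if (result == L2CAP_CR_PEND) {
		out = RSP_APPLIED;            /* stay in BT_CONNECT, final response follows */
	} else {
		chan->state = BT_CLOSED;      /* refused: simplified stand-in for chan deletion */
		out = RSP_APPLIED;
	}
	chan_put(chan);
	return out;
}

/* Scenario helper: one channel in the given initial state with the given
 * refcount receives one CONN_RSP; the channel stays in g_chan for inspection. */
static struct chan g_chan;

static enum rsp_outcome simulate(enum chan_state initial, int refcnt, uint16_t result)
{
	struct conn conn = { .chans = { &g_chan } };

	g_chan = (struct chan){ .scid = 0x0040, .dcid = 0, .refcnt = refcnt, .state = initial };
	return handle_conn_rsp(&conn, 0x0040, 0x0050, result);
}

static enum chan_state simulate_state(void) { return g_chan.state; }
static int simulate_refcnt(void) { return g_chan.refcnt; }

int main(void)
{
	struct { const char *name; enum chan_state st; int ref; uint16_t res; } cases[] = {
		{ "BT_CONNECT, ref 1, SUCCESS", BT_CONNECT, 1, L2CAP_CR_SUCCESS },
		{ "BT_DISCONN, ref 1, SUCCESS", BT_DISCONN, 1, L2CAP_CR_SUCCESS },
		{ "BT_CONNECT, ref 0, SUCCESS", BT_CONNECT, 0, L2CAP_CR_SUCCESS },
	};
	for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
		enum rsp_outcome o = simulate(cases[i].st, cases[i].ref, cases[i].res);
		printf("%-28s -> outcome %d, final state %d\n", cases[i].name, o, simulate_state());
	}
	return 0;
}
```

The ordering inside handle_conn_rsp() is the point: the liveness check (hold_unless_zero) comes first, and the state check is evaluated only on a channel we hold a reference to, so neither a torn-down socket nor a channel already in BT_DISCONN can be moved into BT_CONFIG. In the real driver the state read would additionally have to happen under the channel lock, which this single-threaded model omits.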