
[PW_SID:1100866] [bluetooth-next] Bluetooth: L2CAP: fix list corruption in l2cap_ecred_conn_rsp#242

Status: Open. BluezTestBot wants to merge 1 commit into workflow from 1100866.

Conversation

@BluezTestBot

The duplicate DCID handling in l2cap_ecred_conn_rsp() calls
l2cap_chan_del() on the channel found by __l2cap_get_chan_by_dcid(),
which may be the 'tmp' pointer of the enclosing
list_for_each_entry_safe loop. list_del() poisons tmp->list.next with
LIST_POISON1, and the next iteration dereferences it:

KASAN: wild-memory-access in range [0xdead000000000100-0xdead000000000107]
pc : l2cap_recv_frame+0x3b7c/0x7360

Break out of the loop after the duplicate handling to avoid iterating
with the corrupted pointer. Remaining pending channels for the same
ident are not processed; they will time out via the standard L2CAP
channel timeout since the response indicates a misbehaving peer. Add a
NULL check on the second __l2cap_get_chan_by_dcid() call for robustness.

Fixes: 15f02b9 ("Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode")
Signed-off-by: Zhenghang Xiao <kipreyyy@gmail.com>

net/bluetooth/l2cap_core.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)

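As an added illustration (not part of the patch or of the kernel tree), a self-contained userspace model of the iteration hazard the commit message describes: a replica of the kernel's intrusive list with list_del() poisoning, a hypothetical stand-in for struct l2cap_chan, and the duplicate-DCID walk with and without the break. The helper names (run_scenario, chans_left, DUP_RSP, OK_RSP), the DCID values and the channel layout are constructed for the demonstration.

```c
#include <stddef.h>
/* Constructed userspace replica of the kernel list (not kernel code):
 * list_del() writes LIST_POISON1 into ->next, just as the real one does. */
#define LIST_POISON1 ((struct list_head *)0xdead000000000100UL)
struct list_head { struct list_head *next, *prev; };
#define container_of(p, T, m) ((T *)((char *)(p) - offsetof(T, m)))
static void list_add_tail(struct list_head *e, struct list_head *h)
{ e->prev = h->prev; e->next = h; h->prev->next = e; h->prev = e; }
static void list_del(struct list_head *e)
{ e->prev->next = e->next; e->next->prev = e->prev; e->next = LIST_POISON1; }
static int list_count(struct list_head *h)
{ int n = 0; for (struct list_head *p = h->next; p != h; p = p->next) n++; return n; }
/* Hypothetical stand-in for struct l2cap_chan with only the fields used. */
struct l2cap_chan { int ident, dcid; struct list_head list; };
static struct l2cap_chan *get_chan_by_dcid(struct list_head *h, int dcid) {
    for (struct list_head *p = h->next; p != h; p = p->next)
        if (container_of(p, struct l2cap_chan, list)->dcid == dcid)
            return container_of(p, struct l2cap_chan, list);
    return NULL;
}
/* Open-coded list_for_each_entry_safe over the channels pending on `ident`: a DCID
 * already in use deletes the channel holding it (l2cap_chan_del), which may be 'tmp'.
 * `fixed` applies the patch. Returns channels assigned, or -1 at the wild read. */
static int ecred_conn_rsp(struct list_head *h, int ident, const int *rsp, int fixed) {
    struct list_head *pos = h->next, *tmp = pos->next; int assigned = 0, i = 0;
    while (pos != h) {
        struct l2cap_chan *chan = container_of(pos, struct l2cap_chan, list);
        if (chan->ident == ident) {
            int dcid = rsp[i++];                        /* peer's DCID for this chan */
            struct l2cap_chan *dup = get_chan_by_dcid(h, dcid);
            if (!dup) { chan->dcid = dcid; assigned++; }
            else { list_del(&dup->list); if (fixed) break; }   /* the patch: break */
        }
        if (tmp == LIST_POISON1) return -1;  /* kernel: KASAN wild-memory-access */
        pos = tmp; tmp = tmp->next;
    }
    return assigned;
}
/* Scenario: A (pending) -> B (established, DCID 0x41) -> C (pending). Answering
 * A with DCID 0x41 makes B, the loop's 'tmp', the duplicate that gets deleted. */
static const int DUP_RSP[] = { 0x41, 0x42 }, OK_RSP[] = { 0x43, 0x42 }; /* constructed */
static int chans_left;                   /* channels still linked after a run */
static int run_scenario(const int *rsp, int fixed) {
    struct list_head head = { &head, &head };
    struct l2cap_chan a = { 1, 0 }, b = { 0, 0x41 }, c = { 1, 0 };
    list_add_tail(&a.list, &head); list_add_tail(&b.list, &head); list_add_tail(&c.list, &head);
    int r = ecred_conn_rsp(&head, 1, rsp, fixed);
    chans_left = list_count(&head);
    return r;
}
```

With the unpatched walk the model stops where the kernel would fault on tmp->next; with the break, B is unlinked and the list stays consistent for the channels that remain pending.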
@github-actions

CheckPatch
Desc: Run checkpatch.pl script
Duration: 0.75 seconds
Result: FAIL
Output:

[bluetooth-next] Bluetooth: L2CAP: fix list corruption in l2cap_ecred_conn_rsp
WARNING: Prefer a maximum 75 chars per line (possible unwrapped commit description?)
#103: 
  KASAN: wild-memory-access in range [0xdead000000000100-0xdead000000000107]

total: 0 errors, 1 warnings, 0 checks, 16 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

/github/workspace/src/patch/14594665.patch has style problems, please review.

NOTE: Ignored message types: UNKNOWN_COMMIT_ID

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.


@github-actions

VerifyFixes
Desc: Verify Fixes tag format and validity
Duration: 0.14 seconds
Result: PASS

@github-actions

VerifySignedoff
Desc: Verify Signed-off-by chain
Duration: 0.14 seconds
Result: PASS

@github-actions

GitLint
Desc: Run gitlint
Duration: 0.34 seconds
Result: PASS

@github-actions

SubjectPrefix
Desc: Check subject contains "Bluetooth" prefix
Duration: 0.13 seconds
Result: PASS

@github-actions

BuildKernel
Desc: Build Kernel for Bluetooth
Duration: 27.86 seconds
Result: PASS

@github-actions

CheckAllWarning
Desc: Run linux kernel with all warning enabled
Duration: 30.00 seconds
Result: PASS

@github-actions

CheckSparse
Desc: Run sparse tool with linux kernel
Duration: 29.08 seconds
Result: PASS

@github-actions

BuildKernel32
Desc: Build 32bit Kernel for Bluetooth
Duration: 26.70 seconds
Result: PASS

@github-actions

TestRunnerSetup
Desc: Setup kernel and bluez for test-runner
Duration: 591.10 seconds
Result: PASS

@github-actions

TestRunner_l2cap-tester
Desc: Run l2cap-tester with test-runner
Duration: 61.70 seconds
Result: FAIL
Output:

Total: 96, Passed: 95 (99.0%), Failed: 1, Not Run: 0

Failed Test Cases
L2CAP BR/EDR Server - Set PHY 3M                     Failed       0.277 seconds

@github-actions

IncrementalBuild
Desc: Incremental build with the patches in the series
Duration: 25.95 seconds
Result: PASS
