From: Sungwoo Kim
Cc: syzkaller@googlegroups.com, Sungwoo Kim, Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, linux-bluetooth@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] Bluetooth: L2CAP: fix an illegal state transition from BT_DISCONN
Date: Mon, 26 Sep 2022 16:46:58 -0400
Message-Id: <20220926204657.3147968-1-iam@sung-woo.kim>
X-Mailer: git-send-email 2.25.1
List-ID: linux-bluetooth@vger.kernel.org

Prevent an illegal state transition from BT_DISCONN to BT_CONFIG.
L2CAP_CONN_RSP and L2CAP_CREATE_CHAN_RSP events should be ignored for
BT_DISCONN state according to the Bluetooth Core v5.3 p.1096.
It is found by BTFuzz, a modified version of syzkaller.

Signed-off-by: Sungwoo Kim
---
 net/bluetooth/l2cap_core.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index 2c9de67da..a15d64b13 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c
@@ -4307,6 +4307,9 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn, } } + if (chan->state == BT_DISCONN) + goto unlock; + err = 0; l2cap_chan_lock(chan); -- 2.25.1
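Review bot: the inserted `goto unlock` jumps past the `err = 0;` that follows it, and nothing in the hunk shows `err` being assigned earlier, so on the BT_DISCONN path the function would return an uninitialized `err`; assign it explicitly before the goto (`err = 0;` if the response is simply to be ignored, or a specific error code if the caller should see one). The check also reads `chan->state` before `l2cap_chan_lock(chan)` is taken on the very next line, so the state can change between the test and the lock; taking the channel lock first and leaving through the existing channel-unlock path would close that window. A one-line comment citing the Core v5.3 p.1096 rule from the commit message would document why the response is dropped at this point.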