Prevent an illegal state transition from BT_DISCONN to BT_CONFIG. L2CAP_CONN_RSP and L2CAP_CREATE_CHAN_RSP events should be ignored for BT_DISCONN state according to the Bluetooth Core v5.3 p.1096. It is found by BTFuzz, a modified version of syzkaller. Signed-off-by: Sungwoo Kim <iam@xxxxxxxxxxxx> --- net/bluetooth/l2cap_core.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index 2c9de67da..a15d64b13 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c @@ -4307,6 +4307,9 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn, } } + if (chan->state == BT_DISCONN) + goto unlock; + err = 0; l2cap_chan_lock(chan); -- 2.25.1
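Review bot: the new `if (chan->state == BT_DISCONN) goto unlock;` jumps out before the `err = 0;` assignment that follows it, so the function returns whatever `err` held at that point rather than a deliberate value; set `err` explicitly before the jump (0 if a response in BT_DISCONN is to be silently ignored, or an error code if the caller should see it), or place the check after `err = 0;`. The check also reads `chan->state` before `l2cap_chan_lock(chan)` is taken, so a concurrent state change on the channel can race with it; moving the test inside the locked region (after `l2cap_chan_lock(chan)`, with a matching `l2cap_chan_unlock(chan)` on the early-exit path) would make the state test and the response handling atomic with respect to the channel lock. Finally, the commit message cites only a page number of Core v5.3; naming the section that defines the BT_DISCONN behaviour for L2CAP_CONN_RSP / L2CAP_CREATE_CHAN_RSP would make the justification easier to verify.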