Re: [PATCH] Bluetooth: ensure valid channel mode when creating l2cap conn on LE

Hi,

On Wed, Jan 12, 2022 at 2:17 AM <gav@xxxxxxxxxxxxxx> wrote:
>
> From: Gavin Li <git@xxxxxxxxxxxxxx>
>
> After creating a socket(AF_INET, SOCK_STREAM, BTPROTO_L2CAP) socket and
> connect()'ing to a LE device with default settings (no setsockopt), upon
> the first sendmsg, the following BUG occurs because chan->mode==L2CAP_MODE_ERTM,
> causing l2cap_ertm_send() -> __set_retrans_timer() -> schedule_delayed_work()
> on l2cap_chan.retrans_timer, which was never initialized because
> l2cap_ertm_init() was never called to initialize it.
>
>   Call Trace:
>    queue_delayed_work_on+0x36/0x40
>    l2cap_ertm_send.isra.0+0x14d/0x2d0 [bluetooth]
>    l2cap_tx+0x361/0x510 [bluetooth]
>    l2cap_chan_send+0xb26/0xb50 [bluetooth]
>    l2cap_sock_sendmsg+0xc9/0x100 [bluetooth]
>    sock_sendmsg+0x5e/0x60
>    sock_write_iter+0x97/0x100
>    new_sync_write+0x1d3/0x1f0
>    vfs_write+0x1b4/0x270
>    ksys_write+0xaf/0xe0
>    do_syscall_64+0x33/0x40
>    entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> This patch ensures that when connecting to a LE device, chan->mode will
> always be corrected to L2CAP_MODE_LE_FLOWCTL if it is invalid for LE.
>
> Signed-off-by: Gavin Li <git@xxxxxxxxxxxxxx>
> ---
>  net/bluetooth/l2cap_sock.c | 15 +++++++++++++--
>  1 file changed, 13 insertions(+), 2 deletions(-)
>
> diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
> index 160c016a5dfb9..58c06ef32656c 100644
> --- a/net/bluetooth/l2cap_sock.c
> +++ b/net/bluetooth/l2cap_sock.c
> @@ -78,6 +78,17 @@ static int l2cap_validate_le_psm(u16 psm)
>         return 0;
>  }
>
> +static bool l2cap_mode_supports_le(u8 mode)
> +{
> +       switch (mode) {
> +               case L2CAP_MODE_LE_FLOWCTL:
> +               case L2CAP_MODE_EXT_FLOWCTL:
> +                       return true;
> +               default:
> +                       return false;
> +       }
> +}
> +
>  static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
>  {
>         struct sock *sk = sock->sk;
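Review bot: the `case` labels in l2cap_mode_supports_le() are indented one level deeper than `switch (mode) {`; kernel coding style (and checkpatch) wants `case L2CAP_MODE_LE_FLOWCTL:` at the same indentation as the `switch` keyword, with only the `return` statements indented. Please reindent before resubmitting.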
> @@ -161,7 +172,7 @@ static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
>                 break;
>         }
>
> -       if (chan->psm && bdaddr_type_is_le(chan->src_type))
> +       if (chan->psm && bdaddr_type_is_le(la.l2_bdaddr_type) && !l2cap_mode_supports_le(chan->mode))
>                 chan->mode = L2CAP_MODE_LE_FLOWCTL;
>
>         chan->state = BT_BOUND;
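Review bot: this hunk changes bind behaviour beyond the bug the commit message describes: the old check `if (chan->psm && bdaddr_type_is_le(chan->src_type))` unconditionally forced L2CAP_MODE_LE_FLOWCTL, while the new `!l2cap_mode_supports_le(chan->mode)` condition now leaves an explicitly chosen L2CAP_MODE_EXT_FLOWCTL in place, and the switch from `chan->src_type` to `la.l2_bdaddr_type` is not explained anywhere in the commit text. Both should be called out in the commit message. The new condition line also exceeds the kernel's preferred line length; wrap it after the `&&`.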
> @@ -240,7 +251,7 @@ static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
>                         return -EINVAL;
>         }
>
> -       if (chan->psm && bdaddr_type_is_le(chan->src_type) && !chan->mode)
> +       if (chan->psm && bdaddr_type_is_le(la.l2_bdaddr_type) && !l2cap_mode_supports_le(chan->mode))
>                 chan->mode = L2CAP_MODE_LE_FLOWCTL;
>
>         err = l2cap_chan_connect(chan, la.l2_psm, __le16_to_cpu(la.l2_cid),
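Review bot: the original condition `&& !chan->mode` only defaulted an unset mode, whereas `!l2cap_mode_supports_le(chan->mode)` silently rewrites any mode the application chose via setsockopt (ERTM, for example) to L2CAP_MODE_LE_FLOWCTL on an LE connect. Consider returning -EINVAL for an explicitly requested mode that is invalid for LE, so the caller learns about the misconfiguration instead of getting a different channel mode than it asked for, and keep the silent correction only for the default-settings case the commit message describes. As in the bind hunk, the reason for testing `la.l2_bdaddr_type` instead of `chan->src_type` belongs in the commit message, and the condition line should be wrapped to the kernel's line-length limit.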
> --
> 2.34.1

Doesn't apply to bluetooth-next:

https://github.com/bluez/bluez/issues/250

-- 
Luiz Augusto von Dentz
