6.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 21 Mar 2026 08:08:36 +0000 (09:08 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 21 Mar 2026 08:08:36 +0000 (09:08 +0100)
added patches:
bluetooth-l2cap-fix-accepting-multiple-l2cap_ecred_conn_req.patch

queue-6.18/bluetooth-l2cap-fix-accepting-multiple-l2cap_ecred_conn_req.patch [new file with mode: 0644]
queue-6.18/series

diff --git a/queue-6.18/bluetooth-l2cap-fix-accepting-multiple-l2cap_ecred_conn_req.patch b/queue-6.18/bluetooth-l2cap-fix-accepting-multiple-l2cap_ecred_conn_req.patch
new file mode 100644 (file)
index 0000000..a234f11
--- /dev/null
@@ -0,0 +1,59 @@
+From 5b3e2052334f2ff6d5200e952f4aa66994d09899 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Tue, 3 Mar 2026 13:29:53 -0500
+Subject: Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+commit 5b3e2052334f2ff6d5200e952f4aa66994d09899 upstream.
+
+Currently the code attempts to accept requests regardless of the
+command identifier which may cause multiple requests to be marked
+as pending (FLAG_DEFER_SETUP) which can cause more than
+L2CAP_ECRED_MAX_CID(5) to be allocated in l2cap_ecred_rsp_defer
+causing an overflow.
+
+The spec is quite clear that the same identifier shall not be used on
+subsequent requests:
+
+'Within each signaling channel a different Identifier shall be used
+for each successive request or indication.'
+https://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-62/out/en/host/logical-link-control-and-adaptation-protocol-specification.html#UUID-32a25a06-4aa4-c6c7-77c5-dcfe3682355d
+
+So this attempts to check if there are any channels pending with the
+same identifier and rejects if any are found.
+
+Fixes: 15f02b910562 ("Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode")
+Reported-by: Yiming Qian <yimingqian591@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/l2cap_core.c |   10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -5045,7 +5045,7 @@ static inline int l2cap_ecred_conn_req(s
+       u16 mtu, mps;
+       __le16 psm;
+       u8 result, rsp_len = 0;
+-      int i, num_scid;
++      int i, num_scid = 0;
+       bool defer = false;
+       if (!enable_ecred)
+@@ -5057,6 +5057,14 @@ static inline int l2cap_ecred_conn_req(s
+               result = L2CAP_CR_LE_INVALID_PARAMS;
+               goto response;
+       }
++
++      /* Check if there are no pending channels with the same ident */
++      __l2cap_chan_list_id(conn, cmd->ident, l2cap_ecred_list_defer,
++                           &num_scid);
++      if (num_scid) {
++              result = L2CAP_CR_LE_INVALID_PARAMS;
++              goto response;
++      }
+       cmd_len -= sizeof(*req);
+       num_scid = cmd_len / sizeof(u16);
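Review bot: In the check added to l2cap_ecred_conn_req(), `num_scid` first holds the count written by `l2cap_ecred_list_defer` and, two lines later, the number of SCIDs in the request, so on the reject path `response:` is reached with the pending count rather than a value derived from the request. A dedicated local keeps the two meanings apart: `int pending = 0;`, passed as `&pending` and tested with `if (pending)`. The comment would read more directly as `/* Reject if a deferred channel with the same ident is still pending */`. The callback body and the `response:` label are outside this hunk, so it should be confirmed whether `num_scid` is read after the jump and whether the callback can store a negative value (which `if (num_scid)` would also treat as a reject). The `__` prefix on `__l2cap_chan_list_id` suggests the caller is expected to hold the channel lock already; that cannot be checked from the lines shown.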
index 9e98c61633292d669ff466e290b89085e35a2dd3..f2ffb8546e0155abd629b74a7cf0209675d68a2f 100644 (file)
@@ -94,3 +94,4 @@ drm-i915-dmc-fix-an-unlikely-null-pointer-deference-at-probe.patch
 drm-xe-guc-ensure-ct-state-transitions-via-stop-before-disabled.patch
 drm-xe-oa-allow-reading-after-disabling-oa-stream.patch
 drm-xe-open-code-ggtt-mmio-access-protection.patch
+bluetooth-l2cap-fix-accepting-multiple-l2cap_ecred_conn_req.patch