From: Greg Kroah-Hartman Date: Sat, 21 Mar 2026 08:08:36 +0000 (+0100) Subject: 6.18-stable patches X-Git-Tag: v6.1.167~61 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=dadd1e8fd4df90993397cb91d5142a2a8d76a8d1;p=thirdparty%2Fkernel%2Fstable-queue.git 6.18-stable patches added patches: bluetooth-l2cap-fix-accepting-multiple-l2cap_ecred_conn_req.patch --- diff --git a/queue-6.18/bluetooth-l2cap-fix-accepting-multiple-l2cap_ecred_conn_req.patch b/queue-6.18/bluetooth-l2cap-fix-accepting-multiple-l2cap_ecred_conn_req.patch new file mode 100644 index 0000000000..a234f110b8 --- /dev/null +++ b/queue-6.18/bluetooth-l2cap-fix-accepting-multiple-l2cap_ecred_conn_req.patch 
@@ -0,0 +1,59 @@ +From 5b3e2052334f2ff6d5200e952f4aa66994d09899 Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz +Date: Tue, 3 Mar 2026 13:29:53 -0500 +Subject: Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ + +From: Luiz Augusto von Dentz + +commit 5b3e2052334f2ff6d5200e952f4aa66994d09899 upstream. + +Currently the code attempts to accept requests regardless of the +command identifier which may cause multiple requests to be marked +as pending (FLAG_DEFER_SETUP) which can cause more than +L2CAP_ECRED_MAX_CID(5) to be allocated in l2cap_ecred_rsp_defer +causing an overflow. + +The spec is quite clear that the same identifier shall not be used on +subsequent requests: + +'Within each signaling channel a different Identifier shall be used +for each successive request or indication.' +https://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-62/out/en/host/logical-link-control-and-adaptation-protocol-specification.html#UUID-32a25a06-4aa4-c6c7-77c5-dcfe3682355d + +So this attempts to check if there are any channels pending with the +same identifier and rejects if any are found. 
+ +Fixes: 15f02b910562 ("Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode") +Reported-by: Yiming Qian +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/l2cap_core.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -5045,7 +5045,7 @@ static inline int l2cap_ecred_conn_req(s + u16 mtu, mps; + __le16 psm; + u8 result, rsp_len = 0; +- int i, num_scid; ++ int i, num_scid = 0; + bool defer = false; + + if (!enable_ecred) +@@ -5057,6 +5057,14 @@ static inline int l2cap_ecred_conn_req(s + result = L2CAP_CR_LE_INVALID_PARAMS; + goto response; + } ++ ++ /* Check if there are no pending channels with the same ident */ ++ __l2cap_chan_list_id(conn, cmd->ident, l2cap_ecred_list_defer, ++ &num_scid); ++ if (num_scid) { ++ result = L2CAP_CR_LE_INVALID_PARAMS; ++ goto response; ++ } + + cmd_len -= sizeof(*req); + num_scid = cmd_len / sizeof(u16); diff --git a/queue-6.18/series b/queue-6.18/series index 9e98c61633..f2ffb8546e 100644 --- a/queue-6.18/series +++ b/queue-6.18/series @@ -94,3 +94,4 @@ drm-i915-dmc-fix-an-unlikely-null-pointer-deference-at-probe.patch drm-xe-guc-ensure-ct-state-transitions-via-stop-before-disabled.patch drm-xe-oa-allow-reading-after-disabling-oa-stream.patch drm-xe-open-code-ggtt-mmio-access-protection.patch +bluetooth-l2cap-fix-accepting-multiple-l2cap_ecred_conn_req.patch
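Review bot: in l2cap_ecred_conn_req(), num_scid now serves two unrelated purposes: it is first the count of pending channels with the same ident, filled in through `&num_scid` by __l2cap_chan_list_id(), and a few lines later it is overwritten with `cmd_len / sizeof(u16)`. The `= 0` initializer added in the first hunk exists only for the first use. A dedicated local for the pending count (for example `int pending = 0;`) would leave the existing declaration alone and make it clear that the reject test is about deferred channels, not about the number of SCIDs in the request.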
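Review bot: the early reject added in the second l2cap_core.c hunk sets `result = L2CAP_CR_LE_INVALID_PARAMS`, the same value the check immediately above it uses, so a peer cannot tell from the response whether the request was rejected for a reused ident or for the earlier failure. If sharing the result code is intentional, the comment should say so. The comment itself would also read better as "Reject if any channel is still pending with the same ident", since the code rejects when the count is nonzero rather than checking that there are none.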