Commit 4a3692a5 authored by Pauli Virtanen, committed by Jialin Zhang

Bluetooth: fix connection setup in l2cap_connect

mainline inclusion
from mainline-v6.10-rc4
commit c695439d198d30e10553a3b98360c5efe77b6903
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6ZJK
CVE: CVE-2024-38620

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c695439d198d30e10553a3b98360c5efe77b6903



--------------------------------

The amp_id argument of l2cap_connect() was removed in
commit 84a4bb6548a2 ("Bluetooth: HCI: Remove HCI_AMP support").

It was always called with amp_id == 0, i.e. AMP_ID_BREDR == 0x00 (i.e.
non-AMP controller).  In the above commit, the code path for amp_id != 0
was preserved, although it should have used the amp_id == 0 one.

Restore the previous behavior of the non-AMP code path, to fix problems
with L2CAP connections.

Fixes: 84a4bb6548a2 ("Bluetooth: HCI: Remove HCI_AMP support")
Signed-off-by: Pauli Virtanen <pav@iki.fi>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
parent 4dc6243f
+2 −2
@@ -3985,8 +3985,8 @@ static void l2cap_connect(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd,
				status = L2CAP_CS_AUTHOR_PEND;
				chan->ops->defer(chan);
			} else {
				l2cap_state_change(chan, BT_CONNECT2);
				result = L2CAP_CR_PEND;
				l2cap_state_change(chan, BT_CONFIG);
				result = L2CAP_CR_SUCCESS;
				status = L2CAP_CS_NO_INFO;
			}
		} else {
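Review bot: The inner else branch following chan->ops->defer(chan) carries no comment saying that it is the immediate-accept path, which is what allowed the wrong variant to survive the amp_id removal in 84a4bb6548a2. Please add a one-line comment above l2cap_state_change(chan, BT_CONFIG) stating that the non-deferred case replies with L2CAP_CR_SUCCESS and goes straight to configuration, in contrast to the sibling branch that sets L2CAP_CS_AUTHOR_PEND. Note for readers of this rendering: the +/- markers were lost, so both pairs of lines appear. Per the "+2 −2" stat and the commit message, the BT_CONNECT2 / L2CAP_CR_PEND pair is the removed one and the BT_CONFIG / L2CAP_CR_SUCCESS pair is the added one. The message also says only "problems with L2CAP connections"; naming the observed symptom would help anyone assessing this backport against CVE-2024-38620.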