From 89fc648f1651500817798165e3dca30576f96356 Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Mon, 31 Oct 2022 16:10:32 -0700
Subject: [PATCH] Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

jira VULN-204
cve CVE-2022-42896
commit-author Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
commit f937b758a188d6fd328a81367087eddbb2fce50f

l2cap_global_chan_by_psm shall not return fixed channels as they are not
meant to be connected by (S)PSM.

	Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
	Reviewed-by: Tedd Ho-Jeong An <tedd.an@intel.com>
(cherry picked from commit f937b758a188d6fd328a81367087eddbb2fce50f)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
---
 net/bluetooth/l2cap_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 51b1f64a3fc5d..12b1f94e50d88 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -1960,7 +1960,7 @@ static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
 		if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
 			continue;
 
-		if (c->psm == psm) {
+		if (c->chan_type != L2CAP_CHAN_FIXED && c->psm == psm) {
 			int src_match, dst_match;
 			int src_any, dst_any;