From b6cfdb3fd93604c611ec54a012f0ea3ae36c6596 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcin=20Wcis=C5=82o?= <marcin.wcislo@conclusive.pl>
Date: Sat, 25 Jan 2025 19:22:00 +0100
Subject: [PATCH] Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

jira VULN-205
cve CVE-2022-42896
commit-author Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
commit f937b758a188d6fd328a81367087eddbb2fce50f

l2cap_global_chan_by_psm shall not return fixed channels as they are not
meant to be connected by (S)PSM.

	Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
	Reviewed-by: Tedd Ho-Jeong An <tedd.an@intel.com>
(cherry picked from commit f937b758a188d6fd328a81367087eddbb2fce50f)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
---
 net/bluetooth/l2cap_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index e1bea969f94b5..8ee8cf0e96338 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -1960,7 +1960,7 @@ static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
 		if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
 			continue;
 
-		if (c->psm == psm) {
+		if (c->chan_type != L2CAP_CHAN_FIXED && c->psm == psm) {
 			int src_match, dst_match;
 			int src_any, dst_any;