
[PW_SID:1075938] [v5,1/3] Bluetooth: SMP: force responder MITM requirements before building the pairing response#3439

Open
BluezTestBot wants to merge 4 commits into workflow from 1075938

Conversation

@BluezTestBot (Owner)

From: Oleh Konko <security@1seal.org>

smp_cmd_pairing_req() currently builds the pairing response from the
initiator auth_req before enforcing the local BT_SECURITY_HIGH
requirement. If the initiator omits SMP_AUTH_MITM, the response can
also omit it even though the local side still requires MITM.

tk_request() then sees an auth value without SMP_AUTH_MITM and may
select JUST_CFM, making method selection inconsistent with the pairing
policy the responder already enforces.

When the local side requires HIGH security, first verify that MITM can
be achieved from the IO capabilities and then force SMP_AUTH_MITM in the
response before build_pairing_cmd(). This keeps the responder auth bits
and later method selection aligned.

Fixes: 2b64d15 ("Bluetooth: Add MITM mechanism to LE-SMP")
Cc: stable@vger.kernel.org
Suggested-by: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
Signed-off-by: Oleh Konko <security@1seal.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

v5: Address the comments on
https://sashiko.dev/#/patchset/bt-smp-v4-ea63d24bfcd1416f9da279190fab15fc%401seal.org?patch=14762

net/bluetooth/smp.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

tedd-an and others added 4 commits March 31, 2026 17:43
This patch adds workflow files for ci:

[sync.yml]
 - The workflow file for scheduled work
 - Sync the repo with the upstream repo and rebase the workflow branch
 - Review the patches in the patchwork and create the PR if needed

[ci.yml]
 - The workflow file for CI tasks
 - Run CI tests when a PR is created

Signed-off-by: Tedd Ho-Jeong An <tedd.an@intel.com>
… pairing response

smp_cmd_pairing_req() currently builds the pairing response from the
initiator auth_req before enforcing the local BT_SECURITY_HIGH
requirement. If the initiator omits SMP_AUTH_MITM, the response can
also omit it even though the local side still requires MITM.

tk_request() then sees an auth value without SMP_AUTH_MITM and may
select JUST_CFM, making method selection inconsistent with the pairing
policy the responder already enforces.

When the local side requires HIGH security, first verify that MITM can
be achieved from the IO capabilities and then force SMP_AUTH_MITM in the
response before build_pairing_cmd(). This keeps the responder auth bits
and later method selection aligned.

Fixes: 2b64d15 ("Bluetooth: Add MITM mechanism to LE-SMP")
Cc: stable@vger.kernel.org
Suggested-by: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
Signed-off-by: Oleh Konko <security@1seal.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
…state

The legacy responder path in smp_random() currently labels the stored
STK as authenticated whenever pending_sec_level is BT_SECURITY_HIGH.
That reflects what the local service requested, not what the pairing
flow actually achieved.

For Just Works/Confirm legacy pairing, SMP_FLAG_MITM_AUTH stays clear
and the resulting STK should remain unauthenticated even if the local
side requested HIGH security. Use the established MITM state when
storing the responder STK so the key metadata matches the pairing result.

This also keeps the legacy path aligned with the Secure Connections code,
which already treats JUST_WORKS/JUST_CFM as unauthenticated.

Fixes: fff3490 ("Bluetooth: Fix setting correct authentication information for SMP STK")
Cc: stable@vger.kernel.org
Signed-off-by: Oleh Konko <security@1seal.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
If FLAG_PENDING_SECURITY is already set, it means the SMP pairing process
is in progress and hcon->pending_sec_level shouldn't be changed, since it
may require changing the pairing requirements (MITM), which may not be
supported depending on the stage of the pairing procedure, and
may result in a security level that doesn't match the pairing keys'
authentication (e.g. upgrading to BT_SECURITY_HIGH without setting
MITM requirements).

To fix this problem the code will now return -EINPROGRESS if a process
calls setsockopt(BT_SECURITY) while FLAG_PENDING_SECURITY is set; it needs to
wait for the socket to resume and clear the flag before it can update the
security level again.

Fixes: bbb69b3 ("Bluetooth: Add return check for L2CAP security level set")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
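The following is an added model written for this page (not kernel code and not part of the patch series) of the legacy responder path that the first two patches above change: force_mitm stands for patch 1 (forcing SMP_AUTH_MITM in the response when the local side requires HIGH security) and label_from_state for patch 2 (labelling the STK from the achieved MITM state). The IO capability values, the method table and the SMP_AUTH_REQUIREMENTS reason code follow the SMP specification and smp.c; the function names respond() and auth_method() and the struct pairing_out are assumptions of this model.

```c
#include <stdbool.h>
#include <stdint.h>
/* Model of the SMP legacy responder path discussed in the patches (not kernel code). */
enum { IO_DISPLAY_ONLY, IO_DISPLAY_YESNO, IO_KEYBOARD_ONLY, IO_NO_INPUT_OUTPUT, IO_KEYBOARD_DISPLAY };
enum { JUST_WORKS, JUST_CFM, REQ_PASSKEY, CFM_PASSKEY, OVERLAP };
enum { SEC_LOW = 1, SEC_MEDIUM, SEC_HIGH };        /* BT_SECURITY_* levels */
#define AUTH_MITM             0x04                 /* SMP_AUTH_MITM bit of auth_req */
#define SMP_AUTH_REQUIREMENTS 0x03                 /* SMP pairing failure reason */

/* Legacy pairing method table, indexed [remote_io][local_io] (same layout as smp.c). */
static const uint8_t gen_method[5][5] = {
    { JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
    { JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
    { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
    { JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
    { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
};

static uint8_t auth_method(uint8_t local_io, uint8_t remote_io)
{
    if (local_io > IO_KEYBOARD_DISPLAY || remote_io > IO_KEYBOARD_DISPLAY)
        return JUST_CFM;                            /* unknown capability: confirm only */
    return gen_method[remote_io][local_io];
}

struct pairing_out { int reason; uint8_t rsp_auth; uint8_t method; bool stk_authenticated; };
/* force_mitm models patch 1, label_from_state models patch 2; both false is the old behaviour. */
static struct pairing_out respond(uint8_t init_auth, uint8_t local_io, uint8_t remote_io,
                                  int local_sec, bool force_mitm, bool label_from_state)
{
    struct pairing_out o = { 0, init_auth, JUST_CFM, false }; /* response auth starts as the initiator's */
    uint8_t possible = auth_method(local_io, remote_io);
    if (local_sec >= SEC_HIGH) {
        /* MITM must be achievable from the IO capabilities, otherwise pairing is refused. */
        if (possible == JUST_WORKS || possible == JUST_CFM) {
            o.reason = SMP_AUTH_REQUIREMENTS;
            return o;
        }
        if (force_mitm)                             /* patch 1: set MITM before building the response */
            o.rsp_auth |= AUTH_MITM;
    }
    /* tk_request(): an auth value without the MITM bit selects JUST_CFM regardless of IO capabilities */
    o.method = (o.rsp_auth & AUTH_MITM) ? possible : JUST_CFM;
    bool mitm_achieved = o.method != JUST_WORKS && o.method != JUST_CFM;
    /* patch 2: STK metadata follows what pairing achieved, not the level the local side requested */
    o.stk_authenticated = label_from_state ? mitm_achieved : (local_sec >= SEC_HIGH);
    return o;
}
```

With both flags off, a HIGH-security responder facing an initiator that omitted MITM ends up in JUST_CFM with an STK still labelled authenticated, which is the mismatch the two patches remove.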

github-actions bot commented Apr 1, 2026

CheckPatch
Desc: Run checkpatch.pl script
Duration: 0.32 seconds
Result: PENDING

github-actions bot commented Apr 1, 2026

GitLint
Desc: Run gitlint
Duration: 0.29 seconds
Result: PENDING

github-actions bot commented Apr 1, 2026

SubjectPrefix
Desc: Check subject contains "Bluetooth" prefix
Duration: 0.40 seconds
Result: PASS

github-actions bot commented Apr 1, 2026

BuildKernel
Desc: Build Kernel for Bluetooth
Duration: 25.80 seconds
Result: PASS

github-actions bot commented Apr 1, 2026

CheckAllWarning
Desc: Run linux kernel with all warning enabled
Duration: 28.42 seconds
Result: PASS

github-actions bot commented Apr 1, 2026

CheckSparse
Desc: Run sparse tool with linux kernel
Duration: 27.16 seconds
Result: PASS

github-actions bot commented Apr 1, 2026

BuildKernel32
Desc: Build 32bit Kernel for Bluetooth
Duration: 25.12 seconds
Result: PASS

github-actions bot commented Apr 1, 2026

TestRunnerSetup
Desc: Setup kernel and bluez for test-runner
Duration: 564.24 seconds
Result: PASS

github-actions bot commented Apr 1, 2026

TestRunner_l2cap-tester
Desc: Run l2cap-tester with test-runner
Duration: 27.98 seconds
Result: PASS

github-actions bot commented Apr 1, 2026

TestRunner_iso-tester
Desc: Run iso-tester with test-runner
Duration: 37.67 seconds
Result: PASS

github-actions bot commented Apr 1, 2026

TestRunner_bnep-tester
Desc: Run bnep-tester with test-runner
Duration: 6.35 seconds
Result: PASS

github-actions bot commented Apr 1, 2026

TestRunner_mgmt-tester
Desc: Run mgmt-tester with test-runner
Duration: 113.95 seconds
Result: FAIL
Output:

Total: 494, Passed: 488 (98.8%), Failed: 2, Not Run: 4

Failed Test Cases
Read Exp Feature - Success                           Failed       0.105 seconds
LL Privacy - Start Discovery 2 (Disable RL)          Failed       0.177 seconds

github-actions bot commented Apr 1, 2026

TestRunner_rfcomm-tester
Desc: Run rfcomm-tester with test-runner
Duration: 9.42 seconds
Result: PASS

github-actions bot commented Apr 1, 2026

TestRunner_sco-tester
Desc: Run sco-tester with test-runner
Duration: 14.23 seconds
Result: FAIL
Output:

WARNING: possible circular locking dependency detected
BUG: sleeping function called from invalid context at net/core/sock.c:3782
Total: 30, Passed: 30 (100.0%), Failed: 0, Not Run: 0

github-actions bot commented Apr 1, 2026

TestRunner_ioctl-tester
Desc: Run ioctl-tester with test-runner
Duration: 10.27 seconds
Result: PASS

github-actions bot commented Apr 1, 2026

TestRunner_mesh-tester
Desc: Run mesh-tester with test-runner
Duration: 12.52 seconds
Result: FAIL
Output:

Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0

Failed Test Cases
Mesh - Send cancel - 1                               Timed out    2.695 seconds
Mesh - Send cancel - 2                               Timed out    1.998 seconds

github-actions bot commented Apr 1, 2026

TestRunner_smp-tester
Desc: Run smp-tester with test-runner
Duration: 8.54 seconds
Result: PASS

github-actions bot commented Apr 1, 2026

TestRunner_userchan-tester
Desc: Run userchan-tester with test-runner
Duration: 6.67 seconds
Result: PASS

github-actions bot commented Apr 1, 2026

IncrementalBuild
Desc: Incremental build with the patches in the series
Duration: 0.63 seconds
Result: PENDING

github-actions bot force-pushed the workflow branch 7 times, most recently from f07ea67 to 9a108c6 (April 8, 2026 14:22)