authorOleksandr Suvorov <oleksandr.suvorov@toradex.com>2020-04-06 14:40:16 +0300
committerOleksandr Suvorov <oleksandr.suvorov@toradex.com>2020-04-06 14:41:48 +0300
commit96fda21809edc7094f0c4d3f46e3ac4d39f7c9f5 (patch)
tree8a2030d254100efe63a78709dca7f89db9105d0d /net
parent25c008952d3a61c9c402126d4ba7424ef8132f90 (diff)
Bluetooth: Fix possible NULL pointer dereference
Backport of a patch [1] that was posted upstream but not merged. It fixes crashes like [2]. If we disconnect a device before the connection completes, the connection will no longer be in the connection list, so conn will be NULL. [1] https://www.spinics.net/lists/linux-bluetooth/msg70764.html [2] [ 4960.112410] Unable to handle kernel NULL pointer dereference at virtual address 0000001a [ 4961.120795] Mem abort info: [ 4961.128933] Exception class = DABT (current EL), IL = 32 bits [ 4961.140189] SET = 0, FnV = 0 [ 4961.148719] EA = 0, S1PTW = 0 [ 4961.157065] Data abort info: [ 4961.165047] ISV = 0, ISS = 0x00000004 [ 4961.173975] CM = 0, WnR = 0 [ 4961.181934] user pgtable: 4k pages, 48-bit VAs, pgd = ffff80084f467000 [ 4961.193579] [000000000000001a] *pgd=0000000000000000 [ 4961.201942] Internal error: Oops: 96000004 [#1] PREEMPT SMP [ 4961.210271] Modules linked in: veth xt_nat xt_tcpudp ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 xt_addrtype iptable_filter ip_tables xt_conntrack x_tables nf_nat nf_conntrack libcrc32c br_netfilter bridge stp overlay crc32_ce crct10dif_ce mwifiex_pcie mwifiex cdc_acm galcore(O) [ 4961.255701] Process kworker/u13:0 (pid: 12632, stack limit = 0xffff00002e5e8000) [ 4961.268662] CPU: 3 PID: 12632 Comm: kworker/u13:0 Tainted: G O 4.14.159-4.0.0-devel+git.fff496c2a1bd #1 [ 4961.284881] Hardware name: Toradex Apalis iMX8QM/QP on Apalis Evaluation Board (DT) [ 4961.298330] Workqueue: hci0 hci_rx_work [ 4961.307903] task: ffff80084faa8d80 task.stack: ffff00002e5e8000 [ 4961.319611] PC is at hci_connect_le_scan_cleanup+0x14/0x128 [ 4961.330986] LR is at create_le_conn_complete+0xec/0x108 Signed-off-by: Thomas Gagneret <tgagneret@xxxxxxxxxxx> Signed-off-by: Oleksandr Suvorov <oleksandr.suvorov@toradex.com>
Diffstat (limited to 'net')
-rw-r--r--net/bluetooth/hci_conn.c15
1 files changed, 6 insertions, 9 deletions
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 1d085eed72d0..c7b909a5aaec 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -723,20 +723,17 @@ static void create_le_conn_complete(struct hci_dev *hdev, u8 status, u16 opcode)
hci_dev_lock(hdev);
conn = hci_lookup_le_connect(hdev);
+ if (!conn)
+ goto done;
if (!status) {
hci_connect_le_scan_cleanup(conn);
- goto done;
+ } else {
+ BT_ERR("HCI request failed to create LE connection: status 0x%2.2x",
+ status);
+ hci_le_conn_failed(conn, status);
}
- BT_ERR("HCI request failed to create LE connection: status 0x%2.2x",
- status);
-
- if (!conn)
- goto done;
-
- hci_le_conn_failed(conn, status);
-
done:
hci_dev_unlock(hdev);
}
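Review bot: The new early `if (!conn) goto done;` at the top of the hunk also skips the BT_ERR for a failed request, which the old code printed unconditionally whenever status was non-zero; a controller-side failure that races with a disconnect now leaves no trace in the log. Keeping the diagnostic independent of the lookup preserves that observability: put `if (status) BT_ERR("HCI request failed to create LE connection: status 0x%2.2x", status);` ahead of the guard, leave `if (!conn) goto done;` where it is, and reduce the `else` branch to just `hci_le_conn_failed(conn, status);`. The `!status && !conn` path, where the command succeeded but no hci_conn is left to clean up, is equally silent; a debug-level message there would make the race the commit describes visible without changing behaviour. The function's signature, the `conn` declaration and the earlier part of the body are above the hunk, so it is not visible whether any other path relies on the error message being printed.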