From 96fda21809edc7094f0c4d3f46e3ac4d39f7c9f5 Mon Sep 17 00:00:00 2001
From: Oleksandr Suvorov
Date: Mon, 6 Apr 2020 14:40:16 +0300
Subject: Bluetooth: Fix possible NULL pointer dereference

Backport of the patch [1], which was sent upstream but not merged. It fixes a crash like [2].

If we disconnect a device before the connection completes, the connection will no longer be in the connection list, so conn will be NULL.

[1] https://www.spinics.net/lists/linux-bluetooth/msg70764.html

[2]
[ 4960.112410] Unable to handle kernel NULL pointer dereference at virtual address 0000001a
[ 4961.120795] Mem abort info:
[ 4961.128933] Exception class = DABT (current EL), IL = 32 bits
[ 4961.140189] SET = 0, FnV = 0
[ 4961.148719] EA = 0, S1PTW = 0
[ 4961.157065] Data abort info:
[ 4961.165047] ISV = 0, ISS = 0x00000004
[ 4961.173975] CM = 0, WnR = 0
[ 4961.181934] user pgtable: 4k pages, 48-bit VAs, pgd = ffff80084f467000
[ 4961.193579] [000000000000001a] *pgd=0000000000000000
[ 4961.201942] Internal error: Oops: 96000004 [#1] PREEMPT SMP
[ 4961.210271] Modules linked in: veth xt_nat xt_tcpudp ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 xt_addrtype iptable_filter ip_tables xt_conntrack x_tables nf_nat nf_conntrack libcrc32c br_netfilter bridge stp overlay crc32_ce crct10dif_ce mwifiex_pcie mwifiex cdc_acm galcore(O)
[ 4961.255701] Process kworker/u13:0 (pid: 12632, stack limit = 0xffff00002e5e8000)
[ 4961.268662] CPU: 3 PID: 12632 Comm: kworker/u13:0 Tainted: G O 4.14.159-4.0.0-devel+git.fff496c2a1bd #1
[ 4961.284881] Hardware name: Toradex Apalis iMX8QM/QP on Apalis Evaluation Board (DT)
[ 4961.298330] Workqueue: hci0 hci_rx_work
[ 4961.307903] task: ffff80084faa8d80 task.stack: ffff00002e5e8000
[ 4961.319611] PC is at hci_connect_le_scan_cleanup+0x14/0x128
[ 4961.330986] LR is at create_le_conn_complete+0xec/0x108

Signed-off-by: Thomas Gagneret
Signed-off-by: Oleksandr Suvorov
---
 net/bluetooth/hci_conn.c | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)
(limited to 'net')
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 1d085eed72d0..c7b909a5aaec 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -723,20 +723,17 @@ static void create_le_conn_complete(struct hci_dev *hdev, u8 status, u16 opcode)
 hci_dev_lock(hdev);
 conn = hci_lookup_le_connect(hdev);
+ if (!conn)
+ goto done;
 if (!status) {
 hci_connect_le_scan_cleanup(conn);
- goto done;
+ } else {
+ BT_ERR("HCI request failed to create LE connection: status 0x%2.2x",
+ status);
+ hci_le_conn_failed(conn, status);
 }
- BT_ERR("HCI request failed to create LE connection: status 0x%2.2x",
- status);
-
- if (!conn)
- goto done;
-
- hci_le_conn_failed(conn, status);
-
 done:
 hci_dev_unlock(hdev);
 }
--
cgit v1.2.3
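Review bot: The error message for a failed LE connection request is lost in the NULL case, because the added `if (!conn) goto done;` now jumps over the BT_ERR that the old code emitted before it checked conn. A non-zero status with no conn is exactly the situation this patch handles (the device was disconnected before the connection completed), so it is the case where the log line is most useful when diagnosing controller failures or races. Logging the status before the lookup keeps the NULL guard and restores the message; the rewritten body is below. create_le_conn_complete's opening brace and the conn declaration lie before the hunk.
```c
	if (status)
		BT_ERR("HCI request failed to create LE connection: status 0x%2.2x",
		       status);

	conn = hci_lookup_le_connect(hdev);
	if (!conn)
		goto done;

	if (!status)
		hci_connect_le_scan_cleanup(conn);
	else
		hci_le_conn_failed(conn, status);

	/* … unchanged: done: label and hci_dev_unlock() … */
```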