[thirdparty/kernel/stable-queue.git] / releases / 6.8.6 / bluetooth-btintel-fix-null-ptr-deref-in-btintel_read.patch

From 5e7e8ad42892f43c935a6d96034b024d3ade2d1f Mon Sep 17 00:00:00 2001
From: Sasha Levin <sashal@kernel.org>
Date: Thu, 18 Jan 2024 12:40:34 +0800
Subject: Bluetooth: btintel: Fix null ptr deref in btintel_read_version

From: Edward Adam Davis <eadavis@qq.com>

[ Upstream commit b79e040910101b020931ba0c9a6b77e81ab7f645 ]

If hci_cmd_sync_complete() is triggered and skb is NULL, then
hdev->req_skb is NULL, which will cause this issue.

Reported-and-tested-by: syzbot+830d9e3fa61968246abd@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/bluetooth/btintel.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c
index cdc5c08824a0a..e5b043d962073 100644
--- a/drivers/bluetooth/btintel.c
+++ b/drivers/bluetooth/btintel.c
@@ -435,7 +435,7 @@ int btintel_read_version(struct hci_dev *hdev, struct intel_version *ver)
 	struct sk_buff *skb;
 
 	skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_CMD_TIMEOUT);
-	if (IS_ERR(skb)) {
+	if (IS_ERR_OR_NULL(skb)) {
 		bt_dev_err(hdev, "Reading Intel version information failed (%ld)",
 			   PTR_ERR(skb));
 		return PTR_ERR(skb);
-- 
2.43.0
Commit	Line	Data
335f7cc0 SL	1	From 5e7e8ad42892f43c935a6d96034b024d3ade2d1f Mon Sep 17 00:00:00 2001
	2	From: Sasha Levin <sashal@kernel.org>
	3	Date: Thu, 18 Jan 2024 12:40:34 +0800
	4	Subject: Bluetooth: btintel: Fix null ptr deref in btintel_read_version
	5
	6	From: Edward Adam Davis <eadavis@qq.com>
	7
	8	[ Upstream commit b79e040910101b020931ba0c9a6b77e81ab7f645 ]
	9
	10	If hci_cmd_sync_complete() is triggered and skb is NULL, then
	11	hdev->req_skb is NULL, which will cause this issue.
	12
	13	Reported-and-tested-by: syzbot+830d9e3fa61968246abd@syzkaller.appspotmail.com
	14	Signed-off-by: Edward Adam Davis <eadavis@qq.com>
	15	Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
	16	Signed-off-by: Sasha Levin <sashal@kernel.org>
	17	---
	18	drivers/bluetooth/btintel.c \| 2 +-
	19	1 file changed, 1 insertion(+), 1 deletion(-)
	20
	21	diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c
	22	index cdc5c08824a0a..e5b043d962073 100644
	23	--- a/drivers/bluetooth/btintel.c
	24	+++ b/drivers/bluetooth/btintel.c
	25	@@ -435,7 +435,7 @@ int btintel_read_version(struct hci_dev hdev, struct intel_version ver)
	26	struct sk_buff *skb;
	27
	28	skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_CMD_TIMEOUT);
	29	- if (IS_ERR(skb)) {
	30	+ if (IS_ERR_OR_NULL(skb)) {
	31	bt_dev_err(hdev, "Reading Intel version information failed (%ld)",
	32	PTR_ERR(skb));
	33	return PTR_ERR(skb);
	34	--
	35	2.43.0
	36