From: Greg Kroah-Hartman
Date: Fri, 3 Feb 2023 08:17:45 +0000 (+0100)
Subject: 5.4-stable patches
X-Git-Tag: v4.14.305~16
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5ea3644b6f82b8364124b9e3168fe0f21077efb0;p=thirdparty%2Fkernel%2Fstable-queue.git
5.4-stable patches
added patches:
bluetooth-fix-null-ptr-deref-on-hci_sync_conn_complete_evt.patch
---
diff --git a/queue-5.4/bluetooth-fix-null-ptr-deref-on-hci_sync_conn_complete_evt.patch b/queue-5.4/bluetooth-fix-null-ptr-deref-on-hci_sync_conn_complete_evt.patch
new file mode 100644
index 00000000000..f4a10088cff
--- /dev/null
+++ b/queue-5.4/bluetooth-fix-null-ptr-deref-on-hci_sync_conn_complete_evt.patch
@@ -0,0 +1,45 @@
+From 3afee2118132e93e5f6fa636dfde86201a860ab3 Mon Sep 17 00:00:00 2001
+From: Soenke Huster
+Date: Fri, 14 Jan 2022 17:44:02 +0100
+Subject: Bluetooth: fix null ptr deref on hci_sync_conn_complete_evt
+
+From: Soenke Huster
+
+commit 3afee2118132e93e5f6fa636dfde86201a860ab3 upstream.
+
+This event is just specified for SCO and eSCO link types.
+On the reception of a HCI_Synchronous_Connection_Complete for a BDADDR
+of an existing LE connection, LE link type and a status that triggers the
+second case of the packet processing a NULL pointer dereference happens,
+as conn->link is NULL.
+
+Signed-off-by: Soenke Huster
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Ovidiu Panait
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bluetooth/hci_event.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -4177,6 +4177,19 @@ static void hci_sync_conn_complete_evt(s
+ struct hci_ev_sync_conn_complete *ev = (void *) skb->data;
+ struct hci_conn *conn;
+
++ switch (ev->link_type) {
++ case SCO_LINK:
++ case ESCO_LINK:
++ break;
++ default:
++ /* As per Core 5.3 Vol 4 Part E 7.7.35 (p.2219), Link_Type
++ * for HCI_Synchronous_Connection_Complete is limited to
++ * either SCO or eSCO
++ */
++ bt_dev_err(hdev, "Ignoring connect complete event for invalid link type");
++ return;
++ }
++
+ BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
+
+ hci_dev_lock(hdev);
diff --git a/queue-5.4/series b/queue-5.4/series
index 9b1a8a3d2eb..06273ba726b 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -129,3 +129,4 @@ panic-expose-warn_count-to-sysfs.patch
 docs-fix-path-paste-o-for-sys-kernel-warn_count.patch
 exit-use-read_once-for-all-oops-warn-limit-reads.patch
 ipv6-ensure-sane-device-mtu-in-tunnels.patch
+bluetooth-fix-null-ptr-deref-on-hci_sync_conn_complete_evt.patch
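Review bot: The rejection path in the new `switch (ev->link_type)` logs at error level on every occurrence, and since this event is delivered by the controller in response to remote activity, a misbehaving peer or controller could repeat it and fill the kernel log. If the 5.4 tree provides it, `bt_dev_err_ratelimited(hdev, "Ignoring connect complete event for invalid link type");` would keep the diagnostic without the flooding risk; because this queue file is a stable backport that should match upstream commit 3afee2118132, that change belongs in an upstream follow-up rather than here. The guard also reads `ev->link_type` from skb->data before any length check visible in the hunk; whether the caller validates skb->len against sizeof(*ev) cannot be seen from here, so that is worth confirming in the 5.4 event dispatch path. hci_sync_conn_complete_evt begins before and continues after the quoted hunk.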