git.ipfire.org Git - thirdparty/kernel/linux.git/commit
Bluetooth: hci_uart: Fix NULL deref in recv callbacks when priv is uninitialized
author    Aurelien DESBRIERES <aurelien@hackers.camp>
          Tue, 21 Apr 2026 13:53:31 +0000 (15:53 +0200)
committer Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
          Wed, 6 May 2026 20:21:43 +0000 (16:21 -0400)
commit    902fe40bce7059722f7ffa1c378e577675cf1918
tree      2061022d61838d5efa946ef0aa3596c9df67a1fa
parent    5917dd39db2bfc8b1b4c6ea8ed99adb4badef707
Bluetooth: hci_uart: Fix NULL deref in recv callbacks when priv is uninitialized

When a fault is injected during hci_uart line discipline setup, the
proto open() callback may fail, leaving hu->priv as NULL. A subsequent
TIOCSTI ioctl can trigger the recv() callback before priv is
initialized, causing a NULL pointer dereference.

Fix all four affected HCI UART protocol drivers by adding a NULL check
on hu->priv at the start of their recv() callbacks: h4, h5, ath and
bcsp.

Reported-by: syzbot+ff30eeab8e07b37d524e@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ff30eeab8e07b37d524e
Signed-off-by: Aurelien DESBRIERES <aurelien@hackers.camp>
Assisted-by: Claude:claude-sonnet-4-6
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
drivers/bluetooth/hci_ath.c
drivers/bluetooth/hci_bcsp.c
drivers/bluetooth/hci_h4.c
drivers/bluetooth/hci_h5.c
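As an added illustration, not the kernel's code and not this commit's diff, the following user-space C model replays the ordering the commit message describes: a protocol open() that fails and leaves hu->priv NULL, a pre-fix recv() that dereferences it, and a recv() guarded the way the message says the four drivers now are. The struct layouts, function names, error codes and packet bytes are stand-ins chosen for the example, not taken from the kernel sources.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-ins for struct hci_uart and a protocol's private state. */
struct hci_uart { void *priv; };                  /* NULL until open() succeeds */
struct proto_state { uint8_t buf[64]; size_t len; };
static struct proto_state state_storage;

/* proto open(): 'fail' models the injected fault during ldisc setup and
 * leaves hu->priv NULL, the state the commit message describes. */
static int proto_open(struct hci_uart *hu, int fail)
{
    if (fail) return -ENOMEM;
    memset(&state_storage, 0, sizeof state_storage);
    hu->priv = &state_storage;
    return 0;
}

/* Pre-fix recv(): trusts hu->priv, so input after a failed open() derefs NULL. */
static int proto_recv_buggy(struct hci_uart *hu, const uint8_t *d, size_t n)
{
    struct proto_state *st = hu->priv;
    memcpy(st->buf + st->len, d, n);              /* st == NULL here -> oops */
    st->len += n;
    return (int)n;
}

/* Post-fix recv(): refuse input until open() has set priv. -ENODEV and the
 * bounds check are this example's choices, not necessarily the kernel's. */
static int proto_recv_fixed(struct hci_uart *hu, const uint8_t *d, size_t n)
{
    struct proto_state *st = hu->priv;
    if (!st) return -ENODEV;
    if (n > sizeof st->buf - st->len) return -ENOSPC;
    memcpy(st->buf + st->len, d, n);
    st->len += n;
    return (int)n;
}

/* Replays the reported ordering: open() fails, then bytes reach recv().
 * fixed == 0 takes the pre-fix path and crashes, as in the syzbot report. */
static int replay(int open_fails, int fixed)
{
    struct hci_uart hu = { .priv = NULL };
    const uint8_t pkt[] = { 0x04, 0x0e, 0x04, 0x01, 0x03, 0x0c, 0x00 }; /* constructed HCI event */
    (void)proto_open(&hu, open_fails);
    return fixed ? proto_recv_fixed(&hu, pkt, sizeof pkt)
                 : proto_recv_buggy(&hu, pkt, sizeof pkt);
}
```

Calling replay(1, 0) reproduces the crash path; replay(1, 1) returns the error instead, which is the behavioural difference the commit introduces.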