From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 26 Aug 2024 07:37:31 +0000 (+0200)
Subject: 6.6-stable patches
X-Git-Tag: v6.1.107~54
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=06fa372533e94aa15f582c9b397d2bf29c6dff06;p=thirdparty%2Fkernel%2Fstable-queue.git

6.6-stable patches

added patches:
	bluetooth-mgmt-add-error-handling-to-pair_device.patch
---

diff --git a/queue-6.6/bluetooth-mgmt-add-error-handling-to-pair_device.patch b/queue-6.6/bluetooth-mgmt-add-error-handling-to-pair_device.patch
new file mode 100644
index 00000000000..1da3301914f
--- /dev/null
+++ b/queue-6.6/bluetooth-mgmt-add-error-handling-to-pair_device.patch
@@ -0,0 +1,37 @@
+From 538fd3921afac97158d4177139a0ad39f056dbb2 Mon Sep 17 00:00:00 2001
+From: Griffin Kroah-Hartman <griffin@kroah.com>
+Date: Thu, 15 Aug 2024 13:51:00 +0200
+Subject: Bluetooth: MGMT: Add error handling to pair_device()
+
+From: Griffin Kroah-Hartman <griffin@kroah.com>
+
+commit 538fd3921afac97158d4177139a0ad39f056dbb2 upstream.
+
+hci_conn_params_add() never checks for a NULL value and could lead to a NULL
+pointer dereference causing a crash.
+
+Fixed by adding error handling in the function.
+
+Cc: Stable <stable@kernel.org>
+Fixes: 5157b8a503fa ("Bluetooth: Fix initializing conn_params in scan phase")
+Signed-off-by: Griffin Kroah-Hartman <griffin@kroah.com>
+Reported-by: Yiwei Zhang <zhan4630@purdue.edu>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/mgmt.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -3449,6 +3449,10 @@ static int pair_device(struct sock *sk,
+ 		 * will be kept and this function does nothing.
+ 		 */
+ 		p = hci_conn_params_add(hdev, &cp->addr.bdaddr, addr_type);
++		if (!p) {
++			err = -EIO;
++			goto unlock;
++		}
+ 
+ 		if (p->auto_connect == HCI_AUTO_CONN_EXPLICIT)
+ 			p->auto_connect = HCI_AUTO_CONN_DISABLED;
diff --git a/queue-6.6/series b/queue-6.6/series
index 304f9deba4f..f7ccae29ed1 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -291,3 +291,4 @@ drm-msm-mdss-handle-the-reg-bus-icc-path.patch
 drm-msm-fix-the-highest_bank_bit-for-sc7180.patch
 mmc-mmc_test-fix-null-dereference-on-allocation-fail.patch
 smb-client-ignore-unhandled-reparse-tags.patch
+bluetooth-mgmt-add-error-handling-to-pair_device.patch