From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 26 Aug 2024 07:38:38 +0000 (+0200)
Subject: 6.10-stable patches
X-Git-Tag: v6.1.107~53
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2dcc677ca888e54662bf22f5706c1903b954bf74;p=thirdparty%2Fkernel%2Fstable-queue.git

6.10-stable patches

added patches:
	bluetooth-mgmt-add-error-handling-to-pair_device.patch
---

diff --git a/queue-6.10/bluetooth-mgmt-add-error-handling-to-pair_device.patch b/queue-6.10/bluetooth-mgmt-add-error-handling-to-pair_device.patch
new file mode 100644
index 00000000000..871213e63dc
--- /dev/null
+++ b/queue-6.10/bluetooth-mgmt-add-error-handling-to-pair_device.patch
@@ -0,0 +1,37 @@
+From 538fd3921afac97158d4177139a0ad39f056dbb2 Mon Sep 17 00:00:00 2001
+From: Griffin Kroah-Hartman <griffin@kroah.com>
+Date: Thu, 15 Aug 2024 13:51:00 +0200
+Subject: Bluetooth: MGMT: Add error handling to pair_device()
+
+From: Griffin Kroah-Hartman <griffin@kroah.com>
+
+commit 538fd3921afac97158d4177139a0ad39f056dbb2 upstream.
+
+hci_conn_params_add() never checks for a NULL value and could lead to a NULL
+pointer dereference causing a crash.
+
+Fixed by adding error handling in the function.
+
+Cc: Stable <stable@kernel.org>
+Fixes: 5157b8a503fa ("Bluetooth: Fix initializing conn_params in scan phase")
+Signed-off-by: Griffin Kroah-Hartman <griffin@kroah.com>
+Reported-by: Yiwei Zhang <zhan4630@purdue.edu>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/mgmt.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -3457,6 +3457,10 @@ static int pair_device(struct sock *sk,
+ 		 * will be kept and this function does nothing.
+ 		 */
+ 		p = hci_conn_params_add(hdev, &cp->addr.bdaddr, addr_type);
++		if (!p) {
++			err = -EIO;
++			goto unlock;
++		}
+ 
+ 		if (p->auto_connect == HCI_AUTO_CONN_EXPLICIT)
+ 			p->auto_connect = HCI_AUTO_CONN_DISABLED;
diff --git a/queue-6.10/series b/queue-6.10/series
index b5b4da4b971..4078049afa0 100644
--- a/queue-6.10/series
+++ b/queue-6.10/series
@@ -220,3 +220,4 @@ s390-boot-avoid-possible-physmem_info-segment-corrup.patch
 s390-boot-fix-kaslr-base-offset-off-by-__start_kerne.patch
 smb-client-ignore-unhandled-reparse-tags.patch
 nvme-move-stopping-keep-alive-into-nvme_uninit_ctrl.patch
+bluetooth-mgmt-add-error-handling-to-pair_device.patch