From: Greg Kroah-Hartman
Date: Mon, 15 Aug 2022 15:36:37 +0000 (+0200)
Subject: 5.18-stable patches
X-Git-Tag: v5.15.61~23
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=65adde21d2b4cc40248cc1db396b27da83d0b57e;p=thirdparty%2Fkernel%2Fstable-queue.git
5.18-stable patches added patches: bluetooth-l2cap-fix-l2cap_global_chan_by_psm-regression.patch
---
diff --git a/queue-5.18/bluetooth-l2cap-fix-l2cap_global_chan_by_psm-regression.patch b/queue-5.18/bluetooth-l2cap-fix-l2cap_global_chan_by_psm-regression.patch
new file mode 100644
index 00000000000..3d0bebabbc9
--- /dev/null
+++ b/queue-5.18/bluetooth-l2cap-fix-l2cap_global_chan_by_psm-regression.patch
@@ -0,0 +1,56 @@
+From 332f1795ca202489c665a75e62e18ff6284de077 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz
+Date: Mon, 1 Aug 2022 13:52:07 -0700
+Subject: Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm regression
+
+From: Luiz Augusto von Dentz
+
+commit 332f1795ca202489c665a75e62e18ff6284de077 upstream.
+
+The patch d0be8347c623: "Bluetooth: L2CAP: Fix use-after-free caused
+by l2cap_chan_put" from Jul 21, 2022, leads to the following Smatch
+static checker warning:
+
+ net/bluetooth/l2cap_core.c:1977 l2cap_global_chan_by_psm()
+ error: we previously assumed 'c' could be null (see line 1996)
+
+Fixes: d0be8347c623 ("Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put")
+Reported-by: Dan Carpenter
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bluetooth/l2cap_core.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -1969,11 +1969,11 @@ static struct l2cap_chan *l2cap_global_c
+ bdaddr_t *dst,
+ u8 link_type)
+ {
+- struct l2cap_chan *c, *c1 = NULL;
++ struct l2cap_chan *c, *tmp, *c1 = NULL;
+
+ read_lock(&chan_list_lock);
+
+- list_for_each_entry(c, &chan_list, global_l) {
++ list_for_each_entry_safe(c, tmp, &chan_list, global_l) {
+ if (state && c->state != state)
+ continue;
+
+@@ -1992,11 +1992,10 @@ static struct l2cap_chan *l2cap_global_c
+ dst_match = !bacmp(&c->dst, dst);
+ if (src_match && dst_match) {
+ c = l2cap_chan_hold_unless_zero(c);
+- if (!c)
+- continue;
+-
+- read_unlock(&chan_list_lock);
+- return c;
++ if (c) {
++ read_unlock(&chan_list_lock);
++ return c;
++ }
+ }
+
+ /* Closest match */
diff --git a/queue-5.18/series b/queue-5.18/series
index 52142e88bc0..ada8f4b585b 100644
--- a/queue-5.18/series
+++ b/queue-5.18/series
@@ -1093,3 +1093,4 @@ f2fs-revive-f2fs_ioc_abort_volatile_write.patch
 drm-vc4-change-vc4_dma_range_matches-from-a-global-to-static.patch
 f2fs-fix-null-ptr-deref-in-f2fs_get_dnode_of_data.patch
 io_uring-mem-account-pbuf-buckets.patch
+bluetooth-l2cap-fix-l2cap_global_chan_by_psm-regression.patch