From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 26 Aug 2024 07:36:26 +0000 (+0200)
Subject: 6.1-stable patches
X-Git-Tag: v6.1.107~55
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=907565ce602da9b269ba0e7e4e9b0764b92599fd;p=thirdparty%2Fkernel%2Fstable-queue.git

6.1-stable patches

added patches:
	bluetooth-mgmt-add-error-handling-to-pair_device.patch
---

diff --git a/queue-6.1/bluetooth-mgmt-add-error-handling-to-pair_device.patch b/queue-6.1/bluetooth-mgmt-add-error-handling-to-pair_device.patch
new file mode 100644
index 00000000000..27bc091e79d
--- /dev/null
+++ b/queue-6.1/bluetooth-mgmt-add-error-handling-to-pair_device.patch
@@ -0,0 +1,37 @@
+From 538fd3921afac97158d4177139a0ad39f056dbb2 Mon Sep 17 00:00:00 2001
+From: Griffin Kroah-Hartman <griffin@kroah.com>
+Date: Thu, 15 Aug 2024 13:51:00 +0200
+Subject: Bluetooth: MGMT: Add error handling to pair_device()
+
+From: Griffin Kroah-Hartman <griffin@kroah.com>
+
+commit 538fd3921afac97158d4177139a0ad39f056dbb2 upstream.
+
+hci_conn_params_add() never checks for a NULL value and could lead to a NULL
+pointer dereference causing a crash.
+
+Fixed by adding error handling in the function.
+
+Cc: Stable <stable@kernel.org>
+Fixes: 5157b8a503fa ("Bluetooth: Fix initializing conn_params in scan phase")
+Signed-off-by: Griffin Kroah-Hartman <griffin@kroah.com>
+Reported-by: Yiwei Zhang <zhan4630@purdue.edu>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/mgmt.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -3524,6 +3524,10 @@ static int pair_device(struct sock *sk,
+ 		 * will be kept and this function does nothing.
+ 		 */
+ 		p = hci_conn_params_add(hdev, &cp->addr.bdaddr, addr_type);
++		if (!p) {
++			err = -EIO;
++			goto unlock;
++		}
+ 
+ 		if (p->auto_connect == HCI_AUTO_CONN_EXPLICIT)
+ 			p->auto_connect = HCI_AUTO_CONN_DISABLED;
diff --git a/queue-6.1/series b/queue-6.1/series
index bb3b7c9cedb..ac206888fd7 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -261,3 +261,4 @@ drm-msm-dp-fix-the-max-supported-bpp-logic.patch
 drm-msm-dp-reset-the-link-phy-params-before-link-tra.patch
 drm-msm-dpu-cleanup-fb-if-dpu_format_populate_layout.patch
 mmc-mmc_test-fix-null-dereference-on-allocation-fail.patch
+bluetooth-mgmt-add-error-handling-to-pair_device.patch