From: Greg Kroah-Hartman
Date: Mon, 15 Aug 2022 15:35:57 +0000 (+0200)
Subject: 4.14-stable patches
X-Git-Tag: v5.15.61~28
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cc73688c9e044201e9d9b246e0b764a32fca6bf6;p=thirdparty%2Fkernel%2Fstable-queue.git

4.14-stable patches

added patches:
        bluetooth-l2cap-fix-l2cap_global_chan_by_psm-regression.patch
---

diff --git a/queue-4.14/bluetooth-l2cap-fix-l2cap_global_chan_by_psm-regression.patch b/queue-4.14/bluetooth-l2cap-fix-l2cap_global_chan_by_psm-regression.patch
new file mode 100644
index 00000000000..a6e315f907c
--- /dev/null
+++ b/queue-4.14/bluetooth-l2cap-fix-l2cap_global_chan_by_psm-regression.patch
@@ -0,0 +1,56 @@
+From 332f1795ca202489c665a75e62e18ff6284de077 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz
+Date: Mon, 1 Aug 2022 13:52:07 -0700
+Subject: Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm regression
+
+From: Luiz Augusto von Dentz
+
+commit 332f1795ca202489c665a75e62e18ff6284de077 upstream.
+
+The patch d0be8347c623: "Bluetooth: L2CAP: Fix use-after-free caused
+by l2cap_chan_put" from Jul 21, 2022, leads to the following Smatch
+static checker warning:
+
+	net/bluetooth/l2cap_core.c:1977 l2cap_global_chan_by_psm()
+	error: we previously assumed 'c' could be null (see line 1996)
+
+Fixes: d0be8347c623 ("Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put")
+Reported-by: Dan Carpenter
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bluetooth/l2cap_core.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -1804,11 +1804,11 @@ static struct l2cap_chan *l2cap_global_c
+ 					bdaddr_t *dst,
+ 					u8 link_type)
+ {
+-	struct l2cap_chan *c, *c1 = NULL;
++	struct l2cap_chan *c, *tmp, *c1 = NULL;
+ 
+ 	read_lock(&chan_list_lock);
+ 
+-	list_for_each_entry(c, &chan_list, global_l) {
++	list_for_each_entry_safe(c, tmp, &chan_list, global_l) {
+ 		if (state && c->state != state)
+ 			continue;
+ 
+@@ -1827,11 +1827,10 @@ static struct l2cap_chan *l2cap_global_c
+ 			dst_match = !bacmp(&c->dst, dst);
+ 			if (src_match && dst_match) {
+ 				c = l2cap_chan_hold_unless_zero(c);
+-				if (!c)
+-					continue;
+-
+-				read_unlock(&chan_list_lock);
+-				return c;
++				if (c) {
++					read_unlock(&chan_list_lock);
++					return c;
++				}
+ 			}
+ 
+ 			/* Closest match */
diff --git a/queue-4.14/series b/queue-4.14/series
index 0bf2e388760..05ad6625cab 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
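Review bot: In the second hunk of the embedded patch, `c = l2cap_chan_hold_unless_zero(c);` leaves `c` NULL when the channel's refcount has already reached zero, and with the `continue` removed execution now falls through past the new `if (c) { ... }` block into the `/* Closest match */` code, which lies outside the hunk; whether that code tolerates a NULL `c` cannot be confirmed from here and should be checked against the 4.14 tree when applying this backport. The switch to `list_for_each_entry_safe` is what keeps the fall-through safe for the iterator itself, since the plain `list_for_each_entry` would reload the next node through the now-NULL `c`; that reasoning is not obvious from the code and deserves a comment on the new iterator line, e.g. `/* _safe: c is overwritten by l2cap_chan_hold_unless_zero() below */`. l2cap_global_chan_by_psm begins before and ends after this hunk.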
@@ -172,3 +172,4 @@ kvm-x86-avoid-theoretical-null-pointer-dereference-in-kvm_irq_delivery_to_apic_f
 tcp-fix-over-estimation-in-sk_forced_mem_schedule.patch
 scsi-sg-allow-waiting-for-commands-to-complete-on-removed-device.patch
 revert-net-usb-ax88179_178a-needs-flag_send_zlp.patch
+bluetooth-l2cap-fix-l2cap_global_chan_by_psm-regression.patch