c94a934f3e1d4ff887d26df3c42b665bf55ef5eccada7955105c649d.patch - chromiumos/third_party/kernel-rebase-patches - Git at Google

 From fcf8f93b9c0c0e6d28a11ad2deb4de82263861d7 Mon Sep 17 00:00:00 2001
 From: Soenke Huster <soenke.huster@eknoes.de>
 Date: Fri, 14 Jan 2022 17:44:02 +0100
 Subject: [PATCH] BACKPORT: FROMGIT: Bluetooth: fix null ptr deref on
  hci_sync_conn_complete_evt

 This event is just specified for SCO and eSCO link types.
 On the reception of a HCI_Synchronous_Connection_Complete for a BDADDR
 of an existing LE connection, LE link type and a status that triggers the
 second case of the packet processing a NULL pointer dereference happens,
 as conn->link is NULL.

 Signed-off-by: Soenke Huster <soenke.huster@eknoes.de>
 Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

 (cherry picked from commit 3afee2118132e93e5f6fa636dfde86201a860ab3
  https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git master)

 Conflicts:
    net/bluetooth/hci_event.c
    bt_dev_dbg() was introduced by (3e54c5890c87 Bluetooth:
    hci_event: Use of a function table to handle HCI events).
    To resolve the conflict, we simply use BT_DBG().

 BUG=b:196661726
 TEST=C reproducer from b/196661726

 Signed-off-by: Ying Hsu <yinghsu@chromium.org>
 Change-Id: I6d0cd892f1f99259fff36c800eb409f8c6694382
 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/3513794
 Reviewed-by: Shyh-In Hwang <josephsih@chromium.org>
 Reviewed-by: Archie Pusaka <apusaka@chromium.org>
 ---
  net/bluetooth/hci_event.c | 13 +++++++++++++
  1 file changed, 13 insertions(+)

 diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
 index d540b80d2a5b..43b4a7734b7c 100644
 --- a/net/bluetooth/hci_event.c
 +++ b/net/bluetooth/hci_event.c
 @@ -4680,6 +4680,19 @@ static void hci_sync_conn_complete_evt(struct hci_dev *hdev, void *data,
  	struct hci_ev_sync_conn_complete *ev = data;
  	struct hci_conn *conn;

 +	switch (ev->link_type) {
 +	case SCO_LINK:
 +	case ESCO_LINK:
 +		break;
 +	default:
 +		/* As per Core 5.3 Vol 4 Part E 7.7.35 (p.2219), Link_Type
 +		 * for HCI_Synchronous_Connection_Complete is limited to
 +		 * either SCO or eSCO
 +		 */
 +		bt_dev_err(hdev, "Ignoring connect complete event for invalid link type");
 +		return;
 +	}
 +
  	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);

  	hci_dev_lock(hdev);
 --
 2.35.1.723.g4982287a31-goog
	From fcf8f93b9c0c0e6d28a11ad2deb4de82263861d7 Mon Sep 17 00:00:00 2001
	From: Soenke Huster <soenke.huster@eknoes.de>
	Date: Fri, 14 Jan 2022 17:44:02 +0100
	Subject: [PATCH] BACKPORT: FROMGIT: Bluetooth: fix null ptr deref on
	hci_sync_conn_complete_evt

	This event is just specified for SCO and eSCO link types.
	On the reception of a HCI_Synchronous_Connection_Complete for a BDADDR
	of an existing LE connection, LE link type and a status that triggers the
	second case of the packet processing a NULL pointer dereference happens,
	as conn->link is NULL.

	Signed-off-by: Soenke Huster <soenke.huster@eknoes.de>
	Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

	(cherry picked from commit 3afee2118132e93e5f6fa636dfde86201a860ab3
	https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git master)

	Conflicts:
	net/bluetooth/hci_event.c
	bt_dev_dbg() was introduced by (3e54c5890c87 Bluetooth:
	hci_event: Use of a function table to handle HCI events).
	To resolve the conflict, we simply use BT_DBG().

	BUG=b:196661726
	TEST=C reproducer from b/196661726

	Signed-off-by: Ying Hsu <yinghsu@chromium.org>
	Change-Id: I6d0cd892f1f99259fff36c800eb409f8c6694382
	Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/3513794
	Reviewed-by: Shyh-In Hwang <josephsih@chromium.org>
	Reviewed-by: Archie Pusaka <apusaka@chromium.org>
	---
	net/bluetooth/hci_event.c \| 13 +++++++++++++
	1 file changed, 13 insertions(+)

	diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
	index d540b80d2a5b..43b4a7734b7c 100644
	--- a/net/bluetooth/hci_event.c
	+++ b/net/bluetooth/hci_event.c
	@@ -4680,6 +4680,19 @@ static void hci_sync_conn_complete_evt(struct hci_dev hdev, void data,
	struct hci_ev_sync_conn_complete *ev = data;
	struct hci_conn *conn;

	+ switch (ev->link_type) {
	+ case SCO_LINK:
	+ case ESCO_LINK:
	+ break;
	+ default:
	+ /* As per Core 5.3 Vol 4 Part E 7.7.35 (p.2219), Link_Type
	+ * for HCI_Synchronous_Connection_Complete is limited to
	+ * either SCO or eSCO
	+ */
	+ bt_dev_err(hdev, "Ignoring connect complete event for invalid link type");
	+ return;
	+ }
	+
	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);

	hci_dev_lock(hdev);
	--
	2.35.1.723.g4982287a31-goog