This is a note to let you know that I've just added the patch titled Bluetooth: hci_event: Make sure ISO events don't affect non-ISO connections to the 6.0-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: bluetooth-hci_event-make-sure-iso-events-don-t-affec.patch and it can be found in the queue-6.0 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. commit 7f8af1bf803f7b8ccc3bd5842b37a66332388599 Author: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx> Date: Mon Sep 19 11:10:17 2022 -0700 Bluetooth: hci_event: Make sure ISO events don't affect non-ISO connections [ Upstream commit ed680f925aea76ac666f34d9923cb40558f4e97b ] ISO events (CIS/BIS) shall only be relevant for connection with link type of ISO_LINK, otherwise the controller is probably buggy or it is the result of fuzzer tools such as syzkaller. Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c index d6f0e6ca0e7e..ab79a978deb5 100644 --- a/net/bluetooth/hci_event.c +++ b/net/bluetooth/hci_event.c @@ -6778,6 +6778,13 @@ static void hci_le_cis_estabilished_evt(struct hci_dev *hdev, void *data, goto unlock; } + if (conn->type != ISO_LINK) { + bt_dev_err(hdev, + "Invalid connection link type handle 0x%4.4x", + handle); + goto unlock; + } + if (conn->role == HCI_ROLE_SLAVE) { __le32 interval; @@ -6898,6 +6905,13 @@ static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data, if (!conn) goto unlock; + if (conn->type != ISO_LINK) { + bt_dev_err(hdev, + "Invalid connection link type handle 0x%2.2x", + ev->handle); + goto unlock; + } + if (ev->num_bis) conn->handle = __le16_to_cpu(ev->bis_handle[0]);
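Review bot: the check added in hci_le_cis_estabilished_evt only logs and jumps to unlock, and bt_dev_err is not rate-limited, so the buggy-controller or fuzzer case the commit message describes will produce one error line per bogus CIS Established event; consider the rate-limited variant of bt_dev_err (or a warning level) if that turns out to be noisy. Placement is otherwise right: the check sits after the existing `goto unlock` for the lookup failure and before the `if (conn->role == HCI_ROLE_SLAVE)` branch, so none of the interval handling below runs against a non-ISO conn.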
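Review bot: in hci_le_create_big_complete_evt the new check correctly precedes `conn->handle = __le16_to_cpu(ev->bis_handle[0]);`, so a conn of the wrong link type can no longer have its handle overwritten with controller-supplied data. One wording point: the value printed here is ev->handle, the 8-bit BIG handle (hence 0x%2.2x), not a connection handle, so a message such as "Invalid connection link type BIG handle 0x%2.2x" would keep the two hunks' log lines distinguishable when both fire.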