Patch "Bluetooth: hci_conn: Fix crash on hci_create_cis_sync" has been added to the 6.0-stable tree

This is a note to let you know that I've just added the patch titled

    Bluetooth: hci_conn: Fix crash on hci_create_cis_sync

to the 6.0-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bluetooth-hci_conn-fix-crash-on-hci_create_cis_sync.patch
and it can be found in the queue-6.0 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 44dc8f3b9212678f58cd3a254010cbc6a4696bab
Author: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
Date:   Mon Dec 5 17:11:57 2022 -0800

    Bluetooth: hci_conn: Fix crash on hci_create_cis_sync
    
    [ Upstream commit 50757a259ba78c4e938b5735e76ffec6cd0c942e ]
    
    Attempting to connect multiple ISO sockets without using
    DEFER_SETUP may result in the following crash:
    
    BUG: KASAN: null-ptr-deref in hci_create_cis_sync+0x18b/0x2b0
    Read of size 2 at addr 0000000000000036 by task kworker/u3:1/50
    
    CPU: 0 PID: 50 Comm: kworker/u3:1 Not tainted
    6.0.0-rc7-02243-gb84a13ff4eda #4373
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009),
    BIOS 1.16.0-1.fc36 04/01/2014
    Workqueue: hci0 hci_cmd_sync_work
    Call Trace:
     <TASK>
     dump_stack_lvl+0x19/0x27
     kasan_report+0xbc/0xf0
     ? hci_create_cis_sync+0x18b/0x2b0
     hci_create_cis_sync+0x18b/0x2b0
     ? get_link_mode+0xd0/0xd0
     ? __ww_mutex_lock_slowpath+0x10/0x10
     ? mutex_lock+0xe0/0xe0
     ? get_link_mode+0xd0/0xd0
     hci_cmd_sync_work+0x111/0x190
     process_one_work+0x427/0x650
     worker_thread+0x87/0x750
     ? process_one_work+0x650/0x650
     kthread+0x14e/0x180
     ? kthread_exit+0x50/0x50
     ret_from_fork+0x22/0x30
     </TASK>
    
    Fixes: 26afbd826ee3 ("Bluetooth: Add initial implementation of CIS connections")
    Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index f26ed278d9e3..67360444eee6 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -1817,7 +1817,7 @@ static int hci_create_cis_sync(struct hci_dev *hdev, void *data)
 			continue;
 
 		/* Check if all CIS(s) belonging to a CIG are ready */
-		if (conn->link->state != BT_CONNECTED ||
+		if (!conn->link || conn->link->state != BT_CONNECTED ||
 		    conn->state != BT_CONNECT) {
 			cmd.cp.num_cis = 0;
 			break;
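Review bot: the new `!conn->link` guard is evaluated before `conn->link->state`, so the short-circuit order is right and it matches the KASAN report above (a 2-byte read at address 0x36 is consistent with reading the `state` field through a NULL `conn->link`). One point worth a comment in the hunk: a CIS with no `link` now takes the same path as a CIS whose ACL is not yet BT_CONNECTED (`cmd.cp.num_cis = 0; break;`), i.e. creation of the whole CIG is postponed rather than that CIS being skipped with `continue`; a short comment stating that an unlinked CIS counts as "not ready" would make that intent explicit, since this is the state reached when sockets are connected without DEFER_SETUP.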


