From: Griffin Kroah-Hartman <griffin@xxxxxxxxx> commit 538fd3921afac97158d4177139a0ad39f056dbb2 upstream. hci_conn_params_add() never checks for a NULL value and could lead to a NULL pointer dereference causing a crash. Fixed by adding error handling in the function. Cc: Stable <stable@xxxxxxxxxx> Fixes: 5157b8a503fa ("Bluetooth: Fix initializing conn_params in scan phase") Signed-off-by: Griffin Kroah-Hartman <griffin@xxxxxxxxx> Reported-by: Yiwei Zhang <zhan4630@xxxxxxxxxx> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- net/bluetooth/mgmt.c | 4 ++++ 1 file changed, 4 insertions(+) --- a/net/bluetooth/mgmt.c +++ b/net/bluetooth/mgmt.c @@ -2913,6 +2913,10 @@ static int pair_device(struct sock *sk, * will be kept and this function does nothing. */ p = hci_conn_params_add(hdev, &cp->addr.bdaddr, addr_type); + if (!p) { + err = -EIO; + goto unlock; + } if (p->auto_connect == HCI_AUTO_CONN_EXPLICIT) p->auto_connect = HCI_AUTO_CONN_DISABLED; Patches currently in stable-queue which might be from griffin@xxxxxxxxx are queue-4.19/bluetooth-mgmt-add-error-handling-to-pair_device.patch
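Review bot: The NULL check added before `p->auto_connect` is dereferenced is the right fix, but `-EIO` is an unusual errno for a failed hci_conn_params_add(); the hunk does not show why that function returns NULL, so confirm the failure mode and, if it is an allocation failure, prefer `-ENOMEM` so the mgmt caller reports the actual cause. It would also help to extend the existing comment ending `* will be kept and this function does nothing.` to say that a NULL return now bails out via `goto unlock`, and to check that reaching the `unlock` label with a non-zero `err` actually propagates that status to the management command reply rather than silently succeeding.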