author | Oleksandr Suvorov <oleksandr.suvorov@toradex.com> | 2020-04-06 14:40:16 +0300 |
---|---|---|
committer | Oleksandr Suvorov <oleksandr.suvorov@toradex.com> | 2020-04-06 14:41:48 +0300 |
commit | 96fda21809edc7094f0c4d3f46e3ac4d39f7c9f5 (patch) | |
tree | 8a2030d254100efe63a78709dca7f89db9105d0d | |
parent | 25c008952d3a61c9c402126d4ba7424ef8132f90 (diff) |
Bluetooth: Fix possible NULL pointer dereference
Backport of the upstreamed but not merged patch [1].
It fixes a crash like [2].
If we disconnect a device before completing the connection, the connection
will no longer be available in the connection list, thus conn will be NULL.
[1] https://www.spinics.net/lists/linux-bluetooth/msg70764.html
[2]
[ 4960.112410] Unable to handle kernel NULL pointer dereference at virtual address 0000001a
[ 4961.120795] Mem abort info:
[ 4961.128933] Exception class = DABT (current EL), IL = 32 bits
[ 4961.140189] SET = 0, FnV = 0
[ 4961.148719] EA = 0, S1PTW = 0
[ 4961.157065] Data abort info:
[ 4961.165047] ISV = 0, ISS = 0x00000004
[ 4961.173975] CM = 0, WnR = 0
[ 4961.181934] user pgtable: 4k pages, 48-bit VAs, pgd = ffff80084f467000
[ 4961.193579] [000000000000001a] *pgd=0000000000000000
[ 4961.201942] Internal error: Oops: 96000004 [#1] PREEMPT SMP
[ 4961.210271] Modules linked in: veth xt_nat xt_tcpudp ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 xt_addrtype iptable_filter ip_tables xt_conntrack x_tables nf_nat nf_conntrack libcrc32c br_netfilter bridge stp overlay crc32_ce crct10dif_ce mwifiex_pcie mwifiex cdc_acm galcore(O)
[ 4961.255701] Process kworker/u13:0 (pid: 12632, stack limit = 0xffff00002e5e8000)
[ 4961.268662] CPU: 3 PID: 12632 Comm: kworker/u13:0 Tainted: G O 4.14.159-4.0.0-devel+git.fff496c2a1bd #1
[ 4961.284881] Hardware name: Toradex Apalis iMX8QM/QP on Apalis Evaluation Board (DT)
[ 4961.298330] Workqueue: hci0 hci_rx_work
[ 4961.307903] task: ffff80084faa8d80 task.stack: ffff00002e5e8000
[ 4961.319611] PC is at hci_connect_le_scan_cleanup+0x14/0x128
[ 4961.330986] LR is at create_le_conn_complete+0xec/0x108
Signed-off-by: Thomas Gagneret <tgagneret@xxxxxxxxxxx>
Signed-off-by: Oleksandr Suvorov <oleksandr.suvorov@toradex.com>
-rw-r--r-- | net/bluetooth/hci_conn.c | 15 |
1 files changed, 6 insertions, 9 deletions
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c index 1d085eed72d0..c7b909a5aaec 100644 --- a/net/bluetooth/hci_conn.c +++ b/net/bluetooth/hci_conn.c @@ -723,20 +723,17 @@ static void create_le_conn_complete(struct hci_dev *hdev, u8 status, u16 opcode) hci_dev_lock(hdev); conn = hci_lookup_le_connect(hdev); + if (!conn) + goto done; if (!status) { hci_connect_le_scan_cleanup(conn); - goto done; + } else { + BT_ERR("HCI request failed to create LE connection: status 0x%2.2x", + status); + hci_le_conn_failed(conn, status); } - BT_ERR("HCI request failed to create LE connection: status 0x%2.2x", - status); - - if (!conn) - goto done; - - hci_le_conn_failed(conn, status); - done: hci_dev_unlock(hdev); } |
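Review bot: moving the `if (!conn) goto done;` check ahead of the status branch silently drops the diagnostic for the failure-plus-no-connection case: before this hunk, `BT_ERR("HCI request failed to create LE connection: status 0x%2.2x", status);` was emitted whenever `status` was non-zero, regardless of whether `hci_lookup_le_connect(hdev)` returned NULL; after it, a failed LE connect whose `conn` has already been removed from the list is neither logged nor handled. The NULL check itself is correct and is what keeps `hci_connect_le_scan_cleanup(conn)` from dereferencing NULL in the `!status` path (the `hci_connect_le_scan_cleanup+0x14` PC in the trace above), but consider keeping the `BT_ERR` reachable for `status != 0` even when `conn` is NULL, e.g. by logging before the `if (!conn)` test or by placing the NULL check only around the `hci_le_conn_failed(conn, status)` / `hci_connect_le_scan_cleanup(conn)` calls, so that a controller-reported failure is still visible in the log when the connection has already been torn down. Also note the commit message says the upstream patch [1] was not merged; when backporting an unmerged fix it is worth recording in the message why (e.g. a different fix landed upstream, or review feedback) so the next rebase knows whether to keep or drop this change.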