From: Luiz Augusto von Dentz <[email protected]>
Attempting to connect multiple ISO sockets without using
DEFER_SETUP may result in the following crash:
BUG: KASAN: null-ptr-deref in hci_create_cis_sync+0x18b/0x2b0
Read of size 2 at addr 0000000000000036 by task kworker/u3:1/50
CPU: 0 PID: 50 Comm: kworker/u3:1 Not tainted 6.0.0-rc7-02243-gb84a13ff4eda #4373
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-1.fc36 04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
<TASK>
dump_stack_lvl+0x19/0x27
kasan_report+0xbc/0xf0
? hci_create_cis_sync+0x18b/0x2b0
hci_create_cis_sync+0x18b/0x2b0
? get_link_mode+0xd0/0xd0
? __ww_mutex_lock_slowpath+0x10/0x10
? mutex_lock+0xe0/0xe0
? get_link_mode+0xd0/0xd0
hci_cmd_sync_work+0x111/0x190
process_one_work+0x427/0x650
worker_thread+0x87/0x750
? process_one_work+0x650/0x650
kthread+0x14e/0x180
? kthread_exit+0x50/0x50
ret_from_fork+0x22/0x30
</TASK>
Fixes: 26afbd826ee3 ("Bluetooth: Add initial implementation of CIS connections")
Signed-off-by: Luiz Augusto von Dentz <[email protected]>
---
net/bluetooth/hci_conn.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 3287b2ca789e..d3e542c2fc3e 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -1879,7 +1879,7 @@ static int hci_create_cis_sync(struct hci_dev *hdev, void *data)
continue;
/* Check if all CIS(s) belonging to a CIG are ready */
- if (conn->link->state != BT_CONNECTED ||
+ if (!conn->link || conn->link->state != BT_CONNECTED ||
conn->state != BT_CONNECT) {
cmd.cp.num_cis = 0;
break;
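Review bot: the added `!conn->link ||` short-circuit is ordered correctly and removes the NULL dereference, and the reported KASAN read of size 2 at address 0x36 is consistent with loading `conn->link->state` through a NULL `link` pointer, so the hunk matches the crash in the commit message. What is not documented is why `link` can be NULL on this path and whether treating a missing link exactly like a not-yet-connected one (`cmd.cp.num_cis = 0; break;`) is the intended outcome rather than only crash avoidance; a short addition to the existing "Check if all CIS(s) belonging to a CIG are ready" comment, or a sentence in the commit message, stating that the scenario described (several ISO sockets connected without DEFER_SETUP) reaches this loop before `conn->link` has been set would make that explicit for future readers.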
--
2.37.3
This is an automated email, please do not reply to it!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=702026
---Test result---
Test Summary:
CheckPatch PASS 0.59 seconds
GitLint PASS 0.29 seconds
SubjectPrefix PASS 0.10 seconds
BuildKernel PASS 34.15 seconds
BuildKernel32 PASS 30.43 seconds
TestRunnerSetup PASS 426.68 seconds
TestRunner_l2cap-tester PASS 16.16 seconds
TestRunner_iso-tester PASS 16.19 seconds
TestRunner_bnep-tester PASS 5.58 seconds
TestRunner_mgmt-tester PASS 108.27 seconds
TestRunner_rfcomm-tester PASS 9.54 seconds
TestRunner_sco-tester PASS 8.95 seconds
TestRunner_ioctl-tester PASS 10.44 seconds
TestRunner_mesh-tester PASS 7.01 seconds
TestRunner_smp-tester PASS 8.73 seconds
TestRunner_userchan-tester PASS 5.93 seconds
IncrementalBuild PASS 31.51 seconds
---
Regards,
Linux Bluetooth
Hello:
This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <[email protected]>:
On Mon, 5 Dec 2022 17:23:23 -0800 you wrote:
> From: Luiz Augusto von Dentz <[email protected]>
>
> Attempting to connect multiple ISO sockets without using
> DEFER_SETUP may result in the following crash:
>
> BUG: KASAN: null-ptr-deref in hci_create_cis_sync+0x18b/0x2b0
> Read of size 2 at addr 0000000000000036 by task kworker/u3:1/50
>
> [...]
Here is the summary with links:
- Bluetooth: hci_conn: Fix crash on hci_create_cis_sync
https://git.kernel.org/bluetooth/bluetooth-next/c/a49cd3f381cf
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html