Received: by 2002:ac0:da4c:0:0:0:0:0 with SMTP id a12csp556279imi; Fri, 22 Jul 2022 04:57:48 -0700 (PDT) X-Google-Smtp-Source: AGRyM1uomonbQYHfkxXldj89FTWjz0jFfN3+ioDgShxrCdt+SgoVx5rNsGr1A+xldS3F8pFCUg42 X-Received: by 2002:a05:6402:2b88:b0:43a:6c58:6c64 with SMTP id fj8-20020a0564022b8800b0043a6c586c64mr280825edb.348.1658491067815; Fri, 22 Jul 2022 04:57:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1658491067; cv=none; d=google.com; s=arc-20160816; b=KWZCqV7EbgxiVrG4nOEjZfec0/86aVA7q38y21sRvY4bSf2BIH5edFeWVKptrzsIP1 Cmdg4kBeUIXvZH92YZ9JDBtxsKFRlOGtrzmLzh8JufGcO1sfREC50VUxiVZ53dp3f9uk I/60hz+lWX7Q2sZRertcSb88SyInyfzjjEgNJTkm1yzdvTFzHdZ2HAVyQp5OSEr788f2 K7oXlY20dZ4Shnv06EgeVMSj8V8KK9dZzymG2B/1lamfS996gNh2lT0ddSFL1udxzZf7 t/KYe1ggsFspeW6hlkkU56dgBonYhu8WYk9bZpmsTqeGzE43iAs9zmrwhVTAcuK4EUoe ZnDQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from; bh=IknZveUBlMRkM0WZXNCgcgfIMBi/x10m8LDXgoDHxmI=; b=nzo68TYhWpPQvwik4bwD+/dXXFDjmESJd3wAaj8oNNBStbJmSEbgx/4ICky5Adgxuy xL/Spx9VwKSPzJ2NTdzxWjY1wCav6BFcGSQOsTLVwzjosci6cfIFZmCXF6WE6zmHLl3a RqRahRu32hk8gcAXnPjRTarlzhC9QhDjjfA5k+gzIbcupZtn/SoxBaZUbQPKWCoxrOFM kdbTxFmoUPa83UsqHq59xC0USveAtJWXGdOdHRrJV4YJmDpJzWvlNJWMoCPtZ3rt+woS UIpsDrH/txwqFKFZ/mskiNUJtBMHGJ9AWioErlm+sIecjStb8VktQqy+CjiYvtHFIxSm zXfg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id i7-20020a1709063c4700b0072f1f3ec581si5075849ejg.264.2022.07.22.04.57.07; Fri, 22 Jul 2022 04:57:47 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229992AbiGVLyH (ORCPT + 99 others); Fri, 22 Jul 2022 07:54:07 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50024 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229704AbiGVLyG (ORCPT ); Fri, 22 Jul 2022 07:54:06 -0400 Received: from giacobini.uberspace.de (giacobini.uberspace.de [185.26.156.129]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A796EBB200 for ; Fri, 22 Jul 2022 04:54:03 -0700 (PDT) Received: (qmail 4462 invoked by uid 990); 22 Jul 2022 11:54:01 -0000 Authentication-Results: giacobini.uberspace.de; auth=pass (plain) From: Soenke Huster To: Marcel Holtmann , Johan Hedberg , Luiz Augusto von Dentz Cc: linux-bluetooth@vger.kernel.org, Soenke Huster Subject: [PATCH] Bluetooth: Fix null pointer deref on unexpected status event Date: Fri, 22 Jul 2022 13:53:07 +0200 Message-Id: <20220722115307.243056-1-soenke.huster@eknoes.de> X-Mailer: git-send-email 2.37.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Rspamd-Bar: / X-Rspamd-Report: BAYES_HAM(-2.999999) R_MISSING_CHARSET(0.5) MIME_GOOD(-0.1) MID_CONTAINS_FROM(1) SUSPICIOUS_RECIPS(1.5) X-Rspamd-Score: -0.099999 Received: from unknown (HELO unkown) (::1) by giacobini.uberspace.de (Haraka/2.8.28) with ESMTPSA; Fri, 22 Jul 2022 13:54:00 +0200 X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00, MSGID_FROM_MTA_HEADER,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org __hci_cmd_sync returns NULL if the controller responds with a status event. This is unexpected for the commands sent here, but on occurrence leads to null pointer dereferences and thus must be handled. Signed-off-by: Soenke Huster --- net/bluetooth/aosp.c | 15 ++++++++++++--- net/bluetooth/msft.c | 15 ++++++++++++--- 2 files changed, 24 insertions(+), 6 deletions(-) diff --git a/net/bluetooth/aosp.c b/net/bluetooth/aosp.c index 432ae3aac9e3..1d67836e95e1 100644 --- a/net/bluetooth/aosp.c +++ b/net/bluetooth/aosp.c @@ -54,7 +54,10 @@ void aosp_do_open(struct hci_dev *hdev) /* LE Get Vendor Capabilities Command */ skb = __hci_cmd_sync(hdev, hci_opcode_pack(0x3f, 0x153), 0, NULL, HCI_CMD_TIMEOUT); - if (IS_ERR(skb)) { + if (IS_ERR_OR_NULL(skb)) { + if (!skb) + skb = ERR_PTR(-EIO); + bt_dev_err(hdev, "AOSP get vendor capabilities (%ld)", PTR_ERR(skb)); return; @@ -152,7 +155,10 @@ static int enable_quality_report(struct hci_dev *hdev) skb = __hci_cmd_sync(hdev, BQR_OPCODE, sizeof(cp), &cp, HCI_CMD_TIMEOUT); - if (IS_ERR(skb)) { + if (IS_ERR_OR_NULL(skb)) { + if (!skb) + skb = ERR_PTR(-EIO); + bt_dev_err(hdev, "Enabling Android BQR failed (%ld)", PTR_ERR(skb)); return PTR_ERR(skb); @@ -171,7 +177,10 @@ static int disable_quality_report(struct hci_dev *hdev) skb = __hci_cmd_sync(hdev, BQR_OPCODE, sizeof(cp), &cp, HCI_CMD_TIMEOUT); - if (IS_ERR(skb)) { + if (IS_ERR_OR_NULL(skb)) { + if (!skb) + skb = ERR_PTR(-EIO); + bt_dev_err(hdev, "Disabling Android BQR failed (%ld)", PTR_ERR(skb)); return PTR_ERR(skb); diff --git a/net/bluetooth/msft.c b/net/bluetooth/msft.c index 14975769f678..bee6a4c656be 100644 --- a/net/bluetooth/msft.c +++ b/net/bluetooth/msft.c @@ -120,7 +120,10 @@ static bool read_supported_features(struct hci_dev *hdev, skb = __hci_cmd_sync(hdev, hdev->msft_opcode, sizeof(cp), &cp, HCI_CMD_TIMEOUT); - if (IS_ERR(skb)) { + if (IS_ERR_OR_NULL(skb)) { + if (!skb) + skb = ERR_PTR(-EIO); + bt_dev_err(hdev, "Failed to read MSFT supported features (%ld)", PTR_ERR(skb)); return false; @@ -319,8 +322,11 @@ static int msft_remove_monitor_sync(struct hci_dev *hdev, skb = __hci_cmd_sync(hdev, hdev->msft_opcode, sizeof(cp), &cp, HCI_CMD_TIMEOUT); - if (IS_ERR(skb)) + if (IS_ERR_OR_NULL(skb)) { + if (!skb) + return -EIO; return PTR_ERR(skb); + } return msft_le_cancel_monitor_advertisement_cb(hdev, hdev->msft_opcode, monitor, skb); @@ -432,8 +438,11 @@ static int msft_add_monitor_sync(struct hci_dev *hdev, HCI_CMD_TIMEOUT); kfree(cp); - if (IS_ERR(skb)) + if (IS_ERR_OR_NULL(skb)) { + if (!skb) + return -EIO; return PTR_ERR(skb); + } return msft_le_monitor_advertisement_cb(hdev, hdev->msft_opcode, monitor, skb); -- 2.37.1