Received: by 2002:ac0:da4c:0:0:0:0:0 with SMTP id a12csp556279imi;
        Fri, 22 Jul 2022 04:57:48 -0700 (PDT)
X-Google-Smtp-Source: AGRyM1uomonbQYHfkxXldj89FTWjz0jFfN3+ioDgShxrCdt+SgoVx5rNsGr1A+xldS3F8pFCUg42
X-Received: by 2002:a05:6402:2b88:b0:43a:6c58:6c64 with SMTP id fj8-20020a0564022b8800b0043a6c586c64mr280825edb.348.1658491067815;
        Fri, 22 Jul 2022 04:57:47 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1658491067; cv=none;
        d=google.com; s=arc-20160816;
        b=KWZCqV7EbgxiVrG4nOEjZfec0/86aVA7q38y21sRvY4bSf2BIH5edFeWVKptrzsIP1
         Cmdg4kBeUIXvZH92YZ9JDBtxsKFRlOGtrzmLzh8JufGcO1sfREC50VUxiVZ53dp3f9uk
         I/60hz+lWX7Q2sZRertcSb88SyInyfzjjEgNJTkm1yzdvTFzHdZ2HAVyQp5OSEr788f2
         K7oXlY20dZ4Shnv06EgeVMSj8V8KK9dZzymG2B/1lamfS996gNh2lT0ddSFL1udxzZf7
         t/KYe1ggsFspeW6hlkkU56dgBonYhu8WYk9bZpmsTqeGzE43iAs9zmrwhVTAcuK4EUoe
         ZnDQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from;
        bh=IknZveUBlMRkM0WZXNCgcgfIMBi/x10m8LDXgoDHxmI=;
        b=nzo68TYhWpPQvwik4bwD+/dXXFDjmESJd3wAaj8oNNBStbJmSEbgx/4ICky5Adgxuy
         xL/Spx9VwKSPzJ2NTdzxWjY1wCav6BFcGSQOsTLVwzjosci6cfIFZmCXF6WE6zmHLl3a
         RqRahRu32hk8gcAXnPjRTarlzhC9QhDjjfA5k+gzIbcupZtn/SoxBaZUbQPKWCoxrOFM
         kdbTxFmoUPa83UsqHq59xC0USveAtJWXGdOdHRrJV4YJmDpJzWvlNJWMoCPtZ3rt+woS
         UIpsDrH/txwqFKFZ/mskiNUJtBMHGJ9AWioErlm+sIecjStb8VktQqy+CjiYvtHFIxSm
         zXfg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org
Return-Path: <linux-bluetooth-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id i7-20020a1709063c4700b0072f1f3ec581si5075849ejg.264.2022.07.22.04.57.07;
        Fri, 22 Jul 2022 04:57:47 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229992AbiGVLyH (ORCPT <rfc822;sandmor1220@gmail.com>
        + 99 others); Fri, 22 Jul 2022 07:54:07 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50024 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229704AbiGVLyG (ORCPT
        <rfc822;linux-bluetooth@vger.kernel.org>);
        Fri, 22 Jul 2022 07:54:06 -0400
Received: from giacobini.uberspace.de (giacobini.uberspace.de [185.26.156.129])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A796EBB200
        for <linux-bluetooth@vger.kernel.org>; Fri, 22 Jul 2022 04:54:03 -0700 (PDT)
Received: (qmail 4462 invoked by uid 990); 22 Jul 2022 11:54:01 -0000
Authentication-Results: giacobini.uberspace.de;
        auth=pass (plain)
From:   Soenke Huster <soenke.huster@eknoes.de>
To:     Marcel Holtmann <marcel@holtmann.org>,
        Johan Hedberg <johan.hedberg@gmail.com>,
        Luiz Augusto von Dentz <luiz.dentz@gmail.com>
Cc:     linux-bluetooth@vger.kernel.org,
        Soenke Huster <soenke.huster@eknoes.de>
Subject: [PATCH] Bluetooth: Fix null pointer deref on unexpected status event
Date:   Fri, 22 Jul 2022 13:53:07 +0200
Message-Id: <20220722115307.243056-1-soenke.huster@eknoes.de>
X-Mailer: git-send-email 2.37.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Rspamd-Bar: /
X-Rspamd-Report: BAYES_HAM(-2.999999) R_MISSING_CHARSET(0.5) MIME_GOOD(-0.1) MID_CONTAINS_FROM(1) SUSPICIOUS_RECIPS(1.5)
X-Rspamd-Score: -0.099999
Received: from unknown (HELO unkown) (::1)
        by giacobini.uberspace.de (Haraka/2.8.28) with ESMTPSA; Fri, 22 Jul 2022 13:54:00 +0200
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,
        MSGID_FROM_MTA_HEADER,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS
        autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-bluetooth.vger.kernel.org>
X-Mailing-List: linux-bluetooth@vger.kernel.org

__hci_cmd_sync returns NULL if the controller responds with a status
event. This is unexpected for the commands sent here, but on
occurrence leads to null pointer dereferences and thus must be
handled.

Signed-off-by: Soenke Huster <soenke.huster@eknoes.de>
---
 net/bluetooth/aosp.c | 15 ++++++++++++---
 net/bluetooth/msft.c | 15 ++++++++++++---
 2 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/net/bluetooth/aosp.c b/net/bluetooth/aosp.c
index 432ae3aac9e3..1d67836e95e1 100644
--- a/net/bluetooth/aosp.c
+++ b/net/bluetooth/aosp.c
@@ -54,7 +54,10 @@ void aosp_do_open(struct hci_dev *hdev)
 	/* LE Get Vendor Capabilities Command */
 	skb = __hci_cmd_sync(hdev, hci_opcode_pack(0x3f, 0x153), 0, NULL,
 			     HCI_CMD_TIMEOUT);
-	if (IS_ERR(skb)) {
+	if (IS_ERR_OR_NULL(skb)) {
+		if (!skb)
+			skb = ERR_PTR(-EIO);
+
 		bt_dev_err(hdev, "AOSP get vendor capabilities (%ld)",
 			   PTR_ERR(skb));
 		return;
@@ -152,7 +155,10 @@ static int enable_quality_report(struct hci_dev *hdev)
 
 	skb = __hci_cmd_sync(hdev, BQR_OPCODE, sizeof(cp), &cp,
 			     HCI_CMD_TIMEOUT);
-	if (IS_ERR(skb)) {
+	if (IS_ERR_OR_NULL(skb)) {
+		if (!skb)
+			skb = ERR_PTR(-EIO);
+
 		bt_dev_err(hdev, "Enabling Android BQR failed (%ld)",
 			   PTR_ERR(skb));
 		return PTR_ERR(skb);
@@ -171,7 +177,10 @@ static int disable_quality_report(struct hci_dev *hdev)
 
 	skb = __hci_cmd_sync(hdev, BQR_OPCODE, sizeof(cp), &cp,
 			     HCI_CMD_TIMEOUT);
-	if (IS_ERR(skb)) {
+	if (IS_ERR_OR_NULL(skb)) {
+		if (!skb)
+			skb = ERR_PTR(-EIO);
+
 		bt_dev_err(hdev, "Disabling Android BQR failed (%ld)",
 			   PTR_ERR(skb));
 		return PTR_ERR(skb);
diff --git a/net/bluetooth/msft.c b/net/bluetooth/msft.c
index 14975769f678..bee6a4c656be 100644
--- a/net/bluetooth/msft.c
+++ b/net/bluetooth/msft.c
@@ -120,7 +120,10 @@ static bool read_supported_features(struct hci_dev *hdev,
 
 	skb = __hci_cmd_sync(hdev, hdev->msft_opcode, sizeof(cp), &cp,
 			     HCI_CMD_TIMEOUT);
-	if (IS_ERR(skb)) {
+	if (IS_ERR_OR_NULL(skb)) {
+		if (!skb)
+			skb = ERR_PTR(-EIO);
+
 		bt_dev_err(hdev, "Failed to read MSFT supported features (%ld)",
 			   PTR_ERR(skb));
 		return false;
@@ -319,8 +322,11 @@ static int msft_remove_monitor_sync(struct hci_dev *hdev,
 
 	skb = __hci_cmd_sync(hdev, hdev->msft_opcode, sizeof(cp), &cp,
 			     HCI_CMD_TIMEOUT);
-	if (IS_ERR(skb))
+	if (IS_ERR_OR_NULL(skb)) {
+		if (!skb)
+			return -EIO;
 		return PTR_ERR(skb);
+	}
 
 	return msft_le_cancel_monitor_advertisement_cb(hdev, hdev->msft_opcode,
 						       monitor, skb);
@@ -432,8 +438,11 @@ static int msft_add_monitor_sync(struct hci_dev *hdev,
 			     HCI_CMD_TIMEOUT);
 	kfree(cp);
 
-	if (IS_ERR(skb))
+	if (IS_ERR_OR_NULL(skb)) {
+		if (!skb)
+			return -EIO;
 		return PTR_ERR(skb);
+	}
 
 	return msft_le_monitor_advertisement_cb(hdev, hdev->msft_opcode,
 						monitor, skb);
-- 
2.37.1