From: Luiz Augusto von Dentz
Date: Thu, 2 May 2024 10:48:13 -0400
Subject: Re: [PATCH] Bluetooth: HCI: Fix potential null-ptr-deref
To: Sungwoo Kim
Cc: daveti@purdue.edu, benquike@gmail.com, Marcel Holtmann, Johan Hedberg, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org

Hi Sungwoo,

On Wed, May 1, 2024 at 10:22 PM Sungwoo Kim wrote:
>
> Dear all,

Not sure if you are following what I actually enter as patch
description, that normally doesn't include things like Dear all, etc.

> hci_le_big_sync_established_evt() has a potential null-ptr-deref bug.
>
> hci_le_big_sync_established_evt()
>   bis = hci_conn_hash_lookup_handle(hdev, handle);
>   if (!bis)
>     bis = hci_conn_add()                           <- could fail
>   /* ... */
>   bis = hci_conn_hash_lookup_handle(hdev, handle);
>   set_bit(HCI_CONN_BIG_SYNC_FAILED, &bis->flags);  <- null-ptr-deref
>
> There is a missing check after hci_conn_hash_lookup_handle(), which can
> return NULL. Especially, if a prior hci_conn_add() fails, then
> hci_conn_hash_lookup_handle() will return NULL.
>
> This patch fixes this by adding a check.

Nor the one below.

> Thanks,
> Sungwoo.

And by now I'd expect you to start adding the Fixes tag as well.

> Signed-off-by: Sungwoo Kim
> ---
>  net/bluetooth/hci_event.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> index 4a27e4a17..d72d238c1 100644
> --- a/net/bluetooth/hci_event.c
> +++ b/net/bluetooth/hci_event.c
> @@ -7037,6 +7037,8 @@ static void hci_le_big_sync_established_evt(struct hci_dev *hdev, void *data,
>  		u16 handle = le16_to_cpu(ev->bis[i]);
>
>  		bis = hci_conn_hash_lookup_handle(hdev, handle);
> +		if (!bis)
> +			continue;
>
>  		set_bit(HCI_CONN_BIG_SYNC_FAILED, &bis->flags);
>  		hci_connect_cfm(bis, ev->status);
> --
> 2.34.1
>

-- 
Luiz Augusto von Dentz
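Review bot: The patch carries no Fixes: tag naming the commit that introduced this second `hci_conn_hash_lookup_handle()` loop in hci_le_big_sync_established_evt(), so the NULL-dereference fix will not be picked up by stable automatically; add one above the Signed-off-by. On the hunk itself, `continue` is the right choice over `break`: a handle with no `hci_conn` has nothing to flag or notify via `hci_connect_cfm()`, while the remaining entries in `ev->bis[]` may still have connections that must receive `HCI_CONN_BIG_SYNC_FAILED` and the status callback. The commit message already explains that the NULL comes from a failed `hci_conn_add()` in the earlier loop; it would help to say so in a one-line comment above the check so a later reader does not take it for an unreachable defensive guard.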