From: Johan Hedberg Date: Mon, 6 Jan 2014 16:27:01 +0000 (+0200) Subject: Bluetooth: Fix NULL pointer dereference when disconnecting X-Git-Tag: firefly_0821_release~176^2~4570^2~3^2^2~67^2~7 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=8cef8f50d47169b122d7e2dc51fd4370fadd6bfa;p=firefly-linux-kernel-4.4.55.git Bluetooth: Fix NULL pointer dereference when disconnecting When disconnecting it is possible that the l2cap_conn pointer is already NULL when bt_6lowpan_del_conn() is entered. Looking at l2cap_conn_del also verifies this as there's a NULL check there too. This patch adds the missing NULL check without which the following bug may occur: BUG: unable to handle kernel NULL pointer dereference at (null) IP: [] bt_6lowpan_del_conn+0x19/0x12a *pde = 00000000 Oops: 0000 [#1] SMP CPU: 1 PID: 52 Comm: kworker/u5:1 Not tainted 3.12.0+ #196 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 Workqueue: hci0 hci_rx_work task: f6259b00 ti: f48c0000 task.ti: f48c0000 EIP: 0060:[] EFLAGS: 00010282 CPU: 1 EIP is at bt_6lowpan_del_conn+0x19/0x12a EAX: 00000000 EBX: ef094e10 ECX: 00000000 EDX: 00000016 ESI: 00000000 EDI: f48c1e60 EBP: f48c1e50 ESP: f48c1e34 DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 CR0: 8005003b CR2: 00000000 CR3: 30c65000 CR4: 00000690 Stack: f4d38000 00000000 f4d38000 00000002 ef094e10 00000016 f48c1e60 f48c1e70 c1316bed f48c1e84 c1316bed 00000000 00000001 ef094e10 f48c1e84 f48c1ed0 c1303cc6 c1303c7b f31f331a c1303cc6 f6e7d1c0 f3f8ea16 f3f8f380 f4d38008 Call Trace: [] l2cap_disconn_cfm+0x3f/0x5b [] ? l2cap_disconn_cfm+0x3f/0x5b [] hci_event_packet+0x645/0x2117 [] ? hci_event_packet+0x5fa/0x2117 [] ? hci_event_packet+0x645/0x2117 [] ? __kfree_skb+0x65/0x68 [] ? kfree_skb+0x2b/0x2e [] ? hci_send_to_sock+0x18d/0x199 [] hci_rx_work+0xf9/0x295 [] ? hci_rx_work+0xf9/0x295 [] process_one_work+0x128/0x1df [] ? _raw_spin_unlock_irq+0x8/0x12 [] ? process_one_work+0x128/0x1df [] worker_thread+0x127/0x1c4 [] ? rescuer_thread+0x216/0x216 [] kthread+0x88/0x8d [] ? task_rq_lock+0x37/0x6e [] ret_from_kernel_thread+0x1b/0x28 [] ? __kthread_parkme+0x50/0x50 Code: 05 b8 f4 ff ff ff 8d 65 f4 5b 5e 5f 5d 8d 67 f8 5f c3 57 8d 7c 24 08 83 e4 f8 ff 77 fc 55 89 e5 57 56f EIP: [] bt_6lowpan_del_conn+0x19/0x12a SS:ESP 0068:f48c1e34 CR2: 0000000000000000 Signed-off-by: Johan Hedberg Signed-off-by: Marcel Holtmann --- diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c index d84a3776095e..5f0b11d94d95 100644 --- a/net/bluetooth/6lowpan.c +++ b/net/bluetooth/6lowpan.c @@ -785,7 +785,7 @@ int bt_6lowpan_del_conn(struct l2cap_conn *conn) unsigned long flags; bool last = false; - if (!is_bt_6lowpan(conn->hcon)) + if (!conn || !is_bt_6lowpan(conn->hcon)) return 0; write_lock_irqsave(&devices_lock, flags);