Commit 902fe40b authored by Aurelien DESBRIERES's avatar Aurelien DESBRIERES Committed by Luiz Augusto von Dentz

Bluetooth: hci_uart: Fix NULL deref in recv callbacks when priv is uninitialized



When a fault is injected during hci_uart line discipline setup, the
proto open() callback may fail leaving hu->priv as NULL. A subsequent
TIOCSTI ioctl can trigger the recv() callback before priv is
initialized, causing a NULL pointer dereference.

Fix all four affected HCI UART protocol drivers by adding a NULL check
on hu->priv at the start of their recv() callbacks: h4, h5, ath and
bcsp.

Reported-by: default avatar <syzbot+ff30eeab8e07b37d524e@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=ff30eeab8e07b37d524e


Signed-off-by: default avatarAurelien DESBRIERES <aurelien@hackers.camp>
Assisted-by: Claude:claude-sonnet-4-6
Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
parent 5917dd39
+3 −0
@@ -191,6 +191,9 @@ static int ath_recv(struct hci_uart *hu, const void *data, int count)
{
	struct ath_struct *ath = hu->priv;

	if (!ath)
		return -ENODEV;

	ath->rx_skb = h4_recv_buf(hu, ath->rx_skb, data, count,
				  ath_recv_pkts, ARRAY_SIZE(ath_recv_pkts));
	if (IS_ERR(ath->rx_skb)) {
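Review bot: The `if (!ath)` guard in ath_recv handles a NULL hu->priv inside one driver, but the state it guards against (recv dispatched after a failed proto open()) is created by the caller, so any other protocol whose recv dereferences hu->priv stays exposed; the same applies to the identical guards in h4_recv, h5_recv and bcsp_recv. It would be more robust to refuse the dispatch in the common line-discipline receive path when open() has not succeeded, keeping these checks as defence in depth. The check is also a plain read of hu->priv with no locking visible in the hunk, so it presumably does not cover a close() that frees priv while recv is running; it is worth confirming what serialises the two. If the per-driver guard stays, a comment would keep it from being removed later as dead code, e.g. `/* hu->priv is NULL if proto open() failed; recv can still be reached from the tty */`. ath_recv's body continues past the end of the hunk.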
+3 −0
@@ -585,6 +585,9 @@ static int bcsp_recv(struct hci_uart *hu, const void *data, int count)
	if (!test_bit(HCI_UART_REGISTERED, &hu->flags))
		return -EUNATCH;

	if (!bcsp)
		return -ENODEV;

	BT_DBG("hu %p count %d rx_state %d rx_count %ld",
	       hu, count, bcsp->rx_state, bcsp->rx_count);
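Review bot: In bcsp_recv the new `if (!bcsp)` test sits after the HCI_UART_REGISTERED gate, so it can only fire when that flag is set while priv is still NULL. Either that state is reachable, in which case the flag is being set (or left set) on a path where open() did not complete and that inconsistency is what should be fixed, or the check is unreachable in this driver. The commit message does not say which, so a comment recording the reachable path would help, e.g. `/* REGISTERED does not guarantee priv: <path that leaves priv NULL> */`. The declaration of `bcsp` and the rest of the function are outside the hunk.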

+3 −0
@@ -109,6 +109,9 @@ static int h4_recv(struct hci_uart *hu, const void *data, int count)
{
	struct h4_struct *h4 = hu->priv;

	if (!h4)
		return -ENODEV;

	h4->rx_skb = h4_recv_buf(hu, h4->rx_skb, data, count,
				 h4_recv_pkts, ARRAY_SIZE(h4_recv_pkts));
	if (IS_ERR(h4->rx_skb)) {
+3 −0
@@ -587,6 +587,9 @@ static int h5_recv(struct hci_uart *hu, const void *data, int count)
	struct h5 *h5 = hu->priv;
	const unsigned char *ptr = data;

	if (!h5)
		return -ENODEV;

	BT_DBG("%s pending %zu count %d", hu->hdev->name, h5->rx_pending,
	       count);