On Thu, Sep 10, 2020 at 01:49:18PM +0300, Dan Carpenter wrote:

On Thu, Sep 10, 2020 at 10:04:24AM +0530, Anmol Karn wrote:

quoted

Prevent hci_phy_link_complete_evt() from dereferencing 'hcon->amp_mgr'
as NULL. Fix it by adding pointer check for it.

Reported-and-tested-by: syzbot+0bef568258653cff272f@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=0bef568258653cff272f
Signed-off-by: Anmol Karn <redacted>
---
 net/bluetooth/hci_event.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 4b7fc430793c..871e16804433 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c

@@ -4936,6 +4936,11 @@ static void hci_phy_link_complete_evt(struct hci_dev *hdev,
 		return;
 	}
 
+	if (IS_ERR_OR_NULL(hcon->amp_mgr)) {

It can't be an error pointer.  Shouldn't we call hci_conn_del() on this
path?  Try to find the Fixes tag to explain how this bug was introduced.

(Don't rush to send a v2.  The patch requires quite a bit more digging
and detective work before it is ready).

quoted

+		hci_dev_unlock(hdev);
+		return;
+	}
+
 	if (ev->status) {
 		hci_conn_del(hcon);
 		hci_dev_unlock(hdev);

regards,
dan carpenter

Sure sir, will  work on it, thanks for your review.

Anmol Karn