Commit 4543e00c authored by Luiz Augusto von Dentz, committed by Yongqiang Liu

Bluetooth: hci_event: Fix handling of HCI_EV_IO_CAPA_REQUEST

stable inclusion
from stable-v5.10.212
commit df193568d61234c81de7ed4d540c01975de60277
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9Q8M1
CVE: CVE-2024-27416

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=df193568d61234c81de7ed4d540c01975de60277

--------------------------------

[ Upstream commit 7e74aa53a68bf60f6019bd5d9a9a1406ec4d4865 ]

If we received HCI_EV_IO_CAPA_REQUEST while
HCI_OP_READ_REMOTE_EXT_FEATURES is yet to be responded assume the remote
does support SSP since otherwise this event shouldn't be generated.

Link: https://lore.kernel.org/linux-bluetooth/CABBYNZ+9UdG1cMZVmdtN3U2aS16AKMCyTARZZyFX7xTEDWcMOw@mail.gmail.com/T/#t


Fixes: c7f59461 ("Bluetooth: Fix a refcnt underflow problem for hci_conn")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Rui Xiang <rui.xiang@huawei.com>
parent 5a3aeaf3
+4 −1
@@ -4620,9 +4620,12 @@ static void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
	hci_dev_lock(hdev);

	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
	if (!conn || !hci_conn_ssp_enabled(conn))
	if (!conn || !hci_dev_test_flag(hdev, HCI_SSP_ENABLED))
		goto unlock;

	/* Assume remote supports SSP since it has triggered this event */
	set_bit(HCI_CONN_SSP_ENABLED, &conn->flags);

	hci_conn_hold(conn);

	if (!hci_dev_test_flag(hdev, HCI_MGMT))
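Review bot: The `set_bit(HCI_CONN_SSP_ENABLED, &conn->flags)` that follows the relaxed check treats the arrival of this event as sufficient proof of remote SSP support, and nothing in the visible lines clears the bit again if the outstanding HCI_OP_READ_REMOTE_EXT_FEATURES reply later reports otherwise. The in-code comment should state that the assumption exists for the case where the event arrives before that reply, as the commit message explains, so the reason for bypassing `hci_conn_ssp_enabled(conn)` is visible at the call site. It is also worth confirming that the remote-features completion path cannot leave the connection flag inconsistent with the features it reports. The replacement guard still tests the adapter-level `HCI_SSP_ENABLED` flag, so the event continues to be ignored when SSP is disabled locally.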