CVE-2023-54038

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
24/12/2025
Last modified:
29/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_conn: return ERR_PTR instead of NULL when there is no link

hci_connect_sco currently returns NULL when there is no link (i.e. when hci_conn_link() returns NULL).

sco_connect() expects an ERR_PTR in case of any error (see line 266 in sco.c). Thus, hcon set as NULL passes through to sco_conn_add(), which tries to get hcon->hdev, resulting in dereferencing a NULL pointer as reported by syzkaller.

The same issue exists for iso_connect_cis() calling hci_connect_cis().

Thus, make hci_connect_sco() and hci_connect_cis() return ERR_PTR instead of NULL.
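Why a caller that checks only IS_ERR() lets a NULL return through, shown as an added user-space example that is not the kernel's code. The ERR_PTR helpers are re-created locally; the `demo_*` types, `connect_before`, `connect_after` and `caller_check` are hypothetical names, and `-ENOLINK` is an assumed error code.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* User-space re-creation of the kernel's error-pointer convention:
 * the top MAX_ERRNO addresses encode a negative errno. */
#define MAX_ERRNO 4095
static void *ERR_PTR(long err) { return (void *)err; }
static long PTR_ERR(const void *p) { return (long)p; }
static int IS_ERR(const void *p)
{
    return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; /* NULL is NOT in range */
}

struct demo_dev { int id; };                  /* hypothetical */
struct demo_conn { struct demo_dev *hdev; };  /* hypothetical */

/* Pre-fix shape: a failed link is reported as NULL. */
static struct demo_conn *connect_before(struct demo_conn *link)
{
    return link;
}

/* Post-fix shape: a failed link is reported as ERR_PTR (errno assumed). */
static struct demo_conn *connect_after(struct demo_conn *link)
{
    return link ? link : ERR_PTR(-ENOLINK);
}

/* Caller that checks only IS_ERR(), as the description says sco_connect() does.
 * Returns a negative errno when the check catches the failure, 1 when a NULL
 * slipped past the check (where hcon->hdev would be dereferenced), 0 when OK. */
static int caller_check(struct demo_conn *hcon)
{
    if (IS_ERR(hcon))
        return (int)PTR_ERR(hcon);
    if (hcon == NULL)
        return 1; /* guard added for the demo; the buggy path had none */
    return hcon->hdev ? 0 : 1;
}

int main(void)
{
    printf("before fix, no link: %d\n", caller_check(connect_before(NULL)));
    printf("after fix,  no link: %d\n", caller_check(connect_after(NULL)));
    return 0;
}
```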

Impact