
Commit a225b8c7 authored by Dean Jenkins's avatar Dean Jenkins Committed by Marcel Holtmann

Bluetooth: hci_ldisc: Ensure hu->hdev set to NULL before freeing hdev



When hci_register_dev() fails, hu->hdev should be set to NULL before
freeing hdev. This avoids potential use of hu->hdev after it has been
freed.

This commit sets hu->hdev to NULL before calling hci_free_dev() in error
handling scenarios in hci_uart_init_work() and hci_uart_register_dev().

Signed-off-by: default avatarDean Jenkins <Dean_Jenkins@mentor.com>
Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
parent cb926520
+4 −1
@@ -177,6 +177,7 @@ static void hci_uart_init_work(struct work_struct *work)
{
	struct hci_uart *hu = container_of(work, struct hci_uart, init_ready);
	int err;
	struct hci_dev *hdev;

	if (!test_and_clear_bit(HCI_UART_INIT_PENDING, &hu->hdev_flags))
		return;
@@ -184,8 +185,9 @@ static void hci_uart_init_work(struct work_struct *work)
	err = hci_register_dev(hu->hdev);
	if (err < 0) {
		BT_ERR("Can't register HCI device");
		hci_free_dev(hu->hdev);
		hdev = hu->hdev;
		hu->hdev = NULL;
		hci_free_dev(hdev);
		hu->proto->close(hu);
		return;
	}
@@ -603,6 +605,7 @@ static int hci_uart_register_dev(struct hci_uart *hu)

	if (hci_register_dev(hdev) < 0) {
		BT_ERR("Can't register HCI device");
		hu->hdev = NULL;
		hci_free_dev(hdev);
		return -ENODEV;
	}
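Review bot: Setting `hu->hdev = NULL` ahead of `hci_free_dev(hdev)` in the error branch of hci_uart_init_work() (and in hci_uart_register_dev()) is a plain store with no lock or barrier visible in these hunks, so it narrows the use-after-free window rather than closing it: a context that has already loaded `hu->hdev` can still dereference the freed device. It is worth confirming that every other reader of `hu->hdev` both tests for NULL and is serialized against this work item, and that the `hu->proto->close(hu)` call that follows tolerates a NULL `hu->hdev`, since none of that is shown here. I would also record the ordering requirement next to the code, e.g. `/* Clear hu->hdev before freeing: other paths test it for NULL and must not see a freed hci_dev */`. Both function bodies extend beyond the hunks.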