diff options
| author | Johan Hovold <johan@kernel.org> | 2017-03-29 12:15:28 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2017-05-20 08:28:41 -0400 |
| commit | 6e7de39ef9a4fde0a9dd712e7cc4c923a76212ae (patch) | |
| tree | 636853d754452ab6f2743e5a8ba8324ab1847421 | |
| parent | f2f6d77fabe250965b3a5a097ccea7766db0a457 (diff) | |
Bluetooth: hci_intel: add missing tty-device sanity check
commit dcb9cfaa5ea9aa0ec08aeb92582ccfe3e4c719a9 upstream.
Make sure to check the tty-device pointer before looking up the sibling
platform device to avoid dereferencing a NULL-pointer when the tty is
one end of a Unix98 pty.
Fixes: 74cdad37cd24 ("Bluetooth: hci_intel: Add runtime PM support")
Fixes: 1ab1f239bf17 ("Bluetooth: hci_intel: Add support for platform driver")
Cc: Loic Poulain <loic.poulain@intel.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | drivers/bluetooth/hci_intel.c | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/drivers/bluetooth/hci_intel.c b/drivers/bluetooth/hci_intel.c index 9e271286c5e5..73306384af6c 100644 --- a/drivers/bluetooth/hci_intel.c +++ b/drivers/bluetooth/hci_intel.c | |||
| @@ -307,6 +307,9 @@ static int intel_set_power(struct hci_uart *hu, bool powered) | |||
| 307 | struct list_head *p; | 307 | struct list_head *p; |
| 308 | int err = -ENODEV; | 308 | int err = -ENODEV; |
| 309 | 309 | ||
| 310 | if (!hu->tty->dev) | ||
| 311 | return err; | ||
| 312 | |||
| 310 | mutex_lock(&intel_device_list_lock); | 313 | mutex_lock(&intel_device_list_lock); |
| 311 | 314 | ||
| 312 | list_for_each(p, &intel_device_list) { | 315 | list_for_each(p, &intel_device_list) { |
| @@ -379,6 +382,9 @@ static void intel_busy_work(struct work_struct *work) | |||
| 379 | struct intel_data *intel = container_of(work, struct intel_data, | 382 | struct intel_data *intel = container_of(work, struct intel_data, |
| 380 | busy_work); | 383 | busy_work); |
| 381 | 384 | ||
| 385 | if (!intel->hu->tty->dev) | ||
| 386 | return; | ||
| 387 | |||
| 382 | /* Link is busy, delay the suspend */ | 388 | /* Link is busy, delay the suspend */ |
| 383 | mutex_lock(&intel_device_list_lock); | 389 | mutex_lock(&intel_device_list_lock); |
| 384 | list_for_each(p, &intel_device_list) { | 390 | list_for_each(p, &intel_device_list) { |
| @@ -889,6 +895,8 @@ done: | |||
| 889 | list_for_each(p, &intel_device_list) { | 895 | list_for_each(p, &intel_device_list) { |
| 890 | struct intel_device *dev = list_entry(p, struct intel_device, | 896 | struct intel_device *dev = list_entry(p, struct intel_device, |
| 891 | list); | 897 | list); |
| 898 | if (!hu->tty->dev) | ||
| 899 | break; | ||
| 892 | if (hu->tty->dev->parent == dev->pdev->dev.parent) { | 900 | if (hu->tty->dev->parent == dev->pdev->dev.parent) { |
| 893 | if (device_may_wakeup(&dev->pdev->dev)) { | 901 | if (device_may_wakeup(&dev->pdev->dev)) { |
| 894 | set_bit(STATE_LPM_ENABLED, &intel->flags); | 902 | set_bit(STATE_LPM_ENABLED, &intel->flags); |
| @@ -1056,6 +1064,9 @@ static int intel_enqueue(struct hci_uart *hu, struct sk_buff *skb) | |||
| 1056 | 1064 | ||
| 1057 | BT_DBG("hu %p skb %p", hu, skb); | 1065 | BT_DBG("hu %p skb %p", hu, skb); |
| 1058 | 1066 | ||
| 1067 | if (!hu->tty->dev) | ||
| 1068 | goto out_enqueue; | ||
| 1069 | |||
| 1059 | /* Be sure our controller is resumed and potential LPM transaction | 1070 | /* Be sure our controller is resumed and potential LPM transaction |
| 1060 | * completed before enqueuing any packet. | 1071 | * completed before enqueuing any packet. |
| 1061 | */ | 1072 | */ |
| @@ -1072,7 +1083,7 @@ static int intel_enqueue(struct hci_uart *hu, struct sk_buff *skb) | |||
| 1072 | } | 1083 | } |
| 1073 | } | 1084 | } |
| 1074 | mutex_unlock(&intel_device_list_lock); | 1085 | mutex_unlock(&intel_device_list_lock); |
| 1075 | 1086 | out_enqueue: | |
| 1076 | skb_queue_tail(&intel->txq, skb); | 1087 | skb_queue_tail(&intel->txq, skb); |
| 1077 | 1088 | ||
| 1078 | return 0; | 1089 | return 0; |