Bluetooth: hci_ldisc: Fix null pointer derefence in case of early data

HCI_UART_PROTO_SET flag is set before hci_uart_set_proto call. If we receive data from tty layer during this procedure, proto pointer may not be assigned yet, leading to null pointer dereference in rx method hci_uart_tty_receive. This patch fixes this issue by introducing HCI_UART_PROTO_READY flag in order to avoid any proto operation before proto opening and assignment. Signed-off-by: Loic Poulain <loic.poulain@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
author: Loic Poulain <loic.poulain@intel.com> 2016-04-04 04:48:13 -0400
committer: Marcel Holtmann <marcel@holtmann.org> 2016-04-08 12:58:56 -0400
commit: 84cb3df02aea4b00405521e67c4c67c2d525c364 (patch)
tree: 4802172d6283adade1e8299ed851b4b2af8c14d2
parent: 1dbfc59a931495b2e7bdc4e85886162a0b03235b (diff)
2 files changed, 8 insertions, 4 deletions
diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
index c00168a5bb80..49b3e1e2d236 100644
--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -227,7 +227,7 @@ static int hci_uart_flush(struct hci_dev *hdev)
        tty_ldisc_flush(tty);
        tty_driver_flush_buffer(tty);
-        if (test_bit(HCI_UART_PROTO_SET, &hu->flags))
+        if (test_bit(HCI_UART_PROTO_READY, &hu->flags))
                hu->proto->flush(hu);
        return 0;
@@ -492,7 +492,7 @@ static void hci_uart_tty_close(struct tty_struct *tty)
        cancel_work_sync(&hu->write_work);
-        if (test_and_clear_bit(HCI_UART_PROTO_SET, &hu->flags)) {
+        if (test_and_clear_bit(HCI_UART_PROTO_READY, &hu->flags)) {
                if (hdev) {
                        if (test_bit(HCI_UART_REGISTERED, &hu->flags))
                                hci_unregister_dev(hdev);
@@ -500,6 +500,7 @@ static void hci_uart_tty_close(struct tty_struct *tty)
                }
                hu->proto->close(hu);
        }
+        clear_bit(HCI_UART_PROTO_SET, &hu->flags);
        kfree(hu);
 }
@@ -526,7 +527,7 @@ static void hci_uart_tty_wakeup(struct tty_struct *tty)
        if (tty != hu->tty)
                return;
-        if (test_bit(HCI_UART_PROTO_SET, &hu->flags))
+        if (test_bit(HCI_UART_PROTO_READY, &hu->flags))
                hci_uart_tx_wakeup(hu);
 }
@@ -550,7 +551,7 @@ static void hci_uart_tty_receive(struct tty_struct *tty, const u8 *data,
        if (!hu || tty != hu->tty)
                return;
-        if (!test_bit(HCI_UART_PROTO_SET, &hu->flags))
+        if (!test_bit(HCI_UART_PROTO_READY, &hu->flags))
                return;
        /* It does not need a lock here as it is already protected by a mutex in
@@ -638,9 +639,11 @@ static int hci_uart_set_proto(struct hci_uart *hu, int id)
                return err;
        hu->proto = p;
+        set_bit(HCI_UART_PROTO_READY, &hu->flags);
        err = hci_uart_register_dev(hu);
        if (err) {
+                clear_bit(HCI_UART_PROTO_READY, &hu->flags);
                p->close(hu);
                return err;
        }
diff --git a/drivers/bluetooth/hci_uart.h b/drivers/bluetooth/hci_uart.h
index 4814ff08f427..839bad1d8152 100644
--- a/drivers/bluetooth/hci_uart.h
+++ b/drivers/bluetooth/hci_uart.h
@@ -95,6 +95,7 @@ struct hci_uart {
 /* HCI_UART proto flag bits */
 #define HCI_UART_PROTO_SET      0
 #define HCI_UART_REGISTERED     1
+#define HCI_UART_PROTO_READY    2
 /* TX states  */
 #define HCI_UART_SENDING        1
author	Loic Poulain <loic.poulain@intel.com>	2016-04-04 04:48:13 -0400
committer	Marcel Holtmann <marcel@holtmann.org>	2016-04-08 12:58:56 -0400
commit	84cb3df02aea4b00405521e67c4c67c2d525c364 (patch)
tree	4802172d6283adade1e8299ed851b4b2af8c14d2
parent	1dbfc59a931495b2e7bdc4e85886162a0b03235b (diff)