Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth

Johan Hedberg says: ==================== pull request: bluetooth 2016-02-20 Here's an important patch for 4.5 which fixes potential invalid pointer access when processing completed Bluetooth HCI commands. Please let me know if there are any issues pulling. Thanks. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
author: David S. Miller <davem@davemloft.net> 2016-02-21 22:46:26 -0500
committer: David S. Miller <davem@davemloft.net> 2016-02-21 22:46:26 -0500
commit: 9ca69b705486a6fd5c3ecf0558b2203c376ec048 (patch)
tree: 862474f29f9899888801f4dc015cf425aa961892
parent: b5a099c67a1c36b91356624ce86eb3f9f48a82c7 (diff)
parent: 3bd7594e69bd97c962faa6a5ae15dd8c6c082636 (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 47bcef754796..883c821a9e78 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -4112,8 +4112,10 @@ void hci_req_cmd_complete(struct hci_dev *hdev, u16 opcode, u8 status,
                        break;
                }
-                *req_complete = bt_cb(skb)->hci.req_complete;
+                if (bt_cb(skb)->hci.req_flags & HCI_REQ_SKB)
-                *req_complete_skb = bt_cb(skb)->hci.req_complete_skb;
+                        *req_complete_skb = bt_cb(skb)->hci.req_complete_skb;
+                else
+                        *req_complete = bt_cb(skb)->hci.req_complete;
                kfree_skb(skb);
        }
        spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
author	David S. Miller <davem@davemloft.net>	2016-02-21 22:46:26 -0500
committer	David S. Miller <davem@davemloft.net>	2016-02-21 22:46:26 -0500
commit	9ca69b705486a6fd5c3ecf0558b2203c376ec048 (patch)
tree	862474f29f9899888801f4dc015cf425aa961892
parent	b5a099c67a1c36b91356624ce86eb3f9f48a82c7 (diff)
parent	3bd7594e69bd97c962faa6a5ae15dd8c6c082636 (diff)