summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDean Jenkins <Dean_Jenkins@mentor.com>2017-04-20 18:06:40 +0100
committerMarcel Holtmann <marcel@holtmann.org>2017-04-22 10:28:40 +0200
commita225b8c70af9368cfcb52a3608bc862bc88a7801 (patch)
tree81a84e350a07ff915609bca3d88001f34c73f873
parentcb926520e18e6aecc63614b8aa2e40d431aa29cd (diff)
downloadlinux-stable-a225b8c70af9368cfcb52a3608bc862bc88a7801.tar.gz
linux-stable-a225b8c70af9368cfcb52a3608bc862bc88a7801.tar.bz2
linux-stable-a225b8c70af9368cfcb52a3608bc862bc88a7801.zip
Bluetooth: hci_ldisc: Ensure hu->hdev set to NULL before freeing hdev
When hci_register_dev() fails, hu->hdev should be set to NULL before freeing hdev. This avoids potential use of hu->hdev after it has been freed. This commit sets hu->hdev to NULL before calling hci_free_dev() in error handling scenarios in hci_uart_init_work() and hci_uart_register_dev(). Signed-off-by: Dean Jenkins <Dean_Jenkins@mentor.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
-rw-r--r--drivers/bluetooth/hci_ldisc.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
index 1166e3f5682d..b1096d1ab30e 100644
--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -177,6 +177,7 @@ static void hci_uart_init_work(struct work_struct *work)
{
struct hci_uart *hu = container_of(work, struct hci_uart, init_ready);
int err;
+ struct hci_dev *hdev;
if (!test_and_clear_bit(HCI_UART_INIT_PENDING, &hu->hdev_flags))
return;
@@ -184,8 +185,9 @@ static void hci_uart_init_work(struct work_struct *work)
err = hci_register_dev(hu->hdev);
if (err < 0) {
BT_ERR("Can't register HCI device");
- hci_free_dev(hu->hdev);
+ hdev = hu->hdev;
hu->hdev = NULL;
+ hci_free_dev(hdev);
hu->proto->close(hu);
return;
}
@@ -603,6 +605,7 @@ static int hci_uart_register_dev(struct hci_uart *hu)
if (hci_register_dev(hdev) < 0) {
BT_ERR("Can't register HCI device");
+ hu->hdev = NULL;
hci_free_dev(hdev);
return -ENODEV;
}