From 3713416763dc03e9011a3146c42411189531446f Mon Sep 17 00:00:00 2001 From: Chan-yeol Park Date: Wed, 17 Jun 2015 21:10:39 +0900 Subject: [PATCH] Bluetooth: hci_uart: Fix dereferencing of ERR_PTR If h4_recv_buf() return ERR_PTR instead sk_buff pointer, it should be cleared once PTR_ERR is completed for the further dereference such as h4_recv(), or h4_close(). Signed-off-by: Chan-yeol Park Signed-off-by: Marcel Holtmann --- drivers/bluetooth/hci_ath.c | 1 + drivers/bluetooth/hci_bcm.c | 1 + drivers/bluetooth/hci_h4.c | 1 + 3 files changed, 3 insertions(+) diff --git a/drivers/bluetooth/hci_ath.c b/drivers/bluetooth/hci_ath.c index ec8fa0e0f036..6da5e4ca13ea 100644 --- a/drivers/bluetooth/hci_ath.c +++ b/drivers/bluetooth/hci_ath.c @@ -192,6 +192,7 @@ static int ath_recv(struct hci_uart *hu, const void *data, int count) if (IS_ERR(ath->rx_skb)) { int err = PTR_ERR(ath->rx_skb); BT_ERR("%s: Frame reassembly failed (%d)", hu->hdev->name, err); + ath->rx_skb = NULL; return err; } diff --git a/drivers/bluetooth/hci_bcm.c b/drivers/bluetooth/hci_bcm.c index e4d66b61cda0..aa3c9aca4cb4 100644 --- a/drivers/bluetooth/hci_bcm.c +++ b/drivers/bluetooth/hci_bcm.c @@ -188,6 +188,7 @@ static int bcm_recv(struct hci_uart *hu, const void *data, int count) if (IS_ERR(bcm->rx_skb)) { int err = PTR_ERR(bcm->rx_skb); BT_ERR("%s: Frame reassembly failed (%d)", hu->hdev->name, err); + bcm->rx_skb = NULL; return err; } diff --git a/drivers/bluetooth/hci_h4.c b/drivers/bluetooth/hci_h4.c index f7190f01e135..57faddc53645 100644 --- a/drivers/bluetooth/hci_h4.c +++ b/drivers/bluetooth/hci_h4.c @@ -133,6 +133,7 @@ static int h4_recv(struct hci_uart *hu, const void *data, int count) if (IS_ERR(h4->rx_skb)) { int err = PTR_ERR(h4->rx_skb); BT_ERR("%s: Frame reassembly failed (%d)", hu->hdev->name, err); + h4->rx_skb = NULL; return err; } -- 2.20.1