Commit dcb9cfaa authored by Johan Hovold's avatar Johan Hovold Committed by Marcel Holtmann

Bluetooth: hci_intel: add missing tty-device sanity check

Make sure to check the tty-device pointer before looking up the sibling
platform device to avoid dereferencing a NULL-pointer when the tty is
one end of a Unix98 pty.

Fixes: 74cdad37 ("Bluetooth: hci_intel: Add runtime PM support")
Fixes: 1ab1f239 ("Bluetooth: hci_intel: Add support for platform driver")
Cc: stable <stable@vger.kernel.org>     # 4.3
Cc: Loic Poulain <loic.poulain@intel.com>
Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
parent 95065a61
...@@ -307,6 +307,9 @@ static int intel_set_power(struct hci_uart *hu, bool powered) ...@@ -307,6 +307,9 @@ static int intel_set_power(struct hci_uart *hu, bool powered)
struct list_head *p; struct list_head *p;
int err = -ENODEV; int err = -ENODEV;
if (!hu->tty->dev)
return err;
mutex_lock(&intel_device_list_lock); mutex_lock(&intel_device_list_lock);
list_for_each(p, &intel_device_list) { list_for_each(p, &intel_device_list) {
...@@ -379,6 +382,9 @@ static void intel_busy_work(struct work_struct *work) ...@@ -379,6 +382,9 @@ static void intel_busy_work(struct work_struct *work)
struct intel_data *intel = container_of(work, struct intel_data, struct intel_data *intel = container_of(work, struct intel_data,
busy_work); busy_work);
if (!intel->hu->tty->dev)
return;
/* Link is busy, delay the suspend */ /* Link is busy, delay the suspend */
mutex_lock(&intel_device_list_lock); mutex_lock(&intel_device_list_lock);
list_for_each(p, &intel_device_list) { list_for_each(p, &intel_device_list) {
...@@ -899,6 +905,8 @@ static int intel_setup(struct hci_uart *hu) ...@@ -899,6 +905,8 @@ static int intel_setup(struct hci_uart *hu)
list_for_each(p, &intel_device_list) { list_for_each(p, &intel_device_list) {
struct intel_device *dev = list_entry(p, struct intel_device, struct intel_device *dev = list_entry(p, struct intel_device,
list); list);
if (!hu->tty->dev)
break;
if (hu->tty->dev->parent == dev->pdev->dev.parent) { if (hu->tty->dev->parent == dev->pdev->dev.parent) {
if (device_may_wakeup(&dev->pdev->dev)) { if (device_may_wakeup(&dev->pdev->dev)) {
set_bit(STATE_LPM_ENABLED, &intel->flags); set_bit(STATE_LPM_ENABLED, &intel->flags);
...@@ -1066,6 +1074,9 @@ static int intel_enqueue(struct hci_uart *hu, struct sk_buff *skb) ...@@ -1066,6 +1074,9 @@ static int intel_enqueue(struct hci_uart *hu, struct sk_buff *skb)
BT_DBG("hu %p skb %p", hu, skb); BT_DBG("hu %p skb %p", hu, skb);
if (!hu->tty->dev)
goto out_enqueue;
/* Be sure our controller is resumed and potential LPM transaction /* Be sure our controller is resumed and potential LPM transaction
* completed before enqueuing any packet. * completed before enqueuing any packet.
*/ */
...@@ -1082,7 +1093,7 @@ static int intel_enqueue(struct hci_uart *hu, struct sk_buff *skb) ...@@ -1082,7 +1093,7 @@ static int intel_enqueue(struct hci_uart *hu, struct sk_buff *skb)
} }
} }
mutex_unlock(&intel_device_list_lock); mutex_unlock(&intel_device_list_lock);
out_enqueue:
skb_queue_tail(&intel->txq, skb); skb_queue_tail(&intel->txq, skb);
return 0; return 0;
......
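Review bot: In the intel_setup hunk the `if (!hu->tty->dev) break;` guard sits inside `list_for_each`, so a loop-invariant condition is tested while iterating `intel_device_list`, whereas intel_set_power, intel_busy_work and intel_enqueue test it once before taking `intel_device_list_lock`. The start and end of intel_setup are outside the hunk, so it needs confirming that nothing in the locked region must still run for a pty-backed tty; if not, skipping the whole lookup up front would keep the four sites consistent. Each guard also deserves a short comment such as `/* tty->dev is NULL when the tty is one end of a Unix98 pty: no sibling platform device */`, because the reason is only stated in the commit message. A small static helper wrapping the test would make it harder for a later `hu->tty->dev->parent` lookup to be added without the check.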