On Thu, 2017-05-18 at 12:49 +0200, Greg Kroah-Hartman wrote: > 4.4-stable review patch. If anyone has any objections, please let me know. > > ------------------ > > From: Johan Hovold <johan@xxxxxxxxxx> > > commit 95065a61e9bf25fb85295127fba893200c2bbbd8 upstream. > > Make sure to check the tty-device pointer before looking up the sibling > platform device to avoid dereferencing a NULL-pointer when the tty is > one end of a Unix98 pty. > > Fixes: 0395ffc1ee05 ("Bluetooth: hci_bcm: Add PM for BCM devices") > Cc: Frederic Danis <frederic.danis@xxxxxxxxxxxxxxx> > Signed-off-by: Johan Hovold <johan@xxxxxxxxxx> > Signed-off-by: Marcel Holtmann <marcel@xxxxxxxxxxxx> > Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> > > --- > drivers/bluetooth/hci_bcm.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > --- a/drivers/bluetooth/hci_bcm.c > +++ b/drivers/bluetooth/hci_bcm.c > @@ -287,6 +287,9 @@ static int bcm_open(struct hci_uart *hu) > > hu->priv = bcm; > > + if (!hu->tty->dev) > + goto out; > + > mutex_lock(&bcm_device_lock); > list_for_each(p, &bcm_device_list) { > struct bcm_device *dev = list_entry(p, struct bcm_device, list); > @@ -307,7 +310,7 @@ static int bcm_open(struct hci_uart *hu) > } > > mutex_unlock(&bcm_device_lock); > - > +out: > return 0; > } I'm a bit sceptical that this is fixing a real bug, but if it is - surely bcm_open() should fail if the tty device is not the right type? bcm_setup() would certainly fail after this. Ben. -- Ben Hutchings Software Developer, Codethink Ltd.
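Review bot: in the first hunk of bcm_open() (`@@ -287,6 +287,9 @@`), the new `if (!hu->tty->dev)` branch jumps to a `return 0`, so the open is reported as successful with `hu->priv` already assigned while the lookup over `bcm_device_list` is skipped entirely. Either return an error from this branch, or add a short comment stating that a tty with no device (the Unix98 pty case named in the commit message) is deliberately accepted with no matching `bcm_device`, so the next reader does not take the silent success for an oversight.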
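Review bot: in the second hunk (`@@ -307,7 +310,7 @@`), the `out:` label sits directly in front of `return 0;` and performs no cleanup, since the jump is taken before `mutex_lock(&bcm_device_lock)`. A plain `return 0;` at the check would express the same thing without a label, and would keep the blank line after `mutex_unlock(&bcm_device_lock);` that this hunk removes.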