Bluetooth: Fix NULL pointer dereference with hu->proto

Set the bit HCI_UART_PROTO_SET after successful completion of hci_ uart_set_proto. In case of incoming packet before HCIUARTSETPROTO is completed, hci_uart_tty_receive returns after testing bit HCI_UART_PROTO_SET avoiding NULL pointer dereference. Change-Id: If6b4545148282f8bf03ec22b0e700ef307b51ca8 CRs-Fixed: 286489 Signed-off-by: Ankit Verma <ankitv@codeaurora.org>
2024-11-06 23:17:41 +00:00 · 2011-05-11 18:33:49 +05:30 · 2011-05-11 18:33:49 +05:30 · 21bb0a0ddd
commit 21bb0a0ddd
parent 0389df18a8
2 changed files with 12 additions and 4 deletions
--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@ -2,9 +2,9 @@
 *
 *  Bluetooth HCI UART driver
 *
- *  Copyright (C) 2000-2001  Qualcomm Incorporated
 *  Copyright (C) 2002-2003  Maxim Krasnyansky <maxk@qualcomm.com>
 *  Copyright (C) 2004-2005  Marcel Holtmann <marcel@holtmann.org>
+ *  Copyright (c) 2000-2001, 2010-2011, Code Aurora Forum. All rights reserved.
 *
 *
 *  This program is free software; you can redistribute it and/or modify
@ -470,11 +470,18 @@ static int hci_uart_tty_ioctl(struct tty_struct *tty, struct file * file,

 	switch (cmd) {
 	case HCIUARTSETPROTO:
-		if (!test_and_set_bit(HCI_UART_PROTO_SET, &hu->flags)) {
+		if (!test_and_set_bit(HCI_UART_PROTO_SET_IN_PROGRESS,
+			&hu->flags) && !test_bit(HCI_UART_PROTO_SET,
+				&hu->flags)) {
 			err = hci_uart_set_proto(hu, arg);
 			if (err) {
-				clear_bit(HCI_UART_PROTO_SET, &hu->flags);
+				clear_bit(HCI_UART_PROTO_SET_IN_PROGRESS,
+						&hu->flags);
 				return err;
+			} else {
+				set_bit(HCI_UART_PROTO_SET, &hu->flags);
+				clear_bit(HCI_UART_PROTO_SET_IN_PROGRESS,
+						&hu->flags);
 			}
 		} else
 			return -EBUSY;
--- a/drivers/bluetooth/hci_uart.h
+++ b/drivers/bluetooth/hci_uart.h
@ -73,7 +73,8 @@ struct hci_uart {
 };

 /* HCI_UART proto flag bits */
-#define HCI_UART_PROTO_SET	0
+#define HCI_UART_PROTO_SET			0
+#define HCI_UART_PROTO_SET_IN_PROGRESS		1

 /* TX states  */
 #define HCI_UART_SENDING	1