Bluetooth: hci_uart: Fix dereferencing of ERR_PTR

If h4_recv_buf() return ERR_PTR instead sk_buff pointer, it should be
cleared once PTR_ERR is completed for the further dereference such as
h4_recv(), or h4_close().

Signed-off-by: Chan-yeol Park <chanyeol.park@samsung.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

diff --git a/drivers/bluetooth/hci_ath.c b/drivers/bluetooth/hci_ath.c
index ec8fa0e0f03630c9646a60b831277477a249b010..6da5e4ca13ea6d925807660582be5957c4903752 100644 (file)
--- a/drivers/bluetooth/hci_ath.c
+++ b/drivers/bluetooth/hci_ath.c
@@ -192,6 +192,7 @@ static int ath_recv(struct hci_uart *hu, const void *data, int count)
        if (IS_ERR(ath->rx_skb)) {
                int err = PTR_ERR(ath->rx_skb);
                BT_ERR("%s: Frame reassembly failed (%d)", hu->hdev->name, err);
+               ath->rx_skb = NULL;
                return err;
        }
 

diff --git a/drivers/bluetooth/hci_bcm.c b/drivers/bluetooth/hci_bcm.c
index e4d66b61cda0e0714d0e927c99b1b4f59c1febb2..aa3c9aca4cb4b6e71a247b2d26a0c24a082d71f5 100644 (file)
--- a/drivers/bluetooth/hci_bcm.c
+++ b/drivers/bluetooth/hci_bcm.c
@@ -188,6 +188,7 @@ static int bcm_recv(struct hci_uart *hu, const void *data, int count)
        if (IS_ERR(bcm->rx_skb)) {
                int err = PTR_ERR(bcm->rx_skb);
                BT_ERR("%s: Frame reassembly failed (%d)", hu->hdev->name, err);
+               bcm->rx_skb = NULL;
                return err;
        }
 

diff --git a/drivers/bluetooth/hci_h4.c b/drivers/bluetooth/hci_h4.c
index f7190f01e1357b764504b0084128804ca87d6a6e..57faddc53645a33fdb7e9e334ffddbadd7c1cb98 100644 (file)
--- a/drivers/bluetooth/hci_h4.c
+++ b/drivers/bluetooth/hci_h4.c
@@ -133,6 +133,7 @@ static int h4_recv(struct hci_uart *hu, const void *data, int count)
        if (IS_ERR(h4->rx_skb)) {
                int err = PTR_ERR(h4->rx_skb);
                BT_ERR("%s: Frame reassembly failed (%d)", hu->hdev->name, err);
+               h4->rx_skb = NULL;
                return err;
        }