Bluetooth: hci_ldisc: Ensure hu->hdev set to NULL before freeing hdev

When hci_register_dev() fails, hu->hdev should be set to NULL before
freeing hdev. This avoids potential use of hu->hdev after it has been
freed.

This commit sets hu->hdev to NULL before calling hci_free_dev() in error
handling scenarios in hci_uart_init_work() and hci_uart_register_dev().

Signed-off-by: Dean Jenkins <Dean_Jenkins@mentor.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
index 1166e3f5682d76e86f2f2b4c08260edbe442567f..b1096d1ab30edc55ecbb00d0dd5993d313cabed5 100644 (file)
--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -177,6 +177,7 @@ static void hci_uart_init_work(struct work_struct *work)
 {
        struct hci_uart *hu = container_of(work, struct hci_uart, init_ready);
        int err;
+       struct hci_dev *hdev;
 
        if (!test_and_clear_bit(HCI_UART_INIT_PENDING, &hu->hdev_flags))
                return;
@@ -184,8 +185,9 @@ static void hci_uart_init_work(struct work_struct *work)
        err = hci_register_dev(hu->hdev);
        if (err < 0) {
                BT_ERR("Can't register HCI device");
-               hci_free_dev(hu->hdev);
+               hdev = hu->hdev;
                hu->hdev = NULL;
+               hci_free_dev(hdev);
                hu->proto->close(hu);
                return;
        }
@@ -603,6 +605,7 @@ static int hci_uart_register_dev(struct hci_uart *hu)
 
        if (hci_register_dev(hdev) < 0) {
                BT_ERR("Can't register HCI device");
+               hu->hdev = NULL;
                hci_free_dev(hdev);
                return -ENODEV;
        }