Bluetooth: hci_uart: Fix dereferencing of ERR_PTR

If h4_recv_buf() return ERR_PTR instead sk_buff pointer, it should be
cleared once PTR_ERR is completed for the further dereference such as
h4_recv(), or h4_close().

Signed-off-by: Chan-yeol Park <chanyeol.park@samsung.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

diff --git a/drivers/bluetooth/hci_ath.c b/drivers/bluetooth/hci_ath.c
index ec8fa0e..6da5e4c 100644 (file)
--- a/drivers/bluetooth/hci_ath.c
+++ b/drivers/bluetooth/hci_ath.c
@@ -192,6 +192,7 @@ static int ath_recv(struct hci_uart *hu, const void *data, int count)
        if (IS_ERR(ath->rx_skb)) {
                int err = PTR_ERR(ath->rx_skb);
                BT_ERR("%s: Frame reassembly failed (%d)", hu->hdev->name, err);
+               ath->rx_skb = NULL;
                return err;
        }
 

diff --git a/drivers/bluetooth/hci_bcm.c b/drivers/bluetooth/hci_bcm.c
index e4d66b6..aa3c9ac 100644 (file)
--- a/drivers/bluetooth/hci_bcm.c
+++ b/drivers/bluetooth/hci_bcm.c
@@ -188,6 +188,7 @@ static int bcm_recv(struct hci_uart *hu, const void *data, int count)
        if (IS_ERR(bcm->rx_skb)) {
                int err = PTR_ERR(bcm->rx_skb);
                BT_ERR("%s: Frame reassembly failed (%d)", hu->hdev->name, err);
+               bcm->rx_skb = NULL;
                return err;
        }
 

diff --git a/drivers/bluetooth/hci_h4.c b/drivers/bluetooth/hci_h4.c
index f7190f0..57faddc 100644 (file)
--- a/drivers/bluetooth/hci_h4.c
+++ b/drivers/bluetooth/hci_h4.c
@@ -133,6 +133,7 @@ static int h4_recv(struct hci_uart *hu, const void *data, int count)
        if (IS_ERR(h4->rx_skb)) {
                int err = PTR_ERR(h4->rx_skb);
                BT_ERR("%s: Frame reassembly failed (%d)", hu->hdev->name, err);
+               h4->rx_skb = NULL;
                return err;
        }