[PATCH 0/2] Bluetooth: hci_qca: fix NULL pointer dereferences for non-serdev devices

[PATCH 0/2] Bluetooth: hci_qca: fix NULL pointer dereferences for non-serdev devices

[Zijun Hu]

When a QCA controller is attached via a non-serdev path (e.g. hci_uart
line discipline), hu->serdev is NULL. A couple of code paths dereference
it unconditionally, leading to NULL pointer dereferences.

This series fixes two such cases:

 - qca_setup() dereferences the result of
   serdev_device_get_drvdata(hu->serdev).
 - qca_dmp_hdr() dereferences hu->serdev->dev.driver->name.

Both are fixed by guarding the dereference with a NULL check.

Signed-off-by: Zijun Hu <zijun.hu@oss.qualcomm.com>
---
Zijun Hu (2):
      Bluetooth: hci_qca: fix NULL pointer dereference in qca_setup() for non-serdev device
      Bluetooth: hci_qca: fix NULL pointer dereference in qca_dmp_hdr() for non-serdev device

 drivers/bluetooth/hci_qca.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
---
base-commit: 379b101059b44f64f6c5c022724f880a68fed15b
change-id: 20260601-fix_none_serdev-5f0635c21681

Best regards,
-- 
Zijun Hu <zijun.hu@oss.qualcomm.com>

[PATCH 1/2] Bluetooth: hci_qca: fix NULL pointer dereference in qca_setup() for non-serdev device

[Zijun Hu]

hu->serdev is NULL for hci_uart attached via non-serdev paths, but
qca_setup() unconditionally calls serdev_device_get_drvdata(hu->serdev)
and dereferences the result, causing a NULL pointer dereference.

Fix by guarding the dereference with a NULL check, consistent with the
rest of qca_setup().

Fixes: 22d893eec0d5 ("Bluetooth: hci_qca: Refactor HFP hardware offload capability handling")
Signed-off-by: Zijun Hu <zijun.hu@oss.qualcomm.com>
---
 drivers/bluetooth/hci_qca.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
index 34500137df2c..cc7b34a61fa7 100644
--- a/drivers/bluetooth/hci_qca.c
+++ b/drivers/bluetooth/hci_qca.c
@@ -1916,9 +1916,12 @@ static int qca_setup(struct hci_uart *hu)
 	const char *rampatch_name = qca_get_rampatch_name(hu);
 	int ret;
 	struct qca_btsoc_version ver;
-	struct qca_serdev *qcadev = serdev_device_get_drvdata(hu->serdev);
+	struct qca_serdev *qcadev = NULL;
 	const char *soc_name;
 
+	if (hu->serdev)
+		qcadev = serdev_device_get_drvdata(hu->serdev);
+
 	ret = qca_check_speeds(hu);
 	if (ret)
 		return ret;
@@ -1980,7 +1983,7 @@ static int qca_setup(struct hci_uart *hu)
 	case QCA_WCN6750:
 	case QCA_WCN6855:
 	case QCA_WCN7850:
-		if (qcadev->bdaddr_property_broken)
+		if (qcadev && qcadev->bdaddr_property_broken)
 			hci_set_quirk(hdev, HCI_QUIRK_BDADDR_PROPERTY_BROKEN);
 
 		hci_set_aosp_capable(hdev);
@@ -2073,7 +2076,7 @@ static int qca_setup(struct hci_uart *hu)
 	else
 		hu->hdev->set_bdaddr = qca_set_bdaddr;
 
-	if (qcadev->support_hfp_hw_offload)
+	if (qcadev && qcadev->support_hfp_hw_offload)
 		qca_configure_hfp_offload(hdev);
 
 	qca->fw_version = le16_to_cpu(ver.patch_ver);

-- 
2.34.1

[PATCH 2/2] Bluetooth: hci_qca: fix NULL pointer dereference in qca_dmp_hdr() for non-serdev device

[Zijun Hu]

hu->serdev is NULL for hci_uart attached via non-serdev paths, but
qca_dmp_hdr() unconditionally dereferences hu->serdev->dev.driver->name,
causing a NULL pointer dereference.

Fix by guarding the dereference with a NULL check and falling back to
"hci_ldisc_qca" for the non-serdev case.

Fixes: 06d3fdfcdf5c ("Bluetooth: hci_qca: Add qcom devcoredump support")
Signed-off-by: Zijun Hu <zijun.hu@oss.qualcomm.com>
---
 drivers/bluetooth/hci_qca.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
index cc7b34a61fa7..244447195619 100644
--- a/drivers/bluetooth/hci_qca.c
+++ b/drivers/bluetooth/hci_qca.c
@@ -1028,7 +1028,7 @@ static void qca_dmp_hdr(struct hci_dev *hdev, struct sk_buff *skb)
 	skb_put_data(skb, buf, strlen(buf));
 
 	snprintf(buf, sizeof(buf), "Driver: %s\n",
-		hu->serdev->dev.driver->name);
+		 hu->serdev ? hu->serdev->dev.driver->name : "hci_ldisc_qca");
 	skb_put_data(skb, buf, strlen(buf));
 }
 

-- 
2.34.1

RE: Bluetooth: hci_qca: fix NULL pointer dereferences for non-serdev devices

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 1532 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1103979

---Test result---

Test Summary:
CheckPatch                    PASS      1.39 seconds
VerifyFixes                   PASS      0.13 seconds
VerifySignedoff               PASS      0.13 seconds
GitLint                       FAIL      0.64 seconds
SubjectPrefix                 PASS      0.24 seconds
BuildKernel                   PASS      26.00 seconds
CheckAllWarning               PASS      29.06 seconds
CheckSparse                   PASS      27.65 seconds
BuildKernel32                 PASS      25.56 seconds
TestRunnerSetup               PASS      563.62 seconds
IncrementalBuild              PASS      29.33 seconds

Details
##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
[1/2] Bluetooth: hci_qca: fix NULL pointer dereference in qca_setup() for non-serdev device

1: T1 Title exceeds max length (91>80): "[1/2] Bluetooth: hci_qca: fix NULL pointer dereference in qca_setup() for non-serdev device"
[2/2] Bluetooth: hci_qca: fix NULL pointer dereference in qca_dmp_hdr() for non-serdev device

1: T1 Title exceeds max length (93>80): "[2/2] Bluetooth: hci_qca: fix NULL pointer dereference in qca_dmp_hdr() for non-serdev device"


https://github.com/bluez/bluetooth-next/pull/266

---
Regards,
Linux Bluetooth

Re: [PATCH 0/2] Bluetooth: hci_qca: fix NULL pointer dereferences for non-serdev devices

[patchwork-bot+bluetooth]

Hello:

This series was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Mon, 01 Jun 2026 04:30:54 -0700 you wrote:
> When a QCA controller is attached via a non-serdev path (e.g. hci_uart
> line discipline), hu->serdev is NULL. A couple of code paths dereference
> it unconditionally, leading to NULL pointer dereferences.
> 
> This series fixes two such cases:
> 
>  - qca_setup() dereferences the result of
>    serdev_device_get_drvdata(hu->serdev).
>  - qca_dmp_hdr() dereferences hu->serdev->dev.driver->name.
> 
> [...]

Here is the summary with links:
  - [1/2] Bluetooth: hci_qca: fix NULL pointer dereference in qca_setup() for non-serdev device
    https://git.kernel.org/bluetooth/bluetooth-next/c/7bfdd3d9129c
  - [2/2] Bluetooth: hci_qca: fix NULL pointer dereference in qca_dmp_hdr() for non-serdev device
    https://git.kernel.org/bluetooth/bluetooth-next/c/4fcae45539b9

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html