Linux bluetooth development
 help / color / mirror / Atom feed
From: Yinhao Hu <dddddd@hust.edu.cn>
To: marcel@holtmann.org
Cc: luiz.dentz@gmail.com, linux-bluetooth@vger.kernel.org,
	dzm91@hust.edu.cn, hust-os-kernel-patches@googlegroups.com,
	Yinhao Hu <dddddd@hust.edu.cn>
Subject: [PATCH] Bluetooth: btrtl: set error code when RTL_SEC_PROJ read fails
Date: Sat, 20 Jun 2026 03:56:40 -0700	[thread overview]
Message-ID: <20260620105640.1369098-1-dddddd@hust.edu.cn> (raw)

btrtl_initialize() returns ERR_PTR(ret) at the err_free label, so every
path that jumps there must leave a negative error code in ret.

The RTL_SEC_PROJ register read stored its result in a separate variable
rc and jumped to err_free on failure without updating ret. At that point
ret is still 0 from the previous successful read, so btrtl_initialize()
returns ERR_PTR(0), i.e. NULL. btrtl_setup_realtek() only checks
IS_ERR(), then passes the NULL pointer to btrtl_download_firmware(),
which dereferences it:

Oops: general protection fault
RIP: btrtl_download_firmware+0x39
btrtl_setup_realtek
btusb_setup_realtek
hci_dev_open_sync

Read the register into ret directly and drop the now-redundant rc so the
failure propagates as a negative error pointer.

Fixes: cd8dbd9ef600 ("Bluetooth: btrtl: Avoid loading the config file on security chips")
Signed-off-by: Yinhao Hu <dddddd@hust.edu.cn>
---
 drivers/bluetooth/btrtl.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/drivers/bluetooth/btrtl.c b/drivers/bluetooth/btrtl.c
index 62f9d4df3a4f..eb6fdf8592c2 100644
--- a/drivers/bluetooth/btrtl.c
+++ b/drivers/bluetooth/btrtl.c
@@ -1073,7 +1073,6 @@ struct btrtl_device_info *btrtl_initialize(struct hci_dev *hdev,
 	u16 hci_rev, lmp_subver;
 	u8 hci_ver, lmp_ver, chip_type = 0;
 	int ret;
-	int rc;
 	u8 key_id;
 	u8 reg_val[2];
 
@@ -1185,8 +1184,8 @@ struct btrtl_device_info *btrtl_initialize(struct hci_dev *hdev,
 		goto err_free;
 	}
 
-	rc = btrtl_vendor_read_reg16(hdev, RTL_SEC_PROJ, reg_val);
-	if (rc < 0)
+	ret = btrtl_vendor_read_reg16(hdev, RTL_SEC_PROJ, reg_val);
+	if (ret < 0)
 		goto err_free;
 
 	key_id = reg_val[0];
-- 
2.43.0


                 reply	other threads:[~2026-06-20 10:57 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260620105640.1369098-1-dddddd@hust.edu.cn \
    --to=dddddd@hust.edu.cn \
    --cc=dzm91@hust.edu.cn \
    --cc=hust-os-kernel-patches@googlegroups.com \
    --cc=linux-bluetooth@vger.kernel.org \
    --cc=luiz.dentz@gmail.com \
    --cc=marcel@holtmann.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox