From: Yinhao Hu <dddddd@hust.edu.cn>
To: marcel@holtmann.org
Cc: luiz.dentz@gmail.com, linux-bluetooth@vger.kernel.org,
dzm91@hust.edu.cn, hust-os-kernel-patches@googlegroups.com,
Yinhao Hu <dddddd@hust.edu.cn>
Subject: [PATCH] Bluetooth: btrtl: set error code when RTL_SEC_PROJ read fails
Date: Sat, 20 Jun 2026 03:56:40 -0700
Message-ID: <20260620105640.1369098-1-dddddd@hust.edu.cn>

btrtl_initialize() returns ERR_PTR(ret) at the err_free label, so every
path that jumps there must leave a negative error code in ret.

The RTL_SEC_PROJ register read stored its result in a separate variable
rc and jumped to err_free on failure without updating ret. At that point
ret is still 0 from the previous successful read, so btrtl_initialize()
returns ERR_PTR(0), i.e. NULL. btrtl_setup_realtek() only checks
IS_ERR(), then passes the NULL pointer to btrtl_download_firmware(),
which dereferences it:

  Oops: general protection fault
  RIP: btrtl_download_firmware+0x39
   btrtl_setup_realtek
   btusb_setup_realtek
   hci_dev_open_sync

Read the register into ret directly and drop the now-redundant rc so the
failure propagates as a negative error pointer.

Fixes: cd8dbd9ef600 ("Bluetooth: btrtl: Avoid loading the config file on security chips")
Signed-off-by: Yinhao Hu <dddddd@hust.edu.cn>
---
drivers/bluetooth/btrtl.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/bluetooth/btrtl.c b/drivers/bluetooth/btrtl.c
index 62f9d4df3a4f..eb6fdf8592c2 100644
--- a/drivers/bluetooth/btrtl.c
+++ b/drivers/bluetooth/btrtl.c
@@ -1073,7 +1073,6 @@ struct btrtl_device_info *btrtl_initialize(struct hci_dev *hdev,
u16 hci_rev, lmp_subver;
u8 hci_ver, lmp_ver, chip_type = 0;
int ret;
- int rc;
u8 key_id;
u8 reg_val[2];
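Review bot: Dropping `int rc;` from the declarations is only safe if the RTL_SEC_PROJ read was the sole user of rc in btrtl_initialize(). The diffstat's three deletions (this line plus the two in the next hunk) are consistent with that, but a grep of the function and a build with the driver enabled should confirm it before this is applied.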
@@ -1185,8 +1184,8 @@ struct btrtl_device_info *btrtl_initialize(struct hci_dev *hdev,
goto err_free;
}
- rc = btrtl_vendor_read_reg16(hdev, RTL_SEC_PROJ, reg_val);
- if (rc < 0)
+ ret = btrtl_vendor_read_reg16(hdev, RTL_SEC_PROJ, reg_val);
+ if (ret < 0)
goto err_free;
key_id = reg_val[0];
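Review bot: The `if (ret < 0)` check after the RTL_SEC_PROJ read closes this one path, but per the commit message btrtl_setup_realtek() still tests only IS_ERR(), so any other `goto err_free` that reaches the label with ret == 0 would again return NULL and fault in btrtl_download_firmware(). Please audit the remaining err_free jumps in btrtl_initialize() and say so in the changelog, or have the caller reject NULL as well. Note too that ret now carries the read's return value on the success path, so later failure branches that jump to err_free must assign ret explicitly rather than rely on an earlier value.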
--
2.43.0
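
The failure mode the commit message describes, modelled in userspace as an added example; it is not part of the patch or the driver. ERR_PTR(), PTR_ERR() and IS_ERR() are re-implemented here with the kernel's encoding, and read_reg(), init_before(), init_after(), setup() and struct info are hypothetical stand-ins.

```c
/* Userspace model, constructed for illustration; not the driver's code. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#define MAX_ERRNO 4095
/* Same encoding the kernel uses: a small negative errno cast to a pointer. */
static void *ERR_PTR(long err) { return (void *)(intptr_t)err; }
static long PTR_ERR(const void *p) { return (long)(intptr_t)p; }
static int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }
struct info { uint8_t key_id; };
static struct info good;
/* Hypothetical register read: 0 on success, -EIO on failure. */
static int read_reg(int fail) { return fail ? -EIO : 0; }
/* "Before" shape: the second read's result lands in rc, ret stays 0. */
static struct info *init_before(int fail_second)
{
	int ret, rc;
	ret = read_reg(0);
	if (ret < 0)
		goto err_free;
	rc = read_reg(fail_second);
	if (rc < 0)
		goto err_free;		/* ret is still 0 here */
	return &good;
err_free:
	return ERR_PTR(ret);		/* ERR_PTR(0) is NULL, not an error pointer */
}
/* "After" shape: the failing read writes ret directly. */
static struct info *init_after(int fail_second)
{
	int ret = read_reg(0);
	if (ret < 0)
		goto err_free;
	ret = read_reg(fail_second);
	if (ret < 0)
		goto err_free;
	return &good;
err_free:
	return ERR_PTR(ret);
}
/* Caller that tests only IS_ERR(); a result of 1 means it would go on to use NULL. */
static long setup(struct info *(*init)(int), int fail_second)
{
	struct info *i = init(fail_second);
	if (IS_ERR(i))
		return PTR_ERR(i);
	return i == NULL;
}
int main(void) { printf("before: %ld  after: %ld\n", setup(init_before, 1), setup(init_after, 1)); return 0; }
```
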