[PATCH] btintel_pcie: Clear hdev pointer in error path of btintel_pcie_setup_hdev

[PATCH] btintel_pcie: Clear hdev pointer in error path of btintel_pcie_setup_hdev

[Wentao Liang]

In btintel_pcie_setup_hdev(), if hci_register_dev() fails, the
function frees the hci_dev via hci_free_dev() but leaves
data->hdev as a dangling pointer. If a subsequent error handler in
the probe function accesses data->hdev, it would result in a
use-after-free.

Although the current probe error path (btintel_pcie_reset_bt) does
not access data->hdev, setting it to NULL after freeing is a
defensive fix that prevents potential future bugs.

Cc: stable@vger.kernel.org
Fixes: 6e65a09f9275 ("Bluetooth: btintel_pcie: Add *setup* function to download firmware")
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
---
 drivers/bluetooth/btintel_pcie.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/bluetooth/btintel_pcie.c b/drivers/bluetooth/btintel_pcie.c
index 37e050763633..56d24467b7d5 100644
--- a/drivers/bluetooth/btintel_pcie.c
+++ b/drivers/bluetooth/btintel_pcie.c
@@ -2478,6 +2478,7 @@ static int btintel_pcie_setup_hdev(struct btintel_pcie_data *data)
 
 exit_error:
 	hci_free_dev(hdev);
+	data->hdev = NULL;
 	return err;
 }
 
-- 
2.39.5 (Apple Git-154)

RE: btintel_pcie: Clear hdev pointer in error path of btintel_pcie_setup_hdev

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 567 bytes --]

This is an automated email and please do not reply to this email.

Dear Submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.

----- Output -----

error: patch failed: drivers/bluetooth/btintel_pcie.c:2478
error: drivers/bluetooth/btintel_pcie.c: patch does not apply
hint: Use 'git am --show-current-patch' to see the failed patch

Please resolve the issue and submit the patches again.


---
Regards,
Linux Bluetooth