[PATCH] btmrvl: Fix hdev dangling pointer and error code in register_hdev

[PATCH] btmrvl: Fix hdev dangling pointer and error code in register_hdev

[Wentao Liang]

In btmrvl_register_hdev(), when hci_register_dev() fails, the
function frees the hci_dev via hci_free_dev() but leaves
priv->btmrvl_dev.hcidev as a dangling pointer. While the subsequent
cleanup code does not currently access it, setting it to NULL is a
defensive fix that prevents potential use-after-free.

Additionally, the function always returns -ENOMEM on the
hci_register_dev() failure path, discarding the actual error code.
Fix this by preserving and returning the original error code.

Cc: stable@vger.kernel.org
Fixes: 132ff4e5fa8d ("Bluetooth: Add btmrvl driver for Marvell Bluetooth devices")
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
---
 drivers/bluetooth/btmrvl_main.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/bluetooth/btmrvl_main.c b/drivers/bluetooth/btmrvl_main.c
index d6f0ad0b4b6e..3a4c8abae05b 100644
--- a/drivers/bluetooth/btmrvl_main.c
+++ b/drivers/bluetooth/btmrvl_main.c
@@ -683,7 +683,7 @@ int btmrvl_register_hdev(struct btmrvl_private *priv)
 	ret = hci_register_dev(hdev);
 	if (ret < 0) {
 		BT_ERR("Can not register HCI device");
-		goto err_hci_register_dev;
+		goto err_hci_register_dev_free;
 	}
 
 #ifdef CONFIG_DEBUG_FS
@@ -692,8 +692,9 @@ int btmrvl_register_hdev(struct btmrvl_private *priv)
 
 	return 0;
 
-err_hci_register_dev:
+err_hci_register_dev_free:
 	hci_free_dev(hdev);
+	priv->btmrvl_dev.hcidev = NULL;
 
 err_hdev:
 	/* Stop the thread servicing the interrupts */
@@ -702,7 +703,7 @@ int btmrvl_register_hdev(struct btmrvl_private *priv)
 	btmrvl_free_adapter(priv);
 	kfree(priv);
 
-	return -ENOMEM;
+	return ret;
 }
 EXPORT_SYMBOL_GPL(btmrvl_register_hdev);
 
-- 
2.39.5 (Apple Git-154)

RE: btmrvl: Fix hdev dangling pointer and error code in register_hdev

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 1348 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1116653

---Test result---

Test Summary:
CheckPatch                    PASS      1.04 seconds
VerifyFixes                   PASS      0.21 seconds
VerifySignedoff               PASS      0.20 seconds
GitLint                       PASS      0.46 seconds
SubjectPrefix                 FAIL      0.20 seconds
BuildKernel                   PASS      26.32 seconds
CheckAllWarning               PASS      29.01 seconds
CheckSparse                   PASS      27.79 seconds
BuildKernel32                 PASS      25.65 seconds
CheckKernelLLVM               SKIP      0.00 seconds
TestRunnerSetup               PASS      490.64 seconds
IncrementalBuild              PASS      25.84 seconds

Details
##############################
Test: SubjectPrefix - FAIL
Desc: Check subject contains "Bluetooth" prefix
Output:
"Bluetooth: " prefix is not specified in the subject
##############################
Test: CheckKernelLLVM - SKIP
Desc: Build kernel with LLVM + context analysis
Output:
Clang not found


https://github.com/bluez/bluetooth-next/pull/353

---
Regards,
Linux Bluetooth