[PATCH] drivers/bluetooth/hci_ldisc.c: fix possible NULL dereferences

[PATCH] drivers/bluetooth/hci_ldisc.c: fix possible NULL dereferences

[Eugene Teo]

Commit 22ad42033b7d2b3d7928fba9f89d1c7f8a3c9581 did not completely fix all 
the possible NULL dereferences. Besides hci_uart_close(), we also need to 
make sure that hdev is valid before calling hci_{unregister,free}_dev().

Signed-off-by: Eugene Teo <eugeneteo@kernel.sg>
---
 drivers/bluetooth/hci_ldisc.c |    7 +++----
 1 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
index 6055b9c..4813f7c 100644
--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -308,11 +308,10 @@ static void hci_uart_tty_close(struct tty_struct *tty)
 	if (hu) {
 		struct hci_dev *hdev = hu->hdev;
 
-		if (hdev)
+		if (hdev) {
 			hci_uart_close(hdev);
-
-		if (test_and_clear_bit(HCI_UART_PROTO_SET, &hu->flags)) {
-			hu->proto->close(hu);
+			if (test_and_clear_bit(HCI_UART_PROTO_SET, &hu->flags))
+				hu->proto->close(hu);
 			hci_unregister_dev(hdev);
 			hci_free_dev(hdev);
 		}

Re: [PATCH] drivers/bluetooth/hci_ldisc.c: fix possible NULL dereferences

[Marcel Holtmann]

Hi Eugene,

> Commit 22ad42033b7d2b3d7928fba9f89d1c7f8a3c9581 did not completely fix all 
> the possible NULL dereferences. Besides hci_uart_close(), we also need to 
> make sure that hdev is valid before calling hci_{unregister,free}_dev().

I don't see any issue. Without HCI_UART_PROTO_SET, the hdev will never
be registered. So no need to protect it twice.

Regards

Marcel

Re: [PATCH] drivers/bluetooth/hci_ldisc.c: fix possible NULL dereferences

[Eugene Teo]

Hi Marcel,

Marcel Holtmann wrote:
>> Commit 22ad42033b7d2b3d7928fba9f89d1c7f8a3c9581 did not completely fix all 
>> the possible NULL dereferences. Besides hci_uart_close(), we also need to 
>> make sure that hdev is valid before calling hci_{unregister,free}_dev().
> 
> I don't see any issue. Without HCI_UART_PROTO_SET, the hdev will never
> be registered. So no need to protect it twice.

Correct me if I am wrong. HCI_UART_PROTO_SET bit is only set if hci_uart_tty_ioctl()
is called with HCIUARTSETPROTO. Is it possible for the HCI device to be registered
and then unregistered without setting the HCI_UART_PROTO_SET bit in hdev->flags?

Thanks,
Eugene

Re: [PATCH] drivers/bluetooth/hci_ldisc.c: fix possible NULL dereferences

[Marcel Holtmann]

Hi Eugene,

> >> Commit 22ad42033b7d2b3d7928fba9f89d1c7f8a3c9581 did not completely fix all 
> >> the possible NULL dereferences. Besides hci_uart_close(), we also need to 
> >> make sure that hdev is valid before calling hci_{unregister,free}_dev().
> > 
> > I don't see any issue. Without HCI_UART_PROTO_SET, the hdev will never
> > be registered. So no need to protect it twice.
> 
> Correct me if I am wrong. HCI_UART_PROTO_SET bit is only set if hci_uart_tty_ioctl()
> is called with HCIUARTSETPROTO. Is it possible for the HCI device to be registered
> and then unregistered without setting the HCI_UART_PROTO_SET bit in hdev->flags?

look at the code. The hci_uart_tty_ioctl() is the only function that can
register the HCI device. So besides opening the TTY and set the line
discipline, you also have to the set the UART protocol running on top. I
don't see any way you can achieve to register a HCI device without
setting the HCI_UART_PROTO_SET bit in hu->flags.

Regards

Marcel

Re: [PATCH] drivers/bluetooth/hci_ldisc.c: fix possible NULL dereferences

[Eugene Teo]

Hi Marcel,

Marcel Holtmann wrote:
>>>> Commit 22ad42033b7d2b3d7928fba9f89d1c7f8a3c9581 did not completely fix all 
>>>> the possible NULL dereferences. Besides hci_uart_close(), we also need to 
>>>> make sure that hdev is valid before calling hci_{unregister,free}_dev().
>>> I don't see any issue. Without HCI_UART_PROTO_SET, the hdev will never
>>> be registered. So no need to protect it twice.
>> Correct me if I am wrong. HCI_UART_PROTO_SET bit is only set if hci_uart_tty_ioctl()
>> is called with HCIUARTSETPROTO. Is it possible for the HCI device to be registered
>> and then unregistered without setting the HCI_UART_PROTO_SET bit in hdev->flags?
> 
> look at the code. The hci_uart_tty_ioctl() is the only function that can
> register the HCI device. So besides opening the TTY and set the line
> discipline, you also have to the set the UART protocol running on top. I
> don't see any way you can achieve to register a HCI device without
> setting the HCI_UART_PROTO_SET bit in hu->flags.

Ok. Thanks for the explanation.

Eugene