Bluetooth: hci_ldisc: fix NULL-pointer dereference on tty_close

[linux-flexiantxendom0.git] / drivers / bluetooth / hci_ldisc.c

diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
index 320f718..8f3d6db 100644 (file)
--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -237,7 +237,6 @@ static void hci_uart_destruct(struct hci_dev *hdev)
                return;
 
        BT_DBG("%s", hdev->name);
-       kfree(hdev->driver_data);
 }
 
 /* ------ LDISC part ------ */
@@ -310,12 +309,13 @@ static void hci_uart_tty_close(struct tty_struct *tty)
                        hci_uart_close(hdev);
 
                if (test_and_clear_bit(HCI_UART_PROTO_SET, &hu->flags)) {
-                       hu->proto->close(hu);
                        if (hdev) {
                                hci_unregister_dev(hdev);
                                hci_free_dev(hdev);
                        }
+                       hu->proto->close(hu);
                }
+               kfree(hu);
        }
 }
 
@@ -359,7 +359,6 @@ static void hci_uart_tty_wakeup(struct tty_struct *tty)
  */
 static void hci_uart_tty_receive(struct tty_struct *tty, const u8 *data, char *flags, int count)
 {
-       int ret;
        struct hci_uart *hu = (void *)tty->disc_data;
 
        if (!hu || tty != hu->tty)
@@ -369,9 +368,8 @@ static void hci_uart_tty_receive(struct tty_struct *tty, const u8 *data, char *f
                return;
 
        spin_lock(&hu->rx_lock);
-       ret = hu->proto->recv(hu, (void *) data, count);
-       if (ret > 0)
-               hu->hdev->stat.byte_rx += count;
+       hu->proto->recv(hu, (void *) data, count);
+       hu->hdev->stat.byte_rx += count;
        spin_unlock(&hu->rx_lock);
 
        tty_unthrottle(tty);