Bluetooth: hci_ldisc: fix NULL-pointer dereference on tty_close
[linux-flexiantxendom0.git] / drivers / bluetooth / hci_ldisc.c
index 74cb6f3..8f3d6db 100644 (file)
@@ -237,7 +237,6 @@ static void hci_uart_destruct(struct hci_dev *hdev)
                return;
 
        BT_DBG("%s", hdev->name);
-       kfree(hdev->driver_data);
 }
 
 /* ------ LDISC part ------ */
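Review bot: With the `kfree(hdev->driver_data)` removed, hci_uart_destruct leaves `hdev->driver_data` pointing at the `hu` that hci_uart_tty_close now frees itself, and nothing at the removed line records that ownership moved; the next maintainer who sees a destruct callback that only prints is likely to put the free back. A one-line comment in its place would settle it: `/* hu is owned by the tty and freed in hci_uart_tty_close(); never free driver_data here */`. The start of hci_uart_destruct, including the early return that precedes this hunk, is outside the hunk.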
@@ -256,9 +255,16 @@ static int hci_uart_tty_open(struct tty_struct *tty)
 
        BT_DBG("tty %p", tty);
 
+       /* FIXME: This btw is bogus, nothing requires the old ldisc to clear
+          the pointer */
        if (hu)
                return -EEXIST;
 
+       /* Error if the tty has no write op instead of leaving an exploitable
+          hole */
+       if (tty->ops->write == NULL)
+               return -EOPNOTSUPP;
+
        if (!(hu = kzalloc(sizeof(struct hci_uart), GFP_KERNEL))) {
                BT_ERR("Can't allocate control structure");
                return -ENFILE;
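Review bot: The two comments added to hci_uart_tty_open do not use the kernel's multi-line comment layout (an opening `/*` on its own line and a ` * ` prefix on each continuation), and the second describes a threat ("exploitable hole") rather than the behaviour being guarded; assuming the send path does call `tty->ops->write` unconditionally, as the comment implies but the hunk does not show, I would write `/* Refuse a tty with no write op so the HCI send path never calls a NULL tty->ops->write */`. The FIXME is honest that the `-EEXIST` test trips on a stale `disc_data` left behind by a previous ldisc, but the matching fix — clearing `tty->disc_data` when this ldisc closes — is not in this hunk as far as visible. Separately, the unchanged `return -ENFILE;` on kzalloc failure reports the wrong errno; `return -ENOMEM;` is the conventional value and is what callers of the ldisc open path expect to see for an allocation failure.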
@@ -303,10 +309,13 @@ static void hci_uart_tty_close(struct tty_struct *tty)
                        hci_uart_close(hdev);
 
                if (test_and_clear_bit(HCI_UART_PROTO_SET, &hu->flags)) {
+                       if (hdev) {
+                               hci_unregister_dev(hdev);
+                               hci_free_dev(hdev);
+                       }
                        hu->proto->close(hu);
-                       hci_unregister_dev(hdev);
-                       hci_free_dev(hdev);
                }
+               kfree(hu);
        }
 }
 
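Review bot: hci_uart_tty_close frees `hu` with the added `kfree(hu);` but, within this hunk, never clears `tty->disc_data`, which is where hci_uart_tty_open appears to read `hu` back from (its `if (hu) return -EEXIST;` check); unless the part of the function above the hunk already does this, a later attach of this ldisc to the same tty sees a dangling pointer, and any receive or write-wakeup callback that may still run on the tty can touch freed memory. Add `tty->disc_data = NULL;` before the `kfree(hu);` — or, better, at the top of the function before any teardown starts. The reordering that unregisters and frees `hdev` before `hu->proto->close(hu)` looks intentional, since the hdev is torn down while the proto can still service it; a short comment such as `/* unregister hdev before proto->close so no frame reaches a closed proto */` would keep the order from being undone. The beginning of the function, where `hu` and `hdev` are obtained, is outside the hunk.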
@@ -389,6 +398,7 @@ static int hci_uart_register_dev(struct hci_uart *hu)
        hdev->flush = hci_uart_flush;
        hdev->send  = hci_uart_send_frame;
        hdev->destruct = hci_uart_destruct;
+       hdev->parent = hu->tty->dev;
 
        hdev->owner = THIS_MODULE;