queue/Bluetooth-hci_intel-add-missing-tty-device-sanity-ch.patch - pub/scm/linux/kernel/git/paulg/longterm-queue-4.8 - Git at Google

 From dcb9cfaa5ea9aa0ec08aeb92582ccfe3e4c719a9 Mon Sep 17 00:00:00 2001
 From: Johan Hovold <johan@kernel.org>
 Date: Wed, 29 Mar 2017 18:15:28 +0200
 Subject: [PATCH] Bluetooth: hci_intel: add missing tty-device sanity check

 commit dcb9cfaa5ea9aa0ec08aeb92582ccfe3e4c719a9 upstream.

 Make sure to check the tty-device pointer before looking up the sibling
 platform device to avoid dereferencing a NULL-pointer when the tty is
 one end of a Unix98 pty.

 Fixes: 74cdad37cd24 ("Bluetooth: hci_intel: Add runtime PM support")
 Fixes: 1ab1f239bf17 ("Bluetooth: hci_intel: Add support for platform driver")
 Cc: stable <stable@vger.kernel.org>     # 4.3
 Cc: Loic Poulain <loic.poulain@intel.com>
 Signed-off-by: Johan Hovold <johan@kernel.org>
 Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

 diff --git a/drivers/bluetooth/hci_intel.c b/drivers/bluetooth/hci_intel.c
 index d915e7eee233..fa5099986f1b 100644
 --- a/drivers/bluetooth/hci_intel.c
 +++ b/drivers/bluetooth/hci_intel.c
 @@ -307,6 +307,9 @@ static int intel_set_power(struct hci_uart *hu, bool powered)
  	struct list_head *p;
  	int err = -ENODEV;

 +	if (!hu->tty->dev)
 +		return err;
 +
  	mutex_lock(&intel_device_list_lock);

  	list_for_each(p, &intel_device_list) {
 @@ -379,6 +382,9 @@ static void intel_busy_work(struct work_struct *work)
  	struct intel_data *intel = container_of(work, struct intel_data,
  						busy_work);

 +	if (!intel->hu->tty->dev)
 +		return;
 +
  	/* Link is busy, delay the suspend */
  	mutex_lock(&intel_device_list_lock);
  	list_for_each(p, &intel_device_list) {
 @@ -899,6 +905,8 @@ done:
  	list_for_each(p, &intel_device_list) {
  		struct intel_device *dev = list_entry(p, struct intel_device,
  						      list);
 +		if (!hu->tty->dev)
 +			break;
  		if (hu->tty->dev->parent == dev->pdev->dev.parent) {
  			if (device_may_wakeup(&dev->pdev->dev)) {
  				set_bit(STATE_LPM_ENABLED, &intel->flags);
 @@ -1066,6 +1074,9 @@ static int intel_enqueue(struct hci_uart *hu, struct sk_buff *skb)

  	BT_DBG("hu %p skb %p", hu, skb);

 +	if (!hu->tty->dev)
 +		goto out_enqueue;
 +
  	/* Be sure our controller is resumed and potential LPM transaction
  	 * completed before enqueuing any packet.
  	 */
 @@ -1082,7 +1093,7 @@ static int intel_enqueue(struct hci_uart *hu, struct sk_buff *skb)
  		}
  	}
  	mutex_unlock(&intel_device_list_lock);
 -
 +out_enqueue:
  	skb_queue_tail(&intel->txq, skb);

  	return 0;
 --
 2.12.0
	From dcb9cfaa5ea9aa0ec08aeb92582ccfe3e4c719a9 Mon Sep 17 00:00:00 2001
	From: Johan Hovold <johan@kernel.org>
	Date: Wed, 29 Mar 2017 18:15:28 +0200
	Subject: [PATCH] Bluetooth: hci_intel: add missing tty-device sanity check

	commit dcb9cfaa5ea9aa0ec08aeb92582ccfe3e4c719a9 upstream.

	Make sure to check the tty-device pointer before looking up the sibling
	platform device to avoid dereferencing a NULL-pointer when the tty is
	one end of a Unix98 pty.

	Fixes: 74cdad37cd24 ("Bluetooth: hci_intel: Add runtime PM support")
	Fixes: 1ab1f239bf17 ("Bluetooth: hci_intel: Add support for platform driver")
	Cc: stable <stable@vger.kernel.org> # 4.3
	Cc: Loic Poulain <loic.poulain@intel.com>
	Signed-off-by: Johan Hovold <johan@kernel.org>
	Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

	diff --git a/drivers/bluetooth/hci_intel.c b/drivers/bluetooth/hci_intel.c
	index d915e7eee233..fa5099986f1b 100644
	--- a/drivers/bluetooth/hci_intel.c
	+++ b/drivers/bluetooth/hci_intel.c
	@@ -307,6 +307,9 @@ static int intel_set_power(struct hci_uart *hu, bool powered)
	struct list_head *p;
	int err = -ENODEV;

	+ if (!hu->tty->dev)
	+ return err;
	+
	mutex_lock(&intel_device_list_lock);

	list_for_each(p, &intel_device_list) {
	@@ -379,6 +382,9 @@ static void intel_busy_work(struct work_struct *work)
	struct intel_data *intel = container_of(work, struct intel_data,
	busy_work);

	+ if (!intel->hu->tty->dev)
	+ return;
	+
	/* Link is busy, delay the suspend */
	mutex_lock(&intel_device_list_lock);
	list_for_each(p, &intel_device_list) {
	@@ -899,6 +905,8 @@ done:
	list_for_each(p, &intel_device_list) {
	struct intel_device *dev = list_entry(p, struct intel_device,
	list);
	+ if (!hu->tty->dev)
	+ break;
	if (hu->tty->dev->parent == dev->pdev->dev.parent) {
	if (device_may_wakeup(&dev->pdev->dev)) {
	set_bit(STATE_LPM_ENABLED, &intel->flags);
	@@ -1066,6 +1074,9 @@ static int intel_enqueue(struct hci_uart hu, struct sk_buff skb)

	BT_DBG("hu %p skb %p", hu, skb);

	+ if (!hu->tty->dev)
	+ goto out_enqueue;
	+
	/* Be sure our controller is resumed and potential LPM transaction
	* completed before enqueuing any packet.
	*/
	@@ -1082,7 +1093,7 @@ static int intel_enqueue(struct hci_uart hu, struct sk_buff skb)
	}
	}
	mutex_unlock(&intel_device_list_lock);
	-
	+out_enqueue:
	skb_queue_tail(&intel->txq, skb);

	return 0;
	--
	2.12.0