| From d6d509563c4a21cf1c4819daa9e52f3fe12a44d0 Mon Sep 17 00:00:00 2001 |
| From: Matthias Kaehlcke <mka@chromium.org> |
| Date: Tue, 23 Apr 2019 11:16:52 -0700 |
| Subject: Bluetooth: hci_qca: Fix crash with non-serdev devices |
| |
| [ Upstream commit ecf2b768bd11e2ff09ecbe621b387d0d58e970cf ] |
| |
| qca_set_baudrate() calls serdev_device_wait_until_sent() assuming that |
| the HCI is always associated with a serdev device. This isn't true for |
| ROME controllers instantiated through ldisc, where the call causes a |
| crash due to a NULL pointer dereference. Only call the function |
| when we have a serdev device. The timeout for ROME devices at the end |
| of qca_set_baudrate() is long enough to be reasonably sure that the |
| command was sent. |
| |
| Fixes: fa9ad876b8e0 ("Bluetooth: hci_qca: Add support for Qualcomm Bluetooth chip wcn3990") |
| Reported-by: Balakrishna Godavarthi <bgodavar@codeaurora.org> |
| Reported-by: Rocky Liao <rjliao@codeaurora.org> |
| Signed-off-by: Matthias Kaehlcke <mka@chromium.org> |
| Reviewed-by: Rocky Liao <rjliao@codeaurora.org> |
| Tested-by: Rocky Liao <rjliao@codeaurora.org> |
| Reviewed-by: Balakrishna Godavarthi <bgodavar@codeaurora.org> |
| Signed-off-by: Marcel Holtmann <marcel@holtmann.org> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| drivers/bluetooth/hci_qca.c | 3 ++- |
| 1 file changed, 2 insertions(+), 1 deletion(-) |
| |
| diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c |
| index 237aea34b69f1..340c3c750b180 100644 |
| --- a/drivers/bluetooth/hci_qca.c |
| +++ b/drivers/bluetooth/hci_qca.c |
| @@ -992,7 +992,8 @@ static int qca_set_baudrate(struct hci_dev *hdev, uint8_t baudrate) |
| while (!skb_queue_empty(&qca->txq)) |
| usleep_range(100, 200); |
| |
| - serdev_device_wait_until_sent(hu->serdev, |
| + if (hu->serdev) |
| + serdev_device_wait_until_sent(hu->serdev, |
| msecs_to_jiffies(CMD_TRANS_TIMEOUT_MS)); |
| |
| /* Give the controller time to process the request */ |
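Review bot: the continuation line `msecs_to_jiffies(CMD_TRANS_TIMEOUT_MS));` is left unchanged in this hunk, so after `serdev_device_wait_until_sent(hu->serdev,` moves one level deeper under `if (hu->serdev)` the wrapped argument no longer aligns with the opening parenthesis; reindenting it within the same hunk keeps the call readable. It would also be worth carrying the commit message's reasoning into the code, e.g. a short comment above `if (hu->serdev)` stating that ROME controllers instantiated through ldisc have no serdev and rely on the delay below to be reasonably sure the command was sent, so a later reader does not mistake the skipped wait for an omission.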
| -- |
| 2.20.1 |
| |