[PATCH] Bluetooth: set bcsp to NULL after purging

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Set hu->priv to NULL after skb purging in bcsp_close to prevent NULL
pointer dereference in bcsp_recv.

Reported-by: syzbot+4ed6852d4da4606c93da@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://lore.kernel.org/all/67b0cc5b.050a0220.6f0b7.0014.GAE@xxxxxxxxxx/T/
Signed-off-by: Ivan Pravdin <ipravdin.official@xxxxxxxxx>
---
 drivers/bluetooth/hci_bcsp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/bluetooth/hci_bcsp.c b/drivers/bluetooth/hci_bcsp.c
index 610d0e3c36d4..de9a6ed3a8aa 100644
--- a/drivers/bluetooth/hci_bcsp.c
+++ b/drivers/bluetooth/hci_bcsp.c
@@ -739,8 +739,6 @@ static int bcsp_close(struct hci_uart *hu)
 
 	timer_shutdown_sync(&bcsp->tbcsp);
 
-	hu->priv = NULL;
-
 	BT_DBG("hu %p", hu);
 
 	skb_queue_purge(&bcsp->unack);
@@ -753,6 +751,8 @@ static int bcsp_close(struct hci_uart *hu)
 	}
 
 	kfree(bcsp);
+	hu->priv = NULL;
+
 	return 0;
 }
 
-- 
2.45.2
[Index of Archives]     [Bluez Devel]     [Linux Wireless Networking]     [Linux Wireless Personal Area Networking]     [Linux ATH6KL]     [Linux USB Devel]     [Linux Media Drivers]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [Big List of Linux Books]

  Powered by Linux