From: Jarod Wilson <jarod@redhat.com> Date: Mon, 22 Nov 2010 19:30:47 -0500 Subject: [bluetooth] hci_ldisc: fix missing NULL check Message-id: <20101122193047.GA13579@redhat.com> Patchwork-id: 29545 O-Subject: [RHEL5 PATCH] bluetooth: Fix missing NULL check Bugzilla: 655666 RH-Acked-by: John Linville <linville@redhat.com> RH-Acked-by: David S. Miller <davem@redhat.com> RH-Acked-by: Ivan Vecera <ivecera@redhat.com> RH-Acked-by: Prarit Bhargava <prarit@redhat.com> Bugzilla #655666 - missing tty ops write function presence check in hci_uart_tty_open() [rhel-5.6] Upstream commit c19483cc5e56ac5e22dd19cf25ba210ab1537773 bluetooth: Fix missing NULL check Fortunately this is only exploitable on very unusual hardware. [Reported a while ago but nothing happened so just fixing it] Signed-off-by: Alan Cox <alan@linux.intel.com> Cc: stable@kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Trivial backport (s/ops/driver/), but compile-tested on x86_64 only. Signed-off-by: Jarod Wilson <jarod@redhat.com> diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c index 93ba25b..a664589 100644 --- a/drivers/bluetooth/hci_ldisc.c +++ b/drivers/bluetooth/hci_ldisc.c @@ -268,9 +268,16 @@ static int hci_uart_tty_open(struct tty_struct *tty) BT_DBG("tty %p", tty); + /* FIXME: This btw is bogus, nothing requires the old ldisc to clear + the pointer */ if (hu) return -EEXIST; + /* Error if the tty has no write op instead of leaving an exploitable + hole */ + if (tty->driver->write == NULL) + return -EOPNOTSUPP; + if (!(hu = kzalloc(sizeof(struct hci_uart), GFP_KERNEL))) { BT_ERR("Can't allocate controll structure"); return -ENFILE;