Sophie

kernel-2.6.18-238.el5.src.rpm

From: Jarod Wilson <jarod@redhat.com>
Date: Mon, 22 Nov 2010 19:30:47 -0500
Subject: [bluetooth] hci_ldisc: fix missing NULL check
Message-id: <20101122193047.GA13579@redhat.com>
Patchwork-id: 29545
O-Subject: [RHEL5 PATCH] bluetooth: Fix missing NULL check
Bugzilla: 655666
RH-Acked-by: John Linville <linville@redhat.com>
RH-Acked-by: David S. Miller <davem@redhat.com>
RH-Acked-by: Ivan Vecera <ivecera@redhat.com>
RH-Acked-by: Prarit Bhargava <prarit@redhat.com>

Bugzilla #655666 - missing tty ops write function presence check
                   in hci_uart_tty_open() [rhel-5.6]

Upstream commit c19483cc5e56ac5e22dd19cf25ba210ab1537773

    bluetooth: Fix missing NULL check

    Fortunately this is only exploitable on very unusual hardware.

    [Reported a while ago but nothing happened so just fixing it]

    Signed-off-by: Alan Cox <alan@linux.intel.com>
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Trivial backport (s/ops/driver/), but compile-tested on x86_64 only.

Signed-off-by: Jarod Wilson <jarod@redhat.com>

diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
index 93ba25b..a664589 100644
--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -268,9 +268,16 @@ static int hci_uart_tty_open(struct tty_struct *tty)
 
 	BT_DBG("tty %p", tty);
 
+	/* FIXME: This btw is bogus, nothing requires the old ldisc to clear
+	   the pointer */
 	if (hu)
 		return -EEXIST;
 
+	/* Error if the tty has no write op instead of leaving an exploitable
+	   hole */
+	if (tty->driver->write == NULL)
+		return -EOPNOTSUPP;
+
 	if (!(hu = kzalloc(sizeof(struct hci_uart), GFP_KERNEL))) {
 		BT_ERR("Can't allocate controll structure");
 		return -ENFILE;
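
Review bot: The FIXME added above `if (hu)` states that the `-EEXIST` test cannot be relied on, because nothing requires the old ldisc to clear the pointer, yet the test stays as it is and the comment names no follow-up. Either say in the comment what goes wrong when a stale pointer is seen here, or track the cleanup separately so the FIXME does not become permanent. The new `tty->driver->write == NULL` check is well placed ahead of the `kzalloc`, so the early `-EOPNOTSUPP` return has nothing to free, but its comment only says "exploitable hole"; naming the later path that calls `write` without checking it would let a reader confirm the guard covers it. Since the backport renames `ops` to `driver` and is described as compile-tested only, a runtime test that attaches this line discipline to a tty whose driver has no `write` and expects `-EOPNOTSUPP` would be worth adding. Style: both new multi-line comments close with `*/` on the text line rather than on a line of their own.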