summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDavid S. Miller <davem@davemloft.net>2016-02-22 04:46:26 +0100
committerDavid S. Miller <davem@davemloft.net>2016-02-22 04:46:26 +0100
commit9ca69b705486a6fd5c3ecf0558b2203c376ec048 (patch)
tree862474f29f9899888801f4dc015cf425aa961892
parentnet: ethernet: davicom: fix devicetree irq resource (diff)
parentBluetooth: hci_core: Avoid mixing up req_complete and req_complete_skb (diff)
downloadlinux-9ca69b705486a6fd5c3ecf0558b2203c376ec048.tar.xz
linux-9ca69b705486a6fd5c3ecf0558b2203c376ec048.zip
Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth
Johan Hedberg says: ==================== pull request: bluetooth 2016-02-20 Here's an important patch for 4.5 which fixes potential invalid pointer access when processing completed Bluetooth HCI commands. Please let me know if there are any issues pulling. Thanks. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/bluetooth/hci_core.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 47bcef754796..883c821a9e78 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -4112,8 +4112,10 @@ void hci_req_cmd_complete(struct hci_dev *hdev, u16 opcode, u8 status,
break;
}
- *req_complete = bt_cb(skb)->hci.req_complete;
- *req_complete_skb = bt_cb(skb)->hci.req_complete_skb;
+ if (bt_cb(skb)->hci.req_flags & HCI_REQ_SKB)
+ *req_complete_skb = bt_cb(skb)->hci.req_complete_skb;
+ else
+ *req_complete = bt_cb(skb)->hci.req_complete;
kfree_skb(skb);
}
spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);