author | David S. Miller <davem@davemloft.net> | 2016-02-22 04:46:26 +0100 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2016-02-22 04:46:26 +0100 |
commit | 9ca69b705486a6fd5c3ecf0558b2203c376ec048 (patch) | |
tree | 862474f29f9899888801f4dc015cf425aa961892 | |
parent | net: ethernet: davicom: fix devicetree irq resource (diff) | |
parent | Bluetooth: hci_core: Avoid mixing up req_complete and req_complete_skb (diff) | |
download | linux-9ca69b705486a6fd5c3ecf0558b2203c376ec048.tar.xz linux-9ca69b705486a6fd5c3ecf0558b2203c376ec048.zip |
Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth
Johan Hedberg says:
====================
pull request: bluetooth 2016-02-20
Here's an important patch for 4.5 which fixes potential invalid pointer
access when processing completed Bluetooth HCI commands.
Please let me know if there are any issues pulling. Thanks.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/bluetooth/hci_core.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c index 47bcef754796..883c821a9e78 100644 --- a/net/bluetooth/hci_core.c +++ b/net/bluetooth/hci_core.c @@ -4112,8 +4112,10 @@ void hci_req_cmd_complete(struct hci_dev *hdev, u16 opcode, u8 status, break; } - *req_complete = bt_cb(skb)->hci.req_complete; - *req_complete_skb = bt_cb(skb)->hci.req_complete_skb; + if (bt_cb(skb)->hci.req_flags & HCI_REQ_SKB) + *req_complete_skb = bt_cb(skb)->hci.req_complete_skb; + else + *req_complete = bt_cb(skb)->hci.req_complete; kfree_skb(skb); } spin_unlock_irqrestore(&hdev->cmd_q.lock, flags); |
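Review bot: In the new if/else in hci_req_cmd_complete(), each pass writes only one of the two out-parameters, so the pointer on the branch not taken keeps whatever value the caller passed in. If a caller does not set both `*req_complete` and `*req_complete_skb` to NULL before the call, it can still end up invoking a stale or uninitialized callback, which is the class of invalid pointer access the pull request describes. Consider clearing the unselected one explicitly in each branch (for example `*req_complete = NULL;` alongside the `*req_complete_skb = ...` assignment, and the reverse in the else branch), or state the caller's initialization requirement in a comment above the function. A one-line comment on why `HCI_REQ_SKB` in `req_flags` decides which field is valid would also help, since the hunk alone does not show how the two fields relate.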