From patchwork Wed Jun 19 15:34:27 2013
X-Patchwork-Submitter: Dean Jenkins
X-Patchwork-Id: 252596
X-Patchwork-Delegate: davem@davemloft.net
From: Dean Jenkins
To: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 1/5] Bluetooth: Add RFCOMM TTY write return error codes
Date: Wed, 19 Jun 2013 16:34:27 +0100
Message-Id: <1371656071-27754-2-git-send-email-Dean_Jenkins@mentor.com>
In-Reply-To: <1371656071-27754-1-git-send-email-Dean_Jenkins@mentor.com>
References: <1371656071-27754-1-git-send-email-Dean_Jenkins@mentor.com>

It appears that rfcomm_tty_write() does not check that the passed in TTY device_data is not NULL and also does not check that the RFCOMM DLC serial data link pointer is not NULL.

A kernel crash was observed whilst SLIP was bound to /dev/rfcomm0 but the /dev/rfcomm0 had subsequently disconnected. Unfortunately, SLIP attempted to write to the now non-existent RFCOMM TTY device which caused a NULL pointer dereference because the device_data no longer existed.

Therefore, add NULL pointer checks for the dev and dlc pointers and output kernel error debug to show that NULL had been detected.

Signed-off-by: Dean Jenkins
---
 net/bluetooth/rfcomm/tty.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
index b6e44ad..56d28d1 100644
--- a/net/bluetooth/rfcomm/tty.c
+++ b/net/bluetooth/rfcomm/tty.c
@@ -761,12 +761,24 @@ static void rfcomm_tty_close(struct tty_struct *tty, struct file *filp) static int rfcomm_tty_write(struct tty_struct *tty, const unsigned char *buf, int count) { struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data; - struct rfcomm_dlc *dlc = dev->dlc; + struct rfcomm_dlc *dlc; struct sk_buff *skb; int err = 0, sent = 0, size; BT_DBG("tty %p count %d", tty, count); + if (!dev) { + BT_ERR("RFCOMM TTY device data structure does not exist"); + return -ENODEV; + } + + dlc = dev->dlc; + + if (!dlc) { + BT_ERR("RFCOMM serial data link does not exist"); + return -ENOLINK; + } + while (count) { size = min_t(uint, count, dlc->mtu);
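Review bot: the two NULL checks in rfcomm_tty_write() close the crash described in the commit message, but nothing in this hunk synchronizes with the disconnect path, so they remain time-of-check/time-of-use: `dev` is read from `tty->driver_data` and `dlc` from `dev->dlc` without any lock or reference held, and either could be torn down between the check and the `dlc->mtu` use in the loop below. A reference on `dev` (or a lock shared with the teardown path) should be taken before dereferencing `dlc`, otherwise a stale but non-NULL pointer is still reachable. Separately, `BT_ERR()` on every failed write will flood the log when a bound line discipline such as SLIP keeps retrying after the link drops; consider `BT_DBG()` or a rate-limited print, since the `-ENODEV`/`-ENOLINK` return values already report the condition to the caller.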