Bluetooth: hci_qca: fix NULL pointer dereference in qca_setup() for non-serdev device

hu->serdev is NULL for hci_uart attached via non-serdev paths, but
qca_setup() unconditionally calls serdev_device_get_drvdata(hu->serdev)
and dereferences the result, causing a NULL pointer dereference.

Fix by guarding the dereference with a NULL check, consistent with the
rest of qca_setup().

Fixes: 22d893eec0d5 ("Bluetooth: hci_qca: Refactor HFP hardware offload capability handling")
Signed-off-by: Zijun Hu <zijun.hu@oss.qualcomm.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
index 34500137df2c107bf4fb820b3d7df21c4d085635..cc7b34a61fa783d4358141912ea8682482f43b8a 100644 (file)
--- a/drivers/bluetooth/hci_qca.c
+++ b/drivers/bluetooth/hci_qca.c
@@ -1916,9 +1916,12 @@ static int qca_setup(struct hci_uart *hu)
        const char *rampatch_name = qca_get_rampatch_name(hu);
        int ret;
        struct qca_btsoc_version ver;
-       struct qca_serdev *qcadev = serdev_device_get_drvdata(hu->serdev);
+       struct qca_serdev *qcadev = NULL;
        const char *soc_name;
 
+       if (hu->serdev)
+               qcadev = serdev_device_get_drvdata(hu->serdev);
+
        ret = qca_check_speeds(hu);
        if (ret)
                return ret;
@@ -1980,7 +1983,7 @@ retry:
        case QCA_WCN6750:
        case QCA_WCN6855:
        case QCA_WCN7850:
-               if (qcadev->bdaddr_property_broken)
+               if (qcadev && qcadev->bdaddr_property_broken)
                        hci_set_quirk(hdev, HCI_QUIRK_BDADDR_PROPERTY_BROKEN);
 
                hci_set_aosp_capable(hdev);
@@ -2073,7 +2076,7 @@ out:
        else
                hu->hdev->set_bdaddr = qca_set_bdaddr;
 
-       if (qcadev->support_hfp_hw_offload)
+       if (qcadev && qcadev->support_hfp_hw_offload)
                qca_configure_hfp_offload(hdev);
 
        qca->fw_version = le16_to_cpu(ver.patch_ver);