From: Sergey Shtylyov <s.shtylyov@auroraos.dev>
Date: Mon, 1 Jun 2026 20:21:30 +0000 (+0300)
Subject: Bluetooth: hci_h5: reset hci_uart::priv in the close() method
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=93f5d7057da83e951e1e49de7c8a80ccd44d8d82;p=thirdparty%2Flinux.git

Bluetooth: hci_h5: reset hci_uart::priv in the close() method

Unlike the other HCI UART drivers, the 3-wire UART driver doesn't reset
hci_uart::priv in its close() method -- this shouldn't pose a problem as
all the methods in *struct* hci_uart_proto should only be called after the
open() method that sets up hci_uart::priv properly. However, it seems wise
to be more consistent and provide for the *struct* hci_uart_proto methods
the same state that exists before the first open() method call (so that
they rather crash than dereference a stale hci_uart::priv pointer)...

Found by Linux Verification Center (linuxtesting.org) with the Svace static
analysis tool.

Signed-off-by: Sergey Shtylyov <s.shtylyov@auroraos.dev>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---

diff --git a/drivers/bluetooth/hci_h5.c b/drivers/bluetooth/hci_h5.c
index d35383718212..c6d9f70ad3bb 100644
--- a/drivers/bluetooth/hci_h5.c
+++ b/drivers/bluetooth/hci_h5.c
@@ -273,6 +273,7 @@ static int h5_close(struct hci_uart *hu)
 	if (!hu->serdev)
 		kfree(h5);
 
+	hu->priv = NULL;
 	return 0;
 }