Bluetooth: btrtl: Prevent potential NULL dereference

Dan Carpenter · Vudentz · commit 324dddea3210 · 2025-04-10T13:09:16.000-04:00
The btrtl_initialize() function checks that rtl_load_file() either had an error or it loaded a zero length file. However, if it loaded a zero length file then the error code is not set correctly. It results in an error pointer vs NULL bug, followed by a NULL pointer dereference. This was detected by Smatch: drivers/bluetooth/btrtl.c:592 btrtl_initialize() warn: passing zero to 'ERR_PTR' Fixes: 26503ad ("Bluetooth: btrtl: split the device initialization into smaller parts") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> Reviewed-by: Hans de Goede <hdegoede@redhat.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
diff --git a/drivers/bluetooth/btrtl.c b/drivers/bluetooth/btrtl.c
@@ -1215,6 +1215,8 @@ struct btrtl_device_info *btrtl_initialize(struct hci_dev *hdev,
 			rtl_dev_err(hdev, "mandatory config file %s not found",
 				    btrtl_dev->ic_info->cfg_name);
 			ret = btrtl_dev->cfg_len;
+			if (!ret)
+				ret = -EINVAL;
 			goto err_free;
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -1215,6 +1215,8 @@ struct btrtl_device_info btrtl_initialize(struct hci_dev hdev,`
`1215`	`1215`	`rtl_dev_err(hdev, "mandatory config file %s not found",`
`1216`	`1216`	`btrtl_dev->ic_info->cfg_name);`
`1217`	`1217`	`ret = btrtl_dev->cfg_len;`
	`1218`	`+ if (!ret)`
	`1219`	`+ ret = -EINVAL;`
`1218`	`1220`	`goto err_free;`
`1219`	`1221`	`}`
`1220`	`1222`	`}`