[PATCH] Bluetooth: btrtl: set error code when RTL_SEC_PROJ read fails

Yinhao Hu

Jun 20, 2026, 6:58:05 AM (11 days ago) Jun 20
to mar...@holtmann.org, luiz....@gmail.com, linux-b...@vger.kernel.org, dz...@hust.edu.cn, hust-os-ker...@googlegroups.com, Yinhao Hu
btrtl_initialize() returns ERR_PTR(ret) at the err_free label, so every
path that jumps there must leave a negative error code in ret.

The RTL_SEC_PROJ register read stored its result in a separate variable
rc and jumped to err_free on failure without updating ret. At that point
ret is still 0 from the previous successful read, so btrtl_initialize()
returns ERR_PTR(0), i.e. NULL. btrtl_setup_realtek() only checks
IS_ERR(), then passes the NULL pointer to btrtl_download_firmware(),
which dereferences it:

Oops: general protection fault
RIP: btrtl_download_firmware+0x39
btrtl_setup_realtek
btusb_setup_realtek
hci_dev_open_sync

Read the register into ret directly and drop the now-redundant rc so the
failure propagates as a negative error pointer.

Fixes: cd8dbd9ef600 ("Bluetooth: btrtl: Avoid loading the config file on security chips")
Signed-off-by: Yinhao Hu <ddd...@hust.edu.cn>
---
drivers/bluetooth/btrtl.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/drivers/bluetooth/btrtl.c b/drivers/bluetooth/btrtl.c
index 62f9d4df3a4f..eb6fdf8592c2 100644
--- a/drivers/bluetooth/btrtl.c
+++ b/drivers/bluetooth/btrtl.c
@@ -1073,7 +1073,6 @@ struct btrtl_device_info *btrtl_initialize(struct hci_dev *hdev,
u16 hci_rev, lmp_subver;
u8 hci_ver, lmp_ver, chip_type = 0;
int ret;
- int rc;
u8 key_id;
u8 reg_val[2];

@@ -1185,8 +1184,8 @@ struct btrtl_device_info *btrtl_initialize(struct hci_dev *hdev,
goto err_free;
}

- rc = btrtl_vendor_read_reg16(hdev, RTL_SEC_PROJ, reg_val);
- if (rc < 0)
+ ret = btrtl_vendor_read_reg16(hdev, RTL_SEC_PROJ, reg_val);
+ if (ret < 0)
goto err_free;

key_id = reg_val[0];
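Review bot: storing the RTL_SEC_PROJ read status in ret is the right fix, since err_free returns ERR_PTR(ret) and the old rc path left ret at 0 (ERR_PTR(0) is NULL, which the IS_ERR() check in btrtl_setup_realtek() does not catch). Two follow-ups worth considering: the commit message reports a reachable NULL dereference and carries a Fixes: tag, so a Cc: stable@vger.kernel.org tag would get it backported; and because every path into err_free depends on ret being negative, a WARN_ON_ONCE(!ret) at the label (or an IS_ERR_OR_NULL() check in the caller) would make any future path that repeats this mistake fail loudly instead of dereferencing NULL.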
--
2.43.0
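The ERR_PTR(0) == NULL trap the commit message describes, as an added user-space model that is not kernel code and not part of this patch: ERR_PTR()/IS_ERR() follow the convention of linux/err.h, while initialize_before(), initialize_after(), read_reg16_model() and struct dev_info are hypothetical stand-ins for btrtl_initialize() before and after the fix, with the RTL_SEC_PROJ read simulated to fail with -EIO.

```c
/* Added example (hypothetical model, not the driver's code): shows why a
 * failing read that leaves ret == 0 becomes a NULL return that IS_ERR()
 * does not catch, and how the fix propagates a real error pointer. */
#include <errno.h>
#include <stddef.h>

/* Same encoding as <linux/err.h>: the top MAX_ERRNO addresses are errors. */
#define MAX_ERRNO 4095
#define IS_ERR_VALUE(x) ((unsigned long)(x) >= (unsigned long)-MAX_ERRNO)
static inline void *ERR_PTR(long error) { return (void *)error; }
static inline long PTR_ERR(const void *ptr) { return (long)ptr; }
static inline int IS_ERR(const void *ptr) { return IS_ERR_VALUE((unsigned long)ptr); }

struct dev_info { int sec_proj; };
static struct dev_info g_info;

/* Simulated vendor register read: which == 0 is the earlier read (always
 * succeeds), which == 1 is RTL_SEC_PROJ (fails with -EIO if requested). */
static int read_reg16_model(int which, int fail_sec_proj)
{
	return (which == 1 && fail_sec_proj) ? -EIO : 0;
}

/* Before the patch: the second read's status lands in rc, not ret. */
static struct dev_info *initialize_before(int fail_sec_proj)
{
	int ret, rc;
	ret = read_reg16_model(0, fail_sec_proj);
	if (ret < 0) goto err_free;
	rc = read_reg16_model(1, fail_sec_proj);
	if (rc < 0) goto err_free;	/* ret is still 0 here */
	return &g_info;
err_free:
	return ERR_PTR(ret);		/* ERR_PTR(0) == NULL */
}

/* After the patch: the status goes straight into ret. */
static struct dev_info *initialize_after(int fail_sec_proj)
{
	int ret;
	ret = read_reg16_model(0, fail_sec_proj);
	if (ret < 0) goto err_free;
	ret = read_reg16_model(1, fail_sec_proj);
	if (ret < 0) goto err_free;
	return &g_info;
err_free:
	return ERR_PTR(ret);		/* now ERR_PTR(-EIO) */
}

/* Caller check as in btrtl_setup_realtek(): IS_ERR() only.
 * Returns 1 when the caller would go on to dereference NULL. */
static int caller_would_deref_null(struct dev_info *info)
{
	if (IS_ERR(info)) return 0;	/* error propagated correctly */
	return info == NULL;
}
```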
