[PATCH 1/2] Bluetooth: hci_qca: fix NULL pointer dereference in qca_setup() for non-serdev device

From: Zijun Hu

Date: Mon Jun 01 2026 - 07:39:35 EST


hu->serdev is NULL for hci_uart attached via non-serdev paths, but
qca_setup() unconditionally calls serdev_device_get_drvdata(hu->serdev)
and dereferences the result, causing a NULL pointer dereference.

Fix by guarding the dereference with a NULL check, consistent with the
rest of qca_setup().

Fixes: 22d893eec0d5 ("Bluetooth: hci_qca: Refactor HFP hardware offload capability handling")
Signed-off-by: Zijun Hu <zijun.hu@xxxxxxxxxxxxxxxx>
---
drivers/bluetooth/hci_qca.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
index 34500137df2c..cc7b34a61fa7 100644
--- a/drivers/bluetooth/hci_qca.c
+++ b/drivers/bluetooth/hci_qca.c
@@ -1916,9 +1916,12 @@ static int qca_setup(struct hci_uart *hu)
const char *rampatch_name = qca_get_rampatch_name(hu);
int ret;
struct qca_btsoc_version ver;
- struct qca_serdev *qcadev = serdev_device_get_drvdata(hu->serdev);
+ struct qca_serdev *qcadev = NULL;
const char *soc_name;

+ if (hu->serdev)
+ qcadev = serdev_device_get_drvdata(hu->serdev);
+
ret = qca_check_speeds(hu);
if (ret)
return ret;
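Review bot: The reason `qcadev` may legitimately stay NULL is given only in the commit message, not next to the declaration, so a short comment would keep that context with the code, e.g. `/* NULL when the controller is attached via the line discipline rather than serdev */` above `struct qca_serdev *qcadev = NULL;`. The `qcadev &&` guards added at `bdaddr_property_broken` and `support_hfp_hw_offload` in the second and third hunks then silently skip the quirk and the HFP offload on that path, which appears to be the intended behaviour per the description. Any other `qcadev->` access in qca_setup() outside these three hunks would need the same guard, which cannot be confirmed from the patch alone. qca_setup() starts and ends outside the hunk.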
@@ -1980,7 +1983,7 @@ static int qca_setup(struct hci_uart *hu)
case QCA_WCN6750:
case QCA_WCN6855:
case QCA_WCN7850:
- if (qcadev->bdaddr_property_broken)
+ if (qcadev && qcadev->bdaddr_property_broken)
hci_set_quirk(hdev, HCI_QUIRK_BDADDR_PROPERTY_BROKEN);

hci_set_aosp_capable(hdev);
@@ -2073,7 +2076,7 @@ static int qca_setup(struct hci_uart *hu)
else
hu->hdev->set_bdaddr = qca_set_bdaddr;

- if (qcadev->support_hfp_hw_offload)
+ if (qcadev && qcadev->support_hfp_hw_offload)
qca_configure_hfp_offload(hdev);

qca->fw_version = le16_to_cpu(ver.patch_ver);

--
2.34.1