Bluetooth: hci_qca: Fix crash with non-serdev devices

qca_set_baudrate() calls serdev_device_wait_until_sent() assuming that
the HCI is always associated with a serdev device. This isn't true for
ROME controllers instantiated through ldisc, where the call causes a
crash due to a NULL pointer dereferentiation. Only call the function
when we have a serdev device. The timeout for ROME devices at the end
of qca_set_baudrate() is long enough to be reasonably sure that the
command was sent.

Fixes: fa9ad87 ("Bluetooth: hci_qca: Add support for Qualcomm Bluetooth chip wcn3990")
Reported-by: Balakrishna Godavarthi <[email protected]>
Reported-by: Rocky Liao <[email protected]>
Signed-off-by: Matthias Kaehlcke <[email protected]>
Reviewed-by: Rocky Liao <[email protected]>
Tested-by: Rocky Liao <[email protected]>
Reviewed-by: Balakrishna Godavarthi <[email protected]>
Signed-off-by: Marcel Holtmann <[email protected]>

Author: Matthias Kaehlcke

drivers/bluetooth/hci_qca.c

@@ -1006,7 +1006,8 @@ static int qca_set_baudrate(struct hci_dev *hdev, uint8_t baudrate)
 	while (!skb_queue_empty(&qca->txq))
 		usleep_range(100, 200);
 
-	serdev_device_wait_until_sent(hu->serdev,
+	if (hu->serdev)
+		serdev_device_wait_until_sent(hu->serdev,
 		      msecs_to_jiffies(CMD_TRANS_TIMEOUT_MS));
 
 	/* Give the controller time to process the request */