public inbox for linux-bluetooth@vger.kernel.org
From: Dan Carpenter <dan.carpenter@oracle.com>
To: brian.gix@intel.com
Cc: linux-bluetooth@vger.kernel.org
Subject: [bug report] Bluetooth: Fix not checking MGMT cmd pending queue
Date: Fri, 4 Mar 2022 16:16:41 +0300
Message-ID: <20220304131641.GE28739@kili>

Hello Brian Gix,

The patch 275f3f648702: "Bluetooth: Fix not checking MGMT cmd pending
queue" from Mar 1, 2022, leads to the following Smatch static checker
warning:

	net/bluetooth/mgmt.c:1587 mgmt_set_connectable_complete()
	warn: variable dereferenced before check 'cmd' (see line 1579)

net/bluetooth/mgmt.c
    1564 static void mgmt_set_connectable_complete(struct hci_dev *hdev, void *data,
    1565                                           int err)
    1566 {
    1567         struct mgmt_pending_cmd *cmd = data;
    1568 
    1569         bt_dev_dbg(hdev, "err %d", err);
    1570 
    1571         /* Make sure cmd still outstanding. */
    1572         if (cmd != pending_find(MGMT_OP_SET_CONNECTABLE, hdev))
    1573                 return;
    1574 
    1575         hci_dev_lock(hdev);
    1576 
    1577         if (err) {
    1578                 u8 mgmt_err = mgmt_status(err);
    1579                 mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
                                         ^^^^^^^

    1580                 goto done;
    1581         }
    1582 
    1583         send_settings_rsp(cmd->sk, MGMT_OP_SET_CONNECTABLE, hdev);
    1584         new_settings(hdev, cmd->sk);
                                    ^^^^^^^
Dereferences.

    1585 
    1586 done:
--> 1587         if (cmd)
                     ^^^
The patch adds a new NULL check but the pointer has already been
dereferenced.

    1588                 mgmt_pending_remove(cmd);
    1589 
    1590         hci_dev_unlock(hdev);
    1591 }

regards,
dan carpenter
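To make the ordering problem concrete, here is an added example (not kernel code, and not Dan's or Brian's) with constructed stand-ins for hci_dev, mgmt_pending_cmd and pending_find(): original_guard_returns_early() evaluates only the pointer comparison the patched function uses as its guard, showing that a NULL cmd is not rejected when the pending queue is empty, and set_connectable_complete_checked() shows the NULL test placed before any field access. The opcode value and the counters standing in for send_settings_rsp()/mgmt_cmd_status() are assumptions.

```c
#include <stddef.h>

/* Constructed stand-ins for the kernel objects; not the real net/bluetooth code. */
#define MGMT_OP_SET_CONNECTABLE 0x0007          /* constructed opcode value */
struct mgmt_pending_cmd { int opcode; int index; int sk; };
struct hci_dev {
    struct mgmt_pending_cmd *pending;   /* one outstanding command, or NULL */
    int settings_rsp_count;             /* calls to send_settings_rsp() */
    int cmd_status_count;               /* calls to mgmt_cmd_status() */
};
struct hci_dev g_dev = { NULL, 0, 0 };                              /* scenario state */
struct mgmt_pending_cmd g_cmd = { MGMT_OP_SET_CONNECTABLE, 0, 1 };  /* scenario cmd */

/* Like the kernel helper: the matching pending command, or NULL if none. */
static struct mgmt_pending_cmd *pending_find(int opcode, struct hci_dev *hdev)
{
    if (hdev->pending && hdev->pending->opcode == opcode)
        return hdev->pending;
    return NULL;
}

/* The guard exactly as the patched function orders it. It only compares
 * pointers: with an empty queue a NULL cmd satisfies NULL == NULL, is not
 * rejected, and execution would reach cmd->sk. Returns 1 on early return. */
int original_guard_returns_early(struct hci_dev *hdev, void *data)
{
    struct mgmt_pending_cmd *cmd = data;
    return cmd != pending_find(MGMT_OP_SET_CONNECTABLE, hdev);
}

enum { COMPLETE_OK = 0, COMPLETE_ERR_STATUS = 1, COMPLETE_SKIPPED = 2 };
/* Hardened ordering: reject NULL before any field access, which also makes
 * the late "if (cmd)" in front of mgmt_pending_remove() unnecessary. */
int set_connectable_complete_checked(struct hci_dev *hdev, void *data, int err)
{
    struct mgmt_pending_cmd *cmd = data;
    int rc = COMPLETE_OK;
    if (!cmd || cmd != pending_find(MGMT_OP_SET_CONNECTABLE, hdev))
        return COMPLETE_SKIPPED;
    if (err) {
        hdev->cmd_status_count++;       /* mgmt_cmd_status(cmd->sk, ...) */
        rc = COMPLETE_ERR_STATUS;
    } else {
        hdev->settings_rsp_count++;     /* send_settings_rsp(cmd->sk, ...) */
    }
    hdev->pending = NULL;               /* mgmt_pending_remove(cmd) */
    return rc;
}
```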
