Subject: [bug report] Bluetooth: Fix not checking MGMT cmd pending queue
From: Dan Carpenter @ 2022-03-04 13:16 UTC (permalink / raw)
To: brian.gix; +Cc: linux-bluetooth
Hello Brian Gix,
The patch 275f3f648702: "Bluetooth: Fix not checking MGMT cmd pending
queue" from Mar 1, 2022, leads to the following Smatch static checker
warning:
net/bluetooth/mgmt.c:1587 mgmt_set_connectable_complete()
warn: variable dereferenced before check 'cmd' (see line 1579)
net/bluetooth/mgmt.c
    1564 static void mgmt_set_connectable_complete(struct hci_dev *hdev, void *data,
    1565                                           int err)
    1566 {
    1567         struct mgmt_pending_cmd *cmd = data;
    1568
    1569         bt_dev_dbg(hdev, "err %d", err);
    1570
    1571         /* Make sure cmd still outstanding. */
    1572         if (cmd != pending_find(MGMT_OP_SET_CONNECTABLE, hdev))
    1573                 return;
    1574
    1575         hci_dev_lock(hdev);
    1576
    1577         if (err) {
    1578                 u8 mgmt_err = mgmt_status(err);
    1579                 mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
                                         ^^^^^^^

    1580                 goto done;
    1581         }
    1582
    1583         send_settings_rsp(cmd->sk, MGMT_OP_SET_CONNECTABLE, hdev);
    1584         new_settings(hdev, cmd->sk);
                                    ^^^^^^^
Dereferences.

    1585
    1586 done:
--> 1587         if (cmd)
                     ^^^
The patch adds a new NULL check but the pointer has already been
dereferenced.

    1588                 mgmt_pending_remove(cmd);
    1589
    1590         hci_dev_unlock(hdev);
    1591 }
regards,
dan carpenter
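Reordering the two tests so that the NULL check guards every dereference, as an added C example that models the function from the report with stub types (it is not the kernel's code or its actual fix; the struct layouts, the one-slot pending queue, the reply counters and the opcode value are assumptions). It also shows why the existing `cmd != pending_find()` test is not a NULL guard on its own: when nothing is queued, pending_find() returns NULL too, so a NULL cmd compares equal and would fall through to cmd->sk.

```c
#include <stdio.h>
/* Stand-ins for the kernel types (assumed shapes, not the real definitions). */
struct mgmt_pending_cmd { unsigned opcode; unsigned index; int sk; };
struct hci_dev {
	struct mgmt_pending_cmd *pending;     /* one-slot stand-in for the pending queue */
	int status_replies, settings_replies; /* mgmt_cmd_status() / settings replies sent */
};
#define MGMT_OP_SET_CONNECTABLE 0x0007        /* assumed value; only equality matters */
/* Like pending_find(): the queued command for this opcode, or NULL if none. */
static struct mgmt_pending_cmd *pending_find(unsigned opcode, struct hci_dev *hdev)
{
	return (hdev->pending && hdev->pending->opcode == opcode) ? hdev->pending : NULL;
}

static void mgmt_pending_remove(struct hci_dev *hdev, struct mgmt_pending_cmd *cmd)
{
	if (hdev->pending == cmd)
		hdev->pending = NULL;
}

/* Returns -1 if the command was ignored, 1 on an error reply, 0 on success. */
static int set_connectable_complete(struct hci_dev *hdev, void *data, int err)
{
	struct mgmt_pending_cmd *cmd = data;
	/* NULL test first: with an empty queue pending_find() is NULL as well, so
	 * "cmd != pending_find()" on its own would let a NULL cmd reach cmd->sk. */
	if (!cmd || cmd != pending_find(MGMT_OP_SET_CONNECTABLE, hdev))
		return -1;
	if (err) {
		hdev->status_replies++;       /* mgmt_cmd_status(cmd->sk, cmd->index, ...) */
		mgmt_pending_remove(hdev, cmd);
		return 1;
	}
	hdev->settings_replies++;             /* send_settings_rsp() + new_settings() */
	mgmt_pending_remove(hdev, cmd);
	return 0;
}

int main(void)
{
	struct hci_dev hdev = { 0 };
	struct mgmt_pending_cmd live = { MGMT_OP_SET_CONNECTABLE, 0, 42 };
	hdev.pending = &live;
	int a = set_connectable_complete(&hdev, NULL, 0);   /* -1: NULL cmd is rejected */
	int b = set_connectable_complete(&hdev, &live, 0);  /*  0: live cmd, reply sent */
	int c = set_connectable_complete(&hdev, &live, 0);  /* -1: same pointer, now stale */
	printf("%d %d %d\n", a, b, c);
	return 0;
}
```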

Subject: Re: [bug report] Bluetooth: Fix not checking MGMT cmd pending queue
From: Marcel Holtmann @ 2022-03-07 16:56 UTC (permalink / raw)
To: Dan Carpenter; +Cc: Brian Gix, linux-bluetooth
Hi Brian,
> The patch 275f3f648702: "Bluetooth: Fix not checking MGMT cmd pending
> queue" from Mar 1, 2022, leads to the following Smatch static checker
> warning:
>
> net/bluetooth/mgmt.c:1587 mgmt_set_connectable_complete()
> warn: variable dereferenced before check 'cmd' (see line 1579)
>
> net/bluetooth/mgmt.c
>     1564 static void mgmt_set_connectable_complete(struct hci_dev *hdev, void *data,
>     1565                                           int err)
>     1566 {
>     1567         struct mgmt_pending_cmd *cmd = data;
>     1568
>     1569         bt_dev_dbg(hdev, "err %d", err);
>     1570
>     1571         /* Make sure cmd still outstanding. */
>     1572         if (cmd != pending_find(MGMT_OP_SET_CONNECTABLE, hdev))
>     1573                 return;
>     1574
>     1575         hci_dev_lock(hdev);
>     1576
>     1577         if (err) {
>     1578                 u8 mgmt_err = mgmt_status(err);
>     1579                 mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
>                                          ^^^^^^^
>
>     1580                 goto done;
>     1581         }
>     1582
>     1583         send_settings_rsp(cmd->sk, MGMT_OP_SET_CONNECTABLE, hdev);
>     1584         new_settings(hdev, cmd->sk);
>                                     ^^^^^^^
> Dereferences.
>
>     1585
>     1586 done:
> --> 1587         if (cmd)
>                      ^^^
> The patch adds a new NULL check but the pointer has already been
> dereferenced.
>
>     1588                 mgmt_pending_remove(cmd);
>     1589
>     1590         hci_dev_unlock(hdev);
>     1591 }
are you sending a fix for this?
Regards
Marcel