* [PATCH] Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm regression
@ 2022-08-01 22:04 Luiz Augusto von Dentz
From: Luiz Augusto von Dentz @ 2022-08-01 22:04 UTC (permalink / raw)
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
The patch d0be8347c623: "Bluetooth: L2CAP: Fix use-after-free caused
by l2cap_chan_put" from Jul 21, 2022, leads to the following Smatch
static checker warning:
net/bluetooth/l2cap_core.c:1977 l2cap_global_chan_by_psm()
error: we previously assumed 'c' could be null (see line 1996)
Fixes: d0be8347c623: "Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put"
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
net/bluetooth/l2cap_core.c | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 77c0aac14539..cbe0cae73434 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -1970,11 +1970,11 @@ static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
bdaddr_t *dst,
u8 link_type)
{
- struct l2cap_chan *c, *c1 = NULL;
+ struct l2cap_chan *c, *tmp, *c1 = NULL;
read_lock(&chan_list_lock);
- list_for_each_entry(c, &chan_list, global_l) {
+ list_for_each_entry_safe(c, tmp, &chan_list, global_l) {
if (state && c->state != state)
continue;
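Review bot: the move to list_for_each_entry_safe() here is not protecting against removal during iteration (the body never unlinks anything, and the whole walk runs under read_lock(&chan_list_lock)); it only exists so that the loop's next-pointer step survives `c` being overwritten with NULL by l2cap_chan_hold_unless_zero() in the second hunk. Either add a one-line comment saying so, or better, keep the plain list_for_each_entry() and stop assigning the hold result back into `c` (`if (!l2cap_chan_hold_unless_zero(c)) continue;`), which makes `tmp` unnecessary and keeps the Smatch warning from the commit message away without changing the iterator.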
@@ -1993,11 +1993,10 @@ static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
dst_match = !bacmp(&c->dst, dst);
if (src_match && dst_match) {
c = l2cap_chan_hold_unless_zero(c);
- if (!c)
- continue;
-
- read_unlock(&chan_list_lock);
- return c;
+ if (c) {
+ read_unlock(&chan_list_lock);
+ return c;
+ }
}
/* Closest match */
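Review bot: when l2cap_chan_hold_unless_zero() returns NULL, `c` is now NULL and, with the early `continue` removed, control falls through to the `/* Closest match */` code right after this hunk, which goes on using `c` for the channel just examined; that is the bacmp(&c->src, ...) path the kernel test robot flags further down the thread as "'memcmp' specified bound 6 exceeds source size 0", i.e. the patch replaces a static-checker complaint with a real NULL dereference. Suggest keeping the `continue` and testing the return value without clobbering the iterator, e.g. `if (!l2cap_chan_hold_unless_zero(c)) continue;` followed by the existing read_unlock()/`return c;`.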
--
2.37.1
* [PATCH] Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm regression
@ 2022-08-01 21:06 Luiz Augusto von Dentz
From: Luiz Augusto von Dentz @ 2022-08-01 21:06 UTC (permalink / raw)
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
The patch d0be8347c623: "Bluetooth: L2CAP: Fix use-after-free caused
by l2cap_chan_put" from Jul 21, 2022, leads to the following Smatch
static checker warning:
net/bluetooth/l2cap_core.c:1977 l2cap_global_chan_by_psm()
error: we previously assumed 'c' could be null (see line 1996)
Fixes: d0be8347c623: "Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put"
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
net/bluetooth/l2cap_core.c | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 52668662ae8d..f18d0c72713f 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -1969,11 +1969,11 @@ static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
bdaddr_t *dst,
u8 link_type)
{
- struct l2cap_chan *c, *c1 = NULL;
+ struct l2cap_chan *c, *tmp, *c1 = NULL;
read_lock(&chan_list_lock);
- list_for_each_entry(c, &chan_list, global_l) {
+ list_for_each_entry_safe(c, tmp, &chan_list, global_l) {
if (state && c->state != state)
continue;
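Review bot: same point as on the later resend of this patch: list_for_each_entry_safe() is only needed here because `c` gets set to NULL in the next hunk, not because anything is removed from chan_list under the read lock; a short comment explaining that, or avoiding the reassignment of `c` altogether so the plain iterator can stay, would make the intent clear to the next reader.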
@@ -1992,11 +1992,10 @@ static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
dst_match = !bacmp(&c->dst, dst);
if (src_match && dst_match) {
c = l2cap_chan_hold_unless_zero(c);
- if (!c)
- continue;
-
- read_unlock(&chan_list_lock);
- return c;
+ if (c) {
+ read_unlock(&chan_list_lock);
+ return c;
+ }
}
/* Closest match */
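Review bot: dropping the `continue` means a failed l2cap_chan_hold_unless_zero() leaves `c` NULL and falls through into the `/* Closest match */` handling below, which still dereferences `c`; the kernel test robot's reply to this posting shows exactly that (bacmp inlined at l2cap_core.c:2003 with -Wstringop-overread reporting a source size of 0). Keep the `continue` on failure and check the hold result in a separate expression (`if (!l2cap_chan_hold_unless_zero(c)) continue;`) so `c` is never NULL past this point.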
--
2.37.1
* Re: [PATCH] Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm regression
@ 2022-08-01 22:21 ` kernel test robot
From: kernel test robot @ 2022-08-01 22:21 UTC (permalink / raw)
To: Luiz Augusto von Dentz, linux-bluetooth; +Cc: kbuild-all
Hi Luiz,
I love your patch! Perhaps something to improve:
[auto build test WARNING on bluetooth-next/master]
[also build test WARNING on bluetooth/master linus/master v5.19 next-20220728]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting a patch, we suggest using '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Luiz-Augusto-von-Dentz/Bluetooth-L2CAP-Fix-l2cap_global_chan_by_psm-regression/20220802-050647
base: https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git master
config: parisc-randconfig-r024-20220801 (https://download.01.org/0day-ci/archive/20220802/202208020648.fs6gb987-lkp@intel.com/config)
compiler: hppa-linux-gcc (GCC) 12.1.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/intel-lab-lkp/linux/commit/075988314335917c0e43d00f6a3a8ef68963b3de
git remote add linux-review https://github.com/intel-lab-lkp/linux
git fetch --no-tags linux-review Luiz-Augusto-von-Dentz/Bluetooth-L2CAP-Fix-l2cap_global_chan_by_psm-regression/20220802-050647
git checkout 075988314335917c0e43d00f6a3a8ef68963b3de
# save the config file
mkdir build_dir && cp config build_dir/.config
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=parisc SHELL=/bin/bash net/bluetooth/
If you fix the issue, kindly add the following tag where applicable
Reported-by: kernel test robot <lkp@intel.com>
All warnings (new ones prefixed by >>):
In file included from net/bluetooth/l2cap_core.c:37:
In function 'bacmp',
inlined from 'l2cap_global_chan_by_psm' at net/bluetooth/l2cap_core.c:2003:15:
>> include/net/bluetooth/bluetooth.h:347:16: warning: 'memcmp' specified bound 6 exceeds source size 0 [-Wstringop-overread]
347 | return memcmp(ba1, ba2, sizeof(bdaddr_t));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
vim +/memcmp +347 include/net/bluetooth/bluetooth.h
^1da177e4c3f41 Linus Torvalds 2005-04-16 343
^1da177e4c3f41 Linus Torvalds 2005-04-16 344 /* Copy, swap, convert BD Address */
f53c20e93612f7 David Herrmann 2013-04-06 345 static inline int bacmp(const bdaddr_t *ba1, const bdaddr_t *ba2)
^1da177e4c3f41 Linus Torvalds 2005-04-16 346 {
^1da177e4c3f41 Linus Torvalds 2005-04-16 @347 return memcmp(ba1, ba2, sizeof(bdaddr_t));
^1da177e4c3f41 Linus Torvalds 2005-04-16 348 }
f53c20e93612f7 David Herrmann 2013-04-06 349 static inline void bacpy(bdaddr_t *dst, const bdaddr_t *src)
^1da177e4c3f41 Linus Torvalds 2005-04-16 350 {
^1da177e4c3f41 Linus Torvalds 2005-04-16 351 memcpy(dst, src, sizeof(bdaddr_t));
^1da177e4c3f41 Linus Torvalds 2005-04-16 352 }
^1da177e4c3f41 Linus Torvalds 2005-04-16 353
--
0-DAY CI Kernel Test Service
https://01.org/lkp