* [PATCH] Bluetooth: l2cap: Fix double free of 'skb'
@ 2025-04-16 12:23 Frédéric Danis
2025-04-16 12:48 ` bluez.test.bot
2025-04-16 14:44 ` [PATCH] " Luiz Augusto von Dentz
0 siblings, 2 replies; 3+ messages in thread
From: Frédéric Danis @ 2025-04-16 12:23 UTC (permalink / raw)
To: linux-bluetooth
Commit ad5747d4eed1 ("Bluetooth: l2cap: Process valid commands in too
long frame") from Apr 14, 2025 (linux-next), leads to the following
Smatch static checker warning:
net/bluetooth/l2cap_core.c:7613 l2cap_recv_acldata()
error: double free of 'skb' (line 7557)
l2cap_recv_frame() consumes the skb.
Fixes: ad5747d4eed1 ("Bluetooth: l2cap: Process valid commands in too long frame")
Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
---
net/bluetooth/l2cap_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 1bba7152fd70..5ca7ac43c58d 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -7556,7 +7556,7 @@ void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
skb->len = len;
l2cap_recv_frame(conn, skb);
l2cap_conn_unreliable(conn, ECOMM);
- goto drop;
+ goto unlock;
}
/* Append fragment into frame (with header) */
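Review bot: nothing at the call site records that l2cap_recv_frame(conn, skb) takes ownership of skb, so the only thing keeping this branch from freeing it again is the label chosen on the `goto unlock` line. Consider a short comment above the goto (for example "skb was consumed by l2cap_recv_frame()") or setting skb = NULL right after the call, so that a later edit routing this branch back to `drop` cannot bring back the double free Smatch reported.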
--
2.43.0
* RE: Bluetooth: l2cap: Fix double free of 'skb'
From: bluez.test.bot @ 2025-04-16 12:48 UTC (permalink / raw)
To: linux-bluetooth, frederic.danis
This is an automated email. Please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=953999
---Test result---
Test Summary:
CheckPatch PENDING 0.39 seconds
GitLint PENDING 0.28 seconds
SubjectPrefix PASS 0.06 seconds
BuildKernel PASS 24.36 seconds
CheckAllWarning PASS 31.05 seconds
CheckSparse PASS 29.79 seconds
BuildKernel32 PASS 23.80 seconds
TestRunnerSetup PASS 459.58 seconds
TestRunner_l2cap-tester PASS 20.95 seconds
TestRunner_iso-tester PASS 28.46 seconds
TestRunner_bnep-tester PASS 4.73 seconds
TestRunner_mgmt-tester FAIL 120.31 seconds
TestRunner_rfcomm-tester PASS 19.23 seconds
TestRunner_sco-tester PASS 33.25 seconds
TestRunner_ioctl-tester PASS 9.35 seconds
TestRunner_mesh-tester PASS 35.06 seconds
TestRunner_smp-tester PASS 12.09 seconds
TestRunner_userchan-tester PASS 4.94 seconds
IncrementalBuild PENDING 0.78 seconds
Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:
##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 490, Passed: 485 (99.0%), Failed: 1, Not Run: 4
Failed Test Cases
LL Privacy - Set Device Flag 1 (Device Privacy) Failed 0.155 seconds
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:
---
Regards,
Linux Bluetooth
* Re: [PATCH] Bluetooth: l2cap: Fix double free of 'skb'
From: Luiz Augusto von Dentz @ 2025-04-16 14:44 UTC (permalink / raw)
To: Frédéric Danis; +Cc: linux-bluetooth
Hi Frédéric,
On Wed, Apr 16, 2025 at 8:24 AM Frédéric Danis
<frederic.danis@collabora.com> wrote:
>
> Commit ad5747d4eed1 ("Bluetooth: l2cap: Process valid commands in too
> long frame") from Apr 14, 2025 (linux-next), leads to the following
> Smatch static checker warning:
>
> net/bluetooth/l2cap_core.c:7613 l2cap_recv_acldata()
> error: double free of 'skb' (line 7557)
>
> l2cap_recv_frame() consumes the skb.
>
> Fixes: ad5747d4eed1 ("Bluetooth: l2cap: Process valid commands in too long frame")
> Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
> ---
> net/bluetooth/l2cap_core.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
> index 1bba7152fd70..5ca7ac43c58d 100644
> --- a/net/bluetooth/l2cap_core.c
> +++ b/net/bluetooth/l2cap_core.c
> @@ -7556,7 +7556,7 @@ void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
> skb->len = len;
> l2cap_recv_frame(conn, skb);
> l2cap_conn_unreliable(conn, ECOMM);
> - goto drop;
> + goto unlock;
I went ahead and fixed it up in place since I'm planning to send this
to net this week.
> }
>
> /* Append fragment into frame (with header) */
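Review bot: the `unlock` label that the changed goto now targets lies outside the three lines of context on either side, so the diff by itself does not show what this path still runs or skips after l2cap_conn_unreliable(conn, ECOMM). The commit message says only that l2cap_recv_frame() consumes the skb; one more sentence stating how `unlock` differs from `drop` with respect to the skb would let the reasoning be checked without opening l2cap_core.c.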
> --
> 2.43.0
>
>
--
Luiz Augusto von Dentz