public inbox for linux-bluetooth@vger.kernel.org
From: Marcel Holtmann <marcel@holtmann.org>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Brian Gix <brian.gix@intel.com>, linux-bluetooth@vger.kernel.org
Subject: Re: [bug report] Bluetooth: Fix not checking MGMT cmd pending queue
Date: Mon, 7 Mar 2022 17:56:08 +0100
Message-ID: <84692034-BEBC-46DF-9015-0DD85A59F876@holtmann.org>
In-Reply-To: <20220304131641.GE28739@kili>

Hi Brian,

> The patch 275f3f648702: "Bluetooth: Fix not checking MGMT cmd pending
> queue" from Mar 1, 2022, leads to the following Smatch static checker
> warning:
> 
> 	net/bluetooth/mgmt.c:1587 mgmt_set_connectable_complete()
> 	warn: variable dereferenced before check 'cmd' (see line 1579)
> 
> net/bluetooth/mgmt.c
>    1564 static void mgmt_set_connectable_complete(struct hci_dev *hdev, void *data,
>    1565                                           int err)
>    1566 {
>    1567         struct mgmt_pending_cmd *cmd = data;
>    1568 
>    1569         bt_dev_dbg(hdev, "err %d", err);
>    1570 
>    1571         /* Make sure cmd still outstanding. */
>    1572         if (cmd != pending_find(MGMT_OP_SET_CONNECTABLE, hdev))
>    1573                 return;
>    1574 
>    1575         hci_dev_lock(hdev);
>    1576 
>    1577         if (err) {
>    1578                 u8 mgmt_err = mgmt_status(err);
>    1579                 mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
>                                         ^^^^^^^
> 
>    1580                 goto done;
>    1581         }
>    1582 
>    1583         send_settings_rsp(cmd->sk, MGMT_OP_SET_CONNECTABLE, hdev);
>    1584         new_settings(hdev, cmd->sk);
>                                    ^^^^^^^
> Dereferences.
> 
>    1585 
>    1586 done:
> --> 1587         if (cmd)
>                     ^^^
> The patch adds a new NULL check but the pointer has already been
> dereferenced.
> 
>    1588                 mgmt_pending_remove(cmd);
>    1589 
>    1590         hci_dev_unlock(hdev);
>    1591 }

are you sending a fix for this?

Regards

Marcel
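The ordering Smatch flags above, reduced to a self-contained C model as an added example (this is not the kernel's code): constructed stand-ins for `pending_find()` and `mgmt_pending_remove()`, a handler with the same check-after-dereference shape as the reported one, and a variant that rejects a NULL `cmd` before touching it. The struct layout, the opcode value and the `demo_cmd` sample are assumptions of the model.

```c
#include <stddef.h>

/* Constructed model of the kernel's pending-command bookkeeping, not the
 * kernel's own code: one queued command, shaped like pending_find() and
 * mgmt_pending_remove() in the report. */
struct pending_cmd { unsigned opcode; int sk; };

#define OP_SET_CONNECTABLE 7u            /* constructed opcode for the model */
static struct pending_cmd *pending_slot; /* NULL when nothing is queued */
static struct pending_cmd demo_cmd = { OP_SET_CONNECTABLE, 42 }; /* sample */
static void queue_demo(void) { pending_slot = &demo_cmd; }

static struct pending_cmd *pending_find(unsigned opcode)
{
	return (pending_slot && pending_slot->opcode == opcode) ? pending_slot : NULL;
}

static void pending_remove(struct pending_cmd *cmd)
{
	if (cmd == pending_slot)
		pending_slot = NULL;
}

/* Same ordering as the reported handler: cmd->sk is read before the "if (cmd)"
 * guard, so the guard protects nothing.  With nothing queued, pending_find()
 * returns NULL, a NULL cmd passes the equality test, and the read faults. */
static int complete_as_reported(void *data)
{
	struct pending_cmd *cmd = data;
	int sk;
	if (cmd != pending_find(OP_SET_CONNECTABLE))
		return -1;
	sk = cmd->sk;          /* dereference happens here */
	if (cmd)               /* too late to help */
		pending_remove(cmd);
	return sk;
}

/* Hardened ordering: reject NULL before any use, which also makes the
 * trailing guard redundant.  Returns -1 when there is nothing to complete. */
static int complete_checked(void *data)
{
	struct pending_cmd *cmd = data;
	int sk;
	if (!cmd || cmd != pending_find(OP_SET_CONNECTABLE))
		return -1;
	sk = cmd->sk;
	pending_remove(cmd);
	return sk;
}
```

The checked variant returns -1 for a NULL completion and for a command that is no longer the pending one, the two cases where the reported ordering either faults or cannot be helped by its late guard.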


Thread overview: 2+ messages
2022-03-04 13:16 [bug report] Bluetooth: Fix not checking MGMT cmd pending queue Dan Carpenter
2022-03-07 16:56 ` Marcel Holtmann [this message]