From: Dan Carpenter <dan.carpenter@oracle.com>
To: luiz.von.dentz@intel.com
Cc: linux-bluetooth@vger.kernel.org
Subject: [bug report] Bluetooth: hci_sync: Rework hci_suspend_notifier
Date: Wed, 27 Jul 2022 14:58:42 +0300	[thread overview]
Message-ID: <YuEocqGzotojM7vg@kili> (raw)

Hello Luiz Augusto von Dentz,

The patch 182ee45da083: "Bluetooth: hci_sync: Rework
hci_suspend_notifier" from Oct 27, 2021, leads to the following
Smatch static checker warning:

	net/bluetooth/hci_core.c:1944 hci_add_adv_monitor()
	error: dereferencing freed memory 'monitor'

net/bluetooth/hci_core.c
    1942         case HCI_ADV_MONITOR_EXT_MSFT:
    1943                 status = msft_add_monitor_pattern(hdev, monitor);
--> 1944                 bt_dev_dbg(hdev, "%s add monitor %d msft status %d", hdev->name,
    1945                            monitor->handle, status);
    1946                 break;
    1947         }

The problem is that msft_le_monitor_advertisement_cb() will free
monitor on error.

net/bluetooth/msft.c
   243          monitor->state = ADV_MONITOR_STATE_OFFLOADED;
   244  
   245  unlock:
   246          if (status)
   247                  hci_free_adv_monitor(hdev, monitor);
                            ^^^^                   ^^^^^^^

   248  
   249          hci_dev_unlock(hdev);
   250  
   251          return status;
   252  }

I really think freeing monitor is the wrong thing.  It's a layering
violation.  Other error paths in the callers do not free monitor.  It
leads to other use after frees besides this one that the static checker
found.  For example, it leads to a double free in
__add_adv_patterns_monitor().

regards,
dan carpenter

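The ownership problem described in the report, as an added illustration that is not part of the message or of the kernel source. Every struct and function below (adv_monitor, monitor_free, cb_frees_on_error, add_monitor, run_scenario) is a hypothetical stand-in for the kernel objects named above, and freeing and dereferencing are instrumented with a flag and counters rather than real memory operations, so the faulty pattern can be observed without ever touching freed memory. The first callback copies the reported shape (callee frees on error); the second keeps the layering the report asks for (callee only reports status, the allocating caller frees once).

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for struct adv_monitor; not kernel code. */
struct adv_monitor {
	int handle;
	bool freed;        /* instrumentation: set instead of really freeing */
};

/* Counters returned by run_scenario() so each outcome can be checked. */
struct outcome {
	int free_calls;    /* how many times a free was requested            */
	int double_frees;  /* frees of an object that was already freed      */
	int uaf_reads;     /* reads of an object after it was freed          */
};

static struct outcome stats;

/* Instrumented free: records a double free instead of corrupting the heap. */
static void monitor_free(struct adv_monitor *m)
{
	stats.free_calls++;
	if (m->freed)
		stats.double_frees++;
	m->freed = true;
}

/* Instrumented read: records a use-after-free instead of performing it. */
static int monitor_handle(const struct adv_monitor *m)
{
	if (m->freed) {
		stats.uaf_reads++;
		return -1;
	}
	return m->handle;
}

/* Shape of the reported callback: frees an object it does not own on error. */
static int cb_frees_on_error(struct adv_monitor *m, int status)
{
	if (status)
		monitor_free(m);
	return status;
}

/* Layered alternative: the callee only reports; the owning caller frees. */
static int cb_reports_only(struct adv_monitor *m, int status)
{
	(void)m;
	return status;
}

/* Caller in the style of the quoted hci_add_adv_monitor() case: log after
 * the call, then free on the caller's own error path. */
static int add_monitor(struct adv_monitor *m,
		       int (*cb)(struct adv_monitor *, int), int status)
{
	int rc = cb(m, status);

	/* the debug print in the report reads monitor->handle at this point */
	printf("add monitor %d status %d\n", monitor_handle(m), rc);

	if (rc)
		monitor_free(m);   /* caller's error path, like the other callers */
	return rc;
}

/* Run one add with either callback and report what the instrumentation saw. */
struct outcome run_scenario(bool callee_frees_on_error, int status)
{
	struct adv_monitor m = { .handle = 7, .freed = false };  /* constructed */

	stats = (struct outcome){ 0, 0, 0 };
	add_monitor(&m, callee_frees_on_error ? cb_frees_on_error : cb_reports_only,
		    status);
	return stats;
}

int main(void)
{
	struct outcome bad = run_scenario(true, -1);
	struct outcome good = run_scenario(false, -1);

	printf("callee frees on error: uaf=%d double_free=%d frees=%d\n",
	       bad.uaf_reads, bad.double_frees, bad.free_calls);
	printf("caller owns the free:  uaf=%d double_free=%d frees=%d\n",
	       good.uaf_reads, good.double_frees, good.free_calls);
	return 0;
}
```

With the callee freeing on error, a single failed add produces one read after free (the debug print) and one double free (the caller's error path), which is exactly the pair of symptoms the report lists; with the callee only reporting status, the same failure yields one free and no stale access. A real fix would also need the success path to hand the object to whatever structure keeps it alive, which this stand-in does not model.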