Thank you for your suggestion. This bug may not cause serious security problem. Function 'bt_sock_unregister' takes its parameter as an index and nulls the corresponding element of 'bt_proto' which is an array of pointers. When 'bt_proto' dereferences each element, it would check whether the element is empty or not. Therefore, the problem of null pointer deference does not occur. This bug is observed by manually code review. ---------- On Fri, Mar 31, 2023 at 02:45:20PM +0800, Chenyuan Mi wrote: > Fix this issue by using BTPROTO_CMTP as argument instead of BTPROTO_HIDP. Thanks for your patch. Some things you may want to consider: * I think it would be good to describe what the effect of this problem is, if it can be observed. And if not, say so. I think it would also be useful to state how the problem was found. F.e. using a tool, or by inspection. * As this is described as a fix, it should probably have a fixes tag. I think it would be: Fixes: 8c8de589cedd ("Bluetooth: Added /proc/net/cmtp via bt_procfs_init()") > Signed-off-by: Chenyuan Mi <michenyuan@xxxxxxxxxx> > --- > net/bluetooth/cmtp/sock.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) Code change looks good. > diff --git a/net/bluetooth/cmtp/sock.c b/net/bluetooth/cmtp/sock.c > index 96d49d9fae96..cf4370055ce2 100644 > --- a/net/bluetooth/cmtp/sock.c > +++ b/net/bluetooth/cmtp/sock.c > @@ -250,7 +250,7 @@ int cmtp_init_sockets(void) > err = bt_procfs_init(&init_net, "cmtp", &cmtp_sk_list, NULL); > if (err < 0) { > BT_ERR("Failed to create CMTP proc file"); > - bt_sock_unregister(BTPROTO_HIDP); > + bt_sock_unregister(BTPROTO_CMTP); > goto error; > } > > -- > 2.25.1