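/*
 * Hi Manish,
 *
 * url:      https://github.com/0day-ci/linux/commits/Manish-Mandlik/bluetooth-Handle-MSFT-Monitor-Device-Event/20211203-151659
 * base:     https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git master
 * config:   x86_64-randconfig-m001-20211203 (https://download.01.org/0day-ci/archive/20211205/202112050416.RYsEcWkk-lkp@xxxxxxxxx/config)
 * compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
 *
 * If you fix the issue, kindly add the following tag as appropriate
 * Reported-by: kernel test robot <lkp@xxxxxxxxx>
 * Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
 *
 * smatch warnings:
 * net/bluetooth/msft.c:312 msft_le_cancel_monitor_advertisement_cb() error: dereferencing freed memory 'handle_data'
 *
 * vim +/handle_data +312 net/bluetooth/msft.c
 */

/*
 * Completion callback for the MSFT "LE Cancel Monitor Advertisement" vendor
 * command.
 *
 * On a successful, well-formed response the handle_data entry matching the
 * cancelled handle (taken from the command that was sent) is looked up. Its
 * adv_monitor is moved back from OFFLOADED to REGISTERED and freed unless
 * the removal is part of a suspend (it is re-monitored on resume), and every
 * monitored_device recorded under this monitor's mgmt_handle is dropped.
 * Only then is handle_data itself unlinked and freed: it must stay alive
 * while monitored_devices is walked, because the comparison key
 * (handle_data->mgmt_handle) is read from it on every iteration. Reading it
 * after kfree() was the use-after-free smatch reported at the old line 312.
 *
 * If a "remove all monitors" operation was paused waiting for this response
 * (pending_remove_handle == 0) it is resumed; when that issues another
 * command the function returns early without reporting completion.
 *
 * hdev->msft_data is dereferenced on every path, including the early
 * status-error path, so the caller must guarantee it is non-NULL.
 */
static void msft_le_cancel_monitor_advertisement_cb(struct hci_dev *hdev,
						    u8 status, u16 opcode,
						    struct sk_buff *skb)
{
	struct msft_cp_le_cancel_monitor_advertisement *cp;
	struct msft_rp_le_cancel_monitor_advertisement *rp;
	struct adv_monitor *monitor;
	struct msft_monitor_advertisement_handle_data *handle_data;
	struct msft_data *msft = hdev->msft_data;
	int err;
	bool pending;
	struct monitored_device *dev, *tmp;

	if (status)
		goto done;

	/* Reject a short response before any of its fields are trusted. */
	rp = (struct msft_rp_le_cancel_monitor_advertisement *)skb->data;
	if (skb->len < sizeof(*rp)) {
		status = HCI_ERROR_UNSPECIFIED;
		goto done;
	}

	hci_dev_lock(hdev);

	/* NOTE(review): cp is dereferenced without a NULL check;
	 * hci_sent_cmd_data() returns NULL when the last sent command does
	 * not match the opcode. Confirm the request machinery guarantees a
	 * match by the time this callback runs.
	 */
	cp = hci_sent_cmd_data(hdev, hdev->msft_opcode);
	handle_data = msft_find_handle_data(hdev, cp->handle, false);

	if (handle_data) {
		monitor = idr_find(&hdev->adv_monitors_idr,
				   handle_data->mgmt_handle);

		if (monitor && monitor->state == ADV_MONITOR_STATE_OFFLOADED)
			monitor->state = ADV_MONITOR_STATE_REGISTERED;

		/* Do not free the monitor if it is being removed due to
		 * suspend. It will be re-monitored on resume.
		 */
		if (monitor && !msft->suspending)
			hci_free_adv_monitor(hdev, monitor);

		/* Clear any monitored devices by this Adv Monitor. This must
		 * run while handle_data is still valid: the match key is read
		 * from it on every iteration, so the walk has to precede the
		 * kfree() below (previously it followed it).
		 */
		list_for_each_entry_safe(dev, tmp, &hdev->monitored_devices,
					 list) {
			if (dev->handle == handle_data->mgmt_handle) {
				list_del(&dev->list);
				kfree(dev);
			}
		}

		list_del(&handle_data->list);
		kfree(handle_data);
	}

	/* If remove all monitors is required, we need to continue the process
	 * here because it was paused earlier while waiting for the response
	 * from the controller.
	 */
	if (msft->pending_remove_handle == 0) {
		pending = hci_remove_all_adv_monitor(hdev, &err);
		if (pending) {
			/* Another command is in flight; its callback will
			 * report completion instead of this one.
			 */
			hci_dev_unlock(hdev);
			return;
		}

		if (err)
			status = HCI_ERROR_UNSPECIFIED;
	}

	hci_dev_unlock(hdev);

done:
	if (!msft->suspending)
		hci_remove_adv_monitor_complete(hdev, status);
}

/*
 * ---
 * 0-DAY CI Kernel Test Service, Intel Corporation
 * https://lists.01.org/hyperkitty/list/kbuild-all@xxxxxxxxxxxx
 */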