Hi Brian,

> The patch 275f3f648702: "Bluetooth: Fix not checking MGMT cmd pending
> queue" from Mar 1, 2022, leads to the following Smatch static checker
> warning:
>
>     net/bluetooth/mgmt.c:1587 mgmt_set_connectable_complete()
>     warn: variable dereferenced before check 'cmd' (see line 1579)
>
> net/bluetooth/mgmt.c
>     1564 static void mgmt_set_connectable_complete(struct hci_dev *hdev, void *data,
>     1565                                           int err)
>     1566 {
>     1567         struct mgmt_pending_cmd *cmd = data;
>     1568
>     1569         bt_dev_dbg(hdev, "err %d", err);
>     1570
>     1571         /* Make sure cmd still outstanding. */
>     1572         if (cmd != pending_find(MGMT_OP_SET_CONNECTABLE, hdev))
>     1573                 return;
>     1574
>     1575         hci_dev_lock(hdev);
>     1576
>     1577         if (err) {
>     1578                 u8 mgmt_err = mgmt_status(err);
>     1579                 mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
>                                          ^^^^^^^
>
>     1580                 goto done;
>     1581         }
>     1582
>     1583         send_settings_rsp(cmd->sk, MGMT_OP_SET_CONNECTABLE, hdev);
>     1584         new_settings(hdev, cmd->sk);
>                                     ^^^^^^^
>                                     Dereferences.
>
>     1585
>     1586 done:
> --> 1587         if (cmd)
>                      ^^^
> The patch adds a new NULL check but the pointer has already been
> dereferenced.
>
>     1588                 mgmt_pending_remove(cmd);
>     1589
>     1590         hci_dev_unlock(hdev);
>     1591 }

are you sending a fix for this?

Regards

Marcel