Hello Luiz Augusto von Dentz,

The patch d0be8347c623: "Bluetooth: L2CAP: Fix use-after-free caused by
l2cap_chan_put" from Jul 21, 2022, leads to the following Smatch
static checker warning:

    net/bluetooth/l2cap_core.c:1977 l2cap_global_chan_by_psm()
    error: we previously assumed 'c' could be null (see line 1996)

net/bluetooth/l2cap_core.c
    1968 static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
    1969                                                    bdaddr_t *src,
    1970                                                    bdaddr_t *dst,
    1971                                                    u8 link_type)
    1972 {
    1973         struct l2cap_chan *c, *c1 = NULL;
    1974
    1975         read_lock(&chan_list_lock);
    1976
--> 1977         list_for_each_entry(c, &chan_list, global_l) {
    1978                 if (state && c->state != state)
    1979                         continue;
    1980
    1981                 if (link_type == ACL_LINK && c->src_type != BDADDR_BREDR)
    1982                         continue;
    1983
    1984                 if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
    1985                         continue;
    1986
    1987                 if (c->psm == psm) {
    1988                         int src_match, dst_match;
    1989                         int src_any, dst_any;
    1990
    1991                         /* Exact match. */
    1992                         src_match = !bacmp(&c->src, src);
    1993                         dst_match = !bacmp(&c->dst, dst);
    1994                         if (src_match && dst_match) {
    1995                                 c = l2cap_chan_hold_unless_zero(c);
    1996                                 if (!c)
    1997                                         continue;

If "c" is NULL then this will crash on the continue statement, because
list_for_each_entry() advances to the next entry by reading
c->global_l.next. Should it be list_for_each_entry_safe()?

    1998
    1999                                 read_unlock(&chan_list_lock);
    2000                                 return c;
    2001                         }
    2002
    2003                         /* Closest match */
    2004                         src_any = !bacmp(&c->src, BDADDR_ANY);
    2005                         dst_any = !bacmp(&c->dst, BDADDR_ANY);
    2006                         if ((src_match && dst_any) || (src_any && dst_match) ||
    2007                             (src_any && dst_any))
    2008                                 c1 = c;
    2009                 }
    2010         }
    2011
    2012         if (c1)
    2013                 c1 = l2cap_chan_hold_unless_zero(c1);
    2014
    2015         read_unlock(&chan_list_lock);
    2016
    2017         return c1;
    2018 }

regards,
dan carpenter