On Wed, 18. Dec 00:19, Fedor Pchelkin wrote: > A NULL sock pointer is passed into l2cap_sock_alloc() when it is called > from l2cap_sock_new_connection_cb() and the error handling paths should > also be aware of it. > > Seemingly a more elegant solution would be to swap bt_sock_alloc() and > l2cap_chan_create() calls since they are not interdependent to that moment > but then l2cap_chan_create() adds the soon to be deallocated and still > dummy-initialized channel to the global list accessible by many L2CAP > paths. The channel would be removed from the list in short period of time > but be a bit more straight-forward here and just check for NULL instead of > changing the order of function calls. > > Found by Linux Verification Center (linuxtesting.org) with SVACE static > analysis tool. > > Fixes: 7c4f78cdb8e7 ("Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create()") > Cc: stable@xxxxxxxxxxxxxxx > Signed-off-by: Fedor Pchelkin <pchelkin@xxxxxxxxx> > --- Urgh.. a bit confused about which tree the patch should go to - net or bluetooth. I've now noticed the Fixes commit went directly via net-next as part of a series (despite "Bluetooth: L2CAP:" patches usually go through bluetooth tree first). So what about this patch? > net/bluetooth/l2cap_sock.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c > index 3d2553dcdb1b..49f97d4138ea 100644 > --- a/net/bluetooth/l2cap_sock.c > +++ b/net/bluetooth/l2cap_sock.c > @@ -1888,7 +1888,8 @@ static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, > chan = l2cap_chan_create(); > if (!chan) { > sk_free(sk); > - sock->sk = NULL; > + if (sock) > + sock->sk = NULL; > return NULL; > } > > -- > 2.39.5 >