Commit 162f43b0 authored by Luiz Augusto von Dentz, committed by Zheng Zengkai

Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm regression

stable inclusion
from stable-v5.10.137
commit c898e917d8bb317addcafa4511bde51af8e3976e
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I60PLB

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=c898e917d8bb317addcafa4511bde51af8e3976e



--------------------------------

commit 332f1795 upstream.

The patch d0be8347: "Bluetooth: L2CAP: Fix use-after-free caused
by l2cap_chan_put" from Jul 21, 2022, leads to the following Smatch
static checker warning:

        net/bluetooth/l2cap_core.c:1977 l2cap_global_chan_by_psm()
        error: we previously assumed 'c' could be null (see line 1996)

Fixes: d0be8347 ("Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
Reviewed-by: Wei Li <liwei391@huawei.com>
parent cbbef496
+6 −7
@@ -1966,11 +1966,11 @@ static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
						   bdaddr_t *dst,
						   u8 link_type)
{
	struct l2cap_chan *c, *c1 = NULL;
	struct l2cap_chan *c, *tmp, *c1 = NULL;

	read_lock(&chan_list_lock);

	list_for_each_entry(c, &chan_list, global_l) {
	list_for_each_entry_safe(c, tmp, &chan_list, global_l) {
		if (state && c->state != state)
			continue;

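Review bot: The switch to list_for_each_entry_safe() at the loop head needs a comment or a different approach, because nothing in the visible loop body removes entries from chan_list while read_lock(&chan_list_lock) is held. The only thing the cached `tmp` guards against here is the body overwriting the cursor with `c = l2cap_chan_hold_unless_zero(c)` further down, which is not what the _safe name tells a reader. Testing the return value without assigning it back to `c` would keep the cursor valid and let the plain list_for_each_entry() stay.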
@@ -1989,12 +1989,11 @@ static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
			dst_match = !bacmp(&c->dst, dst);
			if (src_match && dst_match) {
				c = l2cap_chan_hold_unless_zero(c);
				if (!c)
					continue;

				if (c) {
					read_unlock(&chan_list_lock);
					return c;
				}
			}

			/* Closest match */
			src_any = !bacmp(&c->src, BDADDR_ANY);