* [linux-next:master 3872/6512] net/bluetooth/smp.c:1633 smp_user_confirm_reply() warn: variable dereferenced before check 'conn' (see line 1631)
@ 2021-03-23 9:52 kernel test robot
From: kernel test robot @ 2021-03-23 9:52 UTC (permalink / raw)
To: kbuild
CC: kbuild-all(a)lists.01.org
CC: Linux Memory Management List <linux-mm@kvack.org>
TO: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
CC: Marcel Holtmann <marcel@holtmann.org>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
head: d949689e7383cd5271470f2b99dbe2fd3199bffd
commit: 2e1614f7d61e407f1a8e7935a2903a6fa3cb0b11 [3872/6512] Bluetooth: SMP: Convert BT_ERR/BT_DBG to bt_dev_err/bt_dev_dbg
:::::: branch date: 3 hours ago
:::::: commit date: 8 days ago
config: powerpc-randconfig-m031-20210323 (attached as .config)
compiler: powerpc-linux-gcc (GCC) 9.3.0
If you fix the issue, kindly add the following tags as appropriate:
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
smatch warnings:
net/bluetooth/smp.c:1633 smp_user_confirm_reply() warn: variable dereferenced before check 'conn' (see line 1631)
vim +/conn +1633 net/bluetooth/smp.c
760b018b6cf08e Johan Hedberg 2014-06-06 1622
2b64d153a0cc9d Brian Gix 2011-12-21 1623 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
2b64d153a0cc9d Brian Gix 2011-12-21 1624 {
b10e8017bd9d02 Johan Hedberg 2014-06-27 1625 struct l2cap_conn *conn = hcon->l2cap_data;
5d88cc73dded31 Johan Hedberg 2014-08-08 1626 struct l2cap_chan *chan;
2b64d153a0cc9d Brian Gix 2011-12-21 1627 struct smp_chan *smp;
2b64d153a0cc9d Brian Gix 2011-12-21 1628 u32 value;
fc75cc8684d21d Johan Hedberg 2014-09-05 1629 int err;
2b64d153a0cc9d Brian Gix 2011-12-21 1630
2e1614f7d61e40 Luiz Augusto von Dentz 2021-03-15 @1631 bt_dev_dbg(conn->hcon->hdev, "");
2b64d153a0cc9d Brian Gix 2011-12-21 1632
fc75cc8684d21d Johan Hedberg 2014-09-05 @1633 if (!conn)
2b64d153a0cc9d Brian Gix 2011-12-21 1634 return -ENOTCONN;
2b64d153a0cc9d Brian Gix 2011-12-21 1635
5d88cc73dded31 Johan Hedberg 2014-08-08 1636 chan = conn->smp;
5d88cc73dded31 Johan Hedberg 2014-08-08 1637 if (!chan)
5d88cc73dded31 Johan Hedberg 2014-08-08 1638 return -ENOTCONN;
5d88cc73dded31 Johan Hedberg 2014-08-08 1639
fc75cc8684d21d Johan Hedberg 2014-09-05 1640 l2cap_chan_lock(chan);
fc75cc8684d21d Johan Hedberg 2014-09-05 1641 if (!chan->data) {
fc75cc8684d21d Johan Hedberg 2014-09-05 1642 err = -ENOTCONN;
fc75cc8684d21d Johan Hedberg 2014-09-05 1643 goto unlock;
fc75cc8684d21d Johan Hedberg 2014-09-05 1644 }
fc75cc8684d21d Johan Hedberg 2014-09-05 1645
5d88cc73dded31 Johan Hedberg 2014-08-08 1646 smp = chan->data;
2b64d153a0cc9d Brian Gix 2011-12-21 1647
760b018b6cf08e Johan Hedberg 2014-06-06 1648 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
760b018b6cf08e Johan Hedberg 2014-06-06 1649 err = sc_user_reply(smp, mgmt_op, passkey);
760b018b6cf08e Johan Hedberg 2014-06-06 1650 goto unlock;
760b018b6cf08e Johan Hedberg 2014-06-06 1651 }
760b018b6cf08e Johan Hedberg 2014-06-06 1652
2b64d153a0cc9d Brian Gix 2011-12-21 1653 switch (mgmt_op) {
2b64d153a0cc9d Brian Gix 2011-12-21 1654 case MGMT_OP_USER_PASSKEY_REPLY:
2b64d153a0cc9d Brian Gix 2011-12-21 1655 value = le32_to_cpu(passkey);
943a732ab6440f Johan Hedberg 2014-03-18 1656 memset(smp->tk, 0, sizeof(smp->tk));
2e1614f7d61e40 Luiz Augusto von Dentz 2021-03-15 1657 bt_dev_dbg(conn->hcon->hdev, "PassKey: %d", value);
943a732ab6440f Johan Hedberg 2014-03-18 1658 put_unaligned_le32(value, smp->tk);
19186c7b45c134 Gustavo A. R. Silva 2020-07-08 1659 fallthrough;
2b64d153a0cc9d Brian Gix 2011-12-21 1660 case MGMT_OP_USER_CONFIRM_REPLY:
4a74d65868f10d Johan Hedberg 2014-05-20 1661 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
2b64d153a0cc9d Brian Gix 2011-12-21 1662 break;
2b64d153a0cc9d Brian Gix 2011-12-21 1663 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
2b64d153a0cc9d Brian Gix 2011-12-21 1664 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
84794e119a22f6 Johan Hedberg 2013-11-06 1665 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
fc75cc8684d21d Johan Hedberg 2014-09-05 1666 err = 0;
fc75cc8684d21d Johan Hedberg 2014-09-05 1667 goto unlock;
2b64d153a0cc9d Brian Gix 2011-12-21 1668 default:
84794e119a22f6 Johan Hedberg 2013-11-06 1669 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
fc75cc8684d21d Johan Hedberg 2014-09-05 1670 err = -EOPNOTSUPP;
fc75cc8684d21d Johan Hedberg 2014-09-05 1671 goto unlock;
2b64d153a0cc9d Brian Gix 2011-12-21 1672 }
2b64d153a0cc9d Brian Gix 2011-12-21 1673
fc75cc8684d21d Johan Hedberg 2014-09-05 1674 err = 0;
fc75cc8684d21d Johan Hedberg 2014-09-05 1675
2b64d153a0cc9d Brian Gix 2011-12-21 1676 /* If it is our turn to send Pairing Confirm, do so now */
1cc6114402f864 Johan Hedberg 2014-05-20 1677 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1cc6114402f864 Johan Hedberg 2014-05-20 1678 u8 rsp = smp_confirm(smp);
1cc6114402f864 Johan Hedberg 2014-05-20 1679 if (rsp)
1cc6114402f864 Johan Hedberg 2014-05-20 1680 smp_failure(conn, rsp);
1cc6114402f864 Johan Hedberg 2014-05-20 1681 }
2b64d153a0cc9d Brian Gix 2011-12-21 1682
fc75cc8684d21d Johan Hedberg 2014-09-05 1683 unlock:
fc75cc8684d21d Johan Hedberg 2014-09-05 1684 l2cap_chan_unlock(chan);
fc75cc8684d21d Johan Hedberg 2014-09-05 1685 return err;
2b64d153a0cc9d Brian Gix 2011-12-21 1686 }
2b64d153a0cc9d Brian Gix 2011-12-21 1687
:::::: The code at line 1633 was first introduced by commit
:::::: fc75cc8684d21d3649b28c4c37d4ce3f000759e4 Bluetooth: Fix locking of the SMP context
:::::: TO: Johan Hedberg <johan.hedberg@intel.com>
:::::: CC: Marcel Holtmann <marcel@holtmann.org>
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org
* [linux-next:master 3872/6512] net/bluetooth/smp.c:1633 smp_user_confirm_reply() warn: variable dereferenced before check 'conn' (see line 1631)
@ 2021-03-23 12:43 Dan Carpenter
From: Dan Carpenter @ 2021-03-23 12:43 UTC (permalink / raw)
To: kbuild
tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
head: d949689e7383cd5271470f2b99dbe2fd3199bffd
commit: 2e1614f7d61e407f1a8e7935a2903a6fa3cb0b11 [3872/6512] Bluetooth: SMP: Convert BT_ERR/BT_DBG to bt_dev_err/bt_dev_dbg
config: powerpc-randconfig-m031-20210323 (attached as .config)
compiler: powerpc-linux-gcc (GCC) 9.3.0
If you fix the issue, kindly add the following tags as appropriate:
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
smatch warnings:
net/bluetooth/smp.c:1633 smp_user_confirm_reply() warn: variable dereferenced before check 'conn' (see line 1631)
vim +/conn +1633 net/bluetooth/smp.c
2b64d153a0cc9d Brian Gix 2011-12-21 1623 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
2b64d153a0cc9d Brian Gix 2011-12-21 1624 {
b10e8017bd9d02 Johan Hedberg 2014-06-27 1625 struct l2cap_conn *conn = hcon->l2cap_data;
5d88cc73dded31 Johan Hedberg 2014-08-08 1626 struct l2cap_chan *chan;
2b64d153a0cc9d Brian Gix 2011-12-21 1627 struct smp_chan *smp;
2b64d153a0cc9d Brian Gix 2011-12-21 1628 u32 value;
fc75cc8684d21d Johan Hedberg 2014-09-05 1629 int err;
2b64d153a0cc9d Brian Gix 2011-12-21 1630
2e1614f7d61e40 Luiz Augusto von Dentz 2021-03-15 @1631 bt_dev_dbg(conn->hcon->hdev, "");
^^^^^^^^^^
Unchecked dereference
2b64d153a0cc9d Brian Gix 2011-12-21 1632
fc75cc8684d21d Johan Hedberg 2014-09-05 @1633 if (!conn)
^^^^^
Checked too late
2b64d153a0cc9d Brian Gix 2011-12-21 1634 return -ENOTCONN;
2b64d153a0cc9d Brian Gix 2011-12-21 1635
5d88cc73dded31 Johan Hedberg 2014-08-08 1636 chan = conn->smp;
5d88cc73dded31 Johan Hedberg 2014-08-08 1637 if (!chan)
5d88cc73dded31 Johan Hedberg 2014-08-08 1638 return -ENOTCONN;
5d88cc73dded31 Johan Hedberg 2014-08-08 1639
fc75cc8684d21d Johan Hedberg 2014-09-05 1640 l2cap_chan_lock(chan);
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org