Message ID | 20240520021625.110430-2-suhui@nfschina.com |
---|---|
State | New |
Series | [1/2] Bluetooth: btintel: remove useless code in btintel_set_dsm_reset_method |
Hi Su Hui,

Thanks for your patch. 'btintel_ppag_callback' has been removed as part of 287da9035b2e.

> -----Original Message-----
> From: Su Hui <suhui@nfschina.com>
> Sent: Monday, May 20, 2024 7:46 AM
> To: marcel@holtmann.org; luiz.dentz@gmail.com; nathan@kernel.org; ndesaulniers@google.com; morbo@google.com; justinstitt@google.com
> Cc: Su Hui <suhui@nfschina.com>; K, Kiran <kiran.k@intel.com>; seema.sreemantha@intel.com; linux-bluetooth@vger.kernel.org; linux-kernel@vger.kernel.org; llvm@lists.linux.dev; kernel-janitors@vger.kernel.org
> Subject: [PATCH 2/2] Bluetooth: btintel: fix use after free problem in btintel_ppag_callback()
>
> Clang static checker (scan-build) warning:
> drivers/bluetooth/btintel.c:1369:8: Use of memory after it is freed.
>
> 'p' is equal to 'buffer.pointer', using 'p->type' after releasing 'buffer.pointer'
> causes this use after free problem.
> Change the order of releasing buffer.pointer to fix this problem.
>
> Fixes: c585a92b2f9c ("Bluetooth: btintel: Set Per Platform Antenna Gain(PPAG)")
> Signed-off-by: Su Hui <suhui@nfschina.com>
> ---
>  drivers/bluetooth/btintel.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c
> index f1c101dc0c28..d94a8ccd1428 100644
> --- a/drivers/bluetooth/btintel.c
> +++ b/drivers/bluetooth/btintel.c
> @@ -1364,9 +1364,9 @@ static acpi_status btintel_ppag_callback(acpi_handle handle, u32 lvl, void *data
>  	ppag = (struct btintel_ppag *)data;
>  
>  	if (p->type != ACPI_TYPE_PACKAGE || p->package.count != 2) {
> -		kfree(buffer.pointer);
>  		bt_dev_warn(hdev, "PPAG-BT: Invalid object type: %d or package count: %d",
>  			    p->type, p->package.count);
> +		kfree(buffer.pointer);
>  		ppag->status = AE_ERROR;
>  		return AE_ERROR;
>  	}
> --
> 2.30.2

Thanks,
Kiran
```diff
diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c
index f1c101dc0c28..d94a8ccd1428 100644
--- a/drivers/bluetooth/btintel.c
+++ b/drivers/bluetooth/btintel.c
@@ -1364,9 +1364,9 @@ static acpi_status btintel_ppag_callback(acpi_handle handle, u32 lvl, void *data
 	ppag = (struct btintel_ppag *)data;
 
 	if (p->type != ACPI_TYPE_PACKAGE || p->package.count != 2) {
-		kfree(buffer.pointer);
 		bt_dev_warn(hdev, "PPAG-BT: Invalid object type: %d or package count: %d",
 			    p->type, p->package.count);
+		kfree(buffer.pointer);
 		ppag->status = AE_ERROR;
 		return AE_ERROR;
 	}
```
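Review bot: the reorder is the right fix for the reported read, since `p` aliases `buffer.pointer` and the `bt_dev_warn()` call formats `p->type` and `p->package.count`, but the commit message should say that the freed object is the one being formatted, not just that the order changed; after the move, `kfree(buffer.pointer)` sits between the warning and `ppag->status = AE_ERROR`, so the buffer is still released exactly once on the error return and the visible control flow is otherwise unchanged. Per Kiran's reply, `btintel_ppag_callback` no longer exists upstream after 287da9035b2e, so this should be retargeted at the stable trees that still carry c585a92b2f9c (the commit named in the Fixes: tag) rather than mainline.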
```text
Clang static checker (scan-build) warning:
drivers/bluetooth/btintel.c:1369:8: Use of memory after it is freed.

'p' is equal to 'buffer.pointer', using 'p->type' after releasing 'buffer.pointer'
causes this use after free problem.
Change the order of releasing buffer.pointer to fix this problem.

Fixes: c585a92b2f9c ("Bluetooth: btintel: Set Per Platform Antenna Gain(PPAG)")
Signed-off-by: Su Hui <suhui@nfschina.com>
---
 drivers/bluetooth/btintel.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
```
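The bug class here is a free of an object that is still reachable through a second name (`p` and `buffer.pointer` refer to the same allocation), followed by a read through that second name. The user-space model below is an added example and is not code from the patch or from the btintel driver: it reproduces the error path of `btintel_ppag_callback()` in both orderings against a one-slot quarantine allocator (a toy version of what KASAN's quarantine does), so the old ordering is caught as a detected read-after-free instead of being undefined behaviour. `struct ppag_obj`, `struct acpi_buffer_model`, `tracked_alloc()`, `checked_read()`, the `CB_*` codes and `run_scenario()` are all constructed for this example; the success path of the real callback is not shown in the hunk and is not modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* ACPICA's tag for package objects; used only as a value to compare against. */
#define ACPI_TYPE_PACKAGE 0x04

/* Results of the modelled callback (constructed for this example). */
#define CB_OK         0  /* object accepted */
#define CB_INVALID    1  /* models AE_ERROR: wrong type or package count */
#define CB_UAF_CAUGHT 2  /* the quarantine saw a read of freed memory */

/* Minimal stand-ins for union acpi_object and struct acpi_buffer. */
struct ppag_obj {
	int type;
	struct { int count; } package;
};

struct acpi_buffer_model {
	void *pointer;
};

/*
 * One-slot quarantine allocator: tracked_free() only marks the object as
 * freed, so a later read can be detected instead of being undefined
 * behaviour (hypothetical; loosely modelled on KASAN's quarantine).
 */
static struct {
	void *ptr;
	bool freed;
} quarantine;

static void *tracked_alloc(size_t n)
{
	void *p = calloc(1, n);

	quarantine.ptr = p;
	quarantine.freed = false;
	return p;
}

static void tracked_free(void *p)
{
	if (p && p == quarantine.ptr)
		quarantine.freed = true;
}

/* Really release the slot once a scenario is finished. */
static void quarantine_flush(void)
{
	free(quarantine.ptr);
	quarantine.ptr = NULL;
	quarantine.freed = false;
}

/* Checked read of the fields bt_dev_warn() formats; -1 if the object is freed. */
static int checked_read(const struct ppag_obj *p, int *type, int *count)
{
	if ((const void *)p == quarantine.ptr && quarantine.freed)
		return -1;
	*type = p->type;
	*count = p->package.count;
	return 0;
}

/* Error path as it was before the patch: free first, then format p->type. */
static int error_path_before_fix(struct acpi_buffer_model *buffer, char *msg, size_t len)
{
	struct ppag_obj *p = buffer->pointer;   /* same allocation as buffer->pointer */
	int type, count;

	if (checked_read(p, &type, &count))
		return CB_UAF_CAUGHT;
	if (type != ACPI_TYPE_PACKAGE || count != 2) {
		tracked_free(buffer->pointer);
		/* bt_dev_warn() reads p here, after the free above */
		if (checked_read(p, &type, &count))
			return CB_UAF_CAUGHT;
		snprintf(msg, len, "PPAG-BT: Invalid object type: %d or package count: %d", type, count);
		return CB_INVALID;
	}
	return CB_OK;
}

/* Same path with the patch applied: warn while p is live, then free. */
static int error_path_after_fix(struct acpi_buffer_model *buffer, char *msg, size_t len)
{
	struct ppag_obj *p = buffer->pointer;
	int type, count;

	if (checked_read(p, &type, &count))
		return CB_UAF_CAUGHT;
	if (type != ACPI_TYPE_PACKAGE || count != 2) {
		snprintf(msg, len, "PPAG-BT: Invalid object type: %d or package count: %d", type, count);
		tracked_free(buffer->pointer);  /* released exactly once, before the error return */
		return CB_INVALID;
	}
	return CB_OK;
}

/* Build a constructed object, run one ordering, flush the quarantine, return the result. */
int run_scenario(int type, int count, bool fixed)
{
	struct acpi_buffer_model buffer;
	struct ppag_obj *obj = tracked_alloc(sizeof(*obj));
	char msg[96] = "";
	int rc;

	obj->type = type;
	obj->package.count = count;
	buffer.pointer = obj;
	rc = fixed ? error_path_after_fix(&buffer, msg, sizeof msg)
		   : error_path_before_fix(&buffer, msg, sizeof msg);
	quarantine_flush();
	return rc;
}

int main(void)
{
	printf("invalid object, old order: %d (2 = read after free caught)\n", run_scenario(1, 3, false));
	printf("invalid object, new order: %d (1 = AE_ERROR, buffer freed once)\n", run_scenario(1, 3, true));
	printf("valid package, new order:  %d (0 = ok)\n", run_scenario(ACPI_TYPE_PACKAGE, 2, true));
	return 0;
}
```

The quarantine is what turns a silent bug into a result that can be asserted on: on a real kernel the same read would only be visible with KASAN enabled or, as in this patch, through a static checker that tracks the alias between `p` and `buffer.pointer`.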