2023-12-14 10:22:38

by Dan Carpenter

Subject: Re: [bug report] Bluetooth: btusb: mediatek: add MediaTek devcoredump support

Ping. Let me add the bluetooth mailing list as well to see if anyone
knows.

regards,
dan carpenter

On Mon, Jul 03, 2023 at 04:21:32PM +0300, Dan Carpenter wrote:
> Hello Jing Cai,
>
> The patch 872f8c253cb9: "Bluetooth: btusb: mediatek: add MediaTek
> devcoredump support" from Jun 29, 2023, leads to the following Smatch
> static checker warning:
>
> drivers/bluetooth/btmtk.c:409 btmtk_process_coredump()
> error: double free of 'skb'
>
> drivers/bluetooth/btmtk.c
>    381                 if (err < 0)
>    382                         break;
>    383                 data->cd_info.cnt = 0;
>    384
>    385                 /* It is supposed coredump can be done within 5 seconds */
>    386                 schedule_delayed_work(&hdev->dump.dump_timeout,
>    387                                       msecs_to_jiffies(5000));
>    388                 fallthrough;
>    389         case HCI_DEVCOREDUMP_ACTIVE:
>    390         default:
>    391                 err = hci_devcd_append(hdev, skb);
>
> hci_devcd_append() frees skb on error
>
>    392                 if (err < 0)
>    393                         break;
>    394                 data->cd_info.cnt++;
>    395
>    396                 /* Mediatek coredump data would be more than MTK_COREDUMP_NUM */
>    397                 if (data->cd_info.cnt > MTK_COREDUMP_NUM &&
>    398                     skb->len > sizeof(MTK_COREDUMP_END) &&
>    399                     !memcmp((char *)&skb->data[skb->len - sizeof(MTK_COREDUMP_END)],
>    400                             MTK_COREDUMP_END, sizeof(MTK_COREDUMP_END) - 1)) {
>    401                         bt_dev_info(hdev, "Mediatek coredump end");
>    402                         hci_devcd_complete(hdev);
>    403                 }
>    404
>    405                 break;
>    406         }
>    407
>    408         if (err < 0)
>    409                 kfree_skb(skb);
>
> double free
>
>    410
>    411         return err;
>    412 }
>
> regards,
> dan carpenter
>
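The ownership mismatch the quoted report points at, as an added example that is not part of this thread or of the kernel source: a constructed model in which the append stand-in frees the buffer on error (as the report says hci_devcd_append() does) while a shared error tail frees it a second time, next to a shape that frees only on the exit where the caller still owns the buffer. The corrected shape is an illustration of single ownership, not the upstream patch; all names (fake_skb, fake_devcd_init, fake_devcd_append, frees_shared_tail, frees_per_exit) are constructed.

```c
/* Constructed model of the ownership rules in the quoted function; not
 * kernel code. A counter replaces the allocator so a double free is
 * observable rather than undefined behaviour. */
struct fake_skb { int frees; };

static void fake_kfree_skb(struct fake_skb *skb) { skb->frees++; }

/* Stand-in for hci_devcd_init(): never touches skb. */
static int fake_devcd_init(int fail) { return fail ? -1 : 0; }

/* Stand-in for hci_devcd_append(): on error it frees skb itself,
 * which is the behaviour the report calls out. */
static int fake_devcd_append(struct fake_skb *skb, int fail)
{
	if (fail) {
		fake_kfree_skb(skb);
		return -1;
	}
	return 0;
}

/* Buggy shape from the report: one shared "if (err < 0) kfree_skb(skb)"
 * tail serves both error exits, but only after a failed init does the
 * caller still own skb. Returns how many times skb was freed. */
int frees_shared_tail(int init_fails, int append_fails)
{
	struct fake_skb skb = { 0 };
	int err = fake_devcd_init(init_fails);
	if (err >= 0)
		err = fake_devcd_append(&skb, append_fails);
	if (err < 0)
		fake_kfree_skb(&skb);	/* second free after a failed append */
	return skb.frees;
}

/* Corrected shape (illustration only, not the upstream patch): free on
 * the exit where the caller still owns skb, and do nothing after a
 * failed append because the callee has already released it. */
int frees_per_exit(int init_fails, int append_fails)
{
	struct fake_skb skb = { 0 };
	int err = fake_devcd_init(init_fails);
	if (err < 0) {
		fake_kfree_skb(&skb);	/* not handed over yet: ours to free */
		return skb.frees;
	}
	fake_devcd_append(&skb, append_fails);	/* on error it frees skb */
	return skb.frees;			/* either way, nothing left for us */
}
```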