Hi Frédéric,
On Wed, Apr 16, 2025 at 8:24 AM Frédéric Danis
<frederic.danis@xxxxxxxxxxxxx> wrote:
>
> Commit ad5747d4eed1 ("Bluetooth: l2cap: Process valid commands in too
> long frame") from Apr 14, 2025 (linux-next), leads to the following
> Smatch static checker warning:
>
> net/bluetooth/l2cap_core.c:7613 l2cap_recv_acldata()
> error: double free of 'skb' (line 7557)
>
> l2cap_recv_frame() consumes the skb.
>
> Fixes: ad5747d4eed1 ("Bluetooth: l2cap: Process valid commands in too long frame")
> Signed-off-by: Frédéric Danis <frederic.danis@xxxxxxxxxxxxx>
> ---
> net/bluetooth/l2cap_core.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
> index 1bba7152fd70..5ca7ac43c58d 100644
> --- a/net/bluetooth/l2cap_core.c
> +++ b/net/bluetooth/l2cap_core.c
> @@ -7556,7 +7556,7 @@ void l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
> skb->len = len;
> l2cap_recv_frame(conn, skb);
> l2cap_conn_unreliable(conn, ECOMM);
> - goto drop;
> + goto unlock;
I went ahead and fixed it up in place since I'm planning to send this
to net this week.
> }
>
> /* Append fragment into frame (with header) */
> --
> 2.43.0
>
>
--
Luiz Augusto von Dentz
