Bluetooth: cmtp: fix possible panic when cmtp_init_sockets() fails

Wang Hai · holtmann · commit 2a7ca7459d90 · 2021-10-25T15:02:04.000+02:00
I got a kernel BUG report when doing fault injection test: ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:45! ... RIP: 0010:__list_del_entry_valid.cold+0x12/0x4d ... Call Trace: proto_unregister+0x83/0x220 cmtp_cleanup_sockets+0x37/0x40 [cmtp] cmtp_exit+0xe/0x1f [cmtp] do_syscall_64+0x35/0xb0 entry_SYSCALL_64_after_hwframe+0x44/0xae If cmtp_init_sockets() in cmtp_init() fails, cmtp_init() still returns success. This will cause a kernel bug when accessing uncreated ctmp related data when the module exits. Fixes: 1da177e ("Linux-2.6.12-rc2") Reported-by: Hulk Robot <hulkci@huawei.com> Signed-off-by: Wang Hai <wanghai38@huawei.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
diff --git a/net/bluetooth/cmtp/core.c b/net/bluetooth/cmtp/core.c
@@ -501,9 +501,7 @@ static int __init cmtp_init(void)
 {
 	BT_INFO("CMTP (CAPI Emulation) ver %s", VERSION);
 
-	cmtp_init_sockets();
-
-	return 0;
+	return cmtp_init_sockets();
 }
 
 static void __exit cmtp_exit(void)

Original file line number	Diff line number	Diff line change
`@@ -501,9 +501,7 @@ static int __init cmtp_init(void)`
`501`	`501`	`{`
`502`	`502`	`BT_INFO("CMTP (CAPI Emulation) ver %s", VERSION);`
`503`	`503`
`504`		`- cmtp_init_sockets();`
`505`		`-`
`506`		`- return 0;`
	`504`	`+ return cmtp_init_sockets();`
`507`	`505`	`}`
`508`	`506`
`509`	`507`	`static void __exit cmtp_exit(void)`