projects / linux-2.6-block.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 6c595ea)
Bluetooth: hci_bcsp: Fix memory leak in rx_skb
authorTomas Bortoli <tomasbortoli@gmail.com>
Tue, 28 May 2019 13:42:58 +0000 (15:42 +0200)
committerMarcel Holtmann <marcel@holtmann.org>
Sat, 6 Jul 2019 11:02:38 +0000 (13:02 +0200)
Syzkaller found that it is possible to provoke a memory leak by
never freeing rx_skb in struct bcsp_struct.

Fix by freeing in bcsp_close()

Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
Reported-by: syzbot+98162c885993b72f19c4@syzkaller.appspotmail.com
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
drivers/bluetooth/hci_bcsp.c patch | blob | blame | history

diff --git a/drivers/bluetooth/hci_bcsp.c b/drivers/bluetooth/hci_bcsp.c
index 82b13faa94228fb896e9d8debfad8110a0ddb846..fe2e307009f472e7158e914fd3865ecd9b242236 100644 (file)
--- a/drivers/bluetooth/hci_bcsp.c
+++ b/drivers/bluetooth/hci_bcsp.c
@@ -744,6 +744,11 @@ static int bcsp_close(struct hci_uart *hu)
        skb_queue_purge(&bcsp->rel);
        skb_queue_purge(&bcsp->unrel);
 
+       if (bcsp->rx_skb) {
+               kfree_skb(bcsp->rx_skb);
+               bcsp->rx_skb = NULL;
+       }
+
        kfree(bcsp);
        return 0;
 }
Linux 6.x block layer and io_uring tree(s)