projects / thirdparty / kernel / stable-queue.git / blame
| Commit | Line | Data |
|---|---|---|
| 88153929 GKH |
1 | From 45d355a926ab40f3ae7bc0b0a00cb0e3e8a5a810 Mon Sep 17 00:00:00 2001 |
| 2 | From: Dmitry Antipov <dmantipov@yandex.ru> | |
| 3 | Date: Tue, 2 Apr 2024 14:32:05 +0300 | |
| 4 | Subject: Bluetooth: Fix memory leak in hci_req_sync_complete() | |
| 5 | ||
| 6 | From: Dmitry Antipov <dmantipov@yandex.ru> | |
| 7 | ||
| 8 | commit 45d355a926ab40f3ae7bc0b0a00cb0e3e8a5a810 upstream. | |
| 9 | ||
| 10 | In 'hci_req_sync_complete()', always free the previous sync | |
| 11 | request state before assigning reference to a new one. | |
| 12 | ||
| 13 | Reported-by: syzbot+39ec16ff6cc18b1d066d@syzkaller.appspotmail.com | |
| 14 | Closes: https://syzkaller.appspot.com/bug?extid=39ec16ff6cc18b1d066d | |
| 15 | Cc: stable@vger.kernel.org | |
| 16 | Fixes: f60cb30579d3 ("Bluetooth: Convert hci_req_sync family of function to new request API") | |
| 17 | Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru> | |
| 18 | Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | |
| 19 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
| 20 | --- | |
| 21 | net/bluetooth/hci_request.c | 4 +++- | |
| 22 | 1 file changed, 3 insertions(+), 1 deletion(-) | |
| 23 | ||
| 24 | --- a/net/bluetooth/hci_request.c | |
| 25 | +++ b/net/bluetooth/hci_request.c | |
| 26 | @@ -107,8 +107,10 @@ static void hci_req_sync_complete(struct | |
| 27 | if (hdev->req_status == HCI_REQ_PEND) { | |
| 28 | hdev->req_result = result; | |
| 29 | hdev->req_status = HCI_REQ_DONE; | |
| 30 | - if (skb) | |
| 31 | + if (skb) { | |
| 32 | + kfree_skb(hdev->req_skb); | |
| 33 | hdev->req_skb = skb_get(skb); | |
| 34 | + } | |
| 35 | wake_up_interruptible(&hdev->req_wait_q); | |
| 36 | } | |
| 37 | } |