From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Anant Thazhemadam, Hans de Goede, Marcel Holtmann
Subject: [PATCH 5.4 47/92] Bluetooth: revert: hci_h5: close serdev device and free hu in h5_close
Date: Mon, 11 Jan 2021 14:01:51 +0100
Message-Id: <20210111130041.409792879@linuxfoundation.org>
In-Reply-To: <20210111130039.165470698@linuxfoundation.org>
References: <20210111130039.165470698@linuxfoundation.org>

From: Hans de Goede

commit 5c3b5796866f85354a5ce76a28f8ffba0dcefc7e upstream.

There have been multiple revisions of the patch to fix the h5->rx_skb leak. Accidentally the first revision (which is buggy) and v5 have both been merged:

v1 commit 70f259a3f427 ("Bluetooth: hci_h5: close serdev device and free hu in h5_close");
v5 commit 855af2d74c87 ("Bluetooth: hci_h5: fix memory leak in h5_close")

The correct v5 makes changes slightly higher up in the h5_close() function, which allowed both versions to get merged without conflict.

The changes from v1 unconditionally free the h5 data struct; this is wrong because in the serdev enumeration case the memory is allocated in h5_serdev_probe() like this:

        h5 = devm_kzalloc(dev, sizeof(*h5), GFP_KERNEL);

So its lifetime is tied to the lifetime of the driver being bound to the serdev and it is automatically freed when the driver gets unbound. In the serdev case the same h5 struct is re-used over h5_close() and h5_open() calls and thus MUST not be freed in h5_close().

The serdev_device_close() added to h5_close() is incorrect in the same way, serdev_device_close() is called on driver unbound too and also MUST not be called from h5_close().

This reverts the changes made by merging v1 of the patch, so that just the changes of the correct v5 remain.

Cc: Anant Thazhemadam
Signed-off-by: Hans de Goede
Signed-off-by: Marcel Holtmann
Signed-off-by: Greg Kroah-Hartman

--- drivers/bluetooth/hci_h5.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) --- a/drivers/bluetooth/hci_h5.c +++ b/drivers/bluetooth/hci_h5.c @@ -250,12 +250,8 @@ static int h5_close(struct hci_uart *hu) if (h5->vnd && h5->vnd->close) h5->vnd->close(h5); - if (hu->serdev) - serdev_device_close(hu->serdev); - - kfree_skb(h5->rx_skb); - kfree(h5); - h5 = NULL; + if (!hu->serdev) + kfree(h5); return 0; }
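
Review bot: the restored `if (!hu->serdev) kfree(h5);` at the end of h5_close() carries an ownership rule that is only explained in the commit message. A short comment at that line, saying that in the serdev case h5 is allocated with devm_kzalloc() in h5_serdev_probe() and freed on driver unbind, would help keep an unconditional free from being reintroduced. Separately, dropping `kfree_skb(h5->rx_skb);` here is only leak-free if the v5 change (855af2d74c87) is present higher up in h5_close(); that free is not in the visible context, so it is worth confirming for this 5.4 backport.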