2016-08-21 12:25:31

by Frédéric Dalleau

Subject: [PATCH] Bluetooth: Fix memory leak at end of hci requests

From: Frederic Dalleau <[email protected]>

hci_req_sync_complete takes a reference on the skb in hdev->req_skb.
It is called (via hci_req_run_skb) from either __hci_cmd_sync_ev which will
pass the skb to the caller, or __hci_req_sync which leaks.

Signed-off-by: Frédéric Dalleau <[email protected]>
---
net/bluetooth/hci_request.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/net/bluetooth/hci_request.c b/net/bluetooth/hci_request.c
index c045b3c..7a5f9ed 100644
--- a/net/bluetooth/hci_request.c
+++ b/net/bluetooth/hci_request.c
@@ -212,6 +212,10 @@ int __hci_req_sync(struct hci_dev *hdev, int (*func)(struct hci_request *req,
set_current_state(TASK_INTERRUPTIBLE);

err = hci_req_run_skb(&req, hci_req_sync_complete);
+
+ kfree_skb(hdev->req_skb);
+ hdev->req_skb = NULL;
+
if (err < 0) {
hdev->req_status = 0;

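Review bot: The kfree_skb(hdev->req_skb) is placed directly after hci_req_run_skb() returns, after set_current_state(TASK_INTERRUPTIBLE) and before the if (err < 0) check, so it runs before this task has waited for the request to finish. Per the commit message, the reference is taken in hci_req_sync_complete, which is the completion callback handed to hci_req_run_skb on the line above. If that callback has not run yet at this point, the free acts on whatever an earlier request left in hdev->req_skb, and the skb stored for the current request is still held when the function returns. Consider moving the two added lines to after the wait has ended, so that every exit path of __hci_req_sync drops the reference. Freeing here also reads and clears hdev->req_skb while the completion callback may be storing to it, so the commit message should say what serialises the two. Minor: the added blank line after err = hci_req_run_skb(...) separates the call from its if (err < 0) check.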
--
2.7.4