Return-Path: <linux-bluetooth-owner@vger.kernel.org>
Content-Type: text/plain;
        charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 11.0 \(3445.1.7\))
Subject: Re: [PATCH] Bluetooth: Fix potential memory leak
From: Marcel Holtmann <marcel@holtmann.org>
In-Reply-To: <1508830195-13824-1-git-send-email-jaganathx.kanakkassery@intel.com>
Date: Tue, 24 Oct 2017 09:41:18 +0200
Cc: "open list:BLUETOOTH DRIVERS" <linux-bluetooth@vger.kernel.org>,
        Jaganath Kanakkassery <jaganathx.kanakkassery@intel.com>
Message-Id: <F0B9BF0A-BC07-4074-923E-518E6A227DF0@holtmann.org>
References: <1508830195-13824-1-git-send-email-jaganathx.kanakkassery@intel.com>
To: Jaganath Kanakkassery <jaganath.k.os@gmail.com>
Sender: linux-bluetooth-owner@vger.kernel.org
List-ID: <linux-bluetooth.vger.kernel.org>

Hi Jaganath,

> If command is added to req then it should be freed in case if
> hdev is down or HCI_ADVERTISING flag is not set.
> 
> Signed-off-by: Jaganath Kanakkassery <jaganathx.kanakkassery@intel.com>
> ---
> net/bluetooth/mgmt.c | 1 +
> 1 file changed, 1 insertion(+)
> 
> diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
> index 1fba2a0..58045ee 100644
> --- a/net/bluetooth/mgmt.c
> +++ b/net/bluetooth/mgmt.c
> @@ -6383,6 +6383,7 @@ static int remove_advertising(struct sock *sk, struct hci_dev *hdev,
> 	if (skb_queue_empty(&req.cmd_q) ||
> 	    !hdev_is_powered(hdev) ||
> 	    hci_dev_test_flag(hdev, HCI_ADVERTISING)) {
> +		skb_queue_purge(&req.cmd_q);
> 		rp.instance = cp->instance;
> 		err = mgmt_cmd_complete(sk, hdev->id,
> 					MGMT_OP_REMOVE_ADVERTISING,

this does not look right to me. It most likely has side affects. The fix must be differently if there is a memory leak.

Regards

Marcel