From: Tomas Bortoli
To: marcel@holtmann.org, johan.hedberg@gmail.com
Cc: linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, Tomas Bortoli
Subject: [PATCH] Bluetooth: hci_bcsp: Fix memory leak in rx_skb
Date: Tue, 28 May 2019 15:42:58 +0200
Message-Id: <20190528134258.3743-1-tomasbortoli@gmail.com>
X-Mailing-List: linux-bluetooth@vger.kernel.org

Syzkaller found that it is possible to provoke a memory leak by never freeing rx_skb in struct bcsp_struct.

Fix by freeing in bcsp_close()

Signed-off-by: Tomas Bortoli
Reported-by: syzbot+98162c885993b72f19c4@syzkaller.appspotmail.com
--- drivers/bluetooth/hci_bcsp.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/bluetooth/hci_bcsp.c b/drivers/bluetooth/hci_bcsp.c index 1a7f0c82fb36..550ab5b4c8be 100644 --- a/drivers/bluetooth/hci_bcsp.c +++ b/drivers/bluetooth/hci_bcsp.c @@ -759,6 +759,10 @@ static int bcsp_close(struct hci_uart *hu) skb_queue_purge(&bcsp->rel); skb_queue_purge(&bcsp->unrel); + if (bcsp->rx_skb) { + kfree_skb(bcsp->rx_skb); bcsp->rx_skb = NULL; + } + kfree(bcsp); return 0; } -- 2.11.0
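Review bot: in the block added to bcsp_close(), `kfree_skb(bcsp->rx_skb); bcsp->rx_skb = NULL;` appears as two statements on a single added line (consistent with the diffstat's 4 insertions), which kernel coding style does not accept; put the assignment on its own line, or drop it, since the `kfree(bcsp);` context line right after the block frees the containing structure anyway. The `if (bcsp->rx_skb)` guard is also unnecessary because kfree_skb() returns early when passed NULL, so the whole addition can be one unconditional `kfree_skb(bcsp->rx_skb);` placed after the two skb_queue_purge() calls. The commit message would be easier to review if it said in which state rx_skb is still allocated when bcsp_close() runs, rather than only that it is never freed.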