Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp125978pxk; Wed, 9 Sep 2020 00:27:06 -0700 (PDT) X-Google-Smtp-Source: ABdhPJy40du+dIkAQfJqoqtw4Gs2kh4PWIgSHTslQCT/oQAUDK/1AttHj0ZjDa4tyZ2tgjwlN68m X-Received: by 2002:a17:906:bcd5:: with SMTP id lw21mr2347095ejb.430.1599636426336; Wed, 09 Sep 2020 00:27:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1599636426; cv=none; d=google.com; s=arc-20160816; b=nsjzhJfMRAEyzsEb3bwQoODB2SpmJ6qi2nF+bYpnPRmU68G6y72XC++Z0t6BFp5wKq pvqYzfO9jiJkl/qhd4IwS81VcXAGbI6sfTMbGF9OiPx595EM+1eHWdpMESO5koPTImsq 0fHJDKaG9/3K2i3C6AQTGxc0YAI5jT5tBLJIghp22htqRj178Uk/CBVmSbIqC3B/dgoX P1TDHYjU01rIk6LreRCrfAgbB1RyJe90Du7ihcPTHsNs/RYBno3pqnpI0euRLIPTo+84 t2wpiJERz7xiARIKc8a8RdXfo8JKseX1kWRQ08xSKLis69DJsk1/9eyx4z5tVbtNt4Al s2dw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=NB8HBUKnl+eWfZNHIQZWAbfkL9C5IcAO+9Z1lg426u8=; b=NV+wfbKqWC79v98PsuJlJDew36jkfexcck0J7f8i8Z+8OWClngrTkRfMgL8PbXivib ISAwLTmulbMUj/flvBhH5VLfM7CfI30ieJW2aR9oT7GJ1rNf8sC6bmDLzCydHmtot2fU aO+gUuv4Z8nlUCIj4fO3X5TuwC9CaA+G/o48qgQ0NQATryKf7gNzNS01aR2HGmrT3Lqp /IYZqZU0z+Tlmdf3MEPOX2kPNzjz5xlqWWuss71luFVO8aAFJz7ytzFkJfpieChdxn+e lA/vs57epYE6Ro+J2/RKxTypK5jQv4wwGmEnAl+KGmzy9yeavf9iVQuYW/UDr9vZmAmI oSFQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=hNAVYHr5; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id l13si929505ejc.723.2020.09.09.00.26.41; Wed, 09 Sep 2020 00:27:06 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=hNAVYHr5; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725826AbgIIH0i (ORCPT + 99 others); Wed, 9 Sep 2020 03:26:38 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57126 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725772AbgIIH0d (ORCPT ); Wed, 9 Sep 2020 03:26:33 -0400 Received: from mail-pf1-x442.google.com (mail-pf1-x442.google.com [IPv6:2607:f8b0:4864:20::442]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B7C6CC061573; Wed, 9 Sep 2020 00:26:32 -0700 (PDT) Received: by mail-pf1-x442.google.com with SMTP id d6so1371411pfn.9; Wed, 09 Sep 2020 00:26:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=NB8HBUKnl+eWfZNHIQZWAbfkL9C5IcAO+9Z1lg426u8=; b=hNAVYHr5uxDesz7m8yBEg9nTrnbnzLgkuYvjloOejB/N6d8aae8dTdQu2xhhan0Vtl viJO7ZNo030PGxkXyTbUWpTLuecLUIQqkBS8LH3U7RamoG+oAkaDuHOi1A+4PZjSmPqi EoBVK7TpvxlDjdnHPXyH3Yt8wyrKOK8XGgzfYVPpmIKGXeE12M8psa9BW0zZQJ/aHR+4 KF/ZtkQjl2s+FQdRkBIGBmzK0/R0Z4NYX3mb0hIpGiLpkbIV26/G31SgEorcqReRRZiM ikR/C5UVkQ4ft+STBWWOMXlnHbrPVrbPt6HloxfdmkPRVFO2/z1j6cGnR0nhUwxzeynF JkHg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=NB8HBUKnl+eWfZNHIQZWAbfkL9C5IcAO+9Z1lg426u8=; b=t12lx9coJGdoCnAhFce6SBCJ5KTJ+px911baX2lT8OOkEaJBI7YwISalcBHIRJnQPM 1ghh+kbzWyfS1NOsc0f8HreEG+nesx+v3DOnEkoyCR2qF/JIrT6t+ImlHlMaA2hlGyvC OH4C6LOSjmFDHcnkLuiqol6/a5ue9ikaZuWj69QEOuMwshx1dwol/LhFJ8o09sD7sCA5 ejd9FImKnhExzDMakc9ZQb7im3W4hXMA4oiePsnf3F5oiDJkZ9pXnRk6zrGS7acRBHc6 TnsCsinPiS27wMv0a/UW1a/14y4RHlnv+lTef9jM0AWt5QB/JPVUPwg8alb6YrOVTTDP MWhA== X-Gm-Message-State: AOAM533U9m8ANTHHsZQ7JFppywn+2ugCSnohk/6FKMLGGdTdZicbJnvd dMjhkviDCGu5N4Vx4//0ww== X-Received: by 2002:a17:902:c38a:: with SMTP id g10mr2551819plg.23.1599636392271; Wed, 09 Sep 2020 00:26:32 -0700 (PDT) Received: from localhost.localdomain (n11212042027.netvigator.com. [112.120.42.27]) by smtp.gmail.com with ESMTPSA id r10sm1129570pjp.49.2020.09.09.00.26.29 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 09 Sep 2020 00:26:31 -0700 (PDT) From: Peilin Ye To: Marcel Holtmann , Johan Hedberg Cc: Peilin Ye , Miao-chen Chou , "David S. Miller" , Jakub Kicinski , Greg Kroah-Hartman , linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kernel-mentees@lists.linuxfoundation.org, syzkaller-bugs@googlegroups.com Subject: [Linux-kernel-mentees] [PATCH v2] Bluetooth: Fix memory leak in read_adv_mon_features() Date: Wed, 9 Sep 2020 03:25:51 -0400 Message-Id: <20200909072551.1101031-1-yepeilin.cs@gmail.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200908200635.1099360-1-yepeilin.cs@gmail.com> References: <20200908200635.1099360-1-yepeilin.cs@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-bluetooth-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org read_adv_mon_features() is leaking memory. Free `rp` before returning. Fixes: e5e1e7fd470c ("Bluetooth: Add handler of MGMT_OP_READ_ADV_MONITOR_FEATURES") Reported-and-tested-by: syzbot+f7f6e564f4202d8601c6@syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?extid=f7f6e564f4202d8601c6 Signed-off-by: Peilin Ye --- I forgot the "Link:" tag yesterday. Sorry about that. Change in v2: - add a proper "Link:" tag. net/bluetooth/mgmt.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c index 5bbe71002fb9..f96251f818fc 100644 --- a/net/bluetooth/mgmt.c +++ b/net/bluetooth/mgmt.c @@ -4157,7 +4157,7 @@ static int read_adv_mon_features(struct sock *sk, struct hci_dev *hdev, { struct adv_monitor *monitor = NULL; struct mgmt_rp_read_adv_monitor_features *rp = NULL; - int handle; + int handle, err; size_t rp_size = 0; __u32 supported = 0; __u16 num_handles = 0; @@ -4192,9 +4192,13 @@ static int read_adv_mon_features(struct sock *sk, struct hci_dev *hdev, if (num_handles) memcpy(&rp->handles, &handles, (num_handles * sizeof(u16))); - return mgmt_cmd_complete(sk, hdev->id, - MGMT_OP_READ_ADV_MONITOR_FEATURES, - MGMT_STATUS_SUCCESS, rp, rp_size); + err = mgmt_cmd_complete(sk, hdev->id, + MGMT_OP_READ_ADV_MONITOR_FEATURES, + MGMT_STATUS_SUCCESS, rp, rp_size); + + kfree(rp); + + return err; } static int add_adv_patterns_monitor(struct sock *sk, struct hci_dev *hdev, -- 2.25.1