Received: by 2002:a05:6500:1b45:b0:1f5:f2ab:c469 with SMTP id cz5csp954281lqb;
        Wed, 17 Apr 2024 16:27:53 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCVONwMNyCt1jeNDS+z4TL3+ApHbZgwA/KdOr5+wcA/7LTvtBfw0HaWuWQoB7oJ6iGJBtTZnoKbdudbnh4yCiAWATPUUyKpE/9gkiOHKfg==
X-Google-Smtp-Source: AGHT+IGxCqLI0DDASA50KmAovZgwJT1KjtzwPEI/0z1IlteKltyrz8hYSPkpXe2feGbi41a4nll5
X-Received: by 2002:a0c:e7cf:0:b0:69b:569f:199b with SMTP id c15-20020a0ce7cf000000b0069b569f199bmr1049024qvo.60.1713396473456;
        Wed, 17 Apr 2024 16:27:53 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1713396473; cv=pass;
        d=google.com; s=arc-20160816;
        b=egGj2tb1zB9iaqhIPqhUhmCVaKaWtsfoAm6x0H26GKrVIXuoOQMVSsuK7RqI4qVoIz
         FGsH0G+8F8Qku+AyQly4Okcy/w4gAb+OthF6hNv+ATC06OVgPK4LhKHSTL9WuSzoBjaD
         cvhZcdb/fVrQXv0Doi0G1Blp/e3u2m5Trny96msCW0Pmc/rhyGpAo4/9BmGSLZPvRnZK
         CpktA582ep/Ec9C4O5d4lC14IifKK61r1hR7T66Srb6Z6QzG5AS6ON6J/AdkkgFcl0fg
         ZNMwLyUNpFtyc1SXhIQ4Tkr1wiS9tbByK0A7buQe7l/bh8NRhZZeE9qIjJNEGHIkZWlj
         XN/g==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:message-id:date:subject:cc:to
         :from;
        bh=kQzDJkz2ShC6jD7BVo0uLIszI5IpreqEnXzr4s/NGaQ=;
        fh=ow3hj5YZJGNxsClZBxSKdl48knGdtBWmdzhU6XUNlBc=;
        b=AG0PZzwUcpK3q5uKC9g8Jh4NwjrFT/o0zlYc9tcP9palR4DdMICVwEUM+/SJ6XuR/z
         U4DkEYIgLrRDPifkA9y1AVaCIpSzWCsS/CrkEppDmQkJHSV5e+XctgLsRRxcG+v12QJg
         OAdWIDBbMFITj8gsdc+l8v2AdEb6q8+ZBPKRywPp9MZDZ0fNsTHCo277ahkoeoITQasA
         YNxEKqbnXJfojCvRnwCS3AtRgYz2SZ7x0T9Hd3IMLXtkO4wtZYY2Qu2Xe0OzAvT2vXbI
         clw8UefQLacwwJ3VZARYTY29xaa2+WYXB6x11O/r1T8/dTM/81JtBcMUhR/MS9U9e1Bn
         Tlqw==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       arc=pass (i=1 spf=pass spfdomain=gmail.com);
       spf=pass (google.com: domain of linux-bluetooth+bounces-3697-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-bluetooth+bounces-3697-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-bluetooth+bounces-3697-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1])
        by mx.google.com with ESMTPS id iu5-20020ad45cc5000000b0069b559b7112si278915qvb.268.2024.04.17.16.27.53
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 17 Apr 2024 16:27:53 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-bluetooth+bounces-3697-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1;
Authentication-Results: mx.google.com;
       arc=pass (i=1 spf=pass spfdomain=gmail.com);
       spf=pass (google.com: domain of linux-bluetooth+bounces-3697-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-bluetooth+bounces-3697-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ny.mirrors.kernel.org (Postfix) with ESMTPS id 4EBC41C20DC6
	for <linux.lists.archive@gmail.com>; Wed, 17 Apr 2024 23:27:52 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 4EA0B8594D;
	Wed, 17 Apr 2024 23:27:49 +0000 (UTC)
X-Original-To: linux-bluetooth@vger.kernel.org
Received: from mail-il1-f176.google.com (mail-il1-f176.google.com [209.85.166.176])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 838DBFC1F;
	Wed, 17 Apr 2024 23:27:47 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.166.176
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1713396468; cv=none; b=INi+AzzD/bhtP0k/hogZMPFKQKjNIDIbJpZkljMGoWrXeHOTONiSpRv9ZasRZ6q1AhcOffJzpr/zyyjY7Tp6K01ktnlmUJkQbnp/vTdP0MLUJ5b6Qc0s/dhE48H8ny3Nl+FbCqCHgDIq9U9zUInij1ZzjqPu5L7VsMraj5BwGvI=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1713396468; c=relaxed/simple;
	bh=5UVlu9occiDwBRGiitQP3mupRzJhLkxhOOPiHCK9Abs=;
	h=From:To:Cc:Subject:Date:Message-Id:MIME-Version; b=lqTLiT/cZgaj0trfuu9+nZpmEOnJU70yFlkSpGY11U0pIJ6Q1kBRtxg+jGlOXnHfkC8qj8GQ+wx9/+aStwufvih0bSuDh4n5tCv8hmsz21uTLclQVxI3f+CWdHOvuiJJapq0GsjPiQkQGvT3xdtr2Tf6zn5i2sl+1pIEXq9FmbU=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=kernel.org; spf=pass smtp.mailfrom=gmail.com; arc=none smtp.client-ip=209.85.166.176
Authentication-Results: smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=kernel.org
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com
Received: by mail-il1-f176.google.com with SMTP id e9e14a558f8ab-36b00f8fbedso4905ab.0;
        Wed, 17 Apr 2024 16:27:47 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1713396466; x=1714001266;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=kQzDJkz2ShC6jD7BVo0uLIszI5IpreqEnXzr4s/NGaQ=;
        b=JZFYc7OGg6MCpG5BM42PoeS2Sdn2mALRkY2qpSMghpl3Rdkp4229dg6+W2Tzis/JtP
         vynQ2qTAWs2FZy4WI2L7h0XiZ/I/bLozH2D2UNteiumORJjeX+qgSCy6ceXNCDTGUBiv
         h1Wjd1XMLytjhD5MXOg7JmEh61RW3onoC3OJ7Ok97olYGwyKYEYnHwkjGdQsUMRW+gBJ
         UsD8KM3pOlrhEuqP8V9QFfxQ6Ntp4Ivcpa5UElo5HHtfawEFo7ojuMC4fcJ5/j1xlgxC
         +uhBzQ5gtSUMdhtIKcF8k7twp+hBrth/IUEsqQfvmJXDjUywzh/4UXNIvKxa6nfOxWJx
         1ZYQ==
X-Forwarded-Encrypted: i=1; AJvYcCVQUl/B8tO9TrYh3TXcW7spWcBse95G2XMDZfg5YnyWiNz3SszJsuFGa37Hm3SD7N2kBx16cxl4nsyRNJUaiMvVlyBARhiKiFwFR1I1JEX+psJJBVNMXJPJR/+tLnUukDsby5ZzL9HsNgEtj+Kl
X-Gm-Message-State: AOJu0YyGBc0lqMBu2AhDLpP92DdWmdsCP1SfOcp6frndoEWqdIVOF6cO
	dj0gFQXL3MwOCXNqKn/St3cTn4f3RFHvJed9b8tpM8TbYlglNGu9M16BuA==
X-Received: by 2002:a92:c561:0:b0:36b:2ff9:9275 with SMTP id b1-20020a92c561000000b0036b2ff99275mr1319293ilj.2.1713396466596;
        Wed, 17 Apr 2024 16:27:46 -0700 (PDT)
Received: from sean-ThinkPad-T450s.hsd1.ca.comcast.net ([2601:646:8002:f344:5981:35f1:46e:37bc])
        by smtp.gmail.com with ESMTPSA id r8-20020a63fc48000000b005dbd0facb4dsm149695pgk.61.2024.04.17.16.27.44
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 17 Apr 2024 16:27:45 -0700 (PDT)
From: sean.wang@kernel.org
To: luiz.dentz@gmail.com,
	marcel@holtmann.org,
	johan.hedberg@gmail.com
Cc: sean.wang@mediatek.com,
	chris.lu@mediatek.com,
	Deren.Wu@mediatek.com,
	jsiuda@google.com,
	frankgor@google.com,
	abhishekpandit@google.com,
	michaelfsun@google.com,
	mmandlik@google.com,
	abhishekpandit@chromium.org,
	mcchou@chromium.org,
	shawnku@google.com,
	linux-bluetooth@vger.kernel.org,
	linux-mediatek@lists.infradead.org,
	linux-kernel@vger.kernel.org
Subject: [PATCH RESEND] Bluetooth: btusb: medaitek: fix double free of skb in coredump
Date: Wed, 17 Apr 2024 16:27:38 -0700
Message-Id: <da0859c4b24d314d9ff38179c26a58ee7e3f16d6.1713395895.git.sean.wang@kernel.org>
X-Mailer: git-send-email 2.25.1
Precedence: bulk
X-Mailing-List: linux-bluetooth@vger.kernel.org
List-Id: <linux-bluetooth.vger.kernel.org>
List-Subscribe: <mailto:linux-bluetooth+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-bluetooth+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

From: Sean Wang <sean.wang@mediatek.com>

hci_devcd_append() would free the skb on error so the caller don't
have to free it again otherwise it would cause the double free of skb.

Fixes: 0b7015132878 ("Bluetooth: btusb: mediatek: add MediaTek devcoredump support")
Reported-by : Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
---
 drivers/bluetooth/btmtk.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c
index ac8ebccd3507..812fd2a8f853 100644
--- a/drivers/bluetooth/btmtk.c
+++ b/drivers/bluetooth/btmtk.c
@@ -380,8 +380,10 @@ int btmtk_process_coredump(struct hci_dev *hdev, struct sk_buff *skb)
 	switch (data->cd_info.state) {
 	case HCI_DEVCOREDUMP_IDLE:
 		err = hci_devcd_init(hdev, MTK_COREDUMP_SIZE);
-		if (err < 0)
+		if (err < 0) {
+			kfree_skb(skb);
 			break;
+		}
 		data->cd_info.cnt = 0;
 
 		/* It is supposed coredump can be done within 5 seconds */
@@ -407,9 +409,6 @@ int btmtk_process_coredump(struct hci_dev *hdev, struct sk_buff *skb)
 		break;
 	}
 
-	if (err < 0)
-		kfree_skb(skb);
-
 	return err;
 }
 EXPORT_SYMBOL_GPL(btmtk_process_coredump);
-- 
2.25.1