diff mbox series

[Linux-kernel-mentees] bluetooth: hci_h5: close serdev device and free hu in h5_close

Message ID 20200929185815.12879-1-anant.thazhemadam@gmail.com (mailing list archive)
State New, archived
Headers show
Series [Linux-kernel-mentees] bluetooth: hci_h5: close serdev device and free hu in h5_close | expand

Commit Message

Anant Thazhemadam Sept. 29, 2020, 6:58 p.m. UTC 
When h5_close() gets called, the memory allocated for the hu gets 
freed only if hu->serdev doesn't exist. This leads to a memory leak.
So when h5_close() is requested, close the serdev device instance and
free the memory allocated to the hu entirely instead.

Fixes: https://syzkaller.appspot.com/bug?extid=6ce141c55b2f7aafd1c4
Reported-by: syzbot+6ce141c55b2f7aafd1c4@syzkaller.appspotmail.com
Tested-by: syzbot+6ce141c55b2f7aafd1c4@syzkaller.appspotmail.com
Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
---
 drivers/bluetooth/hci_h5.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

Comments

Marcel Holtmann Oct. 1, 2020, 7:08 a.m. UTC | #1 
Hi Anant,

> When h5_close() gets called, the memory allocated for the hu gets 
> freed only if hu->serdev doesn't exist. This leads to a memory leak.
> So when h5_close() is requested, close the serdev device instance and
> free the memory allocated to the hu entirely instead.
> 
> Fixes: https://syzkaller.appspot.com/bug?extid=6ce141c55b2f7aafd1c4
> Reported-by: syzbot+6ce141c55b2f7aafd1c4@syzkaller.appspotmail.com
> Tested-by: syzbot+6ce141c55b2f7aafd1c4@syzkaller.appspotmail.com
> Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
> ---
> drivers/bluetooth/hci_h5.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)

patch has been applied to bluetooth-next tree.

Regards

Marcel
Anant Thazhemadam Oct. 1, 2020, 7:15 a.m. UTC | #2 
On 01/10/20 12:38 pm, Marcel Holtmann wrote:
> Hi Anant,
>
>> When h5_close() gets called, the memory allocated for the hu gets 
>> freed only if hu->serdev doesn't exist. This leads to a memory leak.
>> So when h5_close() is requested, close the serdev device instance and
>> free the memory allocated to the hu entirely instead.
>>
>> Fixes: https://syzkaller.appspot.com/bug?extid=6ce141c55b2f7aafd1c4
>> Reported-by: syzbot+6ce141c55b2f7aafd1c4@syzkaller.appspotmail.com
>> Tested-by: syzbot+6ce141c55b2f7aafd1c4@syzkaller.appspotmail.com
>> Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
>> ---
>> drivers/bluetooth/hci_h5.c | 8 ++++++--
>> 1 file changed, 6 insertions(+), 2 deletions(-)
> patch has been applied to bluetooth-next tree.
>
> Regards
>
> Marcel

Great! Thanks :)

Thanks,
Anant
diff mbox series

Patch

diff --git a/drivers/bluetooth/hci_h5.c b/drivers/bluetooth/hci_h5.c
index e41854e0d79a..3d1585add572 100644
--- a/drivers/bluetooth/hci_h5.c
+++ b/drivers/bluetooth/hci_h5.c
@@ -248,8 +248,12 @@  static int h5_close(struct hci_uart *hu)
 	if (h5->vnd && h5->vnd->close)
 		h5->vnd->close(h5);
 
-	if (!hu->serdev)
-		kfree(h5);
+	if (hu->serdev)
+		serdev_device_close(hu->serdev);
+
+	kfree_skb(h5->rx_skb);
+	kfree(h5);
+	h5 = NULL;
 
 	return 0;
 }