Message ID | 20201016131447.32107-1-anant.thazhemadam@gmail.com (mailing list archive) |
---|---|
State | New, archived |
Series | [v5] bluetooth: hci_h5: fix memory leak in h5_close |
Hi,

On 10/16/20 3:14 PM, Anant Thazhemadam wrote:
> When h5_close() is called, h5 is directly freed when !hu->serdev.
> However, h5->rx_skb is not freed, which causes a memory leak.
>
> Freeing h5->rx_skb and setting it to NULL, fixes this memory leak.
>
> Fixes: ce945552fde4 ("Bluetooth: hci_h5: Add support for serdev enumerated devices")
> Reported-by: syzbot+6ce141c55b2f7aafd1c4@syzkaller.appspotmail.com
> Tested-by: syzbot+6ce141c55b2f7aafd1c4@syzkaller.appspotmail.com
> Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>

Patch looks good to me now:

Reviewed-by: Hans de Goede <hdegoede@redhat.com>

Regards,

Hans

> ---
> Changes in v5:
> * Set h5->rx_skb = NULL unconditionally - to improve code
> readability
> * Update commit message accordingly
>
> Changes in v4:
> * Free h5->rx_skb even when hu->serdev
> (Suggested by Hans de Goede <hdegoede@redhat.com>)
> * If hu->serdev, then assign h5->rx_skb = NULL
>
> Changes in v3:
> * Free h5->rx_skb when !hu->serdev, and fix the memory leak
> * Do not incorrectly and unnecessarily call serdev_device_close()
>
> Changes in v2:
> * Fixed the Fixes tag
>
>
> drivers/bluetooth/hci_h5.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/bluetooth/hci_h5.c b/drivers/bluetooth/hci_h5.c > index e41854e0d79a..0ef253136b06 100644 > --- a/drivers/bluetooth/hci_h5.c > +++ b/drivers/bluetooth/hci_h5.c > @@ -245,6 +245,9 @@ static int h5_close(struct hci_uart *hu) > skb_queue_purge(&h5->rel); > skb_queue_purge(&h5->unrel); > > + kfree_skb(h5->rx_skb); > + h5->rx_skb = NULL; > + > if (h5->vnd && h5->vnd->close) > h5->vnd->close(h5); > >
Hi Anant,

> When h5_close() is called, h5 is directly freed when !hu->serdev.
> However, h5->rx_skb is not freed, which causes a memory leak.
>
> Freeing h5->rx_skb and setting it to NULL, fixes this memory leak.
>
> Fixes: ce945552fde4 ("Bluetooth: hci_h5: Add support for serdev enumerated devices")
> Reported-by: syzbot+6ce141c55b2f7aafd1c4@syzkaller.appspotmail.com
> Tested-by: syzbot+6ce141c55b2f7aafd1c4@syzkaller.appspotmail.com
> Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
> ---
> Changes in v5:
> * Set h5->rx_skb = NULL unconditionally - to improve code
> readability
> * Update commit message accordingly
>
> Changes in v4:
> * Free h5->rx_skb even when hu->serdev
> (Suggested by Hans de Goede <hdegoede@redhat.com>)
> * If hu->serdev, then assign h5->rx_skb = NULL
>
> Changes in v3:
> * Free h5->rx_skb when !hu->serdev, and fix the memory leak
> * Do not incorrectly and unnecessarily call serdev_device_close()
>
> Changes in v2:
> * Fixed the Fixes tag
>
>
> drivers/bluetooth/hci_h5.c | 3 +++
> 1 file changed, 3 insertions(+)

Patch has been applied to the bluetooth-next tree.

Regards

Marcel
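The lifecycle the commit message describes, as an added example that is not part of the patch or of the kernel source: a small model of h5_close() with a slot-based stand-in for the skb allocator (constructed here, not the kernel's), so that a leaked receive buffer and a double free can be counted. The two paths from the changelog are both modelled: without serdev the struct h5 is dropped after every close (as kfree(h5) does in the driver), with serdev the same struct h5 is reused across open/close, which is why clearing the pointer matters and not only freeing it. All names ending in _mock, run_cycles and the counters are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SKB_SLOTS 8

/* constructed stand-in for struct sk_buff: one slot of a fixed pool */
struct sk_buff {
    bool in_use;
    size_t len;
};

static struct sk_buff skb_pool[SKB_SLOTS];
static int skb_live;         /* slots currently allocated */
static int skb_double_frees; /* frees of a slot that was already released */

/* stand-in for alloc_skb(): first free slot, NULL when the pool is exhausted */
static struct sk_buff *alloc_skb_mock(void)
{
    for (int i = 0; i < SKB_SLOTS; i++) {
        if (!skb_pool[i].in_use) {
            skb_pool[i].in_use = true;
            skb_pool[i].len = 0;
            skb_live++;
            return &skb_pool[i];
        }
    }
    return NULL;
}

/* stand-in for kfree_skb(): NULL is a no-op, as with the real function;
 * a second free of the same slot is recorded instead of corrupting memory */
static void kfree_skb_mock(struct sk_buff *skb)
{
    if (!skb)
        return;
    if (!skb->in_use) {
        skb_double_frees++;
        return;
    }
    skb->in_use = false;
    skb_live--;
}

/* the driver state the patch touches: the half-assembled receive packet */
struct h5 {
    struct sk_buff *rx_skb;
};

/* a partial packet arrives and is parked in rx_skb until the rest shows up */
static void h5_recv_partial(struct h5 *h5, size_t n)
{
    if (!h5->rx_skb)
        h5->rx_skb = alloc_skb_mock();
    if (h5->rx_skb)
        h5->rx_skb->len += n;
}

/* before the patch: rel/unrel queues were purged, rx_skb was forgotten */
static void h5_close_leaky(struct h5 *h5)
{
    (void)h5;
}

/* free without clearing: enough for the !serdev path (h5 is freed right
 * after), wrong when the same h5 is reopened and closed again */
static void h5_close_free_only(struct h5 *h5)
{
    kfree_skb_mock(h5->rx_skb);
}

/* the patched close(): free the pending skb and clear the pointer, unconditionally */
static void h5_close_fixed(struct h5 *h5)
{
    kfree_skb_mock(h5->rx_skb);
    h5->rx_skb = NULL;
}

int skb_double_free_count(void)
{
    return skb_double_frees;
}

/* Run open -> partial receive -> close `cycles` times and return the number
 * of skbs still allocated afterwards (0 means nothing leaked). */
int run_cycles(bool serdev, void (*close_fn)(struct h5 *), int cycles)
{
    struct h5 persistent = { .rx_skb = NULL }; /* serdev: h5 survives close */

    memset(skb_pool, 0, sizeof(skb_pool));
    skb_live = 0;
    skb_double_frees = 0;

    for (int i = 0; i < cycles; i++) {
        struct h5 fresh = { .rx_skb = NULL };  /* !serdev: new h5 per open */
        struct h5 *h5 = serdev ? &persistent : &fresh;

        h5_recv_partial(h5, 3); /* a few header bytes, then the link goes down */
        close_fn(h5);
    }
    return skb_live;
}

int main(void)
{
    printf("leaky close, !serdev: %d skb(s) leaked\n", run_cycles(false, h5_close_leaky, 3));
    printf("fixed close, !serdev: %d skb(s) leaked\n", run_cycles(false, h5_close_fixed, 3));
    run_cycles(true, h5_close_free_only, 2);
    printf("free without NULL, serdev: %d double free(s)\n", skb_double_free_count());
    run_cycles(true, h5_close_fixed, 2);
    printf("fixed close, serdev: %d double free(s)\n", skb_double_free_count());
    return 0;
}
```

The leaky variant loses one skb per open/close round on the !serdev path, which is the growth pattern a leak detector such as the syzbot report keyed on; the free-only variant stops that leak but, on the serdev path, hands the stale pointer to the free routine again on the next close. Only the patched form clears both counters.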
diff --git a/drivers/bluetooth/hci_h5.c b/drivers/bluetooth/hci_h5.c index e41854e0d79a..0ef253136b06 100644 --- a/drivers/bluetooth/hci_h5.c +++ b/drivers/bluetooth/hci_h5.c @@ -245,6 +245,9 @@ static int h5_close(struct hci_uart *hu) skb_queue_purge(&h5->rel); skb_queue_purge(&h5->unrel); + kfree_skb(h5->rx_skb); + h5->rx_skb = NULL; + if (h5->vnd && h5->vnd->close) h5->vnd->close(h5);
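Review bot: The `h5->rx_skb = NULL;` line is the part that keeps the serdev path safe, and the commit message should say so rather than the changelog filing it under readability: per the v4 note, h5 is only freed when !hu->serdev, so on the serdev path the same struct h5 survives close, and a later open/close would otherwise hand the stale pointer to kfree_skb() a second time. The unconditional `kfree_skb(h5->rx_skb);` is fine as written, since kfree_skb() treats a NULL argument as a no-op, so no `if (h5->rx_skb)` guard is needed.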