releases/4.4.187/bluetooth-hci_bcsp-fix-memory-leak-in-rx_skb.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 4f212364bae71d6d764313135e659642d1caa1e2 Mon Sep 17 00:00:00 2001
 From: Tomas Bortoli <tomasbortoli@gmail.com>
 Date: Tue, 28 May 2019 15:42:58 +0200
 Subject: Bluetooth: hci_bcsp: Fix memory leak in rx_skb

 [ Upstream commit 4ce9146e0370fcd573f0372d9b4e5a211112567c ]

 Syzkaller found that it is possible to provoke a memory leak by
 never freeing rx_skb in struct bcsp_struct.

 Fix by freeing in bcsp_close()

 Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
 Reported-by: syzbot+98162c885993b72f19c4@syzkaller.appspotmail.com
 Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
 Signed-off-by: Sasha Levin <sashal@kernel.org>
 ---
  drivers/bluetooth/hci_bcsp.c | 5 +++++
  1 file changed, 5 insertions(+)

 diff --git a/drivers/bluetooth/hci_bcsp.c b/drivers/bluetooth/hci_bcsp.c
 index d0b615a932d1..9833b53a8b50 100644
 --- a/drivers/bluetooth/hci_bcsp.c
 +++ b/drivers/bluetooth/hci_bcsp.c
 @@ -729,6 +729,11 @@ static int bcsp_close(struct hci_uart *hu)
  	skb_queue_purge(&bcsp->rel);
  	skb_queue_purge(&bcsp->unrel);

 +	if (bcsp->rx_skb) {
 +		kfree_skb(bcsp->rx_skb);
 +		bcsp->rx_skb = NULL;
 +	}
 +
  	kfree(bcsp);
  	return 0;
  }
 --
 2.20.1
	From 4f212364bae71d6d764313135e659642d1caa1e2 Mon Sep 17 00:00:00 2001
	From: Tomas Bortoli <tomasbortoli@gmail.com>
	Date: Tue, 28 May 2019 15:42:58 +0200
	Subject: Bluetooth: hci_bcsp: Fix memory leak in rx_skb

	[ Upstream commit 4ce9146e0370fcd573f0372d9b4e5a211112567c ]

	Syzkaller found that it is possible to provoke a memory leak by
	never freeing rx_skb in struct bcsp_struct.

	Fix by freeing in bcsp_close()

	Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
	Reported-by: syzbot+98162c885993b72f19c4@syzkaller.appspotmail.com
	Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
	Signed-off-by: Sasha Levin <sashal@kernel.org>
	---
	drivers/bluetooth/hci_bcsp.c \| 5 +++++
	1 file changed, 5 insertions(+)

	diff --git a/drivers/bluetooth/hci_bcsp.c b/drivers/bluetooth/hci_bcsp.c
	index d0b615a932d1..9833b53a8b50 100644
	--- a/drivers/bluetooth/hci_bcsp.c
	+++ b/drivers/bluetooth/hci_bcsp.c
	@@ -729,6 +729,11 @@ static int bcsp_close(struct hci_uart *hu)
	skb_queue_purge(&bcsp->rel);
	skb_queue_purge(&bcsp->unrel);

	+ if (bcsp->rx_skb) {
	+ kfree_skb(bcsp->rx_skb);
	+ bcsp->rx_skb = NULL;
	+ }
	+
	kfree(bcsp);
	return 0;
	}
	--
	2.20.1