Commit 4ce9146

Tomas Bortoli authored and holtmann committed
Bluetooth: hci_bcsp: Fix memory leak in rx_skb

Syzkaller found that it is possible to provoke a memory leak by never freeing rx_skb in struct bcsp_struct.

Fix by freeing in bcsp_close()

Signed-off-by: Tomas Bortoli <[email protected]>
Reported-by: [email protected]
Signed-off-by: Marcel Holtmann <[email protected]>

1 parent 6c595ea commit 4ce9146

1 file changed: +5 -0 lines changed

drivers/bluetooth/hci_bcsp.c

Lines changed: 5 additions & 0 deletions
@@ -744,6 +744,11 @@ static int bcsp_close(struct hci_uart *hu)
744744
skb_queue_purge(&bcsp->rel);
745745
skb_queue_purge(&bcsp->unrel);
746746

747+
if (bcsp->rx_skb) {
748+
kfree_skb(bcsp->rx_skb);
749+
bcsp->rx_skb = NULL;
750+
}
751+
747752
kfree(bcsp);
748753
return 0;
749754
}
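
Review bot: The `if (bcsp->rx_skb)` guard and the `bcsp->rx_skb = NULL;` assignment at new lines 747-750 are both unnecessary. kfree_skb() returns immediately when passed a NULL pointer, and bcsp itself is released by the `kfree(bcsp);` on the following line, so clearing the field has no lasting effect. A single `kfree_skb(bcsp->rx_skb);` after the two skb_queue_purge() calls would do the same job. The commit message would also benefit from a Fixes: tag and a sentence saying which path leaves rx_skb allocated at close time, since the hunk alone does not show where rx_skb is set.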
