Hi Kieran, > if btmrvl_tx_pkt() is called, and the branch > if (skb_headroom(skb) < BTM_HEADER_LEN) > evaluates positive, a new skb is allocated via skb_realloc_headroom. > > The original skb is stored in a tmp variable, before being free'd. > However on success, the new skb, is not free'd, nor is it > returned to the caller which will then double-free the original skb. > > This issue exists from the original driver submission in > commit: #132ff4e5fa8dfb71a7d99902f88043113947e972 > > If this code path had been alive, it would have been noted from the > double-free causing a panic. > > All skb's here should be allocated through bt_skb_alloc which > adds 8 bytes as headroom, which is plenty against the 4 bytes > pushed on by this driver. > > This code path is dead, and buggy at the same time, so the cleanest > approach is to remove the affected branch. > > Reported by coverity (CID 113422) > > Signed-off-by: Kieran Bingham <kieranbingham@xxxxxxxxx> > --- > drivers/bluetooth/btmrvl_main.c | 14 -------------- > 1 file changed, 14 deletions(-) patch has been applied to bluetooth-next tree. Regards Marcel -- To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
