Hi,

On 10/7/20 5:48 AM, Anant Thazhemadam wrote:
> If h5_close is called when !hu->serdev, h5 is directly freed.
> However, h5->rx_skb is not freed, which causes a memory leak.
>
> Freeing h5->rx_skb fixes this memory leak.
>
> In case hu->serdev exists, h5->rx_skb is then set to NULL,
> since we do not want to risk a potential NULL pointer
> dereference.
>
> Fixes: ce945552fde4 ("Bluetooth: hci_h5: Add support for serdev enumerated devices")
> Reported-by: syzbot+6ce141c55b2f7aafd1c4@xxxxxxxxxxxxxxxxxxxxxxxxx
> Tested-by: syzbot+6ce141c55b2f7aafd1c4@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Anant Thazhemadam <anant.thazhemadam@xxxxxxxxx>
> ---
> Changes in v4:
> * Free h5->rx_skb even when hu->serdev
>   (Suggested by Hans de Goede <hdegoede@xxxxxxxxxx>)
> * If hu->serdev, then assign h5->rx_skb = NULL
>
> Changes in v3:
> * Free h5->rx_skb when !hu->serdev, and fix the memory leak
> * Do not incorrectly and unnecessarily call serdev_device_close()
>
> Changes in v2:
> * Fixed the Fixes tag
>
> drivers/bluetooth/hci_h5.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/bluetooth/hci_h5.c b/drivers/bluetooth/hci_h5.c
> index e41854e0d79a..39f9553caa5c 100644
> --- a/drivers/bluetooth/hci_h5.c
> +++ b/drivers/bluetooth/hci_h5.c
> @@ -245,11 +245,15 @@ static int h5_close(struct hci_uart *hu)
>  	skb_queue_purge(&h5->rel);
>  	skb_queue_purge(&h5->unrel);
>  
> +	kfree_skb(h5->rx_skb);
> +
>  	if (h5->vnd && h5->vnd->close)
>  		h5->vnd->close(h5);
>  
>  	if (!hu->serdev)
>  		kfree(h5);
> +	else
> +		h5->rx_skb = NULL;

Please just do this unconditionally directly after the kfree_skb()

So after this comment has been addressed the end result should look like this:

	skb_queue_purge(&h5->rel);
	skb_queue_purge(&h5->unrel);

	kfree_skb(h5->rx_skb);
	h5->rx_skb = NULL;

	if (h5->vnd && h5->vnd->close)
		h5->vnd->close(h5);

	if (!hu->serdev)
		kfree(h5);

	return 0;

Regards,

Hans
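Review bot: in the h5_close() hunk, h5->rx_skb is left pointing at freed memory between the added kfree_skb(h5->rx_skb) and the h5->rx_skb = NULL that only the new else branch performs, so the h5->vnd->close(h5) callback in between runs with a dangling pointer stored in the h5 struct. Clear the pointer unconditionally right where the skb is freed, i.e. "kfree_skb(h5->rx_skb);" followed by "h5->rx_skb = NULL;", and drop the "else" branch after kfree(h5); that also removes the split between the serdev and non-serdev paths, since clearing a field of a struct that is about to be kfree()'d is harmless.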