Patch "Bluetooth: Fix memory leak in read_adv_mon_features()" has been added to the 5.9-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Mon, 26 Oct 2020 01:10:43 -0400

This is a note to let you know that I've just added the patch titled

    Bluetooth: Fix memory leak in read_adv_mon_features()

to the 5.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bluetooth-fix-memory-leak-in-read_adv_mon_features.patch
and it can be found in the queue-5.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit e1ca94c7bf42577925791a019a398086d43fbcbd
Author: Peilin Ye <yepeilin.cs@xxxxxxxxx>
Date:   Wed Sep 9 03:25:51 2020 -0400

    Bluetooth: Fix memory leak in read_adv_mon_features()
    
    [ Upstream commit cafd472a10ff3bccd8afd25a69f20a491cd8d7b8 ]
    
    read_adv_mon_features() is leaking memory. Free `rp` before returning.
    
    Fixes: e5e1e7fd470c ("Bluetooth: Add handler of MGMT_OP_READ_ADV_MONITOR_FEATURES")
    Reported-and-tested-by: syzbot+f7f6e564f4202d8601c6@xxxxxxxxxxxxxxxxxxxxxxxxx
    Link: https://syzkaller.appspot.com/bug?extid=f7f6e564f4202d8601c6
    Signed-off-by: Peilin Ye <yepeilin.cs@xxxxxxxxx>
    Signed-off-by: Marcel Holtmann <marcel@xxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 5758ccb524ef7..12a7cc9840b4d 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -4162,7 +4162,7 @@ static int read_adv_mon_features(struct sock *sk, struct hci_dev *hdev,
 {
 	struct adv_monitor *monitor = NULL;
 	struct mgmt_rp_read_adv_monitor_features *rp = NULL;
-	int handle;
+	int handle, err;
 	size_t rp_size = 0;
 	__u32 supported = 0;
 	__u16 num_handles = 0;
@@ -4197,9 +4197,13 @@ static int read_adv_mon_features(struct sock *sk, struct hci_dev *hdev,
 	if (num_handles)
 		memcpy(&rp->handles, &handles, (num_handles * sizeof(u16)));
 
-	return mgmt_cmd_complete(sk, hdev->id,
-				 MGMT_OP_READ_ADV_MONITOR_FEATURES,
-				 MGMT_STATUS_SUCCESS, rp, rp_size);
+	err = mgmt_cmd_complete(sk, hdev->id,
+				MGMT_OP_READ_ADV_MONITOR_FEATURES,
+				MGMT_STATUS_SUCCESS, rp, rp_size);
+
+	kfree(rp);
+
+	return err;
 }
 
 static int add_adv_patterns_monitor(struct sock *sk, struct hci_dev *hdev,






