Patch "Bluetooth: btusb: Fix memory leak in btusb_mtk_wmt_recv" has been added to the 5.4-stable tree

This is a note to let you know that I've just added the patch titled

    Bluetooth: btusb: Fix memory leak in btusb_mtk_wmt_recv

to the 5.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bluetooth-btusb-fix-memory-leak-in-btusb_mtk_wmt_rec.patch
and it can be found in the queue-5.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 352657aa00e477219187ff2511ace551cb6b238b
Author: Jupeng Zhong <zhongjupeng@xxxxxxxxxx>
Date:   Tue Feb 2 09:39:13 2021 +0800

    Bluetooth: btusb: Fix memory leak in btusb_mtk_wmt_recv
    
    [ Upstream commit de71a6cb4bf24d8993b9ca90d1ddb131b60251a1 ]
    
    In btusb_mtk_wmt_recv if skb_clone fails, the allocated skb should be
    released.
    
    Omit the labels 'err_out' and 'err_free_skb' in this function
    implementation so that the desired exception handling code
    would be directly specified in the affected if branches.
    
    Fixes: a1c49c434e15 ("btusb: Add protocol support for MediaTek MT7668U USB devices")
    Signed-off-by: Jupeng Zhong <zhongjupeng@xxxxxxxxxx>
    Signed-off-by: Marcel Holtmann <marcel@xxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index b92bd97b1c399..b467fd05c5e82 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -2568,7 +2568,7 @@ static void btusb_mtk_wmt_recv(struct urb *urb)
 		skb = bt_skb_alloc(HCI_WMT_MAX_EVENT_SIZE, GFP_ATOMIC);
 		if (!skb) {
 			hdev->stat.err_rx++;
-			goto err_out;
+			return;
 		}
 
 		hci_skb_pkt_type(skb) = HCI_EVENT_PKT;
@@ -2586,13 +2586,18 @@ static void btusb_mtk_wmt_recv(struct urb *urb)
 		 */
 		if (test_bit(BTUSB_TX_WAIT_VND_EVT, &data->flags)) {
 			data->evt_skb = skb_clone(skb, GFP_ATOMIC);
-			if (!data->evt_skb)
-				goto err_out;
+			if (!data->evt_skb) {
+				kfree_skb(skb);
+				return;
+			}
 		}
 
 		err = hci_recv_frame(hdev, skb);
-		if (err < 0)
-			goto err_free_skb;
+		if (err < 0) {
+			kfree_skb(data->evt_skb);
+			data->evt_skb = NULL;
+			return;
+		}
 
 		if (test_and_clear_bit(BTUSB_TX_WAIT_VND_EVT,
 				       &data->flags)) {
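
Review bot: in the new `if (!data->evt_skb)` branch the skb is freed and the function returns, but unlike the `!skb` allocation failure earlier in the function it does not bump `hdev->stat.err_rx`, and BTUSB_TX_WAIT_VND_EVT stays set with no wake_up_bit(), so a waiter on that bit is left to whatever timeout it has. Consider counting the error there so dropped vendor events are visible in the stats. In the `err < 0` branch only `data->evt_skb` is freed; that is correct only because hci_recv_frame() consumes `skb` on failure, which deserves a one-line comment so that nobody later adds a second kfree_skb(skb) and turns the leak fix into a double free.
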
@@ -2601,11 +2606,6 @@ static void btusb_mtk_wmt_recv(struct urb *urb)
 			wake_up_bit(&data->flags,
 				    BTUSB_TX_WAIT_VND_EVT);
 		}
-err_out:
-		return;
-err_free_skb:
-		kfree_skb(data->evt_skb);
-		data->evt_skb = NULL;
 		return;
 	} else if (urb->status == -ENOENT) {
 		/* Avoid suspend failed when usb_kill_urb */
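
Review bot: with `err_out:` and `err_free_skb:` deleted here, any `goto` to either label left elsewhere in btusb_mtk_wmt_recv would break the build; the visible hunks convert three jumps, so confirm against the 5.4 copy of the function that those are all of them, since backport context can differ from upstream. The trailing `return;` kept after the wake_up_bit() block is still needed because an `else if` branch follows it.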


