This is a note to let you know that I've just added the patch titled
Bluetooth: btqcomsmd: Fix skb double free corruption
to the 4.15-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
bluetooth-btqcomsmd-fix-skb-double-free-corruption.patch
and it can be found in the queue-4.15 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From foo@baz Thu Mar 22 14:03:39 CET 2018
From: Loic Poulain <loic.poulain@xxxxxxxxxx>
Date: Wed, 22 Nov 2017 15:03:17 +0100
Subject: Bluetooth: btqcomsmd: Fix skb double free corruption
From: Loic Poulain <loic.poulain@xxxxxxxxxx>
[ Upstream commit 67b8fbead4685b36d290a0ef91c6ddffc4920ec9 ]
In case of hci send frame failure, skb is still owned
by the caller (hci_core) and then should not be freed.
This fixes crash on dragonboard-410c when sending SCO
packet. skb is freed by both btqcomsmd and hci_core.
Fixes: 1511cc750c3d ("Bluetooth: Introduce Qualcomm WCNSS SMD based HCI driver")
Signed-off-by: Loic Poulain <loic.poulain@xxxxxxxxxx>
Signed-off-by: Marcel Holtmann <marcel@xxxxxxxxxxxx>
Signed-off-by: Sasha Levin <alexander.levin@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/bluetooth/btqcomsmd.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/bluetooth/btqcomsmd.c
+++ b/drivers/bluetooth/btqcomsmd.c
@@ -88,7 +88,8 @@ static int btqcomsmd_send(struct hci_dev
break;
}
- kfree_skb(skb);
+ if (!ret)
+ kfree_skb(skb);
return ret;
}
Patches currently in stable-queue which might be from loic.poulain@xxxxxxxxxx are
queue-4.15/bluetooth-btqcomsmd-fix-skb-double-free-corruption.patch
queue-4.15/bluetooth-hci_qca-avoid-setup-failure-on-missing-rampatch.patch