From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Jiri Slaby <jslaby@suse.cz>,
Marcel Holtmann <marcel@holtmann.org>
Subject: [PATCH 3.14 12/20] Bluetooth: vhci: purge unhandled skbs
Date: Mon, 30 May 2016 13:49:43 -0700 [thread overview]
Message-ID: <20160530204934.831956223@linuxfoundation.org> (raw)
In-Reply-To: <20160530204934.262210466@linuxfoundation.org>
3.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiri Slaby <jslaby@suse.cz>
commit 13407376b255325fa817798800117a839f3aa055 upstream.
The write handler allocates skbs and queues them into data->readq.
Read side should read them, if there is any. If there is none, skbs
should be dropped by hdev->flush. But this happens only if the device
is HCI_UP, i.e. hdev->power_on work was triggered already. When it was
not, skbs stay allocated in the queue when /dev/vhci is closed. So
purge the queue in ->release.
Program to reproduce:
#include <err.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/uio.h>
int main()
{
char buf[] = { 0xff, 0 };
struct iovec iov = {
.iov_base = buf,
.iov_len = sizeof(buf),
};
int fd;
while (1) {
fd = open("/dev/vhci", O_RDWR);
if (fd < 0)
err(1, "open");
usleep(50);
if (writev(fd, &iov, 1) < 0)
err(1, "writev");
usleep(50);
close(fd);
}
return 0;
}
Result:
kmemleak: 4609 new suspected memory leaks
unreferenced object 0xffff88059f4d5440 (size 232):
comm "vhci", pid 1084, jiffies 4294912542 (age 37569.296s)
hex dump (first 32 bytes):
20 f0 23 87 05 88 ff ff 20 f0 23 87 05 88 ff ff .#..... .#.....
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
...
[<ffffffff81ece010>] __alloc_skb+0x0/0x5a0
[<ffffffffa021886c>] vhci_create_device+0x5c/0x580 [hci_vhci]
[<ffffffffa0219436>] vhci_write+0x306/0x4c8 [hci_vhci]
Fixes: 23424c0d31 (Bluetooth: Add support creating virtual AMP controllers)
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/bluetooth/hci_vhci.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/bluetooth/hci_vhci.c
+++ b/drivers/bluetooth/hci_vhci.c
@@ -340,6 +340,7 @@ static int vhci_release(struct inode *in
hci_free_dev(hdev);
}
+ skb_queue_purge(&data->readq);
file->private_data = NULL;
kfree(data);
next prev parent reply other threads:[~2016-05-30 22:11 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-05-30 20:49 [PATCH 3.14 00/20] 3.14.71-stable review Greg Kroah-Hartman
2016-05-30 20:49 ` [PATCH 3.14 01/20] Btrfs: dont use src fd for printk Greg Kroah-Hartman
2016-05-30 20:49 ` [PATCH 3.14 02/20] arm/arm64: KVM: Enforce Break-Before-Make on Stage-2 page tables Greg Kroah-Hartman
2016-05-30 20:49 ` [PATCH 3.14 03/20] remove directory incorrectly tries to set delete on close on non-empty directories Greg Kroah-Hartman
2016-05-30 20:49 ` [PATCH 3.14 04/20] fs/cifs: correctly to anonymous authentication via NTLMSSP Greg Kroah-Hartman
2016-05-30 20:49 ` [PATCH 3.14 05/20] ring-buffer: Use long for nr_pages to avoid overflow failures Greg Kroah-Hartman
2016-05-30 20:49 ` [PATCH 3.14 06/20] ring-buffer: Prevent overflow of size in ring_buffer_resize() Greg Kroah-Hartman
2016-05-30 20:49 ` [PATCH 3.14 07/20] crypto: caam - fix caam_jr_alloc() ret code Greg Kroah-Hartman
2016-05-30 20:49 ` [PATCH 3.14 08/20] mfd: omap-usb-tll: Fix scheduling while atomic BUG Greg Kroah-Hartman
2016-05-30 20:49 ` [PATCH 3.14 09/20] mmc: mmc: Fix partition switch timeout for some eMMCs Greg Kroah-Hartman
2016-05-30 20:49 ` [PATCH 3.14 10/20] ACPI / osi: Fix an issue that acpi_osi=!* cannot disable ACPICA internal strings Greg Kroah-Hartman
2016-05-30 20:49 ` [PATCH 3.14 11/20] mmc: longer timeout for long read time quirk Greg Kroah-Hartman
2016-05-30 20:49 ` Greg Kroah-Hartman [this message]
2016-05-30 20:49 ` [PATCH 3.14 13/20] USB: serial: mxuport: fix use-after-free in probe error path Greg Kroah-Hartman
2016-05-30 20:49 ` [PATCH 3.14 14/20] USB: serial: keyspan: " Greg Kroah-Hartman
2016-05-30 20:49 ` [PATCH 3.14 15/20] USB: serial: quatech2: " Greg Kroah-Hartman
2016-05-30 20:49 ` [PATCH 3.14 16/20] USB: serial: io_edgeport: fix memory leaks in attach " Greg Kroah-Hartman
2016-05-30 20:49 ` [PATCH 3.14 17/20] USB: serial: io_edgeport: fix memory leaks in probe " Greg Kroah-Hartman
2016-05-30 20:49 ` [PATCH 3.14 18/20] USB: serial: option: add support for Cinterion PH8 and AHxx Greg Kroah-Hartman
2016-05-30 20:49 ` [PATCH 3.14 19/20] tty: vt, return error when con_startup fails Greg Kroah-Hartman
2016-05-30 20:49 ` [PATCH 3.14 20/20] serial: samsung: Reorder the sequence of clock control when call s3c24xx_serial_set_termios() Greg Kroah-Hartman
2016-06-01 5:23 ` [PATCH 3.14 00/20] 3.14.71-stable review Guenter Roeck
2016-06-01 14:19 ` Shuah Khan
2016-06-01 16:16 ` Greg Kroah-Hartman
[not found] ` <574e993f.92981c0a.59c4b.ffff8936@mx.google.com>
2016-06-01 16:17 ` Greg Kroah-Hartman
2016-06-01 17:38 ` Kevin Hilman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160530204934.831956223@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=jslaby@suse.cz \
--cc=linux-kernel@vger.kernel.org \
--cc=marcel@holtmann.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.