* [PATCH 1/2] Bluetooth: ISO: free rx_skb if not consumed
@ 2025-09-22 18:11 Pauli Virtanen
2025-09-22 18:11 ` [PATCH 2/2] Bluetooth: ISO: don't leak skb in ISO_CONT RX Pauli Virtanen
2025-09-23 13:50 ` [PATCH 1/2] Bluetooth: ISO: free rx_skb if not consumed patchwork-bot+bluetooth
0 siblings, 2 replies; 3+ messages in thread
From: Pauli Virtanen @ 2025-09-22 18:11 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Pauli Virtanen
If iso_conn is freed when RX is incomplete, free any leftover skb piece.
Signed-off-by: Pauli Virtanen <pav@iki.fi>
---
net/bluetooth/iso.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index 5c68c0ea7d97..d63d4d6f874c 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -111,6 +111,8 @@ static void iso_conn_free(struct kref *ref)
/* Ensure no more work items will run since hci_conn has been dropped */
disable_delayed_work_sync(&conn->timeout_work);
+ kfree_skb(conn->rx_skb);
+
kfree(conn);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH 2/2] Bluetooth: ISO: don't leak skb in ISO_CONT RX
2025-09-22 18:11 [PATCH 1/2] Bluetooth: ISO: free rx_skb if not consumed Pauli Virtanen
@ 2025-09-22 18:11 ` Pauli Virtanen
2025-09-23 13:50 ` [PATCH 1/2] Bluetooth: ISO: free rx_skb if not consumed patchwork-bot+bluetooth
1 sibling, 0 replies; 3+ messages in thread
From: Pauli Virtanen @ 2025-09-22 18:11 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Pauli Virtanen
For ISO_CONT RX, the data from skb is copied to conn->rx_skb, but the
skb is leaked.
Free skb after copying its data.
Signed-off-by: Pauli Virtanen <pav@iki.fi>
---
net/bluetooth/iso.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index d63d4d6f874c..f5a9a13317df 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -2420,7 +2420,7 @@ void iso_recv(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
skb->len);
conn->rx_len -= skb->len;
- return;
+ break;
case ISO_END:
skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
--
2.51.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH 1/2] Bluetooth: ISO: free rx_skb if not consumed
2025-09-22 18:11 [PATCH 1/2] Bluetooth: ISO: free rx_skb if not consumed Pauli Virtanen
2025-09-22 18:11 ` [PATCH 2/2] Bluetooth: ISO: don't leak skb in ISO_CONT RX Pauli Virtanen
@ 2025-09-23 13:50 ` patchwork-bot+bluetooth
1 sibling, 0 replies; 3+ messages in thread
From: patchwork-bot+bluetooth @ 2025-09-23 13:50 UTC (permalink / raw)
To: Pauli Virtanen; +Cc: linux-bluetooth
Hello:
This series was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Mon, 22 Sep 2025 21:11:21 +0300 you wrote:
> If iso_conn is freed when RX is incomplete, free any leftover skb piece.
>
> Signed-off-by: Pauli Virtanen <pav@iki.fi>
> ---
> net/bluetooth/iso.c | 2 ++
> 1 file changed, 2 insertions(+)
Here is the summary with links:
- [1/2] Bluetooth: ISO: free rx_skb if not consumed
https://git.kernel.org/bluetooth/bluetooth-next/c/b18365fe359a
- [2/2] Bluetooth: ISO: don't leak skb in ISO_CONT RX
https://git.kernel.org/bluetooth/bluetooth-next/c/f7db34762ae5
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2025-09-23 13:50 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-09-22 18:11 [PATCH 1/2] Bluetooth: ISO: free rx_skb if not consumed Pauli Virtanen
2025-09-22 18:11 ` [PATCH 2/2] Bluetooth: ISO: don't leak skb in ISO_CONT RX Pauli Virtanen
2025-09-23 13:50 ` [PATCH 1/2] Bluetooth: ISO: free rx_skb if not consumed patchwork-bot+bluetooth
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox