[PATCH] Bluetooth: hci_ll: Fix firmware leak on error path

public inbox for linux-bluetooth@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] Bluetooth: hci_ll: Fix firmware leak on error path
@ 2026-03-14 16:56 Anas Iqbal
  2026-03-14 18:13 ` bluez.test.bot
  2026-03-15  8:54 ` [PATCH] " Paul Menzel
  0 siblings, 2 replies; 6+ messages in thread
From: Anas Iqbal @ 2026-03-14 16:56 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: marcel, luiz.dentz, linux-kernel, Anas Iqbal

Smatch reports:
drivers/bluetooth/hci_ll.c:587 download_firmware() warn:
'fw' from request_firmware() not released on lines: 544.

In download_firmware(), if request_firmware() succeeds but the returned
firmware has no data or size, the function returns immediately without
releasing the firmware, resulting in a resource leak.

Add a release_firmware() call before returning when request_firmware()
succeeds but the firmware contents are invalid.

Signed-off-by: Anas Iqbal <mohd.abd.6602@gmail.com>
---
 drivers/bluetooth/hci_ll.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/bluetooth/hci_ll.c b/drivers/bluetooth/hci_ll.c
index 91acf24f1ef5..91c96ad12342 100644
--- a/drivers/bluetooth/hci_ll.c
+++ b/drivers/bluetooth/hci_ll.c
@@ -541,6 +541,8 @@ static int download_firmware(struct ll_device *lldev)
 	if (err || !fw->data || !fw->size) {
 		bt_dev_err(lldev->hu.hdev, "request_firmware failed(errno %d) for %s",
 			   err, bts_scr_name);
+		if (!err)
+			release_firmware(fw);
 		return -EINVAL;
 	}
 	ptr = (void *)fw->data;
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 6+ messages in thread

* RE: Bluetooth: hci_ll: Fix firmware leak on error path
  2026-03-14 16:56 [PATCH] Bluetooth: hci_ll: Fix firmware leak on error path Anas Iqbal
@ 2026-03-14 18:13 ` bluez.test.bot
  2026-03-15  8:54 ` [PATCH] " Paul Menzel
  1 sibling, 0 replies; 6+ messages in thread
From: bluez.test.bot @ 2026-03-14 18:13 UTC (permalink / raw)
  To: linux-bluetooth, mohd.abd.6602

[-- Attachment #1: Type: text/plain, Size: 2833 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1066761

---Test result---

Test Summary:
CheckPatch                    PENDING   0.32 seconds
GitLint                       PENDING   0.24 seconds
SubjectPrefix                 PASS      0.09 seconds
BuildKernel                   PASS      27.29 seconds
CheckAllWarning               PASS      29.88 seconds
CheckSparse                   PASS      34.26 seconds
BuildKernel32                 PASS      26.62 seconds
TestRunnerSetup               PASS      576.28 seconds
TestRunner_l2cap-tester       PASS      29.71 seconds
TestRunner_iso-tester         FAIL      61.50 seconds
TestRunner_bnep-tester        PASS      6.49 seconds
TestRunner_mgmt-tester        FAIL      119.04 seconds
TestRunner_rfcomm-tester      PASS      9.99 seconds
TestRunner_sco-tester         FAIL      14.98 seconds
TestRunner_ioctl-tester       PASS      10.78 seconds
TestRunner_mesh-tester        FAIL      12.46 seconds
TestRunner_smp-tester         PASS      9.16 seconds
TestRunner_userchan-tester    PASS      7.05 seconds
IncrementalBuild              PENDING   0.84 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: TestRunner_iso-tester - FAIL
Desc: Run iso-tester with test-runner
Output:
BUG: KASAN: slab-use-after-free in le_read_features_complete+0x7e/0x2b0
Total: 141, Passed: 141 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4

Failed Test Cases
Read Exp Feature - Success                           Failed       0.117 seconds
##############################
Test: TestRunner_sco-tester - FAIL
Desc: Run sco-tester with test-runner
Output:
WARNING: possible circular locking dependency detected
BUG: sleeping function called from invalid context at net/core/sock.c:3782
Total: 30, Passed: 30 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0

Failed Test Cases
Mesh - Send cancel - 1                               Timed out    2.468 seconds
Mesh - Send cancel - 2                               Timed out    1.998 seconds
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:



---
Regards,
Linux Bluetooth


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] Bluetooth: hci_ll: Fix firmware leak on error path
  2026-03-14 16:56 [PATCH] Bluetooth: hci_ll: Fix firmware leak on error path Anas Iqbal
  2026-03-14 18:13 ` bluez.test.bot
@ 2026-03-15  8:54 ` Paul Menzel
  2026-03-15 10:51   ` [PATCH v2] " Anas Iqbal
  1 sibling, 1 reply; 6+ messages in thread
From: Paul Menzel @ 2026-03-15  8:54 UTC (permalink / raw)
  To: Anas Iqbal; +Cc: linux-bluetooth, marcel, luiz.dentz, linux-kernel

Dear Anas,


Thank you for your patch.

Am 14.03.26 um 17:56 schrieb Anas Iqbal:
> Smatch reports:
> drivers/bluetooth/hci_ll.c:587 download_firmware() warn:
> 'fw' from request_firmware() not released on lines: 544.
> 
> In download_firmware(), if request_firmware() succeeds but the returned
> firmware has no data or size, the function returns immediately without
> releasing the firmware, resulting in a resource leak.
> 
> Add a release_firmware() call before returning when request_firmware()
> succeeds but the firmware contents are invalid.

Change to *content is*.

> Signed-off-by: Anas Iqbal <mohd.abd.6602@gmail.com>

Please also add a Fixes: tag.

> ---
>   drivers/bluetooth/hci_ll.c | 2 ++
>   1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/bluetooth/hci_ll.c b/drivers/bluetooth/hci_ll.c
> index 91acf24f1ef5..91c96ad12342 100644
> --- a/drivers/bluetooth/hci_ll.c
> +++ b/drivers/bluetooth/hci_ll.c
> @@ -541,6 +541,8 @@ static int download_firmware(struct ll_device *lldev)
>   	if (err || !fw->data || !fw->size) {
>   		bt_dev_err(lldev->hu.hdev, "request_firmware failed(errno %d) for %s",
>   			   err, bts_scr_name);
> +		if (!err)
> +			release_firmware(fw);
>   		return -EINVAL;
>   	}
>   	ptr = (void *)fw->data;

With the improved commit message, feel free to add:

Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>


Kind regards,

Paul

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [PATCH v2] Bluetooth: hci_ll: Fix firmware leak on error path
  2026-03-15  8:54 ` [PATCH] " Paul Menzel
@ 2026-03-15 10:51   ` Anas Iqbal
  2026-03-15 11:18     ` [v2] " bluez.test.bot
  2026-03-18 16:40     ` [PATCH v2] " patchwork-bot+bluetooth
  0 siblings, 2 replies; 6+ messages in thread
From: Anas Iqbal @ 2026-03-15 10:51 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: linux-kernel, luiz.dentz, marcel, pmenzel, mohd.abd.6602

Smatch reports:

drivers/bluetooth/hci_ll.c:587 download_firmware() warn:
'fw' from request_firmware() not released on lines: 544.

In download_firmware(), if request_firmware() succeeds but the returned
firmware content is invalid (no data or zero size), the function returns
without releasing the firmware, resulting in a resource leak.

Fix this by calling release_firmware() before returning when
request_firmware() succeeded but the firmware content is invalid.

Fixes: 371805522f87 ("bluetooth: hci_uart: add LL protocol serdev driver support")
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Anas Iqbal <mohd.abd.6602@gmail.com>
---
v2:
 - Fix grammar ("content is")
 - Add Fixes tag
 - Add Reviewed-by tag from Paul Menzel
---
 drivers/bluetooth/hci_ll.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/bluetooth/hci_ll.c b/drivers/bluetooth/hci_ll.c
index 91acf24f1ef5..91c96ad12342 100644
--- a/drivers/bluetooth/hci_ll.c
+++ b/drivers/bluetooth/hci_ll.c
@@ -541,6 +541,8 @@ static int download_firmware(struct ll_device *lldev)
 	if (err || !fw->data || !fw->size) {
 		bt_dev_err(lldev->hu.hdev, "request_firmware failed(errno %d) for %s",
 			   err, bts_scr_name);
+		if (!err)
+			release_firmware(fw);
 		return -EINVAL;
 	}
 	ptr = (void *)fw->data;
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 6+ messages in thread

* RE: [v2] Bluetooth: hci_ll: Fix firmware leak on error path
  2026-03-15 10:51   ` [PATCH v2] " Anas Iqbal
@ 2026-03-15 11:18     ` bluez.test.bot
  2026-03-18 16:40     ` [PATCH v2] " patchwork-bot+bluetooth
  1 sibling, 0 replies; 6+ messages in thread
From: bluez.test.bot @ 2026-03-15 11:18 UTC (permalink / raw)
  To: linux-bluetooth, mohd.abd.6602

[-- Attachment #1: Type: text/plain, Size: 2593 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1066882

---Test result---

Test Summary:
CheckPatch                    PENDING   0.31 seconds
GitLint                       PENDING   0.22 seconds
SubjectPrefix                 PASS      0.11 seconds
BuildKernel                   PASS      26.00 seconds
CheckAllWarning               PASS      28.36 seconds
CheckSparse                   PASS      31.97 seconds
BuildKernel32                 PASS      25.34 seconds
TestRunnerSetup               PASS      558.92 seconds
TestRunner_l2cap-tester       PASS      29.29 seconds
TestRunner_iso-tester         PASS      82.40 seconds
TestRunner_bnep-tester        PASS      6.39 seconds
TestRunner_mgmt-tester        FAIL      115.38 seconds
TestRunner_rfcomm-tester      PASS      9.65 seconds
TestRunner_sco-tester         FAIL      14.87 seconds
TestRunner_ioctl-tester       PASS      10.42 seconds
TestRunner_mesh-tester        FAIL      12.47 seconds
TestRunner_smp-tester         PASS      8.82 seconds
TestRunner_userchan-tester    PASS      9.44 seconds
IncrementalBuild              PENDING   0.50 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4

Failed Test Cases
Read Exp Feature - Success                           Failed       0.104 seconds
##############################
Test: TestRunner_sco-tester - FAIL
Desc: Run sco-tester with test-runner
Output:
WARNING: possible circular locking dependency detected
BUG: sleeping function called from invalid context at net/core/sock.c:3782
Total: 30, Passed: 30 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0

Failed Test Cases
Mesh - Send cancel - 1                               Timed out    2.767 seconds
Mesh - Send cancel - 2                               Timed out    1.996 seconds
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:



---
Regards,
Linux Bluetooth


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v2] Bluetooth: hci_ll: Fix firmware leak on error path
  2026-03-15 10:51   ` [PATCH v2] " Anas Iqbal
  2026-03-15 11:18     ` [v2] " bluez.test.bot
@ 2026-03-18 16:40     ` patchwork-bot+bluetooth
  1 sibling, 0 replies; 6+ messages in thread
From: patchwork-bot+bluetooth @ 2026-03-18 16:40 UTC (permalink / raw)
  To: Anas Iqbal; +Cc: linux-bluetooth, linux-kernel, luiz.dentz, marcel, pmenzel

Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Sun, 15 Mar 2026 10:51:37 +0000 you wrote:
> Smatch reports:
> 
> drivers/bluetooth/hci_ll.c:587 download_firmware() warn:
> 'fw' from request_firmware() not released on lines: 544.
> 
> In download_firmware(), if request_firmware() succeeds but the returned
> firmware content is invalid (no data or zero size), the function returns
> without releasing the firmware, resulting in a resource leak.
> 
> [...]

Here is the summary with links:
  - [v2] Bluetooth: hci_ll: Fix firmware leak on error path
    https://git.kernel.org/bluetooth/bluetooth-next/c/0f1a322270bb

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2026-03-18 16:40 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-14 16:56 [PATCH] Bluetooth: hci_ll: Fix firmware leak on error path Anas Iqbal
2026-03-14 18:13 ` bluez.test.bot
2026-03-15  8:54 ` [PATCH] " Paul Menzel
2026-03-15 10:51   ` [PATCH v2] " Anas Iqbal
2026-03-15 11:18     ` [v2] " bluez.test.bot
2026-03-18 16:40     ` [PATCH v2] " patchwork-bot+bluetooth

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox