[PATCH] Bluetooth: MGMT: Fix memory leak in set_ssp

public inbox for linux-bluetooth@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] Bluetooth: MGMT: Fix memory leak in set_ssp_complete
@ 2026-01-21  5:29 Jianpeng Chang
  2026-01-21  6:13 ` bluez.test.bot
  2026-01-21 21:50 ` [PATCH] " patchwork-bot+bluetooth
  0 siblings, 2 replies; 3+ messages in thread
From: Jianpeng Chang @ 2026-01-21  5:29 UTC (permalink / raw)
  To: marcel, johan.hedberg, luiz.dentz
  Cc: linux-bluetooth, linux-kernel, Jianpeng Chang

Fix memory leak in set_ssp_complete() where mgmt_pending_cmd structures
are not freed after being removed from the pending list.

Commit 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") replaced
mgmt_pending_foreach() calls with individual command handling but missed
adding mgmt_pending_free() calls in both error and success paths of
set_ssp_complete(). Other completion functions like set_le_complete()
were fixed correctly in the same commit.

This causes a memory leak of the mgmt_pending_cmd structure and its
associated parameter data for each SSP command that completes.

Add the missing mgmt_pending_free(cmd) calls in both code paths to fix
the memory leak. Also fix the same issue in set_advertising_complete().

Fixes: 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs")
Signed-off-by: Jianpeng Chang <jianpeng.chang.cn@windriver.com>
---
 net/bluetooth/mgmt.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 5be9b8c91949..0e46f9e08b10 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -1966,6 +1966,7 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err)
 		}

 		mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_err);
+		mgmt_pending_free(cmd);
 		return;
 	}

@@ -1984,6 +1985,7 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err)
 		sock_put(match.sk);

 	hci_update_eir_sync(hdev);
+	mgmt_pending_free(cmd);
 }

 static int set_ssp_sync(struct hci_dev *hdev, void *data)
@@ -6438,6 +6440,7 @@ static void set_advertising_complete(struct hci_dev *hdev, void *data, int err)
 		hci_dev_clear_flag(hdev, HCI_ADVERTISING);

 	settings_rsp(cmd, &match);
+	mgmt_pending_free(cmd);

 	new_settings(hdev, match.sk);

-- 
2.52.0

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* RE: Bluetooth: MGMT: Fix memory leak in set_ssp_complete
  2026-01-21  5:29 [PATCH] Bluetooth: MGMT: Fix memory leak in set_ssp_complete Jianpeng Chang
@ 2026-01-21  6:13 ` bluez.test.bot
  2026-01-21 21:50 ` [PATCH] " patchwork-bot+bluetooth
  1 sibling, 0 replies; 3+ messages in thread
From: bluez.test.bot @ 2026-01-21  6:13 UTC (permalink / raw)
  To: linux-bluetooth, jianpeng.chang.cn

[-- Attachment #1: Type: text/plain, Size: 2673 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1044966

---Test result---

Test Summary:
CheckPatch                    PENDING   0.34 seconds
GitLint                       PENDING   0.22 seconds
SubjectPrefix                 PASS      0.19 seconds
BuildKernel                   PASS      26.82 seconds
CheckAllWarning               PASS      28.97 seconds
CheckSparse                   PASS      31.82 seconds
BuildKernel32                 PASS      25.55 seconds
TestRunnerSetup               PASS      553.55 seconds
TestRunner_l2cap-tester       PASS      28.87 seconds
TestRunner_iso-tester         PASS      87.97 seconds
TestRunner_bnep-tester        PASS      6.22 seconds
TestRunner_mgmt-tester        FAIL      115.12 seconds
TestRunner_rfcomm-tester      PASS      9.59 seconds
TestRunner_sco-tester         FAIL      14.64 seconds
TestRunner_ioctl-tester       PASS      10.34 seconds
TestRunner_mesh-tester        FAIL      11.50 seconds
TestRunner_smp-tester         PASS      8.66 seconds
TestRunner_userchan-tester    PASS      6.67 seconds
IncrementalBuild              PENDING   0.94 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 488 (98.8%), Failed: 2, Not Run: 4

Failed Test Cases
Read Exp Feature - Success                           Failed       0.104 seconds
LL Privacy - Add Device 2 (2 Devices to AL)          Failed       0.162 seconds
##############################
Test: TestRunner_sco-tester - FAIL
Desc: Run sco-tester with test-runner
Output:
WARNING: possible circular locking dependency detected
BUG: sleeping function called from invalid context at net/core/sock.c:3782
Total: 30, Passed: 30 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0

Failed Test Cases
Mesh - Send cancel - 1                               Timed out    1.785 seconds
Mesh - Send cancel - 2                               Timed out    1.998 seconds
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:



---
Regards,
Linux Bluetooth


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] Bluetooth: MGMT: Fix memory leak in set_ssp_complete
  2026-01-21  5:29 [PATCH] Bluetooth: MGMT: Fix memory leak in set_ssp_complete Jianpeng Chang
  2026-01-21  6:13 ` bluez.test.bot
@ 2026-01-21 21:50 ` patchwork-bot+bluetooth
  1 sibling, 0 replies; 3+ messages in thread
From: patchwork-bot+bluetooth @ 2026-01-21 21:50 UTC (permalink / raw)
  To: Jianpeng Chang
  Cc: marcel, johan.hedberg, luiz.dentz, linux-bluetooth, linux-kernel

Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Wed, 21 Jan 2026 13:29:26 +0800 you wrote:
> Fix memory leak in set_ssp_complete() where mgmt_pending_cmd structures
> are not freed after being removed from the pending list.
> 
> Commit 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") replaced
> mgmt_pending_foreach() calls with individual command handling but missed
> adding mgmt_pending_free() calls in both error and success paths of
> set_ssp_complete(). Other completion functions like set_le_complete()
> were fixed correctly in the same commit.
> 
> [...]

Here is the summary with links:
  - Bluetooth: MGMT: Fix memory leak in set_ssp_complete
    https://git.kernel.org/bluetooth/bluetooth-next/c/efa3d7c22e98

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-01-21 21:50 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-01-21  5:29 [PATCH] Bluetooth: MGMT: Fix memory leak in set_ssp_complete Jianpeng Chang
2026-01-21  6:13 ` bluez.test.bot
2026-01-21 21:50 ` [PATCH] " patchwork-bot+bluetooth

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox