[PATCH] Bluetooth: hci_conn: Fix memory leak in hci_le_big_terminate()

[PATCH] Bluetooth: hci_conn: Fix memory leak in hci_le_big_terminate()

[Pavitra Jha]

hci_le_big_terminate() allocates iso_list_data via kzalloc_obj but
returns 0 without freeing it when neither pa_sync_term nor big_sync_term
flags are set after evaluating the PA and BIG sync connection state.

This early-return path was introduced when hci_le_big_terminate() was
refactored to take struct hci_conn instead of raw u8 parameters, adding
PA/BIG flag evaluation logic. The existing kfree() on hci_cmd_sync_queue
failure does not cover this path.

Fixes: 1ffee96604de ("Bluetooth: Add PA_LINK to distinguish BIG sync and PA sync connections")
Cc: stable@vger.kernel.org
Signed-off-by: Pavitra Jha <jhapavitra98@gmail.com>
---
 net/bluetooth/hci_conn.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 11d3ad8d2..9c5a3dbf8 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -803,8 +803,10 @@ static int hci_le_big_terminate(struct hci_dev *hdev, struct hci_conn *conn)
 			d->big_sync_term = true;
 	}
 
-	if (!d->pa_sync_term && !d->big_sync_term)
+	if (!d->pa_sync_term && !d->big_sync_term) {
+		kfree(d);
 		return 0;
+	}
 
 	ret = hci_cmd_sync_queue(hdev, big_terminate_sync, d,
 				 terminate_big_destroy);
-- 
2.53.0

RE: Bluetooth: hci_conn: Fix memory leak in hci_le_big_terminate()

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 1482 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1098541

---Test result---

Test Summary:
CheckPatch                    PASS      0.75 seconds
GitLint                       PASS      0.34 seconds
SubjectPrefix                 PASS      0.13 seconds
BuildKernel                   PASS      27.54 seconds
CheckAllWarning               PASS      29.95 seconds
CheckSparse                   PASS      28.59 seconds
BuildKernel32                 PASS      26.38 seconds
TestRunnerSetup               PASS      589.00 seconds
TestRunner_l2cap-tester       PASS      379.35 seconds
TestRunner_iso-tester         PASS      597.75 seconds
TestRunner_bnep-tester        PASS      19.30 seconds
TestRunner_mgmt-tester        PASS      2024.30 seconds
TestRunner_rfcomm-tester      PASS      63.92 seconds
TestRunner_sco-tester         PASS      142.85 seconds
TestRunner_ioctl-tester       PASS      134.60 seconds
TestRunner_mesh-tester        PASS      60.19 seconds
TestRunner_smp-tester         PASS      18.14 seconds
TestRunner_userchan-tester    PASS      19.35 seconds
TestRunner_6lowpan-tester     PASS      51.23 seconds
IncrementalBuild              PASS      25.94 seconds



https://github.com/bluez/bluetooth-next/pull/229

---
Regards,
Linux Bluetooth

Re: [PATCH] Bluetooth: hci_conn: Fix memory leak in hci_le_big_terminate()

[patchwork-bot+bluetooth]

Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Thu, 21 May 2026 04:04:14 -0400 you wrote:
> hci_le_big_terminate() allocates iso_list_data via kzalloc_obj but
> returns 0 without freeing it when neither pa_sync_term nor big_sync_term
> flags are set after evaluating the PA and BIG sync connection state.
> 
> This early-return path was introduced when hci_le_big_terminate() was
> refactored to take struct hci_conn instead of raw u8 parameters, adding
> PA/BIG flag evaluation logic. The existing kfree() on hci_cmd_sync_queue
> failure does not cover this path.
> 
> [...]

Here is the summary with links:
  - Bluetooth: hci_conn: Fix memory leak in hci_le_big_terminate()
    https://git.kernel.org/bluetooth/bluetooth-next/c/6dbf781d0885

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html