* [PATCH] Bluetooth: hci_conn_failed: Fixes memory leak @ 2023-10-07 11:39 Yuran Pereira 2023-10-07 11:41 ` Greg KH 0 siblings, 1 reply; 5+ messages in thread From: Yuran Pereira @ 2023-10-07 11:39 UTC (permalink / raw) To: marcel Cc: johan.hedberg, linux-kernel, linux-bluetooth, luiz.dentz, syzbot+39ec16ff6cc18b1d066d, Yuran Pereira, linux-kernel-mentees The hci_conn_failed() function currently calls hci_connect_cfm(), which indirectly leads to the allocation of an l2cap_conn struct in l2cap_conn_add(). This operation results in a memory leak, as the l2cap_conn structure becomes unreferenced. To address this issue and prevent the memory leak, this patch modifies hci_conn_failed() to replace the call to hci_connect_cfm() with a call to hci_disconn_cfm(). Reported-by: syzbot+39ec16ff6cc18b1d066d@syzkaller.appspotmail.com Signed-off-by: Yuran Pereira <yuran.pereira@hotmail.com> --- net/bluetooth/hci_conn.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c index 7a6f20338db8..1d2d03b4a98a 100644 --- a/net/bluetooth/hci_conn.c +++ b/net/bluetooth/hci_conn.c @@ -1248,7 +1248,7 @@ void hci_conn_failed(struct hci_conn *conn, u8 status) } conn->state = BT_CLOSED; - hci_connect_cfm(conn, status); + hci_disconn_cfm(conn, status); hci_conn_del(conn); } -- 2.25.1 _______________________________________________ Linux-kernel-mentees mailing list Linux-kernel-mentees@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH] Bluetooth: hci_conn_failed: Fixes memory leak 2023-10-07 11:39 [PATCH] Bluetooth: hci_conn_failed: Fixes memory leak Yuran Pereira @ 2023-10-07 11:41 ` Greg KH 2023-10-07 17:39 ` Yuran Pereira 0 siblings, 1 reply; 5+ messages in thread From: Greg KH @ 2023-10-07 11:41 UTC (permalink / raw) To: Yuran Pereira Cc: johan.hedberg, marcel, linux-kernel, linux-bluetooth, luiz.dentz, syzbot+39ec16ff6cc18b1d066d, linux-kernel-mentees On Sat, Oct 07, 2023 at 05:09:01PM +0530, Yuran Pereira wrote: > The hci_conn_failed() function currently calls hci_connect_cfm(), which > indirectly leads to the allocation of an l2cap_conn struct in l2cap_conn_add(). > This operation results in a memory leak, as the l2cap_conn structure > becomes unreferenced. > > To address this issue and prevent the memory leak, this patch modifies > hci_conn_failed() to replace the call to hci_connect_cfm() with a > call to hci_disconn_cfm(). > > Reported-by: syzbot+39ec16ff6cc18b1d066d@syzkaller.appspotmail.com > Signed-off-by: Yuran Pereira <yuran.pereira@hotmail.com> > --- > net/bluetooth/hci_conn.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) What commit id does this fix? thanks, greg k-h _______________________________________________ Linux-kernel-mentees mailing list Linux-kernel-mentees@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees ^ permalink raw reply [flat|nested] 5+ messages in thread
* RE: [PATCH] Bluetooth: hci_conn_failed: Fixes memory leak 2023-10-07 11:41 ` Greg KH @ 2023-10-07 17:39 ` Yuran Pereira 2023-10-09 19:50 ` Luiz Augusto von Dentz 0 siblings, 1 reply; 5+ messages in thread From: Yuran Pereira @ 2023-10-07 17:39 UTC (permalink / raw) To: Greg KH Cc: johan.hedberg@gmail.com, marcel@holtmann.org, linux-kernel@vger.kernel.org, linux-bluetooth@vger.kernel.org, luiz.dentz@gmail.com, syzbot+39ec16ff6cc18b1d066d@syzkaller.appspotmail.com, linux-kernel-mentees@lists.linuxfoundation.org [-- Attachment #1.1: Type: text/plain, Size: 1708 bytes --] Hello Greg, My apologies, I just noticed that my patch is based on the mainline tree. I'll re-submit one based on the Bluetooth tree and I'll ensure to include the commit id that it's fixing. Thanks, Yuran Pereira ________________________________ De: Greg KH <gregkh@linuxfoundation.org> Enviado: 7 de outubro de 2023 11:41 Para: Yuran Pereira <yuran.pereira@hotmail.com> Cc: marcel@holtmann.org <marcel@holtmann.org>; johan.hedberg@gmail.com <johan.hedberg@gmail.com>; linux-kernel@vger.kernel.org <linux-kernel@vger.kernel.org>; linux-bluetooth@vger.kernel.org <linux-bluetooth@vger.kernel.org>; luiz.dentz@gmail.com <luiz.dentz@gmail.com>; syzbot+39ec16ff6cc18b1d066d@syzkaller.appspotmail.com <syzbot+39ec16ff6cc18b1d066d@syzkaller.appspotmail.com>; linux-kernel-mentees@lists.linuxfoundation.org <linux-kernel-mentees@lists.linuxfoundation.org> Assunto: Re: [PATCH] Bluetooth: hci_conn_failed: Fixes memory leak On Sat, Oct 07, 2023 at 05:09:01PM +0530, Yuran Pereira wrote: > The hci_conn_failed() function currently calls hci_connect_cfm(), which > indirectly leads to the allocation of an l2cap_conn struct in l2cap_conn_add(). > This operation results in a memory leak, as the l2cap_conn structure > becomes unreferenced. > > To address this issue and prevent the memory leak, this patch modifies > hci_conn_failed() to replace the call to hci_connect_cfm() with a > call to hci_disconn_cfm(). > > Reported-by: syzbot+39ec16ff6cc18b1d066d@syzkaller.appspotmail.com > Signed-off-by: Yuran Pereira <yuran.pereira@hotmail.com> > --- > net/bluetooth/hci_conn.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) What commit id does this fix? thanks, greg k-h [-- Attachment #1.2: Type: text/html, Size: 3149 bytes --] [-- Attachment #2: Type: text/plain, Size: 201 bytes --] _______________________________________________ Linux-kernel-mentees mailing list Linux-kernel-mentees@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] Bluetooth: hci_conn_failed: Fixes memory leak 2023-10-07 17:39 ` Yuran Pereira @ 2023-10-09 19:50 ` Luiz Augusto von Dentz 2023-10-10 14:43 ` Yuran Pereira 0 siblings, 1 reply; 5+ messages in thread From: Luiz Augusto von Dentz @ 2023-10-09 19:50 UTC (permalink / raw) To: Yuran Pereira Cc: johan.hedberg@gmail.com, marcel@holtmann.org, linux-kernel@vger.kernel.org, linux-bluetooth@vger.kernel.org, syzbot+39ec16ff6cc18b1d066d@syzkaller.appspotmail.com, linux-kernel-mentees@lists.linuxfoundation.org Hi Yuran, On Sat, Oct 7, 2023 at 10:39 AM Yuran Pereira <yuran.pereira@hotmail.com> wrote: > > Hello Greg, > My apologies, I just noticed that my patch is based on the mainline tree. I'll re-submit one based on the Bluetooth tree and I'll ensure to include the commit id that it's fixing. > > Thanks, > Yuran Pereira > ________________________________ > De: Greg KH <gregkh@linuxfoundation.org> > Enviado: 7 de outubro de 2023 11:41 > Para: Yuran Pereira <yuran.pereira@hotmail.com> > Cc: marcel@holtmann.org <marcel@holtmann.org>; johan.hedberg@gmail.com <johan.hedberg@gmail.com>; linux-kernel@vger.kernel.org <linux-kernel@vger.kernel.org>; linux-bluetooth@vger.kernel.org <linux-bluetooth@vger.kernel.org>; luiz.dentz@gmail.com <luiz.dentz@gmail.com>; syzbot+39ec16ff6cc18b1d066d@syzkaller.appspotmail.com <syzbot+39ec16ff6cc18b1d066d@syzkaller.appspotmail.com>; linux-kernel-mentees@lists.linuxfoundation.org <linux-kernel-mentees@lists.linuxfoundation.org> > Assunto: Re: [PATCH] Bluetooth: hci_conn_failed: Fixes memory leak > > On Sat, Oct 07, 2023 at 05:09:01PM +0530, Yuran Pereira wrote: > > The hci_conn_failed() function currently calls hci_connect_cfm(), which > > indirectly leads to the allocation of an l2cap_conn struct in l2cap_conn_add(). > > This operation results in a memory leak, as the l2cap_conn structure > > becomes unreferenced. > > > > To address this issue and prevent the memory leak, this patch modifies > > hci_conn_failed() to replace the call to hci_connect_cfm() with a > > call to hci_disconn_cfm(). I suspect this is not quite right, hci_disconn_cfm is called when a disconnection has been requested, hci_connect_cfm is correct here since it is meant to notify the result of connection request procedure so I can only assume that the culprit here is that hci_conn_failed is called with status 0 which is invalid and needs fixing. > > Reported-by: syzbot+39ec16ff6cc18b1d066d@syzkaller.appspotmail.com > > Signed-off-by: Yuran Pereira <yuran.pereira@hotmail.com> > > --- > > net/bluetooth/hci_conn.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > What commit id does this fix? > > thanks, > > greg k-h -- Luiz Augusto von Dentz _______________________________________________ Linux-kernel-mentees mailing list Linux-kernel-mentees@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] Bluetooth: hci_conn_failed: Fixes memory leak 2023-10-09 19:50 ` Luiz Augusto von Dentz @ 2023-10-10 14:43 ` Yuran Pereira 0 siblings, 0 replies; 5+ messages in thread From: Yuran Pereira @ 2023-10-10 14:43 UTC (permalink / raw) To: Luiz Augusto von Dentz Cc: johan.hedberg@gmail.com, marcel@holtmann.org, linux-kernel@vger.kernel.org, linux-bluetooth@vger.kernel.org, syzbot+39ec16ff6cc18b1d066d@syzkaller.appspotmail.com, linux-kernel-mentees@lists.linuxfoundation.org Hello Luiz, Thanks for the reply. I just took another look at hci_abort_conn_sync which is where hci_conn_failed is being called, and as you suggested, hci_conn_failed, is in fact being called with a status 0. So my previous patch might in fact be inaccurate. By the time hci_conn_failed is called, the value of "err" within hci_conn_abort_sync can also be 0, so using bt_status(err) as status is not going to solve the issue. I am considering using one of the HCI_ERROR_ values but not exactly sure which is the most appropriate in this specific situation. Perhaps HCI_ERROR_UNSPECIFIED ??? Something like: - hci_conn_failed(conn, reason); + hci_conn_failed(conn, HCI_ERROR_UNSPECIFIED); So, would you suggest going with this solution, or do you think the issue might be originating earlier in the call sequence and I should pay more attention to conn->reason? Thanks, Yuran Pereira On 10/10/23 01:20, Luiz Augusto von Dentz wrote: > Hi Yuran, > > On Sat, Oct 7, 2023 at 10:39 AM Yuran Pereira <yuran.pereira@hotmail.com> wrote: >> Hello Greg, >> My apologies, I just noticed that my patch is based on the mainline tree. I'll re-submit one based on the Bluetooth tree and I'll ensure to include the commit id that it's fixing. >> >> Thanks, >> Yuran Pereira >> ________________________________ >> De: Greg KH <gregkh@linuxfoundation.org> >> Enviado: 7 de outubro de 2023 11:41 >> Para: Yuran Pereira <yuran.pereira@hotmail.com> >> Cc: marcel@holtmann.org <marcel@holtmann.org>; johan.hedberg@gmail.com <johan.hedberg@gmail.com>; linux-kernel@vger.kernel.org <linux-kernel@vger.kernel.org>; linux-bluetooth@vger.kernel.org <linux-bluetooth@vger.kernel.org>; luiz.dentz@gmail.com <luiz.dentz@gmail.com>; syzbot+39ec16ff6cc18b1d066d@syzkaller.appspotmail.com <syzbot+39ec16ff6cc18b1d066d@syzkaller.appspotmail.com>; linux-kernel-mentees@lists.linuxfoundation.org <linux-kernel-mentees@lists.linuxfoundation.org> >> Assunto: Re: [PATCH] Bluetooth: hci_conn_failed: Fixes memory leak >> >> On Sat, Oct 07, 2023 at 05:09:01PM +0530, Yuran Pereira wrote: >>> The hci_conn_failed() function currently calls hci_connect_cfm(), which >>> indirectly leads to the allocation of an l2cap_conn struct in l2cap_conn_add(). >>> This operation results in a memory leak, as the l2cap_conn structure >>> becomes unreferenced. >>> >>> To address this issue and prevent the memory leak, this patch modifies >>> hci_conn_failed() to replace the call to hci_connect_cfm() with a >>> call to hci_disconn_cfm(). > I suspect this is not quite right, hci_disconn_cfm is called when a > disconnection has been requested, hci_connect_cfm is correct here > since it is meant to notify the result of connection request procedure > so I can only assume that the culprit here is that hci_conn_failed is > called with status 0 which is invalid and needs fixing. > >>> Reported-by: syzbot+39ec16ff6cc18b1d066d@syzkaller.appspotmail.com >>> Signed-off-by: Yuran Pereira <yuran.pereira@hotmail.com> >>> --- >>> net/bluetooth/hci_conn.c | 2 +- >>> 1 file changed, 1 insertion(+), 1 deletion(-) >> What commit id does this fix? >> >> thanks, >> >> greg k-h > > _______________________________________________ Linux-kernel-mentees mailing list Linux-kernel-mentees@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2023-10-10 14:43 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2023-10-07 11:39 [PATCH] Bluetooth: hci_conn_failed: Fixes memory leak Yuran Pereira 2023-10-07 11:41 ` Greg KH 2023-10-07 17:39 ` Yuran Pereira 2023-10-09 19:50 ` Luiz Augusto von Dentz 2023-10-10 14:43 ` Yuran Pereira
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox