[PATCH] Bluetooth: hci_ll: Fix firmware leak on error path

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] Bluetooth: hci_ll: Fix firmware leak on error path
@ 2026-03-14 16:56 Anas Iqbal
  2026-03-15  8:54 ` Paul Menzel
  0 siblings, 1 reply; 4+ messages in thread
From: Anas Iqbal @ 2026-03-14 16:56 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: marcel, luiz.dentz, linux-kernel, Anas Iqbal

Smatch reports:
drivers/bluetooth/hci_ll.c:587 download_firmware() warn:
'fw' from request_firmware() not released on lines: 544.

In download_firmware(), if request_firmware() succeeds but the returned
firmware has no data or size, the function returns immediately without
releasing the firmware, resulting in a resource leak.

Add a release_firmware() call before returning when request_firmware()
succeeds but the firmware contents are invalid.

Signed-off-by: Anas Iqbal <mohd.abd.6602@gmail.com>
---
 drivers/bluetooth/hci_ll.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/bluetooth/hci_ll.c b/drivers/bluetooth/hci_ll.c
index 91acf24f1ef5..91c96ad12342 100644
--- a/drivers/bluetooth/hci_ll.c
+++ b/drivers/bluetooth/hci_ll.c
@@ -541,6 +541,8 @@ static int download_firmware(struct ll_device *lldev)
 	if (err || !fw->data || !fw->size) {
 		bt_dev_err(lldev->hu.hdev, "request_firmware failed(errno %d) for %s",
 			   err, bts_scr_name);
+		if (!err)
+			release_firmware(fw);
 		return -EINVAL;
 	}
 	ptr = (void *)fw->data;
-- 
2.43.0

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] Bluetooth: hci_ll: Fix firmware leak on error path
  2026-03-14 16:56 [PATCH] Bluetooth: hci_ll: Fix firmware leak on error path Anas Iqbal
@ 2026-03-15  8:54 ` Paul Menzel
  2026-03-15 10:51   ` [PATCH v2] " Anas Iqbal
  0 siblings, 1 reply; 4+ messages in thread
From: Paul Menzel @ 2026-03-15  8:54 UTC (permalink / raw)
  To: Anas Iqbal; +Cc: linux-bluetooth, marcel, luiz.dentz, linux-kernel

Dear Anas,


Thank you for your patch.

Am 14.03.26 um 17:56 schrieb Anas Iqbal:
> Smatch reports:
> drivers/bluetooth/hci_ll.c:587 download_firmware() warn:
> 'fw' from request_firmware() not released on lines: 544.
> 
> In download_firmware(), if request_firmware() succeeds but the returned
> firmware has no data or size, the function returns immediately without
> releasing the firmware, resulting in a resource leak.
> 
> Add a release_firmware() call before returning when request_firmware()
> succeeds but the firmware contents are invalid.

Change to *content is*.

> Signed-off-by: Anas Iqbal <mohd.abd.6602@gmail.com>

Please also add a Fixes: tag.

> ---
>   drivers/bluetooth/hci_ll.c | 2 ++
>   1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/bluetooth/hci_ll.c b/drivers/bluetooth/hci_ll.c
> index 91acf24f1ef5..91c96ad12342 100644
> --- a/drivers/bluetooth/hci_ll.c
> +++ b/drivers/bluetooth/hci_ll.c
> @@ -541,6 +541,8 @@ static int download_firmware(struct ll_device *lldev)
>   	if (err || !fw->data || !fw->size) {
>   		bt_dev_err(lldev->hu.hdev, "request_firmware failed(errno %d) for %s",
>   			   err, bts_scr_name);
> +		if (!err)
> +			release_firmware(fw);
>   		return -EINVAL;
>   	}
>   	ptr = (void *)fw->data;

With the improved commit message, feel free to add:

Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>


Kind regards,

Paul

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [PATCH v2] Bluetooth: hci_ll: Fix firmware leak on error path
  2026-03-15  8:54 ` Paul Menzel
@ 2026-03-15 10:51   ` Anas Iqbal
  2026-03-18 16:40     ` patchwork-bot+bluetooth
  0 siblings, 1 reply; 4+ messages in thread
From: Anas Iqbal @ 2026-03-15 10:51 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: linux-kernel, luiz.dentz, marcel, pmenzel, mohd.abd.6602

Smatch reports:

drivers/bluetooth/hci_ll.c:587 download_firmware() warn:
'fw' from request_firmware() not released on lines: 544.

In download_firmware(), if request_firmware() succeeds but the returned
firmware content is invalid (no data or zero size), the function returns
without releasing the firmware, resulting in a resource leak.

Fix this by calling release_firmware() before returning when
request_firmware() succeeded but the firmware content is invalid.

Fixes: 371805522f87 ("bluetooth: hci_uart: add LL protocol serdev driver support")
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Anas Iqbal <mohd.abd.6602@gmail.com>
---
v2:
 - Fix grammar ("content is")
 - Add Fixes tag
 - Add Reviewed-by tag from Paul Menzel
---
 drivers/bluetooth/hci_ll.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/bluetooth/hci_ll.c b/drivers/bluetooth/hci_ll.c
index 91acf24f1ef5..91c96ad12342 100644
--- a/drivers/bluetooth/hci_ll.c
+++ b/drivers/bluetooth/hci_ll.c
@@ -541,6 +541,8 @@ static int download_firmware(struct ll_device *lldev)
 	if (err || !fw->data || !fw->size) {
 		bt_dev_err(lldev->hu.hdev, "request_firmware failed(errno %d) for %s",
 			   err, bts_scr_name);
+		if (!err)
+			release_firmware(fw);
 		return -EINVAL;
 	}
 	ptr = (void *)fw->data;
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH v2] Bluetooth: hci_ll: Fix firmware leak on error path
  2026-03-15 10:51   ` [PATCH v2] " Anas Iqbal
@ 2026-03-18 16:40     ` patchwork-bot+bluetooth
  0 siblings, 0 replies; 4+ messages in thread
From: patchwork-bot+bluetooth @ 2026-03-18 16:40 UTC (permalink / raw)
  To: Anas Iqbal; +Cc: linux-bluetooth, linux-kernel, luiz.dentz, marcel, pmenzel

Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Sun, 15 Mar 2026 10:51:37 +0000 you wrote:
> Smatch reports:
> 
> drivers/bluetooth/hci_ll.c:587 download_firmware() warn:
> 'fw' from request_firmware() not released on lines: 544.
> 
> In download_firmware(), if request_firmware() succeeds but the returned
> firmware content is invalid (no data or zero size), the function returns
> without releasing the firmware, resulting in a resource leak.
> 
> [...]

Here is the summary with links:
  - [v2] Bluetooth: hci_ll: Fix firmware leak on error path
    https://git.kernel.org/bluetooth/bluetooth-next/c/0f1a322270bb

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2026-03-18 16:40 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-14 16:56 [PATCH] Bluetooth: hci_ll: Fix firmware leak on error path Anas Iqbal
2026-03-15  8:54 ` Paul Menzel
2026-03-15 10:51   ` [PATCH v2] " Anas Iqbal
2026-03-18 16:40     ` patchwork-bot+bluetooth

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox