From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
"Mark-YW.Chen" <mark-yw.chen@mediatek.com>,
Marcel Holtmann <marcel@holtmann.org>
Subject: [PATCH 5.10 04/25] Bluetooth: btusb: fix memory leak in btusb_mtk_submit_wmt_recv_urb()
Date: Fri, 14 Jan 2022 09:16:12 +0100
Message-ID: <20220114081542.845951314@linuxfoundation.org>
In-Reply-To: <20220114081542.698002137@linuxfoundation.org>

From: Mark-YW.Chen <mark-yw.chen@mediatek.com>

commit 60c6a63a3d3080a62f3e0e20084f58dbeff16748 upstream.

Driver should free `usb->setup_packet` to avoid the leak.

$ cat /sys/kernel/debug/kmemleak
unreferenced object 0xffffffa564a58080 (size 128):
  backtrace:
    [<000000007eb8dd70>] kmem_cache_alloc_trace+0x22c/0x384
    [<000000008a44191d>] btusb_mtk_hci_wmt_sync+0x1ec/0x994 [btusb]
    [<00000000ca7189a3>] btusb_mtk_setup+0x6b8/0x13cc [btusb]
    [<00000000c6105069>] hci_dev_do_open+0x290/0x974 [bluetooth]
    [<00000000a583f8b8>] hci_power_on+0xdc/0x3cc [bluetooth]
    [<000000005d80e687>] process_one_work+0x514/0xc80
    [<00000000f4d57637>] worker_thread+0x818/0xd0c
    [<00000000dc7bdb55>] kthread+0x2f8/0x3b8
    [<00000000f9999513>] ret_from_fork+0x10/0x30

Fixes: a1c49c434e150 ("Bluetooth: btusb: Add protocol support for MediaTek MT7668U USB devices")
Signed-off-by: Mark-YW.Chen <mark-yw.chen@mediatek.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/bluetooth/btusb.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -2845,6 +2845,7 @@ static void btusb_mtk_wmt_recv(struct ur
skb = bt_skb_alloc(HCI_WMT_MAX_EVENT_SIZE, GFP_ATOMIC);
if (!skb) {
hdev->stat.err_rx++;
+ kfree(urb->setup_packet);
return;
}
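Review bot: the subject line names btusb_mtk_submit_wmt_recv_urb(), but this hunk header and every other one in the patch show the change landing in btusb_mtk_wmt_recv(), and the changelog writes `usb->setup_packet` where the code on the `if (!skb)` path frees `urb->setup_packet`. Both are worth correcting in the commit text so that a log search for the completion handler or the field name finds this fix.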
@@ -2865,6 +2866,7 @@ static void btusb_mtk_wmt_recv(struct ur
data->evt_skb = skb_clone(skb, GFP_ATOMIC);
if (!data->evt_skb) {
kfree_skb(skb);
+ kfree(urb->setup_packet);
return;
}
}
@@ -2873,6 +2875,7 @@ static void btusb_mtk_wmt_recv(struct ur
if (err < 0) {
kfree_skb(data->evt_skb);
data->evt_skb = NULL;
+ kfree(urb->setup_packet);
return;
}
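Review bot: this `if (err < 0)` path is the third early return in the function that now carries its own hand-written `kfree(urb->setup_packet);`, and a per-branch free is the pattern that allowed the leak in the first place, since any return added later has to remember it. Consider a single exit label (for example `goto free_setup;`, label name hypothetical) in place of the repeated kfree() and return pairs.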
@@ -2883,6 +2886,7 @@ static void btusb_mtk_wmt_recv(struct ur
wake_up_bit(&data->flags,
BTUSB_TX_WAIT_VND_EVT);
}
+ kfree(urb->setup_packet);
return;
} else if (urb->status == -ENOENT) {
/* Avoid suspend failed when usb_kill_urb */
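Review bot: the `else if (urb->status == -ENOENT)` branch in the trailing context gets no free in this patch. If that branch returns without resubmitting the URB, as its usb_kill_urb comment suggests, setup_packet would still be leaked each time the URB is killed; please confirm that path is covered elsewhere or add the kfree() there as well.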
@@ -2903,6 +2907,7 @@ static void btusb_mtk_wmt_recv(struct ur
usb_anchor_urb(urb, &data->ctrl_anchor);
err = usb_submit_urb(urb, GFP_ATOMIC);
if (err < 0) {
+ kfree(urb->setup_packet);
/* -EPERM: urb is being killed;
* -ENODEV: device got disconnected
*/
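Review bot: in the `if (err < 0)` block the new kfree() runs directly after usb_anchor_urb() and leaves `urb->setup_packet` pointing at freed memory while the URB is, at this line, still on data->ctrl_anchor. Doing the free once the URB is off the anchor, or following it with `urb->setup_packet = NULL;`, would keep any later user of the anchored URB from seeing a stale pointer.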