[PATCH] Bluetooth: hci_conn_failed: Fixes memory leak

[PATCH] Bluetooth: hci_conn_failed: Fixes memory leak

[Yuran Pereira]

The hci_conn_failed() function currently calls hci_connect_cfm(), which
indirectly leads to the allocation of an l2cap_conn struct in l2cap_conn_add().
This operation results in a memory leak, as the l2cap_conn structure
becomes unreferenced.

To address this issue and prevent the memory leak, this patch modifies
hci_conn_failed() to replace the call to hci_connect_cfm() with a
call to hci_disconn_cfm().

Reported-by: syzbot+39ec16ff6cc18b1d066d@syzkaller.appspotmail.com
Signed-off-by: Yuran Pereira <yuran.pereira@hotmail.com>
---
 net/bluetooth/hci_conn.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 7a6f20338db8..1d2d03b4a98a 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -1248,7 +1248,7 @@ void hci_conn_failed(struct hci_conn *conn, u8 status)
 	}
 
 	conn->state = BT_CLOSED;
-	hci_connect_cfm(conn, status);
+	hci_disconn_cfm(conn, status);
 	hci_conn_del(conn);
 }
 
-- 
2.25.1

Re: [PATCH] Bluetooth: hci_conn_failed: Fixes memory leak

[Greg KH]

On Sat, Oct 07, 2023 at 05:09:01PM +0530, Yuran Pereira wrote:
> The hci_conn_failed() function currently calls hci_connect_cfm(), which
> indirectly leads to the allocation of an l2cap_conn struct in l2cap_conn_add().
> This operation results in a memory leak, as the l2cap_conn structure
> becomes unreferenced.
> 
> To address this issue and prevent the memory leak, this patch modifies
> hci_conn_failed() to replace the call to hci_connect_cfm() with a
> call to hci_disconn_cfm().
> 
> Reported-by: syzbot+39ec16ff6cc18b1d066d@syzkaller.appspotmail.com
> Signed-off-by: Yuran Pereira <yuran.pereira@hotmail.com>
> ---
>  net/bluetooth/hci_conn.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

What commit id does this fix?

thanks,

greg k-h

Re: [PATCH] Bluetooth: hci_conn_failed: Fixes memory leak

[Luiz Augusto von Dentz]

Hi Yuran,

On Sat, Oct 7, 2023 at 10:39 AM Yuran Pereira <yuran.pereira@hotmail.com> wrote:
>
> Hello Greg,
> My apologies, I just noticed that my patch is based on the mainline tree. I'll re-submit one based on the Bluetooth tree and I'll ensure to include the commit id that it's fixing.
>
> Thanks,
> Yuran Pereira
> ________________________________
> De: Greg KH <gregkh@linuxfoundation.org>
> Enviado: 7 de outubro de 2023 11:41
> Para: Yuran Pereira <yuran.pereira@hotmail.com>
> Cc: marcel@holtmann.org <marcel@holtmann.org>; johan.hedberg@gmail.com <johan.hedberg@gmail.com>; linux-kernel@vger.kernel.org <linux-kernel@vger.kernel.org>; linux-bluetooth@vger.kernel.org <linux-bluetooth@vger.kernel.org>; luiz.dentz@gmail.com <luiz.dentz@gmail.com>; syzbot+39ec16ff6cc18b1d066d@syzkaller.appspotmail.com <syzbot+39ec16ff6cc18b1d066d@syzkaller.appspotmail.com>; linux-kernel-mentees@lists.linuxfoundation.org <linux-kernel-mentees@lists.linuxfoundation.org>
> Assunto: Re: [PATCH] Bluetooth: hci_conn_failed: Fixes memory leak
>
> On Sat, Oct 07, 2023 at 05:09:01PM +0530, Yuran Pereira wrote:
> > The hci_conn_failed() function currently calls hci_connect_cfm(), which
> > indirectly leads to the allocation of an l2cap_conn struct in l2cap_conn_add().
> > This operation results in a memory leak, as the l2cap_conn structure
> > becomes unreferenced.
> >
> > To address this issue and prevent the memory leak, this patch modifies
> > hci_conn_failed() to replace the call to hci_connect_cfm() with a
> > call to hci_disconn_cfm().

I suspect this is not quite right, hci_disconn_cfm is called when a
disconnection has been requested, hci_connect_cfm is correct here
since it is meant to notify the result of connection request procedure
so I can only assume that the culprit here is that hci_conn_failed is
called with status 0 which is invalid and needs fixing.

> > Reported-by: syzbot+39ec16ff6cc18b1d066d@syzkaller.appspotmail.com
> > Signed-off-by: Yuran Pereira <yuran.pereira@hotmail.com>
> > ---
> >  net/bluetooth/hci_conn.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
>
> What commit id does this fix?
>
> thanks,
>
> greg k-h



-- 
Luiz Augusto von Dentz

Re: [PATCH] Bluetooth: hci_conn_failed: Fixes memory leak

[Yuran Pereira]

Hello Luiz,

Thanks for the reply.

I just took another look at hci_abort_conn_sync which is where 
hci_conn_failed is being called, and as you suggested, hci_conn_failed, 
is in fact being called with a status 0. So my previous patch might in 
fact be inaccurate.

By the time hci_conn_failed is called, the value of "err" within 
hci_conn_abort_sync can also be 0, so using bt_status(err) as status is 
not going to solve the issue.
I am considering using one of the HCI_ERROR_ values but not exactly sure 
which is the most appropriate in this specific situation.

Perhaps HCI_ERROR_UNSPECIFIED ???

Something like:
- hci_conn_failed(conn, reason);
+ hci_conn_failed(conn, HCI_ERROR_UNSPECIFIED);

So, would you suggest going with this solution, or do you think the 
issue might be originating earlier in the call sequence and I should pay 
more attention to conn->reason?

Thanks,

Yuran Pereira

On 10/10/23 01:20, Luiz Augusto von Dentz wrote:
> Hi Yuran,
>
> On Sat, Oct 7, 2023 at 10:39 AM Yuran Pereira <yuran.pereira@hotmail.com> wrote:
>> Hello Greg,
>> My apologies, I just noticed that my patch is based on the mainline tree. I'll re-submit one based on the Bluetooth tree and I'll ensure to include the commit id that it's fixing.
>>
>> Thanks,
>> Yuran Pereira
>> ________________________________
>> De: Greg KH <gregkh@linuxfoundation.org>
>> Enviado: 7 de outubro de 2023 11:41
>> Para: Yuran Pereira <yuran.pereira@hotmail.com>
>> Cc: marcel@holtmann.org <marcel@holtmann.org>; johan.hedberg@gmail.com <johan.hedberg@gmail.com>; linux-kernel@vger.kernel.org <linux-kernel@vger.kernel.org>; linux-bluetooth@vger.kernel.org <linux-bluetooth@vger.kernel.org>; luiz.dentz@gmail.com <luiz.dentz@gmail.com>; syzbot+39ec16ff6cc18b1d066d@syzkaller.appspotmail.com <syzbot+39ec16ff6cc18b1d066d@syzkaller.appspotmail.com>; linux-kernel-mentees@lists.linuxfoundation.org <linux-kernel-mentees@lists.linuxfoundation.org>
>> Assunto: Re: [PATCH] Bluetooth: hci_conn_failed: Fixes memory leak
>>
>> On Sat, Oct 07, 2023 at 05:09:01PM +0530, Yuran Pereira wrote:
>>> The hci_conn_failed() function currently calls hci_connect_cfm(), which
>>> indirectly leads to the allocation of an l2cap_conn struct in l2cap_conn_add().
>>> This operation results in a memory leak, as the l2cap_conn structure
>>> becomes unreferenced.
>>>
>>> To address this issue and prevent the memory leak, this patch modifies
>>> hci_conn_failed() to replace the call to hci_connect_cfm() with a
>>> call to hci_disconn_cfm().
> I suspect this is not quite right, hci_disconn_cfm is called when a
> disconnection has been requested, hci_connect_cfm is correct here
> since it is meant to notify the result of connection request procedure
> so I can only assume that the culprit here is that hci_conn_failed is
> called with status 0 which is invalid and needs fixing.
>
>>> Reported-by: syzbot+39ec16ff6cc18b1d066d@syzkaller.appspotmail.com
>>> Signed-off-by: Yuran Pereira <yuran.pereira@hotmail.com>
>>> ---
>>>   net/bluetooth/hci_conn.c | 2 +-
>>>   1 file changed, 1 insertion(+), 1 deletion(-)
>> What commit id does this fix?
>>
>> thanks,
>>
>> greg k-h
>
>