From: shaurya <ssranevjti@gmail.com>
To: syzbot+f098d64cc684b8dbaf65@syzkaller.appspotmail.com
Cc: linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk
Date: Thu, 20 Nov 2025 00:15:54 +0530 [thread overview]
Message-ID: <6d2a1c9f-d4db-496d-9230-e41e5166eb86@gmail.com> (raw)
In-Reply-To: <691b301e.a70a0220.f6df1.0011.GAE@google.com>
[-- Attachment #1: Type: text/plain, Size: 83 bytes --]
#syz test:
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
[-- Attachment #2: 0001-Bluetooth-hci_sync-fix-memory-leak-in-__hci_cmd_sync.patch --]
[-- Type: text/x-patch, Size: 2002 bytes --]
From 31c93fbc37d699e498cf51f7dc17e69cb210faaf Mon Sep 17 00:00:00 2001
From: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
Date: Thu, 20 Nov 2025 00:11:40 +0530
Subject: [PATCH] Bluetooth: hci_sync: fix memory leak in __hci_cmd_sync_sk
Fix a memory leak in __hci_cmd_sync_sk where allocated request command
SKBs are not properly cleaned up when the function fails.

The issue occurs when hci_cmd_sync_alloc() successfully allocates an SKB
and it gets queued via hci_cmd_sync_add(), but then __hci_cmd_sync_sk()
fails due to timeout, interruption, or cancellation. In these error
paths, the req_skb that was cloned and stored in hdev->req_skb is not
freed, leading to memory leaks.

The memory leak can be reproduced when __hci_cmd_sync_sk() allocates
and queues an HCI command SKB, and hci_req_sync_run() transfers this
SKB to hdev->cmd_q and clones it to hdev->req_skb. If the subsequent
wait_event_interruptible_timeout() call fails (due to timeout or
interruption), the function returns an error without hdev->req_skb
ever being cleaned up.

The fix ensures that when __hci_cmd_sync_sk() returns an error, any
pending request command SKB in hdev->req_skb is properly freed before
returning. This matches the cleanup pattern used elsewhere in the HCI
sync code.

Reported-by: syzbot+f098d64cc684b8dbaf65@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=f098d64cc684b8dbaf65
Signed-off-by: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
---
net/bluetooth/hci_sync.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 6e76798ec786..fbaa5749ad7b 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -203,6 +203,11 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
if (err < 0) {
kfree_skb(skb);
+ /* Clean up any pending request command */
+ if (hdev->req_skb) {
+ kfree_skb(hdev->req_skb);
+ hdev->req_skb = NULL;
+ }
return ERR_PTR(err);
}
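Review bot: the added block frees `hdev->req_skb` immediately after the existing `kfree_skb(skb)`, but neither the hunk nor the commit message says how `skb` and `hdev->req_skb` relate at this point. The message describes `hdev->req_skb` as the clone stored by `hci_req_sync_run()`, so please state in the message where `skb` comes from: if the function has already moved `hdev->req_skb` into `skb` before this `if (err < 0)` check, the new `if (hdev->req_skb)` test is dead code and the leak is on another path; if the two pointers can alias, the back-to-back `kfree_skb()` calls are a double free. The message also lists interruption as a trigger, so if the interrupted-wait case returns before reaching this block, that exit is still uncovered and the hunk should say why that is acceptable or cover it too. Two smaller points: a bug fix should carry a `Fixes:` tag naming the commit that introduced the leak, and the comment `/* Clean up any pending request command */` would be more useful if it named what is being released (the `req_skb` clone) so the reader does not have to cross-reference the message.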
--
2.34.1
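The ownership sequence the commit message walks through (allocate the command, queue it, keep a clone in hdev->req_skb, then fail the wait) can be checked outside the kernel. The following is an added user-space model written for this page; it is not kernel code and not part of the patch or the thread. `struct skb`, `skb_clone()`, `kfree_skb()`, `struct hci_dev` and `hci_cmd_sync_model()` are simplified stand-ins, and the `fixed` flag places the cleanup where the hunk above places it. A live-buffer counter plays the role kmemleak plays in the syzbot report: each exit path is run and the number of buffers nobody released is returned.

```c
/* Added example (not kernel code, not from the patch above): a user-space
 * model of the ownership problem the commit message describes. struct skb,
 * skb_clone(), kfree_skb(), struct hci_dev and the command routine below are
 * simplified stand-ins constructed for illustration. A live-buffer counter
 * stands in for kmemleak: every exit path of the synchronous-command routine
 * is checked for buffers that were allocated but never released. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int live_skbs; /* buffers allocated (or cloned) and not yet freed */

struct skb {
    char data[16];
};

struct hci_dev {
    struct skb *cmd_q;   /* stand-in for hdev->cmd_q: a single slot, not a queue */
    struct skb *req_skb; /* stand-in for hdev->req_skb: clone kept for the waiter */
};

static struct skb *alloc_skb(const char *data)
{
    struct skb *s = calloc(1, sizeof *s);
    if (!s)
        return NULL;
    strncpy(s->data, data, sizeof s->data - 1);
    live_skbs++;
    return s;
}

/* The model clone is an independent copy; like the kernel's clone it has to
 * be released separately from the original. */
static struct skb *skb_clone(const struct skb *src)
{
    return alloc_skb(src->data);
}

static void kfree_skb(struct skb *s)
{
    if (!s)
        return;
    live_skbs--;
    free(s);
}

/* Models __hci_cmd_sync_sk(). wait_fails selects the timeout/interruption
 * error path; fixed selects whether that path releases req_skb (the
 * behaviour the patch adds) or leaves it in place (the reported leak). */
static int hci_cmd_sync_model(struct hci_dev *hdev, const char *cmd,
                              int wait_fails, int fixed)
{
    struct skb *skb = alloc_skb(cmd);
    if (!skb)
        return -ENOMEM;

    /* hci_req_sync_run(): move the command to cmd_q, keep a clone in req_skb */
    hdev->cmd_q = skb;
    hdev->req_skb = skb_clone(skb);

    /* The transport consumes cmd_q whether or not the waiter ever hears back */
    kfree_skb(hdev->cmd_q);
    hdev->cmd_q = NULL;

    if (wait_fails) {
        /* wait_event_interruptible_timeout() failed: the exit the patch touches */
        if (fixed) {
            kfree_skb(hdev->req_skb);
            hdev->req_skb = NULL;
        }
        return -ETIMEDOUT;
    }

    /* Completion: ownership of req_skb moves to the caller, who frees it */
    struct skb *reply = hdev->req_skb;
    hdev->req_skb = NULL;
    kfree_skb(reply);
    return 0;
}

/* Run one scenario on a fresh device and report how many buffers leaked. */
int leaked_buffers(int wait_fails, int fixed)
{
    struct hci_dev hdev = {0};
    live_skbs = 0;
    hci_cmd_sync_model(&hdev, "cmd-reset", wait_fails, fixed); /* constructed command */
    return live_skbs;
}

int main(void)
{
    printf("success path leaks %d\n", leaked_buffers(0, 0));
    printf("failed wait, unpatched: leaks %d\n", leaked_buffers(1, 0));
    printf("failed wait, patched:   leaks %d\n", leaked_buffers(1, 1));
    return 0;
}
```

Build with `cc -Wall model.c && ./a.out`. The point of the counter is the invariant a reviewer checks on a patch like this one: on every return from the routine, each buffer that was allocated or cloned must either have been freed or have had its ownership handed to someone who will free it. In the model the `fixed` branch is only correct because `hdev->req_skb` still holds the clone when the error exit runs; whether that is true at the same point in the real function is exactly what the review of the hunk has to confirm.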