[PATCH RESEND] Bluetooth: btusb: medaitek: fix double free of skb in coredump

[PATCH RESEND] Bluetooth: btusb: medaitek: fix double free of skb in coredump

[sean.wang]

From: Sean Wang <sean.wang@mediatek.com>

hci_devcd_append() would free the skb on error so the caller don't
have to free it again otherwise it would cause the double free of skb.

Fixes: 0b7015132878 ("Bluetooth: btusb: mediatek: add MediaTek devcoredump support")
Reported-by : Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
---
 drivers/bluetooth/btmtk.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c
index ac8ebccd3507..812fd2a8f853 100644
--- a/drivers/bluetooth/btmtk.c
+++ b/drivers/bluetooth/btmtk.c
@@ -380,8 +380,10 @@ int btmtk_process_coredump(struct hci_dev *hdev, struct sk_buff *skb)
 	switch (data->cd_info.state) {
 	case HCI_DEVCOREDUMP_IDLE:
 		err = hci_devcd_init(hdev, MTK_COREDUMP_SIZE);
-		if (err < 0)
+		if (err < 0) {
+			kfree_skb(skb);
 			break;
+		}
 		data->cd_info.cnt = 0;
 
 		/* It is supposed coredump can be done within 5 seconds */
@@ -407,9 +409,6 @@ int btmtk_process_coredump(struct hci_dev *hdev, struct sk_buff *skb)
 		break;
 	}
 
-	if (err < 0)
-		kfree_skb(skb);
-
 	return err;
 }
 EXPORT_SYMBOL_GPL(btmtk_process_coredump);
-- 
2.25.1

Re: [PATCH RESEND] Bluetooth: btusb: medaitek: fix double free of skb in coredump

[Markus Elfring]

> hci_devcd_append() would free the skb on error so the caller don't
> have to free it again otherwise it would cause the double free of skb.

I hope that a typo will be avoided in the subsystem specification
for the final commit.

Regards,
Markus

Re: [PATCH RESEND] Bluetooth: btusb: medaitek: fix double free of skb in coredump

[Luiz Augusto von Dentz]

Hi Markus,

On Thu, Apr 18, 2024 at 5:40 AM Markus Elfring <Markus.Elfring@web.de> wrote:
>
> > hci_devcd_append() would free the skb on error so the caller don't
> > have to free it again otherwise it would cause the double free of skb.
>
> I hope that a typo will be avoided in the subsystem specification
> for the final commit.

Are you talking about medaitek or is there another typo?


> Regards,
> Markus



-- 
Luiz Augusto von Dentz

Re: [PATCH RESEND] Bluetooth: btusb: medaitek: fix double free of skb in coredump

[patchwork-bot+bluetooth]

Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Wed, 17 Apr 2024 16:27:38 -0700 you wrote:
> From: Sean Wang <sean.wang@mediatek.com>
> 
> hci_devcd_append() would free the skb on error so the caller don't
> have to free it again otherwise it would cause the double free of skb.
> 
> Fixes: 0b7015132878 ("Bluetooth: btusb: mediatek: add MediaTek devcoredump support")
> Reported-by : Dan Carpenter <dan.carpenter@linaro.org>
> Signed-off-by: Sean Wang <sean.wang@mediatek.com>
> 
> [...]

Here is the summary with links:
  - [RESEND] Bluetooth: btusb: medaitek: fix double free of skb in coredump
    https://git.kernel.org/bluetooth/bluetooth-next/c/6764ab72237d

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html

Re: Bluetooth: btusb: medaitek: fix double free of skb in coredump

[Markus Elfring]

>> I hope that a typo will be avoided in the subsystem specification
>> for the final commit.
>
> Are you talking about medaitek

Yes.

Do you prefer references for mediatek here?


> or is there another typo?

Not yet.

Regards,
Markus