Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Bluetooth: Fix invalid-free in bcsp_close()

Syzbot reported an invalid-free that I introduced fixing a memleak.

bcsp_recv() also frees bcsp->rx_skb but never nullifies its value.
Nullify bcsp->rx_skb every time it is freed.

Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
Reported-by: syzbot+a0d209a4676664613e76@syzkaller.appspotmail.com
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

authored by Tomas Bortoli and committed by Marcel Holtmann
cf94da6f 41d5b25f

drivers/bluetooth/hci_bcsp.c
··· 591 591 if (*ptr == 0xc0) { 592 592 BT_ERR("Short BCSP packet"); 593 593 kfree_skb(bcsp->rx_skb); 594 + bcsp->rx_skb = NULL; 594 595 bcsp->rx_state = BCSP_W4_PKT_START; 595 596 bcsp->rx_count = 0; 596 597 } else ··· 607 606 bcsp->rx_skb->data[2])) != bcsp->rx_skb->data[3]) { 608 607 BT_ERR("Error in BCSP hdr checksum"); 609 608 kfree_skb(bcsp->rx_skb); 609 + bcsp->rx_skb = NULL; 610 610 bcsp->rx_state = BCSP_W4_PKT_DELIMITER; 611 611 bcsp->rx_count = 0; 612 612 continue; ··· 632 630 bscp_get_crc(bcsp)); 633 631 634 632 kfree_skb(bcsp->rx_skb); 633 + bcsp->rx_skb = NULL; 635 634 bcsp->rx_state = BCSP_W4_PKT_DELIMITER; 636 635 bcsp->rx_count = 0; 637 636 continue;
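Review bot: each of the three hunks adds `bcsp->rx_skb = NULL;` directly after `kfree_skb(bcsp->rx_skb);`, which is the right shape for the fix, but the change is only complete if no other `kfree_skb(bcsp->rx_skb)` in hci_bcsp.c is left without the same reset; the commit message promises "every time it is freed", so the review should confirm that the three sites shown (short packet, header checksum error, payload CRC error) are the only frees of `rx_skb` in `bcsp_recv()` outside of the hunks. Since the same two-line pattern now appears three times next to the existing `rx_state`/`rx_count` resets, a small helper that frees and clears the pointer in one place would keep a future error path from reintroducing the invalid-free in `bcsp_close()`. The pre-existing `bscp_get_crc(bcsp)` in the third hunk's context is a misspelling of the driver name but is not touched by this patch and belongs in a separate cleanup.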