From 9afee94939e3eda4c8bf239f7727cb56e158c976 Mon Sep 17 00:00:00 2001 From: Frederic Dalleau Date: Tue, 23 Aug 2016 07:59:19 +0200 Subject: Bluetooth: Fix memory leak at end of hci requests MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In hci_req_sync_complete the event skb is referenced in hdev->req_skb. It is used (via hci_req_run_skb) from either __hci_cmd_sync_ev which will pass the skb to the caller, or __hci_req_sync which leaks. unreferenced object 0xffff880005339a00 (size 256): comm "kworker/u3:1", pid 1011, jiffies 4294671976 (age 107.389s) backtrace: [] kmemleak_alloc+0x49/0xa0 [] kmem_cache_alloc+0x128/0x180 [] skb_clone+0x4f/0xa0 [] hci_event_packet+0xc1/0x3290 [] hci_rx_work+0x18b/0x360 [] process_one_work+0x14a/0x440 [] worker_thread+0x43/0x4d0 [] kthread+0xc4/0xe0 [] ret_from_fork+0x1f/0x40 [] 0xffffffffffffffff Signed-off-by: Frédéric Dalleau Signed-off-by: Marcel Holtmann --- net/bluetooth/hci_request.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/bluetooth/hci_request.c b/net/bluetooth/hci_request.c index c045b3c54768..b0e23dfc5c34 100644 --- a/net/bluetooth/hci_request.c +++ b/net/bluetooth/hci_request.c @@ -262,6 +262,8 @@ int __hci_req_sync(struct hci_dev *hdev, int (*func)(struct hci_request *req, break; } + kfree_skb(hdev->req_skb); + hdev->req_skb = NULL; hdev->req_status = hdev->req_result = 0; BT_DBG("%s end: err %d", hdev->name, err); -- cgit v1.2.3