Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 60c6a63

Browse files
Mark-YW.Chenholtmann
Mark-YW.Chen
authored and
holtmann
committed
Bluetooth: btusb: fix memory leak in btusb_mtk_submit_wmt_recv_urb()
Driver should free `usb->setup_packet` to avoid the leak. $ cat /sys/kernel/debug/kmemleak unreferenced object 0xffffffa564a58080 (size 128): backtrace: [<000000007eb8dd70>] kmem_cache_alloc_trace+0x22c/0x384 [<000000008a44191d>] btusb_mtk_hci_wmt_sync+0x1ec/0x994 [btusb] [<00000000ca7189a3>] btusb_mtk_setup+0x6b8/0x13cc [btusb] [<00000000c6105069>] hci_dev_do_open+0x290/0x974 [bluetooth] [<00000000a583f8b8>] hci_power_on+0xdc/0x3cc [bluetooth] [<000000005d80e687>] process_one_work+0x514/0xc80 [<00000000f4d57637>] worker_thread+0x818/0xd0c [<00000000dc7bdb55>] kthread+0x2f8/0x3b8 [<00000000f9999513>] ret_from_fork+0x10/0x30 Fixes: a1c49c4 ("Bluetooth: btusb: Add protocol support for MediaTek MT7668U USB devices") Signed-off-by: Mark-YW.Chen <[email protected]> Signed-off-by: Marcel Holtmann <[email protected]>
1 parent 75d9b85 commit 60c6a63

File tree

1 file changed

+5
-0
lines changed

1 file changed

+5
-0
lines changed

drivers/bluetooth/btusb.c

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2265,6 +2265,7 @@ static void btusb_mtk_wmt_recv(struct urb *urb)
22652265
skb = bt_skb_alloc(HCI_WMT_MAX_EVENT_SIZE, GFP_ATOMIC);
22662266
if (!skb) {
22672267
hdev->stat.err_rx++;
2268+
kfree(urb->setup_packet);
22682269
return;
22692270
}
22702271

@@ -2285,6 +2286,7 @@ static void btusb_mtk_wmt_recv(struct urb *urb)
22852286
data->evt_skb = skb_clone(skb, GFP_ATOMIC);
22862287
if (!data->evt_skb) {
22872288
kfree_skb(skb);
2289+
kfree(urb->setup_packet);
22882290
return;
22892291
}
22902292
}
@@ -2293,6 +2295,7 @@ static void btusb_mtk_wmt_recv(struct urb *urb)
22932295
if (err < 0) {
22942296
kfree_skb(data->evt_skb);
22952297
data->evt_skb = NULL;
2298+
kfree(urb->setup_packet);
22962299
return;
22972300
}
22982301

@@ -2303,6 +2306,7 @@ static void btusb_mtk_wmt_recv(struct urb *urb)
23032306
wake_up_bit(&data->flags,
23042307
BTUSB_TX_WAIT_VND_EVT);
23052308
}
2309+
kfree(urb->setup_packet);
23062310
return;
23072311
} else if (urb->status == -ENOENT) {
23082312
/* Avoid suspend failed when usb_kill_urb */
@@ -2323,6 +2327,7 @@ static void btusb_mtk_wmt_recv(struct urb *urb)
23232327
usb_anchor_urb(urb, &data->ctrl_anchor);
23242328
err = usb_submit_urb(urb, GFP_ATOMIC);
23252329
if (err < 0) {
2330+
kfree(urb->setup_packet);
23262331
/* -EPERM: urb is being killed;
23272332
* -ENODEV: device got disconnected
23282333
*/

0 commit comments

Comments
 (0)