Commit a79e0742 authored by Luiz Augusto von Dentz, committed by Liu Jian

Bluetooth: hci_core: Fix leaking sent_cmd skb

mainline inclusion
from mainline-v5.17-rc7
commit dd3b1dc3
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IADGRH
CVE: CVE-2022-48844

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=dd3b1dc3dd050f1f47cd13e300732852414270f8



---------------------------

sent_cmd memory is not freed before freeing hci_dev causing it to leak
its contents.

Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

Conflicts:
	net/bluetooth/hci_core.c
[Only backport e0448092.
Did not backport 58ce6d5b, e61fbee7.]
Signed-off-by: Liu Jian <liujian56@huawei.com>
parent c9155daa
+1 −0
@@ -3902,6 +3902,7 @@ void hci_cleanup_dev(struct hci_dev *hdev)
	hci_dev_unlock(hdev);

	ida_simple_remove(&hci_index_ida, hdev->id);
	kfree_skb(hdev->sent_cmd);
}

/* Suspend HCI device */
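
Review bot: The kfree_skb(hdev->sent_cmd) call at the end of hci_cleanup_dev() leaves hdev->sent_cmd pointing at the freed skb, and it runs after hci_dev_unlock(hdev), so nothing in this hunk stops a later reader of sent_cmd from touching freed memory or a second cleanup pass from freeing it twice. Consider following the free with `hdev->sent_cmd = NULL;`, and state in the commit message why no command work or timeout handler can still reference sent_cmd once hci_cleanup_dev() is reached. The Conflicts note records which commits were and were not backported but does not explain why the free belongs in this function in this tree; one sentence on that would help whoever audits the CVE-2022-48844 backport. No NULL check is needed before the call, since kfree_skb() accepts a NULL pointer.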