From patchwork Thu Mar 8 04:59:59 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sasha Levin X-Patchwork-Id: 130934 Delivered-To: patch@linaro.org Received: by 10.46.66.2 with SMTP id p2csp6033480lja; Wed, 7 Mar 2018 21:04:05 -0800 (PST) X-Google-Smtp-Source: AG47ELs9Ii+R5SSMYcpFza76C+4YED5ZpZ4iODtdWX2wEA22YEoNPdt1SYRzF15hmZ9cHDRcjyQI X-Received: by 2002:a17:902:a60d:: with SMTP id u13-v6mr22558167plq.165.1520485445639; Wed, 07 Mar 2018 21:04:05 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1520485445; cv=none; d=google.com; s=arc-20160816; b=OQAZPw4uzKkYryqq8jMfIq05/GOMzGu4aN/pQIWzMq0g8XwLy0Qxjx0gHheKSzOrqI a15Ip/vG+IBrhTsKT15JPnmh0m7o909XzdQm5Iw8reJfwpO075e7Q6hN9WkmYi+yoQWB oWmaurv+I3X+dbDVSYuZMq0bXSanCBCmsdQy1IwLcAvFfieY3DIRtX26xiNjIA+gIfaU qRUdkaCVng14rjhZhUEo9l8x6zyLLHFy8oxC2nmBiS+qCTrIlP6xpFm/vdSuguGzAVXf CuaX5s7gLKa2i7QoNS13oMCXIsEmnrw0XDjNYPAzp+Ye3mMjbIuxPLwRZyrzMGjOJTjm Y6uQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:content-transfer-encoding :spamdiagnosticmetadata:spamdiagnosticoutput:content-language :accept-language:in-reply-to:references:message-id:date:thread-index :thread-topic:subject:cc:to:from:dkim-signature :arc-authentication-results; bh=uyaf5HsN8Cd6P2drtdaUXJ/w8lDox6ZQWhmN3kmv+aM=; b=wr3xkY22XQe/mRMkztbmEW9VY8WkFqcC5G7BsIQYBx0SKvNbFqb/wGY56xTSjj0nGi ipE4QID0DO0+ijtkzworAimZwTDEOU5J315uCefsTqAQJyXpJPqB/g/fuuk4LMLM1IIw HOj4Y1Iblqbx68brxL/fnTOpNODvIhVlNgXO40w8WrpuGOtjbDZHQ9WIFc2Wynemg7TO J//MCDEwSjmrBnwT+EWQ61ZNXRtGX6hNYpgTZNY29S00PFbFwko/xnE2lUkiAeIRL5dY 9/ugQt03Pc7s/jwnK2tia59wHdfyIkopt5uGvBIAPd0sX4ACXjiBZzPpRyoD7Sva7DFh S6tw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@microsoft.com header.s=selector1 header.b=laQqHp2m; spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=microsoft.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j14si1936401pfn.150.2018.03.07.21.04.05; Wed, 07 Mar 2018 21:04:05 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@microsoft.com header.s=selector1 header.b=laQqHp2m; spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=microsoft.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S966096AbeCHFED (ORCPT + 10 others); Thu, 8 Mar 2018 00:04:03 -0500 Received: from mail-co1nam03on0092.outbound.protection.outlook.com ([104.47.40.92]:45512 "EHLO NAM03-CO1-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S966085AbeCHFEA (ORCPT ); Thu, 8 Mar 2018 00:04:00 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=uyaf5HsN8Cd6P2drtdaUXJ/w8lDox6ZQWhmN3kmv+aM=; b=laQqHp2mVQ+O55aomf+kGTlWdiGdSQpPdXWbXTpe5HcH8na2EYXXMhGfapdgFi6IxqAZSIzqzTB4K7IS4ia3NRrVFZebczFi6vqwnu8iy3tq0HP9r72ux96j6Qif82EujA4TNaRofV0209uWWg2Qzvn1312kJlSD8EWvBCNKBJo= Received: from DM5PR2101MB1032.namprd21.prod.outlook.com (52.132.128.13) by DM5PR2101MB0902.namprd21.prod.outlook.com (52.132.132.159) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.588.3; Thu, 8 Mar 2018 05:03:54 +0000 Received: from DM5PR2101MB1032.namprd21.prod.outlook.com ([fe80::8063:c68a:b210:7446]) by DM5PR2101MB1032.namprd21.prod.outlook.com ([fe80::8063:c68a:b210:7446%2]) with mapi id 15.20.0588.008; Thu, 8 Mar 2018 05:03:54 +0000 From: Sasha Levin To: "linux-kernel@vger.kernel.org" , "stable@vger.kernel.org" CC: Loic Poulain , Marcel Holtmann , Sasha Levin Subject: [PATCH AUTOSEL for 4.9 153/190] Bluetooth: btqcomsmd: Fix skb double free corruption Thread-Topic: [PATCH AUTOSEL for 4.9 153/190] Bluetooth: btqcomsmd: Fix skb double free corruption Thread-Index: AQHTtppPf4KU4wF3PUCx2PlgKImAqA== Date: Thu, 8 Mar 2018 04:59:59 +0000 Message-ID: <20180308045810.8041-153-alexander.levin@microsoft.com> References: <20180308045810.8041-1-alexander.levin@microsoft.com> In-Reply-To: <20180308045810.8041-1-alexander.levin@microsoft.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [52.168.54.252] x-ms-publictraffictype: Email x-microsoft-exchange-diagnostics: 1; DM5PR2101MB0902; 20:blq5u8zkCLigCyLgG28lsvZQGDG5IgCwBawLbAosm2eEmdp3gU4JwhSCeFTpinhftc4CgI0KNl+iQ9VA53n8YmvqBdHFVHx4d1zaTM6WLDqO9RjkAr9fze8FgRSy1mbTL9TSnUx5ZqGk34gaY8Ntie3tFK8DQACvI5O8eaAzdfo= x-ms-office365-filtering-ht: Tenant x-ms-office365-filtering-correlation-id: 99bff63e-2584-4623-4d7c-08d584b1fdf4 x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(48565401081)(5600026)(4604075)(3008032)(4534165)(4627221)(201703031133081)(201702281549075)(2017052603328)(7193020); SRVR:DM5PR2101MB0902; x-ms-traffictypediagnostic: DM5PR2101MB0902: authentication-results: spf=none (sender IP is ) smtp.mailfrom=Alexander.Levin@microsoft.com; x-microsoft-antispam-prvs: x-exchange-antispam-report-test: UriScan:(28532068793085)(89211679590171); x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(61425038)(6040501)(2401047)(5005006)(8121501046)(10201501046)(3002001)(3231220)(944501244)(52105095)(93006095)(93001095)(6055026)(61426038)(61427038)(6041288)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(20161123562045)(20161123564045)(20161123558120)(6072148)(201708071742011); SRVR:DM5PR2101MB0902; BCL:0; PCL:0; RULEID:; SRVR:DM5PR2101MB0902; x-forefront-prvs: 060503E79B x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(346002)(39860400002)(39380400002)(376002)(366004)(396003)(189003)(199004)(8936002)(81156014)(81166006)(7736002)(5250100002)(8676002)(99286004)(26005)(107886003)(186003)(2950100002)(106356001)(10090500001)(575784001)(305945005)(66066001)(97736004)(2501003)(86362001)(3846002)(3660700001)(72206003)(6436002)(1076002)(6486002)(5660300001)(54906003)(110136005)(68736007)(53936002)(14454004)(36756003)(25786009)(478600001)(10290500003)(6506007)(59450400001)(2900100001)(102836004)(76176011)(6512007)(22452003)(6116002)(316002)(4326008)(105586002)(86612001)(2906002)(3280700002)(22906009)(217873001); DIR:OUT; SFP:1102; SCL:1; SRVR:DM5PR2101MB0902; H:DM5PR2101MB1032.namprd21.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en; received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts) x-microsoft-antispam-message-info: Ktt4a4pd4T8l9B1CGJk3k4Cz29XTLyFeX4rE8JiufC5n/ErEYNRKDjFRSi+YD7Adr+pKANZyi/bbPYDPoz2cfA7VgldDxMpJUhnmXgCIbHFp2VUNxP5P+CzQZZov9aQ//ts1kB38jJOS2hqMYN2InwkSN2Mfz2B0V7wBpAyNfvh4dP2Ln1xs5DW+0XBRnyEF8J5A7hA+Z6nFbqohd0aLEU7TCosRqlhCXbnhbzv3toUzWvIL/gCfAiqB3gaANi1PB8reUdvQyW41AujyLJ38xxWbi940RO8i3thRxJg3zlE66OY3kkZyrKapL0bFTlUqWRqp0vvUkHZMgCy1NFKpcQ== spamdiagnosticoutput: 1:99 spamdiagnosticmetadata: NSPM MIME-Version: 1.0 X-OriginatorOrg: microsoft.com X-MS-Exchange-CrossTenant-Network-Message-Id: 99bff63e-2584-4623-4d7c-08d584b1fdf4 X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Mar 2018 04:59:59.8803 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47 X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR2101MB0902 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Loic Poulain [ Upstream commit 67b8fbead4685b36d290a0ef91c6ddffc4920ec9 ] In case of hci send frame failure, skb is still owned by the caller (hci_core) and then should not be freed. This fixes crash on dragonboard-410c when sending SCO packet. skb is freed by both btqcomsmd and hci_core. Fixes: 1511cc750c3d ("Bluetooth: Introduce Qualcomm WCNSS SMD based HCI driver") Signed-off-by: Loic Poulain Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin --- drivers/bluetooth/btqcomsmd.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) -- 2.14.1 diff --git a/drivers/bluetooth/btqcomsmd.c b/drivers/bluetooth/btqcomsmd.c index 08c2c93887c1..3aac78a5091b 100644 --- a/drivers/bluetooth/btqcomsmd.c +++ b/drivers/bluetooth/btqcomsmd.c @@ -85,7 +85,8 @@ static int btqcomsmd_send(struct hci_dev *hdev, struct sk_buff *skb) break; } - kfree_skb(skb); + if (!ret) + kfree_skb(skb); return ret; }