Message ID | 1511359397-25523-1-git-send-email-loic.poulain@linaro.org |
---|---|
State | Accepted |
Commit | 76e5fc687e9875140e256914d043f18885770919 |
Series | Bluetooth: btqcomsmd: Fix skb double free corruption |

Hi Loic,

> In case of hci send frame failure, skb is still owned
> by the caller (hci_core) and then should not be freed.
>
> This fixes crash on dragonboard-410c when sending SCO
> packet. skb is freed by both btqcomsmd and hci_core.
>
> Fixes: 1511cc750c3d ("Bluetooth: Introduce Qualcomm WCNSS SMD based HCI driver")
> Signed-off-by: Loic Poulain <loic.poulain@linaro.org>
> ---
> drivers/bluetooth/btqcomsmd.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)

patch has been applied to bluetooth-next tree.

Regards

Marcel

--
To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

diff --git a/drivers/bluetooth/btqcomsmd.c b/drivers/bluetooth/btqcomsmd.c index 663bed6..2c9a5fc 100644 --- a/drivers/bluetooth/btqcomsmd.c +++ b/drivers/bluetooth/btqcomsmd.c @@ -88,7 +88,8 @@ static int btqcomsmd_send(struct hci_dev *hdev, struct sk_buff *skb) break; } - kfree_skb(skb); + if (!ret) + kfree_skb(skb); return ret; }
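
Review bot: The new `if (!ret)` guard in front of `kfree_skb(skb)` at the end of btqcomsmd_send() encodes an ownership rule that the code itself never states, so the next edit to this function could easily reintroduce the double free. A one-line comment above the guard would help, for example `/* on error the caller (hci_core) still owns skb and frees it */`. Because the free now runs only when `ret` is zero, i.e. after a successful send, `consume_skb(skb)` would also describe the intent better than `kfree_skb(skb)`, which drop tracing reports as a dropped packet. The guard is only correct if every failing branch of the block that ends at `break; }` leaves a non-zero value in `ret`; those branches are outside the visible context and are worth checking before relying on it.
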
In case of hci send frame failure, skb is still owned
by the caller (hci_core) and then should not be freed.

This fixes crash on dragonboard-410c when sending SCO
packet. skb is freed by both btqcomsmd and hci_core.

Fixes: 1511cc750c3d ("Bluetooth: Introduce Qualcomm WCNSS SMD based HCI driver")
Signed-off-by: Loic Poulain <loic.poulain@linaro.org>
---
 drivers/bluetooth/btqcomsmd.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--
2.7.4