From patchwork Wed Nov 22 14:03:17 2017
X-Patchwork-Submitter: Loic Poulain
X-Patchwork-Id: 119490
From: Loic Poulain
To: marcel@holtmann.org, johan.hedberg@gmail.com
Cc: linux-bluetooth@vger.kernel.org, Loic Poulain
Subject: [PATCH] Bluetooth: btqcomsmd: Fix skb double free corruption
Date: Wed, 22 Nov 2017 15:03:17 +0100
Message-Id: <1511359397-25523-1-git-send-email-loic.poulain@linaro.org>
X-Mailing-List: linux-bluetooth@vger.kernel.org

In case of hci send frame failure, skb is still owned by the caller (hci_core) and then should not be freed. This fixes crash on dragonboard-410c when sending SCO packet. skb is freed by both btqcomsmd and hci_core.

Fixes: 1511cc750c3d ("Bluetooth: Introduce Qualcomm WCNSS SMD based HCI driver")
Signed-off-by: Loic Poulain
---
 drivers/bluetooth/btqcomsmd.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/bluetooth/btqcomsmd.c b/drivers/bluetooth/btqcomsmd.c index 663bed6..2c9a5fc 100644 --- a/drivers/bluetooth/btqcomsmd.c +++ b/drivers/bluetooth/btqcomsmd.c @@ -88,7 +88,8 @@ static int btqcomsmd_send(struct hci_dev *hdev, struct sk_buff *skb) break; } - kfree_skb(skb); + if (!ret) + kfree_skb(skb); return ret; }
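
Review bot: The new "if (!ret)" guard in front of kfree_skb(skb) at the end of btqcomsmd_send() encodes an ownership rule that the code itself does not state: the driver consumes the skb only on success, and on any non-zero ret the skb stays with hci_core, which frees it. A one-line comment above the check saying so would keep a later cleanup from restoring the unconditional free and bringing the double free back. Since the free now runs only after a successful send, consume_skb(skb) would fit better than kfree_skb(skb), so that drop tracing does not report delivered frames as drops. Because the previous behaviour frees the same skb twice on a send failure, consider a stable tag next to the Fixes: line so the fix reaches kernels that carry 1511cc750c3d.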