lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <tencent_846463A4A44B1775777A26C7D36F8374C905@qq.com>
Date: Thu, 20 Nov 2025 22:54:47 +0800
From: Edward Adam Davis <eadavis@...com>
To: syzbot+f098d64cc684b8dbaf65@...kaller.appspotmail.com
Cc: linux-kernel@...r.kernel.org,
	syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk

#syz test

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 3418d7b964a1..62469dba9e63 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -1466,7 +1466,7 @@ static void hci_cmd_timeout(struct work_struct *work)
 	if (hdev->req_skb) {
 		u16 opcode = hci_skb_opcode(hdev->req_skb);
 
-		bt_dev_err(hdev, "command 0x%4.4x tx timeout", opcode);
+		bt_dev_err(hdev, "command 0x%4.4x skb: %p tx timeout", opcode, hdev->req_skb);
 
 		hci_cmd_sync_cancel_sync(hdev, ETIMEDOUT);
 	} else {
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 6e76798ec786..3d9c94a46c62 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -133,6 +133,8 @@ static int hci_req_sync_run(struct hci_request *req)
 		return -ENODATA;
 
 	skb = skb_peek_tail(&req->cmd_q);
+	printk("status: %u, result: %u, skb: %p, %s\n",
+		hdev->req_status, hdev->req_result, skb, __func__);
 	bt_cb(skb)->hci.req_complete_skb = hci_cmd_sync_complete;
 	bt_cb(skb)->hci.req_flags |= HCI_REQ_SKB;
 
@@ -201,18 +203,30 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 
 	bt_dev_dbg(hdev, "end: err %d", err);
 
+	printk("err: %d, status: %u, result: %u, skb: %p, %s\n",
+		err, hdev->req_status, hdev->req_result, skb, __func__);
 	if (err < 0) {
 		kfree_skb(skb);
-		return ERR_PTR(err);
+
+		goto out;
 	}
 
 	/* If command return a status event skb will be set to NULL as there are
 	 * no parameters.
 	 */
-	if (!skb)
-		return ERR_PTR(-ENODATA);
+	if (!skb) {
+		err = -ENODATA;
+		goto out;
+	}
 
 	return skb;
+
+out:
+	flush_work(&hdev->cmd_work);
+	skb_queue_purge(&hdev->cmd_q);
+
+	return ERR_PTR(err);
+
 }
 EXPORT_SYMBOL(__hci_cmd_sync_sk);

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ