kernel/1281-bluetooth-hci-sync-fix-leaks-when-hci-cmd-sync-queue-once-fa.patch
Andrew Lukoshko f6916a8ae1 Recreate RHEL 6.12.0-211.20.1 from CS10/upstream backports
Add the RHEL 211.19.1..211.20.1 backports (1245-1287) from centos-stream-10 and
upstream, on top of 211.18.1, plus the dpll RHEL kABI adaptation (1287). RHEL now
ships the smb cifs.spnego fix too; the existing ahead-fix 1105 is byte-identical,
so RHEL's redundant copy is omitted. Bump to 211.20.1.
2026-06-07 00:04:20 +00:00


From 3eed784fc3a9e5477b2948a4fa33f6ce32c33319 Mon Sep 17 00:00:00 2001
From: David Marlin <dmarlin@redhat.com>
Date: Thu, 16 Apr 2026 00:04:46 -0500
Subject: [PATCH] Bluetooth: hci_sync: fix leaks when hci_cmd_sync_queue_once
fails
JIRA: https://issues.redhat.com/browse/RHEL-157827
commit aca377208e7f7322bf4e107cdec6e7d7e8aa7a88
Author: Pauli Virtanen <pav@iki.fi>
Date: Wed Mar 25 21:07:44 2026 +0200
Bluetooth: hci_sync: fix leaks when hci_cmd_sync_queue_once fails
When hci_cmd_sync_queue_once() returns with error, the destroy callback
will not be called.
Fix leaking references / memory on these failures.
Signed-off-by: Pauli Virtanen <pav@iki.fi>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: David Marlin <dmarlin@redhat.com>
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 6291e1ce61f4..cac7a8078795 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -7453,13 +7453,16 @@ int hci_le_read_remote_features(struct hci_conn *conn)
* role is possible. Otherwise just transition into the
* connected state without requesting the remote features.
*/
- if (conn->out || (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES))
+ if (conn->out || (hdev->le_features[0] & HCI_LE_PERIPHERAL_FEATURES)) {
err = hci_cmd_sync_queue_once(hdev,
hci_le_read_remote_features_sync,
hci_conn_hold(conn),
le_read_features_complete);
- else
+ if (err)
+ hci_conn_drop(conn);
+ } else {
err = -EOPNOTSUPP;
+ }
return (err == -EEXIST) ? 0 : err;
}
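Review bot: the reference is taken inside the argument list of the call in hci_le_read_remote_features(), as hci_conn_hold(conn), and released in the new "if (err)" branch, so the hold/drop pairing is easy to miss on a later edit. Consider taking the hold in its own statement before the call, or add a short comment on the "if (err)" noting that it also covers -EEXIST, which the return below maps to 0, since per the commit message the destroy callback is not run on any error return.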
@@ -7498,6 +7501,9 @@ int hci_acl_change_pkt_type(struct hci_conn *conn, u16 pkt_type)
err = hci_cmd_sync_queue_once(hdev, hci_change_conn_ptype_sync, cp,
pkt_type_changed);
+ if (err)
+ kfree(cp);
+
return (err == -EEXIST) ? 0 : err;
}
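Review bot: in hci_acl_change_pkt_type() the new "if (err) kfree(cp);" also runs for -EEXIST, which the following return reports to the caller as success. That matches the commit message, but it is not obvious from the code. A one-line comment stating that ownership of cp passes to the queued work only when hci_cmd_sync_queue_once() returns 0 would make the -EEXIST case explicit.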
@@ -7537,5 +7543,8 @@ int hci_le_set_phy(struct hci_conn *conn, u8 tx_phys, u8 rx_phys)
err = hci_cmd_sync_queue_once(hdev, hci_le_set_phy_sync, cp,
le_phy_update_complete);
+ if (err)
+ kfree(cp);
+
return (err == -EEXIST) ? 0 : err;
}
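Review bot: the "if (err) kfree(cp);" in hci_le_set_phy() repeats the cleanup added in hci_acl_change_pkt_type(), and both depend on hci_cmd_sync_queue_once() never invoking the destroy callback when it returns an error. That contract is stated only in the commit message. Documenting it at hci_cmd_sync_queue_once() would keep a future change there from turning these frees into double frees.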
--
2.50.1 (Apple Git-155)