Re: [PATCH] Bluetooth: hci_conn_failed: Fixes memory leak

From: Yuran Pereira
Date: Tue Oct 10 2023 - 10:43:36 EST


Hello Luiz,

Thanks for the reply.

I just took another look at hci_abort_conn_sync, which is where hci_conn_failed is being called, and, as you suggested, hci_conn_failed is in fact being called with a status of 0. So my previous patch might in fact be inaccurate.

By the time hci_conn_failed is called, the value of "err" within hci_conn_abort_sync can also be 0, so using bt_status(err) as status is not going to solve the issue.
I am considering using one of the HCI_ERROR_ values, but I am not exactly sure which is the most appropriate in this specific situation.

Perhaps HCI_ERROR_UNSPECIFIED?

Something like:
- hci_conn_failed(conn, reason);
+ hci_conn_failed(conn, HCI_ERROR_UNSPECIFIED);
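Review bot: Hard-coding HCI_ERROR_UNSPECIFIED here discards whatever `reason` the caller of hci_abort_conn_sync passed in; since the problem described above is only that the value reaching hci_conn_failed can be 0, a narrower change is to substitute only in that case, e.g. `hci_conn_failed(conn, reason ? reason : HCI_ERROR_UNSPECIFIED);`, so that a genuine non-zero reason still reaches hci_connect_cfm and the callers that already pass a valid error code are unaffected.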

So, would you suggest going with this solution, or do you think the issue might be originating earlier in the call sequence and I should pay more attention to conn->reason?

Thanks,

Yuran Pereira

On 10/10/23 01:20, Luiz Augusto von Dentz wrote:
Hi Yuran,

On Sat, Oct 7, 2023 at 10:39 AM Yuran Pereira <yuran.pereira@xxxxxxxxxxx> wrote:
Hello Greg,
My apologies, I just noticed that my patch is based on the mainline tree. I'll re-submit one based on the Bluetooth tree and make sure to include the commit id that it fixes.

Thanks,
Yuran Pereira
________________________________
From: Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx>
Sent: 7 October 2023 11:41
To: Yuran Pereira <yuran.pereira@xxxxxxxxxxx>
Cc: marcel@xxxxxxxxxxxx <marcel@xxxxxxxxxxxx>; johan.hedberg@xxxxxxxxx <johan.hedberg@xxxxxxxxx>; linux-kernel@xxxxxxxxxxxxxxx <linux-kernel@xxxxxxxxxxxxxxx>; linux-bluetooth@xxxxxxxxxxxxxxx <linux-bluetooth@xxxxxxxxxxxxxxx>; luiz.dentz@xxxxxxxxx <luiz.dentz@xxxxxxxxx>; syzbot+39ec16ff6cc18b1d066d@xxxxxxxxxxxxxxxxxxxxxxxxx <syzbot+39ec16ff6cc18b1d066d@xxxxxxxxxxxxxxxxxxxxxxxxx>; linux-kernel-mentees@xxxxxxxxxxxxxxxxxxxxxxxxx <linux-kernel-mentees@xxxxxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [PATCH] Bluetooth: hci_conn_failed: Fixes memory leak

On Sat, Oct 07, 2023 at 05:09:01PM +0530, Yuran Pereira wrote:
The hci_conn_failed() function currently calls hci_connect_cfm(), which
indirectly leads to the allocation of an l2cap_conn struct in l2cap_conn_add().
This operation results in a memory leak, as the l2cap_conn structure
becomes unreferenced.

To address this issue and prevent the memory leak, this patch modifies
hci_conn_failed() to replace the call to hci_connect_cfm() with a
call to hci_disconn_cfm().

I suspect this is not quite right: hci_disconn_cfm is called when a
disconnection has been requested, while hci_connect_cfm is correct here
since it is meant to notify the result of the connection request procedure,
so I can only assume that the culprit is that hci_conn_failed is
called with status 0, which is invalid and needs fixing.

Reported-by: syzbot+39ec16ff6cc18b1d066d@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Yuran Pereira <yuran.pereira@xxxxxxxxxxx>
---
net/bluetooth/hci_conn.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

What commit id does this fix?

thanks,

greg k-h
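To make the mechanism behind the leak and the proposed fix concrete, here is an added example that is not part of this thread and not kernel code. It is a small user-space model of the status handling the thread discusses: a stand-in for l2cap_connect_cfm() that allocates L2CAP state when the status it receives is 0 and tears it down otherwise, a stand-in for hci_conn_failed() that forwards the status to it, and a helper, abort_status(), that maps a 0 reason to HCI_ERROR_UNSPECIFIED while preserving any non-zero reason (the model_ prefixed names, the counting of live objects and the reason-preserving variant of the substitution are assumptions made for the example; HCI_ERROR_UNSPECIFIED is 0x1f as in include/net/bluetooth/hci.h).

```c
/* Added example, not kernel code: a user-space model of why calling the
 * connection-failed path with status 0 leaks L2CAP state, and what a
 * non-zero substitute status changes. Names with a model_ prefix are
 * simplified stand-ins for the kernel functions of the same name. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Same value as in include/net/bluetooth/hci.h. */
#define HCI_ERROR_UNSPECIFIED 0x1f

struct l2cap_conn {
    int refcnt; /* placeholder state; the real struct is much larger */
};

struct hci_conn {
    struct l2cap_conn *l2cap_data; /* mirrors hcon->l2cap_data */
};

/* Number of l2cap_conn objects currently allocated in the model.
 * A non-zero value after the connection is torn down is the leak. */
static int live_l2cap_conns;

/* Stand-in for l2cap_conn_add(): allocate L2CAP state for a link. */
static struct l2cap_conn *model_l2cap_conn_add(struct hci_conn *hcon)
{
    if (hcon->l2cap_data)
        return hcon->l2cap_data;

    struct l2cap_conn *conn = calloc(1, sizeof(*conn));
    if (!conn)
        return NULL;

    conn->refcnt = 1;
    hcon->l2cap_data = conn;
    live_l2cap_conns++;
    return conn;
}

/* Stand-in for l2cap_conn_del(): release the L2CAP state, if any. */
static void model_l2cap_conn_del(struct hci_conn *hcon)
{
    if (!hcon->l2cap_data)
        return;
    free(hcon->l2cap_data);
    hcon->l2cap_data = NULL;
    live_l2cap_conns--;
}

/* Stand-in for l2cap_connect_cfm(): a status of 0 means "link is up",
 * so L2CAP state is created; any other status means the connection
 * attempt failed and existing state is dropped. */
static void model_l2cap_connect_cfm(struct hci_conn *hcon, uint8_t status)
{
    if (!status)
        model_l2cap_conn_add(hcon);
    else
        model_l2cap_conn_del(hcon);
}

/* Stand-in for hci_conn_failed(): notify the upper layer of the result.
 * Whatever L2CAP state survives this call is never freed by the caller,
 * because the hci_conn is about to be dropped. */
static void model_hci_conn_failed(struct hci_conn *conn, uint8_t status)
{
    model_l2cap_connect_cfm(conn, status);
}

/* Assumed helper for an abort path: never hand status 0 to the failure
 * notification, but keep a genuine non-zero reason as it is. */
static uint8_t abort_status(uint8_t reason)
{
    return reason ? reason : HCI_ERROR_UNSPECIFIED;
}

/* Run one aborted connection through the failure path with the given
 * status and return how many l2cap_conn objects are left behind. */
static int leaked_after_abort(uint8_t status)
{
    struct hci_conn conn = { .l2cap_data = NULL };

    live_l2cap_conns = 0;
    model_hci_conn_failed(&conn, status);
    int leaked = live_l2cap_conns;

    /* Release the model's own allocation so the process itself is clean. */
    model_l2cap_conn_del(&conn);
    return leaked;
}

int main(void)
{
    printf("status 0                 -> %d l2cap_conn leaked\n",
           leaked_after_abort(0));
    printf("status abort_status(0)   -> %d l2cap_conn leaked\n",
           leaked_after_abort(abort_status(0)));
    printf("status abort_status(0x16)-> reason kept as 0x%02x\n",
           abort_status(0x16));
    return 0;
}
```

The model reproduces the shape of the bug from the thread: a 0 status reaching the connect confirmation is read as success, L2CAP state is created for a link that is being torn down, and nothing frees it. It is not a claim about which status the merged kernel fix uses; it only shows why any non-zero value (HCI_ERROR_UNSPECIFIED when nothing better is known) avoids the allocation.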