Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk

From: Edward Adam Davis
Date: Mon Nov 17 2025 - 22:56:25 EST

Next message: Selvarasu Ganesan: "Re: [PATCH v2] usb: dwc3: gadget: Prevent EPs resource conflict during StartTransfer"
Previous message: Stephen Rothwell: "linux-next: Tree for Nov 18"
In reply to: syzbot: "Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk"
Next in thread: syzbot: "Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

#syz test

diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 6e76798ec786..b04bd6e357e0 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -180,6 +180,7 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
if (err == -ERESTARTSYS)
return ERR_PTR(-EINTR);

+ printk("err: %d, status: %u, result: %u, %s\n", err, hdev->req_status, hdev->req_result, __func__);
switch (hdev->req_status) {
case HCI_REQ_DONE:
err = -bt_to_errno(hdev->req_result);
@@ -201,8 +202,10 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,

bt_dev_dbg(hdev, "end: err %d", err);

- if (err < 0) {
+ if (err <= 0) {
kfree_skb(skb);
+ if (!err)
+ err = -ETIMEDOUT;
return ERR_PTR(err);
}

Next message: Selvarasu Ganesan: "Re: [PATCH v2] usb: dwc3: gadget: Prevent EPs resource conflict during StartTransfer"
Previous message: Stephen Rothwell: "linux-next: Tree for Nov 18"
In reply to: syzbot: "Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk"
Next in thread: syzbot: "Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]