Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk

[Edward Adam Davis]

#syz test

diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 6e76798ec786..84a57a79a025 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -177,8 +177,17 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 					       hdev->req_status != HCI_REQ_PEND,
 					       timeout);
 
-	if (err == -ERESTARTSYS)
-		return ERR_PTR(-EINTR);
+	if (err == -ERESTARTSYS || !err) {
+		if (err)
+			err = -EINTR;
+		else
+			err = -ETIMEDOUT;
+
+		flush_work(&hdev->cmd_work);
+		skb_queue_purge(&hdev->cmd_q);
+
+		return ERR_PTR(err);
+	}
 
 	switch (hdev->req_status) {
 	case HCI_REQ_DONE: