Bluetooth: purge error queues in socket destructors

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

When TX timestamping is enabled via SO_TIMESTAMPING, SKBs may be queued
into sk_error_queue and will stay there until consumed. If userspace never
gets to read the timestamps, or if the controller is removed unexpectedly,
these SKBs will leak.

Fix by adding skb_queue_purge() calls for sk_error_queue in affected
bluetooth destructors. RFCOMM does not currently use sk_error_queue.

Fixes: 134f4b39df7b ("Bluetooth: add support for skb TX SND/COMPLETION timestamping")
Reported-by: syzbot+7ff4013eabad1407b70a@syzkaller.appspotmail.com
Closes: https://syzbot.org/bug?extid=7ff4013eabad1407b70a
Cc: stable@vger.kernel.org
Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

authored by

Heitor Alves de Siqueira and committed by

Luiz Augusto von Dentz 3 months ago 21e4271e c28d2bff

4 changed files

expand all

net

bluetooth

hci_sock.c

iso.c

l2cap_sock.c

sco.c

net/bluetooth/hci_sock.c

··· 2166 2166 mgmt_cleanup(sk); 2167 2167 skb_queue_purge(&sk->sk_receive_queue); 2168 2168 skb_queue_purge(&sk->sk_write_queue); 2169 + skb_queue_purge(&sk->sk_error_queue); 2169 2170 } 2170 2171 2171 2172 static const struct proto_ops hci_sock_ops = {

net/bluetooth/iso.c

··· 746 746 747 747 skb_queue_purge(&sk->sk_receive_queue); 748 748 skb_queue_purge(&sk->sk_write_queue); 749 + skb_queue_purge(&sk->sk_error_queue); 749 750 } 750 751 751 752 static void iso_sock_cleanup_listen(struct sock *parent)

net/bluetooth/l2cap_sock.c

··· 1817 1817 1818 1818 skb_queue_purge(&sk->sk_receive_queue); 1819 1819 skb_queue_purge(&sk->sk_write_queue); 1820 + skb_queue_purge(&sk->sk_error_queue); 1820 1821 } 1821 1822 1822 1823 static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name,

net/bluetooth/sco.c

··· 470 470 471 471 skb_queue_purge(&sk->sk_receive_queue); 472 472 skb_queue_purge(&sk->sk_write_queue); 473 + skb_queue_purge(&sk->sk_error_queue); 473 474 } 474 475 475 476 static void sco_sock_cleanup_listen(struct sock *parent)

Configure Feed

Configure Feed