[PATCH openEuler-22.03-LTS-SP1] Bluetooth: hci_core: Fix leaking sent_cmd skb

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> mainline inclusion from mainline-v5.17-rc7 commit dd3b1dc3dd050f1f47cd13e300732852414270f8 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IADGRH CVE: CVE-2022-48844 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... --------------------------- sent_cmd memory is not freed before freeing hci_dev causing it to leak it contents. Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Conflicts: net/bluetooth/hci_core.c [Only backport e04480920d1ee. Did not backport 58ce6d5b271ab, e61fbee7be4b.] Signed-off-by: Liu Jian <liujian56@huawei.com> --- net/bluetooth/hci_core.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c index 2227b5abc988..3bcb5c760b26 100644 --- a/net/bluetooth/hci_core.c +++ b/net/bluetooth/hci_core.c @@ -3898,6 +3898,7 @@ void hci_cleanup_dev(struct hci_dev *hdev) hci_dev_unlock(hdev); ida_simple_remove(&hci_index_ida, hdev->id); + kfree_skb(hdev->sent_cmd); } /* Suspend HCI device */ -- 2.34.1
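
Review bot: the added kfree_skb(hdev->sent_cmd) at the end of hci_cleanup_dev() leaves hdev->sent_cmd pointing at the freed skb, and the free runs after hci_dev_unlock(hdev) rather than under the lock. If any path can still read hdev->sent_cmd after this function returns, or if hci_cleanup_dev() can run twice for the same hdev, the result is a use-after-free or double free instead of a leak. Consider clearing the pointer immediately after the free (hdev->sent_cmd = NULL;), or state in the commit message why no later reader exists. The Conflicts note lists which commits were and were not backported but not what was changed relative to the mainline commit named in the header; one sentence on that would make the backport easier to audit.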

FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/10244 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/X...