From: Luiz Augusto von Dentz luiz.von.dentz@intel.com
mainline inclusion from mainline-v5.17-rc7 commit dd3b1dc3dd050f1f47cd13e300732852414270f8 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IADGRH CVE: CVE-2022-48844
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
---------------------------
sent_cmd memory is not freed before freeing hci_dev causing it to leak it contents.
Signed-off-by: Luiz Augusto von Dentz luiz.von.dentz@intel.com Signed-off-by: Marcel Holtmann marcel@holtmann.org
Conflicts: net/bluetooth/hci_core.c [Only backport e04480920d1ee. Did not backport 58ce6d5b271ab, e61fbee7be4b.] Signed-off-by: Liu Jian liujian56@huawei.com --- net/bluetooth/hci_core.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c index b9cf5bc9364c..18aae3d8b59d 100644 --- a/net/bluetooth/hci_core.c +++ b/net/bluetooth/hci_core.c @@ -3902,6 +3902,7 @@ void hci_cleanup_dev(struct hci_dev *hdev) hci_dev_unlock(hdev);
ida_simple_remove(&hci_index_ida, hdev->id); + kfree_skb(hdev->sent_cmd); }
/* Suspend HCI device */
反馈: 您发送到kernel@openeuler.org的补丁/补丁集,已成功转换为PR! PR链接地址: https://gitee.com/openeuler/kernel/pulls/10245 邮件列表地址:https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/6...
FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/10245 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/6...