Bluetooth: hci_bcsp: Fix memory leak in rx_skb [Linux 4.9.187]

This Linux kernel change "Bluetooth: hci_bcsp: Fix memory leak in rx_skb" is included in the Linux 4.9.187 release. This change is authored by Tomas Bortoli <tomasbortoli [at]> on Tue May 28 15:42:58 2019 +0200. The commit for this change in Linux stable tree is fa729a3 (patch) which is from upstream commit 4ce9146. The same Linux upstream change may have been applied to various maintained Linux releases and you can find all Linux releases containing changes from upstream 4ce9146.

Bluetooth: hci_bcsp: Fix memory leak in rx_skb

[ Upstream commit 4ce9146e0370fcd573f0372d9b4e5a211112567c ]

Syzkaller found that it is possible to provoke a memory leak by
never freeing rx_skb in struct bcsp_struct.

Fix by freeing in bcsp_close()

Signed-off-by: Tomas Bortoli <>
Signed-off-by: Marcel Holtmann <>
Signed-off-by: Sasha Levin <>

There are 5 lines of Linux source code added/deleted in this change. Code changes to Linux kernel are as follows.

 drivers/bluetooth/hci_bcsp.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/bluetooth/hci_bcsp.c b/drivers/bluetooth/hci_bcsp.c
index a2c921f..34e04bf 100644
--- a/drivers/bluetooth/hci_bcsp.c
+++ b/drivers/bluetooth/hci_bcsp.c
@@ -759,6 +759,11 @@ static int bcsp_close(struct hci_uart *hu)

+   if (bcsp->rx_skb) {
+       kfree_skb(bcsp->rx_skb);
+       bcsp->rx_skb = NULL;
+   }
    return 0;

Leave a Reply

Your email address will not be published. Required fields are marked *