CVE-2022-49908

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 01/05/2025
Last modified: 07/05/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix memory leak in vhci_write

Syzkaller reports a memory leak as follows:
====================================
BUG: memory leak
unreferenced object 0xffff88810d81ac00 (size 240):
[...]
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[] __alloc_skb+0x1f9/0x270 net/core/skbuff.c:418
[] alloc_skb include/linux/skbuff.h:1257 [inline]
[] bt_skb_alloc include/net/bluetooth/bluetooth.h:469 [inline]
[] vhci_get_user drivers/bluetooth/hci_vhci.c:391 [inline]
[] vhci_write+0x5f/0x230 drivers/bluetooth/hci_vhci.c:511
[] call_write_iter include/linux/fs.h:2192 [inline]
[] new_sync_write fs/read_write.c:491 [inline]
[] vfs_write+0x42d/0x540 fs/read_write.c:578
[] ksys_write+0x9d/0x160 fs/read_write.c:631
[] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
[] entry_SYSCALL_64_after_hwframe+0x63/0xcd
====================================

HCI core uses hci_rx_work() to process frames, which are queued to the hdev->rx_q tail in hci_recv_frame() by the HCI driver.

Yet the problem is that HCI core may not free the skb after handling ACL data packets. To be more specific, when the start fragment does not contain the L2CAP length, HCI core just copies the skb into conn->rx_skb and finishes frame processing in l2cap_recv_acldata(), without freeing the skb, which triggers the above memory leak.

This patch solves it by releasing the relative skb after processing the above case in l2cap_recv_acldata().
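As an added example (not the kernel's code), a stand-alone C model of the ownership mistake described above: a start fragment too short to carry the L2CAP length is copied into conn->rx_skb, and the receive path must then release the input skb it copied from. struct skb, struct conn, recv_acldata and leaked_after are simplified hypothetical stand-ins; the live_skbs counter plays the role of the leak detector.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define ACL_START      0x02   /* first fragment of an ACL frame */
#define L2CAP_LEN_SIZE 2      /* bytes needed to read the L2CAP length */

/* Hypothetical stand-ins for the kernel's sk_buff and l2cap_conn. */
struct skb  { size_t len; uint8_t data[16]; };
struct conn { struct skb *rx_skb; size_t rx_len; };
static int live_skbs;  /* outstanding allocations; a leak shows up here */

static struct skb *skb_alloc(const uint8_t *p, size_t n) {
    struct skb *s = calloc(1, sizeof *s);
    if (!s) abort();
    s->len = n; memcpy(s->data, p, n); live_skbs++;
    return s;
}

static void skb_free(struct skb *s) {
    if (s) { free(s); live_skbs--; }
}

/* Model of the start-fragment path in l2cap_recv_acldata(). With fix == 0 the
   too-short start fragment is copied into conn->rx_skb and the function returns
   without releasing the input skb (the CVE-2022-49908 leak); fix == 1 frees it. */
static void recv_acldata(struct conn *c, struct skb *s, int flags, int fix) {
    if (flags == ACL_START && s->len < L2CAP_LEN_SIZE) {
        skb_free(c->rx_skb);                     /* drop any stale partial frame */
        c->rx_skb = skb_alloc(s->data, s->len);  /* stash a copy, wait for more */
        c->rx_len = L2CAP_LEN_SIZE - s->len;
        if (fix)
            skb_free(s);   /* fixed: the copy owns the data, release the input */
        return;            /* unfixed: s is never freed */
    }
    skb_free(s);  /* other paths are out of scope for this model */
}

/* Feed n one-byte start fragments, tear down, and report skbs still allocated. */
int leaked_after(int n, int fix) {
    struct conn c = {0};
    uint8_t byte = 0x00;   /* constructed sample payload */
    for (int i = 0; i < n; i++)
        recv_acldata(&c, skb_alloc(&byte, 1), ACL_START, fix);
    skb_free(c.rx_skb);    /* connection teardown frees the stashed copy */
    int leaked = live_skbs;
    live_skbs = 0;
    return leaked;
}
```

Each short start fragment leaks exactly one skb on the unfixed path, so the leak grows with every frame written; the fixed path leaves nothing outstanding after teardown.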

Vulnerable products and versions

CPE                                              From              Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.12 (including)  5.15.78 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.16 (including)  6.0.8 (excluding)
cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc3:*:*:*:*:*:*