From dc3ff8b6abfc6c3f19d5753b7aa51bce76f10aea Mon Sep 17 00:00:00 2001 From: Luiz Augusto von Dentz Date: Mon, 22 Jul 2024 14:43:02 +0800 Subject: [PATCH] Bluetooth: hci_core: Fix leaking sent_cmd skb mainline inclusion from mainline-v5.17-rc7 commit dd3b1dc3dd050f1f47cd13e300732852414270f8 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IADGRH CVE: CVE-2022-48844 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=dd3b1dc3dd050f1f47cd13e300732852414270f8 --------------------------- sent_cmd memory is not freed before freeing hci_dev causing it to leak it contents. Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Marcel Holtmann Conflicts: net/bluetooth/hci_core.c [Only backport e04480920d1ee. Did not backport 58ce6d5b271ab, e61fbee7be4b.] Signed-off-by: Liu Jian
---
 net/bluetooth/hci_core.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 2227b5abc988..3bcb5c760b26 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -3898,6 +3898,7 @@ void hci_cleanup_dev(struct hci_dev *hdev)
 hci_dev_unlock(hdev);
 ida_simple_remove(&hci_index_ida, hdev->id);
+ kfree_skb(hdev->sent_cmd);
 }
 /* Suspend HCI device */
-- Gitee
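Review bot: The added `kfree_skb(hdev->sent_cmd);` at the end of hci_cleanup_dev leaves `hdev->sent_cmd` pointing at the freed skb, and it runs after `hci_dev_unlock(hdev)`. The rest of the function and the other users of sent_cmd are outside this hunk, so it cannot be confirmed here that nothing frees or reads that pointer again on this hdev; if something does, the leak fix becomes a double free or use-after-free. Clearing the pointer right after the free makes the cleanup idempotent: `kfree_skb(hdev->sent_cmd);` followed by `hdev->sent_cmd = NULL;`. A short comment such as `/* drop the last queued command; no cmd work may run past this point */` would also record the ordering assumption this backport relies on.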