Bluetooth: purge error queues in socket destructors

hrasiq · Vudentz · commit 21e4271e6509 · 2026-02-23T15:30:16.000-05:00
When TX timestamping is enabled via SO_TIMESTAMPING, SKBs may be queued into sk_error_queue and will stay there until consumed. If userspace never gets to read the timestamps, or if the controller is removed unexpectedly, these SKBs will leak. Fix by adding skb_queue_purge() calls for sk_error_queue in affected bluetooth destructors. RFCOMM does not currently use sk_error_queue. Fixes: 134f4b3 ("Bluetooth: add support for skb TX SND/COMPLETION timestamping") Reported-by: syzbot+7ff4013eabad1407b70a@syzkaller.appspotmail.com Closes: https://syzbot.org/bug?extid=7ff4013eabad1407b70a Cc: stable@vger.kernel.org Signed-off-by: Heitor Alves de Siqueira <halves@igalia.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
@@ -2166,6 +2166,7 @@ static void hci_sock_destruct(struct sock *sk)
 	mgmt_cleanup(sk);
 	skb_queue_purge(&sk->sk_receive_queue);
 	skb_queue_purge(&sk->sk_write_queue);
+	skb_queue_purge(&sk->sk_error_queue);
 }
 
 static const struct proto_ops hci_sock_ops = {
diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
@@ -746,6 +746,7 @@ static void iso_sock_destruct(struct sock *sk)
 
 	skb_queue_purge(&sk->sk_receive_queue);
 	skb_queue_purge(&sk->sk_write_queue);
+	skb_queue_purge(&sk->sk_error_queue);
 }
 
 static void iso_sock_cleanup_listen(struct sock *parent)
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
@@ -1817,6 +1817,7 @@ static void l2cap_sock_destruct(struct sock *sk)
 
 	skb_queue_purge(&sk->sk_receive_queue);
 	skb_queue_purge(&sk->sk_write_queue);
+	skb_queue_purge(&sk->sk_error_queue);
 }
 
 static void l2cap_skb_msg_name(struct sk_buff *skb, void *msg_name,
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
@@ -470,6 +470,7 @@ static void sco_sock_destruct(struct sock *sk)
 
 	skb_queue_purge(&sk->sk_receive_queue);
 	skb_queue_purge(&sk->sk_write_queue);
+	skb_queue_purge(&sk->sk_error_queue);
 }
 
 static void sco_sock_cleanup_listen(struct sock *parent)

Original file line number	Diff line number	Diff line change
`@@ -2166,6 +2166,7 @@ static void hci_sock_destruct(struct sock *sk)`
`2166`	`2166`	`mgmt_cleanup(sk);`
`2167`	`2167`	`skb_queue_purge(&sk->sk_receive_queue);`
`2168`	`2168`	`skb_queue_purge(&sk->sk_write_queue);`
	`2169`	`+ skb_queue_purge(&sk->sk_error_queue);`
`2169`	`2170`	`}`
`2170`	`2171`
`2171`	`2172`	`static const struct proto_ops hci_sock_ops = {`
Original file line number	Diff line number	Diff line change
`@@ -746,6 +746,7 @@ static void iso_sock_destruct(struct sock *sk)`
`746`	`746`
`747`	`747`	`skb_queue_purge(&sk->sk_receive_queue);`
`748`	`748`	`skb_queue_purge(&sk->sk_write_queue);`
	`749`	`+ skb_queue_purge(&sk->sk_error_queue);`
`749`	`750`	`}`
`750`	`751`
`751`	`752`	`static void iso_sock_cleanup_listen(struct sock *parent)`
Original file line number	Diff line number	Diff line change
`@@ -1817,6 +1817,7 @@ static void l2cap_sock_destruct(struct sock *sk)`
`1817`	`1817`
`1818`	`1818`	`skb_queue_purge(&sk->sk_receive_queue);`
`1819`	`1819`	`skb_queue_purge(&sk->sk_write_queue);`
	`1820`	`+ skb_queue_purge(&sk->sk_error_queue);`
`1820`	`1821`	`}`
`1821`	`1822`
`1822`	`1823`	`static void l2cap_skb_msg_name(struct sk_buff skb, void msg_name,`
Original file line number	Diff line number	Diff line change
`@@ -470,6 +470,7 @@ static void sco_sock_destruct(struct sock *sk)`
`470`	`470`
`471`	`471`	`skb_queue_purge(&sk->sk_receive_queue);`
`472`	`472`	`skb_queue_purge(&sk->sk_write_queue);`
	`473`	`+ skb_queue_purge(&sk->sk_error_queue);`
`473`	`474`	`}`
`474`	`475`
`475`	`476`	`static void sco_sock_cleanup_listen(struct sock *parent)`