Commit bfa9d289 authored May 21, 2026 by Pavitra Jha Committed by Luiz Augusto von Dentz May 27, 2026

Bluetooth: hci_conn: Fix memory leak in hci_le_big_terminate()

hci_le_big_terminate() allocates iso_list_data via kzalloc_obj but
returns 0 without freeing it when neither pa_sync_term nor big_sync_term
flags are set after evaluating the PA and BIG sync connection state.

This early-return path was introduced when hci_le_big_terminate() was
refactored to take struct hci_conn instead of raw u8 parameters, adding
PA/BIG flag evaluation logic. The existing kfree() on hci_cmd_sync_queue
failure does not cover this path.

Fixes: a7bcffc6 ("Bluetooth: Add PA_LINK to distinguish BIG sync and PA sync connections")
Cc: stable@vger.kernel.org
Signed-off-by: Pavitra Jha <jhapavitra98@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

parent ab151359

net/bluetooth/hci_conn.c

+3 −1

Original line number	Diff line number	Diff line
		@@ -870,8 +870,10 @@ static int hci_le_big_terminate(struct hci_dev hdev, struct hci_conn conn)
		d->big_sync_term = true;
		}

		if (!d->pa_sync_term && !d->big_sync_term)
		if (!d->pa_sync_term && !d->big_sync_term) {
		kfree(d);
		return 0;
		}

		ret = hci_cmd_sync_queue(hdev, big_terminate_sync, d,
		terminate_big_destroy);