Bluetooth: Fix memory leak in le_scan_disable_work_complete()

The hci_request in le_scan_disable_work_complete() was being initialized
in a general context but only used in a specific branch in the function
(when simultaneous discovery is not supported). This patch moves the
usage to be limited to the branch where hci_req_run() is actually
called.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 773f216..17f52a1 100644 (file)
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -2874,7 +2874,6 @@ static void le_scan_disable_work_complete(struct hci_dev *hdev, u8 status,
 {
        /* General inquiry access code (GIAC) */
        u8 lap[3] = { 0x33, 0x8b, 0x9e };
-       struct hci_request req;
        struct hci_cp_inquiry cp;
        int err;
 
@@ -2893,13 +2892,6 @@ static void le_scan_disable_work_complete(struct hci_dev *hdev, u8 status,
                break;
 
        case DISCOV_TYPE_INTERLEAVED:
-               hci_req_init(&req, hdev);
-
-               memset(&cp, 0, sizeof(cp));
-               memcpy(&cp.lap, lap, sizeof(cp.lap));
-               cp.length = DISCOV_INTERLEAVED_INQUIRY_LEN;
-               hci_req_add(&req, HCI_OP_INQUIRY, sizeof(cp), &cp);
-
                hci_dev_lock(hdev);
 
                if (test_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY,
@@ -2914,8 +2906,17 @@ static void le_scan_disable_work_complete(struct hci_dev *hdev, u8 status,
                                hci_discovery_set_state(hdev,
                                                        DISCOVERY_STOPPED);
                } else {
+                       struct hci_request req;
+
                        hci_inquiry_cache_flush(hdev);
 
+                       hci_req_init(&req, hdev);
+
+                       memset(&cp, 0, sizeof(cp));
+                       memcpy(&cp.lap, lap, sizeof(cp.lap));
+                       cp.length = DISCOV_INTERLEAVED_INQUIRY_LEN;
+                       hci_req_add(&req, HCI_OP_INQUIRY, sizeof(cp), &cp);
+
                        err = hci_req_run(&req, inquiry_complete);
                        if (err) {
                                BT_ERR("Inquiry request failed: err %d", err);