[Bluez 00/13] Fixing memory leak, leaked_handle and use_after

[Bluez 00/13] Fixing memory leak, leaked_handle and use_after

[Gopal Tiwari]

From: Gopal Tiwari <gtiwari@redhat.com>

Following fixes are reported by coverity tool.  

Gopal Tiwari (13):
  Fixing memory leak issue in gatt.c
  Fixing memory leakage in appkey.c
  Fixing memory leak in jlink.c
  Fixing memory leak in sixaxis.c
  Fixing leaked_handle in cltest.c
  Fixing leaked_handle in create-image.c
  Fixing leaked_handle in l2cap-tester.c
  Fixing resource leak in mesh/mesh-db.c
  Fixing leaked_handle in obex-client-tool.c
  Fixing use after free in src/device.c
  Fixing memory leak in pbap.c
  Fixing possible use_after_free in meshctl.c
  Fixing use_after_free in prov-db.c

 client/gatt.c             | 11 ++++++++---
 mesh/appkey.c             |  8 ++++++--
 monitor/jlink.c           |  5 ++++-
 obexd/client/pbap.c       |  5 +++--
 plugins/sixaxis.c         |  9 +++++++--
 src/device.c              |  1 +
 tools/cltest.c            |  1 +
 tools/create-image.c      |  7 +++----
 tools/l2cap-tester.c      |  1 +
 tools/mesh-gatt/prov-db.c |  3 ++-
 tools/mesh/mesh-db.c      |  2 ++
 tools/meshctl.c           |  1 -
 tools/obex-client-tool.c  |  1 +
 13 files changed, 39 insertions(+), 16 deletions(-)

-- 
2.26.2

[Bluez V2 01/13] Fixing memory leak issue in gatt.c

[Gopal Tiwari]

From: Gopal Tiwari <gtiwari@redhat.com>

While performing the static tool analysis using coverity tool 
found following reports

Error: RESOURCE_LEAK (CWE-772):
bluez-5.64/client/gatt.c:1531: leaked_storage: Variable "service" 
going out of scope leaks the storage it points to.

Error: RESOURCE_LEAK (CWE-772):
bluez-5.64/client/gatt.c:2626: leaked_storage: Variable "chrc" 
going out of scope leaks the storage it points to.

Error: RESOURCE_LEAK (CWE-772):
bluez-5.64/client/gatt.c:2906: leaked_storage: Variable "desc" 
going out of scope leaks the storage it points to.

Fixing them.

Signed-off-by: Gopal Tiwari <gtiwari@redhat.com>
---
 client/gatt.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/client/gatt.c b/client/gatt.c
index 13872c794..4c1efaf75 100644
--- a/client/gatt.c
+++ b/client/gatt.c
@@ -1527,8 +1527,10 @@ void gatt_register_service(DBusConnection *conn, GDBusProxy *proxy,
 
 	if (argc > 2) {
 		service->handle = parse_handle(argv[2]);
-		if (!service->handle)
+		if (!service->handle) {
+			service_free(service);
 			return bt_shell_noninteractive_quit(EXIT_FAILURE);
+		}
 	}
 
 	if (g_dbus_register_interface(conn, service->path,
@@ -2622,8 +2624,10 @@ void gatt_register_chrc(DBusConnection *conn, GDBusProxy *proxy,
 
 	if (argc > 3) {
 		chrc->handle = parse_handle(argv[3]);
-		if (!chrc->handle)
+		if (!chrc->handle) {
+			chrc_free(chrc);
 			return bt_shell_noninteractive_quit(EXIT_FAILURE);
+		}
 	}
 
 	if (g_dbus_register_interface(conn, chrc->path, CHRC_INTERFACE,
@@ -2902,8 +2906,10 @@ void gatt_register_desc(DBusConnection *conn, GDBusProxy *proxy,
 
 	if (argc > 3) {
 		desc->handle = parse_handle(argv[3]);
-		if (!desc->handle)
+		if (!desc->handle) {
+			desc_free(desc);
 			return bt_shell_noninteractive_quit(EXIT_FAILURE);
+		}
 	}
 
 	if (g_dbus_register_interface(conn, desc->path, DESC_INTERFACE,
-- 
2.26.2

[Bluez V2 02/13] Fixing memory leakage in appkey.c

[Gopal Tiwari]

From: Gopal Tiwari <gtiwari@redhat.com>

While performing the static analysis using the coverity tool found
following memory leak reports

bluez-5.64/mesh/appkey.c:143: leaked_storage: Variable "key" going 
out of scope leaks the storage it points to.

Error: RESOURCE_LEAK (CWE-772):
bluez-5.64/mesh/appkey.c:146: leaked_storage: Variable "key" going 
out of scope leaks the storage it points to.

Fixing them.

Signed-off-by: Gopal Tiwari <gtiwari@redhat.com>
---
 mesh/appkey.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/mesh/appkey.c b/mesh/appkey.c
index 5088a1812..52fed8c31 100644
--- a/mesh/appkey.c
+++ b/mesh/appkey.c
@@ -139,11 +139,15 @@ bool appkey_key_init(struct mesh_net *net, uint16_t net_idx, uint16_t app_idx,
 	key->net_idx = net_idx;
 	key->app_idx = app_idx;
 
-	if (key_value && !set_key(key, app_idx, key_value, false))
+	if (key_value && !set_key(key, app_idx, key_value, false)) {
+		appkey_key_free(key);
 		return false;
+	}
 
-	if (new_key_value && !set_key(key, app_idx, new_key_value, true))
+	if (new_key_value && !set_key(key, app_idx, new_key_value, true)) {
+		appkey_key_free(key);
 		return false;
+	}
 
 	l_queue_push_tail(app_keys, key);
 
-- 
2.26.2

[Bluez V2 03/13] Fixing memory leak in jlink.c

[Gopal Tiwari]

From: Gopal Tiwari <gtiwari@redhat.com>

While performing static tool analysis using coverity
found following reports for resouse leak

bluez-5.64/monitor/jlink.c:111: leaked_storage: Variable "so"
going out of scope leaks the storage it points to.

bluez-5.64/monitor/jlink.c:113: leaked_storage: Variable "so"
going out of scope leaks the storage it points to.

Fixing them.

Signed-off-by: Gopal Tiwari <gtiwari@redhat.com>
---
 monitor/jlink.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/monitor/jlink.c b/monitor/jlink.c
index 9aaa4ebd8..f1d8ce660 100644
--- a/monitor/jlink.c
+++ b/monitor/jlink.c
@@ -107,9 +107,12 @@ int jlink_init(void)
 			!jlink.tif_select || !jlink.setspeed ||
 			!jlink.connect || !jlink.getsn ||
 			!jlink.emu_getproductname ||
-			!jlink.rtterminal_control || !jlink.rtterminal_read)
+			!jlink.rtterminal_control || !jlink.rtterminal_read) {
+		dlclose(so);
 		return -EIO;
+	}
 
+	dlclose(so);
 	return 0;
 }
 
-- 
2.26.2

[Bluez V2 04/13] Fixing memory leak in sixaxis.c

[Gopal Tiwari]

From: Gopal Tiwari <gtiwari@redhat.com>

While performing static tool analysis using coverity
found following reports for resouse leak

bluez-5.64/plugins/sixaxis.c:425: alloc_arg:
"get_pairing_type_for_device" allocates memory that is 
stored into "sysfs_path".

bluez-5.64/plugins/sixaxis.c:428: leaked_storage: Variable "sysfs_path"
going out of scope leaks the storage it points to.

Fixing them.

Signed-off-by: Gopal Tiwari <gtiwari@redhat.com>
---
 plugins/sixaxis.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/plugins/sixaxis.c b/plugins/sixaxis.c
index ddecbcccb..10cf15948 100644
--- a/plugins/sixaxis.c
+++ b/plugins/sixaxis.c
@@ -424,10 +424,15 @@ static void device_added(struct udev_device *udevice)
 
 	cp = get_pairing_type_for_device(udevice, &bus, &sysfs_path);
 	if (!cp || (cp->type != CABLE_PAIRING_SIXAXIS &&
-				cp->type != CABLE_PAIRING_DS4))
+				cp->type != CABLE_PAIRING_DS4)) {
+		g_free(sysfs_path);
 		return;
-	if (bus != BUS_USB)
+	}
+
+	if (bus != BUS_USB) {
+		g_free(sysfs_path);
 		return;
+	}
 
 	info("sixaxis: compatible device connected: %s (%04X:%04X %s)",
 				cp->name, cp->vid, cp->pid, sysfs_path);
-- 
2.26.2

[Bluez V2 05/13] Fixing leaked_handle in cltest.c

[Gopal Tiwari]

From: Gopal Tiwari <gtiwari@redhat.com>

While performing static tool analysis using coverity found 
following reports for resouse leak

bluez-5.64/tools/cltest.c:75: leaked_handle: Handle variable "fd" 
going out of scope leaks the handle.

Signed-off-by: Gopal Tiwari <gtiwari@redhat.com>
---
 tools/cltest.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/cltest.c b/tools/cltest.c
index 2766fcd23..250c93cc7 100644
--- a/tools/cltest.c
+++ b/tools/cltest.c
@@ -72,6 +72,7 @@ static bool send_message(const bdaddr_t *src, const bdaddr_t *dst,
 		return false;
 	}
 
+	close(fd);
 	return true;
 }
 
-- 
2.26.2

[Bluez V2 06/13] Fixing leaked_handle in create-image.c

[Gopal Tiwari]

From: Gopal Tiwari <gtiwari@redhat.com>

While performing static tool analysis using coverity found following 
reports for resouse leak

bluez-5.64/tools/create-image.c:124: leaked_storage: Variable "map" 
going out of scope leaks the storage it points to.

Signed-off-by: Gopal Tiwari <gtiwari@redhat.com>
---
 tools/create-image.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/tools/create-image.c b/tools/create-image.c
index aba940da7..90cd87315 100644
--- a/tools/create-image.c
+++ b/tools/create-image.c
@@ -97,12 +97,13 @@ static void write_block(FILE *fp, const char *pathname, unsigned int ino,
 
 	map = mmap(NULL, st.st_size, PROT_READ, MAP_SHARED, fd, 0);
 	if (!map || map == MAP_FAILED) {
-		close(fd);
-		fd = -1;
 		map = NULL;
 		st.st_size = 0;
         }
 
+	close(fd);
+	fd = -1;
+
 done:
 	fprintf(fp, HDR_FMT, HDR_MAGIC, ino, mode, 0, 0, 1, 0,
 		(uintmax_t) st.st_size, 0, 0, 0, 0, namelen + 1, 0, name);
@@ -117,9 +118,7 @@ done:
 		pad = 3 - ((st.st_size + 3) % 4);
 		for (i = 0; i < pad; i++)
 			fputc(0, fp);
-
 		munmap(map, st.st_size);
-		close(fd);
 	}
 }
 
-- 
2.26.2

[Bluez V2 07/13] Fixing leaked_handle in l2cap-tester.c

[Gopal Tiwari]

From: Gopal Tiwari <gtiwari@redhat.com>

While performing static tool analysis using coverity found following 
reports for resouse leak

bluez-5.64/tools/l2cap-tester.c:1712: leaked_handle: Handle variable 
"new_sk" going out of scope leaks the handle.

Signed-off-by: Gopal Tiwari <gtiwari@redhat.com>
---
 tools/l2cap-tester.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/l2cap-tester.c b/tools/l2cap-tester.c
index d78b1e29c..3f0464013 100644
--- a/tools/l2cap-tester.c
+++ b/tools/l2cap-tester.c
@@ -1709,6 +1709,7 @@ static gboolean l2cap_listen_cb(GIOChannel *io, GIOCondition cond,
 
 	if (!check_mtu(data, new_sk)) {
 		tester_test_failed();
+		close(new_sk);
 		return FALSE;
 	}
 
-- 
2.26.2

[Bluez V2 08/13] Fixing resource leak in mesh/mesh-db.c

[Gopal Tiwari]

From: Gopal Tiwari <gtiwari@redhat.com>

While performing static tool analysis using coverity found following 
reports for resouse leak

bluez-5.64/tools/mesh/mesh-db.c:2388: leaked_handle: Handle variable 
"fd" going out of scope leaks the handle.

bluez-5.64/tools/mesh/mesh-db.c:2388: leaked_storage: Variable "str" 
going out of scope leaks the storage it points to.

Signed-off-by: Gopal Tiwari <gtiwari@redhat.com>
---
 tools/mesh/mesh-db.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tools/mesh/mesh-db.c b/tools/mesh/mesh-db.c
index fa11837df..896ff722c 100644
--- a/tools/mesh/mesh-db.c
+++ b/tools/mesh/mesh-db.c
@@ -2384,6 +2384,8 @@ bool mesh_db_load(const char *fname)
 
 	sz = read(fd, str, st.st_size);
 	if (sz != st.st_size) {
+		close(fd);
+		l_free(str);
 		l_error("Failed to read configuration file %s", fname);
 		return false;
 	}
-- 
2.26.2

[Bluez V2 09/13] Fixing leaked_handle in obex-client-tool.c

[Gopal Tiwari]

From: Gopal Tiwari <gtiwari@redhat.com>

While performing static tool analysis using coverity found following 
reports for resouse leak

bluez-5.64/tools/obex-client-tool.c:315: leaked_handle: Handle variable 
"sk" going out of scope leaks the handle.

Signed-off-by: Gopal Tiwari <gtiwari@redhat.com>
---
 tools/obex-client-tool.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/obex-client-tool.c b/tools/obex-client-tool.c
index ab9332896..cb0e41247 100644
--- a/tools/obex-client-tool.c
+++ b/tools/obex-client-tool.c
@@ -312,6 +312,7 @@ static GIOChannel *unix_connect(GObexTransportType transport)
 	if (connect(sk, (struct sockaddr *) &addr, sizeof(addr)) < 0) {
 		err = errno;
 		g_printerr("connect: %s (%d)\n", strerror(err), err);
+		close(sk);
 		return NULL;
 	}
 
-- 
2.26.2

[Bluez V2 10/13] Fixing use after free in src/device.c

[Gopal Tiwari]

From: Gopal Tiwari <gtiwari@redhat.com>

Following traces reported by covirty tool

Error: USE_AFTER_FREE (CWE-416):
bluez-5.64/src/device.c:2962: path: Condition 
"!dbus_message_get_args(msg, NULL, 0 /* (int)0 */)", taking false branch.

bluez-5.64/src/device.c:2965: path: 
Condition "device->bonding", taking false branch.

bluez-5.64/src/device.c:2968: path: 
Condition "device->bredr_state.bonded", taking true branch.

bluez-5.64/src/device.c:2969: path: Falling through to end of 
if statement.

bluez-5.64/src/device.c:2977: path: Condition "state->bonded", 
taking false branch.

bluez-5.64/src/device.c:2983: path: Condition "agent", taking 
true branch.

bluez-5.64/src/device.c:2984: path: Falling through to end of 
if statement.

bluez-5.64/src/device.c:2990: path: Condition "agent", taking 
true branch.

bluez-5.64/src/device.c:3005: path: Condition "bdaddr_type != 0", 
taking true branch.

bluez-5.64/src/device.c:3006: path: 

Condition "!state->connected", taking true branch.

bluez-5.64/src/device.c:3006: path: 
Condition "btd_le_connect_before_pairing()", taking true branch.
bluez-5.64/src/device.c:3007: freed_arg: "device_connect_le" frees 
"device->bonding".

bluez-5.64/src/device.c:3007: path: Falling through to end of 
if statement.

bluez-5.64/src/device.c:3012: path: Falling through to end of 
if statement.

bluez-5.64/src/device.c:3017: path: Condition "err < 0", 
taking true branch.

bluez-5.64/src/device.c:3018: double_free: Calling "bonding_request_free" 
frees pointer "device->bonding" which has already been freed.

Signed-off-by: Gopal Tiwari <gtiwari@redhat.com>
---
 src/device.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/device.c b/src/device.c
index 8dc12d026..a0e5d40db 100644
--- a/src/device.c
+++ b/src/device.c
@@ -2942,6 +2942,7 @@ static void bonding_request_free(struct bonding_req *bonding)
 		bonding->device->bonding = NULL;
 
 	g_free(bonding);
+	bonding = NULL;
 }
 
 static DBusMessage *pair_device(DBusConnection *conn, DBusMessage *msg,
-- 
2.26.2

[Bluez V2 11/13] Fixing memory leak in pbap.c

[Gopal Tiwari]

From: Gopal Tiwari <gtiwari@redhat.com>

Reported by coverity tool as follows:

bluez-5.64/obexd/client/pbap.c:929: leaked_storage: Variable "apparam" 
going out of scope leaks the storage it points to.

Signed-off-by: Gopal Tiwari <gtiwari@redhat.com>
---
 obexd/client/pbap.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/obexd/client/pbap.c b/obexd/client/pbap.c
index 1a2bacc9f..1ed8c68ec 100644
--- a/obexd/client/pbap.c
+++ b/obexd/client/pbap.c
@@ -925,10 +925,11 @@ static DBusMessage *pbap_search(DBusConnection *connection,
 		return g_dbus_create_error(message,
 				ERROR_INTERFACE ".InvalidArguments", NULL);
 
-	if (dbus_message_iter_get_arg_type(&args) != DBUS_TYPE_STRING)
+	if (dbus_message_iter_get_arg_type(&args) != DBUS_TYPE_STRING) {
+		g_obex_apparam_free(apparam);
 		return g_dbus_create_error(message,
 				ERROR_INTERFACE ".InvalidArguments", NULL);
-
+	}
 	dbus_message_iter_get_basic(&args, &value);
 	dbus_message_iter_next(&args);
 
-- 
2.26.2

[Bluez V2 12/13] Fixing possible use_after_free in meshctl.c

[Gopal Tiwari]

From: Gopal Tiwari <gtiwari@redhat.com>

Reported by coverity tool as follows :

bluez-5.64/tools/meshctl.c:1968: freed_arg: "g_free" frees "mesh_dir".

bluez-5.64/tools/meshctl.c:2018: double_free: Calling "g_free" frees 
pointer "mesh_dir" which has already been freed.

Signed-off-by: Gopal Tiwari <gtiwari@redhat.com>
---
 tools/meshctl.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/tools/meshctl.c b/tools/meshctl.c
index 18e20c40d..38ffd35f3 100644
--- a/tools/meshctl.c
+++ b/tools/meshctl.c
@@ -2015,7 +2015,6 @@ int main(int argc, char *argv[])
 
 fail:
 	bt_shell_cleanup();
-	g_free(mesh_dir);
 
 	return EXIT_FAILURE;
 }
-- 
2.26.2

[Bluez V2 13/13] Fixing use_after_free in prov-db.c

[Gopal Tiwari]

From: Gopal Tiwari <gtiwari@redhat.com>

Following scenario happens when prov is false and we have double free as
mentioned in the below

bluez-5.64/tools/mesh-gatt/prov-db.c:847: freed_arg: "g_free" frees 
"in_str".

bluez-5.64/tools/mesh-gatt/prov-db.c:867: double_free: Calling "g_free"
frees pointer "in_str" which has already been freed.

Signed-off-by: Gopal Tiwari <gtiwari@redhat.com>
---
 tools/mesh-gatt/prov-db.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tools/mesh-gatt/prov-db.c b/tools/mesh-gatt/prov-db.c
index 2fb08f799..a5b6997e0 100644
--- a/tools/mesh-gatt/prov-db.c
+++ b/tools/mesh-gatt/prov-db.c
@@ -859,7 +859,8 @@ bool prov_db_local_set_iv_index(uint32_t iv_index, bool update, bool prov)
 
 		set_local_iv_index(jmain, iv_index, update);
 		prov_file_write(jmain, false);
-	}
+	} else
+		return true;
 
 	res = true;
 done:
-- 
2.26.2

Re: [Bluez V2 10/13] Fixing use after free in src/device.c

[Luiz Augusto von Dentz]

Hi Gopal,

On Tue, May 31, 2022 at 12:42 AM Gopal Tiwari
<gopalkrishna.tiwari@gmail.com> wrote:
>
> From: Gopal Tiwari <gtiwari@redhat.com>
>
> Following traces reported by covirty tool
>
> Error: USE_AFTER_FREE (CWE-416):
> bluez-5.64/src/device.c:2962: path: Condition
> "!dbus_message_get_args(msg, NULL, 0 /* (int)0 */)", taking false branch.
>
> bluez-5.64/src/device.c:2965: path:
> Condition "device->bonding", taking false branch.
>
> bluez-5.64/src/device.c:2968: path:
> Condition "device->bredr_state.bonded", taking true branch.
>
> bluez-5.64/src/device.c:2969: path: Falling through to end of
> if statement.
>
> bluez-5.64/src/device.c:2977: path: Condition "state->bonded",
> taking false branch.
>
> bluez-5.64/src/device.c:2983: path: Condition "agent", taking
> true branch.
>
> bluez-5.64/src/device.c:2984: path: Falling through to end of
> if statement.
>
> bluez-5.64/src/device.c:2990: path: Condition "agent", taking
> true branch.
>
> bluez-5.64/src/device.c:3005: path: Condition "bdaddr_type != 0",
> taking true branch.
>
> bluez-5.64/src/device.c:3006: path:
>
> Condition "!state->connected", taking true branch.
>
> bluez-5.64/src/device.c:3006: path:
> Condition "btd_le_connect_before_pairing()", taking true branch.
> bluez-5.64/src/device.c:3007: freed_arg: "device_connect_le" frees
> "device->bonding".
>
> bluez-5.64/src/device.c:3007: path: Falling through to end of
> if statement.
>
> bluez-5.64/src/device.c:3012: path: Falling through to end of
> if statement.
>
> bluez-5.64/src/device.c:3017: path: Condition "err < 0",
> taking true branch.
>
> bluez-5.64/src/device.c:3018: double_free: Calling "bonding_request_free"
> frees pointer "device->bonding" which has already been freed.
>
> Signed-off-by: Gopal Tiwari <gtiwari@redhat.com>
> ---
>  src/device.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/src/device.c b/src/device.c
> index 8dc12d026..a0e5d40db 100644
> --- a/src/device.c
> +++ b/src/device.c
> @@ -2942,6 +2942,7 @@ static void bonding_request_free(struct bonding_req *bonding)
>                 bonding->device->bonding = NULL;
>
>         g_free(bonding);
> +       bonding = NULL;

I don't think this fixes anything really, since bonding variable goes
out of scope this won't change anything, in fact this seems to be a
false positive since device->bonding shall be set to NULL in the if
statement just above any other call to bonding_request_free will bail
out when checking !bonding, it would be a problem if and only if the
code was using bonding pointer directly instead of device->bonding
with bonding_request_free.

>  }
>
>  static DBusMessage *pair_device(DBusConnection *conn, DBusMessage *msg,
> --
> 2.26.2
>


-- 
Luiz Augusto von Dentz

Re: [Bluez 00/13] Fixing memory leak, leaked_handle and use_after

[patchwork-bot+bluetooth]

Hello:

This series was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Tue, 31 May 2022 13:11:04 +0530 you wrote:
> From: Gopal Tiwari <gtiwari@redhat.com>
> 
> Following fixes are reported by coverity tool.
> 
> Gopal Tiwari (13):
>   Fixing memory leak issue in gatt.c
>   Fixing memory leakage in appkey.c
>   Fixing memory leak in jlink.c
>   Fixing memory leak in sixaxis.c
>   Fixing leaked_handle in cltest.c
>   Fixing leaked_handle in create-image.c
>   Fixing leaked_handle in l2cap-tester.c
>   Fixing resource leak in mesh/mesh-db.c
>   Fixing leaked_handle in obex-client-tool.c
>   Fixing use after free in src/device.c
>   Fixing memory leak in pbap.c
>   Fixing possible use_after_free in meshctl.c
>   Fixing use_after_free in prov-db.c
> 
> [...]

Here is the summary with links:
  - [Bluez,V2,01/13] Fixing memory leak issue in gatt.c
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=b4233bca1815
  - [Bluez,V2,02/13] Fixing memory leakage in appkey.c
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=5eb96b3ec854
  - [Bluez,V2,03/13] Fixing memory leak in jlink.c
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=6f02010ce004
  - [Bluez,V2,04/13] Fixing memory leak in sixaxis.c
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=fc57aa92a4f3
  - [Bluez,V2,05/13] Fixing leaked_handle in cltest.c
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=f4743109f381
  - [Bluez,V2,06/13] Fixing leaked_handle in create-image.c
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=4ae130455b17
  - [Bluez,V2,07/13] Fixing leaked_handle in l2cap-tester.c
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=4334be027ae1
  - [Bluez,V2,08/13] Fixing resource leak in mesh/mesh-db.c
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=35cbfd966094
  - [Bluez,V2,09/13] Fixing leaked_handle in obex-client-tool.c
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=39b638526d9a
  - [Bluez,V2,10/13] Fixing use after free in src/device.c
    (no matching commit)
  - [Bluez,V2,11/13] Fixing memory leak in pbap.c
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=06d3c7429ad6
  - [Bluez,V2,12/13] Fixing possible use_after_free in meshctl.c
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=56bda20ce9e3
  - [Bluez,V2,13/13] Fixing use_after_free in prov-db.c
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=5cdaeaefc350

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html

[Bluez 00/13] Fixing memory leak, leaked_handle and use_after

[Gopal Tiwari]

From: Gopal Tiwari <gtiwari@redhat.com>

Following fixes are reported by coverity tool.  

Gopal Tiwari (13):
  Fixing memory leak issue in gatt.c
  Fixing memory leakage in appkey.c
  Fixing memroy leak in jlink.c
  Fixing memory leak in sixaxis.c
  Fixing leaked_handle in cltest.c
  Fixing leaked_handle in create-image.c
  Fixing leaked_handle in l2cap-tester.c
  Fixing resource leak in mesh/mesh-db.c
  Fixing leaked_handle in obex-client-tool.c
  Fixing use after free in src/device.c
  Fixing memory leak in pbap.c
  Fixing possible use_after_free in meshctl.c
  Fixing use_after_free in prov-db.c

 client/gatt.c             | 11 ++++++++---
 mesh/appkey.c             |  8 ++++++--
 monitor/jlink.c           |  5 ++++-
 obexd/client/pbap.c       |  5 +++--
 plugins/sixaxis.c         |  9 +++++++--
 src/device.c              |  1 +
 tools/cltest.c            |  1 +
 tools/create-image.c      |  7 +++----
 tools/l2cap-tester.c      |  1 +
 tools/mesh-gatt/prov-db.c |  3 ++-
 tools/mesh/mesh-db.c      |  2 ++
 tools/meshctl.c           |  1 -
 tools/obex-client-tool.c  |  1 +
 13 files changed, 39 insertions(+), 16 deletions(-)

-- 
2.26.2