| From foo@baz Mon 18 Nov 2019 09:16:01 AM CET |
| From: Jouni Hogander <jouni.hogander@unikie.com> |
| Date: Wed, 13 Nov 2019 13:45:02 +0200 |
| Subject: slip: Fix memory leak in slip_open error path |
| |
| From: Jouni Hogander <jouni.hogander@unikie.com> |
| |
| [ Upstream commit 3b5a39979dafea9d0cd69c7ae06088f7a84cdafa ] |
| |
| Driver/net/can/slcan.c is derived from slip.c. Memory leak was detected |
| by Syzkaller in slcan. Same issue exists in slip.c and this patch is |
| addressing the leak in slip.c. |
| |
| Here is the slcan memory leak trace reported by Syzkaller: |
| |
| BUG: memory leak unreferenced object 0xffff888067f65500 (size 4096): |
| comm "syz-executor043", pid 454, jiffies 4294759719 (age 11.930s) |
| hex dump (first 32 bytes): |
| 73 6c 63 61 6e 30 00 00 00 00 00 00 00 00 00 00 slcan0.......... |
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ |
| backtrace: |
| [<00000000a06eec0d>] __kmalloc+0x18b/0x2c0 |
| [<0000000083306e66>] kvmalloc_node+0x3a/0xc0 |
| [<000000006ac27f87>] alloc_netdev_mqs+0x17a/0x1080 |
| [<0000000061a996c9>] slcan_open+0x3ae/0x9a0 |
| [<000000001226f0f9>] tty_ldisc_open.isra.1+0x76/0xc0 |
| [<0000000019289631>] tty_set_ldisc+0x28c/0x5f0 |
| [<000000004de5a617>] tty_ioctl+0x48d/0x1590 |
| [<00000000daef496f>] do_vfs_ioctl+0x1c7/0x1510 |
| [<0000000059068dbc>] ksys_ioctl+0x99/0xb0 |
| [<000000009a6eb334>] __x64_sys_ioctl+0x78/0xb0 |
| [<0000000053d0332e>] do_syscall_64+0x16f/0x580 |
| [<0000000021b83b99>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 |
| [<000000008ea75434>] 0xfffffffffffffff |
| |
| Cc: "David S. Miller" <davem@davemloft.net> |
| Cc: Oliver Hartkopp <socketcan@hartkopp.net> |
| Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com> |
| Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| drivers/net/slip/slip.c | 1 + |
| 1 file changed, 1 insertion(+) |
| |
| --- a/drivers/net/slip/slip.c |
| +++ b/drivers/net/slip/slip.c |
| @@ -855,6 +855,7 @@ err_free_chan: |
| sl->tty = NULL; |
| tty->disc_data = NULL; |
| clear_bit(SLF_INUSE, &sl->flags); |
| + free_netdev(sl->dev); |
| |
| err_exit: |
| rtnl_unlock(); |