When nr_output() fragments a large packet, it calls sock_alloc_send_skb()
in a loop to allocate skbs for each fragment. If this allocation fails,
the function returns without freeing the original skb that was passed in,
causing a memory leak.
Add the missing kfree_skb() call before returning on allocation failure.
Reported-by: syzbot+d7abc36bbbb6d7d40b58@syzkaller.appspotmail.com
Tested-by: syzbot+d7abc36bbbb6d7d40b58@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d7abc36bbbb6d7d40b58
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
net/netrom/nr_out.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/netrom/nr_out.c b/net/netrom/nr_out.c
index 5e531394a724..2b3cbceb0b52 100644
--- a/net/netrom/nr_out.c
+++ b/net/netrom/nr_out.c
@@ -43,8 +42,11 @@ void nr_output(struct sock *sk, struct sk_buff *skb)
frontlen = skb_headroom(skb);
while (skb->len > 0) {
- if ((skbn = sock_alloc_send_skb(sk, frontlen + NR_MAX_PACKET_SIZE, 0, &err)) == NULL)
skbn = sock_alloc_send_skb(sk, frontlen + NR_MAX_PACKET_SIZE, 0, &err);
if (skbn == NULL) {
+ kfree_skb(skb);
return;
+ }
skb_reserve(skbn, frontlen);
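Review bot: the added kfree_skb(skb) closes the leak of the original skb, but because the failure can hit on any iteration of `while (skb->len > 0)` and nr_output() returns void, fragments produced by earlier iterations are not unwound and the caller gets no error indication; either state in the commit message that a partially fragmented packet is the accepted outcome on this path, or discard what the earlier iterations produced before returning. Separately, the hunk header `@@ -43,8 +42,11 @@` has the new-side start one line below the old side, which indicates the diff was generated on top of another local change; rebase on the target tree before resending so the patch applies cleanly.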
--
2.43.0
On 2025/11/29 11:42, Deepanshu Kartikey wrote:
> When nr_output() fragments a large packet, it calls sock_alloc_send_skb()
Hi!
Coincidentally, we both are working on this issue simultaneously.
From the syz test requests:
https://syzkaller.appspot.com/bug?extid=d7abc36bbbb6d7d40b58
I sent the test patch earlier, only a dozen seconds...
------
Best regards
Wang Liang
> in a loop to allocate skbs for each fragment. If this allocation fails,
> the function returns without freeing the original skb that was passed in,
> causing a memory leak.
>
> Add the missing kfree_skb() call before returning on allocation failure.
>
> Reported-by: syzbot+d7abc36bbbb6d7d40b58@syzkaller.appspotmail.com
> Tested-by: syzbot+d7abc36bbbb6d7d40b58@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=d7abc36bbbb6d7d40b58
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
> ---
> net/netrom/nr_out.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/net/netrom/nr_out.c b/net/netrom/nr_out.c
> index 5e531394a724..2b3cbceb0b52 100644
> --- a/net/netrom/nr_out.c
> +++ b/net/netrom/nr_out.c
> @@ -43,8 +42,11 @@ void nr_output(struct sock *sk, struct sk_buff *skb)
> frontlen = skb_headroom(skb);
>
> while (skb->len > 0) {
> - if ((skbn = sock_alloc_send_skb(sk, frontlen + NR_MAX_PACKET_SIZE, 0, &err)) == NULL)
> skbn = sock_alloc_send_skb(sk, frontlen + NR_MAX_PACKET_SIZE, 0, &err);
> if (skbn == NULL) {
> + kfree_skb(skb);
> return;
> + }
>
> skb_reserve(skbn, frontlen);
>
On 11/29/25 5:01 AM, Wang Liang wrote:
> On 2025/11/29 11:42, Deepanshu Kartikey wrote:
>> When nr_output() fragments a large packet, it calls sock_alloc_send_skb()
>
> Hi!
>
> Coincidentally, we both are working on this issue simultaneously.
>
> From the syz test requests:
> https://syzkaller.appspot.com/bug?extid=d7abc36bbbb6d7d40b58
>
> I sent the test patch earlier, only a dozen seconds...

FTR and future similar cases, we don't have the send time information handy. Instead we use the timestamp as available on patchwork.

In this specific case Deepanshu's patch landed first, but does not apply cleanly, so I'll apply Wang's one.

Cheers,

Paolo