From: Wang Liang
Subject: [PATCH net] netrom: Fix memory leak in nr_sendmsg()
Date: Sat, 29 Nov 2025 12:13:15 +0800
Message-ID: <20251129041315.1550766-1-wangliang74@huawei.com>

syzbot reported a memory leak [1].

When function sock_alloc_send_skb() returns NULL in nr_output(), the
original skb is not freed, which was allocated in nr_sendmsg(). Fix this
by freeing it before return.

[1]
BUG: memory leak
unreferenced object 0xffff888129f35500 (size 240):
  comm "syz.0.17", pid 6119, jiffies 4294944652
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 10 52 28 81 88 ff ff  ..........R(....
  backtrace (crc 1456a3e4):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    __alloc_skb+0x203/0x240 net/core/skbuff.c:660
    alloc_skb include/linux/skbuff.h:1383 [inline]
    alloc_skb_with_frags+0x69/0x3f0 net/core/skbuff.c:6671
    sock_alloc_send_pskb+0x379/0x3e0 net/core/sock.c:2965
    sock_alloc_send_skb include/net/sock.h:1859 [inline]
    nr_sendmsg+0x287/0x450 net/netrom/af_netrom.c:1105
    sock_sendmsg_nosec net/socket.c:727 [inline]
    __sock_sendmsg net/socket.c:742 [inline]
    sock_write_iter+0x293/0x2a0 net/socket.c:1195
    new_sync_write fs/read_write.c:593 [inline]
    vfs_write+0x45d/0x710 fs/read_write.c:686
    ksys_write+0x143/0x170 fs/read_write.c:738
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

Reported-by: syzbot+d7abc36bbbb6d7d40b58@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d7abc36bbbb6d7d40b58
Tested-by: syzbot+d7abc36bbbb6d7d40b58@syzkaller.appspotmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Wang Liang
---
 net/netrom/nr_out.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/netrom/nr_out.c b/net/netrom/nr_out.c index 5e531394a724..2b3cbceb0b52 100644 --- a/net/netrom/nr_out.c +++ b/net/netrom/nr_out.c @@ -43,8 +43,10 @@ void nr_output(struct sock *sk, struct sk_buff *skb) frontlen =3D skb_headroom(skb); =20 while (skb->len > 0) { - if ((skbn =3D sock_alloc_send_skb(sk, frontlen + NR_MAX_PACKET_SIZE, 0,= &err)) =3D=3D NULL) + if ((skbn =3D sock_alloc_send_skb(sk, frontlen + NR_MAX_PACKET_SIZE, 0,= &err)) =3D=3D NULL) { + kfree_skb(skb); return; + } =20 skb_reserve(skbn, frontlen); =20 --=20 2.34.1
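
Review bot: In the new failure branch of nr_output(), the error that sock_alloc_send_skb() stores in err is still discarded: the function is void, so after kfree_skb(skb) and the bare return the caller has no way to learn that the data was dropped. The free itself closes the leak shown in the report, but consider returning err from nr_output() so that nr_sendmsg() can propagate it, or say in the commit message that error reporting is deliberately left unchanged. Because the check sits inside the while (skb->len > 0) loop, the failure can also occur after earlier iterations have completed, so the commit message would benefit from a sentence on what happens to the fragments already produced when a later allocation fails. A smaller point: the subject names nr_sendmsg() while the only file touched is net/netrom/nr_out.c; mentioning nr_output() in the subject would make the fix easier to find in the log.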