From: Minu Jin
To: gregkh@linuxfoundation.org, jirislaby@kernel.org
Cc: daniel.starke@siemens.com, linux-kernel@vger.kernel.org, linux-serial@vger.kernel.org, Minu Jin, syzbot+b5d1f455d385b2c7da3c@syzkaller.appspotmail.com
Subject: [PATCH] tty: n_gsm: fix memory leak in gsm_activate_mux
Date: Thu, 23 Apr 2026 03:33:21 +0900
Message-ID: <20260422183321.596414-1-s9430939@naver.com>
X-Mailer: git-send-email 2.43.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

syzbot reported a memory leak in gsm_activate_mux().

The root cause is a missing cleanup path when gsm_register_devices() fails. In this case, the previously allocated DLCI 0 and its associated kfifo remain allocated, leading to a memory leak.

And gsm_dlci_alloc() does not check for already allocated DLCIs. Repeated calls to gsm_activate_mux() would overwrite the existing pointer in gsm->dlci[addr], causing the original memory to be lost.

Fix this by:
1. Adding gsm_dlci_free() in the error path of gsm_activate_mux().
2. Adding a check in gsm_dlci_alloc() to return the existing DLCI if it is already allocated.

Reported-by: syzbot+b5d1f455d385b2c7da3c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=b5d1f455d385b2c7da3c
Tested-by: syzbot+b5d1f455d385b2c7da3c@syzkaller.appspotmail.com
Fixes: 01aecd917114 ("tty: n_gsm: fix tty registration before control channel open")
Signed-off-by: Minu Jin
--- drivers/tty/n_gsm.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c index c13e050de83b..de3d30eac86e 100644 --- a/drivers/tty/n_gsm.c +++ b/drivers/tty/n_gsm.c 
@@ -2645,7 +2645,12 @@ static int gsm_dlci_config(struct gsm_dlci *dlci, st= ruct gsm_dlci_config *dc, in =20 static struct gsm_dlci *gsm_dlci_alloc(struct gsm_mux *gsm, int addr) { - struct gsm_dlci *dlci =3D kzalloc_obj(struct gsm_dlci, GFP_ATOMIC); + struct gsm_dlci *dlci; + + if (gsm->dlci[addr]) + return gsm->dlci[addr]; + + dlci =3D kzalloc_obj(struct gsm_dlci, GFP_ATOMIC); if (dlci =3D=3D NULL) return NULL; spin_lock_init(&dlci->lock); @@ -3196,8 +3201,10 @@ static int gsm_activate_mux(struct gsm_mux *gsm) gsm->receive =3D gsm1_receive; =20 ret =3D gsm_register_devices(gsm_tty_driver, gsm->num); - if (ret) + if (ret) { + gsm_dlci_free(&dlci->port); return ret; + } =20 gsm->has_devices =3D true; gsm->dead =3D false; /* Tty opens are now permissible */ --=20 2.43.0
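
Review bot: In the gsm_dlci_alloc() hunk, the new early "return gsm->dlci[addr];" makes a function named alloc behave as get-or-create, and the caller cannot tell a fresh DLCI from a reused one. A caller that assumes it owns the result and frees it on its own error path, as the gsm_activate_mux() hunk now does with gsm_dlci_free(&dlci->port), could tear down a DLCI that existed before the call. The hunk also shows no lock held around the read of gsm->dlci[addr] and no check of the state the existing DLCI is in. Please document the new semantics in a comment above the function and say which lock the caller must hold, or keep gsm_dlci_alloc() a pure allocator and have gsm_activate_mux() test gsm->dlci[0] itself before calling it.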
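
Review bot: In the gsm_activate_mux() hunk, the new error branch calls gsm_dlci_free(&dlci->port) directly, and two things need confirming before this is safe. First, the other hunk now returns whatever pointer sits in gsm->dlci[addr], so the slot for this DLCI must be NULL after the free; if gsm_dlci_free() does not clear it, the next gsm_activate_mux() call gets a dangling pointer back. Second, the argument is the embedded port, so if that port is reference counted, the error path should drop its reference rather than invoke the free routine, otherwise another holder can be left with freed memory. A one-line comment in the branch stating that DLCI 0 is released because gsm_register_devices() failed would also help, as would a note on whether "gsm->receive = gsm1_receive;" set just above is meant to stay in place after the failure.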