linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Pavel Skripkin <paskripkin@gmail.com>,
	"David S . Miller" <davem@davemloft.net>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.9 33/71] net: hamradio: fix memory leak in mkiss_close
Date: Mon, 28 Jun 2021 10:39:25 -0400	[thread overview]
Message-ID: <20210628144003.34260-34-sashal@kernel.org> (raw)
In-Reply-To: <20210628144003.34260-1-sashal@kernel.org>

From: Pavel Skripkin <paskripkin@gmail.com>

[ Upstream commit 7edcc682301492380fbdd604b4516af5ae667a13 ]

My local syzbot instance hit memory leak in
mkiss_open()[1]. The problem was in missing
free_netdev() in mkiss_close().

In mkiss_open() netdevice is allocated and then
registered, but in mkiss_close() netdevice was
only unregistered, but not freed.

Fail log:

BUG: memory leak
unreferenced object 0xffff8880281ba000 (size 4096):
  comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s)
  hex dump (first 32 bytes):
    61 78 30 00 00 00 00 00 00 00 00 00 00 00 00 00  ax0.............
    00 27 fa 2a 80 88 ff ff 00 00 00 00 00 00 00 00  .'.*............
  backtrace:
    [<ffffffff81a27201>] kvmalloc_node+0x61/0xf0
    [<ffffffff8706e7e8>] alloc_netdev_mqs+0x98/0xe80
    [<ffffffff84e64192>] mkiss_open+0xb2/0x6f0 [1]
    [<ffffffff842355db>] tty_ldisc_open+0x9b/0x110
    [<ffffffff84236488>] tty_set_ldisc+0x2e8/0x670
    [<ffffffff8421f7f3>] tty_ioctl+0xda3/0x1440
    [<ffffffff81c9f273>] __x64_sys_ioctl+0x193/0x200
    [<ffffffff8911263a>] do_syscall_64+0x3a/0xb0
    [<ffffffff89200068>] entry_SYSCALL_64_after_hwframe+0x44/0xae

BUG: memory leak
unreferenced object 0xffff8880141a9a00 (size 96):
  comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s)
  hex dump (first 32 bytes):
    e8 a2 1b 28 80 88 ff ff e8 a2 1b 28 80 88 ff ff  ...(.......(....
    98 92 9c aa b0 40 02 00 00 00 00 00 00 00 00 00  .....@..........
  backtrace:
    [<ffffffff8709f68b>] __hw_addr_create_ex+0x5b/0x310
    [<ffffffff8709fb38>] __hw_addr_add_ex+0x1f8/0x2b0
    [<ffffffff870a0c7b>] dev_addr_init+0x10b/0x1f0
    [<ffffffff8706e88b>] alloc_netdev_mqs+0x13b/0xe80
    [<ffffffff84e64192>] mkiss_open+0xb2/0x6f0 [1]
    [<ffffffff842355db>] tty_ldisc_open+0x9b/0x110
    [<ffffffff84236488>] tty_set_ldisc+0x2e8/0x670
    [<ffffffff8421f7f3>] tty_ioctl+0xda3/0x1440
    [<ffffffff81c9f273>] __x64_sys_ioctl+0x193/0x200
    [<ffffffff8911263a>] do_syscall_64+0x3a/0xb0
    [<ffffffff89200068>] entry_SYSCALL_64_after_hwframe+0x44/0xae

BUG: memory leak
unreferenced object 0xffff8880219bfc00 (size 512):
  comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s)
  hex dump (first 32 bytes):
    00 a0 1b 28 80 88 ff ff 80 8f b1 8d ff ff ff ff  ...(............
    80 8f b1 8d ff ff ff ff 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff81a27201>] kvmalloc_node+0x61/0xf0
    [<ffffffff8706eec7>] alloc_netdev_mqs+0x777/0xe80
    [<ffffffff84e64192>] mkiss_open+0xb2/0x6f0 [1]
    [<ffffffff842355db>] tty_ldisc_open+0x9b/0x110
    [<ffffffff84236488>] tty_set_ldisc+0x2e8/0x670
    [<ffffffff8421f7f3>] tty_ioctl+0xda3/0x1440
    [<ffffffff81c9f273>] __x64_sys_ioctl+0x193/0x200
    [<ffffffff8911263a>] do_syscall_64+0x3a/0xb0
    [<ffffffff89200068>] entry_SYSCALL_64_after_hwframe+0x44/0xae

BUG: memory leak
unreferenced object 0xffff888029b2b200 (size 256):
  comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff81a27201>] kvmalloc_node+0x61/0xf0
    [<ffffffff8706f062>] alloc_netdev_mqs+0x912/0xe80
    [<ffffffff84e64192>] mkiss_open+0xb2/0x6f0 [1]
    [<ffffffff842355db>] tty_ldisc_open+0x9b/0x110
    [<ffffffff84236488>] tty_set_ldisc+0x2e8/0x670
    [<ffffffff8421f7f3>] tty_ioctl+0xda3/0x1440
    [<ffffffff81c9f273>] __x64_sys_ioctl+0x193/0x200
    [<ffffffff8911263a>] do_syscall_64+0x3a/0xb0
    [<ffffffff89200068>] entry_SYSCALL_64_after_hwframe+0x44/0xae

Fixes: 815f62bf7427 ("[PATCH] SMP rewrite of mkiss")
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/hamradio/mkiss.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/hamradio/mkiss.c b/drivers/net/hamradio/mkiss.c
index 088fe5d34f50..76340bc3cf44 100644
--- a/drivers/net/hamradio/mkiss.c
+++ b/drivers/net/hamradio/mkiss.c
@@ -810,6 +810,7 @@ static void mkiss_close(struct tty_struct *tty)
 	ax->tty = NULL;
 
 	unregister_netdev(ax->dev);
+	free_netdev(ax->dev);
 }
 
 /* Perform I/O control on an active ax25 channel. */
-- 
2.30.2


  parent reply	other threads:[~2021-06-28 15:19 UTC|newest]

Thread overview: 77+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-06-28 14:38 [PATCH 4.9 00/71] 4.9.274-rc1 review Sasha Levin
2021-06-28 14:38 ` [PATCH 4.9 01/71] net: ieee802154: fix null deref in parse dev addr Sasha Levin
2021-06-28 14:38 ` [PATCH 4.9 02/71] HID: hid-sensor-hub: Return error for hid_set_field() failure Sasha Levin
2021-06-28 14:38 ` [PATCH 4.9 03/71] HID: Add BUS_VIRTUAL to hid_connect logging Sasha Levin
2021-06-28 14:38 ` [PATCH 4.9 04/71] HID: usbhid: fix info leak in hid_submit_ctrl Sasha Levin
2021-06-28 14:38 ` [PATCH 4.9 05/71] ARM: OMAP2+: Fix build warning when mmc_omap is not built Sasha Levin
2021-06-28 14:38 ` [PATCH 4.9 06/71] HID: gt683r: add missing MODULE_DEVICE_TABLE Sasha Levin
2021-06-28 14:38 ` [PATCH 4.9 07/71] gfs2: Fix use-after-free in gfs2_glock_shrink_scan Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 08/71] scsi: target: core: Fix warning on realtime kernels Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 09/71] ethernet: myri10ge: Fix missing error code in myri10ge_probe() Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 10/71] net: ipconfig: Don't override command-line hostnames or domains Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 11/71] rtnetlink: Fix missing error code in rtnl_bridge_notify() Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 12/71] net/x25: Return the correct errno code Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 13/71] net: " Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 14/71] fib: " Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 15/71] dmaengine: QCOM_HIDMA_MGMT depends on HAS_IOMEM Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 16/71] dmaengine: stedma40: add missing iounmap() on error in d40_probe() Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 17/71] mm: hwpoison: change PageHWPoison behavior on hugetlb pages Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 18/71] batman-adv: Avoid WARN_ON timing related checks Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 19/71] net: ipv4: fix memory leak in netlbl_cipsov4_add_std Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 20/71] net: rds: fix memory leak in rds_recvmsg Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 21/71] udp: fix race between close() and udp_abort() Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 22/71] rtnetlink: Fix regression in bridge VLAN configuration Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 23/71] netfilter: synproxy: Fix out of bounds when parsing TCP options Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 24/71] alx: Fix an error handling path in 'alx_probe()' Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 25/71] net: stmmac: dwmac1000: Fix extended MAC address registers definition Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 26/71] qlcnic: Fix an error handling path in 'qlcnic_probe()' Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 27/71] netxen_nic: Fix an error handling path in 'netxen_nic_probe()' Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 28/71] net: cdc_ncm: switch to eth%d interface naming Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 29/71] net: usb: fix possible use-after-free in smsc75xx_bind Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 30/71] net: ipv4: fix memory leak in ip_mc_add1_src Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 31/71] net/af_unix: fix a data-race in unix_dgram_sendmsg / unix_release_sock Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 32/71] be2net: Fix an error handling path in 'be_probe()' Sasha Levin
2021-06-28 14:39 ` Sasha Levin [this message]
2021-06-28 14:39 ` [PATCH 4.9 34/71] net: cdc_eem: fix tx fixup skb leak Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 35/71] net: ethernet: fix potential use-after-free in ec_bhf_remove Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 36/71] scsi: core: Put .shost_dev in failure path if host state changes to RUNNING Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 37/71] radeon: use memcpy_to/fromio for UVD fw upload Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 38/71] can: bcm: fix infoleak in struct bcm_msg_head Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 39/71] tracing: Do no increment trace_clock_global() by one Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 40/71] PCI: Mark TI C667X to avoid bus reset Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 41/71] PCI: Mark some NVIDIA GPUs " Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 42/71] ARCv2: save ABI registers across signal handling Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 43/71] dmaengine: pl330: fix wrong usage of spinlock flags in dma_cyclc Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 44/71] net: fec_ptp: add clock rate zero check Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 45/71] can: bcm/raw/isotp: use per module netdevice notifier Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 46/71] usb: dwc3: core: fix kernel panic when do reboot Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 47/71] tracing: Do not stop recording cmdlines when tracing is off Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 48/71] tracing: Do not stop recording comms if the trace file is being read Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 49/71] x86/fpu: Reset state for all signal restore failures Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 50/71] inet: use bigger hash table for IP ID generation Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 51/71] i40e: Be much more verbose about what we can and cannot offload Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 52/71] ARM: 9081/1: fix gcc-10 thumb2-kernel regression Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 53/71] Makefile: Move -Wno-unused-but-set-variable out of GCC only block Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 54/71] arm64: perf: Disable PMU while processing counter overflows Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 55/71] Revert "PCI: PM: Do not read power state in pci_enable_device_flags()" Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 56/71] mac80211: remove warning in ieee80211_get_sband() Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 57/71] cfg80211: call cfg80211_leave_ocb when switching away from OCB Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 58/71] mac80211: drop multicast fragments Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 59/71] ping: Check return value of function 'ping_queue_rcv_skb' Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 60/71] inet: annotate date races around sk->sk_txhash Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 61/71] net: caif: fix memory leak in ldisc_open Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 62/71] net/packet: annotate accesses to po->bind Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 63/71] net/packet: annotate accesses to po->ifindex Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 64/71] r8152: Avoid memcpy() over-reading of ETH_SS_STATS Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 65/71] sh_eth: " Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 66/71] r8169: " Sasha Levin
2021-06-28 14:39 ` [PATCH 4.9 67/71] net: qed: Fix memcpy() overflow of qed_dcbx_params() Sasha Levin
2021-06-28 14:40 ` [PATCH 4.9 68/71] net: ll_temac: Avoid ndo_start_xmit returning NETDEV_TX_BUSY Sasha Levin
2021-06-28 14:40 ` [PATCH 4.9 69/71] nilfs2: fix memory leak in nilfs_sysfs_delete_device_group Sasha Levin
2021-06-28 14:40 ` [PATCH 4.9 70/71] i2c: robotfuzz-osif: fix control-request directions Sasha Levin
2021-06-28 14:40 ` [PATCH 4.9 71/71] Linux 4.9.274-rc1 Sasha Levin
2021-06-29 12:50 ` [PATCH 4.9 00/71] 4.9.274-rc1 review Naresh Kamboju
2021-06-29 14:11 ` Guenter Roeck
2021-06-29 22:07   ` Sasha Levin
2021-06-29 18:18 ` Guenter Roeck
2021-06-29 23:43 ` Guenter Roeck

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210628144003.34260-34-sashal@kernel.org \
    --to=sashal@kernel.org \
    --cc=davem@davemloft.net \
    --cc=linux-kernel@vger.kernel.org \
    --cc=paskripkin@gmail.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).