Message ID | 20221118082419.239475-1-liushixin2@huawei.com (mailing list archive) |
---|---|
State | Accepted |
Commit | 53270fb0fd77fe786d8c07a0793981d797836b93 |
Delegated to: | Netdev Maintainers |
Headers | show |
Series | NFC: nci: fix memory leak in nci_rx_data_packet() | expand |
Hello: This patch was applied to netdev/net.git (master) by Paolo Abeni <pabeni@redhat.com>: On Fri, 18 Nov 2022 16:24:19 +0800 you wrote: > Syzbot reported a memory leak about skb: > > unreferenced object 0xffff88810e144e00 (size 240): > comm "syz-executor284", pid 3701, jiffies 4294952403 (age 12.620s) > hex dump (first 32 bytes): > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ > backtrace: > [<ffffffff83ab79a9>] __alloc_skb+0x1f9/0x270 net/core/skbuff.c:497 > [<ffffffff82a5cf64>] alloc_skb include/linux/skbuff.h:1267 [inline] > [<ffffffff82a5cf64>] virtual_ncidev_write+0x24/0xe0 drivers/nfc/virtual_ncidev.c:116 > [<ffffffff815f6503>] do_loop_readv_writev fs/read_write.c:759 [inline] > [<ffffffff815f6503>] do_loop_readv_writev fs/read_write.c:743 [inline] > [<ffffffff815f6503>] do_iter_write+0x253/0x300 fs/read_write.c:863 > [<ffffffff815f66ed>] vfs_writev+0xdd/0x240 fs/read_write.c:934 > [<ffffffff815f68f6>] do_writev+0xa6/0x1c0 fs/read_write.c:977 > [<ffffffff848802d5>] do_syscall_x64 arch/x86/entry/common.c:50 [inline] > [<ffffffff848802d5>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 > [<ffffffff84a00087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd > > [...] Here is the summary with links: - NFC: nci: fix memory leak in nci_rx_data_packet() https://git.kernel.org/netdev/net/c/53270fb0fd77 You are awesome, thank you!
diff --git a/net/nfc/nci/data.c b/net/nfc/nci/data.c index aa5e712adf07..3d36ea5701f0 100644 --- a/net/nfc/nci/data.c +++ b/net/nfc/nci/data.c @@ -279,8 +279,10 @@ void nci_rx_data_packet(struct nci_dev *ndev, struct sk_buff *skb) nci_plen(skb->data)); conn_info = nci_get_conn_info_by_conn_id(ndev, nci_conn_id(skb->data)); - if (!conn_info) + if (!conn_info) { + kfree_skb(skb); return; + } /* strip the nci data header */ skb_pull(skb, NCI_DATA_HDR_SIZE);
Syzbot reported a memory leak about skb: unreferenced object 0xffff88810e144e00 (size 240): comm "syz-executor284", pid 3701, jiffies 4294952403 (age 12.620s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<ffffffff83ab79a9>] __alloc_skb+0x1f9/0x270 net/core/skbuff.c:497 [<ffffffff82a5cf64>] alloc_skb include/linux/skbuff.h:1267 [inline] [<ffffffff82a5cf64>] virtual_ncidev_write+0x24/0xe0 drivers/nfc/virtual_ncidev.c:116 [<ffffffff815f6503>] do_loop_readv_writev fs/read_write.c:759 [inline] [<ffffffff815f6503>] do_loop_readv_writev fs/read_write.c:743 [inline] [<ffffffff815f6503>] do_iter_write+0x253/0x300 fs/read_write.c:863 [<ffffffff815f66ed>] vfs_writev+0xdd/0x240 fs/read_write.c:934 [<ffffffff815f68f6>] do_writev+0xa6/0x1c0 fs/read_write.c:977 [<ffffffff848802d5>] do_syscall_x64 arch/x86/entry/common.c:50 [inline] [<ffffffff848802d5>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 [<ffffffff84a00087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd In nci_rx_data_packet(), if we don't get a valid conn_info, we will return directly but forget to release the skb. Reported-by: syzbot+cdb9a427d1bc08815104@syzkaller.appspotmail.com Fixes: 4aeee6871e8c ("NFC: nci: Add dynamic logical connections support") Signed-off-by: Liu Shixin <liushixin2@huawei.com> --- net/nfc/nci/data.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)