Re: [PATCH] net: netrom: fix memory leak in nr_output()
From: Wang Liang <hidden>
Date: 2025-11-29 04:01:24
Also in: linux-hams, lkml
On 2025/11/29 11:42, Deepanshu Kartikey wrote:
When nr_output() fragments a large packet, it calls sock_alloc_send_skb()
Hi! Coincidentally, we are both working on this issue simultaneously. From the syz test requests:
https://syzkaller.appspot.com/bug?extid=d7abc36bbbb6d7d40b58
I sent the test patch earlier, only a dozen seconds...

------
Best regards
Wang Liang
in a loop to allocate skbs for each fragment. If this allocation fails, the function returns without freeing the original skb that was passed in, causing a memory leak. Add the missing kfree_skb() call before returning on allocation failure. Reported-by: syzbot+d7abc36bbbb6d7d40b58@syzkaller.appspotmail.com Tested-by: syzbot+d7abc36bbbb6d7d40b58@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=d7abc36bbbb6d7d40b58 Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Deepanshu Kartikey <redacted> --- net/netrom/nr_out.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)diff --git a/net/netrom/nr_out.c b/net/netrom/nr_out.c index 5e531394a724..2b3cbceb0b52 100644 --- a/net/netrom/nr_out.c +++ b/net/netrom/nr_out.c@@ -43,8 +42,11 @@ void nr_output(struct sock *sk, struct sk_buff *skb) frontlen = skb_headroom(skb); while (skb->len > 0) { - if ((skbn = sock_alloc_send_skb(sk, frontlen + NR_MAX_PACKET_SIZE, 0, &err)) == NULL)skbn = sock_alloc_send_skb(sk, frontlen + NR_MAX_PACKET_SIZE, 0, &err); if (skbn == NULL) { + kfree_skb(skb); return; + } skb_reserve(skbn, frontlen);
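Review bot: the hunk header "@@ -43,8 +42,11 @@" does not agree with the diffstat. The header counts (8 lines before, 11 after) imply a net gain of three lines, while "3 insertions(+), 1 deletion(-)" implies a net gain of two, and the new-file start (42) is lower than the old-file start (43) even though this is the only hunk for net/netrom/nr_out.c. That suggests the patch was edited by hand after generation, so please regenerate it with git format-patch so it applies cleanly. On the change itself, in the failure branch inside "while (skb->len > 0)" the value written to err is still discarded because nr_output() returns void, so callers cannot tell that the packet was dropped. A one-line comment at the new kfree_skb(skb) stating that the original skb is consumed on this path would make the ownership rule explicit for callers.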