On Mon, 24 May 2021 02:12:26 -0700
syzbot <syzbot+b558506ba8165425fee2@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 6ebb6814 Merge tag 'perf-urgent-2021-05-23' of
> git://git.k.. git tree: upstream
> console output:
> https://syzkaller.appspot.com/x/log.txt?x=1334afc7d00000 kernel
> config: https://syzkaller.appspot.com/x/.config?x=ae7b129a135ab06b
> dashboard link:
> https://syzkaller.appspot.com/bug?extid=b558506ba8165425fee2 syz
> repro: https://syzkaller.appspot.com/x/repro.syz?x=11ca4a35d00000
>
> IMPORTANT: if you fix the issue, please add the following tag to the
> commit: Reported-by:
> syzbot+b558506ba8165425fee2@xxxxxxxxxxxxxxxxxxxxxxxxx
>
#syz test git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
>From a93ac5c6364b739f96448613d1bc196c11adf61e Mon Sep 17 00:00:00 2001
From: Pavel Skripkin <paskripkin@xxxxxxxxx>
Date: Mon, 24 May 2021 22:36:42 +0300
Subject: [PATCH] net: usb: fix memory leak in smsc75xx_bind
Syzbot reported memory leak in smsc75xx_bind().
The problem was is non-freed memory in case of
errors after memory allocation.
backtrace:
[<ffffffff84245b62>] kmalloc include/linux/slab.h:556 [inline]
[<ffffffff84245b62>] kzalloc include/linux/slab.h:686 [inline]
[<ffffffff84245b62>] smsc75xx_bind+0x7a/0x334 drivers/net/usb/smsc75xx.c:1460
[<ffffffff82b5b2e6>] usbnet_probe+0x3b6/0xc30 drivers/net/usb/usbnet.c:1728
Reported-by: syzbot+b558506ba8165425fee2@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Pavel Skripkin <paskripkin@xxxxxxxxx>
---
drivers/net/usb/smsc75xx.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c
index f8cdabb9ef5a..b286993da67c 100644
--- a/drivers/net/usb/smsc75xx.c
+++ b/drivers/net/usb/smsc75xx.c
@@ -1483,7 +1483,7 @@ static int smsc75xx_bind(struct usbnet *dev, struct usb_interface *intf)
ret = smsc75xx_wait_ready(dev, 0);
if (ret < 0) {
netdev_warn(dev->net, "device not ready in smsc75xx_bind\n");
- return ret;
+ goto err;
}
smsc75xx_init_mac_address(dev);
@@ -1492,7 +1492,7 @@ static int smsc75xx_bind(struct usbnet *dev, struct usb_interface *intf)
ret = smsc75xx_reset(dev);
if (ret < 0) {
netdev_warn(dev->net, "smsc75xx_reset error %d\n", ret);
- return ret;
+ goto err;
}
dev->net->netdev_ops = &smsc75xx_netdev_ops;
@@ -1502,6 +1502,10 @@ static int smsc75xx_bind(struct usbnet *dev, struct usb_interface *intf)
dev->hard_mtu = dev->net->mtu + dev->net->hard_header_len;
dev->net->max_mtu = MAX_SINGLE_PACKET_SIZE;
return 0;
+
+err:
+ kfree(pdata);
+ return ret;
}
static void smsc75xx_unbind(struct usbnet *dev, struct usb_interface *intf)
--
2.31.1
