This is a note to let you know that I've just added the patch titled drivers: net: fix memory leak in peak_usb_create_dev to the 4.19-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: drivers-net-fix-memory-leak-in-peak_usb_create_dev.patch and it can be found in the queue-4.19 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From a0b96b4a62745397aee662670cfc2157bac03f55 Mon Sep 17 00:00:00 2001 From: Pavel Skripkin <paskripkin@xxxxxxxxx> Date: Thu, 1 Apr 2021 16:27:52 +0300 Subject: drivers: net: fix memory leak in peak_usb_create_dev From: Pavel Skripkin <paskripkin@xxxxxxxxx> commit a0b96b4a62745397aee662670cfc2157bac03f55 upstream. syzbot reported memory leak in peak_usb. The problem was in case of failure after calling ->dev_init()[2] in peak_usb_create_dev()[1]. The data allocated int dev_init() wasn't freed, so simple ->dev_free() call fix this problem. backtrace: [<0000000079d6542a>] kmalloc include/linux/slab.h:552 [inline] [<0000000079d6542a>] kzalloc include/linux/slab.h:682 [inline] [<0000000079d6542a>] pcan_usb_fd_init+0x156/0x210 drivers/net/can/usb/peak_usb/pcan_usb_fd.c:868 [2] [<00000000c09f9057>] peak_usb_create_dev drivers/net/can/usb/peak_usb/pcan_usb_core.c:851 [inline] [1] [<00000000c09f9057>] peak_usb_probe+0x389/0x490 drivers/net/can/usb/peak_usb/pcan_usb_core.c:949 Reported-by: syzbot+91adee8d9ebb9193d22d@xxxxxxxxxxxxxxxxxxxxxxxxx Signed-off-by: Pavel Skripkin <paskripkin@xxxxxxxxx> Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/net/can/usb/peak_usb/pcan_usb_core.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) --- a/drivers/net/can/usb/peak_usb/pcan_usb_core.c +++ b/drivers/net/can/usb/peak_usb/pcan_usb_core.c @@ -864,7 +864,7 @@ static int peak_usb_create_dev(const str if (dev->adapter->dev_set_bus) { err = dev->adapter->dev_set_bus(dev, 0); if (err) - goto lbl_unregister_candev; + goto adap_dev_free; } /* get device number early */ @@ -876,6 +876,10 @@ static int peak_usb_create_dev(const str return 0; +adap_dev_free: + if (dev->adapter->dev_free) + dev->adapter->dev_free(dev); + lbl_unregister_candev: unregister_candev(netdev); Patches currently in stable-queue which might be from paskripkin@xxxxxxxxx are queue-4.19/drivers-net-fix-memory-leak-in-atusb_probe.patch queue-4.19/net-mac802154-fix-general-protection-fault.patch queue-4.19/drivers-net-fix-memory-leak-in-peak_usb_create_dev.patch