|
Takashi Iwai |
f3c6b3 |
From 46a8b29c6306d8bbfd92b614ef65a47c900d8e70 Mon Sep 17 00:00:00 2001
|
|
Takashi Iwai |
f3c6b3 |
From: Pavel Skripkin <paskripkin@gmail.com>
|
|
Takashi Iwai |
f3c6b3 |
Date: Mon, 24 May 2021 23:02:08 +0300
|
|
Takashi Iwai |
f3c6b3 |
Subject: [PATCH] net: usb: fix memory leak in smsc75xx_bind
|
|
Takashi Iwai |
f3c6b3 |
Git-commit: 46a8b29c6306d8bbfd92b614ef65a47c900d8e70
|
|
Takashi Iwai |
f3c6b3 |
Patch-mainline: v5.13-rc4
|
|
Takashi Iwai |
f3c6b3 |
References: git-fixes
|
|
Takashi Iwai |
f3c6b3 |
|
|
Takashi Iwai |
f3c6b3 |
Syzbot reported memory leak in smsc75xx_bind().
|
|
Takashi Iwai |
f3c6b3 |
The problem was is non-freed memory in case of
|
|
Takashi Iwai |
f3c6b3 |
errors after memory allocation.
|
|
Takashi Iwai |
f3c6b3 |
|
|
Takashi Iwai |
f3c6b3 |
Backtrace: [<ffffffff84245b62>] kmalloc include/linux/slab.h:556 [inline] [<ffffffff84245b62>] kzalloc include/linux/slab.h:686 [inline] [<ffffffff84245b62>] smsc75xx_bind+0x7a/0x334 drivers/net/usb/smsc75xx.c:1460 [<ffffffff82b5b2e6>] usbnet_probe+0x3b6/0xc30 drivers/net/usb/usbnet.c:1728
|
|
Takashi Iwai |
f3c6b3 |
|
|
Takashi Iwai |
f3c6b3 |
Fixes: d0cad871703b ("smsc75xx: SMSC LAN75xx USB gigabit ethernet adapter driver")
|
|
Takashi Iwai |
f3c6b3 |
Cc: stable@kernel.vger.org
|
|
Takashi Iwai |
f3c6b3 |
Reported-and-tested-by: syzbot+b558506ba8165425fee2@syzkaller.appspotmail.com
|
|
Takashi Iwai |
f3c6b3 |
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
|
|
Takashi Iwai |
f3c6b3 |
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Takashi Iwai |
f3c6b3 |
Acked-by: Takashi Iwai <tiwai@suse.de>
|
|
Takashi Iwai |
f3c6b3 |
|
|
Takashi Iwai |
f3c6b3 |
---
|
|
Takashi Iwai |
f3c6b3 |
drivers/net/usb/smsc75xx.c | 8 ++++++--
|
|
Takashi Iwai |
f3c6b3 |
1 file changed, 6 insertions(+), 2 deletions(-)
|
|
Takashi Iwai |
f3c6b3 |
|
|
Takashi Iwai |
f3c6b3 |
diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c
|
|
Takashi Iwai |
f3c6b3 |
index f8cdabb9ef5a..b286993da67c 100644
|
|
Takashi Iwai |
f3c6b3 |
--- a/drivers/net/usb/smsc75xx.c
|
|
Takashi Iwai |
f3c6b3 |
+++ b/drivers/net/usb/smsc75xx.c
|
|
Takashi Iwai |
f3c6b3 |
@@ -1483,7 +1483,7 @@ static int smsc75xx_bind(struct usbnet *dev, struct usb_interface *intf)
|
|
Takashi Iwai |
f3c6b3 |
ret = smsc75xx_wait_ready(dev, 0);
|
|
Takashi Iwai |
f3c6b3 |
if (ret < 0) {
|
|
Takashi Iwai |
f3c6b3 |
netdev_warn(dev->net, "device not ready in smsc75xx_bind\n");
|
|
Takashi Iwai |
f3c6b3 |
- return ret;
|
|
Takashi Iwai |
f3c6b3 |
+ goto err;
|
|
Takashi Iwai |
f3c6b3 |
}
|
|
Takashi Iwai |
f3c6b3 |
|
|
Takashi Iwai |
f3c6b3 |
smsc75xx_init_mac_address(dev);
|
|
Takashi Iwai |
f3c6b3 |
@@ -1492,7 +1492,7 @@ static int smsc75xx_bind(struct usbnet *dev, struct usb_interface *intf)
|
|
Takashi Iwai |
f3c6b3 |
ret = smsc75xx_reset(dev);
|
|
Takashi Iwai |
f3c6b3 |
if (ret < 0) {
|
|
Takashi Iwai |
f3c6b3 |
netdev_warn(dev->net, "smsc75xx_reset error %d\n", ret);
|
|
Takashi Iwai |
f3c6b3 |
- return ret;
|
|
Takashi Iwai |
f3c6b3 |
+ goto err;
|
|
Takashi Iwai |
f3c6b3 |
}
|
|
Takashi Iwai |
f3c6b3 |
|
|
Takashi Iwai |
f3c6b3 |
dev->net->netdev_ops = &smsc75xx_netdev_ops;
|
|
Takashi Iwai |
f3c6b3 |
@@ -1502,6 +1502,10 @@ static int smsc75xx_bind(struct usbnet *dev, struct usb_interface *intf)
|
|
Takashi Iwai |
f3c6b3 |
dev->hard_mtu = dev->net->mtu + dev->net->hard_header_len;
|
|
Takashi Iwai |
f3c6b3 |
dev->net->max_mtu = MAX_SINGLE_PACKET_SIZE;
|
|
Takashi Iwai |
f3c6b3 |
return 0;
|
|
Takashi Iwai |
f3c6b3 |
+
|
|
Takashi Iwai |
f3c6b3 |
+err:
|
|
Takashi Iwai |
f3c6b3 |
+ kfree(pdata);
|
|
Takashi Iwai |
f3c6b3 |
+ return ret;
|
|
Takashi Iwai |
f3c6b3 |
}
|
|
Takashi Iwai |
f3c6b3 |
|
|
Takashi Iwai |
f3c6b3 |
static void smsc75xx_unbind(struct usbnet *dev, struct usb_interface *intf)
|
|
Takashi Iwai |
f3c6b3 |
--
|
|
Takashi Iwai |
f3c6b3 |
2.26.2
|
|
Takashi Iwai |
f3c6b3 |
|