Forwarded: [PATCH] netrom: fix memory leak in nr_add_node()

[syzbot <syzbot+3f2d46b6e62b8dd546d3@syzkaller.appspotmail.com>]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] netrom: fix memory leak in nr_add_node()
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


When nr_add_node() creates a new neighbor but the route quality is too
low to be added (node already has 3 routes with better quality), the
newly allocated neighbor is never used but remains in the neighbor list
with refcount=1, causing a memory leak.

Also fix the same leak in the error path when nr_node allocation fails
after creating a new neighbor.

Fix by tracking whether a new neighbor was allocated and removing it
from the list if it was not used (count == 0) or on allocation failure.

Add debug printk to trace the issue.

Reported-by: syzbot+3f2d46b6e62b8dd546d3@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=3f2d46b6e62b8dd546d3
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 net/netrom/nr_route.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/net/netrom/nr_route.c b/net/netrom/nr_route.c
index b94cb2ffbaf8..b5f6b41e34e5 100644
--- a/net/netrom/nr_route.c
+++ b/net/netrom/nr_route.c
@@ -100,9 +100,12 @@ static int __must_check nr_add_node(ax25_address *nr, const char *mnemonic,
 {
 	struct nr_node  *nr_node;
 	struct nr_neigh *nr_neigh;
+	bool new_neigh = false;
 	int i, found;
 	struct net_device *odev;
 
+	printk(KERN_ERR "nr_add_node: PATCHED VERSION called\n");
+
 	if ((odev=nr_dev_get(nr)) != NULL) {	/* Can't add routes to ourself */
 		dev_put(odev);
 		return -EINVAL;
@@ -172,6 +175,7 @@ static int __must_check nr_add_node(ax25_address *nr, const char *mnemonic,
 			}
 		}
 
+		new_neigh = true;
 		spin_lock_bh(&nr_neigh_list_lock);
 		hlist_add_head(&nr_neigh->neigh_node, &nr_neigh_list);
 		nr_neigh_hold(nr_neigh);
@@ -183,8 +187,11 @@ static int __must_check nr_add_node(ax25_address *nr, const char *mnemonic,
 
 	if (nr_node == NULL) {
 		if ((nr_node = kmalloc(sizeof(*nr_node), GFP_ATOMIC)) == NULL) {
-			if (nr_neigh)
+			if (nr_neigh) {
+				if (new_neigh)
+					nr_remove_neigh(nr_neigh);
 				nr_neigh_put(nr_neigh);
+			}
 			return -ENOMEM;
 		}
 
@@ -279,6 +286,13 @@ static int __must_check nr_add_node(ax25_address *nr, const char *mnemonic,
 		}
 	}
 
+	if (new_neigh && nr_neigh->count == 0) {
+		printk(KERN_ERR "nr_add_node: cleaning up unused neighbor\n");
+		nr_remove_neigh(nr_neigh);
+	} else if (new_neigh) {
+		printk(KERN_ERR "nr_add_node: new_neigh used, count=%d\n", nr_neigh->count);
+	}
+
 	nr_neigh_put(nr_neigh);
 	nr_node_unlock(nr_node);
 	nr_node_put(nr_node);
-- 
2.43.0