From: Osama Abdelkader <osama.abdelkader@gmail.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Andrew Lunn <andrew+netdev@lunn.ch>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	Simon Horman <horms@kernel.org>,
	"Jiri Slaby (SUSE)" <jirislaby@kernel.org>,
	Sjur Braendeland <sjur.brandeland@stericsson.com>,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
	syzbot+f9d847b2b84164fa69f3@syzkaller.appspotmail.com,
	stable@vger.kernel.org
Subject: Re: [PATCH] net: caif: fix memory leak in ldisc_receive
Date: Sun, 18 Jan 2026 18:35:11 +0100
Message-ID: <aW0Zz9SNbxJRxghp@osama>
In-Reply-To: <2026011805-bamboo-disband-926a@gregkh>

On Sun, Jan 18, 2026 at 04:02:44PM +0100, Greg Kroah-Hartman wrote:
> On Sun, Jan 18, 2026 at 03:47:54PM +0100, Osama Abdelkader wrote:
> > Add NULL pointer checks for ser and ser->dev in ldisc_receive() to
> > prevent memory leaks when the function is called during device close
> > or in race conditions where tty->disc_data or ser->dev may be NULL.
> > 
> > The memory leak occurred because netdev_alloc_skb() would allocate an
> > skb, but if ser or ser->dev was NULL, the function would return early
> > without freeing the allocated skb. Additionally, ser->dev was accessed
> > before checking if it was NULL, which could cause a NULL pointer
> > dereference.
> > 
> > Reported-by: syzbot+f9d847b2b84164fa69f3@syzkaller.appspotmail.com
> > Closes:
> > https://syzkaller.appspot.com/bug?extid=f9d847b2b84164fa69f3
> 
> Please do not wrap this line.

OK.

> 
> > Fixes: 9b27105b4a44 ("net-caif-driver: add CAIF serial driver (ldisc)")
> > CC: stable@vger.kernel.org
> > Signed-off-by: Osama Abdelkader <osama.abdelkader@gmail.com>
> > ---
> >  drivers/net/caif/caif_serial.c | 6 ++++--
> >  1 file changed, 4 insertions(+), 2 deletions(-)
> > 
> > diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c
> > index c398ac42eae9..0ec9670bd35c 100644
> > --- a/drivers/net/caif/caif_serial.c
> > +++ b/drivers/net/caif/caif_serial.c
> > @@ -152,12 +152,16 @@ static void ldisc_receive(struct tty_struct *tty, const u8 *data,
> >  	int ret;
> >  
> >  	ser = tty->disc_data;
> > +	if (!ser)
> > +		return;
> 
> Can this ever be true?

Yes, when the line discipline is changed, tty_set_termios_ldisc() sets tty->disc_data = NULL.

> 
> >  	/*
> >  	 * NOTE: flags may contain information about break or overrun.
> >  	 * This is not yet handled.
> >  	 */
> >  
> > +	if (!ser->dev)
> > +		return;
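Review bot: the early returns in this hunk do not match the leak described in the changelog: both `if (!ser)` and `if (!ser->dev)` return before any allocation in the shown context, so no skb is allocated and then dropped on these paths; either the changelog should describe the change as avoiding a NULL dereference, or the hunk should cover the allocation/free path it claims to fix. Two smaller points: the `ser->dev` check sits a few lines below the `ser` check with only a comment between them and should be folded into one `if (!ser || !ser->dev)`; and a NULL check on `tty->disc_data` alone does not stop the value from changing, or `ser` from being released, right after the check, so the close path and the receive path need a lock or a reference that this hunk does not add.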
> 
> Why is this check here and not just merged together with the one you
> added above?  And how can ->dev be NULL?

I'm going to combine them in v2.
If ser exists, ser->dev should be non-NULL (they're created together), but the check is defensive.

> 
> And where is the locking to prevent this from changing right after you
> check it?
> 

I'm going to address that in v2.

> thanks,
> 
> greg k-h

Thanks,
Osama
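The locking question raised above is the check-then-use hazard: a NULL test on tty->disc_data says nothing about what happens to the object after the test. The userspace model below is an added illustration, not code from this thread or from the kernel's caif_serial.c; every name in it (struct tty_model, struct ser_model, ldisc_close_model, receive_check_then_use, receive_under_lock, the demo functions) is hypothetical, the lock is a flag standing in for a spinlock, and the frame fed in is constructed. It contrasts the patch's shape (check, then use, with the close path able to run in between) with a shape that snapshots, checks and uses the pointer under one lock.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define STALE_USE (-1000)   /* constructed sentinel: code touched a closed object */

/* Hypothetical stand-in for struct ser_device. */
struct ser_model {
	int alive;              /* 1 until the close path has released it */
	size_t received;        /* bytes copied in so far */
	char buf[64];
};

/* Hypothetical stand-in for struct tty_struct. */
struct tty_model {
	struct ser_model *disc_data;    /* mirrors tty->disc_data */
	int lock_held;                  /* stands in for a spinlock */
};

static void tty_lock(struct tty_model *t)   { t->lock_held = 1; }
static void tty_unlock(struct tty_model *t) { t->lock_held = 0; }

/* Close path: detach disc_data and mark the object released. Returns 0 when
 * it ran, -1 when it would have had to wait for the lock (a real close would
 * block there; returning keeps this model single-threaded). */
int ldisc_close_model(struct tty_model *t)
{
	struct ser_model *ser;

	if (t->lock_held)
		return -1;
	tty_lock(t);
	ser = t->disc_data;
	t->disc_data = NULL;
	if (ser)
		ser->alive = 0;
	tty_unlock(t);
	return 0;
}

/* Copy a received frame into the per-device buffer, truncating at the end. */
static int ser_copy_in(struct ser_model *ser, const char *data, size_t n)
{
	size_t room = sizeof(ser->buf) - ser->received;

	if (n > room)
		n = room;
	memcpy(ser->buf + ser->received, data, n);
	ser->received += n;
	return (int)n;
}

/* Hook that injects "the close path ran here" between two steps. */
typedef void (*interleave_fn)(struct tty_model *);

/* Same shape as the patch: check the pointer, then use it, with nothing
 * stopping the close path from running in between. */
int receive_check_then_use(struct tty_model *t, const char *data, size_t n,
			   interleave_fn between)
{
	struct ser_model *ser = t->disc_data;

	if (!ser)
		return -ENODEV;
	if (between)
		between(t);
	if (!ser->alive)
		return STALE_USE;       /* in the kernel this is a use-after-free */
	return ser_copy_in(ser, data, n);
}

/* Lock-protected shape: snapshot, check and use under one lock. */
int receive_under_lock(struct tty_model *t, const char *data, size_t n,
		       interleave_fn between)
{
	struct ser_model *ser;
	int rc;

	tty_lock(t);
	ser = t->disc_data;
	if (!ser) {
		tty_unlock(t);
		return -ENODEV;
	}
	if (between)
		between(t);             /* close sees the lock held and cannot run */
	rc = ser->alive ? ser_copy_in(ser, data, n) : STALE_USE;
	tty_unlock(t);
	return rc;
}

static void close_in_between(struct tty_model *t) { (void)ldisc_close_model(t); }

/* Constructed frame: an STX byte followed by a short payload (6 bytes). */
static const char FRAME[] = "\x02hello";
#define FRAME_LEN (sizeof(FRAME) - 1)

/* Scenario 1: check, close runs, use -> returns STALE_USE. */
int demo_check_then_use(void)
{
	struct ser_model ser = { 1, 0, { 0 } };
	struct tty_model tty = { &ser, 0 };

	return receive_check_then_use(&tty, FRAME, FRAME_LEN, close_in_between);
}

/* Scenario 2: same interleaving under the lock -> whole frame accepted (6). */
int demo_under_lock(void)
{
	struct ser_model ser = { 1, 0, { 0 } };
	struct tty_model tty = { &ser, 0 };

	return receive_under_lock(&tty, FRAME, FRAME_LEN, close_in_between);
}

/* Scenario 3: close completes first -> receive reports -ENODEV. */
int demo_after_close(void)
{
	struct ser_model ser = { 1, 0, { 0 } };
	struct tty_model tty = { &ser, 0 };

	if (ldisc_close_model(&tty) != 0)
		return STALE_USE;
	return receive_under_lock(&tty, FRAME, FRAME_LEN, NULL);
}
```

The point of the model is that the `alive` flag is only an observable stand-in: in the kernel the object released by the close path is freed memory, so scenario 1 is a use-after-free that a NULL check on tty->disc_data cannot prevent, while the locked shape either completes the receive before close runs or reports -ENODEV after it.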

Thread overview: 3+ messages
2026-01-18 14:47 [PATCH] net: caif: fix memory leak in ldisc_receive Osama Abdelkader
2026-01-18 15:02 ` Greg Kroah-Hartman
2026-01-18 17:35   ` Osama Abdelkader [this message]
