Re: [PATCH v2] net: caif: fix memory leak in ldisc_receive

[Jiri Slaby <jirislaby@kernel.org>]

On 18. 01. 26, 18:44, Osama Abdelkader wrote:
> Add NULL pointer checks for ser and ser->dev in ldisc_receive() to
> prevent memory leaks when the function is called during device close
> or in race conditions where tty->disc_data or ser->dev may be NULL.
> 
> The memory leak occurred because ser->dev was accessed before checking
> if ser or ser->dev was NULL, which could cause a NULL pointer
> dereference or use of freed memory. Additionally, set tty->disc_data
> to NULL in ldisc_close() to prevent receive_buf() from using a freed
> ser pointer after the line discipline is closed.
> 
> Reported-by: syzbot+f9d847b2b84164fa69f3@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=f9d847b2b84164fa69f3
> Fixes: 9b27105b4a44 ("net-caif-driver: add CAIF serial driver (ldisc)")
> CC: stable@vger.kernel.org
> Signed-off-by: Osama Abdelkader <osama.abdelkader@gmail.com>
> ---
> v2:
> 1.Combine NULL pointer checks for ser and ser->dev in ldisc_receive()
> 2.Set tty->disc_data = NULL in ldisc_close() to prevent receive_buf()
> from using a freed ser pointer after close.
> 3.Add NULL pointer check for ser in ldisc_close()
> ---
>   drivers/net/caif/caif_serial.c | 8 ++++++--
>   1 file changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/caif/caif_serial.c b/drivers/net/caif/caif_serial.c
> index c398ac42eae9..970237a3ccca 100644
> --- a/drivers/net/caif/caif_serial.c
> +++ b/drivers/net/caif/caif_serial.c
> @@ -152,6 +152,8 @@ static void ldisc_receive(struct tty_struct *tty, const u8 *data,
>   	int ret;
>   
>   	ser = tty->disc_data;
> +	if (!ser || !ser->dev)
> +		return;
>   
>   	/*
>   	 * NOTE: flags may contain information about break or overrun.
> @@ -170,8 +172,6 @@ static void ldisc_receive(struct tty_struct *tty, const u8 *data,
>   		return;
>   	}
>   
> -	BUG_ON(ser->dev == NULL);
> -
>   	/* Get a suitable caif packet and copy in data. */
>   	skb = netdev_alloc_skb(ser->dev, count+1);

Wait, the reported error is memory leak of mem allocated here. So both 
ser and ser->dev appear to be valid?

So instead, does netif_rx() return an error few lines below for some 
reason? So should skb just be freed in that path?

         if (skb == NULL)
                 return;
         skb_put_data(skb, data, count);

         skb->protocol = htons(ETH_P_CAIF);
         skb_reset_mac_header(skb);
         debugfs_rx(ser, data, count);
         /* Push received packet up the stack. */
         ret = netif_rx(skb);
         if (!ret) {
                 ser->dev->stats.rx_packets++;
                 ser->dev->stats.rx_bytes += count;
         } else
                 ++ser->dev->stats.rx_dropped;

Not calling skb_free() in this else path _is_ a BUG™ in any case IMO.

thanks,
-- 
js
suse labs