From: Cong Wang Date: Thu, 27 Jun 2019 21:30:58 +0000 (-0700) Subject: netrom: fix a memory leak in nr_rx_frame() X-Git-Tag: v5.3-rc1~96^2~14^2~38 X-Git-Url: https://git.kernel.dk/?a=commitdiff_plain;h=c8c8218ec5af5d2598381883acbefbf604e56b5e;p=linux-2.6-block.git netrom: fix a memory leak in nr_rx_frame() When the skb is associated with a new sock, just assigning it to skb->sk is not sufficient, we have to set its destructor to free the sock properly too. Reported-by: syzbot+d6636a36d3c34bd88938@syzkaller.appspotmail.com Signed-off-by: Cong Wang Signed-off-by: David S. Miller --- diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c index 86b87925ef34..96740d389377 100644 --- a/net/netrom/af_netrom.c +++ b/net/netrom/af_netrom.c @@ -869,7 +869,7 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev) unsigned short frametype, flags, window, timeout; int ret; - skb->sk = NULL; /* Initially we don't know who it's for */ + skb_orphan(skb); /* * skb->data points to the netrom frame start @@ -968,6 +968,7 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev) window = skb->data[20]; skb->sk = make; + skb->destructor = sock_efree; make->sk_state = TCP_ESTABLISHED; /* Fill in his circuit details */