CVE-2021-47237

In the Linux kernel, the following vulnerability has been resolved:

net: hamradio: fix memory leak in mkiss_close

My local syzbot instance hit memory leak in mkissopen()[1]. The problem was in missing freenetdev() in mkiss_close().

In mkissopen() netdevice is allocated and then registered, but in mkissclose() netdevice was only unregistered, but not freed.

Fail log:

BUG: memory leak unreferenced object 0xffff8880281ba000 (size 4096): comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s) hex dump (first 32 bytes): 61 78 30 00 00 00 00 00 00 00 00 00 00 00 00 00 ax0............. 00 27 fa 2a 80 88 ff ff 00 00 00 00 00 00 00 00 .'.*............ backtrace: [<ffffffff81a27201>] kvmallocnode+0x61/0xf0 [<ffffffff8706e7e8>] allocnetdevmqs+0x98/0xe80 [<ffffffff84e64192>] mkissopen+0xb2/0x6f0 [1] [<ffffffff842355db>] ttyldiscopen+0x9b/0x110 [<ffffffff84236488>] ttysetldisc+0x2e8/0x670 [<ffffffff8421f7f3>] ttyioctl+0xda3/0x1440 [<ffffffff81c9f273>] _x64sysioctl+0x193/0x200 [<ffffffff8911263a>] dosyscall64+0x3a/0xb0 [<ffffffff89200068>] entrySYSCALL64afterhwframe+0x44/0xae

BUG: memory leak unreferenced object 0xffff8880141a9a00 (size 96): comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s) hex dump (first 32 bytes): e8 a2 1b 28 80 88 ff ff e8 a2 1b 28 80 88 ff ff ...(.......(.... 98 92 9c aa b0 40 02 00 00 00 00 00 00 00 00 00 .....@.......... backtrace: [<ffffffff8709f68b>] _hwaddrcreateex+0x5b/0x310 [<ffffffff8709fb38>] _hwaddraddex+0x1f8/0x2b0 [<ffffffff870a0c7b>] devaddrinit+0x10b/0x1f0 [<ffffffff8706e88b>] allocnetdevmqs+0x13b/0xe80 [<ffffffff84e64192>] mkissopen+0xb2/0x6f0 [1] [<ffffffff842355db>] ttyldiscopen+0x9b/0x110 [<ffffffff84236488>] ttysetldisc+0x2e8/0x670 [<ffffffff8421f7f3>] ttyioctl+0xda3/0x1440 [<ffffffff81c9f273>] _x64sysioctl+0x193/0x200 [<ffffffff8911263a>] dosyscall64+0x3a/0xb0 [<ffffffff89200068>] entrySYSCALL64after_hwframe+0x44/0xae

BUG: memory leak unreferenced object 0xffff8880219bfc00 (size 512): comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s) hex dump (first 32 bytes): 00 a0 1b 28 80 88 ff ff 80 8f b1 8d ff ff ff ff ...(............ 80 8f b1 8d ff ff ff ff 00 00 00 00 00 00 00 00 ................ backtrace: [<ffffffff81a27201>] kvmallocnode+0x61/0xf0 [<ffffffff8706eec7>] allocnetdevmqs+0x777/0xe80 [<ffffffff84e64192>] mkissopen+0xb2/0x6f0 [1] [<ffffffff842355db>] ttyldiscopen+0x9b/0x110 [<ffffffff84236488>] ttysetldisc+0x2e8/0x670 [<ffffffff8421f7f3>] ttyioctl+0xda3/0x1440 [<ffffffff81c9f273>] _x64sysioctl+0x193/0x200 [<ffffffff8911263a>] dosyscall64+0x3a/0xb0 [<ffffffff89200068>] entrySYSCALL64afterhwframe+0x44/0xae

BUG: memory leak unreferenced object 0xffff888029b2b200 (size 256): comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<ffffffff81a27201>] kvmallocnode+0x61/0xf0 [<ffffffff8706f062>] allocnetdevmqs+0x912/0xe80 [<ffffffff84e64192>] mkissopen+0xb2/0x6f0 [1] [<ffffffff842355db>] ttyldiscopen+0x9b/0x110 [<ffffffff84236488>] ttysetldisc+0x2e8/0x670 [<ffffffff8421f7f3>] ttyioctl+0xda3/0x1440 [<ffffffff81c9f273>] _x64sysioctl+0x193/0x200 [<ffffffff8911263a>] dosyscall64+0x3a/0xb0 [<ffffffff89200068>] entrySYSCALL64afterhwframe+0x44/0xae