From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Hulk Robot <hulkci@huawei.com>,
Wei Yongjun <weiyongjun1@huawei.com>,
Andrew Morton <akpm@linux-foundation.org>,
Chris Wilson <chris@chris-wilson.co.uk>,
Al Viro <viro@zeniv.linux.org.uk>,
Michael Ellerman <mpe@ellerman.id.au>,
David Rientjes <rientjes@google.com>,
Michel Lespinasse <walken@google.com>,
Daniel Axtens <dja@axtens.net>,
Thomas Gleixner <tglx@linutronix.de>,
Akash Goel <akash.goel@intel.com>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH 4.9 12/39] kernel/relay.c: fix memleak on destroy relay channel
Date: Mon, 24 Aug 2020 10:31:11 +0200 [thread overview]
Message-ID: <20200824082349.099514201@linuxfoundation.org> (raw)
In-Reply-To: <20200824082348.445866152@linuxfoundation.org>
From: Wei Yongjun <weiyongjun1@huawei.com>
commit 71e843295c680898959b22dc877ae3839cc22470 upstream.
kmemleak report memory leak as follows:
unreferenced object 0x607ee4e5f948 (size 8):
comm "syz-executor.1", pid 2098, jiffies 4295031601 (age 288.468s)
hex dump (first 8 bytes):
00 00 00 00 00 00 00 00 ........
backtrace:
relay_open kernel/relay.c:583 [inline]
relay_open+0xb6/0x970 kernel/relay.c:563
do_blk_trace_setup+0x4a8/0xb20 kernel/trace/blktrace.c:557
__blk_trace_setup+0xb6/0x150 kernel/trace/blktrace.c:597
blk_trace_ioctl+0x146/0x280 kernel/trace/blktrace.c:738
blkdev_ioctl+0xb2/0x6a0 block/ioctl.c:613
block_ioctl+0xe5/0x120 fs/block_dev.c:1871
vfs_ioctl fs/ioctl.c:48 [inline]
__do_sys_ioctl fs/ioctl.c:753 [inline]
__se_sys_ioctl fs/ioctl.c:739 [inline]
__x64_sys_ioctl+0x170/0x1ce fs/ioctl.c:739
do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
'chan->buf' is malloced in relay_open() by alloc_percpu() but not free
while destroy the relay channel. Fix it by adding free_percpu() before
return from relay_destroy_channel().
Fixes: 017c59c042d0 ("relay: Use per CPU constructs for the relay channel buffer pointers")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: David Rientjes <rientjes@google.com>
Cc: Michel Lespinasse <walken@google.com>
Cc: Daniel Axtens <dja@axtens.net>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Akash Goel <akash.goel@intel.com>
Cc: <stable@vger.kernel.org>
Link: http://lkml.kernel.org/r/20200817122826.48518-1-weiyongjun1@huawei.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/relay.c | 1 +
1 file changed, 1 insertion(+)
--- a/kernel/relay.c
+++ b/kernel/relay.c
@@ -196,6 +196,7 @@ free_buf:
static void relay_destroy_channel(struct kref *kref)
{
struct rchan *chan = container_of(kref, struct rchan, kref);
+ free_percpu(chan->buf);
kfree(chan);
}
next prev parent reply other threads:[~2020-08-24 8:52 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-24 8:30 [PATCH 4.9 00/39] 4.9.234-rc1 review Greg Kroah-Hartman
2020-08-24 8:31 ` [PATCH 4.9 01/39] x86/asm: Remove unnecessary \n\t in front of CC_SET() from asm templates Greg Kroah-Hartman
2020-08-24 8:31 ` [PATCH 4.9 02/39] x86/asm: Add instruction suffixes to bitops Greg Kroah-Hartman
2020-08-24 8:31 ` [PATCH 4.9 03/39] drm/imx: imx-ldb: Disable both channels for split mode in enc->disable() Greg Kroah-Hartman
2020-08-24 8:31 ` [PATCH 4.9 04/39] perf probe: Fix memory leakage when the probe point is not found Greg Kroah-Hartman
2020-08-24 8:31 ` [PATCH 4.9 05/39] tracing: Clean up the hwlat binding code Greg Kroah-Hartman
2020-08-24 8:31 ` [PATCH 4.9 06/39] tracing/hwlat: Honor the tracing_cpumask Greg Kroah-Hartman
2020-08-24 8:31 ` [PATCH 4.9 07/39] khugepaged: khugepaged_test_exit() check mmget_still_valid() Greg Kroah-Hartman
2020-08-24 8:31 ` [PATCH 4.9 08/39] khugepaged: adjust VM_BUG_ON_MM() in __khugepaged_enter() Greg Kroah-Hartman
2020-08-24 8:31 ` [PATCH 4.9 09/39] btrfs: export helpers for subvolume name/id resolution Greg Kroah-Hartman
2020-08-24 8:31 ` [PATCH 4.9 10/39] btrfs: dont show full path of bind mounts in subvol= Greg Kroah-Hartman
2020-08-24 8:31 ` [PATCH 4.9 11/39] romfs: fix uninitialized memory leak in romfs_dev_read() Greg Kroah-Hartman
2020-08-24 8:31 ` Greg Kroah-Hartman [this message]
2020-08-24 8:31 ` [PATCH 4.9 13/39] mm: include CMA pages in lowmem_reserve at boot Greg Kroah-Hartman
2020-08-24 8:31 ` [PATCH 4.9 14/39] mm, page_alloc: fix core hung in free_pcppages_bulk() Greg Kroah-Hartman
2020-08-24 8:31 ` [PATCH 4.9 15/39] jbd2: add the missing unlock_buffer() in the error path of jbd2_write_superblock() Greg Kroah-Hartman
2020-08-24 11:15 ` zhangyi (F)
2020-08-24 15:38 ` Greg Kroah-Hartman
2020-08-24 8:31 ` [PATCH 4.9 16/39] ext4: clean up ext4_match() and callers Greg Kroah-Hartman
2020-08-24 8:31 ` [PATCH 4.9 17/39] ext4: fix checking of directory entry validity for inline directories Greg Kroah-Hartman
2020-08-24 8:31 ` [PATCH 4.9 18/39] scsi: ufs: Add DELAY_BEFORE_LPM quirk for Micron devices Greg Kroah-Hartman
2020-08-24 8:31 ` [PATCH 4.9 19/39] media: budget-core: Improve exception handling in budget_register() Greg Kroah-Hartman
2020-08-24 8:31 ` [PATCH 4.9 20/39] media: vpss: clean up resources in init Greg Kroah-Hartman
2020-08-24 8:31 ` [PATCH 4.9 21/39] Input: psmouse - add a newline when printing proto by sysfs Greg Kroah-Hartman
2020-08-24 8:31 ` [PATCH 4.9 22/39] m68knommu: fix overwriting of bits in ColdFire V3 cache control Greg Kroah-Hartman
2020-08-24 8:31 ` [PATCH 4.9 23/39] xfs: fix inode quota reservation checks Greg Kroah-Hartman
2020-08-24 8:31 ` [PATCH 4.9 24/39] jffs2: fix UAF problem Greg Kroah-Hartman
2020-08-24 8:31 ` [PATCH 4.9 25/39] scsi: libfc: Free skb in fc_disc_gpn_id_resp() for valid cases Greg Kroah-Hartman
2020-08-24 8:31 ` [PATCH 4.9 26/39] virtio_ring: Avoid loop when vq is broken in virtqueue_poll Greg Kroah-Hartman
2020-08-24 8:31 ` [PATCH 4.9 27/39] xfs: Fix UBSAN null-ptr-deref in xfs_sysfs_init Greg Kroah-Hartman
2020-08-24 8:31 ` [PATCH 4.9 28/39] alpha: fix annotation of io{read,write}{16,32}be() Greg Kroah-Hartman
2020-08-24 8:31 ` [PATCH 4.9 29/39] ext4: fix potential negative array index in do_split() Greg Kroah-Hartman
2020-08-24 8:31 ` [PATCH 4.9 30/39] i40e: Set RX_ONLY mode for unicast promiscuous on VLAN Greg Kroah-Hartman
2020-08-24 8:31 ` [PATCH 4.9 31/39] net: fec: correct the error path for regulator disable in probe Greg Kroah-Hartman
2020-08-24 8:31 ` [PATCH 4.9 32/39] ASoC: intel: Fix memleak in sst_media_open Greg Kroah-Hartman
2020-08-24 8:31 ` [PATCH 4.9 33/39] net: dsa: b53: check for timeout Greg Kroah-Hartman
2020-08-24 8:31 ` [PATCH 4.9 34/39] powerpc/pseries: Do not initiate shutdown when system is running on UPS Greg Kroah-Hartman
2020-08-24 8:31 ` [PATCH 4.9 35/39] powerpc: Allow 4224 bytes of stack expansion for the signal frame Greg Kroah-Hartman
2020-08-24 8:31 ` [PATCH 4.9 36/39] epoll: Keep a reference on files added to the check list Greg Kroah-Hartman
2020-08-24 8:31 ` [PATCH 4.9 37/39] do_epoll_ctl(): clean the failure exits up a bit Greg Kroah-Hartman
2020-08-24 8:31 ` [PATCH 4.9 38/39] mm/hugetlb: fix calculation of adjust_range_if_pmd_sharing_possible Greg Kroah-Hartman
2020-08-24 8:31 ` [PATCH 4.9 39/39] xen: dont reschedule in preemption off sections Greg Kroah-Hartman
2020-08-24 10:16 ` [PATCH 4.9 00/39] 4.9.234-rc1 review Jon Hunter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200824082349.099514201@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=akash.goel@intel.com \
--cc=akpm@linux-foundation.org \
--cc=chris@chris-wilson.co.uk \
--cc=dja@axtens.net \
--cc=hulkci@huawei.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mpe@ellerman.id.au \
--cc=rientjes@google.com \
--cc=stable@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
--cc=walken@google.com \
--cc=weiyongjun1@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.