Date: Tue, 9 Dec 2025 08:08:38 +0900
From: Greg Kroah-Hartman
To: Kuniyuki Iwashima
Cc: "Rafael J. Wysocki", Danilo Krummrich, Christian Brauner, NeilBrown, Kuniyuki Iwashima, linux-kernel@vger.kernel.org, syzbot+3d7ca9c802c547f8550a@syzkaller.appspotmail.com
Subject: Re: [PATCH] debugfs: Fix memleak in debugfs_change_name().
Message-ID: <2025120925-unmanaged-awoke-3c8a@gregkh>
In-Reply-To: <20251208094551.46184-1-kuniyu@google.com>

On Mon, Dec 08, 2025 at 09:45:45AM +0000, Kuniyuki Iwashima wrote:
> syzbot reported memleak in debugfs_change_name(). [0]
>
> When lookup_noperm_unlocked() fails, new_name is leaked.
>
> Let's fix it by reusing to kfree_const() at the end of
> debugfs_change_name().
>
> [0]:
> BUG: memory leak
> unreferenced object 0xffff8881110bb308 (size 8):
>   comm "syz.0.17", pid 6090, jiffies 4294942958
>   hex dump (first 8 bytes):
>     2e 00 00 00 00 00 00 00  ........
>   backtrace (crc ecfc7064):
>     kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
>     slab_post_alloc_hook mm/slub.c:4953 [inline]
>     slab_alloc_node mm/slub.c:5258 [inline]
>     __do_kmalloc_node mm/slub.c:5651 [inline]
>     __kmalloc_node_track_caller_noprof+0x3b2/0x670 mm/slub.c:5759
>     __kmemdup_nul mm/util.c:64 [inline]
>     kstrdup+0x3c/0x80 mm/util.c:84
>     kstrdup_const+0x63/0x80 mm/util.c:104
>     kvasprintf_const+0xca/0x110 lib/kasprintf.c:48
>     debugfs_change_name+0xf6/0x5d0 fs/debugfs/inode.c:854
>     cfg80211_dev_rename+0xd8/0x110 net/wireless/core.c:149
>     nl80211_set_wiphy+0x102/0x1770 net/wireless/nl80211.c:3844
>     genl_family_rcv_msg_doit+0x11e/0x190 net/netlink/genetlink.c:1115
>     genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
>     genl_rcv_msg+0x2fd/0x440 net/netlink/genetlink.c:1210
>     netlink_rcv_skb+0x93/0x1d0 net/netlink/af_netlink.c:2550
>     genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
>     netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
>     netlink_unicast+0x3a3/0x4f0 net/netlink/af_netlink.c:1344
>     netlink_sendmsg+0x335/0x6b0 net/netlink/af_netlink.c:1894
>     sock_sendmsg_nosec net/socket.c:718 [inline]
>     __sock_sendmsg net/socket.c:733 [inline]
>     ____sys_sendmsg+0x562/0x5a0 net/socket.c:2608
>     ___sys_sendmsg+0xc8/0x130 net/socket.c:2662
>     __sys_sendmsg+0xc7/0x140 net/socket.c:2694
>
> Fixes: 833d2b3a072f7 ("Add start_renaming_two_dentries()")
> Reported-by: syzbot+3d7ca9c802c547f8550a@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/69369d82.a70a0220.38f243.009f.GAE@google.com/
> Signed-off-by: Kuniyuki Iwashima
> ---
>  fs/debugfs/inode.c | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
> index 4b263c328ed29..4005d21cf009c 100644
> --- a/fs/debugfs/inode.c
> +++ b/fs/debugfs/inode.c
> @@ -841,8 +841,10 @@ int __printf(2, 3) debugfs_change_name(struct dentry *dentry, const char *fmt, . > rd.new_parent = rd.old_parent; > rd.flags = RENAME_NOREPLACE; > target = lookup_noperm_unlocked(&QSTR(new_name), rd.new_parent); > - if (IS_ERR(target)) > - return PTR_ERR(target); > + if (IS_ERR(target)) { > + error = PTR_ERR(target); > + goto out_free; > + } > > error = start_renaming_two_dentries(&rd, dentry, target); > if (error) { > @@ -862,6 +864,7 @@ int __printf(2, 3) debugfs_change_name(struct dentry *dentry, const char *fmt, . > out: > dput(rd.old_parent); > dput(target); > +out_free: > kfree_const(new_name); > return error; > } > -- > 2.52.0.223.gf5cc29aaa4-goog > Thanks, I'll queue this up after -rc1 is out. greg k-h
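
Review bot: the `goto out_free` added in the first hunk lands on a label that the second hunk places below both `dput(rd.old_parent)` and `dput(target)`, so the lookup_noperm_unlocked() failure path now frees new_name but never drops rd.old_parent. The context line `rd.new_parent = rd.old_parent;` shows rd.old_parent is already set before the lookup, and the existing `out:` path puts it; if a reference is held on it at that point (the assignment is above the hunk's context), this error path still leaks the parent dentry. Skipping `dput(target)` is right here, since target is an ERR_PTR on this path, so consider reordering the tail to run `dput(target)` first under `out:` and placing the new label just before `dput(rd.old_parent)`, so the lookup failure unwinds the parent reference and new_name together.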