Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp1006255pxb; Wed, 6 Apr 2022 06:33:19 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzAtILBMYJ24zzTS0CpCb+mDIP2bbhI2VgrAP/n/gb/jvTGci/egc5MNoH9q6raJdSZ2I+q X-Received: by 2002:a05:6808:bc2:b0:2ec:e7f0:c11e with SMTP id o2-20020a0568080bc200b002ece7f0c11emr3635797oik.126.1649251998878; Wed, 06 Apr 2022 06:33:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1649251998; cv=none; d=google.com; s=arc-20160816; b=Xgv9xx8BsRvryRxV2ORWAIv/r7Ve+lz8V31yIQqnYCoEl9CTq1kV/oOJL9KgS37WN1 /ecF0PHh4p54/Z6OXBGL6zYqjT/CUQ6SAfxuQzfl6DqsvlMNpvnNKiPPF6Rw4czO/XOU 3wOT/mqRdTvcZ6yHUJuSSg9WWV9f9J1B+1tDOcjDax9O+K+aBFycYBUjI9XJI4Qjep0o 2KLd1yRznlo/RU9PQI8GAG29tQNV+t64KrDnKoyrDJS5+z9B3zM8w2k8CJIsq310QbP7 AE1ZXfKOtHJd3rL9I/ZYutp5BbcQx987Q+imccZc8cNnFwvrg3PHl1WkcW846Uo1WYoi xzfA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=lrIKdYTLK2fTzLetFs5hi6v/svutP0KwCeRYLfGDlnQ=; b=zLfSjMFukyVdlbfyMve9KCEnewp7ALUzA3F5UfLlmnIfyu4qMJZZZqj88qaygrcM6r zvnZ6RogOnRx52aHOu/SHLwenEo+U1bW6SyDDVn5dGqWZDh235qCQ6Y3qsN/QbEIiowA PNhpI/u/DPBww3WMtYXpHiWQvYammeRkW3GBuiw9NkmsPwt8ZvNzGDiEi9kYgIpyMWVz OgS4VAg/Tyn241FF+9pRjQ/lcjkDlbd/Q43p4PLfNS103MHDl1Thar3LQFQNR6b7yohI jZ15GoREZYxVMHGu0r7ElPixthO21IyLggKVGh04kDqwM1ZFGvZpoFrSo/Mp1GNR9NIY 8LkA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=kDgYjHIW; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id g9-20020a9d6a09000000b005cb2fc1380csi8423560otn.136.2022.04.06.06.33.17 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 06 Apr 2022 06:33:18 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=kDgYjHIW; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 912BC49DE3A; Wed, 6 Apr 2022 04:12:37 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1843931AbiDFBmV (ORCPT + 99 others); Tue, 5 Apr 2022 21:42:21 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60264 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1356314AbiDEKXg (ORCPT ); Tue, 5 Apr 2022 06:23:36 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D5EC2BB0AE; Tue, 5 Apr 2022 03:08:09 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 7198B6176C; Tue, 5 Apr 2022 10:08:08 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 86BEDC385A2; Tue, 5 Apr 2022 10:08:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1649153287; bh=R7jBaNNOIfBcdkDD1sAHN6W5EEcD4afMpqTGiA3CiWY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=kDgYjHIWRB7bYX76Jlw5ninWbblEUBj1zY5Lv5FISAfA5BaO7yDOqVxa75SvHCb4Q dS6//zvTpdZGYyHmpqDghPNFXA8/w5HoNso4z1UegdrDqQ8KHNqbP0j5fNW4FJn5zd cez8gFXA52FyaZgChvquEnIf2eZAR/+2bAaEhX04= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, David Howells , "Fabio M. De Francesco" , Sasha Levin , syzbot+d55757faa9b80590767b@syzkaller.appspotmail.com Subject: [PATCH 5.10 170/599] watch_queue: Fix NULL dereference in error cleanup Date: Tue, 5 Apr 2022 09:27:44 +0200 Message-Id: <20220405070303.901025767@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220405070258.802373272@linuxfoundation.org> References: <20220405070258.802373272@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: David Howells [ Upstream commit a635415a064e77bcfbf43da413fd9dfe0bbed9cb ] In watch_queue_set_size(), the error cleanup code doesn't take account of the fact that __free_page() can't handle a NULL pointer when trying to free up buffer pages that did get allocated. Fix this by only calling __free_page() on the pages actually allocated. Without the fix, this can lead to something like the following: BUG: KASAN: null-ptr-deref in __free_pages+0x1f/0x1b0 mm/page_alloc.c:5473 Read of size 4 at addr 0000000000000034 by task syz-executor168/3599 ... Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 __kasan_report mm/kasan/report.c:446 [inline] kasan_report.cold+0x66/0xdf mm/kasan/report.c:459 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189 instrument_atomic_read include/linux/instrumented.h:71 [inline] atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline] page_ref_count include/linux/page_ref.h:67 [inline] put_page_testzero include/linux/mm.h:717 [inline] __free_pages+0x1f/0x1b0 mm/page_alloc.c:5473 watch_queue_set_size+0x499/0x630 kernel/watch_queue.c:275 pipe_ioctl+0xac/0x2b0 fs/pipe.c:632 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:874 [inline] __se_sys_ioctl fs/ioctl.c:860 [inline] __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Fixes: c73be61cede5 ("pipe: Add general notification queue support") Reported-and-tested-by: syzbot+d55757faa9b80590767b@syzkaller.appspotmail.com Signed-off-by: David Howells Reviewed-by: Fabio M. De Francesco Signed-off-by: Sasha Levin --- kernel/watch_queue.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/watch_queue.c b/kernel/watch_queue.c index e3f144d96026..45a8eb90e5fc 100644 --- a/kernel/watch_queue.c +++ b/kernel/watch_queue.c @@ -274,7 +274,7 @@ long watch_queue_set_size(struct pipe_inode_info *pipe, unsigned int nr_notes) return 0; error_p: - for (i = 0; i < nr_pages; i++) + while (--i >= 0) __free_page(pages[i]); kfree(pages); error: -- 2.34.1