From: Dongliang Mu
To: Greg Kroah-Hartman, Arve Hjønnevåg, Todd Kjos, Martijn Coenen, Joel Fernandes, Christian Brauner, Carlos Llamas, Suren Baghdasaryan, Kees Cook
Cc: Dongliang Mu, syzkaller, linux-kernel@vger.kernel.org
Subject: [PATCH] drivers: binderfs: fix memory leak in binderfs_fill_super
Date: Fri, 12 Aug 2022 21:21:24 +0800
Message-Id: <20220812132124.2053673-1-dzm91@hust.edu.cn>

From: Dongliang Mu

In binderfs_fill_super, if s_root is not successfully initialized by
d_make_root, the previously allocated s_sb_info will not be freed, since
generic_shutdown_super first checks sb->s_root and then does the
put_super operation. The put_super operation calls binderfs_put_super
to deallocate s_sb_info and put ipc_ns. This will lead to a memory leak
in binderfs_fill_super.

Fix this by invoking binderfs_put_super at error sites before s_root
is successfully initialized.

Fixes: 095cf502b31e ("binderfs: port to new mount api")
Reported-by: syzkaller
Signed-off-by: Dongliang Mu
--- drivers/android/binderfs.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/android/binderfs.c b/drivers/android/binderfs.c index 588d753a7a19..20f5bc77495f 100644 --- a/drivers/android/binderfs.c +++ b/drivers/android/binderfs.c
@@ -710,8 +710,10 @@ static int binderfs_fill_super(struct super_block *sb, struct fs_context *fc) info->mount_opts.stats_mode = ctx->stats_mode; inode = new_inode(sb); - if (!inode) + if (!inode) { + binderfs_put_super(sb); return -ENOMEM; + } inode->i_ino = FIRST_INODE; inode->i_fop = &simple_dir_operations; @@ -721,8 +723,10 @@ static int binderfs_fill_super(struct super_block *sb, struct fs_context *fc) set_nlink(inode, 2); sb->s_root = d_make_root(inode); - if (!sb->s_root) + if (!sb->s_root) { + binderfs_put_super(sb); return -ENOMEM; + } ret = binderfs_binder_ctl_create(sb); if (ret) -- 2.25.1
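
Review bot: In the first hunk (the new_inode() failure branch), binderfs_put_super(sb) frees s_sb_info from inside fill_super while the superblock is still handed back to the caller for teardown, so the freed pointer must not remain reachable. Please confirm that binderfs_put_super() leaves sb->s_fs_info set to NULL, or clear it in this branch, so that nothing later on the failed-mount path can touch the freed structure. The context line `info->mount_opts.stats_mode = ctx->stats_mode;` shows that info is already allocated before this point, so it is also worth checking that no other early return sits between that allocation and new_inode(), since the commit message promises the fix for every error site before s_root is set.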
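
Review bot: The second hunk (the d_make_root() failure branch) repeats the same two-line cleanup that the first hunk adds, `binderfs_put_super(sb); return -ENOMEM;`, which makes it easy for a future error site to miss it. Consider setting ret = -ENOMEM and jumping to one shared error label (for instance err_put_super, a name suggested here only) so that the unwinding lives in one place. A short comment at that label saying that generic_shutdown_super skips put_super while sb->s_root is NULL would record why the manual call is needed, which is currently explained only in the commit message.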