Date: Mon, 20 Nov 2023 17:31:53 +0200
From: José Pekkarinen
To: viro@zeniv.linux.org.uk, skhan@linuxfoundation.org
Cc: linux-kernel@vger.kernel.org, linux-kernel-mentees@lists.linux.dev, syzbot+cb729843d0f42a5c1a50@syzkaller.appspotmail.com
Subject: Re: [PATCH] iov_iter: fix memleak in iov_iter_extract_pages
In-Reply-To: <20231111075323.208181-1-jose.pekkarinen@foxhound.fi>
Message-ID: <8ab69336548dfe4f556d7be83d90afeb@foxhound.fi>

On 2023-11-11 09:53, José Pekkarinen wrote:
> syzbot reports there is a memory leak in iov_iter_extract_pages where in
> the unlikely case of having an error in pin_user_pages_fast, the pages
> aren't freed. This patch will free it before returning. Output of mem
> leak follows:
>
> BUG: memory leak
> unreferenced object 0xffff888109d2e400 (size 1024):
>   comm "syz-executor121", pid 5006, jiffies 4294943225 (age 17.760s)
>   hex dump (first 32 bytes):
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   backtrace:
>     [] __do_kmalloc_node mm/slab_common.c:984 [inline]
>     [] __kmalloc_node+0x4b/0x150 mm/slab_common.c:992
>     [] kmalloc_node include/linux/slab.h:602 [inline]
>     [] kvmalloc_node+0x99/0x170 mm/util.c:604
>     [] kvmalloc include/linux/slab.h:720 [inline]
>     [] kvmalloc_array include/linux/slab.h:738 [inline]
>     [] want_pages_array lib/iov_iter.c:985 [inline]
>     [] iov_iter_extract_user_pages lib/iov_iter.c:1765 [inline]
>     [] iov_iter_extract_pages+0x1ee/0xa40 lib/iov_iter.c:1831
>     [] bio_map_user_iov+0x167/0x5d0 block/blk-map.c:297
>     [] blk_rq_map_user_iov+0x3e3/0xb30 block/blk-map.c:664
>     [] blk_rq_map_user block/blk-map.c:691 [inline]
>     [] blk_rq_map_user_io+0x143/0x160 block/blk-map.c:724
>     [] sg_io+0x285/0x510 drivers/scsi/scsi_ioctl.c:456
>     [] scsi_cdrom_send_packet+0x1b5/0x480 drivers/scsi/scsi_ioctl.c:820
>     [] scsi_ioctl+0xca/0xd30 drivers/scsi/scsi_ioctl.c:903
>     [] sg_ioctl+0x5f4/0x10a0 drivers/scsi/sg.c:1163
>     [] vfs_ioctl fs/ioctl.c:51 [inline]
>     [] __do_sys_ioctl fs/ioctl.c:870 [inline]
>     [] __se_sys_ioctl fs/ioctl.c:856 [inline]
>     [] __x64_sys_ioctl+0xf2/0x140 fs/ioctl.c:856
>     [] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>     [] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
>     [] entry_SYSCALL_64_after_hwframe+0x63/0xcd
>
> BUG: memory leak
> unreferenced object 0xffff888109d2dc00 (size 1024):
>   comm "syz-executor121", pid 5007, jiffies 4294943747 (age 12.540s)
>   hex dump (first 32 bytes):
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   backtrace:
>     [] __do_kmalloc_node mm/slab_common.c:984 [inline]
>     [] __kmalloc_node+0x4b/0x150 mm/slab_common.c:992
>     [] kmalloc_node include/linux/slab.h:602 [inline]
>     [] kvmalloc_node+0x99/0x170 mm/util.c:604
>     [] kvmalloc include/linux/slab.h:720 [inline]
>     [] kvmalloc_array include/linux/slab.h:738 [inline]
>     [] want_pages_array lib/iov_iter.c:985 [inline]
>     [] iov_iter_extract_user_pages lib/iov_iter.c:1765 [inline]
>     [] iov_iter_extract_pages+0x1ee/0xa40 lib/iov_iter.c:1831
>     [] bio_map_user_iov+0x167/0x5d0 block/blk-map.c:297
>     [] blk_rq_map_user_iov+0x3e3/0xb30 block/blk-map.c:664
>     [] blk_rq_map_user block/blk-map.c:691 [inline]
>     [] blk_rq_map_user_io+0x143/0x160 block/blk-map.c:724
>     [] sg_io+0x285/0x510 drivers/scsi/scsi_ioctl.c:456
>     [] scsi_cdrom_send_packet+0x1b5/0x480 drivers/scsi/scsi_ioctl.c:820
>     [] scsi_ioctl+0xca/0xd30 drivers/scsi/scsi_ioctl.c:903
>     [] sg_ioctl+0x5f4/0x10a0 drivers/scsi/sg.c:1163
>     [] vfs_ioctl fs/ioctl.c:51 [inline]
>     [] __do_sys_ioctl fs/ioctl.c:870 [inline]
>     [] __se_sys_ioctl fs/ioctl.c:856 [inline]
>     [] __x64_sys_ioctl+0xf2/0x140 fs/ioctl.c:856
>     [] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>     [] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
>     [] entry_SYSCALL_64_after_hwframe+0x63/0xcd
>
> BUG: memory leak
> unreferenced object 0xffff888109d2d800 (size 1024):
>   comm "syz-executor121", pid 5010, jiffies 4294944269 (age 7.320s)
>   hex dump (first 32 bytes):
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   backtrace:
>     [] __do_kmalloc_node mm/slab_common.c:984 [inline]
>     [] __kmalloc_node+0x4b/0x150 mm/slab_common.c:992
>     [] kmalloc_node include/linux/slab.h:602 [inline]
>     [] kvmalloc_node+0x99/0x170 mm/util.c:604
>     [] kvmalloc include/linux/slab.h:720 [inline]
>     [] kvmalloc_array include/linux/slab.h:738 [inline]
>     [] want_pages_array lib/iov_iter.c:985 [inline]
>     [] iov_iter_extract_user_pages lib/iov_iter.c:1765 [inline]
>     [] iov_iter_extract_pages+0x1ee/0xa40 lib/iov_iter.c:1831
>     [] bio_map_user_iov+0x167/0x5d0 block/blk-map.c:297
>     [] blk_rq_map_user_iov+0x3e3/0xb30 block/blk-map.c:664
>     [] blk_rq_map_user block/blk-map.c:691 [inline]
>     [] blk_rq_map_user_io+0x143/0x160 block/blk-map.c:724
>     [] sg_io+0x285/0x510 drivers/scsi/scsi_ioctl.c:456
>     [] scsi_cdrom_send_packet+0x1b5/0x480 drivers/scsi/scsi_ioctl.c:820
>     [] scsi_ioctl+0xca/0xd30 drivers/scsi/scsi_ioctl.c:903
>     [] sg_ioctl+0x5f4/0x10a0 drivers/scsi/sg.c:1163
>     [] vfs_ioctl fs/ioctl.c:51 [inline]
>     [] __do_sys_ioctl fs/ioctl.c:870 [inline]
>     [] __se_sys_ioctl fs/ioctl.c:856 [inline]
>     [] __x64_sys_ioctl+0xf2/0x140 fs/ioctl.c:856
>     [] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>     [] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
>     [] entry_SYSCALL_64_after_hwframe+0x63/0xcd
>
> Reported-by: syzbot+cb729843d0f42a5c1a50@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?id=99c8551967f413d108cfdd2950a0cb5652de07b8
> Fixes: 7d58fe7310281 ("iov_iter: Add a function to extract a page list from an iterator")
> Signed-off-by: José Pekkarinen
> --- > lib/iov_iter.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/lib/iov_iter.c b/lib/iov_iter.c > index 27234a820eeb..c3fd0448dead 100644 > --- a/lib/iov_iter.c > +++ b/lib/iov_iter.c 
> @@ -1780,8 +1780,10 @@ static ssize_t > iov_iter_extract_user_pages(struct iov_iter *i, > if (!maxpages) > return -ENOMEM; > res = pin_user_pages_fast(addr, maxpages, gup_flags, *pages); > - if (unlikely(res <= 0)) > + if (unlikely(res <= 0)) { > + kvfree(*pages); > return res; > + } > maxsize = min_t(size_t, maxsize, res * PAGE_SIZE - offset); > iov_iter_advance(i, maxsize); > return maxsize; Ping. José.
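
Review bot: In the new `res <= 0` branch, `kvfree(*pages)` leaves `*pages` pointing at freed memory, and because the array is reached through the caller's pointer, the caller still holds that stale value after the error return and can free or reuse it. Set `*pages = NULL;` right after the `kvfree()`. The branch also frees unconditionally: the backtrace in the commit message shows the array being allocated by `want_pages_array()` inside this function, but the hunk does not show whether `*pages` can instead arrive already set by the caller, and in that case freeing it here would release a buffer this function does not own. The changelog should state which case applies, or the free should be limited to an array allocated in this call.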