From: José Pekkarinen
To: viro@zeniv.linux.org.uk
Cc: José Pekkarinen, linux-kernel@vger.kernel.org, syzbot+cb729843d0f42a5c1a50@syzkaller.appspotmail.com
Subject: [PATCH RESEND] iov_iter: fix memleak in iov_iter_extract_pages
Date: Wed, 6 Dec 2023 09:18:08 +0200
Message-Id: <20231206071808.7646-1-jose.pekkarinen@foxhound.fi>

syzbot reports there is a memory leak in iov_iter_extract_pages where in the unlikely case of
having an error in pin_user_pages_fast, the pages aren't freed. This patch will free it before returning. Output of mem leak follows:

BUG: memory leak
unreferenced object 0xffff888109d2e400 (size 1024):
  comm "syz-executor121", pid 5006, jiffies 4294943225 (age 17.760s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  backtrace:
    [] __do_kmalloc_node mm/slab_common.c:984 [inline]
    [] __kmalloc_node+0x4b/0x150 mm/slab_common.c:992
    [] kmalloc_node include/linux/slab.h:602 [inline]
    [] kvmalloc_node+0x99/0x170 mm/util.c:604
    [] kvmalloc include/linux/slab.h:720 [inline]
    [] kvmalloc_array include/linux/slab.h:738 [inline]
    [] want_pages_array lib/iov_iter.c:985 [inline]
    [] iov_iter_extract_user_pages lib/iov_iter.c:1765 [inline]
    [] iov_iter_extract_pages+0x1ee/0xa40 lib/iov_iter.c:1831
    [] bio_map_user_iov+0x167/0x5d0 block/blk-map.c:297
    [] blk_rq_map_user_iov+0x3e3/0xb30 block/blk-map.c:664
    [] blk_rq_map_user block/blk-map.c:691 [inline]
    [] blk_rq_map_user_io+0x143/0x160 block/blk-map.c:724
    [] sg_io+0x285/0x510 drivers/scsi/scsi_ioctl.c:456
    [] scsi_cdrom_send_packet+0x1b5/0x480 drivers/scsi/scsi_ioctl.c:820
    [] scsi_ioctl+0xca/0xd30 drivers/scsi/scsi_ioctl.c:903
    [] sg_ioctl+0x5f4/0x10a0 drivers/scsi/sg.c:1163
    [] vfs_ioctl fs/ioctl.c:51 [inline]
    [] __do_sys_ioctl fs/ioctl.c:870 [inline]
    [] __se_sys_ioctl fs/ioctl.c:856 [inline]
    [] __x64_sys_ioctl+0xf2/0x140 fs/ioctl.c:856
    [] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    [] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
    [] entry_SYSCALL_64_after_hwframe+0x63/0xcd

BUG: memory leak
unreferenced object 0xffff888109d2dc00 (size 1024):
  comm "syz-executor121", pid 5007, jiffies 4294943747 (age 12.540s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  backtrace:
    [] __do_kmalloc_node mm/slab_common.c:984 [inline]
    [] __kmalloc_node+0x4b/0x150 mm/slab_common.c:992
    [] kmalloc_node include/linux/slab.h:602 [inline]
    [] kvmalloc_node+0x99/0x170 mm/util.c:604
    [] kvmalloc include/linux/slab.h:720 [inline]
    [] kvmalloc_array include/linux/slab.h:738 [inline]
    [] want_pages_array lib/iov_iter.c:985 [inline]
    [] iov_iter_extract_user_pages lib/iov_iter.c:1765 [inline]
    [] iov_iter_extract_pages+0x1ee/0xa40 lib/iov_iter.c:1831
    [] bio_map_user_iov+0x167/0x5d0 block/blk-map.c:297
    [] blk_rq_map_user_iov+0x3e3/0xb30 block/blk-map.c:664
    [] blk_rq_map_user block/blk-map.c:691 [inline]
    [] blk_rq_map_user_io+0x143/0x160 block/blk-map.c:724
    [] sg_io+0x285/0x510 drivers/scsi/scsi_ioctl.c:456
    [] scsi_cdrom_send_packet+0x1b5/0x480 drivers/scsi/scsi_ioctl.c:820
    [] scsi_ioctl+0xca/0xd30 drivers/scsi/scsi_ioctl.c:903
    [] sg_ioctl+0x5f4/0x10a0 drivers/scsi/sg.c:1163
    [] vfs_ioctl fs/ioctl.c:51 [inline]
    [] __do_sys_ioctl fs/ioctl.c:870 [inline]
    [] __se_sys_ioctl fs/ioctl.c:856 [inline]
    [] __x64_sys_ioctl+0xf2/0x140 fs/ioctl.c:856
    [] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    [] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
    [] entry_SYSCALL_64_after_hwframe+0x63/0xcd

BUG: memory leak
unreferenced object 0xffff888109d2d800 (size 1024):
  comm "syz-executor121", pid 5010, jiffies 4294944269 (age 7.320s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  backtrace:
    [] __do_kmalloc_node mm/slab_common.c:984 [inline]
    [] __kmalloc_node+0x4b/0x150 mm/slab_common.c:992
    [] kmalloc_node include/linux/slab.h:602 [inline]
    [] kvmalloc_node+0x99/0x170 mm/util.c:604
    [] kvmalloc include/linux/slab.h:720 [inline]
    [] kvmalloc_array include/linux/slab.h:738 [inline]
    [] want_pages_array lib/iov_iter.c:985 [inline]
    [] iov_iter_extract_user_pages lib/iov_iter.c:1765 [inline]
    [] iov_iter_extract_pages+0x1ee/0xa40 lib/iov_iter.c:1831
    [] bio_map_user_iov+0x167/0x5d0 block/blk-map.c:297
    [] blk_rq_map_user_iov+0x3e3/0xb30 block/blk-map.c:664
    [] blk_rq_map_user block/blk-map.c:691 [inline]
    [] blk_rq_map_user_io+0x143/0x160 block/blk-map.c:724
    [] sg_io+0x285/0x510 drivers/scsi/scsi_ioctl.c:456
    [] scsi_cdrom_send_packet+0x1b5/0x480 drivers/scsi/scsi_ioctl.c:820
    [] scsi_ioctl+0xca/0xd30 drivers/scsi/scsi_ioctl.c:903
    [] sg_ioctl+0x5f4/0x10a0 drivers/scsi/sg.c:1163
    [] vfs_ioctl fs/ioctl.c:51 [inline]
    [] __do_sys_ioctl fs/ioctl.c:870 [inline]
    [] __se_sys_ioctl fs/ioctl.c:856 [inline]
    [] __x64_sys_ioctl+0xf2/0x140 fs/ioctl.c:856
    [] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    [] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
    [] entry_SYSCALL_64_after_hwframe+0x63/0xcd

Reported-by: syzbot+cb729843d0f42a5c1a50@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?id=99c8551967f413d108cfdd2950a0cb5652de07b8
Fixes: 7d58fe7310281 ("iov_iter: Add a function to extract a page list from an iterator")
Signed-off-by: José Pekkarinen
--- lib/iov_iter.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/iov_iter.c b/lib/iov_iter.c index 27234a820eeb..c3fd0448dead 100644 --- a/lib/iov_iter.c +++ b/lib/iov_iter.c
@@ -1780,8 +1780,10 @@ static ssize_t iov_iter_extract_user_pages(struct iov_iter *i, if (!maxpages) return -ENOMEM; res = pin_user_pages_fast(addr, maxpages, gup_flags, *pages); - if (unlikely(res <= 0)) + if (unlikely(res <= 0)) { + kvfree(*pages); return res; + } maxsize = min_t(size_t, maxsize, res * PAGE_SIZE - offset); iov_iter_advance(i, maxsize); return maxsize; -- 2.39.2
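
Review bot: In the new res <= 0 branch, kvfree(*pages) releases the array but leaves *pages pointing at the freed memory, and nothing in the hunk distinguishes an array allocated inside iov_iter_extract_user_pages() from one the caller handed in through pages. If a caller can pass its own array, or frees *pages itself on error, this becomes a free of caller-owned memory or a double free rather than a leak fix. Please free only when this function did the allocation, set *pages = NULL after the kvfree(), and state in the commit message which side owns the array on the error path; the message currently says "the pages" are not freed, while the kmemleak backtrace points at the array allocated in want_pages_array(), not at pinned pages.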