From: Lizhi Xu
Subject: [PATCH] radix-tree: fix memory leak in radix_tree_insert
Date: Mon, 11 Dec 2023 17:48:39 +0800
Message-ID: <20231211094840.642118-1-lizhi.xu@windriver.com>
In-Reply-To: <000000000000bfba3a060bf4ffcf@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

[Syz report]
BUG: memory leak
unreferenced object 0xffff88810bbf56d8 (size 576):
  comm "syz-executor250", pid 5051, jiffies 4294951219 (age 12.920s)
  hex dump (first 32 bytes):
    3c 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00  <...............
    f0 a9 2d 0c 81 88 ff ff f0 56 bf 0b 81 88 ff ff  ..-......V......
  backtrace:
    [] kmemleak_alloc_recursive include/linux/kmemleak.h:42 [inline]
    [] slab_post_alloc_hook mm/slab.h:766 [inline]
    [] slab_alloc_node mm/slub.c:3478 [inline]
    [] slab_alloc mm/slub.c:3486 [inline]
    [] __kmem_cache_alloc_lru mm/slub.c:3493 [inline]
    [] kmem_cache_alloc+0x298/0x430 mm/slub.c:3502
    [] radix_tree_node_alloc.constprop.0+0x7c/0x1a0 lib/radix-tree.c:276
    [] __radix_tree_create lib/radix-tree.c:624 [inline]
    [] radix_tree_insert+0x14f/0x360 lib/radix-tree.c:712
    [] qrtr_tx_wait net/qrtr/af_qrtr.c:277 [inline]
    [] qrtr_node_enqueue+0x57d/0x630 net/qrtr/af_qrtr.c:348
    [] qrtr_bcast_enqueue+0x66/0xd0 net/qrtr/af_qrtr.c:891
    [] qrtr_sendmsg+0x232/0x450 net/qrtr/af_qrtr.c:992
    [] sock_sendmsg_nosec net/socket.c:730 [inline]
    [] __sock_sendmsg+0x52/0xa0 net/socket.c:745
    [] sock_write_iter+0xfb/0x180 net/socket.c:1158
    [] call_write_iter include/linux/fs.h:2020 [inline]
    [] new_sync_write fs/read_write.c:491 [inline]
    [] vfs_write+0x327/0x590 fs/read_write.c:584
    [] ksys_write+0x13b/0x170 fs/read_write.c:637
    [] do_syscall_x64 arch/x86/entry/common.c:51 [inline]
    [] do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
    [] entry_SYSCALL_64_after_hwframe+0x63/0x6b

[Analysis]
When creating child nodes, if not all child nodes used to store indexes are
created, the child nodes created before the failure should be released.

Reported-and-tested-by: syzbot+006987d1be3586e13555@syzkaller.appspotmail.com
Signed-off-by: Lizhi Xu
---
 lib/radix-tree.c | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/lib/radix-tree.c b/lib/radix-tree.c index a89df8afa510..c5caf5b7523a 100644 --- a/lib/radix-tree.c +++ b/lib/radix-tree.c
@@ -616,9 +616,10 @@ static int __radix_tree_create(struct radix_tree_root *root, struct radix_tree_node *node = NULL, *child; void __rcu **slot = (void __rcu **)&root->xa_head; unsigned long maxindex; - unsigned int shift, offset = 0; + unsigned int shift, offset = 0, mmshift = 0; unsigned long max = index; gfp_t gfp = root_gfp_mask(root); + int ret; shift = radix_tree_load_root(root, &child, &maxindex); @@ -628,6 +629,7 @@ static int __radix_tree_create(struct radix_tree_root *root, if (error < 0) return error; shift = error; + mmshift = error; child = rcu_dereference_raw(root->xa_head); } @@ -637,8 +639,10 @@ static int __radix_tree_create(struct radix_tree_root *root, /* Have to add a child node. */ child = radix_tree_node_alloc(gfp, node, root, shift, offset, 0, 0); - if (!child) - return -ENOMEM; + if (!child) { + ret = -ENOMEM; + goto freec; + } rcu_assign_pointer(*slot, node_to_entry(child)); if (node) node->count++; @@ -656,6 +660,17 @@ static int __radix_tree_create(struct radix_tree_root *root, if (slotp) *slotp = slot; return 0; +freec: + if (mmshift > 0) { + struct radix_tree_node *pn; + while (shift < mmshift && node) { + pn = node->parent; + radix_tree_node_rcu_free(&node->rcu_head); + shift += RADIX_TREE_MAP_SHIFT; + node = pn; + } + } + return ret; } /* -- 2.43.0
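
Review bot: In the hunk at -628,6, mmshift is assigned only inside the block that follows the radix_tree_extend() error check, yet the cleanup at freec is gated on "if (mmshift > 0)". On any call that does not pass through that block, mmshift stays 0 and the error path frees nothing, so child nodes allocated by the loop before a later allocation failure would still leak. Record the starting point of this call unconditionally (for example the node and shift seen before the first allocation) and bound the cleanup by that instead. The name mmshift also needs a comment or a more descriptive name, since nothing in the patch says what it holds.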
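
Review bot: In the hunk at -637,8, the new "goto freec" is reached after earlier loop iterations have already run "rcu_assign_pointer(*slot, node_to_entry(child));" and "node->count++", so the nodes being unwound are linked into the tree and counted by their parents. The error path frees them without clearing the slot that points at the topmost freed node and without decrementing the parent's count, which leaves a pointer to freed memory in the tree and a count that no longer matches the populated slots. The unwind has to undo both steps for each node it releases, or the allocation should be restructured so that nothing is linked until the whole path has been allocated.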
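
Review bot: In the hunk at -656,6, the freec loop calls "radix_tree_node_rcu_free(&node->rcu_head);" directly, which by its argument is the RCU callback, so the nodes are released with no grace period even though they were published with rcu_assign_pointer() and may be visible to lockless readers. Free them through call_rcu() instead. The loop condition "shift < mmshift && node" also walks up node->parent purely by shift and does not distinguish nodes allocated in this call from nodes that were already in the tree; please explain in a comment why it cannot free a pre-existing node, or track the first node allocated here and stop there. The commit message would also benefit from a Fixes: tag naming the commit that introduced the leak.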