From: Pavel Skripkin
To: tytso@mit.edu, adilger.kernel@dilger.ca
Cc: linux-ext4@vger.kernel.org, linux-kernel@vger.kernel.org, Pavel Skripkin, syzbot+d9e482e303930fa4f6ff@syzkaller.appspotmail.com
Subject: [PATCH] ext4: fix memory leak in ext4_fill_super
Date: Wed, 28 Apr 2021 20:28:28 +0300
Message-Id: <20210428172828.12589-1-paskripkin@gmail.com>

syzbot reported a memory leak in the ext4 subsystem. The problem appears when the thread_stop() call happens before wake_up_process().

Normally, this data will be freed by the created thread, but if kthread_stop() returned -EINTR, this data should be freed manually.

Reported-by: syzbot+d9e482e303930fa4f6ff@syzkaller.appspotmail.com
Tested-by: syzbot+d9e482e303930fa4f6ff@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin

--- fs/ext4/super.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/fs/ext4/super.c b/fs/ext4/super.c index b9693680463a..9c33e97bd5c5 100644 --- a/fs/ext4/super.c 
+++ b/fs/ext4/super.c @@ -5156,8 +5156,10 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) failed_mount3: flush_work(&sbi->s_error_work); del_timer_sync(&sbi->s_err_report); - if (sbi->s_mmp_tsk) - kthread_stop(sbi->s_mmp_tsk); + if (sbi->s_mmp_tsk) { + if (kthread_stop(sbi->s_mmp_tsk) == -EINTR) + kfree(kthread_data(sbi->s_mmp_tsk)); + } failed_mount2: rcu_read_lock(); group_desc = rcu_dereference(sbi->s_group_desc); -- 2.31.1
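
Review bot: In the failed_mount3 block, kthread_data(sbi->s_mmp_tsk) is evaluated only after kthread_stop() has returned, so the kfree() depends on the task and its kthread bookkeeping still being valid at that point. kthread_stop() drops its own reference to the task before returning, so unless another reference is held this reads through a pointer that may already have been released, trading the leak for a possible use-after-free. Suggest reading the pointer before stopping the thread, e.g. `void *data = kthread_data(sbi->s_mmp_tsk);` followed by `if (kthread_stop(sbi->s_mmp_tsk) == -EINTR) kfree(data);`, and adding a one-line comment that -EINTR means the thread function never ran and therefore never freed its argument. Minor: the changelog says thread_stop() where the code calls kthread_stop().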