github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-09 15:12:59 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
0853bd6885
linux/kernel
History
Eric Dumazet 4913daecd0 watch_queue: Free the page array when watch_queue is dismantled 
commit b490207017 upstream.

Commit 7ea1a0124b ("watch_queue: Free the alloc bitmap when the
watch_queue is torn down") took care of the bitmap, but not the page
array.

  BUG: memory leak
  unreferenced object 0xffff88810d9bc140 (size 32):
  comm "syz-executor335", pid 3603, jiffies 4294946994 (age 12.840s)
  hex dump (first 32 bytes):
    40 a7 40 04 00 ea ff ff 00 00 00 00 00 00 00 00  @.@.............
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
     kmalloc_array include/linux/slab.h:621 [inline]
     kcalloc include/linux/slab.h:652 [inline]
     watch_queue_set_size+0x12f/0x2e0 kernel/watch_queue.c:251
     pipe_ioctl+0x82/0x140 fs/pipe.c:632
     vfs_ioctl fs/ioctl.c:51 [inline]
     __do_sys_ioctl fs/ioctl.c:874 [inline]
     __se_sys_ioctl fs/ioctl.c:860 [inline]
     __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:860
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]

Reported-by: syzbot+25ea042ae28f3888727a@syzkaller.appspotmail.com
Fixes: c73be61ced ("pipe: Add general notification queue support")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Cc: Jann Horn <jannh@google.com>
Link: https://lore.kernel.org/r/20220322004654.618274-1-eric.dumazet@gmail.com/
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-04-08 14:24:11 +02:00
..
bpf bpf: Fix UAF due to race between btf_try_get_module and load_module 2022-04-08 14:23:24 +02:00
cgroup cgroup-v1: Correct privileges check in release_agent writes 2022-03-02 11:47:47 +01:00
configs
debug kdb: Fix the putarea helper function 2022-04-08 14:23:51 +02:00
dma dma-debug: fix return value of __setup handlers 2022-04-08 14:23:47 +02:00
entry signal: Replace force_fatal_sig with force_exit_sig when in doubt 2021-11-25 09:49:07 +01:00
events perf/core: Fix address filter parser for multiple filters 2022-04-08 14:23:10 +02:00
gcov
irq PCI/MSI: Move non-mask check back into low level accessors 2021-11-18 19:17:14 +01:00
kcsan LKMM updates: 2021-09-02 13:00:15 -07:00
livepatch livepatch: Fix build failure on 32 bits processors 2022-04-08 14:23:29 +02:00
locking locking/lockdep: Iterate lock_classes directly when reading lockdep files 2022-04-08 14:23:57 +02:00
power PM: suspend: fix return value of __setup handler 2022-04-08 14:23:07 +02:00
printk printk: fix return value of printk.devkmsg __setup handler 2022-04-08 14:23:19 +02:00
rcu rcu: Mark writes to the rcu_segcblist structure's ->flags field 2022-04-08 14:23:55 +02:00
sched sched/rt: Plug rt_mutex_setprio() vs push_rt_task() race 2022-04-08 14:23:11 +02:00
time clocksource: Avoid accidental unstable marking of clocksources 2022-01-27 11:04:08 +01:00
trace tracing: Have TRACE_DEFINE_ENUM affect trace event types as well 2022-04-08 14:24:02 +02:00
.gitignore
acct.c kernel/acct.c: use dedicated helper to access rlimit values 2021-09-08 11:50:26 -07:00
async.c Revert "module, async: async_synchronize_full() on module init iff async is used" 2022-02-23 12:03:07 +01:00
audit_fsnotify.c
audit_tree.c
audit_watch.c
audit.c audit: improve audit queue handling when "audit=1" on cmdline 2022-02-08 18:34:03 +01:00
audit.h audit: log AUDIT_TIME_* records only from rules 2022-04-08 14:23:06 +02:00
auditfilter.c
auditsc.c audit: log AUDIT_TIME_* records only from rules 2022-04-08 14:23:06 +02:00
backtracetest.c
bounds.c
capability.c
cfi.c
compat.c arch: remove compat_alloc_user_space 2021-09-08 15:32:35 -07:00
configs.c
context_tracking.c
cpu_pm.c
cpu.c sched/scs: Reset task stack state in bringup_cpu() 2021-12-01 09:04:54 +01:00
crash_core.c kernel/crash_core: suppress unknown crashkernel parameter warning 2021-12-29 12:28:49 +01:00
crash_dump.c
cred.c ucounts: Base set_cred_ucounts changes on the real user 2022-02-23 12:03:20 +01:00
delayacct.c
dma.c
exec_domain.c
exit.c
extable.c
fail_function.c
fork.c sched: Fix yet more sched_fork() races 2022-03-08 19:12:49 +01:00
freezer.c
futex.c futex: Remove unused variable 'vpid' in futex_proxy_trylock_atomic() 2021-09-03 23:00:22 +02:00
gen_kheaders.sh
groups.c
hung_task.c
iomem.c
irq_work.c
jump_label.c
kallsyms.c
kcmp.c
Kconfig.freezer
Kconfig.hz
Kconfig.locks
Kconfig.preempt
kcov.c
kexec_core.c
kexec_elf.c
kexec_file.c
kexec_internal.h
kexec.c kexec: avoid compat_alloc_user_space 2021-09-08 15:32:34 -07:00
kheaders.c
kmod.c
kprobes.c kprobes: Limit max data_size of the kretprobe instances 2021-12-08 09:04:41 +01:00
ksysfs.c
kthread.c
latencytop.c
Makefile
module_signature.c
module_signing.c
module-internal.h
module.c Revert "module, async: async_synchronize_full() on module init iff async is used" 2022-02-23 12:03:07 +01:00
notifier.c
nsproxy.c memcg: enable accounting for new namesapces and struct nsproxy 2021-09-03 09:58:12 -07:00
padata.c
panic.c
params.c
pid_namespace.c memcg: enable accounting for new namesapces and struct nsproxy 2021-09-03 09:58:12 -07:00
pid.c
profile.c profiling: fix shift-out-of-bounds bugs 2021-09-08 11:50:26 -07:00
ptrace.c ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on PTRACE_SEIZE 2022-04-08 14:22:50 +02:00
range.c
reboot.c
regset.c
relay.c
resource_kunit.c
resource.c kernel/resource: fix kfree() of bootmem memory again 2022-04-08 14:23:43 +02:00
rseq.c rseq: Remove broken uapi field layout on 32-bit little endian 2022-04-08 14:23:10 +02:00
scftorture.c
scs.c scs: Release kasan vmalloc poison in scs_free process 2021-11-18 19:16:29 +01:00
seccomp.c seccomp: Invalidate seccomp mode to catch death failures 2022-02-16 12:56:38 +01:00
signal.c signal: In get_signal test for signal_group_exit every time through the loop 2022-03-08 19:12:34 +01:00
smp.c
smpboot.c
smpboot.h
softirq.c
stackleak.c gcc-plugins/stackleak: Use noinstr in favor of notrace 2022-02-23 12:03:07 +01:00
stacktrace.c
static_call.c
stop_machine.c
sys_ni.c compat: remove some compat entry points 2021-09-08 15:32:35 -07:00
sys.c ucounts: Move RLIMIT_NPROC handling after set_user 2022-02-23 12:03:20 +01:00
sysctl-test.c
sysctl.c x86/speculation: Include unprivileged eBPF status in Spectre v2 mitigation reporting 2022-03-11 12:22:31 +01:00
task_work.c
taskstats.c
test_kprobes.c
torture.c
tracepoint.c
tsacct.c taskstats: Cleanup the use of task->exit_code 2022-01-27 11:05:35 +01:00
ucount.c ucounts: Handle wrapping in is_ucounts_overlimit 2022-02-23 12:03:20 +01:00
uid16.c
uid16.h
umh.c
up.c
user_namespace.c ucounts: Fix systemd LimitNPROC with private users regression 2022-03-08 19:12:42 +01:00
user-return-notifier.c
user.c fs/epoll: use a per-cpu counter for user's watches count 2021-09-08 11:50:27 -07:00
usermode_driver.c
utsname_sysctl.c
utsname.c
watch_queue.c watch_queue: Free the page array when watch_queue is dismantled 2022-04-08 14:24:11 +02:00
watchdog_hld.c
watchdog.c
workqueue_internal.h
workqueue.c workqueue: Fix unbind_workers() VS wq_worker_running() race 2022-01-16 09:12:41 +01:00