[RFC] futex: Fix futex_waitv() hrtimer debug object leak on kcalloc error
Commit Message
In a scenario where kcalloc() fails to allocate memory, the futex_waitv
system call immediately returns -ENOMEM without invoking
destroy_hrtimer_on_stack(). When CONFIG_DEBUG_OBJECTS_TIMERS=y, this
results in leaking a timer debug object.
Fixes: bf69bad38cf6 ("futex: Implement sys_futex_waitv()")
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Andre Almeida <andrealmeid@collabora.com>
Cc: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Darren Hart <dvhart@infradead.org>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: stable@vger.kernel.org # v5.16+
---
kernel/futex/syscalls.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
Comments
On Wed, 14 Dec 2022, Mathieu Desnoyers wrote:
>In a scenario where kcalloc() fails to allocate memory, the futex_waitv
>system call immediately returns -ENOMEM without invoking
>destroy_hrtimer_on_stack(). When CONFIG_DEBUG_OBJECTS_TIMERS=y, this
>results in leaking a timer debug object.
>
>Fixes: bf69bad38cf6 ("futex: Implement sys_futex_waitv()")
>Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
>Cc: Andre Almeida <andrealmeid@collabora.com>
>Cc: Peter Zijlstra (Intel) <peterz@infradead.org>
>Cc: Thomas Gleixner <tglx@linutronix.de>
>Cc: Ingo Molnar <mingo@redhat.com>
>Cc: Darren Hart <dvhart@infradead.org>
>Cc: Davidlohr Bueso <dave@stgolabs.net>
>Cc: stable@vger.kernel.org # v5.16+
Reviewed-by: Davidlohr Bueso <dave@stgolabs.net>
@@ -286,19 +286,22 @@ SYSCALL_DEFINE5(futex_waitv, struct futex_waitv __user *, waiters,
}
futexv = kcalloc(nr_futexes, sizeof(*futexv), GFP_KERNEL);
- if (!futexv)
- return -ENOMEM;
+ if (!futexv) {
+ ret = -ENOMEM;
+ goto destroy_timer;
+ }
ret = futex_parse_waitv(futexv, waiters, nr_futexes);
if (!ret)
ret = futex_wait_multiple(futexv, nr_futexes, timeout ? &to : NULL);
+ kfree(futexv);
+
+destroy_timer:
if (timeout) {
hrtimer_cancel(&to.timer);
destroy_hrtimer_on_stack(&to.timer);
}
-
- kfree(futexv);
return ret;
}