* [PATCH] watch_queue: Free the real number of allocated pages
@ 2022-03-21 1:42 Fabio M. De Francesco
0 siblings, 0 replies; only message in thread
From: Fabio M. De Francesco @ 2022-03-21 1:42 UTC (permalink / raw)
To: David Howells, Christophe JAILLET, linux-kernel
Cc: Fabio M. De Francesco, syzbot+d55757faa9b80590767b
In the "error_p" label, the code calls __free_page() in a loop from
pages[0] to pages[nr_pages -1].
When pages[i] are allocated in a loop with calls to alloc_page() and one
of these allocations fails, the code jumps to the "error_p" label without
saving the real number of successful allocations and without using this
as the limit of the free cycle.
For the above-mentioned reasons, Syzbot reports a bug:
"[syzbot] KASAN: null-ptr-deref Read in __free_pages".[1]
Fix this bug by saving the real number of allocated pages and, in those
cases where the inth iteration of alloc_page() fails and the code jumps
to the "error_p" label, use that number as the upper limit for the index
of the 'for' loop that calls __free_pages(pages[i]).
[1] https://lore.kernel.org/lkml/00000000000084e0cf05daafb25f@google.com/T/#m143407dade7ed9126253175728d6f38505d2393c
Reported-and-tested-by: syzbot+d55757faa9b80590767b@syzkaller.appspotmail.com
Fixes: c73be61cede5 ("pipe: Add general notification queue support")
Signed-off-by: Fabio M. De Francesco <fmdefrancesco@gmail.com>
---
kernel/watch_queue.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/kernel/watch_queue.c b/kernel/watch_queue.c
index 00703444a219..5b0531020cf8 100644
--- a/kernel/watch_queue.c
+++ b/kernel/watch_queue.c
@@ -220,7 +220,7 @@ long watch_queue_set_size(struct pipe_inode_info *pipe, unsigned int nr_notes)
struct page **pages;
unsigned long *bitmap;
unsigned long user_bufs;
- int ret, i, nr_pages;
+ int ret, i, nr_pages, allocated_pages;
if (!wqueue)
return -ENODEV;
@@ -254,6 +254,7 @@ long watch_queue_set_size(struct pipe_inode_info *pipe, unsigned int nr_notes)
for (i = 0; i < nr_pages; i++) {
pages[i] = alloc_page(GFP_KERNEL);
+ allocated_pages = i;
if (!pages[i])
goto error_p;
pages[i]->index = i * WATCH_QUEUE_NOTES_PER_PAGE;
@@ -271,7 +272,7 @@ long watch_queue_set_size(struct pipe_inode_info *pipe, unsigned int nr_notes)
return 0;
error_p:
- for (i = 0; i < nr_pages; i++)
+ for (i = 0; i < allocated_pages; i++)
__free_page(pages[i]);
kfree(pages);
error:
--
2.34.1
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2022-03-21 1:42 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-03-21 1:42 [PATCH] watch_queue: Free the real number of allocated pages Fabio M. De Francesco
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.