[Linux Kernel Bug] memory leak in dvb_dvr_do_ioctl

From: Chenyuan Yang
Date: Mon Mar 04 2024 - 21:45:12 EST


Dear Linux Developers for DVB,

We encountered "memory leak in dvb_dvr_do_ioctl" when testing the
DVB driver with Syzkaller and our generated specifications.

The C reproducer and the config for the kernel are attached.

```
BUG: memory leak
unreferenced object 0xffffc9000ae81000 (size 4096):
comm "syz-executor.0", pid 23888, jiffies 4295016268 (age 8.980s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff8541ee5e>] create_object mm/kmemleak.c:761 [inline]
[<ffffffff8541ee5e>] kmemleak_vmalloc+0x2e/0x90 mm/kmemleak.c:1082
[<ffffffff816382f6>] __vmalloc_node_range+0xc76/0xdb0 mm/vmalloc.c:3348
[<ffffffff816386c2>] __vmalloc_node mm/vmalloc.c:3385 [inline]
[<ffffffff816386c2>] vmalloc+0x52/0x60 mm/vmalloc.c:3418
[<ffffffff83db1c8c>] dvb_dvr_set_buffer_size drivers/media/dvb-core/dmxdev.c:293 [inline]
[<ffffffff83db1c8c>] dvb_dvr_do_ioctl+0x12c/0x2a0 drivers/media/dvb-core/dmxdev.c:1296
[<ffffffff83db1252>] dvb_usercopy+0x82/0x220 drivers/media/dvb-core/dvbdev.c:986
[<ffffffff83db1b11>] dvb_dvr_ioctl+0x31/0x40 drivers/media/dvb-core/dmxdev.c:1333
[<ffffffff8171ca88>] vfs_ioctl fs/ioctl.c:51 [inline]
[<ffffffff8171ca88>] __do_sys_ioctl fs/ioctl.c:871 [inline]
[<ffffffff8171ca88>] __se_sys_ioctl fs/ioctl.c:857 [inline]
[<ffffffff8171ca88>] __x64_sys_ioctl+0x108/0x150 fs/ioctl.c:857
[<ffffffff8540b150>] do_syscall_x64 arch/x86/entry/common.c:51 [inline]
[<ffffffff8540b150>] do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
[<ffffffff8560008b>] entry_SYSCALL_64_after_hwframe+0x63/0x6b
```

The memory leak originates from the allocated memory `newmem = vmalloc(size);`,
as referenced in the code at
[https://elixir.bootlin.com/linux/latest/source/drivers/media/dvb-core/dmxdev.c#L293].
Besides, this memory leak is triggered when enabling
`CONFIG_DVB_MMAP=y`, which will be used when freeing the memory in
`dvb_dvr_release`
(https://elixir.bootlin.com/linux/latest/source/drivers/media/dvb-core/dmxdev.c#L214).

If you have any questions or require more information, please feel
free to contact us.

Reported-by: Chenyuan Yang <chenyuan0y@xxxxxxxxx>

Best,
Chenyuan

Attachment: config
Description: Binary data

Attachment: dvb_ioctl_memleak.c
Description: Binary data
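
For triage of reports like the one above, the following added example (not part of the original message or of any kernel tooling) parses a kmemleak backtrace, finds the first frame outside `mm/`, and pairs an `[inline]` frame with the function at the same address. The names `parse_frames` and `allocation_site` are hypothetical, and the sample is an excerpt of the trace above with the two `dmxdev.c` frames wrapped across lines, as mailed reports often are.

```python
import re

# Excerpt of the backtrace from the report above; two frames are line-wrapped.
REPORT = """\
backtrace:
[<ffffffff8541ee5e>] create_object mm/kmemleak.c:761 [inline]
[<ffffffff8541ee5e>] kmemleak_vmalloc+0x2e/0x90 mm/kmemleak.c:1082
[<ffffffff816386c2>] vmalloc+0x52/0x60 mm/vmalloc.c:3418
[<ffffffff83db1c8c>] dvb_dvr_set_buffer_size
drivers/media/dvb-core/dmxdev.c:293 [inline]
[<ffffffff83db1c8c>] dvb_dvr_do_ioctl+0x12c/0x2a0
drivers/media/dvb-core/dmxdev.c:1296
[<ffffffff8560008b>] entry_SYSCALL_64_after_hwframe+0x63/0x6b
"""

FRAME = re.compile(
    r"\[<(?P<addr>[0-9a-f]+)>\]\s+(?P<func>[\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
    r"(?:\s+(?P<file>\S+):(?P<line>\d+))?(?P<inline>\s+\[inline\])?")

def parse_frames(report):
    """Parse backtrace frames, rejoining frames wrapped onto a second line."""
    joined, in_backtrace = [], False
    for line in map(str.strip, report.splitlines()):
        if line == "backtrace:":
            in_backtrace = True
        elif in_backtrace and line.startswith("[<"):
            joined.append(line)
        elif in_backtrace and line and joined:
            joined[-1] += " " + line  # continuation: "file:line [inline]"
    frames = []
    for m in filter(None, map(FRAME.match, joined)):
        f = m.groupdict()
        f["inline"] = f["inline"] is not None
        f["line"] = int(f["line"]) if f["line"] else None
        frames.append(f)
    return frames

def allocation_site(frames, allocator_dirs=("mm/",)):
    """Return (site, enclosing): first frame outside the allocator, and the
    non-inline frame at the same address that the site was inlined into."""
    for f in frames:
        if f["file"] and not f["file"].startswith(allocator_dirs):
            enclosing = next((g for g in frames
                              if g["addr"] == f["addr"] and not g["inline"]), f)
            return f, enclosing
    return None, None

if __name__ == "__main__":
    site, enclosing = allocation_site(parse_frames(REPORT))
    print(f'{site["func"]} ({site["file"]}:{site["line"]}) in {enclosing["func"]}')
```
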