| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251208094551.46184-1-kuniyu@google.com>
Date: Mon, 8 Dec 2025 09:45:45 +0000
From: Kuniyuki Iwashima <kuniyu@...gle.com>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>, "Rafael J. Wysocki" <rafael@...nel.org>,
Danilo Krummrich <dakr@...nel.org>, Christian Brauner <brauner@...nel.org>
Cc: NeilBrown <neil@...wn.name>, Kuniyuki Iwashima <kuniyu@...gle.com>,
Kuniyuki Iwashima <kuni1840@...il.com>, linux-kernel@...r.kernel.org,
syzbot+3d7ca9c802c547f8550a@...kaller.appspotmail.com
Subject: [PATCH] debugfs: Fix memleak in debugfs_change_name().
syzbot reported memleak in debugfs_change_name(). [0]
When lookup_noperm_unlocked() fails, new_name is leaked.
Let's fix it by reusing to kfree_const() at the end of
debugfs_change_name().
[0]:
BUG: memory leak
unreferenced object 0xffff8881110bb308 (size 8):
comm "syz.0.17", pid 6090, jiffies 4294942958
hex dump (first 8 bytes):
2e 00 00 00 00 00 00 00 ........
backtrace (crc ecfc7064):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4953 [inline]
slab_alloc_node mm/slub.c:5258 [inline]
__do_kmalloc_node mm/slub.c:5651 [inline]
__kmalloc_node_track_caller_noprof+0x3b2/0x670 mm/slub.c:5759
__kmemdup_nul mm/util.c:64 [inline]
kstrdup+0x3c/0x80 mm/util.c:84
kstrdup_const+0x63/0x80 mm/util.c:104
kvasprintf_const+0xca/0x110 lib/kasprintf.c:48
debugfs_change_name+0xf6/0x5d0 fs/debugfs/inode.c:854
cfg80211_dev_rename+0xd8/0x110 net/wireless/core.c:149
nl80211_set_wiphy+0x102/0x1770 net/wireless/nl80211.c:3844
genl_family_rcv_msg_doit+0x11e/0x190 net/netlink/genetlink.c:1115
genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
genl_rcv_msg+0x2fd/0x440 net/netlink/genetlink.c:1210
netlink_rcv_skb+0x93/0x1d0 net/netlink/af_netlink.c:2550
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
netlink_unicast+0x3a3/0x4f0 net/netlink/af_netlink.c:1344
netlink_sendmsg+0x335/0x6b0 net/netlink/af_netlink.c:1894
sock_sendmsg_nosec net/socket.c:718 [inline]
__sock_sendmsg net/socket.c:733 [inline]
____sys_sendmsg+0x562/0x5a0 net/socket.c:2608
___sys_sendmsg+0xc8/0x130 net/socket.c:2662
__sys_sendmsg+0xc7/0x140 net/socket.c:2694
Fixes: 833d2b3a072f7 ("Add start_renaming_two_dentries()")
Reported-by: syzbot+3d7ca9c802c547f8550a@...kaller.appspotmail.com
Closes: https://lore.kernel.org/all/69369d82.a70a0220.38f243.009f.GAE@google.com/
Signed-off-by: Kuniyuki Iwashima <kuniyu@...gle.com>
---
fs/debugfs/inode.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
index 4b263c328ed29..4005d21cf009c 100644
--- a/fs/debugfs/inode.c
+++ b/fs/debugfs/inode.c
@@ -841,8 +841,10 @@ int __printf(2, 3) debugfs_change_name(struct dentry *dentry, const char *fmt, .
rd.new_parent = rd.old_parent;
rd.flags = RENAME_NOREPLACE;
target = lookup_noperm_unlocked(&QSTR(new_name), rd.new_parent);
- if (IS_ERR(target))
- return PTR_ERR(target);
+ if (IS_ERR(target)) {
+ error = PTR_ERR(target);
+ goto out_free;
+ }
error = start_renaming_two_dentries(&rd, dentry, target);
if (error) {
@@ -862,6 +864,7 @@ int __printf(2, 3) debugfs_change_name(struct dentry *dentry, const char *fmt, .
out:
dput(rd.old_parent);
dput(target);
+out_free:
kfree_const(new_name);
return error;
}
--
2.52.0.223.gf5cc29aaa4-goog
Powered by blists - more mailing lists