From: Mathieu Desnoyers
To: Peter Zijlstra
Cc: linux-kernel@vger.kernel.org, Mathieu Desnoyers, Andre Almeida, Thomas Gleixner, Ingo Molnar, Darren Hart, Davidlohr Bueso, stable@vger.kernel.org
Subject: [RFC PATCH] futex: Fix futex_waitv() hrtimer debug object leak on kcalloc error
Date: Wed, 14 Dec 2022 17:20:08 -0500
Message-Id: <20221214222008.200393-1-mathieu.desnoyers@efficios.com>

In a scenario where kcalloc() fails to allocate memory, the futex_waitv
system call immediately returns -ENOMEM without invoking
destroy_hrtimer_on_stack(). When CONFIG_DEBUG_OBJECTS_TIMERS=y, this
results in leaking a timer debug object.

Fixes: bf69bad38cf6 ("futex: Implement sys_futex_waitv()")
Signed-off-by: Mathieu Desnoyers
Cc: Andre Almeida
Cc: Peter Zijlstra (Intel)
Cc: Thomas Gleixner
Cc: Ingo Molnar
Cc: Darren Hart
Cc: Davidlohr Bueso
Cc: stable@vger.kernel.org # v5.16+
Reviewed-by: Davidlohr Bueso
--- kernel/futex/syscalls.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/kernel/futex/syscalls.c b/kernel/futex/syscalls.c index 086a22d1adb7..a8074079b09e 100644 --- a/kernel/futex/syscalls.c +++ b/kernel/futex/syscalls.c @@ -286,19 +286,22 @@ SYSCALL_DEFINE5(futex_waitv, struct futex_waitv __use= r *, waiters, } =20 futexv =3D kcalloc(nr_futexes, sizeof(*futexv), GFP_KERNEL); - if (!futexv) - return -ENOMEM; + if (!futexv) { + ret =3D -ENOMEM; + goto destroy_timer; + } =20 ret =3D futex_parse_waitv(futexv, waiters, nr_futexes); if (!ret) ret =3D futex_wait_multiple(futexv, nr_futexes, timeout ? &to : NULL); =20 + kfree(futexv); + +destroy_timer: if (timeout) { hrtimer_cancel(&to.timer); destroy_hrtimer_on_stack(&to.timer); } - - kfree(futexv); return ret; } =20 --=20 2.25.1
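Review bot: In the tail of the hunk, moving `kfree(futexv);` above the new `destroy_timer:` label is not needed for the fix. On the kcalloc() failure path futexv is NULL and kfree(NULL) is a no-op, so the label could sit directly before `if (timeout) {` with the free left where it was after the timer teardown. That would reduce the change to the new `if (!futexv) { ret = -ENOMEM; goto destroy_timer; }` branch plus one label, which is easier to audit for the v5.16+ stable backport. Both orderings are correct as far as these lines show. If the reorder is kept, a sentence in the commit message saying why would help, since the message only describes the missing destroy_hrtimer_on_stack() call. The hunk starts at the closing brace of the preceding block, so it is also worth confirming against the full function that no other return lies between the on-stack timer setup and this allocation, as it would leak the same debug object.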