potential memory leak may happen if user space pointer created_timer_id
is invallid. or the value it points to is invalid. the call will
prematurely return.

However it doesn't free the memory it allocates with
alloc_posix_timer(). This patch attemps to fix that.

Reported-and-tested-by: syzbot+9c47ad18f978d4394986@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/69155df4.a70a0220.3124cb.0017.GAE@google.com/T/
Fixes: ec2d0c04624b3c8a7eb1682e006717fa20cfbe24 ("posix-timers: Provide a mechanism to allocate a given timer ID")
Signed-off-by: Eslam Khafagy <eslam.medhat1993@gmail.com>
---
 kernel/time/posix-timers.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c
index aa3120104a51..46ee10551c63 100644
--- a/kernel/time/posix-timers.c
+++ b/kernel/time/posix-timers.c
@@ -483,11 +483,15 @@ static int do_timer_create(clockid_t which_clock, struct sigevent *event,
 
 	/* Special case for CRIU to restore timers with a given timer ID. */
 	if (unlikely(current->signal->timer_create_restore_ids)) {
-		if (copy_from_user(&req_id, created_timer_id, sizeof(req_id)))
+		if (copy_from_user(&req_id, created_timer_id, sizeof(req_id))) {
+			posixtimer_free_timer(new_timer);
 			return -EFAULT;
+		}
 		/* Valid IDs are 0..INT_MAX */
-		if ((unsigned int)req_id > INT_MAX)
+		if ((unsigned int)req_id > INT_MAX) {
+			posixtimer_free_timer(new_timer);
 			return -EINVAL;
+		}
 	}
 
 	/*
-- 
2.43.0

On Fri, Nov 14, 2025 at 07:06:21AM +0200, Eslam Khafagy wrote:
> potential memory leak may happen if user space pointer created_timer_id
> is invallid. or the value it points to is invalid. the call will
> prematurely return.
> 
> However it doesn't free the memory it allocates with
> alloc_posix_timer(). This patch attemps to fix that.
> 
> Reported-and-tested-by: syzbot+9c47ad18f978d4394986@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/69155df4.a70a0220.3124cb.0017.GAE@google.com/T/
> Fixes: ec2d0c04624b3c8a7eb1682e006717fa20cfbe24 ("posix-timers: Provide a mechanism to allocate a given timer ID")
> Signed-off-by: Eslam Khafagy <eslam.medhat1993@gmail.com>

Simply move parameters check _before_ new timer allocation please, this way you won't
need new code at all :)

On 11/14/25 11:29, Cyrill Gorcunov wrote:
> On Fri, Nov 14, 2025 at 07:06:21AM +0200, Eslam Khafagy wrote:
>> potential memory leak may happen if user space pointer created_timer_id
>> is invallid. or the value it points to is invalid. the call will
>> prematurely return.
>>
>> However it doesn't free the memory it allocates with
>> alloc_posix_timer(). This patch attemps to fix that.
>>
>> Reported-and-tested-by: syzbot+9c47ad18f978d4394986@syzkaller.appspotmail.com
>> Closes: https://lore.kernel.org/all/69155df4.a70a0220.3124cb.0017.GAE@google.com/T/
>> Fixes: ec2d0c04624b3c8a7eb1682e006717fa20cfbe24 ("posix-timers: Provide a mechanism to allocate a given timer ID")
>> Signed-off-by: Eslam Khafagy <eslam.medhat1993@gmail.com>
> Simply move parameters check _before_ new timer allocation please, this way you won't
> need new code at all :)

:)
v2 coming right up.