From: Thomas Gleixner
To: syzbot, anna-maria@linutronix.de, frederic@kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: [PATCH] posix-timers: Plug a potential memory leak
In-Reply-To: <69155df4.a70a0220.3124cb.0017.GAE@google.com>
References: <69155df4.a70a0220.3124cb.0017.GAE@google.com>
Date: Fri, 14 Nov 2025 14:29:30 +0100
Message-ID: <87zf8obv45.ffs@tglx>

When posix timer creation is set to allocate a given timer ID and the access to the user space value faults, the function terminates without freeing the already allocated posix timer structure. Move the allocation after the user space access to cure that.
Fixes: ec2d0c04624b ("posix-timers: Provide a mechanism to allocate a given timer ID")
Reported-by: syzbot+9c47ad18f978d4394986@syzkaller.appspotmail.com
Signed-off-by: Thomas Gleixner
Closes: https://lore.kernel.org/all/69155df4.a70a0220.3124cb.0017.GAE@google.com
---
 kernel/time/posix-timers.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/kernel/time/posix-timers.c +++ b/kernel/time/posix-timers.c @@ -475,12 +475,6 @@ static int do_timer_create(clockid_t whi if (!kc->timer_create) return -EOPNOTSUPP; =20 - new_timer =3D alloc_posix_timer(); - if (unlikely(!new_timer)) - return -EAGAIN; - - spin_lock_init(&new_timer->it_lock); - /* Special case for CRIU to restore timers with a given timer ID. */ if (unlikely(current->signal->timer_create_restore_ids)) { if (copy_from_user(&req_id, created_timer_id, sizeof(req_id))) @@ -490,6 +484,12 @@ static int do_timer_create(clockid_t whi return -EINVAL; } =20 + new_timer =3D alloc_posix_timer(); + if (unlikely(!new_timer)) + return -EAGAIN; + + spin_lock_init(&new_timer->it_lock); + /* * Add the timer to the hash table. The timer is not yet valid * after insertion, but has a unique ID allocated.
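Review bot: For the first hunk (@@ -475,12 +475,6 @@), removing the alloc_posix_timer() / spin_lock_init() pair from above the CRIU block is only safe if nothing in that block touches new_timer; the visible lines show only the copy_from_user() of req_id there, but lines 485-489 between the two hunks are not shown, so please confirm no use of new_timer (or of new_timer->it_lock) sits in that gap.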
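Review bot: For the second hunk (@@ -490,6 +484,12 @@), the changelog names only the faulting user space access, yet the `return -EINVAL;` in this hunk's leading context (the rejection of an unusable req_id inside the CRIU block) lost new_timer in exactly the same way, so the changelog could say that both early returns are covered by moving the allocation; also, since the allocation now sits directly in front of "Add the timer to the hash table", it would be worth stating that the error paths after the hash insertion (not shown in the hunk) still free new_timer, as that is now the only place it can leak.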
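The pattern the changelog describes, allocating an object and then returning early on a fallible copy from user space, is easy to see in a small user-space model. The following is an added illustration, not part of this patch or of the kernel source: `struct k_itimer` is a stand-in with only two fields, `copy_from_user_sim()` is a simulated `copy_from_user()` with fault injection, and `req_id_valid()` is a hypothetical validity rule standing in for the real check that the hunk does not show. A live-allocation counter makes the leak on the error paths observable, and the two functions reproduce the before/after ordering of the patch.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the kernel's struct k_itimer (two fields only). */
struct k_itimer {
	int it_id;
	int it_lock;	/* stands in for the spinlock set up by spin_lock_init() */
};

/* Allocation accounting so a leak on an error path becomes observable. */
static int live_timers;

static struct k_itimer *alloc_posix_timer(void)
{
	struct k_itimer *t = calloc(1, sizeof(*t));

	if (t)
		live_timers++;
	return t;
}

void free_posix_timer(struct k_itimer *t)
{
	if (t) {
		free(t);
		live_timers--;
	}
}

int live_timer_count(void) { return live_timers; }
void reset_timer_accounting(void) { live_timers = 0; }

/*
 * Simulated copy_from_user(): 'fault' models an unmapped user pointer.
 * Like the kernel helper it returns the number of bytes NOT copied.
 */
static unsigned long copy_from_user_sim(void *dst, const void *src,
					size_t n, int fault)
{
	if (fault)
		return n;
	memcpy(dst, src, n);
	return 0;
}

/* Hypothetical validity rule for a restored ID (the real check is not in the hunk). */
static int req_id_valid(int req_id) { return req_id >= 0; }

/* Ordering before the fix: allocate first, then touch user memory. */
int timer_create_leaky(const int *user_id, int fault, struct k_itimer **out)
{
	struct k_itimer *new_timer = alloc_posix_timer();
	int req_id;

	if (!new_timer)
		return -EAGAIN;
	new_timer->it_lock = 0;

	if (copy_from_user_sim(&req_id, user_id, sizeof(req_id), fault))
		return -EFAULT;		/* new_timer is never freed */
	if (!req_id_valid(req_id))
		return -EINVAL;		/* same leak on the invalid-ID path */

	new_timer->it_id = req_id;
	*out = new_timer;
	return 0;
}

/* Ordering after the fix: reject bad user input before anything is allocated. */
int timer_create_fixed(const int *user_id, int fault, struct k_itimer **out)
{
	struct k_itimer *new_timer;
	int req_id;

	if (copy_from_user_sim(&req_id, user_id, sizeof(req_id), fault))
		return -EFAULT;		/* nothing allocated yet, nothing to leak */
	if (!req_id_valid(req_id))
		return -EINVAL;

	new_timer = alloc_posix_timer();
	if (!new_timer)
		return -EAGAIN;
	new_timer->it_lock = 0;
	new_timer->it_id = req_id;
	*out = new_timer;
	return 0;
}

int main(void)
{
	struct k_itimer *t = NULL;
	int id = 42;	/* constructed user-supplied timer ID */

	timer_create_leaky(&id, 1, &t);
	printf("leaky ordering, faulting copy: %d timer(s) still live\n", live_timer_count());
	reset_timer_accounting();	/* forget the leaked object for the next run */
	timer_create_fixed(&id, 1, &t);
	printf("fixed ordering, faulting copy: %d timer(s) still live\n", live_timer_count());
	if (timer_create_fixed(&id, 0, &t) == 0) {
		printf("fixed ordering, good copy: id %d, %d live\n", t->it_id, live_timer_count());
		free_posix_timer(t);
	}
	return 0;
}
```

The counter is the useful part: with the old ordering both the fault and the invalid-ID return leave one object live per failed call, which is what an unprivileged caller repeating the failing request could drive up; with the allocation moved after the user access, the only allocation happens once every input check has passed.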