Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge branch 'keys-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs

Pull watch_queue fixes from David Howells:
"Here are fixes for a couple more watch_queue bugs, both found by syzbot:

- Fix error cleanup in watch_queue_set_size() where it tries to clean
up all the pointers in the page list, even if they've not been
allocated yet[1]. Unfortunately, __free_page() doesn't treat a NULL
pointer as being "do nothing".

A second report[2] looks like it's probably the same bug, but on
arm64 rather than x86_64, but there's no reproducer.

- Fix a missing kfree in free_watch() to actually free the watch[3]"

Link: https://lore.kernel.org/r/000000000000b1807c05daad8f98@google.com/ [1]
Link: https://lore.kernel.org/r/000000000000035b9c05daae8a5e@google.com/ [2]
Link: https://lore.kernel.org/r/000000000000bc8eaf05dab91c63@google.com/ [3]

* 'keys-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
watch_queue: Actually free the watch
watch_queue: Fix NULL dereference in error cleanup

+2 -1
kernel/watch_queue.c
··· 271 271 return 0; 272 272 273 273 error_p: 274 - for (i = 0; i < nr_pages; i++) 274 + while (--i >= 0) 275 275 __free_page(pages[i]); 276 276 kfree(pages); 277 277 error: ··· 395 395 put_watch_queue(rcu_access_pointer(watch->queue)); 396 396 atomic_dec(&watch->cred->user->nr_watches); 397 397 put_cred(watch->cred); 398 + kfree(watch); 398 399 } 399 400 400 401 static void __put_watch(struct kref *kref)
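Review bot: In the error_p path of the first hunk, "while (--i >= 0)" is only correct if i is a signed type and still holds the index of the failed allocation when control reaches the label, and neither the declaration nor the goto sites are visible here. If i were unsigned, the condition would always be true and the loop would walk off the front of pages[]. Please confirm i is declared as int and that every "goto error_p" leaves i at the count of pages already allocated. A one-line comment at the label saying that only pages[0..i-1] are freed would keep a later edit from reintroducing the full-range loop.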
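Review bot: In the second hunk, the added "kfree(watch);" frees the object immediately, while the line above it reads watch->queue through rcu_access_pointer(), which suggests the watch is RCU-managed. The hunk does not show how this function is reached, so please confirm it only runs after a grace period (for example as an RCU callback) and that no reader can still hold the pointer; otherwise kfree_rcu() would be the safer call. The placement after put_cred(watch->cred) is right, since that is the last visible use of watch.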