[syzbot] [comedi?] memory leak in do_cmd_ioctl

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit: 8f0b4cce4481 Linux 6.19-rc1
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17df89b4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=d60836e327fd6756
dashboard link: https://syzkaller.appspot.com/bug?extid=f238baf6ded841b5a82e
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10bad11a580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17d0411a580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6b3f098aba85/disk-8f0b4cce.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e249c8a4ce76/vmlinux-8f0b4cce.xz
kernel image: https://storage.googleapis.com/syzbot-assets/851cb7eb2c27/bzImage-8f0b4cce.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f238ba...@syzkaller.appspotmail.com

BUG: memory leak
unreferenced object 0xffff88811193c4d8 (size 8):
comm "syz.0.17", pid 6094, jiffies 4294942826
hex dump (first 8 bytes):
04 00 00 00 00 00 00 00 ........
backtrace (crc 844a0efa):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
__do_kmalloc_node mm/slub.c:5656 [inline]
__kmalloc_node_track_caller_noprof+0x3af/0x670 mm/slub.c:5764
memdup_user+0x2a/0xe0 mm/util.c:221
memdup_array_user include/linux/string.h:39 [inline]
__comedi_get_user_chanlist drivers/comedi/comedi_fops.c:1815 [inline]
do_cmd_ioctl.part.0+0x112/0x350 drivers/comedi/comedi_fops.c:1890
do_cmd_ioctl drivers/comedi/comedi_fops.c:1858 [inline]
comedi_unlocked_ioctl+0xdea/0x1300 drivers/comedi/comedi_fops.c:2319
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff88811193c990 (size 8):
comm "syz.0.18", pid 6096, jiffies 4294942827
hex dump (first 8 bytes):
04 00 00 00 00 00 00 00 ........
backtrace (crc 844a0efa):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
__do_kmalloc_node mm/slub.c:5656 [inline]
__kmalloc_node_track_caller_noprof+0x3af/0x670 mm/slub.c:5764
memdup_user+0x2a/0xe0 mm/util.c:221
memdup_array_user include/linux/string.h:39 [inline]
__comedi_get_user_chanlist drivers/comedi/comedi_fops.c:1815 [inline]
do_cmd_ioctl.part.0+0x112/0x350 drivers/comedi/comedi_fops.c:1890
do_cmd_ioctl drivers/comedi/comedi_fops.c:1858 [inline]
comedi_unlocked_ioctl+0xdea/0x1300 drivers/comedi/comedi_fops.c:2319
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff88811193cea0 (size 8):
comm "syz.0.19", pid 6099, jiffies 4294942829
hex dump (first 8 bytes):
04 00 00 00 00 00 00 00 ........
backtrace (crc 844a0efa):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
__do_kmalloc_node mm/slub.c:5656 [inline]
__kmalloc_node_track_caller_noprof+0x3af/0x670 mm/slub.c:5764
memdup_user+0x2a/0xe0 mm/util.c:221
memdup_array_user include/linux/string.h:39 [inline]
__comedi_get_user_chanlist drivers/comedi/comedi_fops.c:1815 [inline]
do_cmd_ioctl.part.0+0x112/0x350 drivers/comedi/comedi_fops.c:1890
do_cmd_ioctl drivers/comedi/comedi_fops.c:1858 [inline]
comedi_unlocked_ioctl+0xdea/0x1300 drivers/comedi/comedi_fops.c:2319
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff888144d28bf8 (size 8):
comm "syz.0.20", pid 6124, jiffies 4294943361
hex dump (first 8 bytes):
04 00 00 00 00 00 00 00 ........
backtrace (crc 844a0efa):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4958 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
__do_kmalloc_node mm/slub.c:5656 [inline]
__kmalloc_node_track_caller_noprof+0x3af/0x670 mm/slub.c:5764
memdup_user+0x2a/0xe0 mm/util.c:221
memdup_array_user include/linux/string.h:39 [inline]
__comedi_get_user_chanlist drivers/comedi/comedi_fops.c:1815 [inline]
do_cmd_ioctl.part.0+0x112/0x350 drivers/comedi/comedi_fops.c:1890
do_cmd_ioctl drivers/comedi/comedi_fops.c:1858 [inline]
comedi_unlocked_ioctl+0xdea/0x1300 drivers/comedi/comedi_fops.c:2319
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

[syzbot]

For archival purposes, forwarding an incoming command email to
syzkall...@googlegroups.com.

***

Subject: [PATCH] comedi: test memleak
Author: xiaop...@foxmail.com

From: Pei Xiao <xiao...@kylinos.cn>

#syz test
---
drivers/comedi/comedi_fops.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/drivers/comedi/comedi_fops.c b/drivers/comedi/comedi_fops.c
index 657c98cd723e..60fb3b0656c1 100644
--- a/drivers/comedi/comedi_fops.c
+++ b/drivers/comedi/comedi_fops.c
@@ -1893,6 +1893,8 @@ static int do_cmd_ioctl(struct comedi_device *dev,

ret = s->do_cmdtest(dev, s, &async->cmd);

+ kfree(cmd->chanlist); /* free kernel copy of user chanlist */
+
if (async->cmd.flags & CMDF_BOGUS || ret) {
dev_dbg(dev->class_dev, "test returned %d\n", ret);
*cmd = async->cmd;
--
2.25.1

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel paging request in do_cmd_ioctl

BUG: unable to handle page fault for address: ffffec5e00000008
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP PTI
CPU: 1 UID: 0 PID: 6735 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:page_slab mm/slab.h:142 [inline]
RIP: 0010:kfree+0x6c/0x3d0 mm/slub.c:6869
Code: 80 48 01 df 0f 82 6a 03 00 00 48 c7 c0 00 00 00 80 48 2b 05 66 9b 14 05 48 01 c7 48 c1 ef 0c 48 c1 e7 06 48 03 3d 44 9b 14 05 <48> 8b 47 08 a8 01 4c 8d 60 ff 4c 0f 44 e7 41 80 7c 24 33 f5 0f 85
RSP: 0018:ffffc9000217fd50 EFLAGS: 00010286
RAX: 0000777f80000000 RBX: 00002000000000c0 RCX: ffffffff844b815c
RDX: ffff8881244d9180 RSI: ffffffff844ab69a RDI: ffffec5e00000000
RBP: ffffc9000217fda0 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000010 R11: ffffffff81000130 R12: ffff8881136bc198
R13: ffff8881458db700 R14: ffff8881458db500 R15: ffffc9000217fe28
FS: 00007feb67bfe6c0(0000) GS:ffff8881b266b000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffec5e00000008 CR3: 000000010a316000 CR4: 00000000003526f0
Call Trace:
<TASK>
do_cmd_ioctl.part.0+0x18a/0x360 drivers/comedi/comedi_fops.c:1896
do_cmd_ioctl drivers/comedi/comedi_fops.c:1858 [inline]
comedi_unlocked_ioctl+0xdea/0x1300 drivers/comedi/comedi_fops.c:2321

vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7feb6858f749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007feb67bfe038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007feb687e5fa0 RCX: 00007feb6858f749
RDX: 0000200000000180 RSI: 0000000080506409 RDI: 0000000000000003
RBP: 00007feb68613f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007feb687e6038 R14: 00007feb687e5fa0 R15: 00007fff6cee0be8
</TASK>
Modules linked in:
CR2: ffffec5e00000008
---[ end trace 0000000000000000 ]---
RIP: 0010:page_slab mm/slab.h:142 [inline]
RIP: 0010:kfree+0x6c/0x3d0 mm/slub.c:6869
Code: 80 48 01 df 0f 82 6a 03 00 00 48 c7 c0 00 00 00 80 48 2b 05 66 9b 14 05 48 01 c7 48 c1 ef 0c 48 c1 e7 06 48 03 3d 44 9b 14 05 <48> 8b 47 08 a8 01 4c 8d 60 ff 4c 0f 44 e7 41 80 7c 24 33 f5 0f 85
RSP: 0018:ffffc9000217fd50 EFLAGS: 00010286
RAX: 0000777f80000000 RBX: 00002000000000c0 RCX: ffffffff844b815c
RDX: ffff8881244d9180 RSI: ffffffff844ab69a RDI: ffffec5e00000000
RBP: ffffc9000217fda0 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000010 R11: ffffffff81000130 R12: ffff8881136bc198
R13: ffff8881458db700 R14: ffff8881458db500 R15: ffffc9000217fe28
FS: 00007feb67bfe6c0(0000) GS:ffff8881b266b000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffec5e00000008 CR3: 000000010a316000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
0: 80 48 01 df orb $0xdf,0x1(%rax)
4: 0f 82 6a 03 00 00 jb 0x374
a: 48 c7 c0 00 00 00 80 mov $0xffffffff80000000,%rax
11: 48 2b 05 66 9b 14 05 sub 0x5149b66(%rip),%rax # 0x5149b7e
18: 48 01 c7 add %rax,%rdi
1b: 48 c1 ef 0c shr $0xc,%rdi
1f: 48 c1 e7 06 shl $0x6,%rdi
23: 48 03 3d 44 9b 14 05 add 0x5149b44(%rip),%rdi # 0x5149b6e
* 2a: 48 8b 47 08 mov 0x8(%rdi),%rax <-- trapping instruction
2e: a8 01 test $0x1,%al
30: 4c 8d 60 ff lea -0x1(%rax),%r12
34: 4c 0f 44 e7 cmove %rdi,%r12
38: 41 80 7c 24 33 f5 cmpb $0xf5,0x33(%r12)
3e: 0f .byte 0xf
3f: 85 .byte 0x85


Tested on:

commit: 8f0b4cce Linux 6.19-rc1
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16bd411a580000

kernel config: https://syzkaller.appspot.com/x/.config?x=d60836e327fd6756
dashboard link: https://syzkaller.appspot.com/bug?extid=f238baf6ded841b5a82e
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

patch: https://syzkaller.appspot.com/x/patch.diff?x=166d411a580000

[syzbot]

For archival purposes, forwarding an incoming command email to
syzkall...@googlegroups.com.

***

Subject: [PATCH] comedi: test kmemleak

Author: xiaop...@foxmail.com

From: Pei Xiao <xiao...@kylinos.cn>

#syz test
---

drivers/comedi/comedi_fops.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/drivers/comedi/comedi_fops.c b/drivers/comedi/comedi_fops.c
index 657c98cd723e..283a64613208 100644
--- a/drivers/comedi/comedi_fops.c
+++ b/drivers/comedi/comedi_fops.c
@@ -1935,6 +1935,11 @@ static int do_cmd_ioctl(struct comedi_device *dev,
return 0;

cleanup:
+
+ if (async && async->cmd.chanlist) {
+ kfree(async->cmd.chanlist);
+ async->cmd.chanlist = NULL;
+ }
do_become_nonbusy(dev, s);

return ret;
--
2.25.1

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+f238ba...@syzkaller.appspotmail.com
Tested-by: syzbot+f238ba...@syzkaller.appspotmail.com

Tested on:

commit: 8f0b4cce Linux 6.19-rc1
git tree: upstream

console output: https://syzkaller.appspot.com/x/log.txt?x=106c311a580000

kernel config: https://syzkaller.appspot.com/x/.config?x=d60836e327fd6756
dashboard link: https://syzkaller.appspot.com/bug?extid=f238baf6ded841b5a82e
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

patch: https://syzkaller.appspot.com/x/patch.diff?x=1744cd92580000

Note: testing is done by a robot and is best-effort only.

[Edward Adam Davis]

syzbot reported a memory leak [1], because patch 4e1da516debb did
not consider the exceptional exit case in do_cmd_ioctl() where runflags
is not set.
This caused chanlist not to be properly freed by do_become_nonbusy(),
as it only frees chanlist when runflags is correctly set.

Added a check in do_become_nonbusy() for the case where runflags is not
set, to properly free the chanlist memory.

[1]
BUG: memory leak
backtrace (crc 844a0efa):

__comedi_get_user_chanlist drivers/comedi/comedi_fops.c:1815 [inline]
do_cmd_ioctl.part.0+0x112/0x350 drivers/comedi/comedi_fops.c:1890
do_cmd_ioctl drivers/comedi/comedi_fops.c:1858 [inline]

Fixes: 4e1da516debb ("comedi: Add reference counting for Comedi command handling")
Reported-by: syzbot+f238ba...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=f238baf6ded841b5a82e
Signed-off-by: Edward Adam Davis <ead...@qq.com>
---
drivers/comedi/comedi_fops.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/comedi/comedi_fops.c b/drivers/comedi/comedi_fops.c
index 657c98cd723e..003586a381ad 100644
--- a/drivers/comedi/comedi_fops.c
+++ b/drivers/comedi/comedi_fops.c
@@ -793,13 +793,15 @@ static void do_become_nonbusy(struct comedi_device *dev,
__comedi_clear_subdevice_runflags(s, COMEDI_SRF_RUNNING |
COMEDI_SRF_BUSY);
spin_unlock_irqrestore(&s->spin_lock, flags);
- if (comedi_is_runflags_busy(runflags)) {
+ if (async) {
/*
* "Run active" counter was set to 1 when setting up the
* command. Decrement it and wait for it to become 0.
*/
- comedi_put_is_subdevice_running(s);
- wait_for_completion(&async->run_complete);
+ if (comedi_is_runflags_busy(runflags)) {
+ comedi_put_is_subdevice_running(s);
+ wait_for_completion(&async->run_complete);
+ }
comedi_buf_reset(s);
async->inttrig = NULL;
kfree(async->cmd.chanlist);
--
2.43.0

[Ian Abbott]

The `if (async)` test is actually redundant (the code should not be
reachable if `async` is null), but harmless, and the pre-4e1da516debb
code tested it as a precaution, so no problem.

> /*
> * "Run active" counter was set to 1 when setting up the
> * command. Decrement it and wait for it to become 0.
> */
> - comedi_put_is_subdevice_running(s);
> - wait_for_completion(&async->run_complete);
> + if (comedi_is_runflags_busy(runflags)) {
> + comedi_put_is_subdevice_running(s);
> + wait_for_completion(&async->run_complete);
> + }
> comedi_buf_reset(s);
> async->inttrig = NULL;
> kfree(async->cmd.chanlist);

Thanks for the fix. Looks good!

Reviewed-by: Ian Abbott <abb...@mev.co.uk>

--
-=( Ian Abbott <abb...@mev.co.uk> || MEV Ltd. is a company )=-
-=( registered in England & Wales. Regd. number: 02862268. )=-
-=( Regd. addr.: S11 & 12 Building 67, Europa Business Park, )=-
-=( Bird Hall Lane, STOCKPORT, SK3 0XA, UK. || www.mev.co.uk )=-