Re: [PATCH] posix-timers: Fix potential memory leak in do_timer_create()

[Cyrill Gorcunov]

On Fri, Nov 14, 2025 at 07:06:21AM +0200, Eslam Khafagy wrote:
> potential memory leak may happen if user space pointer created_timer_id
> is invallid. or the value it points to is invalid. the call will
> prematurely return.
>
> However it doesn't free the memory it allocates with
> alloc_posix_timer(). This patch attemps to fix that.
>
> Reported-and-tested-by: syzbot+9c47ad...@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/69155df4.a70a022...@google.com/T/
> Fixes: ec2d0c04624b3c8a7eb1682e006717fa20cfbe24 ("posix-timers: Provide a mechanism to allocate a given timer ID")
> Signed-off-by: Eslam Khafagy <eslam.me...@gmail.com>

Simply move parameters check _before_ new timer allocation please, this way you won't
need new code at all :)

[Eslam Khafagy]

potential memory leak may happen if user space pointer created_timer_id
is invallid. or the value it points to is invalid. the call will
prematurely return.

However it doesn't free the memory it allocates with
alloc_posix_timer(). This patch attemps to fix that.

Reported-and-tested-by: syzbot+9c47ad...@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/69155df4.a70a022...@google.com/T/
Fixes: ec2d0c04624b3c8a7eb1682e006717fa20cfbe24 ("posix-timers: Provide a mechanism to allocate a given timer ID")
Signed-off-by: Eslam Khafagy <eslam.me...@gmail.com>

---
kernel/time/posix-timers.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c
index aa3120104a51..46ee10551c63 100644
--- a/kernel/time/posix-timers.c
+++ b/kernel/time/posix-timers.c
@@ -483,11 +483,15 @@ static int do_timer_create(clockid_t which_clock, struct sigevent *event,

/* Special case for CRIU to restore timers with a given timer ID. */
if (unlikely(current->signal->timer_create_restore_ids)) {
- if (copy_from_user(&req_id, created_timer_id, sizeof(req_id)))
+ if (copy_from_user(&req_id, created_timer_id, sizeof(req_id))) {
+ posixtimer_free_timer(new_timer);
return -EFAULT;
+ }
/* Valid IDs are 0..INT_MAX */
- if ((unsigned int)req_id > INT_MAX)
+ if ((unsigned int)req_id > INT_MAX) {
+ posixtimer_free_timer(new_timer);
return -EINVAL;
+ }
}

/*
--
2.43.0

[Eslam Khafagy]

:)
v2 coming right up.

[Eslam Khafagy]

On 11/14/25 11:29, Cyrill Gorcunov wrote:

[Eslam Khafagy]

potential memory leak may happen if user space pointer created_timer_id
is invallid. or the value it points to is invalid. the call will
prematurely return.
However it doesn't free the memory it allocates with

alloc_posix_timer(). This patch attempts to fix that by moving parameter
check before alloc_posix_timer().

Reported-by: syzbot+9c47ad...@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/69155df4.a70a022...@google.com/T/
Fixes: ec2d0c04624b3 ("posix-timers: Provide a mechanism to allocate a given timer ID")
Suggested-by: Cyrill Gorcunov <gorc...@gmail.com>

Signed-off-by: Eslam Khafagy <eslam.me...@gmail.com>
---

v2:
* Move parameters check before new timer allocation, no need for new
code.
v1: https://lore.kernel.org/all/20251114050621.87513...@gmail.com/T/
---
kernel/time/posix-timers.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c
index aa3120104a51..56e17b625c72 100644
--- a/kernel/time/posix-timers.c
+++ b/kernel/time/posix-timers.c
@@ -475,12 +475,6 @@ static int do_timer_create(clockid_t which_clock, struct sigevent *event,
if (!kc->timer_create)
return -EOPNOTSUPP;

- new_timer = alloc_posix_timer();
- if (unlikely(!new_timer))
- return -EAGAIN;
-
- spin_lock_init(&new_timer->it_lock);
-

/* Special case for CRIU to restore timers with a given timer ID. */
if (unlikely(current->signal->timer_create_restore_ids)) {

if (copy_from_user(&req_id, created_timer_id, sizeof(req_id)))
@@ -490,6 +484,12 @@ static int do_timer_create(clockid_t which_clock, struct sigevent *event,
return -EINVAL;
}

+ new_timer = alloc_posix_timer();
+ if (unlikely(!new_timer))
+ return -EAGAIN;
+
+ spin_lock_init(&new_timer->it_lock);
+
/*
* Add the timer to the hash table. The timer is not yet valid
* after insertion, but has a unique ID allocated.
--
2.43.0

[Frederic Weisbecker]

Le Fri, Nov 14, 2025 at 02:27:39PM +0200, Eslam Khafagy a écrit :
> potential memory leak may happen if user space pointer created_timer_id
> is invallid. or the value it points to is invalid. the call will
> prematurely return.
> However it doesn't free the memory it allocates with
> alloc_posix_timer(). This patch attempts to fix that by moving parameter
> check before alloc_posix_timer().
>
> Reported-by: syzbot+9c47ad...@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/69155df4.a70a022...@google.com/T/
> Fixes: ec2d0c04624b3 ("posix-timers: Provide a mechanism to allocate a given timer ID")
> Suggested-by: Cyrill Gorcunov <gorc...@gmail.com>
> Signed-off-by: Eslam Khafagy <eslam.me...@gmail.com>

Reviewed-by: Frederic Weisbecker <fred...@kernel.org>

--
Frederic Weisbecker
SUSE Labs