[Linux Kernel Bug] memory leak in dvb_dvr_do_ioctl

Dear Linux Developers for DVB,

We encountered "memory leak in dvb_dvr_do_ioctl" when testing the
DVB driver with Syzkaller and our generated specifications.

The C reproducer and the config for the kernel are attached.

```
BUG: memory leak
unreferenced object 0xffffc9000ae81000 (size 4096):
  comm "syz-executor.0", pid 23888, jiffies 4295016268 (age 8.980s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff8541ee5e>] create_object mm/kmemleak.c:761 [inline]
    [<ffffffff8541ee5e>] kmemleak_vmalloc+0x2e/0x90 mm/kmemleak.c:1082
    [<ffffffff816382f6>] __vmalloc_node_range+0xc76/0xdb0 mm/vmalloc.c:3348
    [<ffffffff816386c2>] __vmalloc_node mm/vmalloc.c:3385 [inline]
    [<ffffffff816386c2>] vmalloc+0x52/0x60 mm/vmalloc.c:3418
    [<ffffffff83db1c8c>] dvb_dvr_set_buffer_size drivers/media/dvb-core/dmxdev.c:293 [inline]
    [<ffffffff83db1c8c>] dvb_dvr_do_ioctl+0x12c/0x2a0 drivers/media/dvb-core/dmxdev.c:1296
    [<ffffffff83db1252>] dvb_usercopy+0x82/0x220 drivers/media/dvb-core/dvbdev.c:986
    [<ffffffff83db1b11>] dvb_dvr_ioctl+0x31/0x40 drivers/media/dvb-core/dmxdev.c:1333
    [<ffffffff8171ca88>] vfs_ioctl fs/ioctl.c:51 [inline]
    [<ffffffff8171ca88>] __do_sys_ioctl fs/ioctl.c:871 [inline]
    [<ffffffff8171ca88>] __se_sys_ioctl fs/ioctl.c:857 [inline]
    [<ffffffff8171ca88>] __x64_sys_ioctl+0x108/0x150 fs/ioctl.c:857
    [<ffffffff8540b150>] do_syscall_x64 arch/x86/entry/common.c:51 [inline]
    [<ffffffff8540b150>] do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
    [<ffffffff8560008b>] entry_SYSCALL_64_after_hwframe+0x63/0x6b
```

The memory leak originates from the allocated memory `newmem = vmalloc(size);`,
as referenced in the code at
[https://elixir.bootlin.com/linux/latest/source/drivers/media/dvb-core/dmxdev.c#L293].
Besides, this memory leak is triggered when enabling
`CONFIG_DVB_MMAP=y`, which will be used when freeing the memory in
`dvb_dvr_release`
(https://elixir.bootlin.com/linux/latest/source/drivers/media/dvb-core/dmxdev.c#L214).

If you have any questions or require more information, please feel
free to contact us.

Reported-by: Chenyuan Yang <chenyuan0y@xxxxxxxxx>

Best,
Chenyuan

Attachment: config
Description: Binary data

Attachment: dvb_ioctl_memleak.c
Description: Binary data
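
A triage helper for kmemleak reports in this format, added here as an illustration; it is not part of the original mail or of the kernel tree. It rejoins backtrace frames that mail wrapping split across two lines and takes the first frame outside `mm/` as the allocation site. The function names and the `mm/` heuristic are assumptions of this example.

```python
import re

# Excerpt of the report in this mail, frames wrapped the way mail clients wrap them.
REPORT = """\
BUG: memory leak
unreferenced object 0xffffc9000ae81000 (size 4096):
  comm "syz-executor.0", pid 23888, jiffies 4295016268 (age 8.980s)
  backtrace:
    [<ffffffff8541ee5e>] kmemleak_vmalloc+0x2e/0x90 mm/kmemleak.c:1082
    [<ffffffff816386c2>] vmalloc+0x52/0x60 mm/vmalloc.c:3418
    [<ffffffff83db1c8c>] dvb_dvr_set_buffer_size
drivers/media/dvb-core/dmxdev.c:293 [inline]
    [<ffffffff83db1c8c>] dvb_dvr_do_ioctl+0x12c/0x2a0
drivers/media/dvb-core/dmxdev.c:1296
    [<ffffffff8171ca88>] __x64_sys_ioctl+0x108/0x150 fs/ioctl.c:857
"""

HEADER = re.compile(r"unreferenced object (0x[0-9a-f]+) \(size (\d+)\):")
TASK = re.compile(r'comm "([^"]*)", pid (\d+)')
FRAME = re.compile(r"\[<(?P<addr>[0-9a-f]+)>\] (?P<func>[^\s+]+)(?:\+\S+)? "
                   r"(?P<file>\S+):(?P<line>\d+)(?P<inline> \[inline\])?$")

def parse_reports(text):
    """Parse kmemleak reports; frames lacking a file:line location are dropped."""
    reports, cur, in_bt = [], None, False
    for s in map(str.strip, text.splitlines()):
        if (m := HEADER.match(s)):
            cur = {"object": m[1], "size": int(m[2]), "frames": []}
            reports.append(cur)
            in_bt = False
        elif cur is None or not s or s.startswith("BUG:"):
            continue
        elif (t := TASK.match(s)):
            cur["comm"], cur["pid"] = t[1], int(t[2])
        elif s == "backtrace:":
            in_bt = True
        elif in_bt and s.startswith("[<"):
            cur["frames"].append(s)
        elif in_bt and cur["frames"]:
            cur["frames"][-1] += " " + s  # continuation of a wrapped frame
    for r in reports:
        r["frames"] = [m.groupdict() for m in map(FRAME.match, r["frames"]) if m]
    return reports

def allocation_site(report):
    """First frame outside mm/: the caller that owns the leaked buffer."""
    return next((f for f in report["frames"] if not f["file"].startswith("mm/")), None)
```
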

