Patch "block: fix memleak when __blk_rq_map_user_iov() is failed" has been added to the 4.9-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Thu, 09 Jan 2020 15:43:08 -0500

This is a note to let you know that I've just added the patch titled

    block: fix memleak when __blk_rq_map_user_iov() is failed

to the 4.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     block-fix-memleak-when-__blk_rq_map_user_iov-is-fail.patch
and it can be found in the queue-4.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit df2e7e028666afd77a336d5227031dac54aac950
Author: Yang Yingliang <yangyingliang@xxxxxxxxxx>
Date:   Wed Dec 18 16:44:04 2019 +0800

    block: fix memleak when __blk_rq_map_user_iov() is failed
    
    [ Upstream commit 3b7995a98ad76da5597b488fa84aa5a56d43b608 ]
    
    When I doing fuzzy test, get the memleak report:
    
    BUG: memory leak
    unreferenced object 0xffff88837af80000 (size 4096):
      comm "memleak", pid 3557, jiffies 4294817681 (age 112.499s)
      hex dump (first 32 bytes):
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        20 00 00 00 10 01 00 00 00 00 00 00 01 00 00 00   ...............
      backtrace:
        [<000000001c894df8>] bio_alloc_bioset+0x393/0x590
        [<000000008b139a3c>] bio_copy_user_iov+0x300/0xcd0
        [<00000000a998bd8c>] blk_rq_map_user_iov+0x2f1/0x5f0
        [<000000005ceb7f05>] blk_rq_map_user+0xf2/0x160
        [<000000006454da92>] sg_common_write.isra.21+0x1094/0x1870
        [<00000000064bb208>] sg_write.part.25+0x5d9/0x950
        [<000000004fc670f6>] sg_write+0x5f/0x8c
        [<00000000b0d05c7b>] __vfs_write+0x7c/0x100
        [<000000008e177714>] vfs_write+0x1c3/0x500
        [<0000000087d23f34>] ksys_write+0xf9/0x200
        [<000000002c8dbc9d>] do_syscall_64+0x9f/0x4f0
        [<00000000678d8e9a>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
    
    If __blk_rq_map_user_iov() is failed in blk_rq_map_user_iov(),
    the bio(s) which is allocated before this failing will leak. The
    refcount of the bio(s) is init to 1 and increased to 2 by calling
    bio_get(), but __blk_rq_unmap_user() only decrease it to 1, so
    the bio cannot be freed. Fix it by calling blk_rq_unmap_user().
    
    Reviewed-by: Bob Liu <bob.liu@xxxxxxxxxx>
    Reported-by: Hulk Robot <hulkci@xxxxxxxxxx>
    Signed-off-by: Yang Yingliang <yangyingliang@xxxxxxxxxx>
    Signed-off-by: Jens Axboe <axboe@xxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/block/blk-map.c b/block/blk-map.c
index a8b4f526d8bb..52edbe6b9380 100644
--- a/block/blk-map.c
+++ b/block/blk-map.c
@@ -142,7 +142,7 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
 	return 0;
 
 unmap_rq:
-	__blk_rq_unmap_user(bio);
+	blk_rq_unmap_user(bio);
 fail:
 	rq->bio = NULL;
 	return ret;






