Message ID | 20240321161700.2926-1-hannes@cmpxchg.org (mailing list archive) |
---|---|
State | New, archived |
Series | ALSA: control: fix memory leak in snd_ctl_elem_read_user() |
On Thu, Mar 21, 2024 at 12:17:00PM -0400, Johannes Weiner wrote:
> With 6.9, I noticed kmalloc-2k blowing up to tens of gigabytes over
> several days. Kmemleak shows a long string of these:
>
> unreferenced object 0xffff8f1bddbce800 (size 2048):
>   comm "wireplumber", pid 1058, jiffies 4294690193
>   hex dump (first 32 bytes):
>     14 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00  ................
>     4d 61 73 74 65 72 20 50 6c 61 79 62 61 63 6b 20  Master Playback
>   backtrace (crc bd965d91):
>     [<ffffffff85ac328b>] __kmalloc_node_track_caller+0x25b/0x370
>     [<ffffffff85a79375>] memdup_user+0x25/0x80
>     [<ffffffff85fa5d63>] snd_ctl_ioctl+0x753/0x880
>     [<ffffffff85b18119>] __x64_sys_ioctl+0x89/0xb0
>     [<ffffffff861ee190>] do_syscall_64+0x80/0x170
>     [<ffffffff862000ab>] entry_SYSCALL_64_after_hwframe+0x46/0x4e
>
> When 1052d9882269 ("ALSA: control: Use automatic cleanup of kfree()")
> converted a few sites to automatic freeing, it removed the kfree from
> snd_ctl_elem_read_user() but forgot to add the __free hook.
>
> Fixes: 1052d9882269 ("ALSA: control: Use automatic cleanup of kfree()")
> Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>

Oh, I just noticed there is a pending fix at

https://lore.kernel.org/linux-sound/20240320062722.31325-1-tiwai@suse.de/

Sorry about the noise!
diff --git a/sound/core/control.c b/sound/core/control.c index 8367fd485371..7da0d6afb766 100644 --- a/sound/core/control.c +++ b/sound/core/control.c @@ -1275,7 +1275,7 @@ static int snd_ctl_elem_read(struct snd_card *card, static int snd_ctl_elem_read_user(struct snd_card *card, struct snd_ctl_elem_value __user *_control) { - struct snd_ctl_elem_value *control; + struct snd_ctl_elem_value *control __free(kfree) = NULL; int result; control = memdup_user(_control, sizeof(*control));
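Review bot: In snd_ctl_elem_read_user(), `control` is declared with `__free(kfree) = NULL` and only assigned from memdup_user() on a later line, and memdup_user() returns an ERR_PTR on failure rather than NULL. If the code after this hunk returns on IS_ERR(control), as is usual after memdup_user(), the scope-exit cleanup runs with an error pointer in `control`; please confirm that the kfree cleanup helper in the target tree skips error pointers, or reset `control` before that return. Assigning at the declaration, `struct snd_ctl_elem_value *control __free(kfree) = memdup_user(_control, sizeof(*control));`, would also avoid the window in which the variable holds a placeholder NULL and keep the allocation and its cleanup in one statement.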
With 6.9, I noticed kmalloc-2k blowing up to tens of gigabytes over
several days. Kmemleak shows a long string of these:

    unreferenced object 0xffff8f1bddbce800 (size 2048):
      comm "wireplumber", pid 1058, jiffies 4294690193
      hex dump (first 32 bytes):
        14 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00  ................
        4d 61 73 74 65 72 20 50 6c 61 79 62 61 63 6b 20  Master Playback
      backtrace (crc bd965d91):
        [<ffffffff85ac328b>] __kmalloc_node_track_caller+0x25b/0x370
        [<ffffffff85a79375>] memdup_user+0x25/0x80
        [<ffffffff85fa5d63>] snd_ctl_ioctl+0x753/0x880
        [<ffffffff85b18119>] __x64_sys_ioctl+0x89/0xb0
        [<ffffffff861ee190>] do_syscall_64+0x80/0x170
        [<ffffffff862000ab>] entry_SYSCALL_64_after_hwframe+0x46/0x4e

When 1052d9882269 ("ALSA: control: Use automatic cleanup of kfree()")
converted a few sites to automatic freeing, it removed the kfree from
snd_ctl_elem_read_user() but forgot to add the __free hook.

Fixes: 1052d9882269 ("ALSA: control: Use automatic cleanup of kfree()")
Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>

---
 sound/core/control.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)