futex: Fix futex_waitv() hrtimer debug object leak on kcalloc error
authorMathieu Desnoyers <mathieu.desnoyers@efficios.com>
Wed, 14 Dec 2022 22:20:08 +0000 (17:20 -0500)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 4 Jan 2023 10:28:58 +0000 (11:28 +0100)
commit 94cd8fa09f5f1ebdd4e90964b08b7f2cc4b36c43 upstream.

In a scenario where kcalloc() fails to allocate memory, the futex_waitv
system call immediately returns -ENOMEM without invoking
destroy_hrtimer_on_stack(). When CONFIG_DEBUG_OBJECTS_TIMERS=y, this
results in leaking a timer debug object.

Fixes: bf69bad38cf6 ("futex: Implement sys_futex_waitv()")
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Davidlohr Bueso <dave@stgolabs.net>
Cc: stable@vger.kernel.org
Cc: stable@vger.kernel.org # v5.16+
Link: https://lore.kernel.org/r/20221214222008.200393-1-mathieu.desnoyers@efficios.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
kernel/futex/syscalls.c

index 086a22d..a807407 100644 (file)
@@ -286,19 +286,22 @@ SYSCALL_DEFINE5(futex_waitv, struct futex_waitv __user *, waiters,
        }
 
        futexv = kcalloc(nr_futexes, sizeof(*futexv), GFP_KERNEL);
-       if (!futexv)
-               return -ENOMEM;
+       if (!futexv) {
+               ret = -ENOMEM;
+               goto destroy_timer;
+       }
 
        ret = futex_parse_waitv(futexv, waiters, nr_futexes);
        if (!ret)
                ret = futex_wait_multiple(futexv, nr_futexes, timeout ? &to : NULL);
 
+       kfree(futexv);
+
+destroy_timer:
        if (timeout) {
                hrtimer_cancel(&to.timer);
                destroy_hrtimer_on_stack(&to.timer);
        }
-
-       kfree(futexv);
        return ret;
 }
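Review bot: The `destroy_timer` label now serves two callers with different timer states: the normal path, where `futex_wait_multiple()` has run, and the kcalloc-failure path, where `to` has only been set up and nothing has armed it. `hrtimer_cancel()` on an initialised-but-never-started hrtimer should be a harmless no-op, so the fix looks correct, but the next reader has to re-derive that; a comment at the label would settle it: `/* Also reached from the kcalloc() failure path, before the timer is started; hrtimer_cancel() is a no-op on an unstarted timer. */`. The head of `futex_waitv`, where `to` is initialised when `timeout` is set, lies above the hunk.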