Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A memory leak vulnerability has been identified in the Linux kernel's block I/O latency management. This issue arises when a generic disk (gendisk) is initialized successfully, but the subsequent 'add_disk()' call fails—such as when a loop device is assigned an invalid number of minor device numbers. In these cases, the 'blkcg_init_disk()' function is executed during the initialization phase, but the corresponding 'blkcg_exit_disk()' function is not called during error handling. This oversight occurs because, under normal circumstances, the cleanup process is managed by 'del_gendisk()', which invokes 'rq_qos_exit()' to deactivate request queue quality of service (rq_qos) policies. The current implementation assumes that these policies can only be activated once the disk is fully registered and visible. While this assumption holds true for other rq_qos policies, it fails for iolatency, which is initialized before the disk is officially added. As a result, when an error occurs, the iolatency initialization is not properly reversed, leading to a memory leak. The vulnerability affects several versions of the Linux kernel.
The vulnerability causes a memory leak, which can lead to increased memory usage and potential exhaustion of system resources over time.
To reproduce this vulnerability, initialize a generic disk and then induce a failure in the 'add_disk()' process by assigning an invalid number of minor device numbers. This will trigger the 'blkcg_exit_disk()' function without properly cleaning up the 'blk-iolatency' initialization, causing a memory leak.
The vulnerability has been addressed in the Linux kernel by adding an extra call to 'rq_qos_exit()' in the 'blkcg_exit_disk()' function. Users should upgrade to the latest version of the Linux kernel where this fix has been applied.
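The init/exit asymmetry and the fix can be modelled in user space, following the call sequence given in the reproduction and fix paragraphs above. This C program is an added example, not kernel code or the upstream patch: the structs, the `fixed` flag, the allocation counter and the minor-number check are assumptions, and only the function names come from the text.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* User-space model: simplified stand-ins, not the kernel's definitions. */
struct rq_qos { int id; };
struct disk { struct rq_qos *iolat; bool added; };
static int live_allocs; /* outstanding policy allocations */

/* Frees the attached policy; a second call is a no-op. */
static void rq_qos_exit(struct disk *d) {
    if (d->iolat) { free(d->iolat); d->iolat = NULL; live_allocs--; }
}

/* iolatency state is allocated here, before the disk is added. */
static int blkcg_init_disk(struct disk *d) {
    d->iolat = malloc(sizeof(*d->iolat));
    if (!d->iolat) return -1;
    live_allocs++;
    return 0;
}

static int add_disk(struct disk *d, int minors) {
    if (minors <= 0 || minors > 256) return -1; /* constructed rule, not the kernel's check */
    d->added = true;
    return 0;
}

/* Normal teardown: policies are exited when a registered disk is deleted. */
static void del_gendisk(struct disk *d) { rq_qos_exit(d); d->added = false; }

static void blkcg_exit_disk(struct disk *d, bool fixed) {
    if (fixed) rq_qos_exit(d); /* the extra call the fix adds */
}

/* Runs one disk lifecycle; returns how many allocations were left behind. */
int disk_lifecycle_leaks(int minors, bool fixed) {
    struct disk d = {0};
    live_allocs = 0;
    if (blkcg_init_disk(&d)) return -1;
    if (add_disk(&d, minors) == 0) del_gendisk(&d);
    blkcg_exit_disk(&d, fixed); /* also runs on the add_disk() error path */
    int leaked = live_allocs;
    free(d.iolat); /* keep the demo itself clean */
    return leaked;
}
int main(void) {
    printf("unfixed, invalid minors: %d leaked\n", disk_lifecycle_leaks(-1, false));
    printf("fixed, invalid minors: %d leaked\n", disk_lifecycle_leaks(-1, true));
    return 0;
}
```

Because `rq_qos_exit()` in the model tolerates a second call, the extra call on the error path does not disturb the normal path, where `del_gendisk()` has already released the policy.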