* memory leak in new_inode_pseudo
@ 2019-05-23 1:28 syzbot
2019-06-12 21:58 ` [PATCH] io_uring: fix memory leak of UNIX domain socket inode Eric Biggers
0 siblings, 1 reply; 3+ messages in thread
From: syzbot @ 2019-05-23 1:28 UTC (permalink / raw)
To: davem, linux-kernel, netdev, syzkaller-bugs
Hello,
syzbot found the following crash on:
HEAD commit: f49aa1de Merge tag 'for-5.2-rc1-tag' of git://git.kernel.o..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12dccd9ca00000
kernel config: https://syzkaller.appspot.com/x/.config?x=61dd9e15a761691d
dashboard link: https://syzkaller.appspot.com/bug?extid=111cb28d9f583693aefa
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1587839ca00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16fdb38ca00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+111cb28d9f583693aefa@syzkaller.appspotmail.com
e list of known hosts.
executing program
BUG: memory leak
unreferenced object 0xffff888121bdfd00 (size 632):
comm "syz-executor073", pid 7035, jiffies 4294943279 (age 8.130s)
hex dump (first 32 bytes):
01 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 ................
80 1e b6 1f 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace:
[<0000000088b15f0d>] kmemleak_alloc_recursive
include/linux/kmemleak.h:55 [inline]
[<0000000088b15f0d>] slab_post_alloc_hook mm/slab.h:439 [inline]
[<0000000088b15f0d>] slab_alloc mm/slab.c:3326 [inline]
[<0000000088b15f0d>] kmem_cache_alloc+0x134/0x270 mm/slab.c:3488
[<000000001a541de3>] sock_alloc_inode+0x1d/0xe0 net/socket.c:252
[<00000000226aca0e>] alloc_inode+0x2c/0xe0 fs/inode.c:226
[<0000000054963a4b>] new_inode_pseudo+0x18/0x70 fs/inode.c:915
[<00000000a577ddf0>] sock_alloc+0x1c/0x90 net/socket.c:575
[<000000000e50448f>] __sock_create+0x8f/0x250 net/socket.c:1394
[<00000000248d5219>] sock_create_kern+0x3b/0x50 net/socket.c:1499
[<0000000081cd440d>] io_uring_get_fd fs/io_uring.c:2997 [inline]
[<0000000081cd440d>] io_uring_create fs/io_uring.c:3080 [inline]
[<0000000081cd440d>] io_uring_setup+0x4ea/0x990 fs/io_uring.c:3128
[<00000000b95ec5c9>] __do_sys_io_uring_setup fs/io_uring.c:3141 [inline]
[<00000000b95ec5c9>] __se_sys_io_uring_setup fs/io_uring.c:3138 [inline]
[<00000000b95ec5c9>] __x64_sys_io_uring_setup+0x1a/0x20
fs/io_uring.c:3138
[<0000000072749d9e>] do_syscall_64+0x76/0x1a0
arch/x86/entry/common.c:301
[<0000000053106e40>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff88811fb61e80 (size 64):
comm "syz-executor073", pid 7035, jiffies 4294943279 (age 8.130s)
hex dump (first 32 bytes):
00 00 00 00 81 88 ff ff 88 1e b6 1f 81 88 ff ff ................
88 1e b6 1f 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace:
[<000000008c8eddf3>] kmemleak_alloc_recursive
include/linux/kmemleak.h:55 [inline]
[<000000008c8eddf3>] slab_post_alloc_hook mm/slab.h:439 [inline]
[<000000008c8eddf3>] slab_alloc mm/slab.c:3326 [inline]
[<000000008c8eddf3>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
[<000000005afcf70e>] kmalloc include/linux/slab.h:547 [inline]
[<000000005afcf70e>] sock_alloc_inode+0x44/0xe0 net/socket.c:255
[<00000000226aca0e>] alloc_inode+0x2c/0xe0 fs/inode.c:226
[<0000000054963a4b>] new_inode_pseudo+0x18/0x70 fs/inode.c:915
[<00000000a577ddf0>] sock_alloc+0x1c/0x90 net/socket.c:575
[<000000000e50448f>] __sock_create+0x8f/0x250 net/socket.c:1394
[<00000000248d5219>] sock_create_kern+0x3b/0x50 net/socket.c:1499
[<0000000081cd440d>] io_uring_get_fd fs/io_uring.c:2997 [inline]
[<0000000081cd440d>] io_uring_create fs/io_uring.c:3080 [inline]
[<0000000081cd440d>] io_uring_setup+0x4ea/0x990 fs/io_uring.c:3128
[<00000000b95ec5c9>] __do_sys_io_uring_setup fs/io_uring.c:3141 [inline]
[<00000000b95ec5c9>] __se_sys_io_uring_setup fs/io_uring.c:3138 [inline]
[<00000000b95ec5c9>] __x64_sys_io_uring_setup+0x1a/0x20
fs/io_uring.c:3138
[<0000000072749d9e>] do_syscall_64+0x76/0x1a0
arch/x86/entry/common.c:301
[<0000000053106e40>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff88811dd21c08 (size 56):
comm "syz-executor073", pid 7035, jiffies 4294943279 (age 8.130s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
30 fd bd 21 81 88 ff ff 20 1c d2 1d 81 88 ff ff 0..!.... .......
backtrace:
[<0000000088b15f0d>] kmemleak_alloc_recursive
include/linux/kmemleak.h:55 [inline]
[<0000000088b15f0d>] slab_post_alloc_hook mm/slab.h:439 [inline]
[<0000000088b15f0d>] slab_alloc mm/slab.c:3326 [inline]
[<0000000088b15f0d>] kmem_cache_alloc+0x134/0x270 mm/slab.c:3488
[<00000000dec41212>] kmem_cache_zalloc include/linux/slab.h:732 [inline]
[<00000000dec41212>] lsm_inode_alloc security/security.c:523 [inline]
[<00000000dec41212>] security_inode_alloc+0x33/0xb0
security/security.c:876
[<0000000093ac97c3>] inode_init_always+0x108/0x200 fs/inode.c:168
[<000000006cedb4e8>] alloc_inode+0x49/0xe0 fs/inode.c:233
[<0000000054963a4b>] new_inode_pseudo+0x18/0x70 fs/inode.c:915
[<00000000a577ddf0>] sock_alloc+0x1c/0x90 net/socket.c:575
[<000000000e50448f>] __sock_create+0x8f/0x250 net/socket.c:1394
[<00000000248d5219>] sock_create_kern+0x3b/0x50 net/socket.c:1499
[<0000000081cd440d>] io_uring_get_fd fs/io_uring.c:2997 [inline]
[<0000000081cd440d>] io_uring_create fs/io_uring.c:3080 [inline]
[<0000000081cd440d>] io_uring_setup+0x4ea/0x990 fs/io_uring.c:3128
[<00000000b95ec5c9>] __do_sys_io_uring_setup fs/io_uring.c:3141 [inline]
[<00000000b95ec5c9>] __se_sys_io_uring_setup fs/io_uring.c:3138 [inline]
[<00000000b95ec5c9>] __x64_sys_io_uring_setup+0x1a/0x20
fs/io_uring.c:3138
[<0000000072749d9e>] do_syscall_64+0x76/0x1a0
arch/x86/entry/common.c:301
[<0000000053106e40>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH] io_uring: fix memory leak of UNIX domain socket inode
2019-05-23 1:28 memory leak in new_inode_pseudo syzbot
@ 2019-06-12 21:58 ` Eric Biggers
2019-06-13 8:40 ` Jens Axboe
0 siblings, 1 reply; 3+ messages in thread
From: Eric Biggers @ 2019-06-12 21:58 UTC (permalink / raw)
To: Jens Axboe, Alexander Viro, linux-block, linux-fsdevel
Cc: davem, linux-kernel, netdev, syzkaller-bugs, syzbot
From: Eric Biggers <ebiggers@google.com>
Opening and closing an io_uring instance leaks a UNIX domain socket
inode. This is because the ->file of the io_uring instance's internal
UNIX domain socket is set to point to the io_uring file, but then
sock_release() sees the non-NULL ->file and assumes the inode reference
is held by the file so doesn't call iput(). That's not the case here,
since the reference is still meant to be held by the socket; the actual
inode of the io_uring file is different.
Fix this leak by NULL-ing out ->file before releasing the socket.
Reported-by: syzbot+111cb28d9f583693aefa@syzkaller.appspotmail.com
Fixes: 2b188cc1bb85 ("Add io_uring IO interface")
Cc: <stable@vger.kernel.org> # v5.1+
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
fs/io_uring.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/io_uring.c b/fs/io_uring.c
index 0fbb486a320e9..86a2bd7219005 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -2777,8 +2777,10 @@ static void io_ring_ctx_free(struct io_ring_ctx *ctx)
io_eventfd_unregister(ctx);
#if defined(CONFIG_UNIX)
- if (ctx->ring_sock)
+ if (ctx->ring_sock) {
+ ctx->ring_sock->file = NULL; /* so that iput() is called */
sock_release(ctx->ring_sock);
+ }
#endif
io_mem_free(ctx->sq_ring);
--
2.22.0.rc2.383.gf4fbbf30c2-goog
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] io_uring: fix memory leak of UNIX domain socket inode
2019-06-12 21:58 ` [PATCH] io_uring: fix memory leak of UNIX domain socket inode Eric Biggers
@ 2019-06-13 8:40 ` Jens Axboe
0 siblings, 0 replies; 3+ messages in thread
From: Jens Axboe @ 2019-06-13 8:40 UTC (permalink / raw)
To: Eric Biggers, Alexander Viro, linux-block, linux-fsdevel
Cc: davem, linux-kernel, netdev, syzkaller-bugs, syzbot
On 6/12/19 3:58 PM, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
>
> Opening and closing an io_uring instance leaks a UNIX domain socket
> inode. This is because the ->file of the io_uring instance's internal
> UNIX domain socket is set to point to the io_uring file, but then
> sock_release() sees the non-NULL ->file and assumes the inode reference
> is held by the file so doesn't call iput(). That's not the case here,
> since the reference is still meant to be held by the socket; the actual
> inode of the io_uring file is different.
>
> Fix this leak by NULL-ing out ->file before releasing the socket.
Thanks, applied.
--
Jens Axboe
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-06-13 17:13 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-05-23 1:28 memory leak in new_inode_pseudo syzbot
2019-06-12 21:58 ` [PATCH] io_uring: fix memory leak of UNIX domain socket inode Eric Biggers
2019-06-13 8:40 ` Jens Axboe
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.