* memory leak in cap_inode_getsecurity
From: syzbot @ 2019-10-03 19:59 UTC
To: linux-fsdevel, linux-kernel, syzkaller-bugs, viro

Hello,

syzbot found the following crash on:

HEAD commit:    0f1a7b3f timer-of: don't use conditional expression with m..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1329640d600000
kernel config:  https://syzkaller.appspot.com/x/.config?x=9d66badf12ef344c
dashboard link: https://syzkaller.appspot.com/bug?extid=942d5390db2d9624ced8
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1107b513600000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+942d5390db2d9624ced8@syzkaller.appspotmail.com

2019/10/03 14:00:37 executed programs: 36
2019/10/03 14:00:43 executed programs: 44
2019/10/03 14:00:49 executed programs: 63
BUG: memory leak
unreferenced object 0xffff8881202cb480 (size 32):
  comm "syz-executor.0", pid 7246, jiffies 4294946879 (age 14.010s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<00000000a8379648>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
    [<00000000a8379648>] slab_post_alloc_hook mm/slab.h:586 [inline]
    [<00000000a8379648>] slab_alloc mm/slab.c:3319 [inline]
    [<00000000a8379648>] __do_kmalloc mm/slab.c:3653 [inline]
    [<00000000a8379648>] __kmalloc_track_caller+0x165/0x300 mm/slab.c:3670
    [<000000008858463c>] __do_krealloc mm/slab_common.c:1638 [inline]
    [<000000008858463c>] krealloc+0x7f/0xb0 mm/slab_common.c:1689
    [<0000000057f9eb8e>] vfs_getxattr_alloc+0x100/0x180 fs/xattr.c:289
    [<00000000c2154e30>] cap_inode_getsecurity+0x9c/0x2c0 security/commoncap.c:389
    [<00000000b2664a09>] security_inode_getsecurity+0x4c/0x90 security/security.c:1314
    [<00000000921624c0>] xattr_getsecurity fs/xattr.c:244 [inline]
    [<00000000921624c0>] vfs_getxattr+0xf2/0x1a0 fs/xattr.c:332
    [<000000001ff6977b>] getxattr+0x97/0x240 fs/xattr.c:538
    [<00000000b945681f>] path_getxattr+0x6b/0xc0 fs/xattr.c:566
    [<000000001a9d3fce>] __do_sys_getxattr fs/xattr.c:578 [inline]
    [<000000001a9d3fce>] __se_sys_getxattr fs/xattr.c:575 [inline]
    [<000000001a9d3fce>] __x64_sys_getxattr+0x28/0x30 fs/xattr.c:575
    [<000000002e998337>] do_syscall_64+0x73/0x1f0 arch/x86/entry/common.c:290
    [<00000000f252aa21>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
* Re: [syzbot] memory leak in cap_inode_getsecurity
From: syzbot @ 2022-07-31 15:12 UTC
To: linux-fsdevel, linux-kernel, marka, phind.uet, syzkaller-bugs, viro

syzbot has found a reproducer for the following issue on:

HEAD commit:    6a010258447d Merge tag 'for-linus' of git://git.armlinux.o..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15883fee080000
kernel config:  https://syzkaller.appspot.com/x/.config?x=2a1dcc1942e30704
dashboard link: https://syzkaller.appspot.com/bug?extid=942d5390db2d9624ced8
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1568846a080000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10f5e536080000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+942d5390db2d9624ced8@syzkaller.appspotmail.com

executing program
BUG: memory leak
unreferenced object 0xffff88810f0ac060 (size 32):
  comm "syz-executor240", pid 3622, jiffies 4294961303 (age 14.040s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff814c6ecd>] __do_krealloc mm/slab_common.c:1185 [inline]
    [<ffffffff814c6ecd>] krealloc+0x4d/0xb0 mm/slab_common.c:1218
    [<ffffffff8162625c>] vfs_getxattr_alloc+0x13c/0x1c0 fs/xattr.c:379
    [<ffffffff822374b2>] cap_inode_getsecurity+0xb2/0x500 security/commoncap.c:400
    [<ffffffff8223d88c>] security_inode_getsecurity+0x7c/0xb0 security/security.c:1441
    [<ffffffff81625a0a>] xattr_getsecurity fs/xattr.c:327 [inline]
    [<ffffffff81625a0a>] vfs_getxattr+0x22a/0x290 fs/xattr.c:423
    [<ffffffff81c0ab02>] ovl_xattr_get+0x62/0xa0 fs/overlayfs/inode.c:404
    [<ffffffff81624742>] __vfs_getxattr+0x72/0xa0 fs/xattr.c:401
    [<ffffffff82236f52>] cap_inode_need_killpriv+0x22/0x40 security/commoncap.c:301
    [<ffffffff8223d773>] security_inode_need_killpriv+0x23/0x60 security/security.c:1419
    [<ffffffff8161074e>] dentry_needs_remove_privs fs/inode.c:1992 [inline]
    [<ffffffff8161074e>] dentry_needs_remove_privs+0x4e/0xa0 fs/inode.c:1982
    [<ffffffff815cfead>] do_truncate+0x7d/0x130 fs/open.c:57
    [<ffffffff815d0169>] vfs_truncate+0x209/0x240 fs/open.c:111
    [<ffffffff815d0268>] do_sys_truncate.part.0+0xc8/0xe0 fs/open.c:134
    [<ffffffff815d0303>] do_sys_truncate fs/open.c:128 [inline]
    [<ffffffff815d0303>] __do_sys_truncate fs/open.c:146 [inline]
    [<ffffffff815d0303>] __se_sys_truncate fs/open.c:144 [inline]
    [<ffffffff815d0303>] __x64_sys_truncate+0x33/0x50 fs/open.c:144
    [<ffffffff845b1955>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    [<ffffffff845b1955>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
    [<ffffffff84600087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
* Re: [syzbot] memory leak in cap_inode_getsecurity
From: Miklos Szeredi @ 2022-08-01 10:11 UTC
To: syzbot
Cc: linux-fsdevel, linux-kernel, marka, phind.uet, syzkaller-bugs, Al Viro

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

On Sun, 31 Jul 2022 at 17:13, syzbot <syzbot+942d5390db2d9624ced8@syzkaller.appspotmail.com> wrote:
>
> syzbot has found a reproducer for the following issue on:
> [...]

[-- Attachment #2: fix-leak-in-cap_inode_getsecurity.patch --]
[-- Type: text/x-patch, Size: 1601 bytes --]

---
 security/commoncap.c |   18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -401,8 +401,8 @@ int cap_inode_getsecurity(struct user_na &tmpbuf, size, GFP_NOFS); dput(dentry); - if (ret < 0 || !tmpbuf) - return ret; + if (ret < 0) + goto out_free; fs_ns = inode->i_sb->s_user_ns; cap = (struct vfs_cap_data *) tmpbuf; @@ -412,7 +412,7 @@ int cap_inode_getsecurity(struct user_na nscap = (struct vfs_ns_cap_data *) tmpbuf; root = le32_to_cpu(nscap->rootid); } else { - size = -EINVAL; + ret = -EINVAL; goto out_free; } @@ -431,7 +431,7 @@ int cap_inode_getsecurity(struct user_na /* v2 -> v3 conversion */ nscap = kzalloc(size, GFP_ATOMIC); if (!nscap) { - size = -ENOMEM; + ret = -ENOMEM; goto out_free; } nsmagic = VFS_CAP_REVISION_3; @@ -447,11 +447,11 @@ int cap_inode_getsecurity(struct user_na nscap->rootid = cpu_to_le32(mappedroot); *buffer = nscap; } - goto out_free; + goto success; } if (!rootid_owns_currentns(kroot)) { - size = -EOVERFLOW; + ret = -EOVERFLOW; goto out_free; } @@ -462,7 +462,7 @@ int cap_inode_getsecurity(struct user_na /* v3 -> v2 conversion */ cap = kzalloc(size, GFP_ATOMIC); if (!cap) { - size = -ENOMEM; + ret = -ENOMEM; goto out_free; } magic = VFS_CAP_REVISION_2; @@ -477,9 +477,11 @@ int cap_inode_getsecurity(struct user_na } *buffer = cap; } +success: + ret = size; out_free: kfree(tmpbuf); - return size; + return ret; } /** ^ permalink raw reply [flat|nested] 8+ messages in thread
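Review bot: in the hunk at @@ -401, replacing `if (ret < 0 || !tmpbuf) return ret;` with `if (ret < 0) goto out_free;` is the actual leak fix, and it is correct only because vfs_getxattr_alloc() stores the buffer it krealloc()ed into `tmpbuf` before it returns the error from the second handler->get() call (the backtraces above show that allocation under vfs_getxattr_alloc()). A one-line comment at that `goto` saying that `tmpbuf` can be live even when `ret < 0` would keep the early `return ret` from being reintroduced. This also fixes one caller only: any other vfs_getxattr_alloc() caller that returns early on error has the same leak, which is why the follow-up patch in this thread changes the helper itself.

Review bot: in the hunk at @@ -477, the new `success:` label sets `ret = size` and falls into `out_free`, so the v2->v3 conversion path (now `goto success`) and the parent-namespace fall-through both return the converted size, while every `size = -E...` in the earlier hunks became `ret = -E...` to match the new `return ret`. That is consistent, but `size` is now only meaningful on success and `ret` on failure, so a short comment at the two labels stating that split would help the next reader.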
* Re: [syzbot] memory leak in cap_inode_getsecurity
From: syzbot @ 2022-08-01 10:29 UTC
To: linux-fsdevel, linux-kernel, marka, miklos, phind.uet, syzkaller-bugs, viro

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+942d5390db2d9624ced8@syzkaller.appspotmail.com

Tested on:

commit:         3d7cb6b0 Linux 5.19
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10aa0c2e080000
kernel config:  https://syzkaller.appspot.com/x/.config?x=5466231eb53fa40e
dashboard link: https://syzkaller.appspot.com/bug?extid=942d5390db2d9624ced8
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch:          https://syzkaller.appspot.com/x/patch.diff?x=10e003a6080000

Note: testing is done by a robot and is best-effort only.
* Re: [syzbot] memory leak in cap_inode_getsecurity
From: Miklos Szeredi @ 2022-08-01 12:20 UTC
To: syzbot
Cc: linux-fsdevel, linux-kernel, marka, phind.uet, syzkaller-bugs, Al Viro

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

On Sun, 31 Jul 2022 at 17:13, syzbot <syzbot+942d5390db2d9624ced8@syzkaller.appspotmail.com> wrote:
>
> syzbot has found a reproducer for the following issue on:
> [...]

[-- Attachment #2: vfs_getxattr_alloc-dont-allocate-buf-on-failure.patch --]
[-- Type: text/x-patch, Size: 384 bytes --]

---
 fs/xattr.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -383,7 +383,10 @@ vfs_getxattr_alloc(struct user_namespace } error = handler->get(handler, dentry, inode, name, value, error); - *xattr_value = value; + if (error < 0 && value != *xattr_value) + kfree(value); + else + *xattr_value = value; return error; } ^ permalink raw reply [flat|nested] 8+ messages in thread
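Review bot: the test `value != *xattr_value` in this hunk does not reliably mean "this call allocated the buffer". When the caller passed in a buffer that was too small, the krealloc() a few lines above the hunk (the backtraces show it directly under vfs_getxattr_alloc()) can move it, so `value` differs from `*xattr_value` even though the old pointer has already been released; on a failing second handler->get() the hunk then kfree()s `value` and leaves `*xattr_value` pointing at freed memory for the caller to free again. Test whether the caller passed no buffer at all, i.e. `if (error < 0 && *xattr_value == NULL) kfree(value);`, and store `value` back in every other case so a reused buffer that moved is still tracked by the caller.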
* Re: [syzbot] memory leak in cap_inode_getsecurity
From: syzbot @ 2022-08-01 12:37 UTC
To: linux-fsdevel, linux-kernel, marka, miklos, phind.uet, syzkaller-bugs, viro

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+942d5390db2d9624ced8@syzkaller.appspotmail.com

Tested on:

commit:         3d7cb6b0 Linux 5.19
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14385261080000
kernel config:  https://syzkaller.appspot.com/x/.config?x=5466231eb53fa40e
dashboard link: https://syzkaller.appspot.com/bug?extid=942d5390db2d9624ced8
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch:          https://syzkaller.appspot.com/x/patch.diff?x=14edd10e080000

Note: testing is done by a robot and is best-effort only.
* Re: memory leak in cap_inode_getsecurity
From: Miklos Szeredi @ 2022-08-03 4:36 UTC
To: syzbot
Cc: linux-fsdevel, linux-kernel, syzkaller-bugs, viro

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

On Thu, 3 Oct 2019 at 21:59, syzbot <syzbot+942d5390db2d9624ced8@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following crash on:
> [...]

[-- Attachment #2: vfs_getxattr_alloc-dont-allocate-buf-on-failure.patch --]
[-- Type: text/x-patch, Size: 1091 bytes --]

From: Miklos Szeredi <mszeredi@redhat.com> Subject: vfs_getxattr_alloc(): don't allocate buf on failure Some callers of vfs_getxattr_alloc() assume that on failure the allocated buffer does not need to be freed. Callers could be fixed, but fixing the semantics of vfs_getxattr_alloc() is simpler and makes sure that this class of bugs does not occur again. If this was called in a loop (i.e. xattr_value contains an already allocated buffer), then caller will still need to clean up after an error. Reported-and-tested-by: syzbot+942d5390db2d9624ced8@syzkaller.appspotmail.com Fixes: 1601fbad2b14 ("xattr: define vfs_getxattr_alloc and vfs_xattr_cmp") Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> --- fs/xattr.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) --- a/fs/xattr.c +++ b/fs/xattr.c @@ -383,7 +383,10 @@ vfs_getxattr_alloc(struct user_namespace } error = handler->get(handler, dentry, inode, name, value, error); - *xattr_value = value; + if (error < 0 && *xattr_value == NULL) + kfree(value); + else + *xattr_value = value; return error; } ^ permalink raw reply [flat|nested] 8+ messages in thread
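Review bot: with `if (error < 0 && *xattr_value == NULL) kfree(value);` the hunk frees only what this call allocated, and because the condition requires `*xattr_value` to be NULL it stays NULL afterwards, so a caller that kfree()s `*xattr_value` unconditionally on its error path is still safe. The loop case the commit message describes (a caller-supplied buffer that krealloc() may have grown or moved, stored back through the `else` branch so the caller keeps ownership) is the part callers will get wrong; please state it in the comment above vfs_getxattr_alloc(), outside this hunk, so the contract lives next to the code rather than only in this commit message.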
* Re: [syzbot] memory leak in cap_inode_getsecurity
From: syzbot @ 2022-08-03 4:53 UTC
To: linux-fsdevel, linux-kernel, miklos, syzkaller-bugs, viro

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+942d5390db2d9624ced8@syzkaller.appspotmail.com

Tested on:

commit:         e2b54210 Merge tag 'flexible-array-transformations-UAP..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12c050a2080000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f5367bd9b8d9fa72
dashboard link: https://syzkaller.appspot.com/bug?extid=942d5390db2d9624ced8
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch:          https://syzkaller.appspot.com/x/patch.diff?x=17a74536080000

Note: testing is done by a robot and is best-effort only.
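The ownership contract in the commit message above, as an added example that is not code from the thread or from the kernel: a user-space C model of vfs_getxattr_alloc() before and after the patch, with a counting allocator so the leak shows up as a number instead of a kmemleak report. fake_xattr, fake_get(), tracked_realloc() and tracked_free() are hypothetical stand-ins for the xattr handler's ->get() and the slab allocator; the helper is reduced to the size-probe / allocate / data-call sequence the backtraces show, and the pre-patch caller is written the way cap_inode_getsecurity() was (early return on error).

```c
/* Added example (user-space model, not kernel code): vfs_getxattr_alloc()
 * buffer ownership before and after the patch, with a counting allocator.
 * fake_xattr/fake_get() are hypothetical stand-ins for handler->get(). */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef ENODATA
#define ENODATA 61
#endif

/* Outstanding tracked buffers; non-zero after a call sequence means a leak. */
static int live_allocs;

static void *tracked_realloc(void *p, size_t n)
{
	void *q = realloc(p, n);

	if (q && !p)
		live_allocs++;	/* fresh allocation; a grow/move keeps the count */
	return q;
}

static void tracked_free(void *p)
{
	if (p)
		live_allocs--;
	free(p);
}

struct fake_xattr {
	const char *data;
	size_t len;
	int fail_data_call;	/* size probe succeeds, the data call fails */
};

/* Stand-in for handler->get(): value == NULL asks only for the size. */
static int fake_get(const struct fake_xattr *x, char *value, size_t size)
{
	if (!value)
		return (int)x->len;
	if (x->fail_data_call)
		return -ENODATA;	/* e.g. attribute removed between the two calls */
	if (size < x->len)
		return -ERANGE;
	memcpy(value, x->data, x->len);
	return (int)x->len;
}

/* Model of vfs_getxattr_alloc(). fixed == 0: pre-patch, the buffer is handed
 * back even on failure. fixed == 1: free a buffer this call allocated itself,
 * keep (and update) a caller-supplied one. */
static int getxattr_alloc(const struct fake_xattr *x, char **xattr_value,
			  size_t xattr_size, int fixed)
{
	char *value = *xattr_value;
	int error;

	error = fake_get(x, NULL, 0);			/* size probe */
	if (error < 0)
		return error;
	if (!value || (size_t)error > xattr_size) {
		value = tracked_realloc(*xattr_value, error + 1);
		if (!value)
			return -ENOMEM;
		memset(value, 0, error + 1);
	}
	error = fake_get(x, value, error);		/* data call, may fail */
	if (fixed && error < 0 && *xattr_value == NULL)
		tracked_free(value);
	else
		*xattr_value = value;
	return error;
}

/* Caller written like the pre-patch cap_inode_getsecurity(): early return on
 * error, assuming no buffer was handed back. */
static int caller_with_early_return(const struct fake_xattr *x, int fixed)
{
	char *tmpbuf = NULL;
	int ret = getxattr_alloc(x, &tmpbuf, 0, fixed);

	if (ret < 0)
		return ret;	/* pre-patch: tmpbuf is live here and never freed */
	tracked_free(tmpbuf);
	return ret;
}

/* Live buffers after one call whose data fetch fails: 1 pre-patch, 0 after. */
int leaked_after_failure(int fixed)
{
	const struct fake_xattr x = { "capdata", 7, 1 };

	live_allocs = 0;
	(void)caller_with_early_return(&x, fixed);
	return live_allocs;
}

/* The loop case from the commit message: a caller that reuses its buffer still
 * owns it when the patched helper fails, so it must free it itself. */
int loop_caller_leaks(void)
{
	const struct fake_xattr small = { "abc", 3, 0 };
	const struct fake_xattr big_bad = { "abcdefgh", 8, 1 };
	char *buf = NULL;

	live_allocs = 0;
	if (getxattr_alloc(&small, &buf, 0, 1) < 0)
		return -1;
	(void)getxattr_alloc(&big_bad, &buf, 4, 1);	/* grows buf, then fails */
	tracked_free(buf);				/* still caller-owned */
	return live_allocs;
}

int main(void)
{
	printf("pre-patch leaked:   %d\n", leaked_after_failure(0));
	printf("post-patch leaked:  %d\n", leaked_after_failure(1));
	printf("loop caller leaked: %d\n", loop_caller_leaks());
	return 0;
}
```

Compile with any C compiler and run: the pre-patch mode leaves one tracked buffer live after a failing call, the patched mode none, and the loop case shows why a caller that reuses its buffer must still free it on failure, since the patched helper only drops allocations it made for a NULL input pointer.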