* [syzbot] memory leak in setup_mq_sysctls
@ 2022-06-20  6:52 syzbot
  2022-06-21  9:54 ` Alexey Gladkov
  0 siblings, 1 reply; 8+ messages in thread
From: syzbot @ 2022-06-20  6:52 UTC (permalink / raw)
  To: ebiederm, legion, linux-kernel, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    979086f5e006 Merge tag 'fs.fixes.v5.19-rc3' of git://git.k..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1284331bf00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=c696a83383a77f81
dashboard link: https://syzkaller.appspot.com/bug?extid=b4b0d1b35442afbf6fd2
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=163e740ff00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=132b758bf00000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b4b0d1b35442afbf6fd2@syzkaller.appspotmail.com

executing program
BUG: memory leak
unreferenced object 0xffff888112fc9200 (size 512):
  comm "syz-executor237", pid 3648, jiffies 4294970469 (age 12.270s)
  hex dump (first 32 bytes):
    ef d3 60 85 ff ff ff ff 0c 9b d2 12 81 88 ff ff  ..`.............
    04 00 00 00 a4 01 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff814b6eb3>] kmemdup+0x23/0x50 mm/util.c:129
    [<ffffffff82219a9b>] kmemdup include/linux/fortify-string.h:456 [inline]
    [<ffffffff82219a9b>] setup_mq_sysctls+0x4b/0x1c0 ipc/mq_sysctl.c:89
    [<ffffffff822197f2>] create_ipc_ns ipc/namespace.c:63 [inline]
    [<ffffffff822197f2>] copy_ipcs+0x292/0x390 ipc/namespace.c:91
    [<ffffffff8127de7c>] create_new_namespaces+0xdc/0x4f0 kernel/nsproxy.c:90
    [<ffffffff8127e89b>] unshare_nsproxy_namespaces+0x9b/0x120 kernel/nsproxy.c:226
    [<ffffffff8123f92e>] ksys_unshare+0x2fe/0x600 kernel/fork.c:3165
    [<ffffffff8123fc42>] __do_sys_unshare kernel/fork.c:3236 [inline]
    [<ffffffff8123fc42>] __se_sys_unshare kernel/fork.c:3234 [inline]
    [<ffffffff8123fc42>] __x64_sys_unshare+0x12/0x20 kernel/fork.c:3234
    [<ffffffff845aab45>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    [<ffffffff845aab45>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
    [<ffffffff8460006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0

BUG: memory leak
unreferenced object 0xffff888112fd5f00 (size 256):
  comm "syz-executor237", pid 3648, jiffies 4294970469 (age 12.270s)
  hex dump (first 32 bytes):
    00 92 fc 12 81 88 ff ff 00 00 00 00 01 00 00 00  ................
    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff816fea1b>] kmalloc include/linux/slab.h:605 [inline]
    [<ffffffff816fea1b>] kzalloc include/linux/slab.h:733 [inline]
    [<ffffffff816fea1b>] __register_sysctl_table+0x7b/0x7f0 fs/proc/proc_sysctl.c:1344
    [<ffffffff82219b7a>] setup_mq_sysctls+0x12a/0x1c0 ipc/mq_sysctl.c:112
    [<ffffffff822197f2>] create_ipc_ns ipc/namespace.c:63 [inline]
    [<ffffffff822197f2>] copy_ipcs+0x292/0x390 ipc/namespace.c:91
    [<ffffffff8127de7c>] create_new_namespaces+0xdc/0x4f0 kernel/nsproxy.c:90
    [<ffffffff8127e89b>] unshare_nsproxy_namespaces+0x9b/0x120 kernel/nsproxy.c:226
    [<ffffffff8123f92e>] ksys_unshare+0x2fe/0x600 kernel/fork.c:3165
    [<ffffffff8123fc42>] __do_sys_unshare kernel/fork.c:3236 [inline]
    [<ffffffff8123fc42>] __se_sys_unshare kernel/fork.c:3234 [inline]
    [<ffffffff8123fc42>] __x64_sys_unshare+0x12/0x20 kernel/fork.c:3234
    [<ffffffff845aab45>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    [<ffffffff845aab45>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
    [<ffffffff8460006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0

BUG: memory leak
unreferenced object 0xffff888112fbba00 (size 256):
  comm "syz-executor237", pid 3648, jiffies 4294970469 (age 12.270s)
  hex dump (first 32 bytes):
    78 ba fb 12 81 88 ff ff 00 00 00 00 01 00 00 00  x...............
    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff816fef49>] kmalloc include/linux/slab.h:605 [inline]
    [<ffffffff816fef49>] kzalloc include/linux/slab.h:733 [inline]
    [<ffffffff816fef49>] new_dir fs/proc/proc_sysctl.c:978 [inline]
    [<ffffffff816fef49>] get_subdir fs/proc/proc_sysctl.c:1022 [inline]
    [<ffffffff816fef49>] __register_sysctl_table+0x5a9/0x7f0 fs/proc/proc_sysctl.c:1373
    [<ffffffff82219b7a>] setup_mq_sysctls+0x12a/0x1c0 ipc/mq_sysctl.c:112
    [<ffffffff822197f2>] create_ipc_ns ipc/namespace.c:63 [inline]
    [<ffffffff822197f2>] copy_ipcs+0x292/0x390 ipc/namespace.c:91
    [<ffffffff8127de7c>] create_new_namespaces+0xdc/0x4f0 kernel/nsproxy.c:90
    [<ffffffff8127e89b>] unshare_nsproxy_namespaces+0x9b/0x120 kernel/nsproxy.c:226
    [<ffffffff8123f92e>] ksys_unshare+0x2fe/0x600 kernel/fork.c:3165
    [<ffffffff8123fc42>] __do_sys_unshare kernel/fork.c:3236 [inline]
    [<ffffffff8123fc42>] __se_sys_unshare kernel/fork.c:3234 [inline]
    [<ffffffff8123fc42>] __x64_sys_unshare+0x12/0x20 kernel/fork.c:3234
    [<ffffffff845aab45>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    [<ffffffff845aab45>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
    [<ffffffff8460006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0

BUG: memory leak
unreferenced object 0xffff888112fbb900 (size 256):
  comm "syz-executor237", pid 3648, jiffies 4294970469 (age 12.270s)
  hex dump (first 32 bytes):
    78 b9 fb 12 81 88 ff ff 00 00 00 00 01 00 00 00  x...............
    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff816fef49>] kmalloc include/linux/slab.h:605 [inline]
    [<ffffffff816fef49>] kzalloc include/linux/slab.h:733 [inline]
    [<ffffffff816fef49>] new_dir fs/proc/proc_sysctl.c:978 [inline]
    [<ffffffff816fef49>] get_subdir fs/proc/proc_sysctl.c:1022 [inline]
    [<ffffffff816fef49>] __register_sysctl_table+0x5a9/0x7f0 fs/proc/proc_sysctl.c:1373
    [<ffffffff82219b7a>] setup_mq_sysctls+0x12a/0x1c0 ipc/mq_sysctl.c:112
    [<ffffffff822197f2>] create_ipc_ns ipc/namespace.c:63 [inline]
    [<ffffffff822197f2>] copy_ipcs+0x292/0x390 ipc/namespace.c:91
    [<ffffffff8127de7c>] create_new_namespaces+0xdc/0x4f0 kernel/nsproxy.c:90
    [<ffffffff8127e89b>] unshare_nsproxy_namespaces+0x9b/0x120 kernel/nsproxy.c:226
    [<ffffffff8123f92e>] ksys_unshare+0x2fe/0x600 kernel/fork.c:3165
    [<ffffffff8123fc42>] __do_sys_unshare kernel/fork.c:3236 [inline]
    [<ffffffff8123fc42>] __se_sys_unshare kernel/fork.c:3234 [inline]
    [<ffffffff8123fc42>] __x64_sys_unshare+0x12/0x20 kernel/fork.c:3234
    [<ffffffff845aab45>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    [<ffffffff845aab45>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
    [<ffffffff8460006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0



---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches


* Re: [syzbot] memory leak in setup_mq_sysctls
  2022-06-20  6:52 [syzbot] memory leak in setup_mq_sysctls syzbot
@ 2022-06-21  9:54 ` Alexey Gladkov
  2022-06-21 14:30   ` Eric W. Biederman
  0 siblings, 1 reply; 8+ messages in thread
From: Alexey Gladkov @ 2022-06-21  9:54 UTC (permalink / raw)
  To: syzbot; +Cc: ebiederm, linux-kernel, syzkaller-bugs

On Sun, Jun 19, 2022 at 11:52:25PM -0700, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    979086f5e006 Merge tag 'fs.fixes.v5.19-rc3' of git://git.k..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1284331bf00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=c696a83383a77f81
> dashboard link: https://syzkaller.appspot.com/bug?extid=b4b0d1b35442afbf6fd2
> compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=163e740ff00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=132b758bf00000
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+b4b0d1b35442afbf6fd2@syzkaller.appspotmail.com

I'm working on a fix that will remove this memory allocation entirely.


-- 
Rgrds, legion



* Re: [syzbot] memory leak in setup_mq_sysctls
  2022-06-21  9:54 ` Alexey Gladkov
@ 2022-06-21 14:30   ` Eric W. Biederman
  2022-06-21 22:41     ` Alexey Gladkov
                       ` (2 more replies)
  0 siblings, 3 replies; 8+ messages in thread
From: Eric W. Biederman @ 2022-06-21 14:30 UTC (permalink / raw)
  To: Alexey Gladkov; +Cc: syzbot, linux-kernel, syzkaller-bugs, Catalin Marinas

Alexey Gladkov <gladkov.alexey@gmail.com> writes:

> On Sun, Jun 19, 2022 at 11:52:25PM -0700, syzbot wrote:
>> Hello,
>> 
>> syzbot found the following issue on:
>> 
>> HEAD commit:    979086f5e006 Merge tag 'fs.fixes.v5.19-rc3' of git://git.k..
>> git tree:       upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=1284331bf00000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=c696a83383a77f81
>> dashboard link: https://syzkaller.appspot.com/bug?extid=b4b0d1b35442afbf6fd2
>> compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=163e740ff00000
>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=132b758bf00000
>> 
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: syzbot+b4b0d1b35442afbf6fd2@syzkaller.appspotmail.com
>
> I'm working on a fix that will remove this memory allocation entirely.

Hmm. The memory should be freed when the corresponding namespace exits.
I see retire_mq_sysctls is being called to free this memory.  Alex, do
you see any leaks when you read that code?

So it looks like either someone broke this in linux-next or there
is a bug in the memory leak detector, or something truly strange
like a memory stomp is going on.

I don't see any changes to the ipc subdirectory since v5.19-rc1 in
commit 979086f5e006 ("Merge tag 'fs.fixes.v5.19-rc3' of git://git.k.." )
so the idea that the code is broken in linux-next is out.

Which leaves the memory leak detector having trouble with this,
or something like a memory stomp is causing problems.

Catalin, is it possible that the clever use of ctl_table_arg to hold the
reference to the table before it is freed is confusing the memory leak
detector?  The idiom is old enough I don't expect so, but I have seen
bugs lurk for a long time.

Which leaves just a memory stomp or something even stranger in the code.
syzkaller, can you reproduce this on Linus's branch?

Eric



* Re: [syzbot] memory leak in setup_mq_sysctls
  2022-06-21 14:30   ` Eric W. Biederman
@ 2022-06-21 22:41     ` Alexey Gladkov
  2022-06-22  7:39       ` Dmitry Vyukov
  2022-06-22 17:16     ` Catalin Marinas
  2022-06-22 20:07     ` [PATCH] ipc: Free mq_sysctls if ipc namespace creation failed Alexey Gladkov
  2 siblings, 1 reply; 8+ messages in thread
From: Alexey Gladkov @ 2022-06-21 22:41 UTC (permalink / raw)
  To: Eric W. Biederman; +Cc: syzbot, linux-kernel, syzkaller-bugs, Catalin Marinas

On Tue, Jun 21, 2022 at 09:30:57AM -0500, Eric W. Biederman wrote:
> Alexey Gladkov <gladkov.alexey@gmail.com> writes:
> 
> > On Sun, Jun 19, 2022 at 11:52:25PM -0700, syzbot wrote:
> >> Hello,
> >> 
> >> syzbot found the following issue on:
> >> 
> >> HEAD commit:    979086f5e006 Merge tag 'fs.fixes.v5.19-rc3' of git://git.k..
> >> git tree:       upstream
> >> console output: https://syzkaller.appspot.com/x/log.txt?x=1284331bf00000
> >> kernel config:  https://syzkaller.appspot.com/x/.config?x=c696a83383a77f81
> >> dashboard link: https://syzkaller.appspot.com/bug?extid=b4b0d1b35442afbf6fd2
> >> compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> >> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=163e740ff00000
> >> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=132b758bf00000
> >> 
> >> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> >> Reported-by: syzbot+b4b0d1b35442afbf6fd2@syzkaller.appspotmail.com
> >
> > I'm working on a fix that will remove this memory allocation entirely.
> 
> Hmm. The memory should be freed when the corresponding namespace exits.
> I see retire_mq_sysctls is being called to free this memory.  Alex, do
> you see any leaks when you read that code?

I don't see a leak either. retire_mq_sysctls and retire_ipc_sysctls
functions are identical and are called one by one. I don't understand how
there can be an mq leak without an ipc leak. Unless it has something to do
with mq_init_ns (just guess).

> So it looks like either someone broke this in linux-next or there
> is a bug in the memory leak detector, or something truly strange
> like a memory stomp is going on.

I will take a look.

> I don't see any changes to the ipc subdirectory since v5.19-rc1 in
> commit 979086f5e006 ("Merge tag 'fs.fixes.v5.19-rc3' of git://git.k.." )
> so the idea that the code is broken in linux-next is out.
> 
> Which leaves the memory leak detector having trouble with this,
> or something like a memory stomp is causing problems.
> 
> Catalin, is it possible that the clever use of ctl_table_arg to hold the
> reference to the table before it is freed is confusing the memory leak
> detector?  The idiom is old enough I don't expect so, but I have seen
> bugs lurk for a long time.
> 
> Which leaves just a memory stomp or something even stranger in the code.
> syzkaller, can you reproduce this on Linus's branch?
> 
> Eric
> 

-- 
Rgrds, legion


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [syzbot] memory leak in setup_mq_sysctls
  2022-06-21 22:41     ` Alexey Gladkov
@ 2022-06-22  7:39       ` Dmitry Vyukov
  0 siblings, 0 replies; 8+ messages in thread
From: Dmitry Vyukov @ 2022-06-22  7:39 UTC (permalink / raw)
  To: Alexey Gladkov
  Cc: Eric W. Biederman, syzbot, linux-kernel, syzkaller-bugs, Catalin Marinas

On Wed, 22 Jun 2022 at 00:41, Alexey Gladkov <legion@kernel.org> wrote:
>
> On Tue, Jun 21, 2022 at 09:30:57AM -0500, Eric W. Biederman wrote:
> > Alexey Gladkov <gladkov.alexey@gmail.com> writes:
> >
> > > On Sun, Jun 19, 2022 at 11:52:25PM -0700, syzbot wrote:
> > >> Hello,
> > >>
> > >> syzbot found the following issue on:
> > >>
> > >> HEAD commit:    979086f5e006 Merge tag 'fs.fixes.v5.19-rc3' of git://git.k..
> > >> git tree:       upstream
> > >> console output: https://syzkaller.appspot.com/x/log.txt?x=1284331bf00000
> > >> kernel config:  https://syzkaller.appspot.com/x/.config?x=c696a83383a77f81
> > >> dashboard link: https://syzkaller.appspot.com/bug?extid=b4b0d1b35442afbf6fd2
> > >> compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > >> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=163e740ff00000
> > >> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=132b758bf00000
> > >>
> > >> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > >> Reported-by: syzbot+b4b0d1b35442afbf6fd2@syzkaller.appspotmail.com
> > >
> > > I'm working on a fix that will remove this memory allocation entirely.
> >
> > Hmm. The memory should be freed when the corresponding namespace exits.
> > I see retire_mq_sysctls is being called to free this memory.  Alex do
> > you see any leaks when you read that code?
>
> I don't see a leak either. retire_mq_sysctls and retire_ipc_sysctls
> functions are identical and are called one by one. I don't understand how
> there can be an mq leak without an ipc leak. Unless it has something to do
> with mq_init_ns (just guess).

Are they freed on this error path:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/ipc/namespace.c?id=979086f5e0066b4eff66e1eee123da228489985c#n64
?
I don't see where it calls retire_mq_sysctls.

> > So it looks like either someone broke this in linux-next or there
> > is a bug in the memory leak detector, or something truly strange
> > like a memory stomp is going on.
>
> I will take a look.
>
> > I don't see any changes to the ipc subdirectory since v5.19-rc1 in
> > commit 979086f5e006 ("Merge tag 'fs.fixes.v5.19-rc3' of git://git.k.." )
> > so the idea that the code is broken in linux-next is out.
> >
> > Which leaves the memory leak detector having trouble with this,
> > or something like a memory stomp is causing problems.
> >
> > Catalin is it possible that the clever use of ctl_table_arg to hold the
> > reference to the table before it is freed is confusing the memory leak
> > detector?  The idiom is old enough I don't expect so, but I have seen
> > bugs lurk for a long time.
> >
> > Which leaves just a memory stomp or something even stranger in the code.
> > syzkaller can you reproduce this on Linus's branch?
> >
> > Eric
> >
> > >> executing program
> > >> BUG: memory leak
> > >> unreferenced object 0xffff888112fc9200 (size 512):
> > >>   comm "syz-executor237", pid 3648, jiffies 4294970469 (age 12.270s)
> > >>   hex dump (first 32 bytes):
> > >>     ef d3 60 85 ff ff ff ff 0c 9b d2 12 81 88 ff ff  ..`.............
> > >>     04 00 00 00 a4 01 00 00 00 00 00 00 00 00 00 00  ................
> > >>   backtrace:
> > >>     [<ffffffff814b6eb3>] kmemdup+0x23/0x50 mm/util.c:129
> > >>     [<ffffffff82219a9b>] kmemdup include/linux/fortify-string.h:456 [inline]
> > >>     [<ffffffff82219a9b>] setup_mq_sysctls+0x4b/0x1c0 ipc/mq_sysctl.c:89
> > >>     [<ffffffff822197f2>] create_ipc_ns ipc/namespace.c:63 [inline]
> > >>     [<ffffffff822197f2>] copy_ipcs+0x292/0x390 ipc/namespace.c:91
> > >>     [<ffffffff8127de7c>] create_new_namespaces+0xdc/0x4f0 kernel/nsproxy.c:90
> > >>     [<ffffffff8127e89b>] unshare_nsproxy_namespaces+0x9b/0x120 kernel/nsproxy.c:226
> > >>     [<ffffffff8123f92e>] ksys_unshare+0x2fe/0x600 kernel/fork.c:3165
> > >>     [<ffffffff8123fc42>] __do_sys_unshare kernel/fork.c:3236 [inline]
> > >>     [<ffffffff8123fc42>] __se_sys_unshare kernel/fork.c:3234 [inline]
> > >>     [<ffffffff8123fc42>] __x64_sys_unshare+0x12/0x20 kernel/fork.c:3234
> > >>     [<ffffffff845aab45>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> > >>     [<ffffffff845aab45>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
> > >>     [<ffffffff8460006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
> > >>
> > >> BUG: memory leak
> > >> unreferenced object 0xffff888112fd5f00 (size 256):
> > >>   comm "syz-executor237", pid 3648, jiffies 4294970469 (age 12.270s)
> > >>   hex dump (first 32 bytes):
> > >>     00 92 fc 12 81 88 ff ff 00 00 00 00 01 00 00 00  ................
> > >>     01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > >>   backtrace:
> > >>     [<ffffffff816fea1b>] kmalloc include/linux/slab.h:605 [inline]
> > >>     [<ffffffff816fea1b>] kzalloc include/linux/slab.h:733 [inline]
> > >>     [<ffffffff816fea1b>] __register_sysctl_table+0x7b/0x7f0 fs/proc/proc_sysctl.c:1344
> > >>     [<ffffffff82219b7a>] setup_mq_sysctls+0x12a/0x1c0 ipc/mq_sysctl.c:112
> > >>     [<ffffffff822197f2>] create_ipc_ns ipc/namespace.c:63 [inline]
> > >>     [<ffffffff822197f2>] copy_ipcs+0x292/0x390 ipc/namespace.c:91
> > >>     [<ffffffff8127de7c>] create_new_namespaces+0xdc/0x4f0 kernel/nsproxy.c:90
> > >>     [<ffffffff8127e89b>] unshare_nsproxy_namespaces+0x9b/0x120 kernel/nsproxy.c:226
> > >>     [<ffffffff8123f92e>] ksys_unshare+0x2fe/0x600 kernel/fork.c:3165
> > >>     [<ffffffff8123fc42>] __do_sys_unshare kernel/fork.c:3236 [inline]
> > >>     [<ffffffff8123fc42>] __se_sys_unshare kernel/fork.c:3234 [inline]
> > >>     [<ffffffff8123fc42>] __x64_sys_unshare+0x12/0x20 kernel/fork.c:3234
> > >>     [<ffffffff845aab45>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> > >>     [<ffffffff845aab45>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
> > >>     [<ffffffff8460006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
> > >>
> > >> BUG: memory leak
> > >> unreferenced object 0xffff888112fbba00 (size 256):
> > >>   comm "syz-executor237", pid 3648, jiffies 4294970469 (age 12.270s)
> > >>   hex dump (first 32 bytes):
> > >>     78 ba fb 12 81 88 ff ff 00 00 00 00 01 00 00 00  x...............
> > >>     01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > >>   backtrace:
> > >>     [<ffffffff816fef49>] kmalloc include/linux/slab.h:605 [inline]
> > >>     [<ffffffff816fef49>] kzalloc include/linux/slab.h:733 [inline]
> > >>     [<ffffffff816fef49>] new_dir fs/proc/proc_sysctl.c:978 [inline]
> > >>     [<ffffffff816fef49>] get_subdir fs/proc/proc_sysctl.c:1022 [inline]
> > >>     [<ffffffff816fef49>] __register_sysctl_table+0x5a9/0x7f0 fs/proc/proc_sysctl.c:1373
> > >>     [<ffffffff82219b7a>] setup_mq_sysctls+0x12a/0x1c0 ipc/mq_sysctl.c:112
> > >>     [<ffffffff822197f2>] create_ipc_ns ipc/namespace.c:63 [inline]
> > >>     [<ffffffff822197f2>] copy_ipcs+0x292/0x390 ipc/namespace.c:91
> > >>     [<ffffffff8127de7c>] create_new_namespaces+0xdc/0x4f0 kernel/nsproxy.c:90
> > >>     [<ffffffff8127e89b>] unshare_nsproxy_namespaces+0x9b/0x120 kernel/nsproxy.c:226
> > >>     [<ffffffff8123f92e>] ksys_unshare+0x2fe/0x600 kernel/fork.c:3165
> > >>     [<ffffffff8123fc42>] __do_sys_unshare kernel/fork.c:3236 [inline]
> > >>     [<ffffffff8123fc42>] __se_sys_unshare kernel/fork.c:3234 [inline]
> > >>     [<ffffffff8123fc42>] __x64_sys_unshare+0x12/0x20 kernel/fork.c:3234
> > >>     [<ffffffff845aab45>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> > >>     [<ffffffff845aab45>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
> > >>     [<ffffffff8460006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
> > >>
> > >> BUG: memory leak
> > >> unreferenced object 0xffff888112fbb900 (size 256):
> > >>   comm "syz-executor237", pid 3648, jiffies 4294970469 (age 12.270s)
> > >>   hex dump (first 32 bytes):
> > >>     78 b9 fb 12 81 88 ff ff 00 00 00 00 01 00 00 00  x...............
> > >>     01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> > >>   backtrace:
> > >>     [<ffffffff816fef49>] kmalloc include/linux/slab.h:605 [inline]
> > >>     [<ffffffff816fef49>] kzalloc include/linux/slab.h:733 [inline]
> > >>     [<ffffffff816fef49>] new_dir fs/proc/proc_sysctl.c:978 [inline]
> > >>     [<ffffffff816fef49>] get_subdir fs/proc/proc_sysctl.c:1022 [inline]
> > >>     [<ffffffff816fef49>] __register_sysctl_table+0x5a9/0x7f0 fs/proc/proc_sysctl.c:1373
> > >>     [<ffffffff82219b7a>] setup_mq_sysctls+0x12a/0x1c0 ipc/mq_sysctl.c:112
> > >>     [<ffffffff822197f2>] create_ipc_ns ipc/namespace.c:63 [inline]
> > >>     [<ffffffff822197f2>] copy_ipcs+0x292/0x390 ipc/namespace.c:91
> > >>     [<ffffffff8127de7c>] create_new_namespaces+0xdc/0x4f0 kernel/nsproxy.c:90
> > >>     [<ffffffff8127e89b>] unshare_nsproxy_namespaces+0x9b/0x120 kernel/nsproxy.c:226
> > >>     [<ffffffff8123f92e>] ksys_unshare+0x2fe/0x600 kernel/fork.c:3165
> > >>     [<ffffffff8123fc42>] __do_sys_unshare kernel/fork.c:3236 [inline]
> > >>     [<ffffffff8123fc42>] __se_sys_unshare kernel/fork.c:3234 [inline]
> > >>     [<ffffffff8123fc42>] __x64_sys_unshare+0x12/0x20 kernel/fork.c:3234
> > >>     [<ffffffff845aab45>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> > >>     [<ffffffff845aab45>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
> > >>     [<ffffffff8460006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
> > >>
> > >>
> > >>
> > >> ---
> > >> This report is generated by a bot. It may contain errors.
> > >> See https://goo.gl/tpsmEJ for more information about syzbot.
> > >> syzbot engineers can be reached at syzkaller@googlegroups.com.
> > >>
> > >> syzbot will keep track of this issue. See:
> > >> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> > >> syzbot can test patches for this issue, for details see:
> > >> https://goo.gl/tpsmEJ#testing-patches
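
The error path Dmitry points at, modelled as an added example (this is not kernel code and not part of the thread): a stand-in create_ipc_ns() with a counting allocator in place of kmemleak and a flag that injects the setup_ipc_sysctls() failure. The function names mirror ipc/namespace.c, but their bodies, the struct layout and the helpers xalloc, xfree and leaked_objects are constructed for the demonstration; the real setup_mq_sysctls() registers several objects, which is why the report lists four leaks, whereas the model allocates one.

```c
/* Added example, not kernel code: a stand-in for the create_ipc_ns() error
 * path discussed in this thread. A counting allocator plays the role of
 * kmemleak and a flag injects the setup_ipc_sysctls() failure syzbot hit.
 * The function names mirror ipc/namespace.c; every body is constructed. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

static int  live_allocs;        /* objects allocated and not yet freed */
static bool fail_ipc_sysctls;   /* constructed fault-injection switch */

struct ipc_namespace {
    void *mq_ctls;   /* stands in for the header registered by setup_mq_sysctls */
    void *ipc_ctls;  /* stands in for the one registered by setup_ipc_sysctls */
};

static void *xalloc(size_t n) { void *p = calloc(1, n); if (p) live_allocs++; return p; }
static void xfree(void *p) { if (p) { live_allocs--; free(p); } }

static bool setup_mq_sysctls(struct ipc_namespace *ns)
{
    ns->mq_ctls = xalloc(64);
    return ns->mq_ctls != NULL;
}

static void retire_mq_sysctls(struct ipc_namespace *ns)
{
    xfree(ns->mq_ctls);
    ns->mq_ctls = NULL;
}

static bool setup_ipc_sysctls(struct ipc_namespace *ns)
{
    if (fail_ipc_sysctls)   /* injected failure: the path in the report */
        return false;
    ns->ipc_ctls = xalloc(64);
    return ns->ipc_ctls != NULL;
}

/* Before the fix: a setup_ipc_sysctls() failure jumps straight to fail_put,
 * so the mq sysctls registered one step earlier are never retired. */
static struct ipc_namespace *create_ipc_ns_before(void)
{
    struct ipc_namespace *ns = xalloc(sizeof *ns);
    if (!ns)
        return NULL;
    if (!setup_mq_sysctls(ns))
        goto fail_put;
    if (!setup_ipc_sysctls(ns))
        goto fail_put;
    return ns;
fail_put:
    xfree(ns);
    return NULL;
}

/* After the fix: an extra unwind label retires the mq sysctls first and
 * falls through into the existing cleanup, undoing setup in reverse order. */
static struct ipc_namespace *create_ipc_ns_after(void)
{
    struct ipc_namespace *ns = xalloc(sizeof *ns);
    if (!ns)
        return NULL;
    if (!setup_mq_sysctls(ns))
        goto fail_put;
    if (!setup_ipc_sysctls(ns))
        goto fail_mq;
    return ns;
fail_mq:
    retire_mq_sysctls(ns);
fail_put:
    xfree(ns);
    return NULL;
}

/* Create with the failure injected (or not), tear down whatever came back,
 * and return how many objects are left over, i.e. what kmemleak would report. */
static int leaked_objects(struct ipc_namespace *(*create)(void), bool inject)
{
    live_allocs = 0;
    fail_ipc_sysctls = inject;
    struct ipc_namespace *ns = create();
    fail_ipc_sysctls = false;
    if (ns) {
        xfree(ns->ipc_ctls);
        retire_mq_sysctls(ns);
        xfree(ns);
    }
    return live_allocs;
}

int main(void)
{
    printf("before fix, failure injected: %d leaked\n", leaked_objects(create_ipc_ns_before, true));
    printf("after fix,  failure injected: %d leaked\n", leaked_objects(create_ipc_ns_after, true));
    return 0;
}
```

The pattern to take away is the one the patch applies: every unwind label undoes exactly one setup step and falls through into the label below it, so adding a step between two existing ones means adding a label, not re-targeting an old `goto`.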


* Re: [syzbot] memory leak in setup_mq_sysctls
  2022-06-21 14:30   ` Eric W. Biederman
  2022-06-21 22:41     ` Alexey Gladkov
@ 2022-06-22 17:16     ` Catalin Marinas
  2022-06-22 20:07     ` [PATCH] ipc: Free mq_sysctls if ipc namespace creation failed Alexey Gladkov
  2 siblings, 0 replies; 8+ messages in thread
From: Catalin Marinas @ 2022-06-22 17:16 UTC (permalink / raw)
  To: Eric W. Biederman; +Cc: Alexey Gladkov, syzbot, linux-kernel, syzkaller-bugs

On Tue, Jun 21, 2022 at 09:30:57AM -0500, Eric W. Biederman wrote:
> Alexey Gladkov <gladkov.alexey@gmail.com> writes:
> > On Sun, Jun 19, 2022 at 11:52:25PM -0700, syzbot wrote:
> >> syzbot found the following issue on:
> >> 
> >> HEAD commit:    979086f5e006 Merge tag 'fs.fixes.v5.19-rc3' of git://git.k..
> >> git tree:       upstream
> >> console output: https://syzkaller.appspot.com/x/log.txt?x=1284331bf00000
> >> kernel config:  https://syzkaller.appspot.com/x/.config?x=c696a83383a77f81
> >> dashboard link: https://syzkaller.appspot.com/bug?extid=b4b0d1b35442afbf6fd2
> >> compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> >> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=163e740ff00000
> >> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=132b758bf00000
> >> 
> >> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> >> Reported-by: syzbot+b4b0d1b35442afbf6fd2@syzkaller.appspotmail.com
> >
> > I'm working on a fix that will remove this memory allocation entirely.
[...]
> Catalin is it possible that the clever use of ctl_table_arg to hold the
> reference to the table before it is freed is confusing the memory leak
> detector?  The idiom is old enough I don't expect so, but I have seen
> bugs lurk for a long time.

As long as the addresses are not obfuscated and can be reached from some
root object (e.g. in the .data/.bss section), there shouldn't be a
problem. There are some occasional brief false positives as kmemleak
doesn't stop the world during scanning but IIRC syzbot does the
scanning twice to reduce them.

Some comments in the traces below:

> >>   backtrace:
> >>     [<ffffffff814b6eb3>] kmemdup+0x23/0x50 mm/util.c:129
> >>     [<ffffffff82219a9b>] kmemdup include/linux/fortify-string.h:456 [inline]
> >>     [<ffffffff82219a9b>] setup_mq_sysctls+0x4b/0x1c0 ipc/mq_sysctl.c:89

This one allocates a struct ctl_table.

> >>   backtrace:
> >>     [<ffffffff816fea1b>] kmalloc include/linux/slab.h:605 [inline]
> >>     [<ffffffff816fea1b>] kzalloc include/linux/slab.h:733 [inline]
> >>     [<ffffffff816fea1b>] __register_sysctl_table+0x7b/0x7f0 fs/proc/proc_sysctl.c:1344
> >>     [<ffffffff82219b7a>] setup_mq_sysctls+0x12a/0x1c0 ipc/mq_sysctl.c:112

This allocates struct ctl_table_header and IIUC, it stores a pointer to
the table allocated above. So if this one leaks, the ctl_table object
would also be reported as a leak.

> >>   backtrace:
> >>     [<ffffffff816fef49>] kmalloc include/linux/slab.h:605 [inline]
> >>     [<ffffffff816fef49>] kzalloc include/linux/slab.h:733 [inline]
> >>     [<ffffffff816fef49>] new_dir fs/proc/proc_sysctl.c:978 [inline]
> >>     [<ffffffff816fef49>] get_subdir fs/proc/proc_sysctl.c:1022 [inline]
> >>     [<ffffffff816fef49>] __register_sysctl_table+0x5a9/0x7f0 fs/proc/proc_sysctl.c:1373
> >>     [<ffffffff82219b7a>] setup_mq_sysctls+0x12a/0x1c0 ipc/mq_sysctl.c:112
[...]
> >>   backtrace:
> >>     [<ffffffff816fef49>] kmalloc include/linux/slab.h:605 [inline]
> >>     [<ffffffff816fef49>] kzalloc include/linux/slab.h:733 [inline]
> >>     [<ffffffff816fef49>] new_dir fs/proc/proc_sysctl.c:978 [inline]
> >>     [<ffffffff816fef49>] get_subdir fs/proc/proc_sysctl.c:1022 [inline]
> >>     [<ffffffff816fef49>] __register_sysctl_table+0x5a9/0x7f0 fs/proc/proc_sysctl.c:1373
> >>     [<ffffffff82219b7a>] setup_mq_sysctls+0x12a/0x1c0 ipc/mq_sysctl.c:112

These two places allocate a struct ctl_dir. Are the ctl_dir objects
supposed to have a pointer to the previously allocated header or the
other way around? At a quick look, I think it's the latter as
insert_header() stores 'dir' into header->parent. Anyway, for some
reason kmemleak cannot reach the ctl_dir or ctl_table_header objects.
If one refers to the other, we should focus on tracking down the parent
object.

I'll stare at the code a bit more tomorrow.

-- 
Catalin
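
Catalin's reachability argument, as an added example that is neither part of the thread nor kmemleak's own code: a toy mark-from-roots scanner over a handful of tracked objects wired the way the reports describe (namespace -> ctl_table_header -> ctl_table and parent ctl_dir). The names track_alloc, scan and leaks_in_scenario are constructed, the field roles in the comments follow Catalin's description, and the model recognises start-of-object pointers only.

```c
/* Added example, not kernel code: a toy model of how kmemleak decides an
 * object is "unreferenced". Tracked objects are scanned conservatively,
 * every pointer-sized word inside a reachable object being treated as a
 * possible pointer, starting from a root set that stands in for .data/.bss.
 * The object graph mirrors the reports: ns -> header -> {table, dir}. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_OBJS 16
#define WORDS    4

struct obj { uintptr_t words[WORDS]; };   /* a tracked allocation; pointers live in words */

static struct obj *objs[MAX_OBJS];        /* kmemleak's list of tracked objects */
static int nobjs;
static int reached[MAX_OBJS];

static struct obj *track_alloc(void)
{
    struct obj *o = calloc(1, sizeof *o);
    if (o && nobjs < MAX_OBJS) objs[nobjs++] = o;
    return o;
}

static void untrack_free(struct obj *o)
{
    for (int i = 0; i < nobjs; i++)
        if (objs[i] == o) { objs[i] = objs[--nobjs]; break; }
    free(o);
}

static void reset_all(void) { while (nobjs > 0) untrack_free(objs[nobjs - 1]); }

/* Only pointers to an object's start are recognised here; kmemleak also
 * accepts interior pointers, which is what makes its scan conservative. */
static int index_of(uintptr_t w)
{
    for (int i = 0; i < nobjs; i++)
        if (w == (uintptr_t)objs[i]) return i;
    return -1;
}

static void mark_from(uintptr_t w)
{
    int i = index_of(w);
    if (i < 0 || reached[i]) return;
    reached[i] = 1;
    for (int k = 0; k < WORDS; k++) mark_from(objs[i]->words[k]);
}

/* One scan pass: the number of tracked objects not reachable from any root
 * word, the set kmemleak would print as "unreferenced object". */
static int scan(const uintptr_t *roots, int nroots)
{
    int unreferenced = 0;
    memset(reached, 0, sizeof reached);
    for (int r = 0; r < nroots; r++) mark_from(roots[r]);
    for (int i = 0; i < nobjs; i++)
        if (!reached[i]) unreferenced++;
    return unreferenced;
}

/* The graph from the reports: the namespace holds the ctl_table_header, the
 * header holds the ctl_table (ctl_table_arg) and its parent ctl_dir. While
 * the namespace is referenced from a root nothing is reported; once it is
 * freed without retiring the sysctls, the header and everything only it
 * points to are reported together. Returns the number of leaked objects. */
static int leaks_in_scenario(int namespace_still_referenced)
{
    uintptr_t root_word = 0;   /* stands in for a pointer kept in .data/.bss */
    int leaks;

    reset_all();
    struct obj *ns = track_alloc(), *hdr = track_alloc();
    struct obj *tbl = track_alloc(), *dir = track_alloc();
    if (!ns || !hdr || !tbl || !dir) { reset_all(); return -1; }
    ns->words[0]  = (uintptr_t)hdr;   /* ns->mq_sysctls */
    hdr->words[0] = (uintptr_t)tbl;   /* header->ctl_table_arg */
    hdr->words[1] = (uintptr_t)dir;   /* header->parent */
    if (namespace_still_referenced)
        root_word = (uintptr_t)ns;
    else
        untrack_free(ns);   /* kfree(ns) on the error path, header never retired */
    leaks = scan(&root_word, 1);
    reset_all();
    return leaks;
}
```

With the namespace still rooted the scan reports nothing; once the namespace is freed without retiring the header, the header, table and dir are all reported in the same pass, which is why chasing the parent object (the one nothing else points to) is the productive direction.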


* [PATCH] ipc: Free mq_sysctls if ipc namespace creation failed
  2022-06-21 14:30   ` Eric W. Biederman
  2022-06-21 22:41     ` Alexey Gladkov
  2022-06-22 17:16     ` Catalin Marinas
@ 2022-06-22 20:07     ` Alexey Gladkov
  2022-06-22 22:55       ` Eric W. Biederman
  2 siblings, 1 reply; 8+ messages in thread
From: Alexey Gladkov @ 2022-06-22 20:07 UTC (permalink / raw)
  To: LKML, Linux Containers, Dmitry Vyukov, Eric W. Biederman,
	Catalin Marinas, syzkaller-bugs, syzbot+b4b0d1b35442afbf6fd2

The problem that Dmitry Vyukov pointed out is that if setup_ipc_sysctls fails,
mq_sysctls must be freed before return.

executing program
BUG: memory leak
unreferenced object 0xffff888112fc9200 (size 512):
  comm "syz-executor237", pid 3648, jiffies 4294970469 (age 12.270s)
  hex dump (first 32 bytes):
    ef d3 60 85 ff ff ff ff 0c 9b d2 12 81 88 ff ff  ..`.............
    04 00 00 00 a4 01 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff814b6eb3>] kmemdup+0x23/0x50 mm/util.c:129
    [<ffffffff82219a9b>] kmemdup include/linux/fortify-string.h:456 [inline]
    [<ffffffff82219a9b>] setup_mq_sysctls+0x4b/0x1c0 ipc/mq_sysctl.c:89
    [<ffffffff822197f2>] create_ipc_ns ipc/namespace.c:63 [inline]
    [<ffffffff822197f2>] copy_ipcs+0x292/0x390 ipc/namespace.c:91
    [<ffffffff8127de7c>] create_new_namespaces+0xdc/0x4f0 kernel/nsproxy.c:90
    [<ffffffff8127e89b>] unshare_nsproxy_namespaces+0x9b/0x120 kernel/nsproxy.c:226
    [<ffffffff8123f92e>] ksys_unshare+0x2fe/0x600 kernel/fork.c:3165
    [<ffffffff8123fc42>] __do_sys_unshare kernel/fork.c:3236 [inline]
    [<ffffffff8123fc42>] __se_sys_unshare kernel/fork.c:3234 [inline]
    [<ffffffff8123fc42>] __x64_sys_unshare+0x12/0x20 kernel/fork.c:3234
    [<ffffffff845aab45>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    [<ffffffff845aab45>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
    [<ffffffff8460006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0

BUG: memory leak
unreferenced object 0xffff888112fd5f00 (size 256):
  comm "syz-executor237", pid 3648, jiffies 4294970469 (age 12.270s)
  hex dump (first 32 bytes):
    00 92 fc 12 81 88 ff ff 00 00 00 00 01 00 00 00  ................
    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff816fea1b>] kmalloc include/linux/slab.h:605 [inline]
    [<ffffffff816fea1b>] kzalloc include/linux/slab.h:733 [inline]
    [<ffffffff816fea1b>] __register_sysctl_table+0x7b/0x7f0 fs/proc/proc_sysctl.c:1344
    [<ffffffff82219b7a>] setup_mq_sysctls+0x12a/0x1c0 ipc/mq_sysctl.c:112
    [<ffffffff822197f2>] create_ipc_ns ipc/namespace.c:63 [inline]
    [<ffffffff822197f2>] copy_ipcs+0x292/0x390 ipc/namespace.c:91
    [<ffffffff8127de7c>] create_new_namespaces+0xdc/0x4f0 kernel/nsproxy.c:90
    [<ffffffff8127e89b>] unshare_nsproxy_namespaces+0x9b/0x120 kernel/nsproxy.c:226
    [<ffffffff8123f92e>] ksys_unshare+0x2fe/0x600 kernel/fork.c:3165
    [<ffffffff8123fc42>] __do_sys_unshare kernel/fork.c:3236 [inline]
    [<ffffffff8123fc42>] __se_sys_unshare kernel/fork.c:3234 [inline]
    [<ffffffff8123fc42>] __x64_sys_unshare+0x12/0x20 kernel/fork.c:3234
    [<ffffffff845aab45>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    [<ffffffff845aab45>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
    [<ffffffff8460006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0

BUG: memory leak
unreferenced object 0xffff888112fbba00 (size 256):
  comm "syz-executor237", pid 3648, jiffies 4294970469 (age 12.270s)
  hex dump (first 32 bytes):
    78 ba fb 12 81 88 ff ff 00 00 00 00 01 00 00 00  x...............
    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff816fef49>] kmalloc include/linux/slab.h:605 [inline]
    [<ffffffff816fef49>] kzalloc include/linux/slab.h:733 [inline]
    [<ffffffff816fef49>] new_dir fs/proc/proc_sysctl.c:978 [inline]
    [<ffffffff816fef49>] get_subdir fs/proc/proc_sysctl.c:1022 [inline]
    [<ffffffff816fef49>] __register_sysctl_table+0x5a9/0x7f0 fs/proc/proc_sysctl.c:1373
    [<ffffffff82219b7a>] setup_mq_sysctls+0x12a/0x1c0 ipc/mq_sysctl.c:112
    [<ffffffff822197f2>] create_ipc_ns ipc/namespace.c:63 [inline]
    [<ffffffff822197f2>] copy_ipcs+0x292/0x390 ipc/namespace.c:91
    [<ffffffff8127de7c>] create_new_namespaces+0xdc/0x4f0 kernel/nsproxy.c:90
    [<ffffffff8127e89b>] unshare_nsproxy_namespaces+0x9b/0x120 kernel/nsproxy.c:226
    [<ffffffff8123f92e>] ksys_unshare+0x2fe/0x600 kernel/fork.c:3165
    [<ffffffff8123fc42>] __do_sys_unshare kernel/fork.c:3236 [inline]
    [<ffffffff8123fc42>] __se_sys_unshare kernel/fork.c:3234 [inline]
    [<ffffffff8123fc42>] __x64_sys_unshare+0x12/0x20 kernel/fork.c:3234
    [<ffffffff845aab45>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    [<ffffffff845aab45>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
    [<ffffffff8460006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0

BUG: memory leak
unreferenced object 0xffff888112fbb900 (size 256):
  comm "syz-executor237", pid 3648, jiffies 4294970469 (age 12.270s)
  hex dump (first 32 bytes):
    78 b9 fb 12 81 88 ff ff 00 00 00 00 01 00 00 00  x...............
    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff816fef49>] kmalloc include/linux/slab.h:605 [inline]
    [<ffffffff816fef49>] kzalloc include/linux/slab.h:733 [inline]
    [<ffffffff816fef49>] new_dir fs/proc/proc_sysctl.c:978 [inline]
    [<ffffffff816fef49>] get_subdir fs/proc/proc_sysctl.c:1022 [inline]
    [<ffffffff816fef49>] __register_sysctl_table+0x5a9/0x7f0 fs/proc/proc_sysctl.c:1373
    [<ffffffff82219b7a>] setup_mq_sysctls+0x12a/0x1c0 ipc/mq_sysctl.c:112
    [<ffffffff822197f2>] create_ipc_ns ipc/namespace.c:63 [inline]
    [<ffffffff822197f2>] copy_ipcs+0x292/0x390 ipc/namespace.c:91
    [<ffffffff8127de7c>] create_new_namespaces+0xdc/0x4f0 kernel/nsproxy.c:90
    [<ffffffff8127e89b>] unshare_nsproxy_namespaces+0x9b/0x120 kernel/nsproxy.c:226
    [<ffffffff8123f92e>] ksys_unshare+0x2fe/0x600 kernel/fork.c:3165
    [<ffffffff8123fc42>] __do_sys_unshare kernel/fork.c:3236 [inline]
    [<ffffffff8123fc42>] __se_sys_unshare kernel/fork.c:3234 [inline]
    [<ffffffff8123fc42>] __x64_sys_unshare+0x12/0x20 kernel/fork.c:3234
    [<ffffffff845aab45>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    [<ffffffff845aab45>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
    [<ffffffff8460006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0

Reported-by: syzbot+b4b0d1b35442afbf6fd2@syzkaller.appspotmail.com
Signed-off-by: Alexey Gladkov <legion@kernel.org>
---
 ipc/namespace.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ipc/namespace.c b/ipc/namespace.c
index 754f3237194a..e1fcaedba4fa 100644
--- a/ipc/namespace.c
+++ b/ipc/namespace.c
@@ -64,7 +64,7 @@ static struct ipc_namespace *create_ipc_ns(struct user_namespace *user_ns,
 		goto fail_put;
 
 	if (!setup_ipc_sysctls(ns))
-		goto fail_put;
+		goto fail_mq;
 
 	sem_init_ns(ns);
 	msg_init_ns(ns);
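
Review bot: the new `goto fail_mq` covers only the setup_ipc_sysctls() failure, which is the right target in this hunk since it is the only checked call between the mq registration and `return ns` (sem_init_ns() and msg_init_ns() are invoked without a return value being tested). The `goto fail_put;` that opens the hunk's leading context belongs to an earlier check the hunk does not show; if that is the setup_mq_sysctls() check, it still bypasses the new label, so please confirm in the commit message that setup_mq_sysctls() unregisters its own partial table on failure, otherwise that path leaks the same objects.
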
@@ -72,6 +72,9 @@ static struct ipc_namespace *create_ipc_ns(struct user_namespace *user_ns,
 
 	return ns;
 
+fail_mq:
+	retire_mq_sysctls(ns);
+
 fail_put:
 	put_user_ns(ns->user_ns);
 	ns_free_inum(&ns->ns);
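
Review bot: the unwind order is right, `fail_mq:` falls through into `fail_put:` so retire_mq_sysctls() runs before put_user_ns() and ns_free_inum(), mirroring setup in reverse. Two small points: the blank line between `retire_mq_sysctls(ns);` and `fail_put:` breaks the compact label ladder the rest of this function uses, and the commit message should carry a Fixes: tag naming the commit that introduced setup_mq_sysctls() so the fix is picked up by stable, and say explicitly that retire_mq_sysctls() is safe to call on a namespace whose ipc sysctls were never set up.
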
-- 
2.33.3



* Re: [PATCH] ipc: Free mq_sysctls if ipc namespace creation failed
  2022-06-22 20:07     ` [PATCH] ipc: Free mq_sysctls if ipc namespace creation failed Alexey Gladkov
@ 2022-06-22 22:55       ` Eric W. Biederman
  0 siblings, 0 replies; 8+ messages in thread
From: Eric W. Biederman @ 2022-06-22 22:55 UTC (permalink / raw)
  To: Alexey Gladkov
  Cc: LKML, Linux Containers, Dmitry Vyukov, Catalin Marinas,
	syzkaller-bugs, syzbot+b4b0d1b35442afbf6fd2

Alexey Gladkov <legion@kernel.org> writes:

> The problem that Dmitry Vyukov pointed out is that if setup_ipc_sysctls fails,
> mq_sysctls must be freed before return.

Can we get a tested-by from syzbot?

It would be nice to confirm that this bug is the one syzbot was seeing.

Thank you,
Eric



> executing program
> BUG: memory leak
> unreferenced object 0xffff888112fc9200 (size 512):
>   comm "syz-executor237", pid 3648, jiffies 4294970469 (age 12.270s)
>   hex dump (first 32 bytes):
>     ef d3 60 85 ff ff ff ff 0c 9b d2 12 81 88 ff ff  ..`.............
>     04 00 00 00 a4 01 00 00 00 00 00 00 00 00 00 00  ................
>   backtrace:
>     [<ffffffff814b6eb3>] kmemdup+0x23/0x50 mm/util.c:129
>     [<ffffffff82219a9b>] kmemdup include/linux/fortify-string.h:456 [inline]
>     [<ffffffff82219a9b>] setup_mq_sysctls+0x4b/0x1c0 ipc/mq_sysctl.c:89
>     [<ffffffff822197f2>] create_ipc_ns ipc/namespace.c:63 [inline]
>     [<ffffffff822197f2>] copy_ipcs+0x292/0x390 ipc/namespace.c:91
>     [<ffffffff8127de7c>] create_new_namespaces+0xdc/0x4f0 kernel/nsproxy.c:90
>     [<ffffffff8127e89b>] unshare_nsproxy_namespaces+0x9b/0x120 kernel/nsproxy.c:226
>     [<ffffffff8123f92e>] ksys_unshare+0x2fe/0x600 kernel/fork.c:3165
>     [<ffffffff8123fc42>] __do_sys_unshare kernel/fork.c:3236 [inline]
>     [<ffffffff8123fc42>] __se_sys_unshare kernel/fork.c:3234 [inline]
>     [<ffffffff8123fc42>] __x64_sys_unshare+0x12/0x20 kernel/fork.c:3234
>     [<ffffffff845aab45>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>     [<ffffffff845aab45>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
>     [<ffffffff8460006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
>
> BUG: memory leak
> unreferenced object 0xffff888112fd5f00 (size 256):
>   comm "syz-executor237", pid 3648, jiffies 4294970469 (age 12.270s)
>   hex dump (first 32 bytes):
>     00 92 fc 12 81 88 ff ff 00 00 00 00 01 00 00 00  ................
>     01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   backtrace:
>     [<ffffffff816fea1b>] kmalloc include/linux/slab.h:605 [inline]
>     [<ffffffff816fea1b>] kzalloc include/linux/slab.h:733 [inline]
>     [<ffffffff816fea1b>] __register_sysctl_table+0x7b/0x7f0 fs/proc/proc_sysctl.c:1344
>     [<ffffffff82219b7a>] setup_mq_sysctls+0x12a/0x1c0 ipc/mq_sysctl.c:112
>     [<ffffffff822197f2>] create_ipc_ns ipc/namespace.c:63 [inline]
>     [<ffffffff822197f2>] copy_ipcs+0x292/0x390 ipc/namespace.c:91
>     [<ffffffff8127de7c>] create_new_namespaces+0xdc/0x4f0 kernel/nsproxy.c:90
>     [<ffffffff8127e89b>] unshare_nsproxy_namespaces+0x9b/0x120 kernel/nsproxy.c:226
>     [<ffffffff8123f92e>] ksys_unshare+0x2fe/0x600 kernel/fork.c:3165
>     [<ffffffff8123fc42>] __do_sys_unshare kernel/fork.c:3236 [inline]
>     [<ffffffff8123fc42>] __se_sys_unshare kernel/fork.c:3234 [inline]
>     [<ffffffff8123fc42>] __x64_sys_unshare+0x12/0x20 kernel/fork.c:3234
>     [<ffffffff845aab45>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>     [<ffffffff845aab45>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
>     [<ffffffff8460006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
>
> BUG: memory leak
> unreferenced object 0xffff888112fbba00 (size 256):
>   comm "syz-executor237", pid 3648, jiffies 4294970469 (age 12.270s)
>   hex dump (first 32 bytes):
>     78 ba fb 12 81 88 ff ff 00 00 00 00 01 00 00 00  x...............
>     01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   backtrace:
>     [<ffffffff816fef49>] kmalloc include/linux/slab.h:605 [inline]
>     [<ffffffff816fef49>] kzalloc include/linux/slab.h:733 [inline]
>     [<ffffffff816fef49>] new_dir fs/proc/proc_sysctl.c:978 [inline]
>     [<ffffffff816fef49>] get_subdir fs/proc/proc_sysctl.c:1022 [inline]
>     [<ffffffff816fef49>] __register_sysctl_table+0x5a9/0x7f0 fs/proc/proc_sysctl.c:1373
>     [<ffffffff82219b7a>] setup_mq_sysctls+0x12a/0x1c0 ipc/mq_sysctl.c:112
>     [<ffffffff822197f2>] create_ipc_ns ipc/namespace.c:63 [inline]
>     [<ffffffff822197f2>] copy_ipcs+0x292/0x390 ipc/namespace.c:91
>     [<ffffffff8127de7c>] create_new_namespaces+0xdc/0x4f0 kernel/nsproxy.c:90
>     [<ffffffff8127e89b>] unshare_nsproxy_namespaces+0x9b/0x120 kernel/nsproxy.c:226
>     [<ffffffff8123f92e>] ksys_unshare+0x2fe/0x600 kernel/fork.c:3165
>     [<ffffffff8123fc42>] __do_sys_unshare kernel/fork.c:3236 [inline]
>     [<ffffffff8123fc42>] __se_sys_unshare kernel/fork.c:3234 [inline]
>     [<ffffffff8123fc42>] __x64_sys_unshare+0x12/0x20 kernel/fork.c:3234
>     [<ffffffff845aab45>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>     [<ffffffff845aab45>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
>     [<ffffffff8460006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
>
> BUG: memory leak
> unreferenced object 0xffff888112fbb900 (size 256):
>   comm "syz-executor237", pid 3648, jiffies 4294970469 (age 12.270s)
>   hex dump (first 32 bytes):
>     78 b9 fb 12 81 88 ff ff 00 00 00 00 01 00 00 00  x...............
>     01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   backtrace:
>     [<ffffffff816fef49>] kmalloc include/linux/slab.h:605 [inline]
>     [<ffffffff816fef49>] kzalloc include/linux/slab.h:733 [inline]
>     [<ffffffff816fef49>] new_dir fs/proc/proc_sysctl.c:978 [inline]
>     [<ffffffff816fef49>] get_subdir fs/proc/proc_sysctl.c:1022 [inline]
>     [<ffffffff816fef49>] __register_sysctl_table+0x5a9/0x7f0 fs/proc/proc_sysctl.c:1373
>     [<ffffffff82219b7a>] setup_mq_sysctls+0x12a/0x1c0 ipc/mq_sysctl.c:112
>     [<ffffffff822197f2>] create_ipc_ns ipc/namespace.c:63 [inline]
>     [<ffffffff822197f2>] copy_ipcs+0x292/0x390 ipc/namespace.c:91
>     [<ffffffff8127de7c>] create_new_namespaces+0xdc/0x4f0 kernel/nsproxy.c:90
>     [<ffffffff8127e89b>] unshare_nsproxy_namespaces+0x9b/0x120 kernel/nsproxy.c:226
>     [<ffffffff8123f92e>] ksys_unshare+0x2fe/0x600 kernel/fork.c:3165
>     [<ffffffff8123fc42>] __do_sys_unshare kernel/fork.c:3236 [inline]
>     [<ffffffff8123fc42>] __se_sys_unshare kernel/fork.c:3234 [inline]
>     [<ffffffff8123fc42>] __x64_sys_unshare+0x12/0x20 kernel/fork.c:3234
>     [<ffffffff845aab45>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>     [<ffffffff845aab45>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
>     [<ffffffff8460006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
>
> Reported-by: syzbot+b4b0d1b35442afbf6fd2@syzkaller.appspotmail.com
> Signed-off-by: Alexey Gladkov <legion@kernel.org>
> ---
>  ipc/namespace.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/ipc/namespace.c b/ipc/namespace.c
> index 754f3237194a..e1fcaedba4fa 100644
> --- a/ipc/namespace.c
> +++ b/ipc/namespace.c
> @@ -64,7 +64,7 @@ static struct ipc_namespace *create_ipc_ns(struct user_namespace *user_ns,
>  		goto fail_put;
>  
>  	if (!setup_ipc_sysctls(ns))
> -		goto fail_put;
> +		goto fail_mq;
>  
>  	sem_init_ns(ns);
>  	msg_init_ns(ns);
> @@ -72,6 +72,9 @@ static struct ipc_namespace *create_ipc_ns(struct user_namespace *user_ns,
>  
>  	return ns;
>  
> +fail_mq:
> +	retire_mq_sysctls(ns);
> +
>  fail_put:
>  	put_user_ns(ns->user_ns);
>  	ns_free_inum(&ns->ns);


2022-06-20  6:52 [syzbot] memory leak in setup_mq_sysctls syzbot
2022-06-21  9:54 ` Alexey Gladkov
2022-06-21 14:30   ` Eric W. Biederman
2022-06-21 22:41     ` Alexey Gladkov
2022-06-22  7:39       ` Dmitry Vyukov
2022-06-22 17:16     ` Catalin Marinas
2022-06-22 20:07     ` [PATCH] ipc: Free mq_sysctls if ipc namespace creation failed Alexey Gladkov
2022-06-22 22:55       ` Eric W. Biederman
