* memory leak in prepare_creds
@ 2020-08-27 22:28 syzbot
  2020-11-28  3:47 ` syzbot
       [not found] ` <20201128080016.9132-1-hdanton@sina.com>
  0 siblings, 2 replies; 5+ messages in thread
From: syzbot @ 2020-08-27 22:28 UTC (permalink / raw)
  To: akpm, bernd.edlinger, dhowells, ebiederm, keescook, linux-kernel,
	mhocko, shakeelb, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    c3d8f220 Merge tag 'kbuild-fixes-v5.9' of git://git.kernel..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14bf4f5e900000
kernel config:  https://syzkaller.appspot.com/x/.config?x=948134d9ff96e950
dashboard link: https://syzkaller.appspot.com/bug?extid=71c4697e27c99fddcf17
compiler:       gcc (GCC) 10.1.0-syz 20200507
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=115a5519900000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+71c4697e27c99fddcf17@syzkaller.appspotmail.com

BUG: memory leak
unreferenced object 0xffff88812a413f00 (size 168):
  comm "syz-executor.0", pid 6554, jiffies 4294953946 (age 13.120s)
  hex dump (first 32 bytes):
    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<000000008b882031>] prepare_creds+0x25/0x2f0 kernel/cred.c:258
    [<000000001d1756e8>] copy_creds+0x2e/0x1d1 kernel/cred.c:358
    [<00000000a3a640ca>] copy_process+0x50c/0x1f20 kernel/fork.c:1949
    [<00000000a1ad8dee>] _do_fork+0xad/0x530 kernel/fork.c:2428
    [<0000000070af4cd7>] __do_sys_clone+0x76/0xa0 kernel/fork.c:2545
    [<000000001470b5cf>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000b4c4b313>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811b54e440 (size 32):
  comm "syz-executor.0", pid 6554, jiffies 4294953946 (age 13.120s)
  hex dump (first 32 bytes):
    01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<00000000138403e6>] kmalloc include/linux/slab.h:559 [inline]
    [<00000000138403e6>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000138403e6>] lsm_cred_alloc security/security.c:532 [inline]
    [<00000000138403e6>] security_prepare_creds+0x97/0xc0 security/security.c:1631
    [<0000000051662e48>] prepare_creds+0x1e1/0x2f0 kernel/cred.c:285
    [<000000001d1756e8>] copy_creds+0x2e/0x1d1 kernel/cred.c:358
    [<00000000a3a640ca>] copy_process+0x50c/0x1f20 kernel/fork.c:1949
    [<00000000a1ad8dee>] _do_fork+0xad/0x530 kernel/fork.c:2428
    [<0000000070af4cd7>] __do_sys_clone+0x76/0xa0 kernel/fork.c:2545
    [<000000001470b5cf>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000b4c4b313>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88812a657a00 (size 256):
  comm "syz-executor.0", pid 6790, jiffies 4294953946 (age 13.120s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    a0 e1 14 2b 81 88 ff ff 80 74 8f 16 81 88 ff ff  ...+.....t......
  backtrace:
    [<0000000053e1d866>] kmem_cache_zalloc include/linux/slab.h:656 [inline]
    [<0000000053e1d866>] __alloc_file+0x23/0x120 fs/file_table.c:101
    [<000000000d5d3703>] alloc_empty_file+0x4f/0xe0 fs/file_table.c:151
    [<0000000091abea17>] alloc_file+0x31/0x160 fs/file_table.c:193
    [<000000004bfab74c>] alloc_file_pseudo+0xae/0x120 fs/file_table.c:233
    [<00000000fc9b3b90>] anon_inode_getfile fs/anon_inodes.c:91 [inline]
    [<00000000fc9b3b90>] anon_inode_getfile+0x8e/0x100 fs/anon_inodes.c:74
    [<00000000cbd9d057>] anon_inode_getfd+0x42/0x90 fs/anon_inodes.c:136
    [<00000000589d6af2>] bpf_map_new_fd kernel/bpf/syscall.c:686 [inline]
    [<00000000589d6af2>] bpf_map_new_fd kernel/bpf/syscall.c:678 [inline]
    [<00000000589d6af2>] map_create kernel/bpf/syscall.c:872 [inline]
    [<00000000589d6af2>] __do_sys_bpf+0x67c/0x2450 kernel/bpf/syscall.c:4160
    [<000000001470b5cf>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000b4c4b313>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88812a73db50 (size 16):
  comm "syz-executor.0", pid 6790, jiffies 4294953946 (age 13.120s)
  hex dump (first 16 bytes):
    01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<000000008ddd472b>] kmem_cache_zalloc include/linux/slab.h:656 [inline]
    [<000000008ddd472b>] lsm_file_alloc security/security.c:567 [inline]
    [<000000008ddd472b>] security_file_alloc+0x2e/0xc0 security/security.c:1455
    [<0000000079d891d7>] __alloc_file+0x61/0x120 fs/file_table.c:106
    [<000000000d5d3703>] alloc_empty_file+0x4f/0xe0 fs/file_table.c:151
    [<0000000091abea17>] alloc_file+0x31/0x160 fs/file_table.c:193
    [<000000004bfab74c>] alloc_file_pseudo+0xae/0x120 fs/file_table.c:233
    [<00000000fc9b3b90>] anon_inode_getfile fs/anon_inodes.c:91 [inline]
    [<00000000fc9b3b90>] anon_inode_getfile+0x8e/0x100 fs/anon_inodes.c:74
    [<00000000cbd9d057>] anon_inode_getfd+0x42/0x90 fs/anon_inodes.c:136
    [<00000000589d6af2>] bpf_map_new_fd kernel/bpf/syscall.c:686 [inline]
    [<00000000589d6af2>] bpf_map_new_fd kernel/bpf/syscall.c:678 [inline]
    [<00000000589d6af2>] map_create kernel/bpf/syscall.c:872 [inline]
    [<00000000589d6af2>] __do_sys_bpf+0x67c/0x2450 kernel/bpf/syscall.c:4160
    [<000000001470b5cf>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000b4c4b313>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88812a419240 (size 168):
  comm "syz-executor.0", pid 6554, jiffies 4294954493 (age 7.650s)
  hex dump (first 32 bytes):
    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<000000008b882031>] prepare_creds+0x25/0x2f0 kernel/cred.c:258
    [<000000001d1756e8>] copy_creds+0x2e/0x1d1 kernel/cred.c:358
    [<00000000a3a640ca>] copy_process+0x50c/0x1f20 kernel/fork.c:1949
    [<00000000a1ad8dee>] _do_fork+0xad/0x530 kernel/fork.c:2428
    [<0000000070af4cd7>] __do_sys_clone+0x76/0xa0 kernel/fork.c:2545
    [<000000001470b5cf>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000b4c4b313>] entry_SYSCALL_64_after_hwframe+0x44/0xa9



---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches


* Re: memory leak in prepare_creds
  2020-08-27 22:28 memory leak in prepare_creds syzbot
@ 2020-11-28  3:47 ` syzbot
  2020-11-30 18:52   ` Eric W. Biederman
       [not found] ` <20201128080016.9132-1-hdanton@sina.com>
  1 sibling, 1 reply; 5+ messages in thread
From: syzbot @ 2020-11-28  3:47 UTC (permalink / raw)
  To: akpm, bernd.edlinger, chris, dhowells, ebiederm, guro, keescook,
	linux-kernel, mhocko, shakeelb, syzkaller-bugs

syzbot has found a reproducer for the following issue on:

HEAD commit:    99c710c4 Merge tag 'platform-drivers-x86-v5.10-2' of git:/..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12a77ddd500000
kernel config:  https://syzkaller.appspot.com/x/.config?x=c7a27a77f20fbc95
dashboard link: https://syzkaller.appspot.com/bug?extid=71c4697e27c99fddcf17
compiler:       gcc (GCC) 10.1.0-syz 20200507
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12d6161d500000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16f15e65500000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+71c4697e27c99fddcf17@syzkaller.appspotmail.com

BUG: memory leak
unreferenced object 0xffff888101401300 (size 168):
  comm "syz-executor355", pid 8461, jiffies 4294953658 (age 32.400s)
  hex dump (first 32 bytes):
    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<00000000caa0de2b>] prepare_creds+0x25/0x390 kernel/cred.c:258
    [<000000001821b99d>] copy_creds+0x3a/0x230 kernel/cred.c:358
    [<0000000022c32914>] copy_process+0x661/0x24d0 kernel/fork.c:1971
    [<00000000d3adca2d>] kernel_clone+0xf3/0x670 kernel/fork.c:2456
    [<00000000d11b7286>] __do_sys_clone+0x76/0xa0 kernel/fork.c:2573
    [<000000008280baad>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000685d8cf0>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88810b0a6f20 (size 32):
  comm "syz-executor355", pid 8461, jiffies 4294953658 (age 32.400s)
  hex dump (first 32 bytes):
    b0 6e 93 00 81 88 ff ff 00 00 00 00 00 00 00 00  .n..............
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<000000007d750ba1>] kmalloc include/linux/slab.h:557 [inline]
    [<000000007d750ba1>] kzalloc include/linux/slab.h:664 [inline]
    [<000000007d750ba1>] lsm_cred_alloc security/security.c:533 [inline]
    [<000000007d750ba1>] security_prepare_creds+0xa5/0xd0 security/security.c:1632
    [<00000000ba63fcc7>] prepare_creds+0x277/0x390 kernel/cred.c:285
    [<000000001821b99d>] copy_creds+0x3a/0x230 kernel/cred.c:358
    [<0000000022c32914>] copy_process+0x661/0x24d0 kernel/fork.c:1971
    [<00000000d3adca2d>] kernel_clone+0xf3/0x670 kernel/fork.c:2456
    [<00000000d11b7286>] __do_sys_clone+0x76/0xa0 kernel/fork.c:2573
    [<000000008280baad>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000685d8cf0>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff888101ea2200 (size 256):
  comm "syz-executor355", pid 8470, jiffies 4294953658 (age 32.400s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    20 59 03 01 81 88 ff ff 80 87 a8 10 81 88 ff ff   Y..............
  backtrace:
    [<000000002e0a7c5f>] kmem_cache_zalloc include/linux/slab.h:654 [inline]
    [<000000002e0a7c5f>] __alloc_file+0x1f/0x130 fs/file_table.c:101
    [<000000001a55b73a>] alloc_empty_file+0x69/0x120 fs/file_table.c:151
    [<00000000fb22349e>] alloc_file+0x33/0x1b0 fs/file_table.c:193
    [<000000006e1465bb>] alloc_file_pseudo+0xb2/0x140 fs/file_table.c:233
    [<000000007118092a>] anon_inode_getfile fs/anon_inodes.c:91 [inline]
    [<000000007118092a>] anon_inode_getfile+0xaa/0x120 fs/anon_inodes.c:74
    [<000000002ae99012>] io_uring_get_fd fs/io_uring.c:9198 [inline]
    [<000000002ae99012>] io_uring_create fs/io_uring.c:9377 [inline]
    [<000000002ae99012>] io_uring_setup+0x1125/0x1630 fs/io_uring.c:9411
    [<000000008280baad>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000685d8cf0>] entry_SYSCALL_64_after_hwframe+0x44/0xa9




* Re: memory leak in prepare_creds
  2020-11-28  3:47 ` syzbot
@ 2020-11-30 18:52   ` Eric W. Biederman
  0 siblings, 0 replies; 5+ messages in thread
From: Eric W. Biederman @ 2020-11-30 18:52 UTC (permalink / raw)
  To: syzbot
  Cc: akpm, bernd.edlinger, chris, dhowells, guro, keescook,
	linux-kernel, mhocko, shakeelb, syzkaller-bugs, Jens Axboe,
	Tetsuo Handa

syzbot <syzbot+71c4697e27c99fddcf17@syzkaller.appspotmail.com> writes:

> syzbot has found a reproducer for the following issue on:
>
> HEAD commit:    99c710c4 Merge tag 'platform-drivers-x86-v5.10-2' of git:/..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=12a77ddd500000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=c7a27a77f20fbc95
> dashboard link: https://syzkaller.appspot.com/bug?extid=71c4697e27c99fddcf17
> compiler:       gcc (GCC) 10.1.0-syz 20200507
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12d6161d500000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16f15e65500000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+71c4697e27c99fddcf17@syzkaller.appspotmail.com

My guess is someone's error cleanup somewhere did the wrong thing.

It looks like there was one forced failure in tomoyo and the rest were
in io_uring.  Adding the relevant maintainers; perhaps one of them can
see the problem.

>
> BUG: memory leak
> unreferenced object 0xffff888101401300 (size 168):
>   comm "syz-executor355", pid 8461, jiffies 4294953658 (age 32.400s)
>   hex dump (first 32 bytes):
>     01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   backtrace:
>     [<00000000caa0de2b>] prepare_creds+0x25/0x390 kernel/cred.c:258
>     [<000000001821b99d>] copy_creds+0x3a/0x230 kernel/cred.c:358
>     [<0000000022c32914>] copy_process+0x661/0x24d0 kernel/fork.c:1971
>     [<00000000d3adca2d>] kernel_clone+0xf3/0x670 kernel/fork.c:2456
>     [<00000000d11b7286>] __do_sys_clone+0x76/0xa0 kernel/fork.c:2573
>     [<000000008280baad>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
>     [<00000000685d8cf0>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> BUG: memory leak
> unreferenced object 0xffff88810b0a6f20 (size 32):
>   comm "syz-executor355", pid 8461, jiffies 4294953658 (age 32.400s)
>   hex dump (first 32 bytes):
>     b0 6e 93 00 81 88 ff ff 00 00 00 00 00 00 00 00  .n..............
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   backtrace:
>     [<000000007d750ba1>] kmalloc include/linux/slab.h:557 [inline]
>     [<000000007d750ba1>] kzalloc include/linux/slab.h:664 [inline]
>     [<000000007d750ba1>] lsm_cred_alloc security/security.c:533 [inline]
>     [<000000007d750ba1>] security_prepare_creds+0xa5/0xd0 security/security.c:1632
>     [<00000000ba63fcc7>] prepare_creds+0x277/0x390 kernel/cred.c:285
>     [<000000001821b99d>] copy_creds+0x3a/0x230 kernel/cred.c:358
>     [<0000000022c32914>] copy_process+0x661/0x24d0 kernel/fork.c:1971
>     [<00000000d3adca2d>] kernel_clone+0xf3/0x670 kernel/fork.c:2456
>     [<00000000d11b7286>] __do_sys_clone+0x76/0xa0 kernel/fork.c:2573
>     [<000000008280baad>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
>     [<00000000685d8cf0>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> BUG: memory leak
> unreferenced object 0xffff888101ea2200 (size 256):
>   comm "syz-executor355", pid 8470, jiffies 4294953658 (age 32.400s)
>   hex dump (first 32 bytes):
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     20 59 03 01 81 88 ff ff 80 87 a8 10 81 88 ff ff   Y..............
>   backtrace:
>     [<000000002e0a7c5f>] kmem_cache_zalloc include/linux/slab.h:654 [inline]
>     [<000000002e0a7c5f>] __alloc_file+0x1f/0x130 fs/file_table.c:101
>     [<000000001a55b73a>] alloc_empty_file+0x69/0x120 fs/file_table.c:151
>     [<00000000fb22349e>] alloc_file+0x33/0x1b0 fs/file_table.c:193
>     [<000000006e1465bb>] alloc_file_pseudo+0xb2/0x140 fs/file_table.c:233
>     [<000000007118092a>] anon_inode_getfile fs/anon_inodes.c:91 [inline]
>     [<000000007118092a>] anon_inode_getfile+0xaa/0x120 fs/anon_inodes.c:74
>     [<000000002ae99012>] io_uring_get_fd fs/io_uring.c:9198 [inline]
>     [<000000002ae99012>] io_uring_create fs/io_uring.c:9377 [inline]
>     [<000000002ae99012>] io_uring_setup+0x1125/0x1630 fs/io_uring.c:9411
>     [<000000008280baad>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
>     [<00000000685d8cf0>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

Eric


* Re: memory leak in prepare_creds
       [not found] ` <20201128080016.9132-1-hdanton@sina.com>
@ 2020-12-06 13:31   ` Pavel Begunkov
  0 siblings, 0 replies; 5+ messages in thread
From: Pavel Begunkov @ 2020-12-06 13:31 UTC (permalink / raw)
  To: Hillf Danton, syzbot; +Cc: axboe, io-uring, linux-kernel, syzkaller-bugs

On 28/11/2020 08:00, Hillf Danton wrote:
> On Fri, 27 Nov 2020 19:47:15 -0800
>> syzbot has found a reproducer for the following issue on:
>>
>> HEAD commit:    99c710c4 Merge tag 'platform-drivers-x86-v5.10-2' of git:/..
>> git tree:       upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=12a77ddd500000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=c7a27a77f20fbc95
>> dashboard link: https://syzkaller.appspot.com/bug?extid=71c4697e27c99fddcf17
>> compiler:       gcc (GCC) 10.1.0-syz 20200507
>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12d6161d500000
>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16f15e65500000
>>
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: syzbot+71c4697e27c99fddcf17@syzkaller.appspotmail.com
>>
>> BUG: memory leak
>> unreferenced object 0xffff888101401300 (size 168):
>>   comm "syz-executor355", pid 8461, jiffies 4294953658 (age 32.400s)
>>   hex dump (first 32 bytes):
>>     01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>>   backtrace:
>>     [<00000000caa0de2b>] prepare_creds+0x25/0x390 kernel/cred.c:258
>>     [<000000001821b99d>] copy_creds+0x3a/0x230 kernel/cred.c:358
>>     [<0000000022c32914>] copy_process+0x661/0x24d0 kernel/fork.c:1971
>>     [<00000000d3adca2d>] kernel_clone+0xf3/0x670 kernel/fork.c:2456
>>     [<00000000d11b7286>] __do_sys_clone+0x76/0xa0 kernel/fork.c:2573
>>     [<000000008280baad>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
>>     [<00000000685d8cf0>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>>
>> BUG: memory leak
>> unreferenced object 0xffff88810b0a6f20 (size 32):
>>   comm "syz-executor355", pid 8461, jiffies 4294953658 (age 32.400s)
>>   hex dump (first 32 bytes):
>>     b0 6e 93 00 81 88 ff ff 00 00 00 00 00 00 00 00  .n..............
>>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>>   backtrace:
>>     [<000000007d750ba1>] kmalloc include/linux/slab.h:557 [inline]
>>     [<000000007d750ba1>] kzalloc include/linux/slab.h:664 [inline]
>>     [<000000007d750ba1>] lsm_cred_alloc security/security.c:533 [inline]
>>     [<000000007d750ba1>] security_prepare_creds+0xa5/0xd0 security/security.c:1632
>>     [<00000000ba63fcc7>] prepare_creds+0x277/0x390 kernel/cred.c:285
>>     [<000000001821b99d>] copy_creds+0x3a/0x230 kernel/cred.c:358
>>     [<0000000022c32914>] copy_process+0x661/0x24d0 kernel/fork.c:1971
>>     [<00000000d3adca2d>] kernel_clone+0xf3/0x670 kernel/fork.c:2456
>>     [<00000000d11b7286>] __do_sys_clone+0x76/0xa0 kernel/fork.c:2573
>>     [<000000008280baad>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
>>     [<00000000685d8cf0>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> 
> Fail to spot the cred leak.
>>
>> BUG: memory leak
>> unreferenced object 0xffff888101ea2200 (size 256):
>>   comm "syz-executor355", pid 8470, jiffies 4294953658 (age 32.400s)
>>   hex dump (first 32 bytes):
>>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>>     20 59 03 01 81 88 ff ff 80 87 a8 10 81 88 ff ff   Y..............
>>   backtrace:
>>     [<000000002e0a7c5f>] kmem_cache_zalloc include/linux/slab.h:654 [inline]
>>     [<000000002e0a7c5f>] __alloc_file+0x1f/0x130 fs/file_table.c:101
>>     [<000000001a55b73a>] alloc_empty_file+0x69/0x120 fs/file_table.c:151
>>     [<00000000fb22349e>] alloc_file+0x33/0x1b0 fs/file_table.c:193
>>     [<000000006e1465bb>] alloc_file_pseudo+0xb2/0x140 fs/file_table.c:233
>>     [<000000007118092a>] anon_inode_getfile fs/anon_inodes.c:91 [inline]
>>     [<000000007118092a>] anon_inode_getfile+0xaa/0x120 fs/anon_inodes.c:74
>>     [<000000002ae99012>] io_uring_get_fd fs/io_uring.c:9198 [inline]
>>     [<000000002ae99012>] io_uring_create fs/io_uring.c:9377 [inline]
>>     [<000000002ae99012>] io_uring_setup+0x1125/0x1630 fs/io_uring.c:9411
>>     [<000000008280baad>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
>>     [<00000000685d8cf0>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>>
> Put file as part of the error handling after getting a new one.

Looks genuine to me, would you send a real patch?

> 
> --- a/fs/io_uring.c
> +++ b/fs/io_uring.c
> @@ -9182,6 +9182,7 @@ static int io_uring_get_fd(struct io_rin
>  {
>  	struct file *file;
>  	int ret;
> +	int fd;
>  
>  #if defined(CONFIG_UNIX)
>  	ret = sock_create_kern(&init_net, PF_UNIX, SOCK_RAW, IPPROTO_IP,
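Review bot: Keeping a separate `fd` is the right direction, since the root of the old `err_fd:` trouble is that `ret` served both as the descriptor and as the error code; to get the full benefit, `ret` should then carry only error values and every later use of the descriptor should read `fd`.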
> @@ -9190,28 +9191,29 @@ static int io_uring_get_fd(struct io_rin
>  		return ret;
>  #endif
>  
> -	ret = get_unused_fd_flags(O_RDWR | O_CLOEXEC);
> +	ret = fd = get_unused_fd_flags(O_RDWR | O_CLOEXEC);
>  	if (ret < 0)
>  		goto err;
>  
>  	file = anon_inode_getfile("[io_uring]", &io_uring_fops, ctx,
>  					O_RDWR | O_CLOEXEC);
>  	if (IS_ERR(file)) {
> -err_fd:
> -		put_unused_fd(ret);
>  		ret = PTR_ERR(file);
> +		put_unused_fd(fd);
>  		goto err;
>  	}
>  
>  #if defined(CONFIG_UNIX)
>  	ctx->ring_sock->file = file;
>  #endif
> -	if (unlikely(io_uring_add_task_file(ctx, file))) {
> -		file = ERR_PTR(-ENOMEM);
> -		goto err_fd;
> +	ret = io_uring_add_task_file(ctx, file);
> +	if (ret) {
> +		fput(file);
> +		put_unused_fd(fd);
> +		goto err;
>  	}
>  	fd_install(ret, file);
> -	return ret;
> +	return 0;
>  err:
>  #if defined(CONFIG_UNIX)
>  	sock_release(ctx->ring_sock);
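Review bot: `fd_install(ret, file);` and `return 0;` at the bottom of this hunk are wrong once `ret` stops holding the descriptor: after `ret = io_uring_add_task_file(ctx, file);` succeeds, `ret` is 0, so the file is installed at descriptor 0 and the caller, which takes a non-negative return as the new ring fd, always sees 0. Both must use the new variable:

	fd_install(fd, file);
	return fd;

With that, `ret = fd = get_unused_fd_flags(...)` can become `fd = get_unused_fd_flags(...); if (fd < 0) { ret = fd; goto err; }`. The added `fput(file)` on the `io_uring_add_task_file()` failure is the part that actually closes the reported leak: the old `goto err_fd` only released the descriptor number and never dropped the struct file, which holds a reference to the creator's cred, hence the `prepare_creds` objects in the kmemleak output. One thing to check: `fput()` here runs on a file whose private data is `ctx` and which is already stored in `ctx->ring_sock->file`, and the `err:` path then calls `sock_release(ctx->ring_sock)`, so the release callback in `io_uring_fops` and the caller's own teardown both act on `ctx`; that ordering needs confirming before this goes in.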
> 

-- 
Pavel Begunkov
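A userspace model of the error path Hillf Danton's patch repairs, and of Eric's guess that an error cleanup did the wrong thing (added here; it is not code from the thread, from the patch, or from the kernel): refcounted stand-ins for the cred and file objects show why releasing only the descriptor number leaves the struct file, and the cred it pins, unreferenced, which is what kmemleak lists. Every function is a simplified stand-in with a kernel-like name, the descriptor table is eight entries, and the io_uring_add_task_file failure is injected.

```c
/* Added example (not from the thread or the kernel): a userspace model of the
 * io_uring_get_fd() error path discussed above. Names mirror kernel ones, but
 * every function is a simplified stand-in and the failure is injected. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct cred { int usage; };                      /* stand-in for struct cred */
struct file { struct cred *f_cred; int count; }; /* stand-in for struct file */
static int live_creds, live_files;  /* what kmemleak would list as unreferenced */
static int fd_table[8];             /* 1 = descriptor number reserved */
static int fail_add_task_file;      /* injected failure, like syzkaller's fault injection */
static struct cred *prepare_creds(void)
{ struct cred *c = calloc(1, sizeof *c); c->usage = 1; live_creds++; return c; }
static struct cred *get_cred(struct cred *c) { c->usage++; return c; }
static void put_cred(struct cred *c) { if (--c->usage == 0) { free(c); live_creds--; } }
static struct file *anon_inode_getfile(struct cred *cur) /* __alloc_file pins current's cred */
{ struct file *f = calloc(1, sizeof *f); f->f_cred = get_cred(cur); f->count = 1; live_files++; return f; }
static void fput(struct file *f)
{ if (--f->count == 0) { put_cred(f->f_cred); free(f); live_files--; } }
static int get_unused_fd_flags(void) /* lowest free descriptor number, or -EMFILE */
{ for (int i = 0; i < 8; i++) if (!fd_table[i]) { fd_table[i] = 1; return i; } return -24; }
static void put_unused_fd(int fd) { fd_table[fd] = 0; }
static void fd_install(int fd, struct file *f) { (void)fd; (void)f; } /* reservation stays */
static void reset_fds(void) /* 0..2 already open, as in any process */
{ memset(fd_table, 0, sizeof fd_table); fd_table[0] = fd_table[1] = fd_table[2] = 1; }
static int io_uring_add_task_file(void) { return fail_add_task_file ? -12 /* -ENOMEM */ : 0; }

/* Shape of the quoted 5.10 code: ret doubles as the fd, and the add_task_file
 * failure path releases only the descriptor number, never the struct file. */
static int io_uring_get_fd_buggy(struct cred *cur)
{
    int ret = get_unused_fd_flags();
    if (ret < 0) return ret;
    struct file *file = anon_inode_getfile(cur);
    if (io_uring_add_task_file()) {
        put_unused_fd(ret);   /* no fput(): the file and the cred it pins leak */
        return -12;
    }
    fd_install(ret, file);
    return ret;
}

/* Corrected shape: fd kept apart from ret, fput() on failure, fd returned. */
static int io_uring_get_fd_fixed(struct cred *cur)
{
    int ret, fd = get_unused_fd_flags();
    if (fd < 0) return fd;
    struct file *file = anon_inode_getfile(cur);
    ret = io_uring_add_task_file();
    if (ret) { fput(file); put_unused_fd(fd); return ret; }
    fd_install(fd, file);
    return fd;
}

/* Objects still alive after the forking task (copy_creds at fork) has exited. */
static int leaked_after(int (*get_fd)(struct cred *))
{
    int before = live_creds + live_files;
    struct cred *cur = prepare_creds();
    reset_fds(); fail_add_task_file = 1;
    get_fd(cur); put_cred(cur);          /* task exit drops its own reference */
    return live_creds + live_files - before;
}

/* Descriptor handed back on the success path: 3 here, since 0..2 are reserved. */
static int fd_on_success(int (*get_fd)(struct cred *))
{
    struct cred *cur = prepare_creds();
    reset_fds(); fail_add_task_file = 0;
    int fd = get_fd(cur); put_cred(cur);
    return fd;
}

int main(void)
{ printf("buggy leaks %d objects, fixed leaks %d, fd on success %d\n", leaked_after(io_uring_get_fd_buggy),
         leaked_after(io_uring_get_fd_fixed), fd_on_success(io_uring_get_fd_fixed)); return 0; }
```

The buggy path leaves two objects behind (the file and the cred it references), matching the pairing of file and cred objects in the reports; the fixed path leaves none and still returns the real descriptor.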


* memory leak in prepare_creds
@ 2022-01-27 13:31 INT MAX
  0 siblings, 0 replies; 5+ messages in thread
From: INT MAX @ 2022-01-27 13:31 UTC (permalink / raw)
  To: linux-fsdevel, linux-kernel

Dear maintainers,

I've found a memory leak bug in prepare_creds in kernel v5.16
(df0cc57e057f18e44dac8e6c18aba47ab53202f9) using Syzkaller. It happens after
fork-pipe2-close_range (a stable reproducer attached below). It's possibly
caused by incorrect reference counting of credentials after pipe2-close_range.

I tried adding some debug messages to trace "get_cred" and "put_cred", but it
seems the reference count is changed somewhere else. Unfortunately, adding more
debug messages makes it no longer reproducible. But one thing is for sure: the
reported leaked cred was indeed not freed by "__put_cred".

Attached are the following for your reference:

1. Syzkaller report (including a C reproducer at the end of the report with
   some extra debug info added by me): https://pastebin.com/xMWNhf5r.
   The reproducer will usually report the leak after 2 or more iterations, but
   the actual leak may happen in the first iteration: inspecting the debug
   output shows the leaked "cred" object was reported to be created as early as
   the first iteration and never gets destroyed. In addition, the number of
   iterations required for triggering the leak goes down to 1 after running the
   reproducer multiple times.
2. Debug output (added by me) during the lifecycle of "ls" (no leak) as
   reference: https://pastebin.com/L45kbnwt.
3. Debug output during the lifecycle of "sleep 0" (no leak) as reference:
   https://pastebin.com/XFM5r1sF.
4. Debug output during the lifecycle of "repro" (the C reproducer; leaked):
   https://pastebin.com/yj2evZbX.
5. The kernel config: https://pastebin.com/DU0VVviE.

[This email is resent to the two mailing lists because the previous
email sent via Outlook was blocked.]

Best regards,
Untitled YAN

