From: Arnd Bergmann <arnd@kernel.org>
To: syzbot <syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com>
Cc: Arnd Bergmann <arnd@arndb.de>,
Hans Verkuil <hverkuil-cisco@xs4all.nl>,
Laurent Pinchart <laurent.pinchart@ideasonboard.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Linux Media Mailing List <linux-media@vger.kernel.org>,
Mauro Carvalho Chehab <mchehab@kernel.org>,
Sakari Ailus <sakari.ailus@linux.intel.com>,
syzkaller-bugs <syzkaller-bugs@googlegroups.com>
Subject: Re: memory leak in video_usercopy
Date: Sat, 19 Dec 2020 15:08:14 +0100 [thread overview]
Message-ID: <CAK8P3a3AF4yFUcOEzMPf7SGkf6YVPJthHLzGtM==oGkSj+=mtg@mail.gmail.com> (raw)
In-Reply-To: <00000000000025169705b6d100fa@google.com>
,On Sat, Dec 19, 2020 at 2:15 PM syzbot
<syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: a409ed15 Merge tag 'gpio-v5.11-1' of git://git.kernel.org/..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=10a5880f500000
> kernel config: https://syzkaller.appspot.com/x/.config?x=37c889fb8b2761af
> dashboard link: https://syzkaller.appspot.com/bug?extid=1115e79c8df6472c612b
> compiler: gcc (GCC) 10.1.0-syz 20200507
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14d18f9b500000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=106a2c13500000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com
>
> Debian GNU/Linux 9 syzkaller ttyS0
> Warning: Permanently added '10.128.10.29' (ECDSA) to the list of known hosts.
> executing program
> executing program
> BUG: memory leak
> unreferenced object 0xffff88810fb12300 (size 256):
> comm "syz-executor399", pid 8472, jiffies 4294942333 (age 13.960s)
> hex dump (first 32 bytes):
> 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> backtrace:
> [<000000009fd00995>] kmalloc_node include/linux/slab.h:575 [inline]
> [<000000009fd00995>] kvmalloc_node+0x61/0xf0 mm/util.c:575
> [<0000000096a57c4a>] kvmalloc include/linux/mm.h:773 [inline]
> [<0000000096a57c4a>] video_usercopy+0x991/0xa50 drivers/media/v4l2-core/v4l2-ioctl.c:3303
> [<00000000f7529cc2>] v4l2_ioctl+0x77/0x90 drivers/media/v4l2-core/v4l2-dev.c:360
> [<0000000061b5e6a9>] vfs_ioctl fs/ioctl.c:48 [inline]
> [<0000000061b5e6a9>] __do_sys_ioctl fs/ioctl.c:753 [inline]
> [<0000000061b5e6a9>] __se_sys_ioctl fs/ioctl.c:739 [inline]
> [<0000000061b5e6a9>] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:739
> [<000000000139479b>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
> [<00000000d6de1c9c>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
It seems there are commands that need both a buffer for the direct ioc
argument and for array_args. If that happens, we have two kvmalloc() calls
but only one kvfree(), and that would correctly trigger the leak detector.
The direct ioc argument copy happens for arguments over 128 bytes.
Checking the sizes of the comands with array args shows
VIDIOC_PREPARE_BUF, VIDIOC_QUERYBUF, VIDIOC_QBUF, VIDIOC_DQBUF:
v4l2_buffer, 84 bytes or less
VIDIOC_G_EDID, VIDIOC_S_EDID:
v4l2_edid, 40 bytes or less
VIDIOC_G_EXT_CTRLS, VIDIOC_S_EXT_CTRLS, VIDIOC_TRY_EXT_CTRLS:
v4l2_ext_controls, 32 bytes or less
VIDIOC_G_FMT, VIDIOC_S_FMT, VIDIOC_TRY_FMT:
v4l2_format, 204 or 208 bytes
I would conclude it's one of the last three commands, and it could be
avoided either by increasing the on-stack buffer to sizeof(struct v4l2_format),
or by restructuring this function again to have two separate pointers
for alloc/free.
Arnd
next prev parent reply other threads:[~2020-12-19 14:09 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-19 13:14 memory leak in video_usercopy syzbot
2020-12-19 14:08 ` Arnd Bergmann [this message]
2020-12-19 22:41 ` Sakari Ailus
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAK8P3a3AF4yFUcOEzMPf7SGkf6YVPJthHLzGtM==oGkSj+=mtg@mail.gmail.com' \
--to=arnd@kernel.org \
--cc=arnd@arndb.de \
--cc=hverkuil-cisco@xs4all.nl \
--cc=laurent.pinchart@ideasonboard.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=mchehab@kernel.org \
--cc=sakari.ailus@linux.intel.com \
--cc=syzbot+1115e79c8df6472c612b@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).