Linux-mtd Archive on lore.kernel.org
* memory leak in erase_aeb
@ 2019-12-08 19:35 syzbot
  2019-12-20  2:14 ` [PATCH] UBI: Fastmap: free unused fastmap anchor peb during detach Hou Tao
  2020-01-11 17:19 ` memory leak in erase_aeb syzbot
  0 siblings, 2 replies; 5+ messages in thread
From: syzbot @ 2019-12-08 19:35 UTC (permalink / raw)
  To: linux-kernel, linux-mtd, miquel.raynal, richard, syzkaller-bugs,
	vigneshr

Hello,

syzbot found the following crash on:

HEAD commit:    ad910e36 pipe: fix poll/select race introduced by the pipe..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16080232e00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=3beca47aecbf4a9c
dashboard link: https://syzkaller.appspot.com/bug?extid=f317896aae32eb281a58
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14b527f2e00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f317896aae32eb281a58@syzkaller.appspotmail.com

BUG: memory leak
unreferenced object 0xffff8881225039a0 (size 32):
   comm "syz-executor.0", pid 7318, jiffies 4294950453 (age 8.280s)
   hex dump (first 32 bytes):
     00 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00  ................
     00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00  ................
   backtrace:
     [<000000003a9d0e7e>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
     [<000000003a9d0e7e>] slab_post_alloc_hook mm/slab.h:586 [inline]
     [<000000003a9d0e7e>] slab_alloc mm/slab.c:3320 [inline]
     [<000000003a9d0e7e>] kmem_cache_alloc+0x13f/0x2c0 mm/slab.c:3484
     [<00000000b53dfd0a>] erase_aeb+0x2a/0x100 drivers/mtd/ubi/wl.c:1691
     [<000000005ccfba82>] ubi_wl_init+0x1ae/0x600 drivers/mtd/ubi/wl.c:1758
     [<000000002350928f>] ubi_attach+0x665/0x18e7 drivers/mtd/ubi/attach.c:1605
     [<0000000055aac88b>] ubi_attach_mtd_dev+0x5b3/0xd40 drivers/mtd/ubi/build.c:946
     [<00000000071dc178>] ctrl_cdev_ioctl+0x149/0x1c0 drivers/mtd/ubi/cdev.c:1043
     [<000000004c359338>] vfs_ioctl fs/ioctl.c:47 [inline]
     [<000000004c359338>] file_ioctl fs/ioctl.c:545 [inline]
     [<000000004c359338>] do_vfs_ioctl+0x551/0x890 fs/ioctl.c:732
     [<000000002f3b4a0e>] ksys_ioctl+0x86/0xb0 fs/ioctl.c:749
     [<0000000071dee951>] __do_sys_ioctl fs/ioctl.c:756 [inline]
     [<0000000071dee951>] __se_sys_ioctl fs/ioctl.c:754 [inline]
     [<0000000071dee951>] __x64_sys_ioctl+0x1e/0x30 fs/ioctl.c:754
     [<0000000069d4ede5>] do_syscall_64+0x73/0x220 arch/x86/entry/common.c:294
     [<000000001a44675f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9



---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/


* [PATCH] UBI: Fastmap: free unused fastmap anchor peb during detach
  2019-12-08 19:35 memory leak in erase_aeb syzbot
@ 2019-12-20  2:14 ` Hou Tao
  2020-01-06  9:02   ` Sascha Hauer
  2020-01-11 17:19 ` memory leak in erase_aeb syzbot
  1 sibling, 1 reply; 5+ messages in thread
From: Hou Tao @ 2019-12-20  2:14 UTC (permalink / raw)
  To: linux-mtd, richard, s.hauer; +Cc: houtao1, vigneshr, miquel.raynal

When CONFIG_MTD_UBI_FASTMAP is enabled, fm_anchor will be assigned
a free PEB during ubi_wl_init() or ubi_update_fastmap(). However
if fastmap is not used or disabled on the MTD device, ubi_wl_entry
related with the PEB will not be freed during detach.

So fix it by freeing the unused fastmap anchor during detach.

And also don't generate the initial fm_anchor when fastmap is disabled.

Fixes: f9c34bb52997 ("ubi: Fix producing anchor PEBs")
Reported-by: syzbot+f317896aae32eb281a58@syzkaller.appspotmail.com
Signed-off-by: Hou Tao <houtao1@huawei.com>
---
 drivers/mtd/ubi/fastmap-wl.c | 15 +++++++++++++--
 drivers/mtd/ubi/wl.c         |  3 ++-
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/drivers/mtd/ubi/fastmap-wl.c b/drivers/mtd/ubi/fastmap-wl.c
index 426820ab9afe..b486250923c5 100644
--- a/drivers/mtd/ubi/fastmap-wl.c
+++ b/drivers/mtd/ubi/fastmap-wl.c
@@ -39,6 +39,13 @@ static struct ubi_wl_entry *find_anchor_wl_entry(struct rb_root *root)
 	return victim;
 }
 
+static inline void return_unused_peb(struct ubi_device *ubi,
+				     struct ubi_wl_entry *e)
+{
+	wl_tree_add(e, &ubi->free);
+	ubi->free_count++;
+}
+
 /**
  * return_unused_pool_pebs - returns unused PEB to the free tree.
  * @ubi: UBI device description object
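Review bot: return_unused_peb() is added without any comment, while return_unused_pool_pebs() directly below it carries a kernel-doc block. Add a short one stating that the entry is put back on ubi->free and free_count is incremented, and which lock the caller must hold, since the helper modifies both without taking a lock itself. The explicit `inline` on a static function in a .c file can also be dropped and left to the compiler.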
@@ -52,8 +59,7 @@ static void return_unused_pool_pebs(struct ubi_device *ubi,
 
 	for (i = pool->used; i < pool->size; i++) {
 		e = ubi->lookuptbl[pool->pebs[i]];
-		wl_tree_add(e, &ubi->free);
-		ubi->free_count++;
+		return_unused_peb(ubi, e);
 	}
 }
 
@@ -361,6 +367,11 @@ static void ubi_fastmap_close(struct ubi_device *ubi)
 	return_unused_pool_pebs(ubi, &ubi->fm_pool);
 	return_unused_pool_pebs(ubi, &ubi->fm_wl_pool);
 
+	if (ubi->fm_anchor) {
+		return_unused_peb(ubi, ubi->fm_anchor);
+		ubi->fm_anchor = NULL;
+	}
+
 	if (ubi->fm) {
 		for (i = 0; i < ubi->fm->used_blocks; i++)
 			kfree(ubi->fm->e[i]);
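Review bot: In ubi_fastmap_close(), the new block puts ubi->fm_anchor back on ubi->free rather than freeing it, so the leak is closed only if the free tree is torn down after this function runs. That ordering is not visible in this hunk and deserves a comment here or a sentence in the changelog, which currently says the anchor is freed during detach. Please also confirm that fm_anchor can never be one of the ubi->fm->e[i] entries that are kfree()'d just below, since such an entry would then sit on the free tree and be freed directly as well.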
diff --git a/drivers/mtd/ubi/wl.c b/drivers/mtd/ubi/wl.c
index 5d77a38dba54..c6c2b8dc96c7 100644
--- a/drivers/mtd/ubi/wl.c
+++ b/drivers/mtd/ubi/wl.c
@@ -1876,7 +1876,8 @@ int ubi_wl_init(struct ubi_device *ubi, struct ubi_attach_info *ai)
 		goto out_free;
 
 #ifdef CONFIG_MTD_UBI_FASTMAP
-	ubi_ensure_anchor_pebs(ubi);
+	if (!ubi->fm_disabled)
+		ubi_ensure_anchor_pebs(ubi);
 #endif
 	return 0;
 
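Review bot: The `if (!ubi->fm_disabled)` guard in ubi_wl_init() is a behaviour change separate from the detach-time leak fix, and the changelog gives it only one trailing sentence. Move it to its own patch with a changelog explaining why no anchor should be reserved when fastmap is disabled. The changelog also names ubi_update_fastmap() as a place where fm_anchor is assigned, so state whether that path needs the same guard.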
-- 
2.22.0



* Re: [PATCH] UBI: Fastmap: free unused fastmap anchor peb during detach
  2019-12-20  2:14 ` [PATCH] UBI: Fastmap: free unused fastmap anchor peb during detach Hou Tao
@ 2020-01-06  9:02   ` Sascha Hauer
  2020-01-12 22:51     ` Richard Weinberger
  0 siblings, 1 reply; 5+ messages in thread
From: Sascha Hauer @ 2020-01-06  9:02 UTC (permalink / raw)
  To: Hou Tao; +Cc: richard, linux-mtd, vigneshr, miquel.raynal

On Fri, Dec 20, 2019 at 10:14:49AM +0800, Hou Tao wrote:
> When CONFIG_MTD_UBI_FASTMAP is enabled, fm_anchor will be assigned
> a free PEB during ubi_wl_init() or ubi_update_fastmap(). However
> if fastmap is not used or disabled on the MTD device, ubi_wl_entry
> related with the PEB will not be freed during detach.
> 
> So fix it by freeing the unused fastmap anchor during detach.
> 
> And also don't generate the initial fm_anchor when fastmap is disabled.

I think this part deserves an extra patch. Otherwise the changes look
good to me, so:

Reviewed-by: Sascha Hauer <s.hauer@pengutronix.de>

Sascha

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |


* Re: memory leak in erase_aeb
  2019-12-08 19:35 memory leak in erase_aeb syzbot
  2019-12-20  2:14 ` [PATCH] UBI: Fastmap: free unused fastmap anchor peb during detach Hou Tao
@ 2020-01-11 17:19 ` syzbot
  1 sibling, 0 replies; 5+ messages in thread
From: syzbot @ 2020-01-11 17:19 UTC (permalink / raw)
  To: linux-kernel, linux-mtd, miquel.raynal, richard, syzkaller-bugs,
	vigneshr

syzbot has found a reproducer for the following crash on:

HEAD commit:    bef1d882 Merge tag 'pstore-v5.5-rc6' of git://git.kernel.o..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=158a51b9e00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e479cb92d5ce3196
dashboard link: https://syzkaller.appspot.com/bug?extid=f317896aae32eb281a58
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=132269e1e00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1247d58ee00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f317896aae32eb281a58@syzkaller.appspotmail.com

BUG: memory leak
unreferenced object 0xffff888127cecb00 (size 32):
   comm "syz-executor527", pid 7144, jiffies 4294957528 (age 23.750s)
   hex dump (first 32 bytes):
     00 01 00 00 00 00 ad de 22 01 00 00 00 00 ad de  ........".......
     00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00  ................
   backtrace:
     [<0000000029f9ef6c>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
     [<0000000029f9ef6c>] slab_post_alloc_hook mm/slab.h:586 [inline]
     [<0000000029f9ef6c>] slab_alloc mm/slab.c:3320 [inline]
     [<0000000029f9ef6c>] kmem_cache_alloc+0x13f/0x2c0 mm/slab.c:3484
     [<000000003092c936>] erase_aeb+0x2a/0x100 drivers/mtd/ubi/wl.c:1691
     [<00000000d507b66e>] ubi_wl_init+0x1ae/0x600 drivers/mtd/ubi/wl.c:1758
     [<0000000072e7d762>] ubi_attach+0x665/0x18e7 drivers/mtd/ubi/attach.c:1605
     [<0000000024d645cb>] ubi_attach_mtd_dev+0x5b3/0xd40 drivers/mtd/ubi/build.c:946
     [<00000000e6600cef>] ctrl_cdev_ioctl+0x149/0x1c0 drivers/mtd/ubi/cdev.c:1043
     [<000000001253992f>] vfs_ioctl fs/ioctl.c:47 [inline]
     [<000000001253992f>] file_ioctl fs/ioctl.c:545 [inline]
     [<000000001253992f>] do_vfs_ioctl+0x551/0x890 fs/ioctl.c:732
     [<00000000c49e8c94>] ksys_ioctl+0x86/0xb0 fs/ioctl.c:749
     [<00000000261db07c>] __do_sys_ioctl fs/ioctl.c:756 [inline]
     [<00000000261db07c>] __se_sys_ioctl fs/ioctl.c:754 [inline]
     [<00000000261db07c>] __x64_sys_ioctl+0x1e/0x30 fs/ioctl.c:754
     [<000000004f01dc3e>] do_syscall_64+0x73/0x220 arch/x86/entry/common.c:294
     [<000000002de81d29>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff888127cecb00 (size 32):
   comm "syz-executor527", pid 7144, jiffies 4294957528 (age 26.350s)
   hex dump (first 32 bytes):
     00 01 00 00 00 00 ad de 22 01 00 00 00 00 ad de  ........".......
     00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00  ................
   backtrace:
     [<0000000029f9ef6c>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
     [<0000000029f9ef6c>] slab_post_alloc_hook mm/slab.h:586 [inline]
     [<0000000029f9ef6c>] slab_alloc mm/slab.c:3320 [inline]
     [<0000000029f9ef6c>] kmem_cache_alloc+0x13f/0x2c0 mm/slab.c:3484
     [<000000003092c936>] erase_aeb+0x2a/0x100 drivers/mtd/ubi/wl.c:1691
     [<00000000d507b66e>] ubi_wl_init+0x1ae/0x600 drivers/mtd/ubi/wl.c:1758
     [<0000000072e7d762>] ubi_attach+0x665/0x18e7 drivers/mtd/ubi/attach.c:1605
     [<0000000024d645cb>] ubi_attach_mtd_dev+0x5b3/0xd40 drivers/mtd/ubi/build.c:946
     [<00000000e6600cef>] ctrl_cdev_ioctl+0x149/0x1c0 drivers/mtd/ubi/cdev.c:1043
     [<000000001253992f>] vfs_ioctl fs/ioctl.c:47 [inline]
     [<000000001253992f>] file_ioctl fs/ioctl.c:545 [inline]
     [<000000001253992f>] do_vfs_ioctl+0x551/0x890 fs/ioctl.c:732
     [<00000000c49e8c94>] ksys_ioctl+0x86/0xb0 fs/ioctl.c:749
     [<00000000261db07c>] __do_sys_ioctl fs/ioctl.c:756 [inline]
     [<00000000261db07c>] __se_sys_ioctl fs/ioctl.c:754 [inline]
     [<00000000261db07c>] __x64_sys_ioctl+0x1e/0x30 fs/ioctl.c:754
     [<000000004f01dc3e>] do_syscall_64+0x73/0x220 arch/x86/entry/common.c:294
     [<000000002de81d29>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff888127cecb00 (size 32):
   comm "syz-executor527", pid 7144, jiffies 4294957528 (age 32.820s)
   hex dump (first 32 bytes):
     00 01 00 00 00 00 ad de 22 01 00 00 00 00 ad de  ........".......
     00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00  ................
   backtrace:
     [<0000000029f9ef6c>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
     [<0000000029f9ef6c>] slab_post_alloc_hook mm/slab.h:586 [inline]
     [<0000000029f9ef6c>] slab_alloc mm/slab.c:3320 [inline]
     [<0000000029f9ef6c>] kmem_cache_alloc+0x13f/0x2c0 mm/slab.c:3484
     [<000000003092c936>] erase_aeb+0x2a/0x100 drivers/mtd/ubi/wl.c:1691
     [<00000000d507b66e>] ubi_wl_init+0x1ae/0x600 drivers/mtd/ubi/wl.c:1758
     [<0000000072e7d762>] ubi_attach+0x665/0x18e7 drivers/mtd/ubi/attach.c:1605
     [<0000000024d645cb>] ubi_attach_mtd_dev+0x5b3/0xd40 drivers/mtd/ubi/build.c:946
     [<00000000e6600cef>] ctrl_cdev_ioctl+0x149/0x1c0 drivers/mtd/ubi/cdev.c:1043
     [<000000001253992f>] vfs_ioctl fs/ioctl.c:47 [inline]
     [<000000001253992f>] file_ioctl fs/ioctl.c:545 [inline]
     [<000000001253992f>] do_vfs_ioctl+0x551/0x890 fs/ioctl.c:732
     [<00000000c49e8c94>] ksys_ioctl+0x86/0xb0 fs/ioctl.c:749
     [<00000000261db07c>] __do_sys_ioctl fs/ioctl.c:756 [inline]
     [<00000000261db07c>] __se_sys_ioctl fs/ioctl.c:754 [inline]
     [<00000000261db07c>] __x64_sys_ioctl+0x1e/0x30 fs/ioctl.c:754
     [<000000004f01dc3e>] do_syscall_64+0x73/0x220 arch/x86/entry/common.c:294
     [<000000002de81d29>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

executing program
executing program
executing program
executing program
executing program



* Re: [PATCH] UBI: Fastmap: free unused fastmap anchor peb during detach
  2020-01-06  9:02   ` Sascha Hauer
@ 2020-01-12 22:51     ` Richard Weinberger
  0 siblings, 0 replies; 5+ messages in thread
From: Richard Weinberger @ 2020-01-12 22:51 UTC (permalink / raw)
  To: Sascha Hauer
  Cc: Richard Weinberger, Miquel Raynal, linux-mtd,
	Vignesh Raghavendra, Hou Tao

On Mon, Jan 6, 2020 at 10:02 AM Sascha Hauer <s.hauer@pengutronix.de> wrote:
>
> On Fri, Dec 20, 2019 at 10:14:49AM +0800, Hou Tao wrote:
> > When CONFIG_MTD_UBI_FASTMAP is enabled, fm_anchor will be assigned
> > a free PEB during ubi_wl_init() or ubi_update_fastmap(). However
> > if fastmap is not used or disabled on the MTD device, ubi_wl_entry
> > related with the PEB will not be freed during detach.
> >
> > So fix it by freeing the unused fastmap anchor during detach.
> >
> > And also don't generate the initial fm_anchor when fastmap is disabled.
>
> I think this part deserves an extra patch. Otherwise the changes look
> good to me, so:

Yes, please split this patch.

Thanks,
//richard
