From: Jiri Slaby <jirislaby@kernel.org>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
James Bond <jameslouisebond@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Kees Cook <keescook@chromium.org>,
Michel Lespinasse <walken@google.com>,
Vlastimil Babka <vbabka@suse.cz>,
Denis Efremov <efremov@linux.com>,
linux-kernel@vger.kernel.org, Ben Hutchings <ben@decadent.org.uk>
Subject: Re: [PATCH] tty/vt: fix a memory leak in con_insert_unipair
Date: Mon, 10 Aug 2020 10:14:35 +0200 [thread overview]
Message-ID: <08df63cd-c4b9-c16b-2e27-5d86580eebf2@kernel.org> (raw)
In-Reply-To: <20200810075122.GA1531406@kroah.com>
On 10. 08. 20, 9:51, Greg Kroah-Hartman wrote:
> On Mon, Aug 10, 2020 at 07:16:48AM +0200, Jiri Slaby wrote:
>> On 10. 08. 20, 0:14, James Bond wrote:
>>> Syzkaller find a memory leak in con_insert_unipair:
>>> BUG: memory leak
>>> unreferenced object 0xffff88804893d100 (size 256):
>>> comm "syz-executor.3", pid 16154, jiffies 4295043307 (age 2392.340s)
>>> hex dump (first 32 bytes):
>>> 80 af 88 4e 80 88 ff ff 00 a8 88 4e 80 88 ff ff ...N.......N....
>>> 80 ad 88 4e 80 88 ff ff 00 aa 88 4e 80 88 ff ff ...N.......N....
>>> backtrace:
>>> [<00000000f76ff1de>] kmalloc include/linux/slab.h:555 [inline]
>>> [<00000000f76ff1de>] kmalloc_array include/linux/slab.h:596 [inline]
>>> [<00000000f76ff1de>] con_insert_unipair+0x9e/0x1a0 drivers/tty/vt/consolemap.c:482
>>> [<000000002f1ad7da>] con_set_unimap+0x244/0x2a0 drivers/tty/vt/consolemap.c:595
>>> [<0000000046ccb106>] do_unimap_ioctl drivers/tty/vt/vt_ioctl.c:297 [inline]
>>> [<0000000046ccb106>] vt_ioctl+0x863/0x12f0 drivers/tty/vt/vt_ioctl.c:1018
>>> [<00000000db1577ff>] tty_ioctl+0x4cd/0xa30 drivers/tty/tty_io.c:2656
>>> [<00000000e5cdf5ed>] vfs_ioctl fs/ioctl.c:48 [inline]
>>> [<00000000e5cdf5ed>] ksys_ioctl+0xa6/0xd0 fs/ioctl.c:753
>>> [<00000000fb4aa12c>] __do_sys_ioctl fs/ioctl.c:762 [inline]
>>> [<00000000fb4aa12c>] __se_sys_ioctl fs/ioctl.c:760 [inline]
>>> [<00000000fb4aa12c>] __x64_sys_ioctl+0x1a/0x20 fs/ioctl.c:760
>>> [<00000000f561f260>] do_syscall_64+0x4c/0xe0 arch/x86/entry/common.c:384
>>> [<0000000056206928>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>>> BUG: leak checking failed
>>>
>>> To fix this issue, we need to release the pointer p1 when the call of
>>> the function kmalloc_array fail.
...
>> Do we have some annotations for this instead?
>
> We need something there, a comment saying "this is fine, don't touch
> it!" or something like that? We need that in a few other places in the
> vt code as well.
Sure, comment as the last resort (to silence patch writers). But I had
some kmemleak annotation (to silence the warning) in mind.
Or better fix/tune kmemleak: why it dares to think it's a mem leak in
the first place?
thanks,
--
js
prev parent reply other threads:[~2020-08-10 8:14 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-09 22:14 [PATCH] tty/vt: fix a memory leak in con_insert_unipair James Bond
2020-08-10 5:16 ` Jiri Slaby
2020-08-10 7:51 ` Greg Kroah-Hartman
2020-08-10 8:14 ` Jiri Slaby [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=08df63cd-c4b9-c16b-2e27-5d86580eebf2@kernel.org \
--to=jirislaby@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=ben@decadent.org.uk \
--cc=efremov@linux.com \
--cc=gregkh@linuxfoundation.org \
--cc=jameslouisebond@gmail.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=vbabka@suse.cz \
--cc=walken@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).