* [PATCH] pidfd: fix memory leak in pidfd_getfd()
@ 2020-07-06 12:52 Vamshi K Sthambamkadi
2020-07-06 12:58 ` Christian Brauner
2020-07-06 15:38 ` Kees Cook
0 siblings, 2 replies; 3+ messages in thread
From: Vamshi K Sthambamkadi @ 2020-07-06 12:52 UTC (permalink / raw)
To: christian; +Cc: linux-kernel
kmemleak backtrace:
comm "pidfd_getfd_tes", pid 1406, jiffies 4294936898 (age 8.644s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 90 da d8 f6 80 d5 6f f2 ..............o.
b8 fb 9b ea c0 91 99 d1 00 00 00 00 00 00 00 00 ................
backtrace:
[<8da987ad>] kmem_cache_alloc+0x199/0x4c0
[<8ff6a575>] __alloc_file+0x1e/0xe0
[<e1479798>] alloc_empty_file+0x45/0x100
[<727fe6eb>] alloc_file+0x23/0xf0
[<457148ef>] alloc_file_pseudo+0x98/0x100
[<c104ed3d>] __shmem_file_setup.part.67+0x66/0x120
[<5edc3e9b>] shmem_file_setup+0x4c/0x70
[<9c446684>] __ia32_sys_memfd_create+0x122/0x1c0
[<e129fc9c>] do_syscall_32_irqs_on+0x3d/0x260
[<62569441>] do_fast_syscall_32+0x39/0xb0
[<3c515b7e>] do_SYSENTER_32+0x15/0x20
[<69819a3a>] entry_SYSENTER_32+0xa9/0xfc
comm "pidfd_getfd_tes", pid 1406, jiffies 4294936898 (age 8.644s)
hex dump (first 16 bytes):
01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<8da987ad>] kmem_cache_alloc+0x199/0x4c0
[<b67faec5>] security_file_alloc+0x20/0x90
[<ed849d41>] __alloc_file+0x40/0xe0
[<e1479798>] alloc_empty_file+0x45/0x100
[<727fe6eb>] alloc_file+0x23/0xf0
[<457148ef>] alloc_file_pseudo+0x98/0x100
[<c104ed3d>] __shmem_file_setup.part.67+0x66/0x120
[<5edc3e9b>] shmem_file_setup+0x4c/0x70
[<9c446684>] __ia32_sys_memfd_create+0x122/0x1c0
[<e129fc9c>] do_syscall_32_irqs_on+0x3d/0x260
[<62569441>] do_fast_syscall_32+0x39/0xb0
[<3c515b7e>] do_SYSENTER_32+0x15/0x20
[<69819a3a>] entry_SYSENTER_32+0xa9/0xfc
This is because in pidfd_getfd(), the file->f_count is incremented twice
1) __pidfd_fget() gets file ref by incrementing f_count in __fget_files()
2) f_count is incremented While installing fd in __fd_install_received()
i.e. get_file().
Memory leak occurs because the refs count do not match, the struct file
object is never freed.
Secondly the error validity check (ret < 0) after the call to
fd_install_received() is not needed since this function cannot return
negative number after incrementing f_count. So it is wrong to call fput
on condition (ret < 0).
Change pidfd_getfd() to call fput() on file reference once its installed
as new_fd in target process.
Signed-off-by: Vamshi K Sthambamkadi <vamshi.k.sthambamkadi@gmail.com>
---
kernel/pid.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/pid.c b/kernel/pid.c
index 5799ae5..d00139c 100644
--- a/kernel/pid.c
+++ b/kernel/pid.c
@@ -653,8 +653,8 @@ static int pidfd_getfd(struct pid *pid, int fd)
return PTR_ERR(file);
ret = fd_install_received(file, O_CLOEXEC);
- if (ret < 0)
- fput(file);
+
+ fput(file);
return ret;
}
--
2.7.4
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] pidfd: fix memory leak in pidfd_getfd()
2020-07-06 12:52 [PATCH] pidfd: fix memory leak in pidfd_getfd() Vamshi K Sthambamkadi
@ 2020-07-06 12:58 ` Christian Brauner
2020-07-06 15:38 ` Kees Cook
1 sibling, 0 replies; 3+ messages in thread
From: Christian Brauner @ 2020-07-06 12:58 UTC (permalink / raw)
To: Vamshi K Sthambamkadi; +Cc: christian, linux-kernel
On Mon, Jul 06, 2020 at 06:22:55PM +0530, Vamshi K Sthambamkadi wrote:
> kmemleak backtrace:
>
> comm "pidfd_getfd_tes", pid 1406, jiffies 4294936898 (age 8.644s)
> hex dump (first 32 bytes):
> 00 00 00 00 00 00 00 00 90 da d8 f6 80 d5 6f f2 ..............o.
> b8 fb 9b ea c0 91 99 d1 00 00 00 00 00 00 00 00 ................
> backtrace:
> [<8da987ad>] kmem_cache_alloc+0x199/0x4c0
> [<8ff6a575>] __alloc_file+0x1e/0xe0
> [<e1479798>] alloc_empty_file+0x45/0x100
> [<727fe6eb>] alloc_file+0x23/0xf0
> [<457148ef>] alloc_file_pseudo+0x98/0x100
> [<c104ed3d>] __shmem_file_setup.part.67+0x66/0x120
> [<5edc3e9b>] shmem_file_setup+0x4c/0x70
> [<9c446684>] __ia32_sys_memfd_create+0x122/0x1c0
> [<e129fc9c>] do_syscall_32_irqs_on+0x3d/0x260
> [<62569441>] do_fast_syscall_32+0x39/0xb0
> [<3c515b7e>] do_SYSENTER_32+0x15/0x20
> [<69819a3a>] entry_SYSENTER_32+0xa9/0xfc
>
> comm "pidfd_getfd_tes", pid 1406, jiffies 4294936898 (age 8.644s)
> hex dump (first 16 bytes):
> 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
> backtrace:
> [<8da987ad>] kmem_cache_alloc+0x199/0x4c0
> [<b67faec5>] security_file_alloc+0x20/0x90
> [<ed849d41>] __alloc_file+0x40/0xe0
> [<e1479798>] alloc_empty_file+0x45/0x100
> [<727fe6eb>] alloc_file+0x23/0xf0
> [<457148ef>] alloc_file_pseudo+0x98/0x100
> [<c104ed3d>] __shmem_file_setup.part.67+0x66/0x120
> [<5edc3e9b>] shmem_file_setup+0x4c/0x70
> [<9c446684>] __ia32_sys_memfd_create+0x122/0x1c0
> [<e129fc9c>] do_syscall_32_irqs_on+0x3d/0x260
> [<62569441>] do_fast_syscall_32+0x39/0xb0
> [<3c515b7e>] do_SYSENTER_32+0x15/0x20
> [<69819a3a>] entry_SYSENTER_32+0xa9/0xfc
>
> This is because in pidfd_getfd(), the file->f_count is incremented twice
> 1) __pidfd_fget() gets file ref by incrementing f_count in __fget_files()
> 2) f_count is incremented While installing fd in __fd_install_received()
> i.e. get_file().
>
> Memory leak occurs because the refs count do not match, the struct file
> object is never freed.
>
> Secondly the error validity check (ret < 0) after the call to
> fd_install_received() is not needed since this function cannot return
> negative number after incrementing f_count. So it is wrong to call fput
> on condition (ret < 0).
>
> Change pidfd_getfd() to call fput() on file reference once its installed
> as new_fd in target process.
>
> Signed-off-by: Vamshi K Sthambamkadi <vamshi.k.sthambamkadi@gmail.com>
> ---
What's the base commit for this fix? The fd_install_received() changes
are not upstream yet. Afaict, they are in Kees tree and in linux-next.
So this really isn't an applicable fix.
I really need to re-review the patches Kees sent. I haven't acked them
yet so we can't really take this patch now.
Thanks!
Christian
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] pidfd: fix memory leak in pidfd_getfd()
2020-07-06 12:52 [PATCH] pidfd: fix memory leak in pidfd_getfd() Vamshi K Sthambamkadi
2020-07-06 12:58 ` Christian Brauner
@ 2020-07-06 15:38 ` Kees Cook
1 sibling, 0 replies; 3+ messages in thread
From: Kees Cook @ 2020-07-06 15:38 UTC (permalink / raw)
To: Vamshi K Sthambamkadi; +Cc: christian, linux-kernel
Note: please review recent commit history for bug fixes like this -- I
introduced this bug. :)
On Mon, Jul 06, 2020 at 06:22:55PM +0530, Vamshi K Sthambamkadi wrote:
> kmemleak backtrace:
>
> comm "pidfd_getfd_tes", pid 1406, jiffies 4294936898 (age 8.644s)
> hex dump (first 32 bytes):
> 00 00 00 00 00 00 00 00 90 da d8 f6 80 d5 6f f2 ..............o.
> b8 fb 9b ea c0 91 99 d1 00 00 00 00 00 00 00 00 ................
> backtrace:
> [<8da987ad>] kmem_cache_alloc+0x199/0x4c0
> [<8ff6a575>] __alloc_file+0x1e/0xe0
> [<e1479798>] alloc_empty_file+0x45/0x100
> [<727fe6eb>] alloc_file+0x23/0xf0
> [<457148ef>] alloc_file_pseudo+0x98/0x100
> [<c104ed3d>] __shmem_file_setup.part.67+0x66/0x120
> [<5edc3e9b>] shmem_file_setup+0x4c/0x70
> [<9c446684>] __ia32_sys_memfd_create+0x122/0x1c0
> [<e129fc9c>] do_syscall_32_irqs_on+0x3d/0x260
> [<62569441>] do_fast_syscall_32+0x39/0xb0
> [<3c515b7e>] do_SYSENTER_32+0x15/0x20
> [<69819a3a>] entry_SYSENTER_32+0xa9/0xfc
>
> comm "pidfd_getfd_tes", pid 1406, jiffies 4294936898 (age 8.644s)
> hex dump (first 16 bytes):
> 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
> backtrace:
> [<8da987ad>] kmem_cache_alloc+0x199/0x4c0
> [<b67faec5>] security_file_alloc+0x20/0x90
> [<ed849d41>] __alloc_file+0x40/0xe0
> [<e1479798>] alloc_empty_file+0x45/0x100
> [<727fe6eb>] alloc_file+0x23/0xf0
> [<457148ef>] alloc_file_pseudo+0x98/0x100
> [<c104ed3d>] __shmem_file_setup.part.67+0x66/0x120
> [<5edc3e9b>] shmem_file_setup+0x4c/0x70
> [<9c446684>] __ia32_sys_memfd_create+0x122/0x1c0
> [<e129fc9c>] do_syscall_32_irqs_on+0x3d/0x260
> [<62569441>] do_fast_syscall_32+0x39/0xb0
> [<3c515b7e>] do_SYSENTER_32+0x15/0x20
> [<69819a3a>] entry_SYSENTER_32+0xa9/0xfc
>
> This is because in pidfd_getfd(), the file->f_count is incremented twice
> 1) __pidfd_fget() gets file ref by incrementing f_count in __fget_files()
> 2) f_count is incremented While installing fd in __fd_install_received()
> i.e. get_file().
>
> Memory leak occurs because the refs count do not match, the struct file
> object is never freed.
>
> Secondly the error validity check (ret < 0) after the call to
> fd_install_received() is not needed since this function cannot return
> negative number after incrementing f_count. So it is wrong to call fput
> on condition (ret < 0).
>
> Change pidfd_getfd() to call fput() on file reference once its installed
> as new_fd in target process.
>
> Signed-off-by: Vamshi K Sthambamkadi <vamshi.k.sthambamkadi@gmail.com>
Thanks! I'll get this fixed.
-Kees
> ---
> kernel/pid.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/kernel/pid.c b/kernel/pid.c
> index 5799ae5..d00139c 100644
> --- a/kernel/pid.c
> +++ b/kernel/pid.c
> @@ -653,8 +653,8 @@ static int pidfd_getfd(struct pid *pid, int fd)
> return PTR_ERR(file);
>
> ret = fd_install_received(file, O_CLOEXEC);
> - if (ret < 0)
> - fput(file);
> +
> + fput(file);
> return ret;
> }
>
> --
> 2.7.4
>
--
Kees Cook
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-07-06 15:38 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-07-06 12:52 [PATCH] pidfd: fix memory leak in pidfd_getfd() Vamshi K Sthambamkadi
2020-07-06 12:58 ` Christian Brauner
2020-07-06 15:38 ` Kees Cook
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).