linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Pavel Begunkov <asml.silence@gmail.com>
To: Hillf Danton <hdanton@sina.com>,
	syzbot <syzbot+71c4697e27c99fddcf17@syzkaller.appspotmail.com>
Cc: axboe@kernel.dk, io-uring@vger.kernel.org,
	linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: memory leak in prepare_creds
Date: Sun, 6 Dec 2020 13:31:12 +0000	[thread overview]
Message-ID: <86f70001-fd2c-d17a-d79b-d2809a79ca0b@gmail.com> (raw)
In-Reply-To: <20201128080016.9132-1-hdanton@sina.com>

On 28/11/2020 08:00, Hillf Danton wrote:
> On Fri, 27 Nov 2020 19:47:15 -0800
>> syzbot has found a reproducer for the following issue on:
>>
>> HEAD commit:    99c710c4 Merge tag 'platform-drivers-x86-v5.10-2' of git:/..
>> git tree:       upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=12a77ddd500000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=c7a27a77f20fbc95
>> dashboard link: https://syzkaller.appspot.com/bug?extid=71c4697e27c99fddcf17
>> compiler:       gcc (GCC) 10.1.0-syz 20200507
>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12d6161d500000
>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16f15e65500000
>>
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: syzbot+71c4697e27c99fddcf17@syzkaller.appspotmail.com
>>
>> BUG: memory leak
>> unreferenced object 0xffff888101401300 (size 168):
>>   comm "syz-executor355", pid 8461, jiffies 4294953658 (age 32.400s)
>>   hex dump (first 32 bytes):
>>     01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>>   backtrace:
>>     [<00000000caa0de2b>] prepare_creds+0x25/0x390 kernel/cred.c:258
>>     [<000000001821b99d>] copy_creds+0x3a/0x230 kernel/cred.c:358
>>     [<0000000022c32914>] copy_process+0x661/0x24d0 kernel/fork.c:1971
>>     [<00000000d3adca2d>] kernel_clone+0xf3/0x670 kernel/fork.c:2456
>>     [<00000000d11b7286>] __do_sys_clone+0x76/0xa0 kernel/fork.c:2573
>>     [<000000008280baad>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
>>     [<00000000685d8cf0>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>>
>> BUG: memory leak
>> unreferenced object 0xffff88810b0a6f20 (size 32):
>>   comm "syz-executor355", pid 8461, jiffies 4294953658 (age 32.400s)
>>   hex dump (first 32 bytes):
>>     b0 6e 93 00 81 88 ff ff 00 00 00 00 00 00 00 00  .n..............
>>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>>   backtrace:
>>     [<000000007d750ba1>] kmalloc include/linux/slab.h:557 [inline]
>>     [<000000007d750ba1>] kzalloc include/linux/slab.h:664 [inline]
>>     [<000000007d750ba1>] lsm_cred_alloc security/security.c:533 [inline]
>>     [<000000007d750ba1>] security_prepare_creds+0xa5/0xd0 security/security.c:1632
>>     [<00000000ba63fcc7>] prepare_creds+0x277/0x390 kernel/cred.c:285
>>     [<000000001821b99d>] copy_creds+0x3a/0x230 kernel/cred.c:358
>>     [<0000000022c32914>] copy_process+0x661/0x24d0 kernel/fork.c:1971
>>     [<00000000d3adca2d>] kernel_clone+0xf3/0x670 kernel/fork.c:2456
>>     [<00000000d11b7286>] __do_sys_clone+0x76/0xa0 kernel/fork.c:2573
>>     [<000000008280baad>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
>>     [<00000000685d8cf0>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> 
> Fail to spot the cred leak.
>>
>> BUG: memory leak
>> unreferenced object 0xffff888101ea2200 (size 256):
>>   comm "syz-executor355", pid 8470, jiffies 4294953658 (age 32.400s)
>>   hex dump (first 32 bytes):
>>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>>     20 59 03 01 81 88 ff ff 80 87 a8 10 81 88 ff ff   Y..............
>>   backtrace:
>>     [<000000002e0a7c5f>] kmem_cache_zalloc include/linux/slab.h:654 [inline]
>>     [<000000002e0a7c5f>] __alloc_file+0x1f/0x130 fs/file_table.c:101
>>     [<000000001a55b73a>] alloc_empty_file+0x69/0x120 fs/file_table.c:151
>>     [<00000000fb22349e>] alloc_file+0x33/0x1b0 fs/file_table.c:193
>>     [<000000006e1465bb>] alloc_file_pseudo+0xb2/0x140 fs/file_table.c:233
>>     [<000000007118092a>] anon_inode_getfile fs/anon_inodes.c:91 [inline]
>>     [<000000007118092a>] anon_inode_getfile+0xaa/0x120 fs/anon_inodes.c:74
>>     [<000000002ae99012>] io_uring_get_fd fs/io_uring.c:9198 [inline]
>>     [<000000002ae99012>] io_uring_create fs/io_uring.c:9377 [inline]
>>     [<000000002ae99012>] io_uring_setup+0x1125/0x1630 fs/io_uring.c:9411
>>     [<000000008280baad>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
>>     [<00000000685d8cf0>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>>
> Put file as part of the error handling after getting a new one.

Looks genuine to me, would you send a real patch?

> 
> --- a/fs/io_uring.c
> +++ b/fs/io_uring.c
> @@ -9182,6 +9182,7 @@ static int io_uring_get_fd(struct io_rin
>  {
>  	struct file *file;
>  	int ret;
> +	int fd;
>  
>  #if defined(CONFIG_UNIX)
>  	ret = sock_create_kern(&init_net, PF_UNIX, SOCK_RAW, IPPROTO_IP,
> @@ -9190,28 +9191,29 @@ static int io_uring_get_fd(struct io_rin
>  		return ret;
>  #endif
>  
> -	ret = get_unused_fd_flags(O_RDWR | O_CLOEXEC);
> +	ret = fd = get_unused_fd_flags(O_RDWR | O_CLOEXEC);
>  	if (ret < 0)
>  		goto err;
>  
>  	file = anon_inode_getfile("[io_uring]", &io_uring_fops, ctx,
>  					O_RDWR | O_CLOEXEC);
>  	if (IS_ERR(file)) {
> -err_fd:
> -		put_unused_fd(ret);
>  		ret = PTR_ERR(file);
> +		put_unused_fd(fd);
>  		goto err;
>  	}
>  
>  #if defined(CONFIG_UNIX)
>  	ctx->ring_sock->file = file;
>  #endif
> -	if (unlikely(io_uring_add_task_file(ctx, file))) {
> -		file = ERR_PTR(-ENOMEM);
> -		goto err_fd;
> +	ret = io_uring_add_task_file(ctx, file);
> +	if (ret) {
> +		fput(file);
> +		put_unused_fd(fd);
> +		goto err;
>  	}
>  	fd_install(ret, file);
> -	return ret;
> +	return 0;
>  err:
>  #if defined(CONFIG_UNIX)
>  	sock_release(ctx->ring_sock);
> 

-- 
Pavel Begunkov

  parent reply	other threads:[~2020-12-06 13:35 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-08-27 22:28 memory leak in prepare_creds syzbot
2020-11-28  3:47 ` syzbot
2020-11-30 18:52   ` Eric W. Biederman
     [not found] ` <20201128080016.9132-1-hdanton@sina.com>
2020-12-06 13:31   ` Pavel Begunkov [this message]
2022-01-27 13:31 INT MAX

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=86f70001-fd2c-d17a-d79b-d2809a79ca0b@gmail.com \
    --to=asml.silence@gmail.com \
    --cc=axboe@kernel.dk \
    --cc=hdanton@sina.com \
    --cc=io-uring@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=syzbot+71c4697e27c99fddcf17@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).