From: Dmitry Vyukov <dvyukov@google.com>
To: syzbot <syzbot+44908bb56d2bfe56b28e@syzkaller.appspotmail.com>
Cc: Christian Brauner <christian@brauner.io>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Kees Cook <keescook@chromium.org>,
LKML <linux-kernel@vger.kernel.org>,
Minchan Kim <minchan@kernel.org>, Oleg Nesterov <oleg@redhat.com>,
syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
andrii@kernel.org, bpf <bpf@vger.kernel.org>,
netdev <netdev@vger.kernel.org>
Subject: Re: [syzbot] memory leak in copy_process (2)
Date: Mon, 15 Mar 2021 08:28:13 +0100 [thread overview]
Message-ID: <CACT4Y+Z+ph1d4gVhhDSYuRH67g7t211503JyeMbd+13bCKs7rw@mail.gmail.com> (raw)
In-Reply-To: <000000000000c7910505bd889abc@google.com>
On Mon, Mar 15, 2021 at 1:48 AM syzbot
<syzbot+44908bb56d2bfe56b28e@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 88fe4924 Merge tag 'char-misc-5.12-rc3' of git://git.kerne..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=10252462d00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=815a716b5d0a8bdf
> dashboard link: https://syzkaller.appspot.com/bug?extid=44908bb56d2bfe56b28e
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14180dc6d00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=167cf68ad00000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+44908bb56d2bfe56b28e@syzkaller.appspotmail.com
+bpf maintainers
Looking at the reproducer I think it's an issue in bpf_preload.
> Warning: Permanently added '10.128.0.41' (ECDSA) to the list of known hosts.
> executing program
> executing program
> BUG: memory leak
> unreferenced object 0xffff888101b41d00 (size 120):
> comm "kworker/u4:0", pid 8, jiffies 4294944270 (age 12.780s)
> hex dump (first 32 bytes):
> 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> backtrace:
> [<ffffffff8125dc56>] alloc_pid+0x66/0x560 kernel/pid.c:180
> [<ffffffff81226405>] copy_process+0x1465/0x25e0 kernel/fork.c:2115
> [<ffffffff81227943>] kernel_clone+0xf3/0x670 kernel/fork.c:2493
> [<ffffffff812281a1>] kernel_thread+0x61/0x80 kernel/fork.c:2545
> [<ffffffff81253464>] call_usermodehelper_exec_work kernel/umh.c:172 [inline]
> [<ffffffff81253464>] call_usermodehelper_exec_work+0xc4/0x120 kernel/umh.c:158
> [<ffffffff812591c9>] process_one_work+0x2c9/0x600 kernel/workqueue.c:2275
> [<ffffffff81259ab9>] worker_thread+0x59/0x5d0 kernel/workqueue.c:2421
> [<ffffffff812611c8>] kthread+0x178/0x1b0 kernel/kthread.c:292
> [<ffffffff8100227f>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
>
> BUG: memory leak
> unreferenced object 0xffff888110ef5c00 (size 232):
> comm "kworker/u4:0", pid 8414, jiffies 4294944270 (age 12.780s)
> hex dump (first 32 bytes):
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> e0 b7 04 01 81 88 ff ff c0 56 ba 0f 81 88 ff ff .........V......
> backtrace:
> [<ffffffff8154a0cf>] kmem_cache_zalloc include/linux/slab.h:674 [inline]
> [<ffffffff8154a0cf>] __alloc_file+0x1f/0xf0 fs/file_table.c:101
> [<ffffffff8154a809>] alloc_empty_file+0x69/0x120 fs/file_table.c:150
> [<ffffffff8154a8f3>] alloc_file+0x33/0x1b0 fs/file_table.c:192
> [<ffffffff8154ab22>] alloc_file_pseudo+0xb2/0x140 fs/file_table.c:232
> [<ffffffff81559218>] create_pipe_files+0x138/0x2e0 fs/pipe.c:911
> [<ffffffff8126c793>] umd_setup+0x33/0x220 kernel/usermode_driver.c:104
> [<ffffffff81253574>] call_usermodehelper_exec_async+0xb4/0x1b0 kernel/umh.c:101
> [<ffffffff8100227f>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
>
> BUG: memory leak
> unreferenced object 0xffff888110cafc90 (size 24):
> comm "kworker/u4:0", pid 8414, jiffies 4294944270 (age 12.780s)
> hex dump (first 24 bytes):
> 00 00 00 00 00 00 00 00 b0 0e 94 00 81 88 ff ff ................
> 00 00 00 00 00 00 00 00 ........
> backtrace:
> [<ffffffff820e15ca>] kmem_cache_zalloc include/linux/slab.h:674 [inline]
> [<ffffffff820e15ca>] lsm_file_alloc security/security.c:569 [inline]
> [<ffffffff820e15ca>] security_file_alloc+0x2a/0xb0 security/security.c:1470
> [<ffffffff8154a10d>] __alloc_file+0x5d/0xf0 fs/file_table.c:106
> [<ffffffff8154a809>] alloc_empty_file+0x69/0x120 fs/file_table.c:150
> [<ffffffff8154a8f3>] alloc_file+0x33/0x1b0 fs/file_table.c:192
> [<ffffffff8154ab22>] alloc_file_pseudo+0xb2/0x140 fs/file_table.c:232
> [<ffffffff81559218>] create_pipe_files+0x138/0x2e0 fs/pipe.c:911
> [<ffffffff8126c793>] umd_setup+0x33/0x220 kernel/usermode_driver.c:104
> [<ffffffff81253574>] call_usermodehelper_exec_async+0xb4/0x1b0 kernel/umh.c:101
> [<ffffffff8100227f>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
>
> BUG: memory leak
> unreferenced object 0xffff888110ef5e00 (size 232):
> comm "kworker/u4:0", pid 8414, jiffies 4294944270 (age 12.780s)
> hex dump (first 32 bytes):
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> e0 b7 04 01 81 88 ff ff 00 59 ba 0f 81 88 ff ff .........Y......
> backtrace:
> [<ffffffff8154a0cf>] kmem_cache_zalloc include/linux/slab.h:674 [inline]
> [<ffffffff8154a0cf>] __alloc_file+0x1f/0xf0 fs/file_table.c:101
> [<ffffffff8154a809>] alloc_empty_file+0x69/0x120 fs/file_table.c:150
> [<ffffffff8154a8f3>] alloc_file+0x33/0x1b0 fs/file_table.c:192
> [<ffffffff8154ac22>] alloc_file_clone+0x22/0x70 fs/file_table.c:244
> [<ffffffff81559262>] create_pipe_files+0x182/0x2e0 fs/pipe.c:922
> [<ffffffff8126c80d>] umd_setup+0xad/0x220 kernel/usermode_driver.c:115
> [<ffffffff81253574>] call_usermodehelper_exec_async+0xb4/0x1b0 kernel/umh.c:101
> [<ffffffff8100227f>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
>
> BUG: memory leak
> unreferenced object 0xffff888110cafc18 (size 24):
> comm "kworker/u4:0", pid 8414, jiffies 4294944270 (age 12.780s)
> hex dump (first 24 bytes):
> 00 00 00 00 00 00 00 00 b0 0e 94 00 81 88 ff ff ................
> 00 00 00 00 00 00 00 00 ........
> backtrace:
> [<ffffffff820e15ca>] kmem_cache_zalloc include/linux/slab.h:674 [inline]
> [<ffffffff820e15ca>] lsm_file_alloc security/security.c:569 [inline]
> [<ffffffff820e15ca>] security_file_alloc+0x2a/0xb0 security/security.c:1470
> [<ffffffff8154a10d>] __alloc_file+0x5d/0xf0 fs/file_table.c:106
> [<ffffffff8154a809>] alloc_empty_file+0x69/0x120 fs/file_table.c:150
> [<ffffffff8154a8f3>] alloc_file+0x33/0x1b0 fs/file_table.c:192
> [<ffffffff8154ac22>] alloc_file_clone+0x22/0x70 fs/file_table.c:244
> [<ffffffff81559262>] create_pipe_files+0x182/0x2e0 fs/pipe.c:922
> [<ffffffff8126c80d>] umd_setup+0xad/0x220 kernel/usermode_driver.c:115
> [<ffffffff81253574>] call_usermodehelper_exec_async+0xb4/0x1b0 kernel/umh.c:101
> [<ffffffff8100227f>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
>
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> syzbot can test patches for this issue, for details see:
> https://goo.gl/tpsmEJ#testing-patches
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/000000000000c7910505bd889abc%40google.com.
parent reply other threads:[~2021-03-15 7:29 UTC|newest]
Thread overview: expand[flat|nested] mbox.gz Atom feed
[parent not found: <000000000000c7910505bd889abc@google.com>]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CACT4Y+Z+ph1d4gVhhDSYuRH67g7t211503JyeMbd+13bCKs7rw@mail.gmail.com \
--to=dvyukov@google.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=christian@brauner.io \
--cc=daniel@iogearbox.net \
--cc=ebiederm@xmission.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=minchan@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=oleg@redhat.com \
--cc=syzbot+44908bb56d2bfe56b28e@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).