2024-02-17 08:12:50

by Baokun Li

Subject: [PATCH RESEND] cachefiles: fix memory leak in cachefiles_add_cache()

The following memory leak was reported after unbinding /dev/cachefiles:

==================================================================
unreferenced object 0xffff9b674176e3c0 (size 192):
comm "cachefilesd2", pid 680, jiffies 4294881224
hex dump (first 32 bytes):
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc ea38a44b):
[<ffffffff8eb8a1a5>] kmem_cache_alloc+0x2d5/0x370
[<ffffffff8e917f86>] prepare_creds+0x26/0x2e0
[<ffffffffc002eeef>] cachefiles_determine_cache_security+0x1f/0x120
[<ffffffffc00243ec>] cachefiles_add_cache+0x13c/0x3a0
[<ffffffffc0025216>] cachefiles_daemon_write+0x146/0x1c0
[<ffffffff8ebc4a3b>] vfs_write+0xcb/0x520
[<ffffffff8ebc5069>] ksys_write+0x69/0xf0
[<ffffffff8f6d4662>] do_syscall_64+0x72/0x140
[<ffffffff8f8000aa>] entry_SYSCALL_64_after_hwframe+0x6e/0x76
==================================================================

Put the reference count of cache_cred in cachefiles_daemon_unbind() to
fix the problem. And also put cache_cred in cachefiles_add_cache() error
branch to avoid memory leaks.

Fixes: 9ae326a69004 ("CacheFiles: A cache that backs onto a mounted filesystem")
CC: [email protected]
Signed-off-by: Baokun Li <[email protected]>
---
fs/cachefiles/cache.c | 2 ++
fs/cachefiles/daemon.c | 1 +
2 files changed, 3 insertions(+)

diff --git a/fs/cachefiles/cache.c b/fs/cachefiles/cache.c
index 7077f72e6f47..f449f7340aad 100644
--- a/fs/cachefiles/cache.c
+++ b/fs/cachefiles/cache.c
@@ -168,6 +168,8 @@ int cachefiles_add_cache(struct cachefiles_cache *cache)
dput(root);
error_open_root:
cachefiles_end_secure(cache, saved_cred);
+ put_cred(cache->cache_cred);
+ cache->cache_cred = NULL;
error_getsec:
fscache_relinquish_cache(cache_cookie);
cache->cache = NULL;
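Review bot: the `cache->cache_cred = NULL;` after the put is load-bearing rather than cosmetic, because the daemon.c hunk makes cachefiles_daemon_unbind() call put_cred(cache->cache_cred) as well; if unbind can run after a failed cachefiles_add_cache(), the NULL is what turns that second put into a no-op instead of a double drop (put_cred() tolerates NULL). Ordering also looks right: the put comes after cachefiles_end_secure(cache, saved_cred), so cache_cred has stopped being the active credential before its reference goes away. Note that error_getsec below skips this put, which is correct only if every jump to it happens before cache_cred is allocated; a short comment above put_cred() saying so would save the next reader from checking.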
diff --git a/fs/cachefiles/daemon.c b/fs/cachefiles/daemon.c
index 3f24905f4066..6465e2574230 100644
--- a/fs/cachefiles/daemon.c
+++ b/fs/cachefiles/daemon.c
@@ -816,6 +816,7 @@ static void cachefiles_daemon_unbind(struct cachefiles_cache *cache)
cachefiles_put_directory(cache->graveyard);
cachefiles_put_directory(cache->store);
mntput(cache->mnt);
+ put_cred(cache->cache_cred);

kfree(cache->rootdirname);
kfree(cache->secctx);
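Review bot: this put leaves cache->cache_cred dangling, unlike the cache.c hunk, which clears the pointer after its put_cred(); if the cachefiles_cache object can outlive unbind or unbind can run twice, follow it with `cache->cache_cred = NULL;` so a repeat is a harmless NULL put rather than a use of freed memory. If the struct is always freed right after unbind, a one-line comment to that effect would explain the asymmetry.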
--
2.31.1
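A userspace model of the reference ownership this patch restores, added here as an example and not part of the patch or the kernel. The struct and function names mirror the hunks, but the bodies, the live-object counter and the assumption that unbind runs even after a failed bind are constructed for the model:

```c
#include <stdlib.h>
/* Constructed userspace model of the cache_cred lifecycle in this patch, not
 * kernel code: prepare_creds() hands out one reference, put_cred() drops one. */
struct cred { int usage; };
static int live_creds;                     /* allocated and not yet freed */
static struct cred *prepare_creds(void) {
	struct cred *c = malloc(sizeof(*c));
	if (c) { c->usage = 1; live_creds++; }
	return c;
}

static void put_cred(struct cred *c) {
	if (!c)                                /* NULL-safe, like the kernel helper */
		return;
	if (--c->usage == 0) { free(c); live_creds--; }
}

struct cachefiles_cache { struct cred *cache_cred; int ready; };
/* Bind: allocate cache_cred, then possibly fail at a later setup step.
 * 'patched' selects whether the error branch added by the patch is present. */
static int cachefiles_add_cache(struct cachefiles_cache *cache, int fail_later, int patched) {
	cache->cache_cred = prepare_creds();
	if (!cache->cache_cred)
		return -1;
	if (fail_later) {
		if (patched) {                     /* the error_open_root: branch */
			put_cred(cache->cache_cred);
			cache->cache_cred = NULL;      /* so a later unbind cannot put twice */
		}
		return -1;
	}
	cache->ready = 1;
	return 0;
}

/* Assumed here: unbind runs on daemon release whether or not bind succeeded. */
static void cachefiles_daemon_unbind(struct cachefiles_cache *cache, int patched) {
	if (patched)
		put_cred(cache->cache_cred);       /* NULL after a failed bind: no-op */
	cache->ready = 0;
}

/* One bind/unbind cycle; returns how many cred objects were leaked. */
int leaked_creds(int fail_later, int patched) {
	struct cachefiles_cache cache = { NULL, 0 };
	live_creds = 0;
	cachefiles_add_cache(&cache, fail_later, patched);
	cachefiles_daemon_unbind(&cache, patched);
	return live_creds;
}
```

Both unpatched paths (successful bind, bind that fails after cachefiles_determine_cache_security) leak one cred per cycle; with both hunks applied the count is zero, and the NULL assignment is what keeps the failed-bind case from putting twice.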



2024-02-18 03:21:10

by Jingbo Xu

Subject: Re: [PATCH RESEND] cachefiles: fix memory leak in cachefiles_add_cache()



On 2/17/24 4:14 PM, Baokun Li wrote:
> The following memory leak was reported after unbinding /dev/cachefiles:
>
> ==================================================================
> unreferenced object 0xffff9b674176e3c0 (size 192):
> comm "cachefilesd2", pid 680, jiffies 4294881224
> hex dump (first 32 bytes):
> 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> backtrace (crc ea38a44b):
> [<ffffffff8eb8a1a5>] kmem_cache_alloc+0x2d5/0x370
> [<ffffffff8e917f86>] prepare_creds+0x26/0x2e0
> [<ffffffffc002eeef>] cachefiles_determine_cache_security+0x1f/0x120
> [<ffffffffc00243ec>] cachefiles_add_cache+0x13c/0x3a0
> [<ffffffffc0025216>] cachefiles_daemon_write+0x146/0x1c0
> [<ffffffff8ebc4a3b>] vfs_write+0xcb/0x520
> [<ffffffff8ebc5069>] ksys_write+0x69/0xf0
> [<ffffffff8f6d4662>] do_syscall_64+0x72/0x140
> [<ffffffff8f8000aa>] entry_SYSCALL_64_after_hwframe+0x6e/0x76
> ==================================================================
>
> Put the reference count of cache_cred in cachefiles_daemon_unbind() to
> fix the problem. And also put cache_cred in cachefiles_add_cache() error
> branch to avoid memory leaks.
>
> Fixes: 9ae326a69004 ("CacheFiles: A cache that backs onto a mounted filesystem")
> CC: [email protected]
> Signed-off-by: Baokun Li <[email protected]>

LGTM.

Reviewed-by: Jingbo Xu <[email protected]>


> ---
> fs/cachefiles/cache.c | 2 ++
> fs/cachefiles/daemon.c | 1 +
> 2 files changed, 3 insertions(+)
>
> diff --git a/fs/cachefiles/cache.c b/fs/cachefiles/cache.c
> index 7077f72e6f47..f449f7340aad 100644
> --- a/fs/cachefiles/cache.c
> +++ b/fs/cachefiles/cache.c
> @@ -168,6 +168,8 @@ int cachefiles_add_cache(struct cachefiles_cache *cache)
> dput(root);
> error_open_root:
> cachefiles_end_secure(cache, saved_cred);
> + put_cred(cache->cache_cred);
> + cache->cache_cred = NULL;
> error_getsec:
> fscache_relinquish_cache(cache_cookie);
> cache->cache = NULL;
> diff --git a/fs/cachefiles/daemon.c b/fs/cachefiles/daemon.c
> index 3f24905f4066..6465e2574230 100644
> --- a/fs/cachefiles/daemon.c
> +++ b/fs/cachefiles/daemon.c
> @@ -816,6 +816,7 @@ static void cachefiles_daemon_unbind(struct cachefiles_cache *cache)
> cachefiles_put_directory(cache->graveyard);
> cachefiles_put_directory(cache->store);
> mntput(cache->mnt);
> + put_cred(cache->cache_cred);
>
> kfree(cache->rootdirname);
> kfree(cache->secctx);

--
Thanks,
Jingbo

2024-02-18 14:42:35

by Jeffrey Layton

Subject: Re: [PATCH RESEND] cachefiles: fix memory leak in cachefiles_add_cache()

On Sat, 2024-02-17 at 16:14 +0800, Baokun Li wrote:
> The following memory leak was reported after unbinding /dev/cachefiles:
>
> ==================================================================
> unreferenced object 0xffff9b674176e3c0 (size 192):
> comm "cachefilesd2", pid 680, jiffies 4294881224
> hex dump (first 32 bytes):
> 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> backtrace (crc ea38a44b):
> [<ffffffff8eb8a1a5>] kmem_cache_alloc+0x2d5/0x370
> [<ffffffff8e917f86>] prepare_creds+0x26/0x2e0
> [<ffffffffc002eeef>] cachefiles_determine_cache_security+0x1f/0x120
> [<ffffffffc00243ec>] cachefiles_add_cache+0x13c/0x3a0
> [<ffffffffc0025216>] cachefiles_daemon_write+0x146/0x1c0
> [<ffffffff8ebc4a3b>] vfs_write+0xcb/0x520
> [<ffffffff8ebc5069>] ksys_write+0x69/0xf0
> [<ffffffff8f6d4662>] do_syscall_64+0x72/0x140
> [<ffffffff8f8000aa>] entry_SYSCALL_64_after_hwframe+0x6e/0x76
> ==================================================================
>
> Put the reference count of cache_cred in cachefiles_daemon_unbind() to
> fix the problem. And also put cache_cred in cachefiles_add_cache() error
> branch to avoid memory leaks.
>
> Fixes: 9ae326a69004 ("CacheFiles: A cache that backs onto a mounted filesystem")
> CC: [email protected]
> Signed-off-by: Baokun Li <[email protected]>
> ---
> fs/cachefiles/cache.c | 2 ++
> fs/cachefiles/daemon.c | 1 +
> 2 files changed, 3 insertions(+)
>
> diff --git a/fs/cachefiles/cache.c b/fs/cachefiles/cache.c
> index 7077f72e6f47..f449f7340aad 100644
> --- a/fs/cachefiles/cache.c
> +++ b/fs/cachefiles/cache.c
> @@ -168,6 +168,8 @@ int cachefiles_add_cache(struct cachefiles_cache *cache)
> dput(root);
> error_open_root:
> cachefiles_end_secure(cache, saved_cred);
> + put_cred(cache->cache_cred);
> + cache->cache_cred = NULL;
> error_getsec:
> fscache_relinquish_cache(cache_cookie);
> cache->cache = NULL;
> diff --git a/fs/cachefiles/daemon.c b/fs/cachefiles/daemon.c
> index 3f24905f4066..6465e2574230 100644
> --- a/fs/cachefiles/daemon.c
> +++ b/fs/cachefiles/daemon.c
> @@ -816,6 +816,7 @@ static void cachefiles_daemon_unbind(struct cachefiles_cache *cache)
> cachefiles_put_directory(cache->graveyard);
> cachefiles_put_directory(cache->store);
> mntput(cache->mnt);
> + put_cred(cache->cache_cred);
>
> kfree(cache->rootdirname);
> kfree(cache->secctx);

Looks reasonable to me too. Nice catch:

Reviewed-by: Jeff Layton <[email protected]>

2024-02-19 13:02:50

by David Howells

Subject: Re: [PATCH RESEND] cachefiles: fix memory leak in cachefiles_add_cache()

Hi Christian,

Could you take this through your VFS tree please?

> The following memory leak was reported after unbinding /dev/cachefiles:
>
> ==================================================================
> unreferenced object 0xffff9b674176e3c0 (size 192):
> comm "cachefilesd2", pid 680, jiffies 4294881224
> hex dump (first 32 bytes):
> 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> backtrace (crc ea38a44b):
> [<ffffffff8eb8a1a5>] kmem_cache_alloc+0x2d5/0x370
> [<ffffffff8e917f86>] prepare_creds+0x26/0x2e0
> [<ffffffffc002eeef>] cachefiles_determine_cache_security+0x1f/0x120
> [<ffffffffc00243ec>] cachefiles_add_cache+0x13c/0x3a0
> [<ffffffffc0025216>] cachefiles_daemon_write+0x146/0x1c0
> [<ffffffff8ebc4a3b>] vfs_write+0xcb/0x520
> [<ffffffff8ebc5069>] ksys_write+0x69/0xf0
> [<ffffffff8f6d4662>] do_syscall_64+0x72/0x140
> [<ffffffff8f8000aa>] entry_SYSCALL_64_after_hwframe+0x6e/0x76
> ==================================================================
>
> Put the reference count of cache_cred in cachefiles_daemon_unbind() to
> fix the problem. And also put cache_cred in cachefiles_add_cache() error
> branch to avoid memory leaks.
>
> Fixes: 9ae326a69004 ("CacheFiles: A cache that backs onto a mounted filesystem")
> CC: [email protected]
> Signed-off-by: Baokun Li <[email protected]>

and add:

Reviewed-by: Jingbo Xu <[email protected]>
Reviewed-by: Jeff Layton <[email protected]>
Acked-by: David Howells <[email protected]>


2024-02-20 08:47:21

by Christian Brauner

Subject: Re: [PATCH RESEND] cachefiles: fix memory leak in cachefiles_add_cache()

On Sat, 17 Feb 2024 16:14:31 +0800, Baokun Li wrote:
> The following memory leak was reported after unbinding /dev/cachefiles:
>
> ==================================================================
> unreferenced object 0xffff9b674176e3c0 (size 192):
> comm "cachefilesd2", pid 680, jiffies 4294881224
> hex dump (first 32 bytes):
> 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> backtrace (crc ea38a44b):
> [<ffffffff8eb8a1a5>] kmem_cache_alloc+0x2d5/0x370
> [<ffffffff8e917f86>] prepare_creds+0x26/0x2e0
> [<ffffffffc002eeef>] cachefiles_determine_cache_security+0x1f/0x120
> [<ffffffffc00243ec>] cachefiles_add_cache+0x13c/0x3a0
> [<ffffffffc0025216>] cachefiles_daemon_write+0x146/0x1c0
> [<ffffffff8ebc4a3b>] vfs_write+0xcb/0x520
> [<ffffffff8ebc5069>] ksys_write+0x69/0xf0
> [<ffffffff8f6d4662>] do_syscall_64+0x72/0x140
> [<ffffffff8f8000aa>] entry_SYSCALL_64_after_hwframe+0x6e/0x76
> ==================================================================
>
> [...]

Sorry for the delay, David.

---

Applied to the vfs.fixes branch of the vfs/vfs.git tree.
Patches in the vfs.fixes branch should appear in linux-next soon.

Please report any outstanding bugs that were missed during review in a
new review to the original patch series allowing us to drop it.

It's encouraged to provide Acked-bys and Reviewed-bys even though the
patch has now been applied. If possible patch trailers will be updated.

Note that commit hashes shown below are subject to change due to rebase,
trailer updates or similar. If in doubt, please check the listed branch.

tree: https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git
branch: vfs.fixes

[1/1] cachefiles: fix memory leak in cachefiles_add_cache()
https://git.kernel.org/vfs/vfs/c/e21a2f17566c