Received: by 2002:a6b:fb09:0:0:0:0:0 with SMTP id h9csp5031552iog; Wed, 22 Jun 2022 10:29:56 -0700 (PDT) X-Google-Smtp-Source: AGRyM1v4S4y1cAkqbkG9xUivB97BoFHfHlcQmyibB1tSk61RUWxN0AJE0U0ClRvp9aeAvTP8+cwX X-Received: by 2002:a17:906:1018:b0:718:dd3f:f28c with SMTP id 24-20020a170906101800b00718dd3ff28cmr4313584ejm.55.1655918996198; Wed, 22 Jun 2022 10:29:56 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1655918996; cv=none; d=google.com; s=arc-20160816; b=TRA8rxMZc34crYwgQwiSFHCYQj/uPmHqpsBmZyL063F9UG8vXmhXXFYPgQBf+QJT/l jV0IDMehwPnWq7kPPkU35+xrAk9jZZWbOWIvYQcYOkRO65k3tDl8l0asWNraCiLWsUQj StnbhoQ2mXV3E3m94RoYlluKIThtllfCcdq14+U3ICxtM9LHE/sk/qq0zogBfMAk1/pV Ptw7sEkuh7ataTkgctzcVbKp38uE/5qp+z0y9+b7ojSl9nsWnuBz0Y5ZlWsQJkf7WYES M2EdytRt5ocFKdv+d2jZG/qZ2FqEAj8Pw64NQ/vE/Rh4bzw4191cVPUhQpMZCvp7s8IJ PkyA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=z3ics1vXtCv1CWOFU63eYT8qq3J7YULA3CRgWCYiG7s=; b=YGRm84ly0yoDTAzNYPQ3LYohx61mgPiMrYDKW9Gx+JxGTIbQ+9iMNBynrYyZJMkWpX vQZw/43zmEV9+06hq4w8lNwlYYSdAnSYiwJZBpplhvKcYzZMVCbg45W9LX/WnMpxkmS+ udkIwPT310uaMDnG92r5SeYBEnbIv2763qy8wxaVJD+JpDHagfVQ71bRZtVqunJiNKcN 6Til1WK06XpuNChXVI4O1u9VWU1TVUTSLFVWrY+t9csmgq9n6D2MYR39HZwyLYjQO9lj IOgWjUfMZ06ri5q4ihHS5Ki3FmnKo2EaqKnCJtWR+IGEG7E2ZyxcqGIUXsb6hlrQWKuW voxQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id 26-20020a17090600da00b006ff2b8755a6si6761663eji.393.2022.06.22.10.29.30; Wed, 22 Jun 2022 10:29:56 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1377302AbiFVRQ1 (ORCPT + 99 others); Wed, 22 Jun 2022 13:16:27 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54654 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1358257AbiFVRQ0 (ORCPT ); Wed, 22 Jun 2022 13:16:26 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2CF49B98 for ; Wed, 22 Jun 2022 10:16:25 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 88EFF61BF2 for ; Wed, 22 Jun 2022 17:16:24 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 96A3CC34114; Wed, 22 Jun 2022 17:16:22 +0000 (UTC) Date: Wed, 22 Jun 2022 18:16:18 +0100 From: Catalin Marinas To: "Eric W. Biederman" Cc: Alexey Gladkov , syzbot , linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com Subject: Re: [syzbot] memory leak in setup_mq_sysctls Message-ID: References: <000000000000f5004705e1db8bad@google.com> <8735fyhyvy.fsf@email.froward.int.ebiederm.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <8735fyhyvy.fsf@email.froward.int.ebiederm.org> X-Spam-Status: No, score=-6.7 required=5.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,RCVD_IN_DNSWL_HI,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jun 21, 2022 at 09:30:57AM -0500, Eric W. Biederman wrote: > Alexey Gladkov writes: > > On Sun, Jun 19, 2022 at 11:52:25PM -0700, syzbot wrote: > >> syzbot found the following issue on: > >> > >> HEAD commit: 979086f5e006 Merge tag 'fs.fixes.v5.19-rc3' of git://git.k.. > >> git tree: upstream > >> console output: https://syzkaller.appspot.com/x/log.txt?x=1284331bf00000 > >> kernel config: https://syzkaller.appspot.com/x/.config?x=c696a83383a77f81 > >> dashboard link: https://syzkaller.appspot.com/bug?extid=b4b0d1b35442afbf6fd2 > >> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 > >> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=163e740ff00000 > >> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=132b758bf00000 > >> > >> IMPORTANT: if you fix the issue, please add the following tag to the commit: > >> Reported-by: syzbot+b4b0d1b35442afbf6fd2@syzkaller.appspotmail.com > > > > I'm working on a fix that will remove this memory allocation entirely. [...] > Catalin is it possible that the clever use of ctl_table_arg to hold the > reference to the table before it is freed is confusing the memory leak > detector? The idiom is old enough I don't expect so, but I have seen > bugs lurk for a long time. As long as the addresses are not obfuscated and can be reached from some root object (e.g. in the .data/.bss section), there shouldn't be a problem. There are some occasional brief false positives as kmemleak doesn't stop the world during scanning but IIRC syszbot does the scanning twice to reduce them. Some comments in the traces below: > >> backtrace: > >> [] kmemdup+0x23/0x50 mm/util.c:129 > >> [] kmemdup include/linux/fortify-string.h:456 [inline] > >> [] setup_mq_sysctls+0x4b/0x1c0 ipc/mq_sysctl.c:89 This one allocate a struct ctl_table. > >> backtrace: > >> [] kmalloc include/linux/slab.h:605 [inline] > >> [] kzalloc include/linux/slab.h:733 [inline] > >> [] __register_sysctl_table+0x7b/0x7f0 fs/proc/proc_sysctl.c:1344 > >> [] setup_mq_sysctls+0x12a/0x1c0 ipc/mq_sysctl.c:112 This allocates struct ctl_table_header and IIUC, it stores a pointer to the table allocated above. So if this one leaks, the ctl_table object would also be reported as a leak. > >> backtrace: > >> [] kmalloc include/linux/slab.h:605 [inline] > >> [] kzalloc include/linux/slab.h:733 [inline] > >> [] new_dir fs/proc/proc_sysctl.c:978 [inline] > >> [] get_subdir fs/proc/proc_sysctl.c:1022 [inline] > >> [] __register_sysctl_table+0x5a9/0x7f0 fs/proc/proc_sysctl.c:1373 > >> [] setup_mq_sysctls+0x12a/0x1c0 ipc/mq_sysctl.c:112 [...] > >> backtrace: > >> [] kmalloc include/linux/slab.h:605 [inline] > >> [] kzalloc include/linux/slab.h:733 [inline] > >> [] new_dir fs/proc/proc_sysctl.c:978 [inline] > >> [] get_subdir fs/proc/proc_sysctl.c:1022 [inline] > >> [] __register_sysctl_table+0x5a9/0x7f0 fs/proc/proc_sysctl.c:1373 > >> [] setup_mq_sysctls+0x12a/0x1c0 ipc/mq_sysctl.c:112 These two places allocate a struct ctl_dir. Are the ctl_dir objects supposed to have a pointer to the previously allocated header or the other way around? At a quick look, I think it's the latter as insert_header() stores 'dir' into header->parent. Anyway, for some reason kmemleak cannot reach the ctl_dir or ctl_table_header objects. If one refers the other, we should focus on tracking down the parent object. I'll stare at the code a bit more tomorrow. -- Catalin