Received: by 2002:a05:7412:37c9:b0:e2:908c:2ebd with SMTP id jz9csp1613034rdb; Wed, 20 Sep 2023 14:26:26 -0700 (PDT) X-Google-Smtp-Source: AGHT+IFykAEPzPljbgMQ5aQEne2WJwYdRAFOwNbLLTFc1/3NykhknZoRrqbPgihN5hj5s33R3tD6 X-Received: by 2002:a17:902:ced2:b0:1bc:5e50:9345 with SMTP id d18-20020a170902ced200b001bc5e509345mr4016032plg.50.1695245185684; Wed, 20 Sep 2023 14:26:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1695245185; cv=none; d=google.com; s=arc-20160816; b=Uuc18pHyPFBxTWbgpb3EbqWr2vV0WSc1nHnTwPyout9cOUZQQnvz/zqvQ55+xUsVvY 4lpoDaFN9Twgf9chNMfTZGhRxfx8lo3lY2wWAYRzXSXHT2TwLkKE1Lfcbjpez43bpcqo sU6zaJCw2C+enpHYesfNeNLQ/A585MfV1doV0WJj6rAEOOo2BkEhF/1i1MHlVTPfRuRr WFoBmsJRmZdIkrJGNtMxE03Bj4HU9ykLkdQieQwmRU9c2b+RZ8yyoFzABy1l32qwuTYG jqlfsvjX/btBhJBHx9/S17lImaWnf6wtH905AOZmYDoaOi16HVY7wQWsbRWHP+YTBL4B rrHQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=jEEeLZLXwYnJULKPI0eYCU9izt3LSF3bxQksK1K3Iaw=; fh=qORY6oz+QcxsW6LzUP5u7Znz+xr4jILL/t6OKjtJU14=; b=lY9b0mPTqA908dAmQIWCQchIExOxGfHxofsMqAW5VTrAzDfiO0MiHaYp1HVHGVCYIz RAdJYYn0Yr8HiAfrCp2o0afhwQLEKgwyoPFmjanl6cwnaOBHS6cqS0BBTkZyrWDqpf04 vB4BFEHiTX3I2tmNCJBjulfVJoLJ2GJcz5NfK/cAMx2DhtRe7847UtFLu+m0NGk9Uj3D dYzD1ADAU/90ENArpKzAE8TSO5rjb6xKgPD2mKtal66bEOwYNrv3ky3cf65LtbuODJVK ZEDO4dMfTd9Mi85BfYGaD6PI+pMa/NAMgb+IFMDgxMFJS2YsicqkPu/u4MygACwF+6yI RdjA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=uqPrVtb2; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:8 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from fry.vger.email (fry.vger.email. [2620:137:e000::3:8]) by mx.google.com with ESMTPS id n3-20020a170903110300b001bb993caaedsi13499942plh.173.2023.09.20.14.26.25 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 20 Sep 2023 14:26:25 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:8 as permitted sender) client-ip=2620:137:e000::3:8; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=uqPrVtb2; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:8 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by fry.vger.email (Postfix) with ESMTP id A05EC802D15B; Wed, 20 Sep 2023 05:43:45 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at fry.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236202AbjITMnq (ORCPT + 99 others); Wed, 20 Sep 2023 08:43:46 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40592 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235865AbjITMno (ORCPT ); Wed, 20 Sep 2023 08:43:44 -0400 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8B79192; Wed, 20 Sep 2023 05:43:37 -0700 (PDT) Received: by smtp.kernel.org (Postfix) with ESMTPSA id AABF6C433C8; Wed, 20 Sep 2023 12:43:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1695213817; bh=1lsykaBiC2ne8L48egVY6hjV0FSbNOuPb96blJ1MO/c=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=uqPrVtb2sXZk7IyKJw+acox9WTiVznumufUnveonTUkj5Yma7YqJwHz2fYLsmhqCq wKX5qCBC9mNDBur0ofFytP6LhoST/YafZh/An1mjq0NpNEXQa6liJYL5t0KZrzaUQ7 EwQvrc2t4pn9aokZjqgyguv3UAeQZR7qVn65Okxc= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, syzbot+5e53f70e69ff0c0a1c0c@syzkaller.appspotmail.com, Takeshi Misawa , Fedor Pchelkin , Alexey Khoroshilov , Ian Kent , Matthew Wilcox , Andrei Vagin , autofs@vger.kernel.org, linux-kernel@vger.kernel.org, Christian Brauner , Sasha Levin Subject: [PATCH 5.15 001/110] autofs: fix memory leak of waitqueues in autofs_catatonic_mode Date: Wed, 20 Sep 2023 13:30:59 +0200 Message-ID: <20230920112830.432240248@linuxfoundation.org> X-Mailer: git-send-email 2.42.0 In-Reply-To: <20230920112830.377666128@linuxfoundation.org> References: <20230920112830.377666128@linuxfoundation.org> User-Agent: quilt/0.67 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on fry.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (fry.vger.email [0.0.0.0]); Wed, 20 Sep 2023 05:43:45 -0700 (PDT) 5.15-stable review patch. If anyone has any objections, please let me know. ------------------ From: Fedor Pchelkin [ Upstream commit ccbe77f7e45dfb4420f7f531b650c00c6e9c7507 ] Syzkaller reports a memory leak: BUG: memory leak unreferenced object 0xffff88810b279e00 (size 96): comm "syz-executor399", pid 3631, jiffies 4294964921 (age 23.870s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 08 9e 27 0b 81 88 ff ff ..........'..... 08 9e 27 0b 81 88 ff ff 00 00 00 00 00 00 00 00 ..'............. backtrace: [] kmalloc_trace+0x20/0x90 mm/slab_common.c:1046 [] kmalloc include/linux/slab.h:576 [inline] [] autofs_wait+0x3fa/0x9a0 fs/autofs/waitq.c:378 [] autofs_do_expire_multi+0xa7/0x3e0 fs/autofs/expire.c:593 [] autofs_expire_multi+0x53/0x80 fs/autofs/expire.c:619 [] autofs_root_ioctl_unlocked+0x322/0x3b0 fs/autofs/root.c:897 [] autofs_root_ioctl+0x25/0x30 fs/autofs/root.c:910 [] vfs_ioctl fs/ioctl.c:51 [inline] [] __do_sys_ioctl fs/ioctl.c:870 [inline] [] __se_sys_ioctl fs/ioctl.c:856 [inline] [] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:856 [] do_syscall_x64 arch/x86/entry/common.c:50 [inline] [] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 [] entry_SYSCALL_64_after_hwframe+0x63/0xcd autofs_wait_queue structs should be freed if their wait_ctr becomes zero. Otherwise they will be lost. In this case an AUTOFS_IOC_EXPIRE_MULTI ioctl is done, then a new waitqueue struct is allocated in autofs_wait(), its initial wait_ctr equals 2. After that wait_event_killable() is interrupted (it returns -ERESTARTSYS), so that 'wq->name.name == NULL' condition may be not satisfied. Actually, this condition can be satisfied when autofs_wait_release() or autofs_catatonic_mode() is called and, what is also important, wait_ctr is decremented in those places. Upon the exit of autofs_wait(), wait_ctr is decremented to 1. Then the unmounting process begins: kill_sb calls autofs_catatonic_mode(), which should have freed the waitqueues, but it only decrements its usage counter to zero which is not a correct behaviour. edit:imk This description is of course not correct. The umount performed as a result of an expire is a umount of a mount that has been automounted, it's not the autofs mount itself. They happen independently, usually after everything mounted within the autofs file system has been expired away. If everything hasn't been expired away the automount daemon can still exit leaving mounts in place. But expires done in both cases will result in a notification that calls autofs_wait_release() with a result status. The problem case is the summary execution of of the automount daemon. In this case any waiting processes won't be woken up until either they are terminated or the mount is umounted. end edit: imk So in catatonic mode we should free waitqueues which counter becomes zero. edit: imk Initially I was concerned that the calling of autofs_wait_release() and autofs_catatonic_mode() was not mutually exclusive but that can't be the case (obviously) because the queue entry (or entries) is removed from the list when either of these two functions are called. Consequently the wait entry will be freed by only one of these functions or by the woken process in autofs_wait() depending on the order of the calls. end edit: imk Reported-by: syzbot+5e53f70e69ff0c0a1c0c@syzkaller.appspotmail.com Suggested-by: Takeshi Misawa Signed-off-by: Fedor Pchelkin Signed-off-by: Alexey Khoroshilov Signed-off-by: Ian Kent Cc: Matthew Wilcox Cc: Andrei Vagin Cc: autofs@vger.kernel.org Cc: linux-kernel@vger.kernel.org Message-Id: <169112719161.7590.6700123246297365841.stgit@donald.themaw.net> Signed-off-by: Christian Brauner Signed-off-by: Sasha Levin --- fs/autofs/waitq.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/autofs/waitq.c b/fs/autofs/waitq.c index 54c1f8b8b0757..efdc76732faed 100644 --- a/fs/autofs/waitq.c +++ b/fs/autofs/waitq.c @@ -32,8 +32,9 @@ void autofs_catatonic_mode(struct autofs_sb_info *sbi) wq->status = -ENOENT; /* Magic is gone - report failure */ kfree(wq->name.name - wq->offset); wq->name.name = NULL; - wq->wait_ctr--; wake_up_interruptible(&wq->queue); + if (!--wq->wait_ctr) + kfree(wq); wq = nwq; } fput(sbi->pipe); /* Close the pipe */ -- 2.40.1