Received: by 2002:a05:7412:d008:b0:f9:6acb:47ec with SMTP id bd8csp146120rdb; Tue, 19 Dec 2023 11:55:08 -0800 (PST) X-Google-Smtp-Source: AGHT+IFxcx/t+chBPPer9HASaBqYIG2NTMyk7CdilveCL1Aklc/ThpLtk0jyjsJxKvxfrD3O8mNp X-Received: by 2002:a17:906:86:b0:a1f:a6bf:4e5f with SMTP id 6-20020a170906008600b00a1fa6bf4e5fmr7289258ejc.151.1703015707933; Tue, 19 Dec 2023 11:55:07 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1703015707; cv=none; d=google.com; s=arc-20160816; b=O5TtHwz7EiTW0HAh/T3MlsZYWmk0L0um5c3f+znpSuruMQm0/QwfpIZvTxE0vvzUKW AiOx2/1OBwFEmGqg8xiknIiWQqtUvFBcV9G2q9q29qM4L289Z3+OfJpdagc+CFVeL/el nkTjfQh1ehO7FXQLkbi2y97JKS4mwOMl7g+msvDxpct7rrRoUw4HBKbqMDVfK6qgBVYF eAfECyipfYhbWoYL1v9J/sbmnpVJNJtpFSjAETEPQ++upmrAGX9pDTodKUck6hB+hHHr q4Hag/5SkiNnuTqMycUuvhF7S17aNuBu6K3MS7D7m3LyZoxa+38alt9UOIdGU3wwwJGS RI7A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:subject:references:in-reply-to :message-id:cc:to:from:date:dkim-signature; bh=HmwwUSeyrYCgHBvw5mHE/b1bJ1ioEpUS68KBkhFzJSo=; fh=NFPp1oM7D6UYAScp7XKkK/s2Aq+7oTp7T3bTuwjUQrM=; b=ASFEEJhm//QTfSwWJwZy0PrWX5aB84aJje73Vd9G2Sm5QDJ5xnH10Lx+epHBUu6KJt X9SVhwC0CZuxCI797IE/KmJav5v892OXtrJ0XyKQlN4hvlIyNaLou9CAt9NQm4RPi80N 03CXZF45DWIc5SLPNNUU862AHT0F7z+z3yqkn3tA9+8m7BEcXiUVukDczBENA4FNVdJ4 nXZDpD2iKZkTvTjTSipxAm14DRwRkAYdw9MwCd7PLFXTOMp7QbU2sk3KQfC2IFklLe90 3xlveEtoDSZDwwE+FsVfQ/j3aasrTNXksK8iGdZF1hDo16B0xnKxCbs1oJdDi3AycMiU FV3Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=b7qYD2Q9; spf=pass (google.com: domain of linux-kernel+bounces-5889-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-5889-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249]) by mx.google.com with ESMTPS id s2-20020a170906500200b00a1e269eba03si10977547ejj.593.2023.12.19.11.55.07 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 19 Dec 2023 11:55:07 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-5889-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=b7qYD2Q9; spf=pass (google.com: domain of linux-kernel+bounces-5889-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-5889-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 863801F250BD for ; Tue, 19 Dec 2023 19:55:07 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 9A69A39AD0; Tue, 19 Dec 2023 19:54:55 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="b7qYD2Q9" X-Original-To: linux-kernel@vger.kernel.org Received: from mail-pf1-f179.google.com (mail-pf1-f179.google.com [209.85.210.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id ED4A238FBE; Tue, 19 Dec 2023 19:54:52 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Received: by mail-pf1-f179.google.com with SMTP id d2e1a72fcca58-6d9344f30caso24443b3a.1; Tue, 19 Dec 2023 11:54:52 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1703015692; x=1703620492; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:subject:references :in-reply-to:message-id:cc:to:from:date:from:to:cc:subject:date :message-id:reply-to; bh=HmwwUSeyrYCgHBvw5mHE/b1bJ1ioEpUS68KBkhFzJSo=; b=b7qYD2Q931MOXAJno00mPYc+Ez35bRD2xNYGBcJKFoU472aLiYY2MZq/qa5zMCAXpO 1JMRCrOfYMimUeHtCZegxePsG1erNoc5KVj9JhXxGBNWceaPranYRi1Gyw1vVWiC/YkC tcOI+3YOwopnff0x+b68ZAi66SV3w7O+80KVTGTidhjHwXOpLErFQ7dtyygizgO7URLB Dz3UoEmO+NKndAAne1I8L1VSC+642KrY6O0rdL4DU5X3E9kAuzM0myQKFFSzm4iIA7O4 uSNWlp2mSnJjfst8NQCjt4cBA+HZLUznZKLDEQGhjY7MVOqxduymr97h0MIdnb+pC7iF FaMQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1703015692; x=1703620492; h=content-transfer-encoding:mime-version:subject:references :in-reply-to:message-id:cc:to:from:date:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=HmwwUSeyrYCgHBvw5mHE/b1bJ1ioEpUS68KBkhFzJSo=; b=Kal5UrA0YmhW00OBTYynlu1bD8G9A/C6ZqbFIlfukOAvzZwVSKRZJ5JNar7beB824Y UAhfycO+rASk8mTysvEenkpjQp6NOeksiZIPa18R5WHEZBfGJsIWOLC3wWtLnm4Ce0+k mbCgQ1QxnyR2L7RzBt4IOizGllIvNWBKISx8d5qmtsHA1hMq30l343htd4n6SZ+6nf9f vTYma5Urhby6fv+GR4Lp/f7jDVH0US99OwU8MNsXIk8aYCLIuCaxGnp5Zkv11OhYQrHe YPzEXQv79aUWTjBtlbALwVFHRYAhKdXT/TaNz3iEKgnc/A62DkzeFyfFoNmkTFK3zmDf rR8Q== X-Gm-Message-State: AOJu0Yz7JGBRn7tJj7EFew33FM+NmIJwpKeu2oAfoskEuP1ysz1JpIU2 xp1vNpf3+hNOv5Ye417gQl0= X-Received: by 2002:a05:6a00:27a4:b0:6cd:dc48:1fff with SMTP id bd36-20020a056a0027a400b006cddc481fffmr2413330pfb.0.1703015692173; Tue, 19 Dec 2023 11:54:52 -0800 (PST) Received: from localhost ([98.97.32.4]) by smtp.gmail.com with ESMTPSA id h21-20020a056a00171500b006d9367f57d1sm1739361pfc.88.2023.12.19.11.54.50 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 19 Dec 2023 11:54:51 -0800 (PST) Date: Tue, 19 Dec 2023 11:54:49 -0800 From: John Fastabend To: Kuniyuki Iwashima , xrivendell7@gmail.com Cc: alexander@mihalicyn.com, bpf@vger.kernel.org, daan.j.demeyer@gmail.com, davem@davemloft.net, dhowells@redhat.com, edumazet@google.com, john.fastabend@gmail.com, kuba@kernel.org, kuniyu@amazon.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, pabeni@redhat.com Message-ID: <6581f509a56ea_90e25208c7@john.notmuch> In-Reply-To: <20231219155057.12716-1-kuniyu@amazon.com> References: <20231219155057.12716-1-kuniyu@amazon.com> Subject: Re: memory leak in unix_create1/copy_process/security_prepare_creds Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Kuniyuki Iwashima wrote: > From: xingwei lee > Date: Tue, 19 Dec 2023 17:12:25 +0800 > > Hello I found a bug in net/af_unix in the lastest upstream linux > > 6.7.rc5 and comfired in lastest net/net-next/bpf/bpf-next tree. > > Titled "TITLE: memory leak in unix_create1=E2=80=9D and I also upload= the > > repro.c and repro.txt. > > = > > If you fix this issue, please add the following tag to the commit: > > Reported-by: xingwei Lee > = > Thanks for reporting! > = > It seems 8866730aed510 forgot to add sock_put(). > I've confirmed that the diff below silenced kmemleak but will check > more before posting a patch. Did it really silence the memleak? > = > ---8<--- > diff --git a/net/unix/unix_bpf.c b/net/unix/unix_bpf.c > index 7ea7c3a0d0d0..32daba9e7f8b 100644 > --- a/net/unix/unix_bpf.c > +++ b/net/unix/unix_bpf.c > @@ -164,6 +164,7 @@ int unix_stream_bpf_update_proto(struct sock *sk, s= truct sk_psock *psock, bool r > if (restore) { > sk->sk_write_space =3D psock->saved_write_space; > sock_replace_proto(sk, psock->sk_proto); > + sock_put(psock->sk_pair); > return 0; The reason the sock_put is not in this routine but in the sk_psock_destor= y is because we need to wait a RCU grace period for any pending queued BPF sends to also be flushed. > } > = > ---8<--- > = > Thanks! > = > = I'm also trying to understand how this adds up to unix_stream_bpf_update_proto() issue. The reproduce has a map_create followed by two map_delete() calls. I can't see how the unix socket ever got added to the BPF map and the deletes should be empty? > > = > > lastest net tree: 979e90173af8d2f52f671d988189aab98c6d1be6 > > Kernel config: https://syzkaller.appspot.com/text?tag=3DKernelConfig&= x=3D8c4e4700f1727d30 > > = > > in the lastest net tree, the crash like: > > Linux syzkaller 6.7.0-rc5-00172-g979e90173af8 #4 SMP PREEMPT_DYNAMIC > > Tue Dec 19 11:03:58 HKT 2023 x86_4 > > = > > TITLE: memory leak in security_prepare_creds > > [] copy_process+0x6aa/0x25c0 kernel/fork.c:2366 > > [] kernel_clone+0x11b/0x690 kernel/fork.c:2907 > > [] __do_sys_clone+0x7c/0xb0 kernel/fork.c:3050 > > [] do_syscall_x64 arch/x86/entry/common.c:52 [in= line] > > [] do_syscall_64+0x3f/0x110 arch/x86/entry/commo= n.c:83 > > [] entry_SYSCALL_64_after_hwframe+0x63/0x6b ... > > uint64_t r[1] =3D {0xffffffffffffffff}; > > = > > void execute_one(void) { > > intptr_t res =3D 0; > > syscall(__NR_socketpair, /*domain=3D*/1ul, /*type=3D*/1ul, /*proto=3D= */0, > > /*fds=3D*/0x20000000ul); > > *(uint32_t*)0x200000c0 =3D 0x12; > > *(uint32_t*)0x200000c4 =3D 2; > > *(uint32_t*)0x200000c8 =3D 4; > > *(uint32_t*)0x200000cc =3D 1; > > *(uint32_t*)0x200000d0 =3D 0; > > *(uint32_t*)0x200000d4 =3D -1; > > *(uint32_t*)0x200000d8 =3D 0; > > memset((void*)0x200000dc, 0, 16); > > *(uint32_t*)0x200000ec =3D 0; > > *(uint32_t*)0x200000f0 =3D -1; > > *(uint32_t*)0x200000f4 =3D 0; > > *(uint32_t*)0x200000f8 =3D 0; > > *(uint32_t*)0x200000fc =3D 0; > > *(uint64_t*)0x20000100 =3D 0; > > res =3D syscall(__NR_bpf, /*cmd=3D*/0ul, /*arg=3D*/0x200000c0ul, /*s= ize=3D*/0x48ul); mapfd =3D map_create( bpf_attr { SOCKHASH, 1 entry, 0 flags, ...} ) > > if (res !=3D -1) r[0] =3D res; > > *(uint32_t*)0x200003c0 =3D r[0]; > > *(uint64_t*)0x200003c8 =3D 0x20000040; > > *(uint64_t*)0x200003d0 =3D 0x20000000; > > *(uint64_t*)0x200003d8 =3D 0; > > syscall(__NR_bpf, /*cmd=3D*/2ul, /*arg=3D*/0x200003c0ul, /*size=3D*/= 0x20ul); map_delete(mapfd, key=3D0x20000040, value=3D0x20000000, flags =3D 0) > > *(uint32_t*)0x200003c0 =3D r[0]; > > *(uint64_t*)0x200003c8 =3D 0x20000040; > > *(uint64_t*)0x200003d0 =3D 0x20000000; > > *(uint64_t*)0x200003d8 =3D 0; > > syscall(__NR_bpf, /*cmd=3D*/2ul, /*arg=3D*/0x200003c0ul, /*size=3D*/= 0x20ul); map_delete(mapfd, key=3D0x20000040, value=3D0x20000000, flags =3D 0) so same as repro.txt below makes sense. But, if the sockets are never added to the sockhash then we never touched the proto from BPF side. And both of these deletes should return errors. > > } > > int main(void) { > > syscall(__NR_mmap, /*addr=3D*/0x1ffff000ul, /*len=3D*/0x1000ul, /*pr= ot=3D*/0ul, > > /*flags=3D*/0x32ul, /*fd=3D*/-1, /*offset=3D*/0ul); > > syscall(__NR_mmap, /*addr=3D*/0x20000000ul, /*len=3D*/0x1000000ul, /= *prot=3D*/7ul, > > /*flags=3D*/0x32ul, /*fd=3D*/-1, /*offset=3D*/0ul); > > syscall(__NR_mmap, /*addr=3D*/0x21000000ul, /*len=3D*/0x1000ul, /*pr= ot=3D*/0ul, > > /*flags=3D*/0x32ul, /*fd=3D*/-1, /*offset=3D*/0ul); > > setup_leak(); > > loop(); > > return 0; > > } > > = > > = > > = > > =3D* repro.txt =3D* > > socketpair(0x1, 0x1, 0x0, &(0x7f0000000000)) > > r0 =3D bpf$MAP_CREATE(0x0, &(0x7f00000000c0)=3D@base=3D{0x12, 0x2, 0x= 4, 0x1}, 0x48) > > bpf$MAP_DELETE_ELEM(0x2, &(0x7f00000003c0)=3D{r0, &(0x7f0000000040), > > 0x20000000}, 0x20) > > bpf$MAP_DELETE_ELEM(0x2, &(0x7f00000003c0)=3D{r0, &(0x7f0000000040), > > 0x20000000}, 0x20) So not making sense to me how we got to blaming the proto delete logic here. It doesn't look like we ever added the psock and configured the proto? Did a bisect really blame the mentioned patch? I can likely try here as well. Thanks, John=