From: Al Viro <viro@ZenIV.linux.org.uk>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: David Miller <davem@davemloft.net>,
netdev <netdev@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>,
Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
Eric Dumazet <edumazet@google.com>,
Willem de Bruijn <willemb@google.com>,
syzkaller <syzkaller@googlegroups.com>
Subject: Re: net: memory leak in socket
Date: Tue, 9 Jan 2018 18:53:51 +0000
Message-ID: <20180109185351.GE13338@ZenIV.linux.org.uk>
In-Reply-To: <CACT4Y+afcR2=wsmG_DObzG04JvVX-8X-4_zK4WYp1EAMhbbGEg@mail.gmail.com>
On Tue, Jan 09, 2018 at 07:39:50PM +0100, Dmitry Vyukov wrote:
> Hello,
>
> syzkaller has hit the following memory leak on 4.15-rc7:
>
> unreferenced object 0xffff88002713fb20 (size 16):
> comm "syz-executor3", pid 6576, jiffies 4295029354 (age 10.166s)
> hex dump (first 16 bytes):
> 69 6e 73 6d 6f 64 5f 74 00 00 d9 1c 00 88 ff ff insmod_t........
> backtrace:
> [<00000000da8d6b27>] kmemleak_alloc_recursive
> include/linux/kmemleak.h:55 [inline]
> [<00000000da8d6b27>] slab_post_alloc_hook mm/slab.h:440 [inline]
> [<00000000da8d6b27>] slab_alloc_node mm/slub.c:2725 [inline]
> [<00000000da8d6b27>] slab_alloc mm/slub.c:2733 [inline]
> [<00000000da8d6b27>] __kmalloc_track_caller+0x183/0x310 mm/slub.c:4290
> [<000000001aa62b7a>] kstrdup+0x39/0x70 mm/util.c:56
> [<00000000fa6a957e>] security_netlbl_sid_to_secattr+0xbc/0x1a0
> security/selinux/ss/services.c:3522
> [<0000000054674134>] selinux_netlbl_sock_genattr+0xef/0x410
> security/selinux/netlabel.c:94
> [<000000002338a05c>] selinux_netlbl_socket_post_create+0x79/0x160
> security/selinux/netlabel.c:341
> [<0000000059825908>] selinux_socket_post_create+0x37f/0xa60
> security/selinux/hooks.c:4399
> [<00000000fff6c966>] security_socket_post_create+0x8b/0xd0
> security/security.c:1344
> [<000000005786c830>] __sock_create+0x758/0x920 net/socket.c:1281
> [<00000000e7afba0a>] sock_create net/socket.c:1305 [inline]
> [<00000000e7afba0a>] SYSC_socket net/socket.c:1335 [inline]
> [<00000000e7afba0a>] SyS_socket+0x102/0x1f0 net/socket.c:1315
> [<000000007df77eb7>] entry_SYSCALL_64_fastpath+0x23/0x9a
> [<00000000921bbbd9>] 0xffffffffffffffff
>
> unreferenced object 0xffff88007c3bba80 (size 992):
> comm "syz-executor3", pid 6576, jiffies 4295029368 (age 10.153s)
> hex dump (first 32 bytes):
> 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
> 40 2e 5a 2c 00 88 ff ff 00 00 00 00 00 00 00 00 @.Z,............
> backtrace:
> [<00000000ff3d837a>] kmemleak_alloc_recursive
> include/linux/kmemleak.h:55 [inline]
> [<00000000ff3d837a>] slab_post_alloc_hook mm/slab.h:440 [inline]
> [<00000000ff3d837a>] slab_alloc_node mm/slub.c:2725 [inline]
> [<00000000ff3d837a>] slab_alloc mm/slub.c:2733 [inline]
> [<00000000ff3d837a>] kmem_cache_alloc+0x110/0x280 mm/slub.c:2738
> [<00000000d243ce94>] sock_alloc_inode+0x70/0x300 net/socket.c:250
> [<000000005a0b3852>] alloc_inode+0x65/0x190 fs/inode.c:208
> [<000000004af29540>] new_inode_pseudo+0x69/0x1a0 fs/inode.c:890
> [<0000000074cb6753>] sock_alloc+0x41/0x280 net/socket.c:569
> [<00000000cc5c2e64>] __sock_create+0x161/0x920 net/socket.c:1229
> [<00000000e7afba0a>] sock_create net/socket.c:1305 [inline]
> [<00000000e7afba0a>] SYSC_socket net/socket.c:1335 [inline]
> [<00000000e7afba0a>] SyS_socket+0x102/0x1f0 net/socket.c:1315
> [<000000007df77eb7>] entry_SYSCALL_64_fastpath+0x23/0x9a
> [<00000000921bbbd9>] 0xffffffffffffffff
>
> unreferenced object 0xffff88002c5a2e40 (size 128):
> comm "syz-executor3", pid 6576, jiffies 4295029368 (age 10.153s)
> hex dump (first 32 bytes):
> 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........
> ff ff ff ff ff ff ff ff c0 da db 88 ff ff ff ff ................
> backtrace:
> [<00000000696a590c>] kmemleak_alloc_recursive
> include/linux/kmemleak.h:55 [inline]
> [<00000000696a590c>] slab_post_alloc_hook mm/slab.h:440 [inline]
> [<00000000696a590c>] slab_alloc_node mm/slub.c:2725 [inline]
> [<00000000696a590c>] slab_alloc mm/slub.c:2733 [inline]
> [<00000000696a590c>] kmem_cache_alloc_trace+0x126/0x290 mm/slub.c:2750
> [<00000000551c8f10>] kmalloc include/linux/slab.h:499 [inline]
> [<00000000551c8f10>] sock_alloc_inode+0xb4/0x300 net/socket.c:253
> [<000000005a0b3852>] alloc_inode+0x65/0x190 fs/inode.c:208
> [<000000004af29540>] new_inode_pseudo+0x69/0x1a0 fs/inode.c:890
> [<0000000074cb6753>] sock_alloc+0x41/0x280 net/socket.c:569
> [<00000000cc5c2e64>] __sock_create+0x161/0x920 net/socket.c:1229
> [<00000000e7afba0a>] sock_create net/socket.c:1305 [inline]
> [<00000000e7afba0a>] SYSC_socket net/socket.c:1335 [inline]
> [<00000000e7afba0a>] SyS_socket+0x102/0x1f0 net/socket.c:1315
> [<000000007df77eb7>] entry_SYSCALL_64_fastpath+0x23/0x9a
> [<00000000921bbbd9>] 0xffffffffffffffff
>
> unreferenced object 0xffff88007310f680 (size 96):
> comm "syz-executor3", pid 6576, jiffies 4295029368 (age 10.153s)
> hex dump (first 32 bytes):
> b0 ba 3b 7c 00 88 ff ff 88 f6 10 73 00 88 ff ff ..;|.......s....
> 88 f6 10 73 00 88 ff ff dd 00 00 00 dd 00 00 00 ...s............
> backtrace:
> [<00000000ff3d837a>] kmemleak_alloc_recursive
> include/linux/kmemleak.h:55 [inline]
> [<00000000ff3d837a>] slab_post_alloc_hook mm/slab.h:440 [inline]
> [<00000000ff3d837a>] slab_alloc_node mm/slub.c:2725 [inline]
> [<00000000ff3d837a>] slab_alloc mm/slub.c:2733 [inline]
> [<00000000ff3d837a>] kmem_cache_alloc+0x110/0x280 mm/slub.c:2738
> [<00000000094ffa79>] kmem_cache_zalloc include/linux/slab.h:678 [inline]
> [<00000000094ffa79>] inode_alloc_security
> security/selinux/hooks.c:234 [inline]
> [<00000000094ffa79>] selinux_inode_alloc_security+0xf9/0x390
> security/selinux/hooks.c:2885
> [<0000000082b97b6d>] security_inode_alloc+0x92/0xe0 security/security.c:437
> [<000000009683bb60>] inode_init_always+0x64f/0xca0 fs/inode.c:167
> [<00000000a71f5b21>] alloc_inode+0x82/0x190 fs/inode.c:215
> [<000000004af29540>] new_inode_pseudo+0x69/0x1a0 fs/inode.c:890
> [<0000000074cb6753>] sock_alloc+0x41/0x280 net/socket.c:569
> [<00000000cc5c2e64>] __sock_create+0x161/0x920 net/socket.c:1229
> [<00000000e7afba0a>] sock_create net/socket.c:1305 [inline]
> [<00000000e7afba0a>] SYSC_socket net/socket.c:1335 [inline]
> [<00000000e7afba0a>] SyS_socket+0x102/0x1f0 net/socket.c:1315
> [<000000007df77eb7>] entry_SYSCALL_64_fastpath+0x23/0x9a
> [<00000000921bbbd9>] 0xffffffffffffffff
>
> unreferenced object 0xffff88007127bf00 (size 2528):
> comm "syz-executor3", pid 6576, jiffies 4295029368 (age 10.153s)
> hex dump (first 32 bytes):
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 02 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 ...@............
> backtrace:
> [<00000000ff3d837a>] kmemleak_alloc_recursive
> include/linux/kmemleak.h:55 [inline]
> [<00000000ff3d837a>] slab_post_alloc_hook mm/slab.h:440 [inline]
> [<00000000ff3d837a>] slab_alloc_node mm/slub.c:2725 [inline]
> [<00000000ff3d837a>] slab_alloc mm/slub.c:2733 [inline]
> [<00000000ff3d837a>] kmem_cache_alloc+0x110/0x280 mm/slub.c:2738
> [<0000000021d2cae7>] sk_prot_alloc+0x69/0x2f0 net/core/sock.c:1463
> [<0000000088be91b8>] sk_alloc+0x109/0x1740 net/core/sock.c:1523
> [<00000000bbd7f0e5>] inet_create+0x4f8/0x10a0 net/ipv4/af_inet.c:319
> [<00000000c0aa842f>] __sock_create+0x521/0x920 net/socket.c:1265
> [<00000000e7afba0a>] sock_create net/socket.c:1305 [inline]
> [<00000000e7afba0a>] SYSC_socket net/socket.c:1335 [inline]
> [<00000000e7afba0a>] SyS_socket+0x102/0x1f0 net/socket.c:1315
> [<000000007df77eb7>] entry_SYSCALL_64_fastpath+0x23/0x9a
> [<00000000921bbbd9>] 0xffffffffffffffff
>
>
>
> Reproducer:
>
> // autogenerated by syzkaller (http://github.com/google/syzkaller)
> #include <sys/time.h>
> #include <sys/resource.h>
> #include <sys/types.h>
> #include <sys/socket.h>
> #include <netinet/in.h>
> #include <arpa/inet.h>
>
> int main()
> {
> /* Drop the open-file limit to zero so that the socket(2) call below
> * allocates a struct socket but then fails in get_unused_fd_flags()
> * with EMFILE; that is the failure path that leaks the socket. */
> struct rlimit rlim;
> rlim.rlim_cur = 0;
> rlim.rlim_max = 0;
> setrlimit(RLIMIT_NOFILE, &rlim);
> socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
> return 0;
> }
Argh... Got broken by "make sock_alloc_file() do sock_release() on failures" -
cleanup after sock_map_fd() failure got pulled all the way into sock_alloc_file(),
but it used to serve the case when sock_map_fd() failed *before* getting to
sock_alloc_file().
Fixes: commit 8e1611e23579 (make sock_alloc_file() do sock_release() on failures)
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
diff --git a/net/socket.c b/net/socket.c
index bbd2e9ceb692..1536515b6437 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -430,8 +430,10 @@ static int sock_map_fd(struct socket *sock, int flags)
{
struct file *newfile;
int fd = get_unused_fd_flags(flags);
- if (unlikely(fd < 0))
+ if (unlikely(fd < 0)) {
+ sock_release(sock);
return fd;
+ }
newfile = sock_alloc_file(sock, flags, NULL);
if (likely(!IS_ERR(newfile))) {
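Review bot: the added sock_release() on the get_unused_fd_flags() failure closes the leak, but nothing in sock_map_fd() now documents that the socket is consumed on every return, success or failure, with the release split between this branch and sock_alloc_file()'s own failure path; add a comment above the function stating that callers must not call sock_release() after sock_map_fd() fails. The hunk as shown ends at `if (likely(!IS_ERR(newfile))) {`, so the IS_ERR(newfile) branch that relies on sock_alloc_file() having already released the socket is not visible here; that branch has to stay free of a second sock_release(), or this fix turns the leak into a double free.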
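The ownership rule Al describes above (sock_alloc_file() releases the socket when it fails, so sock_map_fd() has to release it only on the one failure that happens before sock_alloc_file() is reached) is easy to get wrong, and the kmemleak report is what that mistake looks like. The following is an added user-space model written for this page, not kernel code: the struct names, the `fixed` flag, the `nofile_limit` and `file_alloc_fails` parameters, the `live_sockets` counter and `leaked_after_socket()` are all assumptions made for the illustration. It builds the pre-patch and post-patch sock_map_fd() side by side and counts how many sockets stay live after a socket(2)-style call, with RLIMIT_NOFILE=0 modelled as get_unused_fd_flags() failing with -EMFILE.

```c
/* Added example, not the kernel's code: a user-space model of who owns the
 * struct socket on each failure path of sock_map_fd(). After commit
 * 8e1611e23579, sock_alloc_file() releases the socket itself when it fails;
 * the only failure that happens before it is reached is get_unused_fd_flags(),
 * and that is the path the patch fixes. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct socket { int dummy; };            /* stand-in for the kernel struct */
struct file   { struct socket *sock; };  /* stand-in for the kernel struct */

static int live_sockets;  /* what kmemleak would report as unreferenced */

static struct socket *sock_alloc(void)
{
    struct socket *s = calloc(1, sizeof *s);
    if (s)
        live_sockets++;
    return s;
}

static void sock_release(struct socket *s)
{
    if (!s)
        return;
    live_sockets--;
    free(s);
}

/* Model of get_unused_fd_flags(): RLIMIT_NOFILE=0 means no fd is available. */
static int get_unused_fd_flags(int nofile_limit)
{
    return nofile_limit > 0 ? 3 : -EMFILE;
}

/* Model of sock_alloc_file() after 8e1611e23579: on failure it releases the
 * socket before returning (the kernel returns an ERR_PTR; NULL is used here). */
static struct file *sock_alloc_file(struct socket *s, bool file_alloc_fails)
{
    struct file *f = file_alloc_fails ? NULL : calloc(1, sizeof *f);
    if (!f) {
        sock_release(s);
        return NULL;
    }
    f->sock = s;
    return f;
}

/* Model of the final fput() on close(2): the file owns the socket from here. */
static void fput(struct file *f)
{
    sock_release(f->sock);
    free(f);
}

/* sock_map_fd(): `fixed` selects pre-patch (false) or post-patch (true)
 * handling of the get_unused_fd_flags() failure. */
static int sock_map_fd(struct socket *s, int nofile_limit,
                       bool file_alloc_fails, bool fixed)
{
    int fd = get_unused_fd_flags(nofile_limit);
    if (fd < 0) {
        if (fixed)
            sock_release(s);  /* the release the patch adds */
        return fd;            /* pre-patch: the socket is leaked here */
    }
    struct file *f = sock_alloc_file(s, file_alloc_fails);
    if (!f)
        return -ENOMEM;       /* sock_alloc_file() already released it */
    fput(f);                  /* fd_install() + close(2), collapsed */
    return fd;
}

/* One socket(2)-style call; returns how many sockets are still live after it,
 * i.e. how many would show up in a kmemleak report. */
int leaked_after_socket(int nofile_limit, bool file_alloc_fails, bool fixed)
{
    live_sockets = 0;
    struct socket *s = sock_alloc();
    if (!s)
        return -1;
    sock_map_fd(s, nofile_limit, file_alloc_fails, fixed);
    return live_sockets;
}

int main(void)
{
    printf("RLIMIT_NOFILE=0, before fix: %d leaked\n", leaked_after_socket(0, false, false));
    printf("RLIMIT_NOFILE=0, after fix:  %d leaked\n", leaked_after_socket(0, false, true));
    printf("file alloc fails, after fix: %d leaked\n", leaked_after_socket(1, true, true));
    return 0;
}
```

The point the model makes is that a callee which consumes its argument on failure does nothing for failures that occur before the callee is called; each such earlier exit needs its own release, and that release must not be duplicated on the paths the callee already covers.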
Thread overview: 5+ messages
2018-01-09 18:39 net: memory leak in socket Dmitry Vyukov
2018-01-09 18:53 ` Al Viro [this message]
2018-01-09 18:58 ` Dmitry Vyukov
2018-01-09 20:53 ` Al Viro
2018-01-10 9:30 ` Sergei Shtylyov