From: Al Viro <viro@ZenIV.linux.org.uk>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: David Miller <davem@davemloft.net>,
netdev <netdev@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>,
Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
Eric Dumazet <edumazet@google.com>,
Willem de Bruijn <willemb@google.com>,
syzkaller <syzkaller@googlegroups.com>
Subject: Re: net: memory leak in socket
Date: Tue, 9 Jan 2018 18:53:51 +0000 [thread overview]
Message-ID: <20180109185351.GE13338@ZenIV.linux.org.uk> (raw)
In-Reply-To: <CACT4Y+afcR2=wsmG_DObzG04JvVX-8X-4_zK4WYp1EAMhbbGEg@mail.gmail.com>
On Tue, Jan 09, 2018 at 07:39:50PM +0100, Dmitry Vyukov wrote:
> Hello,
>
> syzkaller has hit the following memory leak on 4.15-rc7:
>
> unreferenced object 0xffff88002713fb20 (size 16):
> comm "syz-executor3", pid 6576, jiffies 4295029354 (age 10.166s)
> hex dump (first 16 bytes):
> 69 6e 73 6d 6f 64 5f 74 00 00 d9 1c 00 88 ff ff insmod_t........
> backtrace:
> [<00000000da8d6b27>] kmemleak_alloc_recursive
> include/linux/kmemleak.h:55 [inline]
> [<00000000da8d6b27>] slab_post_alloc_hook mm/slab.h:440 [inline]
> [<00000000da8d6b27>] slab_alloc_node mm/slub.c:2725 [inline]
> [<00000000da8d6b27>] slab_alloc mm/slub.c:2733 [inline]
> [<00000000da8d6b27>] __kmalloc_track_caller+0x183/0x310 mm/slub.c:4290
> [<000000001aa62b7a>] kstrdup+0x39/0x70 mm/util.c:56
> [<00000000fa6a957e>] security_netlbl_sid_to_secattr+0xbc/0x1a0
> security/selinux/ss/services.c:3522
> [<0000000054674134>] selinux_netlbl_sock_genattr+0xef/0x410
> security/selinux/netlabel.c:94
> [<000000002338a05c>] selinux_netlbl_socket_post_create+0x79/0x160
> security/selinux/netlabel.c:341
> [<0000000059825908>] selinux_socket_post_create+0x37f/0xa60
> security/selinux/hooks.c:4399
> [<00000000fff6c966>] security_socket_post_create+0x8b/0xd0
> security/security.c:1344
> [<000000005786c830>] __sock_create+0x758/0x920 net/socket.c:1281
> [<00000000e7afba0a>] sock_create net/socket.c:1305 [inline]
> [<00000000e7afba0a>] SYSC_socket net/socket.c:1335 [inline]
> [<00000000e7afba0a>] SyS_socket+0x102/0x1f0 net/socket.c:1315
> [<000000007df77eb7>] entry_SYSCALL_64_fastpath+0x23/0x9a
> [<00000000921bbbd9>] 0xffffffffffffffff
>
> unreferenced object 0xffff88007c3bba80 (size 992):
> comm "syz-executor3", pid 6576, jiffies 4295029368 (age 10.153s)
> hex dump (first 32 bytes):
> 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
> 40 2e 5a 2c 00 88 ff ff 00 00 00 00 00 00 00 00 @.Z,............
> backtrace:
> [<00000000ff3d837a>] kmemleak_alloc_recursive
> include/linux/kmemleak.h:55 [inline]
> [<00000000ff3d837a>] slab_post_alloc_hook mm/slab.h:440 [inline]
> [<00000000ff3d837a>] slab_alloc_node mm/slub.c:2725 [inline]
> [<00000000ff3d837a>] slab_alloc mm/slub.c:2733 [inline]
> [<00000000ff3d837a>] kmem_cache_alloc+0x110/0x280 mm/slub.c:2738
> [<00000000d243ce94>] sock_alloc_inode+0x70/0x300 net/socket.c:250
> [<000000005a0b3852>] alloc_inode+0x65/0x190 fs/inode.c:208
> [<000000004af29540>] new_inode_pseudo+0x69/0x1a0 fs/inode.c:890
> [<0000000074cb6753>] sock_alloc+0x41/0x280 net/socket.c:569
> [<00000000cc5c2e64>] __sock_create+0x161/0x920 net/socket.c:1229
> [<00000000e7afba0a>] sock_create net/socket.c:1305 [inline]
> [<00000000e7afba0a>] SYSC_socket net/socket.c:1335 [inline]
> [<00000000e7afba0a>] SyS_socket+0x102/0x1f0 net/socket.c:1315
> [<000000007df77eb7>] entry_SYSCALL_64_fastpath+0x23/0x9a
> [<00000000921bbbd9>] 0xffffffffffffffff
>
> unreferenced object 0xffff88002c5a2e40 (size 128):
> comm "syz-executor3", pid 6576, jiffies 4295029368 (age 10.153s)
> hex dump (first 32 bytes):
> 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........
> ff ff ff ff ff ff ff ff c0 da db 88 ff ff ff ff ................
> backtrace:
> [<00000000696a590c>] kmemleak_alloc_recursive
> include/linux/kmemleak.h:55 [inline]
> [<00000000696a590c>] slab_post_alloc_hook mm/slab.h:440 [inline]
> [<00000000696a590c>] slab_alloc_node mm/slub.c:2725 [inline]
> [<00000000696a590c>] slab_alloc mm/slub.c:2733 [inline]
> [<00000000696a590c>] kmem_cache_alloc_trace+0x126/0x290 mm/slub.c:2750
> [<00000000551c8f10>] kmalloc include/linux/slab.h:499 [inline]
> [<00000000551c8f10>] sock_alloc_inode+0xb4/0x300 net/socket.c:253
> [<000000005a0b3852>] alloc_inode+0x65/0x190 fs/inode.c:208
> [<000000004af29540>] new_inode_pseudo+0x69/0x1a0 fs/inode.c:890
> [<0000000074cb6753>] sock_alloc+0x41/0x280 net/socket.c:569
> [<00000000cc5c2e64>] __sock_create+0x161/0x920 net/socket.c:1229
> [<00000000e7afba0a>] sock_create net/socket.c:1305 [inline]
> [<00000000e7afba0a>] SYSC_socket net/socket.c:1335 [inline]
> [<00000000e7afba0a>] SyS_socket+0x102/0x1f0 net/socket.c:1315
> [<000000007df77eb7>] entry_SYSCALL_64_fastpath+0x23/0x9a
> [<00000000921bbbd9>] 0xffffffffffffffff
>
> unreferenced object 0xffff88007310f680 (size 96):
> comm "syz-executor3", pid 6576, jiffies 4295029368 (age 10.153s)
> hex dump (first 32 bytes):
> b0 ba 3b 7c 00 88 ff ff 88 f6 10 73 00 88 ff ff ..;|.......s....
> 88 f6 10 73 00 88 ff ff dd 00 00 00 dd 00 00 00 ...s............
> backtrace:
> [<00000000ff3d837a>] kmemleak_alloc_recursive
> include/linux/kmemleak.h:55 [inline]
> [<00000000ff3d837a>] slab_post_alloc_hook mm/slab.h:440 [inline]
> [<00000000ff3d837a>] slab_alloc_node mm/slub.c:2725 [inline]
> [<00000000ff3d837a>] slab_alloc mm/slub.c:2733 [inline]
> [<00000000ff3d837a>] kmem_cache_alloc+0x110/0x280 mm/slub.c:2738
> [<00000000094ffa79>] kmem_cache_zalloc include/linux/slab.h:678 [inline]
> [<00000000094ffa79>] inode_alloc_security
> security/selinux/hooks.c:234 [inline]
> [<00000000094ffa79>] selinux_inode_alloc_security+0xf9/0x390
> security/selinux/hooks.c:2885
> [<0000000082b97b6d>] security_inode_alloc+0x92/0xe0 security/security.c:437
> [<000000009683bb60>] inode_init_always+0x64f/0xca0 fs/inode.c:167
> [<00000000a71f5b21>] alloc_inode+0x82/0x190 fs/inode.c:215
> [<000000004af29540>] new_inode_pseudo+0x69/0x1a0 fs/inode.c:890
> [<0000000074cb6753>] sock_alloc+0x41/0x280 net/socket.c:569
> [<00000000cc5c2e64>] __sock_create+0x161/0x920 net/socket.c:1229
> [<00000000e7afba0a>] sock_create net/socket.c:1305 [inline]
> [<00000000e7afba0a>] SYSC_socket net/socket.c:1335 [inline]
> [<00000000e7afba0a>] SyS_socket+0x102/0x1f0 net/socket.c:1315
> [<000000007df77eb7>] entry_SYSCALL_64_fastpath+0x23/0x9a
> [<00000000921bbbd9>] 0xffffffffffffffff
>
> unreferenced object 0xffff88007127bf00 (size 2528):
> comm "syz-executor3", pid 6576, jiffies 4295029368 (age 10.153s)
> hex dump (first 32 bytes):
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 02 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 ...@............
> backtrace:
> [<00000000ff3d837a>] kmemleak_alloc_recursive
> include/linux/kmemleak.h:55 [inline]
> [<00000000ff3d837a>] slab_post_alloc_hook mm/slab.h:440 [inline]
> [<00000000ff3d837a>] slab_alloc_node mm/slub.c:2725 [inline]
> [<00000000ff3d837a>] slab_alloc mm/slub.c:2733 [inline]
> [<00000000ff3d837a>] kmem_cache_alloc+0x110/0x280 mm/slub.c:2738
> [<0000000021d2cae7>] sk_prot_alloc+0x69/0x2f0 net/core/sock.c:1463
> [<0000000088be91b8>] sk_alloc+0x109/0x1740 net/core/sock.c:1523
> [<00000000bbd7f0e5>] inet_create+0x4f8/0x10a0 net/ipv4/af_inet.c:319
> [<00000000c0aa842f>] __sock_create+0x521/0x920 net/socket.c:1265
> [<00000000e7afba0a>] sock_create net/socket.c:1305 [inline]
> [<00000000e7afba0a>] SYSC_socket net/socket.c:1335 [inline]
> [<00000000e7afba0a>] SyS_socket+0x102/0x1f0 net/socket.c:1315
> [<000000007df77eb7>] entry_SYSCALL_64_fastpath+0x23/0x9a
> [<00000000921bbbd9>] 0xffffffffffffffff
>
>
>
> Reproducer:
>
> // autogenerated by syzkaller (http://github.com/google/syzkaller)
> #include <sys/time.h>
> #include <sys/resource.h>
> #include <sys/types.h>
> #include <sys/socket.h>
> #include <sys/socket.h>
> #include <netinet/in.h>
> #include <arpa/inet.h>
>
> int main()
> {
> struct rlimit rlim;
> rlim.rlim_cur = 0;
> rlim.rlim_max = 0;
> setrlimit(RLIMIT_NOFILE, &rlim);
> socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
> return 0;
> }
Argh... Got broken by "make sock_alloc_file() do sock_release() on failures" -
cleanup after sock_map_fd() failure got pulled all the way into sock_alloc_file(),
but it used to serve the case when sock_map_fd() failed *before* getting to
sock_alloc_file().
Fixes: commit 8e1611e23579 (make sock_alloc_file() do sock_release() on failures)
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
diff --git a/net/socket.c b/net/socket.c
index bbd2e9ceb692..1536515b6437 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -430,8 +430,10 @@ static int sock_map_fd(struct socket *sock, int flags)
{
struct file *newfile;
int fd = get_unused_fd_flags(flags);
- if (unlikely(fd < 0))
+ if (unlikely(fd < 0)) {
+ sock_release(sock);
return fd;
+ }
newfile = sock_alloc_file(sock, flags, NULL);
if (likely(!IS_ERR(newfile))) {
next prev parent reply other threads:[~2018-01-09 18:53 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-09 18:39 net: memory leak in socket Dmitry Vyukov
2018-01-09 18:53 ` Al Viro [this message]
2018-01-09 18:58 ` Dmitry Vyukov
2018-01-09 20:53 ` Al Viro
2018-01-10 9:30 ` Sergei Shtylyov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180109185351.GE13338@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=davem@davemloft.net \
--cc=dvyukov@google.com \
--cc=edumazet@google.com \
--cc=kuznet@ms2.inr.ac.ru \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
--cc=willemb@google.com \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).