From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Date: Mon, 1 Aug 2016 11:57:50 -0700 From: Davidlohr Bueso To: Fabian Frederick Cc: Davidlohr Bueso , Manfred Spraul , stable@vger.kernel.org, linux-kernel@vger.kernel.org, Andrew Morton Subject: Re: [PATCH V2 linux-next] ipc/msg.c: fix memory leak in do_msgsnd() Message-ID: <20160801185750.GC31421@linux-80c1.suse> References: <1470051658-11821-1-git-send-email-fabf@skynet.be> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Disposition: inline In-Reply-To: <1470051658-11821-1-git-send-email-fabf@skynet.be> Sender: linux-kernel-owner@vger.kernel.org List-ID: On Mon, 01 Aug 2016, Fabian Frederick wrote: >Commit 53dad6d3a8e5 >("ipc: fix race with LSMs") updated ipc_rcu_putref() to receive >rcu freeing function but used generic ipc_rcu_free() instead >of msg_rcu_free() which does security cleaning. > >Running LTP msgsnd06 with kmemleak gives the following: > >cat /sys/kernel/debug/kmemleak > >unreferenced object 0xffff88003c0a11f8 (size 8): > comm "msgsnd06", pid 1645, jiffies 4294672526 (age 6.549s) > hex dump (first 8 bytes): > 1b 00 00 00 01 00 00 00 ........ > backtrace: > [] kmemleak_alloc+0x23/0x40 > [] kmem_cache_alloc_trace+0xe1/0x180 > [] selinux_msg_queue_alloc_security+0x3f/0xd0 > [] security_msg_queue_alloc+0x2e/0x40 > [] newque+0x4e/0x150 > [] ipcget+0x159/0x1b0 > [] SyS_msgget+0x39/0x40 > [] entry_SYSCALL_64_fastpath+0x13/0x8f > [] 0xffffffffffffffff > >Signed-off-by: Fabian Frederick >--- >V2: Update description with original commit and cc stable >(Suggested by Manfred Spraul) Ideally we would have the fix for sem.c in the same patch, under, ie: "sysv, ipc: fix security-layer leaking" Just like with shm and msg, the only caller of ipc_rcu_free() should be a failed security allocation in newary(). Thanks, Davidlohr