lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20211018132319.45350-1-bernard@vivo.com>
Date:   Mon, 18 Oct 2021 06:23:15 -0700
From:   Bernard Zhao <bernard@...o.com>
To:     "Theodore Ts'o" <tytso@....edu>,
        Andreas Dilger <adilger.kernel@...ger.ca>,
        linux-ext4@...r.kernel.org, linux-kernel@...r.kernel.org
Cc:     Bernard Zhao <bernard@...o.com>
Subject: [PATCH] fs/ext4:bug fix of memory leak in ext4_mb_pa_alloc

This patch try to fix bug reported by syzkaller:
BUG: memory leak
unreferenced object 0xffff888112a84a28 (size 104):
  comm "kworker/u4:3", pid 948, jiffies 4294943272 (age 473.370s)
  hex dump (first 32 bytes):
    c0 53 8a 12 81 88 ff ff 22 01 00 00 00 00 ad de  .S......".......
    00 01 00 00 00 00 ad de 22 01 00 00 00 00 ad de  ........".......
  backtrace:
    [<ffffffff817773cb>] kmem_cache_zalloc include/linux/slab.h:711 [inline]
    [<ffffffff817773cb>] ext4_mb_pa_alloc fs/ext4/mballoc.c:5046 [inline]
    [<ffffffff817773cb>] ext4_mb_new_blocks+0xd5b/0x18b0 fs/ext4/mballoc.c:5581
    [<ffffffff81731d2d>] ext4_ext_map_blocks+0xdfd/0x2940 fs/ext4/extents.c:4250
    [<ffffffff81754a03>] ext4_map_blocks+0x333/0xb10 fs/ext4/inode.c:637
    [<ffffffff8175c22b>] mpage_map_one_extent fs/ext4/inode.c:2393 [inline]
    [<ffffffff8175c22b>] mpage_map_and_submit_extent fs/ext4/inode.c:2446 [inline]
    [<ffffffff8175c22b>] ext4_writepages+0xc8b/0x19c0 fs/ext4/inode.c:2798
    [<ffffffff8145d19a>] do_writepages+0xfa/0x2a0 mm/page-writeback.c:2364
    [<ffffffff815cbdbe>] __writeback_single_inode+0x6e/0x520 fs/fs-writeback.c:1616
    [<ffffffff815cc924>] writeback_sb_inodes+0x2d4/0x710 fs/fs-writeback.c:1881
    [<ffffffff815ccdbb>] __writeback_inodes_wb+0x5b/0x150 fs/fs-writeback.c:1950
    [<ffffffff815cd2af>] wb_writeback+0x3ff/0x470 fs/fs-writeback.c:2055
    [<ffffffff815ced0a>] wb_check_old_data_flush fs/fs-writeback.c:2155 [inline]
    [<ffffffff815ced0a>] wb_do_writeback fs/fs-writeback.c:2208 [inline]
    [<ffffffff815ced0a>] wb_workfn+0x3fa/0x760 fs/fs-writeback.c:2237
    [<ffffffff81265d0f>] process_one_work+0x2cf/0x620 kernel/workqueue.c:2297
    [<ffffffff81266619>] worker_thread+0x59/0x5d0 kernel/workqueue.c:2444
    [<ffffffff8126fb18>] kthread+0x188/0x1d0 kernel/kthread.c:319
    [<ffffffff810022cf>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

BUG: memory leak
unreferenced object 0xffff888112a84a90 (size 104):
  comm "kworker/u4:3", pid 948, jiffies 4294943272 (age 473.370s)
  hex dump (first 32 bytes):
    98 98 8a 12 81 88 ff ff 22 01 00 00 00 00 ad de  ........".......
    00 01 00 00 00 00 ad de 22 01 00 00 00 00 ad de  ........".......
  backtrace:
    [<ffffffff817773cb>] kmem_cache_zalloc include/linux/slab.h:711 [inline]
    [<ffffffff817773cb>] ext4_mb_pa_alloc fs/ext4/mballoc.c:5046 [inline]
    [<ffffffff817773cb>] ext4_mb_new_blocks+0xd5b/0x18b0 fs/ext4/mballoc.c:5581
    [<ffffffff81731d2d>] ext4_ext_map_blocks+0xdfd/0x2940 fs/ext4/extents.c:4250
    [<ffffffff81754a03>] ext4_map_blocks+0x333/0xb10 fs/ext4/inode.c:637
    [<ffffffff8175c22b>] mpage_map_one_extent fs/ext4/inode.c:2393 [inline]
    [<ffffffff8175c22b>] mpage_map_and_submit_extent fs/ext4/inode.c:2446 [inline]
    [<ffffffff8175c22b>] ext4_writepages+0xc8b/0x19c0 fs/ext4/inode.c:2798
    [<ffffffff8145d19a>] do_writepages+0xfa/0x2a0 mm/page-writeback.c:2364
    [<ffffffff815cbdbe>] __writeback_single_inode+0x6e/0x520 fs/fs-writeback.c:1616
    [<ffffffff815cc924>] writeback_sb_inodes+0x2d4/0x710 fs/fs-writeback.c:1881
    [<ffffffff815ccdbb>] __writeback_inodes_wb+0x5b/0x150 fs/fs-writeback.c:1950
    [<ffffffff815cd2af>] wb_writeback+0x3ff/0x470 fs/fs-writeback.c:2055
    [<ffffffff815ced0a>] wb_check_old_data_flush fs/fs-writeback.c:2155 [inline]
    [<ffffffff815ced0a>] wb_do_writeback fs/fs-writeback.c:2208 [inline]
    [<ffffffff815ced0a>] wb_workfn+0x3fa/0x760 fs/fs-writeback.c:2237
    [<ffffffff81265d0f>] process_one_work+0x2cf/0x620 kernel/workqueue.c:2297
    [<ffffffff81266619>] worker_thread+0x59/0x5d0 kernel/workqueue.c:2444
    [<ffffffff8126fb18>] kthread+0x188/0x1d0 kernel/kthread.c:319
    [<ffffffff810022cf>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

The full link:
https://syzkaller.appspot.com/bug?id=6b3fa085566c7c8c64e32a6747c0a2b2c039e364

Signed-off-by: Bernard Zhao <bernard@...o.com>
---
 fs/ext4/mballoc.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index 72bfac2d6dce..e767aacebdf0 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -5439,6 +5439,7 @@ static int ext4_mb_release_context(struct ext4_allocation_context *ac)
 		}
 
 		ext4_mb_put_pa(ac, ac->ac_sb, pa);
+		ext4_mb_pa_free(ac);
 	}
 	if (ac->ac_bitmap_page)
 		put_page(ac->ac_bitmap_page);
-- 
2.31.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ