| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 28 May 2019 08:22:57 +0200
From: Michal Hocko <mhocko@...nel.org>
To: Shakeel Butt <shakeelb@...gle.com>
Cc: Kirill Tkhai <ktkhai@...tuozzo.com>,
Vladimir Davydov <vdavydov.dev@...il.com>,
Andrew Morton <akpm@...ux-foundation.org>, linux-mm@...ck.org,
linux-kernel@...r.kernel.org,
syzbot+f90a420dfe2b1b03cb2c@...kaller.appspotmail.com
Subject: Re: [PATCH] list_lru: fix memory leak in __memcg_init_list_lru_node
On Mon 27-05-19 21:32:02, Shakeel Butt wrote:
> Syzbot reported following memory leak:
>
> ffffffffda RBX: 0000000000000003 RCX: 0000000000441f79
> BUG: memory leak
> unreferenced object 0xffff888114f26040 (size 32):
> comm "syz-executor626", pid 7056, jiffies 4294948701 (age 39.410s)
> hex dump (first 32 bytes):
> 40 60 f2 14 81 88 ff ff 40 60 f2 14 81 88 ff ff @`......@.......
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> backtrace:
> [<0000000018f36b56>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
> [<0000000018f36b56>] slab_post_alloc_hook mm/slab.h:439 [inline]
> [<0000000018f36b56>] slab_alloc mm/slab.c:3326 [inline]
> [<0000000018f36b56>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
> [<0000000055b9a1a5>] kmalloc include/linux/slab.h:547 [inline]
> [<0000000055b9a1a5>] __memcg_init_list_lru_node+0x58/0xf0 mm/list_lru.c:352
> [<000000001356631d>] memcg_init_list_lru_node mm/list_lru.c:375 [inline]
> [<000000001356631d>] memcg_init_list_lru mm/list_lru.c:459 [inline]
> [<000000001356631d>] __list_lru_init+0x193/0x2a0 mm/list_lru.c:626
> [<00000000ce062da3>] alloc_super+0x2e0/0x310 fs/super.c:269
> [<000000009023adcf>] sget_userns+0x94/0x2a0 fs/super.c:609
> [<0000000052182cd8>] sget+0x8d/0xb0 fs/super.c:660
> [<0000000006c24238>] mount_nodev+0x31/0xb0 fs/super.c:1387
> [<0000000006016a76>] fuse_mount+0x2d/0x40 fs/fuse/inode.c:1236
> [<000000009a61ec1d>] legacy_get_tree+0x27/0x80 fs/fs_context.c:661
> [<0000000096cd9ef8>] vfs_get_tree+0x2e/0x120 fs/super.c:1476
> [<000000005b8f472d>] do_new_mount fs/namespace.c:2790 [inline]
> [<000000005b8f472d>] do_mount+0x932/0xc50 fs/namespace.c:3110
> [<00000000afb009b4>] ksys_mount+0xab/0x120 fs/namespace.c:3319
> [<0000000018f8c8ee>] __do_sys_mount fs/namespace.c:3333 [inline]
> [<0000000018f8c8ee>] __se_sys_mount fs/namespace.c:3330 [inline]
> [<0000000018f8c8ee>] __x64_sys_mount+0x26/0x30 fs/namespace.c:3330
> [<00000000f42066da>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
> [<0000000043d74ca0>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> This is a simple off by one bug on the error path.
I suspect fault injection has been used here because the object is tiny
to fail the allocation but definitely worth fixing. Thanks!
> Reported-by: syzbot+f90a420dfe2b1b03cb2c@...kaller.appspotmail.com
> Signed-off-by: Shakeel Butt <shakeelb@...gle.com>
Acked-by: Michal Hocko <mhocko@...e.com>
> ---
> mm/list_lru.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/mm/list_lru.c b/mm/list_lru.c
> index 0bdf3152735e..92870be4a322 100644
> --- a/mm/list_lru.c
> +++ b/mm/list_lru.c
> @@ -358,7 +358,7 @@ static int __memcg_init_list_lru_node(struct list_lru_memcg *memcg_lrus,
> }
> return 0;
> fail:
> - __memcg_destroy_list_lru_node(memcg_lrus, begin, i - 1);
> + __memcg_destroy_list_lru_node(memcg_lrus, begin, i);
> return -ENOMEM;
> }
>
> --
> 2.22.0.rc1.257.g3120a18244-goog
>
--
Michal Hocko
SUSE Labs
Powered by blists - more mailing lists