lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <f6595321-fc08-6c5a-c39c-dc3a2fbb83ed@kernel.dk>
Date:   Tue, 11 Aug 2020 09:49:28 -0600
From:   Jens Axboe <axboe@...nel.dk>
To:     syzbot <syzbot+a730016dc0bdce4f6ff5@...kaller.appspotmail.com>,
        io-uring@...r.kernel.org, linux-fsdevel@...r.kernel.org,
        linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com,
        viro@...iv.linux.org.uk
Subject: Re: memory leak in io_submit_sqes

On 8/11/20 9:23 AM, Jens Axboe wrote:
> On 8/11/20 8:59 AM, Jens Axboe wrote:
>> On 8/11/20 7:57 AM, syzbot wrote:
>>> Hello,
>>>
>>> syzbot found the following issue on:
>>>
>>> HEAD commit:    d6efb3ac Merge tag 'tty-5.9-rc1' of git://git.kernel.org/p..
>>> git tree:       upstream
>>> console output: https://syzkaller.appspot.com/x/log.txt?x=13cb0762900000
>>> kernel config:  https://syzkaller.appspot.com/x/.config?x=42163327839348a9
>>> dashboard link: https://syzkaller.appspot.com/bug?extid=a730016dc0bdce4f6ff5
>>> compiler:       gcc (GCC) 10.1.0-syz 20200507
>>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16e877dc900000
>>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1608291a900000
>>>
>>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>>> Reported-by: syzbot+a730016dc0bdce4f6ff5@...kaller.appspotmail.com
>>>
>>> executing program
>>> executing program
>>> executing program
>>> executing program
>>> executing program
>>> BUG: memory leak
>>> unreferenced object 0xffff888124949100 (size 256):
>>>   comm "syz-executor808", pid 6480, jiffies 4294949911 (age 33.960s)
>>>   hex dump (first 32 bytes):
>>>     00 78 74 2a 81 88 ff ff 00 00 00 00 00 00 00 00  .xt*............
>>>     90 b0 51 81 ff ff ff ff 00 00 00 00 00 00 00 00  ..Q.............
>>>   backtrace:
>>>     [<0000000084e46f34>] io_alloc_req fs/io_uring.c:1503 [inline]
>>>     [<0000000084e46f34>] io_submit_sqes+0x5dc/0xc00 fs/io_uring.c:6306
>>>     [<000000006d4e19eb>] __do_sys_io_uring_enter+0x582/0x830 fs/io_uring.c:8036
>>>     [<00000000a4116b07>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
>>>     [<0000000067b2aefc>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>>>
>>> BUG: memory leak
>>> unreferenced object 0xffff88811751d200 (size 96):
>>>   comm "syz-executor808", pid 6480, jiffies 4294949911 (age 33.960s)
>>>   hex dump (first 32 bytes):
>>>     00 78 74 2a 81 88 ff ff 00 00 00 00 00 00 00 00  .xt*............
>>>     0e 01 00 00 00 00 75 22 00 00 00 00 00 0f 1f 04  ......u"........
>>>   backtrace:
>>>     [<00000000073ea2ba>] kmalloc include/linux/slab.h:555 [inline]
>>>     [<00000000073ea2ba>] io_arm_poll_handler fs/io_uring.c:4773 [inline]
>>>     [<00000000073ea2ba>] __io_queue_sqe+0x445/0x6b0 fs/io_uring.c:5988
>>>     [<000000001551bde0>] io_queue_sqe+0x309/0x550 fs/io_uring.c:6060
>>>     [<000000002dfb908f>] io_submit_sqe fs/io_uring.c:6130 [inline]
>>>     [<000000002dfb908f>] io_submit_sqes+0x8b8/0xc00 fs/io_uring.c:6327
>>>     [<000000006d4e19eb>] __do_sys_io_uring_enter+0x582/0x830 fs/io_uring.c:8036
>>>     [<00000000a4116b07>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
>>>     [<0000000067b2aefc>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>>
>> This one looks very odd, and I cannot reproduce it. The socket() calls
>> reliably fails for me, and even if I hack it to use 0 for protocol instead
>> of 2, I don't see anything interesting happening here. An IORING_OP_WRITEV
>> is submitted on the socket, which just fails with ENOTCONN.
> 
> Dug a bit deeper and found the missing option, I can now reproduce this!
> I'll take a look.

This should fix it.

diff --git a/fs/io_uring.c b/fs/io_uring.c
index 99582cf5106b..8a2afd8c33c9 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -4883,7 +4883,7 @@ static bool io_arm_poll_handler(struct io_kiocb *req)
 
 	ret = __io_arm_poll_handler(req, &apoll->poll, &ipt, mask,
 					io_async_wake);
-	if (ret) {
+	if (ret || ipt.error) {
 		io_poll_remove_double(req, apoll->double_poll);
 		spin_unlock_irq(&ctx->completion_lock);
 		kfree(apoll->double_poll);

-- 
Jens Axboe

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ