[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <f6595321-fc08-6c5a-c39c-dc3a2fbb83ed@kernel.dk>
Date: Tue, 11 Aug 2020 09:49:28 -0600
From: Jens Axboe <axboe@...nel.dk>
To: syzbot <syzbot+a730016dc0bdce4f6ff5@...kaller.appspotmail.com>,
io-uring@...r.kernel.org, linux-fsdevel@...r.kernel.org,
linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com,
viro@...iv.linux.org.uk
Subject: Re: memory leak in io_submit_sqes
On 8/11/20 9:23 AM, Jens Axboe wrote:
> On 8/11/20 8:59 AM, Jens Axboe wrote:
>> On 8/11/20 7:57 AM, syzbot wrote:
>>> Hello,
>>>
>>> syzbot found the following issue on:
>>>
>>> HEAD commit: d6efb3ac Merge tag 'tty-5.9-rc1' of git://git.kernel.org/p..
>>> git tree: upstream
>>> console output: https://syzkaller.appspot.com/x/log.txt?x=13cb0762900000
>>> kernel config: https://syzkaller.appspot.com/x/.config?x=42163327839348a9
>>> dashboard link: https://syzkaller.appspot.com/bug?extid=a730016dc0bdce4f6ff5
>>> compiler: gcc (GCC) 10.1.0-syz 20200507
>>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16e877dc900000
>>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1608291a900000
>>>
>>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>>> Reported-by: syzbot+a730016dc0bdce4f6ff5@...kaller.appspotmail.com
>>>
>>> executing program
>>> executing program
>>> executing program
>>> executing program
>>> executing program
>>> BUG: memory leak
>>> unreferenced object 0xffff888124949100 (size 256):
>>> comm "syz-executor808", pid 6480, jiffies 4294949911 (age 33.960s)
>>> hex dump (first 32 bytes):
>>> 00 78 74 2a 81 88 ff ff 00 00 00 00 00 00 00 00 .xt*............
>>> 90 b0 51 81 ff ff ff ff 00 00 00 00 00 00 00 00 ..Q.............
>>> backtrace:
>>> [<0000000084e46f34>] io_alloc_req fs/io_uring.c:1503 [inline]
>>> [<0000000084e46f34>] io_submit_sqes+0x5dc/0xc00 fs/io_uring.c:6306
>>> [<000000006d4e19eb>] __do_sys_io_uring_enter+0x582/0x830 fs/io_uring.c:8036
>>> [<00000000a4116b07>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
>>> [<0000000067b2aefc>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>>>
>>> BUG: memory leak
>>> unreferenced object 0xffff88811751d200 (size 96):
>>> comm "syz-executor808", pid 6480, jiffies 4294949911 (age 33.960s)
>>> hex dump (first 32 bytes):
>>> 00 78 74 2a 81 88 ff ff 00 00 00 00 00 00 00 00 .xt*............
>>> 0e 01 00 00 00 00 75 22 00 00 00 00 00 0f 1f 04 ......u"........
>>> backtrace:
>>> [<00000000073ea2ba>] kmalloc include/linux/slab.h:555 [inline]
>>> [<00000000073ea2ba>] io_arm_poll_handler fs/io_uring.c:4773 [inline]
>>> [<00000000073ea2ba>] __io_queue_sqe+0x445/0x6b0 fs/io_uring.c:5988
>>> [<000000001551bde0>] io_queue_sqe+0x309/0x550 fs/io_uring.c:6060
>>> [<000000002dfb908f>] io_submit_sqe fs/io_uring.c:6130 [inline]
>>> [<000000002dfb908f>] io_submit_sqes+0x8b8/0xc00 fs/io_uring.c:6327
>>> [<000000006d4e19eb>] __do_sys_io_uring_enter+0x582/0x830 fs/io_uring.c:8036
>>> [<00000000a4116b07>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
>>> [<0000000067b2aefc>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>>
>> This one looks very odd, and I cannot reproduce it. The socket() calls
>> reliably fails for me, and even if I hack it to use 0 for protocol instead
>> of 2, I don't see anything interesting happening here. An IORING_OP_WRITEV
>> is submitted on the socket, which just fails with ENOTCONN.
>
> Dug a bit deeper and found the missing option, I can now reproduce this!
> I'll take a look.
This should fix it.
diff --git a/fs/io_uring.c b/fs/io_uring.c
index 99582cf5106b..8a2afd8c33c9 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -4883,7 +4883,7 @@ static bool io_arm_poll_handler(struct io_kiocb *req)
ret = __io_arm_poll_handler(req, &apoll->poll, &ipt, mask,
io_async_wake);
- if (ret) {
+ if (ret || ipt.error) {
io_poll_remove_double(req, apoll->double_poll);
spin_unlock_irq(&ctx->completion_lock);
kfree(apoll->double_poll);
--
Jens Axboe
Powered by blists - more mailing lists