lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 14 Sep 2021 11:13:32 +0800
From:   "Xu, Yanfei" <yanfei.xu@...driver.com>
To:     syzbot <syzbot+01321b15cc98e6bf96d6@...kaller.appspotmail.com>,
        axboe@...nel.dk, cgroups@...r.kernel.org,
        linux-block@...r.kernel.org, linux-kernel@...r.kernel.org,
        syzkaller-bugs@...glegroups.com, tj@...nel.org
Subject: Re: [syzbot] memory leak in blk_iolatency_init



On 9/14/21 7:28 AM, syzbot wrote:
> [Please note: This e-mail is from an EXTERNAL e-mail address]
> 
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    a3fa7a101dcf Merge branches 'akpm' and 'akpm-hotfixes' (pa..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=12b4a5b3300000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=9ee3a4c022ccbbca
> dashboard link: https://syzkaller.appspot.com/bug?extid=01321b15cc98e6bf96d6
> compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=148c170b300000
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+01321b15cc98e6bf96d6@...kaller.appspotmail.com
> 
> 2021/09/09 22:14:31 executed programs: 444
> BUG: memory leak
> unreferenced object 0xffff888129acdb80 (size 96):
>    comm "syz-executor.1", pid 12661, jiffies 4294962682 (age 15.220s)
>    hex dump (first 32 bytes):
>      20 47 c9 85 ff ff ff ff 20 d4 8e 29 81 88 ff ff   G...... ..)....
>      01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>    backtrace:
>      [<ffffffff82264ec8>] kmalloc include/linux/slab.h:591 [inline]
>      [<ffffffff82264ec8>] kzalloc include/linux/slab.h:721 [inline]
>      [<ffffffff82264ec8>] blk_iolatency_init+0x28/0x190 block/blk-iolatency.c:724
>      [<ffffffff8225b8c4>] blkcg_init_queue+0xb4/0x1c0 block/blk-cgroup.c:1185
>      [<ffffffff822253da>] blk_alloc_queue+0x22a/0x2e0 block/blk-core.c:566
>      [<ffffffff8223b175>] blk_mq_init_queue_data block/blk-mq.c:3100 [inline]
>      [<ffffffff8223b175>] __blk_mq_alloc_disk+0x25/0xd0 block/blk-mq.c:3124
>      [<ffffffff826a9303>] loop_add+0x1c3/0x360 drivers/block/loop.c:2344
>      [<ffffffff826a966e>] loop_control_get_free drivers/block/loop.c:2501 [inline]
>      [<ffffffff826a966e>] loop_control_ioctl+0x17e/0x2e0 drivers/block/loop.c:2516
>      [<ffffffff81597eec>] vfs_ioctl fs/ioctl.c:51 [inline]
>      [<ffffffff81597eec>] __do_sys_ioctl fs/ioctl.c:874 [inline]
>      [<ffffffff81597eec>] __se_sys_ioctl fs/ioctl.c:860 [inline]
>      [<ffffffff81597eec>] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:860
>      [<ffffffff843fa745>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>      [<ffffffff843fa745>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
>      [<ffffffff84600068>] entry_SYSCALL_64_after_hwframe+0x44/0xae
> 
> 

Hi Jens,

How about this fix?

    Once blk_throtl_init() queue init failed, blkcg_iolatency_exit() will
     not be invoked for cleanup. That leads a memory leak. Swap the
     blk_throtl_init() and blk_iolatency_init() calls can solve this.

     Reported-by: syzbot+01321b15cc98e6bf96d6@...kaller.appspotmail.com
     Fixes: 19688d7f9592 (block/blk-cgroup: Swap the blk_throtl_init() 
and blk_iolatency_init() calls)
     Signed-off-by: Yanfei Xu <yanfei.xu@...driver.com>

diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
index 3c88a79a319b..1ded4181a6de 100644
--- a/block/blk-cgroup.c
+++ b/block/blk-cgroup.c
@@ -1182,10 +1182,6 @@ int blkcg_init_queue(struct request_queue *q)
         if (preloaded)
                 radix_tree_preload_end();

-       ret = blk_iolatency_init(q);
-       if (ret)
-               goto err_destroy_all;
-
         ret = blk_ioprio_init(q);
         if (ret)
                 goto err_destroy_all;
@@ -1194,6 +1190,12 @@ int blkcg_init_queue(struct request_queue *q)
         if (ret)
                 goto err_destroy_all;

+       ret = blk_iolatency_init(q);
+       if (ret) {
+               blk_throtl_exit(q);
+               goto err_destroy_all;
+       }
+
         return 0;



> 
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@...glegroups.com.
> 
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> syzbot can test patches for this issue, for details see:
> https://goo.gl/tpsmEJ#testing-patches
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ