lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Thu, 30 Mar 2023 15:56:18 -0400
From:   Mathieu Desnoyers <mathieu.desnoyers@...icios.com>
To:     Andrew Morton <akpm@...ux-foundation.org>
Cc:     linux-kernel@...r.kernel.org, Shakeel Butt <shakeelb@...gle.com>,
        Marek Szyprowski <m.szyprowski@...sung.com>,
        linux-mm@...ck.org, stable@...r.kernel.org
Subject: Re: [PATCH 1/1] mm: Fix memory leak on mm_init error handling

On 2023-03-30 15:42, Andrew Morton wrote:
> On Thu, 30 Mar 2023 09:38:22 -0400 Mathieu Desnoyers <mathieu.desnoyers@...icios.com> wrote:
> 
>> commit f1a7941243c1 ("mm: convert mm's rss stats into percpu_counter")
>> introduces a memory leak by missing a call to destroy_context() when a
>> percpu_counter fails to allocate.
>>
>> Before introducing the per-cpu counter allocations, init_new_context()
>> was the last call that could fail in mm_init(), and thus there was no
>> need to ever invoke destroy_context() in the error paths. Adding the
>> following percpu counter allocations adds error paths after
>> init_new_context(), which means its associated destroy_context() needs
>> to be called when percpu counters fail to allocate.
>>
>> ...
>>
>> --- a/kernel/fork.c
>> +++ b/kernel/fork.c
>> @@ -1171,6 +1171,7 @@ static struct mm_struct *mm_init(struct mm_struct *mm, struct task_struct *p,
>>   fail_pcpu:
>>   	while (i > 0)
>>   		percpu_counter_destroy(&mm->rss_stat[--i]);
>> +	destroy_context(mm);
>>   fail_nocontext:
>>   	mm_free_pgd(mm);
>>   fail_nopgd:
> 
> Is there really a leak?  I wasn't able to find a version of
> init_new_context() which performs allocation.

AFAIU, at least on powerpc:

arch/powerpc/mm/book3s64/mmu_context.c: init_new_context() calls 
radix__init_new_context() or hash__init_new_context() which
leak IDs through ida_alloc_range.

Thanks,

Mathieu


-- 
Mathieu Desnoyers
EfficiOS Inc.
https://www.efficios.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ