Message-ID: <4dcf783e-c79b-486a-b4a5-e35681cb8306@oracle.com>
Date: Thu, 15 May 2025 11:06:21 -0400
From: Sidhartha Kumar <sidhartha.kumar@...cle.com>
To: Lorenzo Stoakes <lorenzo.stoakes@...cle.com>,
        Jared Kangas <jkangas@...hat.com>
Cc: willy@...radead.org, akpm@...ux-foundation.org,
        linux-fsdevel@...r.kernel.org, linux-mm@...ck.org,
        linux-kernel@...r.kernel.org, Liam Howlett <liam.howlett@...cle.com>
Subject: Re: [PATCH] XArray: fix kmemleak false positive in xas_shrink()

On 5/15/25 10:01 AM, Lorenzo Stoakes wrote:
> +cc Liam, Sid.
> 
> Andrew - please drop this patch until this is fixed.
> 
> Hi Jared,
> 
> This breaks the xarray and vma userland testing. Please ensure that any
> required stubs are set up there to allow for your fix to work correctly.
> 
> Once moved to mm-unstable, or at least -next this would get caught by bots
> (hopefully :) so this is a mandatory pre-requisite to this being merged.
> 
> Cheers, Lorenzo
> 
> P.S. Liam, Sid - do you think it might be useful to add us 3 as reviewers
> to the xarray entry in MAINTAINERS so we pick up on this sooner?

I would be fine being a reviewer to catch any breakage to the userland
test suite.

Thanks,
Sid

> 
> $ cd tools/testing/radix-tree
> $ make
> cp ../shared/autoconf.h generated/autoconf.h
> cc -I../shared -I. -I../../include -I../../../lib -g -Og -Wall -D_LGPL_SOURCE -fsanitize=address -fsanitize=undefined   -c -o main.o main.c
> cc -c -I../shared -I. -I../../include -I../../../lib -g -Og -Wall -D_LGPL_SOURCE -fsanitize=address -fsanitize=undefined ../shared/xarray-shared.c -o xarray-shared.o
> In file included from ../shared/xarray-shared.c:5:
> ../shared/../../../lib/xarray.c: In function ‘xas_shrink’:
> ../shared/../../../lib/xarray.c:480:17: error: implicit declaration of function ‘kmemleak_transient_leak’ [-Wimplicit-function-declaration]
>    480 |                 kmemleak_transient_leak(node);
>        |                 ^~~~~~~~~~~~~~~~~~~~~~~
> make: *** [../shared/shared.mk:37: xarray-shared.o] Error 1
> $ cd ../vma
> $ make
> cc -c -I../shared -I. -I../../include -I../../../lib -g -Og -Wall -D_LGPL_SOURCE -fsanitize=address -fsanitize=undefined ../shared/xarray-shared.c -o xarray-shared.o
> In file included from ../shared/xarray-shared.c:5:
> ../shared/../../../lib/xarray.c: In function ‘xas_shrink’:
> ../shared/../../../lib/xarray.c:480:17: error: implicit declaration of function ‘kmemleak_transient_leak’ [-Wimplicit-function-declaration]
>    480 |                 kmemleak_transient_leak(node);
>        |                 ^~~~~~~~~~~~~~~~~~~~~~~
> make: *** [../shared/shared.mk:37: xarray-shared.o] Error 1
> 
> On Mon, May 12, 2025 at 12:17:07PM -0700, Jared Kangas wrote:
>> Kmemleak periodically produces a false positive report that resembles
>> the following:
>>
>> unreferenced object 0xffff0000c105ed08 (size 576):
>>    comm "swapper/0", pid 1, jiffies 4294937478
>>    hex dump (first 32 bytes):
>>      00 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>>      d8 e7 0a 8b 00 80 ff ff 20 ed 05 c1 00 00 ff ff  ........ .......
>>    backtrace (crc 69e99671):
>>      kmemleak_alloc+0xb4/0xc4
>>      kmem_cache_alloc_lru+0x1f0/0x244
>>      xas_alloc+0x2a0/0x3a0
>>      xas_expand.constprop.0+0x144/0x4dc
>>      xas_create+0x2b0/0x484
>>      xas_store+0x60/0xa00
>>      __xa_alloc+0x194/0x280
>>      __xa_alloc_cyclic+0x104/0x2e0
>>      dev_index_reserve+0xd8/0x18c
>>      register_netdevice+0x5e8/0xf90
>>      register_netdev+0x28/0x50
>>      loopback_net_init+0x68/0x114
>>      ops_init+0x90/0x2c0
>>      register_pernet_operations+0x20c/0x554
>>      register_pernet_device+0x3c/0x8c
>>      net_dev_init+0x5cc/0x7d8
>>
>> This transient leak can be traced to xas_shrink(): when the xarray's
>> head is reassigned, kmemleak may have already started scanning the
>> xarray. When this happens, if kmemleak fails to scan the new xa_head
>> before it moves, kmemleak will see it as a leak until the xarray is
>> scanned again.
>>
>> The report can be reproduced by running the xdp_bonding BPF selftest,
>> although it doesn't appear consistently due to the bug's transience.
>> In my testing, the following script has reliably triggered the report in
>> under an hour on a debug kernel with kmemleak enabled, where KSELFTESTS
>> is set to the install path for the kernel selftests:
>>
>>          #!/bin/sh
>>          set -eu
>>
>>          echo 1 >/sys/module/kmemleak/parameters/verbose
>>          echo scan=1 >/sys/kernel/debug/kmemleak
>>
>>          while :; do
>>                  $KSELFTESTS/bpf/test_progs -t xdp_bonding
>>          done
>>
>> To prevent this false positive report, mark the new xa_head in
>> xas_shrink() as a transient leak.
>>
>> Signed-off-by: Jared Kangas <jkangas@...hat.com>
>> ---
>>   lib/xarray.c | 2 ++
>>   1 file changed, 2 insertions(+)
>>
>> diff --git a/lib/xarray.c b/lib/xarray.c
>> index 9644b18af18d1..51314fa157b31 100644
>> --- a/lib/xarray.c
>> +++ b/lib/xarray.c
>> @@ -8,6 +8,7 @@
>>
>>   #include <linux/bitmap.h>
>>   #include <linux/export.h>
>> +#include <linux/kmemleak.h>
>>   #include <linux/list.h>
>>   #include <linux/slab.h>
>>   #include <linux/xarray.h>
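Review bot: The new #include <linux/kmemleak.h> at the top of lib/xarray.c also takes effect in the userland builds under tools/testing/radix-tree and tools/testing/vma, which compile this file through ../shared/xarray-shared.c. The build log quoted earlier in this thread shows no complaint about the include itself, only an implicit declaration of kmemleak_transient_leak() at xarray.c:480, which suggests the kmemleak.h those builds resolve lacks that function. A no-op kmemleak_transient_leak() for the test builds should be added in the same patch.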
>> @@ -476,6 +477,7 @@ static void xas_shrink(struct xa_state *xas)
>>   			break;
>>   		node = xa_to_node(entry);
>>   		node->parent = NULL;
>> +		kmemleak_transient_leak(node);
>>   	}
>>   }
>>
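Review bot: The kmemleak_transient_leak(node) call in xas_shrink() has no comment, and nothing in the surrounding lines says why a node that is still reachable needs a kmemleak annotation. A short comment above the call carrying the reason from the commit message (kmemleak may already be scanning the xarray when xa_head is reassigned and can miss the new head until the next scan) would keep the annotation from looking arbitrary or being dropped in a later cleanup.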
>> --
>> 2.49.0
>>
>>
>>
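The commit message says the report goes away once the xarray is scanned again. As an added example (not part of the original thread or the kernel tree), the sketch below parses two reads of the kmemleak report taken after consecutive scans and separates objects that disappeared from those still listed. The function names, the second sample record and the choice of xas_alloc as the backtrace marker are assumptions made for illustration.

```python
import re

# Constructed sample records in the report format quoted in the thread.
# REC_XA reuses the thread's address and top frames; REC_OTHER is made up.
REC_XA = '''unreferenced object 0xffff0000c105ed08 (size 576):
  comm "swapper/0", pid 1, jiffies 4294937478
  hex dump (first 32 bytes):
    d8 e7 0a 8b 00 80 ff ff 20 ed 05 c1 00 00 ff ff  ........ .......
  backtrace (crc 69e99671):
    kmemleak_alloc+0xb4/0xc4
    kmem_cache_alloc_lru+0x1f0/0x244
    xas_alloc+0x2a0/0x3a0
    xas_expand.constprop.0+0x144/0x4dc
'''
REC_OTHER = '''unreferenced object 0xffff0000c2000000 (size 64):
  comm "example", pid 42, jiffies 4294940000
  backtrace (crc 00000000):
    kmemleak_alloc+0xb4/0xc4
    example_alloc+0x10/0x20
'''
SCAN_1 = REC_XA + REC_OTHER   # read after the first scan
SCAN_2 = REC_OTHER            # read after the following scan

HEADER = re.compile(r"unreferenced object (0x[0-9a-f]+) \(size \d+\):")
FRAME = re.compile(r"\s+([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+\s*$")

def parse_report(text):
    """Return {object address: [backtrace symbols]} for one report read."""
    records, frames = {}, None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            frames = records.setdefault(header.group(1), [])
        elif frames is not None and (m := FRAME.match(line)):
            frames.append(m.group(1))
    return records

def triage(first_scan, second_scan, marker="xas_alloc"):
    """Classify first-scan objects by whether the next scan still lists them."""
    before, after = parse_report(first_scan), parse_report(second_scan)
    result = {"transient_xarray": [], "transient_other": [], "persistent": []}
    for addr, frames in before.items():
        if addr in after:
            result["persistent"].append(addr)      # still unreferenced: investigate
        elif marker in frames:
            result["transient_xarray"].append(addr)  # matches the thread's report
        else:
            result["transient_other"].append(addr)
    return result
```

An object that lands in "persistent" is still unreferenced after a full rescan and should be treated as a candidate real leak, regardless of what its backtrace contains.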

