| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAHKZfL0Ypbbz2hFiDPhAhvE5F3ZyrBy6V7OpzMyOJfoZ47cLRQ@mail.gmail.com>
Date: Thu, 14 Aug 2025 12:41:59 +0800
From: Huang Adrian <adrianhuang0701@...il.com>
To: Alexander Viro <viro@...iv.linux.org.uk>, Christian Brauner <brauner@...nel.org>, Jan Kara <jack@...e.cz>
Cc: linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
ahuang12@...ovo.com
Subject: Re: [PATCH 1/1] pidfs: Fix memory leak in pidfd_info()
On Wed, Aug 13, 2025 at 9:22 PM Adrian Huang (Lenovo)
<adrianhuang0701@...il.com> wrote:
>
> After running the program 'ioctl_pidfd03' of Linux Test Project (LTP) or
> the program 'pidfd_info_test' in 'tools/testing/selftests/pidfd' of the
> kernel source, kmemleak reports the following memory leaks:
>
> # cat /sys/kernel/debug/kmemleak
> unreferenced object 0xff110020e5988000 (size 8216):
> comm "ioctl_pidfd03", pid 10853, jiffies 4294800031
> hex dump (first 32 bytes):
> 02 40 00 00 00 00 00 00 10 00 00 00 00 00 00 00 .@..............
> 00 00 00 00 af 01 00 00 80 00 00 00 00 00 00 00 ................
> backtrace (crc 69483047):
> kmem_cache_alloc_node_noprof+0x2fb/0x410
> copy_process+0x178/0x1740
> kernel_clone+0x99/0x3b0
> __do_sys_clone3+0xbe/0x100
> do_syscall_64+0x7b/0x2c0
> entry_SYSCALL_64_after_hwframe+0x76/0x7e
> ...
> unreferenced object 0xff11002097b70000 (size 8216):
> comm "pidfd_info_test", pid 11840, jiffies 4294889165
> hex dump (first 32 bytes):
> 06 40 00 00 00 00 00 00 10 00 00 00 00 00 00 00 .@..............
> 00 00 00 00 b5 00 00 00 80 00 00 00 00 00 00 00 ................
> backtrace (crc a6286bb7):
> kmem_cache_alloc_node_noprof+0x2fb/0x410
> copy_process+0x178/0x1740
> kernel_clone+0x99/0x3b0
> __do_sys_clone3+0xbe/0x100
> do_syscall_64+0x7b/0x2c0
> entry_SYSCALL_64_after_hwframe+0x76/0x7e
> ...
>
> The leak occurs because pidfd_info() obtains a task_struct via
> get_pid_task() but never calls put_task_struct() to drop the reference,
> leaving task->usage unbalanced.
>
> Fix the issue by adding __free(put_task) to the local variable 'task',
> ensuring that put_task_struct() is automatically invoked when the
> variable goes out of scope.
>
> Fixes: 7477d7dce48a ("pidfs: allow to retrieve exit information")
> Signed-off-by: Adrian Huang (Lenovo) <adrianhuang0701@...il.com>
> ---
> fs/pidfs.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/pidfs.c b/fs/pidfs.c
> index edc35522d75c..857eb27c3d94 100644
> --- a/fs/pidfs.c
> +++ b/fs/pidfs.c
> @@ -296,12 +296,12 @@ static __u32 pidfs_coredump_mask(unsigned long mm_flags)
> static long pidfd_info(struct file *file, unsigned int cmd, unsigned long arg)
> {
> struct pidfd_info __user *uinfo = (struct pidfd_info __user *)arg;
> + struct task_struct *task __free(put_task);
Oops, forgot to assign NULL. This causes the regression (general
protection fault) for the error path in pidfd_info() when running the
program 'ioctl_pidfd05' of Linux Test Project (LTP).
Please ignore this patch, and I'll send a v2 shortly.
> struct pid *pid = pidfd_pid(file);
> size_t usize = _IOC_SIZE(cmd);
> struct pidfd_info kinfo = {};
> struct pidfs_exit_info *exit_info;
> struct user_namespace *user_ns;
> - struct task_struct *task;
> struct pidfs_attr *attr;
> const struct cred *c;
> __u64 mask;
> --
> 2.34.1
>
Powered by blists - more mailing lists