Re: [PATCH 6/6] mqueue: fix mq_open() file descriptor leak on user-space processes

[Xiaotian Feng]

On Tue, Feb 23, 2010 at 3:04 PM, Andrà Goddard Rosa
<andre.goddard@xxxxxxxxx> wrote:
> It can be triggered by the following test program:
>
> #include <stdio.h>
> #include <stdlib.h>
> #include <unistd.h>
> #include <mqueue.h>
> #include <fcntl.h>
> #include <errno.h>
> #include <sys/stat.h>
> #include <sys/resource.h>
>
> int main(int argc, char *argv[])
> {
> Â Â Â Âstruct rlimit limit;
> Â Â Â Âchar queue_name[] = "/mq_open/bug";
> Â Â Â Âchar tmp_name[] Â = "/tmp/tmp";
> Â Â Â Âint fd, i = 1;
>
> Â Â Â Âif (getrlimit(RLIMIT_NOFILE, &limit) != 0) {
> Â Â Â Â Â Â Â Âprintf("%s\n", "Failed to get RLIMIT_NOFILE");
> Â Â Â Â Â Â Â Âreturn EXIT_FAILURE;
> Â Â Â Â}
> Â Â Â Âprintf("Max number of open files is: %d\n", limit.rlim_cur);
>
> Â Â Â Âwhile (i <= limit.rlim_cur) {
> Â Â Â Â Â Â Â Âmqd_t queue;
>
> Â Â Â Â Â Â Â Âerrno = 0;
> Â Â Â Â Â Â Â Âqueue = mq_open(queue_name, O_CREAT |O_RDWR, S_IRUSR | S_IWUSR
> Â Â Â Â Â Â Â Â Â Â, NULL);
> Â Â Â Â Â Â Â Âif (queue != (mqd_t)-1) {
> Â Â Â Â Â Â Â Â Â Â Â Â/* Success opening mqueue, no leak will happen */
> Â Â Â Â Â Â Â Â Â Â Â Âprintf("Successfully opened an mqueue[%d]\n", queue);
> Â Â Â Â Â Â Â Â Â Â Â Âprintf("mq_close(%d) = %d\n", queue, mq_close(queue));
> Â Â Â Â Â Â Â Â Â Â Â Âreturn EXIT_SUCCESS;
> Â Â Â Â Â Â Â Â}
> Â Â Â Â Â Â Â Â/* Failed to open mqueue, maybe a leak is happening... */
> Â Â Â Â Â Â Â Âif (errno == EMFILE)
> Â Â Â Â Â Â Â Â{
> Â Â Â Â Â Â Â Â Â Â Â Âprintf("\nRun out of file descriptors");
> Â Â Â Â Â Â Â Â Â Â Â Âbreak;
> Â Â Â Â Â Â Â Â}
> Â Â Â Â Â Â Â Âprintf("\rLeaking [%d] files?!?!", i++);
> Â Â Â Â Â Â Â Âfflush(stdout);
> Â Â Â Â Â Â Â Âusleep(500);
> Â Â Â Â}
> Â Â Â Â/* Double check that no file descriptor is available anymore indeed */
> Â Â Â Âputchar('\n');
> Â Â Â Âerrno = 0;
> Â Â Â Âfd = open(tmp_name, O_CREAT | O_RDWR, S_IRUSR | S_IWUSR);
> Â Â Â Âif (fd == -1) {
> Â Â Â Â Â Â Â Âprintf("open() failed: %s\n", strerror(errno));
> Â Â Â Â Â Â Â Âif (errno == EMFILE) {
> Â Â Â Â Â Â Â Â Â Â Â Âprintf("%s\n", "Cannot open new files, fds exhausted");
> Â Â Â Â Â Â Â Â Â Â Â Âreturn EXIT_FAILURE;
> Â Â Â Â Â Â Â Â}
> Â Â Â Â} else
> Â Â Â Â Â Â Â Âprintf("close(%d) = %d\n", fd, close(fd));
> Â Â Â Âprintf("%s\n", "Expected output: kernel is not leaking any fds!");
>
> Â Â Â Âreturn EXIT_SUCCESS;
> }
>
> ## Preparing for testing
>
> $ touch /tmp/tmp
> $ gcc -g main_mq_open_fd_leak.c -lrt
>
> ## Linux kernel with the fix applied:
>
> $ ./a.out
> Max number of open files is: 1024
> Leaking [1024] files?!?!
> close(3) = 0
> Expected output: kernel is not leaking any fds!
>
> ## Linux kernel without the fix:
>
> ## Shell execution:
>
> $ ./a.out
> Max number of open files is: 1024
> Leaking [1019] files?!?!
> Run out of file descriptors
> Segmentation fault
>
> ## Valgrind execution:
>
> $ valgrind --track-fds=yes ./a.out
> ==2895== Memcheck, a memory error detector
> ==2895== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
> ==2895== Using Valgrind-3.6.0.SVN and LibVEX; rerun with -h for copyright info
> ==2895== Command: ./a.out
> ==2895==
> Max number of open files is: 1024
> Leaking [1024] files?!?!
> open() failed: Too many open files
> Cannot open new files, fds exhausted
> ==2895==
> ==2895== FILE DESCRIPTORS: 5 open at exit.
> ==2895== Open file descriptor 13:
> ==2895== Â Â<inherited from parent>
> ==2895==
> ==2895== Open file descriptor 12:
> ==2895== Â Â<inherited from parent>
> ==2895==
> ==2895== Open file descriptor 2: /dev/pts/1
> ==2895== Â Â<inherited from parent>
> ==2895==
> ==2895== Open file descriptor 1: /dev/pts/1
> ==2895== Â Â<inherited from parent>
> ==2895==
> ==2895== Open file descriptor 0: /dev/pts/1
> ==2895== Â Â<inherited from parent>
> ==2895==
> ==2895==
> ==2895== HEAP SUMMARY:
> ==2895== Â Â in use at exit: 0 bytes in 0 blocks
> ==2895== Â total heap usage: 0 allocs, 0 frees, 0 bytes allocated
> ==2895==
> ==2895== All heap blocks were freed -- no leaks are possible
> ==2895==
> ==2895== For counts of detected and suppressed errors, rerun with: -v
> ==2895== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 2 from 2)
>
> When not running valgrind, user-space program segfaults trying to execute
> strerror(errno). With valgrind, it executes successfully and prints the
> 5 open files: stdin, stdout, stderr, pipe[0] and pipe[1].
>
> Signed-off-by: Andrà Goddard Rosa <andre.goddard@xxxxxxxxx>

If kernel failed to lookup the dentry in mqueue,  the fd allocated by
get_unused_fd_flags will be leaked then.
I think this is a good catch ;-)

Acked-by: Xiaotian Feng <xtfeng@xxxxxxxxx>

> ---
> Âipc/mqueue.c | Â Â3 +--
> Â1 files changed, 1 insertions(+), 2 deletions(-)
>
> diff --git a/ipc/mqueue.c b/ipc/mqueue.c
> index e47c9eb..b6cb064 100644
> --- a/ipc/mqueue.c
> +++ b/ipc/mqueue.c
> @@ -710,7 +710,7 @@ SYSCALL_DEFINE4(mq_open, const char __user *, u_name, int, oflag, mode_t, mode,
> Â Â Â Âdentry = lookup_one_len(name, ipc_ns->mq_mnt->mnt_root, strlen(name));
> Â Â Â Âif (IS_ERR(dentry)) {
> Â Â Â Â Â Â Â Âerror = PTR_ERR(dentry);
> - Â Â Â Â Â Â Â goto out_err;
> + Â Â Â Â Â Â Â goto out_putfd;
> Â Â Â Â}
> Â Â Â Âmntget(ipc_ns->mq_mnt);
>
> @@ -749,7 +749,6 @@ out:
> Â Â Â Âmntput(ipc_ns->mq_mnt);
> Âout_putfd:
> Â Â Â Âput_unused_fd(fd);
> -out_err:
> Â Â Â Âfd = error;
> Âout_upsem:
> Â Â Â Âmutex_unlock(&ipc_ns->mq_mnt->mnt_root->d_inode->i_mutex);
> --
> 1.7.0.87.g0901d
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at Âhttp://vger.kernel.org/majordomo-info.html
> Please read the FAQ at Âhttp://www.tux.org/lkml/
>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/