Re: [PATCH] pidfd: fix memory leak in pidfd_getfd()
From: Christian Brauner
Date: Mon Jul 06 2020 - 08:58:09 EST
On Mon, Jul 06, 2020 at 06:22:55PM +0530, Vamshi K Sthambamkadi wrote:
> kmemleak backtrace:
>
> comm "pidfd_getfd_tes", pid 1406, jiffies 4294936898 (age 8.644s)
> hex dump (first 32 bytes):
> 00 00 00 00 00 00 00 00 90 da d8 f6 80 d5 6f f2 ..............o.
> b8 fb 9b ea c0 91 99 d1 00 00 00 00 00 00 00 00 ................
> backtrace:
> [<8da987ad>] kmem_cache_alloc+0x199/0x4c0
> [<8ff6a575>] __alloc_file+0x1e/0xe0
> [<e1479798>] alloc_empty_file+0x45/0x100
> [<727fe6eb>] alloc_file+0x23/0xf0
> [<457148ef>] alloc_file_pseudo+0x98/0x100
> [<c104ed3d>] __shmem_file_setup.part.67+0x66/0x120
> [<5edc3e9b>] shmem_file_setup+0x4c/0x70
> [<9c446684>] __ia32_sys_memfd_create+0x122/0x1c0
> [<e129fc9c>] do_syscall_32_irqs_on+0x3d/0x260
> [<62569441>] do_fast_syscall_32+0x39/0xb0
> [<3c515b7e>] do_SYSENTER_32+0x15/0x20
> [<69819a3a>] entry_SYSENTER_32+0xa9/0xfc
>
> comm "pidfd_getfd_tes", pid 1406, jiffies 4294936898 (age 8.644s)
> hex dump (first 16 bytes):
> 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
> backtrace:
> [<8da987ad>] kmem_cache_alloc+0x199/0x4c0
> [<b67faec5>] security_file_alloc+0x20/0x90
> [<ed849d41>] __alloc_file+0x40/0xe0
> [<e1479798>] alloc_empty_file+0x45/0x100
> [<727fe6eb>] alloc_file+0x23/0xf0
> [<457148ef>] alloc_file_pseudo+0x98/0x100
> [<c104ed3d>] __shmem_file_setup.part.67+0x66/0x120
> [<5edc3e9b>] shmem_file_setup+0x4c/0x70
> [<9c446684>] __ia32_sys_memfd_create+0x122/0x1c0
> [<e129fc9c>] do_syscall_32_irqs_on+0x3d/0x260
> [<62569441>] do_fast_syscall_32+0x39/0xb0
> [<3c515b7e>] do_SYSENTER_32+0x15/0x20
> [<69819a3a>] entry_SYSENTER_32+0xa9/0xfc
>
> This is because in pidfd_getfd(), the file->f_count is incremented twice
> 1) __pidfd_fget() gets file ref by incrementing f_count in __fget_files()
> 2) f_count is incremented While installing fd in __fd_install_received()
> i.e. get_file().
>
> Memory leak occurs because the refs count do not match, the struct file
> object is never freed.
>
> Secondly the error validity check (ret < 0) after the call to
> fd_install_received() is not needed since this function cannot return
> negative number after incrementing f_count. So it is wrong to call fput
> on condition (ret < 0).
>
> Change pidfd_getfd() to call fput() on file reference once its installed
> as new_fd in target process.
>
> Signed-off-by: Vamshi K Sthambamkadi <vamshi.k.sthambamkadi@xxxxxxxxx>
> ---
What's the base commit for this fix? The fd_install_received() changes
are not upstream yet. Afaict, they are in Kees tree and in linux-next.
So this really isn't an applicable fix.
I really need to re-review the patches Kees sent. I haven't acked them
yet so we can't really take this patch now.
Thanks!
Christian