Re: Fw:Re: [PATCH] fs: nilfs2: fix memory leak in nilfs sysfs create device group

From: Dongliang Mu
Date: Mon Mar 07 2022 - 21:22:38 EST


On Sat, Jan 22, 2022 at 12:22 PM Ryusuke Konishi
<konishi.ryusuke@xxxxxxxxx> wrote:
>
> Hi Dongliang,
>
> On Sat, Jan 22, 2022 at 9:31 AM Dongliang Mu <mudongliangabcd@xxxxxxxxx> wrote:
> > > (added Nanyong Sun to CC)
> > > Hi Dongliang,
> > >
> > > On Thu, Jan 20, 2022 at 11:07 PM Pavel Skripkin <paskripkin@xxxxxxxxx> wrote:
> > >
> > >
> > > Hi Dongliang,
> > >
> > > On 1/20/22 16:44, Dongliang Mu wrote:
> > >
> > > The preivous commit 8fd0c1b0647a ("nilfs2: fix memory leak in
> > > nilfs_sysfs_delete_device_group") only handles the memory leak in the
> > > nilfs_sysfs_delete_device_group. However, the similar memory leak still
> > > occurs in the nilfs_sysfs_create_device_group.
> > >
> > > Fix it by adding kobject_del when
> > > kobject_init_and_add succeeds, but one of the following calls fails.
> > >
> > > Fixes: 8fd0c1b0647a ("nilfs2: fix memory leak in nilfs_sysfs_delete_device_group")
> > >
> > >
> > > Why Fixes tag points to my commit? This issue was introduced before my patch
> > >
> > >
> > > As Pavel pointed out, this patch is independent of his patch.
> > > The following one ?
> >
> > Hi Pavel,
> >
> > This is an incorrect fixes tag. I need to dig more about `git log -p
> > fs/nilfs2/sysfs.c`.
> >
> > I wonder if there are any automatic or semi-automatic ways to capture
> > this fixes tag. Or how do you guys identify the fixes tag?
>
> I guess `git blame fs/nilfs2/sysfs.c` may help you to confirm where the change
> came from. It shows information of commits for every line of the input file.
> If you are using github, 'blame button' is available.
>
> If an issue is reproducible, we use `git bisect` to identify the patch
> that caused the
> issue, however, even then, try to understand why and how it affected
> by looking at
> source code and the commit.
>
> >
> > >
> > > 5f5dec07aca7 ("nilfs2: fix memory leak in nilfs_sysfs_create_device_group")
> > >
> > > Signed-off-by: Dongliang Mu <dzm91@xxxxxxxxxxx>
> > > ---
> > > fs/nilfs2/sysfs.c | 5 ++++-
> > > 1 file changed, 4 insertions(+), 1 deletion(-)
> > >
> > >
> > > Can you describe what memory leak issue does this patch actually fix ?
> > >
> > > It looks like kobject_put() can call __kobject_del() unless circular
> > > references exist.
> > >
> > > kobject_put() -> kref_put() -> kobject_release() ->
> > > kobject_cleanup() -> __kobject_del()
> > >
> > > As explained in Documentation/core-api/kobject.rst,
> > >
> > > kobject_del() can be used to drop the reference to the parent object, if
> > > circular references are constructed.
> > >
> > > But, at least, the parent object is NULL in this case.
> > > I really want to understand what the real problem is.
> > >
> > > Thanks,
> > > Ryusuke Konishi
> >
> > I know where my problem is. From the disconnect function, I think the
> > kobject_del and kobject_put are both necessary without checking the
> > documentation of kobjects.
> >
> > Then I think the current error handling may miss kobject_del, and this
> > patch is generated.
> >
> > As a result, I think we can ignore this patch. Sorry for my false alarm.
>
> Okay, thank you for your reply.
> If you notice anything we missed on this difference, please let us know.

Hi Ryusuke,

My local syzkaller instance always complains about the following crash
report no matter how many times I clean up the generated crash
reports.

BUG: memory leak
unreferenced object 0xffff88812e902be0 (size 32):
comm "syz-executor.2", pid 25972, jiffies 4295025942 (age 12.490s)
hex dump (first 32 bytes):
6c 6f 6f 70 32 00 00 00 00 00 00 00 00 00 00 00 loop2...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff8148a466>] kstrdup+0x36/0x70 mm/util.c:60
[<ffffffff8148a4f3>] kstrdup_const+0x53/0x80 mm/util.c:83
[<ffffffff8228dcd2>] kvasprintf_const+0xc2/0x110 lib/kasprintf.c:48
[<ffffffff8238ca5b>] kobject_set_name_vargs+0x3b/0xe0 lib/kobject.c:289
[<ffffffff8238d3bd>] kobject_add_varg lib/kobject.c:384 [inline]
[<ffffffff8238d3bd>] kobject_init_and_add+0x6d/0xc0 lib/kobject.c:473
[<ffffffff81d39d3a>] nilfs_sysfs_create_device_group+0x9a/0x3d0
fs/nilfs2/sysfs.c:991
[<ffffffff81d22ee0>] init_nilfs+0x420/0x580 fs/nilfs2/the_nilfs.c:637
[<ffffffff81d108e2>] nilfs_fill_super fs/nilfs2/super.c:1046 [inline]
[<ffffffff81d108e2>] nilfs_mount+0x532/0x8c0 fs/nilfs2/super.c:1316
[<ffffffff815de0db>] legacy_get_tree+0x2b/0x90 fs/fs_context.c:610
[<ffffffff81579ba8>] vfs_get_tree+0x28/0x100 fs/super.c:1497
[<ffffffff815bb582>] do_new_mount fs/namespace.c:3024 [inline]
[<ffffffff815bb582>] path_mount+0xb92/0xfe0 fs/namespace.c:3354
[<ffffffff815bba71>] do_mount+0xa1/0xc0 fs/namespace.c:3367
[<ffffffff815bc084>] __do_sys_mount fs/namespace.c:3575 [inline]
[<ffffffff815bc084>] __se_sys_mount fs/namespace.c:3552 [inline]
[<ffffffff815bc084>] __x64_sys_mount+0xf4/0x160 fs/namespace.c:3552
[<ffffffff843dd8e5>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff843dd8e5>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
[<ffffffff84400068>] entry_SYSCALL_64_after_hwframe+0x44/0xae

Unfortunately, there is no reproducer attached to the crash report.
But I still think there should be another issue in the code.

>
> Regards,
> Ryusuke Konishi