traing: Fix memory leak of iter->temp when reading trace_pipe

Message ID 20230713141435.1133021-1-zhengyejian1@huawei.com
State New
Headers
Series traing: Fix memory leak of iter->temp when reading trace_pipe |

Commit Message

Zheng Yejian July 13, 2023, 2:14 p.m. UTC
  kmemleak reports:
  unreferenced object 0xffff88814d14e200 (size 256):
    comm "cat", pid 336, jiffies 4294871818 (age 779.490s)
    hex dump (first 32 bytes):
      04 00 01 03 00 00 00 00 08 00 00 00 00 00 00 00  ................
      0c d8 c8 9b ff ff ff ff 04 5a ca 9b ff ff ff ff  .........Z......
    backtrace:
      [<ffffffff9bdff18f>] __kmalloc+0x4f/0x140
      [<ffffffff9bc9238b>] trace_find_next_entry+0xbb/0x1d0
      [<ffffffff9bc9caef>] trace_print_lat_context+0xaf/0x4e0
      [<ffffffff9bc94490>] print_trace_line+0x3e0/0x950
      [<ffffffff9bc95499>] tracing_read_pipe+0x2d9/0x5a0
      [<ffffffff9bf03a43>] vfs_read+0x143/0x520
      [<ffffffff9bf04c2d>] ksys_read+0xbd/0x160
      [<ffffffff9d0f0edf>] do_syscall_64+0x3f/0x90
      [<ffffffff9d2000aa>] entry_SYSCALL_64_after_hwframe+0x6e/0xd8

when reading file 'trace_pipe', 'iter->temp' is allocated or relocated
in trace_find_next_entry() but not freed before 'trace_pipe' is closed.

To fix it, free 'iter->temp' in tracing_release_pipe().

Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
---
 kernel/trace/trace.c | 1 +
 1 file changed, 1 insertion(+)
  

Comments

Zheng Yejian July 13, 2023, 2:23 p.m. UTC | #1
On 2023/7/13 22:14, Zheng Yejian wrote:
> kmemleak reports:
>    unreferenced object 0xffff88814d14e200 (size 256):
>      comm "cat", pid 336, jiffies 4294871818 (age 779.490s)
>      hex dump (first 32 bytes):
>        04 00 01 03 00 00 00 00 08 00 00 00 00 00 00 00  ................
>        0c d8 c8 9b ff ff ff ff 04 5a ca 9b ff ff ff ff  .........Z......
>      backtrace:
>        [<ffffffff9bdff18f>] __kmalloc+0x4f/0x140
>        [<ffffffff9bc9238b>] trace_find_next_entry+0xbb/0x1d0
>        [<ffffffff9bc9caef>] trace_print_lat_context+0xaf/0x4e0
>        [<ffffffff9bc94490>] print_trace_line+0x3e0/0x950
>        [<ffffffff9bc95499>] tracing_read_pipe+0x2d9/0x5a0
>        [<ffffffff9bf03a43>] vfs_read+0x143/0x520
>        [<ffffffff9bf04c2d>] ksys_read+0xbd/0x160
>        [<ffffffff9d0f0edf>] do_syscall_64+0x3f/0x90
>        [<ffffffff9d2000aa>] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
> 
> when reading file 'trace_pipe', 'iter->temp' is allocated or relocated
> in trace_find_next_entry() but not freed before 'trace_pipe' is closed.
> 
> To fix it, free 'iter->temp' in tracing_release_pipe().
> 

Sorry, forget the Fixes tag:(

Is following Fixes right?
Fixes: ff895103a84a ("tracing: Save off entry when peeking at next entry")

> Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
> ---
>   kernel/trace/trace.c | 1 +
>   1 file changed, 1 insertion(+)
> 
> diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
> index 4529e264cb86..94cfaa884578 100644
> --- a/kernel/trace/trace.c
> +++ b/kernel/trace/trace.c
> @@ -6764,6 +6764,7 @@ static int tracing_release_pipe(struct inode *inode, struct file *file)
>   
>   	free_cpumask_var(iter->started);
>   	kfree(iter->fmt);
> +	kfree(iter->temp);
>   	mutex_destroy(&iter->mutex);
>   	kfree(iter);
>
  
Steven Rostedt July 13, 2023, 2:33 p.m. UTC | #2
On Thu, 13 Jul 2023 22:14:35 +0800
Zheng Yejian <zhengyejian1@huawei.com> wrote:

> kmemleak reports:
>   unreferenced object 0xffff88814d14e200 (size 256):
>     comm "cat", pid 336, jiffies 4294871818 (age 779.490s)
>     hex dump (first 32 bytes):
>       04 00 01 03 00 00 00 00 08 00 00 00 00 00 00 00  ................
>       0c d8 c8 9b ff ff ff ff 04 5a ca 9b ff ff ff ff  .........Z......
>     backtrace:
>       [<ffffffff9bdff18f>] __kmalloc+0x4f/0x140
>       [<ffffffff9bc9238b>] trace_find_next_entry+0xbb/0x1d0
>       [<ffffffff9bc9caef>] trace_print_lat_context+0xaf/0x4e0
>       [<ffffffff9bc94490>] print_trace_line+0x3e0/0x950
>       [<ffffffff9bc95499>] tracing_read_pipe+0x2d9/0x5a0
>       [<ffffffff9bf03a43>] vfs_read+0x143/0x520
>       [<ffffffff9bf04c2d>] ksys_read+0xbd/0x160
>       [<ffffffff9d0f0edf>] do_syscall_64+0x3f/0x90
>       [<ffffffff9d2000aa>] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
> 
> when reading file 'trace_pipe', 'iter->temp' is allocated or relocated
> in trace_find_next_entry() but not freed before 'trace_pipe' is closed.
> 
> To fix it, free 'iter->temp' in tracing_release_pipe().
> 
> Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>

Why is it that every time I send a pull request to Linus, I get another fix???

Anyway, Linus, hold off. I'll send a v3 with this included as well.

-- Steve

> ---
>  kernel/trace/trace.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
> index 4529e264cb86..94cfaa884578 100644
> --- a/kernel/trace/trace.c
> +++ b/kernel/trace/trace.c
> @@ -6764,6 +6764,7 @@ static int tracing_release_pipe(struct inode *inode, struct file *file)
>  
>  	free_cpumask_var(iter->started);
>  	kfree(iter->fmt);
> +	kfree(iter->temp);
>  	mutex_destroy(&iter->mutex);
>  	kfree(iter);
>
  
Steven Rostedt July 13, 2023, 2:47 p.m. UTC | #3
On Thu, 13 Jul 2023 22:23:20 +0800
Zheng Yejian <zhengyejian1@huawei.com> wrote:

> On 2023/7/13 22:14, Zheng Yejian wrote:
> > kmemleak reports:
> >    unreferenced object 0xffff88814d14e200 (size 256):
> >      comm "cat", pid 336, jiffies 4294871818 (age 779.490s)
> >      hex dump (first 32 bytes):
> >        04 00 01 03 00 00 00 00 08 00 00 00 00 00 00 00  ................
> >        0c d8 c8 9b ff ff ff ff 04 5a ca 9b ff ff ff ff  .........Z......
> >      backtrace:
> >        [<ffffffff9bdff18f>] __kmalloc+0x4f/0x140
> >        [<ffffffff9bc9238b>] trace_find_next_entry+0xbb/0x1d0
> >        [<ffffffff9bc9caef>] trace_print_lat_context+0xaf/0x4e0
> >        [<ffffffff9bc94490>] print_trace_line+0x3e0/0x950
> >        [<ffffffff9bc95499>] tracing_read_pipe+0x2d9/0x5a0
> >        [<ffffffff9bf03a43>] vfs_read+0x143/0x520
> >        [<ffffffff9bf04c2d>] ksys_read+0xbd/0x160
> >        [<ffffffff9d0f0edf>] do_syscall_64+0x3f/0x90
> >        [<ffffffff9d2000aa>] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
> > 
> > when reading file 'trace_pipe', 'iter->temp' is allocated or relocated
> > in trace_find_next_entry() but not freed before 'trace_pipe' is closed.
> > 
> > To fix it, free 'iter->temp' in tracing_release_pipe().
> >   
> 
> Sorry, forget the Fixes tag:(
> 
> Is following Fixes right?
> Fixes: ff895103a84a ("tracing: Save off entry when peeking at next entry")

That's the one I already added ;-)

Don't worry too much about adding fixes, I will always analyze a fix patch
to find out what it actually fixes. If you add one, I'll still confirm it.

-- Steve

> 
> > Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
> > ---
> >   kernel/trace/trace.c | 1 +
> >   1 file changed, 1 insertion(+)
> > 
> > diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
> > index 4529e264cb86..94cfaa884578 100644
> > --- a/kernel/trace/trace.c
> > +++ b/kernel/trace/trace.c
> > @@ -6764,6 +6764,7 @@ static int tracing_release_pipe(struct inode *inode, struct file *file)
> >   
> >   	free_cpumask_var(iter->started);
> >   	kfree(iter->fmt);
> > +	kfree(iter->temp);
> >   	mutex_destroy(&iter->mutex);
> >   	kfree(iter);
> >
  
Steven Rostedt July 13, 2023, 2:51 p.m. UTC | #4
On Thu, 13 Jul 2023 14:44:04 +0000
"Zhengyejian (Zetta)" <zhengyejian1@huawei.com> wrote:

> Hi, Steve,
> 
> Please correct a typo in title: trainy -> tracing

 traing -> tracing ;-)

> 
> I'm a little hurry home from work :(
> I'll pay attention to it next time.

No problem. I made the fix.

But seriously, thanks for all the fixes you are sending my way!

-- Steve
  
Zheng Yejian July 14, 2023, 1:40 a.m. UTC | #5
On 2023/7/13 22:51, Steven Rostedt wrote:
> On Thu, 13 Jul 2023 14:44:04 +0000
> "Zhengyejian (Zetta)" <zhengyejian1@huawei.com> wrote:
> 
>> Hi, Steve,
>>
>> Please correct a typo in title: trainy -> tracing
> 
>   traing -> tracing ;-)

Emm, my anothor typo 'trainy'. Phone's keyboard is hard to use :)

> 
>>
>> I'm a little hurry home from work :(
>> I'll pay attention to it next time.
> 
> No problem. I made the fix.
> 
> But seriously, thanks for all the fixes you are sending my way!
> 

You're welcome! I am happy to do it and have learned a lot :)

> -- Steve
> 
> 
--
Thanks,
Zheng Yejian
  

Patch

diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index 4529e264cb86..94cfaa884578 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -6764,6 +6764,7 @@  static int tracing_release_pipe(struct inode *inode, struct file *file)
 
 	free_cpumask_var(iter->started);
 	kfree(iter->fmt);
+	kfree(iter->temp);
 	mutex_destroy(&iter->mutex);
 	kfree(iter);