From patchwork Fri Aug 4 05:33:12 2023
X-Patchwork-Submitter: Ian Kent
X-Patchwork-Id: 130977
Subject: [PATCH 1/2] autofs: fix memory leak of waitqueues in autofs_catatonic_mode
From: Ian Kent
To: Al Viro, Christian Brauner
Cc: autofs mailing list, linux-fsdevel, Kernel Mailing List, Fedor Pchelkin, Takeshi Misawa, Alexey Khoroshilov, Matthew Wilcox, Andrey Vagin
Date: Fri, 04 Aug 2023 13:33:12 +0800
Message-ID: <169112719161.7590.6700123246297365841.stgit@donald.themaw.net>
User-Agent: StGit/1.5
X-Mailing-List: linux-kernel@vger.kernel.org
From: Fedor Pchelkin

Syzkaller reports a memory leak:

BUG: memory leak
unreferenced object 0xffff88810b279e00 (size 96):
  comm "syz-executor399", pid 3631, jiffies 4294964921 (age 23.870s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 08 9e 27 0b 81 88 ff ff  ..........'.....
    08 9e 27 0b 81 88 ff ff 00 00 00 00 00 00 00 00  ..'.............
  backtrace:
    [] kmalloc_trace+0x20/0x90 mm/slab_common.c:1046
    [] kmalloc include/linux/slab.h:576 [inline]
    [] autofs_wait+0x3fa/0x9a0 fs/autofs/waitq.c:378
    [] autofs_do_expire_multi+0xa7/0x3e0 fs/autofs/expire.c:593
    [] autofs_expire_multi+0x53/0x80 fs/autofs/expire.c:619
    [] autofs_root_ioctl_unlocked+0x322/0x3b0 fs/autofs/root.c:897
    [] autofs_root_ioctl+0x25/0x30 fs/autofs/root.c:910
    [] vfs_ioctl fs/ioctl.c:51 [inline]
    [] __do_sys_ioctl fs/ioctl.c:870 [inline]
    [] __se_sys_ioctl fs/ioctl.c:856 [inline]
    [] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:856
    [] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    [] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
    [] entry_SYSCALL_64_after_hwframe+0x63/0xcd

autofs_wait_queue structs should be freed if their wait_ctr becomes zero.
Otherwise they will be lost.

In this case an AUTOFS_IOC_EXPIRE_MULTI ioctl is done, then a new waitqueue
struct is allocated in autofs_wait(), its initial wait_ctr equals 2. After
that wait_event_killable() is interrupted (it returns -ERESTARTSYS), so that
the 'wq->name.name == NULL' condition may not be satisfied. Actually, this
condition can be satisfied when autofs_wait_release() or
autofs_catatonic_mode() is called and, what is also important, wait_ctr is
decremented in those places. Upon the exit of autofs_wait(), wait_ctr is
decremented to 1. Then the unmounting process begins: kill_sb calls
autofs_catatonic_mode(), which should have freed the waitqueues, but it only
decrements its usage counter to zero, which is not correct behaviour.

edit: imk
This description is of course not correct.
The umount performed as a result of an expire is a umount of a mount that
has been automounted; it is not the autofs mount itself. They happen
independently, usually after everything mounted within the autofs file
system has been expired away. If everything hasn't been expired away the
automount daemon can still exit leaving mounts in place. But expires done
in both cases will result in a notification that calls
autofs_wait_release() with a result status.

The problem case is the summary execution of the automount daemon. In this
case any waiting processes won't be woken up until either they are
terminated or the mount is umounted.
end edit: imk

So in catatonic mode we should free waitqueues whose counter becomes zero.

edit: imk
Initially I was concerned that the calling of autofs_wait_release() and
autofs_catatonic_mode() was not mutually exclusive but that can't be the
case (obviously) because the queue entry (or entries) is removed from the
list when either of these two functions is called. Consequently the wait
entry will be freed by only one of these functions or by the woken process
in autofs_wait() depending on the order of the calls.
end edit: imk

Reported-by: syzbot+5e53f70e69ff0c0a1c0c@syzkaller.appspotmail.com
Suggested-by: Takeshi Misawa
Signed-off-by: Fedor Pchelkin
Signed-off-by: Alexey Khoroshilov
Signed-off-by: Ian Kent
Cc: Matthew Wilcox
Cc: Andrei Vagin
Cc: autofs@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
---
 fs/autofs/waitq.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/autofs/waitq.c b/fs/autofs/waitq.c
index 54c1f8b8b075..efdc76732fae 100644
--- a/fs/autofs/waitq.c
+++ b/fs/autofs/waitq.c
@@ -32,8 +32,9 @@ void autofs_catatonic_mode(struct autofs_sb_info *sbi) wq->status = -ENOENT; /* Magic is gone - report failure */ kfree(wq->name.name - wq->offset); wq->name.name = NULL; - wq->wait_ctr--; wake_up_interruptible(&wq->queue); + if (!--wq->wait_ctr) + kfree(wq); wq = nwq; } fput(sbi->pipe); /* Close the pipe */
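Review bot: the unchanged `wake_up_interruptible(&wq->queue);` directly above the new `if (!--wq->wait_ctr) kfree(wq);` does not wake a process sleeping in wait_event_killable() in autofs_wait(): that sleep is TASK_KILLABLE, and wake_up_interruptible() only matches TASK_INTERRUPTIBLE, which is exactly the "won't be woken up until either they are terminated or the mount is umounted" behaviour the description reports. The release path this hunk is modelled on, autofs_wait_release(), uses wake_up(), so this line should become `wake_up(&wq->queue);` in the same patch, or the follow-up patch that makes that change should be squashed in, so the free and the wakeup land together. The decrement-and-free itself is right: a waiter that was already killed has dropped its reference, so the count reaches zero here and the entry is freed, while a waiter still blocked holds a reference and frees the entry itself on its way out of autofs_wait(). Separately, the description still carries inline "edit: imk" corrections and has no Fixes: tag despite the syzbot Reported-by; please fold the corrections into one accurate description and add the tag before this goes in.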
From patchwork Fri Aug 4 05:33:18 2023
X-Patchwork-Submitter: Ian Kent
X-Patchwork-Id: 130976
Subject: [PATCH 2/2] autofs: use wake_up() instead of wake_up_interruptible()
From: Ian Kent
To: Al Viro, Christian Brauner
Cc: autofs mailing list, linux-fsdevel, Kernel Mailing List, Fedor Pchelkin, Takeshi Misawa, Alexey Khoroshilov, Matthew Wilcox, Andrey Vagin
Date: Fri, 04 Aug 2023 13:33:18 +0800
Message-ID: <169112719813.7590.4971499386839952992.stgit@donald.themaw.net>
In-Reply-To: <169112719161.7590.6700123246297365841.stgit@donald.themaw.net>
References: <169112719161.7590.6700123246297365841.stgit@donald.themaw.net>
User-Agent: StGit/1.5
X-Mailing-List: linux-kernel@vger.kernel.org

In autofs_wait_release() wake_up() is used to wake up processes waiting on
a mount callback to complete, which matches the wait_event_killable() in
autofs_wait(). But in autofs_catatonic_mode() the wake_up_interruptible()
was not also changed at the time autofs_wait_release() was changed.

Signed-off-by: Ian Kent
---
 fs/autofs/waitq.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/autofs/waitq.c b/fs/autofs/waitq.c
index efdc76732fae..33dd4660d82f 100644
--- a/fs/autofs/waitq.c
+++ b/fs/autofs/waitq.c
@@ -32,7 +32,7 @@ void autofs_catatonic_mode(struct autofs_sb_info *sbi) wq->status = -ENOENT; /* Magic is gone - report failure */ kfree(wq->name.name - wq->offset); wq->name.name = NULL; - wake_up_interruptible(&wq->queue); + wake_up(&wq->queue); if (!--wq->wait_ctr) kfree(wq); wq = nwq;
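Review bot: `wake_up(&wq->queue);` is the right call here and it also explains the stuck-waiter behaviour the first patch's description reports: wait_event_killable() in autofs_wait() sleeps in TASK_KILLABLE, which wake_up_interruptible() does not match, so the old line never woke a blocked process and the -ENOENT stored at the top of this hunk was only observed once the process was killed or the mount went away. Since the commit message says autofs_wait_release() was switched to wake_up() earlier and this site was missed, add a Fixes: tag naming that earlier change so stable picks this up together with the waitqueue free in patch 1, and consider ordering this change first in the series, since patch 1's `if (!--wq->wait_ctr) kfree(wq);` sits right after a wakeup that, until this hunk, did nothing for the process it was meant to release.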
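The two commit messages above describe a reference-count protocol rather than show it: an autofs_wait_queue entry starts with wait_ctr == 2, the waiting process drops one reference when it leaves autofs_wait() (answered or killed), and whichever of autofs_wait_release() or autofs_catatonic_mode() answers the request drops the other, so the last of those to run has to free the entry. The user-space model below is an added example, not code from the patches or the kernel tree; the model_* names, the flat list, the live_entries counter and the absence of locking are assumptions made to keep it runnable, the "host" request name is constructed input, and the ERESTARTSYS value is the kernel-internal one from include/linux/errno.h. It replays the syzkaller sequence (waiter killed, then catatonic mode) against both the pre-patch bare decrement and the patched decrement-and-free, and also the sequence where the daemon dies while the waiter is still blocked, which must not free the entry out from under the waiter.

```c
/* Added example, not kernel code: a user-space model of the autofs
 * wait-queue reference counting described in the patch. The model_*
 * names, the list handling and the absence of locking are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ERESTARTSYS 512   /* kernel-internal errno, include/linux/errno.h */

struct model_wq {
	struct model_wq *next;
	char *name;       /* stands in for wq->name.name; NULL once answered */
	int status;
	int wait_ctr;     /* stands in for wq->wait_ctr; starts at 2 */
};

static int live_entries;   /* entries allocated and not yet freed */

static void model_kfree(struct model_wq *wq)
{
	free(wq->name);
	free(wq);
	live_entries--;
}

/* First half of autofs_wait(): queue the request with wait_ctr = 2, one
 * reference for the waiting process and one for the queue itself. */
static struct model_wq *model_wait_enqueue(struct model_wq **queues, const char *name)
{
	struct model_wq *wq = calloc(1, sizeof(*wq));

	if (!wq)
		return NULL;
	wq->name = strdup(name);
	wq->wait_ctr = 2;
	wq->next = *queues;
	*queues = wq;
	live_entries++;
	return wq;
}

/* Second half of autofs_wait(): back from wait_event_killable(). A process
 * killed before the request was answered still sees name set and gets
 * -ERESTARTSYS; either way it drops its reference and frees only if last. */
static int model_wait_finish(struct model_wq *wq, bool killed)
{
	int status = (killed && wq->name) ? -ERESTARTSYS : wq->status;

	if (!--wq->wait_ctr)
		model_kfree(wq);
	return status;
}

/* autofs_catatonic_mode(): the daemon is gone, fail every queued request.
 * patched=false keeps the pre-patch bare decrement that never frees. */
static void model_catatonic_mode(struct model_wq **queues, bool patched)
{
	struct model_wq *wq = *queues, *nwq;

	*queues = NULL;   /* erase all wait queues */
	while (wq) {
		nwq = wq->next;
		wq->status = -ENOENT;
		free(wq->name);
		wq->name = NULL;   /* wake_up() would follow; nothing sleeps here */
		if (patched) {
			if (!--wq->wait_ctr)
				model_kfree(wq);
		} else {
			wq->wait_ctr--;   /* reaches 0 with no owner left to free it */
		}
		wq = nwq;
	}
}

/* The syzkaller sequence: waiter killed first, daemon gone second.
 * Returns the number of entries left allocated (1 is the reported leak). */
int scenario_killed_then_catatonic(bool patched)
{
	struct model_wq *queues = NULL;
	struct model_wq *wq = model_wait_enqueue(&queues, "host");
	int leaked;

	if (!wq)
		return -1;
	model_wait_finish(wq, true);            /* wait_ctr 2 -> 1, still queued */
	model_catatonic_mode(&queues, patched); /* wait_ctr 1 -> 0 */
	leaked = live_entries;
	if (leaked)
		model_kfree(wq);   /* reclaim what the unpatched path lost */
	return leaked;
}

/* Daemon gone while the process is still blocked: catatonic mode must keep
 * the entry (the waiter holds a reference) and the waiter frees it after
 * reading -ENOENT. Returns -ENOENT for exactly that sequence, else 0. */
int scenario_waiting_then_catatonic(void)
{
	struct model_wq *queues = NULL;
	struct model_wq *wq = model_wait_enqueue(&queues, "host");
	int status;

	if (!wq)
		return 0;
	model_catatonic_mode(&queues, true);   /* wait_ctr 2 -> 1, kept */
	if (live_entries != 1)
		return 0;                          /* freed under a live waiter */
	status = model_wait_finish(wq, false); /* wait_ctr 1 -> 0, freed here */
	return live_entries == 0 ? status : 0;
}

int main(void)
{
	printf("killed then catatonic, unpatched: %d leaked\n",
	       scenario_killed_then_catatonic(false));
	printf("killed then catatonic, patched:   %d leaked\n",
	       scenario_killed_then_catatonic(true));
	printf("blocked then catatonic, patched:  status %d\n",
	       scenario_waiting_then_catatonic());
	return 0;
}
```

Run as is, the unpatched path reports one leaked entry and the patched path none, and the blocked-waiter sequence returns -ENOENT from the waiter, the status catatonic mode stored before waking it. In the kernel the counter updates in all three functions are serialised under a lock, which is what makes decrementing and freeing after the wakeup safe against the woken process's own decrement; the model is single-threaded, so it shows the counting but not that race.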