iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/mm
History
Baokun Li 2f06c8293d kfence: fix memory leak when cat kfence objects 
commit 0129ab1f268b6cf88825eae819b9b84aa0a85634 upstream.

Hulk robot reported a kmemleak problem:

    unreferenced object 0xffff93d1d8cc02e8 (size 248):
      comm "cat", pid 23327, jiffies 4624670141 (age 495992.217s)
      hex dump (first 32 bytes):
        00 40 85 19 d4 93 ff ff 00 10 00 00 00 00 00 00  .@..............
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      backtrace:
         seq_open+0x2a/0x80
         full_proxy_open+0x167/0x1e0
         do_dentry_open+0x1e1/0x3a0
         path_openat+0x961/0xa20
         do_filp_open+0xae/0x120
         do_sys_openat2+0x216/0x2f0
         do_sys_open+0x57/0x80
         do_syscall_64+0x33/0x40
         entry_SYSCALL_64_after_hwframe+0x44/0xa9
    unreferenced object 0xffff93d419854000 (size 4096):
      comm "cat", pid 23327, jiffies 4624670141 (age 495992.217s)
      hex dump (first 32 bytes):
        6b 66 65 6e 63 65 2d 23 32 35 30 3a 20 30 78 30  kfence-#250: 0x0
        30 30 30 30 30 30 30 37 35 34 62 64 61 31 32 2d  0000000754bda12-
      backtrace:
         seq_read_iter+0x313/0x440
         seq_read+0x14b/0x1a0
         full_proxy_read+0x56/0x80
         vfs_read+0xa5/0x1b0
         ksys_read+0xa0/0xf0
         do_syscall_64+0x33/0x40
         entry_SYSCALL_64_after_hwframe+0x44/0xa9

I find that we can easily reproduce this problem with the following
commands:

	cat /sys/kernel/debug/kfence/objects
	echo scan > /sys/kernel/debug/kmemleak
	cat /sys/kernel/debug/kmemleak

The leaked memory is allocated in the stack below:

    do_syscall_64
      do_sys_open
        do_dentry_open
          full_proxy_open
            seq_open            ---> alloc seq_file
      vfs_read
        full_proxy_read
          seq_read
            seq_read_iter
              traverse          ---> alloc seq_buf

And it should have been released in the following process:

    do_syscall_64
      syscall_exit_to_user_mode
        exit_to_user_mode_prepare
          task_work_run
            ____fput
              __fput
                full_proxy_release  ---> free here

However, the release function corresponding to file_operations is not
implemented in kfence.  As a result, a memory leak occurs.  Therefore,
the solution to this problem is to implement the corresponding release
function.

Link: https://lkml.kernel.org/r/20211206133628.2822545-1-libaokun1@huawei.com
Fixes: 0ce20dd84089 ("mm: add Kernel Electric-Fence infrastructure")
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reported-by: Hulk Robot <hulkci@huawei.com>
Acked-by: Marco Elver <elver@google.com>
Reviewed-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Yu Kuai <yukuai3@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-12-29 12:29:00 +01:00
..
damon
mm/damon/dbgfs: protect targets destructions with kdamond_lock
2021-12-29 12:28:58 +01:00
kasan
Merge branch 'akpm' (patches from Andrew)
2021-09-03 10:08:28 -07:00
kfence
kfence: fix memory leak when cat kfence objects
2021-12-29 12:29:00 +01:00
backing-dev.c
mm: bdi: initialize bdi_min_ratio when bdi is unregistered
2021-12-14 10:57:11 +01:00
balloon_compaction.c
mm: fix typos in comments
2021-05-07 00:26:35 -07:00
bootmem_info.c
mm/bootmem_info.c: mark __init on register_page_bootmem_info_section
2021-09-03 09:58:14 -07:00
cleancache.c
cma_debug.c
mm/cma: change cma mutex to irq safe spinlock
2021-05-05 11:27:21 -07:00
cma_sysfs.c
mm: cma: support sysfs
2021-05-05 11:27:24 -07:00
cma.c
mm: use proper type for cma_[alloc|release]
2021-05-05 11:27:24 -07:00
cma.h
mm: cma: support sysfs
2021-05-05 11:27:24 -07:00
compaction.c
Merge branch 'akpm' (patches from Andrew)
2021-09-08 12:55:35 -07:00
debug_page_ref.c
debug_vm_pgtable.c
mm/debug_vm_pgtable: fix corrupted page flag
2021-09-03 09:58:10 -07:00
debug.c
mm/debug: sync up latest migrate_reason to migrate_reason_names
2021-09-24 16:13:35 -07:00
dmapool.c
mm/dmapool: use DEVICE_ATTR_RO macro
2021-06-29 10:53:52 -07:00
early_ioremap.c
mm/early_ioremap.c: remove redundant early_ioremap_shutdown()
2021-09-08 11:50:24 -07:00
fadvise.c
mm, fadvise: improve the expensive remote LRU cache draining after FADV_DONTNEED
2020-10-13 18:38:29 -07:00
failslab.c
filemap.c
mm/filemap.c: remove bogus VM_BUG_ON
2021-11-18 19:17:16 +01:00
frontswap.c
mm/mempool: minor coding style tweaks
2021-05-05 11:27:27 -07:00
gup_test.c
selftests/vm: gup_test: test faulting in kernel, and verify pinnable pages
2021-05-05 11:27:26 -07:00
gup_test.h
selftests/vm: gup_test: fix test flag
2021-05-05 11:27:26 -07:00
gup.c
Revert "mm/gup: remove try_get_page(), call try_get_compound_head() directly"
2021-09-07 11:03:45 -07:00
highmem.c
kmap_local: don't assume kmap PTEs are linear arrays in memory
2021-11-25 09:48:43 +01:00
hmm.c
mm/hmm: bypass devmap pte when all pfn requested flags are fulfilled
2021-09-08 18:45:52 -07:00
huge_memory.c
mm: filemap: check if THP has hwpoisoned subpage for PMD page fault
2021-10-28 17:18:55 -07:00
hugetlb_cgroup.c
hugetlb: make free_huge_page irq safe
2021-05-05 11:27:22 -07:00
hugetlb_vmemmap.c
mm: hugetlb: introduce CONFIG_HUGETLB_PAGE_FREE_VMEMMAP_DEFAULT_ON
2021-06-30 20:47:26 -07:00
hugetlb_vmemmap.h
mm: hugetlb: introduce nr_free_vmemmap_pages in the struct hstate
2021-06-30 20:47:25 -07:00
hugetlb.c
hugetlbfs: flush TLBs correctly after huge_pmd_unshare
2021-11-25 09:49:07 +01:00
hwpoison-inject.c
mm: hwpoison: don't drop slab caches for offlining non-LRU page
2021-09-03 09:58:15 -07:00
init-mm.c
mm: add setup_initial_init_mm() helper
2021-07-08 11:48:21 -07:00
internal.h
mm/numa: automatically generate node migration order
2021-09-03 09:58:16 -07:00
interval_tree.c
mm/interval_tree: add comments to improve code readability
2021-04-30 11:20:38 -07:00
io-mapping.c
mm: add a io_mapping_map_user helper
2021-04-30 11:20:39 -07:00
ioremap.c
mm: move ioremap_page_range to vmalloc.c
2021-09-08 11:50:24 -07:00
Kconfig
kmap_local: don't assume kmap PTEs are linear arrays in memory
2021-11-25 09:48:43 +01:00
Kconfig.debug
mm, page_poison: remove CONFIG_PAGE_POISONING_ZERO
2020-12-15 12:13:46 -08:00
khugepaged.c
mm: khugepaged: skip huge page collapse for special files
2021-10-28 17:18:55 -07:00
kmemleak.c
mm/kmemleak: allow __GFP_NOLOCKDEP passed to kmemleak's gfp
2021-09-08 18:45:53 -07:00
ksm.c
mm/ksm: remove old GCC 4.9+ check
2021-09-13 10:18:28 -07:00
list_lru.c
mm: vmscan: consolidate shrinker_maps handling code
2021-05-05 11:27:23 -07:00
maccess.c
ARM: 9115/1: mm/maccess: fix unaligned copy_{from,to}_kernel_nofault
2021-08-20 11:39:25 +01:00
madvise.c
Merge branch 'akpm' (patches from Andrew)
2021-09-03 10:08:28 -07:00
Makefile
mm: introduce Data Access MONitor (DAMON)
2021-09-08 11:50:24 -07:00
mapping_dirty_helpers.c
mm/mapping_dirty_helpers: remove double Note in kerneldoc
2021-07-01 11:06:02 -07:00
memblock.c
memblock: exclude MEMBLOCK_NOMAP regions from kmemleak
2021-10-21 18:30:49 -10:00
memcontrol.c
memcg: prohibit unconditional exceeding the limit of dying tasks
2021-11-18 19:17:16 +01:00
memfd.c
Reimplement RLIMIT_MEMLOCK on top of ucounts
2021-04-30 14:14:02 -05:00
memory_hotplug.c
Merge branch 'akpm' (patches from Andrew)
2021-09-08 12:55:35 -07:00
memory-failure.c
mm/hwpoison: clear MF_COUNT_INCREASED before retrying get_any_page()
2021-12-29 12:28:58 +01:00
memory.c
mm: filemap: check if THP has hwpoisoned subpage for PMD page fault
2021-10-28 17:18:55 -07:00
mempolicy.c
mm: mempolicy: fix THP allocations escaping mempolicy restrictions
2021-12-29 12:28:58 +01:00
mempool.c
kasan: use separate (un)poison implementation for integrated init
2021-06-04 19:32:21 +01:00
memremap.c
mm/memory_hotplug: remove nid parameter from arch_remove_memory()
2021-09-08 11:50:23 -07:00
memtest.c
migrate.c
mm/migrate: fix CPUHP state to update node demotion order
2021-10-18 20:22:03 -10:00
mincore.c
inode: make init and permission helpers idmapped mount aware
2021-01-24 14:27:16 +01:00
mlock.c
mm: introduce memfd_secret system call to create "secret" memory areas
2021-07-08 11:48:21 -07:00
mm_init.c
include/linux/page-flags-layout.h: cleanups
2021-04-30 11:20:42 -07:00
mmap_lock.c
mm: mmap_lock: fix disabling preemption directly
2021-07-23 17:43:28 -07:00
mmap.c
Merge tag 'denywrite-for-5.15' of git://github.com/davidhildenbrand/linux
2021-09-04 11:35:47 -07:00
mmu_gather.c
mm: eliminate "expecting prototype" kernel-doc warnings
2021-04-16 16:10:36 -07:00
mmu_notifier.c
mm/mmu_notifiers: ensure range_end() is paired with range_start()
2021-03-25 09:22:55 -07:00
mmzone.c
mm/lru: replace pgdat lru_lock with lruvec lock
2020-12-15 14:48:04 -08:00
mprotect.c
mm: device exclusive memory access
2021-07-01 11:06:03 -07:00
mremap.c
mm/mremap: fix memory account on do_munmap() failure
2021-09-03 09:58:14 -07:00
msync.c
mm/msync: exit early when the flags is an MS_ASYNC and start < vm_start
2021-04-30 11:20:37 -07:00
nommu.c
Merge tag 'denywrite-for-5.15' of git://github.com/davidhildenbrand/linux
2021-09-04 11:35:47 -07:00
oom_kill.c
mm, oom: do not trigger out_of_memory from the #PF
2021-11-18 19:17:16 +01:00
page_alloc.c
mm: filemap: check if THP has hwpoisoned subpage for PMD page fault
2021-10-28 17:18:55 -07:00
page_counter.c
mm: page_counter: mitigate consequences of a page_counter underflow
2021-04-30 11:20:38 -07:00
page_ext.c
mm/migrate: add CPU hotplug to demotion #ifdef
2021-10-18 20:22:02 -10:00
page_idle.c
mm/idle_page_tracking: make PG_idle reusable
2021-09-08 11:50:24 -07:00
page_io.c
swap: fix swapfile read/write offset
2021-03-02 17:25:46 -07:00
page_isolation.c
Merge branch 'akpm' (patches from Andrew)
2021-09-08 12:55:35 -07:00
page_owner.c
mm: remove pfn_valid_within() and CONFIG_HOLES_IN_ZONE
2021-09-08 11:50:22 -07:00
page_poison.c
mm: page_poison: print page info when corruption is caught
2021-04-30 11:20:36 -07:00
page_reporting.c
mm/page_reporting: allow driver to specify reporting order
2021-06-29 10:53:47 -07:00
page_reporting.h
mm/page_reporting: export reporting order as module parameter
2021-06-29 10:53:47 -07:00
page_vma_mapped.c
mm: device exclusive memory access
2021-07-01 11:06:03 -07:00
page-writeback.c
Merge branch 'akpm' (patches from Andrew)
2021-09-03 10:08:28 -07:00
pagewalk.c
mm: pagewalk: fix walk for hugepage tables
2021-06-29 10:53:49 -07:00
percpu-internal.h
Merge branch 'for-5.14' of git://git.kernel.org/pub/scm/linux/kernel/git/dennis/percpu
2021-07-01 17:17:24 -07:00
percpu-km.c
percpu: flush tlb in pcpu_reclaim_populated()
2021-07-04 18:30:17 +00:00
percpu-stats.c
percpu: rework memcg accounting
2021-06-05 20:43:15 +00:00
percpu-vm.c
percpu: flush tlb in pcpu_reclaim_populated()
2021-07-04 18:30:17 +00:00
percpu.c
Merge branch 'akpm' (patches from Andrew)
2021-09-08 12:55:35 -07:00
pgalloc-track.h
mm: fix typos in comments
2021-05-07 00:26:35 -07:00
pgtable-generic.c
mm/thp: fix __split_huge_pmd_locked() on shmem migration entry
2021-06-16 09:24:42 -07:00
process_vm_access.c
mm/process_vm_access.c: remove duplicate include
2021-05-05 11:27:27 -07:00
ptdump.c
mm: ptdump: fix build failure
2021-04-16 16:10:37 -07:00
readahead.c
mm: Protect operations adding pages to page cache with invalidate_lock
2021-07-13 13:14:27 +02:00
rmap.c
Merge branch 'akpm' (patches from Andrew)
2021-09-08 12:55:35 -07:00
rodata_test.c
mm/rodata_test.c: fix missing function declaration
2020-08-21 09:52:53 -07:00
secretmem.c
mm/secretmem: avoid letting secretmem_users drop to zero
2021-10-28 17:18:55 -07:00
shmem.c
mm/shmem.c: fix judgment error in shmem_is_huge()
2021-09-24 16:13:34 -07:00
shuffle.c
mm: eliminate "expecting prototype" kernel-doc warnings
2021-04-16 16:10:36 -07:00
shuffle.h
mm/shuffle: fix section mismatch warning
2021-05-22 15:09:07 -10:00
slab_common.c
mm: slub: move flush_cpu_slab() invocations __free_slab() invocations out of IRQ context
2021-09-04 01:12:23 +02:00
slab.c
mm/migrate: add CPU hotplug to demotion #ifdef
2021-10-18 20:22:02 -10:00
slab.h
mm: kmemleak: slob: respect SLAB_NOLEAKTRACE flag
2021-11-25 09:48:42 +01:00
slob.c
mm: Don't build mm_dump_obj() on CONFIG_PRINTK=n kernels
2021-03-08 14:18:46 -08:00
slub.c
mm/slub: fix endianness bug for alloc/free_traces attributes
2021-12-14 10:57:11 +01:00
sparse-vmemmap.c
mm: sparsemem: split the huge PMD mapping of vmemmap pages
2021-06-30 20:47:26 -07:00
sparse.c
mm: introduce memmap_alloc() to unify memory map allocation
2021-09-03 09:58:15 -07:00
swap_cgroup.c
swap_slots.c
mm: Replace deprecated CPU-hotplug functions.
2021-08-28 01:46:17 +02:00
swap_state.c
Revert "mm: swap: check if swap backing device is congested or not"
2021-08-20 11:31:42 -07:00
swap.c
mm: fs: invalidate bh_lrus for only cold path
2021-09-24 16:13:35 -07:00
swapfile.c
mm, memcg: inline swap-related functions to improve disabled memcg config
2021-09-03 09:58:12 -07:00
truncate.c
Merge branch 'akpm' (patches from Andrew)
2021-09-03 10:08:28 -07:00
usercopy.c
mm/usercopy.c: delete duplicated word
2020-08-12 10:57:58 -07:00
userfaultfd.c
userfaultfd: change mmap_changing to atomic
2021-09-03 09:58:16 -07:00
util.c
mm: fix uninitialized use in overcommit_policy_handler
2021-09-24 16:13:35 -07:00
vmacache.c
vmalloc.c
mm/vmalloc: fix numa spreading for large hash tables
2021-10-28 17:18:55 -07:00
vmpressure.c
mm/vmpressure: replace vmpressure_to_css() with vmpressure_to_memcg()
2021-09-03 09:58:17 -07:00
vmscan.c
mm,vmscan: fix divide by zero in get_scan_count
2021-09-08 18:45:53 -07:00
vmstat.c
mm/vmstat: protect per cpu variables with preempt disable on RT
2021-09-08 15:32:34 -07:00
workingset.c
memcg: flush lruvec stats in the refault
2021-09-23 10:09:13 -07:00
z3fold.c
mm/z3fold: add kerneldoc fields for z3fold_pool
2021-07-01 11:06:03 -07:00
zbud.c
mm/zbud: add kerneldoc fields for zbud_pool
2021-07-01 11:06:03 -07:00
zpool.c
mm: fix typos in comments
2021-05-07 00:26:35 -07:00
zsmalloc.c
mm/zsmalloc.c: close race window between zs_pool_dec_isolated() and zs_unregister_migration()
2021-11-18 19:17:10 +01:00
zswap.c
mm/zswap.c: fix two bugs in zswap_writeback_entry()
2021-06-30 20:47:31 -07:00