| Message ID | 20240217081431.796809-1-libaokun1@huawei.com |
|---|---|
| State | Accepted |
| Series | [RESEND] cachefiles: fix memory leak in cachefiles_add_cache() |
On 2/17/24 4:14 PM, Baokun Li wrote:
> The following memory leak was reported after unbinding /dev/cachefiles:
>
> ==================================================================
> unreferenced object 0xffff9b674176e3c0 (size 192):
>   comm "cachefilesd2", pid 680, jiffies 4294881224
>   hex dump (first 32 bytes):
>     01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   backtrace (crc ea38a44b):
>     [<ffffffff8eb8a1a5>] kmem_cache_alloc+0x2d5/0x370
>     [<ffffffff8e917f86>] prepare_creds+0x26/0x2e0
>     [<ffffffffc002eeef>] cachefiles_determine_cache_security+0x1f/0x120
>     [<ffffffffc00243ec>] cachefiles_add_cache+0x13c/0x3a0
>     [<ffffffffc0025216>] cachefiles_daemon_write+0x146/0x1c0
>     [<ffffffff8ebc4a3b>] vfs_write+0xcb/0x520
>     [<ffffffff8ebc5069>] ksys_write+0x69/0xf0
>     [<ffffffff8f6d4662>] do_syscall_64+0x72/0x140
>     [<ffffffff8f8000aa>] entry_SYSCALL_64_after_hwframe+0x6e/0x76
> ==================================================================
>
> Put the reference count of cache_cred in cachefiles_daemon_unbind() to
> fix the problem. And also put cache_cred in cachefiles_add_cache() error
> branch to avoid memory leaks.
>
> Fixes: 9ae326a69004 ("CacheFiles: A cache that backs onto a mounted filesystem")
> CC: stable@vger.kernel.org
> Signed-off-by: Baokun Li <libaokun1@huawei.com>

LGTM.

Reviewed-by: Jingbo Xu <jefflexu@linux.alibaba.com>

> ---
>  fs/cachefiles/cache.c  | 2 ++
>  fs/cachefiles/daemon.c | 1 +
>  2 files changed, 3 insertions(+)
>
> diff --git a/fs/cachefiles/cache.c b/fs/cachefiles/cache.c
> index 7077f72e6f47..f449f7340aad 100644
> --- a/fs/cachefiles/cache.c
> +++ b/fs/cachefiles/cache.c
> @@ -168,6 +168,8 @@ int cachefiles_add_cache(struct cachefiles_cache *cache) > dput(root); > error_open_root: > cachefiles_end_secure(cache, saved_cred); > + put_cred(cache->cache_cred); > + cache->cache_cred = NULL; > error_getsec: > fscache_relinquish_cache(cache_cookie); > cache->cache = NULL; > diff --git a/fs/cachefiles/daemon.c b/fs/cachefiles/daemon.c > index 3f24905f4066..6465e2574230 100644 > --- a/fs/cachefiles/daemon.c > +++ b/fs/cachefiles/daemon.c > @@ -816,6 +816,7 @@ static void cachefiles_daemon_unbind(struct cachefiles_cache *cache) > cachefiles_put_directory(cache->graveyard); > cachefiles_put_directory(cache->store); > mntput(cache->mnt); > + put_cred(cache->cache_cred); > > kfree(cache->rootdirname); > kfree(cache->secctx);
On Sat, 2024-02-17 at 16:14 +0800, Baokun Li wrote:
> The following memory leak was reported after unbinding /dev/cachefiles:
>
> ==================================================================
> unreferenced object 0xffff9b674176e3c0 (size 192):
>   comm "cachefilesd2", pid 680, jiffies 4294881224
>   hex dump (first 32 bytes):
>     01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   backtrace (crc ea38a44b):
>     [<ffffffff8eb8a1a5>] kmem_cache_alloc+0x2d5/0x370
>     [<ffffffff8e917f86>] prepare_creds+0x26/0x2e0
>     [<ffffffffc002eeef>] cachefiles_determine_cache_security+0x1f/0x120
>     [<ffffffffc00243ec>] cachefiles_add_cache+0x13c/0x3a0
>     [<ffffffffc0025216>] cachefiles_daemon_write+0x146/0x1c0
>     [<ffffffff8ebc4a3b>] vfs_write+0xcb/0x520
>     [<ffffffff8ebc5069>] ksys_write+0x69/0xf0
>     [<ffffffff8f6d4662>] do_syscall_64+0x72/0x140
>     [<ffffffff8f8000aa>] entry_SYSCALL_64_after_hwframe+0x6e/0x76
> ==================================================================
>
> Put the reference count of cache_cred in cachefiles_daemon_unbind() to
> fix the problem. And also put cache_cred in cachefiles_add_cache() error
> branch to avoid memory leaks.
>
> Fixes: 9ae326a69004 ("CacheFiles: A cache that backs onto a mounted filesystem")
> CC: stable@vger.kernel.org
> Signed-off-by: Baokun Li <libaokun1@huawei.com>
> ---
>  fs/cachefiles/cache.c  | 2 ++
>  fs/cachefiles/daemon.c | 1 +
>  2 files changed, 3 insertions(+)
>
> diff --git a/fs/cachefiles/cache.c b/fs/cachefiles/cache.c
> index 7077f72e6f47..f449f7340aad 100644
> --- a/fs/cachefiles/cache.c
> +++ b/fs/cachefiles/cache.c
> @@ -168,6 +168,8 @@ int cachefiles_add_cache(struct cachefiles_cache *cache) > dput(root); > error_open_root: > cachefiles_end_secure(cache, saved_cred); > + put_cred(cache->cache_cred); > + cache->cache_cred = NULL; > error_getsec: > fscache_relinquish_cache(cache_cookie); > cache->cache = NULL;
> diff --git a/fs/cachefiles/daemon.c b/fs/cachefiles/daemon.c
> index 3f24905f4066..6465e2574230 100644
> --- a/fs/cachefiles/daemon.c
> +++ b/fs/cachefiles/daemon.c
> @@ -816,6 +816,7 @@ static void cachefiles_daemon_unbind(struct cachefiles_cache *cache) > cachefiles_put_directory(cache->graveyard); > cachefiles_put_directory(cache->store); > mntput(cache->mnt); > + put_cred(cache->cache_cred); > > kfree(cache->rootdirname); > kfree(cache->secctx);

Looks reasonable to me too. Nice catch:

Reviewed-by: Jeff Layton <jlayton@kernel.org>
Hi Christian,

Could you take this through your VFS tree please?

> The following memory leak was reported after unbinding /dev/cachefiles:
>
> ==================================================================
> unreferenced object 0xffff9b674176e3c0 (size 192):
>   comm "cachefilesd2", pid 680, jiffies 4294881224
>   hex dump (first 32 bytes):
>     01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   backtrace (crc ea38a44b):
>     [<ffffffff8eb8a1a5>] kmem_cache_alloc+0x2d5/0x370
>     [<ffffffff8e917f86>] prepare_creds+0x26/0x2e0
>     [<ffffffffc002eeef>] cachefiles_determine_cache_security+0x1f/0x120
>     [<ffffffffc00243ec>] cachefiles_add_cache+0x13c/0x3a0
>     [<ffffffffc0025216>] cachefiles_daemon_write+0x146/0x1c0
>     [<ffffffff8ebc4a3b>] vfs_write+0xcb/0x520
>     [<ffffffff8ebc5069>] ksys_write+0x69/0xf0
>     [<ffffffff8f6d4662>] do_syscall_64+0x72/0x140
>     [<ffffffff8f8000aa>] entry_SYSCALL_64_after_hwframe+0x6e/0x76
> ==================================================================
>
> Put the reference count of cache_cred in cachefiles_daemon_unbind() to
> fix the problem. And also put cache_cred in cachefiles_add_cache() error
> branch to avoid memory leaks.
>
> Fixes: 9ae326a69004 ("CacheFiles: A cache that backs onto a mounted filesystem")
> CC: stable@vger.kernel.org
> Signed-off-by: Baokun Li <libaokun1@huawei.com>

and add:

Reviewed-by: Jingbo Xu <jefflexu@linux.alibaba.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Acked-by: David Howells <dhowells@redhat.com>
On Sat, 17 Feb 2024 16:14:31 +0800, Baokun Li wrote:
> The following memory leak was reported after unbinding /dev/cachefiles:
>
> ==================================================================
> unreferenced object 0xffff9b674176e3c0 (size 192):
>   comm "cachefilesd2", pid 680, jiffies 4294881224
>   hex dump (first 32 bytes):
>     01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   backtrace (crc ea38a44b):
>     [<ffffffff8eb8a1a5>] kmem_cache_alloc+0x2d5/0x370
>     [<ffffffff8e917f86>] prepare_creds+0x26/0x2e0
>     [<ffffffffc002eeef>] cachefiles_determine_cache_security+0x1f/0x120
>     [<ffffffffc00243ec>] cachefiles_add_cache+0x13c/0x3a0
>     [<ffffffffc0025216>] cachefiles_daemon_write+0x146/0x1c0
>     [<ffffffff8ebc4a3b>] vfs_write+0xcb/0x520
>     [<ffffffff8ebc5069>] ksys_write+0x69/0xf0
>     [<ffffffff8f6d4662>] do_syscall_64+0x72/0x140
>     [<ffffffff8f8000aa>] entry_SYSCALL_64_after_hwframe+0x6e/0x76
> ==================================================================
>
> [...]

Sorry for the delay, David.

---

Applied to the vfs.fixes branch of the vfs/vfs.git tree.
Patches in the vfs.fixes branch should appear in linux-next soon.

Please report any outstanding bugs that were missed during review in a new
review to the original patch series allowing us to drop it.

It's encouraged to provide Acked-bys and Reviewed-bys even though the patch
has now been applied. If possible patch trailers will be updated.

Note that commit hashes shown below are subject to change due to rebase,
trailer updates or similar. If in doubt, please check the listed branch.

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git
branch: vfs.fixes

[1/1] cachefiles: fix memory leak in cachefiles_add_cache()
      https://git.kernel.org/vfs/vfs/c/e21a2f17566c
diff --git a/fs/cachefiles/cache.c b/fs/cachefiles/cache.c index 7077f72e6f47..f449f7340aad 100644 --- a/fs/cachefiles/cache.c +++ b/fs/cachefiles/cache.c @@ -168,6 +168,8 @@ int cachefiles_add_cache(struct cachefiles_cache *cache) dput(root); error_open_root: cachefiles_end_secure(cache, saved_cred); + put_cred(cache->cache_cred); + cache->cache_cred = NULL; error_getsec: fscache_relinquish_cache(cache_cookie); cache->cache = NULL; diff --git a/fs/cachefiles/daemon.c b/fs/cachefiles/daemon.c index 3f24905f4066..6465e2574230 100644 --- a/fs/cachefiles/daemon.c +++ b/fs/cachefiles/daemon.c @@ -816,6 +816,7 @@ static void cachefiles_daemon_unbind(struct cachefiles_cache *cache) cachefiles_put_directory(cache->graveyard); cachefiles_put_directory(cache->store); mntput(cache->mnt); + put_cred(cache->cache_cred); kfree(cache->rootdirname); kfree(cache->secctx);
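Review bot: in the cache.c hunk the new put_cred() under error_open_root sits after cachefiles_end_secure(cache, saved_cred), which is the right order (the override is reverted before the cred it was taken from is dropped), but the error_getsec label directly below it skips the put, so the commit message should state that no cache_cred is held on the paths that jump to error_getsec, otherwise a reader has to check the caller to see that this branch covers every allocation of the cred. A one-line comment such as `/* drop the cred allocated via prepare_creds() in cachefiles_determine_cache_security() */`, matching the allocation site in the reported backtrace, would make the ownership explicit at the put.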
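Review bot: the daemon.c hunk drops the reference with `put_cred(cache->cache_cred);` but, unlike the cache.c hunk, does not follow it with `cache->cache_cred = NULL;`. Suggest clearing the pointer here too so that both teardown paths handle the field the same way and any later access to the cache structure after unbind sees NULL rather than a pointer to a freed cred.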
The following memory leak was reported after unbinding /dev/cachefiles:

==================================================================
unreferenced object 0xffff9b674176e3c0 (size 192):
  comm "cachefilesd2", pid 680, jiffies 4294881224
  hex dump (first 32 bytes):
    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc ea38a44b):
    [<ffffffff8eb8a1a5>] kmem_cache_alloc+0x2d5/0x370
    [<ffffffff8e917f86>] prepare_creds+0x26/0x2e0
    [<ffffffffc002eeef>] cachefiles_determine_cache_security+0x1f/0x120
    [<ffffffffc00243ec>] cachefiles_add_cache+0x13c/0x3a0
    [<ffffffffc0025216>] cachefiles_daemon_write+0x146/0x1c0
    [<ffffffff8ebc4a3b>] vfs_write+0xcb/0x520
    [<ffffffff8ebc5069>] ksys_write+0x69/0xf0
    [<ffffffff8f6d4662>] do_syscall_64+0x72/0x140
    [<ffffffff8f8000aa>] entry_SYSCALL_64_after_hwframe+0x6e/0x76
==================================================================

Put the reference count of cache_cred in cachefiles_daemon_unbind() to
fix the problem. And also put cache_cred in cachefiles_add_cache() error
branch to avoid memory leaks.

Fixes: 9ae326a69004 ("CacheFiles: A cache that backs onto a mounted filesystem")
CC: stable@vger.kernel.org
Signed-off-by: Baokun Li <libaokun1@huawei.com>
---
 fs/cachefiles/cache.c  | 2 ++
 fs/cachefiles/daemon.c | 1 +
 2 files changed, 3 insertions(+)
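As an added illustration of the reference-count rule the patch restores (this is a user-space model written for this page, not kernel code and not part of the patch), the block below re-implements the cred lifecycle in miniature and counts how many cred objects survive a bind/unbind cycle and a failed bind, with and without the fix. prepare_creds, get_cred, put_cred, override_creds and revert_creds are simplified stand-ins for the kernel functions of the same names, and add_cache, unbind and leaked_creds are constructed helpers that mirror the shape of cachefiles_add_cache() and cachefiles_daemon_unbind().

```c
#include <stdbool.h>
#include <stdlib.h>

/* User-space model of struct cred refcounting (not kernel code).  live_creds
 * counts objects not yet freed and stands in for kmemleak's report. */
struct cred { int usage; };
static int live_creds;
static struct cred *task_cred;                   /* the task's current cred */
static struct cred *prepare_creds(void)          /* new cred, one reference */
{
    struct cred *c = calloc(1, sizeof(*c));
    if (!c) abort();
    c->usage = 1; live_creds++;
    return c;
}
static struct cred *get_cred(struct cred *c) { c->usage++; return c; }
static void put_cred(struct cred *c)             /* NULL-tolerant */
{ if (c && --c->usage == 0) { free(c); live_creds--; } }
/* override_creds() takes its own reference and revert_creds() drops it, so
 * the cache's reference from prepare_creds() is still held after the revert. */
static struct cred *override_creds(struct cred *newc)
{ struct cred *old = task_cred; task_cred = get_cred(newc); return old; }
static void revert_creds(struct cred *old)
{ struct cred *over = task_cred; task_cred = old; put_cred(over); }

struct cachefiles_cache { struct cred *cache_cred; };
/* Shape of cachefiles_add_cache(): obtain cache_cred, work under it, unwind.
 * `fixed` selects the patched error branch (put_cred() and clear the pointer). */
static int add_cache(struct cachefiles_cache *cache, bool fail, bool fixed)
{
    struct cred *saved;
    cache->cache_cred = prepare_creds();         /* cred obtained for the cache */
    saved = override_creds(cache->cache_cred);   /* cachefiles_begin_secure() */
    /* ... root lookup and cache directory checks would run here ... */
    revert_creds(saved);                         /* cachefiles_end_secure() */
    if (fail && fixed) { put_cred(cache->cache_cred); cache->cache_cred = NULL; }
    return fail ? -1 : 0;
}
/* Shape of cachefiles_daemon_unbind(): the patch adds the put_cred() here. */
static void unbind(struct cachefiles_cache *cache, bool fixed)
{ if (fixed) put_cred(cache->cache_cred); }
/* Bind (optionally failing) then unbind on success; returns creds still alive. */
static int leaked_creds(bool fail_bind, bool fixed)
{
    struct cachefiles_cache cache = { 0 };
    live_creds = 0;
    if (add_cache(&cache, fail_bind, fixed) == 0)
        unbind(&cache, fixed);
    return live_creds;
}
```

Without the fix leaked_creds() returns 1 for both the bind/unbind cycle and the failed bind, matching the single unreferenced cred object in the report above; with it both return 0.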