syzbot


memory leak in prepare_creds (2)

Status: fixed on 2021/11/10 00:50
Reported-by: syzbot+@syzkaller.appspotmail.com
Fix commit: f60a85cad677 bpf: Fix umd memory leak in copy_process()
First crash: 556d, last: 460d
similar bugs (2):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream memory leak in prepare_creds (3) C 2 52d 160d 0/24 upstream: reported C repro on 2022/04/21 02:56
upstream memory leak in prepare_creds C 10 587d 761d 21/24 fixed on 2021/03/10 01:48

Sample crash report:
executing program
executing program
executing program
BUG: memory leak
unreferenced object 0xffff88810183d540 (size 168):
  comm "kworker/u4:4", pid 3058, jiffies 4294944447 (age 13.330s)
  hex dump (first 32 bytes):
    02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff81268577>] prepare_creds+0x27/0x410 kernel/cred.c:258
    [<ffffffff812692ba>] copy_creds+0x3a/0x230 kernel/cred.c:358
    [<ffffffff812256bd>] copy_process+0x6cd/0x25e0 kernel/fork.c:1983
    [<ffffffff81227993>] kernel_clone+0xf3/0x670 kernel/fork.c:2500
    [<ffffffff812281f1>] kernel_thread+0x61/0x80 kernel/fork.c:2552
    [<ffffffff812534c4>] call_usermodehelper_exec_work kernel/umh.c:172 [inline]
    [<ffffffff812534c4>] call_usermodehelper_exec_work+0xc4/0x120 kernel/umh.c:158
    [<ffffffff81259539>] process_one_work+0x2c9/0x600 kernel/workqueue.c:2275
    [<ffffffff81259e29>] worker_thread+0x59/0x5d0 kernel/workqueue.c:2421
    [<ffffffff81261538>] kthread+0x178/0x1b0 kernel/kthread.c:292
    [<ffffffff8100227f>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

BUG: memory leak
unreferenced object 0xffff888101066c00 (size 120):
  comm "kworker/u4:4", pid 3058, jiffies 4294944447 (age 13.330s)
  hex dump (first 32 bytes):
    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff8125dfc6>] alloc_pid+0x66/0x560 kernel/pid.c:180
    [<ffffffff81226455>] copy_process+0x1465/0x25e0 kernel/fork.c:2123
    [<ffffffff81227993>] kernel_clone+0xf3/0x670 kernel/fork.c:2500
    [<ffffffff812281f1>] kernel_thread+0x61/0x80 kernel/fork.c:2552
    [<ffffffff812534c4>] call_usermodehelper_exec_work kernel/umh.c:172 [inline]
    [<ffffffff812534c4>] call_usermodehelper_exec_work+0xc4/0x120 kernel/umh.c:158
    [<ffffffff81259539>] process_one_work+0x2c9/0x600 kernel/workqueue.c:2275
    [<ffffffff81259e29>] worker_thread+0x59/0x5d0 kernel/workqueue.c:2421
    [<ffffffff81261538>] kthread+0x178/0x1b0 kernel/kthread.c:292
    [<ffffffff8100227f>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

BUG: memory leak
unreferenced object 0xffff8881016de100 (size 232):
  comm "kworker/u4:4", pid 8422, jiffies 4294944447 (age 13.330s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    60 3e ca 02 81 88 ff ff 00 ec 4e 0f 81 88 ff ff  `>........N.....
  backtrace:
    [<ffffffff8154ad9f>] kmem_cache_zalloc include/linux/slab.h:674 [inline]
    [<ffffffff8154ad9f>] __alloc_file+0x1f/0xf0 fs/file_table.c:101
    [<ffffffff8154b4d9>] alloc_empty_file+0x69/0x120 fs/file_table.c:150
    [<ffffffff8154b5c3>] alloc_file+0x33/0x1b0 fs/file_table.c:192
    [<ffffffff8154b7f2>] alloc_file_pseudo+0xb2/0x140 fs/file_table.c:232
    [<ffffffff81559ee8>] create_pipe_files+0x138/0x2e0 fs/pipe.c:911
    [<ffffffff8126cad3>] umd_setup+0x33/0x220 kernel/usermode_driver.c:104
    [<ffffffff812535d4>] call_usermodehelper_exec_async+0xb4/0x1b0 kernel/umh.c:101
    [<ffffffff8100227f>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

BUG: memory leak
unreferenced object 0xffff88810eb61498 (size 24):
  comm "kworker/u4:4", pid 8422, jiffies 4294944447 (age 13.330s)
  hex dump (first 24 bytes):
    00 00 00 00 00 00 00 00 b0 0e 94 00 81 88 ff ff  ................
    00 00 00 00 00 00 00 00                          ........
  backtrace:
    [<ffffffff820e2ada>] kmem_cache_zalloc include/linux/slab.h:674 [inline]
    [<ffffffff820e2ada>] lsm_file_alloc security/security.c:569 [inline]
    [<ffffffff820e2ada>] security_file_alloc+0x2a/0xb0 security/security.c:1470
    [<ffffffff8154addd>] __alloc_file+0x5d/0xf0 fs/file_table.c:106
    [<ffffffff8154b4d9>] alloc_empty_file+0x69/0x120 fs/file_table.c:150
    [<ffffffff8154b5c3>] alloc_file+0x33/0x1b0 fs/file_table.c:192
    [<ffffffff8154b7f2>] alloc_file_pseudo+0xb2/0x140 fs/file_table.c:232
    [<ffffffff81559ee8>] create_pipe_files+0x138/0x2e0 fs/pipe.c:911
    [<ffffffff8126cad3>] umd_setup+0x33/0x220 kernel/usermode_driver.c:104
    [<ffffffff812535d4>] call_usermodehelper_exec_async+0xb4/0x1b0 kernel/umh.c:101
    [<ffffffff8100227f>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

BUG: memory leak
unreferenced object 0xffff888111e46400 (size 232):
  comm "kworker/u4:4", pid 8422, jiffies 4294944447 (age 13.330s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    60 3e ca 02 81 88 ff ff 00 29 7d 0f 81 88 ff ff  `>.......)}.....
  backtrace:
    [<ffffffff8154ad9f>] kmem_cache_zalloc include/linux/slab.h:674 [inline]
    [<ffffffff8154ad9f>] __alloc_file+0x1f/0xf0 fs/file_table.c:101
    [<ffffffff8154b4d9>] alloc_empty_file+0x69/0x120 fs/file_table.c:150
    [<ffffffff8154b5c3>] alloc_file+0x33/0x1b0 fs/file_table.c:192
    [<ffffffff8154b8f2>] alloc_file_clone+0x22/0x70 fs/file_table.c:244
    [<ffffffff81559f32>] create_pipe_files+0x182/0x2e0 fs/pipe.c:922
    [<ffffffff8126cb4d>] umd_setup+0xad/0x220 kernel/usermode_driver.c:115
    [<ffffffff812535d4>] call_usermodehelper_exec_async+0xb4/0x1b0 kernel/umh.c:101
    [<ffffffff8100227f>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294


Crashes (2):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-gce-leak 2021/03/21 06:24 upstream 812da4d39463 17810eae .config log report syz C memory leak in prepare_creds
ci-upstream-gce-leak 2021/06/24 17:16 upstream 7426cedc7dad ec865f6a .config log report syz memory leak in prepare_creds
* Struck through repros no longer work on HEAD.