memory leak in new_inode_pseudo

[syzbot]

Hello,

syzbot found the following crash on:

HEAD commit: f49aa1de Merge tag 'for-5.2-rc1-tag' of git://git.kernel.o..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12dccd9ca00000
kernel config: https://syzkaller.appspot.com/x/.config?x=61dd9e15a761691d
dashboard link: https://syzkaller.appspot.com/bug?extid=111cb28d9f583693aefa
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1587839ca00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16fdb38ca00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+111cb2...@syzkaller.appspotmail.com

e list of known hosts.
executing program
BUG: memory leak
unreferenced object 0xffff888121bdfd00 (size 632):
comm "syz-executor073", pid 7035, jiffies 4294943279 (age 8.130s)
hex dump (first 32 bytes):
01 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 ................
80 1e b6 1f 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace:
[<0000000088b15f0d>] kmemleak_alloc_recursive
include/linux/kmemleak.h:55 [inline]
[<0000000088b15f0d>] slab_post_alloc_hook mm/slab.h:439 [inline]
[<0000000088b15f0d>] slab_alloc mm/slab.c:3326 [inline]
[<0000000088b15f0d>] kmem_cache_alloc+0x134/0x270 mm/slab.c:3488
[<000000001a541de3>] sock_alloc_inode+0x1d/0xe0 net/socket.c:252
[<00000000226aca0e>] alloc_inode+0x2c/0xe0 fs/inode.c:226
[<0000000054963a4b>] new_inode_pseudo+0x18/0x70 fs/inode.c:915
[<00000000a577ddf0>] sock_alloc+0x1c/0x90 net/socket.c:575
[<000000000e50448f>] __sock_create+0x8f/0x250 net/socket.c:1394
[<00000000248d5219>] sock_create_kern+0x3b/0x50 net/socket.c:1499
[<0000000081cd440d>] io_uring_get_fd fs/io_uring.c:2997 [inline]
[<0000000081cd440d>] io_uring_create fs/io_uring.c:3080 [inline]
[<0000000081cd440d>] io_uring_setup+0x4ea/0x990 fs/io_uring.c:3128
[<00000000b95ec5c9>] __do_sys_io_uring_setup fs/io_uring.c:3141 [inline]
[<00000000b95ec5c9>] __se_sys_io_uring_setup fs/io_uring.c:3138 [inline]
[<00000000b95ec5c9>] __x64_sys_io_uring_setup+0x1a/0x20
fs/io_uring.c:3138
[<0000000072749d9e>] do_syscall_64+0x76/0x1a0
arch/x86/entry/common.c:301
[<0000000053106e40>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811fb61e80 (size 64):
comm "syz-executor073", pid 7035, jiffies 4294943279 (age 8.130s)
hex dump (first 32 bytes):
00 00 00 00 81 88 ff ff 88 1e b6 1f 81 88 ff ff ................
88 1e b6 1f 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace:
[<000000008c8eddf3>] kmemleak_alloc_recursive
include/linux/kmemleak.h:55 [inline]
[<000000008c8eddf3>] slab_post_alloc_hook mm/slab.h:439 [inline]
[<000000008c8eddf3>] slab_alloc mm/slab.c:3326 [inline]
[<000000008c8eddf3>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
[<000000005afcf70e>] kmalloc include/linux/slab.h:547 [inline]
[<000000005afcf70e>] sock_alloc_inode+0x44/0xe0 net/socket.c:255
[<00000000226aca0e>] alloc_inode+0x2c/0xe0 fs/inode.c:226
[<0000000054963a4b>] new_inode_pseudo+0x18/0x70 fs/inode.c:915
[<00000000a577ddf0>] sock_alloc+0x1c/0x90 net/socket.c:575
[<000000000e50448f>] __sock_create+0x8f/0x250 net/socket.c:1394
[<00000000248d5219>] sock_create_kern+0x3b/0x50 net/socket.c:1499
[<0000000081cd440d>] io_uring_get_fd fs/io_uring.c:2997 [inline]
[<0000000081cd440d>] io_uring_create fs/io_uring.c:3080 [inline]
[<0000000081cd440d>] io_uring_setup+0x4ea/0x990 fs/io_uring.c:3128
[<00000000b95ec5c9>] __do_sys_io_uring_setup fs/io_uring.c:3141 [inline]
[<00000000b95ec5c9>] __se_sys_io_uring_setup fs/io_uring.c:3138 [inline]
[<00000000b95ec5c9>] __x64_sys_io_uring_setup+0x1a/0x20
fs/io_uring.c:3138
[<0000000072749d9e>] do_syscall_64+0x76/0x1a0
arch/x86/entry/common.c:301
[<0000000053106e40>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811dd21c08 (size 56):
comm "syz-executor073", pid 7035, jiffies 4294943279 (age 8.130s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
30 fd bd 21 81 88 ff ff 20 1c d2 1d 81 88 ff ff 0..!.... .......
backtrace:
[<0000000088b15f0d>] kmemleak_alloc_recursive
include/linux/kmemleak.h:55 [inline]
[<0000000088b15f0d>] slab_post_alloc_hook mm/slab.h:439 [inline]
[<0000000088b15f0d>] slab_alloc mm/slab.c:3326 [inline]
[<0000000088b15f0d>] kmem_cache_alloc+0x134/0x270 mm/slab.c:3488
[<00000000dec41212>] kmem_cache_zalloc include/linux/slab.h:732 [inline]
[<00000000dec41212>] lsm_inode_alloc security/security.c:523 [inline]
[<00000000dec41212>] security_inode_alloc+0x33/0xb0
security/security.c:876
[<0000000093ac97c3>] inode_init_always+0x108/0x200 fs/inode.c:168
[<000000006cedb4e8>] alloc_inode+0x49/0xe0 fs/inode.c:233
[<0000000054963a4b>] new_inode_pseudo+0x18/0x70 fs/inode.c:915
[<00000000a577ddf0>] sock_alloc+0x1c/0x90 net/socket.c:575
[<000000000e50448f>] __sock_create+0x8f/0x250 net/socket.c:1394
[<00000000248d5219>] sock_create_kern+0x3b/0x50 net/socket.c:1499
[<0000000081cd440d>] io_uring_get_fd fs/io_uring.c:2997 [inline]
[<0000000081cd440d>] io_uring_create fs/io_uring.c:3080 [inline]
[<0000000081cd440d>] io_uring_setup+0x4ea/0x990 fs/io_uring.c:3128
[<00000000b95ec5c9>] __do_sys_io_uring_setup fs/io_uring.c:3141 [inline]
[<00000000b95ec5c9>] __se_sys_io_uring_setup fs/io_uring.c:3138 [inline]
[<00000000b95ec5c9>] __x64_sys_io_uring_setup+0x1a/0x20
fs/io_uring.c:3138
[<0000000072749d9e>] do_syscall_64+0x76/0x1a0
arch/x86/entry/common.c:301
[<0000000053106e40>] entry_SYSCALL_64_after_hwframe+0x44/0xa9



---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

[Eric Biggers]

From: Eric Biggers <ebig...@google.com>

Opening and closing an io_uring instance leaks a UNIX domain socket
inode. This is because the ->file of the io_uring instance's internal
UNIX domain socket is set to point to the io_uring file, but then
sock_release() sees the non-NULL ->file and assumes the inode reference
is held by the file so doesn't call iput(). That's not the case here,
since the reference is still meant to be held by the socket; the actual
inode of the io_uring file is different.

Fix this leak by NULL-ing out ->file before releasing the socket.

Reported-by: syzbot+111cb2...@syzkaller.appspotmail.com
Fixes: 2b188cc1bb85 ("Add io_uring IO interface")
Cc: <sta...@vger.kernel.org> # v5.1+
Signed-off-by: Eric Biggers <ebig...@google.com>
---
fs/io_uring.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/io_uring.c b/fs/io_uring.c
index 0fbb486a320e9..86a2bd7219005 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -2777,8 +2777,10 @@ static void io_ring_ctx_free(struct io_ring_ctx *ctx)
io_eventfd_unregister(ctx);

#if defined(CONFIG_UNIX)
- if (ctx->ring_sock)
+ if (ctx->ring_sock) {
+ ctx->ring_sock->file = NULL; /* so that iput() is called */
sock_release(ctx->ring_sock);
+ }
#endif

io_mem_free(ctx->sq_ring);
--
2.22.0.rc2.383.gf4fbbf30c2-goog

[Jens Axboe]

On 6/12/19 3:58 PM, Eric Biggers wrote:
> From: Eric Biggers <ebig...@google.com>
>
> Opening and closing an io_uring instance leaks a UNIX domain socket
> inode. This is because the ->file of the io_uring instance's internal
> UNIX domain socket is set to point to the io_uring file, but then
> sock_release() sees the non-NULL ->file and assumes the inode reference
> is held by the file so doesn't call iput(). That's not the case here,
> since the reference is still meant to be held by the socket; the actual
> inode of the io_uring file is different.
>
> Fix this leak by NULL-ing out ->file before releasing the socket.

Thanks, applied.

--
Jens Axboe