Hello,
The following program causes struct pid memory leak:
// autogenerated by syzkaller (
http://github.com/google/syzkaller)
#include <pthread.h>
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
long r[37];
void* thr(void* arg)
{
switch ((long)arg) {
case 0:
r[0] = syscall(SYS_mmap, 0x20000000ul, 0xd000ul, 0x3ul, 0x32ul,
0xfffffffffffffffful, 0x0ul);
break;
case 1:
r[1] = syscall(SYS_socketpair, 0x1ul, 0x2ul, 0x0ul, 0x20000ffcul, 0,
0);
if (r[1] != -1)
r[2] = *(uint32_t*)0x20001000;
break;
case 2:
r[3] =
syscall(SYS_accept, r[2], 0x20000ffbul, 0x20000ffful, 0, 0, 0);
break;
case 3:
r[4] = syscall(SYS_socketpair, 0x1ul, 0x1ul, 0x0ul, 0x20001ff8ul, 0,
0);
if (r[4] != -1)
r[5] = *(uint32_t*)0x20001ff8;
if (r[4] != -1)
r[6] = *(uint32_t*)0x20001ffc;
break;
case 4:
memcpy((void*)0x2000bf5c,
"\xd4\x37\x4c\x81\xff\x25\x00\xf7\x44\x0d\x1a\xe2\x4d\xae"
"\x17\x36\xb0\xef\x85\xd0\xb6\xa2\x0a\x4c\x29\xf0\x43\x3c"
"\x2b\xab\xdf\x9f\x3e\x4b\x9c\x1b\xb0\x36\xce\xe7\x14\x2b"
"\xa4\x33\x47\xd5\x58\x76\x63\x83\x71\xb3\x95\x37\xca\x25"
"\x93\x3f\x46\xd7\xc0\x8f\x8e\x2a\xcf\x0d\x60\xb7\x62\xac"
"\xd9\xaf\x6e\x88\x3f\xe0\xbf\x94\xc3\x57\x74\x8d\x22\xed"
"\x61\x71\x85\x10\x64\x2d\x50\xdf\xae\x9a\xdd\xa2\x5e\x28"
"\xa3\xf8\x14\xf0\x94\x4a\xac\x82\x45\xed\x85\x7a\xb6\x2b"
"\xef\xb4\x0b\x78\xb8\x92\x30\xcc\x5d\xcc\x07\xbf\x70\x4e"
"\x1c\x10\x38\xde\x89\x58\x8b\x87\x97\xc9\x6a\x62\x84\x3b"
"\xcd\x37\xbb\x8d\x41\x50\x65\x24\xa8\x90\x85\xa7\x51\x32"
"\x58\xf9\x71\xb3\x0b\xf0\x0f\xe6\xc4\x81",
164);
r[8] = syscall(SYS_write, r[5], 0x2000bf5cul, 0xa4ul, 0, 0, 0);
break;
case 5:
*(uint32_t*)0x2000cb16 = (uint32_t)0x20;
*(uint32_t*)0x2000cb1a = (uint32_t)0xfffffffffffffffd;
*(uint64_t*)0x2000cb1e = (uint64_t)0x1;
*(uint32_t*)0x2000cb26 = (uint32_t)0xd51;
*(uint32_t*)0x2000cb2a = (uint32_t)0x3;
*(uint32_t*)0x2000cb2e = (uint32_t)0x9;
*(uint32_t*)0x2000cb32 = (uint32_t)0x9;
r[16] = syscall(SYS_write, r[5], 0x2000cb16ul, 0x20ul, 0, 0, 0);
break;
case 6:
*(uint32_t*)0x20005ffc = (uint32_t)0x7;
r[18] = syscall(SYS_setsockopt, r[6], 0x1ul, 0x10ul, 0x20005ffcul,
0x4ul, 0);
break;
case 7:
memcpy((void*)0x20003000,
"\xad\xd4\xf6\xb6\x5d\x21\x41\x96\x29\xc7\x46\x59\xb5\x12"
"\x13\x1f\xc2\xab\x18\x66\x38\x2f\x01\xd0\x78\x07\x19\xe4"
"\x2f\xac\xa5\x81\xc9\x01\x6f\x8d\xeb\x2f\x06\x23\xc8\x42"
"\xf8\x6e\x04\xf6\xcf\x7e\x76\x1a\xb8\xe3\xff\x45\x30\x9b"
"\x0a\x9a\x0d\x1a\x6d\xfe\x01\x94\xc3\xc6\xfb\xc7\xd2\x7d"
"\xe3\x5f\xc9\xdb\xa8\xfc\x9a\x0c\xdf\x4a\xf9\x6c\xf5\xcd"
"\x20\x90\x16\xd6\x2a\xec\x79\xac\x6a\x04\x9d\x92\xd3\x7d"
"\x2c\xf5\x24\x60\xcc\x57\xb1\x1e\x2a\xf9\x33\x54\x7b\xd8"
"\x5b\x23\x26\x79\xdb\x89\x72\xf7\x17\xe0\x1c\x1f\x2e\xc0"
"\x23\x94\xc5\xb1\x7d\xea\x84\xd1\x40\x43\x8a\xc1\x89\xa2"
"\x72\xd8\x8a\xff\xf7\x30\xc9\x96\x5c\x84\x58\x4f\x7e\x04"
"\x84\x45\x1b\x83\x51\xb6\x90\x4a\x17\x4e\x95\x09\xb9\x37"
"\x6e\xe6\xb0\x5e\xb5\x11\xb6\x2f\x06\x75\x31\x57\xda\xc2"
"\xfe\x5d\x84\x0e\x6a\x29\xb7\xe6\x22\xf2\xc9\x00\xa5\x80"
"\x0f\x48\x42\x38\x5a\x66\x32\x91\x5a\xe5\x5e\xfe\xce\xc0"
"\x98\x16\x19\x39\x21\x4b\x60\xe1\xa5\x7a\xba\x62\xd4\x38"
"\x96\x2d\x79\x09\x30\x2c\x75\x54\x68\xca",
234);
r[20] = syscall(SYS_sendto, r[5], 0x20003000ul, 0xeaul, 0x4000ul,
0x20003000ul, 0x0ul);
break;
case 8:
*(uint64_t*)0x2000a000 = (uint64_t)0x2000a000;
*(uint32_t*)0x2000a008 = (uint32_t)0x1c;
*(uint64_t*)0x2000a010 = (uint64_t)0x2000ac60;
*(uint64_t*)0x2000a018 = (uint64_t)0x4;
*(uint64_t*)0x2000a020 = (uint64_t)0x2000a8b3;
*(uint64_t*)0x2000a028 = (uint64_t)0x1000;
*(uint32_t*)0x2000a030 = (uint32_t)0x0;
*(uint64_t*)0x2000ac60 = (uint64_t)0x2000afb4;
*(uint64_t*)0x2000ac68 = (uint64_t)0x7a;
*(uint64_t*)0x2000ac70 = (uint64_t)0x2000affe;
*(uint64_t*)0x2000ac78 = (uint64_t)0x10;
*(uint64_t*)0x2000ac80 = (uint64_t)0x2000afe2;
*(uint64_t*)0x2000ac88 = (uint64_t)0x2f;
*(uint64_t*)0x2000ac90 = (uint64_t)0x2000afdb;
*(uint64_t*)0x2000ac98 = (uint64_t)0xd4;
r[36] =
syscall(SYS_recvmsg, r[6], 0x2000a000ul, 0x12100ul, 0, 0, 0);
break;
}
return 0;
}
int main()
{
long i;
pthread_t th[9];
memset(r, -1, sizeof(r));
for (i = 0; i < 9; i++) {
pthread_create(&th[i], 0, thr, (void*)i);
usleep(10000);
}
for (i = 0; i < 9; i++) {
pthread_create(&th[i], 0, thr, (void*)i);
if (i % 2 == 0)
usleep(10000);
}
usleep(100000);
return 0;
}
unreferenced object 0xffff8800324af200 (size 112):
comm "syz-executor", pid 18413, jiffies 4295500287 (age 14.321s)
hex dump (first 32 bytes):
01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff86315673>] kmemleak_alloc+0x63/0xa0 mm/kmemleak.c:916
[< inline >] kmemleak_alloc_recursive include/linux/kmemleak.h:47
[< inline >] slab_post_alloc_hook mm/slub.c:1337
[< inline >] slab_alloc_node mm/slub.c:2596
[< inline >] slab_alloc mm/slub.c:2604
[<ffffffff81758b49>] kmem_cache_alloc+0x149/0x2d0 mm/slub.c:2609
[<ffffffff813adabd>] alloc_pid+0x5d/0xc90 kernel/pid.c:306
[<ffffffff8134de09>] copy_process.part.35+0x3759/0x57a0 kernel/fork.c:1462
[< inline >] copy_process kernel/fork.c:1274
[<ffffffff8135017c>] _do_fork+0x1bc/0xcb0 kernel/fork.c:1723
[< inline >] SYSC_clone kernel/fork.c:1832
[<ffffffff81350d47>] SyS_clone+0x37/0x50 kernel/fork.c:1826
[<ffffffff86332bb6>] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185
[<ffffffffffffffff>] 0xffffffffffffffff
# cat /proc/slabinfo | grep pid
pid 297 532 576 28 4 : tunables 0 0
0 : slabdata 19 19 0
...
pid 412 532 576 28 4 : tunables 0 0
0 : slabdata 19 19 0
...
pid 1107 1176 576 28 4 : tunables 0 0
0 : slabdata 42 42 0
...
pid 1545 1652 576 28 4 : tunables 0 0
0 : slabdata 59 59 0
On commit 30f05309bde49295e02e45c7e615f73aa4e0ccc2 (Jan 20).