Re: Observation of a memory leak with commit 314001f0bf92 ("af_unix: Add OOB support")

From: Lukas Bulwahn
Date: Sat Jan 08 2022 - 23:11:24 EST


On Fri, Jan 7, 2022 at 6:55 PM Shoaib Rao <rao.shoaib@xxxxxxxxxx> wrote:
>
> Hi Lukas,
>
> I took a look at the patch and I fail to see how prepare_creds() could
> be impacted by the patch. The only reference to a cred in the patch is
> via maybe_add_creds().
>
> prepare_creds() is called to make a copy of the current creds which will
> be later modified. If there is any leak it would be in the caller not
> releasing the memory. The patch does not do anything with creds.
>
> If there is any more information that can help identify the issue, I
> will be happy to look into it.
>

Here is more information:

Here are all crash reports:

https://elisa-builder-00.iol.unh.edu/syzkaller-next/crash?id=1dcac8539d69ad9eb94ab2c8c0d99c11a0b516a3

and here at the bottom of the page is a C program that shows the
memory leak with the typical memory leak detections switched on:

https://elisa-builder-00.iol.unh.edu/syzkaller-next/report?id=1dcac8539d69ad9eb94ab2c8c0d99c11a0b516a3

Please try to reproduce this on your machine. If you need more
instructions on how to set up the kernel to get this program to
reproduce the issue, please let us know.

> Note that a lot of bugs are timing related, so while it might seem that
> a change is causing the problem, it may not be the cause, it may just be
> changing the environment for the bug to show up.
>

Well, we are pretty sure that this commit makes it show up and
disappear depending on where it is included or reverted, respectively,
tested now on multiple kernel versions. So, to resolve the issue, we
just need to revert the commit.

Lukas

> Shoaib
>
> On 1/6/22 22:48, Lukas Bulwahn wrote:
> > Dear Rao and David,
> >
> >
> > In our syzkaller instance running on linux-next,
> > https://urldefense.com/v3/__https://elisa-builder-00.iol.unh.edu/syzkaller-next/__;!!ACWV5N9M2RV99hQ!YR_lD5j1kvA5QfrbPcM5nMVZZkWNcF-UEE4vKA20TPkslzzGDVPqpL-6heEhBZ_e$ , we have been
> > observing a memory leak in prepare_creds,
> > https://urldefense.com/v3/__https://elisa-builder-00.iol.unh.edu/syzkaller-next/report?id=1dcac8539d69ad9eb94ab2c8c0d99c11a0b516a3__;!!ACWV5N9M2RV99hQ!YR_lD5j1kvA5QfrbPcM5nMVZZkWNcF-UEE4vKA20TPkslzzGDVPqpL-6hS1luOMv$ ,
> > for quite some time.
> >
> > It is reproducible on v5.15-rc1, v5.15, v5.16-rc8 and next-20220104.
> > So, it is in mainline, was released and has not been fixed in
> > linux-next yet.
> >
> > As syzkaller also provides a reproducer, we bisected this memory leak
> > to be introduced with commit 314001f0bf92 ("af_unix: Add OOB
> > support").
> >
> > We also tested that reverting this commit on torvalds' current tree
> > made the memory leak with the reproducer go away.
> >
> > Could you please have a look how your commit introduces this memory
> > leak? We will gladly support testing your fix in case help is needed.
> >
> >
> > Best regards,
> >
> > Lukas