From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id BF290C19F2B for ; Wed, 3 Aug 2022 22:24:12 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235882AbiHCWYL (ORCPT ); Wed, 3 Aug 2022 18:24:11 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48392 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229579AbiHCWYK (ORCPT ); Wed, 3 Aug 2022 18:24:10 -0400 Received: from mail-qk1-x734.google.com (mail-qk1-x734.google.com [IPv6:2607:f8b0:4864:20::734]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 718A850186; Wed, 3 Aug 2022 15:24:07 -0700 (PDT) Received: by mail-qk1-x734.google.com with SMTP id c3so13869483qko.1; Wed, 03 Aug 2022 15:24:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=bIH5s7GF6nzPQ/hRzBmgueYl4MrTkMyCP5UL1r27IIo=; b=Q8kdhewgKpenh0lGOkj+H9rDCKL2Gygmc0X5mYzDCPH2yACEOyROLDkE/uawpoW6G7 b5tgZBp5ExBxH57L67YPhdD5r38lxLT3oF9tT4jYdVCtkFgvdIcZGTh/LhyoUmDf9Wpx Y3z2jzfs/wD9zyFZAil+M0+eNG+Su+vi0m24DBXI1cgARmN4v2nTTsf6bO0yoIrYncBW clJ9ktW43flAeq36VbqYuRHL8IBkj8XQANRujDTu0rTqO70dlKyHM8MYhQTqADj5zjPL cnW4go2+11abpmMiBOyC5yWkeZZEZeluuR4tg8MR24sJbqTpFlunoalgslAnuft13XZr PDLQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=bIH5s7GF6nzPQ/hRzBmgueYl4MrTkMyCP5UL1r27IIo=; b=tl3zspfho5IQGzINgZo8DJG1+SSSoEs6z2NCnlwjQnrZHYrKfZnaE2BWpJ4AO4Z4qG R2hulJu0vbrXrOSclbSchOg2RzVnSKDojFTs1zUW1sG5l00KOqU1iwvmLZcWoc1zsIkl qm5Lyu4G9tDCLHigT6uU2qmeJcCTL1Wt0y8aMuw5ZdM/ooZwiANA6pvYBaFRQ8Rj5WUq OKCAbAMG2c/b3vWHliYImFppnABlhbAa6Y6jPOdTrH1g29zrBhyBzZuLktvlyrgwanQe d9Jyb+XvZgRhZB/T70SlDQX44Wkh+0LUYFa3aJOJR1f+iM9Nb6h8kSHb/3k2ZQ2ekUL2 EKjg== X-Gm-Message-State: AJIora9PZBQOcmjGApssBG/SMDFBLP8zL9wfI4lwwD/KLMCRJTvgDKkf ukvqireUih+6vuCy+EXuEw== X-Google-Smtp-Source: AGRyM1su5PXPoWPyT7ZUOgJqvRZ1saahDdsrEsHaE9Lm/eUMBJ2QkorNFMgK+yfYCqrhvQDrjpiOCw== X-Received: by 2002:a05:620a:1707:b0:6b5:f93a:ee54 with SMTP id az7-20020a05620a170700b006b5f93aee54mr19682643qkb.158.1659565446431; Wed, 03 Aug 2022 15:24:06 -0700 (PDT) Received: from bytedance.bytedance.net ([74.199.177.246]) by smtp.gmail.com with ESMTPSA id h3-20020ae9ec03000000b006af10bd3635sm12511008qkg.57.2022.08.03.15.24.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 03 Aug 2022 15:24:05 -0700 (PDT) From: Peilin Ye To: Jens Axboe , Pavel Begunkov , Paul Moore , Eric Paris Cc: Peilin Ye , io-uring@vger.kernel.org, linux-kernel@vger.kernel.org, linux-audit@redhat.com, Peilin Ye Subject: [PATCH v2] audit, io_uring, io-wq: Fix memory leak in io_sq_thread() and io_wqe_worker() Date: Wed, 3 Aug 2022 15:23:43 -0700 Message-Id: <20220803222343.31673-1-yepeilin.cs@gmail.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20220803050230.30152-1-yepeilin.cs@gmail.com> References: <20220803050230.30152-1-yepeilin.cs@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: io-uring@vger.kernel.org From: Peilin Ye Currently @audit_context is allocated twice for io_uring workers: 1. copy_process() calls audit_alloc(); 2. io_sq_thread() or io_wqe_worker() calls audit_alloc_kernel() (which is effectively audit_alloc()) and overwrites @audit_context, causing: BUG: memory leak unreferenced object 0xffff888144547400 (size 1024): <...> hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [] audit_alloc+0x133/0x210 [] copy_process+0xcd3/0x2340 [] create_io_thread+0x63/0x90 [] create_io_worker+0xb4/0x230 [] io_wqe_enqueue+0x248/0x3b0 [] io_queue_iowq+0xba/0x200 [] io_queue_async+0x113/0x180 [] io_req_task_submit+0x18f/0x1a0 [] io_apoll_task_func+0xdd/0x120 [] tctx_task_work+0x11f/0x570 [] task_work_run+0x7e/0xc0 [] get_signal+0xc18/0xf10 [] arch_do_signal_or_restart+0x2b/0x730 [] exit_to_user_mode_prepare+0x5e/0x180 [] syscall_exit_to_user_mode+0x12/0x20 [] do_syscall_64+0x40/0x80 Then, 3. io_sq_thread() or io_wqe_worker() frees @audit_context using audit_free(); 4. do_exit() eventually calls audit_free() again, which is okay because audit_free() does a NULL check. As suggested by Paul Moore, fix it by deleting audit_alloc_kernel() and redundant audit_free() calls. Fixes: 5bd2182d58e9 ("audit,io_uring,io-wq: add some basic audit support to io_uring") Suggested-by: Paul Moore Cc: stable@vger.kernel.org Signed-off-by: Peilin Ye --- Change since v1: - Delete audit_alloc_kernel() (Paul Moore) fs/io-wq.c | 3 --- fs/io_uring.c | 4 ---- include/linux/audit.h | 5 ----- kernel/auditsc.c | 25 ------------------------- 4 files changed, 37 deletions(-) diff --git a/fs/io-wq.c b/fs/io-wq.c index 824623bcf1a5..4d8a77a2a150 100644 --- a/fs/io-wq.c +++ b/fs/io-wq.c @@ -634,8 +634,6 @@ static int io_wqe_worker(void *data) snprintf(buf, sizeof(buf), "iou-wrk-%d", wq->task->pid); set_task_comm(current, buf); - audit_alloc_kernel(current); - while (!test_bit(IO_WQ_BIT_EXIT, &wq->state)) { long ret; @@ -670,7 +668,6 @@ static int io_wqe_worker(void *data) if (test_bit(IO_WQ_BIT_EXIT, &wq->state)) io_worker_handle_work(worker); - audit_free(current); io_worker_exit(worker); return 0; } diff --git a/fs/io_uring.c b/fs/io_uring.c index e8e769be9ed0..e0da0d2f71f2 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -9208,8 +9208,6 @@ static int io_sq_thread(void *data) set_cpus_allowed_ptr(current, cpu_online_mask); current->flags |= PF_NO_SETAFFINITY; - audit_alloc_kernel(current); - mutex_lock(&sqd->lock); while (1) { bool cap_entries, sqt_spin = false; @@ -9283,8 +9281,6 @@ static int io_sq_thread(void *data) io_run_task_work(); mutex_unlock(&sqd->lock); - audit_free(current); - complete(&sqd->exited); do_exit(0); } diff --git a/include/linux/audit.h b/include/linux/audit.h index cece70231138..c313df466e6e 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -287,7 +287,6 @@ static inline int audit_signal_info(int sig, struct task_struct *t) /* These are defined in auditsc.c */ /* Public API */ extern int audit_alloc(struct task_struct *task); -extern int audit_alloc_kernel(struct task_struct *task); extern void __audit_free(struct task_struct *task); extern void __audit_uring_entry(u8 op); extern void __audit_uring_exit(int success, long code); @@ -580,10 +579,6 @@ static inline int audit_alloc(struct task_struct *task) { return 0; } -static inline int audit_alloc_kernel(struct task_struct *task) -{ - return 0; -} static inline void audit_free(struct task_struct *task) { } static inline void audit_uring_entry(u8 op) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 3a8c9d744800..dd8d9ab747c3 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1073,31 +1073,6 @@ int audit_alloc(struct task_struct *tsk) return 0; } -/** - * audit_alloc_kernel - allocate an audit_context for a kernel task - * @tsk: the kernel task - * - * Similar to the audit_alloc() function, but intended for kernel private - * threads. Returns zero on success, negative values on failure. - */ -int audit_alloc_kernel(struct task_struct *tsk) -{ - /* - * At the moment we are just going to call into audit_alloc() to - * simplify the code, but there two things to keep in mind with this - * approach: - * - * 1. Filtering internal kernel tasks is a bit laughable in almost all - * cases, but there is at least one case where there is a benefit: - * the '-a task,never' case allows the admin to effectively disable - * task auditing at runtime. - * - * 2. The {set,clear}_task_syscall_work() ops likely have zero effect - * on these internal kernel tasks, but they probably don't hurt either. - */ - return audit_alloc(tsk); -} - static inline void audit_free_context(struct audit_context *context) { /* resetting is extra work, but it is likely just noise */ -- 2.20.1