On Thu, Feb 4, 2016 at 12:27 AM, Peter Hurley <[email protected]> wrote:
> Hi Dmitry,
>
> On 02/03/2016 08:26 AM, Dmitry Vyukov wrote:
>> On Wed, Feb 3, 2016 at 5:10 PM, Dmitry Vyukov <[email protected]> wrote:
>>> Hello,
>>>
>>> The following program causes tty_struct memory leak:
>>>
>>> // autogenerated by syzkaller (http://github.com/google/syzkaller)
>>> #include <pthread.h>
>>> #include <stdint.h>
>>> #include <string.h>
>>> #include <sys/syscall.h>
>>> #include <unistd.h>
>>>
>>> int main()
>>> {
>>>         alarm(1);
>>>         syscall(SYS_open, "/dev/ircomm7", 0x12d401ul, 0, 0, 0);
>>>         return 0;
>>> }
>
> Going to need more information than this because the reproducer
> above does not generate a tty_struct memory leak.
>
> Here's what I did:
>
> Enabled tty debugging and added patch below [1] to show kfree(tty), then:
>
> $ sudo modprobe ircomm
> $ ./reproducer
>
> Here's what I got:
>
> [ 1436.864342] tty_ldisc_open: ircomm ircomm7: ffff8802aa3b3410: opened
> [ 1436.864352] tty_open: ircomm ircomm7: opening (count=1)
> [ 1437.863994] tty_open: ircomm ircomm7: open error -512, releasing
> [ 1437.864051] tty_release: ircomm ircomm7: releasing (count=1)
> [ 1437.864055] tty_wait_until_sent: ircomm ircomm7: wait until sent, timeout=7500
> [ 1437.864110] tty_release: ircomm ircomm7: final close
> [ 1437.864120] tty_ldisc_close: ircomm ircomm7: ffff8802aa3b3410: closed
> [ 1437.864124] tty_ldisc_release: ircomm ircomm7: released
> [ 1437.864130] tty_release: ircomm ircomm7: release
> [ 1437.864148] release_one_tty: ircomm ircomm7: freeing structure
>                                                 ^^^^^^^^^^^^^^^^^^
>
> Note that release_one_tty() ends in kfree(tty)
There seems to be some race, please try this one:

// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <pthread.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* One worker: open the ircomm tty with the flags syzkaller found,
 * bailing out via SIGALRM after one second so the open never hangs. */
void work()
{
        alarm(1);
        syscall(SYS_open, "/dev/ircomm7", 0x12d401ul, 0, 0, 0);
}

/* Keep 32 workers opening the device concurrently, forever, so the
 * open/release race is hit repeatedly. */
int main()
{
        int running = 0, status;  /* running must start at 0 */

        for (;;) {
                while (running < 32) {
                        if (fork() == 0) {
                                work();
                                exit(0);
                        }
                        running++;
                }
                if (wait(&status) > 0)
                        running--;
        }
}

If I sample /proc/slabinfo while it runs:

# cat /proc/slabinfo | egrep "^kmalloc-2048"

Number of allocated objects constantly grows.
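The slabinfo sampling above is done by eye. As an added example (not code from this thread or from the kernel tree), here is a small monitor that parses /proc/slabinfo in its "version: 2.1" layout and flags a cache whose active object count rises across every sample, which is the pattern Dmitry describes for kmalloc-2048 while the reproducer runs. The snapshots embedded below are constructed; the live monitor() function reads the real file when the script is run as root.

```python
"""Detect steady growth of one kernel slab cache from /proc/slabinfo samples.

Added example, not code from the thread. Assumes the /proc/slabinfo
"version: 2.1" line layout:
  name <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables ... : slabdata ...
"""
import re
import time

# Data lines of /proc/slabinfo; the header and version lines are skipped below.
_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*:")


def parse_slabinfo(text):
    """Return {cache_name: (active_objs, num_objs, objsize)} from slabinfo text."""
    caches = {}
    for line in text.splitlines():
        if line.startswith("slabinfo") or line.startswith("#") or not line.strip():
            continue
        m = _LINE.match(line)
        if m:
            caches[m.group(1)] = (int(m.group(2)), int(m.group(3)), int(m.group(4)))
    return caches


def growth_trend(samples, cache):
    """active_objs of `cache` across successive snapshots; 0 if the cache is absent."""
    return [parse_slabinfo(s).get(cache, (0, 0, 0))[0] for s in samples]


def is_leaking(samples, cache, min_rise=3):
    """True when active_objs rises between every consecutive pair of samples
    and the total rise is at least `min_rise` objects.

    Ordinary churn moves the count both ways as objects are freed; a leak
    only ever moves it up, so a monotonic climb over several samples is
    the signal worth alerting on."""
    counts = growth_trend(samples, cache)
    if len(counts) < 2:
        return False
    rising = all(b > a for a, b in zip(counts, counts[1:]))
    return rising and (counts[-1] - counts[0]) >= min_rise


def monitor(cache="kmalloc-2048", interval=1.0, rounds=5):
    """Sample the live /proc/slabinfo `rounds` times (root needed on most
    kernels) and return (trend, verdict)."""
    samples = []
    for _ in range(rounds):
        with open("/proc/slabinfo") as f:
            samples.append(f.read())
        time.sleep(interval)
    return growth_trend(samples, cache), is_leaking(samples, cache)


def _snapshot(active_2048):
    """Constructed slabinfo snapshot with a chosen kmalloc-2048 active count."""
    return (
        "slabinfo - version: 2.1\n"
        "# name <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab>"
        " : tunables <limit> <batchcount> <sharedfactor>"
        " : slabdata <active_slabs> <num_slabs> <sharedavail>\n"
        f"kmalloc-2048 {active_2048} {active_2048 + 64} 2048 16 8"
        " : tunables 0 0 0 : slabdata 80 80 0\n"
        "kmalloc-1024 512 512 1024 32 8 : tunables 0 0 0 : slabdata 16 16 0\n"
    )


# Constructed series: one climbing like the reproducer's run, one just churning.
SAMPLE_LEAK = [_snapshot(n) for n in (1000, 1032, 1064, 1096, 1128)]
SAMPLE_STEADY = [_snapshot(n) for n in (1000, 1010, 1004, 1012, 1006)]

if __name__ == "__main__":
    print("constructed leak:", growth_trend(SAMPLE_LEAK, "kmalloc-2048"),
          is_leaking(SAMPLE_LEAK, "kmalloc-2048"))
    print("constructed churn:", growth_trend(SAMPLE_STEADY, "kmalloc-2048"),
          is_leaking(SAMPLE_STEADY, "kmalloc-2048"))
```

Run it beside the reproducer and call monitor() for the live verdict; the monotonic-rise rule keeps short bursts of allocation from being reported as leaks, while a cache that only ever grows over five one-second samples is exactly the symptom the thread is chasing.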

