Re: [PATCH] tracing: fix memory leaks in __create_synth_event()

2021-03-04 Thread Vamshi K Sthambamkadi
On Thu, Mar 04, 2021 at 09:40:49AM -0500, Steven Rostedt wrote:
> On Thu, 4 Mar 2021 15:15:24 +0530
> Vamshi K Sthambamkadi  wrote:
> 
> Not anything to do with you. I have a set of fixes that I have queued that
> requires a ~13 hour test to run before I push off to Linus. When it was
> almost done, I discovered another bug. Fixed it. Killed the almost completed
> running test, and restarted it for another 13 hour run. I woke up this
> morning happy to see that it passed, but then found your patch.
> 
> Wash, rinse, repeat! :-p

Sorry for the wrong timing of sending this patch :)

Thanks for looking into it, and applying it.

Regards,
Vamshi


[PATCH] tracing: fix memory leaks in __create_synth_event()

2021-03-04 Thread Vamshi K Sthambamkadi
kmemleak report:
unreferenced object 0xc5a6f708 (size 8):
  comm "ftracetest", pid 1209, jiffies 4294911500 (age 6.816s)
  hex dump (first 8 bytes):
00 c1 3d 60 14 83 1f 8a  ..=`
  backtrace:
[] __kmalloc_track_caller+0x2a6/0x460
[<7d3d60a6>] kstrndup+0x37/0x70
[<45a0e739>] argv_split+0x1c/0x120
[] __create_synth_event+0x192/0xb00
[<0708b8a3>] create_synth_event+0xbb/0x150
[<3d1941e1>] create_dyn_event+0x5c/0xb0
[<5cf8b9e3>] trace_parse_run_command+0xa7/0x140
[<04deb2ef>] dyn_event_write+0x10/0x20
[<8779ac95>] vfs_write+0xa9/0x3c0
[] ksys_write+0x89/0xc0
[] __ia32_sys_write+0x15/0x20
[<7ce02d85>] __do_fast_syscall_32+0x45/0x80
[] do_fast_syscall_32+0x29/0x60
[<2467454a>] do_SYSENTER_32+0x15/0x20
[<9beaa61d>] entry_SYSENTER_32+0xa9/0xfc
unreferenced object 0xc5a6f078 (size 8):
  comm "ftracetest", pid 1209, jiffies 4294911500 (age 6.816s)
  hex dump (first 8 bytes):
08 f7 a6 c5 00 00 00 00  
  backtrace:
[] __kmalloc+0x2b6/0x470
[] argv_split+0x82/0x120
[] __create_synth_event+0x192/0xb00
[<0708b8a3>] create_synth_event+0xbb/0x150
[<3d1941e1>] create_dyn_event+0x5c/0xb0
[<5cf8b9e3>] trace_parse_run_command+0xa7/0x140
[<04deb2ef>] dyn_event_write+0x10/0x20
[<8779ac95>] vfs_write+0xa9/0x3c0
[] ksys_write+0x89/0xc0
[] __ia32_sys_write+0x15/0x20
[<7ce02d85>] __do_fast_syscall_32+0x45/0x80
[] do_fast_syscall_32+0x29/0x60
[<2467454a>] do_SYSENTER_32+0x15/0x20
[<9beaa61d>] entry_SYSENTER_32+0xa9/0xfc

In __create_synth_event(), while iterating over field/type arguments,
argv_split() will return an array of at least 2 elements even when zero
arguments (argc=0) are passed, e.g. when there is a double delimiter
or the string ends with a delimiter.

To fix, call argv_free() even when argc=0.

Signed-off-by: Vamshi K Sthambamkadi 
---
 kernel/trace/trace_events_synth.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/kernel/trace/trace_events_synth.c 
b/kernel/trace/trace_events_synth.c
index 2979a96595b4..8d71e6c83f10 100644
--- a/kernel/trace/trace_events_synth.c
+++ b/kernel/trace/trace_events_synth.c
@@ -1225,8 +1225,10 @@ static int __create_synth_event(const char *name, const 
char *raw_fields)
goto err;
}
 
-   if (!argc)
+   if (!argc) {
+   argv_free(argv);
continue;
+   }
 
n_fields_this_loop = 0;
consumed = 0;
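Review bot: the new argv_free(argv) on the argc == 0 path deserves a one-line comment, because a reader will assume an empty split leaves nothing to free; as the commit message explains, argv_split() still allocates the pointer array (and the kstrndup'd copy behind it) when the field string holds a double delimiter or ends with one, which is exactly the pair of 8-byte objects in the kmemleak report. It is also worth confirming that the `goto err` just above this block releases argv on its own exit path, since this hunk only covers the `continue`.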
-- 
2.17.1



[PATCH v2] Bluetooth: btusb: fix memory leak on suspend and resume

2021-01-14 Thread Vamshi K Sthambamkadi
kmemleak report:
unreferenced object 0x9b1127f00500 (size 208):
  comm "kworker/u17:2", pid 500, jiffies 4294937470 (age 580.136s)
  hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
00 60 ed 05 11 9b ff ff 00 00 00 00 00 00 00 00  .`..
  backtrace:
[<6ab3fd59>] kmem_cache_alloc_node+0x17a/0x480
[<51a5f6f9>] __alloc_skb+0x5b/0x1d0
[<37e2d252>] hci_prepare_cmd+0x32/0xc0 [bluetooth]
[<10b586d5>] hci_req_add_ev+0x84/0xe0 [bluetooth]
[<d2deb520>] hci_req_clear_event_filter+0x42/0x70 [bluetooth]
[<f864bd8c>] hci_req_prepare_suspend+0x84/0x470 [bluetooth]
[<1deb2cc4>] hci_prepare_suspend+0x31/0x40 [bluetooth]
[<2677dd79>] process_one_work+0x209/0x3b0
[<aaa62b07>] worker_thread+0x34/0x400
[<826d176c>] kthread+0x126/0x140
[<2305e558>] ret_from_fork+0x22/0x30
unreferenced object 0x9b1125c6ee00 (size 512):
  comm "kworker/u17:2", pid 500, jiffies 4294937470 (age 580.136s)
  hex dump (first 32 bytes):
04 00 00 00 0d 00 00 00 05 0c 01 00 11 9b ff ff  
00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00  
  backtrace:
[<9f07c0cc>] slab_post_alloc_hook+0x59/0x270
[<49431dc2>] __kmalloc_node_track_caller+0x15f/0x330
[<027a42f6>] __kmalloc_reserve.isra.70+0x31/0x90
[<e8e3e76a>] __alloc_skb+0x87/0x1d0
[<37e2d252>] hci_prepare_cmd+0x32/0xc0 [bluetooth]
[<10b586d5>] hci_req_add_ev+0x84/0xe0 [bluetooth]
[<d2deb520>] hci_req_clear_event_filter+0x42/0x70 [bluetooth]
[<f864bd8c>] hci_req_prepare_suspend+0x84/0x470 [bluetooth]
[<1deb2cc4>] hci_prepare_suspend+0x31/0x40 [bluetooth]
[<2677dd79>] process_one_work+0x209/0x3b0
[<aaa62b07>] worker_thread+0x34/0x400
[<826d176c>] kthread+0x126/0x140
[<2305e558>] ret_from_fork+0x22/0x30
unreferenced object 0x9b112b395788 (size 8):
  comm "kworker/u17:2", pid 500, jiffies 4294937470 (age 580.136s)
  hex dump (first 8 bytes):
20 00 00 00 00 00 04 00   ...
  backtrace:
[<52dc28d2>] kmem_cache_alloc_trace+0x15e/0x460
[<46147591>] alloc_ctrl_urb+0x52/0xe0 [btusb]
[<a2ed3e9e>] btusb_send_frame+0x91/0x100 [btusb]
[<1e66030e>] hci_send_frame+0x7e/0xf0 [bluetooth]
[<bf6b7269>] hci_cmd_work+0xc5/0x130 [bluetooth]
[<2677dd79>] process_one_work+0x209/0x3b0
[<aaa62b07>] worker_thread+0x34/0x400
[<826d176c>] kthread+0x126/0x140
[<2305e558>] ret_from_fork+0x22/0x30

In the PM sleep-resume context, while the btusb device rebinds, it enters
hci_unregister_dev(), whilst there is a possibility of hdev receiving a
PM_POST_SUSPEND suspend_notifier event, leading to the generation of msg
frames. When hci_unregister_dev() completes, i.e. the hdev context is
destroyed/freed, those intermittently sent msg frames cause a memory
leak.

BUG details:
Below is the stack trace of the thread that enters hci_unregister_dev(), sets
the hdev flag HCI_UNREGISTER to 1, and then goes on to wait on the notifier
lock; refer to unregister_pm_notifier().

  hci_unregister_dev+0xa5/0x320 [bluetoot]
  btusb_disconnect+0x68/0x150 [btusb]
  usb_unbind_interface+0x77/0x250
  ? kernfs_remove_by_name_ns+0x75/0xa0
  device_release_driver_internal+0xfe/0x1
  device_release_driver+0x12/0x20
  bus_remove_device+0xe1/0x150
  device_del+0x192/0x3e0
  ? usb_remove_ep_devs+0x1f/0x30
  usb_disable_device+0x92/0x1b0
  usb_disconnect+0xc2/0x270
  hub_event+0x9f6/0x15d0
  ? rpm_idle+0x23/0x360
  ? rpm_idle+0x26b/0x360
  process_one_work+0x209/0x3b0
  worker_thread+0x34/0x400
  ? process_one_work+0x3b0/0x3b0
  kthread+0x126/0x140
  ? kthread_park+0x90/0x90
  ret_from_fork+0x22/0x30

Below is the stack trace of the thread executing hci_suspend_notifier(), which
processes the PM_POST_SUSPEND event while the unbinding thread is
waiting on the lock.

  hci_suspend_notifier.cold.39+0x5/0x2b [bluetooth]
  blocking_notifier_call_chain+0x69/0x90
  pm_notifier_call_chain+0x1a/0x20
  pm_suspend.cold.9+0x334/0x352
  state_store+0x84/0xf0
  kobj_attr_store+0x12/0x20
  sysfs_kf_write+0x3b/0x40
  kernfs_fop_write+0xda/0x1c0
  vfs_write+0xbb/0x250
  ksys_write+0x61/0xe0
  __x64_sys_write+0x1a/0x20
  do_syscall_64+0x37/0x80
  entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fix hci_suspend_notifier() not to act on events when the flag HCI_UNREGISTER
is set.

Signed-off-by: Vamshi K Sthambamkadi 
---
 net/bluetooth/hci_core.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 9d

[PATCH] Bluetooth: btusb: fix memory leak on suspend and resume

2021-01-14 Thread Vamshi K Sthambamkadi

[tip: efi/urgent] efivarfs: fix memory leak in efivarfs_create()

2020-11-17 Thread tip-bot2 for Vamshi K Sthambamkadi
The following commit has been merged into the efi/urgent branch of tip:

Commit-ID: fe5186cf12e30facfe261e9be6c7904a170bd822
Gitweb: https://git.kernel.org/tip/fe5186cf12e30facfe261e9be6c7904a170bd822
Author: Vamshi K Sthambamkadi 
AuthorDate: Fri, 23 Oct 2020 17:24:39 +05:30
Committer: Ard Biesheuvel 
CommitterDate: Mon, 26 Oct 2020 08:15:24 +01:00

efivarfs: fix memory leak in efivarfs_create()

kmemleak report:
  unreferenced object 0x9b8915fcb000 (size 4096):
  comm "efivarfs.sh", pid 2360, jiffies 4294920096 (age 48.264s)
  hex dump (first 32 bytes):
2d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  -...
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
  backtrace:
[<cc4d897c>] kmem_cache_alloc_trace+0x155/0x4b0
[<7d1dfa72>] efivarfs_create+0x6e/0x1a0
[<e6ee18fc>] path_openat+0xe4b/0x1120
[<0ad0414f>] do_filp_open+0x91/0x100
[<ce93a198>] do_sys_openat2+0x20c/0x2d0
[<2a91be6d>] do_sys_open+0x46/0x80
[<0a854999>] __x64_sys_openat+0x20/0x30
[<c50d89c9>] do_syscall_64+0x38/0x90
[<cecd6b5f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

In efivarfs_create(), inode->i_private is set up with an efivar_entry
object which is never freed.

Cc: 
Signed-off-by: Vamshi K Sthambamkadi 
Link: https://lore.kernel.org/r/20201023115429.GA2479@cosmos
Signed-off-by: Ard Biesheuvel 
---
 fs/efivarfs/super.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/efivarfs/super.c b/fs/efivarfs/super.c
index 15880a6..f943fd0 100644
--- a/fs/efivarfs/super.c
+++ b/fs/efivarfs/super.c
@@ -21,6 +21,7 @@ LIST_HEAD(efivarfs_list);
 static void efivarfs_evict_inode(struct inode *inode)
 {
clear_inode(inode);
+   kfree(inode->i_private);
 }
 
 static const struct super_operations efivarfs_ops = {
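Review bot: kfree(inode->i_private) in efivarfs_evict_inode() is only safe if i_private is either NULL or an efivar_entry that nothing else still owns; please confirm that the unlink and zero-length-write paths which tear an entry down either clear inode->i_private or no longer free the entry themselves, otherwise this turns the leak into a double free on those paths. A short comment above the kfree() stating that ownership of the entry allocated in efivarfs_create() ends here would help the next reader.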


[PATCH] efivarfs: fix memory leak in efivarfs_create()

2020-10-23 Thread Vamshi K Sthambamkadi
kmemleak report:
  unreferenced object 0x9b8915fcb000 (size 4096):
  comm "efivarfs.sh", pid 2360, jiffies 4294920096 (age 48.264s)
  hex dump (first 32 bytes):
2d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  -...
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
  backtrace:
[<cc4d897c>] kmem_cache_alloc_trace+0x155/0x4b0
[<7d1dfa72>] efivarfs_create+0x6e/0x1a0
[<e6ee18fc>] path_openat+0xe4b/0x1120
[<0ad0414f>] do_filp_open+0x91/0x100
[<ce93a198>] do_sys_openat2+0x20c/0x2d0
[<2a91be6d>] do_sys_open+0x46/0x80
[<0a854999>] __x64_sys_openat+0x20/0x30
[<c50d89c9>] do_syscall_64+0x38/0x90
[<cecd6b5f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

In efivarfs_create(), inode->i_private is set up with an efivar_entry
object which is never freed.

Signed-off-by: Vamshi K Sthambamkadi 
---
 fs/efivarfs/super.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/efivarfs/super.c b/fs/efivarfs/super.c
index 15880a6..f943fd0 100644
--- a/fs/efivarfs/super.c
+++ b/fs/efivarfs/super.c
@@ -21,6 +21,7 @@ LIST_HEAD(efivarfs_list);
 static void efivarfs_evict_inode(struct inode *inode)
 {
clear_inode(inode);
+   kfree(inode->i_private);
 }
 
 static const struct super_operations efivarfs_ops = {
-- 
2.7.4



[PATCH] drm/nouveau: fix memory leak in iccsense/base.c

2020-10-19 Thread Vamshi K Sthambamkadi
kmemleak report:
  unreferenced object 0x9071c65644e0 (size 96):
  comm "systemd-udevd", pid 347, jiffies 4294898424 (age 810.828s)
  hex dump (first 32 bytes):
02 01 00 00 00 00 00 00 00 00 10 00 02 04 00 00  
00 00 00 00 00 00 a0 86 00 00 00 00 00 00 00 00  
  backtrace:
[<7c0d0ac3>] __kmalloc+0x337/0x500
[<551bfaeb>] nvbios_iccsense_parse+0xf7/0x280 [nouveau]
[<e3e8968b>] nvkm_iccsense_oneinit+0x6c/0x4e0 [nouveau]
[<287e7701>] nvkm_subdev_init+0x58/0xd0 [nouveau]
[<08e4793e>] nvkm_device_init+0x118/0x1a0 [nouveau]
[<8cd3afa3>] nvkm_udevice_init+0x48/0x60 [nouveau]
[<7e047aee>] nvkm_object_init+0x43/0x110 [nouveau]
[<6c56b3a4>] nvkm_ioctl_new+0x184/0x210 [nouveau]
[<80abc890>] nvkm_ioctl+0xf0/0x190 [nouveau]
[<f35056a2>] nvkm_client_ioctl+0x12/0x20 [nouveau]
[<0f001008>] nvif_object_ioctl+0x4f/0x60 [nouveau]
[<98d66807>] nvif_object_ctor+0xfb/0x160 [nouveau]
[<fe24934a>] nvif_device_ctor+0x24/0x70 [nouveau]
[<878b3286>] nouveau_cli_init+0x1a3/0x460 [nouveau]
[<a1578335>] nouveau_drm_device_init+0x77/0x740 [nouveau]
[<faef6b28>] nouveau_drm_probe+0x132/0x1f0 [nouveau]

Fix nvkm_iccsense_oneinit() to free stbl.rail after the iteration.

Signed-off-by: Vamshi K Sthambamkadi 
---
 drivers/gpu/drm/nouveau/nvkm/subdev/iccsense/base.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/iccsense/base.c 
b/drivers/gpu/drm/nouveau/nvkm/subdev/iccsense/base.c
index fecfa6a..23d91b6 100644
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/iccsense/base.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/iccsense/base.c
@@ -291,6 +291,7 @@ nvkm_iccsense_oneinit(struct nvkm_subdev *subdev)
list_add_tail(>head, >rails);
}
}
+   kfree(stbl.rail);
return 0;
 }
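Review bot: kfree(stbl.rail) is only reached on the success path in front of `return 0;`, so any earlier error return inside nvkm_iccsense_oneinit() after nvbios_iccsense_parse() has allocated stbl.rail (not visible in this hunk) would still leak the table; please check those exits, or route them through a single label that frees stbl.rail before returning. kfree() on a NULL pointer is a no-op, so the unconditional call here is fine if the parse can legitimately leave stbl.rail unset.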
 
-- 
2.7.4



[tip: x86/urgent] tracing/kprobes, x86/ptrace: Fix regs argument order for i386

2020-09-04 Thread tip-bot2 for Vamshi K Sthambamkadi
The following commit has been merged into the x86/urgent branch of tip:

Commit-ID: 2356bb4b8221d7dc8c7beb810418122ed90254c9
Gitweb: https://git.kernel.org/tip/2356bb4b8221d7dc8c7beb810418122ed90254c9
Author: Vamshi K Sthambamkadi 
AuthorDate: Fri, 28 Aug 2020 17:02:46 +05:30
Committer: Borislav Petkov 
CommitterDate: Fri, 04 Sep 2020 14:40:42 +02:00

tracing/kprobes, x86/ptrace: Fix regs argument order for i386

On i386, the order of parameters passed on regs is eax, edx, and ecx
(as per regparm(3) calling conventions).

Change the mapping in regs_get_kernel_argument(), so that arg1=ax,
arg2=dx, and arg3=cx.

Running the selftests testcase kprobes_args_use.tc shows the result
as passed.

Fixes: 3c88ee194c28 ("x86: ptrace: Add function argument access API")
Signed-off-by: Vamshi K Sthambamkadi 
Signed-off-by: Borislav Petkov 
Acked-by: Masami Hiramatsu 
Acked-by: Peter Zijlstra (Intel) 
Cc: 
Link: https://lkml.kernel.org/r/20200828113242.GA1424@cosmos
---
 arch/x86/include/asm/ptrace.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/include/asm/ptrace.h b/arch/x86/include/asm/ptrace.h
index 40aa69d..d8324a2 100644
--- a/arch/x86/include/asm/ptrace.h
+++ b/arch/x86/include/asm/ptrace.h
@@ -327,8 +327,8 @@ static inline unsigned long regs_get_kernel_argument(struct 
pt_regs *regs,
static const unsigned int argument_offs[] = {
 #ifdef __i386__
offsetof(struct pt_regs, ax),
-   offsetof(struct pt_regs, cx),
offsetof(struct pt_regs, dx),
+   offsetof(struct pt_regs, cx),
 #define NR_REG_ARGUMENTS 3
 #else
offsetof(struct pt_regs, di),
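Review bot: swapping the cx and dx entries is the whole fix, and because argument_offs[] is indexed by argument number the order of the initialisers is load-bearing; a comment next to the `#ifdef __i386__` entries naming the convention (regparm(3): eax, edx, ecx) would stop a future cleanup from "sorting" them back. The selftest named in the commit message (kprobes_args_use.tc) is the right regression guard for this table, so it is worth stating in the message that it failed before the change, not only that it passes after.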


[PATCH] kprobes, x86/ptrace.h: fix regs argument order for i386

2020-08-28 Thread Vamshi K Sthambamkadi
On i386, the order of parameters passed on regs is eax, edx, and ecx
(as per regparm(3) calling conventions).

Change the mapping in regs_get_kernel_argument(), so that arg1=ax,
arg2=dx, and arg3=cx.

Running the selftests testcase kprobes_args_use.tc shows the result
as passed.

Signed-off-by: Vamshi K Sthambamkadi 
---
 arch/x86/include/asm/ptrace.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/include/asm/ptrace.h b/arch/x86/include/asm/ptrace.h
index 40aa69d..d8324a2 100644
--- a/arch/x86/include/asm/ptrace.h
+++ b/arch/x86/include/asm/ptrace.h
@@ -327,8 +327,8 @@ static inline unsigned long regs_get_kernel_argument(struct 
pt_regs *regs,
static const unsigned int argument_offs[] = {
 #ifdef __i386__
offsetof(struct pt_regs, ax),
-   offsetof(struct pt_regs, cx),
offsetof(struct pt_regs, dx),
+   offsetof(struct pt_regs, cx),
 #define NR_REG_ARGUMENTS 3
 #else
offsetof(struct pt_regs, di),
-- 
2.7.4



[PATCH] pidfd: fix memory leak in pidfd_getfd()

2020-07-06 Thread Vamshi K Sthambamkadi
kmemleak backtrace:

comm "pidfd_getfd_tes", pid 1406, jiffies 4294936898 (age 8.644s)
  hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 90 da d8 f6 80 d5 6f f2  ..o.
b8 fb 9b ea c0 91 99 d1 00 00 00 00 00 00 00 00  
  backtrace:
[<8da987ad>] kmem_cache_alloc+0x199/0x4c0
[<8ff6a575>] __alloc_file+0x1e/0xe0
[] alloc_empty_file+0x45/0x100
[<727fe6eb>] alloc_file+0x23/0xf0
[<457148ef>] alloc_file_pseudo+0x98/0x100
[] __shmem_file_setup.part.67+0x66/0x120
[<5edc3e9b>] shmem_file_setup+0x4c/0x70
[<9c446684>] __ia32_sys_memfd_create+0x122/0x1c0
[] do_syscall_32_irqs_on+0x3d/0x260
[<62569441>] do_fast_syscall_32+0x39/0xb0
[<3c515b7e>] do_SYSENTER_32+0x15/0x20
[<69819a3a>] entry_SYSENTER_32+0xa9/0xfc

comm "pidfd_getfd_tes", pid 1406, jiffies 4294936898 (age 8.644s)
  hex dump (first 16 bytes):
01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  
  backtrace:
[<8da987ad>] kmem_cache_alloc+0x199/0x4c0
[] security_file_alloc+0x20/0x90
[] __alloc_file+0x40/0xe0
[] alloc_empty_file+0x45/0x100
[<727fe6eb>] alloc_file+0x23/0xf0
[<457148ef>] alloc_file_pseudo+0x98/0x100
[] __shmem_file_setup.part.67+0x66/0x120
[<5edc3e9b>] shmem_file_setup+0x4c/0x70
[<9c446684>] __ia32_sys_memfd_create+0x122/0x1c0
[] do_syscall_32_irqs_on+0x3d/0x260
[<62569441>] do_fast_syscall_32+0x39/0xb0
[<3c515b7e>] do_SYSENTER_32+0x15/0x20
[<69819a3a>] entry_SYSENTER_32+0xa9/0xfc

This is because in pidfd_getfd(), file->f_count is incremented twice:
1) __pidfd_fget() gets a file ref by incrementing f_count in __fget_files();
2) f_count is incremented while installing the fd in __fd_install_received(),
   i.e. get_file().

A memory leak occurs because the ref counts do not match, so the struct file
object is never freed.

Secondly, the error validity check (ret < 0) after the call to
fd_install_received() is not needed since this function cannot return a
negative number after incrementing f_count. So it is wrong to call fput()
on condition (ret < 0).

Change pidfd_getfd() to call fput() on the file reference once it is installed
as new_fd in the target process.

Signed-off-by: Vamshi K Sthambamkadi 
---
 kernel/pid.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/kernel/pid.c b/kernel/pid.c
index 5799ae5..d00139c 100644
--- a/kernel/pid.c
+++ b/kernel/pid.c
@@ -653,8 +653,8 @@ static int pidfd_getfd(struct pid *pid, int fd)
return PTR_ERR(file);
 
ret = fd_install_received(file, O_CLOEXEC);
-   if (ret < 0)
-   fput(file);
+
+   fput(file);
return ret;
 }
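Review bot: the replacement leaves a stray `+` empty line where the conditional was, so there are now two consecutive blank lines between fd_install_received() and fput(); drop one. More importantly, the unconditional fput() is correct only because fd_install_received() takes its own reference with get_file(), as the commit message states, so that pairing deserves a comment such as `/* fd_install_received() took its own reference; drop ours */` directly above the fput(), otherwise the next reader sees an fput() on a file that was just installed and suspects a use-after-free.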
 
-- 
2.7.4



[PATCH] Bluetooth: fix kernel null pointer dereference error on suspend

2020-06-29 Thread Vamshi K Sthambamkadi
BUG Call Trace:
  queue_work_on+0x39/0x40
  hci_adv_monitors_clear+0x71/0x90 [bluetooth]
  hci_unregister_dev+0x18a/0x2f0 [bluetooth]
  btusb_disconnect+0x68/0x150 [btusb]
  usb_unbind_interface+0x7f/0x260
  device_release_driver_internal+0xec/0x1b0
  device_release_driver+0x12/0x20
  bus_remove_device+0xe1/0x150
  device_del+0x17d/0x3e0
  usb_disable_device+0x9f/0x250
  usb_disconnect+0xc6/0x270
  hub_event+0x6da/0x18d0
  process_one_work+0x20c/0x400
  worker_thread+0x34/0x400

RIP: 0010:__queue_work+0x92/0x3f0

A NULL dereference occurs in hci_update_background_scan() while it tries
to queue_work on already destroyed workqueues.

Change hci_unregister_dev() to invoke destroy_workqueues after the
call to hci_adv_monitors_clear().

Signed-off-by: Vamshi K Sthambamkadi 
---
 net/bluetooth/hci_core.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 7959b85..5577cf9 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -3795,9 +3795,6 @@ void hci_unregister_dev(struct hci_dev *hdev)
kfree_const(hdev->hw_info);
kfree_const(hdev->fw_info);
 
-   destroy_workqueue(hdev->workqueue);
-   destroy_workqueue(hdev->req_workqueue);
-
hci_dev_lock(hdev);
hci_bdaddr_list_clear(>blacklist);
hci_bdaddr_list_clear(>whitelist);
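Review bot: removing destroy_workqueue() from this point means work queued by the *_clear() calls between hci_dev_lock() and hci_dev_unlock() (per the commit message, hci_adv_monitors_clear() is the one that hit queue_work_on()) now lands on a live queue instead of a destroyed one, which fixes the oops, but it also means that work will actually run; please confirm those work items check HCI_UNREGISTER or otherwise tolerate an hdev that is mid-teardown, since they now execute after hw_info and fw_info have already been freed a few lines up.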
@@ -3815,6 +3812,9 @@ void hci_unregister_dev(struct hci_dev *hdev)
hci_blocked_keys_clear(hdev);
hci_dev_unlock(hdev);
 
+   destroy_workqueue(hdev->workqueue);
+   destroy_workqueue(hdev->req_workqueue);
+
hci_dev_put(hdev);
 
ida_simple_remove(_index_ida, id);
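Review bot: placing destroy_workqueue() after hci_dev_unlock() but before hci_dev_put() is the right ordering, because destroy_workqueue() drains pending work and the hdev must still be alive while that work runs; a one-line comment here saying the queues must outlive the *_clear() calls above because those can queue background-scan work would keep someone from moving these two lines back up in a later cleanup.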
-- 
2.7.4



[PATCH] tracing/probe: fix memleak in fetch_op_data operations

2020-06-15 Thread Vamshi K Sthambamkadi
kmemleak report:
[<57dcc2ca>] __kmalloc_track_caller+0x139/0x2b0
[] kstrndup+0x37/0x80
[] parse_probe_arg.isra.7+0x3cc/0x630
[<055bf2ba>] traceprobe_parse_probe_arg+0x2f5/0x810
[<655a7766>] trace_kprobe_create+0x2ca/0x950
[<4fc6a02a>] create_or_delete_trace_kprobe+0xf/0x30
[<6d1c8a52>] trace_run_command+0x67/0x80
[] trace_parse_run_command+0xa7/0x140
[] probes_write+0x10/0x20
[<2027641c>] __vfs_write+0x30/0x1e0
[<6a4aeee1>] vfs_write+0x96/0x1b0
[<3517fb7d>] ksys_write+0x53/0xc0
[] __ia32_sys_write+0x15/0x20
[] do_syscall_32_irqs_on+0x3d/0x260
[] do_fast_syscall_32+0x39/0xb0
[] entry_SYSENTER_32+0xaf/0x102

Post parse_probe_arg(), the FETCH_OP_DATA operation type is overwritten
to FETCH_OP_ST_STRING; as a result, memory is never freed since
traceprobe_free_probe_arg() iterates only over SYMBOL and DATA op types.

Set up the fetch string operation correctly after the fetch_op_data operation.

Signed-off-by: Vamshi K Sthambamkadi 
---
 kernel/trace/trace_probe.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/kernel/trace/trace_probe.c b/kernel/trace/trace_probe.c
index b8a928e..d2867cc 100644
--- a/kernel/trace/trace_probe.c
+++ b/kernel/trace/trace_probe.c
@@ -639,8 +639,8 @@ static int traceprobe_parse_probe_arg_body(char *arg, 
ssize_t *size,
ret = -EINVAL;
goto fail;
}
-   if ((code->op == FETCH_OP_IMM || code->op == FETCH_OP_COMM) ||
-parg->count) {
+   if ((code->op == FETCH_OP_IMM || code->op == FETCH_OP_COMM ||
+code->op == FETCH_OP_DATA) || parg->count) {
/*
 * IMM, DATA and COMM is pointing actual address, those
 * must be kept, and if parg->count != 0, this is an
-- 
2.7.4



[PATCH] mm/memory_hotplug: fix default_zone_for_pfn() to include highmem zone range

2020-06-04 Thread Vamshi K Sthambamkadi
On x86_32, while onlining highmem sections, the function default_zone_for_pfn()
defaults the target zone to ZONE_NORMAL (movable_node_enabled = 0). Onlining of
pages is successful, and these highmem pages are moved into zone_normal.

As a consequence, these pages are treated as low mem, and page addresses
are calculated using lowmem_page_address(), which effectively overflows the
32-bit virtual addresses, leading to kernel panics, and the system becomes
unusable.

Change default_kernel_zone_for_pfn() to intersect the highmem pfn range and
calculate the default zone accordingly.

Signed-off-by: Vamshi K Sthambamkadi 
---
 mm/memory_hotplug.c | 7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c
index c4d5c45..30f101a 100644
--- a/mm/memory_hotplug.c
+++ b/mm/memory_hotplug.c
@@ -725,8 +725,13 @@ static struct zone *default_kernel_zone_for_pfn(int nid, 
unsigned long start_pfn
 {
struct pglist_data *pgdat = NODE_DATA(nid);
int zid;
+   int nr_zones = ZONE_NORMAL;
 
-   for (zid = 0; zid <= ZONE_NORMAL; zid++) {
+#ifdef CONFIG_HIGHMEM
+   nr_zones = ZONE_HIGHMEM;
+#endif
+
+   for (zid = 0; zid <= nr_zones; zid++) {
struct zone *zone = >node_zones[zid];
 
if (zone_intersects(zone, start_pfn, nr_pages))
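Review bot: `nr_zones` holds the highest zone index to scan (ZONE_NORMAL or ZONE_HIGHMEM), not a count of zones, so the name is misleading; `last_zid` or `max_zone` would read better. Note that ZONE_HIGHMEM only exists in enum zone_type when CONFIG_HIGHMEM is set, so the `#ifdef` is genuinely needed and cannot be folded into an IS_ENABLED() ternary. The commit message should also spell out why a function named default_kernel_zone_for_pfn() is now expected to return ZONE_HIGHMEM, since callers may assume it always yields a lowmem zone.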
-- 
2.7.4



[tip: x86/boot] x86/boot: Add kstrtoul() from lib/

2020-05-04 Thread tip-bot2 for Vamshi K Sthambamkadi
The following commit has been merged into the x86/boot branch of tip:

Commit-ID: 5fafbebc86a0043ca5bbd8d3ce4f63dc5a02ad8e
Gitweb: https://git.kernel.org/tip/5fafbebc86a0043ca5bbd8d3ce4f63dc5a02ad8e
Author: Vamshi K Sthambamkadi 
AuthorDate: Thu, 23 Apr 2020 18:09:47 +05:30
Committer: Borislav Petkov 
CommitterDate: Mon, 04 May 2020 15:19:07 +02:00

x86/boot: Add kstrtoul() from lib/

Add kstrtoul() to ../boot/ to be used by facilities there too.

 [
   bp: Massage, make _kstrtoul() static. Prepend function names with
   "boot_". This is a temporary workaround for build errors like:

   ld: arch/x86/boot/compressed/acpi.o: in function 
`count_immovable_mem_regions':
   acpi.c:(.text+0x463): undefined reference to `_kstrtoul'
   make[2]: *** [arch/x86/boot/compressed/Makefile:117: 
arch/x86/boot/compressed/vmlinux] Error 1

   due to the namespace clash between x86/boot/ and kernel proper.
   Future reorg will get rid of the linux/linux/ namespace as much as
   possible so that x86/boot/ can be independent from kernel proper. ]

Signed-off-by: Vamshi K Sthambamkadi 
Signed-off-by: Borislav Petkov 
Link: https://lkml.kernel.org/r/1587645588-7130-2-git-send-email-vamshi.k.sthambamk...@gmail.com
---
 arch/x86/boot/string.c | 43 -
 arch/x86/boot/string.h |  1 +-
 2 files changed, 43 insertions(+), 1 deletion(-)

diff --git a/arch/x86/boot/string.c b/arch/x86/boot/string.c
index 8272a44..8a3fff9 100644
--- a/arch/x86/boot/string.c
+++ b/arch/x86/boot/string.c
@@ -117,7 +117,6 @@ static unsigned int simple_guess_base(const char *cp)
  * @endp: A pointer to the end of the parsed string will be placed here
  * @base: The number base to use
  */
-
 unsigned long long simple_strtoull(const char *cp, char **endp, unsigned int 
base)
 {
unsigned long long result = 0;
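Review bot: this hunk only deletes the blank line between the kernel-doc block and simple_strtoull(); that is a valid fix on its own, since kernel-doc attaches a comment to the declaration that immediately follows it, but it is unrelated to adding kstrtoul() and is not mentioned in the commit message, so either note it there or split it into its own patch.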
@@ -335,3 +334,45 @@ int kstrtoull(const char *s, unsigned int base, unsigned 
long long *res)
s++;
return _kstrtoull(s, base, res);
 }
+
+static int _kstrtoul(const char *s, unsigned int base, unsigned long *res)
+{
+   unsigned long long tmp;
+   int rv;
+
+   rv = kstrtoull(s, base, );
+   if (rv < 0)
+   return rv;
+   if (tmp != (unsigned long)tmp)
+   return -ERANGE;
+   *res = tmp;
+   return 0;
+}
+
+/**
+ * kstrtoul - convert a string to an unsigned long
+ * @s: The start of the string. The string must be null-terminated, and may 
also
+ *  include a single newline before its terminating null. The first character
+ *  may also be a plus sign, but not a minus sign.
+ * @base: The number base to use. The maximum supported base is 16. If base is
+ *  given as 0, then the base of the string is automatically detected with the
+ *  conventional semantics - If it begins with 0x the number will be parsed as 
a
+ *  hexadecimal (case insensitive), if it otherwise begins with 0, it will be
+ *  parsed as an octal number. Otherwise it will be parsed as a decimal.
+ * @res: Where to write the result of the conversion on success.
+ *
+ * Returns 0 on success, -ERANGE on overflow and -EINVAL on parsing error.
+ * Used as a replacement for the simple_strtoull.
+ */
+int boot_kstrtoul(const char *s, unsigned int base, unsigned long *res)
+{
+   /*
+* We want to shortcut function call, but
+* __builtin_types_compatible_p(unsigned long, unsigned long long) = 0.
+*/
+   if (sizeof(unsigned long) == sizeof(unsigned long long) &&
+   __alignof__(unsigned long) == __alignof__(unsigned long long))
+   return kstrtoull(s, base, (unsigned long long *)res);
+   else
+   return _kstrtoul(s, base, res);
+}
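Review bot: the kernel-doc header reads `kstrtoul - convert a string to an unsigned long` while the function it documents is boot_kstrtoul(); kernel-doc keys on that name, so change it to `boot_kstrtoul -` and drop the sentence `Used as a replacement for the simple_strtoull.`, which was carried over from lib/ and does not describe this helper. The range check in _kstrtoul() (`tmp != (unsigned long)tmp`) is the right way to reject values that fit in 64 bits but not in an unsigned long, and the sizeof/alignof condition in boot_kstrtoul() is a compile-time constant, so only one of the two branches survives on any given build.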
diff --git a/arch/x86/boot/string.h b/arch/x86/boot/string.h
index 38d8f2f..995f7b7 100644
--- a/arch/x86/boot/string.h
+++ b/arch/x86/boot/string.h
@@ -30,4 +30,5 @@ extern unsigned long long simple_strtoull(const char *cp, 
char **endp,
  unsigned int base);
 
 int kstrtoull(const char *s, unsigned int base, unsigned long long *res);
+int boot_kstrtoul(const char *s, unsigned int base, unsigned long *res);
 #endif /* BOOT_STRING_H */


[tip: x86/boot] x86/boot: Fix -Wint-to-pointer-cast build warning

2020-05-04 Thread tip-bot2 for Vamshi K Sthambamkadi
The following commit has been merged into the x86/boot branch of tip:

Commit-ID: 40ba9309c76f29d012a5cc0cf938f8ff7dc6fef2
Gitweb: https://git.kernel.org/tip/40ba9309c76f29d012a5cc0cf938f8ff7dc6fef2
Author: Vamshi K Sthambamkadi 
AuthorDate: Thu, 23 Apr 2020 18:09:48 +05:30
Committer: Borislav Petkov 
CommitterDate: Mon, 04 May 2020 15:22:16 +02:00

x86/boot: Fix -Wint-to-pointer-cast build warning

Fix this warning when building 32-bit with

CONFIG_RANDOMIZE_BASE=y
CONFIG_MEMORY_HOTREMOVE=y

  arch/x86/boot/compressed/acpi.c:316:9: warning: \
cast to pointer from integer of different size [-Wint-to-pointer-cast]

Have get_cmdline_acpi_rsdp() return unsigned long which is the proper
type to convert to a pointer of the respective width.

 [ bp: Rewrite commit message, touch ups. ]

Signed-off-by: Vamshi K Sthambamkadi 
Signed-off-by: Borislav Petkov 
Link: https://lkml.kernel.org/r/1587645588-7130-3-git-send-email-vamshi.k.sthambamk...@gmail.com
---
 arch/x86/boot/compressed/acpi.c | 7 +++
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/arch/x86/boot/compressed/acpi.c b/arch/x86/boot/compressed/acpi.c
index ef2ad72..8bcbcee 100644
--- a/arch/x86/boot/compressed/acpi.c
+++ b/arch/x86/boot/compressed/acpi.c
@@ -280,9 +280,9 @@ acpi_physical_address get_rsdp_addr(void)
  */
 #define MAX_ADDR_LEN 19
 
-static acpi_physical_address get_cmdline_acpi_rsdp(void)
+static unsigned long get_cmdline_acpi_rsdp(void)
 {
-   acpi_physical_address addr = 0;
+   unsigned long addr = 0;
 
 #ifdef CONFIG_KEXEC
char val[MAX_ADDR_LEN] = { };
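Review bot: changing the return type from acpi_physical_address to unsigned long is a deliberate narrowing on 32-bit (the quoted -Wint-to-pointer-cast warning shows acpi_physical_address is wider than a pointer there), so a brief comment on get_cmdline_acpi_rsdp() saying that the RSDP address must fit the boot-time pointer width would make the intent explicit; the function name alone no longer hints that it used to hand back a possibly wider physical address.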
@@ -292,7 +292,7 @@ static acpi_physical_address get_cmdline_acpi_rsdp(void)
if (ret < 0)
return 0;
 
-   if (kstrtoull(val, 16, ))
+   if (boot_kstrtoul(val, 16, ))
return 0;
 #endif
return addr;
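Review bot: with boot_kstrtoul() in place of kstrtoull(), an acpi_rsdp= value that does not fit in unsigned long now fails with -ERANGE and the function returns 0, so the parameter is silently ignored rather than truncated into a bogus pointer; that is the safer outcome, but it is a behaviour change on 32-bit and deserves a sentence in the commit message.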
@@ -314,7 +314,6 @@ static unsigned long get_acpi_srat_table(void)
 * different ideas about whether to trust a command-line parameter.
 */
rsdp = (struct acpi_table_rsdp *)get_cmdline_acpi_rsdp();
-
if (!rsdp)
rsdp = (struct acpi_table_rsdp *)(long)
boot_params->acpi_rsdp_addr;