Re: [PATCH] tracing: fix memory leaks in __create_synth_event()
On Thu, Mar 04, 2021 at 09:40:49AM -0500, Steven Rostedt wrote:
> On Thu, 4 Mar 2021 15:15:24 +0530
> Vamshi K Sthambamkadi wrote:
>
> Not anything to do with you. I have a set of fixes that I have queued that
> requires a ~13 hour test to run before I push off to Linus. When it was
> almost done, I discovered another bug. Fixed it. Killed the almost completed
> running test, and restarted it for another 13 hour run. I woke up this
> morning happy to see that it passed, but then found your patch.
>
> Wash, rinse, repeat! :-p

Sorry for the wrong timing of sending this patch :)

Thanks for looking into it, and applying it.

Regards,
Vamshi
[PATCH] tracing: fix memory leaks in __create_synth_event()
kmemleak report: unreferenced object 0xc5a6f708 (size 8): comm "ftracetest", pid 1209, jiffies 4294911500 (age 6.816s) hex dump (first 8 bytes): 00 c1 3d 60 14 83 1f 8a ..=` backtrace: [] __kmalloc_track_caller+0x2a6/0x460 [<7d3d60a6>] kstrndup+0x37/0x70 [<45a0e739>] argv_split+0x1c/0x120 [] __create_synth_event+0x192/0xb00 [<0708b8a3>] create_synth_event+0xbb/0x150 [<3d1941e1>] create_dyn_event+0x5c/0xb0 [<5cf8b9e3>] trace_parse_run_command+0xa7/0x140 [<04deb2ef>] dyn_event_write+0x10/0x20 [<8779ac95>] vfs_write+0xa9/0x3c0 [] ksys_write+0x89/0xc0 [] __ia32_sys_write+0x15/0x20 [<7ce02d85>] __do_fast_syscall_32+0x45/0x80 [] do_fast_syscall_32+0x29/0x60 [<2467454a>] do_SYSENTER_32+0x15/0x20 [<9beaa61d>] entry_SYSENTER_32+0xa9/0xfc unreferenced object 0xc5a6f078 (size 8): comm "ftracetest", pid 1209, jiffies 4294911500 (age 6.816s) hex dump (first 8 bytes): 08 f7 a6 c5 00 00 00 00 backtrace: [] __kmalloc+0x2b6/0x470 [] argv_split+0x82/0x120 [] __create_synth_event+0x192/0xb00 [<0708b8a3>] create_synth_event+0xbb/0x150 [<3d1941e1>] create_dyn_event+0x5c/0xb0 [<5cf8b9e3>] trace_parse_run_command+0xa7/0x140 [<04deb2ef>] dyn_event_write+0x10/0x20 [<8779ac95>] vfs_write+0xa9/0x3c0 [] ksys_write+0x89/0xc0 [] __ia32_sys_write+0x15/0x20 [<7ce02d85>] __do_fast_syscall_32+0x45/0x80 [] do_fast_syscall_32+0x29/0x60 [<2467454a>] do_SYSENTER_32+0x15/0x20 [<9beaa61d>] entry_SYSENTER_32+0xa9/0xfc In __create_synth_event(),while iterating field/type arguments, the argv_split() will return array of atleast 2 elements even when zero arguments(argc=0) are passed. for e.g. when there is double delimiter or string ends with delimiter To fix call argv_free() even when argc=0. Signed-off-by: Vamshi K Sthambamkadi --- kernel/trace/trace_events_synth.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/kernel/trace/trace_events_synth.c b/kernel/trace/trace_events_synth.c index 2979a96595b4..8d71e6c83f10 100644 --- a/kernel/trace/trace_events_synth.c 
+++ b/kernel/trace/trace_events_synth.c @@ -1225,8 +1225,10 @@ static int __create_synth_event(const char *name, const char *raw_fields) goto err; } - if (!argc) + if (!argc) { + argv_free(argv); continue; + } n_fields_this_loop = 0; consumed = 0; -- 2.17.1
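Review bot: The added `argv_free(argv)` before `continue` closes the argc == 0 leak the description explains (argv_split() hands back an array of at least 2 elements even when it parsed zero arguments), but the `goto err;` visible just above the hunk is another exit from the same loop iteration; confirm that the `err:` path also frees the `argv` allocated for the current iteration, otherwise the same allocation leaks on the error path. Minor: the commit message should spell "at least" as two words and give the example (`"a; b"`-style double delimiter or trailing delimiter) as a full sentence.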
[PATCH v2] Bluetooth: btusb: fix memory leak on suspend and resume
kmemleak report: unreferenced object 0x9b1127f00500 (size 208): comm "kworker/u17:2", pid 500, jiffies 4294937470 (age 580.136s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 ed 05 11 9b ff ff 00 00 00 00 00 00 00 00 .`.. backtrace: [<6ab3fd59>] kmem_cache_alloc_node+0x17a/0x480 [<51a5f6f9>] __alloc_skb+0x5b/0x1d0 [<37e2d252>] hci_prepare_cmd+0x32/0xc0 [bluetooth] [<10b586d5>] hci_req_add_ev+0x84/0xe0 [bluetooth] [<d2deb520>] hci_req_clear_event_filter+0x42/0x70 [bluetooth] [<f864bd8c>] hci_req_prepare_suspend+0x84/0x470 [bluetooth] [<1deb2cc4>] hci_prepare_suspend+0x31/0x40 [bluetooth] [<2677dd79>] process_one_work+0x209/0x3b0 [<aaa62b07>] worker_thread+0x34/0x400 [<826d176c>] kthread+0x126/0x140 [<2305e558>] ret_from_fork+0x22/0x30 unreferenced object 0x9b1125c6ee00 (size 512): comm "kworker/u17:2", pid 500, jiffies 4294937470 (age 580.136s) hex dump (first 32 bytes): 04 00 00 00 0d 00 00 00 05 0c 01 00 11 9b ff ff 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 backtrace: [<9f07c0cc>] slab_post_alloc_hook+0x59/0x270 [<49431dc2>] __kmalloc_node_track_caller+0x15f/0x330 [<027a42f6>] __kmalloc_reserve.isra.70+0x31/0x90 [<e8e3e76a>] __alloc_skb+0x87/0x1d0 [<37e2d252>] hci_prepare_cmd+0x32/0xc0 [bluetooth] [<10b586d5>] hci_req_add_ev+0x84/0xe0 [bluetooth] [<d2deb520>] hci_req_clear_event_filter+0x42/0x70 [bluetooth] [<f864bd8c>] hci_req_prepare_suspend+0x84/0x470 [bluetooth] [<1deb2cc4>] hci_prepare_suspend+0x31/0x40 [bluetooth] [<2677dd79>] process_one_work+0x209/0x3b0 [<aaa62b07>] worker_thread+0x34/0x400 [<826d176c>] kthread+0x126/0x140 [<2305e558>] ret_from_fork+0x22/0x30 unreferenced object 0x9b112b395788 (size 8): comm "kworker/u17:2", pid 500, jiffies 4294937470 (age 580.136s) hex dump (first 8 bytes): 20 00 00 00 00 00 04 00 ... 
backtrace: [<52dc28d2>] kmem_cache_alloc_trace+0x15e/0x460 [<46147591>] alloc_ctrl_urb+0x52/0xe0 [btusb] [<a2ed3e9e>] btusb_send_frame+0x91/0x100 [btusb] [<1e66030e>] hci_send_frame+0x7e/0xf0 [bluetooth] [<bf6b7269>] hci_cmd_work+0xc5/0x130 [bluetooth] [<2677dd79>] process_one_work+0x209/0x3b0 [<aaa62b07>] worker_thread+0x34/0x400 [<826d176c>] kthread+0x126/0x140 [<2305e558>] ret_from_fork+0x22/0x30 In pm sleep-resume context, while the btusb device rebinds, it enters hci_unregister_dev(), whilst there is a possibility of hdev receiving PM_POST_SUSPEND suspend_notifier event, leading to generation of msg frames. When hci_unregister_dev() completes, i.e. hdev context is destroyed/freed, those intermittently sent msg frames cause memory leak. BUG details: Below is stack trace of thread that enters hci_unregister_dev(), marks the hdev flag HCI_UNREGISTER to 1, and then goes onto to wait on notifier lock - refer unregister_pm_notifier(). hci_unregister_dev+0xa5/0x320 [bluetoot] btusb_disconnect+0x68/0x150 [btusb] usb_unbind_interface+0x77/0x250 ? kernfs_remove_by_name_ns+0x75/0xa0 device_release_driver_internal+0xfe/0x1 device_release_driver+0x12/0x20 bus_remove_device+0xe1/0x150 device_del+0x192/0x3e0 ? usb_remove_ep_devs+0x1f/0x30 usb_disable_device+0x92/0x1b0 usb_disconnect+0xc2/0x270 hub_event+0x9f6/0x15d0 ? rpm_idle+0x23/0x360 ? rpm_idle+0x26b/0x360 process_one_work+0x209/0x3b0 worker_thread+0x34/0x400 ? process_one_work+0x3b0/0x3b0 kthread+0x126/0x140 ? kthread_park+0x90/0x90 ret_from_fork+0x22/0x30 Below is stack trace of thread executing hci_suspend_notifier() which processes the PM_POST_SUSPEND event, while the unbinding thread is waiting on lock. 
hci_suspend_notifier.cold.39+0x5/0x2b [bluetooth] blocking_notifier_call_chain+0x69/0x90 pm_notifier_call_chain+0x1a/0x20 pm_suspend.cold.9+0x334/0x352 state_store+0x84/0xf0 kobj_attr_store+0x12/0x20 sysfs_kf_write+0x3b/0x40 kernfs_fop_write+0xda/0x1c0 vfs_write+0xbb/0x250 ksys_write+0x61/0xe0 __x64_sys_write+0x1a/0x20 do_syscall_64+0x37/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Fix hci_suspend_notifer(), not to act on events when flag HCI_UNREGISTER is set. Signed-off-by: Vamshi K Sthambamkadi --- net/bluetooth/hci_core.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c index 9d
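Review bot: The diff body is cut off in this archive rendering after `index 9d`, so the HCI_UNREGISTER check in hci_suspend_notifier() itself cannot be reviewed here; only the description and the `net/bluetooth/hci_core.c | 3 ++-` stat are visible. On the described design: the unregistering thread sets HCI_UNREGISTER and then waits in unregister_pm_notifier() for the notifier lock, so a flag test inside hci_suspend_notifier() covers notifier calls that begin after the flag is set; a call that is already past the test when the flag is set would still prepare frames, so the commit message should state why that window is acceptable (for example, that unregister_pm_notifier() waiting for the running callback closes it). Typo: `hci_suspend_notifer()` should be `hci_suspend_notifier()`.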
[PATCH] Bluetooth: btusb: fix memory leak on suspend and resume
[tip: efi/urgent] efivarfs: fix memory leak in efivarfs_create()
The following commit has been merged into the efi/urgent branch of tip: Commit-ID: fe5186cf12e30facfe261e9be6c7904a170bd822 Gitweb: https://git.kernel.org/tip/fe5186cf12e30facfe261e9be6c7904a170bd822 Author:Vamshi K Sthambamkadi AuthorDate:Fri, 23 Oct 2020 17:24:39 +05:30 Committer: Ard Biesheuvel CommitterDate: Mon, 26 Oct 2020 08:15:24 +01:00 efivarfs: fix memory leak in efivarfs_create() kmemleak report: unreferenced object 0x9b8915fcb000 (size 4096): comm "efivarfs.sh", pid 2360, jiffies 4294920096 (age 48.264s) hex dump (first 32 bytes): 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 backtrace: [<cc4d897c>] kmem_cache_alloc_trace+0x155/0x4b0 [<7d1dfa72>] efivarfs_create+0x6e/0x1a0 [<e6ee18fc>] path_openat+0xe4b/0x1120 [<0ad0414f>] do_filp_open+0x91/0x100 [<ce93a198>] do_sys_openat2+0x20c/0x2d0 [<2a91be6d>] do_sys_open+0x46/0x80 [<0a854999>] __x64_sys_openat+0x20/0x30 [<c50d89c9>] do_syscall_64+0x38/0x90 [<cecd6b5f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 In efivarfs_create(), inode->i_private is setup with efivar_entry object which is never freed. Cc: Signed-off-by: Vamshi K Sthambamkadi Link: https://lore.kernel.org/r/20201023115429.GA2479@cosmos Signed-off-by: Ard Biesheuvel --- fs/efivarfs/super.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/efivarfs/super.c b/fs/efivarfs/super.c index 15880a6..f943fd0 100644 --- a/fs/efivarfs/super.c +++ b/fs/efivarfs/super.c @@ -21,6 +21,7 @@ LIST_HEAD(efivarfs_list); static void efivarfs_evict_inode(struct inode *inode) { clear_inode(inode); + kfree(inode->i_private); } static const struct super_operations efivarfs_ops = {
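Review bot: `kfree(inode->i_private)` in efivarfs_evict_inode() runs for every efivarfs inode, so it relies on `i_private` being either NULL or the kmalloc'd efivar_entry the description mentions; kfree(NULL) is a no-op, so directory inodes are safe provided nothing else is ever stored there. The `LIST_HEAD(efivarfs_list)` in the hunk context indicates entries are also linked into a list: confirm the entry is unlinked from efivarfs_list before the inode is evicted, otherwise the list keeps a pointer to freed memory.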
[PATCH] efivarfs: fix memory leak in efivarfs_create()
kmemleak report: unreferenced object 0x9b8915fcb000 (size 4096): comm "efivarfs.sh", pid 2360, jiffies 4294920096 (age 48.264s) hex dump (first 32 bytes): 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 backtrace: [<cc4d897c>] kmem_cache_alloc_trace+0x155/0x4b0 [<7d1dfa72>] efivarfs_create+0x6e/0x1a0 [<e6ee18fc>] path_openat+0xe4b/0x1120 [<0ad0414f>] do_filp_open+0x91/0x100 [<ce93a198>] do_sys_openat2+0x20c/0x2d0 [<2a91be6d>] do_sys_open+0x46/0x80 [<0a854999>] __x64_sys_openat+0x20/0x30 [<c50d89c9>] do_syscall_64+0x38/0x90 [<cecd6b5f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 In efivarfs_create(), inode->i_private is setup with efivar_entry object which is never freed. Signed-off-by: Vamshi K Sthambamkadi --- fs/efivarfs/super.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/efivarfs/super.c b/fs/efivarfs/super.c index 15880a6..f943fd0 100644 --- a/fs/efivarfs/super.c +++ b/fs/efivarfs/super.c @@ -21,6 +21,7 @@ LIST_HEAD(efivarfs_list); static void efivarfs_evict_inode(struct inode *inode) { clear_inode(inode); + kfree(inode->i_private); } static const struct super_operations efivarfs_ops = { -- 2.7.4
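Review bot: The description says `inode->i_private is setup with efivar_entry object`; naming where that assignment and the allocation happen (efivarfs_create(), per the `kmem_cache_alloc_trace` frame in the backtrace) would make the pairing with the new `kfree()` in efivarfs_evict_inode() easy to verify. Since the leak is reproduced by the `efivarfs.sh` selftest, a `Cc: stable@vger.kernel.org` tag would help the fix reach stable kernels; the merged version carries only a bare `Cc:`.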
[PATCH] drm/nouveau: fix memory leak in iccsense/base.c
kmemleak report: unreferenced object 0x9071c65644e0 (size 96): comm "systemd-udevd", pid 347, jiffies 4294898424 (age 810.828s) hex dump (first 32 bytes): 02 01 00 00 00 00 00 00 00 00 10 00 02 04 00 00 00 00 00 00 00 00 a0 86 00 00 00 00 00 00 00 00 backtrace: [<7c0d0ac3>] __kmalloc+0x337/0x500 [<551bfaeb>] nvbios_iccsense_parse+0xf7/0x280 [nouveau] [<e3e8968b>] nvkm_iccsense_oneinit+0x6c/0x4e0 [nouveau] [<287e7701>] nvkm_subdev_init+0x58/0xd0 [nouveau] [<08e4793e>] nvkm_device_init+0x118/0x1a0 [nouveau] [<8cd3afa3>] nvkm_udevice_init+0x48/0x60 [nouveau] [<7e047aee>] nvkm_object_init+0x43/0x110 [nouveau] [<6c56b3a4>] nvkm_ioctl_new+0x184/0x210 [nouveau] [<80abc890>] nvkm_ioctl+0xf0/0x190 [nouveau] [<f35056a2>] nvkm_client_ioctl+0x12/0x20 [nouveau] [<0f001008>] nvif_object_ioctl+0x4f/0x60 [nouveau] [<98d66807>] nvif_object_ctor+0xfb/0x160 [nouveau] [<fe24934a>] nvif_device_ctor+0x24/0x70 [nouveau] [<878b3286>] nouveau_cli_init+0x1a3/0x460 [nouveau] [<a1578335>] nouveau_drm_device_init+0x77/0x740 [nouveau] [<faef6b28>] nouveau_drm_probe+0x132/0x1f0 [nouveau] Fix nvkm_iccsense_oneinit(), to free stbl.rail post iteration. Signed-off-by: Vamshi K Sthambamkadi --- drivers/gpu/drm/nouveau/nvkm/subdev/iccsense/base.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/iccsense/base.c b/drivers/gpu/drm/nouveau/nvkm/subdev/iccsense/base.c index fecfa6a..23d91b6 100644 --- a/drivers/gpu/drm/nouveau/nvkm/subdev/iccsense/base.c +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/iccsense/base.c @@ -291,6 +291,7 @@ nvkm_iccsense_oneinit(struct nvkm_subdev *subdev) list_add_tail(>head, >rails); } } + kfree(stbl.rail); return 0; } -- 2.7.4
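Review bot: `kfree(stbl.rail);` is added only on the success path before `return 0;`; if nvkm_iccsense_oneinit() has any early `return` between nvbios_iccsense_parse() (the allocation site in the backtrace) and this point, `stbl.rail` still leaks there. Prefer freeing immediately after the loop that consumes `stbl.rail`, or an unwind label, so that every exit path releases it. Note that the archive rendering has dropped the `&` in `list_add_tail(>head, >rails)`; the posted lines take the addresses of the list heads.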
[tip: x86/urgent] tracing/kprobes, x86/ptrace: Fix regs argument order for i386
The following commit has been merged into the x86/urgent branch of tip: Commit-ID: 2356bb4b8221d7dc8c7beb810418122ed90254c9 Gitweb: https://git.kernel.org/tip/2356bb4b8221d7dc8c7beb810418122ed90254c9 Author:Vamshi K Sthambamkadi AuthorDate:Fri, 28 Aug 2020 17:02:46 +05:30 Committer: Borislav Petkov CommitterDate: Fri, 04 Sep 2020 14:40:42 +02:00 tracing/kprobes, x86/ptrace: Fix regs argument order for i386 On i386, the order of parameters passed on regs is eax,edx,and ecx (as per regparm(3) calling conventions). Change the mapping in regs_get_kernel_argument(), so that arg1=ax arg2=dx, and arg3=cx. Running the selftests testcase kprobes_args_use.tc shows the result as passed. Fixes: 3c88ee194c28 ("x86: ptrace: Add function argument access API") Signed-off-by: Vamshi K Sthambamkadi Signed-off-by: Borislav Petkov Acked-by: Masami Hiramatsu Acked-by: Peter Zijlstra (Intel) Cc: Link: https://lkml.kernel.org/r/20200828113242.GA1424@cosmos --- arch/x86/include/asm/ptrace.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/include/asm/ptrace.h b/arch/x86/include/asm/ptrace.h index 40aa69d..d8324a2 100644 --- a/arch/x86/include/asm/ptrace.h +++ b/arch/x86/include/asm/ptrace.h @@ -327,8 +327,8 @@ static inline unsigned long regs_get_kernel_argument(struct pt_regs *regs, static const unsigned int argument_offs[] = { #ifdef __i386__ offsetof(struct pt_regs, ax), - offsetof(struct pt_regs, cx), offsetof(struct pt_regs, dx), + offsetof(struct pt_regs, cx), #define NR_REG_ARGUMENTS 3 #else offsetof(struct pt_regs, di),
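Review bot: Swapping the `cx` and `dx` entries gives the regparm(3) order (eax, edx, ecx) stated in the commit message, and `NR_REG_ARGUMENTS 3` is unchanged. A one-line comment next to the `#ifdef __i386__` table stating that order would stop the entries from being "corrected" back later; at present the only documentation of the ordering is this commit message.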
[PATCH] kprobes, x86/ptrace.h: fix regs argument order for i386
On i386, the order of parameters passed on regs is eax,edx,and ecx (as per regparm(3) calling conventions). Change the mapping in regs_get_kernel_argument(), so that arg1=ax arg2=dx, and arg3=cx. Running the selftests testcase kprobes_args_use.tc shows the result as passed. Signed-off-by: Vamshi K Sthambamkadi --- arch/x86/include/asm/ptrace.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/include/asm/ptrace.h b/arch/x86/include/asm/ptrace.h index 40aa69d..d8324a2 100644 --- a/arch/x86/include/asm/ptrace.h +++ b/arch/x86/include/asm/ptrace.h @@ -327,8 +327,8 @@ static inline unsigned long regs_get_kernel_argument(struct pt_regs *regs, static const unsigned int argument_offs[] = { #ifdef __i386__ offsetof(struct pt_regs, ax), - offsetof(struct pt_regs, cx), offsetof(struct pt_regs, dx), + offsetof(struct pt_regs, cx), #define NR_REG_ARGUMENTS 3 #else offsetof(struct pt_regs, di), -- 2.7.4
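Review bot: This corrects a wrong argument mapping that the kprobes selftest (`kprobes_args_use.tc`) detects, so the submission should carry a `Fixes:` tag pointing at the commit that introduced regs_get_kernel_argument() (the merged version adds `Fixes: 3c88ee194c28`) and a `Cc: stable@vger.kernel.org` so the fix is backported.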
[PATCH] pidfd: fix memory leak in pidfd_getfd()
kmemleak backtrace: comm "pidfd_getfd_tes", pid 1406, jiffies 4294936898 (age 8.644s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 90 da d8 f6 80 d5 6f f2 ..o. b8 fb 9b ea c0 91 99 d1 00 00 00 00 00 00 00 00 backtrace: [<8da987ad>] kmem_cache_alloc+0x199/0x4c0 [<8ff6a575>] __alloc_file+0x1e/0xe0 [] alloc_empty_file+0x45/0x100 [<727fe6eb>] alloc_file+0x23/0xf0 [<457148ef>] alloc_file_pseudo+0x98/0x100 [] __shmem_file_setup.part.67+0x66/0x120 [<5edc3e9b>] shmem_file_setup+0x4c/0x70 [<9c446684>] __ia32_sys_memfd_create+0x122/0x1c0 [] do_syscall_32_irqs_on+0x3d/0x260 [<62569441>] do_fast_syscall_32+0x39/0xb0 [<3c515b7e>] do_SYSENTER_32+0x15/0x20 [<69819a3a>] entry_SYSENTER_32+0xa9/0xfc comm "pidfd_getfd_tes", pid 1406, jiffies 4294936898 (age 8.644s) hex dump (first 16 bytes): 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 backtrace: [<8da987ad>] kmem_cache_alloc+0x199/0x4c0 [] security_file_alloc+0x20/0x90 [] __alloc_file+0x40/0xe0 [] alloc_empty_file+0x45/0x100 [<727fe6eb>] alloc_file+0x23/0xf0 [<457148ef>] alloc_file_pseudo+0x98/0x100 [] __shmem_file_setup.part.67+0x66/0x120 [<5edc3e9b>] shmem_file_setup+0x4c/0x70 [<9c446684>] __ia32_sys_memfd_create+0x122/0x1c0 [] do_syscall_32_irqs_on+0x3d/0x260 [<62569441>] do_fast_syscall_32+0x39/0xb0 [<3c515b7e>] do_SYSENTER_32+0x15/0x20 [<69819a3a>] entry_SYSENTER_32+0xa9/0xfc This is because in pidfd_getfd(), the file->f_count is incremented twice 1) __pidfd_fget() gets file ref by incrementing f_count in __fget_files() 2) f_count is incremented While installing fd in __fd_install_received() i.e. get_file(). Memory leak occurs because the refs count do not match, the struct file object is never freed. Secondly the error validity check (ret < 0) after the call to fd_install_received() is not needed since this function cannot return negative number after incrementing f_count. So it is wrong to call fput on condition (ret < 0). 
Change pidfd_getfd() to call fput() on file reference once its installed as new_fd in target process. Signed-off-by: Vamshi K Sthambamkadi --- kernel/pid.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/pid.c b/kernel/pid.c index 5799ae5..d00139c 100644 --- a/kernel/pid.c +++ b/kernel/pid.c @@ -653,8 +653,8 @@ static int pidfd_getfd(struct pid *pid, int fd) return PTR_ERR(file); ret = fd_install_received(file, O_CLOEXEC); - if (ret < 0) - fput(file); + + fput(file); return ret; } -- 2.7.4
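Review bot: Dropping the `if (ret < 0)` and calling `fput(file)` unconditionally is correct independently of whether fd_install_received() can fail: the reference taken by __pidfd_fget() is ours to drop once fd_install_received() has returned, because on success it holds its own reference (the `get_file()` in __fd_install_received() that the description mentions) and on failure nothing was installed. The description's claim that the function "cannot return negative number" is therefore not needed for correctness and could be softened. Style nit: the hunk adds a stray blank line (a bare `+`) before `fput(file);`.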
[PATCH] Bluetooth: fix kernel null pointer dereference error on suspend
BUG Call Trace: queue_work_on+0x39/0x40 hci_adv_monitors_clear+0x71/0x90 [bluetooth] hci_unregister_dev+0x18a/0x2f0 [bluetooth] btusb_disconnect+0x68/0x150 [btusb] usb_unbind_interface+0x7f/0x260 device_release_driver_internal+0xec/0x1b0 device_release_driver+0x12/0x20 bus_remove_device+0xe1/0x150 device_del+0x17d/0x3e0 usb_disable_device+0x9f/0x250 usb_disconnect+0xc6/0x270 hub_event+0x6da/0x18d0 process_one_work+0x20c/0x400 worker_thread+0x34/0x400 RIP: 0010:__queue_work+0x92/0x3f0 NULL deference occurs in hci_update_background_scan() while it tries to queue_work on already destroyed workqueues. Change hci_unregister_dev() to invoke destroy_workqueues after the call to hci_adv_monitors_clear(). Signed-off-by: Vamshi K Sthambamkadi --- net/bluetooth/hci_core.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c index 7959b85..5577cf9 100644 --- a/net/bluetooth/hci_core.c +++ b/net/bluetooth/hci_core.c @@ -3795,9 +3795,6 @@ void hci_unregister_dev(struct hci_dev *hdev) kfree_const(hdev->hw_info); kfree_const(hdev->fw_info); - destroy_workqueue(hdev->workqueue); - destroy_workqueue(hdev->req_workqueue); - hci_dev_lock(hdev); hci_bdaddr_list_clear(>blacklist); hci_bdaddr_list_clear(>whitelist); @@ -3815,6 +3812,9 @@ void hci_unregister_dev(struct hci_dev *hdev) hci_blocked_keys_clear(hdev); hci_dev_unlock(hdev); + destroy_workqueue(hdev->workqueue); + destroy_workqueue(hdev->req_workqueue); + hci_dev_put(hdev); ida_simple_remove(_index_ida, id); -- 2.7.4
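Review bot: Moving the two `destroy_workqueue()` calls after `hci_dev_unlock(hdev)` means work queued by hci_adv_monitors_clear() (the `queue_work_on` frame in the trace) now targets live workqueues, and destroy_workqueue() will drain that work before `hci_dev_put(hdev)`; confirm that nothing between the old and new positions relied on the queues already being gone. The description says the dereference is in hci_update_background_scan(), but that function does not appear in the trace (hci_adv_monitors_clear -> queue_work_on); stating that it is inlined into hci_adv_monitors_clear() would make the message match the backtrace.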
[PATCH] tracing/probe: fix memleak in fetch_op_data operations
kmemleak report: [<57dcc2ca>] __kmalloc_track_caller+0x139/0x2b0 [] kstrndup+0x37/0x80 [] parse_probe_arg.isra.7+0x3cc/0x630 [<055bf2ba>] traceprobe_parse_probe_arg+0x2f5/0x810 [<655a7766>] trace_kprobe_create+0x2ca/0x950 [<4fc6a02a>] create_or_delete_trace_kprobe+0xf/0x30 [<6d1c8a52>] trace_run_command+0x67/0x80 [] trace_parse_run_command+0xa7/0x140 [] probes_write+0x10/0x20 [<2027641c>] __vfs_write+0x30/0x1e0 [<6a4aeee1>] vfs_write+0x96/0x1b0 [<3517fb7d>] ksys_write+0x53/0xc0 [] __ia32_sys_write+0x15/0x20 [] do_syscall_32_irqs_on+0x3d/0x260 [] do_fast_syscall_32+0x39/0xb0 [] entry_SYSENTER_32+0xaf/0x102 Post parse_probe_arg(), the FETCH_OP_DATA operation type is overwritten to FETCH_OP_ST_STRING, as a result memory is never freed since traceprobe_free_probe_arg() iterates only over SYMBOL and DATA op types Setup fetch string operation correctly after fetch_op_data operation. Signed-off-by: Vamshi K Sthambamkadi --- kernel/trace/trace_probe.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/trace/trace_probe.c b/kernel/trace/trace_probe.c index b8a928e..d2867cc 100644 --- a/kernel/trace/trace_probe.c +++ b/kernel/trace/trace_probe.c @@ -639,8 +639,8 @@ static int traceprobe_parse_probe_arg_body(char *arg, ssize_t *size, ret = -EINVAL; goto fail; } - if ((code->op == FETCH_OP_IMM || code->op == FETCH_OP_COMM) || -parg->count) { + if ((code->op == FETCH_OP_IMM || code->op == FETCH_OP_COMM || +code->op == FETCH_OP_DATA) || parg->count) { /* * IMM, DATA and COMM is pointing actual address, those * must be kept, and if parg->count != 0, this is an -- 2.7.4
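Review bot: Adding `code->op == FETCH_OP_DATA` to the condition brings the code in line with the comment directly below it, which already says "IMM, DATA and COMM is pointing actual address, those must be kept". The commit title promises to "setup fetch string operation correctly after fetch_op_data", but the hunk only stops the DATA op from being overwritten; the message should say explicitly that keeping the op as FETCH_OP_DATA is what lets traceprobe_free_probe_arg() (which it says frees only SYMBOL and DATA) release the string. The unindented `+code->op == FETCH_OP_DATA) || parg->count) {` continuation looks like archive rendering; the posted patch should keep the continuation aligned with the opening parenthesis.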
[PATCH] mm/memory_hotplug: fix default_zone_for_pfn() to include highmem zone range
On x86_32, while onlining highmem sections, the func default_zone_for_pfn() defaults target zone to ZONE_NORMAL (movable_node_enabled = 0). Onlining of pages is successful, and these highmem pages are moved into zone_normal. As a consequence, these pages are treated as low mem, and page addresses are calculated using lowmem_page_address() which effectively overflows the 32 bit virtual addresses, leading to kernel panics and system becomes unusable. Change default_kernel_zone_for_pfn() to intersect highmem pfn range, and calculate the default zone accordingly. Signed-off-by: Vamshi K Sthambamkadi --- mm/memory_hotplug.c | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c index c4d5c45..30f101a 100644 --- a/mm/memory_hotplug.c +++ b/mm/memory_hotplug.c @@ -725,8 +725,13 @@ static struct zone *default_kernel_zone_for_pfn(int nid, unsigned long start_pfn { struct pglist_data *pgdat = NODE_DATA(nid); int zid; + int nr_zones = ZONE_NORMAL; - for (zid = 0; zid <= ZONE_NORMAL; zid++) { +#ifdef CONFIG_HIGHMEM + nr_zones = ZONE_HIGHMEM; +#endif + + for (zid = 0; zid <= nr_zones; zid++) { struct zone *zone = >node_zones[zid]; if (zone_intersects(zone, start_pfn, nr_pages)) -- 2.7.4
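Review bot: `nr_zones` holds the highest zone index to iterate to, not a count, so a name like `last_zone` (or `IS_ENABLED(CONFIG_HIGHMEM) ? ZONE_HIGHMEM : ZONE_NORMAL` in place of the `#ifdef` plus reassignment) would read better. The description says the change is in default_kernel_zone_for_pfn() while the subject names default_zone_for_pfn(); the hunk header shows the former, so the subject should match. It would also help to state what the function returns when the onlined range intersects no zone (the fallback after the loop is outside the hunk), since by the description's own account that ZONE_NORMAL fallback is the path highmem sections took before this change.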
[tip: x86/boot] x86/boot: Add kstrtoul() from lib/
The following commit has been merged into the x86/boot branch of tip: Commit-ID: 5fafbebc86a0043ca5bbd8d3ce4f63dc5a02ad8e Gitweb: https://git.kernel.org/tip/5fafbebc86a0043ca5bbd8d3ce4f63dc5a02ad8e Author:Vamshi K Sthambamkadi AuthorDate:Thu, 23 Apr 2020 18:09:47 +05:30 Committer: Borislav Petkov CommitterDate: Mon, 04 May 2020 15:19:07 +02:00 x86/boot: Add kstrtoul() from lib/ Add kstrtoul() to ../boot/ to be used by facilities there too. [ bp: Massage, make _kstrtoul() static. Prepend function names with "boot_". This is a temporary workaround for build errors like: ld: arch/x86/boot/compressed/acpi.o: in function `count_immovable_mem_regions': acpi.c:(.text+0x463): undefined reference to `_kstrtoul' make[2]: *** [arch/x86/boot/compressed/Makefile:117: arch/x86/boot/compressed/vmlinux] Error 1 due to the namespace clash between x86/boot/ and kernel proper. Future reorg will get rid of the linux/linux/ namespace as much as possible so that x86/boot/ can be independent from kernel proper. ] Signed-off-by: Vamshi K Sthambamkadi Signed-off-by: Borislav Petkov Link: https://lkml.kernel.org/r/1587645588-7130-2-git-send-email-vamshi.k.sthambamk...@gmail.com --- arch/x86/boot/string.c | 43 - arch/x86/boot/string.h | 1 +- 2 files changed, 43 insertions(+), 1 deletion(-) diff --git a/arch/x86/boot/string.c b/arch/x86/boot/string.c index 8272a44..8a3fff9 100644 --- a/arch/x86/boot/string.c +++ b/arch/x86/boot/string.c @@ -117,7 +117,6 @@ static unsigned int simple_guess_base(const char *cp) * @endp: A pointer to the end of the parsed string will be placed here * @base: The number base to use */ - unsigned long long simple_strtoull(const char *cp, char **endp, unsigned int base) { unsigned long long result = 0; 
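Review bot: The first hunk only removes the blank line between the kernel-doc block and `simple_strtoull()`; that is unrelated whitespace cleanup and by convention belongs in its own patch, or at least deserves a mention in the commit message.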
@@ -335,3 +334,45 @@ int kstrtoull(const char *s, unsigned int base, unsigned long long *res) s++; return _kstrtoull(s, base, res); } + +static int _kstrtoul(const char *s, unsigned int base, unsigned long *res) +{ + unsigned long long tmp; + int rv; + + rv = kstrtoull(s, base, ); + if (rv < 0) + return rv; + if (tmp != (unsigned long)tmp) + return -ERANGE; + *res = tmp; + return 0; +} + +/** + * kstrtoul - convert a string to an unsigned long + * @s: The start of the string. The string must be null-terminated, and may also + * include a single newline before its terminating null. The first character + * may also be a plus sign, but not a minus sign. + * @base: The number base to use. The maximum supported base is 16. If base is + * given as 0, then the base of the string is automatically detected with the + * conventional semantics - If it begins with 0x the number will be parsed as a + * hexadecimal (case insensitive), if it otherwise begins with 0, it will be + * parsed as an octal number. Otherwise it will be parsed as a decimal. + * @res: Where to write the result of the conversion on success. + * + * Returns 0 on success, -ERANGE on overflow and -EINVAL on parsing error. + * Used as a replacement for the simple_strtoull. + */ +int boot_kstrtoul(const char *s, unsigned int base, unsigned long *res) +{ + /* +* We want to shortcut function call, but +* __builtin_types_compatible_p(unsigned long, unsigned long long) = 0. +*/ + if (sizeof(unsigned long) == sizeof(unsigned long long) && + __alignof__(unsigned long) == __alignof__(unsigned long long)) + return kstrtoull(s, base, (unsigned long long *)res); + else + return _kstrtoul(s, base, res); +} diff --git a/arch/x86/boot/string.h b/arch/x86/boot/string.h index 38d8f2f..995f7b7 100644 --- a/arch/x86/boot/string.h +++ b/arch/x86/boot/string.h 
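Review bot: The kernel-doc header still reads `kstrtoul - convert a string to an unsigned long` and ends with "Used as a replacement for the simple_strtoull", while the function is now `boot_kstrtoul()`; update the doc name to match and reword the last sentence, since this wrapper replaces kstrtoull() callers in boot/ rather than simple_strtoull. The rendered line `rv = kstrtoull(s, base, );` has lost its third argument in this archive; the posted code must pass `&tmp`, the `unsigned long long tmp` declared above it. The `tmp != (unsigned long)tmp` check returning -ERANGE is the part that matters for 32-bit callers and is correct.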
@@ -30,4 +30,5 @@ extern unsigned long long simple_strtoull(const char *cp, char **endp, unsigned int base); int kstrtoull(const char *s, unsigned int base, unsigned long long *res); +int boot_kstrtoul(const char *s, unsigned int base, unsigned long *res); #endif /* BOOT_STRING_H */
[tip: x86/boot] x86/boot: Fix -Wint-to-pointer-cast build warning
The following commit has been merged into the x86/boot branch of tip: Commit-ID: 40ba9309c76f29d012a5cc0cf938f8ff7dc6fef2 Gitweb: https://git.kernel.org/tip/40ba9309c76f29d012a5cc0cf938f8ff7dc6fef2 Author:Vamshi K Sthambamkadi AuthorDate:Thu, 23 Apr 2020 18:09:48 +05:30 Committer: Borislav Petkov CommitterDate: Mon, 04 May 2020 15:22:16 +02:00 x86/boot: Fix -Wint-to-pointer-cast build warning Fix this warning when building 32-bit with CONFIG_RANDOMIZE_BASE=y CONFIG_MEMORY_HOTREMOVE=y arch/x86/boot/compressed/acpi.c:316:9: warning: \ cast to pointer from integer of different size [-Wint-to-pointer-cast] Have get_cmdline_acpi_rsdp() return unsigned long which is the proper type to convert to a pointer of the respective width. [ bp: Rewrite commit message, touch ups. ] Signed-off-by: Vamshi K Sthambamkadi Signed-off-by: Borislav Petkov Link: https://lkml.kernel.org/r/1587645588-7130-3-git-send-email-vamshi.k.sthambamk...@gmail.com --- arch/x86/boot/compressed/acpi.c | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/arch/x86/boot/compressed/acpi.c b/arch/x86/boot/compressed/acpi.c index ef2ad72..8bcbcee 100644 --- a/arch/x86/boot/compressed/acpi.c +++ b/arch/x86/boot/compressed/acpi.c @@ -280,9 +280,9 @@ acpi_physical_address get_rsdp_addr(void) */ #define MAX_ADDR_LEN 19 -static acpi_physical_address get_cmdline_acpi_rsdp(void) +static unsigned long get_cmdline_acpi_rsdp(void) { - acpi_physical_address addr = 0; + unsigned long addr = 0; #ifdef CONFIG_KEXEC char val[MAX_ADDR_LEN] = { }; @@ -292,7 +292,7 @@ static acpi_physical_address get_cmdline_acpi_rsdp(void) if (ret < 0) return 0; - if (kstrtoull(val, 16, )) + if (boot_kstrtoul(val, 16, )) return 0; #endif return addr; @@ -314,7 +314,6 @@ static unsigned long get_acpi_srat_table(void) * different ideas about whether to trust a command-line parameter. */ rsdp = (struct acpi_table_rsdp *)get_cmdline_acpi_rsdp(); - if (!rsdp) rsdp = (struct acpi_table_rsdp *)(long) boot_params->acpi_rsdp_addr;
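Review bot: Changing get_cmdline_acpi_rsdp() to return `unsigned long` changes 32-bit behaviour beyond silencing the warning: with `boot_kstrtoul()`, an `acpi_rsdp=` value that does not fit in 32 bits now fails with -ERANGE (the `tmp != (unsigned long)tmp` check in boot_kstrtoul) and the function returns 0, falling back to `boot_params->acpi_rsdp_addr`, whereas kstrtoull() into an acpi_physical_address previously parsed it and the pointer cast truncated it. That is the safer outcome, but it deserves a sentence in the commit message. The rendered `boot_kstrtoul(val, 16, )` has lost its `&addr` argument in this archive. The third hunk is whitespace-only (it removes the blank line before `if (!rsdp)`) and is unrelated to the warning fix.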