Re: [PATCH v2] audit, io_uring, io-wq: Fix memory leak in io_sq_thread() and io_wqe_worker()

On 8/4/22 7:51 AM, Paul Moore wrote: > On Wed, Aug 3, 2022 at 6:24 PM Peilin Ye <yepeilin.cs(a)gmail.com&gt; wrote: >> >> From: Peilin Ye <peilin.ye(a)bytedance.com&gt; >> >> Currently @audit_context is allocated twice for io_uring workers: >> >> 1. copy_process() calls audit_alloc(); >> 2. io_sq_thread() or io_wqe_worker() calls audit_alloc_kernel() (which >> is effectively audit_alloc()) and overwrites @audit_context, >> causing: >> >> BUG: memory leak >> unreferenced object 0xffff888144547400 (size 1024): >> <...> >> hex dump (first 32 bytes): >> 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................ >> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ >> backtrace: >> [<ffffffff8135cfc3>] audit_alloc+0x133/0x210 >> [<ffffffff81239e63>] copy_process+0xcd3/0x2340 >> [<ffffffff8123b5f3>] create_io_thread+0x63/0x90 >> [<ffffffff81686604>] create_io_worker+0xb4/0x230 >> [<ffffffff81686f68>] io_wqe_enqueue+0x248/0x3b0 >> [<ffffffff8167663a>] io_queue_iowq+0xba/0x200 >> [<ffffffff816768b3>] io_queue_async+0x113/0x180 >> [<ffffffff816840df>] io_req_task_submit+0x18f/0x1a0 >> [<ffffffff816841cd>] io_apoll_task_func+0xdd/0x120 >> [<ffffffff8167d49f>] tctx_task_work+0x11f/0x570 >> [<ffffffff81272c4e>] task_work_run+0x7e/0xc0 >> [<ffffffff8125a688>] get_signal+0xc18/0xf10 >> [<ffffffff8111645b>] arch_do_signal_or_restart+0x2b/0x730 >> [<ffffffff812ea44e>] exit_to_user_mode_prepare+0x5e/0x180 >> [<ffffffff844ae1b2>] syscall_exit_to_user_mode+0x12/0x20 >> [<ffffffff844a7e80>] do_syscall_64+0x40/0x80 >> >> Then, >> >> 3. io_sq_thread() or io_wqe_worker() frees @audit_context using >> audit_free(); >> 4. do_exit() eventually calls audit_free() again, which is okay >> because audit_free() does a NULL check. >> >> As suggested by Paul Moore, fix it by deleting audit_alloc_kernel() and >> redundant audit_free() calls. >> >> Fixes: 5bd2182d58e9 ("audit,io_uring,io-wq: add some basic audit support to io_uring") >> Suggested-by: Paul Moore <paul(a)paul-moore.com&gt; >> Cc: stable(a)vger.kernel.org >> Signed-off-by: Peilin Ye <peilin.ye(a)bytedance.com&gt; >> --- >> Change since v1: >> - Delete audit_alloc_kernel() (Paul Moore) >> >> fs/io-wq.c | 3 --- >> fs/io_uring.c | 4 ---- >> include/linux/audit.h | 5 ----- >> kernel/auditsc.c | 25 ------------------------- >> 4 files changed, 37 deletions(-) > > This looks good to me, thanks! Although it looks like the io_uring > related changes will need to be applied by hand as they are pointing > to the old layout under fs/ as opposed to the newer layout in > io_uring/ introduced during this merge window. > > Jens, did you want to take this via the io_uring tree or should I take > it via the audit tree? If the latter, an ACK would be appreciated, if > the former my ACK is below. > > Acked-by: Paul Moore <paul(a)paul-moore.com&gt; Probably better if I take it, since I need to massage it into the current tree anyway. We can then use this one as the base for the stable backports that are going to be required.