inotify oops with wd == 4096

Bug #485556 reported by desrt
276
This bug affects 3 people
Affects Status Importance Assigned to Milestone
Linux
Expired
Medium
linux (Ubuntu)
Fix Released
Medium
Andy Whitcroft
Dapper
Won't Fix
Undecided
Unassigned
Hardy
Fix Released
Undecided
Unassigned
Intrepid
Won't Fix
Undecided
Unassigned
Jaunty
Fix Released
Undecided
Unassigned
Karmic
Fix Released
Undecided
Unassigned
Lucid
Fix Released
Medium
Andy Whitcroft

Bug Description

inotify_rm_watch() fails when you call it with watch descriptor 4096, even if this watch descriptor is valid.

it only ever happens with 4096. All other numbers work OK.

this is really bad because the watch remains in effect and when the process exits, you get this from the kernel:

[ 1097.904754] ------------[ cut here ]------------
[ 1097.904775] WARNING: at /build/buildd/linux-2.6.31/fs/notify/inotify/inotify_fsnotify.c:129 idr_callback+0x49/0x70()
[ 1097.904782] Hardware name: 7448CTO
[ 1097.904787] inotify closing but id=0 for entry=ffff8800658af690 in group=ffff88007195b400 still in idr. Probably leaking memory
[ 1097.904794] Modules linked in: binfmt_misc ppdev bridge stp bnep kvm_intel kvm nfsd lockd nfs_acl auth_rpcgss sunrpc snd_hda_codec_conexant snd_hda_intel snd_hda_codec snd_hwdep snd_pcm_oss snd_mixer_oss snd_pcm snd_seq_dummy snd_seq_oss arc4 ecb snd_seq_midi snd_rawmidi snd_seq_midi_event iwlagn uvcvideo snd_seq iwlcore iptable_filter videodev snd_timer ip_tables snd_seq_device mac80211 v4l1_compat x_tables heci(C) v4l2_compat_ioctl32 snd psmouse thinkpad_acpi soundcore btusb led_class serio_raw snd_page_alloc cfg80211 lp nvram parport xfs exportfs fbcon tileblit font bitblit softcursor i915 drm i2c_algo_bit e1000e video output intel_agp
[ 1097.904917] Pid: 2949, comm: fail Tainted: G WC 2.6.31-16-generic #51~pre2-Ubuntu
[ 1097.904922] Call Trace:
[ 1097.904936] [<ffffffff8105e7d8>] warn_slowpath_common+0x78/0xb0
[ 1097.904945] [<ffffffff8105e86c>] warn_slowpath_fmt+0x3c/0x40
[ 1097.904952] [<ffffffff81153c99>] idr_callback+0x49/0x70
[ 1097.904962] [<ffffffff812733d9>] idr_for_each+0x89/0xe0
[ 1097.904970] [<ffffffff81153c50>] ? idr_callback+0x0/0x70
[ 1097.904979] [<ffffffff81151814>] ? fsnotify_put_event+0x44/0x60
[ 1097.904987] [<ffffffff81153c32>] inotify_free_group_priv+0x22/0x40
[ 1097.904996] [<ffffffff81151973>] fsnotify_final_destroy_group+0x23/0x40
[ 1097.905004] [<ffffffff81151a78>] fsnotify_put_group+0x98/0xb0
[ 1097.905012] [<ffffffff81153ebf>] inotify_release+0x2f/0x50
[ 1097.905020] [<ffffffff81120cd0>] __fput+0xf0/0x210
[ 1097.905027] [<ffffffff81120e0d>] fput+0x1d/0x30
[ 1097.905037] [<ffffffff8111cec8>] filp_close+0x58/0x90
[ 1097.905045] [<ffffffff81060657>] put_files_struct+0x77/0xe0
[ 1097.905052] [<ffffffff8106070f>] exit_files+0x4f/0x60
[ 1097.905060] [<ffffffff81061a5b>] do_exit+0x14b/0x360
[ 1097.905069] [<ffffffff8106d594>] ? signal_wake_up+0x34/0x40
[ 1097.905077] [<ffffffff81061cb9>] do_group_exit+0x49/0xc0
[ 1097.905085] [<ffffffff8106f8db>] get_signal_to_deliver+0x1bb/0x3b0
[ 1097.905093] [<ffffffff8106d9ca>] ? __send_signal+0x16a/0x360
[ 1097.905104] [<ffffffff810119a0>] do_signal+0x70/0x1c0
[ 1097.905115] [<ffffffff81529b40>] ? _spin_lock_irq+0x10/0x20
[ 1097.905122] [<ffffffff8106c031>] ? sigprocmask+0x91/0x110
[ 1097.905130] [<ffffffff8106c4c2>] ? sys_rt_sigprocmask+0x82/0x110
[ 1097.905138] [<ffffffff81011b3f>] do_notify_resume+0x4f/0x60
[ 1097.905146] [<ffffffff8106c4c2>] ? sys_rt_sigprocmask+0x82/0x110
[ 1097.905154] [<ffffffff810120fb>] sysret_signal+0x7e/0xcf
[ 1097.905161] ---[ end trace e98b6c8990922934 ]---
[ 1097.905167] entry->group=(null) inode=(null) wd=4096
----

the kernel telling me "Probably leaking memory" is particularly scary.

i get this on the latest (stable) karmic kernel but i also get the same bug on the prerelease kernel from smb's PPA:
Linux marzipan 2.6.31-16-generic #51~pre2-Ubuntu SMP Thu Nov 12 14:47:25 UTC 2009 x86_64 GNU/Linux

i'll attach a test program that makes it happen pretty quickly.

Revision history for this message
desrt (desrt) wrote :
Andy Whitcroft (apw)
tags: added: kernel-karmic
Kees Cook (kees)
Changed in linux (Ubuntu):
status: New → Confirmed
Revision history for this message
Kees Cook (kees) wrote :

Putting the test case in a loop and watching slabtop, I would confirm the memory leak.

Changed in linux (Ubuntu):
importance: Undecided → Medium
Revision history for this message
Kees Cook (kees) wrote :

Should be "could confirm", and it's only with fd 4096, any above that are fine. Very strange.

Revision history for this message
Kees Cook (kees) wrote :
Revision history for this message
Kees Cook (kees) wrote :

Seems to be extremely common kernel oops report too:
http://www.kerneloops.org/search.php?search=idr_callback

Revision history for this message
Kees Cook (kees) wrote :
visibility: private → public
Changed in linux (Ubuntu Karmic):
status: New → Confirmed
Changed in linux (Ubuntu Jaunty):
status: New → Confirmed
Changed in linux (Ubuntu Hardy):
status: New → Confirmed
Changed in linux (Ubuntu Dapper):
status: New → Confirmed
Changed in linux (Ubuntu Intrepid):
status: New → Confirmed
Changed in linux:
status: Unknown → In Progress
Revision history for this message
Andy Whitcroft (apw) wrote :

As this appears to affect all releases I've pulled in the patch reference for Lucid so we can test it there. I note it is also slated for slable and so I am applying it as pre-stable. I am applying it early to get more testing before it hits karmic et al.

Changed in linux (Ubuntu Lucid):
assignee: nobody → Andy Whitcroft (apw)
status: Confirmed → In Progress
Revision history for this message
Andy Whitcroft (apw) wrote :

The stable this is in has now released and I am incorporating that version.

Changed in linux (Ubuntu Lucid):
status: In Progress → Fix Released
status: Fix Released → Fix Committed
tags: added: v2.6.27.y v2.6.31.y
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (4.5 KiB)

This bug was fixed in the package linux - 2.6.32-12.16

---------------
linux (2.6.32-12.16) lucid; urgency=low

  [ Andy Whitcroft ]

  * Revert "SAUCE: acpi battery -- delay first lookup of the battery until
    first use"
  * SAUCE: acpi battery -- move first lookup asynchronous
    - LP: #507211
  * [Config] update configs to cleanup generic configs
  * [Config] disable CONFIG_X86_CPU_DEBUG for amd64
  * [Config] enable USER_NS
    - LP: #480739, #509808

  [ Heiko Carstens ]

  * (pre-stable) driver-core: fix devtmpfs crash on s390
    - LP: #512370

  [ John Johansen ]

  * [Config] for server and virtual flavours make CONFIG_SCSI_SYM53C8XX_2=y
    - LP: #494565
  * [Config] VIRTIO=y for server/virtual flavours
    - LP: #494565

  [ Kay Sievers ]

  * (pre-stable) Driver-Core: devtmpfs - set root directory mode to 0755
    - LP: #512370

  [ Kees Cook ]

  * SAUCE: x86: brk away from exec rand area
    - LP: #452175

  [ Leann Ogasawara ]

  * [Upstream] e1000: enhance frame fragment detection
    - CVE-2009-4536
  * [Upstream] e1000e: enhance frame fragment detection
    - CVE-2009-4538

  [ Sebastian Kapfer ]

  * (pre-stable) Input: ALPS - add interleaved protocol support (Dell E6x00
    series)
    - LP: #296610

  [ Upstream Kernel Changes ]

  * inotify: do not reuse watch descriptors
    - LP: #485556
  * inotify: only warn once for inotify problems
  * revert "drivers/video/s3c-fb.c: fix clock setting for Samsung SoC
    Framebuffer"
  * memcg: ensure list is empty at rmdir
  * drm/i915: remove loop in Ironlake interrupt handler
  * block: Fix incorrect reporting of partition alignment
  * x86, mce: Thermal monitoring depends on APIC being enabled
  * futexes: Remove rw parameter from get_futex_key()
  * page allocator: update NR_FREE_PAGES only when necessary
  * x86, apic: use physical mode for IBM summit platforms
  * edac: i5000_edac critical fix panic out of bounds
  * x86: SGI UV: Fix mapping of MMIO registers
  * mfd: WM835x GPIO direction register is not locked
  * mfd: Correct WM835x ISINK ramp time defines
  * ALSA: hda - Fix missing capture mixer for ALC861/660 codecs
  * V4L/DVB (13868): gspca - sn9c20x: Fix test of unsigned.
  * reiserfs: truncate blocks not used by a write
  * HID: add device IDs for new model of Apple Wireless Keyboard
  * PCI/cardbus: Add a fixup hook and fix powerpc
  * Input: pmouse - move Sentelic probe down the list
  * asus-laptop: add Lenovo SL hotkey support
  * sched: Fix cpu_clock() in NMIs, on !CONFIG_HAVE_UNSTABLE_SCHED_CLOCK
  * sparc64: Fix NMI programming when perf events are active.
  * sparc64: Fix Niagara2 perf event handling.
  * i2c: Do not use device name after device_unregister
  * i2c/pca: Don't use *_interruptible
  * serial/8250_pnp: add a new Fujitsu Wacom Tablet PC device
  * sched: Fix task priority bug
  * vfs: Fix vmtruncate() regression
  * Linux 2.6.32.5
  * x86, msr/cpuid: Register enough minors for the MSR and CPUID drivers
  * V4L/DVB (13900): gspca - sunplus: Fix bridge exchanges.
  * Staging: asus_oled: fix oops in 2.6.32.2
  * Staging: hv: fix smp problems in the hyperv core code
  * tty: fix race in tty_fasync
  * ecryptfs: use after free
  * ecryptfs: initi...

Read more...

Changed in linux (Ubuntu Lucid):
status: Fix Committed → Fix Released
Revision history for this message
Jeff Strunk (jstrunk-math) wrote :

What is the time frame for seeing this fix in Karmic?

Revision history for this message
Juri Haberland (haberland) wrote :

Any news on a release date for Karmic?

Kees Cook (kees)
Changed in linux (Ubuntu Intrepid):
status: Confirmed → Won't Fix
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.31-22.60

---------------
linux (2.6.31-22.60) karmic-security; urgency=low

  [ Leann Ogasawara ]

  * kvm: restrict writing of segment selectors to segment registers
    - CVE-2010-0419

  [ Upstream Kernel Changes ]

  * USB: usbfs: properly clean up the as structure on error paths
    - CVE-2010-1083
  * Bluetooth: Fix potential bad memory access with sysfs files
    - CVE-2010-1084
  * ALSA: hda-intel: Avoid divide by zero crash
    - CVE-2010-1085
  * dvb-core: Fix DoS bug in ULE decapsulation code that can be triggered
    by an invalid Payload Pointer
    - CVE-2010-1086
  * GFS2: Skip check for mandatory locks when unlocking
    - CVE-2010-0727
  * tipc: Fix oops on send prior to entering networked mode (v3)
    - CVE-2010-1187
  * inotify: do not reuse watch descriptors
    - LP: #485556
  * idr: fix a critical misallocation bug, take#2
    - LP: #485556
  * tty: release_one_tty() forgets to put pids
    - CVE-2010-1162
  * reiserfs: fix permissions on .reiserfs_priv
    - CVE-2010-1146
  * fix LOOKUP_FOLLOW on automount "symlinks"
    - CVE-2010-1088
  * NFS: Fix an Oops when truncating a file
    - CVE-2010-1087
  * Attempt #2 to handle null nameidata
    - CVE-2010-1148
  * r8169: Fix receive buffer length when MTU is between 1515 and 1536
    - CVE-2009-4537
  * r8169: offical fix for CVE-2009-4537 (overlength frame DMAs)
    - CVE-2009-4537
  * KVM: Use kvm_{read,write}_guest_virt() to read and write segment
    descriptors
    - CVE-2010-0298
    - CVE-2010-0306
  * KVM: x86 emulator: Check CPL level during privilege instruction
    emulation
    - CVE-2010-0298
    - CVE-2010-0306
  * KVM: x86 emulator: Add Virtual-8086 mode of emulation
    - CVE-2010-0298
    - CVE-2010-0306
  * KVM: x86 emulator: fix memory access during x86 emulation
    - CVE-2010-0298
    - CVE-2010-0306
  * KVM: x86 emulator: Check IOPL level during io instruction emulation
    - CVE-2010-0298
    - CVE-2010-0306
  * KVM: x86 emulator: Fix popf emulation
    - CVE-2010-0298
    - CVE-2010-0306
  * KVM: VMX: Use macros instead of hex value on cr0 initialization
    - CVE-2010-0298
    - CVE-2010-0306
  * KVM: SVM: Reset cr0 properly on vcpu reset
    - CVE-2010-0298
    - CVE-2010-0306
  * KVM: x86: disable paravirt mmu reporting
    - CVE-2010-0298
    - CVE-2010-0306
 -- Stefan Bader <email address hidden> Tue, 25 May 2010 14:01:30 +0200

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.28-19.61

---------------
linux (2.6.28-19.61) jaunty-security; urgency=low

  [ Leann Ogasawara ]

  * kvm: restrict writing of segment selectors to segment registers
    - CVE-2010-0419

  [ Upstream Kernel Changes ]

  * USB: usbfs: properly clean up the as structure on error paths
    - CVE-2010-1083
  * Bluetooth: Fix potential bad memory access with sysfs files
    - CVE-2010-1084
  * ALSA: hda-intel: Avoid divide by zero crash
    - CVE-2010-1085
  * dvb-core: Fix DoS bug in ULE decapsulation code that can be triggered
    by an invalid Payload Pointer
    - CVE-2010-1086
  * GFS2: Skip check for mandatory locks when unlocking
    - CVE-2010-0727
  * tipc: Fix oops on send prior to entering networked mode (v3)
    - CVE-2010-1187
  * idr: fix a critical misallocation bug, take#2
    - LP: #485556
  * tty: release_one_tty() forgets to put pids
    - CVE-2010-1162
  * fix LOOKUP_FOLLOW on automount "symlinks"
    - CVE-2010-1088
  * NFS: Fix an Oops when truncating a file
    - CVE-2010-1087
  * r8169: Fix receive buffer length when MTU is between 1515 and 1536
    - CVE-2009-4537
  * r8169: offical fix for CVE-2009-4537 (overlength frame DMAs)
    - CVE-2009-4537
  * KVM: introduce kvm_read_guest_virt, kvm_write_guest_virt
    - CVE-2010-0298
    - CVE-2010-0306
  * KVM: remove the vmap usage
    - CVE-2010-0298
    - CVE-2010-0306
  * KVM: Use kvm_{read,write}_guest_virt() to read and write segment
    descriptors
    - CVE-2010-0298
    - CVE-2010-0306
  * KVM: x86 emulator: Check CPL level during privilege instruction
    emulation
    - CVE-2010-0298
    - CVE-2010-0306
  * KVM: x86 emulator: Add Virtual-8086 mode of emulation
    - CVE-2010-0298
    - CVE-2010-0306
  * KVM: x86 emulator: fix memory access during x86 emulation
    - CVE-2010-0298
    - CVE-2010-0306
  * KVM: x86 emulator: Check IOPL level during io instruction emulation
    - CVE-2010-0298
    - CVE-2010-0306
  * KVM: VMX: Use macros instead of hex value on cr0 initialization
    - CVE-2010-0298
    - CVE-2010-0306
  * KVM: SVM: Reset cr0 properly on vcpu reset
    - CVE-2010-0298
    - CVE-2010-0306
  * KVM: x86: disable paravirt mmu reporting
    - CVE-2010-0298
    - CVE-2010-0306
 -- Stefan Bader <email address hidden> Tue, 25 May 2010 14:21:52 +0200

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.24-28.70

---------------
linux (2.6.24-28.70) hardy-security; urgency=low

  [Stefan Bader]

  * OPENVZ: Fix patch failure on fs/namei.c
    - CVE-2010-1088
  * KVM: x86: Completely backport get_cpl functionality
    - CVE-2010-0298
    - CVE-2010-0306

  [Upstream Kernel Changes]

  * virtio: finer-grained features for virtio_net
    - CVE-2010-0741
  * virtio: explicit advertisement of driver features
    - CVE-2010-0741
  * USB: usbfs: properly clean up the as structure on error paths
    - CVE-2010-1083
  * Bluetooth: Fix potential bad memory access with sysfs files
    - CVE-2010-1084
  * dvb-core: Fix DoS bug in ULE decapsulation code that can be triggered
    by an invalid Payload Pointer
    - CVE-2010-1086
  * ipv6: Fix OOPS in ip6_dst_lookup_tail().
    - CVE-2010-0437
  * GFS2: Skip check for mandatory locks when unlocking
    - CVE-2010-0727
  * tipc: Fix oops on send prior to entering networked mode (v3)
    - CVE-2010-1187
  * idr: fix a critical misallocation bug, take#2
    - LP: #485556
  * tty: release_one_tty() forgets to put pids
    - CVE-2010-1162
  * fix LOOKUP_FOLLOW on automount "symlinks"
    - CVE-2010-1088
  * NFS: Fix an Oops when truncating a file
    - CVE-2010-1087
  * r8169: Fix receive buffer length when MTU is between 1515 and 1536
    - CVE-2009-4537
  * r8169: offical fix for CVE-2009-4537 (overlength frame DMAs)
    - CVE-2009-4537
  * KVM: introduce kvm_read_guest_virt, kvm_write_guest_virt
    - CVE-2010-0298
    - CVE-2010-0306
  * KVM: remove the vmap usage
    - CVE-2010-0298
    - CVE-2010-0306
  * KVM: x86 emulator: Check CPL level during privilege instruction
    emulation
    - CVE-2010-0298
    - CVE-2010-0306
  * KVM: x86 emulator: Add Virtual-8086 mode of emulation
    - CVE-2010-0298
    - CVE-2010-0306
  * KVM: x86 emulator: fix memory access during x86 emulation
    - CVE-2010-0298
    - CVE-2010-0306
  * KVM: x86 emulator: Check IOPL level during io instruction emulation
    - CVE-2010-0298
    - CVE-2010-0306
  * KVM: VMX: Use macros instead of hex value on cr0 initialization
    - CVE-2010-0298
    - CVE-2010-0306
  * KVM: SVM: Reset cr0 properly on vcpu reset
    - CVE-2010-0298
    - CVE-2010-0306
 -- Stefan Bader <email address hidden> Tue, 25 May 2010 12:14:20 +0000

Changed in linux (Ubuntu Hardy):
status: Confirmed → Fix Released
Changed in linux (Ubuntu Jaunty):
status: Confirmed → Fix Released
Changed in linux (Ubuntu Karmic):
status: Confirmed → Fix Released
Changed in linux:
importance: Unknown → Medium
Changed in linux (Ubuntu Dapper):
status: Confirmed → Won't Fix
Changed in linux:
status: In Progress → Expired
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Bug attachments

Remote bug watches

Bug watches keep track of this bug in other bug trackers.