On Wed, Aug 13, 2025 at 9:22 PM Adrian Huang (Lenovo) <adrianhuang0701@xxxxxxxxx> wrote:
>
> After running the program 'ioctl_pidfd03' of Linux Test Project (LTP) or
> the program 'pidfd_info_test' in 'tools/testing/selftests/pidfd' of the
> kernel source, kmemleak reports the following memory leaks:
>
> # cat /sys/kernel/debug/kmemleak
> unreferenced object 0xff110020e5988000 (size 8216):
>   comm "ioctl_pidfd03", pid 10853, jiffies 4294800031
>   hex dump (first 32 bytes):
>     02 40 00 00 00 00 00 00 10 00 00 00 00 00 00 00  .@..............
>     00 00 00 00 af 01 00 00 80 00 00 00 00 00 00 00  ................
>   backtrace (crc 69483047):
>     kmem_cache_alloc_node_noprof+0x2fb/0x410
>     copy_process+0x178/0x1740
>     kernel_clone+0x99/0x3b0
>     __do_sys_clone3+0xbe/0x100
>     do_syscall_64+0x7b/0x2c0
>     entry_SYSCALL_64_after_hwframe+0x76/0x7e
> ...
> unreferenced object 0xff11002097b70000 (size 8216):
>   comm "pidfd_info_test", pid 11840, jiffies 4294889165
>   hex dump (first 32 bytes):
>     06 40 00 00 00 00 00 00 10 00 00 00 00 00 00 00  .@..............
>     00 00 00 00 b5 00 00 00 80 00 00 00 00 00 00 00  ................
>   backtrace (crc a6286bb7):
>     kmem_cache_alloc_node_noprof+0x2fb/0x410
>     copy_process+0x178/0x1740
>     kernel_clone+0x99/0x3b0
>     __do_sys_clone3+0xbe/0x100
>     do_syscall_64+0x7b/0x2c0
>     entry_SYSCALL_64_after_hwframe+0x76/0x7e
> ...
>
> The leak occurs because pidfd_info() obtains a task_struct via
> get_pid_task() but never calls put_task_struct() to drop the reference,
> leaving task->usage unbalanced.
>
> Fix the issue by adding __free(put_task) to the local variable 'task',
> ensuring that put_task_struct() is automatically invoked when the
> variable goes out of scope.
>
> Fixes: 7477d7dce48a ("pidfs: allow to retrieve exit information")
> Signed-off-by: Adrian Huang (Lenovo) <adrianhuang0701@xxxxxxxxx>
> ---
>  fs/pidfs.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/pidfs.c b/fs/pidfs.c
> index edc35522d75c..857eb27c3d94 100644
> --- a/fs/pidfs.c
> +++ b/fs/pidfs.c
> @@ -296,12 +296,12 @@ static __u32 pidfs_coredump_mask(unsigned long mm_flags)
>  static long pidfd_info(struct file *file, unsigned int cmd, unsigned long arg)
>  {
>  	struct pidfd_info __user *uinfo = (struct pidfd_info __user *)arg;
> +	struct task_struct *task __free(put_task);

Oops, forgot to assign NULL. This causes the regression (general protection
fault) for the error path in pidfd_info() when running the program
'ioctl_pidfd05' of Linux Test Project (LTP).

Please ignore this patch, and I'll send a v2 shortly.

>  	struct pid *pid = pidfd_pid(file);
>  	size_t usize = _IOC_SIZE(cmd);
>  	struct pidfd_info kinfo = {};
>  	struct pidfs_exit_info *exit_info;
>  	struct user_namespace *user_ns;
> -	struct task_struct *task;
>  	struct pidfs_attr *attr;
>  	const struct cred *c;
>  	__u64 mask;
> --
> 2.34.1
>
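Review bot: the new declaration `+ struct task_struct *task __free(put_task);` leaves `task` uninitialized while the cleanup attribute runs the put_task destructor on every exit from the enclosing scope, so any return from pidfd_info() before `task` is assigned (the error path the reply refers to) hands an indeterminate pointer to put_task_struct(). Initialize it at the declaration, `struct task_struct *task __free(put_task) = NULL;`, or better, declare it at the point where the get_pid_task() result is stored so the variable is never live without a value; either way the cleanup helper has to tolerate NULL for the early returns to be safe. Dropping the old `- struct task_struct *task;` declaration is otherwise fine.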
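The two defects in this thread, the missing put on the original function and the uninitialized cleanup pointer on the first attempt at a fix, are both visible in a small user-space model. The following is an added example, not kernel code and not from the patch author: `toy_task`, `toy_get_task`, `toy_put_task`, `info_leaky` and `info_fixed` are invented stand-ins for task_struct, get_pid_task(), put_task_struct() and pidfd_info(), and the `__free_put_task` macro mimics what `DEFINE_FREE(put_task, ...)` plus `__free(put_task)` do with the compiler's cleanup attribute.

```c
/* Added example (not the kernel's code): a user-space model of the
 * scope-based cleanup pattern used by the patch. All names here are
 * constructed for illustration; only the shape mirrors
 * include/linux/cleanup.h. Builds with gcc or clang. */
#include <stdbool.h>
#include <stddef.h>

struct toy_task {
	int refcount;
	int exit_code;
};

/* One constructed "task" standing in for the pid's task_struct. */
static struct toy_task g_task = { .refcount = 1, .exit_code = 42 };

/* Model of get_pid_task(): takes a reference, or returns NULL when the
 * pid no longer has a task attached. */
static struct toy_task *toy_get_task(bool alive)
{
	if (!alive)
		return NULL;
	g_task.refcount++;
	return &g_task;
}

/* Model of put_task_struct(): drops one reference. */
static void toy_put_task(struct toy_task *t)
{
	t->refcount--;
}

/* Model of DEFINE_FREE(put_task, ...): the cleanup function receives the
 * address of the variable and must tolerate NULL, because it runs on
 * every scope exit, including returns taken before the variable was
 * assigned a real task. */
static void toy_cleanup_put_task(struct toy_task **p)
{
	if (*p)
		toy_put_task(*p);
}
#define __free_put_task __attribute__((cleanup(toy_cleanup_put_task)))

/* Leaky shape, analogous to pidfd_info() before the patch: the reference
 * taken by toy_get_task() is never dropped, so refcount drifts upward. */
static int info_leaky(bool alive, int *exit_code)
{
	struct toy_task *task = toy_get_task(alive);

	if (!task)
		return -1;
	*exit_code = task->exit_code;
	return 0;	/* no toy_put_task(task): this is the leak */
}

/* Fixed shape: the cleanup attribute drops the reference on every return
 * path. The "= NULL" is what the first patch forgot; without it, the
 * early return below would hand an indeterminate pointer to the cleanup.
 * (Declaring the variable at the point of assignment avoids the hazard
 * the same way.) */
static int info_fixed(bool alive, bool bad_arg, int *exit_code)
{
	struct toy_task *task __free_put_task = NULL;

	if (bad_arg)
		return -2;	/* early return: cleanup sees NULL, does nothing */

	task = toy_get_task(alive);
	if (!task)
		return -1;	/* nothing acquired, cleanup still sees NULL */
	*exit_code = task->exit_code;
	return 0;		/* cleanup drops the reference here */
}

/* Exposes the model's refcount so callers can check for balance. */
static int current_refcount(void)
{
	return g_task.refcount;
}
```

Running `info_leaky()` once leaves the refcount one higher than it started, which is the signature kmemleak reported for the real function; `info_fixed()` returns the count to its baseline on the success path, the no-task path and the early-error path alike.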