Subject: Re: kern/32842: SCM_RIGHTS can leak file descriptor resources
To: None <netbsd-bugs@netbsd.org>
From: Christian Biere <christianbiere@gmx.de>
List: netbsd-bugs
Date: 09/07/2006 04:41:32
Christian Biere wrote:
>  The patch might be incomplete but I cannot reproduce the leak
>  using my provided test case with this patch applied anymore.

I have a new simpler more aggressive testcase which works even with
my patch applied. However, this causes a different problem. So it's
relate but might not actually the same bug or it could indicate
that the proposed fix is incomplete. After a few seconds, top
shows that the process hangs in "vmmapkv". This does not cause
a file descriptor leak but rather a kernel memory leak. Some
programs like "top" can still be started but others especially
network-related ones e.g., "ping" don't work and just hang as
well. After some time a kernel panic occurs:

"panic: malloc: out of space in kmem_map"

Note, that this abuses the unix domain socket of "syslogd"
for less code.

cat <<EOF > vmmapkv.c && cc -o vmmapkv vmmapkv.c && ./vmmapkv
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <assert.h>

#define ARRAY_LEN(x) (sizeof (x) / sizeof (x)[0])

static int
set_socket_address(struct sockaddr_un *sun, const char *path)
{
  static const struct sockaddr_un zero_sun;

  assert(sun);
  assert(path);
  
  *sun = zero_sun;
  if (strlen(path) >= sizeof sun->sun_path) {
    fprintf(stderr, "sockpath is too long\n");
    return -1;
  }
  strncpy(sun->sun_path, path, sizeof sun->sun_path);
  sun->sun_len = SUN_LEN(sun);
  sun->sun_family = AF_LOCAL;
  return 0;
}

static int
create_new_socket(void)
{
  int fd;

  fd = socket(PF_LOCAL, SOCK_STREAM, 0);
  if (-1 == fd) {
    perror("socket(PF_LOCAL, SOCK_STREAM, 0)");
    return -1;
  }

  {
    int enable = 1;
    
    if (0 != setsockopt(fd, 0, LOCAL_CREDS, &enable, sizeof enable)) {
      perror("setsockopt(fd, 0, LOCAL_CREDS, enable, sizeof enable)");
      return -1;
    }
  }

  return fd;
}

static int
send_msg(const int fd, const char * const dst_path,
  const struct msghdr * const msg_ptr)
{
  struct msghdr msg;
  struct sockaddr_un sun;

  assert(-1 != fd);
  assert(dst_path);
  assert(msg_ptr);
  
  if (set_socket_address(&sun, dst_path))
    return -1;

  msg = *msg_ptr;
  msg.msg_name = &sun;
  msg.msg_namelen = sizeof sun;
  
  if ((ssize_t) -1 == sendmsg(fd, &msg, 0)) {
    perror("sendmsg()");
    return -1;
  }

  return 0;
}

static int
send_descriptors(const int fd, const char * const dst_path,
  const int * const fd_array, const size_t num_fds)
{
  static const struct cmsghdr zero_cmsg;
  static const struct msghdr zero_msg;
  static struct iovec iov[1];
  struct msghdr msg;
  struct cmsghdr *cmsg;
  size_t data_size;

  assert(-1 != fd);
  assert(dst_path);
  assert(fd_array);

  data_size = num_fds * sizeof fd_array[0];

  cmsg = malloc(CMSG_SPACE(data_size));
  if (!cmsg) {
    perror("malloc()");
    return -1;
  }

  *cmsg = zero_cmsg;
  cmsg->cmsg_len = CMSG_LEN(data_size);
  cmsg->cmsg_level = SOL_SOCKET;
  cmsg->cmsg_type = SCM_RIGHTS;

  memcpy((char *) cmsg + CMSG_LEN(0), fd_array, data_size);

  msg = zero_msg;
  msg.msg_iov = iov;
  msg.msg_iovlen = ARRAY_LEN(iov);
  msg.msg_control = cmsg;
  msg.msg_controllen = CMSG_LEN(data_size);

  return send_msg(fd, dst_path, &msg);
}

static int
run_server(const char *path)
{
  int s;

  s = create_new_socket();
  if (-1 == s)
    return -1;

  for (;;) {
    int fd = dup(STDOUT_FILENO);
    
    send_descriptors(s, path, &fd, 1);
    close(fd);
  }

  return 0;
}

static const char server_path[] = "/var/run/log";

int
main(void)
{
  if (0 != run_server(server_path))
    exit(EXIT_FAILURE);

  return 0;
}

/* vi: set ai et ts=2 sts=2 sw=2 cindent: */
EOF

-- 
Christian