From: syzbot <syzbot+1d37bef05da87b99c5a6@syzkaller.appspotmail.com>
To: davem@davemloft.net, edumazet@google.com, kernel@pengutronix.de,
kuba@kernel.org, linux-can@vger.kernel.org,
linux-kernel@vger.kernel.org, mkl@pengutronix.de,
netdev@vger.kernel.org, o.rempel@pengutronix.de,
pabeni@redhat.com, robin@protonic.nl, socketcan@hartkopp.net,
syzkaller-bugs@googlegroups.com
Subject: [syzbot] [can?] memory leak in j1939_netdev_start
Date: Fri, 24 Nov 2023 18:45:21 -0800 [thread overview]
Message-ID: <00000000000060446d060af10f08@google.com> (raw)
Hello,
syzbot found the following issue on:
HEAD commit: 98b1cc82c4af Linux 6.7-rc2
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1286e3d4e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=f1b9d95ada516af
dashboard link: https://syzkaller.appspot.com/bug?extid=1d37bef05da87b99c5a6
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11c8f8cce80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6b6d520f592c/disk-98b1cc82.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c2cb6183fd56/vmlinux-98b1cc82.xz
kernel image: https://storage.googleapis.com/syzbot-assets/de520cfc8b93/bzImage-98b1cc82.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1d37bef05da87b99c5a6@syzkaller.appspotmail.com
BUG: memory leak
unreferenced object 0xffff88811f324000 (size 8192):
comm "syz-executor.7", pid 5245, jiffies 4294947603 (age 10.860s)
hex dump (first 32 bytes):
00 40 32 1f 81 88 ff ff 00 40 32 1f 81 88 ff ff .@2......@2.....
00 00 00 00 00 00 00 00 00 80 0f 1b 81 88 ff ff ................
backtrace:
[<ffffffff816339bd>] kmemleak_alloc_recursive include/linux/kmemleak.h:42 [inline]
[<ffffffff816339bd>] slab_post_alloc_hook mm/slab.h:766 [inline]
[<ffffffff816339bd>] slab_alloc_node mm/slub.c:3478 [inline]
[<ffffffff816339bd>] __kmem_cache_alloc_node+0x2dd/0x3f0 mm/slub.c:3517
[<ffffffff8157e845>] kmalloc_trace+0x25/0x90 mm/slab_common.c:1098
[<ffffffff8453e829>] kmalloc include/linux/slab.h:600 [inline]
[<ffffffff8453e829>] kzalloc include/linux/slab.h:721 [inline]
[<ffffffff8453e829>] j1939_priv_create net/can/j1939/main.c:135 [inline]
[<ffffffff8453e829>] j1939_netdev_start+0x159/0x6f0 net/can/j1939/main.c:272
[<ffffffff8454046e>] j1939_sk_bind+0x21e/0x550 net/can/j1939/socket.c:485
[<ffffffff83ec4dac>] __sys_bind+0x11c/0x130 net/socket.c:1845
[<ffffffff83ec4ddc>] __do_sys_bind net/socket.c:1856 [inline]
[<ffffffff83ec4ddc>] __se_sys_bind net/socket.c:1854 [inline]
[<ffffffff83ec4ddc>] __x64_sys_bind+0x1c/0x20 net/socket.c:1854
[<ffffffff84b6bd8f>] do_syscall_x64 arch/x86/entry/common.c:51 [inline]
[<ffffffff84b6bd8f>] do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
[<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0x6b
BUG: memory leak
unreferenced object 0xffff88811f0bf300 (size 240):
comm "softirq", pid 0, jiffies 4294947604 (age 10.850s)
hex dump (first 32 bytes):
68 74 bb 1d 81 88 ff ff 68 74 bb 1d 81 88 ff ff ht......ht......
00 80 0f 1b 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff81631427>] kmemleak_alloc_recursive include/linux/kmemleak.h:42 [inline]
[<ffffffff81631427>] slab_post_alloc_hook mm/slab.h:766 [inline]
[<ffffffff81631427>] slab_alloc_node mm/slub.c:3478 [inline]
[<ffffffff81631427>] kmem_cache_alloc_node+0x2c7/0x450 mm/slub.c:3523
[<ffffffff83ed869f>] __alloc_skb+0x1ef/0x230 net/core/skbuff.c:641
[<ffffffff845473ef>] alloc_skb include/linux/skbuff.h:1286 [inline]
[<ffffffff845473ef>] j1939_session_fresh_new net/can/j1939/transport.c:1535 [inline]
[<ffffffff845473ef>] j1939_xtp_rx_rts_session_new net/can/j1939/transport.c:1631 [inline]
[<ffffffff845473ef>] j1939_xtp_rx_rts+0x49f/0xa50 net/can/j1939/transport.c:1735
[<ffffffff84547ea5>] j1939_tp_cmd_recv net/can/j1939/transport.c:2057 [inline]
[<ffffffff84547ea5>] j1939_tp_recv+0x1b5/0x7f0 net/can/j1939/transport.c:2144
[<ffffffff8453e3f9>] j1939_can_recv+0x349/0x4e0 net/can/j1939/main.c:112
[<ffffffff8452eea4>] deliver net/can/af_can.c:572 [inline]
[<ffffffff8452eea4>] can_rcv_filter+0xd4/0x290 net/can/af_can.c:606
[<ffffffff8452f560>] can_receive+0xf0/0x140 net/can/af_can.c:663
[<ffffffff8452f6a0>] can_rcv+0xf0/0x130 net/can/af_can.c:687
[<ffffffff83f10bf6>] __netif_receive_skb_one_core+0x66/0x90 net/core/dev.c:5529
[<ffffffff83f10c6d>] __netif_receive_skb+0x1d/0x90 net/core/dev.c:5643
[<ffffffff83f10fcc>] process_backlog+0xbc/0x190 net/core/dev.c:5971
[<ffffffff83f1215e>] __napi_poll+0x3e/0x310 net/core/dev.c:6533
[<ffffffff83f12b78>] napi_poll net/core/dev.c:6602 [inline]
[<ffffffff83f12b78>] net_rx_action+0x3d8/0x510 net/core/dev.c:6735
[<ffffffff84b8974d>] __do_softirq+0xbd/0x2b0 kernel/softirq.c:553
BUG: memory leak
unreferenced object 0xffff88811f340000 (size 131072):
comm "softirq", pid 0, jiffies 4294947604 (age 10.850s)
hex dump (first 32 bytes):
0e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff8157e703>] __kmalloc_large_node+0xe3/0x170 mm/slab_common.c:1157
[<ffffffff8157ecbb>] __do_kmalloc_node mm/slab_common.c:995 [inline]
[<ffffffff8157ecbb>] __kmalloc_node_track_caller+0xbb/0x150 mm/slab_common.c:1027
[<ffffffff83ed49a6>] kmalloc_reserve+0x96/0x170 net/core/skbuff.c:582
[<ffffffff83ed8585>] __alloc_skb+0xd5/0x230 net/core/skbuff.c:651
[<ffffffff845473ef>] alloc_skb include/linux/skbuff.h:1286 [inline]
[<ffffffff845473ef>] j1939_session_fresh_new net/can/j1939/transport.c:1535 [inline]
[<ffffffff845473ef>] j1939_xtp_rx_rts_session_new net/can/j1939/transport.c:1631 [inline]
[<ffffffff845473ef>] j1939_xtp_rx_rts+0x49f/0xa50 net/can/j1939/transport.c:1735
[<ffffffff84547ea5>] j1939_tp_cmd_recv net/can/j1939/transport.c:2057 [inline]
[<ffffffff84547ea5>] j1939_tp_recv+0x1b5/0x7f0 net/can/j1939/transport.c:2144
[<ffffffff8453e3f9>] j1939_can_recv+0x349/0x4e0 net/can/j1939/main.c:112
[<ffffffff8452eea4>] deliver net/can/af_can.c:572 [inline]
[<ffffffff8452eea4>] can_rcv_filter+0xd4/0x290 net/can/af_can.c:606
[<ffffffff8452f560>] can_receive+0xf0/0x140 net/can/af_can.c:663
[<ffffffff8452f6a0>] can_rcv+0xf0/0x130 net/can/af_can.c:687
[<ffffffff83f10bf6>] __netif_receive_skb_one_core+0x66/0x90 net/core/dev.c:5529
[<ffffffff83f10c6d>] __netif_receive_skb+0x1d/0x90 net/core/dev.c:5643
[<ffffffff83f10fcc>] process_backlog+0xbc/0x190 net/core/dev.c:5971
[<ffffffff83f1215e>] __napi_poll+0x3e/0x310 net/core/dev.c:6533
[<ffffffff83f12b78>] napi_poll net/core/dev.c:6602 [inline]
[<ffffffff83f12b78>] net_rx_action+0x3d8/0x510 net/core/dev.c:6735
[<ffffffff84b8974d>] __do_softirq+0xbd/0x2b0 kernel/softirq.c:553
BUG: memory leak
unreferenced object 0xffff88811dbb7400 (size 512):
comm "softirq", pid 0, jiffies 4294947604 (age 10.850s)
hex dump (first 32 bytes):
00 40 32 1f 81 88 ff ff 28 50 32 1f 81 88 ff ff .@2.....(P2.....
28 50 32 1f 81 88 ff ff 18 74 bb 1d 81 88 ff ff (P2......t......
backtrace:
[<ffffffff816339bd>] kmemleak_alloc_recursive include/linux/kmemleak.h:42 [inline]
[<ffffffff816339bd>] slab_post_alloc_hook mm/slab.h:766 [inline]
[<ffffffff816339bd>] slab_alloc_node mm/slub.c:3478 [inline]
[<ffffffff816339bd>] __kmem_cache_alloc_node+0x2dd/0x3f0 mm/slub.c:3517
[<ffffffff8157e845>] kmalloc_trace+0x25/0x90 mm/slab_common.c:1098
[<ffffffff84542463>] kmalloc include/linux/slab.h:600 [inline]
[<ffffffff84542463>] kzalloc include/linux/slab.h:721 [inline]
[<ffffffff84542463>] j1939_session_new+0x53/0x140 net/can/j1939/transport.c:1494
[<ffffffff84547485>] j1939_session_fresh_new net/can/j1939/transport.c:1546 [inline]
[<ffffffff84547485>] j1939_xtp_rx_rts_session_new net/can/j1939/transport.c:1631 [inline]
[<ffffffff84547485>] j1939_xtp_rx_rts+0x535/0xa50 net/can/j1939/transport.c:1735
[<ffffffff84547ea5>] j1939_tp_cmd_recv net/can/j1939/transport.c:2057 [inline]
[<ffffffff84547ea5>] j1939_tp_recv+0x1b5/0x7f0 net/can/j1939/transport.c:2144
[<ffffffff8453e3f9>] j1939_can_recv+0x349/0x4e0 net/can/j1939/main.c:112
[<ffffffff8452eea4>] deliver net/can/af_can.c:572 [inline]
[<ffffffff8452eea4>] can_rcv_filter+0xd4/0x290 net/can/af_can.c:606
[<ffffffff8452f560>] can_receive+0xf0/0x140 net/can/af_can.c:663
[<ffffffff8452f6a0>] can_rcv+0xf0/0x130 net/can/af_can.c:687
[<ffffffff83f10bf6>] __netif_receive_skb_one_core+0x66/0x90 net/core/dev.c:5529
[<ffffffff83f10c6d>] __netif_receive_skb+0x1d/0x90 net/core/dev.c:5643
[<ffffffff83f10fcc>] process_backlog+0xbc/0x190 net/core/dev.c:5971
[<ffffffff83f1215e>] __napi_poll+0x3e/0x310 net/core/dev.c:6533
[<ffffffff83f12b78>] napi_poll net/core/dev.c:6602 [inline]
[<ffffffff83f12b78>] net_rx_action+0x3d8/0x510 net/core/dev.c:6735
[<ffffffff84b8974d>] __do_softirq+0xbd/0x2b0 kernel/softirq.c:553
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
next reply other threads:[~2023-11-25 2:45 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-25 2:45 syzbot [this message]
2024-01-19 13:27 ` [syzbot] [syzbot] [can?] memory leak in j1939_netdev_start syzbot
2024-01-23 9:12 ` Edward Adam Davis
2024-01-23 9:24 ` syzbot
2024-01-23 9:39 ` Edward Adam Davis
2024-01-23 10:05 ` syzbot
2024-01-24 1:24 ` Edward Adam Davis
2024-01-24 2:51 ` syzbot
2025-12-21 7:58 ` syzbot
[not found] <20240119132659.3158-1-n.zhandarovich@fintech.ru>
2024-01-19 14:23 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=00000000000060446d060af10f08@google.com \
--to=syzbot+1d37bef05da87b99c5a6@syzkaller.appspotmail.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=kernel@pengutronix.de \
--cc=kuba@kernel.org \
--cc=linux-can@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mkl@pengutronix.de \
--cc=netdev@vger.kernel.org \
--cc=o.rempel@pengutronix.de \
--cc=pabeni@redhat.com \
--cc=robin@protonic.nl \
--cc=socketcan@hartkopp.net \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.