From: syzbot <syzbot+f238baf6ded841b5a82e@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com,
xiaopei01@kylinos.cn, xiaopeitux@foxmail.com
Subject: Re: [syzbot] [comedi?] memory leak in do_cmd_ioctl
Date: Mon, 15 Dec 2025 00:05:02 -0800
Message-ID: <693fc12e.a70a0220.104cf0.0338.GAE@google.com>
In-Reply-To: <tencent_BDAF5235437278899CF4CDF1BAC24718700A@qq.com>
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel paging request in do_cmd_ioctl
BUG: unable to handle page fault for address: ffffec5e00000008
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP PTI
CPU: 1 UID: 0 PID: 6735 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:page_slab mm/slab.h:142 [inline]
RIP: 0010:kfree+0x6c/0x3d0 mm/slub.c:6869
Code: 80 48 01 df 0f 82 6a 03 00 00 48 c7 c0 00 00 00 80 48 2b 05 66 9b 14 05 48 01 c7 48 c1 ef 0c 48 c1 e7 06 48 03 3d 44 9b 14 05 <48> 8b 47 08 a8 01 4c 8d 60 ff 4c 0f 44 e7 41 80 7c 24 33 f5 0f 85
RSP: 0018:ffffc9000217fd50 EFLAGS: 00010286
RAX: 0000777f80000000 RBX: 00002000000000c0 RCX: ffffffff844b815c
RDX: ffff8881244d9180 RSI: ffffffff844ab69a RDI: ffffec5e00000000
RBP: ffffc9000217fda0 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000010 R11: ffffffff81000130 R12: ffff8881136bc198
R13: ffff8881458db700 R14: ffff8881458db500 R15: ffffc9000217fe28
FS: 00007feb67bfe6c0(0000) GS:ffff8881b266b000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffec5e00000008 CR3: 000000010a316000 CR4: 00000000003526f0
Call Trace:
<TASK>
do_cmd_ioctl.part.0+0x18a/0x360 drivers/comedi/comedi_fops.c:1896
do_cmd_ioctl drivers/comedi/comedi_fops.c:1858 [inline]
comedi_unlocked_ioctl+0xdea/0x1300 drivers/comedi/comedi_fops.c:2321
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7feb6858f749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007feb67bfe038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007feb687e5fa0 RCX: 00007feb6858f749
RDX: 0000200000000180 RSI: 0000000080506409 RDI: 0000000000000003
RBP: 00007feb68613f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007feb687e6038 R14: 00007feb687e5fa0 R15: 00007fff6cee0be8
</TASK>
Modules linked in:
CR2: ffffec5e00000008
---[ end trace 0000000000000000 ]---
RIP: 0010:page_slab mm/slab.h:142 [inline]
RIP: 0010:kfree+0x6c/0x3d0 mm/slub.c:6869
Code: 80 48 01 df 0f 82 6a 03 00 00 48 c7 c0 00 00 00 80 48 2b 05 66 9b 14 05 48 01 c7 48 c1 ef 0c 48 c1 e7 06 48 03 3d 44 9b 14 05 <48> 8b 47 08 a8 01 4c 8d 60 ff 4c 0f 44 e7 41 80 7c 24 33 f5 0f 85
RSP: 0018:ffffc9000217fd50 EFLAGS: 00010286
RAX: 0000777f80000000 RBX: 00002000000000c0 RCX: ffffffff844b815c
RDX: ffff8881244d9180 RSI: ffffffff844ab69a RDI: ffffec5e00000000
RBP: ffffc9000217fda0 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000010 R11: ffffffff81000130 R12: ffff8881136bc198
R13: ffff8881458db700 R14: ffff8881458db500 R15: ffffc9000217fe28
FS: 00007feb67bfe6c0(0000) GS:ffff8881b266b000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffec5e00000008 CR3: 000000010a316000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
0: 80 48 01 df orb $0xdf,0x1(%rax)
4: 0f 82 6a 03 00 00 jb 0x374
a: 48 c7 c0 00 00 00 80 mov $0xffffffff80000000,%rax
11: 48 2b 05 66 9b 14 05 sub 0x5149b66(%rip),%rax # 0x5149b7e
18: 48 01 c7 add %rax,%rdi
1b: 48 c1 ef 0c shr $0xc,%rdi
1f: 48 c1 e7 06 shl $0x6,%rdi
23: 48 03 3d 44 9b 14 05 add 0x5149b44(%rip),%rdi # 0x5149b6e
* 2a: 48 8b 47 08 mov 0x8(%rdi),%rax <-- trapping instruction
2e: a8 01 test $0x1,%al
30: 4c 8d 60 ff lea -0x1(%rax),%r12
34: 4c 0f 44 e7 cmove %rdi,%r12
38: 41 80 7c 24 33 f5 cmpb $0xf5,0x33(%r12)
3e: 0f .byte 0xf
3f: 85 .byte 0x85
Tested on:
commit: 8f0b4cce Linux 6.19-rc1
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16bd411a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=d60836e327fd6756
dashboard link: https://syzkaller.appspot.com/bug?extid=f238baf6ded841b5a82e
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=166d411a580000