[syzbot] [bluetooth?] memory leak in prepare_creds (4)

[syzbot] [bluetooth?] memory leak in prepare_creds (4)

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    6465e260f487 Linux 6.6-rc3
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11b402cc680000
kernel config:  https://syzkaller.appspot.com/x/.config?x=aa96152f5a3192e3
dashboard link: https://syzkaller.appspot.com/bug?extid=2a478080bd86d36bb5ea
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11d97bd4680000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/8d4a973843e8/disk-6465e260.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/7d5718938500/vmlinux-6465e260.xz
kernel image: https://storage.googleapis.com/syzbot-assets/409606a5d458/bzImage-6465e260.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2a478080bd86d36bb5ea@syzkaller.appspotmail.com

BUG: memory leak
unreferenced object 0xffff888120320240 (size 192):
  comm "syz-executor.1", pid 5087, jiffies 4294976980 (age 8.630s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff812deb3b>] prepare_creds+0x2b/0x460 kernel/cred.c:263
    [<ffffffff812df934>] copy_creds+0x44/0x2c0 kernel/cred.c:368
    [<ffffffff81290f0a>] copy_process+0x6aa/0x2570 kernel/fork.c:2361
    [<ffffffff81292f7b>] kernel_clone+0x11b/0x690 kernel/fork.c:2909
    [<ffffffff8129356c>] __do_sys_clone+0x7c/0xb0 kernel/fork.c:3052
    [<ffffffff84b32fc8>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    [<ffffffff84b32fc8>] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
    [<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd

BUG: memory leak
unreferenced object 0xffff8881009e7dc0 (size 16):
  comm "syz-executor.1", pid 5087, jiffies 4294976980 (age 8.630s)
  hex dump (first 16 bytes):
    00 00 00 00 00 00 00 00 a8 dd 07 00 81 88 ff ff  ................
  backtrace:
    [<ffffffff815748bb>] __do_kmalloc_node mm/slab_common.c:1022 [inline]
    [<ffffffff815748bb>] __kmalloc+0x4b/0x150 mm/slab_common.c:1036
    [<ffffffff82349a61>] kmalloc include/linux/slab.h:603 [inline]
    [<ffffffff82349a61>] kzalloc include/linux/slab.h:720 [inline]
    [<ffffffff82349a61>] lsm_cred_alloc security/security.c:577 [inline]
    [<ffffffff82349a61>] security_prepare_creds+0x121/0x140 security/security.c:2950
    [<ffffffff812dedec>] prepare_creds+0x2dc/0x460 kernel/cred.c:294
    [<ffffffff812df934>] copy_creds+0x44/0x2c0 kernel/cred.c:368
    [<ffffffff81290f0a>] copy_process+0x6aa/0x2570 kernel/fork.c:2361
    [<ffffffff81292f7b>] kernel_clone+0x11b/0x690 kernel/fork.c:2909
    [<ffffffff8129356c>] __do_sys_clone+0x7c/0xb0 kernel/fork.c:3052
    [<ffffffff84b32fc8>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    [<ffffffff84b32fc8>] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
    [<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd

BUG: memory leak
unreferenced object 0xffff88812014a7e0 (size 96):
  comm "kworker/0:5", pid 5153, jiffies 4294977028 (age 8.150s)
  hex dump (first 32 bytes):
    fa 50 25 82 2e 06 06 00 00 00 00 00 00 00 00 00  .P%.............
    00 00 00 00 00 00 00 00 28 00 00 00 01 00 06 10  ........(.......
  backtrace:
    [<ffffffff815748bb>] __do_kmalloc_node mm/slab_common.c:1022 [inline]
    [<ffffffff815748bb>] __kmalloc+0x4b/0x150 mm/slab_common.c:1036
    [<ffffffff8474bca8>] kmalloc include/linux/slab.h:603 [inline]
    [<ffffffff8474bca8>] kzalloc include/linux/slab.h:720 [inline]
    [<ffffffff8474bca8>] cfg80211_inform_single_bss_frame_data+0x198/0x8d0 net/wireless/scan.c:2852
    [<ffffffff8474e2fd>] cfg80211_inform_bss_frame_data+0x6d/0x140 net/wireless/scan.c:2912
    [<ffffffff84801ec7>] ieee80211_bss_info_update+0x177/0x320 net/mac80211/scan.c:211
    [<ffffffff848110c4>] ieee80211_rx_bss_info net/mac80211/ibss.c:1124 [inline]
    [<ffffffff848110c4>] ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1613 [inline]
    [<ffffffff848110c4>] ieee80211_ibss_rx_queued_mgmt+0x894/0x1210 net/mac80211/ibss.c:1642
    [<ffffffff84813c81>] ieee80211_iface_process_skb net/mac80211/iface.c:1604 [inline]
    [<ffffffff84813c81>] ieee80211_iface_work+0x601/0x790 net/mac80211/iface.c:1658
    [<ffffffff84731458>] cfg80211_wiphy_work+0xf8/0x110 net/wireless/core.c:435
    [<ffffffff812c8d9d>] process_one_work+0x23d/0x530 kernel/workqueue.c:2630
    [<ffffffff812c9947>] process_scheduled_works kernel/workqueue.c:2703 [inline]
    [<ffffffff812c9947>] worker_thread+0x327/0x590 kernel/workqueue.c:2784
    [<ffffffff812d6e1b>] kthread+0x12b/0x170 kernel/kthread.c:388
    [<ffffffff81149f25>] ret_from_fork+0x45/0x50 arch/x86/kernel/process.c:147
    [<ffffffff81002be1>] ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304

BUG: memory leak
unreferenced object 0xffff88812014a780 (size 96):
  comm "kworker/0:5", pid 5153, jiffies 4294977028 (age 8.150s)
  hex dump (first 32 bytes):
    5c 51 25 82 2e 06 06 00 00 00 00 00 00 00 00 00  \Q%.............
    00 00 00 00 00 00 00 00 28 00 00 00 01 00 06 10  ........(.......
  backtrace:
    [<ffffffff815748bb>] __do_kmalloc_node mm/slab_common.c:1022 [inline]
    [<ffffffff815748bb>] __kmalloc+0x4b/0x150 mm/slab_common.c:1036
    [<ffffffff8474bca8>] kmalloc include/linux/slab.h:603 [inline]
    [<ffffffff8474bca8>] kzalloc include/linux/slab.h:720 [inline]
    [<ffffffff8474bca8>] cfg80211_inform_single_bss_frame_data+0x198/0x8d0 net/wireless/scan.c:2852
    [<ffffffff8474e2fd>] cfg80211_inform_bss_frame_data+0x6d/0x140 net/wireless/scan.c:2912
    [<ffffffff84801ec7>] ieee80211_bss_info_update+0x177/0x320 net/mac80211/scan.c:211
    [<ffffffff848110c4>] ieee80211_rx_bss_info net/mac80211/ibss.c:1124 [inline]
    [<ffffffff848110c4>] ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1613 [inline]
    [<ffffffff848110c4>] ieee80211_ibss_rx_queued_mgmt+0x894/0x1210 net/mac80211/ibss.c:1642
    [<ffffffff84813c81>] ieee80211_iface_process_skb net/mac80211/iface.c:1604 [inline]
    [<ffffffff84813c81>] ieee80211_iface_work+0x601/0x790 net/mac80211/iface.c:1658
    [<ffffffff84731458>] cfg80211_wiphy_work+0xf8/0x110 net/wireless/core.c:435
    [<ffffffff812c8d9d>] process_one_work+0x23d/0x530 kernel/workqueue.c:2630
    [<ffffffff812c9947>] process_scheduled_works kernel/workqueue.c:2703 [inline]
    [<ffffffff812c9947>] worker_thread+0x327/0x590 kernel/workqueue.c:2784
    [<ffffffff812d6e1b>] kthread+0x12b/0x170 kernel/kthread.c:388
    [<ffffffff81149f25>] ret_from_fork+0x45/0x50 arch/x86/kernel/process.c:147
    [<ffffffff81002be1>] ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304



---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] [bluetooth?] memory leak in prepare_creds (4)

[syzbot]

syzbot has found a reproducer for the following issue on:

HEAD commit:    13d88ac54ddd Merge tag 'vfs-6.7.fsid' of git://git.kernel...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10740c7b680000
kernel config:  https://syzkaller.appspot.com/x/.config?x=ecfdf78a410c834
dashboard link: https://syzkaller.appspot.com/bug?extid=2a478080bd86d36bb5ea
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12d8fd7f680000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=107b137f680000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/9bb27a01f17c/disk-13d88ac5.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/fb496feed171/vmlinux-13d88ac5.xz
kernel image: https://storage.googleapis.com/syzbot-assets/f4da22719ffa/bzImage-13d88ac5.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2a478080bd86d36bb5ea@syzkaller.appspotmail.com

Warning: Permanently added '10.128.0.113' (ED25519) to the list of known hosts.
executing program
executing program
BUG: memory leak
unreferenced object 0xffff888107c20600 (size 192):
  comm "syz-executor418", pid 5027, jiffies 4294942544 (age 13.100s)
  hex dump (first 32 bytes):
    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff81630798>] kmemleak_alloc_recursive include/linux/kmemleak.h:42 [inline]
    [<ffffffff81630798>] slab_post_alloc_hook mm/slab.h:766 [inline]
    [<ffffffff81630798>] slab_alloc_node mm/slub.c:3478 [inline]
    [<ffffffff81630798>] slab_alloc mm/slub.c:3486 [inline]
    [<ffffffff81630798>] __kmem_cache_alloc_lru mm/slub.c:3493 [inline]
    [<ffffffff81630798>] kmem_cache_alloc+0x298/0x430 mm/slub.c:3502
    [<ffffffff812e0d5b>] prepare_creds+0x2b/0x4e0 kernel/cred.c:269
    [<ffffffff812e17c4>] copy_creds+0x44/0x280 kernel/cred.c:373
    [<ffffffff812927ba>] copy_process+0x6aa/0x25c0 kernel/fork.c:2366
    [<ffffffff8129487b>] kernel_clone+0x11b/0x690 kernel/fork.c:2907
    [<ffffffff81294e6c>] __do_sys_clone+0x7c/0xb0 kernel/fork.c:3050
    [<ffffffff84b67d8f>] do_syscall_x64 arch/x86/entry/common.c:51 [inline]
    [<ffffffff84b67d8f>] do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
    [<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0x6b

BUG: memory leak
unreferenced object 0xffff888107470a80 (size 16):
  comm "syz-executor418", pid 5027, jiffies 4294942544 (age 13.100s)
  hex dump (first 16 bytes):
    00 00 00 00 00 00 00 00 00 c3 87 00 81 88 ff ff  ................
  backtrace:
    [<ffffffff8163331d>] kmemleak_alloc_recursive include/linux/kmemleak.h:42 [inline]
    [<ffffffff8163331d>] slab_post_alloc_hook mm/slab.h:766 [inline]
    [<ffffffff8163331d>] slab_alloc_node mm/slub.c:3478 [inline]
    [<ffffffff8163331d>] __kmem_cache_alloc_node+0x2dd/0x3f0 mm/slub.c:3517
    [<ffffffff8157e81b>] __do_kmalloc_node mm/slab_common.c:1006 [inline]
    [<ffffffff8157e81b>] __kmalloc+0x4b/0x150 mm/slab_common.c:1020
    [<ffffffff82364631>] kmalloc include/linux/slab.h:604 [inline]
    [<ffffffff82364631>] kzalloc include/linux/slab.h:721 [inline]
    [<ffffffff82364631>] lsm_cred_alloc security/security.c:577 [inline]
    [<ffffffff82364631>] security_prepare_creds+0x121/0x140 security/security.c:2950
    [<ffffffff812e1059>] prepare_creds+0x329/0x4e0 kernel/cred.c:300
    [<ffffffff812e17c4>] copy_creds+0x44/0x280 kernel/cred.c:373
    [<ffffffff812927ba>] copy_process+0x6aa/0x25c0 kernel/fork.c:2366
    [<ffffffff8129487b>] kernel_clone+0x11b/0x690 kernel/fork.c:2907
    [<ffffffff81294e6c>] __do_sys_clone+0x7c/0xb0 kernel/fork.c:3050
    [<ffffffff84b67d8f>] do_syscall_x64 arch/x86/entry/common.c:51 [inline]
    [<ffffffff84b67d8f>] do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
    [<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0x6b



---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.