From: Hawkins Jiawei <yin31149@gmail.com>
To: syzbot+232ebdbd36706c965ebf@syzkaller.appspotmail.com,
Jamal Hadi Salim <jhs@mojatatu.com>,
Cong Wang <xiyou.wangcong@gmail.com>,
Jiri Pirko <jiri@resnulli.us>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>
Cc: johannes@sipsolutions.net, linux-kernel@vger.kernel.org,
linux-wireless@vger.kernel.org, netdev@vger.kernel.org,
syzkaller-bugs@googlegroups.com, 18801353760@163.com,
yin31149@gmail.com
Subject: Re: [syzbot] memory leak in regulatory_hint_core
Date: Sun, 30 Oct 2022 00:14:17 +0800 [thread overview]
Message-ID: <20221029161418.2709-1-yin31149@gmail.com> (raw)
In-Reply-To: <0000000000001de5c505ebc9ec59@google.com>
Hi,
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: aae703b02f92 Merge tag 'for-6.1-rc1-tag' of git://git.kern..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=113ed1b4880000
> kernel config: https://syzkaller.appspot.com/x/.config?x=d2f454d7d3b63980
> dashboard link: https://syzkaller.appspot.com/bug?extid=232ebdbd36706c965ebf
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=124b8de2880000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12ae6a4a880000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/a6542869e73f/disk-aae703b0.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/1a8ac40b2df8/vmlinux-aae703b0.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+232ebdbd36706c965ebf@syzkaller.appspotmail.com
>
> executing program
> BUG: memory leak
> unreferenced object 0xffff8881450a3900 (size 64):
> comm "swapper/0", pid 1, jiffies 4294937964 (age 66.260s)
> hex dump (first 32 bytes):
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> ff ff ff ff 00 00 00 00 00 00 00 00 30 30 00 00 ............00..
> backtrace:
> [<ffffffff814cf9f0>] kmalloc_trace+0x20/0x90 mm/slab_common.c:1046
> [<ffffffff84070f62>] kmalloc include/linux/slab.h:576 [inline]
> [<ffffffff84070f62>] kzalloc include/linux/slab.h:712 [inline]
> [<ffffffff84070f62>] regulatory_hint_core+0x22/0x60 net/wireless/reg.c:3242
> [<ffffffff8722bfc1>] regulatory_init_db+0x222/0x2de net/wireless/reg.c:4312
> [<ffffffff81000fde>] do_one_initcall+0x5e/0x2e0 init/main.c:1303
> [<ffffffff8718db35>] do_initcall_level init/main.c:1376 [inline]
> [<ffffffff8718db35>] do_initcalls init/main.c:1392 [inline]
> [<ffffffff8718db35>] do_basic_setup init/main.c:1411 [inline]
> [<ffffffff8718db35>] kernel_init_freeable+0x255/0x2cf init/main.c:1631
> [<ffffffff8460cb9a>] kernel_init+0x1a/0x1c0 init/main.c:1519
> [<ffffffff8100224f>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
>
> BUG: memory leak
> unreferenced object 0xffff88810c287f00 (size 256):
> comm "syz-executor105", pid 3600, jiffies 4294943292 (age 12.990s)
> hex dump (first 32 bytes):
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> backtrace:
> [<ffffffff814cf9f0>] kmalloc_trace+0x20/0x90 mm/slab_common.c:1046
> [<ffffffff839c9e07>] kmalloc include/linux/slab.h:576 [inline]
> [<ffffffff839c9e07>] kmalloc_array include/linux/slab.h:627 [inline]
> [<ffffffff839c9e07>] kcalloc include/linux/slab.h:659 [inline]
> [<ffffffff839c9e07>] tcf_exts_init include/net/pkt_cls.h:250 [inline]
> [<ffffffff839c9e07>] tcindex_set_parms+0xa7/0xbe0 net/sched/cls_tcindex.c:342
> [<ffffffff839caa1f>] tcindex_change+0xdf/0x120 net/sched/cls_tcindex.c:553
> [<ffffffff8394db62>] tc_new_tfilter+0x4f2/0x1100 net/sched/cls_api.c:2147
> [<ffffffff8389e91c>] rtnetlink_rcv_msg+0x4dc/0x5d0 net/core/rtnetlink.c:6082
> [<ffffffff839eba67>] netlink_rcv_skb+0x87/0x1d0 net/netlink/af_netlink.c:2540
> [<ffffffff839eab87>] netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
> [<ffffffff839eab87>] netlink_unicast+0x397/0x4c0 net/netlink/af_netlink.c:1345
> [<ffffffff839eb046>] netlink_sendmsg+0x396/0x710 net/netlink/af_netlink.c:1921
> [<ffffffff8383e796>] sock_sendmsg_nosec net/socket.c:714 [inline]
> [<ffffffff8383e796>] sock_sendmsg+0x56/0x80 net/socket.c:734
> [<ffffffff8383eb08>] ____sys_sendmsg+0x178/0x410 net/socket.c:2482
> [<ffffffff83843678>] ___sys_sendmsg+0xa8/0x110 net/socket.c:2536
> [<ffffffff838439c5>] __sys_sendmmsg+0x105/0x330 net/socket.c:2622
> [<ffffffff83843c14>] __do_sys_sendmmsg net/socket.c:2651 [inline]
> [<ffffffff83843c14>] __se_sys_sendmmsg net/socket.c:2648 [inline]
> [<ffffffff83843c14>] __x64_sys_sendmmsg+0x24/0x30 net/socket.c:2648
> [<ffffffff84605fd5>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> [<ffffffff84605fd5>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
> [<ffffffff84800087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
>
> BUG: memory leak
> unreferenced object 0xffff88810c287e00 (size 256):
> comm "syz-executor105", pid 3600, jiffies 4294943292 (age 12.990s)
> hex dump (first 32 bytes):
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> backtrace:
> [<ffffffff814cf9f0>] kmalloc_trace+0x20/0x90 mm/slab_common.c:1046
> [<ffffffff839c9e07>] kmalloc include/linux/slab.h:576 [inline]
> [<ffffffff839c9e07>] kmalloc_array include/linux/slab.h:627 [inline]
> [<ffffffff839c9e07>] kcalloc include/linux/slab.h:659 [inline]
> [<ffffffff839c9e07>] tcf_exts_init include/net/pkt_cls.h:250 [inline]
> [<ffffffff839c9e07>] tcindex_set_parms+0xa7/0xbe0 net/sched/cls_tcindex.c:342
> [<ffffffff839caa1f>] tcindex_change+0xdf/0x120 net/sched/cls_tcindex.c:553
> [<ffffffff8394db62>] tc_new_tfilter+0x4f2/0x1100 net/sched/cls_api.c:2147
> [<ffffffff8389e91c>] rtnetlink_rcv_msg+0x4dc/0x5d0 net/core/rtnetlink.c:6082
> [<ffffffff839eba67>] netlink_rcv_skb+0x87/0x1d0 net/netlink/af_netlink.c:2540
> [<ffffffff839eab87>] netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
> [<ffffffff839eab87>] netlink_unicast+0x397/0x4c0 net/netlink/af_netlink.c:1345
> [<ffffffff839eb046>] netlink_sendmsg+0x396/0x710 net/netlink/af_netlink.c:1921
> [<ffffffff8383e796>] sock_sendmsg_nosec net/socket.c:714 [inline]
> [<ffffffff8383e796>] sock_sendmsg+0x56/0x80 net/socket.c:734
> [<ffffffff8383eb08>] ____sys_sendmsg+0x178/0x410 net/socket.c:2482
> [<ffffffff83843678>] ___sys_sendmsg+0xa8/0x110 net/socket.c:2536
> [<ffffffff838439c5>] __sys_sendmmsg+0x105/0x330 net/socket.c:2622
> [<ffffffff83843c14>] __do_sys_sendmmsg net/socket.c:2651 [inline]
> [<ffffffff83843c14>] __se_sys_sendmmsg net/socket.c:2648 [inline]
> [<ffffffff83843c14>] __x64_sys_sendmmsg+0x24/0x30 net/socket.c:2648
> [<ffffffff84605fd5>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> [<ffffffff84605fd5>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
> [<ffffffff84800087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
>
> BUG: memory leak
> unreferenced object 0xffff88810c1c6d00 (size 256):
> comm "syz-executor105", pid 3601, jiffies 4294943831 (age 7.600s)
> hex dump (first 32 bytes):
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> backtrace:
> [<ffffffff814cf9f0>] kmalloc_trace+0x20/0x90 mm/slab_common.c:1046
> [<ffffffff839c9e07>] kmalloc include/linux/slab.h:576 [inline]
> [<ffffffff839c9e07>] kmalloc_array include/linux/slab.h:627 [inline]
> [<ffffffff839c9e07>] kcalloc include/linux/slab.h:659 [inline]
> [<ffffffff839c9e07>] tcf_exts_init include/net/pkt_cls.h:250 [inline]
> [<ffffffff839c9e07>] tcindex_set_parms+0xa7/0xbe0 net/sched/cls_tcindex.c:342
> [<ffffffff839caa1f>] tcindex_change+0xdf/0x120 net/sched/cls_tcindex.c:553
> [<ffffffff8394db62>] tc_new_tfilter+0x4f2/0x1100 net/sched/cls_api.c:2147
> [<ffffffff8389e91c>] rtnetlink_rcv_msg+0x4dc/0x5d0 net/core/rtnetlink.c:6082
> [<ffffffff839eba67>] netlink_rcv_skb+0x87/0x1d0 net/netlink/af_netlink.c:2540
> [<ffffffff839eab87>] netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
> [<ffffffff839eab87>] netlink_unicast+0x397/0x4c0 net/netlink/af_netlink.c:1345
> [<ffffffff839eb046>] netlink_sendmsg+0x396/0x710 net/netlink/af_netlink.c:1921
> [<ffffffff8383e796>] sock_sendmsg_nosec net/socket.c:714 [inline]
> [<ffffffff8383e796>] sock_sendmsg+0x56/0x80 net/socket.c:734
> [<ffffffff8383eb08>] ____sys_sendmsg+0x178/0x410 net/socket.c:2482
> [<ffffffff83843678>] ___sys_sendmsg+0xa8/0x110 net/socket.c:2536
> [<ffffffff838439c5>] __sys_sendmmsg+0x105/0x330 net/socket.c:2622
> [<ffffffff83843c14>] __do_sys_sendmmsg net/socket.c:2651 [inline]
> [<ffffffff83843c14>] __se_sys_sendmmsg net/socket.c:2648 [inline]
> [<ffffffff83843c14>] __x64_sys_sendmmsg+0x24/0x30 net/socket.c:2648
> [<ffffffff84605fd5>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> [<ffffffff84605fd5>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
> [<ffffffff84800087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
This bug seems to be related to tcindex_set_parms().
To be more specific, kernel should release the old_r->exts before
initializing it. Let us test it.
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
aae703b02f92bde9264366c545e87cec451de471
diff --git a/net/sched/cls_tcindex.c b/net/sched/cls_tcindex.c
index 1c9eeb98d826..00a6c04a4b42 100644
--- a/net/sched/cls_tcindex.c
+++ b/net/sched/cls_tcindex.c
@@ -479,6 +479,7 @@ tcindex_set_parms(struct net *net, struct tcf_proto *tp, unsigned long base,
}
if (old_r && old_r != r) {
+ tcf_exts_destroy(&old_r->exts);
err = tcindex_filter_result_init(old_r, cp, net);
if (err < 0) {
kfree(f);
next prev parent reply other threads:[~2022-10-29 16:15 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-24 16:02 [syzbot] memory leak in regulatory_hint_core syzbot
2022-10-29 16:14 ` Hawkins Jiawei [this message]
2022-10-30 5:41 ` syzbot
2022-10-30 15:36 ` Hawkins Jiawei
2022-10-31 5:18 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221029161418.2709-1-yin31149@gmail.com \
--to=yin31149@gmail.com \
--cc=18801353760@163.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=jhs@mojatatu.com \
--cc=jiri@resnulli.us \
--cc=johannes@sipsolutions.net \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=syzbot+232ebdbd36706c965ebf@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).