From: Daniel Borkmann <daniel@iogearbox.net>
To: Eric Dumazet <eric.dumazet@gmail.com>,
Dmitry Vyukov <dvyukov@google.com>
Cc: "David S. Miller" <davem@davemloft.net>,
Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>,
James Morris <jmorris@namei.org>,
Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
Patrick McHardy <kaber@trash.net>,
netdev <netdev@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
Vlad Yasevich <vyasevich@gmail.com>,
Neil Horman <nhorman@tuxdriver.com>,
linux-sctp@vger.kernel.org,
syzkaller <syzkaller@googlegroups.com>,
Kostya Serebryany <kcc@google.com>,
Alexander Potapenko <glider@google.com>,
Sasha Levin <sasha.levin@oracle.com>,
Eric Dumazet <edumazet@google.com>
Subject: Re: memory leak in do_ipv6_setsockopt
Date: Tue, 01 Dec 2015 15:07:58 +0100 [thread overview]
Message-ID: <565DA9BE.3060006@iogearbox.net> (raw)
In-Reply-To: <1448977016.25582.18.camel@edumazet-glaptop2.roam.corp.google.com>
On 12/01/2015 02:36 PM, Eric Dumazet wrote:
> On Tue, 2015-12-01 at 13:27 +0100, Dmitry Vyukov wrote:
>> Hello,
>>
>> The following program causes a memory leak :
>>
>> // autogenerated by syzkaller (http://github.com/google/syzkaller)
>> #include <syscall.h>
>> #include <sys/types.h>
>> #include <sys/socket.h>
>> #include <string.h>
>> #include <stdint.h>
>> #include <linux/in.h>
>> #include <linux/socket.h>
>>
>> int main()
>> {
>> long r1 = syscall(SYS_socket, PF_INET6,
>> SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_SCTP);
>> const char *opt = "\x15\x53\x5e\x2d\x97\xab\xe1";
>> long r3 = syscall(SYS_setsockopt, r1, 0x29ul, 0x6ul, opt, 0x7ul);
>> return 0;
>> }
>>
>>
>> unreferenced object 0xffff880039a55260 (size 64):
>> comm "executor", pid 11746, jiffies 4298984475 (age 16.078s)
>> hex dump (first 32 bytes):
>> 2f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 /...............
>> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>> backtrace:
>> [< inline >] kmalloc include/linux/slab.h:463
>> [<ffffffff848a2f5f>] sock_kmalloc+0x7f/0xc0 net/core/sock.c:1774
>> [<ffffffff84e5bea0>] do_ipv6_setsockopt.isra.7+0x15d0/0x2830
>> net/ipv6/ipv6_sockglue.c:483
>> [<ffffffff84e5d19b>] ipv6_setsockopt+0x9b/0x140 net/ipv6/ipv6_sockglue.c:885
>> [<ffffffff8544616c>] sctp_setsockopt+0x15c/0x36c0 net/sctp/socket.c:3702
>> [<ffffffff848a2035>] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2645
>> [< inline >] SYSC_setsockopt net/socket.c:1757
>> [<ffffffff8489f1d8>] SyS_setsockopt+0x158/0x240 net/socket.c:1736
>>
>>
>> I confirmed that running this program in a loop steadily increases
>> number of objects in kmalloc-64 slab. The leak does not happen with
>> IPPROTO_TCP, so probably it is sctp-related.
>
> Thanks for the report.
>
> Probably fixed by :
>
> diff --git a/net/sctp/socket.c b/net/sctp/socket.c
> index 897c01c029ca..8079ecd8465d 100644
> --- a/net/sctp/socket.c
> +++ b/net/sctp/socket.c
> @@ -7375,6 +7375,12 @@ struct proto sctp_prot = {
>
> #if IS_ENABLED(CONFIG_IPV6)
>
> +static void sctp_v6_destroy_sock(struct sock *sk)
> +{
> + sctp_destroy_sock(sk);
> + inet6_destroy_sock(sk);
> +}
Yeah, we miss inet6_destroy_sock() in SCTP. :-(
Looks good to me.
> struct proto sctpv6_prot = {
> .name = "SCTPv6",
> .owner = THIS_MODULE,
> @@ -7384,7 +7390,7 @@ struct proto sctpv6_prot = {
> .accept = sctp_accept,
> .ioctl = sctp_ioctl,
> .init = sctp_init_sock,
> - .destroy = sctp_destroy_sock,
> + .destroy = sctp_v6_destroy_sock,
> .shutdown = sctp_shutdown,
> .setsockopt = sctp_setsockopt,
> .getsockopt = sctp_getsockopt,
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
>
next prev parent reply other threads:[~2015-12-01 14:08 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-01 12:27 memory leak in do_ipv6_setsockopt Dmitry Vyukov
2015-12-01 13:36 ` Eric Dumazet
2015-12-01 14:07 ` Daniel Borkmann [this message]
2015-12-01 14:16 ` Eric Dumazet
2015-12-01 14:24 ` Daniel Borkmann
2015-12-01 14:38 ` Eric Dumazet
2015-12-01 14:49 ` Daniel Borkmann
2015-12-01 15:20 ` [PATCH net] ipv6: sctp: implement sctp_v6_destroy_sock() Eric Dumazet
2015-12-01 15:55 ` Daniel Borkmann
2015-12-03 17:06 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=565DA9BE.3060006@iogearbox.net \
--to=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=dvyukov@google.com \
--cc=edumazet@google.com \
--cc=eric.dumazet@gmail.com \
--cc=glider@google.com \
--cc=jmorris@namei.org \
--cc=kaber@trash.net \
--cc=kcc@google.com \
--cc=kuznet@ms2.inr.ac.ru \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-sctp@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=nhorman@tuxdriver.com \
--cc=sasha.levin@oracle.com \
--cc=syzkaller@googlegroups.com \
--cc=vyasevich@gmail.com \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).