lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <0000000000008183f605c85d9e9c@google.com>
Date:   Fri, 30 Jul 2021 14:08:20 -0700
From:   syzbot <syzbot+989efe781c74de1ddb54@...kaller.appspotmail.com>
To:     andrii@...nel.org, ast@...nel.org, bpf@...r.kernel.org,
        daniel@...earbox.net, davem@...emloft.net, edumazet@...gle.com,
        john.fastabend@...il.com, kafai@...com, kpsingh@...nel.org,
        kuba@...nel.org, linux-kernel@...r.kernel.org,
        netdev@...r.kernel.org, songliubraving@...com,
        syzkaller-bugs@...glegroups.com, tannerlove@...gle.com,
        willemb@...gle.com, xie.he.0141@...il.com, yhs@...com
Subject: [syzbot] memory leak in packet_sendmsg

Hello,

syzbot found the following issue on:

HEAD commit:    ff1176468d36 Linux 5.14-rc3
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15057fa2300000
kernel config:  https://syzkaller.appspot.com/x/.config?x=4ebfe83ba9ca8666
dashboard link: https://syzkaller.appspot.com/bug?extid=989efe781c74de1ddb54
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16e54382300000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+989efe781c74de1ddb54@...kaller.appspotmail.com

2021/07/26 20:48:07 executed programs: 1
2021/07/26 20:48:13 executed programs: 3
2021/07/26 20:48:19 executed programs: 5
BUG: memory leak
unreferenced object 0xffff88810f41be00 (size 232):
  comm "dhclient", pid 4908, jiffies 4294938558 (age 1092.590s)
  hex dump (first 32 bytes):
    a0 6c 13 19 81 88 ff ff a0 6c 13 19 81 88 ff ff  .l.......l......
    00 00 83 1a 81 88 ff ff 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff836e1e8f>] __alloc_skb+0x20f/0x280 net/core/skbuff.c:414
    [<ffffffff836ec6ba>] alloc_skb include/linux/skbuff.h:1112 [inline]
    [<ffffffff836ec6ba>] alloc_skb_with_frags+0x6a/0x2b0 net/core/skbuff.c:6019
    [<ffffffff836d9fa3>] sock_alloc_send_pskb+0x353/0x3c0 net/core/sock.c:2461
    [<ffffffff83bf47a2>] packet_alloc_skb net/packet/af_packet.c:2864 [inline]
    [<ffffffff83bf47a2>] packet_snd net/packet/af_packet.c:2959 [inline]
    [<ffffffff83bf47a2>] packet_sendmsg+0xbd2/0x2500 net/packet/af_packet.c:3044
    [<ffffffff836d0b46>] sock_sendmsg_nosec net/socket.c:703 [inline]
    [<ffffffff836d0b46>] sock_sendmsg+0x56/0x80 net/socket.c:723
    [<ffffffff836d0c67>] sock_write_iter+0xf7/0x180 net/socket.c:1056
    [<ffffffff81564527>] call_write_iter include/linux/fs.h:2114 [inline]
    [<ffffffff81564527>] new_sync_write+0x1d7/0x2b0 fs/read_write.c:518
    [<ffffffff81567ba1>] vfs_write+0x351/0x400 fs/read_write.c:605
    [<ffffffff81567f1b>] ksys_write+0x12b/0x160 fs/read_write.c:658
    [<ffffffff843b18b5>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    [<ffffffff843b18b5>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
    [<ffffffff84400068>] entry_SYSCALL_64_after_hwframe+0x44/0xae

BUG: memory leak
unreferenced object 0xffff8881019ce500 (size 232):
  comm "kworker/1:1", pid 35, jiffies 4294938559 (age 1092.580s)
  hex dump (first 32 bytes):
    a0 d4 28 19 81 88 ff ff a0 d4 28 19 81 88 ff ff  ..(.......(.....
    00 00 cb 03 81 88 ff ff 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff836e1e8f>] __alloc_skb+0x20f/0x280 net/core/skbuff.c:414
    [<ffffffff836ec6ba>] alloc_skb include/linux/skbuff.h:1112 [inline]
    [<ffffffff836ec6ba>] alloc_skb_with_frags+0x6a/0x2b0 net/core/skbuff.c:6019
    [<ffffffff836d9fa3>] sock_alloc_send_pskb+0x353/0x3c0 net/core/sock.c:2461
    [<ffffffff83b812d4>] mld_newpack+0x84/0x200 net/ipv6/mcast.c:1751
    [<ffffffff83b814f3>] add_grhead+0xa3/0xc0 net/ipv6/mcast.c:1854
    [<ffffffff83b82196>] add_grec+0x7b6/0x820 net/ipv6/mcast.c:1992
    [<ffffffff83b84643>] mld_send_cr net/ipv6/mcast.c:2118 [inline]
    [<ffffffff83b84643>] mld_ifc_work+0x273/0x750 net/ipv6/mcast.c:2655
    [<ffffffff81262669>] process_one_work+0x2c9/0x610 kernel/workqueue.c:2276
    [<ffffffff81262f59>] worker_thread+0x59/0x5d0 kernel/workqueue.c:2422
    [<ffffffff8126c3b8>] kthread+0x188/0x1d0 kernel/kthread.c:319
    [<ffffffff810022cf>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

BUG: memory leak
unreferenced object 0xffff88810f41b300 (size 232):
  comm "kworker/1:1", pid 35, jiffies 4294938624 (age 1091.930s)
  hex dump (first 32 bytes):
    a0 ac 3f 19 81 88 ff ff a0 ac 3f 19 81 88 ff ff  ..?.......?.....
    00 00 cb 03 81 88 ff ff 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff836e1e8f>] __alloc_skb+0x20f/0x280 net/core/skbuff.c:414
    [<ffffffff83b6d076>] alloc_skb include/linux/skbuff.h:1112 [inline]
    [<ffffffff83b6d076>] ndisc_alloc_skb+0x56/0xe0 net/ipv6/ndisc.c:420
    [<ffffffff83b7183a>] ndisc_send_ns+0xba/0x2f0 net/ipv6/ndisc.c:626
    [<ffffffff83b48b13>] addrconf_dad_work+0x643/0x900 net/ipv6/addrconf.c:4119
    [<ffffffff81262669>] process_one_work+0x2c9/0x610 kernel/workqueue.c:2276
    [<ffffffff81262f59>] worker_thread+0x59/0x5d0 kernel/workqueue.c:2422
    [<ffffffff8126c3b8>] kthread+0x188/0x1d0 kernel/kthread.c:319
    [<ffffffff810022cf>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

BUG: memory leak
unreferenced object 0xffff88810dd97600 (size 232):
  comm "softirq", pid 0, jiffies 4294938659 (age 1091.580s)
  hex dump (first 32 bytes):
    a0 fc fb 16 81 88 ff ff a0 fc fb 16 81 88 ff ff  ................
    00 c0 84 03 81 88 ff ff 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff836e1e8f>] __alloc_skb+0x20f/0x280 net/core/skbuff.c:414
    [<ffffffff839f1aff>] alloc_skb include/linux/skbuff.h:1112 [inline]
    [<ffffffff839f1aff>] __ip_append_data+0x12cf/0x1510 net/ipv4/ip_output.c:1109
    [<ffffffff839f429d>] ip_append_data net/ipv4/ip_output.c:1327 [inline]
    [<ffffffff839f429d>] ip_append_data net/ipv4/ip_output.c:1306 [inline]
    [<ffffffff839f429d>] ip_send_unicast_reply+0x33d/0x550 net/ipv4/ip_output.c:1718
    [<ffffffff83a33e6f>] tcp_v4_send_reset+0x3df/0x980 net/ipv4/tcp_ipv4.c:818
    [<ffffffff83a37442>] tcp_v4_rcv+0xf22/0x1620 net/ipv4/tcp_ipv4.c:2116
    [<ffffffff839e99b2>] ip_protocol_deliver_rcu+0x22/0x2c0 net/ipv4/ip_input.c:204
    [<ffffffff839e9cc1>] ip_local_deliver_finish+0x71/0x90 net/ipv4/ip_input.c:231
    [<ffffffff839e9e33>] NF_HOOK include/linux/netfilter.h:307 [inline]
    [<ffffffff839e9e33>] NF_HOOK include/linux/netfilter.h:301 [inline]
    [<ffffffff839e9e33>] ip_local_deliver+0x153/0x160 net/ipv4/ip_input.c:252
    [<ffffffff839e9016>] dst_input include/net/dst.h:458 [inline]
    [<ffffffff839e9016>] ip_sublist_rcv_finish+0x76/0x90 net/ipv4/ip_input.c:551
    [<ffffffff839e9723>] ip_list_rcv_finish net/ipv4/ip_input.c:601 [inline]
    [<ffffffff839e9723>] ip_sublist_rcv+0x293/0x340 net/ipv4/ip_input.c:609
    [<ffffffff839ea126>] ip_list_rcv+0x1c6/0x1f0 net/ipv4/ip_input.c:644
    [<ffffffff83713f01>] __netif_receive_skb_list_ptype net/core/dev.c:5541 [inline]
    [<ffffffff83713f01>] __netif_receive_skb_list_core+0x2b1/0x360 net/core/dev.c:5589
    [<ffffffff83714305>] __netif_receive_skb_list net/core/dev.c:5641 [inline]
    [<ffffffff83714305>] netif_receive_skb_list_internal+0x355/0x4a0 net/core/dev.c:5751
    [<ffffffff83715d52>] gro_normal_list net/core/dev.c:5905 [inline]
    [<ffffffff83715d52>] gro_normal_list net/core/dev.c:5901 [inline]
    [<ffffffff83715d52>] napi_complete_done+0xe2/0x2e0 net/core/dev.c:6627
    [<ffffffff828eb89d>] virtqueue_napi_complete drivers/net/virtio_net.c:337 [inline]
    [<ffffffff828eb89d>] virtnet_poll+0x52d/0x6a0 drivers/net/virtio_net.c:1546
    [<ffffffff83715f8d>] __napi_poll+0x3d/0x290 net/core/dev.c:7047



---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ