linux-kernel - Re: [syzbot] [arm-msm?] [net?] memory leak in radix_tree

lists.openwall.net		lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC
Open Source and information security mailing list archives

Hash Suite: Windows password security audit tool. GUI, reports in PDF.

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Message-ID: <00000000000092a0e5060c2047b0@google.com>
Date:   Sat, 09 Dec 2023 20:30:39 -0800
From:   syzbot <syzbot+006987d1be3586e13555@...kaller.appspotmail.com>
To:     linux-kernel@...r.kernel.org
Subject: Re: [syzbot] [arm-msm?] [net?] memory leak in radix_tree_insert

For archival purposes, forwarding an incoming command email to
linux-kernel@...r.kernel.org.

***

Subject: [arm-msm?] [net?] memory leak in radix_tree_insert
Author: eadavis@...com

please test memory leak in radix_tree_insert

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 33cc938e65a9

diff --git a/net/qrtr/af_qrtr.c b/net/qrtr/af_qrtr.c
index 41ece61eb57a..41a210e1d8b3 100644
--- a/net/qrtr/af_qrtr.c
+++ b/net/qrtr/af_qrtr.c
@@ -274,7 +274,8 @@ static int qrtr_tx_wait(struct qrtr_node *node, int dest_node, int dest_port,
 		flow = kzalloc(sizeof(*flow), GFP_KERNEL);
 		if (flow) {
 			init_waitqueue_head(&flow->resume_tx);
-			if (radix_tree_insert(&node->qrtr_tx_flow, key, flow)) {
+			if (ret = radix_tree_insert(&node->qrtr_tx_flow, key, flow)) {
+				printk("r: %d\n", ret);
 				kfree(flow);
 				flow = NULL;
 			}
diff --git a/lib/radix-tree.c b/lib/radix-tree.c
index b98e9f2c24ac..522277bff6e3 100644
--- a/lib/radix-tree.c
+++ b/lib/radix-tree.c
@@ -413,6 +413,7 @@ static int radix_tree_extend(struct radix_tree_root *root, gfp_t gfp,
 	void *entry;
 	unsigned int maxshift;
 	int tag;
+	int i = 0;
 
 	/* Figure out what the shift should be.  */
 	maxshift = shift;
@@ -428,6 +429,8 @@ static int radix_tree_extend(struct radix_tree_root *root, gfp_t gfp,
 							root, shift, 0, 1, 0);
 		if (!node)
 			return -ENOMEM;
+		i++;
+		printk("i: %d, n: %p, idx: %d, s: %d, %s\n", i, node, index, shift,  __func__);
 
 		if (is_idr(root)) {
 			all_tag_set(node, IDR_FREE);
@@ -611,6 +614,7 @@ static int __radix_tree_create(struct radix_tree_root *root,
 	shift = radix_tree_load_root(root, &child, &maxindex);
 
 	/* Make sure the tree is high enough.  */
+	printk("im: %d, s: %d, m: %d, %s\n", index, shift, maxindex, __func__);
 	if (max > maxindex) {
 		int error = radix_tree_extend(root, gfp, max, shift);
 		if (error < 0)
@@ -625,6 +629,7 @@ static int __radix_tree_create(struct radix_tree_root *root,
 			/* Have to add a child node.  */
 			child = radix_tree_node_alloc(gfp, node, root, shift,
 							offset, 0, 0);
+			printk("c: %p, %s\n", child, __func__);
 			if (!child)
 				return -ENOMEM;
 			rcu_assign_pointer(*slot, node_to_entry(child));