lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <000000000000ff3e7a05f28197c4@google.com>
Date:   Tue, 17 Jan 2023 19:41:38 -0800
From:   syzbot <syzbot+e11e4ccbf72be52c556b@...kaller.appspotmail.com>
To:     davem@...emloft.net, edumazet@...gle.com, kernel@...gutronix.de,
        kuba@...nel.org, linux-can@...r.kernel.org,
        linux-kernel@...r.kernel.org, linux@...pel-privat.de,
        mkl@...gutronix.de, netdev@...r.kernel.org, pabeni@...hat.com,
        robin@...tonic.nl, socketcan@...tkopp.net,
        syzkaller-bugs@...glegroups.com
Subject: [syzbot] memory leak in j1939_session_new

Hello,

syzbot found the following issue on:

HEAD commit:    d9fc1511728c Merge tag 'net-6.2-rc4' of git://git.kernel.o..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10ef774a480000
kernel config:  https://syzkaller.appspot.com/x/.config?x=277a06a151173742
dashboard link: https://syzkaller.appspot.com/bug?extid=e11e4ccbf72be52c556b
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11390e7e480000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c69b02bb465e/disk-d9fc1511.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/7cbf6be156ee/vmlinux-d9fc1511.xz
kernel image: https://storage.googleapis.com/syzbot-assets/2d087daee200/bzImage-d9fc1511.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e11e4ccbf72be52c556b@...kaller.appspotmail.com

BUG: memory leak
unreferenced object 0xffff88810b04c600 (size 512):
  comm "syz-executor.3", pid 5457, jiffies 4294949672 (age 11.860s)
  hex dump (first 32 bytes):
    00 80 16 17 81 88 ff ff 08 c6 04 0b 81 88 ff ff  ................
    08 c6 04 0b 81 88 ff ff 18 c6 04 0b 81 88 ff ff  ................
  backtrace:
    [<ffffffff814f94f0>] kmalloc_trace+0x20/0x90 mm/slab_common.c:1062
    [<ffffffff8413311b>] kmalloc include/linux/slab.h:580 [inline]
    [<ffffffff8413311b>] kzalloc include/linux/slab.h:720 [inline]
    [<ffffffff8413311b>] j1939_session_new+0x5b/0x160 net/can/j1939/transport.c:1491
    [<ffffffff84138410>] j1939_tp_send+0x150/0x350 net/can/j1939/transport.c:2001
    [<ffffffff84131d24>] j1939_sk_send_loop net/can/j1939/socket.c:1133 [inline]
    [<ffffffff84131d24>] j1939_sk_sendmsg+0x4a4/0x810 net/can/j1939/socket.c:1256
    [<ffffffff83af8fa6>] sock_sendmsg_nosec net/socket.c:714 [inline]
    [<ffffffff83af8fa6>] sock_sendmsg+0x56/0x80 net/socket.c:734
    [<ffffffff83affebf>] sock_no_sendpage+0x8f/0xc0 net/core/sock.c:3241
    [<ffffffff83af9b2d>] kernel_sendpage net/socket.c:3555 [inline]
    [<ffffffff83af9b2d>] kernel_sendpage+0xcd/0x2b0 net/socket.c:3549
    [<ffffffff83af9d50>] sock_sendpage+0x40/0x50 net/socket.c:1054
    [<ffffffff81669be2>] pipe_to_sendpage+0xa2/0x110 fs/splice.c:361
    [<ffffffff8166affd>] splice_from_pipe_feed fs/splice.c:415 [inline]
    [<ffffffff8166affd>] __splice_from_pipe+0x1ed/0x330 fs/splice.c:559
    [<ffffffff8166b8ef>] splice_from_pipe fs/splice.c:594 [inline]
    [<ffffffff8166b8ef>] generic_splice_sendpage+0x6f/0xa0 fs/splice.c:743
    [<ffffffff81669c9b>] do_splice_from fs/splice.c:764 [inline]
    [<ffffffff81669c9b>] direct_splice_actor+0x4b/0x70 fs/splice.c:931
    [<ffffffff8166a439>] splice_direct_to_actor+0x149/0x350 fs/splice.c:886
    [<ffffffff8166a728>] do_splice_direct+0xe8/0x150 fs/splice.c:974
    [<ffffffff816069df>] do_sendfile+0x57f/0x7e0 fs/read_write.c:1255
    [<ffffffff8160a7d2>] __do_sys_sendfile64 fs/read_write.c:1323 [inline]
    [<ffffffff8160a7d2>] __se_sys_sendfile64 fs/read_write.c:1309 [inline]
    [<ffffffff8160a7d2>] __x64_sys_sendfile64+0xe2/0x100 fs/read_write.c:1309

BUG: memory leak
unreferenced object 0xffff8881198de300 (size 240):
  comm "syz-executor.3", pid 5457, jiffies 4294949672 (age 11.860s)
  hex dump (first 32 bytes):
    00 e8 8d 19 81 88 ff ff 68 c6 04 0b 81 88 ff ff  ........h.......
    00 80 d3 13 81 88 ff ff 00 d4 f0 18 81 88 ff ff  ................
  backtrace:
    [<ffffffff83b0d902>] __alloc_skb+0x202/0x270 net/core/skbuff.c:552
    [<ffffffff83b11f6a>] alloc_skb include/linux/skbuff.h:1270 [inline]
    [<ffffffff83b11f6a>] alloc_skb_with_frags+0x6a/0x340 net/core/skbuff.c:6195
    [<ffffffff83b0431f>] sock_alloc_send_pskb+0x39f/0x3d0 net/core/sock.c:2741
    [<ffffffff84131b52>] sock_alloc_send_skb include/net/sock.h:1888 [inline]
    [<ffffffff84131b52>] j1939_sk_alloc_skb net/can/j1939/socket.c:864 [inline]
    [<ffffffff84131b52>] j1939_sk_send_loop net/can/j1939/socket.c:1121 [inline]
    [<ffffffff84131b52>] j1939_sk_sendmsg+0x2d2/0x810 net/can/j1939/socket.c:1256
    [<ffffffff83af8fa6>] sock_sendmsg_nosec net/socket.c:714 [inline]
    [<ffffffff83af8fa6>] sock_sendmsg+0x56/0x80 net/socket.c:734
    [<ffffffff83affebf>] sock_no_sendpage+0x8f/0xc0 net/core/sock.c:3241
    [<ffffffff83af9b2d>] kernel_sendpage net/socket.c:3555 [inline]
    [<ffffffff83af9b2d>] kernel_sendpage+0xcd/0x2b0 net/socket.c:3549
    [<ffffffff83af9d50>] sock_sendpage+0x40/0x50 net/socket.c:1054
    [<ffffffff81669be2>] pipe_to_sendpage+0xa2/0x110 fs/splice.c:361
    [<ffffffff8166affd>] splice_from_pipe_feed fs/splice.c:415 [inline]
    [<ffffffff8166affd>] __splice_from_pipe+0x1ed/0x330 fs/splice.c:559
    [<ffffffff8166b8ef>] splice_from_pipe fs/splice.c:594 [inline]
    [<ffffffff8166b8ef>] generic_splice_sendpage+0x6f/0xa0 fs/splice.c:743
    [<ffffffff81669c9b>] do_splice_from fs/splice.c:764 [inline]
    [<ffffffff81669c9b>] direct_splice_actor+0x4b/0x70 fs/splice.c:931
    [<ffffffff8166a439>] splice_direct_to_actor+0x149/0x350 fs/splice.c:886
    [<ffffffff8166a728>] do_splice_direct+0xe8/0x150 fs/splice.c:974
    [<ffffffff816069df>] do_sendfile+0x57f/0x7e0 fs/read_write.c:1255
    [<ffffffff8160a7d2>] __do_sys_sendfile64 fs/read_write.c:1323 [inline]
    [<ffffffff8160a7d2>] __se_sys_sendfile64 fs/read_write.c:1309 [inline]
    [<ffffffff8160a7d2>] __x64_sys_sendfile64+0xe2/0x100 fs/read_write.c:1309

BUG: memory leak
unreferenced object 0xffff8881198de800 (size 240):
  comm "syz-executor.3", pid 5457, jiffies 4294949672 (age 11.860s)
  hex dump (first 32 bytes):
    68 c6 04 0b 81 88 ff ff 00 e3 8d 19 81 88 ff ff  h...............
    00 80 d3 13 81 88 ff ff 00 d4 f0 18 81 88 ff ff  ................
  backtrace:
    [<ffffffff83b0d902>] __alloc_skb+0x202/0x270 net/core/skbuff.c:552
    [<ffffffff83b11f6a>] alloc_skb include/linux/skbuff.h:1270 [inline]
    [<ffffffff83b11f6a>] alloc_skb_with_frags+0x6a/0x340 net/core/skbuff.c:6195
    [<ffffffff83b0431f>] sock_alloc_send_pskb+0x39f/0x3d0 net/core/sock.c:2741
    [<ffffffff84131b52>] sock_alloc_send_skb include/net/sock.h:1888 [inline]
    [<ffffffff84131b52>] j1939_sk_alloc_skb net/can/j1939/socket.c:864 [inline]
    [<ffffffff84131b52>] j1939_sk_send_loop net/can/j1939/socket.c:1121 [inline]
    [<ffffffff84131b52>] j1939_sk_sendmsg+0x2d2/0x810 net/can/j1939/socket.c:1256
    [<ffffffff83af8fa6>] sock_sendmsg_nosec net/socket.c:714 [inline]
    [<ffffffff83af8fa6>] sock_sendmsg+0x56/0x80 net/socket.c:734
    [<ffffffff83affebf>] sock_no_sendpage+0x8f/0xc0 net/core/sock.c:3241
    [<ffffffff83af9b2d>] kernel_sendpage net/socket.c:3555 [inline]
    [<ffffffff83af9b2d>] kernel_sendpage+0xcd/0x2b0 net/socket.c:3549
    [<ffffffff83af9d50>] sock_sendpage+0x40/0x50 net/socket.c:1054
    [<ffffffff81669be2>] pipe_to_sendpage+0xa2/0x110 fs/splice.c:361
    [<ffffffff8166affd>] splice_from_pipe_feed fs/splice.c:415 [inline]
    [<ffffffff8166affd>] __splice_from_pipe+0x1ed/0x330 fs/splice.c:559
    [<ffffffff8166b8ef>] splice_from_pipe fs/splice.c:594 [inline]
    [<ffffffff8166b8ef>] generic_splice_sendpage+0x6f/0xa0 fs/splice.c:743
    [<ffffffff81669c9b>] do_splice_from fs/splice.c:764 [inline]
    [<ffffffff81669c9b>] direct_splice_actor+0x4b/0x70 fs/splice.c:931
    [<ffffffff8166a439>] splice_direct_to_actor+0x149/0x350 fs/splice.c:886
    [<ffffffff8166a728>] do_splice_direct+0xe8/0x150 fs/splice.c:974
    [<ffffffff816069df>] do_sendfile+0x57f/0x7e0 fs/read_write.c:1255
    [<ffffffff8160a7d2>] __do_sys_sendfile64 fs/read_write.c:1323 [inline]
    [<ffffffff8160a7d2>] __se_sys_sendfile64 fs/read_write.c:1309 [inline]
    [<ffffffff8160a7d2>] __x64_sys_sendfile64+0xe2/0x100 fs/read_write.c:1309



---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ