Message-ID: <697569c7.a00a0220.33ccc7.0014.GAE@google.com>
Date: Sat, 24 Jan 2026 16:54:31 -0800
From: syzbot <syzbot+f2d245f1d76bbfa50e4c@...kaller.appspotmail.com>
To: davem@...emloft.net, edumazet@...gle.com, horms@...nel.org,
krzk@...nel.org, kuba@...nel.org, linux-kernel@...r.kernel.org,
netdev@...r.kernel.org, pabeni@...hat.com, syzkaller-bugs@...glegroups.com
Subject: [syzbot] [nfc?] [net?] memory leak in llcp_sock_create
Hello,
syzbot found the following issue on:
HEAD commit: da32d155f4a8 Merge tag 'gpio-fixes-for-v6.18-rc5' of git:/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1553117c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=cb128cd5cb439809
dashboard link: https://syzkaller.appspot.com/bug?extid=f2d245f1d76bbfa50e4c
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1128d084580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10c6b812580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/f0e5b9dcdca5/disk-da32d155.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e34cc0c57edb/vmlinux-da32d155.xz
kernel image: https://storage.googleapis.com/syzbot-assets/27bf793e9b1e/bzImage-da32d155.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f2d245f1d76bbfa50e4c@...kaller.appspotmail.com
BUG: memory leak
unreferenced object 0xffff888100919400 (size 1024):
comm "syz.0.33", pid 6225, jiffies 4294951961
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
27 00 03 40 00 00 00 00 00 00 00 00 00 00 00 00 '..@............
backtrace (crc b7b16b39):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4979 [inline]
slab_alloc_node mm/slub.c:5284 [inline]
__do_kmalloc_node mm/slub.c:5645 [inline]
__kmalloc_noprof+0x3e3/0x6b0 mm/slub.c:5658
kmalloc_noprof include/linux/slab.h:961 [inline]
sk_prot_alloc+0x11a/0x1b0 net/core/sock.c:2239
sk_alloc+0x36/0x360 net/core/sock.c:2295
nfc_llcp_sock_alloc+0x37/0x130 net/nfc/llcp_sock.c:979
llcp_sock_create+0x71/0xd0 net/nfc/llcp_sock.c:1044
nfc_sock_create+0xc9/0xf0 net/nfc/af_nfc.c:31
__sock_create+0x1a9/0x340 net/socket.c:1605
sock_create net/socket.c:1663 [inline]
__sys_socket_create net/socket.c:1700 [inline]
__sys_socket+0xb9/0x1a0 net/socket.c:1747
__do_sys_socket net/socket.c:1761 [inline]
__se_sys_socket net/socket.c:1759 [inline]
__x64_sys_socket+0x1b/0x30 net/socket.c:1759
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff888146745b80 (size 32):
comm "syz.0.33", pid 6225, jiffies 4294951961
hex dump (first 32 bytes):
f8 f2 85 00 81 88 ff ff 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc e7cc8a40):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4979 [inline]
slab_alloc_node mm/slub.c:5284 [inline]
__do_kmalloc_node mm/slub.c:5645 [inline]
__kmalloc_noprof+0x3e3/0x6b0 mm/slub.c:5658
kmalloc_noprof include/linux/slab.h:961 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
lsm_blob_alloc+0x4d/0x70 security/security.c:690
lsm_sock_alloc security/security.c:4922 [inline]
security_sk_alloc+0x30/0x270 security/security.c:4938
sk_prot_alloc+0x135/0x1b0 net/core/sock.c:2242
sk_alloc+0x36/0x360 net/core/sock.c:2295
nfc_llcp_sock_alloc+0x37/0x130 net/nfc/llcp_sock.c:979
llcp_sock_create+0x71/0xd0 net/nfc/llcp_sock.c:1044
nfc_sock_create+0xc9/0xf0 net/nfc/af_nfc.c:31
__sock_create+0x1a9/0x340 net/socket.c:1605
sock_create net/socket.c:1663 [inline]
__sys_socket_create net/socket.c:1700 [inline]
__sys_socket+0xb9/0x1a0 net/socket.c:1747
__do_sys_socket net/socket.c:1761 [inline]
__se_sys_socket net/socket.c:1759 [inline]
__x64_sys_socket+0x1b/0x30 net/socket.c:1759
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff888100919000 (size 1024):
comm "syz.0.33", pid 6225, jiffies 4294951961
hex dump (first 32 bytes):
03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 01 00 00 00 d8 8a 17 1a 81 88 ff ff ................
backtrace (crc 8562c5d7):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4979 [inline]
slab_alloc_node mm/slub.c:5284 [inline]
__kmalloc_cache_noprof+0x3a6/0x5b0 mm/slub.c:5762
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
nfc_allocate_device+0xa1/0x1e0 net/nfc/core.c:1065
nci_allocate_device+0xf5/0x180 net/nfc/nci/core.c:1190
virtual_ncidev_open+0x4a/0x100 drivers/nfc/virtual_ncidev.c:145
misc_open+0x12a/0x1f0 drivers/char/misc.c:163
chrdev_open+0x10a/0x310 fs/char_dev.c:414
do_dentry_open+0x388/0x800 fs/open.c:965
vfs_open+0x3d/0x1b0 fs/open.c:1097
do_open fs/namei.c:3975 [inline]
path_openat+0x11aa/0x1eb0 fs/namei.c:4134
do_filp_open+0x102/0x1f0 fs/namei.c:4161
do_sys_openat2+0xc1/0x140 fs/open.c:1437
do_sys_open fs/open.c:1452 [inline]
__do_sys_openat fs/open.c:1468 [inline]
__se_sys_openat fs/open.c:1463 [inline]
__x64_sys_openat+0xb2/0x100 fs/open.c:1463
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
BUG: memory leak
unreferenced object 0xffff88811a178ad8 (size 8):
comm "syz.0.33", pid 6225, jiffies 4294951961
hex dump (first 8 bytes):
6e 66 63 33 00 00 00 00 nfc3....
backtrace (crc 45e674f4):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4979 [inline]
slab_alloc_node mm/slub.c:5284 [inline]
__do_kmalloc_node mm/slub.c:5645 [inline]
__kmalloc_node_track_caller_noprof+0x3aa/0x6b0 mm/slub.c:5755
kvasprintf+0x70/0xf0 lib/kasprintf.c:25
kvasprintf_const+0x5c/0x110 lib/kasprintf.c:49
kobject_set_name_vargs+0x40/0xd0 lib/kobject.c:274
dev_set_name+0x6d/0x90 drivers/base/core.c:3492
nfc_allocate_device+0x109/0x1e0 net/nfc/core.c:1075
nci_allocate_device+0xf5/0x180 net/nfc/nci/core.c:1190
virtual_ncidev_open+0x4a/0x100 drivers/nfc/virtual_ncidev.c:145
misc_open+0x12a/0x1f0 drivers/char/misc.c:163
chrdev_open+0x10a/0x310 fs/char_dev.c:414
do_dentry_open+0x388/0x800 fs/open.c:965
vfs_open+0x3d/0x1b0 fs/open.c:1097
do_open fs/namei.c:3975 [inline]
path_openat+0x11aa/0x1eb0 fs/namei.c:4134
do_filp_open+0x102/0x1f0 fs/namei.c:4161
do_sys_openat2+0xc1/0x140 fs/open.c:1437
do_sys_open fs/open.c:1452 [inline]
__do_sys_openat fs/open.c:1468 [inline]
__se_sys_openat fs/open.c:1463 [inline]
__x64_sys_openat+0xb2/0x100 fs/open.c:1463
BUG: memory leak
unreferenced object 0xffff88812493d900 (size 256):
comm "syz.0.33", pid 6225, jiffies 4294951961
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 08 d9 93 24 81 88 ff ff ...........$....
08 d9 93 24 81 88 ff ff 00 b3 19 83 ff ff ff ff ...$............
backtrace (crc c71a4960):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4979 [inline]
slab_alloc_node mm/slub.c:5284 [inline]
__kmalloc_cache_noprof+0x3a6/0x5b0 mm/slub.c:5762
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
device_private_init drivers/base/core.c:3534 [inline]
device_add+0x72a/0xc80 drivers/base/core.c:3585
nfc_register_device+0x31/0x150 net/nfc/core.c:1118
nci_register_device+0x2af/0x340 net/nfc/nci/core.c:1277
virtual_ncidev_open+0x9f/0x100 drivers/nfc/virtual_ncidev.c:157
misc_open+0x12a/0x1f0 drivers/char/misc.c:163
chrdev_open+0x10a/0x310 fs/char_dev.c:414
do_dentry_open+0x388/0x800 fs/open.c:965
vfs_open+0x3d/0x1b0 fs/open.c:1097
do_open fs/namei.c:3975 [inline]
path_openat+0x11aa/0x1eb0 fs/namei.c:4134
do_filp_open+0x102/0x1f0 fs/namei.c:4161
do_sys_openat2+0xc1/0x140 fs/open.c:1437
do_sys_open fs/open.c:1452 [inline]
__do_sys_openat fs/open.c:1468 [inline]
__se_sys_openat fs/open.c:1463 [inline]
__x64_sys_openat+0xb2/0x100 fs/open.c:1463
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup