syzbot

memory leak in pfkey_xfrm_policy2msg_prep

Status: fixed on 2019/08/05 13:45
Subsystems: net
Reported-by: syzbot+4f0529365f7f2208d9f0@syzkaller.appspotmail.com
Fix commit: 7c80eb1c7e2b af_key: fix leaks in key_pol_get_resp and dump_sp.
First crash: 2019/05/24 17:10, last: 2019/06/26 00:04 (4 crashes, all on ci-upstream-gce-leak)
Discussions (16):
Title | Replies (including bot) | Last reply
[PATCH 3.16 00/47] 3.16.76-rc1 review | 57 (57) | 2019/11/02 07:39
[PATCH 4.9 000/223] 4.9.187-stable review | 231 (231) | 2019/08/28 03:02
[PATCH 5.2 000/413] 5.2.3-stable review | 444 (444) | 2019/08/05 12:40
[PATCH 4.4 000/158] 4.4.187-stable review | 166 (166) | 2019/08/03 15:57
[PATCH 4.14 000/293] 4.14.135-stable review | 302 (302) | 2019/07/31 09:35
[PATCH 4.19 000/271] 4.19.61-stable review | 284 (284) | 2019/07/27 10:51
[PATCH AUTOSEL 4.19 001/158] wil6210: fix potential out-of-bounds read | 161 (161) | 2019/07/26 18:07
[PATCH 5.1 000/371] 5.1.20-stable review | 384 (384) | 2019/07/26 12:24
[PATCH AUTOSEL 5.2 001/249] ath10k: Check tx_stats before use it | 267 (267) | 2019/07/24 03:35
[PATCH AUTOSEL 4.14 001/105] wil6210: fix potential out-of-bounds read | 107 (107) | 2019/07/22 00:40
[PATCH AUTOSEL 4.4 01/53] ath10k: Do not send probe response template for mesh | 53 (53) | 2019/07/15 14:45
[PATCH AUTOSEL 4.9 01/73] ath10k: Do not send probe response template for mesh | 73 (73) | 2019/07/15 14:36
[PATCH AUTOSEL 5.1 001/219] ath10k: Check tx_stats before use it | 219 (219) | 2019/07/15 14:03
[PATCH 2/7] af_key: fix leaks in key_pol_get_resp and dump_sp. | 1 (1) | 2019/07/05 08:26
[PATCH net] af_key: fix leaks in key_pol_get_resp and dump_sp. | 3 (3) | 2019/05/28 07:45
memory leak in pfkey_xfrm_policy2msg_prep (original syzbot report) | 0 (1) | 2019/05/25 17:38

Sample crash report:
executing program
executing program
executing program
executing program
BUG: memory leak
unreferenced object 0xffff88812ad18900 (size 224):
  comm "softirq", pid 0, jiffies 4294942926 (age 13.900s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<000000009252874f>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
    [<000000009252874f>] slab_post_alloc_hook mm/slab.h:439 [inline]
    [<000000009252874f>] slab_alloc_node mm/slab.c:3269 [inline]
    [<000000009252874f>] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579
    [<00000000fa03e85f>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:194
    [<0000000064c3d69e>] alloc_skb include/linux/skbuff.h:1054 [inline]
    [<0000000064c3d69e>] pfkey_xfrm_policy2msg_prep+0x2a/0x50 net/key/af_key.c:2050
    [<00000000652174ce>] dump_sp net/key/af_key.c:2688 [inline]
    [<00000000652174ce>] dump_sp+0x64/0x110 net/key/af_key.c:2678
    [<0000000057363be5>] xfrm_policy_walk+0xd4/0x230 net/xfrm/xfrm_policy.c:1841
    [<000000007aa6bbb4>] pfkey_dump_sp+0x2a/0x30 net/key/af_key.c:2715
    [<0000000072f4ba01>] pfkey_do_dump+0x3b/0xe0 net/key/af_key.c:285
    [<00000000b32bf018>] pfkey_spddump+0x81/0xb0 net/key/af_key.c:2742
    [<00000000571fc862>] pfkey_process+0x28a/0x2d0 net/key/af_key.c:2832
    [<00000000a39290d4>] pfkey_sendmsg+0x188/0x2e0 net/key/af_key.c:3671
    [<00000000a7d93746>] sock_sendmsg_nosec net/socket.c:646 [inline]
    [<00000000a7d93746>] sock_sendmsg+0x54/0x70 net/socket.c:665
    [<0000000030b60260>] ___sys_sendmsg+0x194/0x3c0 net/socket.c:2286
    [<00000000688c8f2d>] __sys_sendmmsg+0xf4/0x270 net/socket.c:2381
    [<000000006ef1e13c>] __do_sys_sendmmsg net/socket.c:2410 [inline]
    [<000000006ef1e13c>] __se_sys_sendmmsg net/socket.c:2407 [inline]
    [<000000006ef1e13c>] __x64_sys_sendmmsg+0x28/0x30 net/socket.c:2407
    [<00000000eeb4f0a3>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
    [<000000008054bf64>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff8881212b5c00 (size 1024):
  comm "softirq", pid 0, jiffies 4294942926 (age 13.900s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    03 00 05 00 ff 00 00 00 02 00 00 00 00 00 00 00  ................
  backtrace:
    [<000000002757976c>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
    [<000000002757976c>] slab_post_alloc_hook mm/slab.h:439 [inline]
    [<000000002757976c>] slab_alloc_node mm/slab.c:3269 [inline]
    [<000000002757976c>] kmem_cache_alloc_node_trace+0x15b/0x2a0 mm/slab.c:3597
    [<000000001398ec4c>] __do_kmalloc_node mm/slab.c:3619 [inline]
    [<000000001398ec4c>] __kmalloc_node_track_caller+0x38/0x50 mm/slab.c:3634
    [<00000000a3d8d783>] __kmalloc_reserve.isra.0+0x40/0xb0 net/core/skbuff.c:138
    [<00000000ba789fa7>] __alloc_skb+0xa0/0x210 net/core/skbuff.c:206
    [<0000000064c3d69e>] alloc_skb include/linux/skbuff.h:1054 [inline]
    [<0000000064c3d69e>] pfkey_xfrm_policy2msg_prep+0x2a/0x50 net/key/af_key.c:2050
    [<00000000652174ce>] dump_sp net/key/af_key.c:2688 [inline]
    [<00000000652174ce>] dump_sp+0x64/0x110 net/key/af_key.c:2678
    [<0000000057363be5>] xfrm_policy_walk+0xd4/0x230 net/xfrm/xfrm_policy.c:1841
    [<000000007aa6bbb4>] pfkey_dump_sp+0x2a/0x30 net/key/af_key.c:2715
    [<0000000072f4ba01>] pfkey_do_dump+0x3b/0xe0 net/key/af_key.c:285
    [<00000000b32bf018>] pfkey_spddump+0x81/0xb0 net/key/af_key.c:2742
    [<00000000571fc862>] pfkey_process+0x28a/0x2d0 net/key/af_key.c:2832
    [<00000000a39290d4>] pfkey_sendmsg+0x188/0x2e0 net/key/af_key.c:3671
    [<00000000a7d93746>] sock_sendmsg_nosec net/socket.c:646 [inline]
    [<00000000a7d93746>] sock_sendmsg+0x54/0x70 net/socket.c:665
    [<0000000030b60260>] ___sys_sendmsg+0x194/0x3c0 net/socket.c:2286
    [<00000000688c8f2d>] __sys_sendmmsg+0xf4/0x270 net/socket.c:2381
    [<000000006ef1e13c>] __do_sys_sendmmsg net/socket.c:2410 [inline]
    [<000000006ef1e13c>] __se_sys_sendmmsg net/socket.c:2407 [inline]
    [<000000006ef1e13c>] __x64_sys_sendmmsg+0x28/0x30 net/socket.c:2407
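
Where the call chain in the report starts, as an added example that is not part of the syzbot page, the syzkaller reproducer, or the kernel tree: a userspace program that sends the PF_KEY SADB_X_SPDDUMP request the trace shows entering pfkey_sendmsg -> pfkey_process -> pfkey_spddump -> pfkey_do_dump -> xfrm_policy_walk -> dump_sp, and then reads back the replies that dump_sp builds in the skb allocated by pfkey_xfrm_policy2msg_prep. The two kmemleak records above are that one alloc_skb call: the 224-byte object is the struct sk_buff from the skbuff head cache (net/core/skbuff.c:194) and the 1024-byte object is its data area from __kmalloc_reserve (net/core/skbuff.c:206). The fix commit named at the top, 7c80eb1c7e2b, adds the missing kfree_skb of that out_skb on the error return of pfkey_xfrm_policy2msg in dump_sp and key_pol_get_resp. The program assumes Linux with CONFIG_NET_KEY, the uapi header <linux/pfkeyv2.h>, and CAP_NET_ADMIN in the caller's network namespace (pfkey_create refuses the socket without it); the reply-termination rules in the comments are taken from net/key/af_key.c (dump_sp, pfkey_do_dump, pfkey_error) and net/xfrm/xfrm_policy.c (xfrm_policy_walk returns -ENOENT for an empty walk). The check_reply and count_extensions helpers and their names are my own, not kernel or syzkaller code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/pfkeyv2.h>

/* Fill a header-only SADB_X_SPDDUMP request. PF_KEY counts lengths in
 * 64-bit words, so the bare 16-byte header has sadb_msg_len == 2.
 * Returns the number of bytes to send. */
size_t build_spddump(struct sadb_msg *m, uint32_t seq, uint32_t pid)
{
	memset(m, 0, sizeof(*m));
	m->sadb_msg_version = PF_KEY_V2;
	m->sadb_msg_type    = SADB_X_SPDDUMP;
	m->sadb_msg_satype  = SADB_SATYPE_UNSPEC;
	m->sadb_msg_len     = sizeof(*m) / sizeof(uint64_t);
	m->sadb_msg_seq     = seq;
	m->sadb_msg_pid     = pid;
	return sizeof(*m);
}

/* Check one datagram from the socket: complete header, declared length equal
 * to what recv() returned, and the message type we asked for.
 * Returns 0 for a well-formed reply, -1 otherwise. (Helper added here.) */
int check_reply(const void *buf, size_t n, uint8_t expect_type)
{
	const struct sadb_msg *m = buf;

	if (n < sizeof(*m) || m->sadb_msg_version != PF_KEY_V2)
		return -1;
	if ((size_t)m->sadb_msg_len * sizeof(uint64_t) != n)
		return -1;
	return m->sadb_msg_type == expect_type ? 0 : -1;
}

/* Walk the extensions that follow the header and return how many there are,
 * or -1 if an extension's declared length runs past the buffer. (Helper added here.) */
int count_extensions(const void *buf, size_t n)
{
	const uint8_t *p = buf, *end = p + n;
	int count = 0;

	if (n < sizeof(struct sadb_msg))
		return -1;
	for (p += sizeof(struct sadb_msg); p < end; count++) {
		const struct sadb_ext *e = (const struct sadb_ext *)p;
		size_t elen;

		if ((size_t)(end - p) < sizeof(*e))
			return -1;
		elen = (size_t)e->sadb_ext_len * sizeof(uint64_t);
		if (elen < sizeof(*e) || elen > (size_t)(end - p))
			return -1;
		p += elen;
	}
	return count;
}

int main(void)
{
	struct sadb_msg req;
	unsigned char buf[8192];
	int fd = socket(PF_KEY, SOCK_RAW, PF_KEY_V2); /* pfkey_create() needs CAP_NET_ADMIN */
	int policies = 0;

	if (fd < 0) {
		perror("socket(PF_KEY)");
		return 1;
	}
	if (send(fd, &req, build_spddump(&req, 1, (uint32_t)getpid()), 0) < 0) {
		perror("send(SADB_X_SPDDUMP)");
		return 1;
	}
	/* dump_sp() queues one reply per policy; pfkey_do_dump() sends the last
	 * with sadb_msg_seq == 0 and the walk's result in sadb_msg_errno. An empty
	 * SPD yields a single header-only reply with errno ENOENT instead. */
	for (;;) {
		ssize_t n = recv(fd, buf, sizeof(buf), 0);
		const struct sadb_msg *rep = (const struct sadb_msg *)buf;
		int exts;

		if (n < 0 || check_reply(buf, (size_t)n, SADB_X_SPDDUMP) < 0) {
			fprintf(stderr, "bad reply (%zd bytes)\n", n);
			return 1;
		}
		exts = count_extensions(buf, (size_t)n);
		if (exts > 0)
			printf("policy #%d: %d extensions\n", ++policies, exts);
		if (rep->sadb_msg_errno)
			fprintf(stderr, "dump ended: %s\n", strerror(rep->sadb_msg_errno));
		if (rep->sadb_msg_seq == 0 || rep->sadb_msg_errno)
			break;
	}
	printf("%d policies dumped\n", policies);
	close(fd);
	return 0;
}
```

Run it as root (or with CAP_NET_ADMIN) on a kernel built with CONFIG_DEBUG_KMEMLEAK, then trigger a scan with `echo scan > /sys/kernel/debug/kmemleak` and read `/sys/kernel/debug/kmemleak`: on a kernel without 7c80eb1c7e2b, any dump in which pfkey_xfrm_policy2msg returns an error leaves the sk_buff and its data area unreferenced, which is the pair of records the ci-upstream-gce-leak instance reported above; with the fix applied the scan stays clean.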


Crashes (4):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | Manager
2019/06/26 00:04 | upstream | 249155c20f9b | 0a8d1a96 | .config | console log | report | syz | C | ci-upstream-gce-leak
2019/06/21 12:10 | upstream | abf02e2964b3 | 34bf9440 | .config | console log | report | syz | C | ci-upstream-gce-leak
2019/06/13 10:17 | upstream | b076173a309e | 3f4e812b | .config | console log | report | syz | C | ci-upstream-gce-leak
2019/05/24 17:10 | upstream | 4dde821e4296 | 0dadcd9d | .config | console log | report | syz | C | ci-upstream-gce-leak