syzbot


memory leak in llc_ui_create (2)

Status: fixed on 2019/11/04 14:50
Reported-by: syzbot+6bf095f9becf5efef645@syzkaller.appspotmail.com
Fix commit: c6ee11c39fcc llc: fix sk_buff leak in llc_sap_state_process()
First crash: 1716d, last: 1596d
Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: memory leak in llc_ui_sendmsg (log)
Repro: C syz .config
  
Discussions (19)
Title | Replies (including bot) | Last reply
[PATCH AUTOSEL 4.14 01/33] iommu/arm-smmu: Free context bitmap in the err path of arm_smmu_init_domain_context | 37 (37) | 2020/09/08 12:12
[PATCH 3.16 000/136] 3.16.80-rc1 review | 140 (140) | 2019/12/23 14:00
[PATCH 4.19 000/149] 4.19.82-stable review | 169 (169) | 2019/11/11 09:36
[PATCH 4.9 00/62] 4.9.199-stable review | 72 (72) | 2019/11/06 11:17
[PATCH 5.3 000/163] 5.3.9-stable review | 174 (174) | 2019/11/06 10:49
[PATCH 4.14 00/95] 4.14.152-stable review | 102 (102) | 2019/11/05 23:37
[PATCH 4.4 00/46] 4.4.199-stable review | 52 (52) | 2019/11/05 23:36
[PATCH AUTOSEL 4.4 01/17] iommu/arm-smmu: Free context bitmap in the err path of arm_smmu_init_domain_context | 16 (16) | 2019/10/26 13:23
[PATCH AUTOSEL 4.9 01/21] iommu/arm-smmu: Free context bitmap in the err path of arm_smmu_init_domain_context | 20 (20) | 2019/10/26 13:22
[PATCH AUTOSEL 4.19 01/59] tools: bpf: Use !building_out_of_srctree to determine srctree | 59 (59) | 2019/10/26 13:19
[PATCH AUTOSEL 5.3 01/99] tools: bpf: Use !building_out_of_srctree to determine srctree | 98 (98) | 2019/10/26 13:16
[PATCH AUTOSEL 4.19 01/37] PCI/ASPM: Do not initialize link state when aspm_disabled is set | 37 (37) | 2019/10/26 07:44
[PATCH AUTOSEL 5.3 01/33] net: ipv6: fix listify ip6_rcv_finish in case of forwarding | 35 (35) | 2019/10/25 15:49
[PATCH AUTOSEL 4.9 01/20] PCI/ASPM: Do not initialize link state when aspm_disabled is set | 20 (20) | 2019/10/25 15:32
[PATCH AUTOSEL 4.4 01/16] PCI/ASPM: Do not initialize link state when aspm_disabled is set | 16 (16) | 2019/10/25 13:58
[PATCH AUTOSEL 4.14 01/25] PCI/ASPM: Do not initialize link state when aspm_disabled is set | 24 (24) | 2019/10/25 13:57
[PATCH net 0/4] llc: fix sk_buff refcounting | 6 (6) | 2019/10/08 21:15
Reminder: 3 open syzbot bugs in "net/llc" subsystem | 1 (1) | 2019/07/24 02:39
memory leak in llc_ui_create (2) | 0 (2) | 2019/07/17 08:09

Similar bugs (1)
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
upstream | memory leak in llc_ui_create net | C | | | 4 | 1728d | 1741d | 12/26 | fixed on 2019/06/18 17:49

Sample crash report:
executing program
executing program
executing program
executing program
BUG: memory leak
unreferenced object 0xffff88811eb9c800 (size 2048):
  comm "syz-executor893", pid 6859, jiffies 4294952317 (age 13.180s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    1a 00 02 40 00 00 00 00 00 00 00 00 00 00 00 00  ...@............
  backtrace:
    [<0000000062d6d9c2>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
    [<0000000062d6d9c2>] slab_post_alloc_hook mm/slab.h:586 [inline]
    [<0000000062d6d9c2>] slab_alloc mm/slab.c:3319 [inline]
    [<0000000062d6d9c2>] __do_kmalloc mm/slab.c:3653 [inline]
    [<0000000062d6d9c2>] __kmalloc+0x169/0x300 mm/slab.c:3664
    [<000000002e405cc8>] kmalloc include/linux/slab.h:561 [inline]
    [<000000002e405cc8>] sk_prot_alloc+0x112/0x170 net/core/sock.c:1603
    [<00000000ff7601ad>] sk_alloc+0x35/0x2f0 net/core/sock.c:1657
    [<0000000061c1dbf2>] llc_sk_alloc+0x35/0x170 net/llc/llc_conn.c:950
    [<00000000cd5f9d0c>] llc_ui_create+0x7b/0x150 net/llc/af_llc.c:173
    [<0000000077e7f156>] __sock_create+0x164/0x250 net/socket.c:1418
    [<000000004616c448>] sock_create net/socket.c:1469 [inline]
    [<000000004616c448>] __sys_socket+0x69/0x110 net/socket.c:1511
    [<00000000b98b8324>] __do_sys_socket net/socket.c:1520 [inline]
    [<00000000b98b8324>] __se_sys_socket net/socket.c:1518 [inline]
    [<00000000b98b8324>] __x64_sys_socket+0x1e/0x30 net/socket.c:1518
    [<00000000e1b79251>] do_syscall_64+0x73/0x1f0 arch/x86/entry/common.c:290
    [<00000000bd855cb0>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff8881184719a0 (size 32):
  comm "syz-executor893", pid 6859, jiffies 4294952317 (age 13.180s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    e1 00 00 00 03 00 00 00 0f 00 00 00 00 00 00 00  ................
  backtrace:
    [<00000000485cb10d>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
    [<00000000485cb10d>] slab_post_alloc_hook mm/slab.h:586 [inline]
    [<00000000485cb10d>] slab_alloc mm/slab.c:3319 [inline]
    [<00000000485cb10d>] kmem_cache_alloc_trace+0x145/0x2c0 mm/slab.c:3548
    [<00000000d70f1fcb>] kmalloc include/linux/slab.h:556 [inline]
    [<00000000d70f1fcb>] kzalloc include/linux/slab.h:690 [inline]
    [<00000000d70f1fcb>] selinux_sk_alloc_security+0x48/0xb0 security/selinux/hooks.c:5119
    [<00000000c6410cf7>] security_sk_alloc+0x49/0x70 security/security.c:2069
    [<00000000dbc84b1b>] sk_prot_alloc+0x12d/0x170 net/core/sock.c:1606
    [<00000000ff7601ad>] sk_alloc+0x35/0x2f0 net/core/sock.c:1657
    [<0000000061c1dbf2>] llc_sk_alloc+0x35/0x170 net/llc/llc_conn.c:950
    [<00000000cd5f9d0c>] llc_ui_create+0x7b/0x150 net/llc/af_llc.c:173
    [<0000000077e7f156>] __sock_create+0x164/0x250 net/socket.c:1418
    [<000000004616c448>] sock_create net/socket.c:1469 [inline]
    [<000000004616c448>] __sys_socket+0x69/0x110 net/socket.c:1511
    [<00000000b98b8324>] __do_sys_socket net/socket.c:1520 [inline]
    [<00000000b98b8324>] __se_sys_socket net/socket.c:1518 [inline]
    [<00000000b98b8324>] __x64_sys_socket+0x1e/0x30 net/socket.c:1518
    [<00000000e1b79251>] do_syscall_64+0x73/0x1f0 arch/x86/entry/common.c:290
    [<00000000bd855cb0>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff888116c59800 (size 224):
  comm "syz-executor893", pid 6859, jiffies 4294952317 (age 13.180s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 40 e8 2a 81 88 ff ff 00 c8 b9 1e 81 88 ff ff  .@.*............
  backtrace:
    [<00000000650023ec>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
    [<00000000650023ec>] slab_post_alloc_hook mm/slab.h:586 [inline]
    [<00000000650023ec>] slab_alloc_node mm/slab.c:3262 [inline]
    [<00000000650023ec>] kmem_cache_alloc_node+0x163/0x2f0 mm/slab.c:3574
    [<00000000cfcd23d9>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:197
    [<00000000f8ff32f5>] alloc_skb include/linux/skbuff.h:1049 [inline]
    [<00000000f8ff32f5>] llc_alloc_frame+0x66/0x110 net/llc/llc_sap.c:54
    [<000000006268628a>] llc_conn_ac_send_sabme_cmd_p_set_x+0x2f/0x140 net/llc/llc_c_ac.c:777
    [<0000000009f272d1>] llc_exec_conn_trans_actions net/llc/llc_conn.c:475 [inline]
    [<0000000009f272d1>] llc_conn_service net/llc/llc_conn.c:400 [inline]
    [<0000000009f272d1>] llc_conn_state_process+0x1ac/0x640 net/llc/llc_conn.c:75
    [<00000000cef52fc2>] llc_establish_connection+0x110/0x170 net/llc/llc_if.c:109
    [<00000000779adfee>] llc_ui_connect+0x10e/0x370 net/llc/af_llc.c:477
    [<000000007b1bbac3>] __sys_connect+0x11d/0x170 net/socket.c:1828
    [<00000000edced189>] __do_sys_connect net/socket.c:1839 [inline]
    [<00000000edced189>] __se_sys_connect net/socket.c:1836 [inline]
    [<00000000edced189>] __x64_sys_connect+0x1e/0x30 net/socket.c:1836
    [<00000000e1b79251>] do_syscall_64+0x73/0x1f0 arch/x86/entry/common.c:290
    [<00000000bd855cb0>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811a478c00 (size 512):
  comm "syz-executor893", pid 6859, jiffies 4294952317 (age 13.180s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 82 cc 03 8c 02 3a 00 03 00 c8  ...........:....
    7f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<00000000628c4f94>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
    [<00000000628c4f94>] slab_post_alloc_hook mm/slab.h:586 [inline]
    [<00000000628c4f94>] slab_alloc_node mm/slab.c:3262 [inline]
    [<00000000628c4f94>] kmem_cache_alloc_node_trace+0x161/0x2f0 mm/slab.c:3592
    [<0000000023eec4ad>] __do_kmalloc_node mm/slab.c:3614 [inline]
    [<0000000023eec4ad>] __kmalloc_node_track_caller+0x38/0x50 mm/slab.c:3629
    [<000000001a403ec1>] __kmalloc_reserve.isra.0+0x40/0xb0 net/core/skbuff.c:141
    [<000000001641cbb8>] __alloc_skb+0xa0/0x210 net/core/skbuff.c:209
    [<00000000f8ff32f5>] alloc_skb include/linux/skbuff.h:1049 [inline]
    [<00000000f8ff32f5>] llc_alloc_frame+0x66/0x110 net/llc/llc_sap.c:54
    [<000000006268628a>] llc_conn_ac_send_sabme_cmd_p_set_x+0x2f/0x140 net/llc/llc_c_ac.c:777
    [<0000000009f272d1>] llc_exec_conn_trans_actions net/llc/llc_conn.c:475 [inline]
    [<0000000009f272d1>] llc_conn_service net/llc/llc_conn.c:400 [inline]
    [<0000000009f272d1>] llc_conn_state_process+0x1ac/0x640 net/llc/llc_conn.c:75
    [<00000000cef52fc2>] llc_establish_connection+0x110/0x170 net/llc/llc_if.c:109
    [<00000000779adfee>] llc_ui_connect+0x10e/0x370 net/llc/af_llc.c:477
    [<000000007b1bbac3>] __sys_connect+0x11d/0x170 net/socket.c:1828
    [<00000000edced189>] __do_sys_connect net/socket.c:1839 [inline]
    [<00000000edced189>] __se_sys_connect net/socket.c:1836 [inline]
    [<00000000edced189>] __x64_sys_connect+0x1e/0x30 net/socket.c:1836
    [<00000000e1b79251>] do_syscall_64+0x73/0x1f0 arch/x86/entry/common.c:290
    [<00000000bd855cb0>] entry_SYSCALL_64_after_hwframe+0x44/0xa9


Crashes (19):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2019/10/19 09:37 | upstream | b9959c7a347d | 8c88c9c1 | .config | console log | report | syz | C | | | ci-upstream-gce-leak |
2019/10/12 21:59 | upstream | 1c0cc5f1ae5e | 426631dd | .config | console log | report | syz | C | | | ci-upstream-gce-leak |
2019/10/12 09:15 | upstream | 9892f9f6cf83 | 426631dd | .config | console log | report | syz | C | | | ci-upstream-gce-leak |
2019/10/06 11:43 | upstream | 43b815c6a8e7 | f3f7d9c8 | .config | console log | report | syz | C | | | ci-upstream-gce-leak |
2019/10/04 15:01 | upstream | cc3a7bfe62b9 | b2f369e5 | .config | console log | report | syz | C | | | ci-upstream-gce-leak |
2019/10/03 15:06 | upstream | 0f1a7b3fac05 | fc17ba49 | .config | console log | report | syz | C | | | ci-upstream-gce-leak |
2019/09/29 05:51 | upstream | f1f2f614d535 | eb6b9855 | .config | console log | report | syz | C | | | ci-upstream-gce-leak |
2019/09/28 22:45 | upstream | f1f2f614d535 | eb6b9855 | .config | console log | report | syz | C | | | ci-upstream-gce-leak |
2019/09/15 06:13 | upstream | 1609d7604b84 | 32d59357 | .config | console log | report | syz | C | | | ci-upstream-gce-leak |
2019/09/04 05:27 | upstream | 089cf7f6ecb2 | 526709ff | .config | console log | report | syz | C | | | ci-upstream-gce-leak |
2019/08/25 03:07 | upstream | 361469211f87 | d21c5d9d | .config | console log | report | syz | C | | | ci-upstream-gce-leak |
2019/08/10 08:36 | upstream | 7f20fd23377a | acb51638 | .config | console log | report | syz | C | | | ci-upstream-gce-leak |
2019/08/05 16:50 | upstream | e21a712a9685 | 6affd8e8 | .config | console log | report | syz | C | | | ci-upstream-gce-leak |
2019/08/05 15:39 | upstream | e21a712a9685 | 6affd8e8 | .config | console log | report | syz | C | | | ci-upstream-gce-leak |
2019/07/30 19:35 | upstream | 2a11c76e5301 | f28bf2a5 | .config | console log | report | syz | C | | | ci-upstream-gce-leak |
2019/07/29 13:17 | upstream | 609488bc979f | c85e1c5b | .config | console log | report | syz | C | | | ci-upstream-gce-leak |
2019/07/24 16:59 | upstream | c6dd78fcb8ee | 32329ceb | .config | console log | report | syz | C | | | ci-upstream-gce-leak |
2019/07/17 08:09 | upstream | 3eb514866f20 | 0d10349c | .config | console log | report | syz | C | | | ci-upstream-gce-leak |
2019/06/20 19:49 | upstream | abf02e2964b3 | 34bf9440 | .config | console log | report | syz | | | | ci-upstream-gce-leak |
* Struck through repros no longer work on HEAD.