syzbot


memory leak in h4_recv_buf

Status: fixed on 2021/11/10 00:50
Reported-by: syzbot+97388eb9d31b997fe1d0@syzkaller.appspotmail.com
Fix commit: bb2853a6a421 tty: Fix data race between tiocsti() and flush_to_ldisc()
First crash: 1756d, last: 994d
Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: no output from test machine (log)
Repro: C syz .config
  
Discussions (14)
Title Replies (including bot) Last reply
[PATCH 4.4 000/133] 4.4.284-rc1 review 138 (138) 2021/09/22 07:22
[PATCH 5.14 000/334] 5.14.4-rc1 review 381 (381) 2021/09/22 06:20
[PATCH 4.19 000/293] 4.19.207-rc1 review 300 (300) 2021/09/22 05:34
[PATCH 4.14 000/217] 4.14.247-rc1 review 220 (220) 2021/09/22 01:59
[PATCH 4.9 000/175] 4.9.283-rc1 review 180 (180) 2021/09/21 15:34
[PATCH 5.10 000/236] 5.10.65-rc1 review 249 (249) 2021/09/16 08:48
[PATCH 5.4 000/144] 5.4.146-rc1 review 151 (151) 2021/09/15 02:05
[PATCH 5.13 000/300] 5.13.17-rc1 review 308 (308) 2021/09/14 15:59
[PATCH v2] tty: Fix data race between tiocsti() and flush_to_ldisc() 2 (2) 2021/08/23 08:52
[PATCH] tty: Fix data race between tiocsti() and flush_to_ldisc() 5 (5) 2021/08/22 16:09
Re: memory leak in h4_recv_buf 7 (7) 2021/07/29 19:49
Reminder: 29 open syzbot bugs in bluetooth subsystem 1 (1) 2019/07/24 01:41
Reminder: 29 open syzbot bugs in bluetooth subsystem 1 (1) 2019/07/09 19:07
memory leak in h4_recv_buf 0 (1) 2019/06/24 07:27
Last patch testing requests (6)
Created Duration User Patch Repo Result
2021/07/29 14:50 15m phind.uet@gmail.com patch upstream OK
2021/07/25 22:25 15m phind.uet@gmail.com patch upstream OK
2021/07/25 14:52 2m phind.uet@gmail.com patch upstream error OK
2021/07/19 05:23 8m phind.uet@gmail.com upstream report log
2020/09/28 04:15 9m anant.thazhemadam@gmail.com patch upstream report log
2020/09/23 10:44 8m anant.thazhemadam@gmail.com upstream report log

Sample crash report:
BUG: memory leak
unreferenced object 0xffff88810d477800 (size 232):
  comm "syz-executor177", pid 8552, jiffies 4294977478 (age 50.280s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<00000000a291570a>] __alloc_skb+0x6d/0x280 net/core/skbuff.c:198
    [<000000001b500750>] alloc_skb include/linux/skbuff.h:1099 [inline]
    [<000000001b500750>] bt_skb_alloc include/net/bluetooth/bluetooth.h:389 [inline]
    [<000000001b500750>] h4_recv_buf+0x357/0x5a0 drivers/bluetooth/hci_h4.c:181
    [<0000000028e94489>] h4_recv+0x58/0xc0 drivers/bluetooth/hci_h4.c:115
    [<00000000338ee020>] hci_uart_tty_receive+0xc7/0x230 drivers/bluetooth/hci_ldisc.c:614
    [<0000000065855925>] tiocsti drivers/tty/tty_io.c:2200 [inline]
    [<0000000065855925>] tty_ioctl+0x517/0xc40 drivers/tty/tty_io.c:2574
    [<000000001eb5b5c3>] vfs_ioctl fs/ioctl.c:48 [inline]
    [<000000001eb5b5c3>] __do_sys_ioctl fs/ioctl.c:753 [inline]
    [<000000001eb5b5c3>] __se_sys_ioctl fs/ioctl.c:739 [inline]
    [<000000001eb5b5c3>] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:739
    [<00000000cdf9a9fa>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<0000000033cd44b4>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88810eede400 (size 1024):
  comm "syz-executor177", pid 8552, jiffies 4294977478 (age 50.280s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<0000000045bb5699>] __kmalloc_reserve net/core/skbuff.c:142 [inline]
    [<0000000045bb5699>] __alloc_skb+0xab/0x280 net/core/skbuff.c:210
    [<000000001b500750>] alloc_skb include/linux/skbuff.h:1099 [inline]
    [<000000001b500750>] bt_skb_alloc include/net/bluetooth/bluetooth.h:389 [inline]
    [<000000001b500750>] h4_recv_buf+0x357/0x5a0 drivers/bluetooth/hci_h4.c:181
    [<0000000028e94489>] h4_recv+0x58/0xc0 drivers/bluetooth/hci_h4.c:115
    [<00000000338ee020>] hci_uart_tty_receive+0xc7/0x230 drivers/bluetooth/hci_ldisc.c:614
    [<0000000065855925>] tiocsti drivers/tty/tty_io.c:2200 [inline]
    [<0000000065855925>] tty_ioctl+0x517/0xc40 drivers/tty/tty_io.c:2574
    [<000000001eb5b5c3>] vfs_ioctl fs/ioctl.c:48 [inline]
    [<000000001eb5b5c3>] __do_sys_ioctl fs/ioctl.c:753 [inline]
    [<000000001eb5b5c3>] __se_sys_ioctl fs/ioctl.c:739 [inline]
    [<000000001eb5b5c3>] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:739
    [<00000000cdf9a9fa>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<0000000033cd44b4>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88810c4d9700 (size 232):
  comm "syz-executor177", pid 8574, jiffies 4294980675 (age 18.310s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<00000000a291570a>] __alloc_skb+0x6d/0x280 net/core/skbuff.c:198
    [<000000001b500750>] alloc_skb include/linux/skbuff.h:1099 [inline]
    [<000000001b500750>] bt_skb_alloc include/net/bluetooth/bluetooth.h:389 [inline]
    [<000000001b500750>] h4_recv_buf+0x357/0x5a0 drivers/bluetooth/hci_h4.c:181
    [<0000000028e94489>] h4_recv+0x58/0xc0 drivers/bluetooth/hci_h4.c:115
    [<00000000338ee020>] hci_uart_tty_receive+0xc7/0x230 drivers/bluetooth/hci_ldisc.c:614
    [<0000000065855925>] tiocsti drivers/tty/tty_io.c:2200 [inline]
    [<0000000065855925>] tty_ioctl+0x517/0xc40 drivers/tty/tty_io.c:2574
    [<000000001eb5b5c3>] vfs_ioctl fs/ioctl.c:48 [inline]
    [<000000001eb5b5c3>] __do_sys_ioctl fs/ioctl.c:753 [inline]
    [<000000001eb5b5c3>] __se_sys_ioctl fs/ioctl.c:739 [inline]
    [<000000001eb5b5c3>] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:739
    [<00000000cdf9a9fa>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<0000000033cd44b4>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88810ef0f800 (size 1024):
  comm "syz-executor177", pid 8574, jiffies 4294980675 (age 18.310s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<0000000045bb5699>] __kmalloc_reserve net/core/skbuff.c:142 [inline]
    [<0000000045bb5699>] __alloc_skb+0xab/0x280 net/core/skbuff.c:210
    [<000000001b500750>] alloc_skb include/linux/skbuff.h:1099 [inline]
    [<000000001b500750>] bt_skb_alloc include/net/bluetooth/bluetooth.h:389 [inline]
    [<000000001b500750>] h4_recv_buf+0x357/0x5a0 drivers/bluetooth/hci_h4.c:181
    [<0000000028e94489>] h4_recv+0x58/0xc0 drivers/bluetooth/hci_h4.c:115
    [<00000000338ee020>] hci_uart_tty_receive+0xc7/0x230 drivers/bluetooth/hci_ldisc.c:614
    [<0000000065855925>] tiocsti drivers/tty/tty_io.c:2200 [inline]
    [<0000000065855925>] tty_ioctl+0x517/0xc40 drivers/tty/tty_io.c:2574
    [<000000001eb5b5c3>] vfs_ioctl fs/ioctl.c:48 [inline]
    [<000000001eb5b5c3>] __do_sys_ioctl fs/ioctl.c:753 [inline]
    [<000000001eb5b5c3>] __se_sys_ioctl fs/ioctl.c:739 [inline]
    [<000000001eb5b5c3>] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:739
    [<00000000cdf9a9fa>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<0000000033cd44b4>] entry_SYSCALL_64_after_hwframe+0x44/0xa9


Crashes (21):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2021/01/19 02:42 upstream 19c329f68089 63631df1 .config console log report syz C ci-upstream-gce-leak memory leak in h4_recv_buf
2020/07/28 02:17 upstream 92ed30191993 cb93dc6a .config console log report syz C ci-upstream-gce-leak
2020/07/05 07:27 upstream 7cc2a8ea1048 51095195 .config console log report syz C ci-upstream-gce-leak
2020/04/13 04:39 upstream 4f8a3cc1183c 36b0b050 .config console log report syz C ci-upstream-gce-leak
2020/03/03 10:44 upstream 63623fd44972 c88c7b75 .config console log report syz C ci-upstream-gce-leak
2019/12/23 10:47 upstream c60174717544 8b967267 .config console log report syz C ci-upstream-gce-leak
2019/11/21 15:10 upstream c74386d50fba 8098ea0f .config console log report syz C ci-upstream-gce-leak
2019/10/19 12:33 upstream b9959c7a347d 8c88c9c1 .config console log report syz C ci-upstream-gce-leak
2019/09/14 21:41 upstream a7f89616b737 32d59357 .config console log report syz C ci-upstream-gce-leak
2019/09/06 11:13 upstream 3b47fd5ca9ea 040fda58 .config console log report syz C ci-upstream-gce-leak
2019/09/04 16:34 upstream 089cf7f6ecb2 12381952 .config console log report syz C ci-upstream-gce-leak
2019/08/22 02:13 upstream bb7ba8069de9 984250d5 .config console log report syz C ci-upstream-gce-leak
2019/08/09 19:24 upstream b678c568c561 ede31a9b .config console log report syz C ci-upstream-gce-leak
2019/07/20 01:06 upstream 3bfe1fc46794 1656845f .config console log report syz C ci-upstream-gce-leak
2019/07/01 05:16 upstream 6fbc7275c7a9 699d6448 .config console log report syz C ci-upstream-gce-leak
2019/06/27 14:31 upstream 249155c20f9b 7509bf36 .config console log report syz C ci-upstream-gce-leak
2019/06/22 20:53 upstream abf02e2964b3 34bf9440 .config console log report syz C ci-upstream-gce-leak
2021/07/23 08:56 upstream 9bead1b58c4c bc5f1d88 .config console log report syz ci-upstream-gce-leak memory leak in h4_recv_buf
2019/12/27 16:10 upstream 46cf053efec6 be5c2c81 .config console log report syz ci-upstream-gce-leak
2019/12/22 07:28 upstream b8e382a185eb bc586918 .config console log report syz ci-upstream-gce-leak
2019/12/13 06:40 upstream ae4b064e2a61 08003f64 .config console log report syz ci-upstream-gce-leak
* Struck through repros no longer work on HEAD.