syzbot


memory leak in h4_recv_buf

Status: fixed on 2021/11/10 00:50
Reported-by: syzbot+97388eb9d31b997fe1d0@syzkaller.appspotmail.com
Fix commit: bb2853a6a421 tty: Fix data race between tiocsti() and flush_to_ldisc()
First crash: 1252d, last: 491d

Cause bisection: the issue happens on the oldest tested release (bisect log)
Crash: no output from test machine (log)
Repro: C syz .config
Patch testing requests:
Created           Duration  User                         Patch  Repo      Result
2021/07/29 14:50  15m       phind.uet@gmail.com          patch  upstream  OK
2021/07/25 22:25  15m       phind.uet@gmail.com          patch  upstream  OK
2021/07/25 14:52  2m        phind.uet@gmail.com          patch  upstream  error
2021/07/19 05:23  8m        phind.uet@gmail.com                 upstream  report log
2020/09/28 04:15  9m        anant.thazhemadam@gmail.com  patch  upstream  report log
2020/09/23 10:44  8m        anant.thazhemadam@gmail.com         upstream  report log

Sample crash report:
BUG: memory leak
unreferenced object 0xffff88810d477800 (size 232):
  comm "syz-executor177", pid 8552, jiffies 4294977478 (age 50.280s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<00000000a291570a>] __alloc_skb+0x6d/0x280 net/core/skbuff.c:198
    [<000000001b500750>] alloc_skb include/linux/skbuff.h:1099 [inline]
    [<000000001b500750>] bt_skb_alloc include/net/bluetooth/bluetooth.h:389 [inline]
    [<000000001b500750>] h4_recv_buf+0x357/0x5a0 drivers/bluetooth/hci_h4.c:181
    [<0000000028e94489>] h4_recv+0x58/0xc0 drivers/bluetooth/hci_h4.c:115
    [<00000000338ee020>] hci_uart_tty_receive+0xc7/0x230 drivers/bluetooth/hci_ldisc.c:614
    [<0000000065855925>] tiocsti drivers/tty/tty_io.c:2200 [inline]
    [<0000000065855925>] tty_ioctl+0x517/0xc40 drivers/tty/tty_io.c:2574
    [<000000001eb5b5c3>] vfs_ioctl fs/ioctl.c:48 [inline]
    [<000000001eb5b5c3>] __do_sys_ioctl fs/ioctl.c:753 [inline]
    [<000000001eb5b5c3>] __se_sys_ioctl fs/ioctl.c:739 [inline]
    [<000000001eb5b5c3>] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:739
    [<00000000cdf9a9fa>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<0000000033cd44b4>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88810eede400 (size 1024):
  comm "syz-executor177", pid 8552, jiffies 4294977478 (age 50.280s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<0000000045bb5699>] __kmalloc_reserve net/core/skbuff.c:142 [inline]
    [<0000000045bb5699>] __alloc_skb+0xab/0x280 net/core/skbuff.c:210
    [<000000001b500750>] alloc_skb include/linux/skbuff.h:1099 [inline]
    [<000000001b500750>] bt_skb_alloc include/net/bluetooth/bluetooth.h:389 [inline]
    [<000000001b500750>] h4_recv_buf+0x357/0x5a0 drivers/bluetooth/hci_h4.c:181
    [<0000000028e94489>] h4_recv+0x58/0xc0 drivers/bluetooth/hci_h4.c:115
    [<00000000338ee020>] hci_uart_tty_receive+0xc7/0x230 drivers/bluetooth/hci_ldisc.c:614
    [<0000000065855925>] tiocsti drivers/tty/tty_io.c:2200 [inline]
    [<0000000065855925>] tty_ioctl+0x517/0xc40 drivers/tty/tty_io.c:2574
    [<000000001eb5b5c3>] vfs_ioctl fs/ioctl.c:48 [inline]
    [<000000001eb5b5c3>] __do_sys_ioctl fs/ioctl.c:753 [inline]
    [<000000001eb5b5c3>] __se_sys_ioctl fs/ioctl.c:739 [inline]
    [<000000001eb5b5c3>] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:739
    [<00000000cdf9a9fa>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<0000000033cd44b4>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88810c4d9700 (size 232):
  comm "syz-executor177", pid 8574, jiffies 4294980675 (age 18.310s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<00000000a291570a>] __alloc_skb+0x6d/0x280 net/core/skbuff.c:198
    [<000000001b500750>] alloc_skb include/linux/skbuff.h:1099 [inline]
    [<000000001b500750>] bt_skb_alloc include/net/bluetooth/bluetooth.h:389 [inline]
    [<000000001b500750>] h4_recv_buf+0x357/0x5a0 drivers/bluetooth/hci_h4.c:181
    [<0000000028e94489>] h4_recv+0x58/0xc0 drivers/bluetooth/hci_h4.c:115
    [<00000000338ee020>] hci_uart_tty_receive+0xc7/0x230 drivers/bluetooth/hci_ldisc.c:614
    [<0000000065855925>] tiocsti drivers/tty/tty_io.c:2200 [inline]
    [<0000000065855925>] tty_ioctl+0x517/0xc40 drivers/tty/tty_io.c:2574
    [<000000001eb5b5c3>] vfs_ioctl fs/ioctl.c:48 [inline]
    [<000000001eb5b5c3>] __do_sys_ioctl fs/ioctl.c:753 [inline]
    [<000000001eb5b5c3>] __se_sys_ioctl fs/ioctl.c:739 [inline]
    [<000000001eb5b5c3>] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:739
    [<00000000cdf9a9fa>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<0000000033cd44b4>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88810ef0f800 (size 1024):
  comm "syz-executor177", pid 8574, jiffies 4294980675 (age 18.310s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<0000000045bb5699>] __kmalloc_reserve net/core/skbuff.c:142 [inline]
    [<0000000045bb5699>] __alloc_skb+0xab/0x280 net/core/skbuff.c:210
    [<000000001b500750>] alloc_skb include/linux/skbuff.h:1099 [inline]
    [<000000001b500750>] bt_skb_alloc include/net/bluetooth/bluetooth.h:389 [inline]
    [<000000001b500750>] h4_recv_buf+0x357/0x5a0 drivers/bluetooth/hci_h4.c:181
    [<0000000028e94489>] h4_recv+0x58/0xc0 drivers/bluetooth/hci_h4.c:115
    [<00000000338ee020>] hci_uart_tty_receive+0xc7/0x230 drivers/bluetooth/hci_ldisc.c:614
    [<0000000065855925>] tiocsti drivers/tty/tty_io.c:2200 [inline]
    [<0000000065855925>] tty_ioctl+0x517/0xc40 drivers/tty/tty_io.c:2574
    [<000000001eb5b5c3>] vfs_ioctl fs/ioctl.c:48 [inline]
    [<000000001eb5b5c3>] __do_sys_ioctl fs/ioctl.c:753 [inline]
    [<000000001eb5b5c3>] __se_sys_ioctl fs/ioctl.c:739 [inline]
    [<000000001eb5b5c3>] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:739
    [<00000000cdf9a9fa>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<0000000033cd44b4>] entry_SYSCALL_64_after_hwframe+0x44/0xa9


Crashes (21):
Manager               Time              Kernel    Commit        Syzkaller  Config   Log  Report  Syz repro  C repro  VM info  Title
ci-upstream-gce-leak  2021/01/19 02:42  upstream  19c329f68089  63631df1   .config  log  report  syz        C                 memory leak in h4_recv_buf
ci-upstream-gce-leak  2020/07/28 02:17  upstream  92ed30191993  cb93dc6a   .config  log  report  syz        C
ci-upstream-gce-leak  2020/07/05 07:27  upstream  7cc2a8ea1048  51095195   .config  log  report  syz        C
ci-upstream-gce-leak  2020/04/13 04:39  upstream  4f8a3cc1183c  36b0b050   .config  log  report  syz        C
ci-upstream-gce-leak  2020/03/03 10:44  upstream  63623fd44972  c88c7b75   .config  log  report  syz        C
ci-upstream-gce-leak  2019/12/23 10:47  upstream  c60174717544  8b967267   .config  log  report  syz        C
ci-upstream-gce-leak  2019/11/21 15:10  upstream  c74386d50fba  8098ea0f   .config  log  report  syz        C
ci-upstream-gce-leak  2019/10/19 12:33  upstream  b9959c7a347d  8c88c9c1   .config  log  report  syz        C
ci-upstream-gce-leak  2019/09/14 21:41  upstream  a7f89616b737  32d59357   .config  log  report  syz        C
ci-upstream-gce-leak  2019/09/06 11:13  upstream  3b47fd5ca9ea  040fda58   .config  log  report  syz        C
ci-upstream-gce-leak  2019/09/04 16:34  upstream  089cf7f6ecb2  12381952   .config  log  report  syz        C
ci-upstream-gce-leak  2019/08/22 02:13  upstream  bb7ba8069de9  984250d5   .config  log  report  syz        C
ci-upstream-gce-leak  2019/08/09 19:24  upstream  b678c568c561  ede31a9b   .config  log  report  syz        C
ci-upstream-gce-leak  2019/07/20 01:06  upstream  3bfe1fc46794  1656845f   .config  log  report  syz        C
ci-upstream-gce-leak  2019/07/01 05:16  upstream  6fbc7275c7a9  699d6448   .config  log  report  syz        C
ci-upstream-gce-leak  2019/06/27 14:31  upstream  249155c20f9b  7509bf36   .config  log  report  syz        C
ci-upstream-gce-leak  2019/06/22 20:53  upstream  abf02e2964b3  34bf9440   .config  log  report  syz        C
ci-upstream-gce-leak  2021/07/23 08:56  upstream  9bead1b58c4c  bc5f1d88   .config  log  report  syz                          memory leak in h4_recv_buf
ci-upstream-gce-leak  2019/12/27 16:10  upstream  46cf053efec6  be5c2c81   .config  log  report  syz
ci-upstream-gce-leak  2019/12/22 07:28  upstream  b8e382a185eb  bc586918   .config  log  report  syz
ci-upstream-gce-leak  2019/12/13 06:40  upstream  ae4b064e2a61  08003f64   .config  log  report  syz
* Struck through repros no longer work on HEAD.