syzbot


memory leak in nf_tables_parse_netdev_hooks (3)

Status: fixed on 2020/07/17 17:58
Subsystems: netfilter
[Documentation on labels]
Reported-by: syzbot+eb9d5924c51d6d59e094@syzkaller.appspotmail.com
Fix commit: 3003055f5066 netfilter: nf_tables: hook list memleak in flowtable deletion
First crash: 1474d, last: 1474d
Discussions (4)
Title Replies (including bot) Last reply
[PATCH 0/4] Netfilter fixes for net 6 (6) 2020/06/15 20:27
[PATCH nf,v2] netfilter: nf_tables: hook list memleak in flowtable deletion 1 (1) 2020/06/12 16:35
[PATCH nf] netfilter: ctnetlink: memleak in filter initialization error path 2 (2) 2020/06/11 08:46
memory leak in nf_tables_parse_netdev_hooks (3) 1 (2) 2020/06/09 22:32
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream memory leak in nf_tables_parse_netdev_hooks netfilter C 6 1588d 1618d 15/27 fixed on 2020/02/18 14:31
upstream memory leak in nf_tables_parse_netdev_hooks (2) netfilter C 2 1567d 1571d 15/27 fixed on 2020/04/15 17:19

Sample crash report:
executing program
BUG: memory leak
unreferenced object 0xffff88811589cd80 (size 96):
  comm "syz-executor337", pid 6663, jiffies 4294942418 (age 13.980s)
  hex dump (first 32 bytes):
    00 c9 89 15 81 88 ff ff 68 f9 ff 00 00 c9 ff ff  ........h.......
    00 cd 89 15 81 88 ff ff 60 52 c5 82 ff ff ff ff  ........`R......
  backtrace:
    [<00000000104a1f01>] kmalloc include/linux/slab.h:555 [inline]
    [<00000000104a1f01>] nft_netdev_hook_alloc+0x3b/0xd0 net/netfilter/nf_tables_api.c:1659
    [<000000003bc42f25>] nf_tables_parse_netdev_hooks+0x94/0x210 net/netfilter/nf_tables_api.c:1709
    [<000000004b6a9590>] nft_flowtable_parse_hook+0x101/0x1d0 net/netfilter/nf_tables_api.c:6243
    [<000000004204916e>] nft_delflowtable_hook net/netfilter/nf_tables_api.c:6562 [inline]
    [<000000004204916e>] nf_tables_delflowtable+0x249/0x4a0 net/netfilter/nf_tables_api.c:6640
    [<00000000fa0bd6d2>] nfnetlink_rcv_batch+0x2f3/0x810 net/netfilter/nfnetlink.c:433
    [<000000004d4e8df7>] nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:543 [inline]
    [<000000004d4e8df7>] nfnetlink_rcv+0x183/0x1b0 net/netfilter/nfnetlink.c:561
    [<000000001710060c>] netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
    [<000000001710060c>] netlink_unicast+0x20a/0x2f0 net/netlink/af_netlink.c:1329
    [<00000000bb814b80>] netlink_sendmsg+0x2b5/0x560 net/netlink/af_netlink.c:1918
    [<00000000eb7a00fe>] sock_sendmsg_nosec net/socket.c:652 [inline]
    [<00000000eb7a00fe>] sock_sendmsg+0x4c/0x60 net/socket.c:672
    [<000000008cc37c52>] ____sys_sendmsg+0x2c4/0x2f0 net/socket.c:2352
    [<00000000b882e46e>] ___sys_sendmsg+0x8a/0xd0 net/socket.c:2406
    [<00000000870e7750>] __sys_sendmsg+0x77/0xe0 net/socket.c:2439
    [<000000002b222e75>] do_syscall_64+0x6e/0x220 arch/x86/entry/common.c:295
    [<00000000356e1a8a>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811589c900 (size 96):
  comm "syz-executor337", pid 6663, jiffies 4294942418 (age 13.980s)
  hex dump (first 32 bytes):
    68 f9 ff 00 00 c9 ff ff 80 cd 89 15 81 88 ff ff  h...............
    00 00 00 00 00 00 00 00 60 52 c5 82 ff ff ff ff  ........`R......
  backtrace:
    [<00000000104a1f01>] kmalloc include/linux/slab.h:555 [inline]
    [<00000000104a1f01>] nft_netdev_hook_alloc+0x3b/0xd0 net/netfilter/nf_tables_api.c:1659
    [<000000003bc42f25>] nf_tables_parse_netdev_hooks+0x94/0x210 net/netfilter/nf_tables_api.c:1709
    [<000000004b6a9590>] nft_flowtable_parse_hook+0x101/0x1d0 net/netfilter/nf_tables_api.c:6243
    [<000000004204916e>] nft_delflowtable_hook net/netfilter/nf_tables_api.c:6562 [inline]
    [<000000004204916e>] nf_tables_delflowtable+0x249/0x4a0 net/netfilter/nf_tables_api.c:6640
    [<00000000fa0bd6d2>] nfnetlink_rcv_batch+0x2f3/0x810 net/netfilter/nfnetlink.c:433
    [<000000004d4e8df7>] nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:543 [inline]
    [<000000004d4e8df7>] nfnetlink_rcv+0x183/0x1b0 net/netfilter/nfnetlink.c:561
    [<000000001710060c>] netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
    [<000000001710060c>] netlink_unicast+0x20a/0x2f0 net/netlink/af_netlink.c:1329
    [<00000000bb814b80>] netlink_sendmsg+0x2b5/0x560 net/netlink/af_netlink.c:1918
    [<00000000eb7a00fe>] sock_sendmsg_nosec net/socket.c:652 [inline]
    [<00000000eb7a00fe>] sock_sendmsg+0x4c/0x60 net/socket.c:672
    [<000000008cc37c52>] ____sys_sendmsg+0x2c4/0x2f0 net/socket.c:2352
    [<00000000b882e46e>] ___sys_sendmsg+0x8a/0xd0 net/socket.c:2406
    [<00000000870e7750>] __sys_sendmsg+0x77/0xe0 net/socket.c:2439
    [<000000002b222e75>] do_syscall_64+0x6e/0x220 arch/x86/entry/common.c:295
    [<00000000356e1a8a>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff888115961800 (size 96):
  comm "syz-executor337", pid 6664, jiffies 4294943010 (age 8.060s)
  hex dump (first 32 bytes):
    00 19 96 15 81 88 ff ff 68 f9 ff 00 00 c9 ff ff  ........h.......
    00 00 00 00 00 00 00 00 60 52 c5 82 ff ff ff ff  ........`R......
  backtrace:
    [<00000000104a1f01>] kmalloc include/linux/slab.h:555 [inline]
    [<00000000104a1f01>] nft_netdev_hook_alloc+0x3b/0xd0 net/netfilter/nf_tables_api.c:1659
    [<000000003bc42f25>] nf_tables_parse_netdev_hooks+0x94/0x210 net/netfilter/nf_tables_api.c:1709
    [<000000004b6a9590>] nft_flowtable_parse_hook+0x101/0x1d0 net/netfilter/nf_tables_api.c:6243
    [<000000004204916e>] nft_delflowtable_hook net/netfilter/nf_tables_api.c:6562 [inline]
    [<000000004204916e>] nf_tables_delflowtable+0x249/0x4a0 net/netfilter/nf_tables_api.c:6640
    [<00000000fa0bd6d2>] nfnetlink_rcv_batch+0x2f3/0x810 net/netfilter/nfnetlink.c:433
    [<000000004d4e8df7>] nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:543 [inline]
    [<000000004d4e8df7>] nfnetlink_rcv+0x183/0x1b0 net/netfilter/nfnetlink.c:561
    [<000000001710060c>] netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
    [<000000001710060c>] netlink_unicast+0x20a/0x2f0 net/netlink/af_netlink.c:1329
    [<00000000bb814b80>] netlink_sendmsg+0x2b5/0x560 net/netlink/af_netlink.c:1918
    [<00000000eb7a00fe>] sock_sendmsg_nosec net/socket.c:652 [inline]
    [<00000000eb7a00fe>] sock_sendmsg+0x4c/0x60 net/socket.c:672
    [<000000008cc37c52>] ____sys_sendmsg+0x2c4/0x2f0 net/socket.c:2352
    [<00000000b882e46e>] ___sys_sendmsg+0x8a/0xd0 net/socket.c:2406
    [<00000000870e7750>] __sys_sendmsg+0x77/0xe0 net/socket.c:2439
    [<000000002b222e75>] do_syscall_64+0x6e/0x220 arch/x86/entry/common.c:295
    [<00000000356e1a8a>] entry_SYSCALL_64_after_hwframe+0x44/0xa9


Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/06/07 07:56 upstream 7ae77150d94d e6b89e4e .config console log report syz C ci-upstream-gce-leak
* Struck through repros no longer work on HEAD.