syzbot


memory leak in con_do_clear_unimap

Status: fixed on 2021/11/10 00:50
Reported-by: syzbot+bcc922b19ccc64240b42@syzkaller.appspotmail.com
Fix commit: 211b4d42b70f tty: fix memory leak in vc_deallocate
First crash: 583d, last: 523d
Patch testing requests:
Created | Duration | User | Patch | Repo | Result
2021/03/27 19:18 | 16m | paskripkin@gmail.com | | https://linux.googlesource.com/linux/kernel/git/torvalds/linux refs/changes/37/9537/1 | OK

Sample crash report:
Warning: Permanently added '10.128.0.131' (ECDSA) to the list of known hosts.
executing program
executing program
BUG: memory leak
unreferenced object 0xffff88810f9a6600 (size 512):
  comm "syz-executor891", pid 8389, jiffies 4294943271 (age 13.310s)
  hex dump (first 32 bytes):
    00 f6 e7 10 81 88 ff ff 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff82499e06>] kmalloc include/linux/slab.h:554 [inline]
    [<ffffffff82499e06>] kzalloc include/linux/slab.h:684 [inline]
    [<ffffffff82499e06>] con_do_clear_unimap+0xa6/0x140 drivers/tty/vt/consolemap.c:510
    [<ffffffff8249ae5e>] con_set_unimap+0x1ae/0x350 drivers/tty/vt/consolemap.c:564
    [<ffffffff8249179a>] do_unimap_ioctl drivers/tty/vt/vt_ioctl.c:498 [inline]
    [<ffffffff8249179a>] vt_io_ioctl drivers/tty/vt/vt_ioctl.c:544 [inline]
    [<ffffffff8249179a>] vt_ioctl+0xcda/0x18e0 drivers/tty/vt/vt_ioctl.c:717
    [<ffffffff82478613>] tty_ioctl+0x713/0xcb0 drivers/tty/tty_io.c:2801
    [<ffffffff8156d7fc>] vfs_ioctl fs/ioctl.c:48 [inline]
    [<ffffffff8156d7fc>] __do_sys_ioctl fs/ioctl.c:753 [inline]
    [<ffffffff8156d7fc>] __se_sys_ioctl fs/ioctl.c:739 [inline]
    [<ffffffff8156d7fc>] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:739
    [<ffffffff842e1f5d>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<ffffffff84400068>] entry_SYSCALL_64_after_hwframe+0x44/0xae

BUG: memory leak
unreferenced object 0xffff888110e7f600 (size 256):
  comm "syz-executor891", pid 8389, jiffies 4294943271 (age 13.310s)
  hex dump (first 32 bytes):
    80 4d 36 0b 81 88 ff ff 80 4f 36 0b 81 88 ff ff  .M6......O6.....
    00 4d 36 0b 81 88 ff ff 80 47 36 0b 81 88 ff ff  .M6......G6.....
  backtrace:
    [<ffffffff8249a0fb>] kmalloc include/linux/slab.h:554 [inline]
    [<ffffffff8249a0fb>] kmalloc_array include/linux/slab.h:593 [inline]
    [<ffffffff8249a0fb>] con_insert_unipair+0x9b/0x1a0 drivers/tty/vt/consolemap.c:482
    [<ffffffff8249af94>] con_set_unimap+0x2e4/0x350 drivers/tty/vt/consolemap.c:595
    [<ffffffff8249179a>] do_unimap_ioctl drivers/tty/vt/vt_ioctl.c:498 [inline]
    [<ffffffff8249179a>] vt_io_ioctl drivers/tty/vt/vt_ioctl.c:544 [inline]
    [<ffffffff8249179a>] vt_ioctl+0xcda/0x18e0 drivers/tty/vt/vt_ioctl.c:717
    [<ffffffff82478613>] tty_ioctl+0x713/0xcb0 drivers/tty/tty_io.c:2801
    [<ffffffff8156d7fc>] vfs_ioctl fs/ioctl.c:48 [inline]
    [<ffffffff8156d7fc>] __do_sys_ioctl fs/ioctl.c:753 [inline]
    [<ffffffff8156d7fc>] __se_sys_ioctl fs/ioctl.c:739 [inline]
    [<ffffffff8156d7fc>] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:739
    [<ffffffff842e1f5d>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<ffffffff84400068>] entry_SYSCALL_64_after_hwframe+0x44/0xae

BUG: memory leak
unreferenced object 0xffff88810b364d80 (size 128):
  comm "syz-executor891", pid 8389, jiffies 4294943271 (age 13.310s)
  hex dump (first 32 bytes):
    00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff  ................
    ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  ................
  backtrace:
    [<ffffffff8249a155>] kmalloc include/linux/slab.h:554 [inline]
    [<ffffffff8249a155>] kmalloc_array include/linux/slab.h:593 [inline]
    [<ffffffff8249a155>] con_insert_unipair+0xf5/0x1a0 drivers/tty/vt/consolemap.c:491
    [<ffffffff8249af94>] con_set_unimap+0x2e4/0x350 drivers/tty/vt/consolemap.c:595
    [<ffffffff8249179a>] do_unimap_ioctl drivers/tty/vt/vt_ioctl.c:498 [inline]
    [<ffffffff8249179a>] vt_io_ioctl drivers/tty/vt/vt_ioctl.c:544 [inline]
    [<ffffffff8249179a>] vt_ioctl+0xcda/0x18e0 drivers/tty/vt/vt_ioctl.c:717
    [<ffffffff82478613>] tty_ioctl+0x713/0xcb0 drivers/tty/tty_io.c:2801
    [<ffffffff8156d7fc>] vfs_ioctl fs/ioctl.c:48 [inline]
    [<ffffffff8156d7fc>] __do_sys_ioctl fs/ioctl.c:753 [inline]
    [<ffffffff8156d7fc>] __se_sys_ioctl fs/ioctl.c:739 [inline]
    [<ffffffff8156d7fc>] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:739
    [<ffffffff842e1f5d>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<ffffffff84400068>] entry_SYSCALL_64_after_hwframe+0x44/0xae

BUG: memory leak
unreferenced object 0xffff88810b364f80 (size 128):
  comm "syz-executor891", pid 8389, jiffies 4294943271 (age 13.310s)
  hex dump (first 32 bytes):
    00 20 41 00 42 00 43 00 44 00 45 00 46 00 47 00  . A.B.C.D.E.F.G.
    48 00 49 00 4a 00 4b 00 4c 00 4d 00 4e 00 4f 00  H.I.J.K.L.M.N.O.
  backtrace:
    [<ffffffff8249a155>] kmalloc include/linux/slab.h:554 [inline]
    [<ffffffff8249a155>] kmalloc_array include/linux/slab.h:593 [inline]
    [<ffffffff8249a155>] con_insert_unipair+0xf5/0x1a0 drivers/tty/vt/consolemap.c:491
    [<ffffffff8249af94>] con_set_unimap+0x2e4/0x350 drivers/tty/vt/consolemap.c:595
    [<ffffffff8249179a>] do_unimap_ioctl drivers/tty/vt/vt_ioctl.c:498 [inline]
    [<ffffffff8249179a>] vt_io_ioctl drivers/tty/vt/vt_ioctl.c:544 [inline]
    [<ffffffff8249179a>] vt_ioctl+0xcda/0x18e0 drivers/tty/vt/vt_ioctl.c:717
    [<ffffffff82478613>] tty_ioctl+0x713/0xcb0 drivers/tty/tty_io.c:2801
    [<ffffffff8156d7fc>] vfs_ioctl fs/ioctl.c:48 [inline]
    [<ffffffff8156d7fc>] __do_sys_ioctl fs/ioctl.c:753 [inline]
    [<ffffffff8156d7fc>] __se_sys_ioctl fs/ioctl.c:739 [inline]
    [<ffffffff8156d7fc>] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:739
    [<ffffffff842e1f5d>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<ffffffff84400068>] entry_SYSCALL_64_after_hwframe+0x44/0xae

BUG: memory leak
unreferenced object 0xffff88810de52800 (size 128):
  comm "syz-executor891", pid 8389, jiffies 4294943271 (age 13.310s)
  hex dump (first 32 bytes):
    e3 00 ff ff ff ff e5 00 e7 00 ff ff ed 00 ff ff  ................
    ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  ................
  backtrace:
    [<ffffffff8249a155>] kmalloc include/linux/slab.h:554 [inline]
    [<ffffffff8249a155>] kmalloc_array include/linux/slab.h:593 [inline]
    [<ffffffff8249a155>] con_insert_unipair+0xf5/0x1a0 drivers/tty/vt/consolemap.c:491
    [<ffffffff8249af94>] con_set_unimap+0x2e4/0x350 drivers/tty/vt/consolemap.c:595
    [<ffffffff8249179a>] do_unimap_ioctl drivers/tty/vt/vt_ioctl.c:498 [inline]
    [<ffffffff8249179a>] vt_io_ioctl drivers/tty/vt/vt_ioctl.c:544 [inline]
    [<ffffffff8249179a>] vt_ioctl+0xcda/0x18e0 drivers/tty/vt/vt_ioctl.c:717
    [<ffffffff82478613>] tty_ioctl+0x713/0xcb0 drivers/tty/tty_io.c:2801
    [<ffffffff8156d7fc>] vfs_ioctl fs/ioctl.c:48 [inline]
    [<ffffffff8156d7fc>] __do_sys_ioctl fs/ioctl.c:753 [inline]
    [<ffffffff8156d7fc>] __se_sys_ioctl fs/ioctl.c:739 [inline]
    [<ffffffff8156d7fc>] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:739
    [<ffffffff842e1f5d>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<ffffffff84400068>] entry_SYSCALL_64_after_hwframe+0x44/0xae

BUG: memory leak
unreferenced object 0xffff888110e7f700 (size 256):
  comm "syz-executor891", pid 8389, jiffies 4294943271 (age 13.310s)
  hex dump (first 32 bytes):
    80 27 e5 0d 81 88 ff ff 00 27 e5 0d 81 88 ff ff  .'.......'......
    80 26 e5 0d 81 88 ff ff 00 00 00 00 00 00 00 00  .&..............
  backtrace:
    [<ffffffff8249a0fb>] kmalloc include/linux/slab.h:554 [inline]
    [<ffffffff8249a0fb>] kmalloc_array include/linux/slab.h:593 [inline]
    [<ffffffff8249a0fb>] con_insert_unipair+0x9b/0x1a0 drivers/tty/vt/consolemap.c:482
    [<ffffffff8249af94>] con_set_unimap+0x2e4/0x350 drivers/tty/vt/consolemap.c:595
    [<ffffffff8249179a>] do_unimap_ioctl drivers/tty/vt/vt_ioctl.c:498 [inline]
    [<ffffffff8249179a>] vt_io_ioctl drivers/tty/vt/vt_ioctl.c:544 [inline]
    [<ffffffff8249179a>] vt_ioctl+0xcda/0x18e0 drivers/tty/vt/vt_ioctl.c:717
    [<ffffffff82478613>] tty_ioctl+0x713/0xcb0 drivers/tty/tty_io.c:2801
    [<ffffffff8156d7fc>] vfs_ioctl fs/ioctl.c:48 [inline]
    [<ffffffff8156d7fc>] __do_sys_ioctl fs/ioctl.c:753 [inline]
    [<ffffffff8156d7fc>] __se_sys_ioctl fs/ioctl.c:739 [inline]
    [<ffffffff8156d7fc>] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:739
    [<ffffffff842e1f5d>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<ffffffff84400068>] entry_SYSCALL_64_after_hwframe+0x44/0xae


Crashes (13):
Manager | Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Title
ci-upstream-gce-leak | 2021/04/22 04:12 | upstream | 16fc44d6387e | 2bc8999a | .config | log | report | syz | C | | memory leak in con_do_clear_unimap
ci-upstream-gce-leak | 2021/04/13 02:51 | upstream | d434405aaab7 | bfeda1b1 | .config | log | report | syz | C | | memory leak in con_do_clear_unimap
ci-upstream-gce-leak | 2021/04/08 21:30 | upstream | 454859c552da | 6a81331a | .config | log | report | syz | C | | memory leak in con_do_clear_unimap
ci-upstream-gce-leak | 2021/03/29 23:15 | upstream | 1e43c377a79f | 6a81331a | .config | log | report | syz | C | | memory leak in con_do_clear_unimap
ci-upstream-gce-leak | 2021/03/27 13:48 | upstream | 0f4498cef9f5 | a8529b82 | .config | log | report | syz | C | | memory leak in con_do_clear_unimap
ci-upstream-gce-leak | 2021/03/27 05:57 | upstream | db24726bfefa | a8529b82 | .config | log | report | syz | C | | memory leak in con_do_clear_unimap
ci-upstream-gce-leak | 2021/03/25 06:04 | upstream | 4ee998b0ef8b | 607e3baf | .config | log | report | syz | C | | memory leak in con_do_clear_unimap
ci-upstream-gce-leak | 2021/03/24 18:01 | upstream | 7acac4b3196c | 607e3baf | .config | log | report | syz | C | | memory leak in con_do_clear_unimap
ci-upstream-gce-leak | 2021/03/23 06:14 | upstream | 84196390620a | 8092f30d | .config | log | report | syz | C | | memory leak in con_do_clear_unimap
ci-upstream-gce-leak | 2021/03/22 16:50 | upstream | 0d02ec6b3136 | bea32f74 | .config | log | report | syz | C | | memory leak in con_do_clear_unimap
ci-upstream-gce-leak | 2021/03/22 14:52 | upstream | 0d02ec6b3136 | bea32f74 | .config | log | report | syz | C | | memory leak in con_do_clear_unimap
ci-upstream-gce-leak | 2021/03/22 02:16 | upstream | 5ee96fa9dd78 | bea32f74 | .config | log | report | syz | C | | memory leak in con_do_clear_unimap
ci-upstream-gce-leak | 2021/02/21 12:35 | upstream | e767b3530acb | 3e5ed8b4 | .config | log | report | syz | C | | memory leak in con_do_clear_unimap
* Struck through repros no longer work on HEAD.