syzbot


memory leak in inet6_create

Status: fixed on 2019/07/10 21:40
Reported-by: syzbot+@syzkaller.appspotmail.com
Fix commit: 522924b58308 net: correct udp zerocopy refcnt also when zerocopy only on append
First crash: 1114d, last: 1111d
similar bugs (1):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream memory leak in inet6_create (2) C 2 1d20h 778d 0/22 upstream: reported C repro on 2020/05/07 05:56

Sample crash report:
executing program
executing program
executing program
executing program
executing program
BUG: memory leak
unreferenced object 0xffff888123ee0540 (size 1280):
  comm "syz-executor836", pid 7010, jiffies 4294943884 (age 19.480s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 52 94 30 f5 00 00 00 00  ........R.0.....
    0a 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00  ...@............
  backtrace:
    [<0000000002bb9ff5>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
    [<0000000002bb9ff5>] slab_post_alloc_hook mm/slab.h:439 [inline]
    [<0000000002bb9ff5>] slab_alloc mm/slab.c:3326 [inline]
    [<0000000002bb9ff5>] kmem_cache_alloc+0x134/0x270 mm/slab.c:3488
    [<0000000075981cbb>] sk_prot_alloc+0x41/0x170 net/core/sock.c:1596
    [<00000000ee262ca2>] sk_alloc+0x35/0x2f0 net/core/sock.c:1656
    [<00000000047ec4d9>] inet6_create net/ipv6/af_inet6.c:180 [inline]
    [<00000000047ec4d9>] inet6_create+0x115/0x4b0 net/ipv6/af_inet6.c:107
    [<00000000d2f927c5>] __sock_create+0x164/0x250 net/socket.c:1424
    [<00000000caeae96a>] sock_create net/socket.c:1475 [inline]
    [<00000000caeae96a>] __sys_socket+0x69/0x110 net/socket.c:1517
    [<00000000d90d0739>] __do_sys_socket net/socket.c:1526 [inline]
    [<00000000d90d0739>] __se_sys_socket net/socket.c:1524 [inline]
    [<00000000d90d0739>] __x64_sys_socket+0x1e/0x30 net/socket.c:1524
    [<000000004b3d5e1e>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
    [<0000000045238441>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811fc74c00 (size 32):
  comm "syz-executor836", pid 7010, jiffies 4294943884 (age 19.480s)
  hex dump (first 32 bytes):
    02 00 00 00 00 00 00 00 40 01 47 2a 81 88 ff ff  ........@.G*....
    e0 00 00 00 03 00 00 00 11 00 00 00 00 00 00 00  ................
  backtrace:
    [<00000000cb38f8c1>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
    [<00000000cb38f8c1>] slab_post_alloc_hook mm/slab.h:439 [inline]
    [<00000000cb38f8c1>] slab_alloc mm/slab.c:3326 [inline]
    [<00000000cb38f8c1>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
    [<00000000b58924b4>] kmalloc include/linux/slab.h:547 [inline]
    [<00000000b58924b4>] kzalloc include/linux/slab.h:742 [inline]
    [<00000000b58924b4>] selinux_sk_alloc_security+0x48/0xb0 security/selinux/hooks.c:5059
    [<000000003b7ab7ef>] security_sk_alloc+0x49/0x70 security/security.c:2026
    [<00000000131d2929>] sk_prot_alloc+0x6e/0x170 net/core/sock.c:1605
    [<00000000ee262ca2>] sk_alloc+0x35/0x2f0 net/core/sock.c:1656
    [<00000000047ec4d9>] inet6_create net/ipv6/af_inet6.c:180 [inline]
    [<00000000047ec4d9>] inet6_create+0x115/0x4b0 net/ipv6/af_inet6.c:107
    [<00000000d2f927c5>] __sock_create+0x164/0x250 net/socket.c:1424
    [<00000000caeae96a>] sock_create net/socket.c:1475 [inline]
    [<00000000caeae96a>] __sys_socket+0x69/0x110 net/socket.c:1517
    [<00000000d90d0739>] __do_sys_socket net/socket.c:1526 [inline]
    [<00000000d90d0739>] __se_sys_socket net/socket.c:1524 [inline]
    [<00000000d90d0739>] __x64_sys_socket+0x1e/0x30 net/socket.c:1524
    [<000000004b3d5e1e>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
    [<0000000045238441>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff888113685100 (size 224):
  comm "syz-executor836", pid 7010, jiffies 4294943884 (age 19.480s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 40 05 ee 23 81 88 ff ff  ........@..#....
  backtrace:
    [<000000005145aeec>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
    [<000000005145aeec>] slab_post_alloc_hook mm/slab.h:439 [inline]
    [<000000005145aeec>] slab_alloc_node mm/slab.c:3269 [inline]
    [<000000005145aeec>] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579
    [<00000000c5ba5512>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:194
    [<0000000004158f9d>] alloc_skb include/linux/skbuff.h:1054 [inline]
    [<0000000004158f9d>] sock_omalloc+0x4e/0x90 net/core/sock.c:2098
    [<000000004da30ac1>] sock_zerocopy_alloc+0x3c/0xf0 net/core/skbuff.c:975
    [<0000000005488b81>] sock_zerocopy_realloc+0x7b/0x110 net/core/skbuff.c:1045
    [<000000003999817d>] __ip6_append_data.isra.0+0x8f4/0x10e0 net/ipv6/ip6_output.c:1340
    [<000000009379b55d>] ip6_append_data+0xf1/0x180 net/ipv6/ip6_output.c:1623
    [<00000000ce475cc2>] udpv6_sendmsg+0x40c/0x1050 net/ipv6/udp.c:1494
    [<00000000e9b36741>] inet_sendmsg+0x64/0x120 net/ipv4/af_inet.c:798
    [<000000002e33f4f5>] sock_sendmsg_nosec net/socket.c:646 [inline]
    [<000000002e33f4f5>] sock_sendmsg+0x54/0x70 net/socket.c:665
    [<000000005393ae94>] __sys_sendto+0x148/0x1f0 net/socket.c:1958
    [<00000000f82f4b03>] __do_sys_sendto net/socket.c:1970 [inline]
    [<00000000f82f4b03>] __se_sys_sendto net/socket.c:1966 [inline]
    [<00000000f82f4b03>] __x64_sys_sendto+0x2a/0x30 net/socket.c:1966
    [<000000004b3d5e1e>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
    [<0000000045238441>] entry_SYSCALL_64_after_hwframe+0x44/0xa9


Crashes (2):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-gce-leak 2019/06/09 12:52 upstream d1fdb6d8f6a4 0159583c .config log report syz C
ci-upstream-gce-leak 2019/06/06 17:54 upstream 156c05917e09 698773cb .config log report syz C