syzbot

 sign-in | mailing list | source | docs
🐞 Open [994] Subsystems 🐞 Fixed [5242] 🐞 Invalid [12515] Missing Backports [83] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

memory leak in raw_sendmsg

Status: fixed on 2019/07/10 21:40
Subsystems: can
[Documentation on labels]
Reported-by: syzbot+a90604060cb40f5bdd16@syzkaller.appspotmail.com
Fix commit: fd704bd5ee74 can: purge socket error queue on sock destruct
First crash: 1790d, last: 1777d
Discussions (9)
Title Replies (including bot) Last reply
[PATCH 3.16 00/87] 3.16.75-rc1 review 99 (99) 2019/11/19 14:49
[PATCH 4.9 000/102] 4.9.185-stable review 108 (108) 2019/07/10 06:11
[PATCH 4.4 00/73] 4.4.185-stable review 79 (79) 2019/07/10 06:10
[PATCH 4.19 00/90] 4.19.56-stable review 99 (99) 2019/06/26 10:22
[PATCH 5.1 000/121] 5.1.15-stable review 133 (133) 2019/06/26 00:51
[PATCH 4.14 00/51] 4.14.130-stable review 56 (56) 2019/06/25 09:59
[PATCH 9/9] can: purge socket error queue on sock destruct 1 (1) 2019/06/07 21:15
[PATCH net] can: purge socket error queue on sock destruct 1 (1) 2019/06/07 20:46
memory leak in raw_sendmsg 1 (2) 2019/06/04 18:52

Sample crash report:
][ T3037] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
executing program
BUG: memory leak
unreferenced object 0xffff888113404800 (size 512):
  comm "syz-executor219", pid 7170, jiffies 4294943685 (age 9.340s)
  hex dump (first 32 bytes):
    0d 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
    d2 7a d4 99 ba 43 fe ef 6f 66 69 6c 65 3d 30 20  .z...C..ofile=0 
  backtrace:
    [<000000000d3cd43d>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
    [<000000000d3cd43d>] slab_post_alloc_hook mm/slab.h:439 [inline]
    [<000000000d3cd43d>] slab_alloc_node mm/slab.c:3269 [inline]
    [<000000000d3cd43d>] kmem_cache_alloc_node_trace+0x15b/0x2a0 mm/slab.c:3597
    [<00000000abb552fa>] __do_kmalloc_node mm/slab.c:3619 [inline]
    [<00000000abb552fa>] __kmalloc_node_track_caller+0x38/0x50 mm/slab.c:3634
    [<00000000f11b1287>] __kmalloc_reserve.isra.0+0x40/0xb0 net/core/skbuff.c:138
    [<00000000303f99b4>] __alloc_skb+0xa0/0x210 net/core/skbuff.c:206
    [<0000000066939bcc>] alloc_skb include/linux/skbuff.h:1054 [inline]
    [<0000000066939bcc>] alloc_skb_with_frags+0x5f/0x250 net/core/skbuff.c:5327
    [<00000000d64767de>] sock_alloc_send_pskb+0x269/0x2a0 net/core/sock.c:2219
    [<0000000061d1ca39>] sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2236
    [<00000000b9e7655d>] raw_sendmsg+0xce/0x300 net/can/raw.c:761
    [<00000000fbf369e0>] sock_sendmsg_nosec net/socket.c:646 [inline]
    [<00000000fbf369e0>] sock_sendmsg+0x54/0x70 net/socket.c:665
    [<000000000c1114a7>] ___sys_sendmsg+0x393/0x3c0 net/socket.c:2286
    [<0000000092b4a5c3>] __sys_sendmsg+0x80/0xf0 net/socket.c:2324
    [<000000003eeef580>] __do_sys_sendmsg net/socket.c:2333 [inline]
    [<000000003eeef580>] __se_sys_sendmsg net/socket.c:2331 [inline]
    [<000000003eeef580>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2331
    [<000000001747242b>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
    [<000000004ae309be>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811f64c700 (size 224):
  comm "syz-executor219", pid 7170, jiffies 4294943685 (age 9.340s)
  hex dump (first 32 bytes):
    b0 94 98 13 81 88 ff ff b0 94 98 13 81 88 ff ff  ................
    00 e0 18 1e 81 88 ff ff 00 94 98 13 81 88 ff ff  ................
  backtrace:
    [<000000007af63cbc>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
    [<000000007af63cbc>] slab_post_alloc_hook mm/slab.h:439 [inline]
    [<000000007af63cbc>] slab_alloc mm/slab.c:3326 [inline]
    [<000000007af63cbc>] kmem_cache_alloc+0x134/0x270 mm/slab.c:3488
    [<000000000c292132>] skb_clone+0x6e/0x140 net/core/skbuff.c:1321
    [<0000000097d3c865>] __skb_tstamp_tx+0x19f/0x220 net/core/skbuff.c:4434
    [<00000000f91ea781>] __dev_queue_xmit+0x920/0xd60 net/core/dev.c:3813
    [<0000000016e30ae1>] dev_queue_xmit+0x18/0x20 net/core/dev.c:3910
    [<000000001d3fdc89>] can_send+0x138/0x2b0 net/can/af_can.c:290
    [<000000005a4285ac>] raw_sendmsg+0x1bb/0x300 net/can/raw.c:780
    [<00000000fbf369e0>] sock_sendmsg_nosec net/socket.c:646 [inline]
    [<00000000fbf369e0>] sock_sendmsg+0x54/0x70 net/socket.c:665
    [<000000000c1114a7>] ___sys_sendmsg+0x393/0x3c0 net/socket.c:2286
    [<0000000092b4a5c3>] __sys_sendmsg+0x80/0xf0 net/socket.c:2324
    [<000000003eeef580>] __do_sys_sendmsg net/socket.c:2333 [inline]
    [<000000003eeef580>] __se_sys_sendmsg net/socket.c:2331 [inline]
    [<000000003eeef580>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2331
    [<000000001747242b>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
    [<000000004ae309be>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/06/15 19:52 upstream 0011572c8830 442206d7 .config console log report syz C ci-upstream-gce-leak
2019/06/02 00:56 upstream 3ab4436f688c 53c81ea5 .config console log report syz C ci-upstream-gce-leak
* Struck through repros no longer work on HEAD.