syzbot

 sign-in | mailing list | source | docs
🐞 Open [977] Subsystems 🐞 Fixed [5208] 🐞 Invalid [12460] Missing Backports [82] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

memory leak in nf_tables_parse_netdev_hooks (2)

Status: fixed on 2020/04/15 17:19
Subsystems: netfilter
[Documentation on labels]
Reported-by: syzbot+a2ff6fa45162a5ed4dd3@syzkaller.appspotmail.com
Fix commit: 2d285f26ecd0 netfilter: nf_tables: free flowtable hooks on hook register error
First crash: 1506d, last: 1501d
Discussions (4)
Title Replies (including bot) Last reply
[PATCH 5.5 000/151] 5.5.10-rc1 review 158 (158) 2020/03/18 10:00
[PATCH 00/11] Netfilter fixes for net 13 (13) 2020/03/07 05:38
[PATCH nf] netfilter: nf_tables: free flowtable hooks on hook register error 5 (5) 2020/03/05 13:37
memory leak in nf_tables_parse_netdev_hooks (2) 0 (1) 2020/03/02 18:13
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream memory leak in nf_tables_parse_netdev_hooks netfilter C 6 1523d 1552d 15/26 fixed on 2020/02/18 14:31
upstream memory leak in nf_tables_parse_netdev_hooks (3) netfilter C 1 1409d 1406d 15/26 fixed on 2020/07/17 17:58

Sample crash report:
BUG: memory leak
unreferenced object 0xffff88811be16880 (size 96):
  comm "syz-executor298", pid 7082, jiffies 4294941492 (age 13.760s)
  hex dump (first 32 bytes):
    40 88 b2 1e 81 88 ff ff 40 88 b2 1e 81 88 ff ff  @.......@.......
    e0 b2 ba 82 ff ff ff ff 00 00 76 2a 81 88 ff ff  ..........v*....
  backtrace:
    [<00000000c5078aa9>] kmalloc include/linux/slab.h:555 [inline]
    [<00000000c5078aa9>] nft_netdev_hook_alloc+0x3b/0xc0 net/netfilter/nf_tables_api.c:1653
    [<00000000fe41b301>] nf_tables_parse_netdev_hooks+0xa1/0x220 net/netfilter/nf_tables_api.c:1702
    [<0000000048c62001>] nf_tables_flowtable_parse_hook net/netfilter/nf_tables_api.c:6097 [inline]
    [<0000000048c62001>] nf_tables_newflowtable+0x3c2/0x810 net/netfilter/nf_tables_api.c:6297
    [<00000000c2fb5ad0>] nfnetlink_rcv_batch+0x2f3/0x810 net/netfilter/nfnetlink.c:433
    [<00000000976b8cfb>] nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:543 [inline]
    [<00000000976b8cfb>] nfnetlink_rcv+0x183/0x1b0 net/netfilter/nfnetlink.c:561
    [<0000000061197fa6>] netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
    [<0000000061197fa6>] netlink_unicast+0x20a/0x2f0 net/netlink/af_netlink.c:1329
    [<000000006cc625c3>] netlink_sendmsg+0x2b5/0x560 net/netlink/af_netlink.c:1918
    [<00000000251766d2>] sock_sendmsg_nosec net/socket.c:652 [inline]
    [<00000000251766d2>] sock_sendmsg+0x4c/0x60 net/socket.c:672
    [<00000000238aa22b>] ____sys_sendmsg+0x2c0/0x2f0 net/socket.c:2343
    [<00000000f1abb009>] ___sys_sendmsg+0x8a/0xd0 net/socket.c:2397
    [<00000000ea5189e2>] __sys_sendmsg+0x77/0xe0 net/socket.c:2430
    [<00000000196c7741>] do_syscall_64+0x6e/0x210 arch/x86/entry/common.c:294
    [<000000007d4cb6b9>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811be16780 (size 96):
  comm "syz-executor298", pid 7083, jiffies 4294942084 (age 7.840s)
  hex dump (first 32 bytes):
    40 88 b2 1e 81 88 ff ff 40 88 b2 1e 81 88 ff ff  @.......@.......
    e0 b2 ba 82 ff ff ff ff 00 00 76 2a 81 88 ff ff  ..........v*....
  backtrace:
    [<00000000c5078aa9>] kmalloc include/linux/slab.h:555 [inline]
    [<00000000c5078aa9>] nft_netdev_hook_alloc+0x3b/0xc0 net/netfilter/nf_tables_api.c:1653
    [<00000000fe41b301>] nf_tables_parse_netdev_hooks+0xa1/0x220 net/netfilter/nf_tables_api.c:1702
    [<0000000048c62001>] nf_tables_flowtable_parse_hook net/netfilter/nf_tables_api.c:6097 [inline]
    [<0000000048c62001>] nf_tables_newflowtable+0x3c2/0x810 net/netfilter/nf_tables_api.c:6297
    [<00000000c2fb5ad0>] nfnetlink_rcv_batch+0x2f3/0x810 net/netfilter/nfnetlink.c:433
    [<00000000976b8cfb>] nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:543 [inline]
    [<00000000976b8cfb>] nfnetlink_rcv+0x183/0x1b0 net/netfilter/nfnetlink.c:561
    [<0000000061197fa6>] netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
    [<0000000061197fa6>] netlink_unicast+0x20a/0x2f0 net/netlink/af_netlink.c:1329
    [<000000006cc625c3>] netlink_sendmsg+0x2b5/0x560 net/netlink/af_netlink.c:1918
    [<00000000251766d2>] sock_sendmsg_nosec net/socket.c:652 [inline]
    [<00000000251766d2>] sock_sendmsg+0x4c/0x60 net/socket.c:672
    [<00000000238aa22b>] ____sys_sendmsg+0x2c0/0x2f0 net/socket.c:2343
    [<00000000f1abb009>] ___sys_sendmsg+0x8a/0xd0 net/socket.c:2397
    [<00000000ea5189e2>] __sys_sendmsg+0x77/0xe0 net/socket.c:2430
    [<00000000196c7741>] do_syscall_64+0x6e/0x210 arch/x86/entry/common.c:294
    [<000000007d4cb6b9>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/03/07 05:17 upstream fb279f4e2386 fd2a5f28 .config console log report syz C ci-upstream-gce-leak
2020/03/02 06:07 upstream 63623fd44972 c88c7b75 .config console log report syz C ci-upstream-gce-leak
* Struck through repros no longer work on HEAD.