* memory leak in vhost_net_ioctl
@ 2019-06-05 23:42 syzbot
  0 siblings, 0 replies; 22+ messages in thread
From: syzbot @ 2019-06-05 23:42 UTC (permalink / raw)
  To: ast, bpf, daniel, davem, hawk, jakub.kicinski, jasowang,
	john.fastabend, kvm, linux-kernel, mst, netdev, syzkaller-bugs,
	virtualization, xdp-newbies

Hello,

syzbot found the following crash on:

HEAD commit:    788a0249 Merge tag 'arc-5.2-rc4' of git://git.kernel.org/p..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15dc9ea6a00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=d5c73825cbdc7326
dashboard link: https://syzkaller.appspot.com/bug?extid=0789f0c7e45efd7bb643
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10b31761a00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=124892c1a00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+0789f0c7e45efd7bb643@syzkaller.appspotmail.com

audit: type=1400 audit(1559768703.229:36): avc:  denied  { map } for pid=7116 comm="syz-executor330" path="/root/syz-executor330334897" dev="sda1" ino=16461 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
BUG: memory leak
unreferenced object 0xffff88812421fe40 (size 64):
   comm "syz-executor330", pid 7117, jiffies 4294949245 (age 13.030s)
   hex dump (first 32 bytes):
     01 00 00 00 20 69 6f 63 00 00 00 00 64 65 76 2f  .... ioc....dev/
     50 fe 21 24 81 88 ff ff 50 fe 21 24 81 88 ff ff  P.!$....P.!$....
   backtrace:
     [<00000000ae0c4ae0>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
     [<00000000ae0c4ae0>] slab_post_alloc_hook mm/slab.h:439 [inline]
     [<00000000ae0c4ae0>] slab_alloc mm/slab.c:3326 [inline]
     [<00000000ae0c4ae0>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
     [<0000000079ebab38>] kmalloc include/linux/slab.h:547 [inline]
     [<0000000079ebab38>] vhost_net_ubuf_alloc drivers/vhost/net.c:241 [inline]
     [<0000000079ebab38>] vhost_net_set_backend drivers/vhost/net.c:1534 [inline]
     [<0000000079ebab38>] vhost_net_ioctl+0xb43/0xc10 drivers/vhost/net.c:1716
     [<000000009f6204a2>] vfs_ioctl fs/ioctl.c:46 [inline]
     [<000000009f6204a2>] file_ioctl fs/ioctl.c:509 [inline]
     [<000000009f6204a2>] do_vfs_ioctl+0x62a/0x810 fs/ioctl.c:696
     [<00000000b45866de>] ksys_ioctl+0x86/0xb0 fs/ioctl.c:713
     [<00000000dfb41eb8>] __do_sys_ioctl fs/ioctl.c:720 [inline]
     [<00000000dfb41eb8>] __se_sys_ioctl fs/ioctl.c:718 [inline]
     [<00000000dfb41eb8>] __x64_sys_ioctl+0x1e/0x30 fs/ioctl.c:718
     [<0000000049c1f547>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
     [<0000000029cc8ca7>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88812421fa80 (size 64):
   comm "syz-executor330", pid 7130, jiffies 4294949755 (age 7.930s)
   hex dump (first 32 bytes):
     01 00 00 00 01 00 00 00 00 00 00 00 2f 76 69 72  ............/vir
     90 fa 21 24 81 88 ff ff 90 fa 21 24 81 88 ff ff  ..!$......!$....
   backtrace:
     [<00000000ae0c4ae0>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
     [<00000000ae0c4ae0>] slab_post_alloc_hook mm/slab.h:439 [inline]
     [<00000000ae0c4ae0>] slab_alloc mm/slab.c:3326 [inline]
     [<00000000ae0c4ae0>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
     [<0000000079ebab38>] kmalloc include/linux/slab.h:547 [inline]
     [<0000000079ebab38>] vhost_net_ubuf_alloc drivers/vhost/net.c:241 [inline]
     [<0000000079ebab38>] vhost_net_set_backend drivers/vhost/net.c:1534 [inline]
     [<0000000079ebab38>] vhost_net_ioctl+0xb43/0xc10 drivers/vhost/net.c:1716
     [<000000009f6204a2>] vfs_ioctl fs/ioctl.c:46 [inline]
     [<000000009f6204a2>] file_ioctl fs/ioctl.c:509 [inline]
     [<000000009f6204a2>] do_vfs_ioctl+0x62a/0x810 fs/ioctl.c:696
     [<00000000b45866de>] ksys_ioctl+0x86/0xb0 fs/ioctl.c:713
     [<00000000dfb41eb8>] __do_sys_ioctl fs/ioctl.c:720 [inline]
     [<00000000dfb41eb8>] __se_sys_ioctl fs/ioctl.c:718 [inline]
     [<00000000dfb41eb8>] __x64_sys_ioctl+0x1e/0x30 fs/ioctl.c:718
     [<0000000049c1f547>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
     [<0000000029cc8ca7>] entry_SYSCALL_64_after_hwframe+0x44/0xa9



---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

^ permalink raw reply	[flat|nested] 22+ messages in thread
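
The rest of this thread turns on one triage question: does a retest log still contain the vhost_net_ubuf_alloc leak, or only unrelated leaks (batadv, hsr) that happen to be in the same kmemleak dump? The following script is an added example of doing that check mechanically; it is not part of the syzbot report or of any kernel tool. It parses "unreferenced object" records, skips the allocator frames (kmemleak_*, slab_*, kmem_cache_*, k*alloc, a heuristic chosen for this example) and groups records by the first remaining frame, so several leaked objects from one bug count once. The SAMPLE_LOG is constructed, modelled on the records quoted in this thread with backtraces trimmed, and one record is written '>'-quoted to show that a quoted retest reply parses too.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the records quoted in this thread (one
# of them as it would appear in a '>'-quoted retest reply). Backtraces are
# trimmed to the frames that matter for grouping.
SAMPLE_LOG = """\
executing program
BUG: memory leak
unreferenced object 0xffff88812421fe40 (size 64):
  comm "syz-executor330", pid 7117, jiffies 4294949245 (age 13.030s)
  backtrace:
    [<00000000ae0c4ae0>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
    [<00000000ae0c4ae0>] slab_post_alloc_hook mm/slab.h:439 [inline]
    [<00000000ae0c4ae0>] slab_alloc mm/slab.c:3326 [inline]
    [<00000000ae0c4ae0>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
    [<0000000079ebab38>] kmalloc include/linux/slab.h:547 [inline]
    [<0000000079ebab38>] vhost_net_ubuf_alloc drivers/vhost/net.c:241 [inline]
    [<0000000079ebab38>] vhost_net_set_backend drivers/vhost/net.c:1534 [inline]
    [<0000000079ebab38>] vhost_net_ioctl+0xb43/0xc10 drivers/vhost/net.c:1716

BUG: memory leak
unreferenced object 0xffff88812421fa80 (size 64):
  comm "syz-executor330", pid 7130, jiffies 4294949755 (age 7.930s)
  backtrace:
    [<00000000ae0c4ae0>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
    [<0000000079ebab38>] kmalloc include/linux/slab.h:547 [inline]
    [<0000000079ebab38>] vhost_net_ubuf_alloc drivers/vhost/net.c:241 [inline]
    [<0000000079ebab38>] vhost_net_ioctl+0xb43/0xc10 drivers/vhost/net.c:1716

> BUG: memory leak
> unreferenced object 0xffff88811d25c4c0 (size 64):
>   comm "softirq", pid 0, jiffies 4294943668 (age 434.830s)
>   backtrace:
>     [<000000000045bc9d>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
>     [<00000000197d773e>] kzalloc include/linux/slab.h:742 [inline]
>     [<00000000197d773e>] batadv_tvlv_handler_register+0xae/0x140 net/batman-adv/tvlv.c:529
>     [<00000000fa9f11af>] batadv_tt_init+0x78/0x180 net/batman-adv/translation-table.c:4411
"""

# Frames that belong to the allocator plumbing and carry no triage signal.
# This set is a heuristic for this example, not something kmemleak defines.
ALLOCATOR = re.compile(r"^(kmemleak_\w+|slab_\w+|kmem_cache_\w+|(?:__)?k[vmzc]+alloc\w*)$")
HEADER = re.compile(r"^unreferenced object (0x[0-9a-f]+) \(size (\d+)\):")
COMM = re.compile(r'^comm "([^"]*)", pid (\d+), jiffies \d+ \(age ([0-9.]+)s\)')
FRAME = re.compile(r"^\[<[0-9a-f]+>\]\s+([\w.]+)")


def parse_leaks(log_text):
    """Return one dict per kmemleak record: addr, size, comm, pid, age, frames."""
    records, cur = [], None
    for raw in log_text.splitlines():
        line = raw.lstrip("> ").rstrip()  # tolerate '>'-quoted reply text
        m = HEADER.match(line)
        if m:
            cur = {"addr": m.group(1), "size": int(m.group(2)),
                   "comm": None, "pid": None, "age": None, "frames": []}
            records.append(cur)
            continue
        if cur is None:
            continue
        m = COMM.match(line)
        if m:
            cur["comm"], cur["pid"], cur["age"] = m.group(1), int(m.group(2)), float(m.group(3))
            continue
        m = FRAME.match(line)
        if m:  # function name only; a wrapped file:line continuation is ignored
            cur["frames"].append(m.group(1))
    return records


def leak_site(record):
    """Innermost frame outside the allocator: the call site that lost the object."""
    for fn in record["frames"]:
        if not ALLOCATOR.match(fn):
            return fn
    return record["frames"][-1] if record["frames"] else "<no backtrace>"


def group_by_site(log_text):
    """Map leak site -> list of records, so N objects from one bug count once."""
    groups = defaultdict(list)
    for rec in parse_leaks(log_text):
        groups[leak_site(rec)].append(rec)
    return dict(groups)


def still_leaks(log_text, site):
    """True if a (re)test log still contains a leak attributed to `site`."""
    return site in group_by_site(log_text)


if __name__ == "__main__":
    for site, recs in group_by_site(SAMPLE_LOG).items():
        pids = sorted({r["pid"] for r in recs})
        print(f"{site}: {len(recs)} object(s) of size {recs[0]['size']}, pids {pids}")
    print("vhost ubuf leak present:", still_leaks(SAMPLE_LOG, "vhost_net_ubuf_alloc"))
```

Run against a full console log from the dashboard links above, the grouping keys are the function names a maintainer would search for; the mail-wrapped frames in the report as archived here (function name on one line, file:line on the next) parse the same way because only the frame line is read.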

* Re: memory leak in vhost_net_ioctl
@ 2019-06-14 12:17 Hillf Danton
  0 siblings, 0 replies; 22+ messages in thread
From: Hillf Danton @ 2019-06-14 12:17 UTC (permalink / raw)
  To: syzbot
  Cc: xdp-newbies, hdanton, jakub.kicinski, hawk, daniel, mst, netdev,
	john.fastabend, ast, linux-kernel, syzkaller-bugs, kvm, bpf,
	virtualization, davem, dvyukov


Hello Syzbot

On Fri, 14 Jun 2019 11:04:03 +0800 syzbot wrote:
>
>Hello,
>
>syzbot has tested the proposed patch but the reproducer still triggered crash:
>memory leak in batadv_tvlv_handler_register
>
>   484.626788][  T156] bond0 (unregistering): Releasing backup interface bond_slave_1
>Warning: Permanently added '10.128.0.87' (ECDSA) to the list of known hosts.
>BUG: memory leak
>unreferenced object 0xffff88811d25c4c0 (size 64):
>   comm "softirq", pid 0, jiffies 4294943668 (age 434.830s)
>   hex dump (first 32 bytes):
>     00 00 00 00 00 00 00 00 e0 fc 5b 20 81 88 ff ff  ..........[ ....
>     00 00 00 00 00 00 00 00 20 91 15 83 ff ff ff ff  ........ .......
>   backtrace:
>     [<000000000045bc9d>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
>     [<000000000045bc9d>] slab_post_alloc_hook mm/slab.h:439 [inline]
>     [<000000000045bc9d>] slab_alloc mm/slab.c:3326 [inline]
>     [<000000000045bc9d>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
>     [<00000000197d773e>] kmalloc include/linux/slab.h:547 [inline]
>     [<00000000197d773e>] kzalloc include/linux/slab.h:742 [inline]
>     [<00000000197d773e>] batadv_tvlv_handler_register+0xae/0x140 net/batman-adv/tvlv.c:529
>     [<00000000fa9f11af>] batadv_tt_init+0x78/0x180 net/batman-adv/translation-table.c:4411
>     [<000000008c50839d>] batadv_mesh_init+0x196/0x230 net/batman-adv/main.c:208
>     [<000000001c5a74a3>] batadv_softif_init_late+0x1ca/0x220 net/batman-adv/soft-interface.c:861
>     [<000000004e676cd1>] register_netdevice+0xbf/0x600 net/core/dev.c:8635
>     [<000000005601497b>] __rtnl_newlink+0xaca/0xb30 net/core/rtnetlink.c:3199
>     [<00000000ad02cf5e>] rtnl_newlink+0x4e/0x80 net/core/rtnetlink.c:3245
>     [<00000000eceb53af>] rtnetlink_rcv_msg+0x178/0x4b0 net/core/rtnetlink.c:5214
>     [<00000000140451f6>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2482
>     [<00000000237e38f7>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5232
>     [<000000000d47c000>] netlink_unicast_kernel net/netlink/af_netlink.c:1307 [inline]
>     [<000000000d47c000>] netlink_unicast+0x1ec/0x2d0 net/netlink/af_netlink.c:1333
>     [<0000000098503d79>] netlink_sendmsg+0x26a/0x480 net/netlink/af_netlink.c:1922
>     [<000000009263e868>] sock_sendmsg_nosec net/socket.c:646 [inline]
>     [<000000009263e868>] sock_sendmsg+0x54/0x70 net/socket.c:665
>     [<000000007791ad47>] __sys_sendto+0x148/0x1f0 net/socket.c:1958
>     [<00000000d6f3807d>] __do_sys_sendto net/socket.c:1970 [inline]
>     [<00000000d6f3807d>] __se_sys_sendto net/socket.c:1966 [inline]
>     [<00000000d6f3807d>] __x64_sys_sendto+0x2a/0x30 net/socket.c:1966
>
>BUG: memory leak
>unreferenced object 0xffff8881024a3340 (size 64):
>   comm "softirq", pid 0, jiffies 4294943678 (age 434.730s)
>   hex dump (first 32 bytes):
>     00 00 00 00 00 00 00 00 e0 2c 66 04 81 88 ff ff  .........,f.....
>     00 00 00 00 00 00 00 00 20 91 15 83 ff ff ff ff  ........ .......
>   backtrace:
>     [<000000000045bc9d>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
>     [<000000000045bc9d>] slab_post_alloc_hook mm/slab.h:439 [inline]
>     [<000000000045bc9d>] slab_alloc mm/slab.c:3326 [inline]
>     [<000000000045bc9d>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
>     [<00000000197d773e>] kmalloc include/linux/slab.h:547 [inline]
>     [<00000000197d773e>] kzalloc include/linux/slab.h:742 [inline]
>     [<00000000197d773e>] batadv_tvlv_handler_register+0xae/0x140 net/batman-adv/tvlv.c:529
>     [<00000000fa9f11af>] batadv_tt_init+0x78/0x180 net/batman-adv/translation-table.c:4411
>     [<000000008c50839d>] batadv_mesh_init+0x196/0x230 net/batman-adv/main.c:208
>     [<000000001c5a74a3>] batadv_softif_init_late+0x1ca/0x220 net/batman-adv/soft-interface.c:861
>     [<000000004e676cd1>] register_netdevice+0xbf/0x600 net/core/dev.c:8635
>     [<000000005601497b>] __rtnl_newlink+0xaca/0xb30 net/core/rtnetlink.c:3199
>     [<00000000ad02cf5e>] rtnl_newlink+0x4e/0x80 net/core/rtnetlink.c:3245
>     [<00000000eceb53af>] rtnetlink_rcv_msg+0x178/0x4b0 net/core/rtnetlink.c:5214
>     [<00000000140451f6>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2482
>     [<00000000237e38f7>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5232
>     [<000000000d47c000>] netlink_unicast_kernel net/netlink/af_netlink.c:1307 [inline]
>     [<000000000d47c000>] netlink_unicast+0x1ec/0x2d0 net/netlink/af_netlink.c:1333
>     [<0000000098503d79>] netlink_sendmsg+0x26a/0x480 net/netlink/af_netlink.c:1922
>     [<000000009263e868>] sock_sendmsg_nosec net/socket.c:646 [inline]
>     [<000000009263e868>] sock_sendmsg+0x54/0x70 net/socket.c:665
>     [<000000007791ad47>] __sys_sendto+0x148/0x1f0 net/socket.c:1958
>     [<00000000d6f3807d>] __do_sys_sendto net/socket.c:1970 [inline]
>     [<00000000d6f3807d>] __se_sys_sendto net/socket.c:1966 [inline]
>     [<00000000d6f3807d>] __x64_sys_sendto+0x2a/0x30 net/socket.c:1966
>
>BUG: memory leak
>unreferenced object 0xffff888108a71b80 (size 128):
>   comm "syz-executor.3", pid 7367, jiffies 4294943696 (age 434.550s)
>   hex dump (first 32 bytes):
>     f0 f8 bf 02 81 88 ff ff f0 f8 bf 02 81 88 ff ff  ................
>     1a dc 77 da 54 a0 be 41 64 20 e9 56 ff ff ff ff  ..w.T..Ad .V....
>   backtrace:
>     [<000000000045bc9d>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
>     [<000000000045bc9d>] slab_post_alloc_hook mm/slab.h:439 [inline]
>     [<000000000045bc9d>] slab_alloc mm/slab.c:3326 [inline]
>     [<000000000045bc9d>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
>     [<00000000cc6863ae>] kmalloc include/linux/slab.h:547 [inline]
>     [<00000000cc6863ae>] hsr_create_self_node+0x42/0x150 net/hsr/hsr_framereg.c:84
>     [<000000000e2bb6b0>] hsr_dev_finalize+0xa4/0x233 net/hsr/hsr_device.c:441
>     [<000000003b100a4a>] hsr_newlink+0xf3/0x140 net/hsr/hsr_netlink.c:69
>     [<00000000b5efb0eb>] __rtnl_newlink+0x892/0xb30 net/core/rtnetlink.c:3187
>     [<00000000ad02cf5e>] rtnl_newlink+0x4e/0x80 net/core/rtnetlink.c:3245
>     [<00000000eceb53af>] rtnetlink_rcv_msg+0x178/0x4b0 net/core/rtnetlink.c:5214
>     [<00000000140451f6>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2482
>     [<00000000237e38f7>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5232
>     [<000000000d47c000>] netlink_unicast_kernel net/netlink/af_netlink.c:1307 [inline]
>     [<000000000d47c000>] netlink_unicast+0x1ec/0x2d0 net/netlink/af_netlink.c:1333
>     [<0000000098503d79>] netlink_sendmsg+0x26a/0x480 net/netlink/af_netlink.c:1922
>     [<000000009263e868>] sock_sendmsg_nosec net/socket.c:646 [inline]
>     [<000000009263e868>] sock_sendmsg+0x54/0x70 net/socket.c:665
>     [<000000007791ad47>] __sys_sendto+0x148/0x1f0 net/socket.c:1958
>     [<00000000d6f3807d>] __do_sys_sendto net/socket.c:1970 [inline]
>     [<00000000d6f3807d>] __se_sys_sendto net/socket.c:1966 [inline]
>     [<00000000d6f3807d>] __x64_sys_sendto+0x2a/0x30 net/socket.c:1966
>     [<000000003ba31db7>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
>     [<0000000075c8daad>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
>
>
>Tested on:
>
>commit:         c11fb13a Merge branch 'for-linus' of git://git.kernel.org/..
>git tree:       upstream
>console output: https://syzkaller.appspot.com/x/log.txt?x=15c8f3b6a00000
>kernel config:  https://syzkaller.appspot.com/x/.config?x=cb38d33cd06d8d48
>compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
>patch:          https://syzkaller.appspot.com/x/patch.diff?x=12477101a00000
>
The following diff, made against the mainline master tree, purges both the
node_db and the self_node_db lists in the destroy path, to free any dangling
hsr node.

Thanks and good weekend
Hillf
------>8---
---
 net/hsr/hsr_device.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/hsr/hsr_device.c b/net/hsr/hsr_device.c
index 15c7206..c98ae6f 100644
--- a/net/hsr/hsr_device.c
+++ b/net/hsr/hsr_device.c
@@ -364,6 +364,12 @@ static void hsr_dev_destroy(struct net_device *hsr_dev)
 	del_timer_sync(&hsr->prune_timer);
 	del_timer_sync(&hsr->announce_timer);

+	while (!list_empty(&hsr->self_node_db))
+		hsr_del_node(&hsr->self_node_db);
+
+	while (!list_empty(&hsr->node_db))
+		hsr_del_node(&hsr->node_db);
+
 	synchronize_rcu();
 }
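
Review bot: the two purge loops run before the synchronize_rcu() that closes hsr_dev_destroy(), so this is only safe if hsr_del_node() defers the free (kfree_rcu or equivalent) rather than kfree()ing straight after unlinking; if it frees immediately, a reader that found a node before del_timer_sync() returned can still be using it, and either the synchronize_rcu() has to move above the loops or the free has to be deferred. Please say in the changelog which it is. Also, the leaked object in the retest log was allocated by hsr_create_self_node() from hsr_dev_finalize() (hsr_device.c:441), so the changelog should confirm that the reproducer really reaches hsr_dev_destroy(); if the object is lost on an error return from hsr_dev_finalize() instead, this hunk does not cover that path. Finally, the patch carries no Signed-off-by and no Fixes:/Reported-by: tag naming the hsr leak (the syzbot tag at the top of the thread is for the vhost_net leak).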

--


* Re: memory leak in vhost_net_ioctl
  2019-06-14  3:04 ` syzbot
  2019-06-14  7:58   ` Jeremy Sowden
@ 2019-06-14  7:58   ` Jeremy Sowden
  1 sibling, 0 replies; 22+ messages in thread
From: Jeremy Sowden @ 2019-06-14  7:58 UTC (permalink / raw)
  To: syzbot
  Cc: ast, bpf, daniel, davem, dvyukov, hawk, hdanton, jakub.kicinski,
	jasowang, john.fastabend, kvm, linux-kernel, mst, netdev,
	syzkaller-bugs, virtualization, xdp-newbies

On 2019-06-13, at 20:04:01 -0700, syzbot wrote:
> syzbot has tested the proposed patch but the reproducer still
> triggered crash: memory leak in batadv_tvlv_handler_register

There's already a fix for this batman leak:

  https://lore.kernel.org/netdev/00000000000017d64c058965f966@google.com/
  https://www.open-mesh.org/issues/378

>   484.626788][  T156] bond0 (unregistering): Releasing backup
>   interface bond_slave_1
> Warning: Permanently added '10.128.0.87' (ECDSA) to the list of known
> hosts.
> BUG: memory leak
> unreferenced object 0xffff88811d25c4c0 (size 64):
>   comm "softirq", pid 0, jiffies 4294943668 (age 434.830s)
>   hex dump (first 32 bytes):
>     00 00 00 00 00 00 00 00 e0 fc 5b 20 81 88 ff ff  ..........[ ....
>     00 00 00 00 00 00 00 00 20 91 15 83 ff ff ff ff  ........ .......
>   backtrace:
>     [<000000000045bc9d>] kmemleak_alloc_recursive
> include/linux/kmemleak.h:43 [inline]
>     [<000000000045bc9d>] slab_post_alloc_hook mm/slab.h:439 [inline]
>     [<000000000045bc9d>] slab_alloc mm/slab.c:3326 [inline]
>     [<000000000045bc9d>] kmem_cache_alloc_trace+0x13d/0x280
> mm/slab.c:3553
>     [<00000000197d773e>] kmalloc include/linux/slab.h:547 [inline]
>     [<00000000197d773e>] kzalloc include/linux/slab.h:742 [inline]
>     [<00000000197d773e>] batadv_tvlv_handler_register+0xae/0x140
> net/batman-adv/tvlv.c:529
>     [<00000000fa9f11af>] batadv_tt_init+0x78/0x180
> net/batman-adv/translation-table.c:4411
>     [<000000008c50839d>] batadv_mesh_init+0x196/0x230
> net/batman-adv/main.c:208
>     [<000000001c5a74a3>] batadv_softif_init_late+0x1ca/0x220
> net/batman-adv/soft-interface.c:861
>     [<000000004e676cd1>] register_netdevice+0xbf/0x600
> net/core/dev.c:8635
>     [<000000005601497b>] __rtnl_newlink+0xaca/0xb30
> net/core/rtnetlink.c:3199
>     [<00000000ad02cf5e>] rtnl_newlink+0x4e/0x80
> net/core/rtnetlink.c:3245
>     [<00000000eceb53af>] rtnetlink_rcv_msg+0x178/0x4b0
> net/core/rtnetlink.c:5214
>     [<00000000140451f6>] netlink_rcv_skb+0x61/0x170
> net/netlink/af_netlink.c:2482
>     [<00000000237e38f7>] rtnetlink_rcv+0x1d/0x30
> net/core/rtnetlink.c:5232
>     [<000000000d47c000>] netlink_unicast_kernel
> net/netlink/af_netlink.c:1307 [inline]
>     [<000000000d47c000>] netlink_unicast+0x1ec/0x2d0
> net/netlink/af_netlink.c:1333
>     [<0000000098503d79>] netlink_sendmsg+0x26a/0x480
> net/netlink/af_netlink.c:1922
>     [<000000009263e868>] sock_sendmsg_nosec net/socket.c:646 [inline]
>     [<000000009263e868>] sock_sendmsg+0x54/0x70 net/socket.c:665
>     [<000000007791ad47>] __sys_sendto+0x148/0x1f0 net/socket.c:1958
>     [<00000000d6f3807d>] __do_sys_sendto net/socket.c:1970 [inline]
>     [<00000000d6f3807d>] __se_sys_sendto net/socket.c:1966 [inline]
>     [<00000000d6f3807d>] __x64_sys_sendto+0x2a/0x30 net/socket.c:1966
>
> BUG: memory leak
> unreferenced object 0xffff8881024a3340 (size 64):
>   comm "softirq", pid 0, jiffies 4294943678 (age 434.730s)
>   hex dump (first 32 bytes):
>     00 00 00 00 00 00 00 00 e0 2c 66 04 81 88 ff ff  .........,f.....
>     00 00 00 00 00 00 00 00 20 91 15 83 ff ff ff ff  ........ .......
>   backtrace:
>     [<000000000045bc9d>] kmemleak_alloc_recursive
> include/linux/kmemleak.h:43 [inline]
>     [<000000000045bc9d>] slab_post_alloc_hook mm/slab.h:439 [inline]
>     [<000000000045bc9d>] slab_alloc mm/slab.c:3326 [inline]
>     [<000000000045bc9d>] kmem_cache_alloc_trace+0x13d/0x280
> mm/slab.c:3553
>     [<00000000197d773e>] kmalloc include/linux/slab.h:547 [inline]
>     [<00000000197d773e>] kzalloc include/linux/slab.h:742 [inline]
>     [<00000000197d773e>] batadv_tvlv_handler_register+0xae/0x140
> net/batman-adv/tvlv.c:529
>     [<00000000fa9f11af>] batadv_tt_init+0x78/0x180
> net/batman-adv/translation-table.c:4411
>     [<000000008c50839d>] batadv_mesh_init+0x196/0x230
> net/batman-adv/main.c:208
>     [<000000001c5a74a3>] batadv_softif_init_late+0x1ca/0x220
> net/batman-adv/soft-interface.c:861
>     [<000000004e676cd1>] register_netdevice+0xbf/0x600
> net/core/dev.c:8635
>     [<000000005601497b>] __rtnl_newlink+0xaca/0xb30
> net/core/rtnetlink.c:3199
>     [<00000000ad02cf5e>] rtnl_newlink+0x4e/0x80
> net/core/rtnetlink.c:3245
>     [<00000000eceb53af>] rtnetlink_rcv_msg+0x178/0x4b0
> net/core/rtnetlink.c:5214
>     [<00000000140451f6>] netlink_rcv_skb+0x61/0x170
> net/netlink/af_netlink.c:2482
>     [<00000000237e38f7>] rtnetlink_rcv+0x1d/0x30
> net/core/rtnetlink.c:5232
>     [<000000000d47c000>] netlink_unicast_kernel
> net/netlink/af_netlink.c:1307 [inline]
>     [<000000000d47c000>] netlink_unicast+0x1ec/0x2d0
> net/netlink/af_netlink.c:1333
>     [<0000000098503d79>] netlink_sendmsg+0x26a/0x480
> net/netlink/af_netlink.c:1922
>     [<000000009263e868>] sock_sendmsg_nosec net/socket.c:646 [inline]
>     [<000000009263e868>] sock_sendmsg+0x54/0x70 net/socket.c:665
>     [<000000007791ad47>] __sys_sendto+0x148/0x1f0 net/socket.c:1958
>     [<00000000d6f3807d>] __do_sys_sendto net/socket.c:1970 [inline]
>     [<00000000d6f3807d>] __se_sys_sendto net/socket.c:1966 [inline]
>     [<00000000d6f3807d>] __x64_sys_sendto+0x2a/0x30 net/socket.c:1966
>
> BUG: memory leak
> unreferenced object 0xffff888108a71b80 (size 128):
>   comm "syz-executor.3", pid 7367, jiffies 4294943696 (age 434.550s)
>   hex dump (first 32 bytes):
>     f0 f8 bf 02 81 88 ff ff f0 f8 bf 02 81 88 ff ff  ................
>     1a dc 77 da 54 a0 be 41 64 20 e9 56 ff ff ff ff  ..w.T..Ad .V....
>   backtrace:
>     [<000000000045bc9d>] kmemleak_alloc_recursive
> include/linux/kmemleak.h:43 [inline]
>     [<000000000045bc9d>] slab_post_alloc_hook mm/slab.h:439 [inline]
>     [<000000000045bc9d>] slab_alloc mm/slab.c:3326 [inline]
>     [<000000000045bc9d>] kmem_cache_alloc_trace+0x13d/0x280
> mm/slab.c:3553
>     [<00000000cc6863ae>] kmalloc include/linux/slab.h:547 [inline]
>     [<00000000cc6863ae>] hsr_create_self_node+0x42/0x150
> net/hsr/hsr_framereg.c:84
>     [<000000000e2bb6b0>] hsr_dev_finalize+0xa4/0x233
> net/hsr/hsr_device.c:441
>     [<000000003b100a4a>] hsr_newlink+0xf3/0x140
> net/hsr/hsr_netlink.c:69
>     [<00000000b5efb0eb>] __rtnl_newlink+0x892/0xb30
> net/core/rtnetlink.c:3187
>     [<00000000ad02cf5e>] rtnl_newlink+0x4e/0x80
> net/core/rtnetlink.c:3245
>     [<00000000eceb53af>] rtnetlink_rcv_msg+0x178/0x4b0
> net/core/rtnetlink.c:5214
>     [<00000000140451f6>] netlink_rcv_skb+0x61/0x170
> net/netlink/af_netlink.c:2482
>     [<00000000237e38f7>] rtnetlink_rcv+0x1d/0x30
> net/core/rtnetlink.c:5232
>     [<000000000d47c000>] netlink_unicast_kernel
> net/netlink/af_netlink.c:1307 [inline]
>     [<000000000d47c000>] netlink_unicast+0x1ec/0x2d0
> net/netlink/af_netlink.c:1333
>     [<0000000098503d79>] netlink_sendmsg+0x26a/0x480
> net/netlink/af_netlink.c:1922
>     [<000000009263e868>] sock_sendmsg_nosec net/socket.c:646 [inline]
>     [<000000009263e868>] sock_sendmsg+0x54/0x70 net/socket.c:665
>     [<000000007791ad47>] __sys_sendto+0x148/0x1f0 net/socket.c:1958
>     [<00000000d6f3807d>] __do_sys_sendto net/socket.c:1970 [inline]
>     [<00000000d6f3807d>] __se_sys_sendto net/socket.c:1966 [inline]
>     [<00000000d6f3807d>] __x64_sys_sendto+0x2a/0x30 net/socket.c:1966
>     [<000000003ba31db7>] do_syscall_64+0x76/0x1a0
> arch/x86/entry/common.c:301
>     [<0000000075c8daad>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> Tested on:
>
> commit:         c11fb13a Merge branch 'for-linus' of git://git.kernel.org/..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=15c8f3b6a00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=cb38d33cd06d8d48
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> patch:          https://syzkaller.appspot.com/x/patch.diff?x=12477101a00000

J.


* Re: memory leak in vhost_net_ioctl
@ 2019-06-14  6:31 Hillf Danton
  0 siblings, 0 replies; 22+ messages in thread
From: Hillf Danton @ 2019-06-14  6:31 UTC (permalink / raw)
  To: syzbot
  Cc: xdp-newbies, hdanton, jakub.kicinski, hawk, daniel, mst, netdev,
	john.fastabend, ast, linux-kernel, syzkaller-bugs, kvm, bpf,
	virtualization, davem, dvyukov


Hello Syzbot

On Fri, 14 Jun 2019 11:04:03 +0800 syzbot wrote:
>
>Hello,
>
>syzbot has tested the proposed patch but the reproducer still triggered crash:
>memory leak in batadv_tvlv_handler_register
>
It is not the ubuf leak that is addressed in this thread. Good news.
I will look at this new leak soon.

>   484.626788][  T156] bond0 (unregistering): Releasing backup interface bond_slave_1
>Warning: Permanently added '10.128.0.87' (ECDSA) to the list of known hosts.
>BUG: memory leak
>unreferenced object 0xffff88811d25c4c0 (size 64):
>   comm "softirq", pid 0, jiffies 4294943668 (age 434.830s)
>   hex dump (first 32 bytes):
>     00 00 00 00 00 00 00 00 e0 fc 5b 20 81 88 ff ff  ..........[ ....
>     00 00 00 00 00 00 00 00 20 91 15 83 ff ff ff ff  ........ .......
>   backtrace:
>     [<000000000045bc9d>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
>     [<000000000045bc9d>] slab_post_alloc_hook mm/slab.h:439 [inline]
>     [<000000000045bc9d>] slab_alloc mm/slab.c:3326 [inline]
>     [<000000000045bc9d>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
>     [<00000000197d773e>] kmalloc include/linux/slab.h:547 [inline]
>     [<00000000197d773e>] kzalloc include/linux/slab.h:742 [inline]
>     [<00000000197d773e>] batadv_tvlv_handler_register+0xae/0x140 net/batman-adv/tvlv.c:529
>     [<00000000fa9f11af>] batadv_tt_init+0x78/0x180 net/batman-adv/translation-table.c:4411
>     [<000000008c50839d>] batadv_mesh_init+0x196/0x230 net/batman-adv/main.c:208
>     [<000000001c5a74a3>] batadv_softif_init_late+0x1ca/0x220 net/batman-adv/soft-interface.c:861
>     [<000000004e676cd1>] register_netdevice+0xbf/0x600 net/core/dev.c:8635
>     [<000000005601497b>] __rtnl_newlink+0xaca/0xb30 net/core/rtnetlink.c:3199
>     [<00000000ad02cf5e>] rtnl_newlink+0x4e/0x80 net/core/rtnetlink.c:3245
>     [<00000000eceb53af>] rtnetlink_rcv_msg+0x178/0x4b0 net/core/rtnetlink.c:5214
>     [<00000000140451f6>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2482
>     [<00000000237e38f7>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5232
>     [<000000000d47c000>] netlink_unicast_kernel net/netlink/af_netlink.c:1307 [inline]
>     [<000000000d47c000>] netlink_unicast+0x1ec/0x2d0 net/netlink/af_netlink.c:1333
>     [<0000000098503d79>] netlink_sendmsg+0x26a/0x480 net/netlink/af_netlink.c:1922
>     [<000000009263e868>] sock_sendmsg_nosec net/socket.c:646 [inline]
>     [<000000009263e868>] sock_sendmsg+0x54/0x70 net/socket.c:665
>     [<000000007791ad47>] __sys_sendto+0x148/0x1f0 net/socket.c:1958
>     [<00000000d6f3807d>] __do_sys_sendto net/socket.c:1970 [inline]
>     [<00000000d6f3807d>] __se_sys_sendto net/socket.c:1966 [inline]
>     [<00000000d6f3807d>] __x64_sys_sendto+0x2a/0x30 net/socket.c:1966
>
>BUG: memory leak
>unreferenced object 0xffff8881024a3340 (size 64):
>   comm "softirq", pid 0, jiffies 4294943678 (age 434.730s)
>   hex dump (first 32 bytes):
>     00 00 00 00 00 00 00 00 e0 2c 66 04 81 88 ff ff  .........,f.....
>     00 00 00 00 00 00 00 00 20 91 15 83 ff ff ff ff  ........ .......
>   backtrace:
>     [<000000000045bc9d>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
>     [<000000000045bc9d>] slab_post_alloc_hook mm/slab.h:439 [inline]
>     [<000000000045bc9d>] slab_alloc mm/slab.c:3326 [inline]
>     [<000000000045bc9d>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
>     [<00000000197d773e>] kmalloc include/linux/slab.h:547 [inline]
>     [<00000000197d773e>] kzalloc include/linux/slab.h:742 [inline]
>     [<00000000197d773e>] batadv_tvlv_handler_register+0xae/0x140 net/batman-adv/tvlv.c:529
>     [<00000000fa9f11af>] batadv_tt_init+0x78/0x180 net/batman-adv/translation-table.c:4411
>     [<000000008c50839d>] batadv_mesh_init+0x196/0x230 net/batman-adv/main.c:208
>     [<000000001c5a74a3>] batadv_softif_init_late+0x1ca/0x220 net/batman-adv/soft-interface.c:861
>     [<000000004e676cd1>] register_netdevice+0xbf/0x600 net/core/dev.c:8635
>     [<000000005601497b>] __rtnl_newlink+0xaca/0xb30 net/core/rtnetlink.c:3199
>     [<00000000ad02cf5e>] rtnl_newlink+0x4e/0x80 net/core/rtnetlink.c:3245
>     [<00000000eceb53af>] rtnetlink_rcv_msg+0x178/0x4b0 net/core/rtnetlink.c:5214
>     [<00000000140451f6>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2482
>     [<00000000237e38f7>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5232
>     [<000000000d47c000>] netlink_unicast_kernel net/netlink/af_netlink.c:1307 [inline]
>     [<000000000d47c000>] netlink_unicast+0x1ec/0x2d0 net/netlink/af_netlink.c:1333
>     [<0000000098503d79>] netlink_sendmsg+0x26a/0x480 net/netlink/af_netlink.c:1922
>     [<000000009263e868>] sock_sendmsg_nosec net/socket.c:646 [inline]
>     [<000000009263e868>] sock_sendmsg+0x54/0x70 net/socket.c:665
>     [<000000007791ad47>] __sys_sendto+0x148/0x1f0 net/socket.c:1958
>     [<00000000d6f3807d>] __do_sys_sendto net/socket.c:1970 [inline]
>     [<00000000d6f3807d>] __se_sys_sendto net/socket.c:1966 [inline]
>     [<00000000d6f3807d>] __x64_sys_sendto+0x2a/0x30 net/socket.c:1966
>
>BUG: memory leak
>unreferenced object 0xffff888108a71b80 (size 128):
>   comm "syz-executor.3", pid 7367, jiffies 4294943696 (age 434.550s)
>   hex dump (first 32 bytes):
>     f0 f8 bf 02 81 88 ff ff f0 f8 bf 02 81 88 ff ff  ................
>     1a dc 77 da 54 a0 be 41 64 20 e9 56 ff ff ff ff  ..w.T..Ad .V....
>   backtrace:
>     [<000000000045bc9d>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
>     [<000000000045bc9d>] slab_post_alloc_hook mm/slab.h:439 [inline]
>     [<000000000045bc9d>] slab_alloc mm/slab.c:3326 [inline]
>     [<000000000045bc9d>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
>     [<00000000cc6863ae>] kmalloc include/linux/slab.h:547 [inline]
>     [<00000000cc6863ae>] hsr_create_self_node+0x42/0x150 net/hsr/hsr_framereg.c:84

Oh another one.

>     [<000000000e2bb6b0>] hsr_dev_finalize+0xa4/0x233 net/hsr/hsr_device.c:441
>     [<000000003b100a4a>] hsr_newlink+0xf3/0x140 net/hsr/hsr_netlink.c:69
>     [<00000000b5efb0eb>] __rtnl_newlink+0x892/0xb30 net/core/rtnetlink.c:3187
>     [<00000000ad02cf5e>] rtnl_newlink+0x4e/0x80 net/core/rtnetlink.c:3245
>     [<00000000eceb53af>] rtnetlink_rcv_msg+0x178/0x4b0 net/core/rtnetlink.c:5214
>     [<00000000140451f6>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2482
>     [<00000000237e38f7>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5232
>     [<000000000d47c000>] netlink_unicast_kernel net/netlink/af_netlink.c:1307 [inline]
>     [<000000000d47c000>] netlink_unicast+0x1ec/0x2d0 net/netlink/af_netlink.c:1333
>     [<0000000098503d79>] netlink_sendmsg+0x26a/0x480 net/netlink/af_netlink.c:1922
>     [<000000009263e868>] sock_sendmsg_nosec net/socket.c:646 [inline]
>     [<000000009263e868>] sock_sendmsg+0x54/0x70 net/socket.c:665
>     [<000000007791ad47>] __sys_sendto+0x148/0x1f0 net/socket.c:1958
>     [<00000000d6f3807d>] __do_sys_sendto net/socket.c:1970 [inline]
>     [<00000000d6f3807d>] __se_sys_sendto net/socket.c:1966 [inline]
>     [<00000000d6f3807d>] __x64_sys_sendto+0x2a/0x30 net/socket.c:1966
>     [<000000003ba31db7>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
>     [<0000000075c8daad>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
>
>
>Tested on:
>
>commit:         c11fb13a Merge branch 'for-linus' of git://git.kernel.org/..
>git tree:       upstream
>console output: https://syzkaller.appspot.com/x/log.txt?x=15c8f3b6a00000
>kernel config:  https://syzkaller.appspot.com/x/.config?x=cb38d33cd06d8d48
>compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
>patch:          https://syzkaller.appspot.com/x/patch.diff?x=12477101a00000
>

Thanks
Hillf

^ permalink raw reply	[flat|nested] 22+ messages in thread
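
Hillf's first step in the reply above is to read the allocation frame off the kmemleak backtrace and decide whether a report belongs to the leak the patch addresses. The script below is an added example for this thread, not code from syzkaller, from the kernel tree or from any participant: it parses reports in the format syzbot posts (tolerating mail quoting and the soft-wrapped frame lines seen on this page), names each leak by the first backtrace frame outside the slab allocator, and splits a log into reports that pass through a given function and reports that do not. The sample log is a constructed, shortened excerpt in the same format, and the allocator frame list is an assumption that may need extending for other kernels.

```python
"""Triage kmemleak "BUG: memory leak" reports from a console log.

Added example, not code from syzkaller or the kernel: name each leak by the
first backtrace frame outside the slab allocator, the check a reader does
by eye when asking whether a report is the leak a patch addresses.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

# Allocation plumbing on top of every slab backtrace (assumed list).
ALLOCATOR_FRAMES = {
    "kmemleak_alloc_recursive", "slab_post_alloc_hook", "slab_alloc",
    "kmem_cache_alloc_trace", "kmem_cache_alloc", "__kmalloc", "kmalloc",
    "kzalloc", "kmalloc_array", "kcalloc", "kvmalloc", "kvzalloc",
}

HEADER_RE = re.compile(r"^unreferenced object 0x([0-9a-f]+) \(size (\d+)\):")
COMM_RE = re.compile(r'^comm "([^"]*)", pid (\d+),')
FRAME_RE = re.compile(r"^\[<[0-9a-f]+>\] (\S+)")


@dataclass
class LeakReport:
    addr: int
    size: int
    comm: str = ""
    pid: int = -1
    frames: list[str] = field(default_factory=list)  # symbols, innermost first

    def site(self) -> str:
        """First frame that is not allocator plumbing: the code owning the object."""
        for sym in self.frames:
            name = sym.split("+", 1)[0]  # drop "+0x.../0x..." offsets
            if name not in ALLOCATOR_FRAMES:
                return name
        return "<unknown>"


def parse_kmemleak(log: str) -> list[LeakReport]:
    """Parse every "unreferenced object" report in `log`.

    Leading '>' quoting and indentation are stripped so a report pasted into a
    mail reply parses like raw console output. A backtrace line that does not
    start with "[<" is a soft-wrapped continuation (file:line only) and is skipped.
    """
    reports: list[LeakReport] = []
    cur: LeakReport | None = None
    for raw in log.splitlines():
        line = raw.lstrip("> ")
        m = HEADER_RE.match(line)
        if m:
            cur = LeakReport(addr=int(m.group(1), 16), size=int(m.group(2)))
            reports.append(cur)
            continue
        if cur is None:
            continue
        m = COMM_RE.match(line)
        if m:
            cur.comm, cur.pid = m.group(1), int(m.group(2))
            continue
        m = FRAME_RE.match(line)
        if m:
            cur.frames.append(m.group(1))
    return reports


def matches_site(report: LeakReport, symbol: str) -> bool:
    """True if `symbol` appears anywhere in the report's backtrace."""
    return any(f.split("+", 1)[0] == symbol for f in report.frames)


def group_by_site(reports: list[LeakReport]) -> Counter:
    return Counter(r.site() for r in reports)


def triage(log: str, fixed_symbol: str) -> dict[str, Counter]:
    """Split a log into leaks that go through `fixed_symbol` and leaks that do not."""
    reports = parse_kmemleak(log)
    related = [r for r in reports if matches_site(r, fixed_symbol)]
    unrelated = [r for r in reports if not matches_site(r, fixed_symbol)]
    return {"related": group_by_site(related), "unrelated": group_by_site(unrelated)}


# Constructed sample in the format seen on this page: one mail-quoted vhost
# report and one raw batadv report with soft-wrapped frame lines (shortened).
SAMPLE_LOG = """\
> BUG: memory leak
> unreferenced object 0xffff88810b1365c0 (size 64):
>    comm "syz-executor.2", pid 7193, jiffies 4294943823 (age 14.580s)
>    backtrace:
>      [<000000006c752978>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
>      [<000000006c752978>] slab_alloc mm/slab.c:3326 [inline]
>      [<000000006c752978>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
>      [<00000000b3825d52>] kmalloc include/linux/slab.h:547 [inline]
>      [<00000000b3825d52>] vhost_net_ubuf_alloc drivers/vhost/net.c:241 [inline]
>      [<00000000b3825d52>] vhost_net_set_backend drivers/vhost/net.c:1535 [inline]
>      [<00000000b3825d52>] vhost_net_ioctl+0xb43/0xc10 drivers/vhost/net.c:1717
BUG: memory leak
unreferenced object 0xffff88811d25c4c0 (size 64):
   comm "softirq", pid 0, jiffies 4294943668 (age 434.830s)
   backtrace:
     [<000000000045bc9d>] kmemleak_alloc_recursive
include/linux/kmemleak.h:43 [inline]
     [<000000000045bc9d>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
     [<00000000197d773e>] kzalloc include/linux/slab.h:742 [inline]
     [<00000000197d773e>] batadv_tvlv_handler_register+0xae/0x140
net/batman-adv/tvlv.c:529
     [<00000000fa9f11af>] batadv_tt_init+0x78/0x180
net/batman-adv/translation-table.c:4411
"""

if __name__ == "__main__":
    for kind, sites in triage(SAMPLE_LOG, "vhost_net_set_backend").items():
        print(kind, dict(sites))
```

Run it against a saved console log instead of the sample and pass the function the patch touches; anything landing in "unrelated" is a separate bug to report on its own, as happened here with the batadv and hsr reports.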

* Re: memory leak in vhost_net_ioctl
  2019-06-14  2:45 Hillf Danton
  2019-06-14  3:04 ` syzbot
@ 2019-06-14  3:04 ` syzbot
  2019-06-14  7:58   ` Jeremy Sowden
  2019-06-14  7:58   ` Jeremy Sowden
  1 sibling, 2 replies; 22+ messages in thread
From: syzbot @ 2019-06-14  3:04 UTC (permalink / raw)
  To: ast, bpf, daniel, davem, dvyukov, hawk, hdanton, jakub.kicinski,
	jasowang, john.fastabend, kvm, linux-kernel, mst, netdev,
	syzkaller-bugs, virtualization, xdp-newbies

Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
memory leak in batadv_tvlv_handler_register

   484.626788][  T156] bond0 (unregistering): Releasing backup interface bond_slave_1
Warning: Permanently added '10.128.0.87' (ECDSA) to the list of known hosts.
BUG: memory leak
unreferenced object 0xffff88811d25c4c0 (size 64):
   comm "softirq", pid 0, jiffies 4294943668 (age 434.830s)
   hex dump (first 32 bytes):
     00 00 00 00 00 00 00 00 e0 fc 5b 20 81 88 ff ff  ..........[ ....
     00 00 00 00 00 00 00 00 20 91 15 83 ff ff ff ff  ........ .......
   backtrace:
     [<000000000045bc9d>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
     [<000000000045bc9d>] slab_post_alloc_hook mm/slab.h:439 [inline]
     [<000000000045bc9d>] slab_alloc mm/slab.c:3326 [inline]
     [<000000000045bc9d>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
     [<00000000197d773e>] kmalloc include/linux/slab.h:547 [inline]
     [<00000000197d773e>] kzalloc include/linux/slab.h:742 [inline]
     [<00000000197d773e>] batadv_tvlv_handler_register+0xae/0x140 net/batman-adv/tvlv.c:529
     [<00000000fa9f11af>] batadv_tt_init+0x78/0x180 net/batman-adv/translation-table.c:4411
     [<000000008c50839d>] batadv_mesh_init+0x196/0x230 net/batman-adv/main.c:208
     [<000000001c5a74a3>] batadv_softif_init_late+0x1ca/0x220 net/batman-adv/soft-interface.c:861
     [<000000004e676cd1>] register_netdevice+0xbf/0x600 net/core/dev.c:8635
     [<000000005601497b>] __rtnl_newlink+0xaca/0xb30 net/core/rtnetlink.c:3199
     [<00000000ad02cf5e>] rtnl_newlink+0x4e/0x80 net/core/rtnetlink.c:3245
     [<00000000eceb53af>] rtnetlink_rcv_msg+0x178/0x4b0 net/core/rtnetlink.c:5214
     [<00000000140451f6>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2482
     [<00000000237e38f7>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5232
     [<000000000d47c000>] netlink_unicast_kernel net/netlink/af_netlink.c:1307 [inline]
     [<000000000d47c000>] netlink_unicast+0x1ec/0x2d0 net/netlink/af_netlink.c:1333
     [<0000000098503d79>] netlink_sendmsg+0x26a/0x480 net/netlink/af_netlink.c:1922
     [<000000009263e868>] sock_sendmsg_nosec net/socket.c:646 [inline]
     [<000000009263e868>] sock_sendmsg+0x54/0x70 net/socket.c:665
     [<000000007791ad47>] __sys_sendto+0x148/0x1f0 net/socket.c:1958
     [<00000000d6f3807d>] __do_sys_sendto net/socket.c:1970 [inline]
     [<00000000d6f3807d>] __se_sys_sendto net/socket.c:1966 [inline]
     [<00000000d6f3807d>] __x64_sys_sendto+0x2a/0x30 net/socket.c:1966

BUG: memory leak
unreferenced object 0xffff8881024a3340 (size 64):
   comm "softirq", pid 0, jiffies 4294943678 (age 434.730s)
   hex dump (first 32 bytes):
     00 00 00 00 00 00 00 00 e0 2c 66 04 81 88 ff ff  .........,f.....
     00 00 00 00 00 00 00 00 20 91 15 83 ff ff ff ff  ........ .......
   backtrace:
     [<000000000045bc9d>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
     [<000000000045bc9d>] slab_post_alloc_hook mm/slab.h:439 [inline]
     [<000000000045bc9d>] slab_alloc mm/slab.c:3326 [inline]
     [<000000000045bc9d>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
     [<00000000197d773e>] kmalloc include/linux/slab.h:547 [inline]
     [<00000000197d773e>] kzalloc include/linux/slab.h:742 [inline]
     [<00000000197d773e>] batadv_tvlv_handler_register+0xae/0x140 net/batman-adv/tvlv.c:529
     [<00000000fa9f11af>] batadv_tt_init+0x78/0x180 net/batman-adv/translation-table.c:4411
     [<000000008c50839d>] batadv_mesh_init+0x196/0x230 net/batman-adv/main.c:208
     [<000000001c5a74a3>] batadv_softif_init_late+0x1ca/0x220 net/batman-adv/soft-interface.c:861
     [<000000004e676cd1>] register_netdevice+0xbf/0x600 net/core/dev.c:8635
     [<000000005601497b>] __rtnl_newlink+0xaca/0xb30 net/core/rtnetlink.c:3199
     [<00000000ad02cf5e>] rtnl_newlink+0x4e/0x80 net/core/rtnetlink.c:3245
     [<00000000eceb53af>] rtnetlink_rcv_msg+0x178/0x4b0 net/core/rtnetlink.c:5214
     [<00000000140451f6>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2482
     [<00000000237e38f7>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5232
     [<000000000d47c000>] netlink_unicast_kernel net/netlink/af_netlink.c:1307 [inline]
     [<000000000d47c000>] netlink_unicast+0x1ec/0x2d0 net/netlink/af_netlink.c:1333
     [<0000000098503d79>] netlink_sendmsg+0x26a/0x480 net/netlink/af_netlink.c:1922
     [<000000009263e868>] sock_sendmsg_nosec net/socket.c:646 [inline]
     [<000000009263e868>] sock_sendmsg+0x54/0x70 net/socket.c:665
     [<000000007791ad47>] __sys_sendto+0x148/0x1f0 net/socket.c:1958
     [<00000000d6f3807d>] __do_sys_sendto net/socket.c:1970 [inline]
     [<00000000d6f3807d>] __se_sys_sendto net/socket.c:1966 [inline]
     [<00000000d6f3807d>] __x64_sys_sendto+0x2a/0x30 net/socket.c:1966

BUG: memory leak
unreferenced object 0xffff888108a71b80 (size 128):
   comm "syz-executor.3", pid 7367, jiffies 4294943696 (age 434.550s)
   hex dump (first 32 bytes):
     f0 f8 bf 02 81 88 ff ff f0 f8 bf 02 81 88 ff ff  ................
     1a dc 77 da 54 a0 be 41 64 20 e9 56 ff ff ff ff  ..w.T..Ad .V....
   backtrace:
     [<000000000045bc9d>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
     [<000000000045bc9d>] slab_post_alloc_hook mm/slab.h:439 [inline]
     [<000000000045bc9d>] slab_alloc mm/slab.c:3326 [inline]
     [<000000000045bc9d>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
     [<00000000cc6863ae>] kmalloc include/linux/slab.h:547 [inline]
     [<00000000cc6863ae>] hsr_create_self_node+0x42/0x150 net/hsr/hsr_framereg.c:84
     [<000000000e2bb6b0>] hsr_dev_finalize+0xa4/0x233 net/hsr/hsr_device.c:441
     [<000000003b100a4a>] hsr_newlink+0xf3/0x140 net/hsr/hsr_netlink.c:69
     [<00000000b5efb0eb>] __rtnl_newlink+0x892/0xb30 net/core/rtnetlink.c:3187
     [<00000000ad02cf5e>] rtnl_newlink+0x4e/0x80 net/core/rtnetlink.c:3245
     [<00000000eceb53af>] rtnetlink_rcv_msg+0x178/0x4b0 net/core/rtnetlink.c:5214
     [<00000000140451f6>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2482
     [<00000000237e38f7>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5232
     [<000000000d47c000>] netlink_unicast_kernel net/netlink/af_netlink.c:1307 [inline]
     [<000000000d47c000>] netlink_unicast+0x1ec/0x2d0 net/netlink/af_netlink.c:1333
     [<0000000098503d79>] netlink_sendmsg+0x26a/0x480 net/netlink/af_netlink.c:1922
     [<000000009263e868>] sock_sendmsg_nosec net/socket.c:646 [inline]
     [<000000009263e868>] sock_sendmsg+0x54/0x70 net/socket.c:665
     [<000000007791ad47>] __sys_sendto+0x148/0x1f0 net/socket.c:1958
     [<00000000d6f3807d>] __do_sys_sendto net/socket.c:1970 [inline]
     [<00000000d6f3807d>] __se_sys_sendto net/socket.c:1966 [inline]
     [<00000000d6f3807d>] __x64_sys_sendto+0x2a/0x30 net/socket.c:1966
     [<000000003ba31db7>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
     [<0000000075c8daad>] entry_SYSCALL_64_after_hwframe+0x44/0xa9



Tested on:

commit:         c11fb13a Merge branch 'for-linus' of git://git.kernel.org/..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15c8f3b6a00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=cb38d33cd06d8d48
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
patch:          https://syzkaller.appspot.com/x/patch.diff?x=12477101a00000


^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: memory leak in vhost_net_ioctl
@ 2019-06-14  2:45 Hillf Danton
  2019-06-14  3:04 ` syzbot
  2019-06-14  3:04 ` syzbot
  0 siblings, 2 replies; 22+ messages in thread
From: Hillf Danton @ 2019-06-14  2:45 UTC (permalink / raw)
  To: syzbot
  Cc: xdp-newbies, hdanton, jakub.kicinski, hawk, daniel, mst, netdev,
	john.fastabend, ast, linux-kernel, syzkaller-bugs, kvm, bpf,
	virtualization, davem, dvyukov


Hello Syzbot

On Fri, 14 Jun 2019 02:26:02 +0800 syzbot wrote:
>
> Hello,
>
> syzbot has tested the proposed patch but the reproducer still triggered crash:
> memory leak in vhost_net_ioctl
>
Oh sorry for my poor patch.

> ANGE): hsr_slave_1: link becomes ready
> 2019/06/13 18:24:57 executed programs: 18
> BUG: memory leak
> unreferenced object 0xffff88811cbc6ac0 (size 64):
>    comm "syz-executor.0", pid 7196, jiffies 4294943804 (age 14.770s)
>    hex dump (first 32 bytes):
>      01 00 00 00 81 88 ff ff 00 00 00 00 82 88 ff ff  ................
>      d0 6a bc 1c 81 88 ff ff d0 6a bc 1c 81 88 ff ff  .j.......j......
>    backtrace:
>      [<000000006c752978>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
>      [<000000006c752978>] slab_post_alloc_hook mm/slab.h:439 [inline]
>      [<000000006c752978>] slab_alloc mm/slab.c:3326 [inline]
>      [<000000006c752978>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
>      [<00000000b3825d52>] kmalloc include/linux/slab.h:547 [inline]
>      [<00000000b3825d52>] vhost_net_ubuf_alloc drivers/vhost/net.c:241 [inline]
>      [<00000000b3825d52>] vhost_net_set_backend drivers/vhost/net.c:1535 [inline]
>      [<00000000b3825d52>] vhost_net_ioctl+0xb43/0xc10 drivers/vhost/net.c:1717
>      [<00000000700f02d7>] vfs_ioctl fs/ioctl.c:46 [inline]
>      [<00000000700f02d7>] file_ioctl fs/ioctl.c:509 [inline]
>      [<00000000700f02d7>] do_vfs_ioctl+0x62a/0x810 fs/ioctl.c:696
>      [<000000009a0ec0a7>] ksys_ioctl+0x86/0xb0 fs/ioctl.c:713
>      [<00000000d9416323>] __do_sys_ioctl fs/ioctl.c:720 [inline]
>      [<00000000d9416323>] __se_sys_ioctl fs/ioctl.c:718 [inline]
>      [<00000000d9416323>] __x64_sys_ioctl+0x1e/0x30 fs/ioctl.c:718
>      [<00000000e4407a23>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
>      [<000000008715c149>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> BUG: memory leak
> unreferenced object 0xffff88810b1365c0 (size 64):
>    comm "syz-executor.2", pid 7193, jiffies 4294943823 (age 14.580s)
>    hex dump (first 32 bytes):
>      01 00 00 00 81 88 ff ff 00 00 00 00 81 88 ff ff  ................
>      d0 65 13 0b 81 88 ff ff d0 65 13 0b 81 88 ff ff  .e.......e......
>    backtrace:
>      [<000000006c752978>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
>      [<000000006c752978>] slab_post_alloc_hook mm/slab.h:439 [inline]
>      [<000000006c752978>] slab_alloc mm/slab.c:3326 [inline]
>
>      [<00000000b3825d52>] kmalloc include/linux/slab.h:547 [inline]
>      [<00000000b3825d52>] vhost_net_ubuf_alloc drivers/vhost/net.c:241 [inline]
>      [<00000000b3825d52>] vhost_net_set_backend drivers/vhost/net.c:1535 [inline]
>      [<00000000b3825d52>] vhost_net_ioctl+0xb43/0xc10 drivers/vhost/net.c:1717
>      [<00000000700f02d7>] vfs_ioctl fs/ioctl.c:46 [inline]
>      [<00000000700f02d7>] file_ioctl fs/ioctl.c:509 [inline]
>      [<00000000700f02d7>] do_vfs_ioctl+0x62a/0x810 fs/ioctl.c:696
>      [<000000009a0ec0a7>] ksys_ioctl+0x86/0xb0 fs/ioctl.c:713
>      [<00000000d9416323>] __do_sys_ioctl fs/ioctl.c:720 [inline]
>      [<00000000d9416323>] __se_sys_ioctl fs/ioctl.c:718 [inline]
>      [<00000000d9416323>] __x64_sys_ioctl+0x1e/0x30 fs/ioctl.c:718
>      [<00000000e4407a23>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
>      [<000000008715c149>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> BUG: memory leak
> unreferenced object 0xffff88810be23700 (size 64):
>    comm "syz-executor.3", pid 7194, jiffies 4294943823 (age 14.580s)
>    hex dump (first 32 bytes):
>      01 00 00 00 00 00 00 00 00 00 00 00 00 c9 ff ff  ................
>      10 37 e2 0b 81 88 ff ff 10 37 e2 0b 81 88 ff ff  .7.......7......
>    backtrace:
>      [<000000006c752978>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
>      [<000000006c752978>] slab_post_alloc_hook mm/slab.h:439 [inline]
>      [<000000006c752978>] slab_alloc mm/slab.c:3326 [inline]
>      [<000000006c752978>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
>      [<00000000b3825d52>] kmalloc include/linux/slab.h:547 [inline]
>      [<00000000b3825d52>] vhost_net_ubuf_alloc drivers/vhost/net.c:241 [inline]
>      [<00000000b3825d52>] vhost_net_set_backend drivers/vhost/net.c:1535 [inline]
>      [<00000000b3825d52>] vhost_net_ioctl+0xb43/0xc10 drivers/vhost/net.c:1717
>      [<00000000700f02d7>] vfs_ioctl fs/ioctl.c:46 [inline]
>      [<00000000700f02d7>] file_ioctl fs/ioctl.c:509 [inline]
>      [<00000000700f02d7>] do_vfs_ioctl+0x62a/0x810 fs/ioctl.c:696
>      [<000000009a0ec0a7>] ksys_ioctl+0x86/0xb0 fs/ioctl.c:713
>      [<00000000d9416323>] __do_sys_ioctl fs/ioctl.c:720 [inline]
>      [<00000000d9416323>] __se_sys_ioctl fs/ioctl.c:718 [inline]
>      [<00000000d9416323>] __x64_sys_ioctl+0x1e/0x30 fs/ioctl.c:718
>      [<00000000e4407a23>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
>      [<000000008715c149>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> BUG: memory leak
> unreferenced object 0xffff88810b136500 (size 64):
>    comm "syz-executor.6", pid 7228, jiffies 4294943827 (age 14.540s)
>    hex dump (first 32 bytes):
>      01 00 00 00 20 69 6f 63 00 00 00 00 64 65 76 2f  .... ioc....dev/
>      10 65 13 0b 81 88 ff ff 10 65 13 0b 81 88 ff ff  .e.......e......
>    backtrace:
>      [<000000006c752978>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
>      [<000000006c752978>] slab_post_alloc_hook mm/slab.h:439 [inline]
>      [<000000006c752978>] slab_alloc mm/slab.c:3326 [inline]
>      [<000000006c752978>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
>      [<00000000b3825d52>] kmalloc include/linux/slab.h:547 [inline]
>      [<00000000b3825d52>] vhost_net_ubuf_alloc drivers/vhost/net.c:241 [inline]
>      [<00000000b3825d52>] vhost_net_set_backend drivers/vhost/net.c:1535 [inline]
>      [<00000000b3825d52>] vhost_net_ioctl+0xb43/0xc10 drivers/vhost/net.c:1717
>      [<00000000700f02d7>] vfs_ioctl fs/ioctl.c:46 [inline]
>      [<00000000700f02d7>] file_ioctl fs/ioctl.c:509 [inline]
>      [<00000000700f02d7>] do_vfs_ioctl+0x62a/0x810 fs/ioctl.c:696
>      [<000000009a0ec0a7>] ksys_ioctl+0x86/0xb0 fs/ioctl.c:713
>      [<00000000d9416323>] __do_sys_ioctl fs/ioctl.c:720 [inline]
>      [<00000000d9416323>] __se_sys_ioctl fs/ioctl.c:718 [inline]
>      [<00000000d9416323>] __x64_sys_ioctl+0x1e/0x30 fs/ioctl.c:718
>      [<00000000e4407a23>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
>      [<000000008715c149>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> BUG: memory leak
> unreferenced object 0xffff88810b9cfec0 (size 64):
>    comm "syz-executor.7", pid 7236, jiffies 4294943829 (age 14.520s)
>    hex dump (first 32 bytes):
>      01 00 00 00 20 69 6f 63 00 00 00 00 64 65 76 2f  .... ioc....dev/
>      d0 fe 9c 0b 81 88 ff ff d0 fe 9c 0b 81 88 ff ff  ................
>    backtrace:
>      [<000000006c752978>] kmemleak_alloc_recursive
> include/linux/kmemleak.h:43 [inline]
>      [<000000006c752978>] slab_post_alloc_hook mm/slab.h:439 [inline]
>      [<000000006c752978>] slab_alloc mm/slab.c:3326 [inline]
>      [<000000006c752978>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
>      [<00000000b3825d52>] kmalloc include/linux/slab.h:547 [inline]
>      [<00000000b3825d52>] vhost_net_ubuf_alloc drivers/vhost/net.c:241 [inline]
>      [<00000000b3825d52>] vhost_net_set_backend drivers/vhost/net.c:1535 [inline]
>      [<00000000b3825d52>] vhost_net_ioctl+0xb43/0xc10 drivers/vhost/net.c:1717
>      [<00000000700f02d7>] vfs_ioctl fs/ioctl.c:46 [inline]
>      [<00000000700f02d7>] file_ioctl fs/ioctl.c:509 [inline]
>      [<00000000700f02d7>] do_vfs_ioctl+0x62a/0x810 fs/ioctl.c:696
>      [<000000009a0ec0a7>] ksys_ioctl+0x86/0xb0 fs/ioctl.c:713
>      [<00000000d9416323>] __do_sys_ioctl fs/ioctl.c:720 [inline]
>      [<00000000d9416323>] __se_sys_ioctl fs/ioctl.c:718 [inline]
>      [<00000000d9416323>] __x64_sys_ioctl+0x1e/0x30 fs/ioctl.c:718
>      [<00000000e4407a23>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
>      [<000000008715c149>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> BUG: memory leak
> unreferenced object 0xffff88810b9cd380 (size 64):
>    comm "syz-executor.4", pid 7218, jiffies 4294943834 (age 14.470s)
>    hex dump (first 32 bytes):
>      01 00 00 00 81 88 ff ff 00 00 00 00 81 88 ff ff  ................
>      90 d3 9c 0b 81 88 ff ff 90 d3 9c 0b 81 88 ff ff  ................
>    backtrace:
>      [<000000006c752978>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
>      [<000000006c752978>] slab_post_alloc_hook mm/slab.h:439 [inline]
>      [<000000006c752978>] slab_alloc mm/slab.c:3326 [inline]
>      [<000000006c752978>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
>      [<00000000b3825d52>] kmalloc include/linux/slab.h:547 [inline]
>      [<00000000b3825d52>] vhost_net_ubuf_alloc drivers/vhost/net.c:241 [inline]
>      [<00000000b3825d52>] vhost_net_set_backend drivers/vhost/net.c:1535 [inline]
>      [<00000000b3825d52>] vhost_net_ioctl+0xb43/0xc10 drivers/vhost/net.c:1717
>      [<00000000700f02d7>] vfs_ioctl fs/ioctl.c:46 [inline]
>      [<00000000700f02d7>] file_ioctl fs/ioctl.c:509 [inline]
>      [<00000000700f02d7>] do_vfs_ioctl+0x62a/0x810 fs/ioctl.c:696
>      [<000000009a0ec0a7>] ksys_ioctl+0x86/0xb0 fs/ioctl.c:713
>      [<00000000d9416323>] __do_sys_ioctl fs/ioctl.c:720 [inline]
>      [<00000000d9416323>] __se_sys_ioctl fs/ioctl.c:718 [inline]
>      [<00000000d9416323>] __x64_sys_ioctl+0x1e/0x30 fs/ioctl.c:718
>      [<00000000e4407a23>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
>      [<000000008715c149>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
>
>
> Tested on:
>
> commit:         c11fb13a Merge branch 'for-linus' of git://git.kernel.org/..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=11c6b666a00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=cb38d33cd06d8d48
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> patch:          https://syzkaller.appspot.com/x/patch.diff?x=11ff0de1a00000
>

And I want to try again the following tiny diff made based on the logic:

1_> vhost_net_ubuf_alloc() in the dump info suggests that it is ubuf leak.

2_> commit c38e39c378f4 ("vhost-net: fix use-after-free in vhost_net_flush")
makes vhost_net_flush() no longer release ubuf.

3_> in both the reset_owner and release paths, see vhost_net_reset_owner() and
vhost_net_release() please, vq is reset in the wake of flush:

        vhost_net_flush(n);
        vhost_dev_stop(&n->dev);
        vhost_dev_cleanup(&n->dev);
        vhost_net_vq_reset(n);

4_> the ubufs pointer is cleared in vhost_net_vq_reset()


#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Can you give it a shot please if there is not anything missed in the
above logic?


Thanks
Hillf
------->8---
---
 drivers/vhost/net.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
index 3beb401..87db9b3 100644
--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
@@ -309,6 +309,8 @@ static void vhost_net_vq_reset(struct vhost_net *n)
 	for (i = 0; i < VHOST_NET_VQ_MAX; i++) {
 		n->vqs[i].done_idx = 0;
 		n->vqs[i].upend_idx = 0;
+		if (n->vqs[i].ubufs)
+			vhost_net_ubuf_put_wait_and_free(n->vqs[i].ubufs);
 		n->vqs[i].ubufs = NULL;
 		n->vqs[i].vhost_hlen = 0;
 		n->vqs[i].sock_hlen = 0;
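Review bot: the diff carries no changelog, Fixes: or Reported-by: tag; the reasoning given in the mail (vhost_net_flush() no longer releases ubufs since c38e39c378f4, and vhost_net_vq_reset() is the common tail of both the reset_owner and release paths) is exactly what the commit message should state. On the hunk itself, vhost_net_ubuf_put_wait_and_free() by its name blocks until outstanding references are dropped, and here it runs inside a helper that, by the ordering given above, is reached only after vhost_dev_cleanup(); a one-line comment saying that the preceding vhost_net_flush() has already drained in-flight zerocopy completions would save the next reader from worrying about an unbounded wait at that point. Also only the TX vq ever carries ubufs (the earlier patch in this thread frees n->vqs[VHOST_NET_VQ_TX].ubufs alone), so the NULL test over every vq is correct but worth a word explaining why the loop form was kept.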
--
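To make the ordering argument in the four points above concrete, here is a user-space model of the TX ubufs lifecycle; it is constructed for this page, not code from drivers/vhost/net.c, and everything about the reference counting (the in_flight counter, the vq's reference being handed back after a flush, model_kmalloc/model_kfree standing in for kmemleak, leaked_after_release) is an assumption of the model. It runs the release sequence three ways, unpatched, with the earlier kfree()-after-the-extra-flush patch, and with the diff above, and counts what kmemleak would still see in each case.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define VHOST_NET_VQ_TX  0
#define VHOST_NET_VQ_MAX 2

/* Stand-in for kmemleak (constructed): objects allocated and not yet freed. */
static int live_objects;

static void *model_kmalloc(size_t n) { live_objects++; return calloc(1, n); }
/* Like the kernel's kfree(), a NULL argument is a silent no-op. */
static void model_kfree(void *p) { if (p) { live_objects--; free(p); } }

struct vhost_net_ubuf_ref {
	int refcount;   /* 1 held by the vq, plus 1 per in-flight zerocopy skb */
	int in_flight;  /* constructed: completions not yet delivered */
};

struct vhost_net_virtqueue { struct vhost_net_ubuf_ref *ubufs; };
struct vhost_net { struct vhost_net_virtqueue vqs[VHOST_NET_VQ_MAX]; };

/* VHOST_NET_SET_BACKEND: the kmalloc() the syzbot backtrace points at, plus
 * (constructed) a few zerocopy skbs in flight, each holding a reference. */
static void vhost_net_set_backend(struct vhost_net *n, int skbs_in_flight)
{
	struct vhost_net_ubuf_ref *u = model_kmalloc(sizeof(*u));
	u->refcount = 1 + skbs_in_flight;
	u->in_flight = skbs_in_flight;
	n->vqs[VHOST_NET_VQ_TX].ubufs = u;
}

/* Drop the vq's ref and wait for the callbacks; the kernel blocks in a
 * wait_event(), the model drains synchronously.  The object is NOT freed. */
static void vhost_net_ubuf_put_and_wait(struct vhost_net_ubuf_ref *u)
{
	u->refcount--;
	while (u->in_flight > 0) {	/* vhost_zerocopy_callback() firing */
		u->in_flight--;
		u->refcount--;
	}
}

static void vhost_net_ubuf_put_wait_and_free(struct vhost_net_ubuf_ref *u)
{
	vhost_net_ubuf_put_and_wait(u);
	model_kfree(u);
}

/* vhost_net_flush(): wait for DMAs but keep ubufs alive for further use
 * (model assumption: the vq's reference is handed back afterwards). */
static void vhost_net_flush(struct vhost_net *n)
{
	struct vhost_net_ubuf_ref *u = n->vqs[VHOST_NET_VQ_TX].ubufs;
	if (u) {
		vhost_net_ubuf_put_and_wait(u);
		u->refcount = 1;
	}
}

/* vhost_net_vq_reset(); with release_ubufs set it is the diff above. */
static void vhost_net_vq_reset(struct vhost_net *n, bool release_ubufs)
{
	for (int i = 0; i < VHOST_NET_VQ_MAX; i++) {
		if (release_ubufs && n->vqs[i].ubufs)
			vhost_net_ubuf_put_wait_and_free(n->vqs[i].ubufs);
		n->vqs[i].ubufs = NULL;
	}
}

enum release_variant {
	RELEASE_UPSTREAM,		/* pointer cleared, nothing freed */
	RELEASE_KFREE_AFTER_FLUSH,	/* first patch in this thread */
	RELEASE_PUT_IN_RESET,		/* second patch in this thread */
};

/* Run the release path in the order the thread lists (flush, cleanup,
 * vq_reset, extra flush); returns what kmemleak would still report. */
static int leaked_after_release(enum release_variant v)
{
	struct vhost_net n;

	memset(&n, 0, sizeof(n));
	live_objects = 0;
	vhost_net_set_backend(&n, 3);

	vhost_net_flush(&n);
	vhost_net_vq_reset(&n, v == RELEASE_PUT_IN_RESET);
	vhost_net_flush(&n);	/* "extra flush before freeing memory" */
	if (v == RELEASE_KFREE_AFTER_FLUSH)	/* ubufs is already NULL here */
		model_kfree(n.vqs[VHOST_NET_VQ_TX].ubufs);
	return live_objects;
}
```

The kfree() variant leaks exactly like the unpatched path because vq_reset has already cleared the pointer by the time it runs; only releasing before the pointer is cleared brings the count to zero.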


* Re: memory leak in vhost_net_ioctl
  2019-06-13 14:55   ` Dmitry Vyukov
@ 2019-06-13 18:26   ` syzbot
From: syzbot @ 2019-06-13 18:26 UTC (permalink / raw)
  To: asias, ast, bpf, daniel, davem, dvyukov, hawk, hdanton,
	jakub.kicinski, jasowang, john.fastabend, kvm, linux-kernel, mst,
	netdev, syzkaller-bugs, virtualization, xdp-newbies

Hello,

syzbot has tested the proposed patch but the reproducer still triggered a crash:
memory leak in vhost_net_ioctl

ANGE): hsr_slave_1: link becomes ready
2019/06/13 18:24:57 executed programs: 18
BUG: memory leak
unreferenced object 0xffff88811cbc6ac0 (size 64):
   comm "syz-executor.0", pid 7196, jiffies 4294943804 (age 14.770s)
   hex dump (first 32 bytes):
     01 00 00 00 81 88 ff ff 00 00 00 00 82 88 ff ff  ................
     d0 6a bc 1c 81 88 ff ff d0 6a bc 1c 81 88 ff ff  .j.......j......
   backtrace:
     [<000000006c752978>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
     [<000000006c752978>] slab_post_alloc_hook mm/slab.h:439 [inline]
     [<000000006c752978>] slab_alloc mm/slab.c:3326 [inline]
     [<000000006c752978>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
     [<00000000b3825d52>] kmalloc include/linux/slab.h:547 [inline]
     [<00000000b3825d52>] vhost_net_ubuf_alloc drivers/vhost/net.c:241 [inline]
     [<00000000b3825d52>] vhost_net_set_backend drivers/vhost/net.c:1535 [inline]
     [<00000000b3825d52>] vhost_net_ioctl+0xb43/0xc10 drivers/vhost/net.c:1717
     [<00000000700f02d7>] vfs_ioctl fs/ioctl.c:46 [inline]
     [<00000000700f02d7>] file_ioctl fs/ioctl.c:509 [inline]
     [<00000000700f02d7>] do_vfs_ioctl+0x62a/0x810 fs/ioctl.c:696
     [<000000009a0ec0a7>] ksys_ioctl+0x86/0xb0 fs/ioctl.c:713
     [<00000000d9416323>] __do_sys_ioctl fs/ioctl.c:720 [inline]
     [<00000000d9416323>] __se_sys_ioctl fs/ioctl.c:718 [inline]
     [<00000000d9416323>] __x64_sys_ioctl+0x1e/0x30 fs/ioctl.c:718
     [<00000000e4407a23>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
     [<000000008715c149>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88810b1365c0 (size 64):
   comm "syz-executor.2", pid 7193, jiffies 4294943823 (age 14.580s)
   hex dump (first 32 bytes):
     01 00 00 00 81 88 ff ff 00 00 00 00 81 88 ff ff  ................
     d0 65 13 0b 81 88 ff ff d0 65 13 0b 81 88 ff ff  .e.......e......
   backtrace:
     [<000000006c752978>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
     [<000000006c752978>] slab_post_alloc_hook mm/slab.h:439 [inline]
     [<000000006c752978>] slab_alloc mm/slab.c:3326 [inline]
     [<000000006c752978>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
     [<00000000b3825d52>] kmalloc include/linux/slab.h:547 [inline]
     [<00000000b3825d52>] vhost_net_ubuf_alloc drivers/vhost/net.c:241 [inline]
     [<00000000b3825d52>] vhost_net_set_backend drivers/vhost/net.c:1535 [inline]
     [<00000000b3825d52>] vhost_net_ioctl+0xb43/0xc10 drivers/vhost/net.c:1717
     [<00000000700f02d7>] vfs_ioctl fs/ioctl.c:46 [inline]
     [<00000000700f02d7>] file_ioctl fs/ioctl.c:509 [inline]
     [<00000000700f02d7>] do_vfs_ioctl+0x62a/0x810 fs/ioctl.c:696
     [<000000009a0ec0a7>] ksys_ioctl+0x86/0xb0 fs/ioctl.c:713
     [<00000000d9416323>] __do_sys_ioctl fs/ioctl.c:720 [inline]
     [<00000000d9416323>] __se_sys_ioctl fs/ioctl.c:718 [inline]
     [<00000000d9416323>] __x64_sys_ioctl+0x1e/0x30 fs/ioctl.c:718
     [<00000000e4407a23>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
     [<000000008715c149>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88810be23700 (size 64):
   comm "syz-executor.3", pid 7194, jiffies 4294943823 (age 14.580s)
   hex dump (first 32 bytes):
     01 00 00 00 00 00 00 00 00 00 00 00 00 c9 ff ff  ................
     10 37 e2 0b 81 88 ff ff 10 37 e2 0b 81 88 ff ff  .7.......7......
   backtrace:
     [<000000006c752978>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
     [<000000006c752978>] slab_post_alloc_hook mm/slab.h:439 [inline]
     [<000000006c752978>] slab_alloc mm/slab.c:3326 [inline]
     [<000000006c752978>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
     [<00000000b3825d52>] kmalloc include/linux/slab.h:547 [inline]
     [<00000000b3825d52>] vhost_net_ubuf_alloc drivers/vhost/net.c:241 [inline]
     [<00000000b3825d52>] vhost_net_set_backend drivers/vhost/net.c:1535 [inline]
     [<00000000b3825d52>] vhost_net_ioctl+0xb43/0xc10 drivers/vhost/net.c:1717
     [<00000000700f02d7>] vfs_ioctl fs/ioctl.c:46 [inline]
     [<00000000700f02d7>] file_ioctl fs/ioctl.c:509 [inline]
     [<00000000700f02d7>] do_vfs_ioctl+0x62a/0x810 fs/ioctl.c:696
     [<000000009a0ec0a7>] ksys_ioctl+0x86/0xb0 fs/ioctl.c:713
     [<00000000d9416323>] __do_sys_ioctl fs/ioctl.c:720 [inline]
     [<00000000d9416323>] __se_sys_ioctl fs/ioctl.c:718 [inline]
     [<00000000d9416323>] __x64_sys_ioctl+0x1e/0x30 fs/ioctl.c:718
     [<00000000e4407a23>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
     [<000000008715c149>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88810b136500 (size 64):
   comm "syz-executor.6", pid 7228, jiffies 4294943827 (age 14.540s)
   hex dump (first 32 bytes):
     01 00 00 00 20 69 6f 63 00 00 00 00 64 65 76 2f  .... ioc....dev/
     10 65 13 0b 81 88 ff ff 10 65 13 0b 81 88 ff ff  .e.......e......
   backtrace:
     [<000000006c752978>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
     [<000000006c752978>] slab_post_alloc_hook mm/slab.h:439 [inline]
     [<000000006c752978>] slab_alloc mm/slab.c:3326 [inline]
     [<000000006c752978>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
     [<00000000b3825d52>] kmalloc include/linux/slab.h:547 [inline]
     [<00000000b3825d52>] vhost_net_ubuf_alloc drivers/vhost/net.c:241 [inline]
     [<00000000b3825d52>] vhost_net_set_backend drivers/vhost/net.c:1535 [inline]
     [<00000000b3825d52>] vhost_net_ioctl+0xb43/0xc10 drivers/vhost/net.c:1717
     [<00000000700f02d7>] vfs_ioctl fs/ioctl.c:46 [inline]
     [<00000000700f02d7>] file_ioctl fs/ioctl.c:509 [inline]
     [<00000000700f02d7>] do_vfs_ioctl+0x62a/0x810 fs/ioctl.c:696
     [<000000009a0ec0a7>] ksys_ioctl+0x86/0xb0 fs/ioctl.c:713
     [<00000000d9416323>] __do_sys_ioctl fs/ioctl.c:720 [inline]
     [<00000000d9416323>] __se_sys_ioctl fs/ioctl.c:718 [inline]
     [<00000000d9416323>] __x64_sys_ioctl+0x1e/0x30 fs/ioctl.c:718
     [<00000000e4407a23>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
     [<000000008715c149>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88810b9cfec0 (size 64):
   comm "syz-executor.7", pid 7236, jiffies 4294943829 (age 14.520s)
   hex dump (first 32 bytes):
     01 00 00 00 20 69 6f 63 00 00 00 00 64 65 76 2f  .... ioc....dev/
     d0 fe 9c 0b 81 88 ff ff d0 fe 9c 0b 81 88 ff ff  ................
   backtrace:
     [<000000006c752978>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
     [<000000006c752978>] slab_post_alloc_hook mm/slab.h:439 [inline]
     [<000000006c752978>] slab_alloc mm/slab.c:3326 [inline]
     [<000000006c752978>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
     [<00000000b3825d52>] kmalloc include/linux/slab.h:547 [inline]
     [<00000000b3825d52>] vhost_net_ubuf_alloc drivers/vhost/net.c:241 [inline]
     [<00000000b3825d52>] vhost_net_set_backend drivers/vhost/net.c:1535 [inline]
     [<00000000b3825d52>] vhost_net_ioctl+0xb43/0xc10 drivers/vhost/net.c:1717
     [<00000000700f02d7>] vfs_ioctl fs/ioctl.c:46 [inline]
     [<00000000700f02d7>] file_ioctl fs/ioctl.c:509 [inline]
     [<00000000700f02d7>] do_vfs_ioctl+0x62a/0x810 fs/ioctl.c:696
     [<000000009a0ec0a7>] ksys_ioctl+0x86/0xb0 fs/ioctl.c:713
     [<00000000d9416323>] __do_sys_ioctl fs/ioctl.c:720 [inline]
     [<00000000d9416323>] __se_sys_ioctl fs/ioctl.c:718 [inline]
     [<00000000d9416323>] __x64_sys_ioctl+0x1e/0x30 fs/ioctl.c:718
     [<00000000e4407a23>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
     [<000000008715c149>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88810b9cd380 (size 64):
   comm "syz-executor.4", pid 7218, jiffies 4294943834 (age 14.470s)
   hex dump (first 32 bytes):
     01 00 00 00 81 88 ff ff 00 00 00 00 81 88 ff ff  ................
     90 d3 9c 0b 81 88 ff ff 90 d3 9c 0b 81 88 ff ff  ................
   backtrace:
     [<000000006c752978>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
     [<000000006c752978>] slab_post_alloc_hook mm/slab.h:439 [inline]
     [<000000006c752978>] slab_alloc mm/slab.c:3326 [inline]
     [<000000006c752978>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
     [<00000000b3825d52>] kmalloc include/linux/slab.h:547 [inline]
     [<00000000b3825d52>] vhost_net_ubuf_alloc drivers/vhost/net.c:241 [inline]
     [<00000000b3825d52>] vhost_net_set_backend drivers/vhost/net.c:1535 [inline]
     [<00000000b3825d52>] vhost_net_ioctl+0xb43/0xc10 drivers/vhost/net.c:1717
     [<00000000700f02d7>] vfs_ioctl fs/ioctl.c:46 [inline]
     [<00000000700f02d7>] file_ioctl fs/ioctl.c:509 [inline]
     [<00000000700f02d7>] do_vfs_ioctl+0x62a/0x810 fs/ioctl.c:696
     [<000000009a0ec0a7>] ksys_ioctl+0x86/0xb0 fs/ioctl.c:713
     [<00000000d9416323>] __do_sys_ioctl fs/ioctl.c:720 [inline]
     [<00000000d9416323>] __se_sys_ioctl fs/ioctl.c:718 [inline]
     [<00000000d9416323>] __x64_sys_ioctl+0x1e/0x30 fs/ioctl.c:718
     [<00000000e4407a23>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
     [<000000008715c149>] entry_SYSCALL_64_after_hwframe+0x44/0xa9



Tested on:

commit:         c11fb13a Merge branch 'for-linus' of git://git.kernel.org/..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11c6b666a00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=cb38d33cd06d8d48
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
patch:          https://syzkaller.appspot.com/x/patch.diff?x=11ff0de1a00000



* Re: memory leak in vhost_net_ioctl
  2019-06-13 14:15 Hillf Danton
@ 2019-06-13 14:55   ` Dmitry Vyukov
From: Dmitry Vyukov @ 2019-06-13 14:55 UTC (permalink / raw)
  To: Hillf Danton
  Cc: Michael S. Tsirkin, Jason Wang, syzbot, ast, bpf, daniel, davem,
	hawk, jakub.kicinski, john.fastabend, kvm, linux-kernel, netdev,
	syzkaller-bugs, virtualization, xdp-newbies, Asias He

[-- Attachment #1: Type: text/plain, Size: 6947 bytes --]

On Thu, Jun 13, 2019 at 4:15 PM Hillf Danton <hdanton@sina.com> wrote:
>
>
> Hello Dmitry
>
> On Thu, 13 Jun 2019 20:12:06 +0800 Dmitry Vyukov wrote:
> > On Thu, Jun 13, 2019 at 2:07 PM Hillf Danton <hdanton@sina.com> wrote:
> > >
> > > Hello Jason
> > >
> > > On Thu, 13 Jun 2019 17:10:39 +0800 Jason Wang wrote:
> > > >
> > > > This is basically a kfree(ubuf) after the second vhost_net_flush() in
> > > > vhost_net_release().
> > > >
> > > Fairly good catch.
> > >
> > > > Could you please post a formal patch?
> > > >
> > > I'd like very much to do that; but I won't, I am afraid, until I collect a
> > > Tested-by because of reproducer without a cutting edge.
> >
> > You can easily collect Tested-by from syzbot for any bug with a reproducer;)
> > https://github.com/google/syzkaller/blob/master/docs/syzbot.md#testing-patches
> >
> Thank you for the light you are casting.

:)

But you did not ask syzbot to test. That would be something like this
(keeping syzbot email in CC):

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
master

(I've attached the patch because my email client is incapable of
sending non-corrupted patches inline, but otherwise inline patches
should work too).


> Here it goes.
> --->8--------
> From: Hillf Danton <hdanton@sina.com>
> Subject: [PATCH] vhost: fix memory leak in vhost_net_release
>
> syzbot found the following crash on:
>
> HEAD commit:    788a0249 Merge tag 'arc-5.2-rc4' of git://git.kernel.org/p..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=15dc9ea6a00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=d5c73825cbdc7326
> dashboard link: https://syzkaller.appspot.com/bug?extid=0789f0c7e45efd7bb643
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10b31761a00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=124892c1a00000
>
>
> udit: type=1400 audit(1559768703.229:36): avc:  denied  { map } for
> pid=7116 comm="syz-executor330" path="/root/syz-executor330334897"
> dev="sda1" ino=16461 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
> executing program
> executing program
>
> BUG: memory leak
> unreferenced object 0xffff88812421fe40 (size 64):
>    comm "syz-executor330", pid 7117, jiffies 4294949245 (age 13.030s)
>    hex dump (first 32 bytes):
>      01 00 00 00 20 69 6f 63 00 00 00 00 64 65 76 2f  .... ioc....dev/
>      50 fe 21 24 81 88 ff ff 50 fe 21 24 81 88 ff ff  P.!$....P.!$....
>    backtrace:
>      [<00000000ae0c4ae0>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
>      [<00000000ae0c4ae0>] slab_post_alloc_hook mm/slab.h:439 [inline]
>      [<00000000ae0c4ae0>] slab_alloc mm/slab.c:3326 [inline]
>      [<00000000ae0c4ae0>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
>      [<0000000079ebab38>] kmalloc include/linux/slab.h:547 [inline]
>      [<0000000079ebab38>] vhost_net_ubuf_alloc drivers/vhost/net.c:241 [inline]
>      [<0000000079ebab38>] vhost_net_set_backend drivers/vhost/net.c:1534 [inline]
>      [<0000000079ebab38>] vhost_net_ioctl+0xb43/0xc10 drivers/vhost/net.c:1716
>      [<000000009f6204a2>] vfs_ioctl fs/ioctl.c:46 [inline]
>      [<000000009f6204a2>] file_ioctl fs/ioctl.c:509 [inline]
>      [<000000009f6204a2>] do_vfs_ioctl+0x62a/0x810 fs/ioctl.c:696
>      [<00000000b45866de>] ksys_ioctl+0x86/0xb0 fs/ioctl.c:713
>      [<00000000dfb41eb8>] __do_sys_ioctl fs/ioctl.c:720 [inline]
>      [<00000000dfb41eb8>] __se_sys_ioctl fs/ioctl.c:718 [inline]
>      [<00000000dfb41eb8>] __x64_sys_ioctl+0x1e/0x30 fs/ioctl.c:718
>      [<0000000049c1f547>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
>      [<0000000029cc8ca7>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> BUG: memory leak
> unreferenced object 0xffff88812421fa80 (size 64):
>    comm "syz-executor330", pid 7130, jiffies 4294949755 (age 7.930s)
>    hex dump (first 32 bytes):
>      01 00 00 00 01 00 00 00 00 00 00 00 2f 76 69 72  ............/vir
>      90 fa 21 24 81 88 ff ff 90 fa 21 24 81 88 ff ff  ..!$......!$....
>    backtrace:
>      [<00000000ae0c4ae0>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
>      [<00000000ae0c4ae0>] slab_post_alloc_hook mm/slab.h:439 [inline]
>      [<00000000ae0c4ae0>] slab_alloc mm/slab.c:3326 [inline]
>      [<00000000ae0c4ae0>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
>      [<0000000079ebab38>] kmalloc include/linux/slab.h:547 [inline]
>      [<0000000079ebab38>] vhost_net_ubuf_alloc drivers/vhost/net.c:241 [inline]
>      [<0000000079ebab38>] vhost_net_set_backend drivers/vhost/net.c:1534 [inline]
>      [<0000000079ebab38>] vhost_net_ioctl+0xb43/0xc10 drivers/vhost/net.c:1716
>      [<000000009f6204a2>] vfs_ioctl fs/ioctl.c:46 [inline]
>      [<000000009f6204a2>] file_ioctl fs/ioctl.c:509 [inline]
>      [<000000009f6204a2>] do_vfs_ioctl+0x62a/0x810 fs/ioctl.c:696
>      [<00000000b45866de>] ksys_ioctl+0x86/0xb0 fs/ioctl.c:713
>      [<00000000dfb41eb8>] __do_sys_ioctl fs/ioctl.c:720 [inline]
>      [<00000000dfb41eb8>] __se_sys_ioctl fs/ioctl.c:718 [inline]
>      [<00000000dfb41eb8>] __x64_sys_ioctl+0x1e/0x30 fs/ioctl.c:718
>      [<0000000049c1f547>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
>      [<0000000029cc8ca7>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> End of syzbot report.
>
> The function vhost_net_ubuf_alloc() appears in the two cases of dump info, for
> pid 7130 and 7117, suggesting that it is a ubuf leak.
>
> Since commit c38e39c378f4 ("vhost-net: fix use-after-free in vhost_net_flush")
> the function vhost_net_flush() has no longer been releasing ubuf.
>
> Freeing the slab after the last flush in the release path fixes it.
>
>
> Fixes: c38e39c378f4 ("vhost-net: fix use-after-free in vhost_net_flush")
> Reported-by: Syzbot <syzbot+0789f0c7e45efd7bb643@syzkaller.appspotmail.com>
> Suggested-by: Jason Wang <jasowang@redhat.com>
> Cc: Dmitry Vyukov <dvyukov@google.com>
> Cc: Asias He <asias@redhat.com>
> Signed-off-by: Hillf Danton <hdanton@sina.com>
> ---
> This is sent only for collecting Tested-by.
>
>  drivers/vhost/net.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
> index 3beb401..22fae0a 100644
> --- a/drivers/vhost/net.c
> +++ b/drivers/vhost/net.c
> @@ -1404,6 +1404,7 @@ static int vhost_net_release(struct inode *inode, struct file *f)
>         /* We do an extra flush before freeing memory,
>          * since jobs can re-queue themselves. */
>         vhost_net_flush(n);
> +       kfree(n->vqs[VHOST_NET_VQ_TX].ubufs);
>         kfree(n->vqs[VHOST_NET_VQ_RX].rxq.queue);
>         kfree(n->vqs[VHOST_NET_VQ_TX].xdp);
>         kfree(n->dev.vqs);
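Review bot: the placement makes the new line a kfree(NULL): the context comment marks this as the extra flush that runs last in vhost_net_release(), after vhost_net_vq_reset() (the ordering flush, dev_stop, dev_cleanup, vq_reset is spelled out elsewhere in this thread), and vq_reset sets n->vqs[i].ubufs to NULL, so nothing is freed here, which is consistent with syzbot still reporting the leak with this patch applied. The release has to happen before the pointer is cleared, and it should go through the driver's refcount-aware vhost_net_ubuf_put_wait_and_free() rather than a bare kfree(), since zerocopy completions may still hold a reference to the object at that point.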
> --
>

[-- Attachment #2: patch --]
[-- Type: application/octet-stream, Size: 486 bytes --]

diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
index 3beb401..22fae0a 100644
--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
@@ -1404,6 +1404,7 @@ static int vhost_net_release(struct inode *inode, struct file *f)
 	/* We do an extra flush before freeing memory,
 	 * since jobs can re-queue themselves. */
 	vhost_net_flush(n);
+	kfree(n->vqs[VHOST_NET_VQ_TX].ubufs);
 	kfree(n->vqs[VHOST_NET_VQ_RX].rxq.queue);
 	kfree(n->vqs[VHOST_NET_VQ_TX].xdp);
 	kfree(n->dev.vqs);
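Review bot: a bare kfree() of n->vqs[VHOST_NET_VQ_TX].ubufs bypasses the reference count that in-flight zerocopy skbs hold on the ubufs object; vhost_net_ubuf_put_wait_and_free(), the helper used in the follow-up diff in this thread, waits for those references first and is the primitive to use here. The attached patch is byte-for-byte the one quoted above, so it also shares the ordering problem: by this second flush the pointer has already been cleared by vhost_net_vq_reset(), and the added line frees NULL.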
--

^ permalink raw reply related	[flat|nested] 22+ messages in thread

* Re: memory leak in vhost_net_ioctl
@ 2019-06-13 14:55   ` Dmitry Vyukov
  0 siblings, 0 replies; 22+ messages in thread
From: Dmitry Vyukov @ 2019-06-13 14:55 UTC (permalink / raw)
  To: Hillf Danton
  Cc: Michael S. Tsirkin, Jason Wang, syzbot, ast, bpf, daniel, davem,
	hawk, jakub.kicinski, john.fastabend, kvm, linux-kernel, netdev,
	syzkaller-bugs, virtualization, xdp-newbies, Asias He

[-- Attachment #1: Type: text/plain, Size: 6947 bytes --]

On Thu, Jun 13, 2019 at 4:15 PM Hillf Danton <hdanton@sina.com> wrote:
>
>
> Hello Dmitry
>
> On Thu, 13 Jun 2019 20:12:06 +0800 Dmitry Vyukov wrote:
> > On Thu, Jun 13, 2019 at 2:07 PM Hillf Danton <hdanton@sina.com> wrote:
> > >
> > > Hello Jason
> > >
> > > On Thu, 13 Jun 2019 17:10:39 +0800 Jason Wang wrote:
> > > >
> > > > This is basically a kfree(ubuf) after the second vhost_net_flush() in
> > > > vhost_net_release().
> > > >
> > > Fairly good catch.
> > >
> > > > Could you please post a formal patch?
> > > >
> > > I'd like very much to do that; but I wont, I am afraid, until I collect a
> > > Tested-by because of reproducer without a cutting edge.
> >
> > You can easily collect Tested-by from syzbot for any bug with a reproducer;)
> > https://github.com/google/syzkaller/blob/master/docs/syzbot.md#testing-patches
> >
> Thank you for the light you are casting.

:)

But you did not ask syzbot to test. That would be something like this
(keeping syzbot email in CC):

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
master

(I've attached the patch because my email client is incapable of
sending non-corrupted patches inline, but otherwise inline patches
should work too).


> Here it goes.
> --->8--------
> From: Hillf Danton <hdanton@sina.com>
> Subject: [PATCH] vhost: fix memory leak in vhost_net_release
>
> syzbot found the following crash on:
>
> HEAD commit:    788a0249 Merge tag 'arc-5.2-rc4' of git://git.kernel.org/p..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=15dc9ea6a00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=d5c73825cbdc7326
> dashboard link: https://syzkaller.appspot.com/bug?extid=0789f0c7e45efd7bb643
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10b31761a00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=124892c1a00000
>
>
> udit: type=1400 audit(1559768703.229:36): avc:  denied  { map } for
> pid=7116 comm="syz-executor330" path="/root/syz-executor330334897"
> dev="sda1" ino=16461 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
> executing program
> executing program
>
> BUG: memory leak
> unreferenced object 0xffff88812421fe40 (size 64):
>    comm "syz-executor330", pid 7117, jiffies 4294949245 (age 13.030s)
>    hex dump (first 32 bytes):
>      01 00 00 00 20 69 6f 63 00 00 00 00 64 65 76 2f  .... ioc....dev/
>      50 fe 21 24 81 88 ff ff 50 fe 21 24 81 88 ff ff  P.!$....P.!$....
>    backtrace:
>      [<00000000ae0c4ae0>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
>      [<00000000ae0c4ae0>] slab_post_alloc_hook mm/slab.h:439 [inline]
>      [<00000000ae0c4ae0>] slab_alloc mm/slab.c:3326 [inline]
>      [<00000000ae0c4ae0>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
>      [<0000000079ebab38>] kmalloc include/linux/slab.h:547 [inline]
>      [<0000000079ebab38>] vhost_net_ubuf_alloc drivers/vhost/net.c:241 [inline]
>      [<0000000079ebab38>] vhost_net_set_backend drivers/vhost/net.c:1534 [inline]
>      [<0000000079ebab38>] vhost_net_ioctl+0xb43/0xc10 drivers/vhost/net.c:1716
>      [<000000009f6204a2>] vfs_ioctl fs/ioctl.c:46 [inline]
>      [<000000009f6204a2>] file_ioctl fs/ioctl.c:509 [inline]
>      [<000000009f6204a2>] do_vfs_ioctl+0x62a/0x810 fs/ioctl.c:696
>      [<00000000b45866de>] ksys_ioctl+0x86/0xb0 fs/ioctl.c:713
>      [<00000000dfb41eb8>] __do_sys_ioctl fs/ioctl.c:720 [inline]
>      [<00000000dfb41eb8>] __se_sys_ioctl fs/ioctl.c:718 [inline]
>      [<00000000dfb41eb8>] __x64_sys_ioctl+0x1e/0x30 fs/ioctl.c:718
>      [<0000000049c1f547>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
>      [<0000000029cc8ca7>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> BUG: memory leak
> unreferenced object 0xffff88812421fa80 (size 64):
>    comm "syz-executor330", pid 7130, jiffies 4294949755 (age 7.930s)
>    hex dump (first 32 bytes):
>      01 00 00 00 01 00 00 00 00 00 00 00 2f 76 69 72  ............/vir
>      90 fa 21 24 81 88 ff ff 90 fa 21 24 81 88 ff ff  ..!$......!$....
>    backtrace:
>      [<00000000ae0c4ae0>] kmemleak_alloc_recursive  include/linux/kmemleak.h:55 [inline]
>      [<00000000ae0c4ae0>] slab_post_alloc_hook mm/slab.h:439 [inline]
>      [<00000000ae0c4ae0>] slab_alloc mm/slab.c:3326 [inline]
>      [<00000000ae0c4ae0>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
>      [<0000000079ebab38>] kmalloc include/linux/slab.h:547 [inline]
>      [<0000000079ebab38>] vhost_net_ubuf_alloc drivers/vhost/net.c:241  [inline]
>      [<0000000079ebab38>] vhost_net_set_backend drivers/vhost/net.c:1534  [inline]
>      [<0000000079ebab38>] vhost_net_ioctl+0xb43/0xc10  drivers/vhost/net.c:1716
>      [<000000009f6204a2>] vfs_ioctl fs/ioctl.c:46 [inline]
>      [<000000009f6204a2>] file_ioctl fs/ioctl.c:509 [inline]
>      [<000000009f6204a2>] do_vfs_ioctl+0x62a/0x810 fs/ioctl.c:696
>      [<00000000b45866de>] ksys_ioctl+0x86/0xb0 fs/ioctl.c:713
>      [<00000000dfb41eb8>] __do_sys_ioctl fs/ioctl.c:720 [inline]
>      [<00000000dfb41eb8>] __se_sys_ioctl fs/ioctl.c:718 [inline]
>      [<00000000dfb41eb8>] __x64_sys_ioctl+0x1e/0x30 fs/ioctl.c:718
>      [<0000000049c1f547>] do_syscall_64+0x76/0x1a0  arch/x86/entry/common.c:301
>      [<0000000029cc8ca7>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> End of syzbot report.
>
> The function vhost_net_ubuf_alloc() appears in the two cases of dump info, for
> pid 7130 and 7117, suggesting that it is a ubuf leak.
>
> Since commit c38e39c378f4 ("vhost-net: fix use-after-free in vhost_net_flush")
> the function vhost_net_flush() has no longer been releasing ubuf.
>
> Freeing the slab after the last flush in the release path fixes it.
>
>
> Fixes: c38e39c378f4 ("vhost-net: fix use-after-free in vhost_net_flush")
> Reported-by: Syzbot <syzbot+0789f0c7e45efd7bb643@syzkaller.appspotmail.com>
> Suggested-by: Jason Wang <jasowang@redhat.com>
> Cc: Dmitry Vyukov <dvyukov@google.com>
> Cc: Asias He <asias@redhat.com>
> Signed-off-by: Hillf Danton <hdanton@sina.com>
> ---
> This is sent only for collecting Tested-by.
>
>  drivers/vhost/net.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
> index 3beb401..22fae0a 100644
> --- a/drivers/vhost/net.c
> +++ b/drivers/vhost/net.c
> @@ -1404,6 +1404,7 @@ static int vhost_net_release(struct inode *inode, struct file *f)
>         /* We do an extra flush before freeing memory,
>          * since jobs can re-queue themselves. */
>         vhost_net_flush(n);
> +       kfree(n->vqs[VHOST_NET_VQ_TX].ubufs);
>         kfree(n->vqs[VHOST_NET_VQ_RX].rxq.queue);
>         kfree(n->vqs[VHOST_NET_VQ_TX].xdp);
>         kfree(n->dev.vqs);
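Review bot: the added kfree() is a bare free of an object the driver otherwise manages by reference count; Hillf's earlier diff in this thread shows that vhost_net_flush() ends with atomic_set(&n->vqs[VHOST_NET_VQ_TX].ubufs->refcount, 1), so the object freed here has just had its refcount re-armed and is only safe to free because release is the last user. Either add a comment stating that invariant above the kfree(), or free through the vhost_net_ubuf_put_wait_and_free() helper that the earlier diff calls, so that the free stays next to the refcount logic instead of being open-coded in the release path.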
> --
>

[-- Attachment #2: patch --]
[-- Type: application/octet-stream, Size: 486 bytes --]

diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
index 3beb401..22fae0a 100644
--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
@@ -1404,6 +1404,7 @@ static int vhost_net_release(struct inode *inode, struct file *f)
 	/* We do an extra flush before freeing memory,
 	 * since jobs can re-queue themselves. */
 	vhost_net_flush(n);
+	kfree(n->vqs[VHOST_NET_VQ_TX].ubufs);
 	kfree(n->vqs[VHOST_NET_VQ_RX].rxq.queue);
 	kfree(n->vqs[VHOST_NET_VQ_TX].xdp);
 	kfree(n->dev.vqs);
--

^ permalink raw reply related	[flat|nested] 22+ messages in thread

* Re: memory leak in vhost_net_ioctl
@ 2019-06-13 14:15 Hillf Danton
  2019-06-13 14:55   ` Dmitry Vyukov
  0 siblings, 1 reply; 22+ messages in thread
From: Hillf Danton @ 2019-06-13 14:15 UTC (permalink / raw)
  To: Dmitry Vyukov
  Cc: xdp-newbies, Hillf Danton, jakub.kicinski, hawk, daniel,
	Michael S. Tsirkin, syzbot, netdev, john.fastabend, ast,
	linux-kernel, syzkaller-bugs, Asias He, kvm, bpf, virtualization,
	davem

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset="utf-8", Size: 6086 bytes --]


Hello Dmitry

On Thu, 13 Jun 2019 20:12:06 +0800 Dmitry Vyukov wrote:
> On Thu, Jun 13, 2019 at 2:07 PM Hillf Danton <hdanton@sina.com> wrote:
> >
> > Hello Jason
> >
> > On Thu, 13 Jun 2019 17:10:39 +0800 Jason Wang wrote:
> > >
> > > This is basically a kfree(ubuf) after the second vhost_net_flush() in
> > > vhost_net_release().
> > >
> > Fairly good catch.
> >
> > > Could you please post a formal patch?
> > >
> > I'd like very much to do that; but I won't, I am afraid, until I collect a
> > Tested-by because of reproducer without a cutting edge.
>
> You can easily collect Tested-by from syzbot for any bug with a reproducer;)
> https://github.com/google/syzkaller/blob/master/docs/syzbot.md#testing-patches
>
Thank you for the light you are casting.

Here it goes.
--->8--------
From: Hillf Danton <hdanton@sina.com>
Subject: [PATCH] vhost: fix memory leak in vhost_net_release

syzbot found the following crash on:

HEAD commit:    788a0249 Merge tag 'arc-5.2-rc4' of git://git.kernel.org/p..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15dc9ea6a00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=d5c73825cbdc7326
dashboard link: https://syzkaller.appspot.com/bug?extid=0789f0c7e45efd7bb643
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10b31761a00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=124892c1a00000


udit: type=1400 audit(1559768703.229:36): avc:  denied  { map } for
pid=7116 comm="syz-executor330" path="/root/syz-executor330334897"
dev="sda1" ino=16461 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program

BUG: memory leak
unreferenced object 0xffff88812421fe40 (size 64):
   comm "syz-executor330", pid 7117, jiffies 4294949245 (age 13.030s)
   hex dump (first 32 bytes):
     01 00 00 00 20 69 6f 63 00 00 00 00 64 65 76 2f  .... ioc....dev/
     50 fe 21 24 81 88 ff ff 50 fe 21 24 81 88 ff ff  P.!$....P.!$....
   backtrace:
     [<00000000ae0c4ae0>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
     [<00000000ae0c4ae0>] slab_post_alloc_hook mm/slab.h:439 [inline]
     [<00000000ae0c4ae0>] slab_alloc mm/slab.c:3326 [inline]
     [<00000000ae0c4ae0>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
     [<0000000079ebab38>] kmalloc include/linux/slab.h:547 [inline]
     [<0000000079ebab38>] vhost_net_ubuf_alloc drivers/vhost/net.c:241 [inline]
     [<0000000079ebab38>] vhost_net_set_backend drivers/vhost/net.c:1534 [inline]
     [<0000000079ebab38>] vhost_net_ioctl+0xb43/0xc10 drivers/vhost/net.c:1716
     [<000000009f6204a2>] vfs_ioctl fs/ioctl.c:46 [inline]
     [<000000009f6204a2>] file_ioctl fs/ioctl.c:509 [inline]
     [<000000009f6204a2>] do_vfs_ioctl+0x62a/0x810 fs/ioctl.c:696
     [<00000000b45866de>] ksys_ioctl+0x86/0xb0 fs/ioctl.c:713
     [<00000000dfb41eb8>] __do_sys_ioctl fs/ioctl.c:720 [inline]
     [<00000000dfb41eb8>] __se_sys_ioctl fs/ioctl.c:718 [inline]
     [<00000000dfb41eb8>] __x64_sys_ioctl+0x1e/0x30 fs/ioctl.c:718
     [<0000000049c1f547>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
     [<0000000029cc8ca7>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88812421fa80 (size 64):
   comm "syz-executor330", pid 7130, jiffies 4294949755 (age 7.930s)
   hex dump (first 32 bytes):
     01 00 00 00 01 00 00 00 00 00 00 00 2f 76 69 72  ............/vir
     90 fa 21 24 81 88 ff ff 90 fa 21 24 81 88 ff ff  ..!$......!$....
   backtrace:
     [<00000000ae0c4ae0>] kmemleak_alloc_recursive  include/linux/kmemleak.h:55 [inline]
     [<00000000ae0c4ae0>] slab_post_alloc_hook mm/slab.h:439 [inline]
     [<00000000ae0c4ae0>] slab_alloc mm/slab.c:3326 [inline]
     [<00000000ae0c4ae0>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
     [<0000000079ebab38>] kmalloc include/linux/slab.h:547 [inline]
     [<0000000079ebab38>] vhost_net_ubuf_alloc drivers/vhost/net.c:241  [inline]
     [<0000000079ebab38>] vhost_net_set_backend drivers/vhost/net.c:1534  [inline]
     [<0000000079ebab38>] vhost_net_ioctl+0xb43/0xc10  drivers/vhost/net.c:1716
     [<000000009f6204a2>] vfs_ioctl fs/ioctl.c:46 [inline]
     [<000000009f6204a2>] file_ioctl fs/ioctl.c:509 [inline]
     [<000000009f6204a2>] do_vfs_ioctl+0x62a/0x810 fs/ioctl.c:696
     [<00000000b45866de>] ksys_ioctl+0x86/0xb0 fs/ioctl.c:713
     [<00000000dfb41eb8>] __do_sys_ioctl fs/ioctl.c:720 [inline]
     [<00000000dfb41eb8>] __se_sys_ioctl fs/ioctl.c:718 [inline]
     [<00000000dfb41eb8>] __x64_sys_ioctl+0x1e/0x30 fs/ioctl.c:718
     [<0000000049c1f547>] do_syscall_64+0x76/0x1a0  arch/x86/entry/common.c:301
     [<0000000029cc8ca7>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

End of syzbot report.

The function vhost_net_ubuf_alloc() appears in the two cases of dump info, for
pid 7130 and 7117, suggesting that it is a ubuf leak.

Since commit c38e39c378f4 ("vhost-net: fix use-after-free in vhost_net_flush")
the function vhost_net_flush() has no longer been releasing ubuf.

Freeing the slab after the last flush in the release path fixes it.


Fixes: c38e39c378f4 ("vhost-net: fix use-after-free in vhost_net_flush")
Reported-by: Syzbot <syzbot+0789f0c7e45efd7bb643@syzkaller.appspotmail.com>
Suggested-by: Jason Wang <jasowang@redhat.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Asias He <asias@redhat.com>
Signed-off-by: Hillf Danton <hdanton@sina.com>
---
This is sent only for collecting Tested-by.

 drivers/vhost/net.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
index 3beb401..22fae0a 100644
--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
@@ -1404,6 +1404,7 @@ static int vhost_net_release(struct inode *inode, struct file *f)
 	/* We do an extra flush before freeing memory,
 	 * since jobs can re-queue themselves. */
 	vhost_net_flush(n);
+	kfree(n->vqs[VHOST_NET_VQ_TX].ubufs);
 	kfree(n->vqs[VHOST_NET_VQ_RX].rxq.queue);
 	kfree(n->vqs[VHOST_NET_VQ_TX].xdp);
 	kfree(n->dev.vqs);
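Review bot: the hunk shows only the final flush and the kfree() calls, not the teardown steps earlier in vhost_net_release() that run before this point, so it is not visible from the diff whether n->vqs[VHOST_NET_VQ_TX].ubufs still holds the pointer allocated in vhost_net_set_backend() (the allocation site in both kmemleak records) when the new kfree() executes. If an earlier step has already cleared that field, kfree(NULL) is a silent no-op and the leak remains; state in the commit message which code path guarantees the pointer is still live here, and let the syzbot test run Dmitry asks for confirm that the report actually goes away.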
--


[-- Attachment #2: Type: text/plain, Size: 183 bytes --]

_______________________________________________
Virtualization mailing list
Virtualization@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/virtualization

^ permalink raw reply related	[flat|nested] 22+ messages in thread

* Re: memory leak in vhost_net_ioctl
  2019-06-13 12:06 Hillf Danton
  2019-06-13 12:11   ` Dmitry Vyukov
@ 2019-06-13 12:11   ` Dmitry Vyukov
  0 siblings, 0 replies; 22+ messages in thread
From: Dmitry Vyukov @ 2019-06-13 12:11 UTC (permalink / raw)
  To: Hillf Danton
  Cc: Jason Wang, syzbot, ast, bpf, daniel, davem, hawk,
	jakub.kicinski, john.fastabend, kvm, linux-kernel, mst, netdev,
	syzkaller-bugs, virtualization, xdp-newbies

On Thu, Jun 13, 2019 at 2:07 PM Hillf Danton <hdanton@sina.com> wrote:
>
>
> Hello Jason
>
> On Thu, 13 Jun 2019 17:10:39 +0800 Jason Wang wrote:
> >
> > This is basically a kfree(ubuf) after the second vhost_net_flush() in
> > vhost_net_release().
> >
> Fairly good catch.
>
> > Could you please post a formal patch?
> >
> I'd like very much to do that; but I won't, I am afraid, until I collect a
> Tested-by because of reproducer without a cutting edge.

You can easily collect Tested-by from syzbot for any bug with a reproducer ;)
https://github.com/google/syzkaller/blob/master/docs/syzbot.md#testing-patches

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: memory leak in vhost_net_ioctl
@ 2019-06-13 12:06 Hillf Danton
  2019-06-13 12:11   ` Dmitry Vyukov
  0 siblings, 1 reply; 22+ messages in thread
From: Hillf Danton @ 2019-06-13 12:06 UTC (permalink / raw)
  To: Jason Wang
  Cc: xdp-newbies, jakub.kicinski, hawk, daniel, mst, syzbot, netdev,
	john.fastabend, ast, linux-kernel, syzkaller-bugs, kvm, bpf,
	virtualization, davem


Hello Jason

On Thu, 13 Jun 2019 17:10:39 +0800 Jason Wang wrote:
> 
> This is basically a kfree(ubuf) after the second vhost_net_flush() in
> vhost_net_release().
> 
Fairly good catch.

> Could you please post a formal patch?
> 
I'd like very much to do that; but I won't, I am afraid, until I collect a
Tested-by because of reproducer without a cutting edge.

Thanks
Hillf

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: memory leak in vhost_net_ioctl
  2019-06-06 14:40 Hillf Danton
@ 2019-06-13  9:09   ` Jason Wang
  0 siblings, 0 replies; 22+ messages in thread
From: Jason Wang @ 2019-06-13  9:09 UTC (permalink / raw)
  To: Hillf Danton, syzbot
  Cc: ast, bpf, daniel, davem, hawk, jakub.kicinski, john.fastabend,
	kvm, linux-kernel, mst, netdev, syzkaller-bugs, virtualization,
	xdp-newbies


On 2019/6/6 下午10:40, Hillf Danton wrote:
>
> On Wed, 05 Jun 2019 16:42:05 -0700 (PDT) syzbot wrote:
>> Hello,
>>
>> syzbot found the following crash on:
>>
>> HEAD commit:    788a0249 Merge tag 'arc-5.2-rc4' of 
>> git://git.kernel.org/p..
>> git tree:       upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=15dc9ea6a00000
>> kernel config: 
>> https://syzkaller.appspot.com/x/.config?x=d5c73825cbdc7326
>> dashboard link: 
>> https://syzkaller.appspot.com/bug?extid=0789f0c7e45efd7bb643
>> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10b31761a00000
>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=124892c1a00000
>>
>> IMPORTANT: if you fix the bug, please add the following tag to the 
>> commit:
>> Reported-by: syzbot+0789f0c7e45efd7bb643@syzkaller.appspotmail.com
>>
>> udit: type=1400 audit(1559768703.229:36): avc:  denied  { map } for  
>> pid=7116 comm="syz-executor330" path="/root/syz-executor330334897" 
>> dev="sda1" ino=16461 
>> scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 
>> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
>> executing program
>> executing program
>> BUG: memory leak
>> unreferenced object 0xffff88812421fe40 (size 64):
>>    comm "syz-executor330", pid 7117, jiffies 4294949245 (age 13.030s)
>>    hex dump (first 32 bytes):
>>      01 00 00 00 20 69 6f 63 00 00 00 00 64 65 76 2f  .... ioc....dev/
>>      50 fe 21 24 81 88 ff ff 50 fe 21 24 81 88 ff ff P.!$....P.!$....
>>    backtrace:
>>      [<00000000ae0c4ae0>] kmemleak_alloc_recursive 
>> include/linux/kmemleak.h:55 [inline]
>>      [<00000000ae0c4ae0>] slab_post_alloc_hook mm/slab.h:439 [inline]
>>      [<00000000ae0c4ae0>] slab_alloc mm/slab.c:3326 [inline]
>>      [<00000000ae0c4ae0>] kmem_cache_alloc_trace+0x13d/0x280 
>> mm/slab.c:3553
>>      [<0000000079ebab38>] kmalloc include/linux/slab.h:547 [inline]
>>      [<0000000079ebab38>] vhost_net_ubuf_alloc 
>> drivers/vhost/net.c:241 [inline]
>>      [<0000000079ebab38>] vhost_net_set_backend 
>> drivers/vhost/net.c:1534 [inline]
>>      [<0000000079ebab38>] vhost_net_ioctl+0xb43/0xc10 
>> drivers/vhost/net.c:1716
>>      [<000000009f6204a2>] vfs_ioctl fs/ioctl.c:46 [inline]
>>      [<000000009f6204a2>] file_ioctl fs/ioctl.c:509 [inline]
>>      [<000000009f6204a2>] do_vfs_ioctl+0x62a/0x810 fs/ioctl.c:696
>>      [<00000000b45866de>] ksys_ioctl+0x86/0xb0 fs/ioctl.c:713
>>      [<00000000dfb41eb8>] __do_sys_ioctl fs/ioctl.c:720 [inline]
>>      [<00000000dfb41eb8>] __se_sys_ioctl fs/ioctl.c:718 [inline]
>>      [<00000000dfb41eb8>] __x64_sys_ioctl+0x1e/0x30 fs/ioctl.c:718
>>      [<0000000049c1f547>] do_syscall_64+0x76/0x1a0 
>> arch/x86/entry/common.c:301
>>      [<0000000029cc8ca7>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>>
>> BUG: memory leak
>> unreferenced object 0xffff88812421fa80 (size 64):
>>    comm "syz-executor330", pid 7130, jiffies 4294949755 (age 7.930s)
>>    hex dump (first 32 bytes):
>>      01 00 00 00 01 00 00 00 00 00 00 00 2f 76 69 72 ............/vir
>>      90 fa 21 24 81 88 ff ff 90 fa 21 24 81 88 ff ff ..!$......!$....
>>    backtrace:
>>      [<00000000ae0c4ae0>] kmemleak_alloc_recursive 
>> include/linux/kmemleak.h:55 [inline]
>>      [<00000000ae0c4ae0>] slab_post_alloc_hook mm/slab.h:439 [inline]
>>      [<00000000ae0c4ae0>] slab_alloc mm/slab.c:3326 [inline]
>>      [<00000000ae0c4ae0>] kmem_cache_alloc_trace+0x13d/0x280 
>> mm/slab.c:3553
>>      [<0000000079ebab38>] kmalloc include/linux/slab.h:547 [inline]
>>      [<0000000079ebab38>] vhost_net_ubuf_alloc 
>> drivers/vhost/net.c:241 [inline]
>>      [<0000000079ebab38>] vhost_net_set_backend 
>> drivers/vhost/net.c:1534 [inline]
>>      [<0000000079ebab38>] vhost_net_ioctl+0xb43/0xc10 
>> drivers/vhost/net.c:1716
>>      [<000000009f6204a2>] vfs_ioctl fs/ioctl.c:46 [inline]
>>      [<000000009f6204a2>] file_ioctl fs/ioctl.c:509 [inline]
>>      [<000000009f6204a2>] do_vfs_ioctl+0x62a/0x810 fs/ioctl.c:696
>>      [<00000000b45866de>] ksys_ioctl+0x86/0xb0 fs/ioctl.c:713
>>      [<00000000dfb41eb8>] __do_sys_ioctl fs/ioctl.c:720 [inline]
>>      [<00000000dfb41eb8>] __se_sys_ioctl fs/ioctl.c:718 [inline]
>>      [<00000000dfb41eb8>] __x64_sys_ioctl+0x1e/0x30 fs/ioctl.c:718
>>      [<0000000049c1f547>] do_syscall_64+0x76/0x1a0 
>> arch/x86/entry/common.c:301
>>      [<0000000029cc8ca7>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>>
>>
>>
>> ---
>> This bug is generated by a bot. It may contain errors.
>> See https://goo.gl/tpsmEJ for more information about syzbot.
>> syzbot engineers can be reached at syzkaller@googlegroups.com.
>>
>> syzbot will keep track of this bug report. See:
>> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>> syzbot can test patches for this bug, for details see:
>> https://goo.gl/tpsmEJ#testing-patches
>>
> Ignore my noise if you have no interest in seeing the syzbot report.
>
> After commit c38e39c378f46f ("vhost-net: fix use-after-free in
> vhost_net_flush") flush would no longer free ubuf, just wait until
> ubuf users disappear instead.
>
> The following diff, in the hope that it may perhaps help you handle the
> memory leak, makes flush able to free ubuf in the path of file release.
>
> Thanks
> Hillf
> ---
> drivers/vhost/net.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
> index 3beb401..dcf20b6 100644
> --- a/drivers/vhost/net.c
> +++ b/drivers/vhost/net.c
> @@ -141,6 +141,7 @@ struct vhost_net {
>     unsigned tx_zcopy_err;
>     /* Flush in progress. Protected by tx vq lock. */
>     bool tx_flush;
> +    bool ld;    /* Last dinner */
>     /* Private page frag */
>     struct page_frag page_frag;
>     /* Refcount bias of page frag */
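Review bot: `bool ld; /* Last dinner */` documents neither what the flag means nor which lock protects it; it sits directly under tx_flush, whose comment says "Protected by tx vq lock", yet the later hunks set it in vhost_net_release() without that lock and read it in vhost_net_flush() after mutex_unlock(). Name the field for its purpose (for example a free_ubufs_on_flush-style name) and add a comment stating that it is written only on the release path once no other users remain, or take the same lock as tx_flush.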
> @@ -1283,6 +1284,7 @@ static int vhost_net_open(struct inode *inode, 
> struct file *f)
>     n = kvmalloc(sizeof *n, GFP_KERNEL | __GFP_RETRY_MAYFAIL);
>     if (!n)
>         return -ENOMEM;
> +    n->ld = false;
>     vqs = kmalloc_array(VHOST_NET_VQ_MAX, sizeof(*vqs), GFP_KERNEL);
>     if (!vqs) {
>         kvfree(n);
> @@ -1376,7 +1378,10 @@ static void vhost_net_flush(struct vhost_net *n)
>         n->tx_flush = true;
>         mutex_unlock(&n->vqs[VHOST_NET_VQ_TX].vq.mutex);
>         /* Wait for all lower device DMAs done. */
> - vhost_net_ubuf_put_and_wait(n->vqs[VHOST_NET_VQ_TX].ubufs);
> +        if (n->ld)
> + vhost_net_ubuf_put_wait_and_free(n->vqs[VHOST_NET_VQ_TX].ubufs);
> +        else
> + vhost_net_ubuf_put_and_wait(n->vqs[VHOST_NET_VQ_TX].ubufs);
>         mutex_lock(&n->vqs[VHOST_NET_VQ_TX].vq.mutex);
>         n->tx_flush = false;
> atomic_set(&n->vqs[VHOST_NET_VQ_TX].ubufs->refcount, 1);
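Review bot: the `n->ld` branch frees the ubufs object and the unchanged trailing context of this hunk then dereferences it: `+ vhost_net_ubuf_put_wait_and_free(n->vqs[VHOST_NET_VQ_TX].ubufs);` is followed a few lines later by `atomic_set(&n->vqs[VHOST_NET_VQ_TX].ubufs->refcount, 1);`, which is a write into freed memory on the release path. The refcount reset has to be skipped (or the pointer NULLed and checked) whenever the free path was taken; as written the change trades the reported leak for a use-after-free.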
> @@ -1403,6 +1408,7 @@ static int vhost_net_release(struct inode 
> *inode, struct file *f)
>     synchronize_rcu();
>     /* We do an extra flush before freeing memory,
>      * since jobs can re-queue themselves. */
> +    n->ld = true;
>     vhost_net_flush(n);
>     kfree(n->vqs[VHOST_NET_VQ_RX].rxq.queue);
>     kfree(n->vqs[VHOST_NET_VQ_TX].xdp);
> -- 


This is basically a kfree(ubuf) after the second vhost_net_flush() in 
vhost_net_release().

Could you please post a formal patch?

Thanks


* Re: memory leak in vhost_net_ioctl
@ 2019-06-06 14:40 Hillf Danton
  2019-06-13  9:09   ` Jason Wang
  0 siblings, 1 reply; 22+ messages in thread
From: Hillf Danton @ 2019-06-06 14:40 UTC (permalink / raw)
  To: syzbot
  Cc: xdp-newbies, jakub.kicinski, hawk, daniel, mst, netdev,
	john.fastabend, ast, linux-kernel, syzkaller-bugs, kvm, bpf,
	virtualization, davem


On Wed, 05 Jun 2019 16:42:05 -0700 (PDT) syzbot wrote:
> Hello,
> 
> syzbot found the following crash on:
> 
> HEAD commit:    788a0249 Merge tag 'arc-5.2-rc4' of git://git.kernel.org/p..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=15dc9ea6a00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=d5c73825cbdc7326
> dashboard link: https://syzkaller.appspot.com/bug?extid=0789f0c7e45efd7bb643
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10b31761a00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=124892c1a00000
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+0789f0c7e45efd7bb643@syzkaller.appspotmail.com
> 
> udit: type=1400 audit(1559768703.229:36): avc:  denied  { map } for   
> pid=7116 comm="syz-executor330" path="/root/syz-executor330334897"  
> dev="sda1" ino=16461 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
> executing program
> executing program
> BUG: memory leak
> unreferenced object 0xffff88812421fe40 (size 64):
>    comm "syz-executor330", pid 7117, jiffies 4294949245 (age 13.030s)
>    hex dump (first 32 bytes):
>      01 00 00 00 20 69 6f 63 00 00 00 00 64 65 76 2f  .... ioc....dev/
>      50 fe 21 24 81 88 ff ff 50 fe 21 24 81 88 ff ff  P.!$....P.!$....
>    backtrace:
>      [<00000000ae0c4ae0>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
>      [<00000000ae0c4ae0>] slab_post_alloc_hook mm/slab.h:439 [inline]
>      [<00000000ae0c4ae0>] slab_alloc mm/slab.c:3326 [inline]
>      [<00000000ae0c4ae0>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
>      [<0000000079ebab38>] kmalloc include/linux/slab.h:547 [inline]
>      [<0000000079ebab38>] vhost_net_ubuf_alloc drivers/vhost/net.c:241 [inline]
>      [<0000000079ebab38>] vhost_net_set_backend drivers/vhost/net.c:1534 [inline]
>      [<0000000079ebab38>] vhost_net_ioctl+0xb43/0xc10 drivers/vhost/net.c:1716
>      [<000000009f6204a2>] vfs_ioctl fs/ioctl.c:46 [inline]
>      [<000000009f6204a2>] file_ioctl fs/ioctl.c:509 [inline]
>      [<000000009f6204a2>] do_vfs_ioctl+0x62a/0x810 fs/ioctl.c:696
>      [<00000000b45866de>] ksys_ioctl+0x86/0xb0 fs/ioctl.c:713
>      [<00000000dfb41eb8>] __do_sys_ioctl fs/ioctl.c:720 [inline]
>      [<00000000dfb41eb8>] __se_sys_ioctl fs/ioctl.c:718 [inline]
>      [<00000000dfb41eb8>] __x64_sys_ioctl+0x1e/0x30 fs/ioctl.c:718
>      [<0000000049c1f547>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
>      [<0000000029cc8ca7>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> 
> BUG: memory leak
> unreferenced object 0xffff88812421fa80 (size 64):
>    comm "syz-executor330", pid 7130, jiffies 4294949755 (age 7.930s)
>    hex dump (first 32 bytes):
>      01 00 00 00 01 00 00 00 00 00 00 00 2f 76 69 72  ............/vir
>      90 fa 21 24 81 88 ff ff 90 fa 21 24 81 88 ff ff  ..!$......!$....
>    backtrace:
>      [<00000000ae0c4ae0>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
>      [<00000000ae0c4ae0>] slab_post_alloc_hook mm/slab.h:439 [inline]
>      [<00000000ae0c4ae0>] slab_alloc mm/slab.c:3326 [inline]
>      [<00000000ae0c4ae0>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
>      [<0000000079ebab38>] kmalloc include/linux/slab.h:547 [inline]
>      [<0000000079ebab38>] vhost_net_ubuf_alloc drivers/vhost/net.c:241 [inline]
>      [<0000000079ebab38>] vhost_net_set_backend drivers/vhost/net.c:1534 [inline]
>      [<0000000079ebab38>] vhost_net_ioctl+0xb43/0xc10 drivers/vhost/net.c:1716
>      [<000000009f6204a2>] vfs_ioctl fs/ioctl.c:46 [inline]
>      [<000000009f6204a2>] file_ioctl fs/ioctl.c:509 [inline]
>      [<000000009f6204a2>] do_vfs_ioctl+0x62a/0x810 fs/ioctl.c:696
>      [<00000000b45866de>] ksys_ioctl+0x86/0xb0 fs/ioctl.c:713
>      [<00000000dfb41eb8>] __do_sys_ioctl fs/ioctl.c:720 [inline]
>      [<00000000dfb41eb8>] __se_sys_ioctl fs/ioctl.c:718 [inline]
>      [<00000000dfb41eb8>] __x64_sys_ioctl+0x1e/0x30 fs/ioctl.c:718
>      [<0000000049c1f547>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
>      [<0000000029cc8ca7>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> 
> 
> 
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
> 
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches
> 
Ignore my noise if you have no interest in seeing the syzbot report.

After commit c38e39c378f46f ("vhost-net: fix use-after-free in
vhost_net_flush") flush would no longer free ubuf, just wait until ubuf users
disappear instead.

The following diff, in the hope that it may perhaps help you handle the memory
leak, makes flush able to free ubuf in the path of file release.

Thanks
Hillf
---
 drivers/vhost/net.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
index 3beb401..dcf20b6 100644
--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
@@ -141,6 +141,7 @@ struct vhost_net {
 	unsigned tx_zcopy_err;
 	/* Flush in progress. Protected by tx vq lock. */
 	bool tx_flush;
+	bool ld;	/* Last dinner */
 	/* Private page frag */
 	struct page_frag page_frag;
 	/* Refcount bias of page frag */
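Review bot: the new field's name and comment do not say what it means or how it is synchronized; `+	bool ld;	/* Last dinner */` tells a reader nothing, whereas the neighbouring `tx_flush` comment states that it is protected by the tx vq lock. Suggest a descriptive name and comment, e.g. `bool release_in_progress; /* set once in vhost_net_release(); lets flush free ubufs */`, or better, pass the intent as an argument to vhost_net_flush() instead of keeping it as per-device state.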
@@ -1283,6 +1284,7 @@ static int vhost_net_open(struct inode *inode, struct file *f)
 	n = kvmalloc(sizeof *n, GFP_KERNEL | __GFP_RETRY_MAYFAIL);
 	if (!n)
 		return -ENOMEM;
+	n->ld = false;
 	vqs = kmalloc_array(VHOST_NET_VQ_MAX, sizeof(*vqs), GFP_KERNEL);
 	if (!vqs) {
 		kvfree(n);
@@ -1376,7 +1378,10 @@ static void vhost_net_flush(struct vhost_net *n)
 		n->tx_flush = true;
 		mutex_unlock(&n->vqs[VHOST_NET_VQ_TX].vq.mutex);
 		/* Wait for all lower device DMAs done. */
-		vhost_net_ubuf_put_and_wait(n->vqs[VHOST_NET_VQ_TX].ubufs);
+		if (n->ld)
+			vhost_net_ubuf_put_wait_and_free(n->vqs[VHOST_NET_VQ_TX].ubufs);
+		else
+			vhost_net_ubuf_put_and_wait(n->vqs[VHOST_NET_VQ_TX].ubufs);
 		mutex_lock(&n->vqs[VHOST_NET_VQ_TX].vq.mutex);
 		n->tx_flush = false;
 		atomic_set(&n->vqs[VHOST_NET_VQ_TX].ubufs->refcount, 1);
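Review bot: the `n->ld` branch frees the ubufs object and the unchanged trailing context of this hunk then dereferences it: `+			vhost_net_ubuf_put_wait_and_free(n->vqs[VHOST_NET_VQ_TX].ubufs);` is followed a few lines later by `		atomic_set(&n->vqs[VHOST_NET_VQ_TX].ubufs->refcount, 1);`, which is a write into freed memory on the release path. The refcount reset has to be skipped (or the pointer NULLed and checked) whenever the free path was taken; as written the change trades the reported leak for a use-after-free.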
@@ -1403,6 +1408,7 @@ static int vhost_net_release(struct inode *inode, struct file *f)
 	synchronize_rcu();
 	/* We do an extra flush before freeing memory,
 	 * since jobs can re-queue themselves. */
+	n->ld = true;
 	vhost_net_flush(n);
 	kfree(n->vqs[VHOST_NET_VQ_RX].rxq.queue);
 	kfree(n->vqs[VHOST_NET_VQ_TX].xdp);
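Review bot: `+	n->ld = true;` is a plain store made without the tx vq mutex that the struct comment names for the neighbouring `tx_flush`, and the flag is never cleared, so vhost_net_flush() now behaves differently depending on hidden per-device state rather than on what its caller asks for. Since release is the only place where freeing is wanted, a `vhost_net_flush(n, true)`-style parameter, or a small release-only wrapper that does the free after the flush, would make the release-time free explicit and leave the other vhost_net_flush() callers untouched.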
--
