* memory leak in tcindex_set_parms
@ 2020-02-04 17:58 syzbot
2020-02-04 18:03 ` Eric Dumazet
0 siblings, 1 reply; 6+ messages in thread
From: syzbot @ 2020-02-04 17:58 UTC (permalink / raw)
To: davem, jhs, jiri, kuba, linux-kernel, netdev, syzkaller-bugs,
xiyou.wangcong
Hello,
syzbot found the following crash on:
HEAD commit: 322bf2d3 Merge branch 'for-5.6' of git://git.kernel.org/pu..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1111f8e6e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=8d0490614a000a37
dashboard link: https://syzkaller.appspot.com/bug?extid=f0bbb2287b8993d4fa74
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17db90f6e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13a94511e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f0bbb2287b8993d4fa74@syzkaller.appspotmail.com
executing program
executing program
BUG: memory leak
unreferenced object 0xffff88811ee18c00 (size 256):
comm "syz-executor278", pid 7255, jiffies 4294941828 (age 13.710s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<0000000004705b10>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
[<0000000004705b10>] slab_post_alloc_hook mm/slab.h:586 [inline]
[<0000000004705b10>] slab_alloc mm/slab.c:3320 [inline]
[<0000000004705b10>] kmem_cache_alloc_trace+0x145/0x2c0 mm/slab.c:3549
[<000000005a926de7>] kmalloc include/linux/slab.h:556 [inline]
[<000000005a926de7>] kmalloc_array include/linux/slab.h:597 [inline]
[<000000005a926de7>] kcalloc include/linux/slab.h:609 [inline]
[<000000005a926de7>] tcf_exts_init include/net/pkt_cls.h:210 [inline]
[<000000005a926de7>] tcindex_set_parms+0xac/0x970 net/sched/cls_tcindex.c:313
[<000000004198237d>] tcindex_change+0xd8/0x110 net/sched/cls_tcindex.c:519
[<00000000f90be4e9>] tc_new_tfilter+0x566/0xf50 net/sched/cls_api.c:2103
[<00000000bdffab68>] rtnetlink_rcv_msg+0x3b2/0x4b0 net/core/rtnetlink.c:5429
[<000000008de6f6fa>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2477
[<00000000637db501>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5456
[<00000000cb1396a7>] netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
[<00000000cb1396a7>] netlink_unicast+0x223/0x310 net/netlink/af_netlink.c:1328
[<000000003d9f7439>] netlink_sendmsg+0x2c0/0x570 net/netlink/af_netlink.c:1917
[<0000000004922ee9>] sock_sendmsg_nosec net/socket.c:652 [inline]
[<0000000004922ee9>] sock_sendmsg+0x54/0x70 net/socket.c:672
[<00000000bbc6917f>] ____sys_sendmsg+0x2d0/0x300 net/socket.c:2343
[<00000000d3ae3854>] ___sys_sendmsg+0x8a/0xd0 net/socket.c:2397
[<0000000000c5372b>] __sys_sendmsg+0x80/0xf0 net/socket.c:2430
[<00000000db15859a>] __do_sys_sendmsg net/socket.c:2439 [inline]
[<00000000db15859a>] __se_sys_sendmsg net/socket.c:2437 [inline]
[<00000000db15859a>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2437
[<00000000a5a1c036>] do_syscall_64+0x73/0x220 arch/x86/entry/common.c:294
[<00000000e73613df>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff88811ee18900 (size 256):
comm "syz-executor278", pid 7255, jiffies 4294941828 (age 13.710s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<0000000004705b10>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
[<0000000004705b10>] slab_post_alloc_hook mm/slab.h:586 [inline]
[<0000000004705b10>] slab_alloc mm/slab.c:3320 [inline]
[<0000000004705b10>] kmem_cache_alloc_trace+0x145/0x2c0 mm/slab.c:3549
[<0000000036dbc592>] kmalloc include/linux/slab.h:556 [inline]
[<0000000036dbc592>] kmalloc_array include/linux/slab.h:597 [inline]
[<0000000036dbc592>] kcalloc include/linux/slab.h:609 [inline]
[<0000000036dbc592>] tcf_exts_init include/net/pkt_cls.h:210 [inline]
[<0000000036dbc592>] tcindex_alloc_perfect_hash net/sched/cls_tcindex.c:287 [inline]
[<0000000036dbc592>] tcindex_alloc_perfect_hash+0x8f/0xf0 net/sched/cls_tcindex.c:277
[<0000000088e6ec51>] tcindex_set_parms+0x831/0x970 net/sched/cls_tcindex.c:405
[<000000004198237d>] tcindex_change+0xd8/0x110 net/sched/cls_tcindex.c:519
[<00000000f90be4e9>] tc_new_tfilter+0x566/0xf50 net/sched/cls_api.c:2103
[<00000000bdffab68>] rtnetlink_rcv_msg+0x3b2/0x4b0 net/core/rtnetlink.c:5429
[<000000008de6f6fa>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2477
[<00000000637db501>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5456
[<00000000cb1396a7>] netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
[<00000000cb1396a7>] netlink_unicast+0x223/0x310 net/netlink/af_netlink.c:1328
[<000000003d9f7439>] netlink_sendmsg+0x2c0/0x570 net/netlink/af_netlink.c:1917
[<0000000004922ee9>] sock_sendmsg_nosec net/socket.c:652 [inline]
[<0000000004922ee9>] sock_sendmsg+0x54/0x70 net/socket.c:672
[<00000000bbc6917f>] ____sys_sendmsg+0x2d0/0x300 net/socket.c:2343
[<00000000d3ae3854>] ___sys_sendmsg+0x8a/0xd0 net/socket.c:2397
[<0000000000c5372b>] __sys_sendmsg+0x80/0xf0 net/socket.c:2430
[<00000000db15859a>] __do_sys_sendmsg net/socket.c:2439 [inline]
[<00000000db15859a>] __se_sys_sendmsg net/socket.c:2437 [inline]
[<00000000db15859a>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2437
[<00000000a5a1c036>] do_syscall_64+0x73/0x220 arch/x86/entry/common.c:294
BUG: memory leak
unreferenced object 0xffff88811ee18800 (size 256):
comm "syz-executor278", pid 7255, jiffies 4294941828 (age 13.710s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<0000000004705b10>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
[<0000000004705b10>] slab_post_alloc_hook mm/slab.h:586 [inline]
[<0000000004705b10>] slab_alloc mm/slab.c:3320 [inline]
[<0000000004705b10>] kmem_cache_alloc_trace+0x145/0x2c0 mm/slab.c:3549
[<0000000036dbc592>] kmalloc include/linux/slab.h:556 [inline]
[<0000000036dbc592>] kmalloc_array include/linux/slab.h:597 [inline]
[<0000000036dbc592>] kcalloc include/linux/slab.h:609 [inline]
[<0000000036dbc592>] tcf_exts_init include/net/pkt_cls.h:210 [inline]
[<0000000036dbc592>] tcindex_alloc_perfect_hash net/sched/cls_tcindex.c:287 [inline]
[<0000000036dbc592>] tcindex_alloc_perfect_hash+0x8f/0xf0 net/sched/cls_tcindex.c:277
[<0000000088e6ec51>] tcindex_set_parms+0x831/0x970 net/sched/cls_tcindex.c:405
[<000000004198237d>] tcindex_change+0xd8/0x110 net/sched/cls_tcindex.c:519
[<00000000f90be4e9>] tc_new_tfilter+0x566/0xf50 net/sched/cls_api.c:2103
[<00000000bdffab68>] rtnetlink_rcv_msg+0x3b2/0x4b0 net/core/rtnetlink.c:5429
[<000000008de6f6fa>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2477
[<00000000637db501>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5456
[<00000000cb1396a7>] netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
[<00000000cb1396a7>] netlink_unicast+0x223/0x310 net/netlink/af_netlink.c:1328
[<000000003d9f7439>] netlink_sendmsg+0x2c0/0x570 net/netlink/af_netlink.c:1917
[<0000000004922ee9>] sock_sendmsg_nosec net/socket.c:652 [inline]
[<0000000004922ee9>] sock_sendmsg+0x54/0x70 net/socket.c:672
[<00000000bbc6917f>] ____sys_sendmsg+0x2d0/0x300 net/socket.c:2343
[<00000000d3ae3854>] ___sys_sendmsg+0x8a/0xd0 net/socket.c:2397
[<0000000000c5372b>] __sys_sendmsg+0x80/0xf0 net/socket.c:2430
[<00000000db15859a>] __do_sys_sendmsg net/socket.c:2439 [inline]
[<00000000db15859a>] __se_sys_sendmsg net/socket.c:2437 [inline]
[<00000000db15859a>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2437
[<00000000a5a1c036>] do_syscall_64+0x73/0x220 arch/x86/entry/common.c:294
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: memory leak in tcindex_set_parms
2020-02-04 17:58 memory leak in tcindex_set_parms syzbot
@ 2020-02-04 18:03 ` Eric Dumazet
2020-02-04 21:22 ` David Miller
0 siblings, 1 reply; 6+ messages in thread
From: Eric Dumazet @ 2020-02-04 18:03 UTC (permalink / raw)
To: syzbot, davem, jhs, jiri, kuba, linux-kernel, netdev,
syzkaller-bugs, xiyou.wangcong
On 2/4/20 9:58 AM, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 322bf2d3 Merge branch 'for-5.6' of git://git.kernel.org/pu..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1111f8e6e00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=8d0490614a000a37
> dashboard link: https://syzkaller.appspot.com/bug?extid=f0bbb2287b8993d4fa74
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17db90f6e00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13a94511e00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+f0bbb2287b8993d4fa74@syzkaller.appspotmail.com
>
>
Might have been fixed already ?
commit 599be01ee567b61f4471ee8078870847d0a11e8e net_sched: fix an OOB access in cls_tcindex
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: memory leak in tcindex_set_parms
2020-02-04 18:03 ` Eric Dumazet
@ 2020-02-04 21:22 ` David Miller
2020-02-04 22:26 ` Cong Wang
0 siblings, 1 reply; 6+ messages in thread
From: David Miller @ 2020-02-04 21:22 UTC (permalink / raw)
To: eric.dumazet
Cc: syzbot+f0bbb2287b8993d4fa74, jhs, jiri, kuba, linux-kernel,
netdev, syzkaller-bugs, xiyou.wangcong
From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Tue, 4 Feb 2020 10:03:16 -0800
>
>
> On 2/4/20 9:58 AM, syzbot wrote:
>> Hello,
>>
>> syzbot found the following crash on:
>>
>> HEAD commit: 322bf2d3 Merge branch 'for-5.6' of git://git.kernel.org/pu..
>> git tree: upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=1111f8e6e00000
>> kernel config: https://syzkaller.appspot.com/x/.config?x=8d0490614a000a37
>> dashboard link: https://syzkaller.appspot.com/bug?extid=f0bbb2287b8993d4fa74
>> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17db90f6e00000
>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13a94511e00000
>>
>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> Reported-by: syzbot+f0bbb2287b8993d4fa74@syzkaller.appspotmail.com
>>
>>
>
> Might have been fixed already ?
>
> commit 599be01ee567b61f4471ee8078870847d0a11e8e net_sched: fix an OOB access in cls_tcindex
My reaction was actually that this bug is caused by this commit :)
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: memory leak in tcindex_set_parms
2020-02-04 21:22 ` David Miller
@ 2020-02-04 22:26 ` Cong Wang
2020-02-04 23:40 ` Eric Dumazet
0 siblings, 1 reply; 6+ messages in thread
From: Cong Wang @ 2020-02-04 22:26 UTC (permalink / raw)
To: David Miller
Cc: Eric Dumazet, syzbot+f0bbb2287b8993d4fa74, Jamal Hadi Salim,
Jiri Pirko, Jakub Kicinski, LKML,
Linux Kernel Network Developers, syzkaller-bugs
On Tue, Feb 4, 2020 at 1:22 PM David Miller <davem@davemloft.net> wrote:
>
> From: Eric Dumazet <eric.dumazet@gmail.com>
> Date: Tue, 4 Feb 2020 10:03:16 -0800
>
> >
> >
> > On 2/4/20 9:58 AM, syzbot wrote:
> >> Hello,
> >>
> >> syzbot found the following crash on:
> >>
> >> HEAD commit: 322bf2d3 Merge branch 'for-5.6' of git://git.kernel.org/pu..
> >> git tree: upstream
> >> console output: https://syzkaller.appspot.com/x/log.txt?x=1111f8e6e00000
> >> kernel config: https://syzkaller.appspot.com/x/.config?x=8d0490614a000a37
> >> dashboard link: https://syzkaller.appspot.com/bug?extid=f0bbb2287b8993d4fa74
> >> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> >> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17db90f6e00000
> >> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13a94511e00000
> >>
> >> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> >> Reported-by: syzbot+f0bbb2287b8993d4fa74@syzkaller.appspotmail.com
> >>
> >>
> >
> > Might have been fixed already ?
> >
> > commit 599be01ee567b61f4471ee8078870847d0a11e8e net_sched: fix an OOB access in cls_tcindex
>
> My reaction was actually that this bug is caused by this commit :)
I think it is neither of the cases, I will test the following change:
diff --git a/net/sched/cls_tcindex.c b/net/sched/cls_tcindex.c
index 09b7dc5fe7e0..2495b15ca78c 100644
--- a/net/sched/cls_tcindex.c
+++ b/net/sched/cls_tcindex.c
@@ -454,6 +454,7 @@ tcindex_set_parms(struct net *net, struct
tcf_proto *tp, unsigned long base,
oldp = p;
r->res = cr;
tcf_exts_change(&r->exts, &e);
+ tcf_exts_destroy(&e);
rcu_assign_pointer(tp->root, cp);
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: memory leak in tcindex_set_parms
2020-02-04 22:26 ` Cong Wang
@ 2020-02-04 23:40 ` Eric Dumazet
2020-02-05 0:41 ` Cong Wang
0 siblings, 1 reply; 6+ messages in thread
From: Eric Dumazet @ 2020-02-04 23:40 UTC (permalink / raw)
To: Cong Wang, David Miller
Cc: Eric Dumazet, syzbot+f0bbb2287b8993d4fa74, Jamal Hadi Salim,
Jiri Pirko, Jakub Kicinski, LKML,
Linux Kernel Network Developers, syzkaller-bugs
On 2/4/20 2:26 PM, Cong Wang wrote:
> On Tue, Feb 4, 2020 at 1:22 PM David Miller <davem@davemloft.net> wrote:
>>
>> From: Eric Dumazet <eric.dumazet@gmail.com>
>> Date: Tue, 4 Feb 2020 10:03:16 -0800
>>
>>>
>>>
>>> On 2/4/20 9:58 AM, syzbot wrote:
>>>> Hello,
>>>>
>>>> syzbot found the following crash on:
>>>>
>>>> HEAD commit: 322bf2d3 Merge branch 'for-5.6' of git://git.kernel.org/pu..
>>>> git tree: upstream
>>>> console output: https://syzkaller.appspot.com/x/log.txt?x=1111f8e6e00000
>>>> kernel config: https://syzkaller.appspot.com/x/.config?x=8d0490614a000a37
>>>> dashboard link: https://syzkaller.appspot.com/bug?extid=f0bbb2287b8993d4fa74
>>>> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
>>>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17db90f6e00000
>>>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13a94511e00000
>>>>
>>>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>>>> Reported-by: syzbot+f0bbb2287b8993d4fa74@syzkaller.appspotmail.com
>>>>
>>>>
>>>
>>> Might have been fixed already ?
>>>
>>> commit 599be01ee567b61f4471ee8078870847d0a11e8e net_sched: fix an OOB access in cls_tcindex
>>
>> My reaction was actually that this bug is caused by this commit :)
>
> I think it is neither of the cases, I will test the following change:
>
> diff --git a/net/sched/cls_tcindex.c b/net/sched/cls_tcindex.c
> index 09b7dc5fe7e0..2495b15ca78c 100644
> --- a/net/sched/cls_tcindex.c
> +++ b/net/sched/cls_tcindex.c
> @@ -454,6 +454,7 @@ tcindex_set_parms(struct net *net, struct
> tcf_proto *tp, unsigned long base,
> oldp = p;
> r->res = cr;
> tcf_exts_change(&r->exts, &e);
> + tcf_exts_destroy(&e);
>
The only thing the repro fires for me on latest net tree is an UBSAN warning about a silly ->shift
I have not tried it on the old kernel.
[ 170.331009] UBSAN: Undefined behaviour in net/sched/cls_tcindex.c:239:29
[ 170.337729] shift exponent 19375 is too large for 32-bit type 'int'
diff --git a/net/sched/cls_tcindex.c b/net/sched/cls_tcindex.c
index 0323aee03de7efbb99c7943be078765c74dfdf2e..42436ae61b7a64a7244a9df03dc397e5aa103a86 100644
--- a/net/sched/cls_tcindex.c
+++ b/net/sched/cls_tcindex.c
@@ -339,9 +339,13 @@ tcindex_set_parms(struct net *net, struct tcf_proto *tp, unsigned long base,
if (tb[TCA_TCINDEX_MASK])
cp->mask = nla_get_u16(tb[TCA_TCINDEX_MASK]);
- if (tb[TCA_TCINDEX_SHIFT])
+ if (tb[TCA_TCINDEX_SHIFT]) {
cp->shift = nla_get_u32(tb[TCA_TCINDEX_SHIFT]);
-
+ if (cp->shift > 16) {
+ err = -EINVAL;
+ goto errout;
+ }
+ }
if (!cp->hash) {
/* Hash not specified, use perfect hash if the upper limit
* of the hashing index is below the threshold.
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: memory leak in tcindex_set_parms
2020-02-04 23:40 ` Eric Dumazet
@ 2020-02-05 0:41 ` Cong Wang
0 siblings, 0 replies; 6+ messages in thread
From: Cong Wang @ 2020-02-05 0:41 UTC (permalink / raw)
To: Eric Dumazet
Cc: David Miller, syzbot+f0bbb2287b8993d4fa74, Jamal Hadi Salim,
Jiri Pirko, Jakub Kicinski, LKML,
Linux Kernel Network Developers, syzkaller-bugs
On Tue, Feb 4, 2020 at 3:40 PM Eric Dumazet <eric.dumazet@gmail.com> wrote:
>
> The only thing the repro fires for me on latest net tree is an UBSAN warning about a silly ->shift
Yeah, I thought HEAD commit 322bf2d3 already contains my fix,
I was wrong.
>
> I have not tried it on the old kernel.
>
> [ 170.331009] UBSAN: Undefined behaviour in net/sched/cls_tcindex.c:239:29
> [ 170.337729] shift exponent 19375 is too large for 32-bit type 'int'
Please send your patch formally, it looks reasonable to me.
Thanks.
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2020-02-05 0:41 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-02-04 17:58 memory leak in tcindex_set_parms syzbot
2020-02-04 18:03 ` Eric Dumazet
2020-02-04 21:22 ` David Miller
2020-02-04 22:26 ` Cong Wang
2020-02-04 23:40 ` Eric Dumazet
2020-02-05 0:41 ` Cong Wang
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.