From: Dmitry Vyukov <dvyukov@google.com>
To: Vlad Yasevich <vyasevich@gmail.com>,
	Neil Horman <nhorman@tuxdriver.com>,
	"David S. Miller" <davem@davemloft.net>,
	linux-sctp@vger.kernel.org, netdev <netdev@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>
Cc: syzkaller <syzkaller@googlegroups.com>,
	Kostya Serebryany <kcc@google.com>,
	Alexander Potapenko <glider@google.com>,
	Sasha Levin <sasha.levin@oracle.com>,
	Eric Dumazet <edumazet@google.com>
Subject: net/sctp: sock memory leak
Date: Wed, 30 Dec 2015 21:42:27 +0100	[thread overview]
Message-ID: <CACT4Y+bf9h=vVSb82Jdv2GeV1MQPg15LW_AcV2BOw-XbMfNetw@mail.gmail.com> (raw)

Hello,

The following program leads to a leak of two sock objects:

// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <unistd.h>
#include <sys/syscall.h>
#include <string.h>
#include <stdint.h>
#include <pthread.h>

int fd;

// Second thread: calls sendto() on the SCTP socket while main() is about to
// listen()/accept() on it. The 128-byte destination is a sockaddr_in6:
// AF_INET6, port bytes 33 dc, flowinfo bytes 14 4d 5b d1, address ::1,
// scope id bytes dd 01 f8 fd. The 0x70-byte payload at 0x2000b000 is never
// written, so it is all zeros (fresh anonymous mapping). Flags 0x8000 = MSG_MORE.
void *thr(void *arg)
{
        memcpy((void*)0x2000bbbe,
"\x0a\x00\x33\xdc\x14\x4d\x5b\xd1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xdd\x01\xf8\xfd\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
128);
        syscall(SYS_sendto, fd, 0x2000b000ul, 0x70ul, 0x8000ul,
0x2000bbbeul, 0x80ul);
        return 0;
}

int main()
{
        pthread_t th[6];

        // Fixed anonymous mapping at 0x20000000 (PROT_READ|PROT_WRITE,
        // MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS) holding every buffer used below.
        syscall(SYS_mmap, 0x20000000ul, 0x20000ul, 0x3ul, 0x32ul,
0xfffffffffffffffful, 0x0ul);
        // socket(AF_INET6, SOCK_STREAM, IPPROTO_SCTP)
        fd = syscall(SYS_socket, 0xaul, 0x1ul, 0x84ul, 0, 0, 0);
        // bind() address is a sockaddr_in: AF_INET, port bytes 33 df, 127.0.0.1,
        // passed with a 128-byte addrlen.
        memcpy((void*)0x20003000,
"\x02\x00\x33\xdf\x7f\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
128);
        syscall(SYS_bind, fd, 0x20003000ul, 0x80ul, 0, 0, 0);
        // Start the sender, give it time to run, then listen() and accept().
        pthread_create(&th[0], 0, thr, (void*)0);
        usleep(100000);
        syscall(SYS_listen, fd, 0x3ul, 0, 0, 0, 0);
        // accept() with its address buffer at 0x20005f80; the addrlen pointer
        // reuses the start of the bind buffer.
        syscall(SYS_accept, fd, 0x20005f80ul, 0x20003000ul, 0, 0, 0);
        return 0;
}


unreferenced object 0xffff8800342540c0 (size 1864):
  comm "a.out", pid 24109, jiffies 4299060398 (age 27.984s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0a 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00  ...@............
  backtrace:
    [<ffffffff85c73a22>] kmemleak_alloc+0x72/0xc0 mm/kmemleak.c:915
    [<     inline     >] kmemleak_alloc_recursive include/linux/kmemleak.h:47
    [<     inline     >] slab_post_alloc_hook mm/slub.c:1335
    [<     inline     >] slab_alloc_node mm/slub.c:2594
    [<     inline     >] slab_alloc mm/slub.c:2602
    [<ffffffff816cc14d>] kmem_cache_alloc+0x12d/0x2c0 mm/slub.c:2607
    [<ffffffff84b642c9>] sk_prot_alloc+0x69/0x340 net/core/sock.c:1344
    [<ffffffff84b6d36a>] sk_alloc+0x3a/0x6b0 net/core/sock.c:1419
    [<ffffffff850c6d57>] inet6_create+0x2d7/0x1000 net/ipv6/af_inet6.c:173
    [<ffffffff84b5f47c>] __sock_create+0x37c/0x640 net/socket.c:1162
    [<     inline     >] sock_create net/socket.c:1202
    [<     inline     >] SYSC_socket net/socket.c:1232
    [<ffffffff84b5f96f>] SyS_socket+0xef/0x1b0 net/socket.c:1212
    [<ffffffff85c8eaf6>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185
    [<ffffffffffffffff>] 0xffffffffffffffff
unreferenced object 0xffff880034253780 (size 1864):
  comm "a.out", pid 24109, jiffies 4299060500 (age 27.882s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 33 dc 00 00  ............3...
    0a 00 07 40 00 00 00 00 d8 40 25 34 00 88 ff ff  ...@.....@%4....
  backtrace:
    [<ffffffff85c73a22>] kmemleak_alloc+0x72/0xc0 mm/kmemleak.c:915
    [<     inline     >] kmemleak_alloc_recursive include/linux/kmemleak.h:47
    [<     inline     >] slab_post_alloc_hook mm/slub.c:1335
    [<     inline     >] slab_alloc_node mm/slub.c:2594
    [<     inline     >] slab_alloc mm/slub.c:2602
    [<ffffffff816cc14d>] kmem_cache_alloc+0x12d/0x2c0 mm/slub.c:2607
    [<ffffffff84b642c9>] sk_prot_alloc+0x69/0x340 net/core/sock.c:1344
    [<ffffffff84b6d36a>] sk_alloc+0x3a/0x6b0 net/core/sock.c:1419
    [<ffffffff85750e00>] sctp_v6_create_accept_sk+0xf0/0x790 net/sctp/ipv6.c:646
    [<ffffffff857242a9>] sctp_accept+0x409/0x6d0 net/sctp/socket.c:3925
    [<ffffffff84fa33b3>] inet_accept+0xe3/0x660 net/ipv4/af_inet.c:671
    [<ffffffff84b5a68c>] SYSC_accept4+0x32c/0x630 net/socket.c:1474
    [<     inline     >] SyS_accept4 net/socket.c:1424
    [<     inline     >] SYSC_accept net/socket.c:1508
    [<ffffffff84b601e6>] SyS_accept+0x26/0x30 net/socket.c:1505
    [<ffffffff85c8eaf6>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185
    [<ffffffffffffffff>] 0xffffffffffffffff

On commit 8513342170278468bac126640a5d2d12ffbff106 (Dec 28).
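As an added example (not part of the original report), a small parser for kmemleak "unreferenced object" reports like the two above: it pulls out the object size, owning task and the first backtrace frame outside the allocator plumbing, so leaks can be grouped by the code path that created the object (here socket() via inet6_create and accept() via sctp_v6_create_accept_sk). The sample input is a constructed, abridged copy of the report above; the PLUMBING prefix list is an assumption tuned to sock allocations.

```python
import re

# Constructed sample: the two reports from the mail above, abridged to a few frames each.
SAMPLE = """\
unreferenced object 0xffff8800342540c0 (size 1864):
  comm "a.out", pid 24109, jiffies 4299060398 (age 27.984s)
  backtrace:
    [<ffffffff85c73a22>] kmemleak_alloc+0x72/0xc0 mm/kmemleak.c:915
    [<     inline     >] slab_alloc mm/slub.c:2602
    [<ffffffff84b6d36a>] sk_alloc+0x3a/0x6b0 net/core/sock.c:1419
    [<ffffffff850c6d57>] inet6_create+0x2d7/0x1000 net/ipv6/af_inet6.c:173
unreferenced object 0xffff880034253780 (size 1864):
  comm "a.out", pid 24109, jiffies 4299060500 (age 27.882s)
  backtrace:
    [<ffffffff816cc14d>] kmem_cache_alloc+0x12d/0x2c0 mm/slub.c:2607
    [<ffffffff84b6d36a>] sk_alloc+0x3a/0x6b0 net/core/sock.c:1419
    [<ffffffff85750e00>] sctp_v6_create_accept_sk+0xf0/0x790 net/sctp/ipv6.c:646
    [<ffffffffffffffff>] 0xffffffffffffffff
"""
HEADER = re.compile(r"^unreferenced object 0x([0-9a-f]+) \(size (\d+)\):")
META = re.compile(r'^\s+comm "([^"]*)", pid (\d+), jiffies \d+ \(age ([\d.]+)s\)')
FRAME = re.compile(r"^\s+\[<[^>]*>\] ([^\s+]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?(?: (\S+))?")
# Assumed allocator plumbing common to every report; the first frame past it owns the object.
PLUMBING = ("kmemleak_", "slab_", "kmem_cache_", "kmalloc", "__kmalloc", "sk_prot_alloc", "sk_alloc")

def alloc_site(leak):
    """First (function, file:line) frame outside the allocator plumbing, or None."""
    return next((f for f in leak["frames"] if not f[0].startswith(PLUMBING)), None)

def parse_kmemleak(text):
    """Split kmemleak output into one dict per leaked object; hex dump lines are ignored."""
    leaks = []
    for line in text.splitlines():
        if m := HEADER.match(line):
            leaks.append({"addr": int(m[1], 16), "size": int(m[2]), "frames": []})
        elif leaks and (m := META.match(line)):
            leaks[-1].update(comm=m[1], pid=int(m[2]), age=float(m[3]))
        elif leaks and (m := FRAME.match(line)):
            leaks[-1]["frames"].append((m[1], m[2]))  # location is None for the 0xfff... sentinel
    return leaks

def leaked_bytes_by_site(leaks):
    """Total leaked bytes per allocation site: the first grouping a triager wants."""
    totals = {}
    for lk in leaks:
        fn = (alloc_site(lk) or ("?",))[0]
        totals[fn] = totals.get(fn, 0) + lk["size"]
    return totals
```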


Thread overview:
2015-12-30 20:42 Dmitry Vyukov [this message]
2015-12-30 20:47 ` Marcelo Ricardo Leitner
2016-01-15 18:46 ` Marcelo Ricardo Leitner
2016-01-15 19:11   ` Dmitry Vyukov
2016-01-15 21:40     ` [PATCH net] sctp: do sanity checks before migrating the asoc Marcelo Ricardo Leitner
2016-01-19 14:19       ` Vlad Yasevich
2016-01-19 15:59         ` Marcelo Ricardo Leitner
2016-01-19 18:37           ` Vlad Yasevich
2016-01-19 19:31             ` Marcelo Ricardo Leitner
2016-01-19 19:55               ` Vlad Yasevich
2016-01-19 20:08                 ` Marcelo Ricardo Leitner
2016-02-03 16:13                   ` Dmitry Vyukov
2016-02-04  9:47                     ` Marcelo Ricardo Leitner
2016-03-02  8:56     ` net/sctp: sock memory leak Dmitry Vyukov
2016-03-02 19:42       ` Marcelo Ricardo Leitner
