* memory leak in bio_copy_user_iov
@ 2019-06-18 22:37 syzbot
2019-07-29 0:38 ` syzbot
0 siblings, 1 reply; 3+ messages in thread
From: syzbot @ 2019-06-18 22:37 UTC (permalink / raw)
To: axboe, linux-block, linux-kernel, syzkaller-bugs
Hello,
syzbot found the following crash on:
HEAD commit: 0011572c Merge branch 'for-5.2-fixes' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15193256a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=cb38d33cd06d8d48
dashboard link: https://syzkaller.appspot.com/bug?extid=03e5c8ebd22cc6c3a8cb
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13244221a00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=117b2432a00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+03e5c8ebd22cc6c3a8cb@syzkaller.appspotmail.com
ram
executing program
BUG: memory leak
unreferenced object 0xffff8881204d7800 (size 2048):
comm "syz-executor855", pid 6936, jiffies 4294941958 (age 26.780s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
20 00 00 00 02 01 00 00 00 00 00 00 08 00 00 00 ...............
backtrace:
[<00000000c5e27070>] kmemleak_alloc_recursive
include/linux/kmemleak.h:43 [inline]
[<00000000c5e27070>] slab_post_alloc_hook mm/slab.h:439 [inline]
[<00000000c5e27070>] slab_alloc mm/slab.c:3326 [inline]
[<00000000c5e27070>] __do_kmalloc mm/slab.c:3658 [inline]
[<00000000c5e27070>] __kmalloc+0x161/0x2c0 mm/slab.c:3669
[<000000004415e750>] kmalloc include/linux/slab.h:552 [inline]
[<000000004415e750>] bio_alloc_bioset+0x1b8/0x2c0 block/bio.c:439
[<000000002da58d1d>] bio_kmalloc include/linux/bio.h:391 [inline]
[<000000002da58d1d>] bio_copy_user_iov+0x113/0x4a0 block/bio.c:1275
[<00000000b4b23d95>] __blk_rq_map_user_iov block/blk-map.c:67 [inline]
[<00000000b4b23d95>] blk_rq_map_user_iov+0xc6/0x2b0 block/blk-map.c:136
[<00000000edad5f7e>] blk_rq_map_user+0x71/0xb0 block/blk-map.c:166
[<00000000c94723b5>] sg_start_req drivers/scsi/sg.c:1813 [inline]
[<00000000c94723b5>] sg_common_write.isra.0+0x619/0xa10
drivers/scsi/sg.c:809
[<00000000b11f3605>] sg_write.part.0+0x325/0x570 drivers/scsi/sg.c:709
[<00000000aba41953>] sg_write+0x44/0x64 drivers/scsi/sg.c:617
[<00000000afecd177>] __vfs_write+0x43/0xa0 fs/read_write.c:494
[<00000000de690898>] vfs_write fs/read_write.c:558 [inline]
[<00000000de690898>] vfs_write+0xee/0x210 fs/read_write.c:542
[<00000000705a35b0>] ksys_write+0x7c/0x130 fs/read_write.c:611
[<000000009efb9e6c>] __do_sys_write fs/read_write.c:623 [inline]
[<000000009efb9e6c>] __se_sys_write fs/read_write.c:620 [inline]
[<000000009efb9e6c>] __x64_sys_write+0x1e/0x30 fs/read_write.c:620
[<00000000f9e48771>] do_syscall_64+0x76/0x1a0
arch/x86/entry/common.c:301
[<00000000d5cff9fc>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: memory leak in bio_copy_user_iov
2019-06-18 22:37 memory leak in bio_copy_user_iov syzbot
@ 2019-07-29 0:38 ` syzbot
2019-07-29 1:03 ` Bob Liu
0 siblings, 1 reply; 3+ messages in thread
From: syzbot @ 2019-07-29 0:38 UTC (permalink / raw)
To: agk, axboe, coreteam, davem, dm-devel, hdanton, kaber, kadlec,
linux-block, linux-kernel, linux-raid, netdev, netfilter-devel,
pablo, shli, snitzer, syzkaller-bugs
syzbot has bisected this bug to:
commit 664820265d70a759dceca87b6eb200cd2b93cda8
Author: Mike Snitzer <snitzer@redhat.com>
Date: Thu Feb 18 20:44:39 2016 +0000
dm: do not return target from dm_get_live_table_for_ioctl()
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=13f4eb64600000
start commit: 0011572c Merge branch 'for-5.2-fixes' of git://git.kernel...
git tree: upstream
final crash: https://syzkaller.appspot.com/x/report.txt?x=100ceb64600000
console output: https://syzkaller.appspot.com/x/log.txt?x=17f4eb64600000
kernel config: https://syzkaller.appspot.com/x/.config?x=cb38d33cd06d8d48
dashboard link: https://syzkaller.appspot.com/bug?extid=03e5c8ebd22cc6c3a8cb
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13244221a00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=117b2432a00000
Reported-by: syzbot+03e5c8ebd22cc6c3a8cb@syzkaller.appspotmail.com
Fixes: 664820265d70 ("dm: do not return target from
dm_get_live_table_for_ioctl()")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: memory leak in bio_copy_user_iov
2019-07-29 0:38 ` syzbot
@ 2019-07-29 1:03 ` Bob Liu
0 siblings, 0 replies; 3+ messages in thread
From: Bob Liu @ 2019-07-29 1:03 UTC (permalink / raw)
To: syzbot, agk, axboe, coreteam, davem, dm-devel, hdanton, kaber,
kadlec, linux-block, linux-kernel, linux-raid, netdev,
netfilter-devel, pablo, shli, snitzer, syzkaller-bugs
On 7/29/19 8:38 AM, syzbot wrote:
> syzbot has bisected this bug to:
>
> commit 664820265d70a759dceca87b6eb200cd2b93cda8
> Author: Mike Snitzer <snitzer@redhat.com>
> Date: Thu Feb 18 20:44:39 2016 +0000
>
> dm: do not return target from dm_get_live_table_for_ioctl()
>
This(and previous bisection) look not related to the reported leak.
A possible reason may be KASAN can't recognize the failure path of bio_alloc_bioset()
where mempool_free() is called but not kmalloc(p).
But it's not a real bug, because we have the condition if (nr_iovecs > inline_vecs).
Below fix may avoid the syzbot bug report..
diff --git a/block/bio.c b/block/bio.c
index 4db1008..04a7879 100644
--- a/block/bio.c
+++ b/block/bio.c
@@ -513,8 +513,10 @@ struct bio *bio_alloc_bioset(gfp_t gfp_mask, unsigned int nr_iovecs,
bvl = bvec_alloc(gfp_mask, nr_iovecs, &idx, &bs->bvec_pool);
}
- if (unlikely(!bvl))
- goto err_free;
+ if (unlikely(!bvl)) {
+ mempool_free(p, &bs->bio_pool);
+ return NULL;
+ }
bio->bi_flags |= idx << BVEC_POOL_OFFSET;
} else if (nr_iovecs) {
@@ -525,10 +527,6 @@ struct bio *bio_alloc_bioset(gfp_t gfp_mask, unsigned int nr_iovecs,
bio->bi_max_vecs = nr_iovecs;
bio->bi_io_vec = bvl;
return bio;
-
-err_free:
- mempool_free(p, &bs->bio_pool);
- return NULL;
}
EXPORT_SYMBOL(bio_alloc_bioset);
Regards, -Bob
> bisection log: https://urldefense.proofpoint.com/v2/url?u=https-3A__syzkaller.appspot.com_x_bisect.txt-3Fx-3D13f4eb64600000&d=DwIBaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=1ktT0U2YS_I8Zz2o-MS1YcCAzWZ6hFGtyTgvVMGM7gI&m=NfGQRVxYCfZacAKiml9Wue-G1r2h8qkuAhAMOx_uFcc&s=MNjYy_nft_s0ErmK2n89p7y2yhKmeWlxWch0z7_dsm8&e=start commit: 0011572c Merge branch 'for-5.2-fixes' of git://git.kernel...
> git tree: upstream
> final crash: https://urldefense.proofpoint.com/v2/url?u=https-3A__syzkaller.appspot.com_x_report.txt-3Fx-3D100ceb64600000&d=DwIBaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=1ktT0U2YS_I8Zz2o-MS1YcCAzWZ6hFGtyTgvVMGM7gI&m=NfGQRVxYCfZacAKiml9Wue-G1r2h8qkuAhAMOx_uFcc&s=iviPOQNPEIjkuqBma_VWEQ9l1Ve3eOiTwads42E4ZPo&e=console output: https://urldefense.proofpoint.com/v2/url?u=https-3A__syzkaller.appspot.com_x_log.txt-3Fx-3D17f4eb64600000&d=DwIBaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=1ktT0U2YS_I8Zz2o-MS1YcCAzWZ6hFGtyTgvVMGM7gI&m=NfGQRVxYCfZacAKiml9Wue-G1r2h8qkuAhAMOx_uFcc&s=MBwnFwjEcSQfYymfv8EYt_EawVdK9vD-OAqDMutO-YY&e=kernel config: https://urldefense.proofpoint.com/v2/url?u=https-3A__syzkaller.appspot.com_x_.config-3Fx-3Dcb38d33cd06d8d48&d=DwIBaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=1ktT0U2YS_I8Zz2o-MS1YcCAzWZ6hFGtyTgvVMGM7gI&m=NfGQRVxYCfZacAKiml9Wue-G1r2h8qkuAhAMOx_uFcc&s=SqmDUenNFS-961PGgiMW5mIUv0nIBrf0oBrzUxYZ8Do&e=dashboard link:
> https://urldefense.proofpoint.com/v2/url?u=https-3A__syzkaller.appspot.com_bug-3Fextid-3D03e5c8ebd22cc6c3a8cb&d=DwIBaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=1ktT0U2YS_I8Zz2o-MS1YcCAzWZ6hFGtyTgvVMGM7gI&m=NfGQRVxYCfZacAKiml9Wue-G1r2h8qkuAhAMOx_uFcc&s=jKd2ocY5X94uyB8Or-OC3yffbOgClPQPlXqFnLzvvSY&e=syz repro: https://urldefense.proofpoint.com/v2/url?u=https-3A__syzkaller.appspot.com_x_repro.syz-3Fx-3D13244221a00000&d=DwIBaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=1ktT0U2YS_I8Zz2o-MS1YcCAzWZ6hFGtyTgvVMGM7gI&m=NfGQRVxYCfZacAKiml9Wue-G1r2h8qkuAhAMOx_uFcc&s=K-C39Kcd1oEOtJKwnby-s1EyEZZA10mr9bcXZ0J9Kh0&e=C reproducer: https://urldefense.proofpoint.com/v2/url?u=https-3A__syzkaller.appspot.com_x_repro.c-3Fx-3D117b2432a00000&d=DwIBaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=1ktT0U2YS_I8Zz2o-MS1YcCAzWZ6hFGtyTgvVMGM7gI&m=NfGQRVxYCfZacAKiml9Wue-G1r2h8qkuAhAMOx_uFcc&s=7J685CwQN6_FA2KgO3Vgy1msF0zi5O0OqZj_bgvEqBE&e=
> Reported-by: syzbot+03e5c8ebd22cc6c3a8cb@syzkaller.appspotmail.com
> Fixes: 664820265d70 ("dm: do not return target from dm_get_live_table_for_ioctl()")
>
> For information about bisection process see: https://urldefense.proofpoint.com/v2/url?u=https-3A__goo.gl_tpsmEJ-23bisection&d=DwIBaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=1ktT0U2YS_I8Zz2o-MS1YcCAzWZ6hFGtyTgvVMGM7gI&m=NfGQRVxYCfZacAKiml9Wue-G1r2h8qkuAhAMOx_uFcc&s=rs52TkiEQCrV4V8YQa2wT55HD8E-0AX9pn7MNIDcje4&e=
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-07-29 1:04 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-06-18 22:37 memory leak in bio_copy_user_iov syzbot
2019-07-29 0:38 ` syzbot
2019-07-29 1:03 ` Bob Liu
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).