* memory leak in raw_sendmsg
@ 2019-06-03 20:41 syzbot
2019-06-04 18:52 ` Willem de Bruijn
0 siblings, 1 reply; 2+ messages in thread
From: syzbot @ 2019-06-03 20:41 UTC (permalink / raw)
To: davem, linux-can, linux-kernel, mkl, netdev, socketcan, syzkaller-bugs
Hello,
syzbot found the following crash on:
HEAD commit: 3ab4436f Merge tag 'nfsd-5.2-1' of git://linux-nfs.org/~bf..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=158090a6a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=50393f7bfe444ff6
dashboard link: https://syzkaller.appspot.com/bug?extid=a90604060cb40f5bdd16
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12e42092a00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1327b0a6a00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+a90604060cb40f5bdd16@syzkaller.appspotmail.com
DRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
executing program
executing program
BUG: memory leak
unreferenced object 0xffff88812af50600 (size 512):
comm "syz-executor081", pid 7046, jiffies 4294948162 (age 13.870s)
hex dump (first 32 bytes):
0d 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
9d 92 de d5 ec ad bc 02 6f 66 69 6c 65 3d 30 20 ........ofile=0
backtrace:
[<00000000c4297f99>] kmemleak_alloc_recursive
include/linux/kmemleak.h:55 [inline]
[<00000000c4297f99>] slab_post_alloc_hook mm/slab.h:439 [inline]
[<00000000c4297f99>] slab_alloc_node mm/slab.c:3269 [inline]
[<00000000c4297f99>] kmem_cache_alloc_node_trace+0x15b/0x2a0
mm/slab.c:3597
[<0000000066d13723>] __do_kmalloc_node mm/slab.c:3619 [inline]
[<0000000066d13723>] __kmalloc_node_track_caller+0x38/0x50
mm/slab.c:3634
[<00000000ed0585ca>] __kmalloc_reserve.isra.0+0x40/0xb0
net/core/skbuff.c:138
[<000000009a9dc318>] __alloc_skb+0xa0/0x210 net/core/skbuff.c:206
[<00000000926a7d5b>] alloc_skb include/linux/skbuff.h:1054 [inline]
[<00000000926a7d5b>] alloc_skb_with_frags+0x5f/0x250
net/core/skbuff.c:5327
[<00000000c4ab3faa>] sock_alloc_send_pskb+0x269/0x2a0
net/core/sock.c:2219
[<00000000723cdeb0>] sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2236
[<000000009ba80e2d>] raw_sendmsg+0xce/0x300 net/can/raw.c:761
[<0000000000a68d92>] sock_sendmsg_nosec net/socket.c:646 [inline]
[<0000000000a68d92>] sock_sendmsg+0x54/0x70 net/socket.c:665
[<000000004e3a95f6>] ___sys_sendmsg+0x393/0x3c0 net/socket.c:2286
[<00000000ec078bc9>] __sys_sendmsg+0x80/0xf0 net/socket.c:2324
[<0000000002d8ab21>] __do_sys_sendmsg net/socket.c:2333 [inline]
[<0000000002d8ab21>] __se_sys_sendmsg net/socket.c:2331 [inline]
[<0000000002d8ab21>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2331
[<0000000007c3590d>] do_syscall_64+0x76/0x1a0
arch/x86/entry/common.c:301
[<000000003149a5e4>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff888118308200 (size 224):
comm "syz-executor081", pid 7046, jiffies 4294948162 (age 13.870s)
hex dump (first 32 bytes):
b0 64 19 2a 81 88 ff ff b0 64 19 2a 81 88 ff ff .d.*.....d.*....
00 90 28 24 81 88 ff ff 00 64 19 2a 81 88 ff ff ..($.....d.*....
backtrace:
[<0000000085e706a4>] kmemleak_alloc_recursive
include/linux/kmemleak.h:55 [inline]
[<0000000085e706a4>] slab_post_alloc_hook mm/slab.h:439 [inline]
[<0000000085e706a4>] slab_alloc mm/slab.c:3326 [inline]
[<0000000085e706a4>] kmem_cache_alloc+0x134/0x270 mm/slab.c:3488
[<000000005a366403>] skb_clone+0x6e/0x140 net/core/skbuff.c:1321
[<00000000854d44b1>] __skb_tstamp_tx+0x19f/0x220 net/core/skbuff.c:4434
[<0000000091e53e01>] __dev_queue_xmit+0x920/0xd60 net/core/dev.c:3813
[<0000000043e22300>] dev_queue_xmit+0x18/0x20 net/core/dev.c:3910
[<0000000091bdc746>] can_send+0x138/0x2b0 net/can/af_can.c:290
[<000000002dddbaef>] raw_sendmsg+0x1bb/0x300 net/can/raw.c:780
[<0000000000a68d92>] sock_sendmsg_nosec net/socket.c:646 [inline]
[<0000000000a68d92>] sock_sendmsg+0x54/0x70 net/socket.c:665
[<000000004e3a95f6>] ___sys_sendmsg+0x393/0x3c0 net/socket.c:2286
[<00000000ec078bc9>] __sys_sendmsg+0x80/0xf0 net/socket.c:2324
[<0000000002d8ab21>] __do_sys_sendmsg net/socket.c:2333 [inline]
[<0000000002d8ab21>] __se_sys_sendmsg net/socket.c:2331 [inline]
[<0000000002d8ab21>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2331
[<0000000007c3590d>] do_syscall_64+0x76/0x1a0
arch/x86/entry/common.c:301
[<000000003149a5e4>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: memory leak in raw_sendmsg
2019-06-03 20:41 memory leak in raw_sendmsg syzbot
@ 2019-06-04 18:52 ` Willem de Bruijn
0 siblings, 0 replies; 2+ messages in thread
From: Willem de Bruijn @ 2019-06-04 18:52 UTC (permalink / raw)
To: syzbot
Cc: David Miller, linux-can, LKML, Marc Kleine-Budde,
Network Development, Oliver Hartkopp, syzkaller-bugs, wg,
patrick.ohly
On Mon, Jun 3, 2019 at 6:24 PM syzbot
<syzbot+a90604060cb40f5bdd16@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 3ab4436f Merge tag 'nfsd-5.2-1' of git://linux-nfs.org/~bf..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=158090a6a00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=50393f7bfe444ff6
> dashboard link: https://syzkaller.appspot.com/bug?extid=a90604060cb40f5bdd16
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12e42092a00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1327b0a6a00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+a90604060cb40f5bdd16@syzkaller.appspotmail.com
>
> BUG: memory leak
> unreferenced object 0xffff888118308200 (size 224):
> comm "syz-executor081", pid 7046, jiffies 4294948162 (age 13.870s)
> hex dump (first 32 bytes):
> b0 64 19 2a 81 88 ff ff b0 64 19 2a 81 88 ff ff .d.*.....d.*....
> 00 90 28 24 81 88 ff ff 00 64 19 2a 81 88 ff ff ..($.....d.*....
> backtrace:
> [<0000000085e706a4>] kmemleak_alloc_recursive
> include/linux/kmemleak.h:55 [inline]
> [<0000000085e706a4>] slab_post_alloc_hook mm/slab.h:439 [inline]
> [<0000000085e706a4>] slab_alloc mm/slab.c:3326 [inline]
> [<0000000085e706a4>] kmem_cache_alloc+0x134/0x270 mm/slab.c:3488
> [<000000005a366403>] skb_clone+0x6e/0x140 net/core/skbuff.c:1321
> [<00000000854d44b1>] __skb_tstamp_tx+0x19f/0x220 net/core/skbuff.c:4434
> [<0000000091e53e01>] __dev_queue_xmit+0x920/0xd60 net/core/dev.c:3813
> [<0000000043e22300>] dev_queue_xmit+0x18/0x20 net/core/dev.c:3910
> [<0000000091bdc746>] can_send+0x138/0x2b0 net/can/af_can.c:290
> [<000000002dddbaef>] raw_sendmsg+0x1bb/0x300 net/can/raw.c:780
The CAN protocol seems to be missing an error queue purge on socket
destruction. Verified that this still happens on net-next and the
following stops the warning:
static void can_sock_destruct(struct sock *sk)
{
skb_queue_purge(&sk->sk_receive_queue);
+ __skb_queue_purge(&sk->sk_error_queue);
}
I would have to double check socket destruct semantics to be sure, but
judging from inet_sock_destruct there is no need to take the list
lock.
This appears to be going back to the introduction of tx timestamps for
CAN in commit 51f31cabe3ce ("ip: support for TX timestamps on UDP and
RAW sockets")
There don't seem to be any other protocols families that setup
tx_flags but lack the error queue purge.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2019-06-04 18:52 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-06-03 20:41 memory leak in raw_sendmsg syzbot
2019-06-04 18:52 ` Willem de Bruijn
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).