* [syzbot] memory leak in mld_newpack
From: syzbot @ 2021-07-26 0:29 UTC
To: davem, dsahern, kuba, linux-kernel, netdev, syzkaller-bugs, yoshfuji

Hello,

syzbot found the following issue on:

HEAD commit:    8cae8cd89f05 seq_file: disallow extremely large seq buffer..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1100e00a300000
kernel config:  https://syzkaller.appspot.com/x/.config?x=7384ed231a0fd986
dashboard link: https://syzkaller.appspot.com/bug?extid=dcd3e13cf4472f2e0ba1
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14c646a2300000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+dcd3e13cf4472f2e0ba1@syzkaller.appspotmail.com

2021/07/22 00:14:37 executed programs: 3
2021/07/22 00:14:42 executed programs: 5
2021/07/22 00:14:48 executed programs: 7
BUG: memory leak
unreferenced object 0xffff88810df2ad00 (size 232):
  comm "kworker/1:2", pid 2838, jiffies 4294938475 (age 902.280s)
  hex dump (first 32 bytes):
    a0 34 1f 19 81 88 ff ff a0 34 1f 19 81 88 ff ff  .4.......4......
    00 40 1c 10 81 88 ff ff 00 00 00 00 00 00 00 00  .@..............
  backtrace:
    [<ffffffff836e0f5f>] __alloc_skb+0x20f/0x280 net/core/skbuff.c:414
    [<ffffffff836eb79a>] alloc_skb include/linux/skbuff.h:1112 [inline]
    [<ffffffff836eb79a>] alloc_skb_with_frags+0x6a/0x2b0 net/core/skbuff.c:6005
    [<ffffffff836d9083>] sock_alloc_send_pskb+0x353/0x3c0 net/core/sock.c:2461
    [<ffffffff83b7fd64>] mld_newpack+0x84/0x200 net/ipv6/mcast.c:1751
    [<ffffffff83b7ff83>] add_grhead+0xa3/0xc0 net/ipv6/mcast.c:1854
    [<ffffffff83b80c26>] add_grec+0x7b6/0x820 net/ipv6/mcast.c:1992
    [<ffffffff83b830d3>] mld_send_cr net/ipv6/mcast.c:2118 [inline]
    [<ffffffff83b830d3>] mld_ifc_work+0x273/0x750 net/ipv6/mcast.c:2655
    [<ffffffff81262669>] process_one_work+0x2c9/0x610 kernel/workqueue.c:2276
    [<ffffffff81262f59>] worker_thread+0x59/0x5d0 kernel/workqueue.c:2422
    [<ffffffff8126c3b8>] kthread+0x188/0x1d0 kernel/kthread.c:319
    [<ffffffff810022cf>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

BUG: memory leak
unreferenced object 0xffff88811109ca00 (size 232):
  comm "kworker/1:2", pid 2838, jiffies 4294938656 (age 900.470s)
  hex dump (first 32 bytes):
    a0 ac 9e 16 81 88 ff ff a0 ac 9e 16 81 88 ff ff  ................
    00 00 37 13 81 88 ff ff 00 00 00 00 00 00 00 00  ..7.............
  backtrace:
    [<ffffffff836e0f5f>] __alloc_skb+0x20f/0x280 net/core/skbuff.c:414
    [<ffffffff83b6bb36>] alloc_skb include/linux/skbuff.h:1112 [inline]
    [<ffffffff83b6bb36>] ndisc_alloc_skb+0x56/0xe0 net/ipv6/ndisc.c:420
    [<ffffffff83b7085c>] ndisc_send_rs+0x1bc/0x2a0 net/ipv6/ndisc.c:686
    [<ffffffff83b46bae>] addrconf_dad_completed+0x17e/0x560 net/ipv6/addrconf.c:4195
    [<ffffffff83b4736d>] addrconf_dad_work+0x3dd/0x900 net/ipv6/addrconf.c:4105
    [<ffffffff81262669>] process_one_work+0x2c9/0x610 kernel/workqueue.c:2276
    [<ffffffff81262f59>] worker_thread+0x59/0x5d0 kernel/workqueue.c:2422
    [<ffffffff8126c3b8>] kthread+0x188/0x1d0 kernel/kthread.c:319
    [<ffffffff810022cf>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
* Re: [syzbot] memory leak in mld_newpack
From: syzbot @ 2022-09-16 22:13 UTC
To: davem, dsahern, edumazet, kuba, linux-kernel, netdev, pabeni, phind.uet, syzkaller-bugs, yoshfuji

syzbot has found a reproducer for the following issue on:

HEAD commit:    6879c2d3b960 Merge tag 'pinctrl-v6.0-2' of git://git.kerne..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1053435d080000
kernel config:  https://syzkaller.appspot.com/x/.config?x=a4afe4efcad47dde
dashboard link: https://syzkaller.appspot.com/bug?extid=dcd3e13cf4472f2e0ba1
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11842b37080000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15078ed5080000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/0e68bb9c6cf9/disk-6879c2d3.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/bf179217db31/vmlinux-6879c2d3.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+dcd3e13cf4472f2e0ba1@syzkaller.appspotmail.com

BUG: memory leak
unreferenced object 0xffff88810bb0bb00 (size 240):
  comm "kworker/0:2", pid 143, jiffies 4294946271 (age 15.640s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 bb b0 0b 81 88 ff ff  ................
    00 70 aa 11 81 88 ff ff 80 10 e9 44 81 88 ff ff  .p.........D....
  backtrace:
    [<ffffffff8387bb59>] __alloc_skb+0x1f9/0x270 net/core/skbuff.c:422
    [<ffffffff8388255a>] alloc_skb include/linux/skbuff.h:1257 [inline]
    [<ffffffff8388255a>] alloc_skb_with_frags+0x6a/0x340 net/core/skbuff.c:6021
    [<ffffffff8387508f>] sock_alloc_send_pskb+0x39f/0x3d0 net/core/sock.c:2665
    [<ffffffff83d4eb01>] sock_alloc_send_skb include/net/sock.h:1866 [inline]
    [<ffffffff83d4eb01>] mld_newpack.isra.0+0x81/0x200 net/ipv6/mcast.c:1748
    [<ffffffff83d4ed26>] add_grhead+0xa6/0xc0 net/ipv6/mcast.c:1851
    [<ffffffff83d4f4fc>] add_grec+0x7bc/0x820 net/ipv6/mcast.c:1989
    [<ffffffff83d514e3>] mld_send_cr net/ipv6/mcast.c:2115 [inline]
    [<ffffffff83d514e3>] mld_ifc_work+0x273/0x750 net/ipv6/mcast.c:2653
    [<ffffffff8127afca>] process_one_work+0x2ba/0x5f0 kernel/workqueue.c:2289
    [<ffffffff8127b8e9>] worker_thread+0x59/0x5b0 kernel/workqueue.c:2436
    [<ffffffff81284c95>] kthread+0x125/0x160 kernel/kthread.c:376
    [<ffffffff8100224f>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
* [PATCH net] usbnet: Fix memory leak in usbnet_disconnect()
From: Peilin Ye @ 2022-09-23 4:25 UTC
To: Oliver Neukum, David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni
Cc: Peilin Ye, Greg Kroah-Hartman, Ming Lei, Cong Wang, netdev, linux-usb, linux-kernel, Peilin Ye

From: Peilin Ye <peilin.ye@bytedance.com>

Currently usbnet_disconnect() unanchors and frees all deferred URBs
using usb_scuttle_anchored_urbs(), which does not free urb->context,
causing a memory leak as reported by syzbot.

Use a usb_get_from_anchor() while loop instead, similar to what we did
in commit 19cfe912c37b ("Bluetooth: btusb: Fix memory leak in
play_deferred"). Also free urb->sg.

Reported-and-tested-by: syzbot+dcd3e13cf4472f2e0ba1@syzkaller.appspotmail.com
Fixes: 69ee472f2706 ("usbnet & cdc-ether: Autosuspend for online devices")
Fixes: 638c5115a794 ("USBNET: support DMA SG")
Signed-off-by: Peilin Ye <peilin.ye@bytedance.com>
---
Hi all,

I think we may have similar issues at other usb_scuttle_anchored_urbs()
call sites. Since urb->context is (void *), should we pass a "destructor"
callback to usb_scuttle_anchored_urbs(), or replace this function with
usb_get_from_anchor() loops like this patch does?

Please advise, thanks!
Peilin Ye

 drivers/net/usb/usbnet.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
index fd399a8ed973..64a9a80b2309 100644
--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -1598,6 +1598,7 @@ void usbnet_disconnect (struct usb_interface *intf)
 	struct usbnet		*dev;
 	struct usb_device	*xdev;
 	struct net_device	*net;
+	struct urb		*urb;
 
 	dev = usb_get_intfdata(intf);
 	usb_set_intfdata(intf, NULL);
@@ -1614,7 +1615,11 @@ void usbnet_disconnect (struct usb_interface *intf)
 	net = dev->net;
 	unregister_netdev (net);
 
-	usb_scuttle_anchored_urbs(&dev->deferred);
+	while ((urb = usb_get_from_anchor(&dev->deferred))) {
+		dev_kfree_skb(urb->context);
+		kfree(urb->sg);
+		usb_free_urb(urb);
+	}
 
 	if (dev->driver_info->unbind)
 		dev->driver_info->unbind(dev, intf);
-- 
2.20.1
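Review bot: in the second hunk the new loop frees urb->context with dev_kfree_skb() without saying why that is the right free, so a one-line comment above the while loop stating the invariant it relies on (every URB anchored on dev->deferred is a tx URB whose context is the sk_buff, with urb->sg set only when an SG table was built, which kfree() tolerates as NULL) would document it for the next reader. The cover-letter question about other usb_scuttle_anchored_urbs() callers also bears on this hunk: if a shared helper that takes a destructor callback is introduced, this open-coded loop is the first candidate to convert, so it is worth keeping the two frees self-contained in one place as the patch already does.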
* Re: [PATCH net] usbnet: Fix memory leak in usbnet_disconnect()
From: Oliver Neukum @ 2022-09-26 10:47 UTC
To: Peilin Ye, Oliver Neukum, David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni
Cc: Peilin Ye, Greg Kroah-Hartman, Ming Lei, Cong Wang, netdev, linux-usb, linux-kernel

On 23.09.22 06:25, Peilin Ye wrote:

Hi,

> I think we may have similar issues at other usb_scuttle_anchored_urbs()
> call sites. Since urb->context is (void *), should we pass a "destructor"
> callback to usb_scuttle_anchored_urbs(), or replace this function with
> usb_get_from_anchor() loops like this patch does?
>

Please introduce a new function with an additional parameter for that,
so that we do not need to touch the correct usages.

	Regards
		Oliver
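A user-space model of the destructor-parameter variant discussed in the message above, added here as an example that is not part of the thread or of the kernel: the anchor, URB and buffer types are constructed stand-ins for the kernel's USB anchor API, and leaked_buffers() counts what the plain scuttle leaves behind versus the callback version.

```c
/* Added example, not kernel code: a user-space model of the leak pattern in this
 * thread. Every name here is a constructed stand-in for the kernel's anchor API. */
#include <stdlib.h>
struct buf { int freed; };    /* stands in for an skb or a DMA sg table */
static struct buf bufs[8];    /* every driver-owned buffer handed to a URB */
static int nbufs;
static struct buf *own(void) { bufs[nbufs].freed = 0; return &bufs[nbufs++]; }
static void release(struct buf *b) { if (b) b->freed = 1; }   /* NULL-safe, like kfree() */

struct urb { struct buf *context, *sg; struct urb *next; };  /* context: the tx skb */
struct anchor { struct urb *head; };
typedef void (*urb_destructor_t)(struct urb *);

static void anchor_new_urb(struct anchor *a, int with_sg)
{
    struct urb *u = calloc(1, sizeof *u);
    u->context = own();
    u->sg = with_sg ? own() : NULL;       /* an sg table is only built for some URBs */
    u->next = a->head; a->head = u;
}
/* Model of usb_scuttle_anchored_urbs() plus the extra destructor parameter proposed
 * in review. With dtor == NULL it behaves like the original: the URBs are dropped
 * but whatever context and sg own is never freed. */
void scuttle_anchored(struct anchor *a, urb_destructor_t dtor)
{
    struct urb *u;
    while ((u = a->head)) {
        a->head = u->next;
        if (dtor)
            dtor(u);          /* only the caller knows what context/sg are */
        free(u);              /* usb_free_urb(): the URB itself only */
    }
}
/* What usbnet would pass: the same two frees the patch adds to its own loop. */
static void usbnet_deferred_dtor(struct urb *u)
{
    release(u->context);      /* dev_kfree_skb(urb->context) */
    release(u->sg);           /* kfree(urb->sg) */
}
/* Anchor three deferred URBs, tear them down and count buffers never freed:
 * 5 without a destructor (3 contexts + 2 sg tables), 0 with it. */
int leaked_buffers(int use_dtor)
{
    struct anchor a = { 0 };
    int i, leaked = 0; nbufs = 0;
    anchor_new_urb(&a, 1); anchor_new_urb(&a, 0); anchor_new_urb(&a, 1);
    scuttle_anchored(&a, use_dtor ? usbnet_deferred_dtor : NULL);
    for (i = 0; i < nbufs; i++)
        leaked += !bufs[i].freed;
    return leaked;
}
```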
* Re: [PATCH net] usbnet: Fix memory leak in usbnet_disconnect()
From: patchwork-bot+netdevbpf @ 2022-09-26 18:40 UTC
To: Peilin Ye
Cc: oneukum, davem, edumazet, kuba, pabeni, peilin.ye, gregkh, ming.lei, cong.wang, netdev, linux-usb, linux-kernel

Hello:

This patch was applied to netdev/net.git (master)
by Jakub Kicinski <kuba@kernel.org>:

On Thu, 22 Sep 2022 21:25:51 -0700 you wrote:
> From: Peilin Ye <peilin.ye@bytedance.com>
>
> Currently usbnet_disconnect() unanchors and frees all deferred URBs
> using usb_scuttle_anchored_urbs(), which does not free urb->context,
> causing a memory leak as reported by syzbot.
>
> Use a usb_get_from_anchor() while loop instead, similar to what we did
> in commit 19cfe912c37b ("Bluetooth: btusb: Fix memory leak in
> play_deferred"). Also free urb->sg.
>
> [...]

Here is the summary with links:
  - [net] usbnet: Fix memory leak in usbnet_disconnect()
    https://git.kernel.org/netdev/net/c/a43206156263

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html