* memory leak in do_seccomp

From: syzbot @ 2020-08-11 17:06 UTC
To: andriin, ast, bpf, daniel, john.fastabend, kafai, keescook, kpsingh, linux-kernel, luto, netdev, songliubraving, syzkaller-bugs, wad, yhs

Hello,

syzbot found the following issue on:

HEAD commit:    449dc8c9 Merge tag 'for-v5.9' of git://git.kernel.org/pub/..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15d816c2900000
kernel config:  https://syzkaller.appspot.com/x/.config?x=4810fa4a53b3aa2c
dashboard link: https://syzkaller.appspot.com/bug?extid=3ad9614a12f80994c32e
compiler:       gcc (GCC) 10.1.0-syz 20200507
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=153d30e2900000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3ad9614a12f80994c32e@syzkaller.appspotmail.com

2020/08/09 00:29:47 executed programs: 3
BUG: memory leak
unreferenced object 0xffff88811310ea80 (size 96):
  comm "syz-executor.0", pid 6688, jiffies 4294954707 (age 12.810s)
  hex dump (first 32 bytes):
    01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 30 e0 00 00 c9 ff ff  .........0......
  backtrace:
    [<0000000073bb6e7d>] kmalloc include/linux/slab.h:554 [inline]
    [<0000000073bb6e7d>] kzalloc include/linux/slab.h:666 [inline]
    [<0000000073bb6e7d>] seccomp_prepare_filter kernel/seccomp.c:562 [inline]
    [<0000000073bb6e7d>] seccomp_prepare_user_filter kernel/seccomp.c:604 [inline]
    [<0000000073bb6e7d>] seccomp_set_mode_filter kernel/seccomp.c:1535 [inline]
    [<0000000073bb6e7d>] do_seccomp+0x2ec/0xd40 kernel/seccomp.c:1649
    [<00000000658618a4>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000b8258e4d>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffffc90000e03000 (size 4096):
  comm "syz-executor.0", pid 6688, jiffies 4294954707 (age 12.810s)
  hex dump (first 32 bytes):
    01 00 03 00 00 00 00 00 00 00 00 00 05 00 00 00  ................
    2d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  -...............
  backtrace:
    [<000000003b6a39af>] __vmalloc_node_range+0x2e1/0x3c0 mm/vmalloc.c:2520
    [<00000000eee59e12>] __vmalloc_node mm/vmalloc.c:2552 [inline]
    [<00000000eee59e12>] __vmalloc+0x49/0x50 mm/vmalloc.c:2566
    [<000000006e13ac2a>] bpf_prog_alloc_no_stats+0x32/0x100 kernel/bpf/core.c:85
    [<00000000cff3572c>] bpf_prog_alloc+0x1c/0xb0 kernel/bpf/core.c:111
    [<000000003222ffa9>] bpf_prog_create_from_user+0x5f/0x2a0 net/core/filter.c:1409
    [<00000000baa576ae>] seccomp_prepare_filter kernel/seccomp.c:567 [inline]
    [<00000000baa576ae>] seccomp_prepare_user_filter kernel/seccomp.c:604 [inline]
    [<00000000baa576ae>] seccomp_set_mode_filter kernel/seccomp.c:1535 [inline]
    [<00000000baa576ae>] do_seccomp+0x32e/0xd40 kernel/seccomp.c:1649
    [<00000000658618a4>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000b8258e4d>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff888113bc1c00 (size 1024):
  comm "syz-executor.0", pid 6688, jiffies 4294954707 (age 12.810s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<000000000466b245>] kmalloc include/linux/slab.h:554 [inline]
    [<000000000466b245>] kzalloc include/linux/slab.h:666 [inline]
    [<000000000466b245>] bpf_prog_alloc_no_stats+0x73/0x100 kernel/bpf/core.c:89
    [<00000000cff3572c>] bpf_prog_alloc+0x1c/0xb0 kernel/bpf/core.c:111
    [<000000003222ffa9>] bpf_prog_create_from_user+0x5f/0x2a0 net/core/filter.c:1409
    [<00000000baa576ae>] seccomp_prepare_filter kernel/seccomp.c:567 [inline]
    [<00000000baa576ae>] seccomp_prepare_user_filter kernel/seccomp.c:604 [inline]
    [<00000000baa576ae>] seccomp_set_mode_filter kernel/seccomp.c:1535 [inline]
    [<00000000baa576ae>] do_seccomp+0x32e/0xd40 kernel/seccomp.c:1649
    [<00000000658618a4>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000b8258e4d>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff8881154cb860 (size 32):
  comm "syz-executor.0", pid 6688, jiffies 4294954707 (age 12.810s)
  hex dump (first 32 bytes):
    01 00 73 74 65 6d 64 2d 00 5c d6 19 81 88 ff ff  ..stemd-.\......
    65 72 76 69 63 65 00 00 00 00 00 00 00 00 00 00  ervice..........
  backtrace:
    [<00000000561d65d4>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000561d65d4>] bpf_prog_store_orig_filter+0x33/0xa0 net/core/filter.c:1131
    [<000000005d9b7cd2>] bpf_prog_create_from_user+0xda/0x2a0 net/core/filter.c:1422
    [<00000000baa576ae>] seccomp_prepare_filter kernel/seccomp.c:567 [inline]
    [<00000000baa576ae>] seccomp_prepare_user_filter kernel/seccomp.c:604 [inline]
    [<00000000baa576ae>] seccomp_set_mode_filter kernel/seccomp.c:1535 [inline]
    [<00000000baa576ae>] do_seccomp+0x32e/0xd40 kernel/seccomp.c:1649
    [<00000000658618a4>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000b8258e4d>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff888119d65c00 (size 32):
  comm "syz-executor.0", pid 6688, jiffies 4294954707 (age 12.810s)
  hex dump (first 32 bytes):
    06 00 00 00 fb ff ff 7f 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<00000000ad603142>] kmemdup+0x23/0x50 mm/util.c:127
    [<0000000001d3eabf>] kmemdup include/linux/string.h:479 [inline]
    [<0000000001d3eabf>] bpf_prog_store_orig_filter+0x5e/0xa0 net/core/filter.c:1138
    [<000000005d9b7cd2>] bpf_prog_create_from_user+0xda/0x2a0 net/core/filter.c:1422
    [<00000000baa576ae>] seccomp_prepare_filter kernel/seccomp.c:567 [inline]
    [<00000000baa576ae>] seccomp_prepare_user_filter kernel/seccomp.c:604 [inline]
    [<00000000baa576ae>] seccomp_set_mode_filter kernel/seccomp.c:1535 [inline]
    [<00000000baa576ae>] do_seccomp+0x32e/0xd40 kernel/seccomp.c:1649
    [<00000000658618a4>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000b8258e4d>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff8881131ecb00 (size 96):
  comm "syz-executor.0", pid 6688, jiffies 4294954707 (age 12.810s)
  hex dump (first 32 bytes):
    01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
    80 ea 10 13 81 88 ff ff 00 b0 d8 00 00 c9 ff ff  ................
  backtrace:
    [<0000000073bb6e7d>] kmalloc include/linux/slab.h:554 [inline]
    [<0000000073bb6e7d>] kzalloc include/linux/slab.h:666 [inline]
    [<0000000073bb6e7d>] seccomp_prepare_filter kernel/seccomp.c:562 [inline]
    [<0000000073bb6e7d>] seccomp_prepare_user_filter kernel/seccomp.c:604 [inline]
    [<0000000073bb6e7d>] seccomp_set_mode_filter kernel/seccomp.c:1535 [inline]
    [<0000000073bb6e7d>] do_seccomp+0x2ec/0xd40 kernel/seccomp.c:1649
    [<00000000658618a4>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000b8258e4d>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811310e400 (size 96):
  comm "syz-executor.0", pid 6702, jiffies 4294955242 (age 7.460s)
  hex dump (first 32 bytes):
    01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 50 e1 00 00 c9 ff ff  .........P......
  backtrace:
    [<0000000073bb6e7d>] kmalloc include/linux/slab.h:554 [inline]
    [<0000000073bb6e7d>] kzalloc include/linux/slab.h:666 [inline]
    [<0000000073bb6e7d>] seccomp_prepare_filter kernel/seccomp.c:562 [inline]
    [<0000000073bb6e7d>] seccomp_prepare_user_filter kernel/seccomp.c:604 [inline]
    [<0000000073bb6e7d>] seccomp_set_mode_filter kernel/seccomp.c:1535 [inline]
    [<0000000073bb6e7d>] do_seccomp+0x2ec/0xd40 kernel/seccomp.c:1649
    [<00000000658618a4>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000b8258e4d>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
* Re: memory leak in do_seccomp

From: syzbot @ 2020-08-31 3:50 UTC
To: andriin, ast, bpf, daniel, john.fastabend, kafai, keescook, kpsingh, linux-kernel, luto, netdev, songliubraving, syzkaller-bugs, wad, yhs

syzbot has found a reproducer for the following issue on:

HEAD commit:    dcc5c6f0 Merge tag 'x86-urgent-2020-08-30' of git://git.ke..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10b297d5900000
kernel config:  https://syzkaller.appspot.com/x/.config?x=903b9fecc3c6d231
dashboard link: https://syzkaller.appspot.com/bug?extid=3ad9614a12f80994c32e
compiler:       gcc (GCC) 10.1.0-syz 20200507
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14649561900000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=118aacc1900000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3ad9614a12f80994c32e@syzkaller.appspotmail.com

executing program
executing program
executing program
executing program
executing program
BUG: memory leak
unreferenced object 0xffff88811ba93600 (size 64):
  comm "syz-executor680", pid 6503, jiffies 4294951104 (age 21.940s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 08 36 a9 1b 81 88 ff ff  .........6......
    08 36 a9 1b 81 88 ff ff 11 ce 98 89 3a d5 b4 8f  .6..........:...
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811ba936c0 (size 64):
  comm "syz-executor680", pid 6507, jiffies 4294951104 (age 21.940s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 c8 36 a9 1b 81 88 ff ff  .........6......
    c8 36 a9 1b 81 88 ff ff da fb d1 41 a1 10 39 25  .6.........A..9%
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811ba93700 (size 64):
  comm "syz-executor680", pid 6509, jiffies 4294951104 (age 21.940s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 08 37 a9 1b 81 88 ff ff  .........7......
    08 37 a9 1b 81 88 ff ff d9 22 de 70 43 30 b3 2f  .7.......".pC0./
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811ba93800 (size 64):
  comm "syz-executor680", pid 6511, jiffies 4294951104 (age 21.940s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 08 38 a9 1b 81 88 ff ff  .........8......
    08 38 a9 1b 81 88 ff ff e4 c1 14 15 81 90 49 44  .8............ID
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff8881193cb800 (size 64):
  comm "syz-executor680", pid 6506, jiffies 4294951104 (age 21.940s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 08 b8 3c 19 81 88 ff ff  ..........<.....
    08 b8 3c 19 81 88 ff ff 87 43 ff ae fd 23 b0 15  ..<......C...#..
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff8881193cb740 (size 64):
  comm "syz-executor680", pid 6513, jiffies 4294951104 (age 21.940s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 48 b7 3c 19 81 88 ff ff  ........H.<.....
    48 b7 3c 19 81 88 ff ff 0b 68 b6 93 80 9b 8d 35  H.<......h.....5
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff8881193cb640 (size 64):
  comm "syz-executor680", pid 6515, jiffies 4294951105 (age 21.930s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 48 b6 3c 19 81 88 ff ff  ........H.<.....
    48 b6 3c 19 81 88 ff ff b4 5e 22 0a b5 50 fa a5  H.<......^"..P..
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
backtrace: [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline] [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline] [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline] [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline] [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649 [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 BUG: memory leak unreferenced object 0xffff88811ba93600 (size 64): comm "syz-executor680", pid 6503, jiffies 4294951104 (age 29.390s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 08 36 a9 1b 81 88 ff ff .........6...... 08 36 a9 1b 81 88 ff ff 11 ce 98 89 3a d5 b4 8f .6..........:... backtrace: [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline] [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline] [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline] [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline] [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649 [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 BUG: memory leak unreferenced object 0xffff88811ba936c0 (size 64): comm "syz-executor680", pid 6507, jiffies 4294951104 (age 29.390s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 c8 36 a9 1b 81 88 ff ff .........6...... 
c8 36 a9 1b 81 88 ff ff da fb d1 41 a1 10 39 25 .6.........A..9% backtrace: [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline] [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline] [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline] [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline] [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649 [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 BUG: memory leak unreferenced object 0xffff88811ba93700 (size 64): comm "syz-executor680", pid 6509, jiffies 4294951104 (age 29.390s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 08 37 a9 1b 81 88 ff ff .........7...... 08 37 a9 1b 81 88 ff ff d9 22 de 70 43 30 b3 2f .7.......".pC0./ backtrace: [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline] [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline] [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline] [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline] [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649 [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 BUG: memory leak unreferenced object 0xffff88811ba93800 (size 64): comm "syz-executor680", pid 6511, jiffies 4294951104 (age 29.390s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 08 38 a9 1b 81 88 ff ff .........8...... 
08 38 a9 1b 81 88 ff ff e4 c1 14 15 81 90 49 44 .8............ID backtrace: [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline] [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline] [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline] [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline] [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649 [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 BUG: memory leak unreferenced object 0xffff8881193cb800 (size 64): comm "syz-executor680", pid 6506, jiffies 4294951104 (age 29.390s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 08 b8 3c 19 81 88 ff ff ..........<..... 08 b8 3c 19 81 88 ff ff 87 43 ff ae fd 23 b0 15 ..<......C...#.. backtrace: [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline] [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline] [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline] [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline] [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649 [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 BUG: memory leak unreferenced object 0xffff8881193cb740 (size 64): comm "syz-executor680", pid 6513, jiffies 4294951104 (age 29.390s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 48 b7 3c 19 81 88 ff ff ........H.<..... 
48 b7 3c 19 81 88 ff ff 0b 68 b6 93 80 9b 8d 35 H.<......h.....5 backtrace: [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline] [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline] [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline] [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline] [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649 [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 BUG: memory leak unreferenced object 0xffff8881193cb640 (size 64): comm "syz-executor680", pid 6515, jiffies 4294951105 (age 29.380s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 48 b6 3c 19 81 88 ff ff ........H.<..... 48 b6 3c 19 81 88 ff ff b4 5e 22 0a b5 50 fa a5 H.<......^"..P.. backtrace: [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline] [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline] [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline] [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline] [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649 [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 executing program executing program ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: memory leak in do_seccomp
  2020-08-31  3:50 ` syzbot
@ 2020-08-31 23:25 ` Kees Cook
  2020-09-01  0:09   ` Tycho Andersen

From: Kees Cook @ 2020-08-31 23:25 UTC
To: Tycho Andersen, Christian Brauner
Cc: linux-kernel, luto, syzbot, syzkaller-bugs, wad

On Sun, Aug 30, 2020 at 08:50:15PM -0700, syzbot wrote:
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: dcc5c6f0 Merge tag 'x86-urgent-2020-08-30' of git://git.ke..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=10b297d5900000
> kernel config: https://syzkaller.appspot.com/x/.config?x=903b9fecc3c6d231
> dashboard link: https://syzkaller.appspot.com/bug?extid=3ad9614a12f80994c32e
> compiler: gcc (GCC) 10.1.0-syz 20200507
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14649561900000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=118aacc1900000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+3ad9614a12f80994c32e@syzkaller.appspotmail.com
>
> executing program
> executing program
> executing program
> executing program
> executing program
> BUG: memory leak
> unreferenced object 0xffff88811ba93600 (size 64):
>   comm "syz-executor680", pid 6503, jiffies 4294951104 (age 21.940s)
>   hex dump (first 32 bytes):
>     00 00 00 00 00 00 00 00 08 36 a9 1b 81 88 ff ff  .........6......
>     08 36 a9 1b 81 88 ff ff 11 ce 98 89 3a d5 b4 8f  .6..........:...
>   backtrace:
>     [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
>     [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
>     [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
>     [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
>     [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
>     [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
>     [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

I haven't narrowed this down yet (and it *might* be a false positive),
but it looks like this is filter->notif. The only way that's possible is
if seccomp_notify_release() was never called *and* seccomp_filter_free()
got called... which would imply a reference counting problem. The way
there doesn't jump out at me yet, but I haven't yet decoded the C
reproducer into the actual seccomp arguments, etc.

-- 
Kees Cook
* Re: memory leak in do_seccomp
  2020-08-31 23:25 ` Kees Cook
@ 2020-09-01  0:09 ` Tycho Andersen
  2020-09-01  1:14   ` Tycho Andersen

From: Tycho Andersen @ 2020-09-01  0:09 UTC
To: Kees Cook
Cc: Christian Brauner, linux-kernel, luto, syzbot, syzkaller-bugs, wad, Tycho Andersen

On Mon, Aug 31, 2020 at 04:25:35PM -0700, Kees Cook wrote:
> On Sun, Aug 30, 2020 at 08:50:15PM -0700, syzbot wrote:
> > syzbot has found a reproducer for the following issue on:
> >
> > HEAD commit: dcc5c6f0 Merge tag 'x86-urgent-2020-08-30' of git://git.ke..
> > git tree: upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=10b297d5900000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=903b9fecc3c6d231
> > dashboard link: https://syzkaller.appspot.com/bug?extid=3ad9614a12f80994c32e
> > compiler: gcc (GCC) 10.1.0-syz 20200507
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14649561900000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=118aacc1900000
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+3ad9614a12f80994c32e@syzkaller.appspotmail.com
> >
> > executing program
> > executing program
> > executing program
> > executing program
> > executing program
> > BUG: memory leak
> > unreferenced object 0xffff88811ba93600 (size 64):
> >   comm "syz-executor680", pid 6503, jiffies 4294951104 (age 21.940s)
> >   hex dump (first 32 bytes):
> >     00 00 00 00 00 00 00 00 08 36 a9 1b 81 88 ff ff  .........6......
> >     08 36 a9 1b 81 88 ff ff 11 ce 98 89 3a d5 b4 8f  .6..........:...
> >   backtrace:
> >     [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
> >     [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
> >     [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
> >     [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
> >     [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
> >     [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
> >     [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> I haven't narrowed this down yet (and it *might* be a false positive),
> but it looks like this is filter->notif. The only way that's possible is
> if seccomp_notify_release() was never called *and* seccomp_filter_free()
> got called... which would imply a reference counting problem. The way
> there doesn't jump out at me yet, but I haven't yet decoded the C
> reproducer into the actual seccomp arguments, etc.

Looks like it's just a bunch of threads in the same thread group
trying to install a filter with TSYNC and NEW_LISTENER turned on. Does
the patch below look reasonable?

I didn't send it separately since I'm in the process of switching my
e-mail address to tycho@tycho.pizza; let this e-mail serve as proof
that that e-mail really is me too :). I can send it the normal way if
it looks good.


From d497e787e8e1b3e8b9230fdc4c9802616709c920 Mon Sep 17 00:00:00 2001
From: Tycho Andersen <tycho@tycho.pizza>
Date: Mon, 31 Aug 2020 17:55:07 -0600
Subject: [PATCH] seccomp: don't leak memory when filter install races

In seccomp_set_mode_filter() with TSYNC | NEW_LISTENER, we first initialize
the listener fd, then check to see if we can actually use it later in
seccomp_may_assign_mode(), which can fail if anyone else in our thread
group has installed a filter and caused some divergence. If we can't, we
partially clean up the newly allocated file: we put the fd, put the file,
but don't actually clean up the *memory* that was allocated at
filter->notif. Let's clean that up too.

Fixes: 51891498f2da ("seccomp: allow TSYNC and USER_NOTIF together")
Reported-by: syzbot+3ad9614a12f80994c32e@syzkaller.appspotmail.com
Signed-off-by: Tycho Andersen <tycho@tycho.pizza>
---
 kernel/seccomp.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index 3ee59ce0a323..21a76127833f 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -1581,6 +1581,8 @@ static long seccomp_set_mode_filter(unsigned int flags,
 		listener_f->private_data = NULL;
 		fput(listener_f);
 		put_unused_fd(listener);
+		kfree(filter->notif);
+		filter->notif = NULL;
 	} else {
 		fd_install(listener, listener_f);
 		ret = listener;

base-commit: b51594df17d0ce80b9f9f35394a1f42d7ac94472
-- 
2.25.1
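Review bot: the two added lines free the wrong object. In seccomp_set_mode_filter() the struct seccomp_filter being built is `prepared`; `filter` is the function's userspace program-pointer argument and has no `notif` member, so `kfree(filter->notif); filter->notif = NULL;` should read `kfree(prepared->notif); prepared->notif = NULL;` (the same s/filter/prepared/ correction is made later in the thread). The identical free-and-NULL pair already exists in seccomp_notify_release(), so a small shared helper would keep the two cleanup paths from diverging again, and a selftest that installs differing filters from two threads of one group with TSYNC | NEW_LISTENER, then checks kmemleak, would cover the error path this hunk touches.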
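The commit message above describes the kernel-side error path: with TSYNC | NEW_LISTENER the listener is set up before seccomp_may_assign_mode() decides whether the thread group can actually take the filter. Below is an added example, not code from the thread or from the kernel tree, showing the user-space side of that same call: it builds a small user-notification filter, installs it with the flag combination syzbot raced, and interprets the outcome, including the ESRCH result a caller sees when a sibling thread has diverged (the case in which the kernel unwinds the listener). The flag and return-code values are the UAPI ones; the helper names (build_notify_filter, classify_seccomp_result, install_notify_filter) and the enum are this example's own.

```c
/* Added example, not code from the thread or the kernel tree: the user-space
 * side of the seccomp() call whose error path the thread discusses. It builds a
 * small user-notification filter, installs it with TSYNC | NEW_LISTENER (the
 * combination syzbot raced from several threads) and interprets the result.
 * Flag and return-code values are the UAPI ones; the helper names are ours. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Fallbacks for older UAPI headers; values match include/uapi/linux/seccomp.h. */
#ifndef SECCOMP_FILTER_FLAG_NEW_LISTENER
#define SECCOMP_FILTER_FLAG_NEW_LISTENER (1UL << 3)
#endif
#ifndef SECCOMP_FILTER_FLAG_TSYNC_ESRCH
#define SECCOMP_FILTER_FLAG_TSYNC_ESRCH (1UL << 4)
#endif
#ifndef SECCOMP_RET_USER_NOTIF
#define SECCOMP_RET_USER_NOTIF 0x7fc00000U
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif
#if defined(__x86_64__)
#define EXAMPLE_ARCH AUDIT_ARCH_X86_64
#else
#define EXAMPLE_ARCH 0 /* other arches: the arch check below fails closed */
#endif

#define NOTIFY_FILTER_LEN 7

enum seccomp_outcome {
	OUTCOME_LISTENER_FD,  /* installed on every thread; ret is the listener fd */
	OUTCOME_DIVERGED,     /* ESRCH: a sibling thread's filters diverged; nothing installed */
	OUTCOME_BAD_FLAGS,    /* EINVAL: e.g. TSYNC|NEW_LISTENER without TSYNC_ESRCH */
	OUTCOME_OTHER_ERROR,
};

/* Write a filter that sends syscall `nr` to the listener and allows the rest. */
size_t build_notify_filter(int nr, struct sock_filter out[NOTIFY_FILTER_LEN])
{
	struct sock_filter prog[NOTIFY_FILTER_LEN] = {
		/* Kill on a foreign ABI: syscall numbers would not mean the same thing. */
		BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, EXAMPLE_ARCH, 1, 0),
		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
		BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned int)nr, 0, 1),
		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF),
		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
	};
	memcpy(out, prog, sizeof(prog));
	return NOTIFY_FILTER_LEN;
}

enum seccomp_outcome classify_seccomp_result(long ret, int err)
{
	if (ret >= 0)
		return OUTCOME_LISTENER_FD;
	if (err == ESRCH)
		return OUTCOME_DIVERGED;
	if (err == EINVAL)
		return OUTCOME_BAD_FLAGS;
	return OUTCOME_OTHER_ERROR;
}

/* TSYNC_ESRCH is mandatory alongside TSYNC|NEW_LISTENER so the return value
 * stays unambiguous: a listener fd on success, -1 with errno ESRCH when a
 * thread in the group could not be synchronised. */
long install_notify_filter(int nr, int *err_out)
{
	struct sock_filter insns[NOTIFY_FILTER_LEN];
	struct sock_fprog prog = { .len = (unsigned short)build_notify_filter(nr, insns),
				   .filter = insns };
	unsigned int flags = SECCOMP_FILTER_FLAG_TSYNC | SECCOMP_FILTER_FLAG_NEW_LISTENER |
			     SECCOMP_FILTER_FLAG_TSYNC_ESRCH;
	long ret = -1;

	errno = ENOSYS;
#ifdef __NR_seccomp
	ret = syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, flags, &prog);
#endif
	*err_out = ret < 0 ? errno : 0;
	return ret;
}

int main(void)
{
	int err;
	long ret;

	/* Needed unless the caller holds CAP_SYS_ADMIN in its user namespace. */
	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) {
		perror("prctl(PR_SET_NO_NEW_PRIVS)");
		return 1;
	}
	/* Route getpid(2) to the listener; do not call getpid() afterwards, since
	 * nobody services the listener in this example and the call would block. */
	ret = install_notify_filter(__NR_getpid, &err);
	switch (classify_seccomp_result(ret, err)) {
	case OUTCOME_LISTENER_FD:
		printf("listener fd %ld: the filter is now on every thread\n", ret);
		break;
	case OUTCOME_DIVERGED:
		puts("ESRCH: a sibling thread had diverged; the kernel unwound the listener");
		break;
	case OUTCOME_BAD_FLAGS:
		puts("EINVAL: flag combination rejected");
		break;
	default:
		printf("seccomp: %s\n", strerror(err));
	}
	return 0;
}
```

The ESRCH branch is the user-visible face of the path the patch fixes: the kernel has already allocated the listener state for `prepared` and then learns in seccomp_may_assign_mode() that the group cannot take the filter, so everything allocated for the listener has to be undone, `notif` included. Callers should treat ESRCH as "not installed anywhere" and not assume a partial install.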
* Re: memory leak in do_seccomp
  2020-09-01  0:09 ` Tycho Andersen
@ 2020-09-01  1:14 ` Tycho Andersen
  2020-09-01 10:07   ` Christian Brauner
  2020-09-01 15:08   ` Kees Cook

From: Tycho Andersen @ 2020-09-01  1:14 UTC
To: Kees Cook
Cc: Christian Brauner, linux-kernel, luto, syzbot, syzkaller-bugs, wad

On Mon, Aug 31, 2020 at 06:09:15PM -0600, Tycho Andersen wrote:
> On Mon, Aug 31, 2020 at 04:25:35PM -0700, Kees Cook wrote:
> > On Sun, Aug 30, 2020 at 08:50:15PM -0700, syzbot wrote:
> > > syzbot has found a reproducer for the following issue on:
> > >
> > > HEAD commit: dcc5c6f0 Merge tag 'x86-urgent-2020-08-30' of git://git.ke..
> > > git tree: upstream
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=10b297d5900000
> > > kernel config: https://syzkaller.appspot.com/x/.config?x=903b9fecc3c6d231
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=3ad9614a12f80994c32e
> > > compiler: gcc (GCC) 10.1.0-syz 20200507
> > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14649561900000
> > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=118aacc1900000
> > >
> > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > Reported-by: syzbot+3ad9614a12f80994c32e@syzkaller.appspotmail.com
> > >
> > > executing program
> > > executing program
> > > executing program
> > > executing program
> > > executing program
> > > BUG: memory leak
> > > unreferenced object 0xffff88811ba93600 (size 64):
> > >   comm "syz-executor680", pid 6503, jiffies 4294951104 (age 21.940s)
> > >   hex dump (first 32 bytes):
> > >     00 00 00 00 00 00 00 00 08 36 a9 1b 81 88 ff ff  .........6......
> > >     08 36 a9 1b 81 88 ff ff 11 ce 98 89 3a d5 b4 8f  .6..........:...
> > >   backtrace:
> > >     [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
> > >     [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
> > >     [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
> > >     [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
> > >     [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
> > >     [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
> > >     [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> >
> > I haven't narrowed this down yet (and it *might* be a false positive),
> > but it looks like this is filter->notif. The only way that's possible is
> > if seccomp_notify_release() was never called *and* seccomp_filter_free()
> > got called... which would imply a reference counting problem. The way
> > there doesn't jump out at me yet, but I haven't yet decoded the C
> > reproducer into the actual seccomp arguments, etc.
>
> Looks like it's just a bunch of threads in the same thread group
> trying to install a filter with TSYNC and NEW_LISTENER turned on. Does
> the patch below look reasonable?
>
> I didn't send it separately since I'm in the process of switching my
> e-mail address to tycho@tycho.pizza; let this e-mail serve as proof
> that that e-mail really is me too :). I can send it the normal way if
> it looks good.
>
>
> From d497e787e8e1b3e8b9230fdc4c9802616709c920 Mon Sep 17 00:00:00 2001
> From: Tycho Andersen <tycho@tycho.pizza>
> Date: Mon, 31 Aug 2020 17:55:07 -0600
> Subject: [PATCH] seccomp: don't leak memory when filter install races
>
> In seccomp_set_mode_filter() with TSYNC | NEW_LISTENER, we first initialize
> the listener fd, then check to see if we can actually use it later in
> seccomp_may_assign_mode(), which can fail if anyone else in our thread
> group has installed a filter and caused some divergence. If we can't, we
> partially clean up the newly allocated file: we put the fd, put the file,
> but don't actually clean up the *memory* that was allocated at
> filter->notif. Let's clean that up too.
>
> Fixes: 51891498f2da ("seccomp: allow TSYNC and USER_NOTIF together")
> Reported-by: syzbot+3ad9614a12f80994c32e@syzkaller.appspotmail.com
> Signed-off-by: Tycho Andersen <tycho@tycho.pizza>
> ---
>  kernel/seccomp.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/kernel/seccomp.c b/kernel/seccomp.c
> index 3ee59ce0a323..21a76127833f 100644
> --- a/kernel/seccomp.c
> +++ b/kernel/seccomp.c
> @@ -1581,6 +1581,8 @@ static long seccomp_set_mode_filter(unsigned int flags,
>  		listener_f->private_data = NULL;
>  		fput(listener_f);
>  		put_unused_fd(listener);
> +		kfree(filter->notif);
> +		filter->notif = NULL;

Oof, actually this isn't quite right. It should be s/filter/prepared/g.
I can fix that and send out a real patch that's actually tested at
some point tomorrow.

Tycho
* Re: memory leak in do_seccomp
  2020-09-01  1:14 ` Tycho Andersen
@ 2020-09-01 10:07 ` Christian Brauner
  2020-09-01 15:08 ` Kees Cook

From: Christian Brauner @ 2020-09-01 10:07 UTC
To: Tycho Andersen
Cc: Kees Cook, Christian Brauner, linux-kernel, luto, syzbot, syzkaller-bugs, wad

On Mon, Aug 31, 2020 at 07:14:59PM -0600, Tycho Andersen wrote:
> On Mon, Aug 31, 2020 at 06:09:15PM -0600, Tycho Andersen wrote:
> > On Mon, Aug 31, 2020 at 04:25:35PM -0700, Kees Cook wrote:
> > > On Sun, Aug 30, 2020 at 08:50:15PM -0700, syzbot wrote:
> > > > syzbot has found a reproducer for the following issue on:
> > > >
> > > > HEAD commit: dcc5c6f0 Merge tag 'x86-urgent-2020-08-30' of git://git.ke..
> > > > git tree: upstream
> > > > console output: https://syzkaller.appspot.com/x/log.txt?x=10b297d5900000
> > > > kernel config: https://syzkaller.appspot.com/x/.config?x=903b9fecc3c6d231
> > > > dashboard link: https://syzkaller.appspot.com/bug?extid=3ad9614a12f80994c32e
> > > > compiler: gcc (GCC) 10.1.0-syz 20200507
> > > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14649561900000
> > > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=118aacc1900000
> > > >
> > > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > > Reported-by: syzbot+3ad9614a12f80994c32e@syzkaller.appspotmail.com
> > > >
> > > > executing program
> > > > executing program
> > > > executing program
> > > > executing program
> > > > executing program
> > > > BUG: memory leak
> > > > unreferenced object 0xffff88811ba93600 (size 64):
> > > >   comm "syz-executor680", pid 6503, jiffies 4294951104 (age 21.940s)
> > > >   hex dump (first 32 bytes):
> > > >     00 00 00 00 00 00 00 00 08 36 a9 1b 81 88 ff ff  .........6......
> > > >     08 36 a9 1b 81 88 ff ff 11 ce 98 89 3a d5 b4 8f  .6..........:...
> > > >   backtrace:
> > > >     [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
> > > >     [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
> > > >     [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
> > > >     [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
> > > >     [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
> > > >     [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
> > > >     [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> > >
> > > I haven't narrowed this down yet (and it *might* be a false positive),
> > > but it looks like this is filter->notif. The only way that's possible is
> > > if seccomp_notify_release() was never called *and* seccomp_filter_free()
> > > got called... which would imply a reference counting problem. The way
> > > there doesn't jump out at me yet, but I haven't yet decoded the C
> > > reproducer into the actual seccomp arguments, etc.
> >
> > Looks like it's just a bunch of threads in the same thread group
> > trying to install a filter with TSYNC and NEW_LISTENER turned on. Does
> > the patch below look reasonable?
> >
> > I didn't send it separately since I'm in the process of switching my
> > e-mail address to tycho@tycho.pizza; let this e-mail serve as proof
> > that that e-mail really is me too :). I can send it the normal way if
> > it looks good.
> >
> >
> > From d497e787e8e1b3e8b9230fdc4c9802616709c920 Mon Sep 17 00:00:00 2001
> > From: Tycho Andersen <tycho@tycho.pizza>
> > Date: Mon, 31 Aug 2020 17:55:07 -0600
> > Subject: [PATCH] seccomp: don't leak memory when filter install races
> >
> > In seccomp_set_mode_filter() with TSYNC | NEW_LISTENER, we first initialize
> > the listener fd, then check to see if we can actually use it later in
> > seccomp_may_assign_mode(), which can fail if anyone else in our thread
> > group has installed a filter and caused some divergence. If we can't, we
> > partially clean up the newly allocated file: we put the fd, put the file,
> > but don't actually clean up the *memory* that was allocated at
> > filter->notif. Let's clean that up too.
> >
> > Fixes: 51891498f2da ("seccomp: allow TSYNC and USER_NOTIF together")
> > Reported-by: syzbot+3ad9614a12f80994c32e@syzkaller.appspotmail.com
> > Signed-off-by: Tycho Andersen <tycho@tycho.pizza>
> > ---
> >  kernel/seccomp.c | 2 ++
> >  1 file changed, 2 insertions(+)
> >
> > diff --git a/kernel/seccomp.c b/kernel/seccomp.c
> > index 3ee59ce0a323..21a76127833f 100644
> > --- a/kernel/seccomp.c
> > +++ b/kernel/seccomp.c
> > @@ -1581,6 +1581,8 @@ static long seccomp_set_mode_filter(unsigned int flags,
> >  		listener_f->private_data = NULL;
> >  		fput(listener_f);
> >  		put_unused_fd(listener);
> > +		kfree(filter->notif);
> > +		filter->notif = NULL;
>
> Oof, actually this isn't quite right. It should be s/filter/prepared/g.
> I can fix that and send out a real patch that's actually tested at
> some point tomorrow.

Please do. :)

Do we have tests for this scenario in the selftests, Tycho?

Christian
* Re: memory leak in do_seccomp
  2020-09-01  1:14 ` Tycho Andersen
  2020-09-01 10:07 ` Christian Brauner
@ 2020-09-01 15:08 ` Kees Cook
  2020-09-01 15:26   ` Tycho Andersen

From: Kees Cook @ 2020-09-01 15:08 UTC
To: Tycho Andersen
Cc: Christian Brauner, linux-kernel, luto, syzbot, syzkaller-bugs, wad

On Mon, Aug 31, 2020 at 07:14:59PM -0600, Tycho Andersen wrote:
> On Mon, Aug 31, 2020 at 06:09:15PM -0600, Tycho Andersen wrote:
> > On Mon, Aug 31, 2020 at 04:25:35PM -0700, Kees Cook wrote:
> > > On Sun, Aug 30, 2020 at 08:50:15PM -0700, syzbot wrote:
> > > > syzbot has found a reproducer for the following issue on:
> > > >
> > > > HEAD commit: dcc5c6f0 Merge tag 'x86-urgent-2020-08-30' of git://git.ke..
> > > > git tree: upstream
> > > > console output: https://syzkaller.appspot.com/x/log.txt?x=10b297d5900000
> > > > kernel config: https://syzkaller.appspot.com/x/.config?x=903b9fecc3c6d231
> > > > dashboard link: https://syzkaller.appspot.com/bug?extid=3ad9614a12f80994c32e
> > > > compiler: gcc (GCC) 10.1.0-syz 20200507
> > > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14649561900000
> > > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=118aacc1900000
> > > >
> > > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > > Reported-by: syzbot+3ad9614a12f80994c32e@syzkaller.appspotmail.com
> > > >
> > > > executing program
> > > > executing program
> > > > executing program
> > > > executing program
> > > > executing program
> > > > BUG: memory leak
> > > > unreferenced object 0xffff88811ba93600 (size 64):
> > > >   comm "syz-executor680", pid 6503, jiffies 4294951104 (age 21.940s)
> > > >   hex dump (first 32 bytes):
> > > >     00 00 00 00 00 00 00 00 08 36 a9 1b 81 88 ff ff  .........6......
> > > >     08 36 a9 1b 81 88 ff ff 11 ce 98 89 3a d5 b4 8f  .6..........:...
> > > >   backtrace:
> > > >     [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
> > > >     [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
> > > >     [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
> > > >     [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
> > > >     [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
> > > >     [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
> > > >     [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> > >
> > > I haven't narrowed this down yet (and it *might* be a false positive),
> > > but it looks like this is filter->notif. The only way that's possible is
> > > if seccomp_notify_release() was never called *and* seccomp_filter_free()
> > > got called... which would imply a reference counting problem. The way
> > > there doesn't jump out at me yet, but I haven't yet decoded the C
> > > reproducer into the actual seccomp arguments, etc.
> >
> > Looks like it's just a bunch of threads in the same thread group
> > trying to install a filter with TSYNC and NEW_LISTENER turned on. Does
> > the patch below look reasonable?
> >
> > I didn't send it separately since I'm in the process of switching my
> > e-mail address to tycho@tycho.pizza; let this e-mail serve as proof
> > that that e-mail really is me too :). I can send it the normal way if
> > it looks good.
> >
> >
> > From d497e787e8e1b3e8b9230fdc4c9802616709c920 Mon Sep 17 00:00:00 2001
> > From: Tycho Andersen <tycho@tycho.pizza>
> > Date: Mon, 31 Aug 2020 17:55:07 -0600
> > Subject: [PATCH] seccomp: don't leak memory when filter install races
> >
> > In seccomp_set_mode_filter() with TSYNC | NEW_LISTENER, we first initialize
> > the listener fd, then check to see if we can actually use it later in
> > seccomp_may_assign_mode(), which can fail if anyone else in our thread
> > group has installed a filter and caused some divergence. If we can't, we
> > partially clean up the newly allocated file: we put the fd, put the file,
> > but don't actually clean up the *memory* that was allocated at
> > filter->notif. Let's clean that up too.
> >
> > Fixes: 51891498f2da ("seccomp: allow TSYNC and USER_NOTIF together")
> > Reported-by: syzbot+3ad9614a12f80994c32e@syzkaller.appspotmail.com
> > Signed-off-by: Tycho Andersen <tycho@tycho.pizza>
> > ---
> >  kernel/seccomp.c | 2 ++
> >  1 file changed, 2 insertions(+)
> >
> > diff --git a/kernel/seccomp.c b/kernel/seccomp.c
> > index 3ee59ce0a323..21a76127833f 100644
> > --- a/kernel/seccomp.c
> > +++ b/kernel/seccomp.c
> > @@ -1581,6 +1581,8 @@ static long seccomp_set_mode_filter(unsigned int flags,
> >  		listener_f->private_data = NULL;
> >  		fput(listener_f);
> >  		put_unused_fd(listener);
> > +		kfree(filter->notif);
> > +		filter->notif = NULL;
>
> Oof, actually this isn't quite right. It should be s/filter/prepared/g.
> I can fix that and send out a real patch that's actually tested at
> some point tomorrow.

Ah! Yes, nice catch. I was staring at the wrong failure path. :)

I'm thinking the free/NULL pattern, since it's repeated in a few places,
should likely be a short helper. I'll stare at this some more...

-- 
Kees Cook
* Re: memory leak in do_seccomp
  2020-09-01 15:08 ` Kees Cook
@ 2020-09-01 15:26 ` Tycho Andersen

From: Tycho Andersen @ 2020-09-01 15:26 UTC
To: Kees Cook
Cc: Christian Brauner, linux-kernel, luto, syzbot, syzkaller-bugs, wad

On Tue, Sep 01, 2020 at 08:08:13AM -0700, Kees Cook wrote:
> On Mon, Aug 31, 2020 at 07:14:59PM -0600, Tycho Andersen wrote:
> > On Mon, Aug 31, 2020 at 06:09:15PM -0600, Tycho Andersen wrote:
> > > On Mon, Aug 31, 2020 at 04:25:35PM -0700, Kees Cook wrote:
> > > > On Sun, Aug 30, 2020 at 08:50:15PM -0700, syzbot wrote:
> > > > > syzbot has found a reproducer for the following issue on:
> > > > >
> > > > > HEAD commit: dcc5c6f0 Merge tag 'x86-urgent-2020-08-30' of git://git.ke..
> > > > > git tree: upstream
> > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=10b297d5900000
> > > > > kernel config: https://syzkaller.appspot.com/x/.config?x=903b9fecc3c6d231
> > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=3ad9614a12f80994c32e
> > > > > compiler: gcc (GCC) 10.1.0-syz 20200507
> > > > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14649561900000
> > > > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=118aacc1900000
> > > > >
> > > > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > > > Reported-by: syzbot+3ad9614a12f80994c32e@syzkaller.appspotmail.com
> > > > >
> > > > > executing program
> > > > > executing program
> > > > > executing program
> > > > > executing program
> > > > > executing program
> > > > > BUG: memory leak
> > > > > unreferenced object 0xffff88811ba93600 (size 64):
> > > > >   comm "syz-executor680", pid 6503, jiffies 4294951104 (age 21.940s)
> > > > >   hex dump (first 32 bytes):
> > > > >     00 00 00 00 00 00 00 00 08 36 a9 1b 81 88 ff ff  .........6......
> > > > >     08 36 a9 1b 81 88 ff ff 11 ce 98 89 3a d5 b4 8f  .6..........:...
> > > > >   backtrace:
> > > > >     [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
> > > > >     [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
> > > > >     [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
> > > > >     [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
> > > > >     [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
> > > > >     [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
> > > > >     [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> > > >
> > > > I haven't narrowed this down yet (and it *might* be a false positive),
> > > > but it looks like this is filter->notif. The only way that's possible is
> > > > if seccomp_notify_release() was never called *and* seccomp_filter_free()
> > > > got called... which would imply a reference counting problem. The way
> > > > there doesn't jump out at me yet, but I haven't yet decoded the C
> > > > reproducer into the actual seccomp arguments, etc.
> > >
> > > Looks like it's just a bunch of threads in the same thread group
> > > trying to install a filter with TSYNC and NEW_LISTENER turned on. Does
> > > the patch below look reasonable?
> > >
> > > I didn't send it separately since I'm in the process of switching my
> > > e-mail address to tycho@tycho.pizza; let this e-mail serve as proof
> > > that that e-mail really is me too :). I can send it the normal way if
> > > it looks good.
> > >
> > >
> > > From d497e787e8e1b3e8b9230fdc4c9802616709c920 Mon Sep 17 00:00:00 2001
> > > From: Tycho Andersen <tycho@tycho.pizza>
> > > Date: Mon, 31 Aug 2020 17:55:07 -0600
> > > Subject: [PATCH] seccomp: don't leak memory when filter install races
> > >
> > > In seccomp_set_mode_filter() with TSYNC | NEW_LISTENER, we first initialize
> > > the listener fd, then check to see if we can actually use it later in
> > > seccomp_may_assign_mode(), which can fail if anyone else in our thread
> > > group has installed a filter and caused some divergence. If we can't, we
> > > partially clean up the newly allocated file: we put the fd, put the file,
> > > but don't actually clean up the *memory* that was allocated at
> > > filter->notif. Let's clean that up too.
> > >
> > > Fixes: 51891498f2da ("seccomp: allow TSYNC and USER_NOTIF together")
> > > Reported-by: syzbot+3ad9614a12f80994c32e@syzkaller.appspotmail.com
> > > Signed-off-by: Tycho Andersen <tycho@tycho.pizza>
> > > ---
> > >  kernel/seccomp.c | 2 ++
> > >  1 file changed, 2 insertions(+)
> > >
> > > diff --git a/kernel/seccomp.c b/kernel/seccomp.c
> > > index 3ee59ce0a323..21a76127833f 100644
> > > --- a/kernel/seccomp.c
> > > +++ b/kernel/seccomp.c
> > > @@ -1581,6 +1581,8 @@ static long seccomp_set_mode_filter(unsigned int flags,
> > >  		listener_f->private_data = NULL;
> > >  		fput(listener_f);
> > >  		put_unused_fd(listener);
> > > +		kfree(filter->notif);
> > > +		filter->notif = NULL;
> >
> > Oof, actually this isn't quite right. It should be s/filter/prepared/g.
> > I can fix that and send out a real patch that's actually tested at
> > some point tomorrow.
>
> Ah! Yes, nice catch. I was staring at the wrong failure path. :)
>
> I'm thinking the free/NULL pattern, since it's repeated in a few places,
> should likely be a short helper. I'll stare at this some more...

I think (?) it's just two, one here and one in seccomp_notify_release()
but agreed. Maybe something like (untested):

diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index 3b593b4caaa5..bb0dd9ae699a 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c @@ -1109,13 +1109,12 @@ static long seccomp_set_mode_strict(void) } #ifdef CONFIG_SECCOMP_FILTER -static int seccomp_notify_release(struct inode *inode, struct file *file) +static void seccomp_notify_detach(struct seccomp_filter *filter) { - struct seccomp_filter *filter = file->private_data; struct seccomp_knotif *knotif; if (!filter) - return 0; + return; mutex_lock(&filter->notify_lock); @@ -1142,6 +1141,13 @@ static int seccomp_notify_release(struct inode *inode, struct file *file) kfree(filter->notif); filter->notif = NULL; mutex_unlock(&filter->notify_lock); +} + +static int seccomp_notify_release(struct inode *inode, struct file *file) +{ + struct seccomp_filter *filter = file->private_data; + + seccomp_notify_detach(filter); __put_seccomp_filter(filter); return 0; } @@ -1581,8 +1587,7 @@ static long seccomp_set_mode_filter(unsigned int flags, listener_f->private_data = NULL; fput(listener_f); put_unused_fd(listener); - kfree(prepared->notif); - filter->notif = NULL; + seccomp_notify_detach(prepared); } else { fd_install(listener, listener_f); ret = listener; ^ permalink raw reply related [flat|nested] 11+ messages in thread
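Review bot: in the first two hunks the `if (!filter) return 0;` early return moves out of seccomp_notify_release() into the new seccomp_notify_detach(), so release() now reaches `__put_seccomp_filter(filter);` with `filter == NULL` whenever `file->private_data` is NULL, which is exactly the state the last hunk's failure path creates with `listener_f->private_data = NULL;` before fput(). Either keep an `if (!filter) return 0;` in seccomp_notify_release() or add a comment stating that __put_seccomp_filter() tolerates NULL; as posted the patch relies on that silently. In the last hunk, `seccomp_notify_detach(prepared);` correctly replaces the mismatched `kfree(prepared->notif); filter->notif = NULL;` pair, but note it now also takes `notify_lock` and runs the knotif cleanup between the lock and unlock for a filter that was never attached; a one-line comment that nothing can have queued on an unattached listener would help the next reader. The reply marks this as untested; it should at least be run against the syzbot C reproducer linked earlier in the thread before it is sent as a real patch.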
* memory leak in do_seccomp
From: Sudip Mukherjee @ 2021-07-31 19:20 UTC
To: Kees Cook, Andy Lutomirski, Will Drewry, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend, KP Singh
Cc: linux-kernel, netdev, bpf

Hi All,

We had been running syzkaller on v5.10.y and a "memory leak in do_seccomp" was being reported on it. I got some time to check that today and have managed to get a syzkaller reproducer. I don't have a C reproducer which I can share but I can use the syz-reproducer to reproduce this with next-20210730.
The old report on v5.10.y is at
https://elisa-builder-00.iol.unh.edu/syzkaller/report?id=f6ddd3b592f00e95f9cbd2e74f70a5b04b015c6f

BUG: memory leak
unreferenced object 0xffff888019282c00 (size 512):
  comm "syz-executor.1", pid 7389, jiffies 4294761829 (age 17.841s)
  hex dump (first 32 bytes):
    01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<00000000762c0963>] do_seccomp+0x2d5/0x27d0
    [<0000000006e512d1>] do_syscall_64+0x3b/0x90
    [<0000000094ae9ff8>] entry_SYSCALL_64_after_hwframe+0x44/0xae

BUG: memory leak
unreferenced object 0xffffc900006b5000 (size 4096):
  comm "syz-executor.1", pid 7389, jiffies 4294761829 (age 17.841s)
  hex dump (first 32 bytes):
    01 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<00000000854901e5>] __vmalloc_node_range+0x550/0x9a0
    [<000000002686628f>] __vmalloc_node+0xb5/0x100
    [<0000000004cbd298>] bpf_prog_alloc_no_stats+0x38/0x350
    [<0000000009149728>] bpf_prog_alloc+0x24/0x170
    [<000000000fe7f1e7>] bpf_prog_create_from_user+0xad/0x2e0
    [<000000000c70eb02>] do_seccomp+0x325/0x27d0
    [<0000000006e512d1>] do_syscall_64+0x3b/0x90
    [<0000000094ae9ff8>] entry_SYSCALL_64_after_hwframe+0x44/0xae

BUG: memory leak
unreferenced object 0xffff888026eb1000 (size 2048):
  comm "syz-executor.1", pid 7389, jiffies 4294761829 (age 17.842s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<0000000072de7240>] bpf_prog_alloc_no_stats+0xeb/0x350
    [<0000000009149728>] bpf_prog_alloc+0x24/0x170
    [<000000000fe7f1e7>] bpf_prog_create_from_user+0xad/0x2e0
    [<000000000c70eb02>] do_seccomp+0x325/0x27d0
    [<0000000006e512d1>] do_syscall_64+0x3b/0x90
    [<0000000094ae9ff8>] entry_SYSCALL_64_after_hwframe+0x44/0xae

BUG: memory leak
unreferenced object 0xffff888014dddac0 (size 16):
  comm "syz-executor.1", pid 7389, jiffies 4294761829 (age 17.842s)
  hex dump (first 16 bytes):
    01 00 ca 08 80 88 ff ff c8 ef df 14 80 88 ff ff  ................
  backtrace:
    [<00000000c5d4ed93>] bpf_prog_store_orig_filter+0x7b/0x1e0
    [<000000007cb21c2a>] bpf_prog_create_from_user+0x1c6/0x2e0
    [<000000000c70eb02>] do_seccomp+0x325/0x27d0
    [<0000000006e512d1>] do_syscall_64+0x3b/0x90
    [<0000000094ae9ff8>] entry_SYSCALL_64_after_hwframe+0x44/0xae

BUG: memory leak
unreferenced object 0xffff888014dfefc8 (size 8):
  comm "syz-executor.1", pid 7389, jiffies 4294761829 (age 17.842s)
  hex dump (first 8 bytes):
    06 00 00 00 ff ff ff 7f                          ........
  backtrace:
    [<00000000ee5550f8>] kmemdup+0x23/0x50
    [<00000000f1acd067>] bpf_prog_store_orig_filter+0x103/0x1e0
    [<000000007cb21c2a>] bpf_prog_create_from_user+0x1c6/0x2e0
    [<000000000c70eb02>] do_seccomp+0x325/0x27d0
    [<0000000006e512d1>] do_syscall_64+0x3b/0x90
    [<0000000094ae9ff8>] entry_SYSCALL_64_after_hwframe+0x44/0xae

Not sure if this has been already reported or not, but I will be happy to test if you have a fix for this.

--
Regards
Sudip
* Re: memory leak in do_seccomp
From: Kees Cook @ 2021-08-01 3:25 UTC
To: Sudip Mukherjee
Cc: Andy Lutomirski, Will Drewry, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend, KP Singh, linux-kernel, netdev, bpf, alaaemadhossney.ae, syzkaller, Jann Horn, Tycho Andersen, Sargun Dhillon, Christian Brauner

On Sat, Jul 31, 2021 at 08:20:29PM +0100, Sudip Mukherjee wrote:
> Hi All,
>
> We had been running syzkaller on v5.10.y and a "memory leak in
> do_seccomp" was being reported on it. I got some time to check that
> today and have managed to get a syzkaller
> reproducer. I don't have a C reproducer which I can share but I can use
> the syz-reproducer to reproduce this with next-20210730.
> The old report on v5.10.y is at
> https://elisa-builder-00.iol.unh.edu/syzkaller/report?id=f6ddd3b592f00e95f9cbd2e74f70a5b04b015c6f

Thanks for the details!

Is this the same as what syzbot saw here (with a C reproducer)?
https://syzkaller.appspot.com/bug?id=2809bb0ac77ad9aa3f4afe42d6a610aba594a987

I can't figure out what happened with the "Patch testing request" that was made; there's no link?

>
> BUG: memory leak
> unreferenced object 0xffff888019282c00 (size 512):
>   comm "syz-executor.1", pid 7389, jiffies 4294761829 (age 17.841s)
>   hex dump (first 32 bytes):
>     01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   backtrace:
>     [<00000000762c0963>] do_seccomp+0x2d5/0x27d0

Can you run "./scripts/faddr2line do_seccomp+0x2d5/0x27d0" for this? I expect it'll be:

	sfilter = kzalloc(sizeof(*sfilter), GFP_KERNEL | __GFP_NOWARN);

>     [<0000000006e512d1>] do_syscall_64+0x3b/0x90
>     [<0000000094ae9ff8>] entry_SYSCALL_64_after_hwframe+0x44/0xae

The "size 512" in your v5.10.y report is from seccomp_prepare_filter() (noted above). seccomp_prepare_filter() cleans up its error paths.

>
> BUG: memory leak
> unreferenced object 0xffffc900006b5000 (size 4096):
>   comm "syz-executor.1", pid 7389, jiffies 4294761829 (age 17.841s)
>   hex dump (first 32 bytes):
>     01 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00  ................
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   backtrace:
>     [<00000000854901e5>] __vmalloc_node_range+0x550/0x9a0
>     [<000000002686628f>] __vmalloc_node+0xb5/0x100
>     [<0000000004cbd298>] bpf_prog_alloc_no_stats+0x38/0x350
>     [<0000000009149728>] bpf_prog_alloc+0x24/0x170
>     [<000000000fe7f1e7>] bpf_prog_create_from_user+0xad/0x2e0
>     [<000000000c70eb02>] do_seccomp+0x325/0x27d0
>     [<0000000006e512d1>] do_syscall_64+0x3b/0x90
>     [<0000000094ae9ff8>] entry_SYSCALL_64_after_hwframe+0x44/0xae

Again, I'm curious about where do_seccomp+0x325/0x27d0 is for this, but the matching one in v5.10 shows:

	ret = bpf_prog_create_from_user(&sfilter->prog, fprog,
					seccomp_check_filter, save_orig);

This and everything else remaining below has bpf_prog_create_from_user() in the allocation path.

>
> BUG: memory leak
> unreferenced object 0xffff888026eb1000 (size 2048):
>   comm "syz-executor.1", pid 7389, jiffies 4294761829 (age 17.842s)
>   hex dump (first 32 bytes):
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   backtrace:
>     [<0000000072de7240>] bpf_prog_alloc_no_stats+0xeb/0x350
>     [<0000000009149728>] bpf_prog_alloc+0x24/0x170
>     [<000000000fe7f1e7>] bpf_prog_create_from_user+0xad/0x2e0
>     [<000000000c70eb02>] do_seccomp+0x325/0x27d0
>     [<0000000006e512d1>] do_syscall_64+0x3b/0x90
>     [<0000000094ae9ff8>] entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> BUG: memory leak
> unreferenced object 0xffff888014dddac0 (size 16):
>   comm "syz-executor.1", pid 7389, jiffies 4294761829 (age 17.842s)
>   hex dump (first 16 bytes):
>     01 00 ca 08 80 88 ff ff c8 ef df 14 80 88 ff ff  ................

These are two kernel pointers:
	0xffff888008ca0001 (unaligned by 1 byte?!)
	0xffff888014dfefc8

Ah, no, this is from:

struct sock_fprog_kern {
	u16			len;
	struct sock_filter	*filter;
};

The "ca 08 80 88 ff ff" bytes are uninitialized padding. ;) "len" has a value of 1 (which matches the syzkaller reproducer args below of a single BPF instruction).

	fp->orig_prog = kmalloc(sizeof(*fkprog), GFP_KERNEL);
	if (!fp->orig_prog)
		return -ENOMEM;

	fkprog = fp->orig_prog;
	fkprog->len = fprog->len;
	...
	fkprog->filter = kmemdup(fp->insns, fsize,
				 GFP_KERNEL | __GFP_NOWARN);

>   backtrace:
>     [<00000000c5d4ed93>] bpf_prog_store_orig_filter+0x7b/0x1e0
>     [<000000007cb21c2a>] bpf_prog_create_from_user+0x1c6/0x2e0
>     [<000000000c70eb02>] do_seccomp+0x325/0x27d0
>     [<0000000006e512d1>] do_syscall_64+0x3b/0x90
>     [<0000000094ae9ff8>] entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> BUG: memory leak
> unreferenced object 0xffff888014dfefc8 (size 8):
>   comm "syz-executor.1", pid 7389, jiffies 4294761829 (age 17.842s)
>   hex dump (first 8 bytes):
>     06 00 00 00 ff ff ff 7f                          ........

This contains a userspace (likely stack) pointer, and is referenced by the second pointer above. (i.e. kmemdup() above, but how have the contents become a user stack pointer?)

>   backtrace:
>     [<00000000ee5550f8>] kmemdup+0x23/0x50
>     [<00000000f1acd067>] bpf_prog_store_orig_filter+0x103/0x1e0
>     [<000000007cb21c2a>] bpf_prog_create_from_user+0x1c6/0x2e0
>     [<000000000c70eb02>] do_seccomp+0x325/0x27d0
>     [<0000000006e512d1>] do_syscall_64+0x3b/0x90
>     [<0000000094ae9ff8>] entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> Not sure if this has been already reported or not, but I will be happy
> to test if you have a fix for this.

I was suspecting a missing error path free near bpf_prepare_filter() as called by bpf_prog_create_from_user() here:

	/* bpf_prepare_filter() already takes care of freeing
	 * memory in case something goes wrong.
	 */
	fp = bpf_prepare_filter(fp, trans);
	if (IS_ERR(fp))
		return PTR_ERR(fp);

Since only seccomp and af_packet use bpf_prog_create_from_user(), and af_packet sets neither a "trans" callback nor save_orig. But if "trans" fails (due to some BPF instructions seccomp doesn't support), I'd expect this leak to be detected more often.

bpf_prepare_filter() is documented as cleaning up allocations on failure, though I notice its cleanup differs from bpf_prog_create_from_user()'s, which uses __bpf_prog_free() instead of __bpf_prog_release(). But that should only make a difference for orig_prog getting freed, and bpf_prog_store_orig_filter() should already be freeing that on failures too.

Similarly, bpf_migrate_filter() cleans up on failure too, so this doesn't seem to be it:

	if (!fp->jited)
		fp = bpf_migrate_filter(fp);

	return fp;

So, I'm going to assume the missing free is somehow related to process management, since I see the Syzkaller reproducer mentions SECCOMP_SET_MODE_FILTER_LISTENER, fork(), and ptrace(). :)

Quoting from the v5.10.y report:

> # {Threaded:true Collide:true Repeat:true RepeatTimes:0 Procs:8 Slowdown:1 Sandbox:none Fault:false FaultCall:-1 FaultNth:0 Leak:true NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true UseTmpDir:true HandleSegv:true Repro:false Trace:false}
> seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000000)={0x1, &(0x7f0000000040)=[{0x6, 0x0, 0x0, 0x7fffffff}]})

0x1 is SECCOMP_SET_MODE_FILTER
0x0 is empty flags
{0x6, 0x0, 0x0, 0x7fffffff} is BPF_STMT(BPF_RET, SECCOMP_RET_ALLOW | 0xffff)

For "SECCOMP_SET_MODE_FILTER_LISTENER", defined here:
https://github.com/google/syzkaller/blob/master/sys/linux/seccomp.txt#L15

I was expecting flags to include SECCOMP_FILTER_FLAG_NEW_LISTENER:

seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(
	op const[SECCOMP_SET_MODE_FILTER],
	flags flags[seccomp_flags_listener],
	arg ptr[in, sock_fprog]) fd_seccomp (breaks_returns)

For the flags:

seccomp_flags_listener = SECCOMP_FILTER_FLAG_NEW_LISTENER, SECCOMP_FILTER_FLAG_LOG_LISTENER, SECCOMP_FILTER_FLAG_SPEC_ALLOW_LISTENER

which is:

SECCOMP_FILTER_FLAG_LOG_LISTENER = 10
SECCOMP_FILTER_FLAG_NEW_LISTENER = 8
SECCOMP_FILTER_FLAG_SPEC_ALLOW = 4
SECCOMP_FILTER_FLAG_SPEC_ALLOW_LISTENER = 12

How is flags 0 above? (Maybe I don't understand the syzkaller reproducer meaning fully?)

> r0 = fork()
> ptrace(0x10, r0)

0x10 is PTRACE_ATTACH

My best guess is there is some LISTENER refcount state we can get into where all the processes die, but a reference is left alive.

-Kees

--
Kees Cook
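The hand decoding in the message above (the size-16 object as `struct sock_fprog_kern`, the size-8 object as the single `struct sock_filter` it points at) is the kind of check worth scripting whenever a leak report lists several small objects with the same jiffies. Below is an added example, not code from this thread or from the kernel: it parses the two kmemleak hex-dump lines, reads them with the x86-64 struct layouts, and confirms that the fprog's `filter` pointer is the address of the size-8 object and that the object is one `BPF_RET` returning `SECCOMP_RET_ALLOW`. The BPF and seccomp constants are the UAPI values restated locally so the file builds without kernel headers; the dump strings are copied from the report and the address `0xffff888014dfefc8` is the one kmemleak printed for the size-8 object.

```c
/*
 * Added example, not code from the thread or the kernel: the decoding Kees does
 * by hand above, as a program.  It parses the kmemleak hex-dump lines of the
 * size-16 and size-8 leaked objects, reads them with the x86-64 layouts of
 * struct sock_fprog_kern { u16 len; [6 bytes pad]; struct sock_filter *filter; }
 * and struct sock_filter { u16 code; u8 jt; u8 jf; u32 k; }, and checks that
 * the fprog's filter pointer names the size-8 object.  Constants are the UAPI
 * values from linux/filter.h and linux/seccomp.h, restated so this builds
 * without kernel headers; the dump strings are copied from the report above.
 */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

#define BPF_CLASS(code) ((code) & 0x07)
#define BPF_RVAL(code)  ((code) & 0x18)
#define BPF_RET 0x06
#define BPF_K   0x00
#define SECCOMP_RET_ACTION_FULL 0xffff0000U
#define SECCOMP_RET_DATA        0x0000ffffU
#define SECCOMP_RET_ALLOW       0x7fff0000U

struct sock_filter_dec { uint16_t code; uint8_t jt, jf; uint32_t k; };
struct fprog_kern_dec  { uint16_t len; uint64_t filter; };

/* Constructed input: the two smallest objects from the report above. */
static const char FPROG_DUMP[]  = "01 00 ca 08 80 88 ff ff c8 ef df 14 80 88 ff ff  ................";
static const char FILTER_DUMP[] = "06 00 00 00 ff ff ff 7f  ........";
static const uint64_t FILTER_OBJ_ADDR = 0xffff888014dfefc8ULL; /* the "(size 8)" object */

static int hexval(int c) { return isdigit(c) ? c - '0' : tolower(c) - 'a' + 10; }

/* Parse the byte column of one kmemleak hex dump line; stops at the double space
 * before the ASCII column.  Returns bytes parsed, or -1 if more than max. */
static int parse_hex_dump(const char *s, uint8_t *out, size_t max)
{
	size_t n = 0;
	for (;;) {
		if (s[0] == ' ' && s[1] == ' ')
			break;
		while (*s == ' ')
			s++;
		if (!isxdigit((unsigned char)s[0]) || !isxdigit((unsigned char)s[1]))
			break;
		if (n == max)
			return -1;
		out[n++] = (uint8_t)((hexval((unsigned char)s[0]) << 4) | hexval((unsigned char)s[1]));
		s += 2;
	}
	return (int)n;
}

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t le32(const uint8_t *p) { return (uint32_t)le16(p) | (uint32_t)le16(p + 2) << 16; }
static uint64_t le64(const uint8_t *p) { return (uint64_t)le32(p) | (uint64_t)le32(p + 4) << 32; }

static struct sock_filter_dec decode_sock_filter(const uint8_t *b)
{
	struct sock_filter_dec f = { le16(b), b[2], b[3], le32(b + 4) };
	return f;
}

/* Bytes 2..7 are the padding Kees points out; only len and the pointer carry data. */
static struct fprog_kern_dec decode_sock_fprog_kern(const uint8_t *b)
{
	struct fprog_kern_dec p = { le16(b), le64(b + 8) };
	return p;
}

/* BPF_RET|BPF_K returning SECCOMP_RET_ALLOW, whatever the low 16 data bits hold. */
static int is_ret_allow(struct sock_filter_dec f)
{
	return BPF_CLASS(f.code) == BPF_RET && BPF_RVAL(f.code) == BPF_K &&
	       (f.k & SECCOMP_RET_ACTION_FULL) == SECCOMP_RET_ALLOW;
}

/* 1 when the size-16 object is a sock_fprog_kern whose filter pointer is the size-8
 * object and that object is one RET ALLOW insn: the kmalloc() + kmemdup() pair from
 * bpf_prog_store_orig_filter(), i.e. one leaked orig_prog, not two unrelated leaks. */
static int leaks_form_orig_filter(void)
{
	uint8_t a[16], b[8];
	if (parse_hex_dump(FPROG_DUMP, a, sizeof a) != 16 || parse_hex_dump(FILTER_DUMP, b, sizeof b) != 8)
		return 0;
	struct fprog_kern_dec p = decode_sock_fprog_kern(a);
	struct sock_filter_dec f = decode_sock_filter(b);
	return p.len == 1 && p.filter == FILTER_OBJ_ADDR && is_ret_allow(f);
}

int main(void)
{
	uint8_t a[16], b[8];
	parse_hex_dump(FPROG_DUMP, a, sizeof a);
	parse_hex_dump(FILTER_DUMP, b, sizeof b);
	struct fprog_kern_dec p = decode_sock_fprog_kern(a);
	struct sock_filter_dec f = decode_sock_filter(b);
	printf("sock_fprog_kern: len=%u filter=0x%016llx\n", (unsigned)p.len, (unsigned long long)p.filter);
	printf("sock_filter: code=0x%04x k=0x%08x -> %s, data=0x%04x\n", (unsigned)f.code, f.k,
	       is_ret_allow(f) ? "SECCOMP_RET_ALLOW" : "other action", f.k & SECCOMP_RET_DATA);
	printf("one orig_prog allocation pair: %s\n", leaks_form_orig_filter() ? "yes" : "no");
	return 0;
}
```

The point of `leaks_form_orig_filter()` is that the five "BUG: memory leak" entries are not independent: once the size-8 address shows up inside the size-16 object, the last two entries collapse into the single `orig_prog` that `bpf_prog_store_orig_filter()` attaches to the `bpf_prog`, which narrows the search to whatever failed to free the program itself.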
* Re: memory leak in do_seccomp
From: Sudip Mukherjee @ 2021-08-01 21:10 UTC
To: Kees Cook
Cc: Andy Lutomirski, Will Drewry, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend, KP Singh, linux-kernel, netdev, bpf, alaaemadhossney.ae, syzkaller, Jann Horn, Tycho Andersen, Sargun Dhillon, Christian Brauner

Hi Kees,

On Sun, Aug 1, 2021 at 4:26 AM Kees Cook <keescook@chromium.org> wrote:
>
> On Sat, Jul 31, 2021 at 08:20:29PM +0100, Sudip Mukherjee wrote:
> > Hi All,
> >
> > We had been running syzkaller on v5.10.y and a "memory leak in
> > do_seccomp" was being reported on it. I got some time to check that
> > today and have managed to get a syzkaller
> > reproducer. I don't have a C reproducer which I can share but I can use
> > the syz-reproducer to reproduce this with next-20210730.
> > The old report on v5.10.y is at
> > https://elisa-builder-00.iol.unh.edu/syzkaller/report?id=f6ddd3b592f00e95f9cbd2e74f70a5b04b015c6f
>
> Thanks for the details!
>
> Is this the same as what syzbot saw here (with a C reproducer)?
> https://syzkaller.appspot.com/bug?id=2809bb0ac77ad9aa3f4afe42d6a610aba594a987

Looks similar but it says it's fixed and I still get it with the reproducer I have.

>
> I can't figure out what happened with the "Patch testing request" that
> was made; there's no link?

Looks like it has been merged with a566a9012acd ("seccomp: don't leak memory when filter install races")

>
> >
> > BUG: memory leak
> > unreferenced object 0xffff888019282c00 (size 512):
> >   comm "syz-executor.1", pid 7389, jiffies 4294761829 (age 17.841s)
> >   hex dump (first 32 bytes):
> >     01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
> >     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> >   backtrace:
> >     [<00000000762c0963>] do_seccomp+0x2d5/0x27d0
>
> Can you run "./scripts/faddr2line do_seccomp+0x2d5/0x27d0" for this? I
> expect it'll be:
> 	sfilter = kzalloc(sizeof(*sfilter), GFP_KERNEL | __GFP_NOWARN);

Yes, it is from "(inlined by) seccomp_prepare_filter at kernel/seccomp.c:661". I did:

$ scripts/faddr2line vmlinux do_seccomp+0x2d5/0x27d0
do_seccomp+0x2d5/0x27d0:
kmalloc at include/linux/slab.h:591
(inlined by) kzalloc at include/linux/slab.h:721
(inlined by) seccomp_prepare_filter at kernel/seccomp.c:661
(inlined by) seccomp_prepare_user_filter at kernel/seccomp.c:703
(inlined by) seccomp_set_mode_filter at kernel/seccomp.c:1852
(inlined by) do_seccomp at kernel/seccomp.c:1972

>
> >     [<0000000006e512d1>] do_syscall_64+0x3b/0x90
> >     [<0000000094ae9ff8>] entry_SYSCALL_64_after_hwframe+0x44/0xae
>
<snip>
>
> My best guess is there is some LISTENER refcount state we can get into
> where all the processes die, but a reference is left alive.

Will be happy to run any debug patch if you need.

--
Regards
Sudip
end of thread, other threads:[~2021-08-01 21:11 UTC | newest]

Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-08-11 17:06 memory leak in do_seccomp syzbot
2020-08-31  3:50 ` syzbot
2020-08-31 23:25 ` Kees Cook
2020-09-01  0:09 ` Tycho Andersen
2020-09-01  1:14 ` Tycho Andersen
2020-09-01 10:07 ` Christian Brauner
2020-09-01 15:08 ` Kees Cook
2020-09-01 15:26 ` Tycho Andersen
2021-07-31 19:20 memory leak in do_seccomp Sudip Mukherjee
2021-08-01  3:25 ` Kees Cook
2021-08-01 21:10 ` Sudip Mukherjee