linux-kernel.vger.kernel.org archive mirror
* memory leak in fdb_create
@ 2019-06-24  7:27 syzbot
From: syzbot @ 2019-06-24  7:27 UTC (permalink / raw)
  To: bridge, davem, linux-kernel, netdev, nikolay, roopa, syzkaller-bugs

Hello,

syzbot found the following crash on:

HEAD commit:    abf02e29 Merge tag 'pm-5.2-rc6' of git://git.kernel.org/pu..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12970eb2a00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=56f1da14935c3cce
dashboard link: https://syzkaller.appspot.com/bug?extid=88533dc8b582309bf3ee
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16de5c06a00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10546026a00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+88533dc8b582309bf3ee@syzkaller.appspotmail.com

BUG: memory leak
unreferenced object 0xffff888123886800 (size 128):
   comm "softirq", pid 0, jiffies 4294945699 (age 13.160s)
   hex dump (first 32 bytes):
     81 89 f8 20 81 88 ff ff 00 00 00 00 00 00 00 00  ... ............
     32 f9 fc b7 11 e2 01 00 00 00 00 00 00 00 00 00  2...............
   backtrace:
     [<00000000ca2421fa>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
     [<00000000ca2421fa>] slab_post_alloc_hook mm/slab.h:439 [inline]
     [<00000000ca2421fa>] slab_alloc mm/slab.c:3326 [inline]
     [<00000000ca2421fa>] kmem_cache_alloc+0x134/0x270 mm/slab.c:3488
     [<000000007faade68>] fdb_create+0x49/0x5a0 net/bridge/br_fdb.c:492
     [<00000000772dfc36>] fdb_insert+0xb7/0x100 net/bridge/br_fdb.c:536
     [<00000000ded35dd0>] br_fdb_insert+0x3b/0x60 net/bridge/br_fdb.c:552
     [<00000000758ae277>] __vlan_add+0x617/0xdf0 net/bridge/br_vlan.c:284
     [<0000000054c3b165>] br_vlan_add+0x26f/0x480 net/bridge/br_vlan.c:678
     [<00000000ed895462>] br_vlan_init+0xe9/0x130 net/bridge/br_vlan.c:1061
     [<00000000f916c753>] br_dev_init+0xa6/0x170 net/bridge/br_device.c:137
     [<00000000a4e1a1ea>] register_netdevice+0xbf/0x600 net/core/dev.c:8663
     [<00000000bdcf4ebd>] register_netdev+0x24/0x40 net/core/dev.c:8851
     [<0000000042e6c0c4>] br_add_bridge+0x5e/0xa0 net/bridge/br_if.c:456
     [<0000000036402409>] br_ioctl_deviceless_stub+0x30c/0x350 net/bridge/br_ioctl.c:374
     [<00000000e57c9a76>] sock_ioctl+0x287/0x480 net/socket.c:1141
     [<00000000109b8329>] vfs_ioctl fs/ioctl.c:46 [inline]
     [<00000000109b8329>] file_ioctl fs/ioctl.c:509 [inline]
     [<00000000109b8329>] do_vfs_ioctl+0x62a/0x810 fs/ioctl.c:696
     [<00000000d8eb5a5e>] ksys_ioctl+0x86/0xb0 fs/ioctl.c:713
     [<00000000cd162915>] __do_sys_ioctl fs/ioctl.c:720 [inline]
     [<00000000cd162915>] __se_sys_ioctl fs/ioctl.c:718 [inline]
     [<00000000cd162915>] __x64_sys_ioctl+0x1e/0x30 fs/ioctl.c:718

BUG: memory leak
unreferenced object 0xffff88811ced2de0 (size 32):
   comm "syz-executor140", pid 6998, jiffies 4294945699 (age 13.160s)
   hex dump (first 32 bytes):
     d3 d2 f1 a7 6c 83 5b 30 30 15 a1 6f 77 3f 00 00  ....l.[00..ow?..
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   backtrace:
     [<00000000d53fdc1e>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
     [<00000000d53fdc1e>] slab_post_alloc_hook mm/slab.h:439 [inline]
     [<00000000d53fdc1e>] slab_alloc mm/slab.c:3326 [inline]
     [<00000000d53fdc1e>] __do_kmalloc mm/slab.c:3658 [inline]
     [<00000000d53fdc1e>] __kmalloc_track_caller+0x15d/0x2c0 mm/slab.c:3675
     [<00000000c742d29c>] kstrdup+0x3a/0x70 mm/util.c:52
     [<00000000d3df5d2b>] kstrdup_const+0x48/0x60 mm/util.c:74
     [<00000000d75a8fa8>] kvasprintf_const+0x7e/0xe0 lib/kasprintf.c:48
     [<00000000ebee37a0>] kobject_set_name_vargs+0x40/0xe0 lib/kobject.c:289
     [<00000000c23c056a>] dev_set_name+0x63/0x90 drivers/base/core.c:1915
     [<000000004c47b6d3>] netdev_register_kobject+0x5a/0x1b0 net/core/net-sysfs.c:1727
     [<000000005fb074af>] register_netdevice+0x397/0x600 net/core/dev.c:8733
     [<00000000bdcf4ebd>] register_netdev+0x24/0x40 net/core/dev.c:8851
     [<0000000042e6c0c4>] br_add_bridge+0x5e/0xa0 net/bridge/br_if.c:456
     [<0000000036402409>] br_ioctl_deviceless_stub+0x30c/0x350 net/bridge/br_ioctl.c:374
     [<00000000e57c9a76>] sock_ioctl+0x287/0x480 net/socket.c:1141
     [<00000000109b8329>] vfs_ioctl fs/ioctl.c:46 [inline]
     [<00000000109b8329>] file_ioctl fs/ioctl.c:509 [inline]
     [<00000000109b8329>] do_vfs_ioctl+0x62a/0x810 fs/ioctl.c:696
     [<00000000d8eb5a5e>] ksys_ioctl+0x86/0xb0 fs/ioctl.c:713
     [<00000000cd162915>] __do_sys_ioctl fs/ioctl.c:720 [inline]
     [<00000000cd162915>] __se_sys_ioctl fs/ioctl.c:718 [inline]
     [<00000000cd162915>] __x64_sys_ioctl+0x1e/0x30 fs/ioctl.c:718
     [<0000000069b4ac36>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301

---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches


* Re: memory leak in fdb_create
@ 2019-07-28 14:20 ` syzbot
From: syzbot @ 2019-07-28 14:20 UTC (permalink / raw)
  To: bridge, bsingharora, coreteam, davem, duwe, kaber, kadlec,
	linux-kernel, mingo, mpe, netdev, netfilter-devel, nikolay,
	pablo, roopa, rostedt, syzkaller-bugs

syzbot has bisected this bug to:

commit 04cf31a759ef575f750a63777cee95500e410994
Author: Michael Ellerman <mpe@ellerman.id.au>
Date:   Thu Mar 24 11:04:01 2016 +0000

     ftrace: Make ftrace_location_range() global

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1538c778600000
start commit:   abf02e29 Merge tag 'pm-5.2-rc6' of git://git.kernel.org/pu..
git tree:       upstream
final crash:    https://syzkaller.appspot.com/x/report.txt?x=1738c778600000
console output: https://syzkaller.appspot.com/x/log.txt?x=1338c778600000
kernel config:  https://syzkaller.appspot.com/x/.config?x=56f1da14935c3cce
dashboard link: https://syzkaller.appspot.com/bug?extid=88533dc8b582309bf3ee
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16de5c06a00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10546026a00000

Reported-by: syzbot+88533dc8b582309bf3ee@syzkaller.appspotmail.com
Fixes: 04cf31a759ef ("ftrace: Make ftrace_location_range() global")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection


* Re: memory leak in fdb_create
@ 2019-07-28 16:51   ` Nikolay Aleksandrov
From: Nikolay Aleksandrov @ 2019-07-28 16:51 UTC (permalink / raw)
  To: syzbot, bridge, bsingharora, coreteam, davem, duwe, kaber,
	kadlec, linux-kernel, mingo, mpe, netdev, netfilter-devel, pablo,
	roopa, rostedt, syzkaller-bugs

On 28/07/2019 17:20, syzbot wrote:
> syzbot has bisected this bug to:
> 
> commit 04cf31a759ef575f750a63777cee95500e410994
> Author: Michael Ellerman <mpe@ellerman.id.au>
> Date:   Thu Mar 24 11:04:01 2016 +0000
> 
>     ftrace: Make ftrace_location_range() global
> 
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1538c778600000
> start commit:   abf02e29 Merge tag 'pm-5.2-rc6' of git://git.kernel.org/pu..
> git tree:       upstream
> final crash:    https://syzkaller.appspot.com/x/report.txt?x=1738c778600000
> console output: https://syzkaller.appspot.com/x/log.txt?x=1338c778600000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=56f1da14935c3cce
> dashboard link: https://syzkaller.appspot.com/bug?extid=88533dc8b582309bf3ee
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16de5c06a00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10546026a00000
> 
> Reported-by: syzbot+88533dc8b582309bf3ee@syzkaller.appspotmail.com
> Fixes: 04cf31a759ef ("ftrace: Make ftrace_location_range() global")
> 
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection

I see the problem: it'd happen if the multicast stats memory allocation fails on bridge
init; then the fdb added due to the default vlan would remain and the bridge kmem cache
would be destroyed while not empty (you can even trigger a BUG because of that).
I'll post a patch shortly after running a few tests.

Thanks,
 Nik
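The failure ordering Nik describes, modelled in user-space C as an added illustration (not kernel code and not the eventual patch): the default VLAN's local fdb entry is created before the multicast stats allocation, so an early return on allocation failure leaves it alive in the cache, while an unwind that flushes the fdb entries avoids the leak. All names below are constructed stand-ins for the kernel functions in the backtrace, and the fault injection flag is an assumption of this model.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model: count of objects alive in the "fdb kmem cache". A
 * non-zero count at bridge teardown is the destroy-while-not-empty case. */
static int fdb_live;
/* Fault injection: make the multicast stats allocation fail. */
static bool fail_mcast_stats;

struct bridge {
	int fdb_entries;     /* local fdb entries this bridge created */
	void *mcast_stats;   /* stands in for the per-cpu multicast stats */
};

static void fdb_create(struct bridge *br) { br->fdb_entries++; fdb_live++; }

/* Drops every fdb entry the bridge created (the unwind step). */
static void br_fdb_flush(struct bridge *br)
{
	fdb_live -= br->fdb_entries;
	br->fdb_entries = 0;
}

/* Default VLAN setup adds the bridge's own local fdb entry. */
static int br_vlan_init(struct bridge *br) { fdb_create(br); return 0; }

static void *mcast_stats_alloc(void) { return fail_mcast_stats ? NULL : malloc(16); }

/* Buggy ordering: the early return after a failed allocation never
 * releases the fdb entry that br_vlan_init() created. */
static int br_dev_init_buggy(struct bridge *br)
{
	if (br_vlan_init(br)) return -EINVAL;
	br->mcast_stats = mcast_stats_alloc();
	if (!br->mcast_stats) return -ENOMEM;   /* fdb entry leaked here */
	return 0;
}

/* Unwinds in reverse order of setup: flush the fdb before failing. */
static int br_dev_init_fixed(struct bridge *br)
{
	if (br_vlan_init(br)) return -EINVAL;
	br->mcast_stats = mcast_stats_alloc();
	if (!br->mcast_stats) { br_fdb_flush(br); return -ENOMEM; }
	return 0;
}

/* Runs one init with the stats allocation forced to fail and returns how
 * many fdb objects are still alive afterwards (0 means no leak). */
static int leaked_after_failed_init(int (*init)(struct bridge *))
{
	struct bridge br = {0};
	fdb_live = 0;
	fail_mcast_stats = true;
	(void)init(&br);
	fail_mcast_stats = false;
	return fdb_live;
}
```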


