memory leak in tipc_buf_acquire


syzbot

May 24, 2019, 5:18:06 PM
to da...@davemloft.net, jon....@ericsson.com, linux-...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com, tipc-di...@lists.sourceforge.net, ying...@windriver.com
Hello,

syzbot found the following crash on:

HEAD commit: 4dde821e Merge tag 'xfs-5.2-fixes-1' of git://git.kernel.o..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=107db73aa00000
kernel config: https://syzkaller.appspot.com/x/.config?x=61dd9e15a761691d
dashboard link: https://syzkaller.appspot.com/bug?extid=78fbe679c8ca8d264a8d
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=162bd84ca00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=160c605ca00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+78fbe6...@syzkaller.appspotmail.com

type=1400 audit(1558701681.775:36): avc: denied { map } for pid=7128
comm="syz-executor987" path="/root/syz-executor987656147" dev="sda1"
ino=15900 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
executing program
executing program
BUG: memory leak
unreferenced object 0xffff88810df83c00 (size 512):
comm "softirq", pid 0, jiffies 4294942354 (age 19.830s)
hex dump (first 32 bytes):
38 1a 0d 0f 81 88 ff ff 38 1a 0d 0f 81 88 ff ff 8.......8.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<000000009375ee42>] kmemleak_alloc_recursive
include/linux/kmemleak.h:55 [inline]
[<000000009375ee42>] slab_post_alloc_hook mm/slab.h:439 [inline]
[<000000009375ee42>] slab_alloc_node mm/slab.c:3269 [inline]
[<000000009375ee42>] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579
[<000000004c563922>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:198
[<00000000ec87bfa1>] alloc_skb_fclone include/linux/skbuff.h:1107
[inline]
[<00000000ec87bfa1>] tipc_buf_acquire+0x2f/0x80 net/tipc/msg.c:66
[<00000000d151ef84>] tipc_msg_create+0x37/0xe0 net/tipc/msg.c:98
[<000000008bb437b0>] tipc_group_create_event+0xb3/0x1b0
net/tipc/group.c:679
[<00000000947b1d0f>] tipc_group_proto_rcv+0x569/0x640
net/tipc/group.c:781
[<00000000b75ab039>] tipc_sk_proto_rcv net/tipc/socket.c:1996 [inline]
[<00000000b75ab039>] tipc_sk_filter_rcv+0x9ac/0xf20
net/tipc/socket.c:2163
[<000000000dab7a6c>] tipc_sk_enqueue net/tipc/socket.c:2255 [inline]
[<000000000dab7a6c>] tipc_sk_rcv+0x494/0x8a0 net/tipc/socket.c:2306
[<00000000023a7ddd>] tipc_node_xmit+0x196/0x1f0 net/tipc/node.c:1442
[<00000000337dd9eb>] tipc_node_xmit_skb net/tipc/node.c:1491 [inline]
[<00000000337dd9eb>] tipc_node_distr_xmit+0x7d/0x120
net/tipc/node.c:1506
[<00000000b6375182>] tipc_group_delete+0xe6/0x130 net/tipc/group.c:224
[<000000000361ba2b>] tipc_sk_leave+0x57/0xb0 net/tipc/socket.c:2925
[<000000009df90505>] tipc_release+0x7b/0x5e0 net/tipc/socket.c:584
[<000000009f3189da>] __sock_release+0x4b/0xe0 net/socket.c:607
[<00000000d3568ee0>] sock_close+0x1b/0x30 net/socket.c:1279
[<00000000266a6215>] __fput+0xed/0x300 fs/file_table.c:280

BUG: memory leak
unreferenced object 0xffff888111895400 (size 1024):
comm "softirq", pid 0, jiffies 4294942354 (age 19.830s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<00000000e2e2855e>] kmemleak_alloc_recursive
include/linux/kmemleak.h:55 [inline]
[<00000000e2e2855e>] slab_post_alloc_hook mm/slab.h:439 [inline]
[<00000000e2e2855e>] slab_alloc_node mm/slab.c:3269 [inline]
[<00000000e2e2855e>] kmem_cache_alloc_node_trace+0x15b/0x2a0
mm/slab.c:3597
[<00000000a5030ce7>] __do_kmalloc_node mm/slab.c:3619 [inline]
[<00000000a5030ce7>] __kmalloc_node_track_caller+0x38/0x50
mm/slab.c:3634
[<0000000039212451>] __kmalloc_reserve.isra.0+0x40/0xb0
net/core/skbuff.c:142
[<00000000307cb4cf>] __alloc_skb+0xa0/0x210 net/core/skbuff.c:210
[<00000000ec87bfa1>] alloc_skb_fclone include/linux/skbuff.h:1107
[inline]
[<00000000ec87bfa1>] tipc_buf_acquire+0x2f/0x80 net/tipc/msg.c:66
[<00000000d151ef84>] tipc_msg_create+0x37/0xe0 net/tipc/msg.c:98
[<000000008bb437b0>] tipc_group_create_event+0xb3/0x1b0
net/tipc/group.c:679
[<00000000947b1d0f>] tipc_group_proto_rcv+0x569/0x640
net/tipc/group.c:781
[<00000000b75ab039>] tipc_sk_proto_rcv net/tipc/socket.c:1996 [inline]
[<00000000b75ab039>] tipc_sk_filter_rcv+0x9ac/0xf20
net/tipc/socket.c:2163
[<000000000dab7a6c>] tipc_sk_enqueue net/tipc/socket.c:2255 [inline]
[<000000000dab7a6c>] tipc_sk_rcv+0x494/0x8a0 net/tipc/socket.c:2306
[<00000000023a7ddd>] tipc_node_xmit+0x196/0x1f0 net/tipc/node.c:1442
[<00000000337dd9eb>] tipc_node_xmit_skb net/tipc/node.c:1491 [inline]
[<00000000337dd9eb>] tipc_node_distr_xmit+0x7d/0x120
net/tipc/node.c:1506
[<00000000b6375182>] tipc_group_delete+0xe6/0x130 net/tipc/group.c:224
[<000000000361ba2b>] tipc_sk_leave+0x57/0xb0 net/tipc/socket.c:2925
[<000000009df90505>] tipc_release+0x7b/0x5e0 net/tipc/socket.c:584
[<000000009f3189da>] __sock_release+0x4b/0xe0 net/socket.c:607

BUG: memory leak
unreferenced object 0xffff88810e63de00 (size 512):
comm "softirq", pid 0, jiffies 4294943548 (age 7.890s)
hex dump (first 32 bytes):
38 10 0d 0f 81 88 ff ff 38 10 0d 0f 81 88 ff ff 8.......8.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<000000009375ee42>] kmemleak_alloc_recursive
include/linux/kmemleak.h:55 [inline]
[<000000009375ee42>] slab_post_alloc_hook mm/slab.h:439 [inline]
[<000000009375ee42>] slab_alloc_node mm/slab.c:3269 [inline]
[<000000009375ee42>] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579
[<000000004c563922>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:198
[<00000000ec87bfa1>] alloc_skb_fclone include/linux/skbuff.h:1107
[inline]
[<00000000ec87bfa1>] tipc_buf_acquire+0x2f/0x80 net/tipc/msg.c:66
[<00000000d151ef84>] tipc_msg_create+0x37/0xe0 net/tipc/msg.c:98
[<000000008bb437b0>] tipc_group_create_event+0xb3/0x1b0
net/tipc/group.c:679
[<00000000947b1d0f>] tipc_group_proto_rcv+0x569/0x640
net/tipc/group.c:781
[<00000000b75ab039>] tipc_sk_proto_rcv net/tipc/socket.c:1996 [inline]
[<00000000b75ab039>] tipc_sk_filter_rcv+0x9ac/0xf20
net/tipc/socket.c:2163
[<000000000dab7a6c>] tipc_sk_enqueue net/tipc/socket.c:2255 [inline]
[<000000000dab7a6c>] tipc_sk_rcv+0x494/0x8a0 net/tipc/socket.c:2306
[<00000000023a7ddd>] tipc_node_xmit+0x196/0x1f0 net/tipc/node.c:1442
[<00000000337dd9eb>] tipc_node_xmit_skb net/tipc/node.c:1491 [inline]
[<00000000337dd9eb>] tipc_node_distr_xmit+0x7d/0x120
net/tipc/node.c:1506
[<00000000b6375182>] tipc_group_delete+0xe6/0x130 net/tipc/group.c:224
[<000000000361ba2b>] tipc_sk_leave+0x57/0xb0 net/tipc/socket.c:2925
[<000000009df90505>] tipc_release+0x7b/0x5e0 net/tipc/socket.c:584
[<000000009f3189da>] __sock_release+0x4b/0xe0 net/socket.c:607
[<00000000d3568ee0>] sock_close+0x1b/0x30 net/socket.c:1279
[<00000000266a6215>] __fput+0xed/0x300 fs/file_table.c:280



---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
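A small triage helper for kmemleak output like the report above, added here as an example (it is not syzbot's code nor part of TIPC): it parses each `unreferenced object` block, skips the allocator-internal frames, and groups the leaks by the first subsystem frame, which for this report is tipc_buf_acquire, the frame that gives the thread its subject. The sample log is constructed from the report above with each frame on a single line, as kmemleak prints it.

```python
import re
from collections import defaultdict
# Allocator-internal frames; the first frame below them is the call site
# that owns the buffer (here tipc_buf_acquire, the thread's subject).
ALLOC_PREFIXES = ("kmemleak_", "slab_", "kmem_cache_", "__kmalloc",
                  "__do_kmalloc", "__alloc_skb", "alloc_skb")
OBJ_RE = re.compile(r"unreferenced object 0x([0-9a-f]+) \(size (\d+)\)")
COMM_RE = re.compile(r'comm "([^"]*)", pid (\d+)')
FRAME_RE = re.compile(r"\[<[0-9a-f]+>\]\s+([A-Za-z_][\w.]*)"
                      r"(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?\s*(\S+)?")

def parse_kmemleak(text):   # one dict per "unreferenced object" block
    leaks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := OBJ_RE.search(line):
            cur = {"addr": m[1], "size": int(m[2]), "comm": "", "frames": []}
            leaks.append(cur)
        elif cur and (m := COMM_RE.search(line)):
            cur["comm"] = m[1]
        elif cur and (m := FRAME_RE.search(line)):
            cur["frames"].append((m[1], m[2] or ""))   # (function, file:line)
    return leaks

def origin(leak):   # first non-allocator frame: the subsystem that lost it
    for fn, loc in leak["frames"]:
        if not fn.startswith(ALLOC_PREFIXES):
            return fn, loc
    return leak["frames"][-1] if leak["frames"] else ("?", "")

def summarize(leaks):   # {'func file:line': {'count': n, 'bytes': total}}
    out = defaultdict(lambda: {"count": 0, "bytes": 0})
    for lk in leaks:
        key = " ".join(origin(lk)).strip()
        out[key]["count"] += 1
        out[key]["bytes"] += lk["size"]
    return dict(out)

# Constructed sample modelled on the report above; not a verbatim copy.
SAMPLE = """\
BUG: memory leak
unreferenced object 0xffff88810df83c00 (size 512):
  comm "softirq", pid 0, jiffies 4294942354 (age 19.830s)
  backtrace:
    [<000000009375ee42>] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579
    [<00000000ec87bfa1>] tipc_buf_acquire+0x2f/0x80 net/tipc/msg.c:66
unreferenced object 0xffff888111895400 (size 1024):
  comm "softirq", pid 0, jiffies 4294942354 (age 19.830s)
    [<0000000039212451>] __kmalloc_reserve.isra.0+0x40/0xb0 net/core/skbuff.c:142
    [<00000000ec87bfa1>] tipc_buf_acquire+0x2f/0x80 net/tipc/msg.c:66
"""
```

Running `summarize(parse_kmemleak(SAMPLE))` on the sample attributes both objects (the skb head and its 1024-byte data area) to the same origin, which is the signal a reviewer wants before reading the rest of the backtrace.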

Xin Long

Jun 9, 2019, 2:44:42 PM
to syzbot, davem, Jon Maloy, LKML, network dev, syzkaller-bugs, tipc-di...@lists.sourceforge.net, Ying Xue
On Sat, May 25, 2019 at 5:18 AM syzbot
<syzbot+78fbe6...@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 4dde821e Merge tag 'xfs-5.2-fixes-1' of git://git.kernel.o..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=107db73aa00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=61dd9e15a761691d
> dashboard link: https://syzkaller.appspot.com/bug?extid=78fbe679c8ca8d264a8d
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=162bd84ca00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=160c605ca00000
>
Looks we need to purge each member's deferredq list in tipc_group_delete():
diff --git a/net/tipc/group.c b/net/tipc/group.c
index 992be61..23823eb 100644
--- a/net/tipc/group.c
+++ b/net/tipc/group.c
@@ -218,6 +218,7 @@ void tipc_group_delete(struct net *net, struct
tipc_group *grp)

rbtree_postorder_for_each_entry_safe(m, tmp, tree, tree_node) {
tipc_group_proto_xmit(grp, m, GRP_LEAVE_MSG, &xmitq);
+ __skb_queue_purge(&m->deferredq);
list_del(&m->list);
kfree(m);
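Review bot: the purge is placed correctly, before `kfree(m);` and after the GRP_LEAVE_MSG is sent for that member, but the hunk is cut off after `kfree(m);` (the closing-brace context line is missing), so it will not apply as pasted; please resend as a proper patch with a Fixes: tag and the `Reported-by: syzbot+78fbe6...@syzkaller.appspotmail.com` tag the report asks for. Also worth a sentence in the commit message on why this is the right spot: the backtrace shows the leave message looping back through tipc_node_distr_xmit into tipc_group_proto_rcv, which creates event skbs that can still be sitting on a member's deferredq when the member is freed here. `__skb_queue_purge` is the unlocked variant; that is fine if the socket lock is held on this path (the backtrace reaches here via tipc_release -> tipc_sk_leave), but please confirm rather than rely on it silently.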

Hillf Danton

Jun 9, 2019, 11:38:41 PM
to syzbot, da...@davemloft.net, jon....@ericsson.com, linux-...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com, tipc-di...@lists.sourceforge.net, ying...@windriver.com

Hi

On Fri, 24 May 2019 14:18:05 -0700 (PDT) syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 4dde821e Merge tag 'xfs-5.2-fixes-1' of git://git.kernel.o..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=107db73aa00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=61dd9e15a761691d
> dashboard link: https://syzkaller.appspot.com/bug?extid=78fbe679c8ca8d264a8d
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=162bd84ca00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=160c605ca00000
>
Ignore my noise if you have no interest in seeing the syzbot report.

The following tiny diff, made in the hope that it may help you perhaps
handle the report, adds skb purges in the unlikely nobufs case.

Thanks
Hillf
---
net/tipc/node.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/net/tipc/node.c b/net/tipc/node.c
index 9e106d3..d9d441e 100644
--- a/net/tipc/node.c
+++ b/net/tipc/node.c
@@ -1465,11 +1465,13 @@ int tipc_node_xmit(struct net *net, struct sk_buff_head *list,
spin_unlock_bh(&le->lock);
tipc_node_read_unlock(n);

- if (unlikely(rc == -ENOBUFS))
+ if (unlikely(rc == -ENOBUFS)) {
tipc_node_link_down(n, bearer_id, false);
- else
+ skb_queue_purge(list);
+ skb_queue_purge(&xmitq);
+ } else {
tipc_bearer_xmit(net, bearer_id, &xmitq, &le->maddr);
-
+ }
tipc_node_put(n);

return rc;
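Review bot: this hunk does not cover the reported leak: the backtrace shows the skbs being lost on the loopback path (tipc_node_xmit at net/tipc/node.c:1442 calling tipc_sk_rcv), which returns before the link-xmit code and the -ENOBUFS branch at line 1465 that this change touches. Independently of that, adding `skb_queue_purge(list);` inside tipc_node_xmit on -ENOBUFS changes the ownership contract for `list`: any caller that still holds the list after an error return would need to be audited so that nothing purges it a second time. Purging xmitq after tipc_node_link_down is harmless since the bearer never sent those buffers, but it deserves a comment explaining why it is safe.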
--

Jon Maloy

Jun 10, 2019, 7:57:59 AM
to Xin Long, syzbot, davem, LKML, network dev, syzkaller-bugs, tipc-di...@lists.sourceforge.net, Ying Xue


> -----Original Message-----
> From: netdev...@vger.kernel.org <netdev...@vger.kernel.org> On
> Behalf Of Xin Long
> Sent: 9-Jun-19 14:45
> To: syzbot <syzbot+78fbe6...@syzkaller.appspotmail.com>
> Cc: davem <da...@davemloft.net>; Jon Maloy <jon....@ericsson.com>;
> LKML <linux-...@vger.kernel.org>; network dev
> <net...@vger.kernel.org>; syzkaller-bugs <syzkaller-
> bu...@googlegroups.com>; tipc-di...@lists.sourceforge.net; Ying Xue
> <ying...@windriver.com>
> Subject: Re: memory leak in tipc_buf_acquire
>
> On Sat, May 25, 2019 at 5:18 AM syzbot
> <syzbot+78fbe6...@syzkaller.appspotmail.com> wrote:
> >
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit: 4dde821e Merge tag 'xfs-5.2-fixes-1' of git://git.kernel.o..
> > git tree: upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=107db73aa00000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=61dd9e15a761691d
> > dashboard link: https://syzkaller.appspot.com/bug?extid=78fbe679c8ca8d264a8d
> > compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=162bd84ca00000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=160c605ca00000
> >
> Looks we need to purge each member's deferredq list in tipc_group_delete():
> diff --git a/net/tipc/group.c b/net/tipc/group.c index 992be61..23823eb
> 100644
> --- a/net/tipc/group.c
> +++ b/net/tipc/group.c
> @@ -218,6 +218,7 @@ void tipc_group_delete(struct net *net, struct
> tipc_group *grp)
>
> rbtree_postorder_for_each_entry_safe(m, tmp, tree, tree_node) {
> tipc_group_proto_xmit(grp, m, GRP_LEAVE_MSG, &xmitq);
> + __skb_queue_purge(&m->deferredq);
> list_del(&m->list);
> kfree(m);
> }

Yes, I think you are right. I'll check it further.

Thanks
///jon

Ying Xue

Jun 16, 2019, 3:13:56 AM
to Xin Long, syzbot, davem, Jon Maloy, LKML, network dev, syzkaller-bugs, tipc-di...@lists.sourceforge.net
On 6/10/19 2:44 AM, Xin Long wrote:
> Looks we need to purge each member's deferredq list in tipc_group_delete():
> diff --git a/net/tipc/group.c b/net/tipc/group.c
> index 992be61..23823eb 100644
> --- a/net/tipc/group.c
> +++ b/net/tipc/group.c
> @@ -218,6 +218,7 @@ void tipc_group_delete(struct net *net, struct
> tipc_group *grp)
>
> rbtree_postorder_for_each_entry_safe(m, tmp, tree, tree_node) {
> tipc_group_proto_xmit(grp, m, GRP_LEAVE_MSG, &xmitq);
> + __skb_queue_purge(&m->deferredq);
> list_del(&m->list);
> kfree(m);
> }

Good catch! I agree with you.