[syzbot] [bluetooth?] memory leak in hci_conn_add (2)
38 views
Skip to first unread message
syzbot
Sep 3, 2023, 2:25:01 AM9/3/23
to johan....@gmail.com, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, luiz....@gmail.com, mar...@holtmann.org, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 0468be89b3fa Merge tag 'iommu-updates-v6.6' of git://git.k..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17e2d447a80000
kernel config: https://syzkaller.appspot.com/x/.config?x=3544ee7492950dd3
dashboard link: https://syzkaller.appspot.com/bug?extid=b6678ec6b1772e54ee6e
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12a86513a80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16a3f977a80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/961bf23596d0/disk-0468be89.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d9431ec0107c/vmlinux-0468be89.xz
kernel image: https://storage.googleapis.com/syzbot-assets/fb5d1f6d7aad/bzImage-0468be89.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b6678e...@syzkaller.appspotmail.com
executing program
BUG: memory leak
unreferenced object 0xffff88810dcfd000 (size 2048):
comm "syz-executor249", pid 5023, jiffies 4294943992 (age 23.130s)
hex dump (first 32 bytes):
d8 4c ce 0d 81 88 ff ff 22 01 00 00 00 00 ad de .L......".......
00 00 00 00 00 00 00 00 00 00 00 aa aa aa aa aa ................
backtrace:
[<ffffffff81573855>] kmalloc_trace+0x25/0x90 mm/slab_common.c:1114
[<ffffffff84519e7f>] kmalloc include/linux/slab.h:599 [inline]
[<ffffffff84519e7f>] kzalloc include/linux/slab.h:720 [inline]
[<ffffffff84519e7f>] hci_conn_add+0x4f/0x5e0 net/bluetooth/hci_conn.c:957
[<ffffffff8451a678>] hci_connect_acl+0x198/0x1b0 net/bluetooth/hci_conn.c:1632
[<ffffffff8451d4db>] hci_connect_sco+0x4b/0x520 net/bluetooth/hci_conn.c:1685
[<ffffffff8458f6b3>] sco_connect net/bluetooth/sco.c:266 [inline]
[<ffffffff8458f6b3>] sco_sock_connect+0x1c3/0x520 net/bluetooth/sco.c:591
[<ffffffff83e89281>] __sys_connect_file+0x91/0xb0 net/socket.c:2032
[<ffffffff83e89386>] __sys_connect+0xe6/0x110 net/socket.c:2049
[<ffffffff83e893cc>] __do_sys_connect net/socket.c:2059 [inline]
[<ffffffff83e893cc>] __se_sys_connect net/socket.c:2056 [inline]
[<ffffffff83e893cc>] __x64_sys_connect+0x1c/0x20 net/socket.c:2056
[<ffffffff84b23fa8>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff84b23fa8>] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
[<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
BUG: memory leak
unreferenced object 0xffff88810b503600 (size 512):
comm "kworker/u5:1", pid 4429, jiffies 4294944492 (age 18.130s)
hex dump (first 32 bytes):
00 d0 cf 0d 81 88 ff ff 80 7b 7f 0b 81 88 ff ff .........{......
fd 03 00 00 00 00 00 00 00 06 0c 00 00 00 00 00 ................
backtrace:
[<ffffffff81573855>] kmalloc_trace+0x25/0x90 mm/slab_common.c:1114
[<ffffffff845547dd>] kmalloc include/linux/slab.h:599 [inline]
[<ffffffff845547dd>] kzalloc include/linux/slab.h:720 [inline]
[<ffffffff845547dd>] l2cap_conn_add.part.0+0x3d/0x340 net/bluetooth/l2cap_core.c:7845
[<ffffffff845623b4>] l2cap_conn_add net/bluetooth/l2cap_core.c:71 [inline]
[<ffffffff845623b4>] l2cap_connect_cfm+0x264/0x740 net/bluetooth/l2cap_core.c:8242
[<ffffffff8451da53>] hci_connect_cfm include/net/bluetooth/hci_core.h:1935 [inline]
[<ffffffff8451da53>] hci_conn_failed+0xa3/0x120 net/bluetooth/hci_conn.c:1251
[<ffffffff84586cc6>] hci_abort_conn_sync+0x4d6/0x6d0 net/bluetooth/hci_sync.c:5435
[<ffffffff8451761d>] abort_conn_sync+0x7d/0xa0 net/bluetooth/hci_conn.c:2894
[<ffffffff8457d3ad>] hci_cmd_sync_work+0xcd/0x150 net/bluetooth/hci_sync.c:306
[<ffffffff812c8e0d>] process_one_work+0x23d/0x530 kernel/workqueue.c:2630
[<ffffffff812c99b7>] process_scheduled_works kernel/workqueue.c:2703 [inline]
[<ffffffff812c99b7>] worker_thread+0x327/0x590 kernel/workqueue.c:2784
[<ffffffff812d6e8b>] kthread+0x12b/0x170 kernel/kthread.c:388
[<ffffffff81149875>] ret_from_fork+0x45/0x50 arch/x86/kernel/process.c:147
[<ffffffff81002be1>] ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 0468be89b3fa Merge tag 'iommu-updates-v6.6' of git://git.k..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17e2d447a80000
kernel config: https://syzkaller.appspot.com/x/.config?x=3544ee7492950dd3
dashboard link: https://syzkaller.appspot.com/bug?extid=b6678ec6b1772e54ee6e
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12a86513a80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16a3f977a80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/961bf23596d0/disk-0468be89.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d9431ec0107c/vmlinux-0468be89.xz
kernel image: https://storage.googleapis.com/syzbot-assets/fb5d1f6d7aad/bzImage-0468be89.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b6678e...@syzkaller.appspotmail.com
executing program
BUG: memory leak
unreferenced object 0xffff88810dcfd000 (size 2048):
comm "syz-executor249", pid 5023, jiffies 4294943992 (age 23.130s)
hex dump (first 32 bytes):
d8 4c ce 0d 81 88 ff ff 22 01 00 00 00 00 ad de .L......".......
00 00 00 00 00 00 00 00 00 00 00 aa aa aa aa aa ................
backtrace:
[<ffffffff81573855>] kmalloc_trace+0x25/0x90 mm/slab_common.c:1114
[<ffffffff84519e7f>] kmalloc include/linux/slab.h:599 [inline]
[<ffffffff84519e7f>] kzalloc include/linux/slab.h:720 [inline]
[<ffffffff84519e7f>] hci_conn_add+0x4f/0x5e0 net/bluetooth/hci_conn.c:957
[<ffffffff8451a678>] hci_connect_acl+0x198/0x1b0 net/bluetooth/hci_conn.c:1632
[<ffffffff8451d4db>] hci_connect_sco+0x4b/0x520 net/bluetooth/hci_conn.c:1685
[<ffffffff8458f6b3>] sco_connect net/bluetooth/sco.c:266 [inline]
[<ffffffff8458f6b3>] sco_sock_connect+0x1c3/0x520 net/bluetooth/sco.c:591
[<ffffffff83e89281>] __sys_connect_file+0x91/0xb0 net/socket.c:2032
[<ffffffff83e89386>] __sys_connect+0xe6/0x110 net/socket.c:2049
[<ffffffff83e893cc>] __do_sys_connect net/socket.c:2059 [inline]
[<ffffffff83e893cc>] __se_sys_connect net/socket.c:2056 [inline]
[<ffffffff83e893cc>] __x64_sys_connect+0x1c/0x20 net/socket.c:2056
[<ffffffff84b23fa8>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff84b23fa8>] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
[<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
BUG: memory leak
unreferenced object 0xffff88810b503600 (size 512):
comm "kworker/u5:1", pid 4429, jiffies 4294944492 (age 18.130s)
hex dump (first 32 bytes):
00 d0 cf 0d 81 88 ff ff 80 7b 7f 0b 81 88 ff ff .........{......
fd 03 00 00 00 00 00 00 00 06 0c 00 00 00 00 00 ................
backtrace:
[<ffffffff81573855>] kmalloc_trace+0x25/0x90 mm/slab_common.c:1114
[<ffffffff845547dd>] kmalloc include/linux/slab.h:599 [inline]
[<ffffffff845547dd>] kzalloc include/linux/slab.h:720 [inline]
[<ffffffff845547dd>] l2cap_conn_add.part.0+0x3d/0x340 net/bluetooth/l2cap_core.c:7845
[<ffffffff845623b4>] l2cap_conn_add net/bluetooth/l2cap_core.c:71 [inline]
[<ffffffff845623b4>] l2cap_connect_cfm+0x264/0x740 net/bluetooth/l2cap_core.c:8242
[<ffffffff8451da53>] hci_connect_cfm include/net/bluetooth/hci_core.h:1935 [inline]
[<ffffffff8451da53>] hci_conn_failed+0xa3/0x120 net/bluetooth/hci_conn.c:1251
[<ffffffff84586cc6>] hci_abort_conn_sync+0x4d6/0x6d0 net/bluetooth/hci_sync.c:5435
[<ffffffff8451761d>] abort_conn_sync+0x7d/0xa0 net/bluetooth/hci_conn.c:2894
[<ffffffff8457d3ad>] hci_cmd_sync_work+0xcd/0x150 net/bluetooth/hci_sync.c:306
[<ffffffff812c8e0d>] process_one_work+0x23d/0x530 kernel/workqueue.c:2630
[<ffffffff812c99b7>] process_scheduled_works kernel/workqueue.c:2703 [inline]
[<ffffffff812c99b7>] worker_thread+0x327/0x590 kernel/workqueue.c:2784
[<ffffffff812d6e8b>] kthread+0x12b/0x170 kernel/kthread.c:388
[<ffffffff81149875>] ret_from_fork+0x45/0x50 arch/x86/kernel/process.c:147
[<ffffffff81002be1>] ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Edward AD
Sep 3, 2023, 6:50:16 AM9/3/23
to syzbot+b6678e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
From: Edward Adam Davis <ead...@sina.com>
please test master for ml
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
please test master for ml
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
syzbot
Sep 3, 2023, 7:11:36 AM9/3/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in hci_conn_add
BUG: memory leak
unreferenced object 0xffff88811b9d9000 (size 2048):
comm "syz-executor.0", pid 5476, jiffies 4294944426 (age 15.750s)
[<ffffffff8451a7af>] kmalloc include/linux/slab.h:599 [inline]
[<ffffffff8451a7af>] kzalloc include/linux/slab.h:720 [inline]
[<ffffffff8451a7af>] hci_conn_add+0x4f/0x5e0 net/bluetooth/hci_conn.c:957
[<ffffffff8451afa8>] hci_connect_acl+0x198/0x1b0 net/bluetooth/hci_conn.c:1632
[<ffffffff8451de0b>] hci_connect_sco+0x4b/0x520 net/bluetooth/hci_conn.c:1685
[<ffffffff8458ffe3>] sco_connect net/bluetooth/sco.c:266 [inline]
[<ffffffff8458ffe3>] sco_sock_connect+0x1c3/0x520 net/bluetooth/sco.c:591
[<ffffffff83e89bb1>] __sys_connect_file+0x91/0xb0 net/socket.c:2032
[<ffffffff83e89cb6>] __sys_connect+0xe6/0x110 net/socket.c:2049
[<ffffffff83e89cfc>] __do_sys_connect net/socket.c:2059 [inline]
[<ffffffff83e89cfc>] __se_sys_connect net/socket.c:2056 [inline]
[<ffffffff83e89cfc>] __x64_sys_connect+0x1c/0x20 net/socket.c:2056
comm "kworker/u5:2", pid 5031, jiffies 4294944510 (age 14.910s)
[<ffffffff8455510d>] kmalloc include/linux/slab.h:599 [inline]
[<ffffffff8455510d>] kzalloc include/linux/slab.h:720 [inline]
[<ffffffff8455510d>] l2cap_conn_add.part.0+0x3d/0x340 net/bluetooth/l2cap_core.c:7845
[<ffffffff84562ce4>] l2cap_conn_add net/bluetooth/l2cap_core.c:71 [inline]
[<ffffffff84562ce4>] l2cap_connect_cfm+0x264/0x740 net/bluetooth/l2cap_core.c:8242
[<ffffffff8451e383>] hci_connect_cfm include/net/bluetooth/hci_core.h:1935 [inline]
[<ffffffff8451e383>] hci_conn_failed+0xa3/0x120 net/bluetooth/hci_conn.c:1251
[<ffffffff845875f6>] hci_abort_conn_sync+0x4d6/0x6d0 net/bluetooth/hci_sync.c:5435
[<ffffffff84517f4d>] abort_conn_sync+0x7d/0xa0 net/bluetooth/hci_conn.c:2894
[<ffffffff8457dcdd>] hci_cmd_sync_work+0xcd/0x150 net/bluetooth/hci_sync.c:306
[<ffffffff812c8f1d>] process_one_work+0x23d/0x530 kernel/workqueue.c:2630
[<ffffffff812c9ac7>] process_scheduled_works kernel/workqueue.c:2703 [inline]
[<ffffffff812c9ac7>] worker_thread+0x327/0x590 kernel/workqueue.c:2784
[<ffffffff812d6f9b>] kthread+0x12b/0x170 kernel/kthread.c:388
commit: 92901222 Merge tag 'f2fs-for-6-6-rc1' of git://git.ker..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=152acb98680000
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in hci_conn_add
BUG: memory leak
unreferenced object 0xffff88811b9d9000 (size 2048):
comm "syz-executor.0", pid 5476, jiffies 4294944426 (age 15.750s)
hex dump (first 32 bytes):
d8 cc 3f 0e 81 88 ff ff 22 01 00 00 00 00 ad de ..?.....".......
00 00 00 00 00 00 00 00 00 00 00 aa aa aa aa aa ................
backtrace:
[<ffffffff815739f5>] kmalloc_trace+0x25/0x90 mm/slab_common.c:1114
backtrace:
[<ffffffff8451a7af>] kmalloc include/linux/slab.h:599 [inline]
[<ffffffff8451a7af>] kzalloc include/linux/slab.h:720 [inline]
[<ffffffff8451a7af>] hci_conn_add+0x4f/0x5e0 net/bluetooth/hci_conn.c:957
[<ffffffff8451afa8>] hci_connect_acl+0x198/0x1b0 net/bluetooth/hci_conn.c:1632
[<ffffffff8451de0b>] hci_connect_sco+0x4b/0x520 net/bluetooth/hci_conn.c:1685
[<ffffffff8458ffe3>] sco_connect net/bluetooth/sco.c:266 [inline]
[<ffffffff8458ffe3>] sco_sock_connect+0x1c3/0x520 net/bluetooth/sco.c:591
[<ffffffff83e89bb1>] __sys_connect_file+0x91/0xb0 net/socket.c:2032
[<ffffffff83e89cb6>] __sys_connect+0xe6/0x110 net/socket.c:2049
[<ffffffff83e89cfc>] __do_sys_connect net/socket.c:2059 [inline]
[<ffffffff83e89cfc>] __se_sys_connect net/socket.c:2056 [inline]
[<ffffffff83e89cfc>] __x64_sys_connect+0x1c/0x20 net/socket.c:2056
[<ffffffff84b23fa8>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff84b23fa8>] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
[<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
BUG: memory leak
unreferenced object 0xffff88811a9e6a00 (size 512):
[<ffffffff84b23fa8>] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
[<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
BUG: memory leak
comm "kworker/u5:2", pid 5031, jiffies 4294944510 (age 14.910s)
hex dump (first 32 bytes):
00 90 9d 1b 81 88 ff ff 40 30 30 0e 81 88 ff ff ........@00.....
fd 03 00 00 00 00 00 00 00 06 0c 00 00 00 00 00 ................
backtrace:
[<ffffffff815739f5>] kmalloc_trace+0x25/0x90 mm/slab_common.c:1114
backtrace:
[<ffffffff8455510d>] kmalloc include/linux/slab.h:599 [inline]
[<ffffffff8455510d>] kzalloc include/linux/slab.h:720 [inline]
[<ffffffff8455510d>] l2cap_conn_add.part.0+0x3d/0x340 net/bluetooth/l2cap_core.c:7845
[<ffffffff84562ce4>] l2cap_conn_add net/bluetooth/l2cap_core.c:71 [inline]
[<ffffffff84562ce4>] l2cap_connect_cfm+0x264/0x740 net/bluetooth/l2cap_core.c:8242
[<ffffffff8451e383>] hci_connect_cfm include/net/bluetooth/hci_core.h:1935 [inline]
[<ffffffff8451e383>] hci_conn_failed+0xa3/0x120 net/bluetooth/hci_conn.c:1251
[<ffffffff845875f6>] hci_abort_conn_sync+0x4d6/0x6d0 net/bluetooth/hci_sync.c:5435
[<ffffffff84517f4d>] abort_conn_sync+0x7d/0xa0 net/bluetooth/hci_conn.c:2894
[<ffffffff8457dcdd>] hci_cmd_sync_work+0xcd/0x150 net/bluetooth/hci_sync.c:306
[<ffffffff812c8f1d>] process_one_work+0x23d/0x530 kernel/workqueue.c:2630
[<ffffffff812c9ac7>] process_scheduled_works kernel/workqueue.c:2703 [inline]
[<ffffffff812c9ac7>] worker_thread+0x327/0x590 kernel/workqueue.c:2784
[<ffffffff812d6f9b>] kthread+0x12b/0x170 kernel/kthread.c:388
[<ffffffff81149875>] ret_from_fork+0x45/0x50 arch/x86/kernel/process.c:147
[<ffffffff81002be1>] ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
Tested on:
[<ffffffff81002be1>] ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
commit: 92901222 Merge tag 'f2fs-for-6-6-rc1' of git://git.ker..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=152acb98680000
kernel config: https://syzkaller.appspot.com/x/.config?x=3544ee7492950dd3
dashboard link: https://syzkaller.appspot.com/bug?extid=b6678ec6b1772e54ee6e
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Note: no patches were applied.
dashboard link: https://syzkaller.appspot.com/bug?extid=b6678ec6b1772e54ee6e
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Edward AD
Sep 3, 2023, 7:27:09 AM9/3/23
to syzbot+b6678e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test 0468be89b3fa for ml
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 0468be89b3fa
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 9d5057cef30a..2f6c3b66d3a7 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -1154,6 +1154,7 @@ void hci_conn_del(struct hci_conn *conn)
* rest of hci_conn_del.
*/
hci_conn_cleanup(conn);
+ kfree(conn);
}
struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src, uint8_t src_type)
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 0468be89b3fa
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 9d5057cef30a..2f6c3b66d3a7 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -1154,6 +1154,7 @@ void hci_conn_del(struct hci_conn *conn)
* rest of hci_conn_del.
*/
hci_conn_cleanup(conn);
+ kfree(conn);
}
struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src, uint8_t src_type)
syzbot
Sep 3, 2023, 7:45:31 AM9/3/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
53 testing simple program...
[ 38.048381][ T5020] cgroup: Unknown subsys name 'net'
[ 38.144096][ T5020] cgroup: Unknown subsys name 'rlimit'
executing program
executing program
[ 45.312571][ T5020] kmemleak: 1 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
[ 46.020316][ T5020] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 46.030096][ T5016] syz-fuzzer[5016]: memfd_create() called without MFD_EXEC or MFD_NOEXEC_SEAL set
[ 46.039760][ T5016] syz-fuzzer[5016]: memfd_create() called without MFD_EXEC or MFD_NOEXEC_SEAL set
[ 46.091389][ T5026] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 46.098787][ T5026] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 46.106111][ T5026] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 46.113742][ T5026] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 46.121019][ T5026] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 46.128205][ T5026] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 46.206730][ T5023] chnl_net:caif_netlink_parms(): no params data found
[ 46.244389][ T5023] bridge0: port 1(bridge_slave_0) entered blocking state
[ 46.251667][ T5023] bridge0: port 1(bridge_slave_0) entered disabled state
[ 46.258894][ T5023] bridge_slave_0: entered allmulticast mode
[ 46.265537][ T5023] bridge_slave_0: entered promiscuous mode
[ 46.272703][ T5023] bridge0: port 2(bridge_slave_1) entered blocking state
[ 46.280396][ T5023] bridge0: port 2(bridge_slave_1) entered disabled state
[ 46.288066][ T5023] bridge_slave_1: entered allmulticast mode
[ 46.294823][ T5023] bridge_slave_1: entered promiscuous mode
[ 46.311947][ T5023] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 46.322710][ T5023] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 46.343136][ T5023] team0: Port device team_slave_0 added
[ 46.350340][ T5023] team0: Port device team_slave_1 added
[ 46.367590][ T5023] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 46.374605][ T5023] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 46.401086][ T5023] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 46.413021][ T5023] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 46.420064][ T5023] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 46.446391][ T5023] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 46.473592][ T5023] hsr_slave_0: entered promiscuous mode
[ 46.479735][ T5023] hsr_slave_1: entered promiscuous mode
[ 46.543832][ T5023] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 46.552655][ T5023] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 46.561763][ T5023] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 46.570426][ T5023] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 46.586605][ T5023] bridge0: port 2(bridge_slave_1) entered blocking state
[ 46.594143][ T5023] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 46.601501][ T5023] bridge0: port 1(bridge_slave_0) entered blocking state
[ 46.608669][ T5023] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 46.643919][ T5023] 8021q: adding VLAN 0 to HW filter on device bond0
[ 46.656872][ T5023] 8021q: adding VLAN 0 to HW filter on device team0
[ 46.665110][ T8] bridge0: port 1(bridge_slave_0) entered disabled state
[ 46.673161][ T8] bridge0: port 2(bridge_slave_1) entered disabled state
[ 46.691487][ T22] bridge0: port 1(bridge_slave_0) entered blocking state
[ 46.699009][ T22] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 46.707513][ T22] bridge0: port 2(bridge_slave_1) entered blocking state
[ 46.714673][ T22] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 46.772885][ T5023] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 46.794139][ T5023] veth0_vlan: entered promiscuous mode
[ 46.804606][ T5023] veth1_vlan: entered promiscuous mode
[ 46.821987][ T5023] veth0_macvtap: entered promiscuous mode
[ 46.830513][ T5023] veth1_macvtap: entered promiscuous mode
[ 46.843066][ T5023] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 46.854088][ T5023] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 46.863330][ T5023] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 46.872461][ T5023] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 46.881548][ T5023] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 46.890297][ T5023] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
executing program
2023/09/03 11:43:02 building call list...
[ 46.921916][ T22] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 46.930025][ T22] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 46.948583][ T22] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 46.956718][ T22] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 48.150369][ T5047] damon-dbgfs: DAMON debugfs interface is deprecated, so users should move to DAMON_SYSFS. If you cannot, please report your usecase to da...@lists.linux.dev and linu...@kvack.org.
[ 48.248399][ T5047] can: request_module (can-proto-0) failed.
[ 48.261421][ T5047] can: request_module (can-proto-0) failed.
[ 48.274077][ T5047] can: request_module (can-proto-0) failed.
[ 48.437939][ T5047] UDPLite6: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[ 48.550231][ T5047] UDPLite: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[ 48.595248][ T5047] kmemleak: Cannot insert 0xffff888108a8e800 into the object search tree (overlaps existing)
[ 48.605931][ T5047] CPU: 1 PID: 5047 Comm: syz-fuzzer Not tainted 6.5.0-syzkaller-10885-g0468be89b3fa-dirty #0
[ 48.616071][ T5047] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
[ 48.626123][ T5047] Call Trace:
[ 48.629398][ T5047] <TASK>
[ 48.632598][ T5047] dump_stack_lvl+0x72/0xa0
[ 48.637182][ T5047] __create_object+0x2e9/0x430
[ 48.641958][ T5047] __kmem_cache_alloc_node+0x1ee/0x300
[ 48.647592][ T5047] ? sk_prot_alloc+0x112/0x1b0
[ 48.652475][ T5047] ? sk_prot_alloc+0x112/0x1b0
[ 48.657410][ T5047] __kmalloc+0x4b/0x150
[ 48.661652][ T5047] sk_prot_alloc+0x112/0x1b0
[ 48.666229][ T5047] sk_alloc+0x36/0x2f0
[ 48.670281][ T5047] __netlink_create+0x40/0xe0
[ 48.675202][ T5047] netlink_create+0x221/0x320
[ 48.679866][ T5047] ? genl_pernet_exit+0x30/0x30
[ 48.684879][ T5047] __sock_create+0x19f/0x2e0
[ 48.689478][ T5047] __sys_socket+0xb8/0x1a0
[ 48.693975][ T5047] __x64_sys_socket+0x1b/0x20
[ 48.698721][ T5047] do_syscall_64+0x38/0xb0
[ 48.703121][ T5047] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 48.709261][ T5047] RIP: 0033:0x403ace
[ 48.713360][ T5047] Code: 48 89 6c 24 38 48 8d 6c 24 38 e8 0d 00 00 00 48 8b 6c 24 38 48 83 c4 40 c3 cc cc cc 49 89 f2 48 89 fa 48 89 ce 48 89 df 0f 05 <48> 3d 01 f0 ff ff 76 15 48 f7 d8 48 89 c1 48 c7 c0 ff ff ff ff 48
[ 48.733718][ T5047] RSP: 002b:000000c000d072e0 EFLAGS: 00000206 ORIG_RAX: 0000000000000029
[ 48.742290][ T5047] RAX: ffffffffffffffda RBX: 0000000000000010 RCX: 0000000000403ace
[ 48.750243][ T5047] RDX: 0000000000000010 RSI: 0000000000000003 RDI: 0000000000000010
[ 48.758311][ T5047] RBP: 000000c000d07320 R08: 0000000000000000 R09: 0000000000000000
[ 48.766357][ T5047] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000600
[ 48.774671][ T5047] R13: 0000000000000038 R14: 000000c0000061a0 R15: 000000000000022f
[ 48.782895][ T5047] </TASK>
[ 48.785999][ T5047] kmemleak: Kernel memory leak detector disabled
[ 48.792326][ T5047] kmemleak: Object 0xffff888108a8e800 (size 2048):
[ 48.798802][ T5047] kmemleak: comm "syz-fuzzer", pid 5047, jiffies 4294942099
[ 48.806421][ T5047] kmemleak: min_count = 1
[ 48.811247][ T5047] kmemleak: count = 0
[ 48.815473][ T5047] kmemleak: flags = 0x1
[ 48.819859][ T5047] kmemleak: checksum = 0
[ 48.824491][ T5047] kmemleak: backtrace:
[ 48.828941][ T5047] __kmalloc+0x4b/0x150
[ 48.833116][ T5047] sk_prot_alloc+0x112/0x1b0
[ 48.838049][ T5047] sk_alloc+0x36/0x2f0
[ 48.842099][ T5047] __netlink_create+0x40/0xe0
[ 48.847113][ T5047] netlink_create+0x221/0x320
[ 48.851869][ T5047] __sock_create+0x19f/0x2e0
[ 48.856962][ T5047] __sys_socket+0xb8/0x1a0
[ 48.861620][ T5047] __x64_sys_socket+0x1b/0x20
[ 48.866297][ T5047] do_syscall_64+0x38/0xb0
[ 48.870901][ T5047] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 48.899361][ C0] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 48.907285][ C0] #PF: supervisor instruction fetch in kernel mode
[ 48.913783][ C0] #PF: error_code(0x0010) - not-present page
[ 48.919759][ C0] PGD 109de7067 P4D 109de7067 PUD 109dd7067 PMD 0
[ 48.926364][ C0] Oops: 0010 [#1] PREEMPT SMP
[ 48.931133][ C0] CPU: 0 PID: 15 Comm: ksoftirqd/0 Not tainted 6.5.0-syzkaller-10885-g0468be89b3fa-dirty #0
[ 48.941291][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
[ 48.951437][ C0] RIP: 0010:0x0
[ 48.955069][ C0] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
[ 48.962767][ C0] RSP: 0018:ffffc900000cbdf0 EFLAGS: 00010206
[ 48.968996][ C0] RAX: 0000000000000000 RBX: ffff88813bc2ec00 RCX: 0000000000000100
[ 48.977303][ C0] RDX: ffff88810c74d220 RSI: ffffffff83eddfde RDI: ffff888108a8ec40
[ 48.985349][ C0] RBP: 0000000000000003 R08: 0000000000000000 R09: ffffffff83eddf00
[ 48.993306][ C0] R10: ffff88811bbaa000 R11: 0000000000000001 R12: ffff8881008c8000
[ 49.001442][ C0] R13: ffff88813bc2ec78 R14: 0000000000000002 R15: 0000000000000000
[ 49.009402][ C0] FS: 0000000000000000(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
[ 49.018493][ C0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 49.025330][ C0] CR2: ffffffffffffffd6 CR3: 000000010bc18000 CR4: 00000000003506f0
[ 49.033552][ C0] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 49.041861][ C0] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 49.050091][ C0] Call Trace:
[ 49.053454][ C0] <TASK>
[ 49.058223][ C0] ? show_regs+0x8f/0xa0
[ 49.062563][ C0] ? __die+0x2c/0x80
[ 49.066450][ C0] ? page_fault_oops+0x29a/0x710
[ 49.071411][ C0] ? do_user_addr_fault+0x4c5/0xab0
[ 49.076890][ C0] ? exc_page_fault+0x5d/0xb0
[ 49.081659][ C0] ? asm_exc_page_fault+0x26/0x30
[ 49.086772][ C0] ? dst_destroy+0x80/0x210
[ 49.091285][ C0] ? dst_destroy+0x15e/0x210
[ 49.096160][ C0] rcu_core+0x42d/0x730
[ 49.100324][ C0] __do_softirq+0xc5/0x2b0
[ 49.104736][ C0] run_ksoftirqd+0x19/0x20
[ 49.109153][ C0] smpboot_thread_fn+0x19f/0x330
[ 49.114195][ C0] ? sort_range+0x30/0x30
[ 49.118533][ C0] kthread+0x12b/0x170
[ 49.122617][ C0] ? kthread_complete_and_exit+0x30/0x30
[ 49.130765][ C0] ret_from_fork+0x45/0x50
[ 49.135346][ C0] ? kthread_complete_and_exit+0x30/0x30
[ 49.141072][ C0] ret_from_fork_asm+0x11/0x20
[ 49.146101][ C0] </TASK>
[ 49.149194][ C0] Modules linked in:
[ 49.153253][ C0] CR2: 0000000000000000
[ 49.157486][ C0] ---[ end trace 0000000000000000 ]---
[ 49.162925][ C0] RIP: 0010:0x0
[ 49.166810][ C0] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
[ 49.174425][ C0] RSP: 0018:ffffc900000cbdf0 EFLAGS: 00010206
[ 49.180478][ C0] RAX: 0000000000000000 RBX: ffff88813bc2ec00 RCX: 0000000000000100
[ 49.188436][ C0] RDX: ffff88810c74d220 RSI: ffffffff83eddfde RDI: ffff888108a8ec40
[ 49.196471][ C0] RBP: 0000000000000003 R08: 0000000000000000 R09: ffffffff83eddf00
[ 49.204690][ C0] R10: ffff88811bbaa000 R11: 0000000000000001 R12: ffff8881008c8000
[ 49.213690][ C0] R13: ffff88813bc2ec78 R14: 0000000000000002 R15: 0000000000000000
[ 49.221840][ C0] FS: 0000000000000000(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
[ 49.230846][ C0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 49.237482][ C0] CR2: ffffffffffffffd6 CR3: 000000010bc18000 CR4: 00000000003506f0
[ 49.245713][ C0] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 49.253931][ C0] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 49.262600][ C0] Kernel panic - not syncing: Fatal exception in interrupt
[ 49.269993][ C0] Kernel Offset: disabled
[ 49.274389][ C0] Rebooting in 86400 seconds..
syzkaller build log:
go env (err=<nil>)
GO111MODULE="auto"
GOARCH="amd64"
GOBIN=""
GOCACHE="/syzkaller/.cache/go-build"
GOENV="/syzkaller/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/syzkaller/jobs-2/linux/gopath/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/syzkaller/jobs-2/linux/gopath"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.20.1"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod"
GOWORK=""
CGO_CFLAGS="-O2 -g"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-O2 -g"
CGO_FFLAGS="-O2 -g"
CGO_LDFLAGS="-O2 -g"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build2431736915=/tmp/go-build -gno-record-gcc-switches"
git status (err=<nil>)
HEAD detached at 696ea0d2f
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:32: run command via tools/syz-env for best compatibility, see:
Makefile:33: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=696ea0d2f4fdaa17db929e152edba19bf7666d84 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20230831-140644'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=696ea0d2f4fdaa17db929e152edba19bf7666d84 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20230831-140644'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=696ea0d2f4fdaa17db929e152edba19bf7666d84 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20230831-140644'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"696ea0d2f4fdaa17db929e152edba19bf7666d84\"
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=12e000d7a80000
Tested on:
commit: 0468be89 Merge tag 'iommu-updates-v6.6' of git://git.k..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
syzbot tried to test the proposed patch but the build/boot failed:
53 testing simple program...
[ 38.048381][ T5020] cgroup: Unknown subsys name 'net'
[ 38.144096][ T5020] cgroup: Unknown subsys name 'rlimit'
executing program
executing program
[ 45.312571][ T5020] kmemleak: 1 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
[ 46.020316][ T5020] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 46.030096][ T5016] syz-fuzzer[5016]: memfd_create() called without MFD_EXEC or MFD_NOEXEC_SEAL set
[ 46.039760][ T5016] syz-fuzzer[5016]: memfd_create() called without MFD_EXEC or MFD_NOEXEC_SEAL set
[ 46.091389][ T5026] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 46.098787][ T5026] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 46.106111][ T5026] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 46.113742][ T5026] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 46.121019][ T5026] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 46.128205][ T5026] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 46.206730][ T5023] chnl_net:caif_netlink_parms(): no params data found
[ 46.244389][ T5023] bridge0: port 1(bridge_slave_0) entered blocking state
[ 46.251667][ T5023] bridge0: port 1(bridge_slave_0) entered disabled state
[ 46.258894][ T5023] bridge_slave_0: entered allmulticast mode
[ 46.265537][ T5023] bridge_slave_0: entered promiscuous mode
[ 46.272703][ T5023] bridge0: port 2(bridge_slave_1) entered blocking state
[ 46.280396][ T5023] bridge0: port 2(bridge_slave_1) entered disabled state
[ 46.288066][ T5023] bridge_slave_1: entered allmulticast mode
[ 46.294823][ T5023] bridge_slave_1: entered promiscuous mode
[ 46.311947][ T5023] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 46.322710][ T5023] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 46.343136][ T5023] team0: Port device team_slave_0 added
[ 46.350340][ T5023] team0: Port device team_slave_1 added
[ 46.367590][ T5023] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 46.374605][ T5023] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 46.401086][ T5023] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 46.413021][ T5023] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 46.420064][ T5023] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 46.446391][ T5023] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 46.473592][ T5023] hsr_slave_0: entered promiscuous mode
[ 46.479735][ T5023] hsr_slave_1: entered promiscuous mode
[ 46.543832][ T5023] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 46.552655][ T5023] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 46.561763][ T5023] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 46.570426][ T5023] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 46.586605][ T5023] bridge0: port 2(bridge_slave_1) entered blocking state
[ 46.594143][ T5023] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 46.601501][ T5023] bridge0: port 1(bridge_slave_0) entered blocking state
[ 46.608669][ T5023] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 46.643919][ T5023] 8021q: adding VLAN 0 to HW filter on device bond0
[ 46.656872][ T5023] 8021q: adding VLAN 0 to HW filter on device team0
[ 46.665110][ T8] bridge0: port 1(bridge_slave_0) entered disabled state
[ 46.673161][ T8] bridge0: port 2(bridge_slave_1) entered disabled state
[ 46.691487][ T22] bridge0: port 1(bridge_slave_0) entered blocking state
[ 46.699009][ T22] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 46.707513][ T22] bridge0: port 2(bridge_slave_1) entered blocking state
[ 46.714673][ T22] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 46.772885][ T5023] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 46.794139][ T5023] veth0_vlan: entered promiscuous mode
[ 46.804606][ T5023] veth1_vlan: entered promiscuous mode
[ 46.821987][ T5023] veth0_macvtap: entered promiscuous mode
[ 46.830513][ T5023] veth1_macvtap: entered promiscuous mode
[ 46.843066][ T5023] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 46.854088][ T5023] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 46.863330][ T5023] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 46.872461][ T5023] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 46.881548][ T5023] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 46.890297][ T5023] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
executing program
2023/09/03 11:43:02 building call list...
[ 46.921916][ T22] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 46.930025][ T22] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 46.948583][ T22] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 46.956718][ T22] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 48.150369][ T5047] damon-dbgfs: DAMON debugfs interface is deprecated, so users should move to DAMON_SYSFS. If you cannot, please report your usecase to da...@lists.linux.dev and linu...@kvack.org.
[ 48.248399][ T5047] can: request_module (can-proto-0) failed.
[ 48.261421][ T5047] can: request_module (can-proto-0) failed.
[ 48.274077][ T5047] can: request_module (can-proto-0) failed.
[ 48.437939][ T5047] UDPLite6: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[ 48.550231][ T5047] UDPLite: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[ 48.595248][ T5047] kmemleak: Cannot insert 0xffff888108a8e800 into the object search tree (overlaps existing)
[ 48.605931][ T5047] CPU: 1 PID: 5047 Comm: syz-fuzzer Not tainted 6.5.0-syzkaller-10885-g0468be89b3fa-dirty #0
[ 48.616071][ T5047] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
[ 48.626123][ T5047] Call Trace:
[ 48.629398][ T5047] <TASK>
[ 48.632598][ T5047] dump_stack_lvl+0x72/0xa0
[ 48.637182][ T5047] __create_object+0x2e9/0x430
[ 48.641958][ T5047] __kmem_cache_alloc_node+0x1ee/0x300
[ 48.647592][ T5047] ? sk_prot_alloc+0x112/0x1b0
[ 48.652475][ T5047] ? sk_prot_alloc+0x112/0x1b0
[ 48.657410][ T5047] __kmalloc+0x4b/0x150
[ 48.661652][ T5047] sk_prot_alloc+0x112/0x1b0
[ 48.666229][ T5047] sk_alloc+0x36/0x2f0
[ 48.670281][ T5047] __netlink_create+0x40/0xe0
[ 48.675202][ T5047] netlink_create+0x221/0x320
[ 48.679866][ T5047] ? genl_pernet_exit+0x30/0x30
[ 48.684879][ T5047] __sock_create+0x19f/0x2e0
[ 48.689478][ T5047] __sys_socket+0xb8/0x1a0
[ 48.693975][ T5047] __x64_sys_socket+0x1b/0x20
[ 48.698721][ T5047] do_syscall_64+0x38/0xb0
[ 48.703121][ T5047] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 48.709261][ T5047] RIP: 0033:0x403ace
[ 48.713360][ T5047] Code: 48 89 6c 24 38 48 8d 6c 24 38 e8 0d 00 00 00 48 8b 6c 24 38 48 83 c4 40 c3 cc cc cc 49 89 f2 48 89 fa 48 89 ce 48 89 df 0f 05 <48> 3d 01 f0 ff ff 76 15 48 f7 d8 48 89 c1 48 c7 c0 ff ff ff ff 48
[ 48.733718][ T5047] RSP: 002b:000000c000d072e0 EFLAGS: 00000206 ORIG_RAX: 0000000000000029
[ 48.742290][ T5047] RAX: ffffffffffffffda RBX: 0000000000000010 RCX: 0000000000403ace
[ 48.750243][ T5047] RDX: 0000000000000010 RSI: 0000000000000003 RDI: 0000000000000010
[ 48.758311][ T5047] RBP: 000000c000d07320 R08: 0000000000000000 R09: 0000000000000000
[ 48.766357][ T5047] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000600
[ 48.774671][ T5047] R13: 0000000000000038 R14: 000000c0000061a0 R15: 000000000000022f
[ 48.782895][ T5047] </TASK>
[ 48.785999][ T5047] kmemleak: Kernel memory leak detector disabled
[ 48.792326][ T5047] kmemleak: Object 0xffff888108a8e800 (size 2048):
[ 48.798802][ T5047] kmemleak: comm "syz-fuzzer", pid 5047, jiffies 4294942099
[ 48.806421][ T5047] kmemleak: min_count = 1
[ 48.811247][ T5047] kmemleak: count = 0
[ 48.815473][ T5047] kmemleak: flags = 0x1
[ 48.819859][ T5047] kmemleak: checksum = 0
[ 48.824491][ T5047] kmemleak: backtrace:
[ 48.828941][ T5047] __kmalloc+0x4b/0x150
[ 48.833116][ T5047] sk_prot_alloc+0x112/0x1b0
[ 48.838049][ T5047] sk_alloc+0x36/0x2f0
[ 48.842099][ T5047] __netlink_create+0x40/0xe0
[ 48.847113][ T5047] netlink_create+0x221/0x320
[ 48.851869][ T5047] __sock_create+0x19f/0x2e0
[ 48.856962][ T5047] __sys_socket+0xb8/0x1a0
[ 48.861620][ T5047] __x64_sys_socket+0x1b/0x20
[ 48.866297][ T5047] do_syscall_64+0x38/0xb0
[ 48.870901][ T5047] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 48.899361][ C0] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 48.907285][ C0] #PF: supervisor instruction fetch in kernel mode
[ 48.913783][ C0] #PF: error_code(0x0010) - not-present page
[ 48.919759][ C0] PGD 109de7067 P4D 109de7067 PUD 109dd7067 PMD 0
[ 48.926364][ C0] Oops: 0010 [#1] PREEMPT SMP
[ 48.931133][ C0] CPU: 0 PID: 15 Comm: ksoftirqd/0 Not tainted 6.5.0-syzkaller-10885-g0468be89b3fa-dirty #0
[ 48.941291][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
[ 48.951437][ C0] RIP: 0010:0x0
[ 48.955069][ C0] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
[ 48.962767][ C0] RSP: 0018:ffffc900000cbdf0 EFLAGS: 00010206
[ 48.968996][ C0] RAX: 0000000000000000 RBX: ffff88813bc2ec00 RCX: 0000000000000100
[ 48.977303][ C0] RDX: ffff88810c74d220 RSI: ffffffff83eddfde RDI: ffff888108a8ec40
[ 48.985349][ C0] RBP: 0000000000000003 R08: 0000000000000000 R09: ffffffff83eddf00
[ 48.993306][ C0] R10: ffff88811bbaa000 R11: 0000000000000001 R12: ffff8881008c8000
[ 49.001442][ C0] R13: ffff88813bc2ec78 R14: 0000000000000002 R15: 0000000000000000
[ 49.009402][ C0] FS: 0000000000000000(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
[ 49.018493][ C0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 49.025330][ C0] CR2: ffffffffffffffd6 CR3: 000000010bc18000 CR4: 00000000003506f0
[ 49.033552][ C0] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 49.041861][ C0] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 49.050091][ C0] Call Trace:
[ 49.053454][ C0] <TASK>
[ 49.058223][ C0] ? show_regs+0x8f/0xa0
[ 49.062563][ C0] ? __die+0x2c/0x80
[ 49.066450][ C0] ? page_fault_oops+0x29a/0x710
[ 49.071411][ C0] ? do_user_addr_fault+0x4c5/0xab0
[ 49.076890][ C0] ? exc_page_fault+0x5d/0xb0
[ 49.081659][ C0] ? asm_exc_page_fault+0x26/0x30
[ 49.086772][ C0] ? dst_destroy+0x80/0x210
[ 49.091285][ C0] ? dst_destroy+0x15e/0x210
[ 49.096160][ C0] rcu_core+0x42d/0x730
[ 49.100324][ C0] __do_softirq+0xc5/0x2b0
[ 49.104736][ C0] run_ksoftirqd+0x19/0x20
[ 49.109153][ C0] smpboot_thread_fn+0x19f/0x330
[ 49.114195][ C0] ? sort_range+0x30/0x30
[ 49.118533][ C0] kthread+0x12b/0x170
[ 49.122617][ C0] ? kthread_complete_and_exit+0x30/0x30
[ 49.130765][ C0] ret_from_fork+0x45/0x50
[ 49.135346][ C0] ? kthread_complete_and_exit+0x30/0x30
[ 49.141072][ C0] ret_from_fork_asm+0x11/0x20
[ 49.146101][ C0] </TASK>
[ 49.149194][ C0] Modules linked in:
[ 49.153253][ C0] CR2: 0000000000000000
[ 49.157486][ C0] ---[ end trace 0000000000000000 ]---
[ 49.162925][ C0] RIP: 0010:0x0
[ 49.166810][ C0] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
[ 49.174425][ C0] RSP: 0018:ffffc900000cbdf0 EFLAGS: 00010206
[ 49.180478][ C0] RAX: 0000000000000000 RBX: ffff88813bc2ec00 RCX: 0000000000000100
[ 49.188436][ C0] RDX: ffff88810c74d220 RSI: ffffffff83eddfde RDI: ffff888108a8ec40
[ 49.196471][ C0] RBP: 0000000000000003 R08: 0000000000000000 R09: ffffffff83eddf00
[ 49.204690][ C0] R10: ffff88811bbaa000 R11: 0000000000000001 R12: ffff8881008c8000
[ 49.213690][ C0] R13: ffff88813bc2ec78 R14: 0000000000000002 R15: 0000000000000000
[ 49.221840][ C0] FS: 0000000000000000(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
[ 49.230846][ C0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 49.237482][ C0] CR2: ffffffffffffffd6 CR3: 000000010bc18000 CR4: 00000000003506f0
[ 49.245713][ C0] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 49.253931][ C0] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 49.262600][ C0] Kernel panic - not syncing: Fatal exception in interrupt
[ 49.269993][ C0] Kernel Offset: disabled
[ 49.274389][ C0] Rebooting in 86400 seconds..
syzkaller build log:
go env (err=<nil>)
GO111MODULE="auto"
GOARCH="amd64"
GOBIN=""
GOCACHE="/syzkaller/.cache/go-build"
GOENV="/syzkaller/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/syzkaller/jobs-2/linux/gopath/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/syzkaller/jobs-2/linux/gopath"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.20.1"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod"
GOWORK=""
CGO_CFLAGS="-O2 -g"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-O2 -g"
CGO_FFLAGS="-O2 -g"
CGO_LDFLAGS="-O2 -g"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build2431736915=/tmp/go-build -gno-record-gcc-switches"
git status (err=<nil>)
HEAD detached at 696ea0d2f
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:32: run command via tools/syz-env for best compatibility, see:
Makefile:33: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=696ea0d2f4fdaa17db929e152edba19bf7666d84 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20230831-140644'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=696ea0d2f4fdaa17db929e152edba19bf7666d84 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20230831-140644'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=696ea0d2f4fdaa17db929e152edba19bf7666d84 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20230831-140644'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"696ea0d2f4fdaa17db929e152edba19bf7666d84\"
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=12e000d7a80000
Tested on:
commit: 0468be89 Merge tag 'iommu-updates-v6.6' of git://git.k..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=3544ee7492950dd3
dashboard link: https://syzkaller.appspot.com/bug?extid=b6678ec6b1772e54ee6e
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=10290bc0680000
dashboard link: https://syzkaller.appspot.com/bug?extid=b6678ec6b1772e54ee6e
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Edward AD
Sep 3, 2023, 8:19:34 AM9/3/23
to syzbot+b6678e...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
From: Edward Adam Davis <ead...@sina.com>
please test 0468be89b3fa for ml
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 0468be89b3fa
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 9d5057cef30a..158b11553e9e 100644
please test 0468be89b3fa for ml
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 0468be89b3fa
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -1681,6 +1681,7 @@ struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst,
struct hci_conn *acl;
struct hci_conn *sco;
struct hci_link *link;
+ char add_sco = 0;
acl = hci_connect_acl(hdev, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING,
CONN_REASON_SCO_CONNECT);
@@ -1694,12 +1695,16 @@ struct hci_conn *hci_connect_sco(struct hci_dev *hdev, int type, bdaddr_t *dst,
hci_conn_drop(acl);
return ERR_PTR(-ENOMEM);
}
+ add_sco = 1;
}
link = hci_conn_link(acl, sco);
if (!link) {
hci_conn_drop(acl);
- hci_conn_drop(sco);
+ if (!add_sco)
+ hci_conn_drop(sco);
+ else
+ hci_conn_del(sco);
return ERR_PTR(-ENOLINK);
}
syzbot
Sep 3, 2023, 8:49:33 AM9/3/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in hci_conn_add
BUG: memory leak
unreferenced object 0xffff88811b02a800 (size 2048):
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in hci_conn_add
BUG: memory leak
comm "syz-executor.0", pid 5506, jiffies 4294944422 (age 16.080s)
hex dump (first 32 bytes):
d8 8c ad 1b 81 88 ff ff 22 01 00 00 00 00 ad de ........".......
00 00 00 00 00 00 00 00 00 00 00 aa aa aa aa aa ................
backtrace:
backtrace:
[<ffffffff81573855>] kmalloc_trace+0x25/0x90 mm/slab_common.c:1114
[<ffffffff84519e7f>] kmalloc include/linux/slab.h:599 [inline]
[<ffffffff84519e7f>] kzalloc include/linux/slab.h:720 [inline]
[<ffffffff84519e7f>] hci_conn_add+0x4f/0x5e0 net/bluetooth/hci_conn.c:957
[<ffffffff8451a678>] hci_connect_acl+0x198/0x1b0 net/bluetooth/hci_conn.c:1632
[<ffffffff8451e88b>] hci_connect_sco+0x4b/0x550 net/bluetooth/hci_conn.c:1686
[<ffffffff84519e7f>] kmalloc include/linux/slab.h:599 [inline]
[<ffffffff84519e7f>] kzalloc include/linux/slab.h:720 [inline]
[<ffffffff84519e7f>] hci_conn_add+0x4f/0x5e0 net/bluetooth/hci_conn.c:957
[<ffffffff8451a678>] hci_connect_acl+0x198/0x1b0 net/bluetooth/hci_conn.c:1632
[<ffffffff8458f6e3>] sco_connect net/bluetooth/sco.c:266 [inline]
[<ffffffff8458f6e3>] sco_sock_connect+0x1c3/0x520 net/bluetooth/sco.c:591
[<ffffffff83e89281>] __sys_connect_file+0x91/0xb0 net/socket.c:2032
[<ffffffff83e89386>] __sys_connect+0xe6/0x110 net/socket.c:2049
[<ffffffff83e893cc>] __do_sys_connect net/socket.c:2059 [inline]
[<ffffffff83e893cc>] __se_sys_connect net/socket.c:2056 [inline]
[<ffffffff83e893cc>] __x64_sys_connect+0x1c/0x20 net/socket.c:2056
[<ffffffff83e89386>] __sys_connect+0xe6/0x110 net/socket.c:2049
[<ffffffff83e893cc>] __do_sys_connect net/socket.c:2059 [inline]
[<ffffffff83e893cc>] __se_sys_connect net/socket.c:2056 [inline]
[<ffffffff84b23fa8>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff84b23fa8>] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
[<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
BUG: memory leak
unreferenced object 0xffff88811bf85800 (size 512):
[<ffffffff84b23fa8>] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
[<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
BUG: memory leak
comm "kworker/u5:1", pid 4431, jiffies 4294944506 (age 15.240s)
hex dump (first 32 bytes):
00 a8 02 1b 81 88 ff ff 00 02 bf 1b 81 88 ff ff ................
fd 03 00 00 00 00 00 00 00 06 0c 00 00 00 00 00 ................
backtrace:
[<ffffffff81573855>] kmalloc_trace+0x25/0x90 mm/slab_common.c:1114
backtrace:
[<ffffffff8455480d>] kmalloc include/linux/slab.h:599 [inline]
[<ffffffff8455480d>] kzalloc include/linux/slab.h:720 [inline]
[<ffffffff8455480d>] l2cap_conn_add.part.0+0x3d/0x340 net/bluetooth/l2cap_core.c:7845
[<ffffffff845623e4>] l2cap_conn_add net/bluetooth/l2cap_core.c:71 [inline]
[<ffffffff845623e4>] l2cap_connect_cfm+0x264/0x740 net/bluetooth/l2cap_core.c:8242
[<ffffffff8451d533>] hci_connect_cfm include/net/bluetooth/hci_core.h:1935 [inline]
[<ffffffff8451d533>] hci_conn_failed+0xa3/0x120 net/bluetooth/hci_conn.c:1251
[<ffffffff84586cf6>] hci_abort_conn_sync+0x4d6/0x6d0 net/bluetooth/hci_sync.c:5435
[<ffffffff8451761d>] abort_conn_sync+0x7d/0xa0 net/bluetooth/hci_conn.c:2899
[<ffffffff8457d3dd>] hci_cmd_sync_work+0xcd/0x150 net/bluetooth/hci_sync.c:306
[<ffffffff812c8e0d>] process_one_work+0x23d/0x530 kernel/workqueue.c:2630
[<ffffffff812c99b7>] process_scheduled_works kernel/workqueue.c:2703 [inline]
[<ffffffff812c99b7>] worker_thread+0x327/0x590 kernel/workqueue.c:2784
[<ffffffff812d6e8b>] kthread+0x12b/0x170 kernel/kthread.c:388
[<ffffffff812c99b7>] process_scheduled_works kernel/workqueue.c:2703 [inline]
[<ffffffff812c99b7>] worker_thread+0x327/0x590 kernel/workqueue.c:2784
[<ffffffff81149875>] ret_from_fork+0x45/0x50 arch/x86/kernel/process.c:147
[<ffffffff81002be1>] ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
BUG: memory leak
[<ffffffff81002be1>] ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
unreferenced object 0xffff88811b02c800 (size 2048):
comm "syz-executor.0", pid 5735, jiffies 4294945055 (age 9.750s)
hex dump (first 32 bytes):
d8 8c ad 1b 81 88 ff ff 22 01 00 00 00 00 ad de ........".......
00 00 00 00 00 00 00 00 00 00 00 aa aa aa aa aa ................
backtrace:
backtrace:
[<ffffffff81573855>] kmalloc_trace+0x25/0x90 mm/slab_common.c:1114
[<ffffffff84519e7f>] kmalloc include/linux/slab.h:599 [inline]
[<ffffffff84519e7f>] kzalloc include/linux/slab.h:720 [inline]
[<ffffffff84519e7f>] hci_conn_add+0x4f/0x5e0 net/bluetooth/hci_conn.c:957
[<ffffffff8451a678>] hci_connect_acl+0x198/0x1b0 net/bluetooth/hci_conn.c:1632
[<ffffffff8451e88b>] hci_connect_sco+0x4b/0x550 net/bluetooth/hci_conn.c:1686
[<ffffffff84519e7f>] kmalloc include/linux/slab.h:599 [inline]
[<ffffffff84519e7f>] kzalloc include/linux/slab.h:720 [inline]
[<ffffffff84519e7f>] hci_conn_add+0x4f/0x5e0 net/bluetooth/hci_conn.c:957
[<ffffffff8451a678>] hci_connect_acl+0x198/0x1b0 net/bluetooth/hci_conn.c:1632
[<ffffffff8458f6e3>] sco_connect net/bluetooth/sco.c:266 [inline]
[<ffffffff8458f6e3>] sco_sock_connect+0x1c3/0x520 net/bluetooth/sco.c:591
[<ffffffff83e89281>] __sys_connect_file+0x91/0xb0 net/socket.c:2032
[<ffffffff83e89386>] __sys_connect+0xe6/0x110 net/socket.c:2049
[<ffffffff83e893cc>] __do_sys_connect net/socket.c:2059 [inline]
[<ffffffff83e893cc>] __se_sys_connect net/socket.c:2056 [inline]
[<ffffffff83e893cc>] __x64_sys_connect+0x1c/0x20 net/socket.c:2056
[<ffffffff83e89386>] __sys_connect+0xe6/0x110 net/socket.c:2049
[<ffffffff83e893cc>] __do_sys_connect net/socket.c:2059 [inline]
[<ffffffff83e893cc>] __se_sys_connect net/socket.c:2056 [inline]
[<ffffffff84b23fa8>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff84b23fa8>] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
[<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
BUG: memory leak
unreferenced object 0xffff888110523200 (size 512):
[<ffffffff84b23fa8>] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
[<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
BUG: memory leak
comm "kworker/u5:1", pid 4431, jiffies 4294945139 (age 8.910s)
hex dump (first 32 bytes):
00 c8 02 1b 81 88 ff ff c0 03 bf 1b 81 88 ff ff ................
fd 03 00 00 00 00 00 00 00 06 0c 00 00 00 00 00 ................
backtrace:
[<ffffffff81573855>] kmalloc_trace+0x25/0x90 mm/slab_common.c:1114
backtrace:
[<ffffffff8455480d>] kmalloc include/linux/slab.h:599 [inline]
[<ffffffff8455480d>] kzalloc include/linux/slab.h:720 [inline]
[<ffffffff8455480d>] l2cap_conn_add.part.0+0x3d/0x340 net/bluetooth/l2cap_core.c:7845
[<ffffffff845623e4>] l2cap_conn_add net/bluetooth/l2cap_core.c:71 [inline]
[<ffffffff845623e4>] l2cap_connect_cfm+0x264/0x740 net/bluetooth/l2cap_core.c:8242
[<ffffffff8451d533>] hci_connect_cfm include/net/bluetooth/hci_core.h:1935 [inline]
[<ffffffff8451d533>] hci_conn_failed+0xa3/0x120 net/bluetooth/hci_conn.c:1251
[<ffffffff84586cf6>] hci_abort_conn_sync+0x4d6/0x6d0 net/bluetooth/hci_sync.c:5435
[<ffffffff8451761d>] abort_conn_sync+0x7d/0xa0 net/bluetooth/hci_conn.c:2899
[<ffffffff8457d3dd>] hci_cmd_sync_work+0xcd/0x150 net/bluetooth/hci_sync.c:306
[<ffffffff812c8e0d>] process_one_work+0x23d/0x530 kernel/workqueue.c:2630
[<ffffffff812c99b7>] process_scheduled_works kernel/workqueue.c:2703 [inline]
[<ffffffff812c99b7>] worker_thread+0x327/0x590 kernel/workqueue.c:2784
[<ffffffff812d6e8b>] kthread+0x12b/0x170 kernel/kthread.c:388
[<ffffffff812c99b7>] process_scheduled_works kernel/workqueue.c:2703 [inline]
[<ffffffff812c99b7>] worker_thread+0x327/0x590 kernel/workqueue.c:2784
[<ffffffff81149875>] ret_from_fork+0x45/0x50 arch/x86/kernel/process.c:147
[<ffffffff81002be1>] ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
[<ffffffff81002be1>] ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
Tested on:
commit: 0468be89 Merge tag 'iommu-updates-v6.6' of git://git.k..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=146065a8680000
commit: 0468be89 Merge tag 'iommu-updates-v6.6' of git://git.k..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=3544ee7492950dd3
dashboard link: https://syzkaller.appspot.com/bug?extid=b6678ec6b1772e54ee6e
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1002f738680000
dashboard link: https://syzkaller.appspot.com/bug?extid=b6678ec6b1772e54ee6e
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syzbot
Jan 9, 2024, 1:17:23 PM1/9/24
to syzkall...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.
No recent activity, existing reproducers are no longer triggering the issue.
Reply all
Reply to author
Forward
0 new messages