memory leak in vhost_net_ioctl


syzbot

Jun 5, 2019, 7:42:06 PM
to a...@kernel.org, b...@vger.kernel.org, dan...@iogearbox.net, da...@davemloft.net, ha...@kernel.org, jakub.k...@netronome.com, jaso...@redhat.com, john.fa...@gmail.com, k...@vger.kernel.org, linux-...@vger.kernel.org, m...@redhat.com, net...@vger.kernel.org, syzkall...@googlegroups.com, virtual...@lists.linux-foundation.org, xdp-n...@vger.kernel.org
Hello,

syzbot found the following crash on:

HEAD commit: 788a0249 Merge tag 'arc-5.2-rc4' of git://git.kernel.org/p..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15dc9ea6a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=d5c73825cbdc7326
dashboard link: https://syzkaller.appspot.com/bug?extid=0789f0c7e45efd7bb643
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10b31761a00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=124892c1a00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+0789f0...@syzkaller.appspotmail.com

udit: type=1400 audit(1559768703.229:36): avc: denied { map } for
pid=7116 comm="syz-executor330" path="/root/syz-executor330334897"
dev="sda1" ino=16461 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
BUG: memory leak
unreferenced object 0xffff88812421fe40 (size 64):
comm "syz-executor330", pid 7117, jiffies 4294949245 (age 13.030s)
hex dump (first 32 bytes):
01 00 00 00 20 69 6f 63 00 00 00 00 64 65 76 2f .... ioc....dev/
50 fe 21 24 81 88 ff ff 50 fe 21 24 81 88 ff ff P.!$....P.!$....
backtrace:
[<00000000ae0c4ae0>] kmemleak_alloc_recursive
include/linux/kmemleak.h:55 [inline]
[<00000000ae0c4ae0>] slab_post_alloc_hook mm/slab.h:439 [inline]
[<00000000ae0c4ae0>] slab_alloc mm/slab.c:3326 [inline]
[<00000000ae0c4ae0>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
[<0000000079ebab38>] kmalloc include/linux/slab.h:547 [inline]
[<0000000079ebab38>] vhost_net_ubuf_alloc drivers/vhost/net.c:241
[inline]
[<0000000079ebab38>] vhost_net_set_backend drivers/vhost/net.c:1534
[inline]
[<0000000079ebab38>] vhost_net_ioctl+0xb43/0xc10
drivers/vhost/net.c:1716
[<000000009f6204a2>] vfs_ioctl fs/ioctl.c:46 [inline]
[<000000009f6204a2>] file_ioctl fs/ioctl.c:509 [inline]
[<000000009f6204a2>] do_vfs_ioctl+0x62a/0x810 fs/ioctl.c:696
[<00000000b45866de>] ksys_ioctl+0x86/0xb0 fs/ioctl.c:713
[<00000000dfb41eb8>] __do_sys_ioctl fs/ioctl.c:720 [inline]
[<00000000dfb41eb8>] __se_sys_ioctl fs/ioctl.c:718 [inline]
[<00000000dfb41eb8>] __x64_sys_ioctl+0x1e/0x30 fs/ioctl.c:718
[<0000000049c1f547>] do_syscall_64+0x76/0x1a0
arch/x86/entry/common.c:301
[<0000000029cc8ca7>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88812421fa80 (size 64):
comm "syz-executor330", pid 7130, jiffies 4294949755 (age 7.930s)
hex dump (first 32 bytes):
01 00 00 00 01 00 00 00 00 00 00 00 2f 76 69 72 ............/vir
90 fa 21 24 81 88 ff ff 90 fa 21 24 81 88 ff ff ..!$......!$....
backtrace:
[<00000000ae0c4ae0>] kmemleak_alloc_recursive
include/linux/kmemleak.h:55 [inline]
[<00000000ae0c4ae0>] slab_post_alloc_hook mm/slab.h:439 [inline]
[<00000000ae0c4ae0>] slab_alloc mm/slab.c:3326 [inline]
[<00000000ae0c4ae0>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
[<0000000079ebab38>] kmalloc include/linux/slab.h:547 [inline]
[<0000000079ebab38>] vhost_net_ubuf_alloc drivers/vhost/net.c:241
[inline]
[<0000000079ebab38>] vhost_net_set_backend drivers/vhost/net.c:1534
[inline]
[<0000000079ebab38>] vhost_net_ioctl+0xb43/0xc10
drivers/vhost/net.c:1716
[<000000009f6204a2>] vfs_ioctl fs/ioctl.c:46 [inline]
[<000000009f6204a2>] file_ioctl fs/ioctl.c:509 [inline]
[<000000009f6204a2>] do_vfs_ioctl+0x62a/0x810 fs/ioctl.c:696
[<00000000b45866de>] ksys_ioctl+0x86/0xb0 fs/ioctl.c:713
[<00000000dfb41eb8>] __do_sys_ioctl fs/ioctl.c:720 [inline]
[<00000000dfb41eb8>] __se_sys_ioctl fs/ioctl.c:718 [inline]
[<00000000dfb41eb8>] __x64_sys_ioctl+0x1e/0x30 fs/ioctl.c:718
[<0000000049c1f547>] do_syscall_64+0x76/0x1a0
arch/x86/entry/common.c:301
[<0000000029cc8ca7>] entry_SYSCALL_64_after_hwframe+0x44/0xa9



---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

Hillf Danton

Jun 6, 2019, 10:40:33 AM
to syzbot, a...@kernel.org, b...@vger.kernel.org, dan...@iogearbox.net, da...@davemloft.net, ha...@kernel.org, jakub.k...@netronome.com, jaso...@redhat.com, john.fa...@gmail.com, k...@vger.kernel.org, linux-...@vger.kernel.org, m...@redhat.com, net...@vger.kernel.org, syzkall...@googlegroups.com, virtual...@lists.linux-foundation.org, xdp-n...@vger.kernel.org
Ignore my noise if you have no interest in seeing the syzbot report.

After commit c38e39c378f46f ("vhost-net: fix use-after-free in
vhost_net_flush") flush would no longer free ubuf, just wait until ubuf users
disappear instead.

The following diff, in the hope that it may perhaps help you handle the memory leak,
makes flush able to free ubuf in the path of file release.

Thanks
Hillf
---
drivers/vhost/net.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
index 3beb401..dcf20b6 100644
--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
@@ -141,6 +141,7 @@ struct vhost_net {
unsigned tx_zcopy_err;
/* Flush in progress. Protected by tx vq lock. */
bool tx_flush;
+ bool ld; /* Last dinner */
/* Private page frag */
struct page_frag page_frag;
/* Refcount bias of page frag */
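Review bot: the new field name `ld` and its comment `/* Last dinner */` do not tell a reader what the flag means; the neighbouring `tx_flush` is documented with its purpose and its lock ("Protected by tx vq lock"), and this flag should get the same treatment, e.g. a name such as `releasing` with a comment stating that it is set only once, on the file-release path, before the final flush, and so needs no locking. Without that, the first hunk reads as an unexplained boolean that later hunks branch on.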
@@ -1283,6 +1284,7 @@ static int vhost_net_open(struct inode *inode, struct file *f)
n = kvmalloc(sizeof *n, GFP_KERNEL | __GFP_RETRY_MAYFAIL);
if (!n)
return -ENOMEM;
+ n->ld = false;
vqs = kmalloc_array(VHOST_NET_VQ_MAX, sizeof(*vqs), GFP_KERNEL);
if (!vqs) {
kvfree(n);
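Review bot: the explicit `n->ld = false;` is needed only because the `kvmalloc()` two lines above returns uninitialised memory; that is fine, but it is the kind of per-field initialisation that is easy to miss when the next flag is added. Either switch that allocation to `kvzalloc()` (then the assignment can go) or keep the assignment next to the other field setup of `n` rather than between the two allocations.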
@@ -1376,7 +1378,10 @@ static void vhost_net_flush(struct vhost_net *n)
n->tx_flush = true;
mutex_unlock(&n->vqs[VHOST_NET_VQ_TX].vq.mutex);
/* Wait for all lower device DMAs done. */
- vhost_net_ubuf_put_and_wait(n->vqs[VHOST_NET_VQ_TX].ubufs);
+ if (n->ld)
+ vhost_net_ubuf_put_wait_and_free(n->vqs[VHOST_NET_VQ_TX].ubufs);
+ else
+ vhost_net_ubuf_put_and_wait(n->vqs[VHOST_NET_VQ_TX].ubufs);
mutex_lock(&n->vqs[VHOST_NET_VQ_TX].vq.mutex);
n->tx_flush = false;
atomic_set(&n->vqs[VHOST_NET_VQ_TX].ubufs->refcount, 1);
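Review bot: in the `n->ld` branch `vhost_net_ubuf_put_wait_and_free()` frees the ubufs object, yet the unchanged context three lines further down, `atomic_set(&n->vqs[VHOST_NET_VQ_TX].ubufs->refcount, 1);`, dereferences that same pointer after the mutex is retaken, so the release path now has a use-after-free on the object it has just freed (the class of bug that c38e39c378f4, cited in the message above, removed from this function). Either return before the `atomic_set()` when `n->ld` is set, or do the free after the final flush in `vhost_net_release()` instead of inside `vhost_net_flush()`, which is what Jason suggests below.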
@@ -1403,6 +1408,7 @@ static int vhost_net_release(struct inode *inode, struct file *f)
synchronize_rcu();
/* We do an extra flush before freeing memory,
* since jobs can re-queue themselves. */
+ n->ld = true;
vhost_net_flush(n);
kfree(n->vqs[VHOST_NET_VQ_RX].rxq.queue);
kfree(n->vqs[VHOST_NET_VQ_TX].xdp);
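Review bot: after this flush has freed the TX ubufs, `n->vqs[VHOST_NET_VQ_TX].ubufs` still points at the freed object while the surrounding `kfree()` calls tear down the rest of the vq state. Set the pointer to NULL right after `vhost_net_flush(n);` so that nothing later on the release path (or any reset helper that checks the pointer) can touch the stale object.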
--

Jason Wang

Jun 13, 2019, 5:10:31 AM
to Hillf Danton, syzbot, a...@kernel.org, b...@vger.kernel.org, dan...@iogearbox.net, da...@davemloft.net, ha...@kernel.org, jakub.k...@netronome.com, john.fa...@gmail.com, k...@vger.kernel.org, linux-...@vger.kernel.org, m...@redhat.com, net...@vger.kernel.org, syzkall...@googlegroups.com, virtual...@lists.linux-foundation.org, xdp-n...@vger.kernel.org
This is basically a kfree(ubuf) after the second vhost_net_flush() in
vhost_net_release().

Could you please post a formal patch?

Thanks

Hillf Danton

Jun 13, 2019, 8:07:21 AM
to Jason Wang, syzbot, a...@kernel.org, b...@vger.kernel.org, dan...@iogearbox.net, da...@davemloft.net, ha...@kernel.org, jakub.k...@netronome.com, john.fa...@gmail.com, k...@vger.kernel.org, linux-...@vger.kernel.org, m...@redhat.com, net...@vger.kernel.org, syzkall...@googlegroups.com, virtual...@lists.linux-foundation.org, xdp-n...@vger.kernel.org

Hello Jason

On Thu, 13 Jun 2019 17:10:39 +0800 Jason Wang wrote:
>
> This is basically a kfree(ubuf) after the second vhost_net_flush() in
> vhost_net_release().
>
Fairly good catch.

> Could you please post a formal patch?
>
I'd like very much to do that; but I won't, I am afraid, until I collect a
Tested-by, because of a reproducer without a cutting edge.

Thanks
Hillf

Dmitry Vyukov

Jun 13, 2019, 8:12:04 AM
to Hillf Danton, Jason Wang, syzbot, a...@kernel.org, b...@vger.kernel.org, dan...@iogearbox.net, da...@davemloft.net, ha...@kernel.org, jakub.k...@netronome.com, john.fa...@gmail.com, k...@vger.kernel.org, linux-...@vger.kernel.org, m...@redhat.com, net...@vger.kernel.org, syzkall...@googlegroups.com, virtual...@lists.linux-foundation.org, xdp-n...@vger.kernel.org
You can easily collect Tested-by from syzbot for any bug with a reproducer ;)
https://github.com/google/syzkaller/blob/master/docs/syzbot.md#testing-patches

Dmitry Vyukov

Jun 13, 2019, 10:55:41 AM
to Hillf Danton, Michael S. Tsirkin, Jason Wang, syzbot, a...@kernel.org, b...@vger.kernel.org, dan...@iogearbox.net, da...@davemloft.net, ha...@kernel.org, jakub.k...@netronome.com, john.fa...@gmail.com, k...@vger.kernel.org, linux-...@vger.kernel.org, net...@vger.kernel.org, syzkall...@googlegroups.com, virtual...@lists.linux-foundation.org, xdp-n...@vger.kernel.org, Asias He
On Thu, Jun 13, 2019 at 4:15 PM Hillf Danton <hda...@sina.com> wrote:
>
>
> Hello Dmitry
> Thank you for the light you are casting.

:)

But you did not ask syzbot to test. That would be something like this
(keeping syzbot email in CC):

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
master

(I've attached the patch because my email client is incapable of
sending non-corrupted patches inline, but otherwise inline patches
should work too).


> Here it goes.
> --->8--------
> From: Hillf Danton <hda...@sina.com>
> Subject: [PATCH] vhost: fix memory leak in vhost_net_release
>
> syzbot found the following crash on:
>
> HEAD commit: 788a0249 Merge tag 'arc-5.2-rc4' of git://git.kernel.org/p..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=15dc9ea6a00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=d5c73825cbdc7326
> dashboard link: https://syzkaller.appspot.com/bug?extid=0789f0c7e45efd7bb643
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10b31761a00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=124892c1a00000
>
>
> udit: type=1400 audit(1559768703.229:36): avc: denied { map } for
> pid=7116 comm="syz-executor330" path="/root/syz-executor330334897"
> dev="sda1" ino=16461 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
> End of syzbot report.
>
> The function vhost_net_ubuf_alloc() appears in the two cases of dump info, for
> pid 7130 and 7117, suggesting that it is a ubuf leak.
>
> Since commit c38e39c378f4 ("vhost-net: fix use-after-free in vhost_net_flush")
> the function vhost_net_flush() has no longer been releasing ubuf.
>
> Freeing the slab after the last flush in the release path fixes it.
>
>
> Fixes: c38e39c378f4 ("vhost-net: fix use-after-free in vhost_net_flush")
> Reported-by: Syzbot <syzbot+0789f0...@syzkaller.appspotmail.com>
> Suggested-by: Jason Wang <jaso...@redhat.com>
> Cc: Dmitry Vyukov <dvy...@google.com>
> Cc: Asias He <as...@redhat.com>
> Signed-off-by: Hillf Danton <hda...@sina.com>
> ---
> This is sent only for collecting Tested-by.
>
> drivers/vhost/net.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
> index 3beb401..22fae0a 100644
> --- a/drivers/vhost/net.c
> +++ b/drivers/vhost/net.c
> @@ -1404,6 +1404,7 @@ static int vhost_net_release(struct inode *inode, struct file *f)
> /* We do an extra flush before freeing memory,
> * since jobs can re-queue themselves. */
> vhost_net_flush(n);
> + kfree(n->vqs[VHOST_NET_VQ_TX].ubufs);
> kfree(n->vqs[VHOST_NET_VQ_RX].rxq.queue);
> kfree(n->vqs[VHOST_NET_VQ_TX].xdp);
> kfree(n->dev.vqs);
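Review bot: a bare `kfree()` of `n->vqs[VHOST_NET_VQ_TX].ubufs` bypasses the refcount handling that `vhost_net_ubuf_put_wait_and_free()` (the helper the first diff in this thread used) provides, and it relies on the preceding `vhost_net_flush(n)` having left no zero-copy completion holding the pointer; using the helper here would keep the wait semantics and stay consistent with the rest of the file. The commit message should also justify freeing only the TX vq's ubufs at this single point: syzbot's test of this exact patch, further down the thread, still reports the leak with `vhost_net_ubuf_alloc` in every backtrace, so the object is escaping somewhere other than the release path this hunk covers.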
> --
>

syzbot

Jun 13, 2019, 2:26:01 PM
to as...@redhat.com, a...@kernel.org, b...@vger.kernel.org, dan...@iogearbox.net, da...@davemloft.net, dvy...@google.com, ha...@kernel.org, hda...@sina.com, jakub.k...@netronome.com, jaso...@redhat.com, john.fa...@gmail.com, k...@vger.kernel.org, linux-...@vger.kernel.org, m...@redhat.com, net...@vger.kernel.org, syzkall...@googlegroups.com, virtual...@lists.linux-foundation.org, xdp-n...@vger.kernel.org
Hello,

syzbot has tested the proposed patch but the reproducer still triggered
crash:
memory leak in vhost_net_ioctl

ANGE): hsr_slave_1: link becomes ready
2019/06/13 18:24:57 executed programs: 18
BUG: memory leak
unreferenced object 0xffff88811cbc6ac0 (size 64):
comm "syz-executor.0", pid 7196, jiffies 4294943804 (age 14.770s)
hex dump (first 32 bytes):
01 00 00 00 81 88 ff ff 00 00 00 00 82 88 ff ff ................
d0 6a bc 1c 81 88 ff ff d0 6a bc 1c 81 88 ff ff .j.......j......
backtrace:
[<000000006c752978>] kmemleak_alloc_recursive
include/linux/kmemleak.h:43 [inline]
[<000000006c752978>] slab_post_alloc_hook mm/slab.h:439 [inline]
[<000000006c752978>] slab_alloc mm/slab.c:3326 [inline]
[<000000006c752978>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
[<00000000b3825d52>] kmalloc include/linux/slab.h:547 [inline]
[<00000000b3825d52>] vhost_net_ubuf_alloc drivers/vhost/net.c:241
[inline]
[<00000000b3825d52>] vhost_net_set_backend drivers/vhost/net.c:1535
[inline]
[<00000000b3825d52>] vhost_net_ioctl+0xb43/0xc10
drivers/vhost/net.c:1717
[<00000000700f02d7>] vfs_ioctl fs/ioctl.c:46 [inline]
[<00000000700f02d7>] file_ioctl fs/ioctl.c:509 [inline]
[<00000000700f02d7>] do_vfs_ioctl+0x62a/0x810 fs/ioctl.c:696
[<000000009a0ec0a7>] ksys_ioctl+0x86/0xb0 fs/ioctl.c:713
[<00000000d9416323>] __do_sys_ioctl fs/ioctl.c:720 [inline]
[<00000000d9416323>] __se_sys_ioctl fs/ioctl.c:718 [inline]
[<00000000d9416323>] __x64_sys_ioctl+0x1e/0x30 fs/ioctl.c:718
[<00000000e4407a23>] do_syscall_64+0x76/0x1a0
arch/x86/entry/common.c:301
[<000000008715c149>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88810b1365c0 (size 64):
comm "syz-executor.2", pid 7193, jiffies 4294943823 (age 14.580s)
hex dump (first 32 bytes):
01 00 00 00 81 88 ff ff 00 00 00 00 81 88 ff ff ................
d0 65 13 0b 81 88 ff ff d0 65 13 0b 81 88 ff ff .e.......e......
backtrace:
[<000000006c752978>] kmemleak_alloc_recursive
include/linux/kmemleak.h:43 [inline]
[<000000006c752978>] slab_post_alloc_hook mm/slab.h:439 [inline]
[<000000006c752978>] slab_alloc mm/slab.c:3326 [inline]
[<000000006c752978>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
[<00000000b3825d52>] kmalloc include/linux/slab.h:547 [inline]
[<00000000b3825d52>] vhost_net_ubuf_alloc drivers/vhost/net.c:241
[inline]
[<00000000b3825d52>] vhost_net_set_backend drivers/vhost/net.c:1535
[inline]
[<00000000b3825d52>] vhost_net_ioctl+0xb43/0xc10
drivers/vhost/net.c:1717
[<00000000700f02d7>] vfs_ioctl fs/ioctl.c:46 [inline]
[<00000000700f02d7>] file_ioctl fs/ioctl.c:509 [inline]
[<00000000700f02d7>] do_vfs_ioctl+0x62a/0x810 fs/ioctl.c:696
[<000000009a0ec0a7>] ksys_ioctl+0x86/0xb0 fs/ioctl.c:713
[<00000000d9416323>] __do_sys_ioctl fs/ioctl.c:720 [inline]
[<00000000d9416323>] __se_sys_ioctl fs/ioctl.c:718 [inline]
[<00000000d9416323>] __x64_sys_ioctl+0x1e/0x30 fs/ioctl.c:718
[<00000000e4407a23>] do_syscall_64+0x76/0x1a0
arch/x86/entry/common.c:301
[<000000008715c149>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88810be23700 (size 64):
comm "syz-executor.3", pid 7194, jiffies 4294943823 (age 14.580s)
hex dump (first 32 bytes):
01 00 00 00 00 00 00 00 00 00 00 00 00 c9 ff ff ................
10 37 e2 0b 81 88 ff ff 10 37 e2 0b 81 88 ff ff .7.......7......
backtrace:
[<000000006c752978>] kmemleak_alloc_recursive
include/linux/kmemleak.h:43 [inline]
[<000000006c752978>] slab_post_alloc_hook mm/slab.h:439 [inline]
[<000000006c752978>] slab_alloc mm/slab.c:3326 [inline]
[<000000006c752978>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
[<00000000b3825d52>] kmalloc include/linux/slab.h:547 [inline]
[<00000000b3825d52>] vhost_net_ubuf_alloc drivers/vhost/net.c:241
[inline]
[<00000000b3825d52>] vhost_net_set_backend drivers/vhost/net.c:1535
[inline]
[<00000000b3825d52>] vhost_net_ioctl+0xb43/0xc10
drivers/vhost/net.c:1717
[<00000000700f02d7>] vfs_ioctl fs/ioctl.c:46 [inline]
[<00000000700f02d7>] file_ioctl fs/ioctl.c:509 [inline]
[<00000000700f02d7>] do_vfs_ioctl+0x62a/0x810 fs/ioctl.c:696
[<000000009a0ec0a7>] ksys_ioctl+0x86/0xb0 fs/ioctl.c:713
[<00000000d9416323>] __do_sys_ioctl fs/ioctl.c:720 [inline]
[<00000000d9416323>] __se_sys_ioctl fs/ioctl.c:718 [inline]
[<00000000d9416323>] __x64_sys_ioctl+0x1e/0x30 fs/ioctl.c:718
[<00000000e4407a23>] do_syscall_64+0x76/0x1a0
arch/x86/entry/common.c:301
[<000000008715c149>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88810b136500 (size 64):
comm "syz-executor.6", pid 7228, jiffies 4294943827 (age 14.540s)
hex dump (first 32 bytes):
01 00 00 00 20 69 6f 63 00 00 00 00 64 65 76 2f .... ioc....dev/
10 65 13 0b 81 88 ff ff 10 65 13 0b 81 88 ff ff .e.......e......
backtrace:
[<000000006c752978>] kmemleak_alloc_recursive
include/linux/kmemleak.h:43 [inline]
[<000000006c752978>] slab_post_alloc_hook mm/slab.h:439 [inline]
[<000000006c752978>] slab_alloc mm/slab.c:3326 [inline]
[<000000006c752978>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
[<00000000b3825d52>] kmalloc include/linux/slab.h:547 [inline]
[<00000000b3825d52>] vhost_net_ubuf_alloc drivers/vhost/net.c:241
[inline]
[<00000000b3825d52>] vhost_net_set_backend drivers/vhost/net.c:1535
[inline]
[<00000000b3825d52>] vhost_net_ioctl+0xb43/0xc10
drivers/vhost/net.c:1717
[<00000000700f02d7>] vfs_ioctl fs/ioctl.c:46 [inline]
[<00000000700f02d7>] file_ioctl fs/ioctl.c:509 [inline]
[<00000000700f02d7>] do_vfs_ioctl+0x62a/0x810 fs/ioctl.c:696
[<000000009a0ec0a7>] ksys_ioctl+0x86/0xb0 fs/ioctl.c:713
[<00000000d9416323>] __do_sys_ioctl fs/ioctl.c:720 [inline]
[<00000000d9416323>] __se_sys_ioctl fs/ioctl.c:718 [inline]
[<00000000d9416323>] __x64_sys_ioctl+0x1e/0x30 fs/ioctl.c:718
[<00000000e4407a23>] do_syscall_64+0x76/0x1a0
arch/x86/entry/common.c:301
[<000000008715c149>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88810b9cfec0 (size 64):
comm "syz-executor.7", pid 7236, jiffies 4294943829 (age 14.520s)
hex dump (first 32 bytes):
01 00 00 00 20 69 6f 63 00 00 00 00 64 65 76 2f .... ioc....dev/
d0 fe 9c 0b 81 88 ff ff d0 fe 9c 0b 81 88 ff ff ................
backtrace:
[<000000006c752978>] kmemleak_alloc_recursive
include/linux/kmemleak.h:43 [inline]
[<000000006c752978>] slab_post_alloc_hook mm/slab.h:439 [inline]
[<000000006c752978>] slab_alloc mm/slab.c:3326 [inline]
[<000000006c752978>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
[<00000000b3825d52>] kmalloc include/linux/slab.h:547 [inline]
[<00000000b3825d52>] vhost_net_ubuf_alloc drivers/vhost/net.c:241
[inline]
[<00000000b3825d52>] vhost_net_set_backend drivers/vhost/net.c:1535
[inline]
[<00000000b3825d52>] vhost_net_ioctl+0xb43/0xc10
drivers/vhost/net.c:1717
[<00000000700f02d7>] vfs_ioctl fs/ioctl.c:46 [inline]
[<00000000700f02d7>] file_ioctl fs/ioctl.c:509 [inline]
[<00000000700f02d7>] do_vfs_ioctl+0x62a/0x810 fs/ioctl.c:696
[<000000009a0ec0a7>] ksys_ioctl+0x86/0xb0 fs/ioctl.c:713
[<00000000d9416323>] __do_sys_ioctl fs/ioctl.c:720 [inline]
[<00000000d9416323>] __se_sys_ioctl fs/ioctl.c:718 [inline]
[<00000000d9416323>] __x64_sys_ioctl+0x1e/0x30 fs/ioctl.c:718
[<00000000e4407a23>] do_syscall_64+0x76/0x1a0
arch/x86/entry/common.c:301
[<000000008715c149>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88810b9cd380 (size 64):
comm "syz-executor.4", pid 7218, jiffies 4294943834 (age 14.470s)
hex dump (first 32 bytes):
01 00 00 00 81 88 ff ff 00 00 00 00 81 88 ff ff ................
90 d3 9c 0b 81 88 ff ff 90 d3 9c 0b 81 88 ff ff ................
backtrace:
[<000000006c752978>] kmemleak_alloc_recursive
include/linux/kmemleak.h:43 [inline]
[<000000006c752978>] slab_post_alloc_hook mm/slab.h:439 [inline]
[<000000006c752978>] slab_alloc mm/slab.c:3326 [inline]
[<000000006c752978>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
[<00000000b3825d52>] kmalloc include/linux/slab.h:547 [inline]
[<00000000b3825d52>] vhost_net_ubuf_alloc drivers/vhost/net.c:241
[inline]
[<00000000b3825d52>] vhost_net_set_backend drivers/vhost/net.c:1535
[inline]
[<00000000b3825d52>] vhost_net_ioctl+0xb43/0xc10
drivers/vhost/net.c:1717
[<00000000700f02d7>] vfs_ioctl fs/ioctl.c:46 [inline]
[<00000000700f02d7>] file_ioctl fs/ioctl.c:509 [inline]
[<00000000700f02d7>] do_vfs_ioctl+0x62a/0x810 fs/ioctl.c:696
[<000000009a0ec0a7>] ksys_ioctl+0x86/0xb0 fs/ioctl.c:713
[<00000000d9416323>] __do_sys_ioctl fs/ioctl.c:720 [inline]
[<00000000d9416323>] __se_sys_ioctl fs/ioctl.c:718 [inline]
[<00000000d9416323>] __x64_sys_ioctl+0x1e/0x30 fs/ioctl.c:718
[<00000000e4407a23>] do_syscall_64+0x76/0x1a0
arch/x86/entry/common.c:301
[<000000008715c149>] entry_SYSCALL_64_after_hwframe+0x44/0xa9



Tested on:

commit: c11fb13a Merge branch 'for-linus' of git://git.kernel.org/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11c6b666a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=cb38d33cd06d8d48
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=11ff0de1a00000

Hillf Danton

Jun 13, 2019, 10:45:32 PM
to syzbot, a...@kernel.org, b...@vger.kernel.org, dan...@iogearbox.net, da...@davemloft.net, dvy...@google.com, ha...@kernel.org, hda...@sina.com, jakub.k...@netronome.com, jaso...@redhat.com, john.fa...@gmail.com, k...@vger.kernel.org, linux-...@vger.kernel.org, m...@redhat.com, net...@vger.kernel.org, syzkall...@googlegroups.com, virtual...@lists.linux-foundation.org, xdp-n...@vger.kernel.org

Hello Syzbot

On Fri, 14 Jun 2019 02:26:02 +0800 syzbot wrote:
>
> Hello,
>
> syzbot has tested the proposed patch but the reproducer still triggered crash:
> memory leak in vhost_net_ioctl
>
Oh sorry for my poor patch.
And I want to try again with the following tiny diff, made based on the logic:

1_> vhost_net_ubuf_alloc() in the dump info suggests that it is a ubuf leak.

2_> commit c38e39c378f4 ("vhost-net: fix use-after-free in vhost_net_flush")
makes vhost_net_flush() no longer release ubuf.

3_> in both the reset_owner and release paths (see vhost_net_reset_owner() and
vhost_net_release() please), vq is reset in the wake of flush:

vhost_net_flush(n);
vhost_dev_stop(&n->dev);
vhost_dev_cleanup(&n->dev);
vhost_net_vq_reset(n);

4_> the ubufs pointer is cleared in vhost_net_vq_reset()
Can you give it a shot please if there is not anything missed in the
above logic?


Thanks
Hillf
------->8---
---
drivers/vhost/net.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
index 3beb401..87db9b3 100644
--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
@@ -309,6 +309,8 @@ static void vhost_net_vq_reset(struct vhost_net *n)
for (i = 0; i < VHOST_NET_VQ_MAX; i++) {
n->vqs[i].done_idx = 0;
n->vqs[i].upend_idx = 0;
+ if (n->vqs[i].ubufs)
+ vhost_net_ubuf_put_wait_and_free(n->vqs[i].ubufs);
n->vqs[i].ubufs = NULL;
n->vqs[i].vhost_hlen = 0;
n->vqs[i].sock_hlen = 0;
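Review bot: the conditional free is safe only if `vhost_net_vq_reset()` is always reached after a `vhost_net_flush()`, as the message above states for the reset_owner and release paths; `vhost_net_ubuf_put_wait_and_free()` waits for the refcount to drop, so calling it on a vq that was not flushed first would block under whatever lock the caller holds. Please record that invariant in a comment next to the new lines. Note also that the loop runs over every vq, including RX, and only works because the RX ubufs stays NULL and the `if (n->vqs[i].ubufs)` check skips it.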
--

syzbot

Jun 13, 2019, 11:04:02 PM
to a...@kernel.org, b...@vger.kernel.org, dan...@iogearbox.net, da...@davemloft.net, dvy...@google.com, ha...@kernel.org, hda...@sina.com, jakub.k...@netronome.com, jaso...@redhat.com, john.fa...@gmail.com, k...@vger.kernel.org, linux-...@vger.kernel.org, m...@redhat.com, net...@vger.kernel.org, syzkall...@googlegroups.com, virtual...@lists.linux-foundation.org, xdp-n...@vger.kernel.org
Hello,

syzbot has tested the proposed patch but the reproducer still triggered
crash:
memory leak in batadv_tvlv_handler_register

484.626788][ T156] bond0 (unregistering): Releasing backup interface
bond_slave_1
Warning: Permanently added '10.128.0.87' (ECDSA) to the list of known hosts.
BUG: memory leak
unreferenced object 0xffff88811d25c4c0 (size 64):
comm "softirq", pid 0, jiffies 4294943668 (age 434.830s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 e0 fc 5b 20 81 88 ff ff ..........[ ....
00 00 00 00 00 00 00 00 20 91 15 83 ff ff ff ff ........ .......
backtrace:
[<000000000045bc9d>] kmemleak_alloc_recursive
include/linux/kmemleak.h:43 [inline]
[<000000000045bc9d>] slab_post_alloc_hook mm/slab.h:439 [inline]
[<000000000045bc9d>] slab_alloc mm/slab.c:3326 [inline]
[<000000000045bc9d>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
[<00000000197d773e>] kmalloc include/linux/slab.h:547 [inline]
[<00000000197d773e>] kzalloc include/linux/slab.h:742 [inline]
[<00000000197d773e>] batadv_tvlv_handler_register+0xae/0x140
net/batman-adv/tvlv.c:529
[<00000000fa9f11af>] batadv_tt_init+0x78/0x180
net/batman-adv/translation-table.c:4411
[<000000008c50839d>] batadv_mesh_init+0x196/0x230
net/batman-adv/main.c:208
[<000000001c5a74a3>] batadv_softif_init_late+0x1ca/0x220
net/batman-adv/soft-interface.c:861
[<000000004e676cd1>] register_netdevice+0xbf/0x600 net/core/dev.c:8635
[<000000005601497b>] __rtnl_newlink+0xaca/0xb30
net/core/rtnetlink.c:3199
[<00000000ad02cf5e>] rtnl_newlink+0x4e/0x80 net/core/rtnetlink.c:3245
[<00000000eceb53af>] rtnetlink_rcv_msg+0x178/0x4b0
net/core/rtnetlink.c:5214
[<00000000140451f6>] netlink_rcv_skb+0x61/0x170
net/netlink/af_netlink.c:2482
[<00000000237e38f7>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5232
[<000000000d47c000>] netlink_unicast_kernel
net/netlink/af_netlink.c:1307 [inline]
[<000000000d47c000>] netlink_unicast+0x1ec/0x2d0
net/netlink/af_netlink.c:1333
[<0000000098503d79>] netlink_sendmsg+0x26a/0x480
net/netlink/af_netlink.c:1922
[<000000009263e868>] sock_sendmsg_nosec net/socket.c:646 [inline]
[<000000009263e868>] sock_sendmsg+0x54/0x70 net/socket.c:665
[<000000007791ad47>] __sys_sendto+0x148/0x1f0 net/socket.c:1958
[<00000000d6f3807d>] __do_sys_sendto net/socket.c:1970 [inline]
[<00000000d6f3807d>] __se_sys_sendto net/socket.c:1966 [inline]
[<00000000d6f3807d>] __x64_sys_sendto+0x2a/0x30 net/socket.c:1966

BUG: memory leak
unreferenced object 0xffff8881024a3340 (size 64):
comm "softirq", pid 0, jiffies 4294943678 (age 434.730s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 e0 2c 66 04 81 88 ff ff .........,f.....
00 00 00 00 00 00 00 00 20 91 15 83 ff ff ff ff ........ .......
backtrace:
[<000000000045bc9d>] kmemleak_alloc_recursive
include/linux/kmemleak.h:43 [inline]
[<000000000045bc9d>] slab_post_alloc_hook mm/slab.h:439 [inline]
[<000000000045bc9d>] slab_alloc mm/slab.c:3326 [inline]
[<000000000045bc9d>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
[<00000000197d773e>] kmalloc include/linux/slab.h:547 [inline]
[<00000000197d773e>] kzalloc include/linux/slab.h:742 [inline]
[<00000000197d773e>] batadv_tvlv_handler_register+0xae/0x140
net/batman-adv/tvlv.c:529
[<00000000fa9f11af>] batadv_tt_init+0x78/0x180
net/batman-adv/translation-table.c:4411
[<000000008c50839d>] batadv_mesh_init+0x196/0x230
net/batman-adv/main.c:208
[<000000001c5a74a3>] batadv_softif_init_late+0x1ca/0x220
net/batman-adv/soft-interface.c:861
[<000000004e676cd1>] register_netdevice+0xbf/0x600 net/core/dev.c:8635
[<000000005601497b>] __rtnl_newlink+0xaca/0xb30
net/core/rtnetlink.c:3199
[<00000000ad02cf5e>] rtnl_newlink+0x4e/0x80 net/core/rtnetlink.c:3245
[<00000000eceb53af>] rtnetlink_rcv_msg+0x178/0x4b0
net/core/rtnetlink.c:5214
[<00000000140451f6>] netlink_rcv_skb+0x61/0x170
net/netlink/af_netlink.c:2482
[<00000000237e38f7>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5232
[<000000000d47c000>] netlink_unicast_kernel
net/netlink/af_netlink.c:1307 [inline]
[<000000000d47c000>] netlink_unicast+0x1ec/0x2d0
net/netlink/af_netlink.c:1333
[<0000000098503d79>] netlink_sendmsg+0x26a/0x480
net/netlink/af_netlink.c:1922
[<000000009263e868>] sock_sendmsg_nosec net/socket.c:646 [inline]
[<000000009263e868>] sock_sendmsg+0x54/0x70 net/socket.c:665
[<000000007791ad47>] __sys_sendto+0x148/0x1f0 net/socket.c:1958
[<00000000d6f3807d>] __do_sys_sendto net/socket.c:1970 [inline]
[<00000000d6f3807d>] __se_sys_sendto net/socket.c:1966 [inline]
[<00000000d6f3807d>] __x64_sys_sendto+0x2a/0x30 net/socket.c:1966

BUG: memory leak
unreferenced object 0xffff888108a71b80 (size 128):
comm "syz-executor.3", pid 7367, jiffies 4294943696 (age 434.550s)
hex dump (first 32 bytes):
f0 f8 bf 02 81 88 ff ff f0 f8 bf 02 81 88 ff ff ................
1a dc 77 da 54 a0 be 41 64 20 e9 56 ff ff ff ff ..w.T..Ad .V....
backtrace:
[<000000000045bc9d>] kmemleak_alloc_recursive
include/linux/kmemleak.h:43 [inline]
[<000000000045bc9d>] slab_post_alloc_hook mm/slab.h:439 [inline]
[<000000000045bc9d>] slab_alloc mm/slab.c:3326 [inline]
[<000000000045bc9d>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
[<00000000cc6863ae>] kmalloc include/linux/slab.h:547 [inline]
[<00000000cc6863ae>] hsr_create_self_node+0x42/0x150
net/hsr/hsr_framereg.c:84
[<000000000e2bb6b0>] hsr_dev_finalize+0xa4/0x233
net/hsr/hsr_device.c:441
[<000000003b100a4a>] hsr_newlink+0xf3/0x140 net/hsr/hsr_netlink.c:69
[<00000000b5efb0eb>] __rtnl_newlink+0x892/0xb30
net/core/rtnetlink.c:3187
[<00000000ad02cf5e>] rtnl_newlink+0x4e/0x80 net/core/rtnetlink.c:3245
[<00000000eceb53af>] rtnetlink_rcv_msg+0x178/0x4b0
net/core/rtnetlink.c:5214
[<00000000140451f6>] netlink_rcv_skb+0x61/0x170
net/netlink/af_netlink.c:2482
[<00000000237e38f7>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5232
[<000000000d47c000>] netlink_unicast_kernel
net/netlink/af_netlink.c:1307 [inline]
[<000000000d47c000>] netlink_unicast+0x1ec/0x2d0
net/netlink/af_netlink.c:1333
[<0000000098503d79>] netlink_sendmsg+0x26a/0x480
net/netlink/af_netlink.c:1922
[<000000009263e868>] sock_sendmsg_nosec net/socket.c:646 [inline]
[<000000009263e868>] sock_sendmsg+0x54/0x70 net/socket.c:665
[<000000007791ad47>] __sys_sendto+0x148/0x1f0 net/socket.c:1958
[<00000000d6f3807d>] __do_sys_sendto net/socket.c:1970 [inline]
[<00000000d6f3807d>] __se_sys_sendto net/socket.c:1966 [inline]
[<00000000d6f3807d>] __x64_sys_sendto+0x2a/0x30 net/socket.c:1966
[<000000003ba31db7>] do_syscall_64+0x76/0x1a0
arch/x86/entry/common.c:301
[<0000000075c8daad>] entry_SYSCALL_64_after_hwframe+0x44/0xa9



Tested on:

commit: c11fb13a Merge branch 'for-linus' of git://git.kernel.org/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15c8f3b6a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=cb38d33cd06d8d48
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
patch: https://syzkaller.appspot.com/x/patch.diff?x=12477101a00000

Hillf Danton

Jun 14, 2019, 2:32:00 AM
to syzbot, a...@kernel.org, b...@vger.kernel.org, dan...@iogearbox.net, da...@davemloft.net, dvy...@google.com, ha...@kernel.org, hda...@sina.com, jakub.k...@netronome.com, jaso...@redhat.com, john.fa...@gmail.com, k...@vger.kernel.org, linux-...@vger.kernel.org, m...@redhat.com, net...@vger.kernel.org, syzkall...@googlegroups.com, virtual...@lists.linux-foundation.org, xdp-n...@vger.kernel.org

Hello Syzbot

On Fri, 14 Jun 2019 11:04:03 +0800 syzbot wrote:
>
>Hello,
>
>syzbot has tested the proposed patch but the reproducer still triggered crash:
>memory leak in batadv_tvlv_handler_register
>
It is not the ubuf leak that is addressed in this thread. Good news.
I will see this new leak soon.
Oh, another one.

> [<000000000e2bb6b0>] hsr_dev_finalize+0xa4/0x233 net/hsr/hsr_device.c:441
> [<000000003b100a4a>] hsr_newlink+0xf3/0x140 net/hsr/hsr_netlink.c:69
> [<00000000b5efb0eb>] __rtnl_newlink+0x892/0xb30 net/core/rtnetlink.c:3187
> [<00000000ad02cf5e>] rtnl_newlink+0x4e/0x80 net/core/rtnetlink.c:3245
> [<00000000eceb53af>] rtnetlink_rcv_msg+0x178/0x4b0 net/core/rtnetlink.c:5214
> [<00000000140451f6>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2482
> [<00000000237e38f7>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5232
> [<000000000d47c000>] netlink_unicast_kernel net/netlink/af_netlink.c:1307 [inline]
> [<000000000d47c000>] netlink_unicast+0x1ec/0x2d0 net/netlink/af_netlink.c:1333
> [<0000000098503d79>] netlink_sendmsg+0x26a/0x480 net/netlink/af_netlink.c:1922
> [<000000009263e868>] sock_sendmsg_nosec net/socket.c:646 [inline]
> [<000000009263e868>] sock_sendmsg+0x54/0x70 net/socket.c:665
> [<000000007791ad47>] __sys_sendto+0x148/0x1f0 net/socket.c:1958
> [<00000000d6f3807d>] __do_sys_sendto net/socket.c:1970 [inline]
> [<00000000d6f3807d>] __se_sys_sendto net/socket.c:1966 [inline]
> [<00000000d6f3807d>] __x64_sys_sendto+0x2a/0x30 net/socket.c:1966
> [<000000003ba31db7>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
> [<0000000075c8daad>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
>
>
>Tested on:
>
>commit: c11fb13a Merge branch 'for-linus' of git://git.kernel.org/..
>git tree: upstream
>console output: https://syzkaller.appspot.com/x/log.txt?x=15c8f3b6a00000
>kernel config: https://syzkaller.appspot.com/x/.config?x=cb38d33cd06d8d48
>compiler: gcc (GCC) 9.0.0 20181231 (experimental)
>patch: https://syzkaller.appspot.com/x/patch.diff?x=12477101a00000
>

Thanks
Hillf
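The triage done by hand in this thread (spotting that `vhost_net_ubuf_alloc()` is the common frame in both dumps of the first report, then recognising that the `batadv_tvlv_handler_register` leak from the patch test is a different bug) is worth automating when syzbot keeps retesting. The following Python script is an added example and not code from this thread or from syzkaller: it splits kmemleak console output into individual `BUG: memory leak` reports, skips the allocator plumbing frames to find the call site that owns each allocation, and groups the reports by that site. The sample log is a constructed, trimmed copy of reports quoted in this thread, and the list of wrapper frames to skip is an assumption that may need extending for other allocators.

```python
import re
from collections import defaultdict

# Constructed sample: trimmed copies of kmemleak reports quoted in this thread,
# two owned by vhost_net_ubuf_alloc() and one by batadv_tvlv_handler_register().
SAMPLE_LOG = """\
BUG: memory leak
unreferenced object 0xffff88812421fe40 (size 64):
  comm "syz-executor330", pid 7117, jiffies 4294949245 (age 13.030s)
  backtrace:
    [<00000000ae0c4ae0>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
    [<00000000ae0c4ae0>] slab_alloc mm/slab.c:3326 [inline]
    [<00000000ae0c4ae0>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
    [<0000000079ebab38>] kmalloc include/linux/slab.h:547 [inline]
    [<0000000079ebab38>] vhost_net_ubuf_alloc drivers/vhost/net.c:241 [inline]
    [<0000000079ebab38>] vhost_net_set_backend drivers/vhost/net.c:1534 [inline]
    [<0000000079ebab38>] vhost_net_ioctl+0xb43/0xc10 drivers/vhost/net.c:1716

BUG: memory leak
unreferenced object 0xffff88812421fa80 (size 64):
  comm "syz-executor330", pid 7130, jiffies 4294949755 (age 7.930s)
  backtrace:
    [<00000000ae0c4ae0>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
    [<0000000079ebab38>] kmalloc include/linux/slab.h:547 [inline]
    [<0000000079ebab38>] vhost_net_ubuf_alloc drivers/vhost/net.c:241 [inline]
    [<0000000079ebab38>] vhost_net_ioctl+0xb43/0xc10 drivers/vhost/net.c:1716

BUG: memory leak
unreferenced object 0xffff88811d25c4c0 (size 64):
  comm "softirq", pid 0, jiffies 4294943668 (age 434.830s)
  backtrace:
    [<000000000045bc9d>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
    [<00000000197d773e>] kmalloc include/linux/slab.h:547 [inline]
    [<00000000197d773e>] kzalloc include/linux/slab.h:742 [inline]
    [<00000000197d773e>] batadv_tvlv_handler_register+0xae/0x140 net/batman-adv/tvlv.c:529
"""

HEADER_RE = re.compile(r"^\s*unreferenced object (0x[0-9a-f]+) \(size (\d+)\):")
COMM_RE = re.compile(r'^\s*comm "([^"]*)", pid (\d+), jiffies \d+ \(age ([\d.]+)s\)')
# symbol, optional +off/size, optional file:line; wrapped continuation lines do not match
FRAME_RE = re.compile(r"^\s*\[<[0-9a-f]+>\]\s+([^\s+]+)(?:\+\S+)?(?:\s+(\S+))?")

# Allocator plumbing that heads every kmemleak backtrace (assumed list, extend as
# needed); the first frame below these is the code that owns the allocation.
ALLOC_WRAPPERS = frozenset({
    "kmemleak_alloc_recursive", "slab_post_alloc_hook", "slab_alloc",
    "kmem_cache_alloc_trace", "kmem_cache_alloc", "__kmalloc", "kmalloc",
    "kzalloc", "kvmalloc", "kvzalloc", "kmalloc_array", "kcalloc",
})


def parse_reports(text):
    """Split kmemleak output into one dict per 'BUG: memory leak' block."""
    reports, cur, in_bt = [], None, False
    for line in text.splitlines():
        if line.startswith("BUG: memory leak"):
            cur = {"frames": []}
            reports.append(cur)
            in_bt = False
        elif cur is None:
            continue                      # noise before the first report
        elif not line.strip():
            in_bt = False                 # blank line terminates a backtrace
        elif m := HEADER_RE.match(line):
            cur["addr"], cur["size"] = m.group(1), int(m.group(2))
        elif m := COMM_RE.match(line):
            cur["comm"], cur["pid"], cur["age"] = m.group(1), int(m.group(2)), float(m.group(3))
        elif line.strip() == "backtrace:":
            in_bt = True
        elif in_bt and (m := FRAME_RE.match(line)):
            cur["frames"].append((m.group(1), m.group(2)))
    return reports


def allocation_site(report):
    """Return (symbol, file:line) of the first frame that is not allocator plumbing."""
    for name, loc in report["frames"]:
        if name not in ALLOC_WRAPPERS:
            return name, loc
    return None, None


def summarize(text):
    """Group leaks by owning call site: count, leaked bytes, distinct pids, location."""
    summary = defaultdict(lambda: {"count": 0, "bytes": 0, "pids": set(), "loc": None})
    for rep in parse_reports(text):
        site, loc = allocation_site(rep)
        entry = summary[site]
        entry["count"] += 1
        entry["bytes"] += rep.get("size", 0)
        entry["pids"].add(rep.get("pid"))
        entry["loc"] = entry["loc"] or loc
    return dict(summary)


def only_site(text, site):
    """True when every report in the log belongs to `site` (useful after a patch test)."""
    return set(summarize(text)) == {site}


if __name__ == "__main__":
    for site, e in summarize(SAMPLE_LOG).items():
        print(f"{site} ({e['loc']}): {e['count']} leak(s), {e['bytes']} bytes, "
              f"pids {sorted(e['pids'])}")
```

Run against a full console log from a syzbot patch test, `summarize()` shows at a glance whether the remaining reports still come from the site under repair or, as happened here, from an unrelated allocation, and `only_site()` turns that into a yes/no check a retest script can act on.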

Jeremy Sowden

Jun 14, 2019, 3:58:53 AM
to syzbot, a...@kernel.org, b...@vger.kernel.org, dan...@iogearbox.net, da...@davemloft.net, dvy...@google.com, ha...@kernel.org, hda...@sina.com, jakub.k...@netronome.com, jaso...@redhat.com, john.fa...@gmail.com, k...@vger.kernel.org, linux-...@vger.kernel.org, m...@redhat.com, net...@vger.kernel.org, syzkall...@googlegroups.com, virtual...@lists.linux-foundation.org, xdp-n...@vger.kernel.org
On 2019-06-13, at 20:04:01 -0700, syzbot wrote:
> syzbot has tested the proposed patch but the reproducer still
> triggered crash: memory leak in batadv_tvlv_handler_register

There's already a fix for this batman leak:

https://lore.kernel.org/netdev/00000000000017...@google.com/
https://www.open-mesh.org/issues/378
J.

Hillf Danton

Jun 14, 2019, 8:18:12 AM
to syzbot, a...@kernel.org, b...@vger.kernel.org, dan...@iogearbox.net, da...@davemloft.net, dvy...@google.com, ha...@kernel.org, hda...@sina.com, jakub.k...@netronome.com, jaso...@redhat.com, john.fa...@gmail.com, k...@vger.kernel.org, linux-...@vger.kernel.org, m...@redhat.com, net...@vger.kernel.org, syzkall...@googlegroups.com, virtual...@lists.linux-foundation.org, xdp-n...@vger.kernel.org

Hello Syzbot

On Fri, 14 Jun 2019 11:04:03 +0800 syzbot wrote:
>
>Hello,
>
>syzbot has tested the proposed patch but the reproducer still triggered crash:
>memory leak in batadv_tvlv_handler_register
>
The following diff, made against the mainline master tree, purges both the
node_db and the self_node_db lists in the destroy path, to free any dangling
hsr node.

Thanks and good weekend
Hillf
------>8---
---
net/hsr/hsr_device.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/net/hsr/hsr_device.c b/net/hsr/hsr_device.c
index 15c7206..c98ae6f 100644
--- a/net/hsr/hsr_device.c
+++ b/net/hsr/hsr_device.c
@@ -364,6 +364,12 @@ static void hsr_dev_destroy(struct net_device *hsr_dev)
del_timer_sync(&hsr->prune_timer);
del_timer_sync(&hsr->announce_timer);

+ while (!list_empty(&hsr->self_node_db))
+ hsr_del_node(&hsr->self_node_db);
+
+ while (!list_empty(&hsr->node_db))
+ hsr_del_node(&hsr->node_db);
+
synchronize_rcu();
}
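Review bot: both loops hand `hsr_del_node()` the list head (`&hsr->self_node_db`, `&hsr->node_db`) rather than a node, so the `while (!list_empty(...))` form only drains the list if `hsr_del_node()` pops the first entry of the list it is given; confirm that is its contract before relying on it, otherwise iterate with `list_for_each_entry_safe` and delete each node. The `synchronize_rcu()` that follows does cover RCU readers of the removed nodes. The commit message should also say which report this addresses: the leak syzbot flagged in this test run was `batadv_tvlv_handler_register`, for which Jeremy has already linked a fix above, while this change targets the separate `hsr_create_self_node` report in the same output.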

--

syzbot

Sep 2, 2022, 3:39:21 AM
to syzkall...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.