[syzbot] memory leak in sctp_sched_prio_set


syzbot

Nov 18, 2022, 12:18:45 AM
to da...@davemloft.net, ku...@kernel.org, linux-...@vger.kernel.org, linux...@vger.kernel.org, marcelo...@gmail.com, net...@vger.kernel.org, nho...@tuxdriver.com, pab...@redhat.com, syzkall...@googlegroups.com, vyas...@gmail.com
Hello,

syzbot found the following issue on:

HEAD commit: b2d229d4ddb1 Linux 5.18-rc3
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17e439b8f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=2197cd22d3971cc5
dashboard link: https://syzkaller.appspot.com/bug?extid=29c402e56c4760763cc0
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17daf0af700000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10ae4d5cf00000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+29c402...@syzkaller.appspotmail.com

executing program
executing program
BUG: memory leak
unreferenced object 0xffff88810b472a00 (size 64):
comm "syz-executor206", pid 3601, jiffies 4294944661 (age 12.290s)
hex dump (first 32 bytes):
00 2a 47 0b 81 88 ff ff 00 2a 47 0b 81 88 ff ff .*G......*G.....
10 2a 47 0b 81 88 ff ff 10 2a 47 0b 81 88 ff ff .*G......*G.....
backtrace:
[<ffffffff83fa1634>] kmalloc include/linux/slab.h:581 [inline]
[<ffffffff83fa1634>] sctp_sched_prio_new_head net/sctp/stream_sched_prio.c:33 [inline]
[<ffffffff83fa1634>] sctp_sched_prio_get_head net/sctp/stream_sched_prio.c:77 [inline]
[<ffffffff83fa1634>] sctp_sched_prio_set+0x2c4/0x370 net/sctp/stream_sched_prio.c:159
[<ffffffff83f9b6a6>] sctp_stream_init_ext+0x86/0xf0 net/sctp/stream.c:176
[<ffffffff83f86e0e>] sctp_sendmsg_to_asoc+0xc8e/0xdb0 net/sctp/socket.c:1807
[<ffffffff83f8f77f>] sctp_sendmsg+0x99f/0x1030 net/sctp/socket.c:2027
[<ffffffff83b7a315>] inet_sendmsg+0x45/0x70 net/ipv4/af_inet.c:819
[<ffffffff837cb3e6>] sock_sendmsg_nosec net/socket.c:705 [inline]
[<ffffffff837cb3e6>] sock_sendmsg+0x56/0x80 net/socket.c:725
[<ffffffff837ce38c>] __sys_sendto+0x15c/0x200 net/socket.c:2040
[<ffffffff837ce456>] __do_sys_sendto net/socket.c:2052 [inline]
[<ffffffff837ce456>] __se_sys_sendto net/socket.c:2048 [inline]
[<ffffffff837ce456>] __x64_sys_sendto+0x26/0x30 net/socket.c:2048
[<ffffffff8451da45>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff8451da45>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
[<ffffffff84600068>] entry_SYSCALL_64_after_hwframe+0x44/0xae



---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

ead...@sina.com

Nov 20, 2022, 1:27:15 AM
to syzbot+29c402...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Thu, 17 Nov 2022 21:18:43 -0800
> syzbot found the following issue on:
> HEAD commit: b2d229d4ddb1 Linux 5.18-rc3
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=17e439b8f00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=2197cd22d3971cc5
> dashboard link: https://syzkaller.appspot.com/bug?extid=29c402e56c4760763cc0
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17daf0af700000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10ae4d5cf00000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+29c402...@syzkaller.appspotmail.com

Check the memory leak is fixed.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git b2d229d4ddb1

--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -1796,7 +1796,7 @@ static int sctp_sendmsg_to_asoc(struct sctp_association *asoc,
bool wait_connect = false;
struct sctp_chunk *chunk;
long timeo;
- int err;
+ int err, mem = 0;

if (sinfo->sinfo_stream >= asoc->stream.outcnt) {
err = -EINVAL;
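Review bot: the new flag in `int err, mem = 0;` does not say what it records; it is only set once `sctp_stream_init_ext()` has succeeded, so a name such as `ext_allocated` (and a bool) would make the cleanup condition at the end of the function self-explanatory.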
@@ -1807,11 +1807,12 @@ static int sctp_sendmsg_to_asoc(struct sctp_association *asoc,
err = sctp_stream_init_ext(&asoc->stream, sinfo->sinfo_stream);
if (err)
goto err;
+ mem = 1;
}

if (sp->disable_fragments && msg_len > asoc->frag_point) {
err = -EMSGSIZE;
- goto err;
+ goto free-mem;
}

if (asoc->pmtu_pending) {
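Review bot: `goto free-mem;` is not valid C: a label is an identifier and cannot contain `-`, so the compiler parses the statement as the expression `free - mem` and reports `expected ';' before '-' token`, which is exactly what syzbot's build log below shows at each of the six changed `goto` sites. Use `free_mem` here and at the other `goto` lines. Separately, the `-EMSGSIZE` path here is taken after `sctp_stream_init_ext()` has already succeeded, so whatever `free_mem` releases must be limited to what this call allocated for `sinfo->sinfo_stream`; it must not tear down stream state the association keeps using.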
@@ -1830,20 +1831,20 @@ static int sctp_sendmsg_to_asoc(struct sctp_association *asoc,
timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT);
err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len);
if (err)
- goto err;
+ goto free-mem;
}

if (sctp_state(asoc, CLOSED)) {
err = sctp_primitive_ASSOCIATE(net, asoc, NULL);
if (err)
- goto err;
+ goto free-mem;

if (asoc->ep->intl_enable) {
timeo = sock_sndtimeo(sk, 0);
err = sctp_wait_for_connect(asoc, &timeo);
if (err) {
err = -ESRCH;
- goto err;
+ goto free-mem;
}
} else {
wait_connect = true;
@@ -1855,7 +1856,7 @@ static int sctp_sendmsg_to_asoc(struct sctp_association *asoc,
datamsg = sctp_datamsg_from_user(asoc, sinfo, &msg->msg_iter);
if (IS_ERR(datamsg)) {
err = PTR_ERR(datamsg);
- goto err;
+ goto free-mem;
}

asoc->force_delay = !!(msg->msg_flags & MSG_MORE);
@@ -1869,7 +1870,7 @@ static int sctp_sendmsg_to_asoc(struct sctp_association *asoc,
err = sctp_primitive_SEND(net, asoc, datamsg);
if (err) {
sctp_datamsg_free(datamsg);
- goto err;
+ goto free-mem;
}

pr_debug("%s: we sent primitively\n", __func__);
@@ -1883,6 +1884,10 @@ static int sctp_sendmsg_to_asoc(struct sctp_association *asoc,

err = msg_len;

+free-mem:
+ if (mem)
+ sctp_stream_free(&asoc->stream);
+
err:
return err;
}
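Review bot: the cleanup under `free-mem:` runs on success as well as on failure: the label sits directly after `err = msg_len;` with no `return` or `goto err` in between, so every successful send that initialised a stream ext falls through into `sctp_stream_free(&asoc->stream)`. Worse, `sctp_stream_free()` frees the whole stream, which `asoc` still owns and frees again when the association is torn down, so the association is left pointing at released memory; syzbot's follow-up report crashes in precisely that second free (`sctp_stream_free` called from `sctp_association_free`). The unwinding here should release only the one ext that `sctp_stream_init_ext()` created, and only on the error paths. Note also that the kmemleak backtrace records where the object was allocated (`kmalloc` in `sctp_sched_prio_new_head`), not where the last reference to it was dropped, so it does not by itself show that the sendmsg error path is where the leak happens.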
--
2.37.2

syzbot

Nov 20, 2022, 1:33:14 AM
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

net/sctp/socket.c:1815:12: error: expected ';' before '-' token
net/sctp/socket.c:1834:13: error: expected ';' before '-' token
net/sctp/socket.c:1840:13: error: expected ';' before '-' token
net/sctp/socket.c:1847:14: error: expected ';' before '-' token
net/sctp/socket.c:1859:12: error: expected ';' before '-' token
net/sctp/socket.c:1873:12: error: expected ';' before '-' token
net/sctp/socket.c:1887:1: error: 'free' undeclared (first use in this function)
net/sctp/socket.c:1887:9: error: expected ';' before ':' token
net/sctp/socket.c:1873:3: error: label 'free' used but not defined


Tested on:

commit: b2d229d4 Linux 5.18-rc3
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
dashboard link: https://syzkaller.appspot.com/bug?extid=29c402e56c4760763cc0
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1767c3e9880000

ead...@sina.com

Nov 20, 2022, 1:50:32 AM
to syzbot+29c402...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Thu, 17 Nov 2022 21:18:43 -0800
> syzbot found the following issue on:
> HEAD commit: b2d229d4ddb1 Linux 5.18-rc3
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=17e439b8f00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=2197cd22d3971cc5
> dashboard link: https://syzkaller.appspot.com/bug?extid=29c402e56c4760763cc0
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17daf0af700000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10ae4d5cf00000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+29c402...@syzkaller.appspotmail.com

Fix syzbot test err. And check the memory leak is fixed.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git b2d229d4ddb1

--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -1796,7 +1796,7 @@ static int sctp_sendmsg_to_asoc(struct sctp_association *asoc,
bool wait_connect = false;
struct sctp_chunk *chunk;
long timeo;
- int err;
+ int err, mem = 0;

if (sinfo->sinfo_stream >= asoc->stream.outcnt) {
err = -EINVAL;
@@ -1807,11 +1807,12 @@ static int sctp_sendmsg_to_asoc(struct sctp_association *asoc,
err = sctp_stream_init_ext(&asoc->stream, sinfo->sinfo_stream);
if (err)
goto err;
+ mem = 1;
}

if (sp->disable_fragments && msg_len > asoc->frag_point) {
err = -EMSGSIZE;
- goto err;
+ goto free_mem;
}

if (asoc->pmtu_pending) {
@@ -1830,20 +1831,20 @@ static int sctp_sendmsg_to_asoc(struct sctp_association *asoc,
timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT);
err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len);
if (err)
- goto err;
+ goto free_mem;
}

if (sctp_state(asoc, CLOSED)) {
err = sctp_primitive_ASSOCIATE(net, asoc, NULL);
if (err)
- goto err;
+ goto free_mem;

if (asoc->ep->intl_enable) {
timeo = sock_sndtimeo(sk, 0);
err = sctp_wait_for_connect(asoc, &timeo);
if (err) {
err = -ESRCH;
- goto err;
+ goto free_mem;
}
} else {
wait_connect = true;
@@ -1855,7 +1856,7 @@ static int sctp_sendmsg_to_asoc(struct sctp_association *asoc,
datamsg = sctp_datamsg_from_user(asoc, sinfo, &msg->msg_iter);
if (IS_ERR(datamsg)) {
err = PTR_ERR(datamsg);
- goto err;
+ goto free_mem;
}

asoc->force_delay = !!(msg->msg_flags & MSG_MORE);
@@ -1869,7 +1870,7 @@ static int sctp_sendmsg_to_asoc(struct sctp_association *asoc,
err = sctp_primitive_SEND(net, asoc, datamsg);
if (err) {
sctp_datamsg_free(datamsg);
- goto err;
+ goto free_mem;
}

pr_debug("%s: we sent primitively\n", __func__);
@@ -1883,6 +1884,10 @@ static int sctp_sendmsg_to_asoc(struct sctp_association *asoc,

err = msg_len;

+free_mem:
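Review bot: the `free_mem:` label is still placed directly after `err = msg_len;`, so the success path falls through into the cleanup: every send that initialised the stream ext and then completed normally will run whatever follows the label, not only the failed ones. Return the success value before the label (or jump to `err` there) so the cleanup is reached only from the error `goto`s.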

syzbot

Nov 20, 2022, 2:06:19 AM
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel NULL pointer dereference in sctp_sched_prio_free

BUG: kernel NULL pointer dereference, address: 0000000000000008
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 10e9f2067 P4D 10e9f2067 PUD 10e9fc067 PMD 0
Oops: 0000 [#1] PREEMPT SMP
CPU: 0 PID: 4081 Comm: syz-executor.0 Not tainted 5.18.0-rc3-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
RIP: 0010:sctp_sched_prio_free+0x105/0x250 net/sctp/stream_sched_prio.c:221
Code: f7 e5 48 89 d8 48 c1 ea 07 48 89 d1 48 69 d2 aa 00 00 00 48 c1 e1 0c 48 29 d0 48 8d 04 40 4c 8d 2c c1 4c 89 ee e8 1b a5 39 fe <48> 83 78 08 00 74 2f e8 ef 22 3c fd 4c 89 ee 4c 89 e7 e8 04 a5 39
RSP: 0018:ffffc90003edf9e8 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff888113ef2a80 RSI: ffffffff8233be70 RDI: 0000000000000003
RBP: c0c0c0c0c0c0c0c1 R08: 0000000000000000 R09: 0000000000000004
R10: ffffffff8233be0e R11: 0000000000000000 R12: ffff8881134a4560
R13: 0000000000000000 R14: ffffc90003edf9f0 R15: ffffc90003edfbc0
FS: 000055555753e400(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 00000001134c2000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
sctp_stream_free+0x28/0xb0 net/sctp/stream.c:190
sctp_association_free+0xda/0x2a0 net/sctp/associola.c:353
sctp_cmd_delete_tcb net/sctp/sm_sideeffect.c:940 [inline]
sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1324 [inline]
sctp_side_effects net/sctp/sm_sideeffect.c:1195 [inline]
sctp_do_sm+0x1cc9/0x2290 net/sctp/sm_sideeffect.c:1166
sctp_assoc_bh_rcv+0x1e3/0x300 net/sctp/associola.c:1054
sctp_inq_push+0x93/0xc0 net/sctp/inqueue.c:80
sctp_backlog_rcv+0xa2/0x4f0 net/sctp/input.c:344
sk_backlog_rcv include/net/sock.h:1051 [inline]
__release_sock+0xbe/0x140 net/core/sock.c:2794
release_sock+0x32/0xd0 net/core/sock.c:3327
sctp_close+0x212/0x490 net/sctp/socket.c:1533
inet_release+0x7c/0xe0 net/ipv4/af_inet.c:428
inet6_release+0x31/0x50 net/ipv6/af_inet6.c:481
__sock_release+0x47/0xd0 net/socket.c:650
sock_close+0x15/0x20 net/socket.c:1318
__fput+0x105/0x430 fs/file_table.c:317
task_work_run+0x73/0xb0 kernel/task_work.c:164
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop kernel/entry/common.c:169 [inline]
exit_to_user_mode_prepare+0x154/0x160 kernel/entry/common.c:201
__syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
syscall_exit_to_user_mode+0x1d/0x40 kernel/entry/common.c:294
do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7ff885e3bd2b
Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44
RSP: 002b:00007ffd4b38b9b0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007ff885e3bd2b
RDX: 00007ff885fa07f0 RSI: ffffffffffffffff RDI: 0000000000000003
RBP: 00007ff885f9d960 R08: 0000000000000000 R09: 00007ff885fa07f8
R10: 00007ffd4b38bab0 R11: 0000000000000293 R12: 000000000000f0f9
R13: 00007ffd4b38bab0 R14: 00007ff885f9bf60 R15: 0000000000000032
</TASK>
Modules linked in:
CR2: 0000000000000008
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: f7 e5 mul %ebp
2: 48 89 d8 mov %rbx,%rax
5: 48 c1 ea 07 shr $0x7,%rdx
9: 48 89 d1 mov %rdx,%rcx
c: 48 69 d2 aa 00 00 00 imul $0xaa,%rdx,%rdx
13: 48 c1 e1 0c shl $0xc,%rcx
17: 48 29 d0 sub %rdx,%rax
1a: 48 8d 04 40 lea (%rax,%rax,2),%rax
1e: 4c 8d 2c c1 lea (%rcx,%rax,8),%r13
22: 4c 89 ee mov %r13,%rsi
25: e8 1b a5 39 fe callq 0xfe39a545
* 2a: 48 83 78 08 00 cmpq $0x0,0x8(%rax) <-- trapping instruction
2f: 74 2f je 0x60
31: e8 ef 22 3c fd callq 0xfd3c2325
36: 4c 89 ee mov %r13,%rsi
39: 4c 89 e7 mov %r12,%rdi
3c: e8 .byte 0xe8
3d: 04 a5 add $0xa5,%al
3f: 39 .byte 0x39


Tested on:

commit: b2d229d4 Linux 5.18-rc3
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=17f1f9dd880000
kernel config: https://syzkaller.appspot.com/x/.config?x=2197cd22d3971cc5
dashboard link: https://syzkaller.appspot.com/bug?extid=29c402e56c4760763cc0
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=120e25dd880000

ead...@sina.com

Nov 20, 2022, 2:33:46 AM
to syzbot+29c402...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Thu, 17 Nov 2022 21:18:43 -0800
> syzbot found the following issue on:
> HEAD commit: b2d229d4ddb1 Linux 5.18-rc3
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=17e439b8f00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=2197cd22d3971cc5
> dashboard link: https://syzkaller.appspot.com/bug?extid=29c402e56c4760763cc0
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17daf0af700000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10ae4d5cf00000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+29c402...@syzkaller.appspotmail.com

Fix syzbot test NULL pointer issue. And check the memory leak is fixed.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git b2d229d4ddb1

--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -1796,7 +1796,7 @@ static int sctp_sendmsg_to_asoc(struct sctp_association *asoc,
bool wait_connect = false;
struct sctp_chunk *chunk;
long timeo;
- int err;
+ int err, mem = 0;

if (sinfo->sinfo_stream >= asoc->stream.outcnt) {
err = -EINVAL;
@@ -1807,11 +1807,12 @@ static int sctp_sendmsg_to_asoc(struct sctp_association *asoc,
err = sctp_stream_init_ext(&asoc->stream, sinfo->sinfo_stream);
if (err)
goto err;
+ mem = 1;
}

if (sp->disable_fragments && msg_len > asoc->frag_point) {
err = -EMSGSIZE;
- goto err;
+ goto free_mem;
}

if (asoc->pmtu_pending) {

syzbot

Nov 20, 2022, 2:55:30 AM
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel NULL pointer dereference in sctp_sched_prio_free

BUG: kernel NULL pointer dereference, address: 0000000000000008
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 10fa01067 P4D 10fa01067 PUD 10fa07067 PMD 0
Oops: 0000 [#1] PREEMPT SMP
CPU: 0 PID: 4075 Comm: syz-executor.0 Not tainted 5.18.0-rc3-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
RIP: 0010:sctp_sched_prio_free+0x105/0x250 net/sctp/stream_sched_prio.c:221
Code: f7 e5 48 89 d8 48 c1 ea 07 48 89 d1 48 69 d2 aa 00 00 00 48 c1 e1 0c 48 29 d0 48 8d 04 40 4c 8d 2c c1 4c 89 ee e8 1b a5 39 fe <48> 83 78 08 00 74 2f e8 ef 22 3c fd 4c 89 ee 4c 89 e7 e8 04 a5 39
RSP: 0018:ffffc90003d7f9e8 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff88810ef68cc0 RSI: ffffffff8233be70 RDI: 0000000000000003
RBP: c0c0c0c0c0c0c0c1 R08: 0000000000000000 R09: 0000000000000004
R10: ffffffff8233be0e R11: 0000000000000000 R12: ffff88810fa94560
R13: 0000000000000000 R14: ffffc90003d7f9f0 R15: ffffc90003d7fbc0
FS: 00005555567d4400(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 000000010eca7000 CR4: 00000000003506f0
RIP: 0033:0x7f1f0683bd2b
Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44
RSP: 002b:00007fff35b83480 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f1f0683bd2b
RDX: 00007f1f069a07f0 RSI: ffffffffffffffff RDI: 0000000000000003
RBP: 00007f1f0699d960 R08: 0000000000000000 R09: 00007f1f069a07f8
R10: 00007fff35b83580 R11: 0000000000000293 R12: 0000000000010774
R13: 00007fff35b83580 R14: 00007f1f0699bf60 R15: 0000000000000032
</TASK>
Modules linked in:
CR2: 0000000000000008
---[ end trace 0000000000000000 ]---
console output: https://syzkaller.appspot.com/x/log.txt?x=1066a701880000
kernel config: https://syzkaller.appspot.com/x/.config?x=2197cd22d3971cc5
dashboard link: https://syzkaller.appspot.com/bug?extid=29c402e56c4760763cc0
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=102b3909880000

ead...@sina.com

Nov 20, 2022, 3:54:51 AM
to syzbot+29c402...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Thu, 17 Nov 2022 21:18:43 -0800
> syzbot found the following issue on:
> HEAD commit: b2d229d4ddb1 Linux 5.18-rc3
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=17e439b8f00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=2197cd22d3971cc5
> dashboard link: https://syzkaller.appspot.com/bug?extid=29c402e56c4760763cc0
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17daf0af700000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10ae4d5cf00000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+29c402...@syzkaller.appspotmail.com

Fix syzbot test boot issue. And check the memory leak is fixed.
+ sctp_stream_prio_free(&asoc->stream);
+
err:
return err;
}
--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
@@ -396,6 +396,8 @@ void sctp_stream_free(struct sctp_stream *stream);
void sctp_stream_clear(struct sctp_stream *stream);
void sctp_stream_update(struct sctp_stream *stream, struct sctp_stream *new);

+void sctp_stream_prio_free(struct sctp_stream *stream);
+
/* What is the current SSN number for this stream? */
#define sctp_ssn_peek(stream, type, sid) \
(sctp_stream_##type((stream), (sid))->ssn)
--- a/net/sctp/stream.c
+++ b/net/sctp/stream.c
@@ -182,12 +182,18 @@ int sctp_stream_init_ext(struct sctp_stream *stream, __u16 sid)
return ret;
}

-void sctp_stream_free(struct sctp_stream *stream)
+void sctp_stream_prio_free(struct sctp_stream *stream)
{
struct sctp_sched_ops *sched = sctp_sched_ops_from_stream(stream);
+ sched->free(stream);
+}
+
+void sctp_stream_free(struct sctp_stream *stream)
+{
int i;

- sched->free(stream);
+ sctp_stream_prio_free(stream);
+
for (i = 0; i < stream->outcnt; i++)
kfree(SCTP_SO(stream, i)->ext);
genradix_free(&stream->out);
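Review bot: `sctp_stream_prio_free()` is nothing more than `sched->free(stream)`, which takes the whole `sctp_stream`, so calling it from the sendmsg path cannot be limited to the single `sinfo->sinfo_stream` that `sctp_stream_init_ext()` just set up; it releases the scheduler's state for the entire association while the per-stream `ext` entries that `sctp_stream_free()` still `kfree`s later remain in place, so a later scheduled send or the final `sctp_stream_free()` operates on already-released scheduler data. The name is also misleading, since it calls whichever scheduler is installed, not only the priority one (`sctp_stream_sched_free` would be accurate), and the blank line removed before `int i;` leaves a declaration directly after the opening brace with no separation from the statements. More fundamentally, syzbot's final run still reports the leak with the identical allocation backtrace, so the reference to the priority head is lost somewhere other than this sendmsg error path; the fix belongs where that reference is dropped, not in `sctp_sendmsg_to_asoc()`.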
--
2.37.2

syzbot

Nov 20, 2022, 4:08:15 AM
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to create VM pool: failed to create GCE image: create image operation failed: &{Code:PERMISSIONS_ERROR ErrorDetails:[] Location: Message:Required 'read' permission for 'disks/ci-upstream-gce-leak-test-job-test-job-image.tar.gz' ForceSendFields:[] NullFields:[]}.

syzkaller build log:



Tested on:

commit: b2d229d4 Linux 5.18-rc3
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=2197cd22d3971cc5
dashboard link: https://syzkaller.appspot.com/bug?extid=29c402e56c4760763cc0
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1462c301880000

ead...@sina.com

Nov 20, 2022, 5:18:29 AM
to syzbot+29c402...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Thu, 17 Nov 2022 21:18:43 -0800
> syzbot found the following issue on:
> HEAD commit: b2d229d4ddb1 Linux 5.18-rc3
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=17e439b8f00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=2197cd22d3971cc5
> dashboard link: https://syzkaller.appspot.com/bug?extid=29c402e56c4760763cc0
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17daf0af700000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10ae4d5cf00000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+29c402...@syzkaller.appspotmail.com

syzbot report:
failed to create VM pool: failed to create GCE image: create image operation
failed: &{Code:PERMISSIONS_ERROR ErrorDetails:[] Location: Message:Required
'read' permission for 'disks/ci-upstream-gce-leak-test-job-test-job-image.tar
.gz' ForceSendFields:[] NullFields:[]}.

syzbot

Nov 20, 2022, 5:28:31 AM
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in sctp_sched_prio_set

BUG: memory leak
unreferenced object 0xffff88810f6e2c80 (size 64):
comm "syz-executor.0", pid 4081, jiffies 4294943417 (age 12.280s)
hex dump (first 32 bytes):
80 2c 6e 0f 81 88 ff ff 80 2c 6e 0f 81 88 ff ff .,n......,n.....
90 2c 6e 0f 81 88 ff ff 90 2c 6e 0f 81 88 ff ff .,n......,n.....
backtrace:
[<ffffffff83fa16a4>] kmalloc include/linux/slab.h:581 [inline]
[<ffffffff83fa16a4>] sctp_sched_prio_new_head net/sctp/stream_sched_prio.c:33 [inline]
[<ffffffff83fa16a4>] sctp_sched_prio_get_head net/sctp/stream_sched_prio.c:77 [inline]
[<ffffffff83fa16a4>] sctp_sched_prio_set+0x2c4/0x370 net/sctp/stream_sched_prio.c:159
[<ffffffff83f9b6f6>] sctp_stream_init_ext+0x86/0xf0 net/sctp/stream.c:176
[<ffffffff83f86e14>] sctp_sendmsg_to_asoc+0xc74/0xde0 net/sctp/socket.c:1807
[<ffffffff83f8f7cf>] sctp_sendmsg+0x99f/0x1030 net/sctp/socket.c:2032
[<ffffffff83b7a335>] inet_sendmsg+0x45/0x70 net/ipv4/af_inet.c:819
[<ffffffff837cb3f6>] sock_sendmsg_nosec net/socket.c:705 [inline]
[<ffffffff837cb3f6>] sock_sendmsg+0x56/0x80 net/socket.c:725
[<ffffffff837ce39c>] __sys_sendto+0x15c/0x200 net/socket.c:2040
[<ffffffff837ce466>] __do_sys_sendto net/socket.c:2052 [inline]
[<ffffffff837ce466>] __se_sys_sendto net/socket.c:2048 [inline]
[<ffffffff837ce466>] __x64_sys_sendto+0x26/0x30 net/socket.c:2048
[<ffffffff8451da45>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff8451da45>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
[<ffffffff84600068>] entry_SYSCALL_64_after_hwframe+0x44/0xae

BUG: memory leak
unreferenced object 0xffff8881134c3a00 (size 64):
comm "syz-executor.0", pid 4084, jiffies 4294943930 (age 7.150s)
hex dump (first 32 bytes):
00 3a 4c 13 81 88 ff ff 00 3a 4c 13 81 88 ff ff .:L......:L.....
10 3a 4c 13 81 88 ff ff 10 3a 4c 13 81 88 ff ff .:L......:L.....
backtrace:
[<ffffffff83fa16a4>] kmalloc include/linux/slab.h:581 [inline]
[<ffffffff83fa16a4>] sctp_sched_prio_new_head net/sctp/stream_sched_prio.c:33 [inline]
[<ffffffff83fa16a4>] sctp_sched_prio_get_head net/sctp/stream_sched_prio.c:77 [inline]
[<ffffffff83fa16a4>] sctp_sched_prio_set+0x2c4/0x370 net/sctp/stream_sched_prio.c:159
[<ffffffff83f9b6f6>] sctp_stream_init_ext+0x86/0xf0 net/sctp/stream.c:176
[<ffffffff83f86e14>] sctp_sendmsg_to_asoc+0xc74/0xde0 net/sctp/socket.c:1807
[<ffffffff83f8f7cf>] sctp_sendmsg+0x99f/0x1030 net/sctp/socket.c:2032
[<ffffffff83b7a335>] inet_sendmsg+0x45/0x70 net/ipv4/af_inet.c:819
[<ffffffff837cb3f6>] sock_sendmsg_nosec net/socket.c:705 [inline]
[<ffffffff837cb3f6>] sock_sendmsg+0x56/0x80 net/socket.c:725
[<ffffffff837ce39c>] __sys_sendto+0x15c/0x200 net/socket.c:2040
[<ffffffff837ce466>] __do_sys_sendto net/socket.c:2052 [inline]
[<ffffffff837ce466>] __se_sys_sendto net/socket.c:2048 [inline]
[<ffffffff837ce466>] __x64_sys_sendto+0x26/0x30 net/socket.c:2048
[<ffffffff8451da45>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff8451da45>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
[<ffffffff84600068>] entry_SYSCALL_64_after_hwframe+0x44/0xae

BUG: memory leak
unreferenced object 0xffff88810f6e2b80 (size 64):
comm "syz-executor.0", pid 4086, jiffies 4294943931 (age 7.140s)
hex dump (first 32 bytes):
80 2b 6e 0f 81 88 ff ff 80 2b 6e 0f 81 88 ff ff .+n......+n.....
90 2b 6e 0f 81 88 ff ff 90 2b 6e 0f 81 88 ff ff .+n......+n.....
backtrace:
[<ffffffff83fa16a4>] kmalloc include/linux/slab.h:581 [inline]
[<ffffffff83fa16a4>] sctp_sched_prio_new_head net/sctp/stream_sched_prio.c:33 [inline]
[<ffffffff83fa16a4>] sctp_sched_prio_get_head net/sctp/stream_sched_prio.c:77 [inline]
[<ffffffff83fa16a4>] sctp_sched_prio_set+0x2c4/0x370 net/sctp/stream_sched_prio.c:159
[<ffffffff83f9b6f6>] sctp_stream_init_ext+0x86/0xf0 net/sctp/stream.c:176
[<ffffffff83f86e14>] sctp_sendmsg_to_asoc+0xc74/0xde0 net/sctp/socket.c:1807
[<ffffffff83f8f7cf>] sctp_sendmsg+0x99f/0x1030 net/sctp/socket.c:2032
[<ffffffff83b7a335>] inet_sendmsg+0x45/0x70 net/ipv4/af_inet.c:819
[<ffffffff837cb3f6>] sock_sendmsg_nosec net/socket.c:705 [inline]
[<ffffffff837cb3f6>] sock_sendmsg+0x56/0x80 net/socket.c:725
[<ffffffff837ce39c>] __sys_sendto+0x15c/0x200 net/socket.c:2040
[<ffffffff837ce466>] __do_sys_sendto net/socket.c:2052 [inline]
[<ffffffff837ce466>] __se_sys_sendto net/socket.c:2048 [inline]
[<ffffffff837ce466>] __x64_sys_sendto+0x26/0x30 net/socket.c:2048
[<ffffffff8451da45>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff8451da45>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
[<ffffffff84600068>] entry_SYSCALL_64_after_hwframe+0x44/0xae

Tested on:

commit: b2d229d4 Linux 5.18-rc3
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1596b6ed880000
kernel config: https://syzkaller.appspot.com/x/.config?x=2197cd22d3971cc5
dashboard link: https://syzkaller.appspot.com/bug?extid=29c402e56c4760763cc0
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=15a0df95880000

ead...@sina.com

Nov 20, 2022, 6:15:13 AM11/20/22
to syzbot+29c402...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Thu, 17 Nov 2022 21:18:43 -0800
> syzbot found the following issue on:
> HEAD commit: b2d229d4ddb1 Linux 5.18-rc3
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=17e439b8f00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=2197cd22d3971cc5
> dashboard link: https://syzkaller.appspot.com/bug?extid=29c402e56c4760763cc0
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17daf0af700000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10ae4d5cf00000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+29c402...@syzkaller.appspotmail.com

--- a/net/sctp/stream_sched_prio.c
+++ b/net/sctp/stream_sched_prio.c
@@ -30,7 +30,7 @@ static struct sctp_stream_priorities *sctp_sched_prio_new_head(
{
struct sctp_stream_priorities *p;

- p = kmalloc(sizeof(*p), gfp);
+ p = kzalloc(sizeof(*p), gfp);
if (!p)
return NULL;

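Review bot: switching kmalloc() to kzalloc() in sctp_sched_prio_new_head() cannot address this report, because the leak is an object that is never freed, not one whose contents are uninitialised; the allocation site in the backtrace is only where kmemleak saw the object come from. The fix belongs on the path that drops the last pointer to the priority head, not at the allocation.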
--
2.37.2

syzbot

Nov 20, 2022, 6:36:15 AM11/20/22
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in sctp_sched_prio_set

BUG: memory leak
unreferenced object 0xffff888112c17200 (size 64):
comm "syz-executor.0", pid 4074, jiffies 4294943667 (age 12.940s)
hex dump (first 32 bytes):
00 72 c1 12 81 88 ff ff 00 72 c1 12 81 88 ff ff .r.......r......
10 72 c1 12 81 88 ff ff 10 72 c1 12 81 88 ff ff .r.......r......
backtrace:
[<ffffffff83fa16ab>] kmalloc include/linux/slab.h:581 [inline]
[<ffffffff83fa16ab>] kzalloc include/linux/slab.h:714 [inline]
[<ffffffff83fa16ab>] sctp_sched_prio_new_head net/sctp/stream_sched_prio.c:33 [inline]
[<ffffffff83fa16ab>] sctp_sched_prio_get_head net/sctp/stream_sched_prio.c:77 [inline]
[<ffffffff83fa16ab>] sctp_sched_prio_set+0x2cb/0x370 net/sctp/stream_sched_prio.c:159
[<ffffffff83f9b6f6>] sctp_stream_init_ext+0x86/0xf0 net/sctp/stream.c:176
[<ffffffff83f86e14>] sctp_sendmsg_to_asoc+0xc74/0xde0 net/sctp/socket.c:1807
[<ffffffff83f8f7cf>] sctp_sendmsg+0x99f/0x1030 net/sctp/socket.c:2032
[<ffffffff83b7a335>] inet_sendmsg+0x45/0x70 net/ipv4/af_inet.c:819
[<ffffffff837cb3f6>] sock_sendmsg_nosec net/socket.c:705 [inline]
[<ffffffff837cb3f6>] sock_sendmsg+0x56/0x80 net/socket.c:725
[<ffffffff837ce39c>] __sys_sendto+0x15c/0x200 net/socket.c:2040
[<ffffffff837ce466>] __do_sys_sendto net/socket.c:2052 [inline]
[<ffffffff837ce466>] __se_sys_sendto net/socket.c:2048 [inline]
[<ffffffff837ce466>] __x64_sys_sendto+0x26/0x30 net/socket.c:2048
[<ffffffff8451da45>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff8451da45>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
[<ffffffff84600068>] entry_SYSCALL_64_after_hwframe+0x44/0xae

BUG: memory leak
unreferenced object 0xffff888114319840 (size 64):
comm "syz-executor.0", pid 4077, jiffies 4294944218 (age 7.430s)
hex dump (first 32 bytes):
40 98 31 14 81 88 ff ff 40 98 31 14 81 88 ff ff @.1.....@.1.....
50 98 31 14 81 88 ff ff 50 98 31 14 81 88 ff ff P.1.....P.1.....
backtrace:
[<ffffffff83fa16ab>] kmalloc include/linux/slab.h:581 [inline]
[<ffffffff83fa16ab>] kzalloc include/linux/slab.h:714 [inline]
[<ffffffff83fa16ab>] sctp_sched_prio_new_head net/sctp/stream_sched_prio.c:33 [inline]
[<ffffffff83fa16ab>] sctp_sched_prio_get_head net/sctp/stream_sched_prio.c:77 [inline]
[<ffffffff83fa16ab>] sctp_sched_prio_set+0x2cb/0x370 net/sctp/stream_sched_prio.c:159
[<ffffffff83f9b6f6>] sctp_stream_init_ext+0x86/0xf0 net/sctp/stream.c:176
[<ffffffff83f86e14>] sctp_sendmsg_to_asoc+0xc74/0xde0 net/sctp/socket.c:1807
[<ffffffff83f8f7cf>] sctp_sendmsg+0x99f/0x1030 net/sctp/socket.c:2032
[<ffffffff83b7a335>] inet_sendmsg+0x45/0x70 net/ipv4/af_inet.c:819
[<ffffffff837cb3f6>] sock_sendmsg_nosec net/socket.c:705 [inline]
[<ffffffff837cb3f6>] sock_sendmsg+0x56/0x80 net/socket.c:725
[<ffffffff837ce39c>] __sys_sendto+0x15c/0x200 net/socket.c:2040
[<ffffffff837ce466>] __do_sys_sendto net/socket.c:2052 [inline]
[<ffffffff837ce466>] __se_sys_sendto net/socket.c:2048 [inline]
[<ffffffff837ce466>] __x64_sys_sendto+0x26/0x30 net/socket.c:2048
[<ffffffff8451da45>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff8451da45>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
[<ffffffff84600068>] entry_SYSCALL_64_after_hwframe+0x44/0xae

BUG: memory leak
unreferenced object 0xffff888114319bc0 (size 64):
comm "syz-executor.0", pid 4080, jiffies 4294944219 (age 7.420s)
hex dump (first 32 bytes):
c0 9b 31 14 81 88 ff ff c0 9b 31 14 81 88 ff ff ..1.......1.....
d0 9b 31 14 81 88 ff ff d0 9b 31 14 81 88 ff ff ..1.......1.....
backtrace:
[<ffffffff83fa16ab>] kmalloc include/linux/slab.h:581 [inline]
[<ffffffff83fa16ab>] kzalloc include/linux/slab.h:714 [inline]
[<ffffffff83fa16ab>] sctp_sched_prio_new_head net/sctp/stream_sched_prio.c:33 [inline]
[<ffffffff83fa16ab>] sctp_sched_prio_get_head net/sctp/stream_sched_prio.c:77 [inline]
[<ffffffff83fa16ab>] sctp_sched_prio_set+0x2cb/0x370 net/sctp/stream_sched_prio.c:159
[<ffffffff83f9b6f6>] sctp_stream_init_ext+0x86/0xf0 net/sctp/stream.c:176
[<ffffffff83f86e14>] sctp_sendmsg_to_asoc+0xc74/0xde0 net/sctp/socket.c:1807
[<ffffffff83f8f7cf>] sctp_sendmsg+0x99f/0x1030 net/sctp/socket.c:2032
[<ffffffff83b7a335>] inet_sendmsg+0x45/0x70 net/ipv4/af_inet.c:819
[<ffffffff837cb3f6>] sock_sendmsg_nosec net/socket.c:705 [inline]
[<ffffffff837cb3f6>] sock_sendmsg+0x56/0x80 net/socket.c:725
[<ffffffff837ce39c>] __sys_sendto+0x15c/0x200 net/socket.c:2040
[<ffffffff837ce466>] __do_sys_sendto net/socket.c:2052 [inline]
[<ffffffff837ce466>] __se_sys_sendto net/socket.c:2048 [inline]
[<ffffffff837ce466>] __x64_sys_sendto+0x26/0x30 net/socket.c:2048
[<ffffffff8451da45>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff8451da45>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
[<ffffffff84600068>] entry_SYSCALL_64_after_hwframe+0x44/0xae

Tested on:

commit: b2d229d4 Linux 5.18-rc3
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=154f96f9880000
kernel config: https://syzkaller.appspot.com/x/.config?x=2197cd22d3971cc5
dashboard link: https://syzkaller.appspot.com/bug?extid=29c402e56c4760763cc0
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=160dbb45880000

Tetsuo Handa

Nov 23, 2022, 5:36:55 AM11/23/22
to syzbot, syzkall...@googlegroups.com, Vlad Yasevich, Neil Horman, Marcelo Ricardo Leitner, linux...@vger.kernel.org, da...@davemloft.net, ku...@kernel.org, net...@vger.kernel.org, pab...@redhat.com
syzbot is reporting memory leak on sctp_stream_priorities [1], for
sctp_stream_outq_migrate() is resetting SCTP_SO(stream, i)->ext to NULL
without clearing SCTP_SO(new, i)->ext->prio_head list allocated by
sctp_sched_prio_new_head(). Since sctp_sched_prio_free() is too late to
clear if stream->outcnt was already shrunk or SCTP_SO(stream, i)->ext
was already NULL, add a callback for clearing that list before shrinking
stream->outcnt and/or resetting SCTP_SO(stream, i)->ext.

Link: https://syzkaller.appspot.com/bug?exrid=29c402e56c4760763cc0 [1]
Reported-by: syzbot <syzbot+29c402...@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin...@I-love.SAKURA.ne.jp>
---
I can observe that the reproducer no longer reports memory leak. But
is this change correct and sufficient? Are there similar locations?

include/net/sctp/stream_sched.h | 2 ++
net/sctp/stream.c | 3 +++
net/sctp/stream_sched_prio.c | 20 ++++++++++++++++++++
3 files changed, 25 insertions(+)

diff --git a/include/net/sctp/stream_sched.h b/include/net/sctp/stream_sched.h
index 01a70b27e026..1a59d0f8ad79 100644
--- a/include/net/sctp/stream_sched.h
+++ b/include/net/sctp/stream_sched.h
@@ -28,6 +28,8 @@ struct sctp_sched_ops {
int (*init_sid)(struct sctp_stream *stream, __u16 sid, gfp_t gfp);
/* Frees the entire thing */
void (*free)(struct sctp_stream *stream);
+ /* Free one sid */
+ void (*free_sid)(struct sctp_stream *stream, __u16 sid);

/* Enqueue a chunk */
void (*enqueue)(struct sctp_outq *q, struct sctp_datamsg *msg);
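Review bot: the comment `/* Free one sid */` on the new free_sid hook should say that the callback is optional and that callers must test the pointer before invoking it, since the stream.c hunk relies on a NULL check and not every scheduler will implement it; it should also state that it must be called before the sid's ext is freed, because the prio implementation reads ext->prio_head.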
diff --git a/net/sctp/stream.c b/net/sctp/stream.c
index ef9fceadef8d..845a8173181e 100644
--- a/net/sctp/stream.c
+++ b/net/sctp/stream.c
@@ -60,6 +60,7 @@ static void sctp_stream_outq_migrate(struct sctp_stream *stream,
struct sctp_stream *new, __u16 outcnt)
{
int i;
+ struct sctp_sched_ops *sched = sctp_sched_ops_from_stream(stream);

if (stream->outcnt > outcnt)
sctp_stream_shrink_out(stream, outcnt);
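Review bot: the new local `struct sctp_sched_ops *sched = sctp_sched_ops_from_stream(stream);` is declared after `int i;`, but netdev code keeps local declarations in reverse christmas-tree order (longest line first), so the two declarations should be swapped.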
@@ -77,6 +78,8 @@ static void sctp_stream_outq_migrate(struct sctp_stream *stream,
}

for (i = outcnt; i < stream->outcnt; i++) {
+ if (sched->free_sid)
+ sched->free_sid(stream, i);
kfree(SCTP_SO(stream, i)->ext);
SCTP_SO(stream, i)->ext = NULL;
}
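Review bot: free_sid() is only called in the loop over the sids being dropped from `stream` (i >= outcnt), yet the commit message names `SCTP_SO(new, i)->ext->prio_head` as the leaked list; if this function also kfree()s ext on `new` while migrating, that kfree needs the same preceding `sched->free_sid()` call or the leak remains on that path. The ordering here is right: free_sid() runs before `kfree(SCTP_SO(stream, i)->ext)`, which the prio implementation requires because it dereferences ext.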
diff --git a/net/sctp/stream_sched_prio.c b/net/sctp/stream_sched_prio.c
index 80b5a2c4cbc7..bde5537984a9 100644
--- a/net/sctp/stream_sched_prio.c
+++ b/net/sctp/stream_sched_prio.c
@@ -230,6 +230,25 @@ static void sctp_sched_prio_free(struct sctp_stream *stream)
}
}

+static void sctp_sched_prio_free_sid(struct sctp_stream *stream, __u16 sid)
+{
+ struct sctp_stream_priorities *prio, *n;
+ struct sctp_stream_out *sout = SCTP_SO(stream, sid);
+ struct sctp_stream_out_ext *soute = sout->ext;
+ LIST_HEAD(list);
+
+ if (!soute)
+ return;
+ prio = soute->prio_head;
+ if (!prio || !list_empty(&prio->prio_sched))
+ return;
+ list_add(&prio->prio_sched, &list);
+ list_for_each_entry_safe(prio, n, &list, prio_sched) {
+ list_del_init(&prio->prio_sched);
+ kfree(prio);
+ }
+}
+
static void sctp_sched_prio_enqueue(struct sctp_outq *q,
struct sctp_datamsg *msg)
{
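Review bot: sctp_sched_prio_free_sid() frees `prio` as soon as it is unscheduled, but priority heads are shared: sctp_sched_prio_get_head() (shown inlined next to _new_head in the backtrace) hands the same head to every sid with the same priority, so freeing it here leaves any other sid whose ext->prio_head points at it with a dangling pointer, turning the leak into a use-after-free. Scan the other sids for `SCTP_SO(stream, i)->ext->prio_head == prio` and return if one is found. The temporary `LIST_HEAD(list)` / list_add() / list_for_each_entry_safe() sequence for a single entry can then become a plain kfree(prio).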
@@ -323,6 +342,7 @@ static struct sctp_sched_ops sctp_sched_prio = {
.get = sctp_sched_prio_get,
.init = sctp_sched_prio_init,
.init_sid = sctp_sched_prio_init_sid,
+ .free_sid = sctp_sched_prio_free_sid,
.free = sctp_sched_prio_free,
.enqueue = sctp_sched_prio_enqueue,
.dequeue = sctp_sched_prio_dequeue,
--
2.34.1
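The ownership problem the commit message describes, as an added example that is not code from this thread or from the kernel: a userspace model in which sids of equal priority share one head (the behaviour of the real sctp_sched_prio_get_head()), the shrink loop of sctp_stream_outq_migrate() drops ext as the unpatched kernel does, and a per-sid free releases the head only when no other sid still points at it. Every name other than the kernel functions it mirrors is made up for the model, and the scenario values are constructed.

```c
#include <stdlib.h>
/* Userspace model of the ownership problem above (added example, not kernel code). */
struct prio_head { int prio; };
struct stream_ext { struct prio_head *prio_head; };
struct stream { struct stream_ext **so; int outcnt; };
static int live_heads;	/* heads allocated and not yet freed */
/* Like sctp_sched_prio_get_head: sids of equal priority share one head. */
static struct prio_head *get_head(struct stream *s, int prio)
{
	for (int i = 0; i < s->outcnt; i++)
		if (s->so[i] && s->so[i]->prio_head->prio == prio)
			return s->so[i]->prio_head;
	struct prio_head *p = calloc(1, sizeof(*p));
	p->prio = prio;
	live_heads++;
	return p;
}
static void set_prio(struct stream *s, int sid, int prio)
{
	struct stream_ext *e = calloc(1, sizeof(*e));
	e->prio_head = get_head(s, prio);
	s->so[sid] = e;	/* attach only once prio_head is valid */
}
/* Free sid's head only if no other sid still points at it (else it dangles). */
static void free_sid(struct stream *s, int sid)
{
	struct prio_head *p = s->so[sid]->prio_head;
	for (int i = 0; i < s->outcnt; i++)
		if (i != sid && s->so[i] && s->so[i]->prio_head == p)
			return;
	free(p);
	live_heads--;
}
/* The shrink loop of sctp_stream_outq_migrate(); fix == 0 drops ext as-is. */
static void shrink(struct stream *s, int outcnt, int fix)
{
	for (int i = outcnt; i < s->outcnt; i++) {
		if (fix)
			free_sid(s, i);
		free(s->so[i]);
		s->so[i] = NULL;
	}
	s->outcnt = outcnt;
}
/* Constructed scenario: sids 0,2 prio 1, sids 1,3 prio 2; shrink to sid 0, tear down. */
static int leaked_heads(int fix)
{
	struct stream_ext *so[4] = { 0 };
	struct stream s = { so, 4 };
	live_heads = 0;
	set_prio(&s, 0, 1); set_prio(&s, 1, 2);
	set_prio(&s, 2, 1); set_prio(&s, 3, 2);
	shrink(&s, 1, fix); shrink(&s, 0, 1);	/* returns 1 unfixed, 0 fixed */
	return live_heads;
}
```

With fix == 1 the head shared by sids 1 and 3 survives the first shrink until sid 3 goes, and the head shared by sids 0 and 2 survives until sid 0 goes, so nothing dangles and nothing leaks.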

Marcelo Ricardo Leitner

unread,
Nov 23, 2022, 8:57:29 AM11/23/22
to Tetsuo Handa, syzbot, syzkall...@googlegroups.com, Vlad Yasevich, Neil Horman, linux...@vger.kernel.org, da...@davemloft.net, ku...@kernel.org, net...@vger.kernel.org, pab...@redhat.com
On Wed, Nov 23, 2022 at 07:36:00PM +0900, Tetsuo Handa wrote:
> syzbot is reporting memory leak on sctp_stream_priorities [1], for
> sctp_stream_outq_migrate() is resetting SCTP_SO(stream, i)->ext to NULL
> without clearing SCTP_SO(new, i)->ext->prio_head list allocated by
> sctp_sched_prio_new_head(). Since sctp_sched_prio_free() is too late to
> clear if stream->outcnt was already shrunk or SCTP_SO(stream, i)->ext
> was already NULL, add a callback for clearing that list before shrinking
> stream->outcnt and/or resetting SCTP_SO(stream, i)->ext.
>
> Link: https://syzkaller.appspot.com/bug?exrid=29c402e56c4760763cc0 [1]
> Reported-by: syzbot <syzbot+29c402...@syzkaller.appspotmail.com>
> Signed-off-by: Tetsuo Handa <penguin...@I-love.SAKURA.ne.jp>
> ---
> I can observe that the reproducer no longer reports memory leak. But
> is this change correct and sufficient? Are there similar locations?

Thanks, but please see my email from yesterday. This is on the right
way but a cleanup then is possible:
https://lore.kernel.org/linux-sctp/Y31ct%2FlSXN...@t14s.localdomain/

Marcelo

Tetsuo Handa

Nov 23, 2022, 6:45:34 PM11/23/22
to Marcelo Ricardo Leitner, syzbot, syzkall...@googlegroups.com, Vlad Yasevich, Neil Horman, linux...@vger.kernel.org, da...@davemloft.net, ku...@kernel.org, net...@vger.kernel.org, pab...@redhat.com
Oops, duplicated work again. Googling with this address did not hit, and
a thread at syzkaller-bugs group did not have your patch.

Please consider including syzbot+XXXXXX...@syzkaller.appspotmail.com
and syzkall...@googlegroups.com into the Cc: list so that we can google for
your patch.

ead...@sina.com

Dec 31, 2022, 10:35:40 PM12/31/22
to syzbot+29c402...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, Edward Adam Davis
From: Edward Adam Davis <ead...@sina.com>

On Mon, 19 Dec 2022 00:04:43 -0800
> HEAD commit: 13e3c7793e2f Merge tag 'for-netdev' of https://git.kernel...
> git tree: bpf
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=177df7e0480000
> kernel config: https://syzkaller.appspot.com/x/.config?x=b0e91ad4b5f69c47
> dashboard link: https://syzkaller.appspot.com/bug?extid=b8e8c01c8ade4fe6e48f
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15e87100480000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16ceeb13880000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/373a99daa295/disk-13e3c779.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/7fa71ed0fe17/vmlinux-13e3c779.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/2842ad5c698b/bzImage-13e3c779.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+b8e8c0...@syzkaller.appspotmail.com

syzbot report:
BUG: KASAN: use-after-free in __lock_acquire+0x3ee7/0x56d0 kernel/locking/lockdep.c:4925
Read of size 8 at addr ffff8880237d6018 by task syz-executor287/8300

Test 13e3c7793e2f uaf.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git 13e3c7793e2f

--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -4816,6 +4816,7 @@ find_get_pmu_context(struct pmu *pmu, struct perf_event_context *ctx,
raw_spin_lock_irq(&ctx->lock);
list_add(&epc->pmu_ctx_entry, &ctx->pmu_ctx_list);
epc->ctx = ctx;
+ get_ctx(ctx);
raw_spin_unlock_irq(&ctx->lock);
} else {
WARN_ON_ONCE(epc->ctx != ctx);
@@ -4862,6 +4863,7 @@ find_get_pmu_context(struct pmu *pmu, struct perf_event_context *ctx,

list_add(&epc->pmu_ctx_entry, &ctx->pmu_ctx_list);
epc->ctx = ctx;
+ get_ctx(&ctx);

found_epc:
if (task_ctx_data && !epc->task_ctx_data) {
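Review bot: `get_ctx(&ctx)` passes a `struct perf_event_context **` where get_ctx() takes the context pointer itself; it should read `get_ctx(ctx)` as in the first hunk, otherwise the build fails with -Werror=incompatible-pointer-types.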
@@ -4913,6 +4915,7 @@ static void put_pmu_ctx(struct perf_event_pmu_context *epc)
raw_spin_lock_irqsave(&ctx->lock, flags);
list_del_init(&epc->pmu_ctx_entry);
epc->ctx = NULL;
+ put_ctx(ctx);
raw_spin_unlock_irqrestore(&ctx->lock, flags);
}
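Review bot: put_ctx(ctx) is called while ctx->lock is still held and `raw_spin_unlock_irqrestore(&ctx->lock, flags)` follows it; if this drop is the last reference, the unlock operates on a context already on its way to being freed. Move the put_ctx() after the unlock, and confirm the caller does not already hold a reference on ctx that makes this one redundant.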

--
2.37.2

syzbot

Dec 31, 2022, 11:55:29 PM12/31/22
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

kernel/events/core.c:4866:16: error: passing argument 1 of 'get_ctx' from incompatible pointer type [-Werror=incompatible-pointer-types]


Tested on:

commit: 13e3c779 Merge tag 'for-netdev' of https://git.kernel...
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git
dashboard link: https://syzkaller.appspot.com/bug?extid=29c402e56c4760763cc0
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=105f03ca480000
