Re: [syzbot] memory leak in h4_recv_buf


syzbot

Jul 19, 2021, 1:32:08 AM
to phin...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in h4_recv_buf

2021/07/19 05:31:04 executed programs: 8
BUG: memory leak
unreferenced object 0xffff888110b60c00 (size 232):
comm "syz-executor.3", pid 10605, jiffies 4294944539 (age 22.210s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<00000000d6b938d8>] __alloc_skb+0x20f/0x280 net/core/skbuff.c:414
[<0000000081f5ef8e>] alloc_skb include/linux/skbuff.h:1112 [inline]
[<0000000081f5ef8e>] bt_skb_alloc include/net/bluetooth/bluetooth.h:389 [inline]
[<0000000081f5ef8e>] h4_recv_buf+0x357/0x5a0 drivers/bluetooth/hci_h4.c:181
[<00000000db01427c>] h4_recv+0x58/0xc0 drivers/bluetooth/hci_h4.c:115
[<00000000c32d5755>] hci_uart_tty_receive+0xcc/0x230 drivers/bluetooth/hci_ldisc.c:613
[<00000000b15c1002>] tiocsti drivers/tty/tty_io.c:2311 [inline]
[<00000000b15c1002>] tty_ioctl+0x50b/0xbf0 drivers/tty/tty_io.c:2719
[<0000000076ae3e2f>] vfs_ioctl fs/ioctl.c:51 [inline]
[<0000000076ae3e2f>] __do_sys_ioctl fs/ioctl.c:1069 [inline]
[<0000000076ae3e2f>] __se_sys_ioctl fs/ioctl.c:1055 [inline]
[<0000000076ae3e2f>] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:1055
[<000000003e95b1b4>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<000000003e95b1b4>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
[<00000000a62fbd01>] entry_SYSCALL_64_after_hwframe+0x44/0xae

BUG: memory leak
unreferenced object 0xffff8881274ed800 (size 1024):
comm "syz-executor.3", pid 10605, jiffies 4294944539 (age 22.210s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<00000000e99b3747>] kmalloc_reserve net/core/skbuff.c:355 [inline]
[<00000000e99b3747>] __alloc_skb+0xdf/0x280 net/core/skbuff.c:426
[<0000000081f5ef8e>] alloc_skb include/linux/skbuff.h:1112 [inline]
[<0000000081f5ef8e>] bt_skb_alloc include/net/bluetooth/bluetooth.h:389 [inline]
[<0000000081f5ef8e>] h4_recv_buf+0x357/0x5a0 drivers/bluetooth/hci_h4.c:181
[<00000000db01427c>] h4_recv+0x58/0xc0 drivers/bluetooth/hci_h4.c:115
[<00000000c32d5755>] hci_uart_tty_receive+0xcc/0x230 drivers/bluetooth/hci_ldisc.c:613
[<00000000b15c1002>] tiocsti drivers/tty/tty_io.c:2311 [inline]
[<00000000b15c1002>] tty_ioctl+0x50b/0xbf0 drivers/tty/tty_io.c:2719
[<0000000076ae3e2f>] vfs_ioctl fs/ioctl.c:51 [inline]
[<0000000076ae3e2f>] __do_sys_ioctl fs/ioctl.c:1069 [inline]
[<0000000076ae3e2f>] __se_sys_ioctl fs/ioctl.c:1055 [inline]
[<0000000076ae3e2f>] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:1055
[<000000003e95b1b4>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<000000003e95b1b4>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
[<00000000a62fbd01>] entry_SYSCALL_64_after_hwframe+0x44/0xae

BUG: memory leak
unreferenced object 0xffff888110ace800 (size 232):
comm "syz-executor.2", pid 10655, jiffies 4294944629 (age 21.310s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<00000000d6b938d8>] __alloc_skb+0x20f/0x280 net/core/skbuff.c:414
[<0000000081f5ef8e>] alloc_skb include/linux/skbuff.h:1112 [inline]
[<0000000081f5ef8e>] bt_skb_alloc include/net/bluetooth/bluetooth.h:389 [inline]
[<0000000081f5ef8e>] h4_recv_buf+0x357/0x5a0 drivers/bluetooth/hci_h4.c:181
[<00000000db01427c>] h4_recv+0x58/0xc0 drivers/bluetooth/hci_h4.c:115
[<00000000c32d5755>] hci_uart_tty_receive+0xcc/0x230 drivers/bluetooth/hci_ldisc.c:613
[<00000000b15c1002>] tiocsti drivers/tty/tty_io.c:2311 [inline]
[<00000000b15c1002>] tty_ioctl+0x50b/0xbf0 drivers/tty/tty_io.c:2719
[<0000000076ae3e2f>] vfs_ioctl fs/ioctl.c:51 [inline]
[<0000000076ae3e2f>] __do_sys_ioctl fs/ioctl.c:1069 [inline]
[<0000000076ae3e2f>] __se_sys_ioctl fs/ioctl.c:1055 [inline]
[<0000000076ae3e2f>] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:1055
[<000000003e95b1b4>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<000000003e95b1b4>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
[<00000000a62fbd01>] entry_SYSCALL_64_after_hwframe+0x44/0xae



Tested on:

commit: 2734d6c1 Linux 5.14-rc2
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1569cf78300000
kernel config: https://syzkaller.appspot.com/x/.config?x=7cd9a07e043c7c3f
dashboard link: https://syzkaller.appspot.com/bug?extid=97388eb9d31b997fe1d0
compiler:

syzbot

Jul 25, 2021, 5:25:12 PM
to phin...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

drivers/bluetooth/hci_ldisc.c:504:22: error: 'struct hci_uart' has no member named 'rx_lock'; did you mean 'proto_lock'?
drivers/bluetooth/hci_ldisc.c:614:17: error: 'struct hci_uart' has no member named 'rx_lock'; did you mean 'proto_lock'?
drivers/bluetooth/hci_ldisc.c:620:19: error: 'struct hci_uart' has no member named 'rx_lock'; did you mean 'proto_lock'?


Tested on:

commit: a1833a54 smpboot: fix duplicate and misplaced inlining..
git tree: upstream
patch: https://syzkaller.appspot.com/x/patch.diff?x=10b1f80a300000

syzbot

Jul 25, 2021, 10:31:11 PM
to phin...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+97388e...@syzkaller.appspotmail.com

Tested on:

commit: ff117646 Linux 5.14-rc3
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=b569cddf2de2a96d
dashboard link: https://syzkaller.appspot.com/bug?extid=97388eb9d31b997fe1d0
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1
patch: https://syzkaller.appspot.com/x/patch.diff?x=1148300a300000

Note: testing is done by a robot and is best-effort only.