[syzbot] [wireless?] [net?] memory leak in ieee80211_add_key


syzbot

Oct 10, 2023, 8:19:52 PM10/10/23
to da...@davemloft.net, edum...@google.com, joha...@sipsolutions.net, ku...@kernel.org, linux-...@vger.kernel.org, linux-w...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: af95dc6fdc25 Merge tag 'pci-v6.6-fixes-2' of git://git.ker..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=111f9141680000
kernel config: https://syzkaller.appspot.com/x/.config?x=92fc678f64486a09
dashboard link: https://syzkaller.appspot.com/bug?extid=c7f9b4282ce793ea2456
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12874a7e680000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17eba911680000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/8bc195198bd8/disk-af95dc6f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/769216d795c4/vmlinux-af95dc6f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/8ceb9e44a618/bzImage-af95dc6f.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c7f9b4...@syzkaller.appspotmail.com

executing program
executing program
BUG: memory leak
unreferenced object 0xffff8881419b3000 (size 1024):
comm "syz-executor294", pid 5023, jiffies 4294944772 (age 13.090s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 18 30 9b 41 81 88 ff ff .........0.A....
backtrace:
[<ffffffff8157491b>] __do_kmalloc_node mm/slab_common.c:1022 [inline]
[<ffffffff8157491b>] __kmalloc+0x4b/0x150 mm/slab_common.c:1036
[<ffffffff848575dc>] kmalloc include/linux/slab.h:603 [inline]
[<ffffffff848575dc>] kzalloc include/linux/slab.h:720 [inline]
[<ffffffff848575dc>] ieee80211_key_alloc+0x5c/0x590 net/mac80211/key.c:603
[<ffffffff8482b0d2>] ieee80211_add_key+0x162/0x540 net/mac80211/cfg.c:500
[<ffffffff8477c375>] rdev_add_key net/wireless/rdev-ops.h:87 [inline]
[<ffffffff8477c375>] nl80211_new_key+0x315/0x540 net/wireless/nl80211.c:4764
[<ffffffff84033bb6>] genl_family_rcv_msg_doit+0x116/0x180 net/netlink/genetlink.c:971
[<ffffffff840347dd>] genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline]
[<ffffffff840347dd>] genl_rcv_msg+0x2fd/0x440 net/netlink/genetlink.c:1066
[<ffffffff84032191>] netlink_rcv_skb+0x91/0x1d0 net/netlink/af_netlink.c:2545
[<ffffffff840335f8>] genl_rcv+0x28/0x40 net/netlink/genetlink.c:1075
[<ffffffff84031092>] netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
[<ffffffff84031092>] netlink_unicast+0x2c2/0x440 net/netlink/af_netlink.c:1368
[<ffffffff840315b5>] netlink_sendmsg+0x3a5/0x740 net/netlink/af_netlink.c:1910
[<ffffffff83e96c12>] sock_sendmsg_nosec net/socket.c:730 [inline]
[<ffffffff83e96c12>] __sock_sendmsg+0x52/0xa0 net/socket.c:745
[<ffffffff83e97265>] ____sys_sendmsg+0x365/0x470 net/socket.c:2558
[<ffffffff83e9b6d9>] ___sys_sendmsg+0xc9/0x130 net/socket.c:2612
[<ffffffff83e9b886>] __sys_sendmsg+0xa6/0x120 net/socket.c:2641
[<ffffffff84b38548>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff84b38548>] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
[<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd

BUG: memory leak
unreferenced object 0xffff8881419b3400 (size 1024):
comm "syz-executor294", pid 5025, jiffies 4294945317 (age 7.640s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 18 34 9b 41 81 88 ff ff .........4.A....
backtrace:
[<ffffffff8157491b>] __do_kmalloc_node mm/slab_common.c:1022 [inline]
[<ffffffff8157491b>] __kmalloc+0x4b/0x150 mm/slab_common.c:1036
[<ffffffff848575dc>] kmalloc include/linux/slab.h:603 [inline]
[<ffffffff848575dc>] kzalloc include/linux/slab.h:720 [inline]
[<ffffffff848575dc>] ieee80211_key_alloc+0x5c/0x590 net/mac80211/key.c:603
[<ffffffff8482b0d2>] ieee80211_add_key+0x162/0x540 net/mac80211/cfg.c:500
[<ffffffff8477c375>] rdev_add_key net/wireless/rdev-ops.h:87 [inline]
[<ffffffff8477c375>] nl80211_new_key+0x315/0x540 net/wireless/nl80211.c:4764
[<ffffffff84033bb6>] genl_family_rcv_msg_doit+0x116/0x180 net/netlink/genetlink.c:971
[<ffffffff840347dd>] genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline]
[<ffffffff840347dd>] genl_rcv_msg+0x2fd/0x440 net/netlink/genetlink.c:1066
[<ffffffff84032191>] netlink_rcv_skb+0x91/0x1d0 net/netlink/af_netlink.c:2545
[<ffffffff840335f8>] genl_rcv+0x28/0x40 net/netlink/genetlink.c:1075
[<ffffffff84031092>] netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
[<ffffffff84031092>] netlink_unicast+0x2c2/0x440 net/netlink/af_netlink.c:1368
[<ffffffff840315b5>] netlink_sendmsg+0x3a5/0x740 net/netlink/af_netlink.c:1910
[<ffffffff83e96c12>] sock_sendmsg_nosec net/socket.c:730 [inline]
[<ffffffff83e96c12>] __sock_sendmsg+0x52/0xa0 net/socket.c:745
[<ffffffff83e97265>] ____sys_sendmsg+0x365/0x470 net/socket.c:2558
[<ffffffff83e9b6d9>] ___sys_sendmsg+0xc9/0x130 net/socket.c:2612
[<ffffffff83e9b886>] __sys_sendmsg+0xa6/0x120 net/socket.c:2641
[<ffffffff84b38548>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff84b38548>] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
[<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd



---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup
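An added triage helper, not part of syzbot or of any patch in this thread: it parses kmemleak records in the format pasted above, names the leaking site the way the subject line does by skipping allocator frames (an assumed heuristic, since the first frames are kzalloc and ieee80211_key_alloc while the report is titled ieee80211_add_key), totals bytes per site, and reports which sites survive a retest. The sample records are copied from this thread with shortened backtraces.

```python
import re
from dataclasses import dataclass, field

_HEADER = re.compile(r"^unreferenced object (0x[0-9a-f]+) \(size (\d+)\):")
_COMM = re.compile(r'^comm "([^"]*)", pid (\d+), jiffies \d+ \(age [\d.]+s\)')
# "[<addr>] func+0xoff/0xlen file:line [inline]"; offset, location and [inline] are optional
_FRAME = re.compile(
    r"^\[<[0-9a-f]+>\] (\S+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?(?: (\S+?))?(?: \[inline\])?$")
# Assumed heuristic, modelled on the subject syzbot gave this thread: frames that only
# say how memory was obtained (kzalloc, ieee80211_key_alloc) are skipped when naming
# the leaking site, which is why the records below count as "leak in ieee80211_add_key".
_ALLOCATOR_HINTS = ("alloc", "slab", "kmem_cache")

@dataclass
class Leak:
    addr: str
    size: int
    comm: str = ""
    pid: int = 0
    frames: list = field(default_factory=list)  # (function, file:line, inline?)

    def origin(self):
        """(function, file:line) of the first frame that is not an allocator helper."""
        for func, loc, _inline in self.frames:
            if not any(h in func for h in _ALLOCATOR_HINTS):
                return func, loc
        return self.frames[-1][:2] if self.frames else ("?", "?")

def parse_kmemleak(text):
    """Collect kmemleak records from a console log; unrelated lines are ignored."""
    leaks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _HEADER.match(line):
            cur = Leak(addr=m.group(1), size=int(m.group(2)))
            leaks.append(cur)
        elif cur is None:
            continue
        elif m := _COMM.match(line):
            cur.comm, cur.pid = m.group(1), int(m.group(2))
        elif m := _FRAME.match(line):
            cur.frames.append((m.group(1), m.group(2) or "", line.endswith("[inline]")))
    return leaks

def summarize(leaks):
    """[((func, file:line), (records, bytes)), ...], biggest leaker first."""
    by_site = {}
    for leak in leaks:
        n, b = by_site.get(leak.origin(), (0, 0))
        by_site[leak.origin()] = (n + 1, b + leak.size)
    return sorted(by_site.items(), key=lambda kv: kv[1][1], reverse=True)

def report_title(leaks):
    """syzbot-style subject line for the dominant site."""
    if not leaks:
        return "memory leak (no records parsed)"
    return "memory leak in " + summarize(leaks)[0][0][0]

def unresolved_sites(baseline, retest):
    """Sites still leaking after a candidate patch: what a '#syz test' retest tells you."""
    return {l.origin()[0] for l in baseline} & {l.origin()[0] for l in retest}

# Constructed sample: two records copied from the report above, backtraces shortened.
SAMPLE = """\
executing program
BUG: memory leak
unreferenced object 0xffff8881419b3000 (size 1024):
  comm "syz-executor294", pid 5023, jiffies 4294944772 (age 13.090s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 18 30 9b 41 81 88 ff ff  .........0.A....
  backtrace:
    [<ffffffff8157491b>] __do_kmalloc_node mm/slab_common.c:1022 [inline]
    [<ffffffff8157491b>] __kmalloc+0x4b/0x150 mm/slab_common.c:1036
    [<ffffffff848575dc>] kzalloc include/linux/slab.h:720 [inline]
    [<ffffffff848575dc>] ieee80211_key_alloc+0x5c/0x590 net/mac80211/key.c:603
    [<ffffffff8482b0d2>] ieee80211_add_key+0x162/0x540 net/mac80211/cfg.c:500
    [<ffffffff8477c375>] rdev_add_key net/wireless/rdev-ops.h:87 [inline]
    [<ffffffff8477c375>] nl80211_new_key+0x315/0x540 net/wireless/nl80211.c:4764
    [<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd

BUG: memory leak
unreferenced object 0xffff8881419b3400 (size 1024):
  comm "syz-executor294", pid 5025, jiffies 4294945317 (age 7.640s)
  backtrace:
    [<ffffffff848575dc>] ieee80211_key_alloc+0x5c/0x590 net/mac80211/key.c:603
    [<ffffffff8482b0d2>] ieee80211_add_key+0x162/0x540 net/mac80211/cfg.c:500
"""
# Constructed: one record from the retest of the -EINVAL patch further down the thread.
RETEST = """\
unreferenced object 0xffff88811c2c7400 (size 1024):
  comm "syz-executor.0", pid 5745, jiffies 4294946944 (age 13.620s)
  backtrace:
    [<ffffffff8485760c>] ieee80211_key_alloc+0x5c/0x590 net/mac80211/key.c:603
    [<ffffffff8482b0d2>] ieee80211_add_key+0x162/0x570 net/mac80211/cfg.c:500
"""
```

Feed it the full console log linked in the report and `summarize()` tells you whether the 1024-byte key objects are the only thing leaking before you start bisecting.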

ead...@sina.com

Oct 10, 2023, 11:37:59 PM10/10/23
to syzbot+c7f9b4...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
From: Edward AD <ead...@sina.com>

please test mem leak in ieee80211_add_key

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git af95dc6fdc25

diff --git a/net/mac80211/key.c b/net/mac80211/key.c
index 0665ff5e456e..e63dbef621e5 100644
--- a/net/mac80211/key.c
+++ b/net/mac80211/key.c
@@ -737,6 +737,7 @@ ieee80211_key_alloc(u32 cipher, int idx, size_t key_len,
}
memcpy(key->conf.key, key_data, key_len);
INIT_LIST_HEAD(&key->list);
+ printk("%s, %p\n", __func__, key);

return key;
}
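Review bot: the `%p` in the added `printk("%s, %p\n", __func__, key)` prints a hashed pointer on current kernels, so its output cannot be matched against the raw `unreferenced object 0xffff...` address in the kmemleak record this print is meant to correlate with; for a throwaway debug patch use `%px` (never in code meant for merging), and give the message a log level (`pr_debug()` or a `KERN_*` prefix) instead of a bare `printk`.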
@@ -761,6 +762,7 @@ static void ieee80211_key_free_common(struct ieee80211_key *key)
ieee80211_aes_gcm_key_free(key->u.gcmp.tfm);
break;
}
+ printk("%s, %p\n", __func__, key);
kfree_sensitive(key);
}

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 931a03f4549c..871af6931d68 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -4764,6 +4764,7 @@ static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
err = rdev_add_key(rdev, dev, link_id, key.idx,
key.type == NL80211_KEYTYPE_PAIRWISE,
mac_addr, &key.p);
+ printk("%s, %p, %p, %d\n", __func__, dev, key, err);
if (err)
GENL_SET_ERR_MSG(info, "key addition failed");
}
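Review bot: `key` in nl80211_new_key() is a `struct key_parse` held by value (the context lines use `key.idx` and `&key.p`), so passing it to `%p` pushes the whole struct through varargs and prints garbage, and the compiler's format check will warn about it; print the fields you actually want to correlate (`key.idx`, `link_id`) or pass `&key`.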
@@ -4824,6 +4825,7 @@ static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
key.type == NL80211_KEYTYPE_PAIRWISE,
mac_addr);

+ printk("%s, %p, %p, %d\n", __func__, dev, key, err);
#ifdef CONFIG_CFG80211_WEXT
if (!err) {
if (key.idx == wdev->wext.default_key)
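Review bot: same struct-by-value mismatch as in the nl80211_new_key hunk: `key` is a `struct key_parse` (see `key.type` and `key.idx` in the context lines), not a pointer, so `%p` is wrong here too; print `key.idx` and `err` instead.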
@@ -11515,6 +11517,7 @@ static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
return -EOPNOTSUPP;

+ printk("%s, %p\n", __func__, dev);
return cfg80211_leave_ibss(rdev, dev, false);
}

@@ -12160,6 +12163,7 @@ static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
wdev_lock(dev->ieee80211_ptr);
ret = cfg80211_disconnect(rdev, dev, reason, true);
wdev_unlock(dev->ieee80211_ptr);
+ printk("%s, %p\n", __func__, dev);
return ret;
}

diff --git a/net/wireless/ibss.c b/net/wireless/ibss.c
index e6fdb0b8187d..7c7e75f3fa6e 100644
--- a/net/wireless/ibss.c
+++ b/net/wireless/ibss.c
@@ -168,6 +168,7 @@ static void __cfg80211_clear_ibss(struct net_device *dev, bool nowext)
* Delete all the keys ... pairwise keys can't really
* exist any more anyway, but default keys might.
*/
+ printk("%s, %p\n", __func__, dev);
if (rdev->ops->del_key)
for (i = 0; i < 6; i++)
rdev_del_key(rdev, dev, -1, i, false, NULL);

syzbot

Oct 10, 2023, 11:59:29 PM10/10/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in ieee80211_add_key

BUG: memory leak
unreferenced object 0xffff88811b16a400 (size 1024):
comm "syz-executor.0", pid 5740, jiffies 4294947034 (age 14.290s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 18 a4 16 1b 81 88 ff ff ................
backtrace:
[<ffffffff8157491b>] __do_kmalloc_node mm/slab_common.c:1022 [inline]
[<ffffffff8157491b>] __kmalloc+0x4b/0x150 mm/slab_common.c:1036
[<ffffffff848576cc>] kmalloc include/linux/slab.h:603 [inline]
[<ffffffff848576cc>] kzalloc include/linux/slab.h:720 [inline]
[<ffffffff848576cc>] ieee80211_key_alloc+0x5c/0x5b0 net/mac80211/key.c:603
[<ffffffff8482b1d2>] ieee80211_add_key+0x162/0x540 net/mac80211/cfg.c:500
[<ffffffff8477c428>] rdev_add_key net/wireless/rdev-ops.h:87 [inline]
[<ffffffff8477c428>] nl80211_new_key+0x318/0x580 net/wireless/nl80211.c:4764
[<ffffffff84033bb6>] genl_family_rcv_msg_doit+0x116/0x180 net/netlink/genetlink.c:971
[<ffffffff840347dd>] genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline]
[<ffffffff840347dd>] genl_rcv_msg+0x2fd/0x440 net/netlink/genetlink.c:1066
[<ffffffff84032191>] netlink_rcv_skb+0x91/0x1d0 net/netlink/af_netlink.c:2545
[<ffffffff840335f8>] genl_rcv+0x28/0x40 net/netlink/genetlink.c:1075
[<ffffffff84031092>] netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
[<ffffffff84031092>] netlink_unicast+0x2c2/0x440 net/netlink/af_netlink.c:1368
[<ffffffff840315b5>] netlink_sendmsg+0x3a5/0x740 net/netlink/af_netlink.c:1910
[<ffffffff83e96c12>] sock_sendmsg_nosec net/socket.c:730 [inline]
[<ffffffff83e96c12>] __sock_sendmsg+0x52/0xa0 net/socket.c:745
[<ffffffff83e97265>] ____sys_sendmsg+0x365/0x470 net/socket.c:2558
[<ffffffff83e9b6d9>] ___sys_sendmsg+0xc9/0x130 net/socket.c:2612
[<ffffffff83e9b886>] __sys_sendmsg+0xa6/0x120 net/socket.c:2641
[<ffffffff84b38548>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff84b38548>] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
[<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd

BUG: memory leak
unreferenced object 0xffff88811b169c00 (size 1024):
comm "syz-executor.0", pid 5742, jiffies 4294947037 (age 14.260s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 18 9c 16 1b 81 88 ff ff ................
backtrace:
[<ffffffff8157491b>] __do_kmalloc_node mm/slab_common.c:1022 [inline]
[<ffffffff8157491b>] __kmalloc+0x4b/0x150 mm/slab_common.c:1036
[<ffffffff848576cc>] kmalloc include/linux/slab.h:603 [inline]
[<ffffffff848576cc>] kzalloc include/linux/slab.h:720 [inline]
[<ffffffff848576cc>] ieee80211_key_alloc+0x5c/0x5b0 net/mac80211/key.c:603
[<ffffffff8482b1d2>] ieee80211_add_key+0x162/0x540 net/mac80211/cfg.c:500
[<ffffffff8477c428>] rdev_add_key net/wireless/rdev-ops.h:87 [inline]
[<ffffffff8477c428>] nl80211_new_key+0x318/0x580 net/wireless/nl80211.c:4764
[<ffffffff84033bb6>] genl_family_rcv_msg_doit+0x116/0x180 net/netlink/genetlink.c:971
[<ffffffff840347dd>] genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline]
[<ffffffff840347dd>] genl_rcv_msg+0x2fd/0x440 net/netlink/genetlink.c:1066
[<ffffffff84032191>] netlink_rcv_skb+0x91/0x1d0 net/netlink/af_netlink.c:2545
[<ffffffff840335f8>] genl_rcv+0x28/0x40 net/netlink/genetlink.c:1075
[<ffffffff84031092>] netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
[<ffffffff84031092>] netlink_unicast+0x2c2/0x440 net/netlink/af_netlink.c:1368
[<ffffffff840315b5>] netlink_sendmsg+0x3a5/0x740 net/netlink/af_netlink.c:1910
[<ffffffff83e96c12>] sock_sendmsg_nosec net/socket.c:730 [inline]
[<ffffffff83e96c12>] __sock_sendmsg+0x52/0xa0 net/socket.c:745
[<ffffffff83e97265>] ____sys_sendmsg+0x365/0x470 net/socket.c:2558
[<ffffffff83e9b6d9>] ___sys_sendmsg+0xc9/0x130 net/socket.c:2612
[<ffffffff83e9b886>] __sys_sendmsg+0xa6/0x120 net/socket.c:2641
[<ffffffff84b38548>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff84b38548>] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
[<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd

BUG: memory leak
unreferenced object 0xffff88811b39d400 (size 1024):
comm "syz-executor.0", pid 5747, jiffies 4294947628 (age 8.350s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 18 d4 39 1b 81 88 ff ff ..........9.....
backtrace:
[<ffffffff8157491b>] __do_kmalloc_node mm/slab_common.c:1022 [inline]
[<ffffffff8157491b>] __kmalloc+0x4b/0x150 mm/slab_common.c:1036
[<ffffffff848576cc>] kmalloc include/linux/slab.h:603 [inline]
[<ffffffff848576cc>] kzalloc include/linux/slab.h:720 [inline]
[<ffffffff848576cc>] ieee80211_key_alloc+0x5c/0x5b0 net/mac80211/key.c:603
[<ffffffff8482b1d2>] ieee80211_add_key+0x162/0x540 net/mac80211/cfg.c:500
[<ffffffff8477c428>] rdev_add_key net/wireless/rdev-ops.h:87 [inline]
[<ffffffff8477c428>] nl80211_new_key+0x318/0x580 net/wireless/nl80211.c:4764
[<ffffffff84033bb6>] genl_family_rcv_msg_doit+0x116/0x180 net/netlink/genetlink.c:971
[<ffffffff840347dd>] genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline]
[<ffffffff840347dd>] genl_rcv_msg+0x2fd/0x440 net/netlink/genetlink.c:1066
[<ffffffff84032191>] netlink_rcv_skb+0x91/0x1d0 net/netlink/af_netlink.c:2545
[<ffffffff840335f8>] genl_rcv+0x28/0x40 net/netlink/genetlink.c:1075
[<ffffffff84031092>] netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
[<ffffffff84031092>] netlink_unicast+0x2c2/0x440 net/netlink/af_netlink.c:1368
[<ffffffff840315b5>] netlink_sendmsg+0x3a5/0x740 net/netlink/af_netlink.c:1910
[<ffffffff83e96c12>] sock_sendmsg_nosec net/socket.c:730 [inline]
[<ffffffff83e96c12>] __sock_sendmsg+0x52/0xa0 net/socket.c:745
[<ffffffff83e97265>] ____sys_sendmsg+0x365/0x470 net/socket.c:2558
[<ffffffff83e9b6d9>] ___sys_sendmsg+0xc9/0x130 net/socket.c:2612
[<ffffffff83e9b886>] __sys_sendmsg+0xa6/0x120 net/socket.c:2641
[<ffffffff84b38548>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff84b38548>] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
[<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd



Tested on:

commit: af95dc6f Merge tag 'pci-v6.6-fixes-2' of git://git.ker..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=11ea0565680000
kernel config: https://syzkaller.appspot.com/x/.config?x=92fc678f64486a09
dashboard link: https://syzkaller.appspot.com/bug?extid=c7f9b4282ce793ea2456
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=16b4d0e9680000

ead...@sina.com

Oct 11, 2023, 2:04:46 AM10/11/23
to syzbot+c7f9b4...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
From: Edward AD <ead...@sina.com>

please test mem leak in ieee80211_add_key

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git af95dc6fdc25

diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 0e3a1753a51c..f9b9aaa024bd 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -496,6 +496,7 @@ static int ieee80211_add_key(struct wiphy *wiphy, struct net_device *dev,
default:
break;
}
+ printk("%s, %p, %d, %d\n", __func__, dev, link_id, key_idx);

key = ieee80211_key_alloc(params->cipher, key_idx, params->key_len,
params->key, params->seq_len, params->seq);
diff --git a/net/mac80211/key.c b/net/mac80211/key.c
index 0665ff5e456e..d46e10af9a1d 100644
--- a/net/mac80211/key.c
+++ b/net/mac80211/key.c
@@ -737,6 +737,7 @@ ieee80211_key_alloc(u32 cipher, int idx, size_t key_len,
}
memcpy(key->conf.key, key_data, key_len);
INIT_LIST_HEAD(&key->list);
+ printk("%s, %p, %d, %d\n", __func__, key, key->conf.link_id, idx);

return key;
}
@@ -761,6 +762,7 @@ static void ieee80211_key_free_common(struct ieee80211_key *key)
ieee80211_aes_gcm_key_free(key->u.gcmp.tfm);
break;
}
+ printk("%s, %p\n", __func__, key);
kfree_sensitive(key);
}

diff --git a/net/wireless/ibss.c b/net/wireless/ibss.c
index e6fdb0b8187d..7c7e75f3fa6e 100644
--- a/net/wireless/ibss.c
+++ b/net/wireless/ibss.c
@@ -168,6 +168,7 @@ static void __cfg80211_clear_ibss(struct net_device *dev, bool nowext)
* Delete all the keys ... pairwise keys can't really
* exist any more anyway, but default keys might.
*/
+ printk("%s, %p\n", __func__, dev);
if (rdev->ops->del_key)
for (i = 0; i < 6; i++)
rdev_del_key(rdev, dev, -1, i, false, NULL);
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 931a03f4549c..c72c3bdd4121 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -4764,6 +4764,7 @@ static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
err = rdev_add_key(rdev, dev, link_id, key.idx,
key.type == NL80211_KEYTYPE_PAIRWISE,
mac_addr, &key.p);
+ printk("%s, %p, %d, %d, %d\n", __func__, dev, key.idx, link_id, err);
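Review bot: as shown here this hunk stops at the added `printk` line, while its header `@@ -4764,6 +4764,7 @@` promises three more trailing context lines (`if (err)` and what follows); if the mail really ends there, `git apply` will reject the patch as corrupt, so regenerate it with `git format-patch` and check that the mail client is not dropping lines.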

Johannes Berg

Oct 11, 2023, 2:59:13 AM10/11/23
to syzbot, da...@davemloft.net, edum...@google.com, ku...@kernel.org, linux-...@vger.kernel.org, linux-w...@vger.kernel.org, net...@vger.kernel.org, pab...@redhat.com, syzkall...@googlegroups.com
I think already fixed by
https://patchwork.kernel.org/project/linux-wireless/patch/20231005210917....@sipsolutions.net/
though the patch isn't in the tree yet - will take care of it later
today (I hope).

johannes

syzbot

Oct 11, 2023, 3:43:33 AM10/11/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

create image operation failed: &{Code:ZONE_RESOURCE_POOL_EXHAUSTED_WITH_DETAILS ErrorDetails:[0xc005abbc20 0xc005abbd10 0xc005abbdb0] Location: Message:The zone 'projects/syzkaller/zones/us-central1-c' does not have enough resources available to fulfill the request. '(resource type:compute)'. ForceSendFields:[] NullFields:[]}.



syzkaller build log:


Tested on:

commit: af95dc6f Merge tag 'pci-v6.6-fixes-2' of git://git.ker..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=92fc678f64486a09
dashboard link: https://syzkaller.appspot.com/bug?extid=c7f9b4282ce793ea2456
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=176724d9680000

ead...@sina.com

Oct 11, 2023, 9:35:06 AM10/11/23
to syzbot+c7f9b4...@syzkaller.appspotmail.com, syzkall...@googlegroups.com

syzbot

Oct 11, 2023, 9:47:33 AM10/11/23
to ead...@sina.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in ___neigh_create

BUG: memory leak
unreferenced object 0xffff888141124400 (size 512):
comm "kworker/0:1", pid 9, jiffies 4294940595 (age 78.200s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 13 25 86 ff ff ff ff ..........%.....
40 85 07 08 81 88 ff ff 43 80 ff ff 00 00 00 00 @.......C.......
backtrace:
[<ffffffff8157491b>] __do_kmalloc_node mm/slab_common.c:1022 [inline]
[<ffffffff8157491b>] __kmalloc+0x4b/0x150 mm/slab_common.c:1036
[<ffffffff83ef8832>] kmalloc include/linux/slab.h:603 [inline]
[<ffffffff83ef8832>] kzalloc include/linux/slab.h:720 [inline]
[<ffffffff83ef8832>] neigh_alloc net/core/neighbour.c:486 [inline]
[<ffffffff83ef8832>] ___neigh_create+0xf2/0xe10 net/core/neighbour.c:640
[<ffffffff8434bd2e>] ip6_finish_output2+0x73e/0x990 net/ipv6/ip6_output.c:126
[<ffffffff84351151>] __ip6_finish_output net/ipv6/ip6_output.c:196 [inline]
[<ffffffff84351151>] ip6_finish_output+0x291/0x510 net/ipv6/ip6_output.c:207
[<ffffffff84351471>] NF_HOOK_COND include/linux/netfilter.h:293 [inline]
[<ffffffff84351471>] ip6_output+0xa1/0x1c0 net/ipv6/ip6_output.c:228
[<ffffffff843a14e9>] dst_output include/net/dst.h:458 [inline]
[<ffffffff843a14e9>] NF_HOOK.constprop.0+0x49/0x110 include/linux/netfilter.h:304
[<ffffffff843a17d3>] mld_sendpack+0x223/0x350 net/ipv6/mcast.c:1818
[<ffffffff843a4ba0>] mld_send_cr net/ipv6/mcast.c:2119 [inline]
[<ffffffff843a4ba0>] mld_ifc_work+0x2b0/0x6b0 net/ipv6/mcast.c:2651
[<ffffffff812c8d9d>] process_one_work+0x23d/0x530 kernel/workqueue.c:2630
[<ffffffff812c99c7>] process_scheduled_works kernel/workqueue.c:2703 [inline]
[<ffffffff812c99c7>] worker_thread+0x327/0x590 kernel/workqueue.c:2784
[<ffffffff812d6d9b>] kthread+0x12b/0x170 kernel/kthread.c:388
[<ffffffff81149f85>] ret_from_fork+0x45/0x50 arch/x86/kernel/process.c:147
[<ffffffff81002be1>] ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304

BUG: memory leak
unreferenced object 0xffff888141125800 (size 512):
comm "kworker/0:1", pid 9, jiffies 4294940597 (age 78.180s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 13 25 86 ff ff ff ff ..........%.....
00 86 07 08 81 88 ff ff 45 80 ff ff 00 00 00 00 ........E.......
backtrace:
[<ffffffff8157491b>] __do_kmalloc_node mm/slab_common.c:1022 [inline]
[<ffffffff8157491b>] __kmalloc+0x4b/0x150 mm/slab_common.c:1036
[<ffffffff83ef8832>] kmalloc include/linux/slab.h:603 [inline]
[<ffffffff83ef8832>] kzalloc include/linux/slab.h:720 [inline]
[<ffffffff83ef8832>] neigh_alloc net/core/neighbour.c:486 [inline]
[<ffffffff83ef8832>] ___neigh_create+0xf2/0xe10 net/core/neighbour.c:640
[<ffffffff8434bd2e>] ip6_finish_output2+0x73e/0x990 net/ipv6/ip6_output.c:126
[<ffffffff84351151>] __ip6_finish_output net/ipv6/ip6_output.c:196 [inline]
[<ffffffff84351151>] ip6_finish_output+0x291/0x510 net/ipv6/ip6_output.c:207
[<ffffffff84351471>] NF_HOOK_COND include/linux/netfilter.h:293 [inline]
[<ffffffff84351471>] ip6_output+0xa1/0x1c0 net/ipv6/ip6_output.c:228
[<ffffffff843a14e9>] dst_output include/net/dst.h:458 [inline]
[<ffffffff843a14e9>] NF_HOOK.constprop.0+0x49/0x110 include/linux/netfilter.h:304
[<ffffffff843a17d3>] mld_sendpack+0x223/0x350 net/ipv6/mcast.c:1818
[<ffffffff843a4ba0>] mld_send_cr net/ipv6/mcast.c:2119 [inline]
[<ffffffff843a4ba0>] mld_ifc_work+0x2b0/0x6b0 net/ipv6/mcast.c:2651
[<ffffffff812c8d9d>] process_one_work+0x23d/0x530 kernel/workqueue.c:2630
[<ffffffff812c99c7>] process_scheduled_works kernel/workqueue.c:2703 [inline]
[<ffffffff812c99c7>] worker_thread+0x327/0x590 kernel/workqueue.c:2784
[<ffffffff812d6d9b>] kthread+0x12b/0x170 kernel/kthread.c:388
[<ffffffff81149f85>] ret_from_fork+0x45/0x50 arch/x86/kernel/process.c:147
[<ffffffff81002be1>] ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304

BUG: memory leak
unreferenced object 0xffff888141124200 (size 512):
comm "kworker/0:1", pid 9, jiffies 4294940597 (age 78.180s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 13 25 86 ff ff ff ff ..........%.....
40 85 07 08 81 88 ff ff 45 80 ff ff 00 00 00 00 @.......E.......
backtrace:
[<ffffffff8157491b>] __do_kmalloc_node mm/slab_common.c:1022 [inline]
[<ffffffff8157491b>] __kmalloc+0x4b/0x150 mm/slab_common.c:1036
[<ffffffff83ef8832>] kmalloc include/linux/slab.h:603 [inline]
[<ffffffff83ef8832>] kzalloc include/linux/slab.h:720 [inline]
[<ffffffff83ef8832>] neigh_alloc net/core/neighbour.c:486 [inline]
[<ffffffff83ef8832>] ___neigh_create+0xf2/0xe10 net/core/neighbour.c:640
[<ffffffff8434bd2e>] ip6_finish_output2+0x73e/0x990 net/ipv6/ip6_output.c:126
[<ffffffff84351151>] __ip6_finish_output net/ipv6/ip6_output.c:196 [inline]
[<ffffffff84351151>] ip6_finish_output+0x291/0x510 net/ipv6/ip6_output.c:207
[<ffffffff84351471>] NF_HOOK_COND include/linux/netfilter.h:293 [inline]
[<ffffffff84351471>] ip6_output+0xa1/0x1c0 net/ipv6/ip6_output.c:228
[<ffffffff8438ac19>] dst_output include/net/dst.h:458 [inline]
[<ffffffff8438ac19>] NF_HOOK.constprop.0+0x49/0x110 include/linux/netfilter.h:304
[<ffffffff8438af29>] ndisc_send_skb+0x249/0x3c0 net/ipv6/ndisc.c:509
[<ffffffff8438fc05>] ndisc_send_ns+0x85/0xf0 net/ipv6/ndisc.c:667
[<ffffffff8436423e>] addrconf_dad_work+0x67e/0x980 net/ipv6/addrconf.c:4213
[<ffffffff812c8d9d>] process_one_work+0x23d/0x530 kernel/workqueue.c:2630
[<ffffffff812c99c7>] process_scheduled_works kernel/workqueue.c:2703 [inline]
[<ffffffff812c99c7>] worker_thread+0x327/0x590 kernel/workqueue.c:2784
[<ffffffff812d6d9b>] kthread+0x12b/0x170 kernel/kthread.c:388
[<ffffffff81149f85>] ret_from_fork+0x45/0x50 arch/x86/kernel/process.c:147
[<ffffffff81002be1>] ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304

BUG: memory leak
unreferenced object 0xffff8881008aba00 (size 512):
comm "dhcpcd", pid 4693, jiffies 4294940607 (age 78.080s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 13 25 86 ff ff ff ff ..........%.....
c0 83 07 08 81 88 ff ff 4f 80 ff ff 00 00 00 00 ........O.......
backtrace:
[<ffffffff8157491b>] __do_kmalloc_node mm/slab_common.c:1022 [inline]
[<ffffffff8157491b>] __kmalloc+0x4b/0x150 mm/slab_common.c:1036
[<ffffffff83ef8832>] kmalloc include/linux/slab.h:603 [inline]
[<ffffffff83ef8832>] kzalloc include/linux/slab.h:720 [inline]
[<ffffffff83ef8832>] neigh_alloc net/core/neighbour.c:486 [inline]
[<ffffffff83ef8832>] ___neigh_create+0xf2/0xe10 net/core/neighbour.c:640
[<ffffffff8434bd2e>] ip6_finish_output2+0x73e/0x990 net/ipv6/ip6_output.c:126
[<ffffffff84351151>] __ip6_finish_output net/ipv6/ip6_output.c:196 [inline]
[<ffffffff84351151>] ip6_finish_output+0x291/0x510 net/ipv6/ip6_output.c:207
[<ffffffff84351471>] NF_HOOK_COND include/linux/netfilter.h:293 [inline]
[<ffffffff84351471>] ip6_output+0xa1/0x1c0 net/ipv6/ip6_output.c:228
[<ffffffff844133e2>] dst_output include/net/dst.h:458 [inline]
[<ffffffff844133e2>] ip6_local_out+0x52/0x70 net/ipv6/output_core.c:155
[<ffffffff84351fa7>] ip6_send_skb+0x27/0xc0 net/ipv6/ip6_output.c:2017
[<ffffffff843520b7>] ip6_push_pending_frames+0x77/0x90 net/ipv6/ip6_output.c:2037
[<ffffffff8439b3eb>] rawv6_push_pending_frames net/ipv6/raw.c:581 [inline]
[<ffffffff8439b3eb>] rawv6_sendmsg+0x189b/0x1db0 net/ipv6/raw.c:920
[<ffffffff84265f79>] inet_sendmsg+0x49/0x70 net/ipv4/af_inet.c:840
[<ffffffff83e96c12>] sock_sendmsg_nosec net/socket.c:730 [inline]
[<ffffffff83e96c12>] __sock_sendmsg+0x52/0xa0 net/socket.c:745
[<ffffffff83e97265>] ____sys_sendmsg+0x365/0x470 net/socket.c:2558
[<ffffffff83e9b6d9>] ___sys_sendmsg+0xc9/0x130 net/socket.c:2612
[<ffffffff83e9b886>] __sys_sendmsg+0xa6/0x120 net/socket.c:2641
[<ffffffff84b38548>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff84b38548>] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
[<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd



Tested on:

commit: af95dc6f Merge tag 'pci-v6.6-fixes-2' of git://git.ker..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=16826829680000
kernel config: https://syzkaller.appspot.com/x/.config?x=92fc678f64486a09
dashboard link: https://syzkaller.appspot.com/bug?extid=c7f9b4282ce793ea2456
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=108f17f1680000

Lizhi Xu

Oct 11, 2023, 8:55:46 PM10/11/23
to syzbot+c7f9b4...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git af95dc6fdc25

diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 5cec0c251e86..065a9205a858 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -566,6 +566,8 @@ static int ieee80211_add_key(struct wiphy *wiphy, struct net_device *dev,
/* KRACK protection, shouldn't happen but just silently accept key */
if (err == -EALREADY)
err = 0;
+ if (err == -EINVAL)
+ ieee80211_key_free_unused(key);

return err;
}
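Review bot: releasing `key` in the caller only when `err == -EINVAL` ties the cleanup to one errno value rather than to the place the error is produced: any other non-zero `err` from the call above leaks the key just the same, and if the callee already frees the key on its own -EINVAL path this turns into a double free. The retest reply below still reports the leak from ieee80211_add_key, which indicates the leaking path is not the -EINVAL one. The fix belongs on the specific error path inside the callee that returns without linking the key it was handed, so ownership is unambiguous on every return.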

syzbot

Oct 11, 2023, 9:26:32 PM10/11/23
to lizh...@windriver.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in ieee80211_add_key

2023/10/12 01:25:39 executed programs: 3
BUG: memory leak
unreferenced object 0xffff88811c2c7400 (size 1024):
comm "syz-executor.0", pid 5745, jiffies 4294946944 (age 13.620s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 18 74 2c 1c 81 88 ff ff .........t,.....
backtrace:
[<ffffffff8157491b>] __do_kmalloc_node mm/slab_common.c:1022 [inline]
[<ffffffff8157491b>] __kmalloc+0x4b/0x150 mm/slab_common.c:1036
[<ffffffff8485760c>] kmalloc include/linux/slab.h:603 [inline]
[<ffffffff8485760c>] kzalloc include/linux/slab.h:720 [inline]
[<ffffffff8485760c>] ieee80211_key_alloc+0x5c/0x590 net/mac80211/key.c:603
[<ffffffff8482b0d2>] ieee80211_add_key+0x162/0x570 net/mac80211/cfg.c:500
[<ffffffff8477c375>] rdev_add_key net/wireless/rdev-ops.h:87 [inline]
[<ffffffff8477c375>] nl80211_new_key+0x315/0x540 net/wireless/nl80211.c:4764
[<ffffffff84033bb6>] genl_family_rcv_msg_doit+0x116/0x180 net/netlink/genetlink.c:971
[<ffffffff840347dd>] genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline]
[<ffffffff840347dd>] genl_rcv_msg+0x2fd/0x440 net/netlink/genetlink.c:1066
[<ffffffff84032191>] netlink_rcv_skb+0x91/0x1d0 net/netlink/af_netlink.c:2545
[<ffffffff840335f8>] genl_rcv+0x28/0x40 net/netlink/genetlink.c:1075
[<ffffffff84031092>] netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
[<ffffffff84031092>] netlink_unicast+0x2c2/0x440 net/netlink/af_netlink.c:1368
[<ffffffff840315b5>] netlink_sendmsg+0x3a5/0x740 net/netlink/af_netlink.c:1910
[<ffffffff83e96c12>] sock_sendmsg_nosec net/socket.c:730 [inline]
[<ffffffff83e96c12>] __sock_sendmsg+0x52/0xa0 net/socket.c:745
[<ffffffff83e97265>] ____sys_sendmsg+0x365/0x470 net/socket.c:2558
[<ffffffff83e9b6d9>] ___sys_sendmsg+0xc9/0x130 net/socket.c:2612
[<ffffffff83e9b886>] __sys_sendmsg+0xa6/0x120 net/socket.c:2641
[<ffffffff84b38548>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff84b38548>] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
[<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd

BUG: memory leak
unreferenced object 0xffff8881445dc400 (size 1024):
comm "syz-executor.0", pid 5747, jiffies 4294946945 (age 13.610s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 18 c4 5d 44 81 88 ff ff ..........]D....
backtrace:
[<ffffffff8157491b>] __do_kmalloc_node mm/slab_common.c:1022 [inline]
[<ffffffff8157491b>] __kmalloc+0x4b/0x150 mm/slab_common.c:1036
[<ffffffff8485760c>] kmalloc include/linux/slab.h:603 [inline]
[<ffffffff8485760c>] kzalloc include/linux/slab.h:720 [inline]
[<ffffffff8485760c>] ieee80211_key_alloc+0x5c/0x590 net/mac80211/key.c:603
[<ffffffff8482b0d2>] ieee80211_add_key+0x162/0x570 net/mac80211/cfg.c:500
[<ffffffff8477c375>] rdev_add_key net/wireless/rdev-ops.h:87 [inline]
[<ffffffff8477c375>] nl80211_new_key+0x315/0x540 net/wireless/nl80211.c:4764
[<ffffffff84033bb6>] genl_family_rcv_msg_doit+0x116/0x180 net/netlink/genetlink.c:971
[<ffffffff840347dd>] genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline]
[<ffffffff840347dd>] genl_rcv_msg+0x2fd/0x440 net/netlink/genetlink.c:1066
[<ffffffff84032191>] netlink_rcv_skb+0x91/0x1d0 net/netlink/af_netlink.c:2545
[<ffffffff840335f8>] genl_rcv+0x28/0x40 net/netlink/genetlink.c:1075
[<ffffffff84031092>] netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
[<ffffffff84031092>] netlink_unicast+0x2c2/0x440 net/netlink/af_netlink.c:1368
[<ffffffff840315b5>] netlink_sendmsg+0x3a5/0x740 net/netlink/af_netlink.c:1910
[<ffffffff83e96c12>] sock_sendmsg_nosec net/socket.c:730 [inline]
[<ffffffff83e96c12>] __sock_sendmsg+0x52/0xa0 net/socket.c:745
[<ffffffff83e97265>] ____sys_sendmsg+0x365/0x470 net/socket.c:2558
[<ffffffff83e9b6d9>] ___sys_sendmsg+0xc9/0x130 net/socket.c:2612
[<ffffffff83e9b886>] __sys_sendmsg+0xa6/0x120 net/socket.c:2641
[<ffffffff84b38548>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff84b38548>] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
[<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd

BUG: memory leak
unreferenced object 0xffff8881445dc000 (size 1024):
comm "syz-executor.0", pid 5752, jiffies 4294947510 (age 7.960s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 18 c0 5d 44 81 88 ff ff ..........]D....
backtrace:
[<ffffffff8157491b>] __do_kmalloc_node mm/slab_common.c:1022 [inline]
[<ffffffff8157491b>] __kmalloc+0x4b/0x150 mm/slab_common.c:1036
[<ffffffff8485760c>] kmalloc include/linux/slab.h:603 [inline]
[<ffffffff8485760c>] kzalloc include/linux/slab.h:720 [inline]
[<ffffffff8485760c>] ieee80211_key_alloc+0x5c/0x590 net/mac80211/key.c:603
[<ffffffff8482b0d2>] ieee80211_add_key+0x162/0x570 net/mac80211/cfg.c:500
[<ffffffff8477c375>] rdev_add_key net/wireless/rdev-ops.h:87 [inline]
[<ffffffff8477c375>] nl80211_new_key+0x315/0x540 net/wireless/nl80211.c:4764
[<ffffffff84033bb6>] genl_family_rcv_msg_doit+0x116/0x180 net/netlink/genetlink.c:971
[<ffffffff840347dd>] genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline]
[<ffffffff840347dd>] genl_rcv_msg+0x2fd/0x440 net/netlink/genetlink.c:1066
[<ffffffff84032191>] netlink_rcv_skb+0x91/0x1d0 net/netlink/af_netlink.c:2545
[<ffffffff840335f8>] genl_rcv+0x28/0x40 net/netlink/genetlink.c:1075
[<ffffffff84031092>] netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
[<ffffffff84031092>] netlink_unicast+0x2c2/0x440 net/netlink/af_netlink.c:1368
[<ffffffff840315b5>] netlink_sendmsg+0x3a5/0x740 net/netlink/af_netlink.c:1910
[<ffffffff83e96c12>] sock_sendmsg_nosec net/socket.c:730 [inline]
[<ffffffff83e96c12>] __sock_sendmsg+0x52/0xa0 net/socket.c:745
[<ffffffff83e97265>] ____sys_sendmsg+0x365/0x470 net/socket.c:2558
[<ffffffff83e9b6d9>] ___sys_sendmsg+0xc9/0x130 net/socket.c:2612
[<ffffffff83e9b886>] __sys_sendmsg+0xa6/0x120 net/socket.c:2641
[<ffffffff84b38548>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff84b38548>] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
[<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd



Tested on:

commit: af95dc6f Merge tag 'pci-v6.6-fixes-2' of git://git.ker..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=12126829680000
kernel config: https://syzkaller.appspot.com/x/.config?x=92fc678f64486a09
dashboard link: https://syzkaller.appspot.com/bug?extid=c7f9b4282ce793ea2456
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=15a9522e680000

Lizhi Xu

Oct 11, 2023, 9:37:41 PM
to syzbot+c7f9b4...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git af95dc6fdc25

diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 0e3a1753a51c..8a0ea62d87c8 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -569,6 +569,10 @@ static int ieee80211_add_key(struct wiphy *wiphy, struct net_device *dev,
/* KRACK protection, shouldn't happen but just silently accept key */
if (err == -EALREADY)
err = 0;
+ else if (err < 0) {
+ printk("%d, %p, %s\n", err, key, __func__);
+ ieee80211_key_free_unused(key);
+ }

out_unlock:
mutex_unlock(&local->sta_mtx);
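Review bot: with the condition widened to `else if (err < 0)` the reproducer still reports the identical leak from `ieee80211_key_alloc()` (syzbot's reply below), which indicates the leaked key never reaches this branch: it must be escaping through an earlier error exit, for example a `goto out_unlock` to the label visible just under the hunk, before the result checked here is produced, so the `ieee80211_key_free_unused(key)` call needs to sit on that earlier path rather than after the `-EALREADY` check. Separately, the `printk("%d, %p, %s\n", err, key, __func__);` line is debug output with no log level and a `%p` that prints a hashed pointer on current kernels; drop it before this is submitted.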

syzbot

Oct 11, 2023, 10:00:34 PM
to lizh...@windriver.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in ieee80211_add_key

2023/10/12 01:59:25 executed programs: 3
BUG: memory leak
unreferenced object 0xffff88810e3a3000 (size 1024):
comm "syz-executor.0", pid 5745, jiffies 4294946841 (age 13.560s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 18 30 3a 0e 81 88 ff ff .........0:.....
backtrace:
[<ffffffff8157491b>] __do_kmalloc_node mm/slab_common.c:1022 [inline]
[<ffffffff8157491b>] __kmalloc+0x4b/0x150 mm/slab_common.c:1036
[<ffffffff8485762c>] kmalloc include/linux/slab.h:603 [inline]
[<ffffffff8485762c>] kzalloc include/linux/slab.h:720 [inline]
[<ffffffff8485762c>] ieee80211_key_alloc+0x5c/0x590 net/mac80211/key.c:603
[<ffffffff8482b0d2>] ieee80211_add_key+0x162/0x590 net/mac80211/cfg.c:500
[<ffffffff8477c375>] rdev_add_key net/wireless/rdev-ops.h:87 [inline]
[<ffffffff8477c375>] nl80211_new_key+0x315/0x540 net/wireless/nl80211.c:4764
[<ffffffff84033bb6>] genl_family_rcv_msg_doit+0x116/0x180 net/netlink/genetlink.c:971
[<ffffffff840347dd>] genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline]
[<ffffffff840347dd>] genl_rcv_msg+0x2fd/0x440 net/netlink/genetlink.c:1066
[<ffffffff84032191>] netlink_rcv_skb+0x91/0x1d0 net/netlink/af_netlink.c:2545
[<ffffffff840335f8>] genl_rcv+0x28/0x40 net/netlink/genetlink.c:1075
[<ffffffff84031092>] netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
[<ffffffff84031092>] netlink_unicast+0x2c2/0x440 net/netlink/af_netlink.c:1368
[<ffffffff840315b5>] netlink_sendmsg+0x3a5/0x740 net/netlink/af_netlink.c:1910
[<ffffffff83e96c12>] sock_sendmsg_nosec net/socket.c:730 [inline]
[<ffffffff83e96c12>] __sock_sendmsg+0x52/0xa0 net/socket.c:745
[<ffffffff83e97265>] ____sys_sendmsg+0x365/0x470 net/socket.c:2558
[<ffffffff83e9b6d9>] ___sys_sendmsg+0xc9/0x130 net/socket.c:2612
[<ffffffff83e9b886>] __sys_sendmsg+0xa6/0x120 net/socket.c:2641
[<ffffffff84b38548>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff84b38548>] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
[<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd

BUG: memory leak
unreferenced object 0xffff88810e3a2800 (size 1024):
comm "syz-executor.0", pid 5747, jiffies 4294946842 (age 13.550s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 18 28 3a 0e 81 88 ff ff .........(:.....
backtrace:
[<ffffffff8157491b>] __do_kmalloc_node mm/slab_common.c:1022 [inline]
[<ffffffff8157491b>] __kmalloc+0x4b/0x150 mm/slab_common.c:1036
[<ffffffff8485762c>] kmalloc include/linux/slab.h:603 [inline]
[<ffffffff8485762c>] kzalloc include/linux/slab.h:720 [inline]
[<ffffffff8485762c>] ieee80211_key_alloc+0x5c/0x590 net/mac80211/key.c:603
[<ffffffff8482b0d2>] ieee80211_add_key+0x162/0x590 net/mac80211/cfg.c:500
[<ffffffff8477c375>] rdev_add_key net/wireless/rdev-ops.h:87 [inline]
[<ffffffff8477c375>] nl80211_new_key+0x315/0x540 net/wireless/nl80211.c:4764
[<ffffffff84033bb6>] genl_family_rcv_msg_doit+0x116/0x180 net/netlink/genetlink.c:971
[<ffffffff840347dd>] genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline]
[<ffffffff840347dd>] genl_rcv_msg+0x2fd/0x440 net/netlink/genetlink.c:1066
[<ffffffff84032191>] netlink_rcv_skb+0x91/0x1d0 net/netlink/af_netlink.c:2545
[<ffffffff840335f8>] genl_rcv+0x28/0x40 net/netlink/genetlink.c:1075
[<ffffffff84031092>] netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
[<ffffffff84031092>] netlink_unicast+0x2c2/0x440 net/netlink/af_netlink.c:1368
[<ffffffff840315b5>] netlink_sendmsg+0x3a5/0x740 net/netlink/af_netlink.c:1910
[<ffffffff83e96c12>] sock_sendmsg_nosec net/socket.c:730 [inline]
[<ffffffff83e96c12>] __sock_sendmsg+0x52/0xa0 net/socket.c:745
[<ffffffff83e97265>] ____sys_sendmsg+0x365/0x470 net/socket.c:2558
[<ffffffff83e9b6d9>] ___sys_sendmsg+0xc9/0x130 net/socket.c:2612
[<ffffffff83e9b886>] __sys_sendmsg+0xa6/0x120 net/socket.c:2641
[<ffffffff84b38548>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff84b38548>] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
[<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd

BUG: memory leak
unreferenced object 0xffff88810e3a0800 (size 1024):
comm "syz-executor.0", pid 5751, jiffies 4294947405 (age 7.920s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 18 08 3a 0e 81 88 ff ff ..........:.....
backtrace:
[<ffffffff8157491b>] __do_kmalloc_node mm/slab_common.c:1022 [inline]
[<ffffffff8157491b>] __kmalloc+0x4b/0x150 mm/slab_common.c:1036
[<ffffffff8485762c>] kmalloc include/linux/slab.h:603 [inline]
[<ffffffff8485762c>] kzalloc include/linux/slab.h:720 [inline]
[<ffffffff8485762c>] ieee80211_key_alloc+0x5c/0x590 net/mac80211/key.c:603
[<ffffffff8482b0d2>] ieee80211_add_key+0x162/0x590 net/mac80211/cfg.c:500
[<ffffffff8477c375>] rdev_add_key net/wireless/rdev-ops.h:87 [inline]
[<ffffffff8477c375>] nl80211_new_key+0x315/0x540 net/wireless/nl80211.c:4764
[<ffffffff84033bb6>] genl_family_rcv_msg_doit+0x116/0x180 net/netlink/genetlink.c:971
[<ffffffff840347dd>] genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline]
[<ffffffff840347dd>] genl_rcv_msg+0x2fd/0x440 net/netlink/genetlink.c:1066
[<ffffffff84032191>] netlink_rcv_skb+0x91/0x1d0 net/netlink/af_netlink.c:2545
[<ffffffff840335f8>] genl_rcv+0x28/0x40 net/netlink/genetlink.c:1075
[<ffffffff84031092>] netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
[<ffffffff84031092>] netlink_unicast+0x2c2/0x440 net/netlink/af_netlink.c:1368
[<ffffffff840315b5>] netlink_sendmsg+0x3a5/0x740 net/netlink/af_netlink.c:1910
[<ffffffff83e96c12>] sock_sendmsg_nosec net/socket.c:730 [inline]
[<ffffffff83e96c12>] __sock_sendmsg+0x52/0xa0 net/socket.c:745
[<ffffffff83e97265>] ____sys_sendmsg+0x365/0x470 net/socket.c:2558
[<ffffffff83e9b6d9>] ___sys_sendmsg+0xc9/0x130 net/socket.c:2612
[<ffffffff83e9b886>] __sys_sendmsg+0xa6/0x120 net/socket.c:2641
[<ffffffff84b38548>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff84b38548>] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
[<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd



Tested on:

commit: af95dc6f Merge tag 'pci-v6.6-fixes-2' of git://git.ker..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=127b6b59680000
kernel config: https://syzkaller.appspot.com/x/.config?x=92fc678f64486a09
dashboard link: https://syzkaller.appspot.com/bug?extid=c7f9b4282ce793ea2456
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1789cc61680000

syzbot

Jan 14, 2024, 7:07:14 PM
to syzkall...@googlegroups.com
Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.