memory leak in do_ipv6_setsockopt

139 views
Skip to first unread message

Dmitry Vyukov

unread,
Dec 1, 2015, 7:27:42 AM12/1/15
to David S. Miller, Alexey Kuznetsov, James Morris, Hideaki YOSHIFUJI, Patrick McHardy, netdev, LKML, Vlad Yasevich, Neil Horman, linux...@vger.kernel.org, syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin, Eric Dumazet
Hello,

The following program causes a memory leak :

// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <syscall.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <string.h>
#include <stdint.h>
#include <linux/in.h>
#include <linux/socket.h>

int main()
{
long r1 = syscall(SYS_socket, PF_INET6,
SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_SCTP);
const char *opt = "\x15\x53\x5e\x2d\x97\xab\xe1";
long r3 = syscall(SYS_setsockopt, r1, 0x29ul, 0x6ul, opt, 0x7ul);
return 0;
}


unreferenced object 0xffff880039a55260 (size 64):
comm "executor", pid 11746, jiffies 4298984475 (age 16.078s)
hex dump (first 32 bytes):
2f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 /...............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[< inline >] kmalloc include/linux/slab.h:463
[<ffffffff848a2f5f>] sock_kmalloc+0x7f/0xc0 net/core/sock.c:1774
[<ffffffff84e5bea0>] do_ipv6_setsockopt.isra.7+0x15d0/0x2830
net/ipv6/ipv6_sockglue.c:483
[<ffffffff84e5d19b>] ipv6_setsockopt+0x9b/0x140 net/ipv6/ipv6_sockglue.c:885
[<ffffffff8544616c>] sctp_setsockopt+0x15c/0x36c0 net/sctp/socket.c:3702
[<ffffffff848a2035>] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2645
[< inline >] SYSC_setsockopt net/socket.c:1757
[<ffffffff8489f1d8>] SyS_setsockopt+0x158/0x240 net/socket.c:1736


I confirmed that running this program in a loop steadily increases
number of objects in kmalloc-64 slab. The leak does not happen with
IPPROTO_TCP, so probably it is sctp-related.

On commit 31ade3b83e1821da5fbb2f11b5b3d4ab2ec39db8 (Nov 29).

Eric Dumazet

unread,
Dec 1, 2015, 8:36:58 AM12/1/15
to Dmitry Vyukov, David S. Miller, Alexey Kuznetsov, James Morris, Hideaki YOSHIFUJI, Patrick McHardy, netdev, LKML, Vlad Yasevich, Neil Horman, linux...@vger.kernel.org, syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin, Eric Dumazet
Thanks for the report.

Probably fixed by :

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 897c01c029ca..8079ecd8465d 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -7375,6 +7375,12 @@ struct proto sctp_prot = {

#if IS_ENABLED(CONFIG_IPV6)

+static void sctp_v6_destroy_sock(struct sock *sk)
+{
+ sctp_destroy_sock(sk);
+ inet6_destroy_sock(sk);
+}
+
struct proto sctpv6_prot = {
.name = "SCTPv6",
.owner = THIS_MODULE,
@@ -7384,7 +7390,7 @@ struct proto sctpv6_prot = {
.accept = sctp_accept,
.ioctl = sctp_ioctl,
.init = sctp_init_sock,
- .destroy = sctp_destroy_sock,
+ .destroy = sctp_v6_destroy_sock,
.shutdown = sctp_shutdown,
.setsockopt = sctp_setsockopt,
.getsockopt = sctp_getsockopt,


Daniel Borkmann

unread,
Dec 1, 2015, 9:08:28 AM12/1/15
to Eric Dumazet, Dmitry Vyukov, David S. Miller, Alexey Kuznetsov, James Morris, Hideaki YOSHIFUJI, Patrick McHardy, netdev, LKML, Vlad Yasevich, Neil Horman, linux...@vger.kernel.org, syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin, Eric Dumazet
Yeah, we miss inet6_destroy_sock() in SCTP. :-(

Looks good to me.

> struct proto sctpv6_prot = {
> .name = "SCTPv6",
> .owner = THIS_MODULE,
> @@ -7384,7 +7390,7 @@ struct proto sctpv6_prot = {
> .accept = sctp_accept,
> .ioctl = sctp_ioctl,
> .init = sctp_init_sock,
> - .destroy = sctp_destroy_sock,
> + .destroy = sctp_v6_destroy_sock,
> .shutdown = sctp_shutdown,
> .setsockopt = sctp_setsockopt,
> .getsockopt = sctp_getsockopt,
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majo...@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
>

Eric Dumazet

unread,
Dec 1, 2015, 9:16:46 AM12/1/15
to Daniel Borkmann, Dmitry Vyukov, David S. Miller, Alexey Kuznetsov, James Morris, Hideaki YOSHIFUJI, Patrick McHardy, netdev, LKML, Vlad Yasevich, Neil Horman, linux...@vger.kernel.org, syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin, Eric Dumazet
On Tue, 2015-12-01 at 15:07 +0100, Daniel Borkmann wrote:

> Yeah, we miss inet6_destroy_sock() in SCTP. :-(
>
> Looks good to me.

OK, I will send a formal (and tested ;) ) patch.

Thanks.


Daniel Borkmann

unread,
Dec 1, 2015, 9:24:47 AM12/1/15
to Eric Dumazet, Dmitry Vyukov, David S. Miller, Alexey Kuznetsov, James Morris, Hideaki YOSHIFUJI, Patrick McHardy, netdev, LKML, Vlad Yasevich, Neil Horman, linux...@vger.kernel.org, syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin, Eric Dumazet
I was shortly wondering whether there could be a use-after-free by
doing this after sctp_destroy_sock() due to the sctp_endpoint_destroy()
that would eventually drop a ref on the socket, but the endpoint holds
a separate ref, so we should be good.

Thanks,
Daniel

Eric Dumazet

unread,
Dec 1, 2015, 9:38:46 AM12/1/15
to Daniel Borkmann, Dmitry Vyukov, David S. Miller, Alexey Kuznetsov, James Morris, Hideaki YOSHIFUJI, Patrick McHardy, netdev, LKML, Vlad Yasevich, Neil Horman, linux...@vger.kernel.org, syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin, Eric Dumazet
More generically ->destroy() caller must keep a reference on the socket.

inet_csk_destroy_sock() for example uses sk after

sk->sk_prot->destroy(sk);



Daniel Borkmann

unread,
Dec 1, 2015, 9:49:44 AM12/1/15
to Eric Dumazet, Dmitry Vyukov, David S. Miller, Alexey Kuznetsov, James Morris, Hideaki YOSHIFUJI, Patrick McHardy, netdev, LKML, Vlad Yasevich, Neil Horman, linux...@vger.kernel.org, syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin, Eric Dumazet
Right, and later on, we might call into ->sk_destruct() when there are no
more refs (in SCTP case: sctp_destruct_sock()).

Thanks,
Daniel

Eric Dumazet

unread,
Dec 1, 2015, 10:20:11 AM12/1/15
to Daniel Borkmann, Dmitry Vyukov, David S. Miller, Alexey Kuznetsov, James Morris, Hideaki YOSHIFUJI, Patrick McHardy, netdev, LKML, Vlad Yasevich, Neil Horman, linux...@vger.kernel.org, syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin, Eric Dumazet
From: Eric Dumazet <edum...@google.com>

Dmitry Vyukov reported a memory leak using IPV6 SCTP sockets.

We need to call inet6_destroy_sock() to properly release
inet6 specific fields.

Reported-by: Dmitry Vyukov <dvy...@google.com>
Signed-off-by: Eric Dumazet <edum...@google.com>
---
net/sctp/socket.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 897c01c029ca..9d0b9bae9052 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -7375,6 +7375,13 @@ struct proto sctp_prot = {

#if IS_ENABLED(CONFIG_IPV6)

+#include <net/transp_v6.h>
+static void sctp_v6_destroy_sock(struct sock *sk)
+{
+ sctp_destroy_sock(sk);
+ inet6_destroy_sock(sk);
+}
+
struct proto sctpv6_prot = {
.name = "SCTPv6",
.owner = THIS_MODULE,
@@ -7384,7 +7391,7 @@ struct proto sctpv6_prot = {

Daniel Borkmann

unread,
Dec 1, 2015, 10:55:58 AM12/1/15
to Eric Dumazet, Dmitry Vyukov, David S. Miller, Alexey Kuznetsov, James Morris, Hideaki YOSHIFUJI, Patrick McHardy, netdev, LKML, Vlad Yasevich, Neil Horman, linux...@vger.kernel.org, syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin, Eric Dumazet
On 12/01/2015 04:20 PM, Eric Dumazet wrote:
> From: Eric Dumazet <edum...@google.com>
>
> Dmitry Vyukov reported a memory leak using IPV6 SCTP sockets.
>
> We need to call inet6_destroy_sock() to properly release
> inet6 specific fields.
>
> Reported-by: Dmitry Vyukov <dvy...@google.com>
> Signed-off-by: Eric Dumazet <edum...@google.com>

Acked-by: Daniel Borkmann <dan...@iogearbox.net>

David Miller

unread,
Dec 3, 2015, 12:06:45 PM12/3/15
to eric.d...@gmail.com, dan...@iogearbox.net, dvy...@google.com, kuz...@ms2.inr.ac.ru, jmo...@namei.org, yosh...@linux-ipv6.org, ka...@trash.net, net...@vger.kernel.org, linux-...@vger.kernel.org, vyas...@gmail.com, nho...@tuxdriver.com, linux...@vger.kernel.org, syzk...@googlegroups.com, k...@google.com, gli...@google.com, sasha...@oracle.com, edum...@google.com
From: Eric Dumazet <eric.d...@gmail.com>
Date: Tue, 01 Dec 2015 07:20:07 -0800

> From: Eric Dumazet <edum...@google.com>
>
> Dmitry Vyukov reported a memory leak using IPV6 SCTP sockets.
>
> We need to call inet6_destroy_sock() to properly release
> inet6 specific fields.
>
> Reported-by: Dmitry Vyukov <dvy...@google.com>
> Signed-off-by: Eric Dumazet <edum...@google.com>

Applied and queued up for -stable, thanks.
Reply all
Reply to author
Forward
0 new messages