net/8021q: memory leak in register_vlan_dev
From: Dmitry Vyukov
Date: Tue Jan 09 2018 - 13:53:57 EST
Hello,
syzkaller has hit the following memory leak on 4.15-rc7:
unreferenced object 0xffff88007b704140 (size 256):
comm "syz-executor6", pid 5661, jiffies 4294856803 (age 9.848s)
hex dump (first 32 bytes):
00 40 b7 2c 00 88 ff ff 00 00 00 00 00 00 00 00 .@.,............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<0000000050f8eb54>] kmemleak_alloc_recursive
include/linux/kmemleak.h:55 [inline]
[<0000000050f8eb54>] slab_post_alloc_hook mm/slab.h:440 [inline]
[<0000000050f8eb54>] slab_alloc_node mm/slub.c:2725 [inline]
[<0000000050f8eb54>] slab_alloc mm/slub.c:2733 [inline]
[<0000000050f8eb54>] kmem_cache_alloc_trace+0x126/0x290 mm/slub.c:2750
[<000000004d4e9ef7>] kmalloc include/linux/slab.h:499 [inline]
[<000000004d4e9ef7>] kzalloc include/linux/slab.h:688 [inline]
[<000000004d4e9ef7>] vlan_info_alloc net/8021q/vlan_core.c:152 [inline]
[<000000004d4e9ef7>] vlan_vid_add+0x710/0xb20 net/8021q/vlan_core.c:244
[<000000000e87916f>] register_vlan_dev+0xbf/0x600 net/8021q/vlan.c:150
[<00000000b2f0a3d2>] register_vlan_device net/8021q/vlan.c:273 [inline]
[<00000000b2f0a3d2>] vlan_ioctl_handler+0xbac/0x140d net/8021q/vlan.c:593
[<00000000c951ea6d>] sock_ioctl+0x2f8/0x460 net/socket.c:1039
[<00000000e2a8e27a>] vfs_ioctl fs/ioctl.c:46 [inline]
[<00000000e2a8e27a>] file_ioctl fs/ioctl.c:500 [inline]
[<00000000e2a8e27a>] do_vfs_ioctl+0x1cf/0x16b0 fs/ioctl.c:684
[<00000000ec28ff91>] SYSC_ioctl fs/ioctl.c:701 [inline]
[<00000000ec28ff91>] SyS_ioctl+0xb6/0xe0 fs/ioctl.c:692
unreferenced object 0xffff88007c49aea0 (size 32):
comm "syz-executor6", pid 5661, jiffies 4294856803 (age 9.862s)
hex dump (first 32 bytes):
e0 41 70 7b 00 88 ff ff e0 41 70 7b 00 88 ff ff .Ap{.....Ap{....
81 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<0000000050f8eb54>] kmemleak_alloc_recursive
include/linux/kmemleak.h:55 [inline]
[<0000000050f8eb54>] slab_post_alloc_hook mm/slab.h:440 [inline]
[<0000000050f8eb54>] slab_alloc_node mm/slub.c:2725 [inline]
[<0000000050f8eb54>] slab_alloc mm/slub.c:2733 [inline]
[<0000000050f8eb54>] kmem_cache_alloc_trace+0x126/0x290 mm/slub.c:2750
[<000000003d983c2c>] kmalloc include/linux/slab.h:499 [inline]
[<000000003d983c2c>] kzalloc include/linux/slab.h:688 [inline]
[<000000003d983c2c>] vlan_vid_info_alloc net/8021q/vlan_core.c:196 [inline]
[<000000003d983c2c>] __vlan_vid_add net/8021q/vlan_core.c:213 [inline]
[<000000003d983c2c>] vlan_vid_add+0x45a/0xb20 net/8021q/vlan_core.c:251
[<000000000e87916f>] register_vlan_dev+0xbf/0x600 net/8021q/vlan.c:150
[<00000000b2f0a3d2>] register_vlan_device net/8021q/vlan.c:273 [inline]
[<00000000b2f0a3d2>] vlan_ioctl_handler+0xbac/0x140d net/8021q/vlan.c:593
[<00000000c951ea6d>] sock_ioctl+0x2f8/0x460 net/socket.c:1039
[<00000000e2a8e27a>] vfs_ioctl fs/ioctl.c:46 [inline]
[<00000000e2a8e27a>] file_ioctl fs/ioctl.c:500 [inline]
[<00000000e2a8e27a>] do_vfs_ioctl+0x1cf/0x16b0 fs/ioctl.c:684
[<00000000ec28ff91>] SYSC_ioctl fs/ioctl.c:701 [inline]
[<00000000ec28ff91>] SyS_ioctl+0xb6/0xe0 fs/ioctl.c:692
unreferenced object 0xffff88007d87a200 (size 4096):
comm "syz-executor6", pid 5661, jiffies 4294856803 (age 9.863s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<0000000050f8eb54>] kmemleak_alloc_recursive
include/linux/kmemleak.h:55 [inline]
[<0000000050f8eb54>] slab_post_alloc_hook mm/slab.h:440 [inline]
[<0000000050f8eb54>] slab_alloc_node mm/slub.c:2725 [inline]
[<0000000050f8eb54>] slab_alloc mm/slub.c:2733 [inline]
[<0000000050f8eb54>] kmem_cache_alloc_trace+0x126/0x290 mm/slub.c:2750
[<00000000b52b3185>] kmalloc include/linux/slab.h:499 [inline]
[<00000000b52b3185>] kzalloc include/linux/slab.h:688 [inline]
[<00000000b52b3185>] vlan_group_prealloc_vid net/8021q/vlan.c:70 [inline]
[<00000000b52b3185>] register_vlan_dev+0x4ac/0x600 net/8021q/vlan.c:168
[<00000000b2f0a3d2>] register_vlan_device net/8021q/vlan.c:273 [inline]
[<00000000b2f0a3d2>] vlan_ioctl_handler+0xbac/0x140d net/8021q/vlan.c:593
[<00000000c951ea6d>] sock_ioctl+0x2f8/0x460 net/socket.c:1039
[<00000000e2a8e27a>] vfs_ioctl fs/ioctl.c:46 [inline]
[<00000000e2a8e27a>] file_ioctl fs/ioctl.c:500 [inline]
[<00000000e2a8e27a>] do_vfs_ioctl+0x1cf/0x16b0 fs/ioctl.c:684
[<00000000ec28ff91>] SYSC_ioctl fs/ioctl.c:701 [inline]
[<00000000ec28ff91>] SyS_ioctl+0xb6/0xe0 fs/ioctl.c:692
Reproducer:
// autogenerated by syzkaller (http://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>
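int main(void)
{
	long r[2];

	/*
	 * Back the fixed addresses used below with an anonymous mapping at
	 * 0x20000000 of size 0xfff000 (prot 3 = PROT_READ|PROT_WRITE,
	 * flags 0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS).  Every raw
	 * pointer write below lands inside that range, so a failed mmap
	 * would otherwise surface as a SIGSEGV instead of a diagnostic.
	 */
	if (syscall(__NR_mmap, 0x20000000, 0xfff000, 3, 0x32, -1, 0) == -1) {
		perror("mmap");
		return 1;
	}

	/* Step 1: create the underlying interface "syz0" through the TUN driver. */
	r[0] = syscall(__NR_open, "/dev/net/tun", 0);
	if (r[0] < 0) {
		perror("open /dev/net/tun");
		return 1;
	}
	/* struct ifreq at 0x20927fd8: ifr_name (offset 0) = "syz0". */
	*(uint8_t*)0x20927fd8 = 0x73;
	*(uint8_t*)0x20927fd9 = 0x79;
	*(uint8_t*)0x20927fda = 0x7a;
	*(uint8_t*)0x20927fdb = 0x30;
	*(uint8_t*)0x20927fdc = 0;
	/* ifr_flags (offset 16) = 5; bit 0 is IFF_TUN, the other bit is kept
	 * exactly as syzkaller generated it. */
	*(uint32_t*)0x20927fe8 = 5;
	/* The remaining writes fill the rest of the ifr_ifru union and the
	 * 10-byte object it points at.  TUNSETIFF is expected to consume
	 * only ifr_name and ifr_flags, so these are kept verbatim rather
	 * than interpreted. */
	*(uint32_t*)0x20927fec = 0;
	*(uint64_t*)0x20927ff0 = 0x20c15000;
	*(uint32_t*)0x20c15000 = 0;
	*(uint32_t*)0x20c15004 = 0;
	*(uint16_t*)0x20c15008 = 0;
	/* 0x400454ca == TUNSETIFF.  If this fails there is no "syz0", and the
	 * VLAN ioctl below cannot reach register_vlan_dev(); report it but
	 * keep going so the run otherwise mirrors the generated reproducer. */
	if (syscall(__NR_ioctl, r[0], 0x400454ca, 0x20927fd8) < 0)
		perror("ioctl(TUNSETIFF)");

	/* Step 2: add a VLAN on top of "syz0" via the legacy VLAN ioctl. */
	r[1] = syscall(__NR_socket, 2, 2, 0); /* AF_INET, SOCK_DGRAM */
	if (r[1] < 0) {
		perror("socket");
		return 1;
	}
	/* struct vlan_ioctl_args at 0x20006000.  The 16 random bytes are
	 * syzkaller filler; every field that matters is overwritten below. */
	memcpy((void*)0x20006000,
	       "\x1b\x52\x03\x10\xb5\x64\xc4\x23\x54\xe2\xd0\xb8\xa1\x4e\x1a\xd7", 16);
	*(uint32_t*)0x20006010 = 0;
	*(uint32_t*)0x20006014 = 0;
	/* Offsets 24..31: the low half overlaps the tail of device1, the high
	 * half is u.VID (offset 28), which therefore ends up as 0. */
	*(uint64_t*)0x20006018 = 0x20006000;
	/* cmd (offset 0) = 0 == ADD_VLAN_CMD; device1 (offset 4) = "syz0". */
	*(uint32_t*)0x20006000 = 0;
	*(uint8_t*)0x20006004 = 0x73;
	*(uint8_t*)0x20006005 = 0x79;
	*(uint8_t*)0x20006006 = 0x7a;
	*(uint8_t*)0x20006007 = 0x30;
	*(uint8_t*)0x20006008 = 0;
	/* 0x8983 == SIOCSIFVLAN: vlan_ioctl_handler() -> register_vlan_device()
	 * -> register_vlan_dev(), the allocation site in the kmemleak trace. */
	if (syscall(__NR_ioctl, r[1], 0x8983, 0x20006000) < 0)
		perror("ioctl(SIOCSIFVLAN)");

	/* Both descriptors are deliberately left to process exit, as in the
	 * generated reproducer, so teardown order is unchanged. */
	return 0;
}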