Re: memory leak in create_ctx
Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
memory leak in create_ctx

2019/07/01 05:38:26 executed programs: 23
BUG: memory leak
unreferenced object 0x888102914e00 (size 512):
  comm "syz-executor.4", pid 7333, jiffies 4294944085 (age 13.950s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  backtrace:
    [<2f2bb8be>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
    [<2f2bb8be>] slab_post_alloc_hook mm/slab.h:439 [inline]
    [<2f2bb8be>] slab_alloc mm/slab.c:3326 [inline]
    [<2f2bb8be>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
    [ ] kmalloc include/linux/slab.h:547 [inline]
    [ ] kzalloc include/linux/slab.h:742 [inline]
    [ ] create_ctx+0x25/0x70 net/tls/tls_main.c:648
    [ ] tls_init net/tls/tls_main.c:837 [inline]
    [ ] tls_init+0x97/0x1f0 net/tls/tls_main.c:819
    [<9d663c39>] __tcp_set_ulp net/ipv4/tcp_ulp.c:126 [inline]
    [<9d663c39>] tcp_set_ulp+0xe2/0x190 net/ipv4/tcp_ulp.c:147
    [<551f7621>] do_tcp_setsockopt.isra.0+0x19a/0xd60 net/ipv4/tcp.c:2789
    [ ] tcp_setsockopt+0x71/0x80 net/ipv4/tcp.c:3103
    [<85d221c1>] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3129
    [ ] __sys_setsockopt+0x98/0x120 net/socket.c:2072
    [ ] __do_sys_setsockopt net/socket.c:2083 [inline]
    [ ] __se_sys_setsockopt net/socket.c:2080 [inline]
    [ ] __x64_sys_setsockopt+0x26/0x30 net/socket.c:2080
    [ ] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
    [<7383b736>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0x888103860c00 (size 512):
  comm "syz-executor.0", pid 7342, jiffies 4294944115 (age 13.650s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  backtrace:
    [ ... identical to the backtrace of the first report, trimmed ... ]

BUG: memory leak
unreferenced object 0x88810e3e1c00 (size 512):
  comm "syz-executor.5", pid 7384, jiffies 4294944151 (age 13.290s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  backtrace:
    [ ... identical to the backtrace of the first report, trimmed ... ]
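A small triage script for kmemleak output in the format quoted above, added here as an example and not part of the thread or of syzbot's tooling: it parses each "BUG: memory leak" block, drops the allocator wrapper frames, groups the leaks by the remaining backtrace and names the allocating call site, which is what the thread does by hand when it trims repeated traces. The sample reports, their addresses and the `example_alloc` call site are constructed; the create_ctx backtrace is the one from the report above, shortened.

```python
import re

# Frames from these files belong to the allocator itself, not to the leak's origin.
ALLOC_PATHS = ("include/linux/kmemleak.h", "include/linux/slab.h", "mm/slab", "mm/slub")
OBJ_RE = re.compile(r"unreferenced object (0x[0-9a-f]+) \(size (\d+)\)")
COMM_RE = re.compile(r'comm "([^"]*)", pid (\d+)')
# "[<hash>] func+0xoff/0xlen file:line [inline]" -> (func, file:line); offset is dropped
FRAME_RE = re.compile(r"^\s*\[<[0-9a-f]*>\]\s+(\S+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?\s+(\S+)")


def parse_kmemleak(text):
    """Return one dict per report: addr, size, comm, pid and (func, file:line) frames."""
    leaks = []
    for block in text.split("BUG: memory leak")[1:]:
        obj, comm = OBJ_RE.search(block), COMM_RE.search(block)
        if not obj or not comm:
            continue
        frames, in_backtrace = [], False
        for line in block.splitlines():
            if line.strip() == "backtrace:":
                in_backtrace = True
                continue
            m = FRAME_RE.match(line) if in_backtrace else None
            if m:
                frames.append((m.group(1), m.group(2)))
        leaks.append({"addr": obj.group(1), "size": int(obj.group(2)),
                      "comm": comm.group(1), "pid": int(comm.group(2)), "frames": frames})
    return leaks


def origin_frames(frames):
    """Backtrace without the allocator wrappers; element 0 is the allocating call site."""
    return tuple(f for f in frames if not f[1].startswith(ALLOC_PATHS))


def group_leaks(leaks):
    """One summary per distinct origin backtrace: call site, count, bytes, pids."""
    groups = {}
    for leak in leaks:
        key = origin_frames(leak["frames"])
        g = groups.setdefault(key, {"site": key[0] if key else ("?", "?"),
                                    "count": 0, "bytes": 0, "pids": []})
        g["count"] += 1
        g["bytes"] += leak["size"]
        g["pids"].append(leak["pid"])
    return list(groups.values())


# Constructed sample: the create_ctx trace from the thread (shortened) reported
# twice, plus one unrelated leak with a placeholder call site so that grouping
# visibly separates it.
TLS_TRACE = """\
    [<2f2bb8be>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
    [<2f2bb8be>] slab_post_alloc_hook mm/slab.h:439 [inline]
    [<2f2bb8be>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
    [<0a0a0a0a>] kmalloc include/linux/slab.h:547 [inline]
    [<0a0a0a0a>] kzalloc include/linux/slab.h:742 [inline]
    [<0a0a0a0a>] create_ctx+0x25/0x70 net/tls/tls_main.c:648
    [<0a0a0a0a>] tls_init+0x97/0x1f0 net/tls/tls_main.c:819
    [<9d663c39>] tcp_set_ulp+0xe2/0x190 net/ipv4/tcp_ulp.c:147
    [<551f7621>] do_tcp_setsockopt.isra.0+0x19a/0xd60 net/ipv4/tcp.c:2789
"""
OTHER_TRACE = """\
    [<1b1b1b1b>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
    [<1b1b1b1b>] kmalloc include/linux/slab.h:547 [inline]
    [<1b1b1b1b>] example_alloc+0x10/0x40 drivers/example/example.c:42
"""


def report(addr, size, comm, pid, trace):
    """Build one report in kmemleak's layout (constructed sample input)."""
    return (f"BUG: memory leak\nunreferenced object {addr} (size {size}):\n"
            f'  comm "{comm}", pid {pid}, jiffies 4294944085 (age 13.950s)\n'
            "  hex dump (first 32 bytes):\n"
            "    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n"
            "  backtrace:\n" + trace)


SAMPLE = (report("0x888102914e00", 512, "syz-executor.4", 7333, TLS_TRACE)
          + report("0x888103860c00", 512, "syz-executor.0", 7342, TLS_TRACE)
          + report("0x888100000000", 64, "syz-executor.1", 7400, OTHER_TRACE))

if __name__ == "__main__":
    for g in group_leaks(parse_kmemleak(SAMPLE)):
        print(f"{g['count']}x {g['bytes']} bytes from {g['site'][0]} at {g['site'][1]}, pids {g['pids']}")
```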
RE: memory leak in create_ctx
syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    79c3ba32 Merge tag 'drm-fixes-2019-06-07-1' of git://anong..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=170e0bfea0
> kernel config:  https://syzkaller.appspot.com/x/.config?x=d5c73825cbdc7326
> dashboard link: https://syzkaller.appspot.com/bug?extid=06537213db7ba2745c4a
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10aa806aa0
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+06537213db7ba2745...@syzkaller.appspotmail.com
>
> IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
> 2019/06/08 14:55:51 executed programs: 15
> 2019/06/08 14:55:56 executed programs: 31
> 2019/06/08 14:56:02 executed programs: 51
> BUG: memory leak
> unreferenced object 0x888117ceae00 (size 512):
>   comm "syz-executor.3", pid 7233, jiffies 4294949016 (age 13.640s)
>   hex dump (first 32 bytes):
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   backtrace:
>     [ ] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
>     [ ] slab_post_alloc_hook mm/slab.h:439 [inline]
>     [ ] slab_alloc mm/slab.c:3326 [inline]
>     [ ] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
>     [<14132182>] kmalloc include/linux/slab.h:547 [inline]
>     [<14132182>] kzalloc include/linux/slab.h:742 [inline]
>     [<14132182>] create_ctx+0x25/0x70 net/tls/tls_main.c:601
>     [ ] tls_init net/tls/tls_main.c:787 [inline]
>     [ ] tls_init+0x97/0x1e0 net/tls/tls_main.c:769
>     [<37b0c43c>] __tcp_set_ulp net/ipv4/tcp_ulp.c:126 [inline]
>     [<37b0c43c>] tcp_set_ulp+0xe2/0x190 net/ipv4/tcp_ulp.c:147
>     [<7a284277>] do_tcp_setsockopt.isra.0+0x19a/0xd60 net/ipv4/tcp.c:2784
>     [ ] tcp_setsockopt+0x71/0x80 net/ipv4/tcp.c:3098
>     [ ] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3124
>     [<06b0801f>] __sys_setsockopt+0x98/0x120 net/socket.c:2072
>     [ ] __do_sys_setsockopt net/socket.c:2083 [inline]
>     [ ] __se_sys_setsockopt net/socket.c:2080 [inline]
>     [ ] __x64_sys_setsockopt+0x26/0x30 net/socket.c:2080
>     [ ] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
>     [ ] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> BUG: memory leak
> unreferenced object 0x88810965dc00 (size 512):
>   comm "syz-executor.2", pid 7235, jiffies 4294949016 (age 13.640s)
>   hex dump (first 32 bytes):
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   backtrace:
>     [ ... identical to the backtrace of the first report, trimmed ... ]
>
> BUG: memory leak
> unreferenced object 0x8881207d7600 (size 512):
>   comm "syz-executor.5", pid 7244, jiffies 4294949019 (age 13.610s)
>   hex dump (first 32 bytes):
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   backtrace:
>     [ ... identical to the backtrace of the first report, trimmed ... ]
Re: memory leak in create_ctx
Hillf Danton wrote:
> Hi Dmitry
>
> On Tue, 11 Jun 2019 19:45:28 +0800 Dmitry Vyukov wrote:
> >
> > I've run the repro as "./syz-execprog -repeat=0 -procs=6 repro" and
> > in 10 mins I got the following splat, which indeed suggests a bpf bug.
> > But we of course can have both bpf stack overflow and a memory leak in tls.
> >
> > 2019/06/11 10:26:52 executed programs: 887
> > 2019/06/11 10:26:57 executed programs: 899
> > 2019/06/11 10:27:02 executed programs: 916
> > [  429.171049][ T9870] BUG: stack guard page was hit at a78467b9 (stack is 1452e9df..4fb93e51)
> > [  429.173714][ T9870] kernel stack overflow (double-fault): [#1] PREEMPT SMP
> > [  429.174819][ T9870] CPU: 3 PID: 9870 Comm: syz-executor Not tainted 5.2.0-rc4+ #6
> > [  429.175901][ T9870] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
> > [  429.177215][ T9870] RIP: 0010:tcp_bpf_unhash+0xc/0x80
> > [ ... Code: bytes and register dump trimmed ... ]
> > [  429.193829][ T9870] Call Trace:
> > [  429.194326][ T9870]  ? tcp_bpf_close+0xa0/0xa0
> > [  429.195020][ T9870]  tcp_bpf_unhash+0x76/0x80
> > [  429.195706][ T9870]  ? tcp_bpf_close+0xa0/0xa0
> > [  429.196400][ T9870]  tcp_bpf_unhash+0x76/0x80
> > [  429.197079][ T9870]  ? tcp_bpf_close+0xa0/0xa0
> > [  429.197773][ T9870]  tcp_bpf_unhash+0x76/0x80
> > [  429.651942][ T9870]  ? tcp_bpf_close+0xa0/0xa0
>
> ... duplicated info trimed ...
>
> > [  429.652512][ T9870]  tcp_bpf_unhash+0x76/0x80
> > [  429.656467][ T9870]  ? tcp_bpf_close+0xa0/0xa0
> > [  429.657037][ T9870]  tcp_bpf_unhash+0x76/0x80
> > [  429.657600][ T9870]  tcp_set_state+0x7b/0x220
> > [  429.658160][ T9870]  ? put_object+0x20/0x30
> > [  429.658699][ T9870]  ? debug_smp_processor_id+0x2b/0x130
> > [  429.659382][ T9870]  tcp_disconnect+0x518/0x610
> > [  429.659973][ T9870]  tcp_close+0x41d/0x540
> > [  429.660501][ T9870]  ? tcp_check_oom+0x180/0x180
> > [  429.661095][ T9870]  tls_sk_proto_close+0x86/0x2a0
> > [  429.661711][ T9870]  ? locks_remove_posix+0x114/0x1c0
> > [  429.662359][ T9870]  inet_release+0x44/0x80
> > [  429.662899][ T9870]  inet6_release+0x36/0x50
> > [  429.663453][ T9870]  __sock_release+0x4b/0x100
> > [  429.664024][ T9870]  ? __sock_release+0x100/0x100
> > [  429.664625][ T9870]  sock_close+0x19/0x20
> > [  429.665141][ T9870]  __fput+0xe7/0x2f0
> > [  429.665624][ T9870]  fput+0x15/0x20
> > [  429.666120][ T9870]  task_work_run+0xa4/0xd0
> > [  429.71][ T9870]  exit_to_usermode_loop+0x16f/0x180
> > [  429.667329][ T9870]  do_syscall_64+0x187/0x1b0
> > [  429.667920][ T9870]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> > [  429.668654][ T9870] RIP: 0033:0x412451
> > [ ... userspace Code: bytes and register dump trimmed ... ]
> > [  429.677630][ T9870] Modules linked in:
> > [  429.678119][ T9870] ---[ end trace a429c7ce256ca7bb ]---
> > [  429.678798][ T9870] RIP: 0010:tcp_bpf_unhash+0xc/0x80
> > [ 4
Re: memory leak in create_ctx
On Tue, 11 Jun 2019 13:45:11 +0200, Dmitry Vyukov wrote:
> Do you see the bug? Jakub said he can't repro.
> The repro has these suspicious bpf syscalls and there is currently
> some nasty bpf bug that plagues us and leads to random assorted
> splats.

Ah, must be the BPF interaction indeed :S

The reproducer text uses incorrect names:

bpf$MAP_CREATE(0x0, &(0x7f000280)={0xf, 0x4, 0x4, 0x400, 0x0, 0x1}, 0x3c)
# ^ this is a map create SOCKMAP
socket$rxrpc(0x21, 0x2, 0x8a)
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_int(r0, 0x6, 0x13, &(0x7fc0)=0x10001, 0x1d4)
connect$inet6(r0, &(0x7f000140), 0x1c)
bpf$MAP_CREATE(0x0, &(0x7f00)={0x5, 0x0, 0x0, 0x0, 0x80}, 0x3c)
# ^ another map create (perf event array?)
bpf$MAP_CREATE(0x2, &(0x7f003000)={0x3, 0x0, 0x77fffb, 0x0, 0x1002000, 0x0}, 0x2c)
# ^ but this is MAP_UPDATE, not MAP_CREATE, it probably inserts the r0
#   into the map
setsockopt$inet6_tcp_TCP_ULP(r0, 0x6, 0x1f, &(0x7f40)='tls\x00', 0x4)

That threw me off.

> I've run the repro as "./syz-execprog -repeat=0 -procs=6 repro" and
> in 10 mins I got the following splat, which indeed suggests a bpf bug.
> But we of course can have both bpf stack overflow and a memory leak in tls.
Re: memory leak in create_ctx
On Sun, Jun 9, 2019 at 4:56 AM Hillf Danton wrote:
>
> Hi
>
> On Sat, 08 Jun 2019 12:13:06 -0700 (PDT) syzbot wrote:
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:    79c3ba32 Merge tag 'drm-fixes-2019-06-07-1' of git://anong..
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=170e0bfea0
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=d5c73825cbdc7326
> > dashboard link: https://syzkaller.appspot.com/bug?extid=06537213db7ba2745c4a
> > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10aa806aa0
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+06537213db7ba2745...@syzkaller.appspotmail.com
> >
> > IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
> > 2019/06/08 14:55:51 executed programs: 15
> > 2019/06/08 14:55:56 executed programs: 31
> > 2019/06/08 14:56:02 executed programs: 51
> > BUG: memory leak
> > unreferenced object 0x888117ceae00 (size 512):
> >   comm "syz-executor.3", pid 7233, jiffies 4294949016 (age 13.640s)
> > [ ... quoted kmemleak traces trimmed; same report as quoted in full above ... ]
[net/tls] Re: memory leak in create_ctx
Looks like a TLS bug. icsk->icsk_ulp_data isn't always freed.

On Sat, Jun 08, 2019 at 12:13:06PM -0700, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    79c3ba32 Merge tag 'drm-fixes-2019-06-07-1' of git://anong..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=170e0bfea0
> kernel config:  https://syzkaller.appspot.com/x/.config?x=d5c73825cbdc7326
> dashboard link: https://syzkaller.appspot.com/bug?extid=06537213db7ba2745c4a
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10aa806aa0
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+06537213db7ba2745...@syzkaller.appspotmail.com
>
> IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
> 2019/06/08 14:55:51 executed programs: 15
> 2019/06/08 14:55:56 executed programs: 31
> 2019/06/08 14:56:02 executed programs: 51
> BUG: memory leak
> unreferenced object 0x888117ceae00 (size 512):
>   comm "syz-executor.3", pid 7233, jiffies 4294949016 (age 13.640s)
> [ ... quoted kmemleak traces trimmed; same report as quoted in full above ... ]
Re: memory leak in create_ctx
On Sat, 08 Jun 2019 12:13:06 -0700, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    79c3ba32 Merge tag 'drm-fixes-2019-06-07-1' of git://anong..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=170e0bfea0
> kernel config:  https://syzkaller.appspot.com/x/.config?x=d5c73825cbdc7326
> dashboard link: https://syzkaller.appspot.com/bug?extid=06537213db7ba2745c4a
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10aa806aa0
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+06537213db7ba2745...@syzkaller.appspotmail.com

This one creates a TCPv6 socket, puts it in repair mode, connects and then
adds a tls ULP. Apparently that leaks the entire TLS context but I can't
repro..

> IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
> 2019/06/08 14:55:51 executed programs: 15
> 2019/06/08 14:55:56 executed programs: 31
> 2019/06/08 14:56:02 executed programs: 51
> BUG: memory leak
> unreferenced object 0x888117ceae00 (size 512):
>   comm "syz-executor.3", pid 7233, jiffies 4294949016 (age 13.640s)
> [ ... quoted kmemleak traces trimmed; same report as quoted in full above ... ]
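The decoding that Jakub does by hand in his two replies above (the misnamed bpf$ calls, and the repair-mode-then-TLS-ULP sequence), as an added example that is not from the thread or from syzkaller: it parses the quoted syz program, resolves each bpf$... call's real bpf(2) cmd from its first argument (and the map type of a genuine BPF_MAP_CREATE), and names the IPPROTO_TCP option behind each setsockopt$... call, so what the kernel actually sees is visible from the raw arguments. The enum values are those of the uapi headers (only the ones needed here); the program text is the one quoted in the reply above.

```python
import re

# enum bpf_cmd and enum bpf_map_type from include/uapi/linux/bpf.h, and the
# IPPROTO_TCP option numbers from include/uapi/linux/tcp.h (subset)
BPF_CMD = {0: "BPF_MAP_CREATE", 1: "BPF_MAP_LOOKUP_ELEM", 2: "BPF_MAP_UPDATE_ELEM",
           3: "BPF_MAP_DELETE_ELEM", 4: "BPF_MAP_GET_NEXT_KEY", 5: "BPF_PROG_LOAD"}
BPF_MAP_TYPE = {1: "BPF_MAP_TYPE_HASH", 2: "BPF_MAP_TYPE_ARRAY", 3: "BPF_MAP_TYPE_PROG_ARRAY",
                4: "BPF_MAP_TYPE_PERF_EVENT_ARRAY", 5: "BPF_MAP_TYPE_PERCPU_HASH",
                15: "BPF_MAP_TYPE_SOCKMAP", 18: "BPF_MAP_TYPE_SOCKHASH"}
TCP_OPT = {1: "TCP_NODELAY", 13: "TCP_CONGESTION", 19: "TCP_REPAIR", 31: "TCP_ULP"}
IPPROTO_TCP = 6

# "r0 = socket$inet6_tcp(0xa, 0x1, 0x0)" -> (result, syscall, syz variant, args)
CALL_RE = re.compile(r"^(?:(r\d+) = )?(\w+)\$(\w+)\((.*)\)$")
HEX_RE = re.compile(r"0x[0-9a-fA-F]+")
STR_RE = re.compile(r"='([^']*)'")


def decode_bpf(args):
    """The kernel dispatches on the first argument only, whatever syzkaller named the call."""
    first = HEX_RE.match(args)
    cmd = int(first.group(0), 16) if first else -1
    out = {"cmd": BPF_CMD.get(cmd, f"cmd {cmd}")}
    if cmd == 0:
        # union bpf_attr for BPF_MAP_CREATE starts with these __u32 fields, in this order
        names = ["map_type", "key_size", "value_size", "max_entries", "map_flags", "inner_map_fd"]
        raw = args[args.index("{"):args.index("}")]
        attr = dict(zip(names, (int(x, 16) for x in HEX_RE.findall(raw))))
        attr["map_type"] = BPF_MAP_TYPE.get(attr["map_type"], f"type {attr['map_type']}")
        out["attr"] = attr
    return out


def decode_setsockopt(args):
    """Name the option when level is IPPROTO_TCP; a string value (the ULP name) is decoded."""
    fd, level, optname = (a.strip() for a in args.split(",")[:3])
    level, optname = int(level, 16), int(optname, 16)
    out = {"fd": fd, "level": level, "optname": optname}
    if level == IPPROTO_TCP:
        out["optname"] = TCP_OPT.get(optname, f"TCP optname {optname}")
        s = STR_RE.search(args)
        if s:
            out["value"] = s.group(1).replace("\\x00", "")
    return out


def decode_line(line):
    m = CALL_RE.match(line.strip())
    if not m:  # blank lines and '#' comments are not calls
        return None
    result, syscall, variant, args = m.groups()
    entry = {"syscall": syscall, "syz_variant": variant}
    if result:
        entry["result"] = result
    if syscall == "bpf":
        entry.update(decode_bpf(args))
    elif syscall == "setsockopt":
        entry.update(decode_setsockopt(args))
    return entry


def decode_program(text):
    """Decode every call of a syz program in order, skipping comments and blank lines."""
    return [e for e in map(decode_line, text.splitlines()) if e]


# Sample input: the program as quoted in the reply above, comments included.
REPRO = r"""
bpf$MAP_CREATE(0x0, &(0x7f000280)={0xf, 0x4, 0x4, 0x400, 0x0, 0x1}, 0x3c)
# ^ this is a map create SOCKMAP
socket$rxrpc(0x21, 0x2, 0x8a)
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_int(r0, 0x6, 0x13, &(0x7fc0)=0x10001, 0x1d4)
connect$inet6(r0, &(0x7f000140), 0x1c)
bpf$MAP_CREATE(0x0, &(0x7f00)={0x5, 0x0, 0x0, 0x0, 0x80}, 0x3c)
# ^ another map create (perf event array?)
bpf$MAP_CREATE(0x2, &(0x7f003000)={0x3, 0x0, 0x77fffb, 0x0, 0x1002000, 0x0}, 0x2c)
# ^ but this is MAP_UPDATE, not MAP_CREATE, it probably inserts the r0
#   into the map
setsockopt$inet6_tcp_TCP_ULP(r0, 0x6, 0x1f, &(0x7f40)='tls\x00', 0x4)
"""

if __name__ == "__main__":
    for entry in decode_program(REPRO):
        print(entry)
```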