scsi: memory leak in sg_start_req

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello,

syzkaller has found the following memory leak:

unreferenced object 0xffff88004c190000 (size 8328):
  comm "syz-executor", pid 4627, jiffies 4294749150 (age 45.507s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    20 00 00 00 22 01 00 00 00 00 00 00 04 00 00 00   ..."...........
  backtrace:
    [<000000005955b5a9>] kmalloc_order+0x59/0x80 mm/slab_common.c:1124
    [<0000000043ae006e>] kmalloc_order_trace+0x1f/0x160 mm/slab_common.c:1133
    [<00000000d33b2e16>] kmalloc_large include/linux/slab.h:433 [inline]
    [<00000000d33b2e16>] __kmalloc+0x2c4/0x340 mm/slub.c:3751
    [<00000000e7430040>] kmalloc include/linux/slab.h:504 [inline]
    [<00000000e7430040>] bio_alloc_bioset+0x4d5/0x7e0 block/bio.c:450
    [<00000000f370e717>] bio_kmalloc include/linux/bio.h:410 [inline]
    [<00000000f370e717>] bio_copy_user_iov+0x2be/0xcb0 block/bio.c:1226
    [<000000001d0b79ed>] __blk_rq_map_user_iov block/blk-map.c:67 [inline]
    [<000000001d0b79ed>] blk_rq_map_user_iov+0x2b6/0x7d0 block/blk-map.c:136
    [<000000004200a869>] blk_rq_map_user+0x11e/0x170 block/blk-map.c:166
    [<000000008f21739e>] sg_start_req drivers/scsi/sg.c:1794 [inline]
    [<000000008f21739e>] sg_common_write.isra.16+0x14df/0x1ed0
drivers/scsi/sg.c:777
    [<00000000093f61e3>] sg_write+0x8a7/0xd7b drivers/scsi/sg.c:677
    [<00000000b67dafdc>] __vfs_write+0x10d/0x8f0 fs/read_write.c:480
    [<000000000638f16f>] vfs_write+0x1fd/0x570 fs/read_write.c:544
    [<000000006a7e6867>] SYSC_write fs/read_write.c:589 [inline]
    [<000000006a7e6867>] SyS_write+0xfa/0x250 fs/read_write.c:581

can be reproduced with the following program:

// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>

int main()
{
  int fd = open("/dev/sg1", O_RDWR);
  const char *data =
         "\xb6\x3d\xb8\x5e\x1e\x8d\x22\x00\x00\x00\x00\x00\x00\x08\xaf\xd6\x1d"
         "\xcc\x43\x6a\xed\x5e\xd2\xbc\x70\x18\xce\xbc\x9b\x97\xae\x21\x91\x4d"
         "\x87\x2c\x67\x8c\xe2\x2c\x9b\x16\x0e\x96\xaa\x1f\xae\x1a";
  write(fd, data, 0x30);
  return 0;
}

if executed in a loop, memory consumption grows infinitely.

on upstream commit b2cd1df66037e7c4697c7e40496bf7e4a5e16a2d



[Index of Archives]     [Linux RAID]     [Linux SCSI]     [Linux ATA RAID]     [IDE]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Device Mapper]

  Powered by Linux