Hello, syzkaller has hit the following memory leak on 4.15-rc7. Reproducer is attached.

unreferenced object 0xffff88007bbaa720 (size 32):
  comm "syz-executor4", pid 12479, jiffies 4295951917 (age 9.779s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<00000000ce041e0c>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
    [<00000000ce041e0c>] slab_post_alloc_hook mm/slab.h:440 [inline]
    [<00000000ce041e0c>] slab_alloc_node mm/slub.c:2725 [inline]
    [<00000000ce041e0c>] slab_alloc mm/slub.c:2733 [inline]
    [<00000000ce041e0c>] kmem_cache_alloc_trace+0x126/0x290 mm/slub.c:2750
    [<0000000052b69e97>] kmalloc include/linux/slab.h:499 [inline]
    [<0000000052b69e97>] kzalloc include/linux/slab.h:688 [inline]
    [<0000000052b69e97>] sctp_endpoint_init net/sctp/endpointola.c:66 [inline]
    [<0000000052b69e97>] sctp_endpoint_new+0x16d/0xef0 net/sctp/endpointola.c:195
    [<00000000b78002d9>] sctp_init_sock+0xc18/0x13e0 net/sctp/socket.c:4490
    [<00000000fe5de849>] inet6_create+0xba7/0x1290 net/ipv6/af_inet6.c:255
    [<00000000bb006173>] __sock_create+0x521/0x920 net/socket.c:1265
    [<00000000a8d6fbc0>] sock_create net/socket.c:1305 [inline]
    [<00000000a8d6fbc0>] SYSC_socket net/socket.c:1335 [inline]
    [<00000000a8d6fbc0>] SyS_socket+0x102/0x1f0 net/socket.c:1315
    [<000000004dc391b5>] entry_SYSCALL_64_fastpath+0x23/0x9a
    [<00000000c66d20cc>] 0xffffffffffffffff
2018/01/09 15:50:01 BUG: memory leak
unreferenced object 0xffff88007bbaac30 (size 32):
  comm "syz-executor4", pid 12479, jiffies 4295951917 (age 9.791s)
  hex dump (first 32 bytes):
    f0 45 4b 2a 00 88 ff ff f0 45 4b 2a 00 88 ff ff  .EK*.....EK*....
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<00000000ce041e0c>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
    [<00000000ce041e0c>] slab_post_alloc_hook mm/slab.h:440 [inline]
    [<00000000ce041e0c>] slab_alloc_node mm/slub.c:2725 [inline]
    [<00000000ce041e0c>] slab_alloc mm/slub.c:2733 [inline]
    [<00000000ce041e0c>] kmem_cache_alloc_trace+0x126/0x290 mm/slub.c:2750
    [<0000000069bdc070>] kmalloc include/linux/slab.h:499 [inline]
    [<0000000069bdc070>] kzalloc include/linux/slab.h:688 [inline]
    [<0000000069bdc070>] sctp_auth_shkey_create+0xbb/0x1f0 net/sctp/auth.c:99
    [<00000000604efa40>] sctp_endpoint_init net/sctp/endpointola.c:151 [inline]
    [<00000000604efa40>] sctp_endpoint_new+0x65b/0xef0 net/sctp/endpointola.c:195
    [<00000000b78002d9>] sctp_init_sock+0xc18/0x13e0 net/sctp/socket.c:4490
    [<00000000fe5de849>] inet6_create+0xba7/0x1290 net/ipv6/af_inet6.c:255
    [<00000000bb006173>] __sock_create+0x521/0x920 net/socket.c:1265
    [<00000000a8d6fbc0>] sock_create net/socket.c:1305 [inline]
    [<00000000a8d6fbc0>] SYSC_socket net/socket.c:1335 [inline]
    [<00000000a8d6fbc0>] SyS_socket+0x102/0x1f0 net/socket.c:1315
    [<000000004dc391b5>] entry_SYSCALL_64_fastpath+0x23/0x9a
    [<00000000c66d20cc>] 0xffffffffffffffff
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Reproducer for the kmemleak report above.  Both leaked objects were
// allocated under sctp_init_sock() (i.e. at socket() time, call 2 below);
// which of the later calls keeps the endpoint from being freed is not
// established by the report itself.  Everything other than execute_call()
// is syzkaller's stock executor skeleton: a pool of worker threads driven
// by a futex handshake, first run sequentially, then in "collide" mode so
// that neighbouring calls overlap in time.  No syscall return value is
// checked; the fixed-address stores in calls 3 and 4 assume the mmap in
// call 0 succeeded.

#define _GNU_SOURCE
#include <endian.h>
#include <linux/futex.h>
#include <pthread.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* One worker slot.  `running` doubles as the futex word: the main thread
 * sets it to 1 after storing the call index in `call`, and the worker
 * resets it to 0 when the call has returned. */
struct thread_t {
  int created, running, call;
  pthread_t th;
};

static struct thread_t threads[16];
static void execute_call(int call);
static int running; /* workers currently inside execute_call() */
static int collide; /* set for the second pass: odd calls are not waited for */

/* Worker loop: block on th->running until it becomes non-zero, run the
 * assigned call, then clear the flag and wake the main thread.  The loop
 * never exits; the trailing return only satisfies the signature. */
static void* thr(void* arg)
{
  struct thread_t* th = (struct thread_t*)arg;
  for (;;) {
    while (!__atomic_load_n(&th->running, __ATOMIC_ACQUIRE))
      syscall(SYS_futex, &th->running, FUTEX_WAIT, 0, 0);
    execute_call(th->call);
    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
    __atomic_store_n(&th->running, 0, __ATOMIC_RELEASE);
    syscall(SYS_futex, &th->running, FUTEX_WAKE);
  }
  return 0;
}

/* Dispatch calls 0..num_calls-1, one per idle worker.  Workers are created
 * lazily with a 128 KiB stack.  After handing a call to a worker the main
 * thread normally waits up to 20 ms for it to finish and then sleeps a
 * little longer if any worker is still busy; in collide mode odd-numbered
 * calls are dispatched without that wait, so each runs concurrently with
 * the call that follows it. */
static void execute(int num_calls)
{
  int call, thread;
  running = 0;
  for (call = 0; call < num_calls; call++) {
    for (thread = 0; thread < sizeof(threads) / sizeof(threads[0]); thread++) {
      struct thread_t* th = &threads[thread];
      if (!th->created) {
        th->created = 1;
        pthread_attr_t attr;
        pthread_attr_init(&attr);
        pthread_attr_setstacksize(&attr, 128 << 10);
        pthread_create(&th->th, &attr, thr, th);
      }
      if (!__atomic_load_n(&th->running, __ATOMIC_ACQUIRE)) {
        th->call = call;
        __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
        __atomic_store_n(&th->running, 1, __ATOMIC_RELEASE);
        syscall(SYS_futex, &th->running, FUTEX_WAKE);
        /* collide mode: do not wait for odd calls, let them overlap */
        if (collide && call % 2)
          break;
        struct timespec ts;
        ts.tv_sec = 0;
        ts.tv_nsec = 20 * 1000 * 1000; /* 20 ms bounded wait */
        syscall(SYS_futex, &th->running, FUTEX_WAIT, 1, &ts);
        /* a worker is still busy: 10 ms after the last call, else 1 ms */
        if (running)
          usleep((call == num_calls - 1) ? 10000 : 1000);
        break;
      }
    }
  }
}

/* Results shared between calls; r[0] is the fd returned by socket(). */
long r[1];

/* The program under test, one syscall per index.  Raw numeric arguments
 * are what syzkaller emitted; the decoded meaning is noted per call. */
void execute_call(int call)
{
  switch (call) {
  case 0:
    /* 16 MiB - 4 KiB anonymous mapping at a fixed address that the later
     * calls use for their argument buffers: prot 3 = PROT_READ|PROT_WRITE,
     * flags 0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS. */
    syscall(__NR_mmap, 0x20000000, 0xfff000, 3, 0x32, -1, 0);
    break;
  case 1:
    syscall(__NR_getpid);
    break;
  case 2:
    /* socket(AF_INET6 = 0xa, SOCK_SEQPACKET = 5, IPPROTO_SCTP = 0x84):
     * this is the allocation site in the kmemleak backtrace
     * (inet6_create -> sctp_init_sock -> sctp_endpoint_new). */
    r[0] = syscall(__NR_socket, 0xa, 5, 0x84);
    break;
  case 3:
    /* setrlimit(RLIMIT_NOFILE = 7, {rlim_cur = 0, rlim_max = 0}); the
     * two 8-byte stores build the struct rlimit in the mapping. */
    *(uint64_t*)0x2046eff0 = 0;
    *(uint64_t*)0x2046eff8 = 0;
    syscall(__NR_setrlimit, 7, 0x2046eff0);
    break;
  case 4:
    /* ioctl on the SCTP socket with request 0x894c (looks like SIOCGSKNS,
     * the "get socket netns" request -- confirm against
     * <linux/sockios.h> for the kernel under test). */
    *(uint32_t*)0x202bf000 = 0;
    syscall(__NR_ioctl, r[0], 0x894c, 0x202bf000);
    break;
  }
}

/* Run the five calls once sequentially, then once more in collide mode.
 * memset(-1) makes r[0] an invalid fd until socket() succeeds. */
void loop()
{
  memset(r, -1, sizeof(r));
  execute(5);
  collide = 1;
  execute(5);
}

int main()
{
  loop();
  return 0;
}