Description
b1a052dbee6adf064794f787b08e0a00e6d062777af6b2cf342c89c4427bc0318b11214a3c5a94a916cf915d24481f65a5462d81f5f269a679d225be7f29ebd48ebddc0de127325533eb1883c5822284d7d6919238840cab4e6374aa9e1803c5a9ae8d1fda1a7a38ddbb1649954be46fe223f61e7232864a2c12b456b534a54f90a5d9b31604ff3100c3fdffdc0c3f3f80924e1dec92522e8ccd464bacb5972801ddaa7864d8daedb72e124ce776ee943cd7bd1cbd0ea78814529", 0x1000, r4}, 0x68)
fcntl$notify(r1, 0x402, 0x1)
BUG: memory leak
unreferenced object 0xffff888107633680 (size 64):
comm "syz-executor.5", pid 8625, jiffies 4295456608 (age 25.626s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 e0 00 00 02 ac 14 14 bb ................
01 00 00 00 01 00 00 00 00 0e 9a 07 81 88 ff ff ................
backtrace:
[<00000000ee58576e>] kmalloc include/linux/slab.h:557 [inline]
[<00000000ee58576e>] sock_kmalloc net/core/sock.c:2249 [inline]
[<00000000ee58576e>] sock_kmalloc+0xb5/0x100 net/core/sock.c:2240
[<00000000c7eecb78>] __ip_mc_join_group+0x27b/0x4a0 net/ipv4/igmp.c:2189
[<000000008e81cde0>] do_ip_setsockopt net/ipv4/ip_sockglue.c:1285 [inline]
[<000000008e81cde0>] ip_setsockopt+0x2e20/0x31d0 net/ipv4/ip_sockglue.c:1423
[<000000005fd7217d>] tcp_setsockopt+0x139/0x25f0 net/ipv4/tcp.c:3597
[<00000000f9699b10>] mptcp_setsockopt+0x51d/0x650 net/mptcp/protocol.c:2863
[<000000006719ff36>] __sys_setsockopt+0x14f/0x360 net/socket.c:2115
[<0000000047dd27bf>] __do_sys_setsockopt net/socket.c:2126 [inline]
[<0000000047dd27bf>] __se_sys_setsockopt net/socket.c:2123 [inline]
[<0000000047dd27bf>] __x64_sys_setsockopt+0xb9/0x150 net/socket.c:2123
[<00000000c25e998f>] do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
[<00000000a80f755a>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff8881079a0e00 (size 64):
comm "syz-executor.5", pid 8625, jiffies 4295456608 (age 25.626s)
hex dump (first 32 bytes):
0a 00 00 00 01 00 00 00 06 01 00 00 12 00 40 88 ..............@.
80 30 15 00 00 ea ff ff e0 00 00 02 00 ea ff ff .0..............
backtrace:
[<00000000ee58576e>] kmalloc include/linux/slab.h:557 [inline]
[<00000000ee58576e>] sock_kmalloc net/core/sock.c:2249 [inline]
[<00000000ee58576e>] sock_kmalloc+0xb5/0x100 net/core/sock.c:2240
[<0000000036f57205>] ip_mc_source+0x8f8/0xf00 net/ipv4/igmp.c:2384
[<00000000f6624f7d>] do_ip_setsockopt net/ipv4/ip_sockglue.c:1294 [inline]
[<00000000f6624f7d>] ip_setsockopt+0x17ac/0x31d0 net/ipv4/ip_sockglue.c:1423
[<000000005fd7217d>] tcp_setsockopt+0x139/0x25f0 net/ipv4/tcp.c:3597
[<00000000f9699b10>] mptcp_setsockopt+0x51d/0x650 net/mptcp/protocol.c:2863
[<000000006719ff36>] __sys_setsockopt+0x14f/0x360 net/socket.c:2115
[<0000000047dd27bf>] __do_sys_setsockopt net/socket.c:2126 [inline]
[<0000000047dd27bf>] __se_sys_setsockopt net/socket.c:2123 [inline]
[<0000000047dd27bf>] __x64_sys_setsockopt+0xb9/0x150 net/socket.c:2123
[<00000000c25e998f>] do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
[<00000000a80f755a>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: leak checking failed
No reproducer yet.
HEAD is at:
0ba8e381319a ("mptcp: fix locking in mptcp_disconnect()") (HEAD) (7 days ago)
2231a14 ("DO-NOT-MERGE: mptcp: enabled by default") (tag: export/20210114T060000, mptcp_net-next/export) (7 days ago)
bdb95de ("DO-NOT-MERGE: mptcp: add GitHub Actions") (7 days ago)
37e13d6 ("DO-NOT-MERGE: mptcp: use kmalloc on kasan build") (7 days ago)
89c6174 ("mptcp: schedule work for better snd subflow selection") (7 days ago)
e61bdd4 ("mptcp: do not queue excessive data on subflows") (7 days ago)
22a5014 ("mptcp: re-enable sndbuf autotune") (7 days ago)
5ec4e3d ("mptcp: always graft subflow socket to parent") (7 days ago)
c7a8b47 ("bpf:selftests: add bpf_mptcp_sock() verifier tests") (7 days ago)
4aad7af ("bpf:selftests: add MPTCP test base") (7 days ago)
71880f9 ("bpf: add 'bpf_mptcp_sock' structure and helper") (7 days ago)
197e7ab ("bpf: expose is_mptcp flag to bpf_tcp_sock") (7 days ago)
127854a ("linux: handle MPTCP consistently with TCP") (7 days ago)
fe5b34d ("mptcp: better msk-level shutdown.") (7 days ago)
cdca685 ("mptcp: more strict state checking for acks") (7 days ago)
0ae5b43 ("tcp: assign skb hash after tcp_event_data_sent") (mptcp_net-next/net-next) (8 days ago)
syzkaller reproducer:
# {Threaded:false Collide:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none Fault:false FaultCall:-1 FaultNth:0 Leak:true NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false Sysctl:false UseTmpDir:false HandleSegv:false Repro:false Trace:false}
# Reproducer walk-through for triage: an MPTCP socket is bound, connected, and then
# given a source-specific multicast membership through the plain IP setsockopt path.
# Create the socket: family 0x2 (AF_INET), type 0x1 (SOCK_STREAM), protocol 0x106 (IPPROTO_MPTCP).
r0 = socket$inet_mptcp(0x2, 0x1, 0x106)
# Bind to port 0x4e20 on syzkaller's @multicast2 address
# (presumably the e0 00 00 02 bytes visible in both hex dumps above).
bind$inet(r0, &(0x7f00000013c0)={0x2, 0x4e20, @multicast2}, 0x10)
# Connect to the same port on the executor's @local address.
connect$inet(r0, &(0x7f0000000040)={0x2, 0x4e20, @local}, 0x10)
# setsockopt at level 0x0 (IPPROTO_IP), option 0x27 (IP_ADD_SOURCE_MEMBERSHIP), with a
# 0xc-byte ip_mreq_source: group=@multicast2, interface=@remote, source=@multicast2.
# This is consistent with the second backtrace above (mptcp_setsockopt -> tcp_setsockopt ->
# ip_setsockopt -> ip_mc_source -> sock_kmalloc).
# NOTE(review): the first backtrace enters __ip_mc_join_group from a different
# ip_sockglue.c line (1285 vs 1294) — confirm whether this single call yields both reports.
# TODO confirm: which socket (MPTCP parent or subflow) owns the sock_kmalloc'd multicast
# state, and whether it is released when r0 is closed; the trace alone does not show this.
setsockopt$inet_mreqsrc(r0, 0x0, 0x27, &(0x7f0000000040)={@multicast2, @remote, @multicast2}, 0xc)
CONFIG-file:
CONFIG.txt
[UPDATE 01/21: Added reproducer; updated HEAD, Crashlog and CONFIG.txt]