Hello,
syzbot found the following crash on:
HEAD commit: 0011572c Merge branch 'for-5.2-fixes' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15193256a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=cb38d33cd06d8d48
dashboard link: https://syzkaller.appspot.com/bug?extid=03e5c8ebd22cc6c3a8cb
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13244221a00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=117b2432a00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: [email protected]
ram
executing program
BUG: memory leak
unreferenced object 0xffff8881204d7800 (size 2048):
comm "syz-executor855", pid 6936, jiffies 4294941958 (age 26.780s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
20 00 00 00 02 01 00 00 00 00 00 00 08 00 00 00 ...............
backtrace:
[<00000000c5e27070>] kmemleak_alloc_recursive
include/linux/kmemleak.h:43 [inline]
[<00000000c5e27070>] slab_post_alloc_hook mm/slab.h:439 [inline]
[<00000000c5e27070>] slab_alloc mm/slab.c:3326 [inline]
[<00000000c5e27070>] __do_kmalloc mm/slab.c:3658 [inline]
[<00000000c5e27070>] __kmalloc+0x161/0x2c0 mm/slab.c:3669
[<000000004415e750>] kmalloc include/linux/slab.h:552 [inline]
[<000000004415e750>] bio_alloc_bioset+0x1b8/0x2c0 block/bio.c:439
[<000000002da58d1d>] bio_kmalloc include/linux/bio.h:391 [inline]
[<000000002da58d1d>] bio_copy_user_iov+0x113/0x4a0 block/bio.c:1275
[<00000000b4b23d95>] __blk_rq_map_user_iov block/blk-map.c:67 [inline]
[<00000000b4b23d95>] blk_rq_map_user_iov+0xc6/0x2b0 block/blk-map.c:136
[<00000000edad5f7e>] blk_rq_map_user+0x71/0xb0 block/blk-map.c:166
[<00000000c94723b5>] sg_start_req drivers/scsi/sg.c:1813 [inline]
[<00000000c94723b5>] sg_common_write.isra.0+0x619/0xa10
drivers/scsi/sg.c:809
[<00000000b11f3605>] sg_write.part.0+0x325/0x570 drivers/scsi/sg.c:709
[<00000000aba41953>] sg_write+0x44/0x64 drivers/scsi/sg.c:617
[<00000000afecd177>] __vfs_write+0x43/0xa0 fs/read_write.c:494
[<00000000de690898>] vfs_write fs/read_write.c:558 [inline]
[<00000000de690898>] vfs_write+0xee/0x210 fs/read_write.c:542
[<00000000705a35b0>] ksys_write+0x7c/0x130 fs/read_write.c:611
[<000000009efb9e6c>] __do_sys_write fs/read_write.c:623 [inline]
[<000000009efb9e6c>] __se_sys_write fs/read_write.c:620 [inline]
[<000000009efb9e6c>] __x64_sys_write+0x1e/0x30 fs/read_write.c:620
[<00000000f9e48771>] do_syscall_64+0x76/0x1a0
arch/x86/entry/common.c:301
[<00000000d5cff9fc>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot has bisected this bug to:
commit 664820265d70a759dceca87b6eb200cd2b93cda8
Author: Mike Snitzer <[email protected]>
Date: Thu Feb 18 20:44:39 2016 +0000
dm: do not return target from dm_get_live_table_for_ioctl()
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=13f4eb64600000
start commit: 0011572c Merge branch 'for-5.2-fixes' of git://git.kernel...
git tree: upstream
final crash: https://syzkaller.appspot.com/x/report.txt?x=100ceb64600000
console output: https://syzkaller.appspot.com/x/log.txt?x=17f4eb64600000
kernel config: https://syzkaller.appspot.com/x/.config?x=cb38d33cd06d8d48
dashboard link: https://syzkaller.appspot.com/bug?extid=03e5c8ebd22cc6c3a8cb
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13244221a00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=117b2432a00000
Reported-by: [email protected]
Fixes: 664820265d70 ("dm: do not return target from
dm_get_live_table_for_ioctl()")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
On 7/29/19 8:38 AM, syzbot wrote:
> syzbot has bisected this bug to:
>
> commit 664820265d70a759dceca87b6eb200cd2b93cda8
> Author: Mike Snitzer <[email protected]>
> Date: Thu Feb 18 20:44:39 2016 +0000
>
> dm: do not return target from dm_get_live_table_for_ioctl()
>
This(and previous bisection) look not related to the reported leak.
A possible reason may be KASAN can't recognize the failure path of bio_alloc_bioset()
where mempool_free() is called but not kmalloc(p).
But it's not a real bug, because we have the condition if (nr_iovecs > inline_vecs).
Below fix may avoid the syzbot bug report..
diff --git a/block/bio.c b/block/bio.c
index 4db1008..04a7879 100644
--- a/block/bio.c
+++ b/block/bio.c
@@ -513,8 +513,10 @@ struct bio *bio_alloc_bioset(gfp_t gfp_mask, unsigned int nr_iovecs,
bvl = bvec_alloc(gfp_mask, nr_iovecs, &idx, &bs->bvec_pool);
}
- if (unlikely(!bvl))
- goto err_free;
+ if (unlikely(!bvl)) {
+ mempool_free(p, &bs->bio_pool);
+ return NULL;
+ }
bio->bi_flags |= idx << BVEC_POOL_OFFSET;
} else if (nr_iovecs) {
@@ -525,10 +527,6 @@ struct bio *bio_alloc_bioset(gfp_t gfp_mask, unsigned int nr_iovecs,
bio->bi_max_vecs = nr_iovecs;
bio->bi_io_vec = bvl;
return bio;
-
-err_free:
- mempool_free(p, &bs->bio_pool);
- return NULL;
}
EXPORT_SYMBOL(bio_alloc_bioset);
Regards, -Bob
> bisection log: https://urldefense.proofpoint.com/v2/url?u=https-3A__syzkaller.appspot.com_x_bisect.txt-3Fx-3D13f4eb64600000&d=DwIBaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=1ktT0U2YS_I8Zz2o-MS1YcCAzWZ6hFGtyTgvVMGM7gI&m=NfGQRVxYCfZacAKiml9Wue-G1r2h8qkuAhAMOx_uFcc&s=MNjYy_nft_s0ErmK2n89p7y2yhKmeWlxWch0z7_dsm8&e=start commit: 0011572c Merge branch 'for-5.2-fixes' of git://git.kernel...
> git tree: upstream
> final crash: https://urldefense.proofpoint.com/v2/url?u=https-3A__syzkaller.appspot.com_x_report.txt-3Fx-3D100ceb64600000&d=DwIBaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=1ktT0U2YS_I8Zz2o-MS1YcCAzWZ6hFGtyTgvVMGM7gI&m=NfGQRVxYCfZacAKiml9Wue-G1r2h8qkuAhAMOx_uFcc&s=iviPOQNPEIjkuqBma_VWEQ9l1Ve3eOiTwads42E4ZPo&e=console output: https://urldefense.proofpoint.com/v2/url?u=https-3A__syzkaller.appspot.com_x_log.txt-3Fx-3D17f4eb64600000&d=DwIBaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=1ktT0U2YS_I8Zz2o-MS1YcCAzWZ6hFGtyTgvVMGM7gI&m=NfGQRVxYCfZacAKiml9Wue-G1r2h8qkuAhAMOx_uFcc&s=MBwnFwjEcSQfYymfv8EYt_EawVdK9vD-OAqDMutO-YY&e=kernel config: https://urldefense.proofpoint.com/v2/url?u=https-3A__syzkaller.appspot.com_x_.config-3Fx-3Dcb38d33cd06d8d48&d=DwIBaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=1ktT0U2YS_I8Zz2o-MS1YcCAzWZ6hFGtyTgvVMGM7gI&m=NfGQRVxYCfZacAKiml9Wue-G1r2h8qkuAhAMOx_uFcc&s=SqmDUenNFS-961PGgiMW5mIUv0nIBrf0oBrzUxYZ8Do&e=dashboard link:
> https://urldefense.proofpoint.com/v2/url?u=https-3A__syzkaller.appspot.com_bug-3Fextid-3D03e5c8ebd22cc6c3a8cb&d=DwIBaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=1ktT0U2YS_I8Zz2o-MS1YcCAzWZ6hFGtyTgvVMGM7gI&m=NfGQRVxYCfZacAKiml9Wue-G1r2h8qkuAhAMOx_uFcc&s=jKd2ocY5X94uyB8Or-OC3yffbOgClPQPlXqFnLzvvSY&e=syz repro: https://urldefense.proofpoint.com/v2/url?u=https-3A__syzkaller.appspot.com_x_repro.syz-3Fx-3D13244221a00000&d=DwIBaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=1ktT0U2YS_I8Zz2o-MS1YcCAzWZ6hFGtyTgvVMGM7gI&m=NfGQRVxYCfZacAKiml9Wue-G1r2h8qkuAhAMOx_uFcc&s=K-C39Kcd1oEOtJKwnby-s1EyEZZA10mr9bcXZ0J9Kh0&e=C reproducer: https://urldefense.proofpoint.com/v2/url?u=https-3A__syzkaller.appspot.com_x_repro.c-3Fx-3D117b2432a00000&d=DwIBaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=1ktT0U2YS_I8Zz2o-MS1YcCAzWZ6hFGtyTgvVMGM7gI&m=NfGQRVxYCfZacAKiml9Wue-G1r2h8qkuAhAMOx_uFcc&s=7J685CwQN6_FA2KgO3Vgy1msF0zi5O0OqZj_bgvEqBE&e=
> Reported-by: [email protected]
> Fixes: 664820265d70 ("dm: do not return target from dm_get_live_table_for_ioctl()")
>
> For information about bisection process see: https://urldefense.proofpoint.com/v2/url?u=https-3A__goo.gl_tpsmEJ-23bisection&d=DwIBaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=1ktT0U2YS_I8Zz2o-MS1YcCAzWZ6hFGtyTgvVMGM7gI&m=NfGQRVxYCfZacAKiml9Wue-G1r2h8qkuAhAMOx_uFcc&s=rs52TkiEQCrV4V8YQa2wT55HD8E-0AX9pn7MNIDcje4&e=