2020-03-26 05:26:54

by Kyungtae Kim

Subject: memory leak in scsi_init_io

We report a bug (in linux-5.5.13) found by FuzzUSB (a modified version
of syzkaller).

A memory buffer (i.e., a struct scatterlist) is allocated and not freed properly.
(We are not sure at which point the allocated memory region leaks.)

==================================================================
BUG: memory leak
unreferenced object 0xffff88805b337280 (size 256):
comm "syz-executor.6", pid 5934, jiffies 4295016561 (age 16.340s)
hex dump (first 32 bytes):
00 46 5f 01 00 ea ff ff 00 00 00 00 00 10 00 00 .F_.............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<000000006305194b>] kmemleak_alloc_recursive 2/./include/linux/kmemleak.h:43 [inline]
[<000000006305194b>] slab_post_alloc_hook 2/mm/slab.h:586 [inline]
[<000000006305194b>] slab_alloc_node 2/mm/slub.c:2767 [inline]
[<000000006305194b>] slab_alloc 2/mm/slub.c:2775 [inline]
[<000000006305194b>] kmem_cache_alloc+0x165/0x340 2/mm/slub.c:2780
[<000000003f20764c>] mempool_alloc_slab+0x44/0x70 2/mm/mempool.c:513
[<00000000561f62bb>] mempool_alloc+0x145/0x370 2/mm/mempool.c:393
[<00000000322111ed>] sg_pool_alloc+0xe6/0x1a0 2/lib/sg_pool.c:67
[<00000000b72ca391>] __sg_alloc_table+0xb0/0x370 2/lib/scatterlist.c:302
[<00000000c61ae208>] sg_alloc_table_chained+0x6c/0x1c0 2/lib/sg_pool.c:132
[<00000000cd52be39>] scsi_init_sgtable 2/drivers/scsi/scsi_lib.c:990 [inline]
[<00000000cd52be39>] scsi_init_io+0x10e/0x340 2/drivers/scsi/scsi_lib.c:1025
[<000000004dccec43>] sd_setup_read_write_cmnd 2/drivers/scsi/sd.c:1174 [inline]
[<000000004dccec43>] sd_init_command+0xbdc/0x3400 2/drivers/scsi/sd.c:1290
[<00000000644825df>] scsi_setup_fs_cmnd 2/drivers/scsi/scsi_lib.c:1211 [inline]
[<00000000644825df>] scsi_setup_cmnd 2/drivers/scsi/scsi_lib.c:1229 [inline]
[<00000000644825df>] scsi_mq_prep_fn 2/drivers/scsi/scsi_lib.c:1603 [inline]
[<00000000644825df>] scsi_queue_rq+0xf18/0x2a30 2/drivers/scsi/scsi_lib.c:1671
[<00000000d4c4c1c8>] blk_mq_dispatch_rq_list+0xa6e/0x1870 2/block/blk-mq.c:1238
[<00000000e1d472b3>] blk_mq_do_dispatch_sched+0x198/0x3f0 2/block/blk-mq-sched.c:115
[<000000002542d635>] blk_mq_sched_dispatch_requests+0x39a/0x600 2/block/blk-mq-sched.c:211
[<000000000ffcbd69>] __blk_mq_run_hw_queue+0x12b/0x250 2/block/blk-mq.c:1368
[<000000001cbeb84f>] __blk_mq_delay_run_hw_queue+0x467/0x4f0 2/block/blk-mq.c:1436
[<000000003a7eefb7>] blk_mq_run_hw_queue+0x178/0x320 2/block/blk-mq.c:1473
[<00000000bf63d47b>] blk_mq_get_tag+0x583/0xa00 2/block/blk-mq-tag.c:139
==================================================================
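The report above does not say where the object is lost, but the backtrace does say who allocated it: the first frame below the allocator and sg-pool layers is scsi_init_sgtable, inlined into scsi_init_io, which is the code that owns the scatterlist and would have to release it. When a fuzzer produces many such reports, the useful triage step is to extract that owning site mechanically and deduplicate on it. The following is an added example for this thread, not code from the report or from the kernel. It parses a kmemleak report, re-joins the frames that the mail client wrapped onto two lines, and returns the owning frame; the list of files treated as "allocator machinery" (ALLOCATOR_FILES) is our own assumption, and the sample input is an excerpt of the report in this post.

```python
"""Triage helper for kmemleak 'BUG: memory leak' reports (added example, not
code from the report or the kernel): parse one report, re-join frames that a
mail client wrapped onto two lines, and name the first frame outside the
allocator/sg-pool layers, i.e. the code that owns the object and must free it.
ALLOCATOR_FILES is our assumption about where those layers live."""
import re
from dataclasses import dataclass, field
from typing import List

# Excerpt of the report in the post above, with the mail wrapping kept as-is.
SAMPLE_REPORT = """\
BUG: memory leak
unreferenced object 0xffff88805b337280 (size 256):
comm "syz-executor.6", pid 5934, jiffies 4295016561 (age 16.340s)
hex dump (first 32 bytes):
backtrace:
[<000000006305194b>] kmemleak_alloc_recursive
2/./include/linux/kmemleak.h:43 [inline]
[<000000006305194b>] slab_post_alloc_hook 2/mm/slab.h:586 [inline]
[<000000006305194b>] slab_alloc_node 2/mm/slub.c:2767 [inline]
[<000000006305194b>] slab_alloc 2/mm/slub.c:2775 [inline]
[<000000006305194b>] kmem_cache_alloc+0x165/0x340 2/mm/slub.c:2780
[<000000003f20764c>] mempool_alloc_slab+0x44/0x70 2/mm/mempool.c:513
[<00000000561f62bb>] mempool_alloc+0x145/0x370 2/mm/mempool.c:393
[<00000000322111ed>] sg_pool_alloc+0xe6/0x1a0 2/lib/sg_pool.c:67
[<00000000b72ca391>] __sg_alloc_table+0xb0/0x370 2/lib/scatterlist.c:302
[<00000000c61ae208>] sg_alloc_table_chained+0x6c/0x1c0 2/lib/sg_pool.c:132
[<00000000cd52be39>] scsi_init_sgtable
2/drivers/scsi/scsi_lib.c:990 [inline]
[<00000000cd52be39>] scsi_init_io+0x10e/0x340 2/drivers/scsi/scsi_lib.c:1025
[<000000004dccec43>] sd_setup_read_write_cmnd
2/drivers/scsi/sd.c:1174 [inline]
[<000000004dccec43>] sd_init_command+0xbdc/0x3400 2/drivers/scsi/sd.c:1290
==================================================================
"""

HEADER_RE = re.compile(r"unreferenced object (0x[0-9a-f]+) \(size (\d+)\):")
COMM_RE = re.compile(r'comm "([^"]*)", pid (\d+),')
FRAME_RE = re.compile(r"\[<([0-9a-f]+)>\]\s+(\S+)\s+(\S+)(\s+\[inline\])?\s*$")
# Kernel top-level dirs, used to drop the build-directory prefix ("2/./include/x" -> "include/x").
TREE_RE = re.compile(r"(?:^|/)(?:\./)?((?:include|mm|lib|drivers|block|fs|net|kernel|arch)/\S+)$")
# Assumption: frames in these files are allocator and sg-pool machinery, not the object's owner.
ALLOCATOR_FILES = ("include/linux/kmemleak.h", "mm/", "lib/sg_pool.c", "lib/scatterlist.c")


@dataclass
class Frame:
    addr: str       # hashed %pS address; inlined frames share it with their host function
    func: str       # symbol with the +0x<off>/0x<len> part stripped
    location: str   # file:line with the build-directory prefix removed
    inline: bool


@dataclass
class LeakReport:
    obj: str
    size: int
    comm: str
    pid: int
    frames: List[Frame] = field(default_factory=list)


def rejoin_wrapped(lines):
    """A backtrace line that does not start with '[<' is the tail of the previous frame."""
    out = []
    for line in lines:
        if out and not line.startswith("[<"):
            out[-1] = out[-1] + " " + line
        else:
            out.append(line)
    return out


def parse_report(text):
    report, body, in_backtrace = None, [], False
    for line in (ln.strip() for ln in text.splitlines()):
        head, comm = HEADER_RE.search(line), COMM_RE.search(line)
        if head:
            report = LeakReport(obj=head.group(1), size=int(head.group(2)), comm="", pid=0)
        elif comm and report:
            report.comm, report.pid = comm.group(1), int(comm.group(2))
        elif line == "backtrace:":
            in_backtrace = True
        elif in_backtrace and line.startswith("="):
            break  # end-of-report separator
        elif in_backtrace:
            body.append(line)
    if report is None:
        raise ValueError("no 'unreferenced object' header found")
    for joined in rejoin_wrapped(body):
        m = FRAME_RE.match(joined)
        if not m:
            raise ValueError("unparsable frame: " + joined)
        tree = TREE_RE.search(m.group(3))
        report.frames.append(Frame(addr=m.group(1), func=m.group(2).split("+")[0],
                                   location=tree.group(1) if tree else m.group(3),
                                   inline=bool(m.group(4))))
    return report


def owner(report):
    """First frame outside ALLOCATOR_FILES, and the non-inline function it was inlined into."""
    for i, fr in enumerate(report.frames):
        if fr.location.startswith(ALLOCATOR_FILES):
            continue
        host = next((f for f in report.frames[i:] if f.addr == fr.addr and not f.inline), fr)
        return fr, host
    return None


def signature(report):
    """Dedup key for a batch of fuzzer reports: owning function, allocation site, object size."""
    found = owner(report)
    if found is None:
        return "unknown:%d" % report.size
    fr, host = found
    return "%s:%s:%d" % (host.func, fr.location, report.size)


if __name__ == "__main__":
    r = parse_report(SAMPLE_REPORT)
    fr, host = owner(r)
    print("%s leaked %d bytes; owner %s (via %s at %s)" % (r.comm, r.size, host.func, fr.func, fr.location))
```

Run on the excerpt, this names scsi_init_io (via the inlined scsi_init_sgtable at drivers/scsi/scsi_lib.c:990) as the owner and yields the key "scsi_init_io:drivers/scsi/scsi_lib.c:990:256". The inline-to-host step matters: inlined frames carry the same hashed address as the function they were folded into, so matching on the address is what recovers the real symbol a patch would have to touch.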