Message-ID: <565DA9BE.3060006@iogearbox.net>
Date: Tue, 01 Dec 2015 15:07:58 +0100
From: Daniel Borkmann
To: Eric Dumazet, Dmitry Vyukov
CC: "David S. Miller", Alexey Kuznetsov, James Morris, Hideaki YOSHIFUJI, Patrick McHardy, netdev, LKML, Vlad Yasevich, Neil Horman, linux-sctp@vger.kernel.org, syzkaller, Kostya Serebryany, Alexander Potapenko, Sasha Levin, Eric Dumazet
Subject: Re: memory leak in do_ipv6_setsockopt
References: <1448977016.25582.18.camel@edumazet-glaptop2.roam.corp.google.com>
In-Reply-To: <1448977016.25582.18.camel@edumazet-glaptop2.roam.corp.google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 12/01/2015 02:36 PM, Eric Dumazet wrote:
> On Tue, 2015-12-01 at 13:27 +0100, Dmitry Vyukov wrote:
>> Hello,
>>
>> The following program causes a memory leak:
>>
>> // autogenerated by syzkaller (http://github.com/google/syzkaller)
>> #include
>> #include
>> #include
>> #include
>> #include
>> #include
>> #include
>>
>> int main()
>> {
>>     long r1 = syscall(SYS_socket, PF_INET6,
>> SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_SCTP);
>>     const char *opt = "\x15\x53\x5e\x2d\x97\xab\xe1";
>>     long r3 = syscall(SYS_setsockopt, r1, 0x29ul, 0x6ul, opt, 0x7ul);
>>     return 0;
>> }
>>
>>
>> unreferenced object 0xffff880039a55260 (size 64):
>>   comm "executor", pid 11746, jiffies 4298984475 (age 16.078s)
>>   hex dump (first 32 bytes):
>>     2f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  /...............
>>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>> backtrace: >> [< inline >] kmalloc include/linux/slab.h:463 >> [] sock_kmalloc+0x7f/0xc0 net/core/sock.c:1774 >> [] do_ipv6_setsockopt.isra.7+0x15d0/0x2830 >> net/ipv6/ipv6_sockglue.c:483 >> [] ipv6_setsockopt+0x9b/0x140 net/ipv6/ipv6_sockglue.c:885 >> [] sctp_setsockopt+0x15c/0x36c0 net/sctp/socket.c:3702 >> [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2645 >> [< inline >] SYSC_setsockopt net/socket.c:1757 >> [] SyS_setsockopt+0x158/0x240 net/socket.c:1736 >> >> >> I confirmed that running this program in a loop steadily increases >> number of objects in kmalloc-64 slab. The leak does not happen with >> IPPROTO_TCP, so probably it is sctp-related. > > Thanks for the report. > > Probably fixed by : > > diff --git a/net/sctp/socket.c b/net/sctp/socket.c > index 897c01c029ca..8079ecd8465d 100644 > --- a/net/sctp/socket.c > +++ b/net/sctp/socket.c > @@ -7375,6 +7375,12 @@ struct proto sctp_prot = { > > #if IS_ENABLED(CONFIG_IPV6) > > +static void sctp_v6_destroy_sock(struct sock *sk) > +{ > + sctp_destroy_sock(sk); > + inet6_destroy_sock(sk); > +} Yeah, we miss inet6_destroy_sock() in SCTP. :-( Looks good to me. > struct proto sctpv6_prot = { > .name = "SCTPv6", > .owner = THIS_MODULE, 
> @@ -7384,7 +7390,7 @@ struct proto sctpv6_prot = { > .accept = sctp_accept, > .ioctl = sctp_ioctl, > .init = sctp_init_sock, > - .destroy = sctp_destroy_sock, > + .destroy = sctp_v6_destroy_sock, > .shutdown = sctp_shutdown, > .setsockopt = sctp_setsockopt, > .getsockopt = sctp_getsockopt,
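
Review bot: the new sctp_v6_destroy_sock() in the first hunk has no comment explaining why inet6_destroy_sock() must run after sctp_destroy_sock(). A one-line comment tying it to the IPv6-layer allocation seen in the report (sock_kmalloc() reached from do_ipv6_setsockopt() via sctp_setsockopt()) would keep a later cleanup from collapsing the wrapper back to sctp_destroy_sock. The posting also lacks a changelog and Signed-off-by, which a formal submission needs.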
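
Review bot: the `.destroy = sctp_v6_destroy_sock` switch in the second hunk is offered as "Probably fixed by" with no test result attached. Before it is sent as a formal patch, rerun the reported reproducer in a loop with the change applied and state in the changelog that the kmalloc-64 object count stays flat and kmemleak no longer reports the 64-byte object.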
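
The leak discussed in this thread can be reproduced in miniature with a user-space model of layered destroy hooks. This is an added example, not kernel code and not code from anyone in the thread; every `model_*` name and the allocation counter are assumptions made for illustration.

```c
/* User-space model of the SCTPv6 destroy-hook leak (constructed example). */
#include <stdio.h>
#include <stdlib.h>

static int live_allocs;             /* stands in for the kmalloc-64 object count */

struct model_sock {
    void *ipv6_opt;                 /* stored by the IPv6 setsockopt path */
    void *sctp_state;               /* owned by the SCTP layer */
    void (*destroy)(struct model_sock *);
};

static void *model_alloc(size_t n) { live_allocs++; return malloc(n); }
static void model_free(void *p)    { if (p) { live_allocs--; free(p); } }

/* SCTP teardown: knows nothing about what the IPv6 layer allocated. */
static void model_sctp_destroy(struct model_sock *sk)
{
    model_free(sk->sctp_state);
}

/* IPv6 teardown: releases the option buffer set through setsockopt. */
static void model_inet6_destroy(struct model_sock *sk)
{
    model_free(sk->ipv6_opt);
}

/* Shape of the fix: the v6 hook chains both layers' teardown. */
static void model_sctp_v6_destroy(struct model_sock *sk)
{
    model_sctp_destroy(sk);
    model_inet6_destroy(sk);
}

/* socket + setsockopt + close, repeated; returns objects left behind. */
static int leaked_after_cycles(void (*destroy)(struct model_sock *), int cycles)
{
    live_allocs = 0;
    for (int i = 0; i < cycles; i++) {
        struct model_sock sk = { .destroy = destroy };
        sk.sctp_state = model_alloc(32);
        sk.ipv6_opt = model_alloc(64);  /* the per-socket option allocation */
        sk.destroy(&sk);                /* close() runs only the registered hook */
    }
    return live_allocs;
}

int main(void)
{
    printf("old hook leaks %d objects\n", leaked_after_cycles(model_sctp_destroy, 100));
    printf("chained hook leaks %d objects\n", leaked_after_cycles(model_sctp_v6_destroy, 100));
    return 0;
}
```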