Date: Tue, 4 Jun 2019 00:32:22 +0300 (EEST)
From: Julian Anastasov
To: syzbot
cc: coreteam@netfilter.org, "David S. Miller", fw@strlen.de, kadlec@blackhole.kfki.hu, linux-kernel, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, pablo@netfilter.org, syzkaller-bugs@googlegroups.com, lvs-devel@vger.kernel.org
Subject: Re: memory leak in nf_hook_entries_grow
In-Reply-To: <0000000000002b2262058a70001d@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Hello,

On Mon, 3 Jun 2019, syzbot wrote:

> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit: 3ab4436f Merge tag 'nfsd-5.2-1' of git://linux-nfs.org/~bf..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=15feaf82a00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=50393f7bfe444ff6
> dashboard link: https://syzkaller.appspot.com/bug?extid=722da59ccb264bc19910
> compiler: gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12f02772a00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1657b80ea00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+722da59ccb264bc19910@syzkaller.appspotmail.com
>
> 035][ T7273] IPVS: ftp: loaded support on port[0] = 21
> BUG: memory leak
> unreferenced object 0xffff88810acd8a80 (size 96):
>   comm "syz-executor073", pid 7254, jiffies 4294950560 (age 22.250s)
>   hex dump (first 32 bytes):
>     02 00 00 00 00 00 00 00 50 8b bb 82 ff ff ff ff ........P.......
>     00 00 00 00 00 00 00 00 00 77 bb 82 ff ff ff ff .........w......
>   backtrace:
>     [<0000000013db61f1>] kmemleak_alloc_recursive include/linux/kmemleak.h:55
> [inline]
>     [<0000000013db61f1>] slab_post_alloc_hook mm/slab.h:439 [inline]
>     [<0000000013db61f1>] slab_alloc_node mm/slab.c:3269 [inline]
>     [<0000000013db61f1>] kmem_cache_alloc_node_trace+0x15b/0x2a0 mm/slab.c:3597
>     [<000000001a27307d>] __do_kmalloc_node mm/slab.c:3619 [inline]
>     [<000000001a27307d>] __kmalloc_node+0x38/0x50 mm/slab.c:3627
>     [<0000000025054add>] kmalloc_node include/linux/slab.h:590 [inline]
>     [<0000000025054add>] kvmalloc_node+0x4a/0xd0 mm/util.c:431
>     [<0000000050d1bc00>] kvmalloc include/linux/mm.h:637 [inline]
>     [<0000000050d1bc00>] kvzalloc include/linux/mm.h:645 [inline]
>     [<0000000050d1bc00>] allocate_hook_entries_size+0x3b/0x60
> net/netfilter/core.c:61
>     [<00000000e8abe142>] nf_hook_entries_grow+0xae/0x270
> net/netfilter/core.c:128
>     [<000000004b94797c>] __nf_register_net_hook+0x9a/0x170
> net/netfilter/core.c:337
>     [<00000000d1545cbc>] nf_register_net_hook+0x34/0xc0
> net/netfilter/core.c:464
>     [<00000000876c9b55>] nf_register_net_hooks+0x53/0xc0
> net/netfilter/core.c:480
>     [<000000002ea868e0>] __ip_vs_init+0xe8/0x170
> net/netfilter/ipvs/ip_vs_core.c:2280

After commit "ipvs: Fix use-after-free in ip_vs_in" we planned to call nf_register_net_hooks() only when rule is created but this is net-next material and we should not leave leak in the error path. I'll post a patch that adds .init handler for ipvs_core_dev_ops, so that nf_register_net_hooks() is called there.

> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches

Regards

--
Julian Anastasov
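
Added example, not part of the original message or of the kernel sources: a small parser for the kmemleak report format quoted above, which separates generic allocator frames from the netfilter/IPVS call chain that the reply discusses. REPORT is an excerpt of the quoted report with the e-mail wrapping undone; the names parse_kmemleak and owner_chain and the allocator path prefixes are assumptions of this example.

```python
import re

# Excerpt of the kmemleak report quoted above, with the e-mail quoting and
# line wrapping undone; some allocator frames are omitted to keep it short.
REPORT = """\
unreferenced object 0xffff88810acd8a80 (size 96):
  comm "syz-executor073", pid 7254, jiffies 4294950560 (age 22.250s)
  backtrace:
    [<0000000013db61f1>] kmem_cache_alloc_node_trace+0x15b/0x2a0 mm/slab.c:3597
    [<0000000025054add>] kvmalloc_node+0x4a/0xd0 mm/util.c:431
    [<0000000050d1bc00>] kvzalloc include/linux/mm.h:645 [inline]
    [<0000000050d1bc00>] allocate_hook_entries_size+0x3b/0x60 net/netfilter/core.c:61
    [<00000000e8abe142>] nf_hook_entries_grow+0xae/0x270 net/netfilter/core.c:128
    [<000000004b94797c>] __nf_register_net_hook+0x9a/0x170 net/netfilter/core.c:337
    [<00000000876c9b55>] nf_register_net_hooks+0x53/0xc0 net/netfilter/core.c:480
    [<000000002ea868e0>] __ip_vs_init+0xe8/0x170 net/netfilter/ipvs/ip_vs_core.c:2280
"""

OBJECT_RE = re.compile(r"unreferenced object (0x[0-9a-f]+) \(size (\d+)\):")
FRAME_RE = re.compile(
    r"\[<[0-9a-f]+>\]\s+(?P<func>[\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
    r"\s+(?P<file>\S+):(?P<line>\d+)(?P<inline>\s+\[inline\])?")
# Assumption: frames under these paths are generic allocator plumbing.
ALLOCATOR_PREFIXES = ("mm/", "include/linux/")


def parse_kmemleak(text):
    """Return one dict per leaked object with its size and backtrace frames."""
    leaks = []
    for line in text.splitlines():
        obj = OBJECT_RE.search(line)
        if obj:
            leaks.append({"addr": obj.group(1), "size": int(obj.group(2)), "frames": []})
            continue
        frame = FRAME_RE.search(line)
        if frame and leaks:
            leaks[-1]["frames"].append({**frame.groupdict(), "line": int(frame.group("line")),
                                        "inline": frame.group("inline") is not None})
    return leaks


def owner_chain(leak):
    """Frames outside the allocator, innermost first: where to look for the missing free."""
    return [f for f in leak["frames"] if not f["file"].startswith(ALLOCATOR_PREFIXES)]


if __name__ == "__main__":
    for leak in parse_kmemleak(REPORT):
        print(leak["addr"], leak["size"], [f["func"] for f in owner_chain(leak)])
```
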