Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp4649550ybi;
        Mon, 3 Jun 2019 14:45:55 -0700 (PDT)
X-Google-Smtp-Source: APXvYqwiaG5ieE0jL4DHfC2eIWGaRIPSkiLOFoeB7955nY/u+OGYiVWdATBIoQSr/gaaAnJ/vRTZ
X-Received: by 2002:aa7:8752:: with SMTP id g18mr33848263pfo.240.1559598355778;
        Mon, 03 Jun 2019 14:45:55 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1559598355; cv=none;
        d=google.com; s=arc-20160816;
        b=i8vNLdTypjwLFdCJghSL+IurSzNyBukEWTdvj7ewboqeaAuCMsVMYZOXVujK1F0azu
         CkRHiJZorcHLCBds9FXwBsVLa4UHOegKflODN3D9rxJLaDQgBFInmNzjtIAqomAlJDzv
         EDRgkO4F3GQeofb/tihLiwx14XcnuQuFBmvzvV3TNl7HSTVjk7MhJ5jBrJ3ZrkMDlwuH
         Kh8vyImKgySFj5bWDFKHPj97fofasRmgWalRRdseepwCiK4EHTMPDrWUuZ8r9C4BejHQ
         nUJOwnFx1yjVI5etWDA5elgYaMgJkhrfBL9Xk4IcAxPoVm8LxT0HgE5uUx/AxR9uZS6L
         ZCtw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :message-id:in-reply-to:subject:cc:to:from:date;
        bh=D9L1Jq+hxREUkn7j1vdMv+UH7YlPMLB+o3N3grNVqpw=;
        b=r3tL3VfeNeZ7tettroPY9yA8329sBQYzd2JTvbzTWQ2j1nd4k1+13T6z05H3Ek9H2J
         5rIgrBSkpaPllPcz03Mo0IdzN3oIqSE9PJdwu+5H978dqx+Q5PEBqpIA8HRJl7GwK9tV
         ohetUpyZxYLpyGXtgaxDmor/e2Ir1WSFvfMP63LdVklfi5izA05DlkA1G8ag0jjZk7x9
         PYQsR9FXFCxBOQX2zTokHcmMYGmC28ylidCAwLH6oILaCYoGris1Eiu2ItkFKAw5RSl3
         7y5ZbxT230PfaCiR2MmFCcjvt5Z3FrrvByBjIFlfvlaYv5ubKBRFgv68MTGpFHQYbpmR
         NFUw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id s138si15219816pfc.148.2019.06.03.14.45.40;
        Mon, 03 Jun 2019 14:45:55 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726686AbfFCVn1 (ORCPT <rfc822;crosarcplusplustest@gmail.com>
        + 99 others); Mon, 3 Jun 2019 17:43:27 -0400
Received: from ja.ssi.bg ([178.16.129.10]:55560 "EHLO ja.ssi.bg"
        rhost-flags-OK-FAIL-OK-FAIL) by vger.kernel.org with ESMTP
        id S1726102AbfFCVn1 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 3 Jun 2019 17:43:27 -0400
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
        by ja.ssi.bg (8.15.2/8.15.2) with ESMTP id x53LWMvZ008943;
        Tue, 4 Jun 2019 00:32:22 +0300
Date:   Tue, 4 Jun 2019 00:32:22 +0300 (EEST)
From:   Julian Anastasov <ja@ssi.bg>
To:     syzbot <syzbot+722da59ccb264bc19910@syzkaller.appspotmail.com>
cc:     coreteam@netfilter.org, "David S. Miller" <davem@davemloft.net>,
        fw@strlen.de, kadlec@blackhole.kfki.hu,
        linux-kernel <linux-kernel@vger.kernel.org>,
        netdev@vger.kernel.org, netfilter-devel@vger.kernel.org,
        pablo@netfilter.org, syzkaller-bugs@googlegroups.com,
        lvs-devel@vger.kernel.org
Subject: Re: memory leak in nf_hook_entries_grow
In-Reply-To: <0000000000002b2262058a70001d@google.com>
Message-ID: <alpine.LFD.2.21.1906040021510.3876@ja.home.ssi.bg>
References: <0000000000002b2262058a70001d@google.com>
User-Agent: Alpine 2.21 (LFD 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


	Hello,

On Mon, 3 Jun 2019, syzbot wrote:

> Hello,
> 
> syzbot found the following crash on:
> 
> HEAD commit:    3ab4436f Merge tag 'nfsd-5.2-1' of git://linux-nfs.org/~bf..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=15feaf82a00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=50393f7bfe444ff6
> dashboard link: https://syzkaller.appspot.com/bug?extid=722da59ccb264bc19910
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12f02772a00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1657b80ea00000
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+722da59ccb264bc19910@syzkaller.appspotmail.com
> 
> 035][ T7273] IPVS: ftp: loaded support on port[0] = 21
> BUG: memory leak
> unreferenced object 0xffff88810acd8a80 (size 96):
>  comm "syz-executor073", pid 7254, jiffies 4294950560 (age 22.250s)
>  hex dump (first 32 bytes):
>    02 00 00 00 00 00 00 00 50 8b bb 82 ff ff ff ff  ........P.......
>    00 00 00 00 00 00 00 00 00 77 bb 82 ff ff ff ff  .........w......
>  backtrace:
>    [<0000000013db61f1>] kmemleak_alloc_recursive include/linux/kmemleak.h:55
>    [inline]
>    [<0000000013db61f1>] slab_post_alloc_hook mm/slab.h:439 [inline]
>    [<0000000013db61f1>] slab_alloc_node mm/slab.c:3269 [inline]
>    [<0000000013db61f1>] kmem_cache_alloc_node_trace+0x15b/0x2a0 mm/slab.c:3597
>    [<000000001a27307d>] __do_kmalloc_node mm/slab.c:3619 [inline]
>    [<000000001a27307d>] __kmalloc_node+0x38/0x50 mm/slab.c:3627
>    [<0000000025054add>] kmalloc_node include/linux/slab.h:590 [inline]
>    [<0000000025054add>] kvmalloc_node+0x4a/0xd0 mm/util.c:431
>    [<0000000050d1bc00>] kvmalloc include/linux/mm.h:637 [inline]
>    [<0000000050d1bc00>] kvzalloc include/linux/mm.h:645 [inline]
>    [<0000000050d1bc00>] allocate_hook_entries_size+0x3b/0x60
>    net/netfilter/core.c:61
>    [<00000000e8abe142>] nf_hook_entries_grow+0xae/0x270
>    net/netfilter/core.c:128
>    [<000000004b94797c>] __nf_register_net_hook+0x9a/0x170
>    net/netfilter/core.c:337
>    [<00000000d1545cbc>] nf_register_net_hook+0x34/0xc0
>    net/netfilter/core.c:464
>    [<00000000876c9b55>] nf_register_net_hooks+0x53/0xc0
>    net/netfilter/core.c:480
>    [<000000002ea868e0>] __ip_vs_init+0xe8/0x170
>    net/netfilter/ipvs/ip_vs_core.c:2280

	After commit "ipvs: Fix use-after-free in ip_vs_in" we planned
to call nf_register_net_hooks() only when rule is created but this
is net-next material and we should not leave leak in the error path.
I'll post a patch that adds .init handler for ipvs_core_dev_ops, so
that nf_register_net_hooks() is called there.

> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
> 
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches

Regards

--
Julian Anastasov <ja@ssi.bg>