2019-06-24 07:28:51

by syzbot

[permalink] [raw]
Subject: memory leak in fdb_create

Hello,

syzbot found the following crash on:

HEAD commit: abf02e29 Merge tag 'pm-5.2-rc6' of git://git.kernel.org/pu..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12970eb2a00000
kernel config: https://syzkaller.appspot.com/x/.config?x=56f1da14935c3cce
dashboard link: https://syzkaller.appspot.com/bug?extid=88533dc8b582309bf3ee
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16de5c06a00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10546026a00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: [email protected]

ffffffffda RBX: 0000000000000000 RCX: 0000000000441519
BUG: memory leak
unreferenced object 0xffff888123886800 (size 128):
comm "softirq", pid 0, jiffies 4294945699 (age 13.160s)
hex dump (first 32 bytes):
81 89 f8 20 81 88 ff ff 00 00 00 00 00 00 00 00 ... ............
32 f9 fc b7 11 e2 01 00 00 00 00 00 00 00 00 00 2...............
backtrace:
[<00000000ca2421fa>] kmemleak_alloc_recursive
include/linux/kmemleak.h:43 [inline]
[<00000000ca2421fa>] slab_post_alloc_hook mm/slab.h:439 [inline]
[<00000000ca2421fa>] slab_alloc mm/slab.c:3326 [inline]
[<00000000ca2421fa>] kmem_cache_alloc+0x134/0x270 mm/slab.c:3488
[<000000007faade68>] fdb_create+0x49/0x5a0 net/bridge/br_fdb.c:492
[<00000000772dfc36>] fdb_insert+0xb7/0x100 net/bridge/br_fdb.c:536
[<00000000ded35dd0>] br_fdb_insert+0x3b/0x60 net/bridge/br_fdb.c:552
[<00000000758ae277>] __vlan_add+0x617/0xdf0 net/bridge/br_vlan.c:284
[<0000000054c3b165>] br_vlan_add+0x26f/0x480 net/bridge/br_vlan.c:678
[<00000000ed895462>] br_vlan_init+0xe9/0x130 net/bridge/br_vlan.c:1061
[<00000000f916c753>] br_dev_init+0xa6/0x170 net/bridge/br_device.c:137
[<00000000a4e1a1ea>] register_netdevice+0xbf/0x600 net/core/dev.c:8663
[<00000000bdcf4ebd>] register_netdev+0x24/0x40 net/core/dev.c:8851
[<0000000042e6c0c4>] br_add_bridge+0x5e/0xa0 net/bridge/br_if.c:456
[<0000000036402409>] br_ioctl_deviceless_stub+0x30c/0x350
net/bridge/br_ioctl.c:374
[<00000000e57c9a76>] sock_ioctl+0x287/0x480 net/socket.c:1141
[<00000000109b8329>] vfs_ioctl fs/ioctl.c:46 [inline]
[<00000000109b8329>] file_ioctl fs/ioctl.c:509 [inline]
[<00000000109b8329>] do_vfs_ioctl+0x62a/0x810 fs/ioctl.c:696
[<00000000d8eb5a5e>] ksys_ioctl+0x86/0xb0 fs/ioctl.c:713
[<00000000cd162915>] __do_sys_ioctl fs/ioctl.c:720 [inline]
[<00000000cd162915>] __se_sys_ioctl fs/ioctl.c:718 [inline]
[<00000000cd162915>] __x64_sys_ioctl+0x1e/0x30 fs/ioctl.c:718

BUG: memory leak
unreferenced object 0xffff88811ced2de0 (size 32):
comm "syz-executor140", pid 6998, jiffies 4294945699 (age 13.160s)
hex dump (first 32 bytes):
d3 d2 f1 a7 6c 83 5b 30 30 15 a1 6f 77 3f 00 00 ....l.[00..ow?..
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<00000000d53fdc1e>] kmemleak_alloc_recursive
include/linux/kmemleak.h:43 [inline]
[<00000000d53fdc1e>] slab_post_alloc_hook mm/slab.h:439 [inline]
[<00000000d53fdc1e>] slab_alloc mm/slab.c:3326 [inline]
[<00000000d53fdc1e>] __do_kmalloc mm/slab.c:3658 [inline]
[<00000000d53fdc1e>] __kmalloc_track_caller+0x15d/0x2c0 mm/slab.c:3675
[<00000000c742d29c>] kstrdup+0x3a/0x70 mm/util.c:52
[<00000000d3df5d2b>] kstrdup_const+0x48/0x60 mm/util.c:74
[<00000000d75a8fa8>] kvasprintf_const+0x7e/0xe0 lib/kasprintf.c:48
[<00000000ebee37a0>] kobject_set_name_vargs+0x40/0xe0 lib/kobject.c:289
[<00000000c23c056a>] dev_set_name+0x63/0x90 drivers/base/core.c:1915
[<000000004c47b6d3>] netdev_register_kobject+0x5a/0x1b0
net/core/net-sysfs.c:1727
[<000000005fb074af>] register_netdevice+0x397/0x600 net/core/dev.c:8733
[<00000000bdcf4ebd>] register_netdev+0x24/0x40 net/core/dev.c:8851
[<0000000042e6c0c4>] br_add_bridge+0x5e/0xa0 net/bridge/br_if.c:456
[<0000000036402409>] br_ioctl_deviceless_stub+0x30c/0x350
net/bridge/br_ioctl.c:374
[<00000000e57c9a76>] sock_ioctl+0x287/0x480 net/socket.c:1141
[<00000000109b8329>] vfs_ioctl fs/ioctl.c:46 [inline]
[<00000000109b8329>] file_ioctl fs/ioctl.c:509 [inline]
[<00000000109b8329>] do_vfs_ioctl+0x62a/0x810 fs/ioctl.c:696
[<00000000d8eb5a5e>] ksys_ioctl+0x86/0xb0 fs/ioctl.c:713
[<00000000cd162915>] __do_sys_ioctl fs/ioctl.c:720 [inline]
[<00000000cd162915>] __se_sys_ioctl fs/ioctl.c:718 [inline]
[<00000000cd162915>] __x64_sys_ioctl+0x1e/0x30 fs/ioctl.c:718
[<0000000069b4ac36>] do_syscall_64+0x76/0x1a0
arch/x86/entry/common.c:301



---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches


2019-07-28 14:21:06

by syzbot

[permalink] [raw]
Subject: Re: memory leak in fdb_create

syzbot has bisected this bug to:

commit 04cf31a759ef575f750a63777cee95500e410994
Author: Michael Ellerman <[email protected]>
Date: Thu Mar 24 11:04:01 2016 +0000

ftrace: Make ftrace_location_range() global

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1538c778600000
start commit: abf02e29 Merge tag 'pm-5.2-rc6' of git://git.kernel.org/pu..
git tree: upstream
final crash: https://syzkaller.appspot.com/x/report.txt?x=1738c778600000
console output: https://syzkaller.appspot.com/x/log.txt?x=1338c778600000
kernel config: https://syzkaller.appspot.com/x/.config?x=56f1da14935c3cce
dashboard link: https://syzkaller.appspot.com/bug?extid=88533dc8b582309bf3ee
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16de5c06a00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10546026a00000

Reported-by: [email protected]
Fixes: 04cf31a759ef ("ftrace: Make ftrace_location_range() global")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

2019-07-28 16:53:02

by Nikolay Aleksandrov

[permalink] [raw]
Subject: Re: memory leak in fdb_create

On 28/07/2019 17:20, syzbot wrote:
> syzbot has bisected this bug to:
>
> commit 04cf31a759ef575f750a63777cee95500e410994
> Author: Michael Ellerman <[email protected]>
> Date:   Thu Mar 24 11:04:01 2016 +0000
>
>     ftrace: Make ftrace_location_range() global
>
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1538c778600000
> start commit:   abf02e29 Merge tag 'pm-5.2-rc6' of git://git.kernel.org/pu..
> git tree:       upstream
> final crash:    https://syzkaller.appspot.com/x/report.txt?x=1738c778600000
> console output: https://syzkaller.appspot.com/x/log.txt?x=1338c778600000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=56f1da14935c3cce
> dashboard link: https://syzkaller.appspot.com/bug?extid=88533dc8b582309bf3ee
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16de5c06a00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10546026a00000
>
> Reported-by: [email protected]
> Fixes: 04cf31a759ef ("ftrace: Make ftrace_location_range() global")
>
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection

I see the problem, it'd happen if the multicast stats memory allocation fails on bridge
init then the fdb added due to the default vlan would remain and the bridge kmem cache
would be destroyed while not empty (you can even trigger a BUG because of that).
I'll post a patch shortly after running a few tests.

Thanks,
Nik