Hello,

syzkaller has hit the following memory leak on 4.15-rc7:

unreferenced object 0xffff88007b704140 (size 256):
  comm "syz-executor6", pid 5661, jiffies 4294856803 (age 9.848s)
  hex dump (first 32 bytes):
    00 40 b7 2c 00 88 ff ff 00 00 00 00 00 00 00 00  .@.,............
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<0000000050f8eb54>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
    [<0000000050f8eb54>] slab_post_alloc_hook mm/slab.h:440 [inline]
    [<0000000050f8eb54>] slab_alloc_node mm/slub.c:2725 [inline]
    [<0000000050f8eb54>] slab_alloc mm/slub.c:2733 [inline]
    [<0000000050f8eb54>] kmem_cache_alloc_trace+0x126/0x290 mm/slub.c:2750
    [<000000004d4e9ef7>] kmalloc include/linux/slab.h:499 [inline]
    [<000000004d4e9ef7>] kzalloc include/linux/slab.h:688 [inline]
    [<000000004d4e9ef7>] vlan_info_alloc net/8021q/vlan_core.c:152 [inline]
    [<000000004d4e9ef7>] vlan_vid_add+0x710/0xb20 net/8021q/vlan_core.c:244
    [<000000000e87916f>] register_vlan_dev+0xbf/0x600 net/8021q/vlan.c:150
    [<00000000b2f0a3d2>] register_vlan_device net/8021q/vlan.c:273 [inline]
    [<00000000b2f0a3d2>] vlan_ioctl_handler+0xbac/0x140d net/8021q/vlan.c:593
    [<00000000c951ea6d>] sock_ioctl+0x2f8/0x460 net/socket.c:1039
    [<00000000e2a8e27a>] vfs_ioctl fs/ioctl.c:46 [inline]
    [<00000000e2a8e27a>] file_ioctl fs/ioctl.c:500 [inline]
    [<00000000e2a8e27a>] do_vfs_ioctl+0x1cf/0x16b0 fs/ioctl.c:684
    [<00000000ec28ff91>] SYSC_ioctl fs/ioctl.c:701 [inline]
    [<00000000ec28ff91>] SyS_ioctl+0xb6/0xe0 fs/ioctl.c:692

unreferenced object 0xffff88007c49aea0 (size 32):
  comm "syz-executor6", pid 5661, jiffies 4294856803 (age 9.862s)
  hex dump (first 32 bytes):
    e0 41 70 7b 00 88 ff ff e0 41 70 7b 00 88 ff ff  .Ap{.....Ap{....
    81 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<0000000050f8eb54>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
    [<0000000050f8eb54>] slab_post_alloc_hook mm/slab.h:440 [inline]
    [<0000000050f8eb54>] slab_alloc_node mm/slub.c:2725 [inline]
    [<0000000050f8eb54>] slab_alloc mm/slub.c:2733 [inline]
    [<0000000050f8eb54>] kmem_cache_alloc_trace+0x126/0x290 mm/slub.c:2750
    [<000000003d983c2c>] kmalloc include/linux/slab.h:499 [inline]
    [<000000003d983c2c>] kzalloc include/linux/slab.h:688 [inline]
    [<000000003d983c2c>] vlan_vid_info_alloc net/8021q/vlan_core.c:196 [inline]
    [<000000003d983c2c>] __vlan_vid_add net/8021q/vlan_core.c:213 [inline]
    [<000000003d983c2c>] vlan_vid_add+0x45a/0xb20 net/8021q/vlan_core.c:251
    [<000000000e87916f>] register_vlan_dev+0xbf/0x600 net/8021q/vlan.c:150
    [<00000000b2f0a3d2>] register_vlan_device net/8021q/vlan.c:273 [inline]
    [<00000000b2f0a3d2>] vlan_ioctl_handler+0xbac/0x140d net/8021q/vlan.c:593
    [<00000000c951ea6d>] sock_ioctl+0x2f8/0x460 net/socket.c:1039
    [<00000000e2a8e27a>] vfs_ioctl fs/ioctl.c:46 [inline]
    [<00000000e2a8e27a>] file_ioctl fs/ioctl.c:500 [inline]
    [<00000000e2a8e27a>] do_vfs_ioctl+0x1cf/0x16b0 fs/ioctl.c:684
    [<00000000ec28ff91>] SYSC_ioctl fs/ioctl.c:701 [inline]
    [<00000000ec28ff91>] SyS_ioctl+0xb6/0xe0 fs/ioctl.c:692

unreferenced object 0xffff88007d87a200 (size 4096):
  comm "syz-executor6", pid 5661, jiffies 4294856803 (age 9.863s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<0000000050f8eb54>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
    [<0000000050f8eb54>] slab_post_alloc_hook mm/slab.h:440 [inline]
    [<0000000050f8eb54>] slab_alloc_node mm/slub.c:2725 [inline]
    [<0000000050f8eb54>] slab_alloc mm/slub.c:2733 [inline]
    [<0000000050f8eb54>] kmem_cache_alloc_trace+0x126/0x290 mm/slub.c:2750
    [<00000000b52b3185>] kmalloc include/linux/slab.h:499 [inline]
    [<00000000b52b3185>] kzalloc include/linux/slab.h:688 [inline]
    [<00000000b52b3185>] vlan_group_prealloc_vid net/8021q/vlan.c:70 [inline]
    [<00000000b52b3185>] register_vlan_dev+0x4ac/0x600 net/8021q/vlan.c:168
    [<00000000b2f0a3d2>] register_vlan_device net/8021q/vlan.c:273 [inline]
    [<00000000b2f0a3d2>] vlan_ioctl_handler+0xbac/0x140d net/8021q/vlan.c:593
    [<00000000c951ea6d>] sock_ioctl+0x2f8/0x460 net/socket.c:1039
    [<00000000e2a8e27a>] vfs_ioctl fs/ioctl.c:46 [inline]
    [<00000000e2a8e27a>] file_ioctl fs/ioctl.c:500 [inline]
    [<00000000e2a8e27a>] do_vfs_ioctl+0x1cf/0x16b0 fs/ioctl.c:684
    [<00000000ec28ff91>] SYSC_ioctl fs/ioctl.c:701 [inline]
    [<00000000ec28ff91>] SyS_ioctl+0xb6/0xe0 fs/ioctl.c:692


Reproducer:

// autogenerated by syzkaller (http://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

// Reproducer for the kmemleak report above: it creates a tun interface named
// "syz0" and then issues a VLAN ioctl naming that interface on an AF_INET
// datagram socket. Per the backtraces, that ioctl reaches
// vlan_ioctl_handler -> register_vlan_device -> register_vlan_dev, where the
// three reported objects are allocated (vlan_info_alloc, vlan_vid_info_alloc,
// vlan_group_prealloc_vid).
//
// Triage notes:
//  - No syscall return value is checked, so a failed step (missing
//    /dev/net/tun, insufficient privilege, 8021q not available) passes
//    silently and the leak simply does not reproduce.
//  - The program exits without deleting the VLAN device or the tun interface;
//    the report does not say which teardown path loses the references, so the
//    root cause still has to be established from the kernel source.
//  - Both ioctls normally need CAP_NET_ADMIN; run only in a disposable test VM
//    with kmemleak enabled.
int main()
{
  long r[2];
  // Fixed-address scratch area used by every raw pointer store below:
  // prot 3 = PROT_READ|PROT_WRITE, flags 0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS
  // (x86 values). Statement order matters from here on because later stores
  // overwrite earlier ones.
  syscall(__NR_mmap, 0x20000000, 0xfff000, 3, 0x32, -1, 0);
  // flags 0 = O_RDONLY
  r[0] = syscall(__NR_open, "/dev/net/tun", 0);
  // Request buffer at 0x20927fd8: interface name "syz0" (0x73 0x79 0x7a 0x30)
  // plus NUL terminator.
  *(uint8_t*)0x20927fd8 = 0x73;
  *(uint8_t*)0x20927fd9 = 0x79;
  *(uint8_t*)0x20927fda = 0x7a;
  *(uint8_t*)0x20927fdb = 0x30;
  *(uint8_t*)0x20927fdc = 0;
  // Offset 16 of the request: presumably the struct ifreq flags/union area,
  // written here as 5 -- TODO confirm against the struct ifreq layout.
  *(uint32_t*)0x20927fe8 = 5;
  *(uint32_t*)0x20927fec = 0;
  // Offset 24: pointer to a second, zero-filled 10-byte region at 0x20c15000.
  *(uint64_t*)0x20927ff0 = 0x20c15000;
  *(uint32_t*)0x20c15000 = 0;
  *(uint32_t*)0x20c15004 = 0;
  *(uint16_t*)0x20c15008 = 0;
  // 0x400454ca = TUNSETIFF: attach the fd to (and create) interface "syz0".
  syscall(__NR_ioctl, r[0], 0x400454ca, 0x20927fd8);
  // socket(AF_INET, SOCK_DGRAM, 0): only used as a handle for the VLAN ioctl.
  r[1] = syscall(__NR_socket, 2, 2, 0);
  // Fill the first 16 bytes of the VLAN request with fuzzer-chosen data; bytes
  // 0..8 are overwritten below, bytes 9..15 keep these values.
  memcpy((void*)0x20006000,
    "\x1b\x52\x03\x10\xb5\x64\xc4\x23\x54\xe2\xd0\xb8\xa1\x4e\x1a\xd7", 16);
  *(uint32_t*)0x20006010 = 0;
  *(uint32_t*)0x20006014 = 0;
  // Offsets 24..31 hold the buffer's own address; presumably this spans the
  // tail of the device-name field and the VLAN id of struct vlan_ioctl_args
  // (leaving the id 0) -- TODO confirm against include/uapi/linux/if_vlan.h.
  *(uint64_t*)0x20006018 = 0x20006000;
  // Offset 0 = 0: presumably the command field (ADD_VLAN_CMD), consistent with
  // the register_vlan_device frame in the backtrace.
  *(uint32_t*)0x20006000 = 0;
  // Offset 4: device name "syz0" plus NUL, i.e. the tun interface created above.
  *(uint8_t*)0x20006004 = 0x73;
  *(uint8_t*)0x20006005 = 0x79;
  *(uint8_t*)0x20006006 = 0x7a;
  *(uint8_t*)0x20006007 = 0x30;
  *(uint8_t*)0x20006008 = 0;
  // 0x8983 = SIOCSIFVLAN: the call that appears as sock_ioctl ->
  // vlan_ioctl_handler in all three backtraces.
  syscall(__NR_ioctl, r[1], 0x8983, 0x20006000);
  return 0;
}
