multipath-tcp / mptcp_net-next

Development version of the Upstream MultiPath TCP Linux kernel 🐧
https://mptcp.dev

[syzkaller] memory leak in sk_clone_lock #108

Closed cpaasch closed 3 years ago

cpaasch commented 3 years ago
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '[localhost]:63195' (ECDSA) to the list of known hosts.
executing program
executing program
BUG: memory leak
unreferenced object 0xffff888106cb2e00 (size 2800):
  comm "softirq", pid 0, jiffies 4294868518 (age 20.738s)
  hex dump (first 32 bytes):
    7f 00 00 01 7f 00 00 01 8d 66 17 b4 00 00 00 00  .........f......
    02 00 07 40 00 00 00 00 98 22 cb 06 81 88 ff ff  ...@....."......
  backtrace:
    [<00000000c09ab652>] sk_prot_alloc.isra.0+0x57/0x260 net/core/sock.c:1660
    [<00000000c30d6958>] sk_clone_lock+0x45/0x1410 net/core/sock.c:1863
    [<00000000e4e5abb8>] inet_csk_clone_lock+0x21/0x470 net/ipv4/inet_connection_sock.c:830
    [<00000000aae760df>] tcp_create_openreq_child+0x30/0x1610 net/ipv4/tcp_minisocks.c:460
    [<00000000bf303e2d>] tcp_v4_syn_recv_sock+0xb6/0x1160 net/ipv4/tcp_ipv4.c:1514
    [<00000000cf027ef6>] subflow_syn_recv_sock+0x2be/0x1230 net/mptcp/subflow.c:555
    [<00000000580f0892>] tcp_check_req+0x677/0x1800 net/ipv4/tcp_minisocks.c:772
    [<0000000051f2f392>] tcp_v4_rcv+0x20b7/0x31c0 net/ipv4/tcp_ipv4.c:1973
    [<00000000fc4cae86>] ip_protocol_deliver_rcu+0x65/0x280 net/ipv4/ip_input.c:204
    [<00000000c5d96688>] ip_local_deliver_finish net/ipv4/ip_input.c:231 [inline]
    [<00000000c5d96688>] NF_HOOK include/linux/netfilter.h:409 [inline]
    [<00000000c5d96688>] ip_local_deliver+0x341/0x4d0 net/ipv4/ip_input.c:252
    [<0000000018353b97>] dst_input include/net/dst.h:447 [inline]
    [<0000000018353b97>] ip_rcv_finish net/ipv4/ip_input.c:428 [inline]
    [<0000000018353b97>] ip_rcv_finish net/ipv4/ip_input.c:414 [inline]
    [<0000000018353b97>] NF_HOOK include/linux/netfilter.h:409 [inline]
    [<0000000018353b97>] ip_rcv+0x126/0x220 net/ipv4/ip_input.c:539
    [<00000000895b6114>] __netif_receive_skb_one_core+0x197/0x1e0 net/core/dev.c:5315
    [<000000005d16798f>] __netif_receive_skb+0x27/0x1c0 net/core/dev.c:5429
    [<00000000e6c57394>] process_backlog+0x23b/0x7e0 net/core/dev.c:6319
    [<00000000bf4e7124>] napi_poll net/core/dev.c:6763 [inline]
    [<00000000bf4e7124>] net_rx_action+0x421/0xed0 net/core/dev.c:6833
    [<00000000a8290c58>] __do_softirq+0x1b7/0x7fb kernel/softirq.c:298

BUG: memory leak
unreferenced object 0xffff88810432cf00 (size 192):
  comm "softirq", pid 0, jiffies 4294868518 (age 20.738s)
  hex dump (first 32 bytes):
    f0 c8 79 04 81 88 ff ff f0 c8 79 04 81 88 ff ff  ..y.......y.....
    f2 a7 50 9e dd 86 b7 0a c3 b3 24 22 cf 98 f4 42  ..P.......$"...B
  backtrace:
    [<00000000542f543b>] kmalloc include/linux/slab.h:552 [inline]
    [<00000000542f543b>] kzalloc include/linux/slab.h:664 [inline]
    [<00000000542f543b>] subflow_create_ctx net/mptcp/subflow.c:1229 [inline]
    [<00000000542f543b>] subflow_ulp_clone+0x349/0xd80 net/mptcp/subflow.c:1364
    [<00000000d11d87c4>] inet_clone_ulp net/ipv4/inet_connection_sock.c:815 [inline]
    [<00000000d11d87c4>] inet_csk_clone_lock+0x3b6/0x470 net/ipv4/inet_connection_sock.c:858
    [<00000000aae760df>] tcp_create_openreq_child+0x30/0x1610 net/ipv4/tcp_minisocks.c:460
    [<00000000bf303e2d>] tcp_v4_syn_recv_sock+0xb6/0x1160 net/ipv4/tcp_ipv4.c:1514
    [<00000000cf027ef6>] subflow_syn_recv_sock+0x2be/0x1230 net/mptcp/subflow.c:555
    [<00000000580f0892>] tcp_check_req+0x677/0x1800 net/ipv4/tcp_minisocks.c:772
    [<0000000051f2f392>] tcp_v4_rcv+0x20b7/0x31c0 net/ipv4/tcp_ipv4.c:1973
    [<00000000fc4cae86>] ip_protocol_deliver_rcu+0x65/0x280 net/ipv4/ip_input.c:204
    [<00000000c5d96688>] ip_local_deliver_finish net/ipv4/ip_input.c:231 [inline]
    [<00000000c5d96688>] NF_HOOK include/linux/netfilter.h:409 [inline]
    [<00000000c5d96688>] ip_local_deliver+0x341/0x4d0 net/ipv4/ip_input.c:252
    [<0000000018353b97>] dst_input include/net/dst.h:447 [inline]
    [<0000000018353b97>] ip_rcv_finish net/ipv4/ip_input.c:428 [inline]
    [<0000000018353b97>] ip_rcv_finish net/ipv4/ip_input.c:414 [inline]
    [<0000000018353b97>] NF_HOOK include/linux/netfilter.h:409 [inline]
    [<0000000018353b97>] ip_rcv+0x126/0x220 net/ipv4/ip_input.c:539
    [<00000000895b6114>] __netif_receive_skb_one_core+0x197/0x1e0 net/core/dev.c:5315
    [<000000005d16798f>] __netif_receive_skb+0x27/0x1c0 net/core/dev.c:5429
    [<00000000e6c57394>] process_backlog+0x23b/0x7e0 net/core/dev.c:6319
    [<00000000bf4e7124>] napi_poll net/core/dev.c:6763 [inline]
    [<00000000bf4e7124>] net_rx_action+0x421/0xed0 net/core/dev.c:6833
    [<00000000a8290c58>] __do_softirq+0x1b7/0x7fb kernel/softirq.c:298
    [<00000000450c8e05>] asm_call_irq_on_stack+0x12/0x20

Reproducer

# {Threaded:false Collide:false Repeat:true RepeatTimes:0 Procs:1 Sandbox: Fault:false FaultCall:-1 FaultNth:0 Leak:true NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false Sysctl:false UseTmpDir:false HandleSegv:false Repro:false Trace:false}
r0 = socket$inet_mptcp(0x2, 0x1, 0x106)
r1 = socket$inet_mptcp(0x2, 0x1, 0x106)
bind$inet(r1, &(0x7f00000013c0)={0x2, 0x4e20, @multicast1}, 0x10)
connect$inet(r1, &(0x7f0000000040)={0x2, 0x0, @loopback}, 0x10)
listen(r1, 0x3)
connect$inet(r0, &(0x7f0000000040)={0x2, 0x4e20, @loopback}, 0x4b)

HEAD:
2d7e2cfcc130 ("DO-NOT-MERGE: mptcp: enabled by default") (HEAD, tag: export/20201105T061029, mptcp_net-next/export) (7 days ago)
b05f8b3a652b ("DO-NOT-MERGE: mptcp: use kmalloc on kasan build") (7 days ago)
10caf376e969 ("mptcp: track window announced to peer") (7 days ago)
418ca1fe433b ("selftests: mptcp: add ADD_ADDR IPv6 test cases") (7 days ago)
1eedcb850333 ("mptcp: send out dedicated ADD_ADDR packet") (7 days ago)
e88e50820922 ("mptcp: change add_addr_signal type") (7 days ago)
318dfb33afd5 ("mptcp: keep unaccepted MPC subflow into join list") (7 days ago)
11643ffeba22 ("selftests: mptcp: add link failure test case") (7 days ago)
a7bd7ed62509 ("mptcp: skip to next candidate if subflow has unacked data") (7 days ago)
bb42d1416bf8 ("mptcp: send explicit ack on delayed ack_seq incr") (7 days ago)
36c6e9976eae ("mptcp: keep track of advertised windows right edge") (7 days ago)
e518da8ade94 ("mptcp: rework poll+nospace handling") (7 days ago)
e81af88302e1 ("mptcp: try to push pending data on snd una updates") (7 days ago)
1cd22284eda5 ("mptcp: move page frag allocation in mptcp_sendmsg()") (7 days ago)
92fd8af5e25f ("mptcp: refactor shutdown and close") (7 days ago)
404eb18a6379 ("mptcp: introduce MPTCP snd_nxt") (7 days ago)
8521f48a11fc ("mptcp: add accounting for pending data") (7 days ago)
00637a928c4c ("mptcp: reduce the arguments of mptcp_sendmsg_frag") (7 days ago)
63f59dabb61e ("mptcp: introduce mptcp_schedule_work") (7 days ago)
6f83f9992bc0 ("tcp: factor out __tcp_close() helper") (7 days ago)
46e323657c32 ("mptcp: use tcp_build_frag()") (7 days ago)
b7cfbf903413 ("tcp: factor out tcp_build_frag()") (7 days ago)
74c0724344d8 ("bpf:selftests: add bpf_mptcp_sock() verifier tests") (7 days ago)
c82968a5ca08 ("bpf:selftests: add MPTCP test base") (7 days ago)
238fb240869b ("bpf: add 'bpf_mptcp_sock' structure and helper") (7 days ago)
66e73408b5b2 ("mptcp: attach subflow socket to parent cgroup") (7 days ago)
2295ca4483a4 ("bpf: expose is_mptcp flag to bpf_tcp_sock") (7 days ago)
b65ca4c38875 ("Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next") (mptcp_net-next/net-next) (8 days ago)

cpaasch commented 3 years ago

Different, but probably the same:

Syzkaller hit 'memory leak in inet_create' bug.

2020/11/16 22:10:29 executed programs: 61
2020/11/16 22:10:44 executed programs: 78
2020/11/16 22:10:58 executed programs: 99
2020/11/16 22:11:17 executed programs: 109
BUG: memory leak
unreferenced object 0xffff88810661e000 (size 4096):
  comm "syz-executor.5", pid 5068, jiffies 4295916275 (age 86.677s)
  hex dump (first 32 bytes):
    00 00 00 00 e0 00 00 02 00 00 00 00 00 00 20 4e  .............. N
    02 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00  ...@............
  backtrace:
    [<00000000b9898130>] kmalloc include/linux/slab.h:557 [inline]
    [<00000000b9898130>] sk_prot_alloc.isra.0+0x1bd/0x260 net/core/sock.c:1666
    [<000000004b8e9e59>] sk_alloc+0x33/0x870 net/core/sock.c:1720
    [<00000000e808c08b>] inet_create net/ipv4/af_inet.c:325 [inline]
    [<00000000e808c08b>] inet_create+0x34e/0xd90 net/ipv4/af_inet.c:248
    [<000000000961befb>] __sock_create+0x3e6/0x6c0 net/socket.c:1427
    [<000000007ec59eaf>] sock_create net/socket.c:1478 [inline]
    [<000000007ec59eaf>] __sys_socket+0xef/0x200 net/socket.c:1520
    [<00000000abfd6bd0>] __do_sys_socket net/socket.c:1529 [inline]
    [<00000000abfd6bd0>] __se_sys_socket net/socket.c:1527 [inline]
    [<00000000abfd6bd0>] __x64_sys_socket+0x6f/0xb0 net/socket.c:1527
    [<00000000b80e0ad4>] do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
    [<00000000ff96c59b>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

Syzkaller reproducer:
# {Threaded:true Collide:true Repeat:true RepeatTimes:0 Procs:8 Sandbox:none Fault:false FaultCall:-1 FaultNth:0 Leak:true NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false USB:false VhciInjection:false Wifi:false Sysctl:true UseTmpDir:true HandleSegv:true Repro:false Trace:false}
r0 = socket$inet_mptcp(0x2, 0x1, 0x106)
bind$inet(r0, &(0x7f00000013c0)={0x2, 0x4e20, @multicast2}, 0x10)
connect$inet(r0, &(0x7f0000000040)={0x2, 0x4e20, @loopback}, 0x4d)
setsockopt$inet_MCAST_JOIN_GROUP(r0, 0x0, 0x2a, 0x0, 0x0)

matttbe commented 3 years ago

@cpaasch could you check if these patches fix the two issues you reported, please?

(soon in the export branch, max 1h)

Thanks Paolo for the fix!

cpaasch commented 3 years ago

Yes, the issue is fixed!