LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
* memory leak in do_seccomp
@ 2020-08-11 17:06 syzbot
  2020-08-31  3:50 ` syzbot
  0 siblings, 1 reply; 11+ messages in thread
From: syzbot @ 2020-08-11 17:06 UTC (permalink / raw)
  To: andriin, ast, bpf, daniel, john.fastabend, kafai, keescook,
	kpsingh, linux-kernel, luto, netdev, songliubraving,
	syzkaller-bugs, wad, yhs

Hello,

syzbot found the following issue on:

HEAD commit:    449dc8c9 Merge tag 'for-v5.9' of git://git.kernel.org/pub/..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15d816c2900000
kernel config:  https://syzkaller.appspot.com/x/.config?x=4810fa4a53b3aa2c
dashboard link: https://syzkaller.appspot.com/bug?extid=3ad9614a12f80994c32e
compiler:       gcc (GCC) 10.1.0-syz 20200507
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=153d30e2900000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3ad9614a12f80994c32e@syzkaller.appspotmail.com

2020/08/09 00:29:47 executed programs: 3
BUG: memory leak
unreferenced object 0xffff88811310ea80 (size 96):
  comm "syz-executor.0", pid 6688, jiffies 4294954707 (age 12.810s)
  hex dump (first 32 bytes):
    01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 30 e0 00 00 c9 ff ff  .........0......
  backtrace:
    [<0000000073bb6e7d>] kmalloc include/linux/slab.h:554 [inline]
    [<0000000073bb6e7d>] kzalloc include/linux/slab.h:666 [inline]
    [<0000000073bb6e7d>] seccomp_prepare_filter kernel/seccomp.c:562 [inline]
    [<0000000073bb6e7d>] seccomp_prepare_user_filter kernel/seccomp.c:604 [inline]
    [<0000000073bb6e7d>] seccomp_set_mode_filter kernel/seccomp.c:1535 [inline]
    [<0000000073bb6e7d>] do_seccomp+0x2ec/0xd40 kernel/seccomp.c:1649
    [<00000000658618a4>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000b8258e4d>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffffc90000e03000 (size 4096):
  comm "syz-executor.0", pid 6688, jiffies 4294954707 (age 12.810s)
  hex dump (first 32 bytes):
    01 00 03 00 00 00 00 00 00 00 00 00 05 00 00 00  ................
    2d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  -...............
  backtrace:
    [<000000003b6a39af>] __vmalloc_node_range+0x2e1/0x3c0 mm/vmalloc.c:2520
    [<00000000eee59e12>] __vmalloc_node mm/vmalloc.c:2552 [inline]
    [<00000000eee59e12>] __vmalloc+0x49/0x50 mm/vmalloc.c:2566
    [<000000006e13ac2a>] bpf_prog_alloc_no_stats+0x32/0x100 kernel/bpf/core.c:85
    [<00000000cff3572c>] bpf_prog_alloc+0x1c/0xb0 kernel/bpf/core.c:111
    [<000000003222ffa9>] bpf_prog_create_from_user+0x5f/0x2a0 net/core/filter.c:1409
    [<00000000baa576ae>] seccomp_prepare_filter kernel/seccomp.c:567 [inline]
    [<00000000baa576ae>] seccomp_prepare_user_filter kernel/seccomp.c:604 [inline]
    [<00000000baa576ae>] seccomp_set_mode_filter kernel/seccomp.c:1535 [inline]
    [<00000000baa576ae>] do_seccomp+0x32e/0xd40 kernel/seccomp.c:1649
    [<00000000658618a4>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000b8258e4d>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff888113bc1c00 (size 1024):
  comm "syz-executor.0", pid 6688, jiffies 4294954707 (age 12.810s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<000000000466b245>] kmalloc include/linux/slab.h:554 [inline]
    [<000000000466b245>] kzalloc include/linux/slab.h:666 [inline]
    [<000000000466b245>] bpf_prog_alloc_no_stats+0x73/0x100 kernel/bpf/core.c:89
    [<00000000cff3572c>] bpf_prog_alloc+0x1c/0xb0 kernel/bpf/core.c:111
    [<000000003222ffa9>] bpf_prog_create_from_user+0x5f/0x2a0 net/core/filter.c:1409
    [<00000000baa576ae>] seccomp_prepare_filter kernel/seccomp.c:567 [inline]
    [<00000000baa576ae>] seccomp_prepare_user_filter kernel/seccomp.c:604 [inline]
    [<00000000baa576ae>] seccomp_set_mode_filter kernel/seccomp.c:1535 [inline]
    [<00000000baa576ae>] do_seccomp+0x32e/0xd40 kernel/seccomp.c:1649
    [<00000000658618a4>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000b8258e4d>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff8881154cb860 (size 32):
  comm "syz-executor.0", pid 6688, jiffies 4294954707 (age 12.810s)
  hex dump (first 32 bytes):
    01 00 73 74 65 6d 64 2d 00 5c d6 19 81 88 ff ff  ..stemd-.\......
    65 72 76 69 63 65 00 00 00 00 00 00 00 00 00 00  ervice..........
  backtrace:
    [<00000000561d65d4>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000561d65d4>] bpf_prog_store_orig_filter+0x33/0xa0 net/core/filter.c:1131
    [<000000005d9b7cd2>] bpf_prog_create_from_user+0xda/0x2a0 net/core/filter.c:1422
    [<00000000baa576ae>] seccomp_prepare_filter kernel/seccomp.c:567 [inline]
    [<00000000baa576ae>] seccomp_prepare_user_filter kernel/seccomp.c:604 [inline]
    [<00000000baa576ae>] seccomp_set_mode_filter kernel/seccomp.c:1535 [inline]
    [<00000000baa576ae>] do_seccomp+0x32e/0xd40 kernel/seccomp.c:1649
    [<00000000658618a4>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000b8258e4d>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff888119d65c00 (size 32):
  comm "syz-executor.0", pid 6688, jiffies 4294954707 (age 12.810s)
  hex dump (first 32 bytes):
    06 00 00 00 fb ff ff 7f 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<00000000ad603142>] kmemdup+0x23/0x50 mm/util.c:127
    [<0000000001d3eabf>] kmemdup include/linux/string.h:479 [inline]
    [<0000000001d3eabf>] bpf_prog_store_orig_filter+0x5e/0xa0 net/core/filter.c:1138
    [<000000005d9b7cd2>] bpf_prog_create_from_user+0xda/0x2a0 net/core/filter.c:1422
    [<00000000baa576ae>] seccomp_prepare_filter kernel/seccomp.c:567 [inline]
    [<00000000baa576ae>] seccomp_prepare_user_filter kernel/seccomp.c:604 [inline]
    [<00000000baa576ae>] seccomp_set_mode_filter kernel/seccomp.c:1535 [inline]
    [<00000000baa576ae>] do_seccomp+0x32e/0xd40 kernel/seccomp.c:1649
    [<00000000658618a4>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000b8258e4d>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff8881131ecb00 (size 96):
  comm "syz-executor.0", pid 6688, jiffies 4294954707 (age 12.810s)
  hex dump (first 32 bytes):
    01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
    80 ea 10 13 81 88 ff ff 00 b0 d8 00 00 c9 ff ff  ................
  backtrace:
    [<0000000073bb6e7d>] kmalloc include/linux/slab.h:554 [inline]
    [<0000000073bb6e7d>] kzalloc include/linux/slab.h:666 [inline]
    [<0000000073bb6e7d>] seccomp_prepare_filter kernel/seccomp.c:562 [inline]
    [<0000000073bb6e7d>] seccomp_prepare_user_filter kernel/seccomp.c:604 [inline]
    [<0000000073bb6e7d>] seccomp_set_mode_filter kernel/seccomp.c:1535 [inline]
    [<0000000073bb6e7d>] do_seccomp+0x2ec/0xd40 kernel/seccomp.c:1649
    [<00000000658618a4>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000b8258e4d>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811310e400 (size 96):
  comm "syz-executor.0", pid 6702, jiffies 4294955242 (age 7.460s)
  hex dump (first 32 bytes):
    01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 50 e1 00 00 c9 ff ff  .........P......
  backtrace:
    [<0000000073bb6e7d>] kmalloc include/linux/slab.h:554 [inline]
    [<0000000073bb6e7d>] kzalloc include/linux/slab.h:666 [inline]
    [<0000000073bb6e7d>] seccomp_prepare_filter kernel/seccomp.c:562 [inline]
    [<0000000073bb6e7d>] seccomp_prepare_user_filter kernel/seccomp.c:604 [inline]
    [<0000000073bb6e7d>] seccomp_set_mode_filter kernel/seccomp.c:1535 [inline]
    [<0000000073bb6e7d>] do_seccomp+0x2ec/0xd40 kernel/seccomp.c:1649
    [<00000000658618a4>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000b8258e4d>] entry_SYSCALL_64_after_hwframe+0x44/0xa9



---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: memory leak in do_seccomp
  2020-08-11 17:06 memory leak in do_seccomp syzbot
@ 2020-08-31  3:50 ` syzbot
  2020-08-31 23:25   ` Kees Cook
  0 siblings, 1 reply; 11+ messages in thread
From: syzbot @ 2020-08-31  3:50 UTC (permalink / raw)
  To: andriin, ast, bpf, daniel, john.fastabend, kafai, keescook,
	kpsingh, linux-kernel, luto, netdev, songliubraving,
	syzkaller-bugs, wad, yhs

syzbot has found a reproducer for the following issue on:

HEAD commit:    dcc5c6f0 Merge tag 'x86-urgent-2020-08-30' of git://git.ke..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10b297d5900000
kernel config:  https://syzkaller.appspot.com/x/.config?x=903b9fecc3c6d231
dashboard link: https://syzkaller.appspot.com/bug?extid=3ad9614a12f80994c32e
compiler:       gcc (GCC) 10.1.0-syz 20200507
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14649561900000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=118aacc1900000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3ad9614a12f80994c32e@syzkaller.appspotmail.com

executing program
executing program
executing program
executing program
executing program
BUG: memory leak
unreferenced object 0xffff88811ba93600 (size 64):
  comm "syz-executor680", pid 6503, jiffies 4294951104 (age 21.940s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 08 36 a9 1b 81 88 ff ff  .........6......
    08 36 a9 1b 81 88 ff ff 11 ce 98 89 3a d5 b4 8f  .6..........:...
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811ba936c0 (size 64):
  comm "syz-executor680", pid 6507, jiffies 4294951104 (age 21.940s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 c8 36 a9 1b 81 88 ff ff  .........6......
    c8 36 a9 1b 81 88 ff ff da fb d1 41 a1 10 39 25  .6.........A..9%
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811ba93700 (size 64):
  comm "syz-executor680", pid 6509, jiffies 4294951104 (age 21.940s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 08 37 a9 1b 81 88 ff ff  .........7......
    08 37 a9 1b 81 88 ff ff d9 22 de 70 43 30 b3 2f  .7.......".pC0./
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811ba93800 (size 64):
  comm "syz-executor680", pid 6511, jiffies 4294951104 (age 21.940s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 08 38 a9 1b 81 88 ff ff  .........8......
    08 38 a9 1b 81 88 ff ff e4 c1 14 15 81 90 49 44  .8............ID
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff8881193cb800 (size 64):
  comm "syz-executor680", pid 6506, jiffies 4294951104 (age 21.940s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 08 b8 3c 19 81 88 ff ff  ..........<.....
    08 b8 3c 19 81 88 ff ff 87 43 ff ae fd 23 b0 15  ..<......C...#..
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff8881193cb740 (size 64):
  comm "syz-executor680", pid 6513, jiffies 4294951104 (age 21.940s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 48 b7 3c 19 81 88 ff ff  ........H.<.....
    48 b7 3c 19 81 88 ff ff 0b 68 b6 93 80 9b 8d 35  H.<......h.....5
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff8881193cb640 (size 64):
  comm "syz-executor680", pid 6515, jiffies 4294951105 (age 21.930s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 48 b6 3c 19 81 88 ff ff  ........H.<.....
    48 b6 3c 19 81 88 ff ff b4 5e 22 0a b5 50 fa a5  H.<......^"..P..
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811ba93600 (size 64):
  comm "syz-executor680", pid 6503, jiffies 4294951104 (age 23.180s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 08 36 a9 1b 81 88 ff ff  .........6......
    08 36 a9 1b 81 88 ff ff 11 ce 98 89 3a d5 b4 8f  .6..........:...
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811ba936c0 (size 64):
  comm "syz-executor680", pid 6507, jiffies 4294951104 (age 23.180s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 c8 36 a9 1b 81 88 ff ff  .........6......
    c8 36 a9 1b 81 88 ff ff da fb d1 41 a1 10 39 25  .6.........A..9%
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811ba93700 (size 64):
  comm "syz-executor680", pid 6509, jiffies 4294951104 (age 23.180s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 08 37 a9 1b 81 88 ff ff  .........7......
    08 37 a9 1b 81 88 ff ff d9 22 de 70 43 30 b3 2f  .7.......".pC0./
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811ba93800 (size 64):
  comm "syz-executor680", pid 6511, jiffies 4294951104 (age 23.180s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 08 38 a9 1b 81 88 ff ff  .........8......
    08 38 a9 1b 81 88 ff ff e4 c1 14 15 81 90 49 44  .8............ID
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff8881193cb800 (size 64):
  comm "syz-executor680", pid 6506, jiffies 4294951104 (age 23.180s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 08 b8 3c 19 81 88 ff ff  ..........<.....
    08 b8 3c 19 81 88 ff ff 87 43 ff ae fd 23 b0 15  ..<......C...#..
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff8881193cb740 (size 64):
  comm "syz-executor680", pid 6513, jiffies 4294951104 (age 23.180s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 48 b7 3c 19 81 88 ff ff  ........H.<.....
    48 b7 3c 19 81 88 ff ff 0b 68 b6 93 80 9b 8d 35  H.<......h.....5
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff8881193cb640 (size 64):
  comm "syz-executor680", pid 6515, jiffies 4294951105 (age 23.170s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 48 b6 3c 19 81 88 ff ff  ........H.<.....
    48 b6 3c 19 81 88 ff ff b4 5e 22 0a b5 50 fa a5  H.<......^"..P..
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811ba93600 (size 64):
  comm "syz-executor680", pid 6503, jiffies 4294951104 (age 24.450s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 08 36 a9 1b 81 88 ff ff  .........6......
    08 36 a9 1b 81 88 ff ff 11 ce 98 89 3a d5 b4 8f  .6..........:...
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811ba936c0 (size 64):
  comm "syz-executor680", pid 6507, jiffies 4294951104 (age 24.450s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 c8 36 a9 1b 81 88 ff ff  .........6......
    c8 36 a9 1b 81 88 ff ff da fb d1 41 a1 10 39 25  .6.........A..9%
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811ba93700 (size 64):
  comm "syz-executor680", pid 6509, jiffies 4294951104 (age 24.450s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 08 37 a9 1b 81 88 ff ff  .........7......
    08 37 a9 1b 81 88 ff ff d9 22 de 70 43 30 b3 2f  .7.......".pC0./
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811ba93800 (size 64):
  comm "syz-executor680", pid 6511, jiffies 4294951104 (age 24.450s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 08 38 a9 1b 81 88 ff ff  .........8......
    08 38 a9 1b 81 88 ff ff e4 c1 14 15 81 90 49 44  .8............ID
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff8881193cb800 (size 64):
  comm "syz-executor680", pid 6506, jiffies 4294951104 (age 24.450s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 08 b8 3c 19 81 88 ff ff  ..........<.....
    08 b8 3c 19 81 88 ff ff 87 43 ff ae fd 23 b0 15  ..<......C...#..
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff8881193cb740 (size 64):
  comm "syz-executor680", pid 6513, jiffies 4294951104 (age 24.450s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 48 b7 3c 19 81 88 ff ff  ........H.<.....
    48 b7 3c 19 81 88 ff ff 0b 68 b6 93 80 9b 8d 35  H.<......h.....5
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff8881193cb640 (size 64):
  comm "syz-executor680", pid 6515, jiffies 4294951105 (age 24.440s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 48 b6 3c 19 81 88 ff ff  ........H.<.....
    48 b6 3c 19 81 88 ff ff b4 5e 22 0a b5 50 fa a5  H.<......^"..P..
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811ba93600 (size 64):
  comm "syz-executor680", pid 6503, jiffies 4294951104 (age 25.710s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 08 36 a9 1b 81 88 ff ff  .........6......
    08 36 a9 1b 81 88 ff ff 11 ce 98 89 3a d5 b4 8f  .6..........:...
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811ba936c0 (size 64):
  comm "syz-executor680", pid 6507, jiffies 4294951104 (age 25.710s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 c8 36 a9 1b 81 88 ff ff  .........6......
    c8 36 a9 1b 81 88 ff ff da fb d1 41 a1 10 39 25  .6.........A..9%
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811ba93700 (size 64):
  comm "syz-executor680", pid 6509, jiffies 4294951104 (age 25.710s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 08 37 a9 1b 81 88 ff ff  .........7......
    08 37 a9 1b 81 88 ff ff d9 22 de 70 43 30 b3 2f  .7.......".pC0./
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811ba93800 (size 64):
  comm "syz-executor680", pid 6511, jiffies 4294951104 (age 25.710s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 08 38 a9 1b 81 88 ff ff  .........8......
    08 38 a9 1b 81 88 ff ff e4 c1 14 15 81 90 49 44  .8............ID
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff8881193cb800 (size 64):
  comm "syz-executor680", pid 6506, jiffies 4294951104 (age 25.710s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 08 b8 3c 19 81 88 ff ff  ..........<.....
    08 b8 3c 19 81 88 ff ff 87 43 ff ae fd 23 b0 15  ..<......C...#..
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff8881193cb740 (size 64):
  comm "syz-executor680", pid 6513, jiffies 4294951104 (age 25.710s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 48 b7 3c 19 81 88 ff ff  ........H.<.....
    48 b7 3c 19 81 88 ff ff 0b 68 b6 93 80 9b 8d 35  H.<......h.....5
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff8881193cb640 (size 64):
  comm "syz-executor680", pid 6515, jiffies 4294951105 (age 25.700s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 48 b6 3c 19 81 88 ff ff  ........H.<.....
    48 b6 3c 19 81 88 ff ff b4 5e 22 0a b5 50 fa a5  H.<......^"..P..
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811ba93600 (size 64):
  comm "syz-executor680", pid 6503, jiffies 4294951104 (age 28.150s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 08 36 a9 1b 81 88 ff ff  .........6......
    08 36 a9 1b 81 88 ff ff 11 ce 98 89 3a d5 b4 8f  .6..........:...
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811ba936c0 (size 64):
  comm "syz-executor680", pid 6507, jiffies 4294951104 (age 28.150s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 c8 36 a9 1b 81 88 ff ff  .........6......
    c8 36 a9 1b 81 88 ff ff da fb d1 41 a1 10 39 25  .6.........A..9%
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811ba93700 (size 64):
  comm "syz-executor680", pid 6509, jiffies 4294951104 (age 28.150s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 08 37 a9 1b 81 88 ff ff  .........7......
    08 37 a9 1b 81 88 ff ff d9 22 de 70 43 30 b3 2f  .7.......".pC0./
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811ba93800 (size 64):
  comm "syz-executor680", pid 6511, jiffies 4294951104 (age 28.150s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 08 38 a9 1b 81 88 ff ff  .........8......
    08 38 a9 1b 81 88 ff ff e4 c1 14 15 81 90 49 44  .8............ID
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff8881193cb800 (size 64):
  comm "syz-executor680", pid 6506, jiffies 4294951104 (age 28.150s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 08 b8 3c 19 81 88 ff ff  ..........<.....
    08 b8 3c 19 81 88 ff ff 87 43 ff ae fd 23 b0 15  ..<......C...#..
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff8881193cb740 (size 64):
  comm "syz-executor680", pid 6513, jiffies 4294951104 (age 28.150s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 48 b7 3c 19 81 88 ff ff  ........H.<.....
    48 b7 3c 19 81 88 ff ff 0b 68 b6 93 80 9b 8d 35  H.<......h.....5
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff8881193cb640 (size 64):
  comm "syz-executor680", pid 6515, jiffies 4294951105 (age 28.140s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 48 b6 3c 19 81 88 ff ff  ........H.<.....
    48 b6 3c 19 81 88 ff ff b4 5e 22 0a b5 50 fa a5  H.<......^"..P..
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811ba93600 (size 64):
  comm "syz-executor680", pid 6503, jiffies 4294951104 (age 29.390s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 08 36 a9 1b 81 88 ff ff  .........6......
    08 36 a9 1b 81 88 ff ff 11 ce 98 89 3a d5 b4 8f  .6..........:...
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811ba936c0 (size 64):
  comm "syz-executor680", pid 6507, jiffies 4294951104 (age 29.390s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 c8 36 a9 1b 81 88 ff ff  .........6......
    c8 36 a9 1b 81 88 ff ff da fb d1 41 a1 10 39 25  .6.........A..9%
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811ba93700 (size 64):
  comm "syz-executor680", pid 6509, jiffies 4294951104 (age 29.390s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 08 37 a9 1b 81 88 ff ff  .........7......
    08 37 a9 1b 81 88 ff ff d9 22 de 70 43 30 b3 2f  .7.......".pC0./
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811ba93800 (size 64):
  comm "syz-executor680", pid 6511, jiffies 4294951104 (age 29.390s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 08 38 a9 1b 81 88 ff ff  .........8......
    08 38 a9 1b 81 88 ff ff e4 c1 14 15 81 90 49 44  .8............ID
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff8881193cb800 (size 64):
  comm "syz-executor680", pid 6506, jiffies 4294951104 (age 29.390s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 08 b8 3c 19 81 88 ff ff  ..........<.....
    08 b8 3c 19 81 88 ff ff 87 43 ff ae fd 23 b0 15  ..<......C...#..
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff8881193cb740 (size 64):
  comm "syz-executor680", pid 6513, jiffies 4294951104 (age 29.390s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 48 b7 3c 19 81 88 ff ff  ........H.<.....
    48 b7 3c 19 81 88 ff ff 0b 68 b6 93 80 9b 8d 35  H.<......h.....5
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff8881193cb640 (size 64):
  comm "syz-executor680", pid 6515, jiffies 4294951105 (age 29.380s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 48 b6 3c 19 81 88 ff ff  ........H.<.....
    48 b6 3c 19 81 88 ff ff b4 5e 22 0a b5 50 fa a5  H.<......^"..P..
  backtrace:
    [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
    [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
    [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
    [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
    [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
    [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
    [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

executing program
executing program


^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: memory leak in do_seccomp
  2020-08-31  3:50 ` syzbot
@ 2020-08-31 23:25   ` Kees Cook
  2020-09-01  0:09     ` Tycho Andersen
  0 siblings, 1 reply; 11+ messages in thread
From: Kees Cook @ 2020-08-31 23:25 UTC (permalink / raw)
  To: Tycho Andersen, Christian Brauner
  Cc: linux-kernel, luto, syzbot, syzkaller-bugs, wad

On Sun, Aug 30, 2020 at 08:50:15PM -0700, syzbot wrote:
> syzbot has found a reproducer for the following issue on:
> 
> HEAD commit:    dcc5c6f0 Merge tag 'x86-urgent-2020-08-30' of git://git.ke..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=10b297d5900000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=903b9fecc3c6d231
> dashboard link: https://syzkaller.appspot.com/bug?extid=3ad9614a12f80994c32e
> compiler:       gcc (GCC) 10.1.0-syz 20200507
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14649561900000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=118aacc1900000
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+3ad9614a12f80994c32e@syzkaller.appspotmail.com
> 
> executing program
> executing program
> executing program
> executing program
> executing program
> BUG: memory leak
> unreferenced object 0xffff88811ba93600 (size 64):
>   comm "syz-executor680", pid 6503, jiffies 4294951104 (age 21.940s)
>   hex dump (first 32 bytes):
>     00 00 00 00 00 00 00 00 08 36 a9 1b 81 88 ff ff  .........6......
>     08 36 a9 1b 81 88 ff ff 11 ce 98 89 3a d5 b4 8f  .6..........:...
>   backtrace:
>     [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
>     [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
>     [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
>     [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
>     [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
>     [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
>     [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

I haven't narrowed this down yet (and it *might* be a false positive),
but it looks like this is filter->notif. The only way that's possible is
if seccomp_notify_release() was never called *and* seccomp_filter_free()
got called... which would imply a reference counting problem. The way
there doesn't jump out at me yet, but I haven't yet decoded the C
reproducer into the actual seccomp arguments, etc.

-- 
Kees Cook

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: memory leak in do_seccomp
  2020-08-31 23:25   ` Kees Cook
@ 2020-09-01  0:09     ` Tycho Andersen
  2020-09-01  1:14       ` Tycho Andersen
  0 siblings, 1 reply; 11+ messages in thread
From: Tycho Andersen @ 2020-09-01  0:09 UTC (permalink / raw)
  To: Kees Cook
  Cc: Christian Brauner, linux-kernel, luto, syzbot, syzkaller-bugs,
	wad, Tycho Andersen

On Mon, Aug 31, 2020 at 04:25:35PM -0700, Kees Cook wrote:
> On Sun, Aug 30, 2020 at 08:50:15PM -0700, syzbot wrote:
> > syzbot has found a reproducer for the following issue on:
> > 
> > HEAD commit:    dcc5c6f0 Merge tag 'x86-urgent-2020-08-30' of git://git.ke..
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=10b297d5900000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=903b9fecc3c6d231
> > dashboard link: https://syzkaller.appspot.com/bug?extid=3ad9614a12f80994c32e
> > compiler:       gcc (GCC) 10.1.0-syz 20200507
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14649561900000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=118aacc1900000
> > 
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+3ad9614a12f80994c32e@syzkaller.appspotmail.com
> > 
> > executing program
> > executing program
> > executing program
> > executing program
> > executing program
> > BUG: memory leak
> > unreferenced object 0xffff88811ba93600 (size 64):
> >   comm "syz-executor680", pid 6503, jiffies 4294951104 (age 21.940s)
> >   hex dump (first 32 bytes):
> >     00 00 00 00 00 00 00 00 08 36 a9 1b 81 88 ff ff  .........6......
> >     08 36 a9 1b 81 88 ff ff 11 ce 98 89 3a d5 b4 8f  .6..........:...
> >   backtrace:
> >     [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
> >     [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
> >     [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
> >     [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
> >     [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
> >     [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
> >     [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> 
> I haven't narrowed this down yet (and it *might* be a false positive),
> but it looks like this is filter->notif. The only way that's possible is
> if seccomp_notify_release() was never called *and* seccomp_filter_free()
> got called... which would imply a reference counting problem. The way
> there doesn't jump out at me yet, but I haven't yet decoded the C
> reproducer into the actual seccomp arguments, etc.

Looks like it's just a bunch of threads in the same thread group
trying to install a filter with TSYNC and NEW_LISTENER turned on. Does
the patch below look reasonable?

I didn't send it separately since I'm in the process of switching my
e-mail address to tycho@tycho.pizza; let this e-mail serve as proof
that that e-mail really is me too :). I can send it the normal way if
it looks good.


From d497e787e8e1b3e8b9230fdc4c9802616709c920 Mon Sep 17 00:00:00 2001
From: Tycho Andersen <tycho@tycho.pizza>
Date: Mon, 31 Aug 2020 17:55:07 -0600
Subject: [PATCH] seccomp: don't leak memory when filter install races

In seccomp_set_mode_filter() with TSYNC | NEW_LISTENER, we first initialize
the listener fd, then check to see if we can actually use it later in
seccomp_may_assign_mode(), which can fail if anyone else in our thread
group has installed a filter and caused some divergence. If we can't, we
partially clean up the newly allocated file: we put the fd, put the file,
but don't actually clean up the *memory* that was allocated at
filter->notif. Let's clean that up too.

Fixes: 51891498f2da ("seccomp: allow TSYNC and USER_NOTIF together")
Reported-by: syzbot+3ad9614a12f80994c32e@syzkaller.appspotmail.com
Signed-off-by: Tycho Andersen <tycho@tycho.pizza>
---
 kernel/seccomp.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index 3ee59ce0a323..21a76127833f 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -1581,6 +1581,8 @@ static long seccomp_set_mode_filter(unsigned int flags,
 			listener_f->private_data = NULL;
 			fput(listener_f);
 			put_unused_fd(listener);
+			kfree(filter->notif);
+			filter->notif = NULL;
 		} else {
 			fd_install(listener, listener_f);
 			ret = listener;

base-commit: b51594df17d0ce80b9f9f35394a1f42d7ac94472
-- 
2.25.1


^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: memory leak in do_seccomp
  2020-09-01  0:09     ` Tycho Andersen
@ 2020-09-01  1:14       ` Tycho Andersen
  2020-09-01 10:07         ` Christian Brauner
  2020-09-01 15:08         ` Kees Cook
  0 siblings, 2 replies; 11+ messages in thread
From: Tycho Andersen @ 2020-09-01  1:14 UTC (permalink / raw)
  To: Kees Cook
  Cc: Christian Brauner, linux-kernel, luto, syzbot, syzkaller-bugs, wad

On Mon, Aug 31, 2020 at 06:09:15PM -0600, Tycho Andersen wrote:
> On Mon, Aug 31, 2020 at 04:25:35PM -0700, Kees Cook wrote:
> > On Sun, Aug 30, 2020 at 08:50:15PM -0700, syzbot wrote:
> > > syzbot has found a reproducer for the following issue on:
> > > 
> > > HEAD commit:    dcc5c6f0 Merge tag 'x86-urgent-2020-08-30' of git://git.ke..
> > > git tree:       upstream
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=10b297d5900000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=903b9fecc3c6d231
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=3ad9614a12f80994c32e
> > > compiler:       gcc (GCC) 10.1.0-syz 20200507
> > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14649561900000
> > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=118aacc1900000
> > > 
> > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > Reported-by: syzbot+3ad9614a12f80994c32e@syzkaller.appspotmail.com
> > > 
> > > executing program
> > > executing program
> > > executing program
> > > executing program
> > > executing program
> > > BUG: memory leak
> > > unreferenced object 0xffff88811ba93600 (size 64):
> > >   comm "syz-executor680", pid 6503, jiffies 4294951104 (age 21.940s)
> > >   hex dump (first 32 bytes):
> > >     00 00 00 00 00 00 00 00 08 36 a9 1b 81 88 ff ff  .........6......
> > >     08 36 a9 1b 81 88 ff ff 11 ce 98 89 3a d5 b4 8f  .6..........:...
> > >   backtrace:
> > >     [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
> > >     [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
> > >     [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
> > >     [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
> > >     [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
> > >     [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
> > >     [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> > 
> > I haven't narrowed this down yet (and it *might* be a false positive),
> > but it looks like this is filter->notif. The only way that's possible is
> > if seccomp_notify_release() was never called *and* seccomp_filter_free()
> > got called... which would imply a reference counting problem. The way
> > there doesn't jump out at me yet, but I haven't yet decoded the C
> > reproducer into the actual seccomp arguments, etc.
> 
> Looks like it's just a bunch of threads in the same thread group
> trying to install a filter with TSYNC and NEW_LISTENER turned on. Does
> the patch below look reasonable?
> 
> I didn't send it separately since I'm in the process of switching my
> e-mail address to tycho@tycho.pizza; let this e-mail serve as proof
> that that e-mail really is me too :). I can send it the normal way if
> it looks good.
> 
> 
> From d497e787e8e1b3e8b9230fdc4c9802616709c920 Mon Sep 17 00:00:00 2001
> From: Tycho Andersen <tycho@tycho.pizza>
> Date: Mon, 31 Aug 2020 17:55:07 -0600
> Subject: [PATCH] seccomp: don't leak memory when filter install races
> 
> In seccomp_set_mode_filter() with TSYNC | NEW_LISTENER, we first initialize
> the listener fd, then check to see if we can actually use it later in
> seccomp_may_assign_mode(), which can fail if anyone else in our thread
> group has installed a filter and caused some divergence. If we can't, we
> partially clean up the newly allocated file: we put the fd, put the file,
> but don't actually clean up the *memory* that was allocated at
> filter->notif. Let's clean that up too.
> 
> Fixes: 51891498f2da ("seccomp: allow TSYNC and USER_NOTIF together")
> Reported-by: syzbot+3ad9614a12f80994c32e@syzkaller.appspotmail.com
> Signed-off-by: Tycho Andersen <tycho@tycho.pizza>
> ---
>  kernel/seccomp.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/kernel/seccomp.c b/kernel/seccomp.c
> index 3ee59ce0a323..21a76127833f 100644
> --- a/kernel/seccomp.c
> +++ b/kernel/seccomp.c
> @@ -1581,6 +1581,8 @@ static long seccomp_set_mode_filter(unsigned int flags,
>  			listener_f->private_data = NULL;
>  			fput(listener_f);
>  			put_unused_fd(listener);
> +			kfree(filter->notif);
> +			filter->notif = NULL;

Oof, actually this isn't quite right. It should be s/filter/prepared/g.
I can fix that and send out a real patch that's actually tested at
some point tomorrow.

Tycho

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: memory leak in do_seccomp
  2020-09-01  1:14       ` Tycho Andersen
@ 2020-09-01 10:07         ` Christian Brauner
  2020-09-01 15:08         ` Kees Cook
  1 sibling, 0 replies; 11+ messages in thread
From: Christian Brauner @ 2020-09-01 10:07 UTC (permalink / raw)
  To: Tycho Andersen
  Cc: Kees Cook, Christian Brauner, linux-kernel, luto, syzbot,
	syzkaller-bugs, wad

On Mon, Aug 31, 2020 at 07:14:59PM -0600, Tycho Andersen wrote:
> On Mon, Aug 31, 2020 at 06:09:15PM -0600, Tycho Andersen wrote:
> > On Mon, Aug 31, 2020 at 04:25:35PM -0700, Kees Cook wrote:
> > > On Sun, Aug 30, 2020 at 08:50:15PM -0700, syzbot wrote:
> > > > syzbot has found a reproducer for the following issue on:
> > > > 
> > > > HEAD commit:    dcc5c6f0 Merge tag 'x86-urgent-2020-08-30' of git://git.ke..
> > > > git tree:       upstream
> > > > console output: https://syzkaller.appspot.com/x/log.txt?x=10b297d5900000
> > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=903b9fecc3c6d231
> > > > dashboard link: https://syzkaller.appspot.com/bug?extid=3ad9614a12f80994c32e
> > > > compiler:       gcc (GCC) 10.1.0-syz 20200507
> > > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14649561900000
> > > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=118aacc1900000
> > > > 
> > > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > > Reported-by: syzbot+3ad9614a12f80994c32e@syzkaller.appspotmail.com
> > > > 
> > > > executing program
> > > > executing program
> > > > executing program
> > > > executing program
> > > > executing program
> > > > BUG: memory leak
> > > > unreferenced object 0xffff88811ba93600 (size 64):
> > > >   comm "syz-executor680", pid 6503, jiffies 4294951104 (age 21.940s)
> > > >   hex dump (first 32 bytes):
> > > >     00 00 00 00 00 00 00 00 08 36 a9 1b 81 88 ff ff  .........6......
> > > >     08 36 a9 1b 81 88 ff ff 11 ce 98 89 3a d5 b4 8f  .6..........:...
> > > >   backtrace:
> > > >     [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
> > > >     [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
> > > >     [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
> > > >     [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
> > > >     [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
> > > >     [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
> > > >     [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> > > 
> > > I haven't narrowed this down yet (and it *might* be a false positive),
> > > but it looks like this is filter->notif. The only way that's possible is
> > > if seccomp_notify_release() was never called *and* seccomp_filter_free()
> > > got called... which would imply a reference counting problem. The way
> > > there doesn't jump out at me yet, but I haven't yet decoded the C
> > > reproducer into the actual seccomp arguments, etc.
> > 
> > Looks like it's just a bunch of threads in the same thread group
> > trying to install a filter with TSYNC and NEW_LISTENER turned on. Does
> > the patch below look reasonable?
> > 
> > I didn't send it separately since I'm in the process of switching my
> > e-mail address to tycho@tycho.pizza; let this e-mail serve as proof
> > that that e-mail really is me too :). I can send it the normal way if
> > it looks good.
> > 
> > 
> > From d497e787e8e1b3e8b9230fdc4c9802616709c920 Mon Sep 17 00:00:00 2001
> > From: Tycho Andersen <tycho@tycho.pizza>
> > Date: Mon, 31 Aug 2020 17:55:07 -0600
> > Subject: [PATCH] seccomp: don't leak memory when filter install races
> > 
> > In seccomp_set_mode_filter() with TSYNC | NEW_LISTENER, we first initialize
> > the listener fd, then check to see if we can actually use it later in
> > seccomp_may_assign_mode(), which can fail if anyone else in our thread
> > group has installed a filter and caused some divergence. If we can't, we
> > partially clean up the newly allocated file: we put the fd, put the file,
> > but don't actually clean up the *memory* that was allocated at
> > filter->notif. Let's clean that up too.
> > 
> > Fixes: 51891498f2da ("seccomp: allow TSYNC and USER_NOTIF together")
> > Reported-by: syzbot+3ad9614a12f80994c32e@syzkaller.appspotmail.com
> > Signed-off-by: Tycho Andersen <tycho@tycho.pizza>
> > ---
> >  kernel/seccomp.c | 2 ++
> >  1 file changed, 2 insertions(+)
> > 
> > diff --git a/kernel/seccomp.c b/kernel/seccomp.c
> > index 3ee59ce0a323..21a76127833f 100644
> > --- a/kernel/seccomp.c
> > +++ b/kernel/seccomp.c
> > @@ -1581,6 +1581,8 @@ static long seccomp_set_mode_filter(unsigned int flags,
> >  			listener_f->private_data = NULL;
> >  			fput(listener_f);
> >  			put_unused_fd(listener);
> > +			kfree(filter->notif);
> > +			filter->notif = NULL;
> 
> Oof, actually this isn't quite right. It should be s/filter/prepared/g.
> I can fix that and send out a real patch that's actually tested at
> some point tomorrow.

Please do. :)
Do we have tests for this scenario in the selftests, Tycho?

Christian

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: memory leak in do_seccomp
  2020-09-01  1:14       ` Tycho Andersen
  2020-09-01 10:07         ` Christian Brauner
@ 2020-09-01 15:08         ` Kees Cook
  2020-09-01 15:26           ` Tycho Andersen
  1 sibling, 1 reply; 11+ messages in thread
From: Kees Cook @ 2020-09-01 15:08 UTC (permalink / raw)
  To: Tycho Andersen
  Cc: Christian Brauner, linux-kernel, luto, syzbot, syzkaller-bugs, wad

On Mon, Aug 31, 2020 at 07:14:59PM -0600, Tycho Andersen wrote:
> On Mon, Aug 31, 2020 at 06:09:15PM -0600, Tycho Andersen wrote:
> > On Mon, Aug 31, 2020 at 04:25:35PM -0700, Kees Cook wrote:
> > > On Sun, Aug 30, 2020 at 08:50:15PM -0700, syzbot wrote:
> > > > syzbot has found a reproducer for the following issue on:
> > > > 
> > > > HEAD commit:    dcc5c6f0 Merge tag 'x86-urgent-2020-08-30' of git://git.ke..
> > > > git tree:       upstream
> > > > console output: https://syzkaller.appspot.com/x/log.txt?x=10b297d5900000
> > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=903b9fecc3c6d231
> > > > dashboard link: https://syzkaller.appspot.com/bug?extid=3ad9614a12f80994c32e
> > > > compiler:       gcc (GCC) 10.1.0-syz 20200507
> > > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14649561900000
> > > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=118aacc1900000
> > > > 
> > > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > > Reported-by: syzbot+3ad9614a12f80994c32e@syzkaller.appspotmail.com
> > > > 
> > > > executing program
> > > > executing program
> > > > executing program
> > > > executing program
> > > > executing program
> > > > BUG: memory leak
> > > > unreferenced object 0xffff88811ba93600 (size 64):
> > > >   comm "syz-executor680", pid 6503, jiffies 4294951104 (age 21.940s)
> > > >   hex dump (first 32 bytes):
> > > >     00 00 00 00 00 00 00 00 08 36 a9 1b 81 88 ff ff  .........6......
> > > >     08 36 a9 1b 81 88 ff ff 11 ce 98 89 3a d5 b4 8f  .6..........:...
> > > >   backtrace:
> > > >     [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
> > > >     [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
> > > >     [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
> > > >     [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
> > > >     [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
> > > >     [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
> > > >     [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> > > 
> > > I haven't narrowed this down yet (and it *might* be a false positive),
> > > but it looks like this is filter->notif. The only way that's possible is
> > > if seccomp_notify_release() was never called *and* seccomp_filter_free()
> > > got called... which would imply a reference counting problem. The way
> > > there doesn't jump out at me yet, but I haven't yet decoded the C
> > > reproducer into the actual seccomp arguments, etc.
> > 
> > Looks like it's just a bunch of threads in the same thread group
> > trying to install a filter with TSYNC and NEW_LISTENER turned on. Does
> > the patch below look reasonable?
> > 
> > I didn't send it separately since I'm in the process of switching my
> > e-mail address to tycho@tycho.pizza; let this e-mail serve as proof
> > that that e-mail really is me too :). I can send it the normal way if
> > it looks good.
> > 
> > 
> > From d497e787e8e1b3e8b9230fdc4c9802616709c920 Mon Sep 17 00:00:00 2001
> > From: Tycho Andersen <tycho@tycho.pizza>
> > Date: Mon, 31 Aug 2020 17:55:07 -0600
> > Subject: [PATCH] seccomp: don't leak memory when filter install races
> > 
> > In seccomp_set_mode_filter() with TSYNC | NEW_LISTENER, we first initialize
> > the listener fd, then check to see if we can actually use it later in
> > seccomp_may_assign_mode(), which can fail if anyone else in our thread
> > group has installed a filter and caused some divergence. If we can't, we
> > partially clean up the newly allocated file: we put the fd, put the file,
> > but don't actually clean up the *memory* that was allocated at
> > filter->notif. Let's clean that up too.
> > 
> > Fixes: 51891498f2da ("seccomp: allow TSYNC and USER_NOTIF together")
> > Reported-by: syzbot+3ad9614a12f80994c32e@syzkaller.appspotmail.com
> > Signed-off-by: Tycho Andersen <tycho@tycho.pizza>
> > ---
> >  kernel/seccomp.c | 2 ++
> >  1 file changed, 2 insertions(+)
> > 
> > diff --git a/kernel/seccomp.c b/kernel/seccomp.c
> > index 3ee59ce0a323..21a76127833f 100644
> > --- a/kernel/seccomp.c
> > +++ b/kernel/seccomp.c
> > @@ -1581,6 +1581,8 @@ static long seccomp_set_mode_filter(unsigned int flags,
> >  			listener_f->private_data = NULL;
> >  			fput(listener_f);
> >  			put_unused_fd(listener);
> > +			kfree(filter->notif);
> > +			filter->notif = NULL;
> 
> Oof, actually this isn't quite right. It should be s/filter/prepared/g.
> I can fix that and send out a real patch that's actually tested at
> some point tomorrow.

Ah! Yes, nice catch. I was staring at the wrong failure path. :)

I'm thinking the free/NULL pattern, since it's repeated in a few places,
should likely be a short helper. I'll stare at this some more...

-- 
Kees Cook

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: memory leak in do_seccomp
  2020-09-01 15:08         ` Kees Cook
@ 2020-09-01 15:26           ` Tycho Andersen
  0 siblings, 0 replies; 11+ messages in thread
From: Tycho Andersen @ 2020-09-01 15:26 UTC (permalink / raw)
  To: Kees Cook
  Cc: Christian Brauner, linux-kernel, luto, syzbot, syzkaller-bugs, wad

On Tue, Sep 01, 2020 at 08:08:13AM -0700, Kees Cook wrote:
> On Mon, Aug 31, 2020 at 07:14:59PM -0600, Tycho Andersen wrote:
> > On Mon, Aug 31, 2020 at 06:09:15PM -0600, Tycho Andersen wrote:
> > > On Mon, Aug 31, 2020 at 04:25:35PM -0700, Kees Cook wrote:
> > > > On Sun, Aug 30, 2020 at 08:50:15PM -0700, syzbot wrote:
> > > > > syzbot has found a reproducer for the following issue on:
> > > > > 
> > > > > HEAD commit:    dcc5c6f0 Merge tag 'x86-urgent-2020-08-30' of git://git.ke..
> > > > > git tree:       upstream
> > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=10b297d5900000
> > > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=903b9fecc3c6d231
> > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=3ad9614a12f80994c32e
> > > > > compiler:       gcc (GCC) 10.1.0-syz 20200507
> > > > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14649561900000
> > > > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=118aacc1900000
> > > > > 
> > > > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > > > Reported-by: syzbot+3ad9614a12f80994c32e@syzkaller.appspotmail.com
> > > > > 
> > > > > executing program
> > > > > executing program
> > > > > executing program
> > > > > executing program
> > > > > executing program
> > > > > BUG: memory leak
> > > > > unreferenced object 0xffff88811ba93600 (size 64):
> > > > >   comm "syz-executor680", pid 6503, jiffies 4294951104 (age 21.940s)
> > > > >   hex dump (first 32 bytes):
> > > > >     00 00 00 00 00 00 00 00 08 36 a9 1b 81 88 ff ff  .........6......
> > > > >     08 36 a9 1b 81 88 ff ff 11 ce 98 89 3a d5 b4 8f  .6..........:...
> > > > >   backtrace:
> > > > >     [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
> > > > >     [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
> > > > >     [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
> > > > >     [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
> > > > >     [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
> > > > >     [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
> > > > >     [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> > > > 
> > > > I haven't narrowed this down yet (and it *might* be a false positive),
> > > > but it looks like this is filter->notif. The only way that's possible is
> > > > if seccomp_notify_release() was never called *and* seccomp_filter_free()
> > > > got called... which would imply a reference counting problem. The way
> > > > there doesn't jump out at me yet, but I haven't yet decoded the C
> > > > reproducer into the actual seccomp arguments, etc.
> > > 
> > > Looks like it's just a bunch of threads in the same thread group
> > > trying to install a filter with TSYNC and NEW_LISTENER turned on. Does
> > > the patch below look reasonable?
> > > 
> > > I didn't send it separately since I'm in the process of switching my
> > > e-mail address to tycho@tycho.pizza; let this e-mail serve as proof
> > > that that e-mail really is me too :). I can send it the normal way if
> > > it looks good.
> > > 
> > > 
> > > From d497e787e8e1b3e8b9230fdc4c9802616709c920 Mon Sep 17 00:00:00 2001
> > > From: Tycho Andersen <tycho@tycho.pizza>
> > > Date: Mon, 31 Aug 2020 17:55:07 -0600
> > > Subject: [PATCH] seccomp: don't leak memory when filter install races
> > > 
> > > In seccomp_set_mode_filter() with TSYNC | NEW_LISTENER, we first initialize
> > > the listener fd, then check to see if we can actually use it later in
> > > seccomp_may_assign_mode(), which can fail if anyone else in our thread
> > > group has installed a filter and caused some divergence. If we can't, we
> > > partially clean up the newly allocated file: we put the fd, put the file,
> > > but don't actually clean up the *memory* that was allocated at
> > > filter->notif. Let's clean that up too.
> > > 
> > > Fixes: 51891498f2da ("seccomp: allow TSYNC and USER_NOTIF together")
> > > Reported-by: syzbot+3ad9614a12f80994c32e@syzkaller.appspotmail.com
> > > Signed-off-by: Tycho Andersen <tycho@tycho.pizza>
> > > ---
> > >  kernel/seccomp.c | 2 ++
> > >  1 file changed, 2 insertions(+)
> > > 
> > > diff --git a/kernel/seccomp.c b/kernel/seccomp.c
> > > index 3ee59ce0a323..21a76127833f 100644
> > > --- a/kernel/seccomp.c
> > > +++ b/kernel/seccomp.c
> > > @@ -1581,6 +1581,8 @@ static long seccomp_set_mode_filter(unsigned int flags,
> > >  			listener_f->private_data = NULL;
> > >  			fput(listener_f);
> > >  			put_unused_fd(listener);
> > > +			kfree(filter->notif);
> > > +			filter->notif = NULL;
> > 
> > Oof, actually this isn't quite right. It should be s/filter/prepared/g.
> > I can fix that and send out a real patch that's actually tested at
> > some point tomorrow.
> 
> Ah! Yes, nice catch. I was staring at the wrong failure path. :)
> 
> I'm thinking the free/NULL pattern, since it's repeated in a few places,
> should likely be a short helper. I'll stare at this some more...

I think (?) it's just two, one here and one in
seccomp_notify_release() but agreed. Maybe something like (untested):

diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index 3b593b4caaa5..bb0dd9ae699a 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -1109,13 +1109,12 @@ static long seccomp_set_mode_strict(void)
 }
 
 #ifdef CONFIG_SECCOMP_FILTER
-static int seccomp_notify_release(struct inode *inode, struct file *file)
+static void seccomp_notify_detach(struct seccomp_filter *filter)
 {
-	struct seccomp_filter *filter = file->private_data;
 	struct seccomp_knotif *knotif;
 
 	if (!filter)
-		return 0;
+		return;
 
 	mutex_lock(&filter->notify_lock);
 
@@ -1142,6 +1141,13 @@ static int seccomp_notify_release(struct inode *inode, struct file *file)
 	kfree(filter->notif);
 	filter->notif = NULL;
 	mutex_unlock(&filter->notify_lock);
+}
+
+static int seccomp_notify_release(struct inode *inode, struct file *file)
+{
+	struct seccomp_filter *filter = file->private_data;
+
+	seccomp_notify_detach(filter);
 	__put_seccomp_filter(filter);
 	return 0;
 }
@@ -1581,8 +1587,7 @@ static long seccomp_set_mode_filter(unsigned int flags,
 			listener_f->private_data = NULL;
 			fput(listener_f);
 			put_unused_fd(listener);
-			kfree(prepared->notif);
-			filter->notif = NULL;
+			seccomp_notify_detach(prepared);
 		} else {
 			fd_install(listener, listener_f);
 			ret = listener;

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: memory leak in do_seccomp
  2021-08-01  3:25 ` Kees Cook
@ 2021-08-01 21:10   ` Sudip Mukherjee
  0 siblings, 0 replies; 11+ messages in thread
From: Sudip Mukherjee @ 2021-08-01 21:10 UTC (permalink / raw)
  To: Kees Cook
  Cc: Andy Lutomirski, Will Drewry, Alexei Starovoitov,
	Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Song Liu,
	Yonghong Song, John Fastabend, KP Singh, linux-kernel, netdev,
	bpf, alaaemadhossney.ae, syzkaller, Jann Horn, Tycho Andersen,
	Sargun Dhillon, Christian Brauner

Hi Kees,

On Sun, Aug 1, 2021 at 4:26 AM Kees Cook <keescook@chromium.org> wrote:
>
> On Sat, Jul 31, 2021 at 08:20:29PM +0100, Sudip Mukherjee wrote:
> > Hi All,
> >
> > We had been running syzkaller on v5.10.y and a "memory leak in
> > do_seccomp" was being reported on it. I got some time to check that
> > today and have managed to get a syzkaller
> > reproducer. I dont have a C reproducer which I can share but I can use
> > the syz-reproducer to reproduce this with next-20210730.
> > The old report on v5.10.y is at
> > https://elisa-builder-00.iol.unh.edu/syzkaller/report?id=f6ddd3b592f00e95f9cbd2e74f70a5b04b015c6f
>
> Thanks for the details!
>
> Is this the same as what syzbot saw here (with a C reproducer)?
> https://syzkaller.appspot.com/bug?id=2809bb0ac77ad9aa3f4afe42d6a610aba594a987

Looks similar but it says its fixed and I still get it with the
reproducer I have.

>
> I can't figure out what happened with the "Patch testing request" that
> was made; there's no link?

Looks like it has been merged with a566a9012acd ("seccomp: don't leak
memory when filter install races")

>
> >
> > BUG: memory leak
> > unreferenced object 0xffff888019282c00 (size 512):
> >   comm "syz-executor.1", pid 7389, jiffies 4294761829 (age 17.841s)
> >   hex dump (first 32 bytes):
> >     01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
> >     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> >   backtrace:
> >     [<00000000762c0963>] do_seccomp+0x2d5/0x27d0
>
> Can you run "./scripts/faddr2line do_seccomp+0x2d5/0x27d0" for this? I
> expect it'll be:
>         sfilter = kzalloc(sizeof(*sfilter), GFP_KERNEL | __GFP_NOWARN);

Yes, it is from "(inlined by) seccomp_prepare_filter at kernel/seccomp.c:661".
I did:
$ scripts/faddr2line vmlinux do_seccomp+0x2d5/0x27d0
do_seccomp+0x2d5/0x27d0:
kmalloc at include/linux/slab.h:591
(inlined by) kzalloc at include/linux/slab.h:721
(inlined by) seccomp_prepare_filter at kernel/seccomp.c:661
(inlined by) seccomp_prepare_user_filter at kernel/seccomp.c:703
(inlined by) seccomp_set_mode_filter at kernel/seccomp.c:1852
(inlined by) do_seccomp at kernel/seccomp.c:1972

>
> >     [<0000000006e512d1>] do_syscall_64+0x3b/0x90
> >     [<0000000094ae9ff8>] entry_SYSCALL_64_after_hwframe+0x44/0xae
>

<snip>

>
> My best guess is there is some LISTENER refcount state we can get into
> where all the processes die, but a reference is left alive.

Will be happy to run any debug patch if you need.


-- 
Regards
Sudip

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: memory leak in do_seccomp
  2021-07-31 19:20 Sudip Mukherjee
@ 2021-08-01  3:25 ` Kees Cook
  2021-08-01 21:10   ` Sudip Mukherjee
  0 siblings, 1 reply; 11+ messages in thread
From: Kees Cook @ 2021-08-01  3:25 UTC (permalink / raw)
  To: Sudip Mukherjee
  Cc: Andy Lutomirski, Will Drewry, Alexei Starovoitov,
	Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Song Liu,
	Yonghong Song, John Fastabend, KP Singh, linux-kernel, netdev,
	bpf, alaaemadhossney.ae, syzkaller, Jann Horn, Tycho Andersen,
	Sargun Dhillon, Christian Brauner

On Sat, Jul 31, 2021 at 08:20:29PM +0100, Sudip Mukherjee wrote:
> Hi All,
> 
> We had been running syzkaller on v5.10.y and a "memory leak in
> do_seccomp" was being reported on it. I got some time to check that
> today and have managed to get a syzkaller
> reproducer. I dont have a C reproducer which I can share but I can use
> the syz-reproducer to reproduce this with next-20210730.
> The old report on v5.10.y is at
> https://elisa-builder-00.iol.unh.edu/syzkaller/report?id=f6ddd3b592f00e95f9cbd2e74f70a5b04b015c6f

Thanks for the details!

Is this the same as what syzbot saw here (with a C reproducer)?
https://syzkaller.appspot.com/bug?id=2809bb0ac77ad9aa3f4afe42d6a610aba594a987

I can't figure out what happened with the "Patch testing request" that
was made; there's no link?

> 
> BUG: memory leak
> unreferenced object 0xffff888019282c00 (size 512):
>   comm "syz-executor.1", pid 7389, jiffies 4294761829 (age 17.841s)
>   hex dump (first 32 bytes):
>     01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   backtrace:
>     [<00000000762c0963>] do_seccomp+0x2d5/0x27d0

Can you run "./scripts/faddr2line do_seccomp+0x2d5/0x27d0" for this? I
expect it'll be:
        sfilter = kzalloc(sizeof(*sfilter), GFP_KERNEL | __GFP_NOWARN);

>     [<0000000006e512d1>] do_syscall_64+0x3b/0x90
>     [<0000000094ae9ff8>] entry_SYSCALL_64_after_hwframe+0x44/0xae

The "size 512" in your v5.10.y report is from seccomp_prepare_filter()
(noted above). seccomp_prepare_filter() cleans up its error paths.

> 
> BUG: memory leak
> unreferenced object 0xffffc900006b5000 (size 4096):
>   comm "syz-executor.1", pid 7389, jiffies 4294761829 (age 17.841s)
>   hex dump (first 32 bytes):
>     01 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00  ................
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   backtrace:
>     [<00000000854901e5>] __vmalloc_node_range+0x550/0x9a0
>     [<000000002686628f>] __vmalloc_node+0xb5/0x100
>     [<0000000004cbd298>] bpf_prog_alloc_no_stats+0x38/0x350
>     [<0000000009149728>] bpf_prog_alloc+0x24/0x170
>     [<000000000fe7f1e7>] bpf_prog_create_from_user+0xad/0x2e0
>     [<000000000c70eb02>] do_seccomp+0x325/0x27d0
>     [<0000000006e512d1>] do_syscall_64+0x3b/0x90
>     [<0000000094ae9ff8>] entry_SYSCALL_64_after_hwframe+0x44/0xae

Again, I'm curious about where do_seccomp+0x325/0x27d0 is for this, but
the matching one in v5.10 shows:
        ret = bpf_prog_create_from_user(&sfilter->prog, fprog,
                                        seccomp_check_filter, save_orig);

This and everything remaining below else has bpf_prog_create_from_user()
in the allocation path.

> 
> BUG: memory leak
> unreferenced object 0xffff888026eb1000 (size 2048):
>   comm "syz-executor.1", pid 7389, jiffies 4294761829 (age 17.842s)
>   hex dump (first 32 bytes):
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   backtrace:
>     [<0000000072de7240>] bpf_prog_alloc_no_stats+0xeb/0x350
>     [<0000000009149728>] bpf_prog_alloc+0x24/0x170
>     [<000000000fe7f1e7>] bpf_prog_create_from_user+0xad/0x2e0
>     [<000000000c70eb02>] do_seccomp+0x325/0x27d0
>     [<0000000006e512d1>] do_syscall_64+0x3b/0x90
>     [<0000000094ae9ff8>] entry_SYSCALL_64_after_hwframe+0x44/0xae
> 
> BUG: memory leak
> unreferenced object 0xffff888014dddac0 (size 16):
>   comm "syz-executor.1", pid 7389, jiffies 4294761829 (age 17.842s)
>   hex dump (first 16 bytes):
>     01 00 ca 08 80 88 ff ff c8 ef df 14 80 88 ff ff  ................

These are two kernel pointers:
	0xffff888008ca0001 (unaligned by 1 byte?!)
	0xffff888014dfefc8

Ah, no, this is from:

struct sock_fprog_kern {
        u16                     len;
        struct sock_filter      *filter;
};

The "ca 08 80 88 ff ff" bytes are uninitialized padding. ;) "len" has
a value of 1 (which matches the syzkaller reproducer args below of a
single BPF instruction).

        fp->orig_prog = kmalloc(sizeof(*fkprog), GFP_KERNEL);
        if (!fp->orig_prog)
                return -ENOMEM;

        fkprog = fp->orig_prog;
        fkprog->len = fprog->len;
	...
        fkprog->filter = kmemdup(fp->insns, fsize,
                                 GFP_KERNEL | __GFP_NOWARN);

>   backtrace:
>     [<00000000c5d4ed93>] bpf_prog_store_orig_filter+0x7b/0x1e0
>     [<000000007cb21c2a>] bpf_prog_create_from_user+0x1c6/0x2e0
>     [<000000000c70eb02>] do_seccomp+0x325/0x27d0
>     [<0000000006e512d1>] do_syscall_64+0x3b/0x90
>     [<0000000094ae9ff8>] entry_SYSCALL_64_after_hwframe+0x44/0xae
> 
> BUG: memory leak
> unreferenced object 0xffff888014dfefc8 (size 8):
>   comm "syz-executor.1", pid 7389, jiffies 4294761829 (age 17.842s)
>   hex dump (first 8 bytes):
>     06 00 00 00 ff ff ff 7f                          ........

This contains a userspace (likely stack) pointer, and is referenced
by the second pointer above. (i.e. kmemdup() above, but how have the
contents become a user stack pointer?)

>   backtrace:
>     [<00000000ee5550f8>] kmemdup+0x23/0x50
>     [<00000000f1acd067>] bpf_prog_store_orig_filter+0x103/0x1e0
>     [<000000007cb21c2a>] bpf_prog_create_from_user+0x1c6/0x2e0
>     [<000000000c70eb02>] do_seccomp+0x325/0x27d0
>     [<0000000006e512d1>] do_syscall_64+0x3b/0x90
>     [<0000000094ae9ff8>] entry_SYSCALL_64_after_hwframe+0x44/0xae
> 
> Not sure if this has been already reported or not, but I will be happy
> to test if you have a fix for this.

I was suspecting a missing error path free near bpf_prepare_filter()
as called by bpf_prog_create_from_user() here:

        /* bpf_prepare_filter() already takes care of freeing
         * memory in case something goes wrong.
         */
        fp = bpf_prepare_filter(fp, trans);
        if (IS_ERR(fp))
                return PTR_ERR(fp);

Since only seccomp and af_packet use bpf_prog_create_from_user(),
and af_packet sets neither a "trans" callback nor save_orig. But if
"trans" fails (due to some BPF instructions seccomp doesn't support),
I'd expect this leak to be detected more often.

bpf_prepare_filter() is documented as cleaning up allocations on failure,
though I notice its cleanup differs from bpf_prog_create_from_user()'s,
which uses __bpf_prog_free() instead of __bfp_prog_release(). But
that should only make a difference for orig_prog getting freed,
and bpf_prog_store_orig_filter() should already be freeing that on
failures too.

Similarly, bpf_migrate_filter() cleanups up on failure too, so this
doesn't seem to be it:

        if (!fp->jited)
                fp = bpf_migrate_filter(fp);

        return fp;

So, I'm going to assume the missing free is somehow related to
process management, since I see the Syzkaller reproducer mentions
SECCOMP_SET_MODE_FILTER_LISTENER, fork(), and ptrace(). :)

Quoting from the v5.10.y report:
> # {Threaded:true Collide:true Repeat:true RepeatTimes:0 Procs:8 Slowdown:1 Sandbox:none Fault:false FaultCall:-1 FaultNth:0 Leak:true NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true UseTmpDir:true HandleSegv:true Repro:false Trace:false}
> seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000000)={0x1, &(0x7f0000000040)=[{0x6, 0x0, 0x0, 0x7fffffff}]})

0x1 is SECCOMP_SET_MODE_FILTER
0x0 is empty flags
{0x6, 0x0, 0x0, 0x7fffffff} is
	BPF_STMT(BPF_RET, SECCOMP_RET_ALLOW | 0xffff)

For "SECCOMP_SET_MODE_FILTER_LISTENER", defined here:
https://github.com/google/syzkaller/blob/master/sys/linux/seccomp.txt#L15
I was expecting flags to include SECCOMP_FILTER_FLAG_NEW_LISTENER:
	seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(
			op const[SECCOMP_SET_MODE_FILTER],
			flags flags[seccomp_flags_listener],
			arg ptr[in, sock_fprog]) fd_seccomp (breaks_returns)

For the flags:

	seccomp_flags_listener = SECCOMP_FILTER_FLAG_NEW_LISTENER,
				 SECCOMP_FILTER_FLAG_LOG_LISTENER,
				 SECCOMP_FILTER_FLAG_SPEC_ALLOW_LISTENER

which is:

	SECCOMP_FILTER_FLAG_LOG_LISTENER = 10
	SECCOMP_FILTER_FLAG_NEW_LISTENER = 8
	SECCOMP_FILTER_FLAG_SPEC_ALLOW = 4
	SECCOMP_FILTER_FLAG_SPEC_ALLOW_LISTENER = 12

How is flags 0 above? (Maybe I don't understand the syzkaller reproducer
meaning fully?)

> r0 = fork()
> ptrace(0x10, r0)

0x10 is PTRACE_ATTACH

My best guess is there is some LISTENER refcount state we can get into
where all the processes die, but a reference is left alive.

-Kees

-- 
Kees Cook

^ permalink raw reply	[flat|nested] 11+ messages in thread

* memory leak in do_seccomp
@ 2021-07-31 19:20 Sudip Mukherjee
  2021-08-01  3:25 ` Kees Cook
  0 siblings, 1 reply; 11+ messages in thread
From: Sudip Mukherjee @ 2021-07-31 19:20 UTC (permalink / raw)
  To: Kees Cook, Andy Lutomirski, Will Drewry, Alexei Starovoitov,
	Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Song Liu,
	Yonghong Song, John Fastabend, KP Singh
  Cc: linux-kernel, netdev, bpf

Hi All,

We had been running syzkaller on v5.10.y and a "memory leak in
do_seccomp" was being reported on it. I got some time to check that
today and have managed to get a syzkaller
reproducer. I dont have a C reproducer which I can share but I can use
the syz-reproducer to reproduce this with next-20210730.
The old report on v5.10.y is at
https://elisa-builder-00.iol.unh.edu/syzkaller/report?id=f6ddd3b592f00e95f9cbd2e74f70a5b04b015c6f

BUG: memory leak
unreferenced object 0xffff888019282c00 (size 512):
  comm "syz-executor.1", pid 7389, jiffies 4294761829 (age 17.841s)
  hex dump (first 32 bytes):
    01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<00000000762c0963>] do_seccomp+0x2d5/0x27d0
    [<0000000006e512d1>] do_syscall_64+0x3b/0x90
    [<0000000094ae9ff8>] entry_SYSCALL_64_after_hwframe+0x44/0xae

BUG: memory leak
unreferenced object 0xffffc900006b5000 (size 4096):
  comm "syz-executor.1", pid 7389, jiffies 4294761829 (age 17.841s)
  hex dump (first 32 bytes):
    01 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<00000000854901e5>] __vmalloc_node_range+0x550/0x9a0
    [<000000002686628f>] __vmalloc_node+0xb5/0x100
    [<0000000004cbd298>] bpf_prog_alloc_no_stats+0x38/0x350
    [<0000000009149728>] bpf_prog_alloc+0x24/0x170
    [<000000000fe7f1e7>] bpf_prog_create_from_user+0xad/0x2e0
    [<000000000c70eb02>] do_seccomp+0x325/0x27d0
    [<0000000006e512d1>] do_syscall_64+0x3b/0x90
    [<0000000094ae9ff8>] entry_SYSCALL_64_after_hwframe+0x44/0xae

BUG: memory leak
unreferenced object 0xffff888026eb1000 (size 2048):
  comm "syz-executor.1", pid 7389, jiffies 4294761829 (age 17.842s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<0000000072de7240>] bpf_prog_alloc_no_stats+0xeb/0x350
    [<0000000009149728>] bpf_prog_alloc+0x24/0x170
    [<000000000fe7f1e7>] bpf_prog_create_from_user+0xad/0x2e0
    [<000000000c70eb02>] do_seccomp+0x325/0x27d0
    [<0000000006e512d1>] do_syscall_64+0x3b/0x90
    [<0000000094ae9ff8>] entry_SYSCALL_64_after_hwframe+0x44/0xae

BUG: memory leak
unreferenced object 0xffff888014dddac0 (size 16):
  comm "syz-executor.1", pid 7389, jiffies 4294761829 (age 17.842s)
  hex dump (first 16 bytes):
    01 00 ca 08 80 88 ff ff c8 ef df 14 80 88 ff ff  ................
  backtrace:
    [<00000000c5d4ed93>] bpf_prog_store_orig_filter+0x7b/0x1e0
    [<000000007cb21c2a>] bpf_prog_create_from_user+0x1c6/0x2e0
    [<000000000c70eb02>] do_seccomp+0x325/0x27d0
    [<0000000006e512d1>] do_syscall_64+0x3b/0x90
    [<0000000094ae9ff8>] entry_SYSCALL_64_after_hwframe+0x44/0xae

BUG: memory leak
unreferenced object 0xffff888014dfefc8 (size 8):
  comm "syz-executor.1", pid 7389, jiffies 4294761829 (age 17.842s)
  hex dump (first 8 bytes):
    06 00 00 00 ff ff ff 7f                          ........
  backtrace:
    [<00000000ee5550f8>] kmemdup+0x23/0x50
    [<00000000f1acd067>] bpf_prog_store_orig_filter+0x103/0x1e0
    [<000000007cb21c2a>] bpf_prog_create_from_user+0x1c6/0x2e0
    [<000000000c70eb02>] do_seccomp+0x325/0x27d0
    [<0000000006e512d1>] do_syscall_64+0x3b/0x90
    [<0000000094ae9ff8>] entry_SYSCALL_64_after_hwframe+0x44/0xae

Not sure if this has been already reported or not, but I will be happy
to test if you have a fix for this.


-- 
Regards
Sudip

^ permalink raw reply	[flat|nested] 11+ messages in thread

end of thread, other threads:[~2021-08-01 21:11 UTC | newest]

Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-08-11 17:06 memory leak in do_seccomp syzbot
2020-08-31  3:50 ` syzbot
2020-08-31 23:25   ` Kees Cook
2020-09-01  0:09     ` Tycho Andersen
2020-09-01  1:14       ` Tycho Andersen
2020-09-01 10:07         ` Christian Brauner
2020-09-01 15:08         ` Kees Cook
2020-09-01 15:26           ` Tycho Andersen
2021-07-31 19:20 Sudip Mukherjee
2021-08-01  3:25 ` Kees Cook
2021-08-01 21:10   ` Sudip Mukherjee

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).