LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
* memory leak in do_seccomp
@ 2021-07-31 19:20 Sudip Mukherjee
2021-08-01 3:25 ` Kees Cook
0 siblings, 1 reply; 11+ messages in thread
From: Sudip Mukherjee @ 2021-07-31 19:20 UTC (permalink / raw)
To: Kees Cook, Andy Lutomirski, Will Drewry, Alexei Starovoitov,
Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Song Liu,
Yonghong Song, John Fastabend, KP Singh
Cc: linux-kernel, netdev, bpf
Hi All,
We had been running syzkaller on v5.10.y and a "memory leak in
do_seccomp" was being reported on it. I got some time to check that
today and have managed to get a syzkaller
reproducer. I dont have a C reproducer which I can share but I can use
the syz-reproducer to reproduce this with next-20210730.
The old report on v5.10.y is at
https://elisa-builder-00.iol.unh.edu/syzkaller/report?id=f6ddd3b592f00e95f9cbd2e74f70a5b04b015c6f
BUG: memory leak
unreferenced object 0xffff888019282c00 (size 512):
comm "syz-executor.1", pid 7389, jiffies 4294761829 (age 17.841s)
hex dump (first 32 bytes):
01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<00000000762c0963>] do_seccomp+0x2d5/0x27d0
[<0000000006e512d1>] do_syscall_64+0x3b/0x90
[<0000000094ae9ff8>] entry_SYSCALL_64_after_hwframe+0x44/0xae
BUG: memory leak
unreferenced object 0xffffc900006b5000 (size 4096):
comm "syz-executor.1", pid 7389, jiffies 4294761829 (age 17.841s)
hex dump (first 32 bytes):
01 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<00000000854901e5>] __vmalloc_node_range+0x550/0x9a0
[<000000002686628f>] __vmalloc_node+0xb5/0x100
[<0000000004cbd298>] bpf_prog_alloc_no_stats+0x38/0x350
[<0000000009149728>] bpf_prog_alloc+0x24/0x170
[<000000000fe7f1e7>] bpf_prog_create_from_user+0xad/0x2e0
[<000000000c70eb02>] do_seccomp+0x325/0x27d0
[<0000000006e512d1>] do_syscall_64+0x3b/0x90
[<0000000094ae9ff8>] entry_SYSCALL_64_after_hwframe+0x44/0xae
BUG: memory leak
unreferenced object 0xffff888026eb1000 (size 2048):
comm "syz-executor.1", pid 7389, jiffies 4294761829 (age 17.842s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<0000000072de7240>] bpf_prog_alloc_no_stats+0xeb/0x350
[<0000000009149728>] bpf_prog_alloc+0x24/0x170
[<000000000fe7f1e7>] bpf_prog_create_from_user+0xad/0x2e0
[<000000000c70eb02>] do_seccomp+0x325/0x27d0
[<0000000006e512d1>] do_syscall_64+0x3b/0x90
[<0000000094ae9ff8>] entry_SYSCALL_64_after_hwframe+0x44/0xae
BUG: memory leak
unreferenced object 0xffff888014dddac0 (size 16):
comm "syz-executor.1", pid 7389, jiffies 4294761829 (age 17.842s)
hex dump (first 16 bytes):
01 00 ca 08 80 88 ff ff c8 ef df 14 80 88 ff ff ................
backtrace:
[<00000000c5d4ed93>] bpf_prog_store_orig_filter+0x7b/0x1e0
[<000000007cb21c2a>] bpf_prog_create_from_user+0x1c6/0x2e0
[<000000000c70eb02>] do_seccomp+0x325/0x27d0
[<0000000006e512d1>] do_syscall_64+0x3b/0x90
[<0000000094ae9ff8>] entry_SYSCALL_64_after_hwframe+0x44/0xae
BUG: memory leak
unreferenced object 0xffff888014dfefc8 (size 8):
comm "syz-executor.1", pid 7389, jiffies 4294761829 (age 17.842s)
hex dump (first 8 bytes):
06 00 00 00 ff ff ff 7f ........
backtrace:
[<00000000ee5550f8>] kmemdup+0x23/0x50
[<00000000f1acd067>] bpf_prog_store_orig_filter+0x103/0x1e0
[<000000007cb21c2a>] bpf_prog_create_from_user+0x1c6/0x2e0
[<000000000c70eb02>] do_seccomp+0x325/0x27d0
[<0000000006e512d1>] do_syscall_64+0x3b/0x90
[<0000000094ae9ff8>] entry_SYSCALL_64_after_hwframe+0x44/0xae
Not sure if this has been already reported or not, but I will be happy
to test if you have a fix for this.
--
Regards
Sudip
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: memory leak in do_seccomp
2021-07-31 19:20 memory leak in do_seccomp Sudip Mukherjee
@ 2021-08-01 3:25 ` Kees Cook
2021-08-01 21:10 ` Sudip Mukherjee
0 siblings, 1 reply; 11+ messages in thread
From: Kees Cook @ 2021-08-01 3:25 UTC (permalink / raw)
To: Sudip Mukherjee
Cc: Andy Lutomirski, Will Drewry, Alexei Starovoitov,
Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Song Liu,
Yonghong Song, John Fastabend, KP Singh, linux-kernel, netdev,
bpf, alaaemadhossney.ae, syzkaller, Jann Horn, Tycho Andersen,
Sargun Dhillon, Christian Brauner
On Sat, Jul 31, 2021 at 08:20:29PM +0100, Sudip Mukherjee wrote:
> Hi All,
>
> We had been running syzkaller on v5.10.y and a "memory leak in
> do_seccomp" was being reported on it. I got some time to check that
> today and have managed to get a syzkaller
> reproducer. I dont have a C reproducer which I can share but I can use
> the syz-reproducer to reproduce this with next-20210730.
> The old report on v5.10.y is at
> https://elisa-builder-00.iol.unh.edu/syzkaller/report?id=f6ddd3b592f00e95f9cbd2e74f70a5b04b015c6f
Thanks for the details!
Is this the same as what syzbot saw here (with a C reproducer)?
https://syzkaller.appspot.com/bug?id=2809bb0ac77ad9aa3f4afe42d6a610aba594a987
I can't figure out what happened with the "Patch testing request" that
was made; there's no link?
>
> BUG: memory leak
> unreferenced object 0xffff888019282c00 (size 512):
> comm "syz-executor.1", pid 7389, jiffies 4294761829 (age 17.841s)
> hex dump (first 32 bytes):
> 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> backtrace:
> [<00000000762c0963>] do_seccomp+0x2d5/0x27d0
Can you run "./scripts/faddr2line do_seccomp+0x2d5/0x27d0" for this? I
expect it'll be:
sfilter = kzalloc(sizeof(*sfilter), GFP_KERNEL | __GFP_NOWARN);
> [<0000000006e512d1>] do_syscall_64+0x3b/0x90
> [<0000000094ae9ff8>] entry_SYSCALL_64_after_hwframe+0x44/0xae
The "size 512" in your v5.10.y report is from seccomp_prepare_filter()
(noted above). seccomp_prepare_filter() cleans up its error paths.
>
> BUG: memory leak
> unreferenced object 0xffffc900006b5000 (size 4096):
> comm "syz-executor.1", pid 7389, jiffies 4294761829 (age 17.841s)
> hex dump (first 32 bytes):
> 01 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> backtrace:
> [<00000000854901e5>] __vmalloc_node_range+0x550/0x9a0
> [<000000002686628f>] __vmalloc_node+0xb5/0x100
> [<0000000004cbd298>] bpf_prog_alloc_no_stats+0x38/0x350
> [<0000000009149728>] bpf_prog_alloc+0x24/0x170
> [<000000000fe7f1e7>] bpf_prog_create_from_user+0xad/0x2e0
> [<000000000c70eb02>] do_seccomp+0x325/0x27d0
> [<0000000006e512d1>] do_syscall_64+0x3b/0x90
> [<0000000094ae9ff8>] entry_SYSCALL_64_after_hwframe+0x44/0xae
Again, I'm curious about where do_seccomp+0x325/0x27d0 is for this, but
the matching one in v5.10 shows:
ret = bpf_prog_create_from_user(&sfilter->prog, fprog,
seccomp_check_filter, save_orig);
This and everything remaining below else has bpf_prog_create_from_user()
in the allocation path.
>
> BUG: memory leak
> unreferenced object 0xffff888026eb1000 (size 2048):
> comm "syz-executor.1", pid 7389, jiffies 4294761829 (age 17.842s)
> hex dump (first 32 bytes):
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> backtrace:
> [<0000000072de7240>] bpf_prog_alloc_no_stats+0xeb/0x350
> [<0000000009149728>] bpf_prog_alloc+0x24/0x170
> [<000000000fe7f1e7>] bpf_prog_create_from_user+0xad/0x2e0
> [<000000000c70eb02>] do_seccomp+0x325/0x27d0
> [<0000000006e512d1>] do_syscall_64+0x3b/0x90
> [<0000000094ae9ff8>] entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> BUG: memory leak
> unreferenced object 0xffff888014dddac0 (size 16):
> comm "syz-executor.1", pid 7389, jiffies 4294761829 (age 17.842s)
> hex dump (first 16 bytes):
> 01 00 ca 08 80 88 ff ff c8 ef df 14 80 88 ff ff ................
These are two kernel pointers:
0xffff888008ca0001 (unaligned by 1 byte?!)
0xffff888014dfefc8
Ah, no, this is from:
struct sock_fprog_kern {
u16 len;
struct sock_filter *filter;
};
The "ca 08 80 88 ff ff" bytes are uninitialized padding. ;) "len" has
a value of 1 (which matches the syzkaller reproducer args below of a
single BPF instruction).
fp->orig_prog = kmalloc(sizeof(*fkprog), GFP_KERNEL);
if (!fp->orig_prog)
return -ENOMEM;
fkprog = fp->orig_prog;
fkprog->len = fprog->len;
...
fkprog->filter = kmemdup(fp->insns, fsize,
GFP_KERNEL | __GFP_NOWARN);
> backtrace:
> [<00000000c5d4ed93>] bpf_prog_store_orig_filter+0x7b/0x1e0
> [<000000007cb21c2a>] bpf_prog_create_from_user+0x1c6/0x2e0
> [<000000000c70eb02>] do_seccomp+0x325/0x27d0
> [<0000000006e512d1>] do_syscall_64+0x3b/0x90
> [<0000000094ae9ff8>] entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> BUG: memory leak
> unreferenced object 0xffff888014dfefc8 (size 8):
> comm "syz-executor.1", pid 7389, jiffies 4294761829 (age 17.842s)
> hex dump (first 8 bytes):
> 06 00 00 00 ff ff ff 7f ........
This contains a userspace (likely stack) pointer, and is referenced
by the second pointer above. (i.e. kmemdup() above, but how have the
contents become a user stack pointer?)
> backtrace:
> [<00000000ee5550f8>] kmemdup+0x23/0x50
> [<00000000f1acd067>] bpf_prog_store_orig_filter+0x103/0x1e0
> [<000000007cb21c2a>] bpf_prog_create_from_user+0x1c6/0x2e0
> [<000000000c70eb02>] do_seccomp+0x325/0x27d0
> [<0000000006e512d1>] do_syscall_64+0x3b/0x90
> [<0000000094ae9ff8>] entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> Not sure if this has been already reported or not, but I will be happy
> to test if you have a fix for this.
I was suspecting a missing error path free near bpf_prepare_filter()
as called by bpf_prog_create_from_user() here:
/* bpf_prepare_filter() already takes care of freeing
* memory in case something goes wrong.
*/
fp = bpf_prepare_filter(fp, trans);
if (IS_ERR(fp))
return PTR_ERR(fp);
Since only seccomp and af_packet use bpf_prog_create_from_user(),
and af_packet sets neither a "trans" callback nor save_orig. But if
"trans" fails (due to some BPF instructions seccomp doesn't support),
I'd expect this leak to be detected more often.
bpf_prepare_filter() is documented as cleaning up allocations on failure,
though I notice its cleanup differs from bpf_prog_create_from_user()'s,
which uses __bpf_prog_free() instead of __bfp_prog_release(). But
that should only make a difference for orig_prog getting freed,
and bpf_prog_store_orig_filter() should already be freeing that on
failures too.
Similarly, bpf_migrate_filter() cleanups up on failure too, so this
doesn't seem to be it:
if (!fp->jited)
fp = bpf_migrate_filter(fp);
return fp;
So, I'm going to assume the missing free is somehow related to
process management, since I see the Syzkaller reproducer mentions
SECCOMP_SET_MODE_FILTER_LISTENER, fork(), and ptrace(). :)
Quoting from the v5.10.y report:
> # {Threaded:true Collide:true Repeat:true RepeatTimes:0 Procs:8 Slowdown:1 Sandbox:none Fault:false FaultCall:-1 FaultNth:0 Leak:true NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false USB:true VhciInjection:false Wifi:false IEEE802154:false Sysctl:true UseTmpDir:true HandleSegv:true Repro:false Trace:false}
> seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000000)={0x1, &(0x7f0000000040)=[{0x6, 0x0, 0x0, 0x7fffffff}]})
0x1 is SECCOMP_SET_MODE_FILTER
0x0 is empty flags
{0x6, 0x0, 0x0, 0x7fffffff} is
BPF_STMT(BPF_RET, SECCOMP_RET_ALLOW | 0xffff)
For "SECCOMP_SET_MODE_FILTER_LISTENER", defined here:
https://github.com/google/syzkaller/blob/master/sys/linux/seccomp.txt#L15
I was expecting flags to include SECCOMP_FILTER_FLAG_NEW_LISTENER:
seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(
op const[SECCOMP_SET_MODE_FILTER],
flags flags[seccomp_flags_listener],
arg ptr[in, sock_fprog]) fd_seccomp (breaks_returns)
For the flags:
seccomp_flags_listener = SECCOMP_FILTER_FLAG_NEW_LISTENER,
SECCOMP_FILTER_FLAG_LOG_LISTENER,
SECCOMP_FILTER_FLAG_SPEC_ALLOW_LISTENER
which is:
SECCOMP_FILTER_FLAG_LOG_LISTENER = 10
SECCOMP_FILTER_FLAG_NEW_LISTENER = 8
SECCOMP_FILTER_FLAG_SPEC_ALLOW = 4
SECCOMP_FILTER_FLAG_SPEC_ALLOW_LISTENER = 12
How is flags 0 above? (Maybe I don't understand the syzkaller reproducer
meaning fully?)
> r0 = fork()
> ptrace(0x10, r0)
0x10 is PTRACE_ATTACH
My best guess is there is some LISTENER refcount state we can get into
where all the processes die, but a reference is left alive.
-Kees
--
Kees Cook
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: memory leak in do_seccomp
2021-08-01 3:25 ` Kees Cook
@ 2021-08-01 21:10 ` Sudip Mukherjee
0 siblings, 0 replies; 11+ messages in thread
From: Sudip Mukherjee @ 2021-08-01 21:10 UTC (permalink / raw)
To: Kees Cook
Cc: Andy Lutomirski, Will Drewry, Alexei Starovoitov,
Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Song Liu,
Yonghong Song, John Fastabend, KP Singh, linux-kernel, netdev,
bpf, alaaemadhossney.ae, syzkaller, Jann Horn, Tycho Andersen,
Sargun Dhillon, Christian Brauner
Hi Kees,
On Sun, Aug 1, 2021 at 4:26 AM Kees Cook <keescook@chromium.org> wrote:
>
> On Sat, Jul 31, 2021 at 08:20:29PM +0100, Sudip Mukherjee wrote:
> > Hi All,
> >
> > We had been running syzkaller on v5.10.y and a "memory leak in
> > do_seccomp" was being reported on it. I got some time to check that
> > today and have managed to get a syzkaller
> > reproducer. I dont have a C reproducer which I can share but I can use
> > the syz-reproducer to reproduce this with next-20210730.
> > The old report on v5.10.y is at
> > https://elisa-builder-00.iol.unh.edu/syzkaller/report?id=f6ddd3b592f00e95f9cbd2e74f70a5b04b015c6f
>
> Thanks for the details!
>
> Is this the same as what syzbot saw here (with a C reproducer)?
> https://syzkaller.appspot.com/bug?id=2809bb0ac77ad9aa3f4afe42d6a610aba594a987
Looks similar but it says its fixed and I still get it with the
reproducer I have.
>
> I can't figure out what happened with the "Patch testing request" that
> was made; there's no link?
Looks like it has been merged with a566a9012acd ("seccomp: don't leak
memory when filter install races")
>
> >
> > BUG: memory leak
> > unreferenced object 0xffff888019282c00 (size 512):
> > comm "syz-executor.1", pid 7389, jiffies 4294761829 (age 17.841s)
> > hex dump (first 32 bytes):
> > 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
> > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> > backtrace:
> > [<00000000762c0963>] do_seccomp+0x2d5/0x27d0
>
> Can you run "./scripts/faddr2line do_seccomp+0x2d5/0x27d0" for this? I
> expect it'll be:
> sfilter = kzalloc(sizeof(*sfilter), GFP_KERNEL | __GFP_NOWARN);
Yes, it is from "(inlined by) seccomp_prepare_filter at kernel/seccomp.c:661".
I did:
$ scripts/faddr2line vmlinux do_seccomp+0x2d5/0x27d0
do_seccomp+0x2d5/0x27d0:
kmalloc at include/linux/slab.h:591
(inlined by) kzalloc at include/linux/slab.h:721
(inlined by) seccomp_prepare_filter at kernel/seccomp.c:661
(inlined by) seccomp_prepare_user_filter at kernel/seccomp.c:703
(inlined by) seccomp_set_mode_filter at kernel/seccomp.c:1852
(inlined by) do_seccomp at kernel/seccomp.c:1972
>
> > [<0000000006e512d1>] do_syscall_64+0x3b/0x90
> > [<0000000094ae9ff8>] entry_SYSCALL_64_after_hwframe+0x44/0xae
>
<snip>
>
> My best guess is there is some LISTENER refcount state we can get into
> where all the processes die, but a reference is left alive.
Will be happy to run any debug patch if you need.
--
Regards
Sudip
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: memory leak in do_seccomp
2020-09-01 15:08 ` Kees Cook
@ 2020-09-01 15:26 ` Tycho Andersen
0 siblings, 0 replies; 11+ messages in thread
From: Tycho Andersen @ 2020-09-01 15:26 UTC (permalink / raw)
To: Kees Cook
Cc: Christian Brauner, linux-kernel, luto, syzbot, syzkaller-bugs, wad
On Tue, Sep 01, 2020 at 08:08:13AM -0700, Kees Cook wrote:
> On Mon, Aug 31, 2020 at 07:14:59PM -0600, Tycho Andersen wrote:
> > On Mon, Aug 31, 2020 at 06:09:15PM -0600, Tycho Andersen wrote:
> > > On Mon, Aug 31, 2020 at 04:25:35PM -0700, Kees Cook wrote:
> > > > On Sun, Aug 30, 2020 at 08:50:15PM -0700, syzbot wrote:
> > > > > syzbot has found a reproducer for the following issue on:
> > > > >
> > > > > HEAD commit: dcc5c6f0 Merge tag 'x86-urgent-2020-08-30' of git://git.ke..
> > > > > git tree: upstream
> > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=10b297d5900000
> > > > > kernel config: https://syzkaller.appspot.com/x/.config?x=903b9fecc3c6d231
> > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=3ad9614a12f80994c32e
> > > > > compiler: gcc (GCC) 10.1.0-syz 20200507
> > > > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14649561900000
> > > > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=118aacc1900000
> > > > >
> > > > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > > > Reported-by: syzbot+3ad9614a12f80994c32e@syzkaller.appspotmail.com
> > > > >
> > > > > executing program
> > > > > executing program
> > > > > executing program
> > > > > executing program
> > > > > executing program
> > > > > BUG: memory leak
> > > > > unreferenced object 0xffff88811ba93600 (size 64):
> > > > > comm "syz-executor680", pid 6503, jiffies 4294951104 (age 21.940s)
> > > > > hex dump (first 32 bytes):
> > > > > 00 00 00 00 00 00 00 00 08 36 a9 1b 81 88 ff ff .........6......
> > > > > 08 36 a9 1b 81 88 ff ff 11 ce 98 89 3a d5 b4 8f .6..........:...
> > > > > backtrace:
> > > > > [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
> > > > > [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
> > > > > [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
> > > > > [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
> > > > > [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
> > > > > [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
> > > > > [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> > > >
> > > > I haven't narrowed this down yet (and it *might* be a false positive),
> > > > but it looks like this is filter->notif. The only way that's possible is
> > > > if seccomp_notify_release() was never called *and* seccomp_filter_free()
> > > > got called... which would imply a reference counting problem. The way
> > > > there doesn't jump out at me yet, but I haven't yet decoded the C
> > > > reproducer into the actual seccomp arguments, etc.
> > >
> > > Looks like it's just a bunch of threads in the same thread group
> > > trying to install a filter with TSYNC and NEW_LISTENER turned on. Does
> > > the patch below look reasonable?
> > >
> > > I didn't send it separately since I'm in the process of switching my
> > > e-mail address to tycho@tycho.pizza; let this e-mail serve as proof
> > > that that e-mail really is me too :). I can send it the normal way if
> > > it looks good.
> > >
> > >
> > > From d497e787e8e1b3e8b9230fdc4c9802616709c920 Mon Sep 17 00:00:00 2001
> > > From: Tycho Andersen <tycho@tycho.pizza>
> > > Date: Mon, 31 Aug 2020 17:55:07 -0600
> > > Subject: [PATCH] seccomp: don't leak memory when filter install races
> > >
> > > In seccomp_set_mode_filter() with TSYNC | NEW_LISTENER, we first initialize
> > > the listener fd, then check to see if we can actually use it later in
> > > seccomp_may_assign_mode(), which can fail if anyone else in our thread
> > > group has installed a filter and caused some divergence. If we can't, we
> > > partially clean up the newly allocated file: we put the fd, put the file,
> > > but don't actually clean up the *memory* that was allocated at
> > > filter->notif. Let's clean that up too.
> > >
> > > Fixes: 51891498f2da ("seccomp: allow TSYNC and USER_NOTIF together")
> > > Reported-by: syzbot+3ad9614a12f80994c32e@syzkaller.appspotmail.com
> > > Signed-off-by: Tycho Andersen <tycho@tycho.pizza>
> > > ---
> > > kernel/seccomp.c | 2 ++
> > > 1 file changed, 2 insertions(+)
> > >
> > > diff --git a/kernel/seccomp.c b/kernel/seccomp.c
> > > index 3ee59ce0a323..21a76127833f 100644
> > > --- a/kernel/seccomp.c
> > > +++ b/kernel/seccomp.c
> > > @@ -1581,6 +1581,8 @@ static long seccomp_set_mode_filter(unsigned int flags,
> > > listener_f->private_data = NULL;
> > > fput(listener_f);
> > > put_unused_fd(listener);
> > > + kfree(filter->notif);
> > > + filter->notif = NULL;
> >
> > Oof, actually this isn't quite right. It should be s/filter/prepared/g.
> > I can fix that and send out a real patch that's actually tested at
> > some point tomorrow.
>
> Ah! Yes, nice catch. I was staring at the wrong failure path. :)
>
> I'm thinking the free/NULL pattern, since it's repeated in a few places,
> should likely be a short helper. I'll stare at this some more...
I think (?) it's just two, one here and one in
seccomp_notify_release() but agreed. Maybe something like (untested):
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index 3b593b4caaa5..bb0dd9ae699a 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -1109,13 +1109,12 @@ static long seccomp_set_mode_strict(void)
}
#ifdef CONFIG_SECCOMP_FILTER
-static int seccomp_notify_release(struct inode *inode, struct file *file)
+static void seccomp_notify_detach(struct seccomp_filter *filter)
{
- struct seccomp_filter *filter = file->private_data;
struct seccomp_knotif *knotif;
if (!filter)
- return 0;
+ return;
mutex_lock(&filter->notify_lock);
@@ -1142,6 +1141,13 @@ static int seccomp_notify_release(struct inode *inode, struct file *file)
kfree(filter->notif);
filter->notif = NULL;
mutex_unlock(&filter->notify_lock);
+}
+
+static int seccomp_notify_release(struct inode *inode, struct file *file)
+{
+ struct seccomp_filter *filter = file->private_data;
+
+ seccomp_notify_detach(filter);
__put_seccomp_filter(filter);
return 0;
}
@@ -1581,8 +1587,7 @@ static long seccomp_set_mode_filter(unsigned int flags,
listener_f->private_data = NULL;
fput(listener_f);
put_unused_fd(listener);
- kfree(prepared->notif);
- filter->notif = NULL;
+ seccomp_notify_detach(prepared);
} else {
fd_install(listener, listener_f);
ret = listener;
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: memory leak in do_seccomp
2020-09-01 1:14 ` Tycho Andersen
2020-09-01 10:07 ` Christian Brauner
@ 2020-09-01 15:08 ` Kees Cook
2020-09-01 15:26 ` Tycho Andersen
1 sibling, 1 reply; 11+ messages in thread
From: Kees Cook @ 2020-09-01 15:08 UTC (permalink / raw)
To: Tycho Andersen
Cc: Christian Brauner, linux-kernel, luto, syzbot, syzkaller-bugs, wad
On Mon, Aug 31, 2020 at 07:14:59PM -0600, Tycho Andersen wrote:
> On Mon, Aug 31, 2020 at 06:09:15PM -0600, Tycho Andersen wrote:
> > On Mon, Aug 31, 2020 at 04:25:35PM -0700, Kees Cook wrote:
> > > On Sun, Aug 30, 2020 at 08:50:15PM -0700, syzbot wrote:
> > > > syzbot has found a reproducer for the following issue on:
> > > >
> > > > HEAD commit: dcc5c6f0 Merge tag 'x86-urgent-2020-08-30' of git://git.ke..
> > > > git tree: upstream
> > > > console output: https://syzkaller.appspot.com/x/log.txt?x=10b297d5900000
> > > > kernel config: https://syzkaller.appspot.com/x/.config?x=903b9fecc3c6d231
> > > > dashboard link: https://syzkaller.appspot.com/bug?extid=3ad9614a12f80994c32e
> > > > compiler: gcc (GCC) 10.1.0-syz 20200507
> > > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14649561900000
> > > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=118aacc1900000
> > > >
> > > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > > Reported-by: syzbot+3ad9614a12f80994c32e@syzkaller.appspotmail.com
> > > >
> > > > executing program
> > > > executing program
> > > > executing program
> > > > executing program
> > > > executing program
> > > > BUG: memory leak
> > > > unreferenced object 0xffff88811ba93600 (size 64):
> > > > comm "syz-executor680", pid 6503, jiffies 4294951104 (age 21.940s)
> > > > hex dump (first 32 bytes):
> > > > 00 00 00 00 00 00 00 00 08 36 a9 1b 81 88 ff ff .........6......
> > > > 08 36 a9 1b 81 88 ff ff 11 ce 98 89 3a d5 b4 8f .6..........:...
> > > > backtrace:
> > > > [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
> > > > [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
> > > > [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
> > > > [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
> > > > [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
> > > > [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
> > > > [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> > >
> > > I haven't narrowed this down yet (and it *might* be a false positive),
> > > but it looks like this is filter->notif. The only way that's possible is
> > > if seccomp_notify_release() was never called *and* seccomp_filter_free()
> > > got called... which would imply a reference counting problem. The way
> > > there doesn't jump out at me yet, but I haven't yet decoded the C
> > > reproducer into the actual seccomp arguments, etc.
> >
> > Looks like it's just a bunch of threads in the same thread group
> > trying to install a filter with TSYNC and NEW_LISTENER turned on. Does
> > the patch below look reasonable?
> >
> > I didn't send it separately since I'm in the process of switching my
> > e-mail address to tycho@tycho.pizza; let this e-mail serve as proof
> > that that e-mail really is me too :). I can send it the normal way if
> > it looks good.
> >
> >
> > From d497e787e8e1b3e8b9230fdc4c9802616709c920 Mon Sep 17 00:00:00 2001
> > From: Tycho Andersen <tycho@tycho.pizza>
> > Date: Mon, 31 Aug 2020 17:55:07 -0600
> > Subject: [PATCH] seccomp: don't leak memory when filter install races
> >
> > In seccomp_set_mode_filter() with TSYNC | NEW_LISTENER, we first initialize
> > the listener fd, then check to see if we can actually use it later in
> > seccomp_may_assign_mode(), which can fail if anyone else in our thread
> > group has installed a filter and caused some divergence. If we can't, we
> > partially clean up the newly allocated file: we put the fd, put the file,
> > but don't actually clean up the *memory* that was allocated at
> > filter->notif. Let's clean that up too.
> >
> > Fixes: 51891498f2da ("seccomp: allow TSYNC and USER_NOTIF together")
> > Reported-by: syzbot+3ad9614a12f80994c32e@syzkaller.appspotmail.com
> > Signed-off-by: Tycho Andersen <tycho@tycho.pizza>
> > ---
> > kernel/seccomp.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/kernel/seccomp.c b/kernel/seccomp.c
> > index 3ee59ce0a323..21a76127833f 100644
> > --- a/kernel/seccomp.c
> > +++ b/kernel/seccomp.c
> > @@ -1581,6 +1581,8 @@ static long seccomp_set_mode_filter(unsigned int flags,
> > listener_f->private_data = NULL;
> > fput(listener_f);
> > put_unused_fd(listener);
> > + kfree(filter->notif);
> > + filter->notif = NULL;
>
> Oof, actually this isn't quite right. It should be s/filter/prepared/g.
> I can fix that and send out a real patch that's actually tested at
> some point tomorrow.
Ah! Yes, nice catch. I was staring at the wrong failure path. :)
I'm thinking the free/NULL pattern, since it's repeated in a few places,
should likely be a short helper. I'll stare at this some more...
--
Kees Cook
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: memory leak in do_seccomp
2020-09-01 1:14 ` Tycho Andersen
@ 2020-09-01 10:07 ` Christian Brauner
2020-09-01 15:08 ` Kees Cook
1 sibling, 0 replies; 11+ messages in thread
From: Christian Brauner @ 2020-09-01 10:07 UTC (permalink / raw)
To: Tycho Andersen
Cc: Kees Cook, Christian Brauner, linux-kernel, luto, syzbot,
syzkaller-bugs, wad
On Mon, Aug 31, 2020 at 07:14:59PM -0600, Tycho Andersen wrote:
> On Mon, Aug 31, 2020 at 06:09:15PM -0600, Tycho Andersen wrote:
> > On Mon, Aug 31, 2020 at 04:25:35PM -0700, Kees Cook wrote:
> > > On Sun, Aug 30, 2020 at 08:50:15PM -0700, syzbot wrote:
> > > > syzbot has found a reproducer for the following issue on:
> > > >
> > > > HEAD commit: dcc5c6f0 Merge tag 'x86-urgent-2020-08-30' of git://git.ke..
> > > > git tree: upstream
> > > > console output: https://syzkaller.appspot.com/x/log.txt?x=10b297d5900000
> > > > kernel config: https://syzkaller.appspot.com/x/.config?x=903b9fecc3c6d231
> > > > dashboard link: https://syzkaller.appspot.com/bug?extid=3ad9614a12f80994c32e
> > > > compiler: gcc (GCC) 10.1.0-syz 20200507
> > > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14649561900000
> > > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=118aacc1900000
> > > >
> > > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > > Reported-by: syzbot+3ad9614a12f80994c32e@syzkaller.appspotmail.com
> > > >
> > > > executing program
> > > > executing program
> > > > executing program
> > > > executing program
> > > > executing program
> > > > BUG: memory leak
> > > > unreferenced object 0xffff88811ba93600 (size 64):
> > > > comm "syz-executor680", pid 6503, jiffies 4294951104 (age 21.940s)
> > > > hex dump (first 32 bytes):
> > > > 00 00 00 00 00 00 00 00 08 36 a9 1b 81 88 ff ff .........6......
> > > > 08 36 a9 1b 81 88 ff ff 11 ce 98 89 3a d5 b4 8f .6..........:...
> > > > backtrace:
> > > > [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
> > > > [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
> > > > [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
> > > > [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
> > > > [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
> > > > [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
> > > > [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> > >
> > > I haven't narrowed this down yet (and it *might* be a false positive),
> > > but it looks like this is filter->notif. The only way that's possible is
> > > if seccomp_notify_release() was never called *and* seccomp_filter_free()
> > > got called... which would imply a reference counting problem. The way
> > > there doesn't jump out at me yet, but I haven't yet decoded the C
> > > reproducer into the actual seccomp arguments, etc.
> >
> > Looks like it's just a bunch of threads in the same thread group
> > trying to install a filter with TSYNC and NEW_LISTENER turned on. Does
> > the patch below look reasonable?
> >
> > I didn't send it separately since I'm in the process of switching my
> > e-mail address to tycho@tycho.pizza; let this e-mail serve as proof
> > that that e-mail really is me too :). I can send it the normal way if
> > it looks good.
> >
> >
> > From d497e787e8e1b3e8b9230fdc4c9802616709c920 Mon Sep 17 00:00:00 2001
> > From: Tycho Andersen <tycho@tycho.pizza>
> > Date: Mon, 31 Aug 2020 17:55:07 -0600
> > Subject: [PATCH] seccomp: don't leak memory when filter install races
> >
> > In seccomp_set_mode_filter() with TSYNC | NEW_LISTENER, we first initialize
> > the listener fd, then check to see if we can actually use it later in
> > seccomp_may_assign_mode(), which can fail if anyone else in our thread
> > group has installed a filter and caused some divergence. If we can't, we
> > partially clean up the newly allocated file: we put the fd, put the file,
> > but don't actually clean up the *memory* that was allocated at
> > filter->notif. Let's clean that up too.
> >
> > Fixes: 51891498f2da ("seccomp: allow TSYNC and USER_NOTIF together")
> > Reported-by: syzbot+3ad9614a12f80994c32e@syzkaller.appspotmail.com
> > Signed-off-by: Tycho Andersen <tycho@tycho.pizza>
> > ---
> > kernel/seccomp.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/kernel/seccomp.c b/kernel/seccomp.c
> > index 3ee59ce0a323..21a76127833f 100644
> > --- a/kernel/seccomp.c
> > +++ b/kernel/seccomp.c
> > @@ -1581,6 +1581,8 @@ static long seccomp_set_mode_filter(unsigned int flags,
> > listener_f->private_data = NULL;
> > fput(listener_f);
> > put_unused_fd(listener);
> > + kfree(filter->notif);
> > + filter->notif = NULL;
>
> Oof, actually this isn't quite right. It should be s/filter/prepared/g.
> I can fix that and send out a real patch that's actually tested at
> some point tomorrow.
Please do. :)
Do we have tests for this scenario in the selftests, Tycho?
Christian
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: memory leak in do_seccomp
2020-09-01 0:09 ` Tycho Andersen
@ 2020-09-01 1:14 ` Tycho Andersen
2020-09-01 10:07 ` Christian Brauner
2020-09-01 15:08 ` Kees Cook
0 siblings, 2 replies; 11+ messages in thread
From: Tycho Andersen @ 2020-09-01 1:14 UTC (permalink / raw)
To: Kees Cook
Cc: Christian Brauner, linux-kernel, luto, syzbot, syzkaller-bugs, wad
On Mon, Aug 31, 2020 at 06:09:15PM -0600, Tycho Andersen wrote:
> On Mon, Aug 31, 2020 at 04:25:35PM -0700, Kees Cook wrote:
> > On Sun, Aug 30, 2020 at 08:50:15PM -0700, syzbot wrote:
> > > syzbot has found a reproducer for the following issue on:
> > >
> > > HEAD commit: dcc5c6f0 Merge tag 'x86-urgent-2020-08-30' of git://git.ke..
> > > git tree: upstream
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=10b297d5900000
> > > kernel config: https://syzkaller.appspot.com/x/.config?x=903b9fecc3c6d231
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=3ad9614a12f80994c32e
> > > compiler: gcc (GCC) 10.1.0-syz 20200507
> > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14649561900000
> > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=118aacc1900000
> > >
> > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > Reported-by: syzbot+3ad9614a12f80994c32e@syzkaller.appspotmail.com
> > >
> > > executing program
> > > executing program
> > > executing program
> > > executing program
> > > executing program
> > > BUG: memory leak
> > > unreferenced object 0xffff88811ba93600 (size 64):
> > > comm "syz-executor680", pid 6503, jiffies 4294951104 (age 21.940s)
> > > hex dump (first 32 bytes):
> > > 00 00 00 00 00 00 00 00 08 36 a9 1b 81 88 ff ff .........6......
> > > 08 36 a9 1b 81 88 ff ff 11 ce 98 89 3a d5 b4 8f .6..........:...
> > > backtrace:
> > > [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
> > > [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
> > > [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
> > > [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
> > > [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
> > > [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
> > > [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> >
> > I haven't narrowed this down yet (and it *might* be a false positive),
> > but it looks like this is filter->notif. The only way that's possible is
> > if seccomp_notify_release() was never called *and* seccomp_filter_free()
> > got called... which would imply a reference counting problem. The way
> > there doesn't jump out at me yet, but I haven't yet decoded the C
> > reproducer into the actual seccomp arguments, etc.
>
> Looks like it's just a bunch of threads in the same thread group
> trying to install a filter with TSYNC and NEW_LISTENER turned on. Does
> the patch below look reasonable?
>
> I didn't send it separately since I'm in the process of switching my
> e-mail address to tycho@tycho.pizza; let this e-mail serve as proof
> that that e-mail really is me too :). I can send it the normal way if
> it looks good.
>
>
> From d497e787e8e1b3e8b9230fdc4c9802616709c920 Mon Sep 17 00:00:00 2001
> From: Tycho Andersen <tycho@tycho.pizza>
> Date: Mon, 31 Aug 2020 17:55:07 -0600
> Subject: [PATCH] seccomp: don't leak memory when filter install races
>
> In seccomp_set_mode_filter() with TSYNC | NEW_LISTENER, we first initialize
> the listener fd, then check to see if we can actually use it later in
> seccomp_may_assign_mode(), which can fail if anyone else in our thread
> group has installed a filter and caused some divergence. If we can't, we
> partially clean up the newly allocated file: we put the fd, put the file,
> but don't actually clean up the *memory* that was allocated at
> filter->notif. Let's clean that up too.
>
> Fixes: 51891498f2da ("seccomp: allow TSYNC and USER_NOTIF together")
> Reported-by: syzbot+3ad9614a12f80994c32e@syzkaller.appspotmail.com
> Signed-off-by: Tycho Andersen <tycho@tycho.pizza>
> ---
> kernel/seccomp.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/kernel/seccomp.c b/kernel/seccomp.c
> index 3ee59ce0a323..21a76127833f 100644
> --- a/kernel/seccomp.c
> +++ b/kernel/seccomp.c
> @@ -1581,6 +1581,8 @@ static long seccomp_set_mode_filter(unsigned int flags,
> listener_f->private_data = NULL;
> fput(listener_f);
> put_unused_fd(listener);
> + kfree(filter->notif);
> + filter->notif = NULL;
Oof, actually this isn't quite right. It should be s/filter/prepared/g.
I can fix that and send out a real patch that's actually tested at
some point tomorrow.
Tycho
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: memory leak in do_seccomp
2020-08-31 23:25 ` Kees Cook
@ 2020-09-01 0:09 ` Tycho Andersen
2020-09-01 1:14 ` Tycho Andersen
0 siblings, 1 reply; 11+ messages in thread
From: Tycho Andersen @ 2020-09-01 0:09 UTC (permalink / raw)
To: Kees Cook
Cc: Christian Brauner, linux-kernel, luto, syzbot, syzkaller-bugs,
wad, Tycho Andersen
On Mon, Aug 31, 2020 at 04:25:35PM -0700, Kees Cook wrote:
> On Sun, Aug 30, 2020 at 08:50:15PM -0700, syzbot wrote:
> > syzbot has found a reproducer for the following issue on:
> >
> > HEAD commit: dcc5c6f0 Merge tag 'x86-urgent-2020-08-30' of git://git.ke..
> > git tree: upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=10b297d5900000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=903b9fecc3c6d231
> > dashboard link: https://syzkaller.appspot.com/bug?extid=3ad9614a12f80994c32e
> > compiler: gcc (GCC) 10.1.0-syz 20200507
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14649561900000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=118aacc1900000
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+3ad9614a12f80994c32e@syzkaller.appspotmail.com
> >
> > executing program
> > executing program
> > executing program
> > executing program
> > executing program
> > BUG: memory leak
> > unreferenced object 0xffff88811ba93600 (size 64):
> > comm "syz-executor680", pid 6503, jiffies 4294951104 (age 21.940s)
> > hex dump (first 32 bytes):
> > 00 00 00 00 00 00 00 00 08 36 a9 1b 81 88 ff ff .........6......
> > 08 36 a9 1b 81 88 ff ff 11 ce 98 89 3a d5 b4 8f .6..........:...
> > backtrace:
> > [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
> > [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
> > [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
> > [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
> > [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
> > [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
> > [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> I haven't narrowed this down yet (and it *might* be a false positive),
> but it looks like this is filter->notif. The only way that's possible is
> if seccomp_notify_release() was never called *and* seccomp_filter_free()
> got called... which would imply a reference counting problem. The way
> there doesn't jump out at me yet, but I haven't yet decoded the C
> reproducer into the actual seccomp arguments, etc.
Looks like it's just a bunch of threads in the same thread group
trying to install a filter with TSYNC and NEW_LISTENER turned on. Does
the patch below look reasonable?
I didn't send it separately since I'm in the process of switching my
e-mail address to tycho@tycho.pizza; let this e-mail serve as proof
that that e-mail really is me too :). I can send it the normal way if
it looks good.
From d497e787e8e1b3e8b9230fdc4c9802616709c920 Mon Sep 17 00:00:00 2001
From: Tycho Andersen <tycho@tycho.pizza>
Date: Mon, 31 Aug 2020 17:55:07 -0600
Subject: [PATCH] seccomp: don't leak memory when filter install races
In seccomp_set_mode_filter() with TSYNC | NEW_LISTENER, we first initialize
the listener fd, then check to see if we can actually use it later in
seccomp_may_assign_mode(), which can fail if anyone else in our thread
group has installed a filter and caused some divergence. If we can't, we
partially clean up the newly allocated file: we put the fd, put the file,
but don't actually clean up the *memory* that was allocated at
filter->notif. Let's clean that up too.
Fixes: 51891498f2da ("seccomp: allow TSYNC and USER_NOTIF together")
Reported-by: syzbot+3ad9614a12f80994c32e@syzkaller.appspotmail.com
Signed-off-by: Tycho Andersen <tycho@tycho.pizza>
---
kernel/seccomp.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index 3ee59ce0a323..21a76127833f 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -1581,6 +1581,8 @@ static long seccomp_set_mode_filter(unsigned int flags,
listener_f->private_data = NULL;
fput(listener_f);
put_unused_fd(listener);
+ kfree(filter->notif);
+ filter->notif = NULL;
} else {
fd_install(listener, listener_f);
ret = listener;
base-commit: b51594df17d0ce80b9f9f35394a1f42d7ac94472
--
2.25.1
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: memory leak in do_seccomp
2020-08-31 3:50 ` syzbot
@ 2020-08-31 23:25 ` Kees Cook
2020-09-01 0:09 ` Tycho Andersen
0 siblings, 1 reply; 11+ messages in thread
From: Kees Cook @ 2020-08-31 23:25 UTC (permalink / raw)
To: Tycho Andersen, Christian Brauner
Cc: linux-kernel, luto, syzbot, syzkaller-bugs, wad
On Sun, Aug 30, 2020 at 08:50:15PM -0700, syzbot wrote:
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: dcc5c6f0 Merge tag 'x86-urgent-2020-08-30' of git://git.ke..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=10b297d5900000
> kernel config: https://syzkaller.appspot.com/x/.config?x=903b9fecc3c6d231
> dashboard link: https://syzkaller.appspot.com/bug?extid=3ad9614a12f80994c32e
> compiler: gcc (GCC) 10.1.0-syz 20200507
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14649561900000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=118aacc1900000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+3ad9614a12f80994c32e@syzkaller.appspotmail.com
>
> executing program
> executing program
> executing program
> executing program
> executing program
> BUG: memory leak
> unreferenced object 0xffff88811ba93600 (size 64):
> comm "syz-executor680", pid 6503, jiffies 4294951104 (age 21.940s)
> hex dump (first 32 bytes):
> 00 00 00 00 00 00 00 00 08 36 a9 1b 81 88 ff ff .........6......
> 08 36 a9 1b 81 88 ff ff 11 ce 98 89 3a d5 b4 8f .6..........:...
> backtrace:
> [<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
> [<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
> [<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
> [<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
> [<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
> [<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
> [<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
I haven't narrowed this down yet (and it *might* be a false positive),
but it looks like this is filter->notif. The only way that's possible is
if seccomp_notify_release() was never called *and* seccomp_filter_free()
got called... which would imply a reference counting problem. The way
there doesn't jump out at me yet, but I haven't yet decoded the C
reproducer into the actual seccomp arguments, etc.
--
Kees Cook
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: memory leak in do_seccomp
2020-08-11 17:06 syzbot
@ 2020-08-31 3:50 ` syzbot
2020-08-31 23:25 ` Kees Cook
0 siblings, 1 reply; 11+ messages in thread
From: syzbot @ 2020-08-31 3:50 UTC (permalink / raw)
To: andriin, ast, bpf, daniel, john.fastabend, kafai, keescook,
kpsingh, linux-kernel, luto, netdev, songliubraving,
syzkaller-bugs, wad, yhs
syzbot has found a reproducer for the following issue on:
HEAD commit: dcc5c6f0 Merge tag 'x86-urgent-2020-08-30' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10b297d5900000
kernel config: https://syzkaller.appspot.com/x/.config?x=903b9fecc3c6d231
dashboard link: https://syzkaller.appspot.com/bug?extid=3ad9614a12f80994c32e
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14649561900000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=118aacc1900000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3ad9614a12f80994c32e@syzkaller.appspotmail.com
executing program
executing program
executing program
executing program
executing program
BUG: memory leak
unreferenced object 0xffff88811ba93600 (size 64):
comm "syz-executor680", pid 6503, jiffies 4294951104 (age 21.940s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 08 36 a9 1b 81 88 ff ff .........6......
08 36 a9 1b 81 88 ff ff 11 ce 98 89 3a d5 b4 8f .6..........:...
backtrace:
[<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
[<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
[<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
[<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
[<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
[<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff88811ba936c0 (size 64):
comm "syz-executor680", pid 6507, jiffies 4294951104 (age 21.940s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 c8 36 a9 1b 81 88 ff ff .........6......
c8 36 a9 1b 81 88 ff ff da fb d1 41 a1 10 39 25 .6.........A..9%
backtrace:
[<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
[<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
[<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
[<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
[<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
[<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff88811ba93700 (size 64):
comm "syz-executor680", pid 6509, jiffies 4294951104 (age 21.940s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 08 37 a9 1b 81 88 ff ff .........7......
08 37 a9 1b 81 88 ff ff d9 22 de 70 43 30 b3 2f .7.......".pC0./
backtrace:
[<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
[<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
[<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
[<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
[<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
[<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff88811ba93800 (size 64):
comm "syz-executor680", pid 6511, jiffies 4294951104 (age 21.940s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 08 38 a9 1b 81 88 ff ff .........8......
08 38 a9 1b 81 88 ff ff e4 c1 14 15 81 90 49 44 .8............ID
backtrace:
[<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
[<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
[<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
[<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
[<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
[<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff8881193cb800 (size 64):
comm "syz-executor680", pid 6506, jiffies 4294951104 (age 21.940s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 08 b8 3c 19 81 88 ff ff ..........<.....
08 b8 3c 19 81 88 ff ff 87 43 ff ae fd 23 b0 15 ..<......C...#..
backtrace:
[<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
[<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
[<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
[<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
[<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
[<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff8881193cb740 (size 64):
comm "syz-executor680", pid 6513, jiffies 4294951104 (age 21.940s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 48 b7 3c 19 81 88 ff ff ........H.<.....
48 b7 3c 19 81 88 ff ff 0b 68 b6 93 80 9b 8d 35 H.<......h.....5
backtrace:
[<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
[<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
[<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
[<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
[<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
[<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff8881193cb640 (size 64):
comm "syz-executor680", pid 6515, jiffies 4294951105 (age 21.930s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 48 b6 3c 19 81 88 ff ff ........H.<.....
48 b6 3c 19 81 88 ff ff b4 5e 22 0a b5 50 fa a5 H.<......^"..P..
backtrace:
[<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
[<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
[<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
[<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
[<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
[<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff88811ba93600 (size 64):
comm "syz-executor680", pid 6503, jiffies 4294951104 (age 23.180s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 08 36 a9 1b 81 88 ff ff .........6......
08 36 a9 1b 81 88 ff ff 11 ce 98 89 3a d5 b4 8f .6..........:...
backtrace:
[<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
[<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
[<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
[<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
[<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
[<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff88811ba936c0 (size 64):
comm "syz-executor680", pid 6507, jiffies 4294951104 (age 23.180s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 c8 36 a9 1b 81 88 ff ff .........6......
c8 36 a9 1b 81 88 ff ff da fb d1 41 a1 10 39 25 .6.........A..9%
backtrace:
[<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
[<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
[<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
[<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
[<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
[<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff88811ba93700 (size 64):
comm "syz-executor680", pid 6509, jiffies 4294951104 (age 23.180s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 08 37 a9 1b 81 88 ff ff .........7......
08 37 a9 1b 81 88 ff ff d9 22 de 70 43 30 b3 2f .7.......".pC0./
backtrace:
[<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
[<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
[<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
[<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
[<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
[<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff88811ba93800 (size 64):
comm "syz-executor680", pid 6511, jiffies 4294951104 (age 23.180s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 08 38 a9 1b 81 88 ff ff .........8......
08 38 a9 1b 81 88 ff ff e4 c1 14 15 81 90 49 44 .8............ID
backtrace:
[<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
[<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
[<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
[<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
[<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
[<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff8881193cb800 (size 64):
comm "syz-executor680", pid 6506, jiffies 4294951104 (age 23.180s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 08 b8 3c 19 81 88 ff ff ..........<.....
08 b8 3c 19 81 88 ff ff 87 43 ff ae fd 23 b0 15 ..<......C...#..
backtrace:
[<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
[<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
[<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
[<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
[<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
[<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff8881193cb740 (size 64):
comm "syz-executor680", pid 6513, jiffies 4294951104 (age 23.180s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 48 b7 3c 19 81 88 ff ff ........H.<.....
48 b7 3c 19 81 88 ff ff 0b 68 b6 93 80 9b 8d 35 H.<......h.....5
backtrace:
[<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
[<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
[<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
[<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
[<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
[<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff8881193cb640 (size 64):
comm "syz-executor680", pid 6515, jiffies 4294951105 (age 23.170s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 48 b6 3c 19 81 88 ff ff ........H.<.....
48 b6 3c 19 81 88 ff ff b4 5e 22 0a b5 50 fa a5 H.<......^"..P..
backtrace:
[<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
[<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
[<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
[<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
[<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
[<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff88811ba93600 (size 64):
comm "syz-executor680", pid 6503, jiffies 4294951104 (age 24.450s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 08 36 a9 1b 81 88 ff ff .........6......
08 36 a9 1b 81 88 ff ff 11 ce 98 89 3a d5 b4 8f .6..........:...
backtrace:
[<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
[<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
[<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
[<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
[<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
[<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff88811ba936c0 (size 64):
comm "syz-executor680", pid 6507, jiffies 4294951104 (age 24.450s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 c8 36 a9 1b 81 88 ff ff .........6......
c8 36 a9 1b 81 88 ff ff da fb d1 41 a1 10 39 25 .6.........A..9%
backtrace:
[<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
[<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
[<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
[<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
[<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
[<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff88811ba93700 (size 64):
comm "syz-executor680", pid 6509, jiffies 4294951104 (age 24.450s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 08 37 a9 1b 81 88 ff ff .........7......
08 37 a9 1b 81 88 ff ff d9 22 de 70 43 30 b3 2f .7.......".pC0./
backtrace:
[<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
[<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
[<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
[<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
[<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
[<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff88811ba93800 (size 64):
comm "syz-executor680", pid 6511, jiffies 4294951104 (age 24.450s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 08 38 a9 1b 81 88 ff ff .........8......
08 38 a9 1b 81 88 ff ff e4 c1 14 15 81 90 49 44 .8............ID
backtrace:
[<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
[<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
[<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
[<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
[<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
[<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff8881193cb800 (size 64):
comm "syz-executor680", pid 6506, jiffies 4294951104 (age 24.450s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 08 b8 3c 19 81 88 ff ff ..........<.....
08 b8 3c 19 81 88 ff ff 87 43 ff ae fd 23 b0 15 ..<......C...#..
backtrace:
[<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
[<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
[<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
[<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
[<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
[<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff8881193cb740 (size 64):
comm "syz-executor680", pid 6513, jiffies 4294951104 (age 24.450s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 48 b7 3c 19 81 88 ff ff ........H.<.....
48 b7 3c 19 81 88 ff ff 0b 68 b6 93 80 9b 8d 35 H.<......h.....5
backtrace:
[<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
[<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
[<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
[<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
[<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
[<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff8881193cb640 (size 64):
comm "syz-executor680", pid 6515, jiffies 4294951105 (age 24.440s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 48 b6 3c 19 81 88 ff ff ........H.<.....
48 b6 3c 19 81 88 ff ff b4 5e 22 0a b5 50 fa a5 H.<......^"..P..
backtrace:
[<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
[<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
[<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
[<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
[<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
[<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff88811ba93600 (size 64):
comm "syz-executor680", pid 6503, jiffies 4294951104 (age 25.710s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 08 36 a9 1b 81 88 ff ff .........6......
08 36 a9 1b 81 88 ff ff 11 ce 98 89 3a d5 b4 8f .6..........:...
backtrace:
[<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
[<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
[<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
[<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
[<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
[<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff88811ba936c0 (size 64):
comm "syz-executor680", pid 6507, jiffies 4294951104 (age 25.710s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 c8 36 a9 1b 81 88 ff ff .........6......
c8 36 a9 1b 81 88 ff ff da fb d1 41 a1 10 39 25 .6.........A..9%
backtrace:
[<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
[<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
[<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
[<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
[<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
[<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff88811ba93700 (size 64):
comm "syz-executor680", pid 6509, jiffies 4294951104 (age 25.710s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 08 37 a9 1b 81 88 ff ff .........7......
08 37 a9 1b 81 88 ff ff d9 22 de 70 43 30 b3 2f .7.......".pC0./
backtrace:
[<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
[<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
[<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
[<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
[<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
[<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff88811ba93800 (size 64):
comm "syz-executor680", pid 6511, jiffies 4294951104 (age 25.710s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 08 38 a9 1b 81 88 ff ff .........8......
08 38 a9 1b 81 88 ff ff e4 c1 14 15 81 90 49 44 .8............ID
backtrace:
[<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
[<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
[<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
[<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
[<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
[<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff8881193cb800 (size 64):
comm "syz-executor680", pid 6506, jiffies 4294951104 (age 25.710s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 08 b8 3c 19 81 88 ff ff ..........<.....
08 b8 3c 19 81 88 ff ff 87 43 ff ae fd 23 b0 15 ..<......C...#..
backtrace:
[<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
[<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
[<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
[<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
[<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
[<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff8881193cb740 (size 64):
comm "syz-executor680", pid 6513, jiffies 4294951104 (age 25.710s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 48 b7 3c 19 81 88 ff ff ........H.<.....
48 b7 3c 19 81 88 ff ff 0b 68 b6 93 80 9b 8d 35 H.<......h.....5
backtrace:
[<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
[<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
[<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
[<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
[<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
[<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff8881193cb640 (size 64):
comm "syz-executor680", pid 6515, jiffies 4294951105 (age 25.700s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 48 b6 3c 19 81 88 ff ff ........H.<.....
48 b6 3c 19 81 88 ff ff b4 5e 22 0a b5 50 fa a5 H.<......^"..P..
backtrace:
[<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
[<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
[<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
[<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
[<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
[<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff88811ba93600 (size 64):
comm "syz-executor680", pid 6503, jiffies 4294951104 (age 28.150s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 08 36 a9 1b 81 88 ff ff .........6......
08 36 a9 1b 81 88 ff ff 11 ce 98 89 3a d5 b4 8f .6..........:...
backtrace:
[<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
[<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
[<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
[<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
[<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
[<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff88811ba936c0 (size 64):
comm "syz-executor680", pid 6507, jiffies 4294951104 (age 28.150s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 c8 36 a9 1b 81 88 ff ff .........6......
c8 36 a9 1b 81 88 ff ff da fb d1 41 a1 10 39 25 .6.........A..9%
backtrace:
[<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
[<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
[<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
[<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
[<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
[<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff88811ba93700 (size 64):
comm "syz-executor680", pid 6509, jiffies 4294951104 (age 28.150s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 08 37 a9 1b 81 88 ff ff .........7......
08 37 a9 1b 81 88 ff ff d9 22 de 70 43 30 b3 2f .7.......".pC0./
backtrace:
[<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
[<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
[<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
[<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
[<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
[<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff88811ba93800 (size 64):
comm "syz-executor680", pid 6511, jiffies 4294951104 (age 28.150s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 08 38 a9 1b 81 88 ff ff .........8......
08 38 a9 1b 81 88 ff ff e4 c1 14 15 81 90 49 44 .8............ID
backtrace:
[<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
[<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
[<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
[<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
[<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
[<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff8881193cb800 (size 64):
comm "syz-executor680", pid 6506, jiffies 4294951104 (age 28.150s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 08 b8 3c 19 81 88 ff ff ..........<.....
08 b8 3c 19 81 88 ff ff 87 43 ff ae fd 23 b0 15 ..<......C...#..
backtrace:
[<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
[<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
[<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
[<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
[<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
[<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff8881193cb740 (size 64):
comm "syz-executor680", pid 6513, jiffies 4294951104 (age 28.150s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 48 b7 3c 19 81 88 ff ff ........H.<.....
48 b7 3c 19 81 88 ff ff 0b 68 b6 93 80 9b 8d 35 H.<......h.....5
backtrace:
[<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
[<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
[<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
[<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
[<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
[<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff8881193cb640 (size 64):
comm "syz-executor680", pid 6515, jiffies 4294951105 (age 28.140s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 48 b6 3c 19 81 88 ff ff ........H.<.....
48 b6 3c 19 81 88 ff ff b4 5e 22 0a b5 50 fa a5 H.<......^"..P..
backtrace:
[<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
[<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
[<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
[<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
[<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
[<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff88811ba93600 (size 64):
comm "syz-executor680", pid 6503, jiffies 4294951104 (age 29.390s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 08 36 a9 1b 81 88 ff ff .........6......
08 36 a9 1b 81 88 ff ff 11 ce 98 89 3a d5 b4 8f .6..........:...
backtrace:
[<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
[<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
[<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
[<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
[<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
[<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff88811ba936c0 (size 64):
comm "syz-executor680", pid 6507, jiffies 4294951104 (age 29.390s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 c8 36 a9 1b 81 88 ff ff .........6......
c8 36 a9 1b 81 88 ff ff da fb d1 41 a1 10 39 25 .6.........A..9%
backtrace:
[<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
[<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
[<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
[<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
[<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
[<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff88811ba93700 (size 64):
comm "syz-executor680", pid 6509, jiffies 4294951104 (age 29.390s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 08 37 a9 1b 81 88 ff ff .........7......
08 37 a9 1b 81 88 ff ff d9 22 de 70 43 30 b3 2f .7.......".pC0./
backtrace:
[<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
[<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
[<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
[<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
[<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
[<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff88811ba93800 (size 64):
comm "syz-executor680", pid 6511, jiffies 4294951104 (age 29.390s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 08 38 a9 1b 81 88 ff ff .........8......
08 38 a9 1b 81 88 ff ff e4 c1 14 15 81 90 49 44 .8............ID
backtrace:
[<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
[<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
[<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
[<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
[<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
[<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff8881193cb800 (size 64):
comm "syz-executor680", pid 6506, jiffies 4294951104 (age 29.390s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 08 b8 3c 19 81 88 ff ff ..........<.....
08 b8 3c 19 81 88 ff ff 87 43 ff ae fd 23 b0 15 ..<......C...#..
backtrace:
[<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
[<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
[<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
[<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
[<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
[<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff8881193cb740 (size 64):
comm "syz-executor680", pid 6513, jiffies 4294951104 (age 29.390s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 48 b7 3c 19 81 88 ff ff ........H.<.....
48 b7 3c 19 81 88 ff ff 0b 68 b6 93 80 9b 8d 35 H.<......h.....5
backtrace:
[<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
[<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
[<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
[<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
[<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
[<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff8881193cb640 (size 64):
comm "syz-executor680", pid 6515, jiffies 4294951105 (age 29.380s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 48 b6 3c 19 81 88 ff ff ........H.<.....
48 b6 3c 19 81 88 ff ff b4 5e 22 0a b5 50 fa a5 H.<......^"..P..
backtrace:
[<00000000896418b0>] kmalloc include/linux/slab.h:554 [inline]
[<00000000896418b0>] kzalloc include/linux/slab.h:666 [inline]
[<00000000896418b0>] init_listener kernel/seccomp.c:1473 [inline]
[<00000000896418b0>] seccomp_set_mode_filter kernel/seccomp.c:1546 [inline]
[<00000000896418b0>] do_seccomp+0x8ce/0xd40 kernel/seccomp.c:1649
[<000000002b04976c>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000322b4126>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
executing program
executing program
^ permalink raw reply [flat|nested] 11+ messages in thread
* memory leak in do_seccomp
@ 2020-08-11 17:06 syzbot
2020-08-31 3:50 ` syzbot
0 siblings, 1 reply; 11+ messages in thread
From: syzbot @ 2020-08-11 17:06 UTC (permalink / raw)
To: andriin, ast, bpf, daniel, john.fastabend, kafai, keescook,
kpsingh, linux-kernel, luto, netdev, songliubraving,
syzkaller-bugs, wad, yhs
Hello,
syzbot found the following issue on:
HEAD commit: 449dc8c9 Merge tag 'for-v5.9' of git://git.kernel.org/pub/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15d816c2900000
kernel config: https://syzkaller.appspot.com/x/.config?x=4810fa4a53b3aa2c
dashboard link: https://syzkaller.appspot.com/bug?extid=3ad9614a12f80994c32e
compiler: gcc (GCC) 10.1.0-syz 20200507
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=153d30e2900000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3ad9614a12f80994c32e@syzkaller.appspotmail.com
2020/08/09 00:29:47 executed programs: 3
BUG: memory leak
unreferenced object 0xffff88811310ea80 (size 96):
comm "syz-executor.0", pid 6688, jiffies 4294954707 (age 12.810s)
hex dump (first 32 bytes):
01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 30 e0 00 00 c9 ff ff .........0......
backtrace:
[<0000000073bb6e7d>] kmalloc include/linux/slab.h:554 [inline]
[<0000000073bb6e7d>] kzalloc include/linux/slab.h:666 [inline]
[<0000000073bb6e7d>] seccomp_prepare_filter kernel/seccomp.c:562 [inline]
[<0000000073bb6e7d>] seccomp_prepare_user_filter kernel/seccomp.c:604 [inline]
[<0000000073bb6e7d>] seccomp_set_mode_filter kernel/seccomp.c:1535 [inline]
[<0000000073bb6e7d>] do_seccomp+0x2ec/0xd40 kernel/seccomp.c:1649
[<00000000658618a4>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000b8258e4d>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffffc90000e03000 (size 4096):
comm "syz-executor.0", pid 6688, jiffies 4294954707 (age 12.810s)
hex dump (first 32 bytes):
01 00 03 00 00 00 00 00 00 00 00 00 05 00 00 00 ................
2d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -...............
backtrace:
[<000000003b6a39af>] __vmalloc_node_range+0x2e1/0x3c0 mm/vmalloc.c:2520
[<00000000eee59e12>] __vmalloc_node mm/vmalloc.c:2552 [inline]
[<00000000eee59e12>] __vmalloc+0x49/0x50 mm/vmalloc.c:2566
[<000000006e13ac2a>] bpf_prog_alloc_no_stats+0x32/0x100 kernel/bpf/core.c:85
[<00000000cff3572c>] bpf_prog_alloc+0x1c/0xb0 kernel/bpf/core.c:111
[<000000003222ffa9>] bpf_prog_create_from_user+0x5f/0x2a0 net/core/filter.c:1409
[<00000000baa576ae>] seccomp_prepare_filter kernel/seccomp.c:567 [inline]
[<00000000baa576ae>] seccomp_prepare_user_filter kernel/seccomp.c:604 [inline]
[<00000000baa576ae>] seccomp_set_mode_filter kernel/seccomp.c:1535 [inline]
[<00000000baa576ae>] do_seccomp+0x32e/0xd40 kernel/seccomp.c:1649
[<00000000658618a4>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000b8258e4d>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff888113bc1c00 (size 1024):
comm "syz-executor.0", pid 6688, jiffies 4294954707 (age 12.810s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<000000000466b245>] kmalloc include/linux/slab.h:554 [inline]
[<000000000466b245>] kzalloc include/linux/slab.h:666 [inline]
[<000000000466b245>] bpf_prog_alloc_no_stats+0x73/0x100 kernel/bpf/core.c:89
[<00000000cff3572c>] bpf_prog_alloc+0x1c/0xb0 kernel/bpf/core.c:111
[<000000003222ffa9>] bpf_prog_create_from_user+0x5f/0x2a0 net/core/filter.c:1409
[<00000000baa576ae>] seccomp_prepare_filter kernel/seccomp.c:567 [inline]
[<00000000baa576ae>] seccomp_prepare_user_filter kernel/seccomp.c:604 [inline]
[<00000000baa576ae>] seccomp_set_mode_filter kernel/seccomp.c:1535 [inline]
[<00000000baa576ae>] do_seccomp+0x32e/0xd40 kernel/seccomp.c:1649
[<00000000658618a4>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000b8258e4d>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff8881154cb860 (size 32):
comm "syz-executor.0", pid 6688, jiffies 4294954707 (age 12.810s)
hex dump (first 32 bytes):
01 00 73 74 65 6d 64 2d 00 5c d6 19 81 88 ff ff ..stemd-.\......
65 72 76 69 63 65 00 00 00 00 00 00 00 00 00 00 ervice..........
backtrace:
[<00000000561d65d4>] kmalloc include/linux/slab.h:554 [inline]
[<00000000561d65d4>] bpf_prog_store_orig_filter+0x33/0xa0 net/core/filter.c:1131
[<000000005d9b7cd2>] bpf_prog_create_from_user+0xda/0x2a0 net/core/filter.c:1422
[<00000000baa576ae>] seccomp_prepare_filter kernel/seccomp.c:567 [inline]
[<00000000baa576ae>] seccomp_prepare_user_filter kernel/seccomp.c:604 [inline]
[<00000000baa576ae>] seccomp_set_mode_filter kernel/seccomp.c:1535 [inline]
[<00000000baa576ae>] do_seccomp+0x32e/0xd40 kernel/seccomp.c:1649
[<00000000658618a4>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000b8258e4d>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff888119d65c00 (size 32):
comm "syz-executor.0", pid 6688, jiffies 4294954707 (age 12.810s)
hex dump (first 32 bytes):
06 00 00 00 fb ff ff 7f 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<00000000ad603142>] kmemdup+0x23/0x50 mm/util.c:127
[<0000000001d3eabf>] kmemdup include/linux/string.h:479 [inline]
[<0000000001d3eabf>] bpf_prog_store_orig_filter+0x5e/0xa0 net/core/filter.c:1138
[<000000005d9b7cd2>] bpf_prog_create_from_user+0xda/0x2a0 net/core/filter.c:1422
[<00000000baa576ae>] seccomp_prepare_filter kernel/seccomp.c:567 [inline]
[<00000000baa576ae>] seccomp_prepare_user_filter kernel/seccomp.c:604 [inline]
[<00000000baa576ae>] seccomp_set_mode_filter kernel/seccomp.c:1535 [inline]
[<00000000baa576ae>] do_seccomp+0x32e/0xd40 kernel/seccomp.c:1649
[<00000000658618a4>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000b8258e4d>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff8881131ecb00 (size 96):
comm "syz-executor.0", pid 6688, jiffies 4294954707 (age 12.810s)
hex dump (first 32 bytes):
01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
80 ea 10 13 81 88 ff ff 00 b0 d8 00 00 c9 ff ff ................
backtrace:
[<0000000073bb6e7d>] kmalloc include/linux/slab.h:554 [inline]
[<0000000073bb6e7d>] kzalloc include/linux/slab.h:666 [inline]
[<0000000073bb6e7d>] seccomp_prepare_filter kernel/seccomp.c:562 [inline]
[<0000000073bb6e7d>] seccomp_prepare_user_filter kernel/seccomp.c:604 [inline]
[<0000000073bb6e7d>] seccomp_set_mode_filter kernel/seccomp.c:1535 [inline]
[<0000000073bb6e7d>] do_seccomp+0x2ec/0xd40 kernel/seccomp.c:1649
[<00000000658618a4>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000b8258e4d>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff88811310e400 (size 96):
comm "syz-executor.0", pid 6702, jiffies 4294955242 (age 7.460s)
hex dump (first 32 bytes):
01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 50 e1 00 00 c9 ff ff .........P......
backtrace:
[<0000000073bb6e7d>] kmalloc include/linux/slab.h:554 [inline]
[<0000000073bb6e7d>] kzalloc include/linux/slab.h:666 [inline]
[<0000000073bb6e7d>] seccomp_prepare_filter kernel/seccomp.c:562 [inline]
[<0000000073bb6e7d>] seccomp_prepare_user_filter kernel/seccomp.c:604 [inline]
[<0000000073bb6e7d>] seccomp_set_mode_filter kernel/seccomp.c:1535 [inline]
[<0000000073bb6e7d>] do_seccomp+0x2ec/0xd40 kernel/seccomp.c:1649
[<00000000658618a4>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000b8258e4d>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2021-08-01 21:11 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-07-31 19:20 memory leak in do_seccomp Sudip Mukherjee
2021-08-01 3:25 ` Kees Cook
2021-08-01 21:10 ` Sudip Mukherjee
-- strict thread matches above, loose matches on Subject: below --
2020-08-11 17:06 syzbot
2020-08-31 3:50 ` syzbot
2020-08-31 23:25 ` Kees Cook
2020-09-01 0:09 ` Tycho Andersen
2020-09-01 1:14 ` Tycho Andersen
2020-09-01 10:07 ` Christian Brauner
2020-09-01 15:08 ` Kees Cook
2020-09-01 15:26 ` Tycho Andersen
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).