From: Ying X. <yin...@wi...> - 2019-08-04 12:03:52
This series fixes two memory leaks in TIPC and one case of smp_processor_id() being called from preemptible context.
From: Ying X. <yin...@wi...> - 2019-08-09 07:29:58
This series fixes two memory leaks in TIPC and one case of smp_processor_id() being called from preemptible context.
From: Ying X. <yin...@wi...> - 2019-08-09 07:29:23
syzbot found the following memory leak issue: [ 72.286706][ T7064] kmemleak: 1 new suspected memory leaks (see /sys/kernel/debug/kmemleak) BUG: memory leak unreferenced object 0xffff888122bca200 (size 128): comm "syz-executor232", pid 7065, jiffies 4294943817 (age 8.880s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 18 a2 bc 22 81 88 ff ff ...........".... backtrace: [<000000005bada299>] kmem_cache_alloc_trace+0x145/0x2c0 [<00000000e7bcdc9f>] tipc_group_create_member+0x3c/0x190 [<0000000005f56f40>] tipc_group_add_member+0x34/0x40 [<0000000044406683>] tipc_nametbl_build_group+0x9b/0xf0 [<000000009f71e803>] tipc_setsockopt+0x170/0x490 [<000000007f61cbc2>] __sys_setsockopt+0x10f/0x220 [<00000000cc630372>] __x64_sys_setsockopt+0x26/0x30 [<00000000ec30be33>] do_syscall_64+0x76/0x1a0 [<00000000271be3e6>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 Reported-by: syz...@sy... Signed-off-by: Hillf Danton <hd...@si...> Signed-off-by: Ying Xue <yin...@wi...> --- net/tipc/group.c | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/net/tipc/group.c b/net/tipc/group.c index 5f98d38..cbc540a 100644 --- a/net/tipc/group.c +++ b/net/tipc/group.c @@ -273,8 +273,8 @@ static struct tipc_member *tipc_group_find_node(struct tipc_group *grp, return NULL; } -static void tipc_group_add_to_tree(struct tipc_group *grp, - struct tipc_member *m) +struct tipc_member *tipc_group_add_to_tree(struct tipc_group *grp, + struct tipc_member *m) { u64 nkey, key = (u64)m->node << 32 | m->port; struct rb_node **n, *parent = NULL; @@ -282,7 +282,6 @@ static void tipc_group_add_to_tree(struct tipc_group *grp, n = &grp->members.rb_node; while (*n) { - tmp = container_of(*n, struct tipc_member, tree_node); parent = *n; tmp = container_of(parent, struct tipc_member, tree_node); nkey = (u64)tmp->node << 32 | tmp->port; 
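Review bot: The `-static void` / `+struct tipc_member *tipc_group_add_to_tree(...)` lines drop the `static` qualifier as a side effect of changing the return type, and no prototype for the function is visible in the hunk; unless a header declares it, keep it file-local with `static struct tipc_member *tipc_group_add_to_tree(struct tipc_group *grp,` (and re-align the continuation line), otherwise the function is exported for no reason and trips -Wmissing-prototypes. The new return contract also deserves a comment above the function, e.g. `/* Returns m once linked into grp->members, or the member already holding (node, port); in that case m is not linked and stays owned by the caller. */`. The first hunk's leading `return NULL; }` belongs to tipc_group_find_node, whose body starts outside the hunk, and tipc_group_add_to_tree's body continues past the second hunk; the dropped duplicate container_of() in that hunk is fine.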
@@ -291,17 +290,18 @@ static void tipc_group_add_to_tree(struct tipc_group *grp, else if (key > nkey) n = &(*n)->rb_right; else - return; + return tmp; } rb_link_node(&m->tree_node, parent, n); rb_insert_color(&m->tree_node, &grp->members); + return m; } static struct tipc_member *tipc_group_create_member(struct tipc_group *grp, u32 node, u32 port, u32 instance, int state) { - struct tipc_member *m; + struct tipc_member *m, *n; m = kzalloc(sizeof(*m), GFP_ATOMIC); if (!m) @@ -315,10 +315,14 @@ static struct tipc_member *tipc_group_create_member(struct tipc_group *grp, m->instance = instance; m->bc_acked = grp->bc_snd_nxt - 1; grp->member_cnt++; - tipc_group_add_to_tree(grp, m); - tipc_nlist_add(&grp->dests, m->node); - m->state = state; - return m; + n = tipc_group_add_to_tree(grp, m); + if (n == m) { + tipc_nlist_add(&grp->dests, m->node); + m->state = state; + } else { + kfree(m); + } + return n; } void tipc_group_add_member(struct tipc_group *grp, u32 node, -- 2.7.4 |
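Review bot: `grp->member_cnt++` in the context line just above `n = tipc_group_add_to_tree(grp, m);` still runs unconditionally, so on the duplicate-key path the new member is freed but the count was already bumped and is never undone, leaving member_cnt one too high per collision. Move the increment into the success branch: `if (n == m) { grp->member_cnt++; tipc_nlist_add(&grp->dests, m->node); m->state = state; }`. Returning the pre-existing member `n` also means a caller can no longer distinguish "created" from "already present"; tipc_group_add_member starts on the hunk's last line with its body outside the hunk, so whether any caller treats a non-NULL return as a fresh member cannot be confirmed here — returning NULL on collision, with a comment stating it, would be the safer contract if no caller needs the existing entry.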
From: Ying X. <yin...@wi...> - 2019-08-09 07:29:25
syzbot found the following issue: [ 81.119772][ T8612] BUG: using smp_processor_id() in preemptible [00000000] code: syz-executor834/8612 [ 81.136212][ T8612] caller is dst_cache_get+0x3d/0xb0 [ 81.141450][ T8612] CPU: 0 PID: 8612 Comm: syz-executor834 Not tainted 5.2.0-rc6+ #48 [ 81.149435][ T8612] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 81.159480][ T8612] Call Trace: [ 81.162789][ T8612] dump_stack+0x172/0x1f0 [ 81.167123][ T8612] debug_smp_processor_id+0x251/0x280 [ 81.172479][ T8612] dst_cache_get+0x3d/0xb0 [ 81.176928][ T8612] tipc_udp_xmit.isra.0+0xc4/0xb80 [ 81.182046][ T8612] ? kasan_kmalloc+0x9/0x10 [ 81.186531][ T8612] ? tipc_udp_addr2str+0x170/0x170 [ 81.191641][ T8612] ? __copy_skb_header+0x2e8/0x560 [ 81.196750][ T8612] ? __skb_checksum_complete+0x3f0/0x3f0 [ 81.202364][ T8612] ? netdev_alloc_frag+0x1b0/0x1b0 [ 81.207452][ T8612] ? skb_copy_header+0x21/0x2b0 [ 81.212282][ T8612] ? __pskb_copy_fclone+0x516/0xc90 [ 81.217470][ T8612] tipc_udp_send_msg+0x29a/0x4b0 [ 81.222400][ T8612] tipc_bearer_xmit_skb+0x16c/0x360 [ 81.227585][ T8612] tipc_enable_bearer+0xabe/0xd20 [ 81.232606][ T8612] ? __nla_validate_parse+0x2d0/0x1ee0 [ 81.238048][ T8612] ? tipc_bearer_xmit_skb+0x360/0x360 [ 81.243401][ T8612] ? nla_memcpy+0xb0/0xb0 [ 81.247710][ T8612] ? nla_memcpy+0xb0/0xb0 [ 81.252020][ T8612] ? __nla_parse+0x43/0x60 [ 81.256417][ T8612] __tipc_nl_bearer_enable+0x2de/0x3a0 [ 81.261856][ T8612] ? __tipc_nl_bearer_enable+0x2de/0x3a0 [ 81.267467][ T8612] ? tipc_nl_bearer_disable+0x40/0x40 [ 81.272848][ T8612] ? unwind_get_return_address+0x58/0xa0 [ 81.278501][ T8612] ? lock_acquire+0x16f/0x3f0 [ 81.283190][ T8612] tipc_nl_bearer_enable+0x23/0x40 [ 81.288300][ T8612] genl_family_rcv_msg+0x74b/0xf90 [ 81.293404][ T8612] ? genl_unregister_family+0x790/0x790 [ 81.298935][ T8612] ? __lock_acquire+0x54f/0x5490 [ 81.303852][ T8612] ? 
__netlink_lookup+0x3fa/0x7b0 [ 81.308865][ T8612] genl_rcv_msg+0xca/0x16c [ 81.313266][ T8612] netlink_rcv_skb+0x177/0x450 [ 81.318043][ T8612] ? genl_family_rcv_msg+0xf90/0xf90 [ 81.323311][ T8612] ? netlink_ack+0xb50/0xb50 [ 81.327906][ T8612] ? lock_acquire+0x16f/0x3f0 [ 81.332589][ T8612] ? kasan_check_write+0x14/0x20 [ 81.337511][ T8612] genl_rcv+0x29/0x40 [ 81.341485][ T8612] netlink_unicast+0x531/0x710 [ 81.346268][ T8612] ? netlink_attachskb+0x770/0x770 [ 81.351374][ T8612] ? _copy_from_iter_full+0x25d/0x8c0 [ 81.356765][ T8612] ? __sanitizer_cov_trace_cmp8+0x18/0x20 [ 81.362479][ T8612] ? __check_object_size+0x3d/0x42f [ 81.367667][ T8612] netlink_sendmsg+0x8ae/0xd70 [ 81.372415][ T8612] ? netlink_unicast+0x710/0x710 [ 81.377520][ T8612] ? aa_sock_msg_perm.isra.0+0xba/0x170 [ 81.383051][ T8612] ? apparmor_socket_sendmsg+0x2a/0x30 [ 81.388530][ T8612] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 81.394775][ T8612] ? security_socket_sendmsg+0x8d/0xc0 [ 81.400240][ T8612] ? netlink_unicast+0x710/0x710 [ 81.405161][ T8612] sock_sendmsg+0xd7/0x130 [ 81.409561][ T8612] ___sys_sendmsg+0x803/0x920 [ 81.414220][ T8612] ? copy_msghdr_from_user+0x430/0x430 [ 81.419667][ T8612] ? _raw_spin_unlock_irqrestore+0x6b/0xe0 [ 81.425461][ T8612] ? debug_object_active_state+0x25d/0x380 [ 81.431255][ T8612] ? __lock_acquire+0x54f/0x5490 [ 81.436174][ T8612] ? kasan_check_read+0x11/0x20 [ 81.441208][ T8612] ? _raw_spin_unlock_irqrestore+0xa4/0xe0 [ 81.447008][ T8612] ? mark_held_locks+0xf0/0xf0 [ 81.451768][ T8612] ? __call_rcu.constprop.0+0x28b/0x720 [ 81.457298][ T8612] ? call_rcu+0xb/0x10 [ 81.461353][ T8612] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 81.467589][ T8612] ? __fget_light+0x1a9/0x230 [ 81.472249][ T8612] ? __fdget+0x1b/0x20 [ 81.476301][ T8612] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 81.482545][ T8612] __sys_sendmsg+0x105/0x1d0 [ 81.487115][ T8612] ? __ia32_sys_shutdown+0x80/0x80 [ 81.492208][ T8612] ? 
blkcg_maybe_throttle_current+0x5e2/0xfb0 [ 81.498272][ T8612] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 81.503726][ T8612] ? do_syscall_64+0x26/0x680 [ 81.508385][ T8612] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 81.514444][ T8612] ? do_syscall_64+0x26/0x680 [ 81.519110][ T8612] __x64_sys_sendmsg+0x78/0xb0 [ 81.523862][ T8612] do_syscall_64+0xfd/0x680 [ 81.528352][ T8612] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 81.534234][ T8612] RIP: 0033:0x444679 [ 81.538114][ T8612] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 1b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 81.557709][ T8612] RSP: 002b:00007fff0201a8b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 81.566147][ T8612] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000444679 [ 81.574108][ T8612] RDX: 0000000000000000 RSI: 0000000020000580 RDI: 0000000000000003 [ 81.582152][ T8612] RBP: 00000000006cf018 R08: 0000000000000001 R09: 00000000004002e0 [ 81.590113][ T8612] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000402320 [ 81.598089][ T8612] R13: 00000000004023b0 R14: 0000000000000000 R15: 0000000000 In commit e9c1a793210f ("tipc: add dst_cache support for udp media") dst_cache_get() was introduced to be called in tipc_udp_xmit(). But smp_processor_id() called by dst_cache_get() cannot be invoked in preemptible context, as a result, the complaint above was reported. Fixes: e9c1a793210f ("tipc: add dst_cache support for udp media") syz...@sy... Signed-off-by: Hillf Danton <hd...@si...> Signed-off-by: Ying Xue <yin...@wi...> --- net/tipc/udp_media.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c index 287df687..ca3ae2e 100644 --- a/net/tipc/udp_media.c +++ b/net/tipc/udp_media.c 
@@ -224,6 +224,8 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb, struct udp_bearer *ub; int err = 0; + local_bh_disable(); + if (skb_headroom(skb) < UDP_MIN_HEADROOM) { err = pskb_expand_head(skb, UDP_MIN_HEADROOM, 0, GFP_ATOMIC); if (err) @@ -237,9 +239,12 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb, goto out; } - if (addr->broadcast != TIPC_REPLICAST_SUPPORT) - return tipc_udp_xmit(net, skb, ub, src, dst, - &ub->rcast.dst_cache); + if (addr->broadcast != TIPC_REPLICAST_SUPPORT) { + err = tipc_udp_xmit(net, skb, ub, src, dst, + &ub->rcast.dst_cache); + local_bh_enable(); + return err; + } /* Replicast, send an skb to each configured IP address */ list_for_each_entry_rcu(rcast, &ub->rcast.list, list) { @@ -259,6 +264,7 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb, err = 0; out: kfree_skb(skb); + local_bh_enable(); return err; } -- 2.7.4 |
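Review bot: The `local_bh_disable()` added at the top of tipc_udp_send_msg makes the whole function a BH-disabled region, including pskb_expand_head() and the tunnel transmit inside tipc_udp_xmit(), although the only per-cpu access the report points at is dst_cache_get() in tipc_udp_xmit(). A narrower fix is to bracket just the dst_cache_get()/dst_cache_set() use in tipc_udp_xmit() with local_bh_disable()/local_bh_enable() on every exit of that function, which keeps the critical section minimal and covers the replicast loop's per-rcast dst_cache through the same call. As written the pair is balanced on the three exits visible here (the unicast return, the loop's `goto out`, and the fall-through to `out:`), but any future early return between them would silently leave BH disabled, so at least add `/* dst_cache_get() in tipc_udp_xmit() requires a non-preemptible context */` above the disable. tipc_udp_send_msg's signature precedes the first hunk and the replicast loop body lies between the second and third hunks.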
From: Ying X. <yin...@wi...> - 2019-08-09 07:30:01
syzbot found the following memory leak: [ 68.602482][ T7130] kmemleak: 2 new suspected memory leaks (see /sys/kernel/debug/kmemleak) BUG: memory leak unreferenced object 0xffff88810df83c00 (size 512): comm "softirq", pid 0, jiffies 4294942354 (age 19.830s) hex dump (first 32 bytes): 38 1a 0d 0f 81 88 ff ff 38 1a 0d 0f 81 88 ff ff 8.......8....... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<000000009375ee42>] kmem_cache_alloc_node+0x153/0x2a0 [<000000004c563922>] __alloc_skb+0x6e/0x210 [<00000000ec87bfa1>] tipc_buf_acquire+0x2f/0x80 [<00000000d151ef84>] tipc_msg_create+0x37/0xe0 [<000000008bb437b0>] tipc_group_create_event+0xb3/0x1b0 [<00000000947b1d0f>] tipc_group_proto_rcv+0x569/0x640 [<00000000b75ab039>] tipc_sk_filter_rcv+0x9ac/0xf20 [<000000000dab7a6c>] tipc_sk_rcv+0x494/0x8a0 [<00000000023a7ddd>] tipc_node_xmit+0x196/0x1f0 [<00000000337dd9eb>] tipc_node_distr_xmit+0x7d/0x120 [<00000000b6375182>] tipc_group_delete+0xe6/0x130 [<000000000361ba2b>] tipc_sk_leave+0x57/0xb0 [<000000009df90505>] tipc_release+0x7b/0x5e0 [<000000009f3189da>] __sock_release+0x4b/0xe0 [<00000000d3568ee0>] sock_close+0x1b/0x30 [<00000000266a6215>] __fput+0xed/0x300 Reported-by: syz...@sy... Signed-off-by: Hillf Danton <hd...@si...> Signed-off-by: Ying Xue <yin...@wi...> --- net/tipc/node.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/net/tipc/node.c b/net/tipc/node.c index 7ca0190..d1852fc 100644 --- a/net/tipc/node.c +++ b/net/tipc/node.c @@ -1469,10 +1469,13 @@ int tipc_node_xmit(struct net *net, struct sk_buff_head *list, spin_unlock_bh(&le->lock); tipc_node_read_unlock(n); - if (unlikely(rc == -ENOBUFS)) + if (unlikely(rc == -ENOBUFS)) { tipc_node_link_down(n, bearer_id, false); - else + skb_queue_purge(list); + skb_queue_purge(&xmitq); + } else { tipc_bearer_xmit(net, bearer_id, &xmitq, &le->maddr); + } tipc_node_put(n); -- 2.7.4 |
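Review bot: `skb_queue_purge(&xmitq)` takes `xmitq.lock`, but xmitq is a stack-local queue in tipc_node_xmit; if it is set up with `__skb_queue_head_init()` (which does not initialise the spinlock), this locks an uninitialised spinlock and will be flagged under CONFIG_DEBUG_SPINLOCK — use `__skb_queue_purge(&xmitq);`, and likewise `__skb_queue_purge(list);` if `list` is not lock-protected, matching whatever the function's other purge paths use (they are outside the hunk). The backtrace in the description shows the skb allocated on the in_own_node/tipc_sk_rcv path of tipc_node_xmit, not under tipc_link_xmit returning -ENOBUFS, so the message should explain how this branch accounts for the reported leak. Purging `list` here also changes ownership on -ENOBUFS: a caller that previously still held the unsent skbs now gets an empty list, which deserves a comment such as `/* link is being reset; drop the unsent message rather than leak it */`. tipc_node_xmit starts and ends outside this hunk.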
From: Ying X. <yin...@wi...> - 2019-08-12 07:45:49
This series fixes two memory leaks in TIPC and one case of smp_processor_id() being called from preemptible context.
From: Ying X. <yin...@wi...> - 2019-08-12 07:44:59
syzbot found the following memory leak issue: [ 72.286706][ T7064] kmemleak: 1 new suspected memory leaks (see /sys/kernel/debug/kmemleak) BUG: memory leak unreferenced object 0xffff888122bca200 (size 128): comm "syz-executor232", pid 7065, jiffies 4294943817 (age 8.880s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 18 a2 bc 22 81 88 ff ff ...........".... backtrace: [<000000005bada299>] kmem_cache_alloc_trace+0x145/0x2c0 [<00000000e7bcdc9f>] tipc_group_create_member+0x3c/0x190 [<0000000005f56f40>] tipc_group_add_member+0x34/0x40 [<0000000044406683>] tipc_nametbl_build_group+0x9b/0xf0 [<000000009f71e803>] tipc_setsockopt+0x170/0x490 [<000000007f61cbc2>] __sys_setsockopt+0x10f/0x220 [<00000000cc630372>] __x64_sys_setsockopt+0x26/0x30 [<00000000ec30be33>] do_syscall_64+0x76/0x1a0 [<00000000271be3e6>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 Reported-by: syz...@sy... Signed-off-by: Hillf Danton <hd...@si...> Signed-off-by: Ying Xue <yin...@wi...> --- net/tipc/group.c | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/net/tipc/group.c b/net/tipc/group.c index 5f98d38..cbc540a 100644 --- a/net/tipc/group.c +++ b/net/tipc/group.c @@ -273,8 +273,8 @@ static struct tipc_member *tipc_group_find_node(struct tipc_group *grp, return NULL; } -static void tipc_group_add_to_tree(struct tipc_group *grp, - struct tipc_member *m) +struct tipc_member *tipc_group_add_to_tree(struct tipc_group *grp, + struct tipc_member *m) { u64 nkey, key = (u64)m->node << 32 | m->port; struct rb_node **n, *parent = NULL; @@ -282,7 +282,6 @@ static void tipc_group_add_to_tree(struct tipc_group *grp, n = &grp->members.rb_node; while (*n) { - tmp = container_of(*n, struct tipc_member, tree_node); parent = *n; tmp = container_of(parent, struct tipc_member, tree_node); nkey = (u64)tmp->node << 32 | tmp->port; 
@@ -291,17 +290,18 @@ static void tipc_group_add_to_tree(struct tipc_group *grp, else if (key > nkey) n = &(*n)->rb_right; else - return; + return tmp; } rb_link_node(&m->tree_node, parent, n); rb_insert_color(&m->tree_node, &grp->members); + return m; } static struct tipc_member *tipc_group_create_member(struct tipc_group *grp, u32 node, u32 port, u32 instance, int state) { - struct tipc_member *m; + struct tipc_member *m, *n; m = kzalloc(sizeof(*m), GFP_ATOMIC); if (!m) @@ -315,10 +315,14 @@ static struct tipc_member *tipc_group_create_member(struct tipc_group *grp, m->instance = instance; m->bc_acked = grp->bc_snd_nxt - 1; grp->member_cnt++; - tipc_group_add_to_tree(grp, m); - tipc_nlist_add(&grp->dests, m->node); - m->state = state; - return m; + n = tipc_group_add_to_tree(grp, m); + if (n == m) { + tipc_nlist_add(&grp->dests, m->node); + m->state = state; + } else { + kfree(m); + } + return n; } void tipc_group_add_member(struct tipc_group *grp, u32 node, -- 2.7.4 |
From: Ying X. <yin...@wi...> - 2019-08-12 07:45:05
syzbot found the following issue: [ 81.119772][ T8612] BUG: using smp_processor_id() in preemptible [00000000] code: syz-executor834/8612 [ 81.136212][ T8612] caller is dst_cache_get+0x3d/0xb0 [ 81.141450][ T8612] CPU: 0 PID: 8612 Comm: syz-executor834 Not tainted 5.2.0-rc6+ #48 [ 81.149435][ T8612] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 81.159480][ T8612] Call Trace: [ 81.162789][ T8612] dump_stack+0x172/0x1f0 [ 81.167123][ T8612] debug_smp_processor_id+0x251/0x280 [ 81.172479][ T8612] dst_cache_get+0x3d/0xb0 [ 81.176928][ T8612] tipc_udp_xmit.isra.0+0xc4/0xb80 [ 81.182046][ T8612] ? kasan_kmalloc+0x9/0x10 [ 81.186531][ T8612] ? tipc_udp_addr2str+0x170/0x170 [ 81.191641][ T8612] ? __copy_skb_header+0x2e8/0x560 [ 81.196750][ T8612] ? __skb_checksum_complete+0x3f0/0x3f0 [ 81.202364][ T8612] ? netdev_alloc_frag+0x1b0/0x1b0 [ 81.207452][ T8612] ? skb_copy_header+0x21/0x2b0 [ 81.212282][ T8612] ? __pskb_copy_fclone+0x516/0xc90 [ 81.217470][ T8612] tipc_udp_send_msg+0x29a/0x4b0 [ 81.222400][ T8612] tipc_bearer_xmit_skb+0x16c/0x360 [ 81.227585][ T8612] tipc_enable_bearer+0xabe/0xd20 [ 81.232606][ T8612] ? __nla_validate_parse+0x2d0/0x1ee0 [ 81.238048][ T8612] ? tipc_bearer_xmit_skb+0x360/0x360 [ 81.243401][ T8612] ? nla_memcpy+0xb0/0xb0 [ 81.247710][ T8612] ? nla_memcpy+0xb0/0xb0 [ 81.252020][ T8612] ? __nla_parse+0x43/0x60 [ 81.256417][ T8612] __tipc_nl_bearer_enable+0x2de/0x3a0 [ 81.261856][ T8612] ? __tipc_nl_bearer_enable+0x2de/0x3a0 [ 81.267467][ T8612] ? tipc_nl_bearer_disable+0x40/0x40 [ 81.272848][ T8612] ? unwind_get_return_address+0x58/0xa0 [ 81.278501][ T8612] ? lock_acquire+0x16f/0x3f0 [ 81.283190][ T8612] tipc_nl_bearer_enable+0x23/0x40 [ 81.288300][ T8612] genl_family_rcv_msg+0x74b/0xf90 [ 81.293404][ T8612] ? genl_unregister_family+0x790/0x790 [ 81.298935][ T8612] ? __lock_acquire+0x54f/0x5490 [ 81.303852][ T8612] ? 
__netlink_lookup+0x3fa/0x7b0 [ 81.308865][ T8612] genl_rcv_msg+0xca/0x16c [ 81.313266][ T8612] netlink_rcv_skb+0x177/0x450 [ 81.318043][ T8612] ? genl_family_rcv_msg+0xf90/0xf90 [ 81.323311][ T8612] ? netlink_ack+0xb50/0xb50 [ 81.327906][ T8612] ? lock_acquire+0x16f/0x3f0 [ 81.332589][ T8612] ? kasan_check_write+0x14/0x20 [ 81.337511][ T8612] genl_rcv+0x29/0x40 [ 81.341485][ T8612] netlink_unicast+0x531/0x710 [ 81.346268][ T8612] ? netlink_attachskb+0x770/0x770 [ 81.351374][ T8612] ? _copy_from_iter_full+0x25d/0x8c0 [ 81.356765][ T8612] ? __sanitizer_cov_trace_cmp8+0x18/0x20 [ 81.362479][ T8612] ? __check_object_size+0x3d/0x42f [ 81.367667][ T8612] netlink_sendmsg+0x8ae/0xd70 [ 81.372415][ T8612] ? netlink_unicast+0x710/0x710 [ 81.377520][ T8612] ? aa_sock_msg_perm.isra.0+0xba/0x170 [ 81.383051][ T8612] ? apparmor_socket_sendmsg+0x2a/0x30 [ 81.388530][ T8612] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 81.394775][ T8612] ? security_socket_sendmsg+0x8d/0xc0 [ 81.400240][ T8612] ? netlink_unicast+0x710/0x710 [ 81.405161][ T8612] sock_sendmsg+0xd7/0x130 [ 81.409561][ T8612] ___sys_sendmsg+0x803/0x920 [ 81.414220][ T8612] ? copy_msghdr_from_user+0x430/0x430 [ 81.419667][ T8612] ? _raw_spin_unlock_irqrestore+0x6b/0xe0 [ 81.425461][ T8612] ? debug_object_active_state+0x25d/0x380 [ 81.431255][ T8612] ? __lock_acquire+0x54f/0x5490 [ 81.436174][ T8612] ? kasan_check_read+0x11/0x20 [ 81.441208][ T8612] ? _raw_spin_unlock_irqrestore+0xa4/0xe0 [ 81.447008][ T8612] ? mark_held_locks+0xf0/0xf0 [ 81.451768][ T8612] ? __call_rcu.constprop.0+0x28b/0x720 [ 81.457298][ T8612] ? call_rcu+0xb/0x10 [ 81.461353][ T8612] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 81.467589][ T8612] ? __fget_light+0x1a9/0x230 [ 81.472249][ T8612] ? __fdget+0x1b/0x20 [ 81.476301][ T8612] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 81.482545][ T8612] __sys_sendmsg+0x105/0x1d0 [ 81.487115][ T8612] ? __ia32_sys_shutdown+0x80/0x80 [ 81.492208][ T8612] ? 
blkcg_maybe_throttle_current+0x5e2/0xfb0 [ 81.498272][ T8612] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 81.503726][ T8612] ? do_syscall_64+0x26/0x680 [ 81.508385][ T8612] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 81.514444][ T8612] ? do_syscall_64+0x26/0x680 [ 81.519110][ T8612] __x64_sys_sendmsg+0x78/0xb0 [ 81.523862][ T8612] do_syscall_64+0xfd/0x680 [ 81.528352][ T8612] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 81.534234][ T8612] RIP: 0033:0x444679 [ 81.538114][ T8612] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 1b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 81.557709][ T8612] RSP: 002b:00007fff0201a8b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 81.566147][ T8612] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000444679 [ 81.574108][ T8612] RDX: 0000000000000000 RSI: 0000000020000580 RDI: 0000000000000003 [ 81.582152][ T8612] RBP: 00000000006cf018 R08: 0000000000000001 R09: 00000000004002e0 [ 81.590113][ T8612] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000402320 [ 81.598089][ T8612] R13: 00000000004023b0 R14: 0000000000000000 R15: 0000000000 In commit e9c1a793210f ("tipc: add dst_cache support for udp media") dst_cache_get() was introduced to be called in tipc_udp_xmit(). But smp_processor_id() called by dst_cache_get() cannot be invoked in preemptible context, as a result, the complaint above was reported. Fixes: e9c1a793210f ("tipc: add dst_cache support for udp media") Reported-by: syz...@sy... Signed-off-by: Hillf Danton <hd...@si...> Signed-off-by: Ying Xue <yin...@wi...> --- net/tipc/udp_media.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c index 287df687..ca3ae2e 100644 --- a/net/tipc/udp_media.c +++ b/net/tipc/udp_media.c 
@@ -224,6 +224,8 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb, struct udp_bearer *ub; int err = 0; + local_bh_disable(); + if (skb_headroom(skb) < UDP_MIN_HEADROOM) { err = pskb_expand_head(skb, UDP_MIN_HEADROOM, 0, GFP_ATOMIC); if (err) @@ -237,9 +239,12 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb, goto out; } - if (addr->broadcast != TIPC_REPLICAST_SUPPORT) - return tipc_udp_xmit(net, skb, ub, src, dst, - &ub->rcast.dst_cache); + if (addr->broadcast != TIPC_REPLICAST_SUPPORT) { + err = tipc_udp_xmit(net, skb, ub, src, dst, + &ub->rcast.dst_cache); + local_bh_enable(); + return err; + } /* Replicast, send an skb to each configured IP address */ list_for_each_entry_rcu(rcast, &ub->rcast.list, list) { @@ -259,6 +264,7 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb, err = 0; out: kfree_skb(skb); + local_bh_enable(); return err; } -- 2.7.4 |
From: Ying X. <yin...@wi...> - 2019-08-12 07:45:46
syzbot found the following memory leak: [ 68.602482][ T7130] kmemleak: 2 new suspected memory leaks (see /sys/kernel/debug/kmemleak) BUG: memory leak unreferenced object 0xffff88810df83c00 (size 512): comm "softirq", pid 0, jiffies 4294942354 (age 19.830s) hex dump (first 32 bytes): 38 1a 0d 0f 81 88 ff ff 38 1a 0d 0f 81 88 ff ff 8.......8....... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<000000009375ee42>] kmem_cache_alloc_node+0x153/0x2a0 [<000000004c563922>] __alloc_skb+0x6e/0x210 [<00000000ec87bfa1>] tipc_buf_acquire+0x2f/0x80 [<00000000d151ef84>] tipc_msg_create+0x37/0xe0 [<000000008bb437b0>] tipc_group_create_event+0xb3/0x1b0 [<00000000947b1d0f>] tipc_group_proto_rcv+0x569/0x640 [<00000000b75ab039>] tipc_sk_filter_rcv+0x9ac/0xf20 [<000000000dab7a6c>] tipc_sk_rcv+0x494/0x8a0 [<00000000023a7ddd>] tipc_node_xmit+0x196/0x1f0 [<00000000337dd9eb>] tipc_node_distr_xmit+0x7d/0x120 [<00000000b6375182>] tipc_group_delete+0xe6/0x130 [<000000000361ba2b>] tipc_sk_leave+0x57/0xb0 [<000000009df90505>] tipc_release+0x7b/0x5e0 [<000000009f3189da>] __sock_release+0x4b/0xe0 [<00000000d3568ee0>] sock_close+0x1b/0x30 [<00000000266a6215>] __fput+0xed/0x300 Reported-by: syz...@sy... Signed-off-by: Hillf Danton <hd...@si...> Signed-off-by: Ying Xue <yin...@wi...> --- net/tipc/node.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/net/tipc/node.c b/net/tipc/node.c index 7ca0190..d1852fc 100644 --- a/net/tipc/node.c +++ b/net/tipc/node.c @@ -1469,10 +1469,13 @@ int tipc_node_xmit(struct net *net, struct sk_buff_head *list, spin_unlock_bh(&le->lock); tipc_node_read_unlock(n); - if (unlikely(rc == -ENOBUFS)) + if (unlikely(rc == -ENOBUFS)) { tipc_node_link_down(n, bearer_id, false); - else + skb_queue_purge(list); + skb_queue_purge(&xmitq); + } else { tipc_bearer_xmit(net, bearer_id, &xmitq, &le->maddr); + } tipc_node_put(n); -- 2.7.4 |
From: David M. <da...@da...> - 2019-08-12 15:25:46
From: Ying Xue <yin...@wi...> Date: Mon, 12 Aug 2019 15:32:39 +0800 > Ying Xue (3): > tipc: fix memory leak issue > tipc: fix memory leak issue Please make the subject lines for these two patches unique. Perhaps mention what part of the tipc code has the memory leak you are fixing. Thanks. |
From: Xin L. <luc...@gm...> - 2020-02-20 20:11:04
On Wed, Feb 19, 2020 at 4:34 PM Dmitry Vyukov <dv...@go...> wrote: > > On Wed, Feb 19, 2020 at 9:29 AM Dmitry Vyukov <dv...@go...> wrote: > > > > On Mon, Aug 12, 2019 at 9:44 AM Ying Xue <yin...@wi...> wrote: > > > > > > syzbot found the following issue: > > > > > > [ 81.119772][ T8612] BUG: using smp_processor_id() in preemptible [00000000] code: syz-executor834/8612 > > > [ 81.136212][ T8612] caller is dst_cache_get+0x3d/0xb0 > > > [ 81.141450][ T8612] CPU: 0 PID: 8612 Comm: syz-executor834 Not tainted 5.2.0-rc6+ #48 > > > [ 81.149435][ T8612] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 > > > [ 81.159480][ T8612] Call Trace: > > > [ 81.162789][ T8612] dump_stack+0x172/0x1f0 > > > [ 81.167123][ T8612] debug_smp_processor_id+0x251/0x280 > > > [ 81.172479][ T8612] dst_cache_get+0x3d/0xb0 > > > [ 81.176928][ T8612] tipc_udp_xmit.isra.0+0xc4/0xb80 > > > [ 81.182046][ T8612] ? kasan_kmalloc+0x9/0x10 > > > [ 81.186531][ T8612] ? tipc_udp_addr2str+0x170/0x170 > > > [ 81.191641][ T8612] ? __copy_skb_header+0x2e8/0x560 > > > [ 81.196750][ T8612] ? __skb_checksum_complete+0x3f0/0x3f0 > > > [ 81.202364][ T8612] ? netdev_alloc_frag+0x1b0/0x1b0 > > > [ 81.207452][ T8612] ? skb_copy_header+0x21/0x2b0 > > > [ 81.212282][ T8612] ? __pskb_copy_fclone+0x516/0xc90 > > > [ 81.217470][ T8612] tipc_udp_send_msg+0x29a/0x4b0 In tipc_bearer_xmit_skb(), b->media->send_msg()/tipc_udp_send_msg() is called under rcu_read_lock(), which is already ensure it's a non-preemptible context. What I saw here is imbalance rcu_read_(un)lock() call somewhere. > > > [ 81.222400][ T8612] tipc_bearer_xmit_skb+0x16c/0x360 > > > [ 81.227585][ T8612] tipc_enable_bearer+0xabe/0xd20 > > > [ 81.232606][ T8612] ? __nla_validate_parse+0x2d0/0x1ee0 > > > [ 81.238048][ T8612] ? tipc_bearer_xmit_skb+0x360/0x360 > > > [ 81.243401][ T8612] ? nla_memcpy+0xb0/0xb0 > > > [ 81.247710][ T8612] ? nla_memcpy+0xb0/0xb0 > > > [ 81.252020][ T8612] ? 
__nla_parse+0x43/0x60 > > > [ 81.256417][ T8612] __tipc_nl_bearer_enable+0x2de/0x3a0 > > > [ 81.261856][ T8612] ? __tipc_nl_bearer_enable+0x2de/0x3a0 > > > [ 81.267467][ T8612] ? tipc_nl_bearer_disable+0x40/0x40 > > > [ 81.272848][ T8612] ? unwind_get_return_address+0x58/0xa0 > > > [ 81.278501][ T8612] ? lock_acquire+0x16f/0x3f0 > > > [ 81.283190][ T8612] tipc_nl_bearer_enable+0x23/0x40 > > > [ 81.288300][ T8612] genl_family_rcv_msg+0x74b/0xf90 > > > [ 81.293404][ T8612] ? genl_unregister_family+0x790/0x790 > > > [ 81.298935][ T8612] ? __lock_acquire+0x54f/0x5490 > > > [ 81.303852][ T8612] ? __netlink_lookup+0x3fa/0x7b0 > > > [ 81.308865][ T8612] genl_rcv_msg+0xca/0x16c > > > [ 81.313266][ T8612] netlink_rcv_skb+0x177/0x450 > > > [ 81.318043][ T8612] ? genl_family_rcv_msg+0xf90/0xf90 > > > [ 81.323311][ T8612] ? netlink_ack+0xb50/0xb50 > > > [ 81.327906][ T8612] ? lock_acquire+0x16f/0x3f0 > > > [ 81.332589][ T8612] ? kasan_check_write+0x14/0x20 > > > [ 81.337511][ T8612] genl_rcv+0x29/0x40 > > > [ 81.341485][ T8612] netlink_unicast+0x531/0x710 > > > [ 81.346268][ T8612] ? netlink_attachskb+0x770/0x770 > > > [ 81.351374][ T8612] ? _copy_from_iter_full+0x25d/0x8c0 > > > [ 81.356765][ T8612] ? __sanitizer_cov_trace_cmp8+0x18/0x20 > > > [ 81.362479][ T8612] ? __check_object_size+0x3d/0x42f > > > [ 81.367667][ T8612] netlink_sendmsg+0x8ae/0xd70 > > > [ 81.372415][ T8612] ? netlink_unicast+0x710/0x710 > > > [ 81.377520][ T8612] ? aa_sock_msg_perm.isra.0+0xba/0x170 > > > [ 81.383051][ T8612] ? apparmor_socket_sendmsg+0x2a/0x30 > > > [ 81.388530][ T8612] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 > > > [ 81.394775][ T8612] ? security_socket_sendmsg+0x8d/0xc0 > > > [ 81.400240][ T8612] ? netlink_unicast+0x710/0x710 > > > [ 81.405161][ T8612] sock_sendmsg+0xd7/0x130 > > > [ 81.409561][ T8612] ___sys_sendmsg+0x803/0x920 > > > [ 81.414220][ T8612] ? copy_msghdr_from_user+0x430/0x430 > > > [ 81.419667][ T8612] ? 
_raw_spin_unlock_irqrestore+0x6b/0xe0 > > > [ 81.425461][ T8612] ? debug_object_active_state+0x25d/0x380 > > > [ 81.431255][ T8612] ? __lock_acquire+0x54f/0x5490 > > > [ 81.436174][ T8612] ? kasan_check_read+0x11/0x20 > > > [ 81.441208][ T8612] ? _raw_spin_unlock_irqrestore+0xa4/0xe0 > > > [ 81.447008][ T8612] ? mark_held_locks+0xf0/0xf0 > > > [ 81.451768][ T8612] ? __call_rcu.constprop.0+0x28b/0x720 > > > [ 81.457298][ T8612] ? call_rcu+0xb/0x10 > > > [ 81.461353][ T8612] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 > > > [ 81.467589][ T8612] ? __fget_light+0x1a9/0x230 > > > [ 81.472249][ T8612] ? __fdget+0x1b/0x20 > > > [ 81.476301][ T8612] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 > > > [ 81.482545][ T8612] __sys_sendmsg+0x105/0x1d0 > > > [ 81.487115][ T8612] ? __ia32_sys_shutdown+0x80/0x80 > > > [ 81.492208][ T8612] ? blkcg_maybe_throttle_current+0x5e2/0xfb0 > > > [ 81.498272][ T8612] ? trace_hardirqs_on_thunk+0x1a/0x1c > > > [ 81.503726][ T8612] ? do_syscall_64+0x26/0x680 > > > [ 81.508385][ T8612] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe > > > [ 81.514444][ T8612] ? 
do_syscall_64+0x26/0x680 > > > [ 81.519110][ T8612] __x64_sys_sendmsg+0x78/0xb0 > > > [ 81.523862][ T8612] do_syscall_64+0xfd/0x680 > > > [ 81.528352][ T8612] entry_SYSCALL_64_after_hwframe+0x49/0xbe > > > [ 81.534234][ T8612] RIP: 0033:0x444679 > > > [ 81.538114][ T8612] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 1b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 > > > [ 81.557709][ T8612] RSP: 002b:00007fff0201a8b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e > > > [ 81.566147][ T8612] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000444679 > > > [ 81.574108][ T8612] RDX: 0000000000000000 RSI: 0000000020000580 RDI: 0000000000000003 > > > [ 81.582152][ T8612] RBP: 00000000006cf018 R08: 0000000000000001 R09: 00000000004002e0 > > > [ 81.590113][ T8612] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000402320 > > > [ 81.598089][ T8612] R13: 00000000004023b0 R14: 0000000000000000 R15: 0000000000 > > > > > > In commit e9c1a793210f ("tipc: add dst_cache support for udp media") > > > dst_cache_get() was introduced to be called in tipc_udp_xmit(). But > > > smp_processor_id() called by dst_cache_get() cannot be invoked in > > > preemptible context, as a result, the complaint above was reported. > > > > > > Fixes: e9c1a793210f ("tipc: add dst_cache support for udp media") > > > Reported-by: syz...@sy... > > > Signed-off-by: Hillf Danton <hd...@si...> 
> > > Signed-off-by: Ying Xue <yin...@wi...> > > > > Hi, > > > > Was this ever merged? > > The bug is still open, alive and kicking: > > https://syzkaller.appspot.com/bug?extid=1a68504d96cd17b33a05 > > > > and one of the top crashers currently. > > Along with few other top crashers, these bugs prevent most of the > > other kernel testing from happening. > > /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\ > > +jmaloy new email address > > > > --- > > > net/tipc/udp_media.c | 12 +++++++++--- > > > 1 file changed, 9 insertions(+), 3 deletions(-) > > > > > > diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c > > > index 287df687..ca3ae2e 100644 > > > --- a/net/tipc/udp_media.c > > > +++ b/net/tipc/udp_media.c > > > @@ -224,6 +224,8 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb, > > > struct udp_bearer *ub; > > > int err = 0; > > > > > > + local_bh_disable(); > > > + > > > if (skb_headroom(skb) < UDP_MIN_HEADROOM) { > > > err = pskb_expand_head(skb, UDP_MIN_HEADROOM, 0, GFP_ATOMIC); > > > if (err) > > > @@ -237,9 +239,12 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb, > > > goto out; > > > } > > > > > > - if (addr->broadcast != TIPC_REPLICAST_SUPPORT) > > > - return tipc_udp_xmit(net, skb, ub, src, dst, > > > - &ub->rcast.dst_cache); > > > + if (addr->broadcast != TIPC_REPLICAST_SUPPORT) { > > > + err = tipc_udp_xmit(net, skb, ub, src, dst, > > > + &ub->rcast.dst_cache); > > > + local_bh_enable(); > > > + return err; > > > + } > > > > > > /* Replicast, send an skb to each configured IP address */ > > > list_for_each_entry_rcu(rcast, &ub->rcast.list, list) { 
> > > @@ -259,6 +264,7 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb, > > > err = 0; > > > out: > > > kfree_skb(skb); > > > + local_bh_enable(); > > > return err; > > > } > > > > > > -- > > > 2.7.4 > > > > > > -- > > > You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group. > > > To unsubscribe from this group and stop receiving emails from it, send an email to syz...@go.... > > > To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/1565595162-1383-4-git-send-email-ying.xue%40windriver.com. |
From: Jon M. <jm...@re...> - 2020-03-18 14:28:10
On 2/20/20 10:44 AM, Xin Long wrote: > On Wed, Feb 19, 2020 at 4:34 PM Dmitry Vyukov <dv...@go...> wrote: >> On Wed, Feb 19, 2020 at 9:29 AM Dmitry Vyukov <dv...@go...> wrote: >>> On Mon, Aug 12, 2019 at 9:44 AM Ying Xue <yin...@wi...> wrote: >>>> syzbot found the following issue: >>>> >>>> [ 81.119772][ T8612] BUG: using smp_processor_id() in preemptible [00000000] code: syz-executor834/8612 >>>> [ 81.136212][ T8612] caller is dst_cache_get+0x3d/0xb0 >>>> [ 81.141450][ T8612] CPU: 0 PID: 8612 Comm: syz-executor834 Not tainted 5.2.0-rc6+ #48 [...] >>>> Fixes: e9c1a793210f ("tipc: add dst_cache support for udp media") >>>> Reported-by: syz...@sy... >>>> Signed-off-by: Hillf Danton <hd...@si...> >>>> Signed-off-by: Ying Xue <yin...@wi...> >>> Hi, >>> >>> Was this ever merged? >>> The bug is still open, alive and kicking: >>> https://syzkaller.appspot.com/bug?extid=1a68504d96cd17b33a05 >>> >>> and one of the top crashers currently. >>> Along with few other top crashers, these bugs prevent most of the >>> other kernel testing from happening. >> /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\ >> >> +jmaloy new email address Acked-by: Jon Maloy <jm...@re...> >> >>>> --- >>>> net/tipc/udp_media.c | 12 +++++++++--- >>>> 1 file changed, 9 insertions(+), 3 deletions(-) >>>> >>>> diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c >>>> index 287df687..ca3ae2e 100644 >>>> --- a/net/tipc/udp_media.c >>>> +++ b/net/tipc/udp_media.c >>>> @@ -224,6 +224,8 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb, >>>> struct udp_bearer *ub; >>>> int err = 0; >>>> >>>> + local_bh_disable(); >>>> + >>>> if (skb_headroom(skb) < UDP_MIN_HEADROOM) { >>>> err = pskb_expand_head(skb, UDP_MIN_HEADROOM, 0, GFP_ATOMIC); >>>> if (err) 
>>>> @@ -237,9 +239,12 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb, >>>> goto out; >>>> } >>>> >>>> - if (addr->broadcast != TIPC_REPLICAST_SUPPORT) >>>> - return tipc_udp_xmit(net, skb, ub, src, dst, >>>> - &ub->rcast.dst_cache); >>>> + if (addr->broadcast != TIPC_REPLICAST_SUPPORT) { >>>> + err = tipc_udp_xmit(net, skb, ub, src, dst, >>>> + &ub->rcast.dst_cache); >>>> + local_bh_enable(); >>>> + return err; >>>> + } >>>> >>>> /* Replicast, send an skb to each configured IP address */ >>>> list_for_each_entry_rcu(rcast, &ub->rcast.list, list) { >>>> @@ -259,6 +264,7 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb, >>>> err = 0; >>>> out: >>>> kfree_skb(skb); >>>> + local_bh_enable(); >>>> return err; >>>> } >>>> >>>> -- >>>> 2.7.4 >>>> >>>> -- >>>> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group. >>>> To unsubscribe from this group and stop receiving emails from it, send an email to syz...@go.... >>>> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/1565595162-1383-4-git-send-email-ying.xue%40windriver.com. |
From: Ying X. <yin...@wi...> - 2019-08-04 12:04:25
syzbot found the following issue: [ 81.119772][ T8612] BUG: using smp_processor_id() in preemptible [00000000] code: syz-executor834/8612 [ 81.136212][ T8612] caller is dst_cache_get+0x3d/0xb0 [ 81.141450][ T8612] CPU: 0 PID: 8612 Comm: syz-executor834 Not tainted 5.2.0-rc6+ #48 [ 81.149435][ T8612] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 81.159480][ T8612] Call Trace: [ 81.162789][ T8612] dump_stack+0x172/0x1f0 [ 81.167123][ T8612] debug_smp_processor_id+0x251/0x280 [ 81.172479][ T8612] dst_cache_get+0x3d/0xb0 [ 81.176928][ T8612] tipc_udp_xmit.isra.0+0xc4/0xb80 [ 81.182046][ T8612] ? kasan_kmalloc+0x9/0x10 [ 81.186531][ T8612] ? tipc_udp_addr2str+0x170/0x170 [ 81.191641][ T8612] ? __copy_skb_header+0x2e8/0x560 [ 81.196750][ T8612] ? __skb_checksum_complete+0x3f0/0x3f0 [ 81.202364][ T8612] ? netdev_alloc_frag+0x1b0/0x1b0 [ 81.207452][ T8612] ? skb_copy_header+0x21/0x2b0 [ 81.212282][ T8612] ? __pskb_copy_fclone+0x516/0xc90 [ 81.217470][ T8612] tipc_udp_send_msg+0x29a/0x4b0 [ 81.222400][ T8612] tipc_bearer_xmit_skb+0x16c/0x360 [ 81.227585][ T8612] tipc_enable_bearer+0xabe/0xd20 [ 81.232606][ T8612] ? __nla_validate_parse+0x2d0/0x1ee0 [ 81.238048][ T8612] ? tipc_bearer_xmit_skb+0x360/0x360 [ 81.243401][ T8612] ? nla_memcpy+0xb0/0xb0 [ 81.247710][ T8612] ? nla_memcpy+0xb0/0xb0 [ 81.252020][ T8612] ? __nla_parse+0x43/0x60 [ 81.256417][ T8612] __tipc_nl_bearer_enable+0x2de/0x3a0 [ 81.261856][ T8612] ? __tipc_nl_bearer_enable+0x2de/0x3a0 [ 81.267467][ T8612] ? tipc_nl_bearer_disable+0x40/0x40 [ 81.272848][ T8612] ? unwind_get_return_address+0x58/0xa0 [ 81.278501][ T8612] ? lock_acquire+0x16f/0x3f0 [ 81.283190][ T8612] tipc_nl_bearer_enable+0x23/0x40 [ 81.288300][ T8612] genl_family_rcv_msg+0x74b/0xf90 [ 81.293404][ T8612] ? genl_unregister_family+0x790/0x790 [ 81.298935][ T8612] ? __lock_acquire+0x54f/0x5490 [ 81.303852][ T8612] ? 
__netlink_lookup+0x3fa/0x7b0 [ 81.308865][ T8612] genl_rcv_msg+0xca/0x16c [ 81.313266][ T8612] netlink_rcv_skb+0x177/0x450 [ 81.318043][ T8612] ? genl_family_rcv_msg+0xf90/0xf90 [ 81.323311][ T8612] ? netlink_ack+0xb50/0xb50 [ 81.327906][ T8612] ? lock_acquire+0x16f/0x3f0 [ 81.332589][ T8612] ? kasan_check_write+0x14/0x20 [ 81.337511][ T8612] genl_rcv+0x29/0x40 [ 81.341485][ T8612] netlink_unicast+0x531/0x710 [ 81.346268][ T8612] ? netlink_attachskb+0x770/0x770 [ 81.351374][ T8612] ? _copy_from_iter_full+0x25d/0x8c0 [ 81.356765][ T8612] ? __sanitizer_cov_trace_cmp8+0x18/0x20 [ 81.362479][ T8612] ? __check_object_size+0x3d/0x42f [ 81.367667][ T8612] netlink_sendmsg+0x8ae/0xd70 [ 81.372415][ T8612] ? netlink_unicast+0x710/0x710 [ 81.377520][ T8612] ? aa_sock_msg_perm.isra.0+0xba/0x170 [ 81.383051][ T8612] ? apparmor_socket_sendmsg+0x2a/0x30 [ 81.388530][ T8612] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 81.394775][ T8612] ? security_socket_sendmsg+0x8d/0xc0 [ 81.400240][ T8612] ? netlink_unicast+0x710/0x710 [ 81.405161][ T8612] sock_sendmsg+0xd7/0x130 [ 81.409561][ T8612] ___sys_sendmsg+0x803/0x920 [ 81.414220][ T8612] ? copy_msghdr_from_user+0x430/0x430 [ 81.419667][ T8612] ? _raw_spin_unlock_irqrestore+0x6b/0xe0 [ 81.425461][ T8612] ? debug_object_active_state+0x25d/0x380 [ 81.431255][ T8612] ? __lock_acquire+0x54f/0x5490 [ 81.436174][ T8612] ? kasan_check_read+0x11/0x20 [ 81.441208][ T8612] ? _raw_spin_unlock_irqrestore+0xa4/0xe0 [ 81.447008][ T8612] ? mark_held_locks+0xf0/0xf0 [ 81.451768][ T8612] ? __call_rcu.constprop.0+0x28b/0x720 [ 81.457298][ T8612] ? call_rcu+0xb/0x10 [ 81.461353][ T8612] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 81.467589][ T8612] ? __fget_light+0x1a9/0x230 [ 81.472249][ T8612] ? __fdget+0x1b/0x20 [ 81.476301][ T8612] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 81.482545][ T8612] __sys_sendmsg+0x105/0x1d0 [ 81.487115][ T8612] ? __ia32_sys_shutdown+0x80/0x80 [ 81.492208][ T8612] ? 
blkcg_maybe_throttle_current+0x5e2/0xfb0 [ 81.498272][ T8612] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 81.503726][ T8612] ? do_syscall_64+0x26/0x680 [ 81.508385][ T8612] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 81.514444][ T8612] ? do_syscall_64+0x26/0x680 [ 81.519110][ T8612] __x64_sys_sendmsg+0x78/0xb0 [ 81.523862][ T8612] do_syscall_64+0xfd/0x680 [ 81.528352][ T8612] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 81.534234][ T8612] RIP: 0033:0x444679 [ 81.538114][ T8612] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 1b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 81.557709][ T8612] RSP: 002b:00007fff0201a8b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 81.566147][ T8612] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 0000000000444679 [ 81.574108][ T8612] RDX: 0000000000000000 RSI: 0000000020000580 RDI: 0000000000000003 [ 81.582152][ T8612] RBP: 00000000006cf018 R08: 0000000000000001 R09: 00000000004002e0 [ 81.590113][ T8612] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000402320 [ 81.598089][ T8612] R13: 00000000004023b0 R14: 0000000000000000 R15: 0000000000 In commit e9c1a793210f ("tipc: add dst_cache support for udp media") dst_cache_get() was introduced to be called in tipc_udp_xmit(). But smp_processor_id() called by dst_cache_get() cannot be invoked in preemptible context, as a result, the complaint above was reported. Fixes: e9c1a793210f ("tipc: add dst_cache support for udp media") syz...@sy... Signed-off-by: Hillf Danton <hd...@si...> Signed-off-by: Ying Xue <yin...@wi...> --- net/tipc/udp_media.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c index 287df687..ca3ae2e 100644 --- a/net/tipc/udp_media.c +++ b/net/tipc/udp_media.c 
@@ -224,6 +224,8 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
 	struct udp_bearer *ub;
 	int err = 0;
 
+	local_bh_disable();
+
 	if (skb_headroom(skb) < UDP_MIN_HEADROOM) {
 		err = pskb_expand_head(skb, UDP_MIN_HEADROOM, 0, GFP_ATOMIC);
 		if (err)
@@ -237,9 +239,12 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
 			goto out;
 	}
 
-	if (addr->broadcast != TIPC_REPLICAST_SUPPORT)
-		return tipc_udp_xmit(net, skb, ub, src, dst,
-				     &ub->rcast.dst_cache);
+	if (addr->broadcast != TIPC_REPLICAST_SUPPORT) {
+		err = tipc_udp_xmit(net, skb, ub, src, dst,
+				    &ub->rcast.dst_cache);
+		local_bh_enable();
+		return err;
+	}
 
 	/* Replicast, send an skb to each configured IP address */
 	list_for_each_entry_rcu(rcast, &ub->rcast.list, list) {
@@ -259,6 +264,7 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
 	err = 0;
 out:
 	kfree_skb(skb);
+	local_bh_enable();
 	return err;
 }
 
-- 
2.7.4 |
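Review bot: The BH-disabled region now spans the whole of tipc_udp_send_msg(), including the replicast loop between the second and third hunk that is not visible here; every early exit on that stretch must reach the `out:` label or call `local_bh_enable()` itself, otherwise an error path returns with softirqs still disabled. The report names dst_cache_get() inside tipc_udp_xmit() as the caller, so a narrower alternative is to disable BH only around the dst_cache accesses in tipc_udp_xmit(), which keeps the disable/enable pair in one function and avoids holding softirqs off across the whole replicast fan-out. Whichever shape is kept, the first hunk should say why BH is disabled, e.g. `/* dst_cache_get() in tipc_udp_xmit() uses per-cpu data; keep softirqs off so this task cannot migrate */`. The same hunks are quoted in the two replies earlier on this page and carry the same point; tipc_udp_send_msg() starts before the first hunk.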
From: Ying X. <yin...@wi...> - 2019-08-04 12:04:50
syzbot found the following memory leak: [ 68.602482][ T7130] kmemleak: 2 new suspected memory leaks (see /sys/kernel/debug/kmemleak) BUG: memory leak unreferenced object 0xffff88810df83c00 (size 512): comm "softirq", pid 0, jiffies 4294942354 (age 19.830s) hex dump (first 32 bytes): 38 1a 0d 0f 81 88 ff ff 38 1a 0d 0f 81 88 ff ff 8.......8....... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<000000009375ee42>] kmem_cache_alloc_node+0x153/0x2a0 [<000000004c563922>] __alloc_skb+0x6e/0x210 [<00000000ec87bfa1>] tipc_buf_acquire+0x2f/0x80 [<00000000d151ef84>] tipc_msg_create+0x37/0xe0 [<000000008bb437b0>] tipc_group_create_event+0xb3/0x1b0 [<00000000947b1d0f>] tipc_group_proto_rcv+0x569/0x640 [<00000000b75ab039>] tipc_sk_filter_rcv+0x9ac/0xf20 [<000000000dab7a6c>] tipc_sk_rcv+0x494/0x8a0 [<00000000023a7ddd>] tipc_node_xmit+0x196/0x1f0 [<00000000337dd9eb>] tipc_node_distr_xmit+0x7d/0x120 [<00000000b6375182>] tipc_group_delete+0xe6/0x130 [<000000000361ba2b>] tipc_sk_leave+0x57/0xb0 [<000000009df90505>] tipc_release+0x7b/0x5e0 [<000000009f3189da>] __sock_release+0x4b/0xe0 [<00000000d3568ee0>] sock_close+0x1b/0x30 [<00000000266a6215>] __fput+0xed/0x300 Reported-by: syz...@sy... Signed-off-by: Hillf Danton <hd...@si...> Signed-off-by: Ying Xue <yin...@wi...>
---
 net/tipc/node.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/net/tipc/node.c b/net/tipc/node.c
index 7ca0190..d1852fc 100644
--- a/net/tipc/node.c
+++ b/net/tipc/node.c
@@ -1469,10 +1469,13 @@ int tipc_node_xmit(struct net *net, struct sk_buff_head *list,
 	spin_unlock_bh(&le->lock);
 	tipc_node_read_unlock(n);
 
-	if (unlikely(rc == -ENOBUFS))
+	if (unlikely(rc == -ENOBUFS)) {
 		tipc_node_link_down(n, bearer_id, false);
-	else
+		skb_queue_purge(list);
+		skb_queue_purge(&xmitq);
+	} else {
 		tipc_bearer_xmit(net, bearer_id, &xmitq, &le->maddr);
+	}
 
 	tipc_node_put(n);
 
-- 
2.7.4 |
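Review bot: The new purge in the -ENOBUFS branch drops the caller's `list` with no statement of ownership, and the hunk does not show what tipc_link_xmit() leaves in `list` on that return code; if it already purges the list on overflow the first call is a no-op, and if other error codes deliberately leave `list` intact for a retry, this branch should say why -ENOBUFS is the exception. A short comment above the two purges would fix that, e.g. `/* Link overflow: nothing was queued on the link, so drop the caller's skbs and the protocol messages built for this attempt */`, adjusted to whatever tipc_link_xmit() actually guarantees. The commit message gives only the allocation backtrace, which appears to run through tipc_sk_rcv() called from tipc_node_xmit() rather than through the branch being changed, so it should explain how those skbs reach the -ENOBUFS path, and a Fixes: tag is missing. tipc_node_xmit() starts before and ends after the hunk.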
From: Ying X. <yin...@wi...> - 2019-08-04 12:04:51
syzbot found the following memory leak issue: [ 72.286706][ T7064] kmemleak: 1 new suspected memory leaks (see /sys/kernel/debug/kmemleak) BUG: memory leak unreferenced object 0xffff888122bca200 (size 128): comm "syz-executor232", pid 7065, jiffies 4294943817 (age 8.880s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 18 a2 bc 22 81 88 ff ff ...........".... backtrace: [<000000005bada299>] kmem_cache_alloc_trace+0x145/0x2c0 [<00000000e7bcdc9f>] tipc_group_create_member+0x3c/0x190 [<0000000005f56f40>] tipc_group_add_member+0x34/0x40 [<0000000044406683>] tipc_nametbl_build_group+0x9b/0xf0 [<000000009f71e803>] tipc_setsockopt+0x170/0x490 [<000000007f61cbc2>] __sys_setsockopt+0x10f/0x220 [<00000000cc630372>] __x64_sys_setsockopt+0x26/0x30 [<00000000ec30be33>] do_syscall_64+0x76/0x1a0 [<00000000271be3e6>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 Reported-by: syz...@sy... Signed-off-by: Hillf Danton <hd...@si...> Signed-off-by: Ying Xue <yin...@wi...>
---
 net/tipc/group.c | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/net/tipc/group.c b/net/tipc/group.c
index 5f98d38..cbc540a 100644
--- a/net/tipc/group.c
+++ b/net/tipc/group.c
@@ -273,8 +273,8 @@ static struct tipc_member *tipc_group_find_node(struct tipc_group *grp,
 	return NULL;
 }
 
-static void tipc_group_add_to_tree(struct tipc_group *grp,
-				   struct tipc_member *m)
+struct tipc_member *tipc_group_add_to_tree(struct tipc_group *grp,
+					   struct tipc_member *m)
 {
 	u64 nkey, key = (u64)m->node << 32 | m->port;
 	struct rb_node **n, *parent = NULL;
@@ -282,7 +282,6 @@ static void tipc_group_add_to_tree(struct tipc_group *grp,
 
 	n = &grp->members.rb_node;
 	while (*n) {
-		tmp = container_of(*n, struct tipc_member, tree_node);
 		parent = *n;
 		tmp = container_of(parent, struct tipc_member, tree_node);
 		nkey = (u64)tmp->node << 32 | tmp->port;
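Review bot: The first hunk drops `static` from tipc_group_add_to_tree() while changing its return type, which exports a new global symbol with no prototype in any header (a -Wmissing-prototypes warning and needless namespace pollution); `static struct tipc_member *tipc_group_add_to_tree(struct tipc_group *grp,` keeps it file-local. The function's contract also changes — it now returns the already-present member on a node/port key collision and `m` when `m` was linked into the tree — and nothing documents that, so a kernel-doc block above the definition should state the return value: m on insertion, or the existing member whose key matches, in which case m has not been inserted and the caller still owns it. tipc_group_add_to_tree() continues past the second hunk.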
@@ -291,17 +290,18 @@ static void tipc_group_add_to_tree(struct tipc_group *grp,
 		else if (key > nkey)
 			n = &(*n)->rb_right;
 		else
-			return;
+			return tmp;
 	}
 	rb_link_node(&m->tree_node, parent, n);
 	rb_insert_color(&m->tree_node, &grp->members);
+	return m;
 }
 
 static struct tipc_member *tipc_group_create_member(struct tipc_group *grp,
 						    u32 node, u32 port,
 						    u32 instance, int state)
 {
-	struct tipc_member *m;
+	struct tipc_member *m, *n;
 
 	m = kzalloc(sizeof(*m), GFP_ATOMIC);
 	if (!m)
@@ -315,10 +315,14 @@ static struct tipc_member *tipc_group_create_member(struct tipc_group *grp,
 	m->instance = instance;
 	m->bc_acked = grp->bc_snd_nxt - 1;
 	grp->member_cnt++;
-	tipc_group_add_to_tree(grp, m);
-	tipc_nlist_add(&grp->dests, m->node);
-	m->state = state;
-	return m;
+	n = tipc_group_add_to_tree(grp, m);
+	if (n == m) {
+		tipc_nlist_add(&grp->dests, m->node);
+		m->state = state;
+	} else {
+		kfree(m);
+	}
+	return n;
 }
 
 void tipc_group_add_member(struct tipc_group *grp, u32 node,
-- 
2.7.4 |
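Review bot: In the last hunk `grp->member_cnt++` runs before `tipc_group_add_to_tree()` and is not undone in the `else` branch, so every duplicate add that the new code catches leaves member_cnt incremented for a member that was never inserted; either move the increment under `if (n == m)` or add `grp->member_cnt--;` before `kfree(m);`. The duplicate path also hands back the pre-existing member without applying the `instance` and `state` the caller passed, which silently differs from the fresh-member path; if that is intended, a comment in the `else` branch should say so (`/* duplicate node/port: keep the existing member, drop the new instance/state */`), otherwise the caller has no way to learn the add was a no-op. A one-line comment where `n` is declared, such as `/* n: member actually in the tree; equals m unless the key already existed */`, would make the `n == m` test readable.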