---------- Forwarded message ---------
From: Jinho Ju <wnwlsgh98(a)gmail.com>
Date: Tue, Dec 19, 2023 at 1:58 PM
Subject: memory leak in batadv_iv_ogm_aggregate_new
To: <security(a)kernel.org>
Hello, I am Jinho Ju, and I am studying kernel security in Korea.
A "memory leak in batadv_iv_ogm_aggregate_new" was reported by Syzkaller
targeting 6.7-rc6 on December 19, 2023 at 02:03.
The environment in which this bug was detected is as follows.
Syzkaller version: 3222d10c
Kernel version: Linux kernel 6.7-rc6
The report provided by Syzkaller is as follows.
============================================================================================================
Syzkaller hit 'memory leak in batadv_iv_ogm_aggregate_new' bug.
BUG: memory leak
unreferenced object 0xffff8881104a6640 (size 240):
  comm "kworker/u4:3", pid 9303, jiffies 4295071144 (age 12.160s)
  hex dump (first 32 bytes):
    00 64 54 0a 81 88 ff ff 57 24 00 00 ee 04 0c 07  .dT.....W$......
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff81daae1e>] kmemleak_alloc_recursive include/linux/kmemleak.h:42 [inline]
    [<ffffffff81daae1e>] slab_post_alloc_hook mm/slab.h:766 [inline]
    [<ffffffff81daae1e>] slab_alloc_node mm/slab.c:3237 [inline]
    [<ffffffff81daae1e>] kmem_cache_alloc_node+0x20e/0x510 mm/slab.c:3509
    [<ffffffff885623ba>] __alloc_skb+0x28a/0x330 net/core/skbuff.c:641
    [<ffffffff8856d704>] __netdev_alloc_skb+0x74/0x400 net/core/skbuff.c:715
    [<ffffffff8a2bf706>] __netdev_alloc_skb_ip_align include/linux/skbuff.h:3245 [inline]
    [<ffffffff8a2bf706>] netdev_alloc_skb_ip_align include/linux/skbuff.h:3255 [inline]
    [<ffffffff8a2bf706>] batadv_iv_ogm_aggregate_new+0x106/0x4b0 net/batman-adv/bat_iv_ogm.c:558
    [<ffffffff8a2c55b3>] batadv_iv_ogm_queue_add net/batman-adv/bat_iv_ogm.c:670 [inline]
    [<ffffffff8a2c55b3>] batadv_iv_ogm_schedule_buff+0x983/0x14b0 net/batman-adv/bat_iv_ogm.c:833
    [<ffffffff8a2c6413>] batadv_iv_ogm_schedule net/batman-adv/bat_iv_ogm.c:868 [inline]
    [<ffffffff8a2c6413>] batadv_iv_ogm_schedule net/batman-adv/bat_iv_ogm.c:861 [inline]
    [<ffffffff8a2c6413>] batadv_iv_send_outstanding_bat_ogm_packet+0x333/0x930 net/batman-adv/bat_iv_ogm.c:1712
    [<ffffffff8154b0c8>] process_one_work+0x878/0x15c0 kernel/workqueue.c:2627
    [<ffffffff8154c665>] process_scheduled_works kernel/workqueue.c:2700 [inline]
    [<ffffffff8154c665>] worker_thread+0x855/0x1200 kernel/workqueue.c:2781
    [<ffffffff8156bf0c>] kthread+0x2cc/0x3b0 kernel/kthread.c:388
    [<ffffffff812fb685>] ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
    [<ffffffff81004b71>] ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
BUG: memory leak
unreferenced object 0xffff888109b6c800 (size 1024):
  comm "kworker/u4:3", pid 9303, jiffies 4295071144 (age 12.170s)
  hex dump (first 32 bytes):
    40 66 4a 10 81 88 ff ff 57 24 00 00 ee 04 03 07  @fJ.....W$......
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff81dacac3>] kmemleak_alloc_recursive include/linux/kmemleak.h:42 [inline]
    [<ffffffff81dacac3>] slab_post_alloc_hook mm/slab.h:766 [inline]
    [<ffffffff81dacac3>] slab_alloc_node mm/slab.c:3237 [inline]
    [<ffffffff81dacac3>] __kmem_cache_alloc_node+0x1e3/0x4c0 mm/slab.c:3521
    [<ffffffff81c12d0e>] __do_kmalloc_node mm/slab_common.c:1006 [inline]
    [<ffffffff81c12d0e>] __kmalloc_node_track_caller+0x4e/0xd0 mm/slab_common.c:1027
    [<ffffffff8855979d>] kmalloc_reserve+0xed/0x260 net/core/skbuff.c:582
    [<ffffffff88562259>] __alloc_skb+0x129/0x330 net/core/skbuff.c:651
    [<ffffffff8856d704>] __netdev_alloc_skb+0x74/0x400 net/core/skbuff.c:715
    [<ffffffff8a2bf706>] __netdev_alloc_skb_ip_align include/linux/skbuff.h:3245 [inline]
    [<ffffffff8a2bf706>] netdev_alloc_skb_ip_align include/linux/skbuff.h:3255 [inline]
    [<ffffffff8a2bf706>] batadv_iv_ogm_aggregate_new+0x106/0x4b0 net/batman-adv/bat_iv_ogm.c:558
    [<ffffffff8a2c55b3>] batadv_iv_ogm_queue_add net/batman-adv/bat_iv_ogm.c:670 [inline]
    [<ffffffff8a2c55b3>] batadv_iv_ogm_schedule_buff+0x983/0x14b0 net/batman-adv/bat_iv_ogm.c:833
    [<ffffffff8a2c6413>] batadv_iv_ogm_schedule net/batman-adv/bat_iv_ogm.c:868 [inline]
    [<ffffffff8a2c6413>] batadv_iv_ogm_schedule net/batman-adv/bat_iv_ogm.c:861 [inline]
    [<ffffffff8a2c6413>] batadv_iv_send_outstanding_bat_ogm_packet+0x333/0x930 net/batman-adv/bat_iv_ogm.c:1712
    [<ffffffff8154b0c8>] process_one_work+0x878/0x15c0 kernel/workqueue.c:2627
    [<ffffffff8154c665>] process_scheduled_works kernel/workqueue.c:2700 [inline]
    [<ffffffff8154c665>] worker_thread+0x855/0x1200 kernel/workqueue.c:2781
    [<ffffffff8156bf0c>] kthread+0x2cc/0x3b0 kernel/kthread.c:388
    [<ffffffff812fb685>] ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
    [<ffffffff81004b71>] ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
BUG: memory leak
unreferenced object 0xffff88810a546400 (size 512):
  comm "kworker/u4:3", pid 9303, jiffies 4295071144 (age 12.170s)
  hex dump (first 32 bytes):
    18 41 68 12 81 88 ff ff 57 24 00 00 ee 04 15 07  .Ah.....W$......
    00 00 00 00 00 00 00 00 10 64 54 0a 81 88 ff ff  .........dT.....
  backtrace:
    [<ffffffff81dacac3>] kmemleak_alloc_recursive include/linux/kmemleak.h:42 [inline]
    [<ffffffff81dacac3>] slab_post_alloc_hook mm/slab.h:766 [inline]
    [<ffffffff81dacac3>] slab_alloc_node mm/slab.c:3237 [inline]
    [<ffffffff81dacac3>] __kmem_cache_alloc_node+0x1e3/0x4c0 mm/slab.c:3521
    [<ffffffff81c12436>] kmalloc_trace+0x26/0x60 mm/slab_common.c:1098
    [<ffffffff8a32b710>] kmalloc include/linux/slab.h:600 [inline]
    [<ffffffff8a32b710>] batadv_forw_packet_alloc+0x3b0/0x4d0 net/batman-adv/send.c:519
    [<ffffffff8a2bf734>] batadv_iv_ogm_aggregate_new+0x134/0x4b0 net/batman-adv/bat_iv_ogm.c:562
    [<ffffffff8a2c55b3>] batadv_iv_ogm_queue_add net/batman-adv/bat_iv_ogm.c:670 [inline]
    [<ffffffff8a2c55b3>] batadv_iv_ogm_schedule_buff+0x983/0x14b0 net/batman-adv/bat_iv_ogm.c:833
    [<ffffffff8a2c6413>] batadv_iv_ogm_schedule net/batman-adv/bat_iv_ogm.c:868 [inline]
    [<ffffffff8a2c6413>] batadv_iv_ogm_schedule net/batman-adv/bat_iv_ogm.c:861 [inline]
    [<ffffffff8a2c6413>] batadv_iv_send_outstanding_bat_ogm_packet+0x333/0x930 net/batman-adv/bat_iv_ogm.c:1712
    [<ffffffff8154b0c8>] process_one_work+0x878/0x15c0 kernel/workqueue.c:2627
    [<ffffffff8154c665>] process_scheduled_works kernel/workqueue.c:2700 [inline]
    [<ffffffff8154c665>] worker_thread+0x855/0x1200 kernel/workqueue.c:2781
    [<ffffffff8156bf0c>] kthread+0x2cc/0x3b0 kernel/kthread.c:388
    [<ffffffff812fb685>] ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
    [<ffffffff81004b71>] ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
BUG: memory leak
unreferenced object 0xffff88801c47d580 (size 240):
  comm "kworker/u4:3", pid 9303, jiffies 4295071249 (age 11.120s)
  hex dump (first 32 bytes):
    00 c8 b6 09 81 88 ff ff 57 24 00 00 44 05 d7 06  ........W$..D...
    00 e0 ee 06 81 88 ff ff 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff81daaac5>] kmemleak_alloc_recursive include/linux/kmemleak.h:42 [inline]
    [<ffffffff81daaac5>] slab_post_alloc_hook mm/slab.h:766 [inline]
    [<ffffffff81daaac5>] slab_alloc_node mm/slab.c:3237 [inline]
    [<ffffffff81daaac5>] slab_alloc mm/slab.c:3246 [inline]
    [<ffffffff81daaac5>] __kmem_cache_alloc_lru mm/slab.c:3423 [inline]
    [<ffffffff81daaac5>] kmem_cache_alloc+0x295/0x3e0 mm/slab.c:3432
    [<ffffffff88573455>] skb_clone+0x145/0x3d0 net/core/skbuff.c:1916
    [<ffffffff8a2c661d>] batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:387 [inline]
    [<ffffffff8a2c661d>] batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:420 [inline]
    [<ffffffff8a2c661d>] batadv_iv_send_outstanding_bat_ogm_packet+0x53d/0x930 net/batman-adv/bat_iv_ogm.c:1700
    [<ffffffff8154b0c8>] process_one_work+0x878/0x15c0 kernel/workqueue.c:2627
    [<ffffffff8154c665>] process_scheduled_works kernel/workqueue.c:2700 [inline]
    [<ffffffff8154c665>] worker_thread+0x855/0x1200 kernel/workqueue.c:2781
    [<ffffffff8156bf0c>] kthread+0x2cc/0x3b0 kernel/kthread.c:388
    [<ffffffff812fb685>] ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
    [<ffffffff81004b71>] ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
BUG: memory leak
unreferenced object 0xffff88810f01b480 (size 240):
  comm "softirq", pid 0, jiffies 4295071837 (age 10.950s)
  hex dump (first 32 bytes):
    80 86 e7 17 81 88 ff ff 00 00 00 00 67 05 9c 06  ............g...
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff81daae1e>] kmemleak_alloc_recursive include/linux/kmemleak.h:42 [inline]
    [<ffffffff81daae1e>] slab_post_alloc_hook mm/slab.h:766 [inline]
    [<ffffffff81daae1e>] slab_alloc_node mm/slab.c:3237 [inline]
    [<ffffffff81daae1e>] kmem_cache_alloc_node+0x20e/0x510 mm/slab.c:3509
    [<ffffffff885623ba>] __alloc_skb+0x28a/0x330 net/core/skbuff.c:641
    [<ffffffff8856d704>] __netdev_alloc_skb+0x74/0x400 net/core/skbuff.c:715
    [<ffffffff89e93c53>] netdev_alloc_skb include/linux/skbuff.h:3225 [inline]
    [<ffffffff89e93c53>] dev_alloc_skb include/linux/skbuff.h:3238 [inline]
    [<ffffffff89e93c53>] __ieee80211_beacon_get+0xbf3/0x1680 net/mac80211/tx.c:5445
    [<ffffffff89e948f6>] ieee80211_beacon_get_tim+0xa6/0x280 net/mac80211/tx.c:5567
    [<ffffffff864c017e>] ieee80211_beacon_get include/net/mac80211.h:5442 [inline]
    [<ffffffff864c017e>] mac80211_hwsim_beacon_tx+0x40e/0x750 drivers/net/wireless/virtual/mac80211_hwsim.c:2260
    [<ffffffff89eb6bd8>] __iterate_interfaces+0x2c8/0x570 net/mac80211/util.c:767
    [<ffffffff89ebdc11>] ieee80211_iterate_active_interfaces_atomic+0x71/0x1b0 net/mac80211/util.c:803
    [<ffffffff864a2c51>] mac80211_hwsim_beacon+0x101/0x200 drivers/net/wireless/virtual/mac80211_hwsim.c:2290
    [<ffffffff8174ea54>] __run_hrtimer kernel/time/hrtimer.c:1688 [inline]
    [<ffffffff8174ea54>] __hrtimer_run_queues+0x604/0xc10 kernel/time/hrtimer.c:1752
    [<ffffffff8174f1df>] hrtimer_run_softirq+0x17f/0x350 kernel/time/hrtimer.c:1769
    [<ffffffff8a6b2774>] __do_softirq+0x1d4/0x85e kernel/softirq.c:553
BUG: memory leak
unreferenced object 0xffff88811de3bc80 (size 640):
  comm "softirq", pid 0, jiffies 4295071837 (age 10.950s)
  hex dump (first 32 bytes):
    80 b4 01 0f 81 88 ff ff 00 00 00 00 67 05 92 06  ............g...
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff81daae1e>] kmemleak_alloc_recursive include/linux/kmemleak.h:42 [inline]
    [<ffffffff81daae1e>] slab_post_alloc_hook mm/slab.h:766 [inline]
    [<ffffffff81daae1e>] slab_alloc_node mm/slab.c:3237 [inline]
    [<ffffffff81daae1e>] kmem_cache_alloc_node+0x20e/0x510 mm/slab.c:3509
    [<ffffffff88559813>] kmalloc_reserve+0x163/0x260 net/core/skbuff.c:560
    [<ffffffff88562259>] __alloc_skb+0x129/0x330 net/core/skbuff.c:651
    [<ffffffff8856d704>] __netdev_alloc_skb+0x74/0x400 net/core/skbuff.c:715
    [<ffffffff89e93c53>] netdev_alloc_skb include/linux/skbuff.h:3225 [inline]
    [<ffffffff89e93c53>] dev_alloc_skb include/linux/skbuff.h:3238 [inline]
    [<ffffffff89e93c53>] __ieee80211_beacon_get+0xbf3/0x1680 net/mac80211/tx.c:5445
    [<ffffffff89e948f6>] ieee80211_beacon_get_tim+0xa6/0x280 net/mac80211/tx.c:5567
    [<ffffffff864c017e>] ieee80211_beacon_get include/net/mac80211.h:5442 [inline]
    [<ffffffff864c017e>] mac80211_hwsim_beacon_tx+0x40e/0x750 drivers/net/wireless/virtual/mac80211_hwsim.c:2260
    [<ffffffff89eb6bd8>] __iterate_interfaces+0x2c8/0x570 net/mac80211/util.c:767
    [<ffffffff89ebdc11>] ieee80211_iterate_active_interfaces_atomic+0x71/0x1b0 net/mac80211/util.c:803
    [<ffffffff864a2c51>] mac80211_hwsim_beacon+0x101/0x200 drivers/net/wireless/virtual/mac80211_hwsim.c:2290
    [<ffffffff8174ea54>] __run_hrtimer kernel/time/hrtimer.c:1688 [inline]
    [<ffffffff8174ea54>] __hrtimer_run_queues+0x604/0xc10 kernel/time/hrtimer.c:1752
    [<ffffffff8174f1df>] hrtimer_run_softirq+0x17f/0x350 kernel/time/hrtimer.c:1769
    [<ffffffff8a6b2774>] __do_softirq+0x1d4/0x85e kernel/softirq.c:553
BUG: memory leak
unreferenced object 0xffff88810f01b200 (size 240):
  comm "softirq", pid 0, jiffies 4295071837 (age 10.950s)
  hex dump (first 32 bytes):
    c0 29 86 0e 81 88 ff ff 00 00 00 00 67 05 9c 06  .)..........g...
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff81daae1e>] kmemleak_alloc_recursive include/linux/kmemleak.h:42 [inline]
    [<ffffffff81daae1e>] slab_post_alloc_hook mm/slab.h:766 [inline]
    [<ffffffff81daae1e>] slab_alloc_node mm/slab.c:3237 [inline]
    [<ffffffff81daae1e>] kmem_cache_alloc_node+0x20e/0x510 mm/slab.c:3509
    [<ffffffff885623ba>] __alloc_skb+0x28a/0x330 net/core/skbuff.c:641
    [<ffffffff8856d704>] __netdev_alloc_skb+0x74/0x400 net/core/skbuff.c:715
    [<ffffffff89e93c53>] netdev_alloc_skb include/linux/skbuff.h:3225 [inline]
    [<ffffffff89e93c53>] dev_alloc_skb include/linux/skbuff.h:3238 [inline]
    [<ffffffff89e93c53>] __ieee80211_beacon_get+0xbf3/0x1680 net/mac80211/tx.c:5445
    [<ffffffff89e948f6>] ieee80211_beacon_get_tim+0xa6/0x280 net/mac80211/tx.c:5567
    [<ffffffff864c017e>] ieee80211_beacon_get include/net/mac80211.h:5442 [inline]
    [<ffffffff864c017e>] mac80211_hwsim_beacon_tx+0x40e/0x750 drivers/net/wireless/virtual/mac80211_hwsim.c:2260
    [<ffffffff89eb6bd8>] __iterate_interfaces+0x2c8/0x570 net/mac80211/util.c:767
    [<ffffffff89ebdc11>] ieee80211_iterate_active_interfaces_atomic+0x71/0x1b0 net/mac80211/util.c:803
    [<ffffffff864a2c51>] mac80211_hwsim_beacon+0x101/0x200 drivers/net/wireless/virtual/mac80211_hwsim.c:2290
    [<ffffffff8174ea54>] __run_hrtimer kernel/time/hrtimer.c:1688 [inline]
    [<ffffffff8174ea54>] __hrtimer_run_queues+0x604/0xc10 kernel/time/hrtimer.c:1752
    [<ffffffff8174f1df>] hrtimer_run_softirq+0x17f/0x350 kernel/time/hrtimer.c:1769
    [<ffffffff8a6b2774>] __do_softirq+0x1d4/0x85e kernel/softirq.c:553
Syzkaller reproducer:
# {Threaded:false Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:true NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Repro:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}
bind$packet(0xffffffffffffffff, &(0x7f0000000000)={0x11, 0x1a, 0x0, 0x1, 0x3}, 0x14)
r0 = openat$6lowpan_control(0xffffffffffffff9c, &(0x7f0000000040), 0x2, 0x0)
r1 = openat$cgroup_procs(0xffffffffffffffff, &(0x7f0000000080)='cgroup.procs\x00', 0x2, 0x0)
r2 = syz_io_uring_setup(0x1aaa, &(0x7f00000000c0)={0x0, 0x70d1, 0x0, 0x0, 0x158}, &(0x7f0000000140), &(0x7f0000000180))
r3 = openat$tun(0xffffffffffffff9c, &(0x7f0000000600), 0x40, 0x0)
io_uring_register$IORING_REGISTER_FILES_UPDATE(0xffffffffffffffff, 0x6, &(0x7f0000000680)={0x3, 0x0, &(0x7f0000000640)=[0xffffffffffffffff, 0xffffffffffffffff, r0, r1, r2, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, r3]}, 0xa)
r4 = openat$cgroup_ro(0xffffffffffffffff, 0x0, 0x0, 0x0)
io_uring_register$IORING_REGISTER_IOWQ_MAX_WORKERS(r4, 0x13, &(0x7f0000000700)=[0x200, 0x101], 0x2)
write$USERIO_CMD_SEND_INTERRUPT(r4, &(0x7f0000000740)={0x2, 0x7}, 0x2)
pipe2(0x0, 0x80080)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000980)={0x18, 0x0, 0x0, &(0x7f0000000840)='GPL\x00', 0x850d, 0x0, 0x0, 0x41000, 0x24, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000900)=[r4, 0xffffffffffffffff, r4]}, 0x90)
sendmsg$ETHTOOL_MSG_LINKINFO_SET(0xffffffffffffffff, &(0x7f0000000b00)={&(0x7f0000000a40)={0x10, 0x0, 0x0, 0x40000000}, 0xc, &(0x7f0000000ac0)={&(0x7f0000000a80)={0x28, 0x0, 0x100, 0x70bd2a, 0x25dfdbfc, {}, [@ETHTOOL_A_LINKINFO_HEADER={0xc, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_INDEX={0x8}]}, @ETHTOOL_A_LINKINFO_TP_MDIX_CTRL={0x5}]}, 0x28}, 0x1, 0x0, 0x0, 0x20000800}, 0x0)
============================================================================================================
I cannot rule out the possibility that this bug detected by Syzkaller
targeting 6.7-rc6 is a false positive.
Also, there are no reported records for 6.7-rc6.
I've attached the C repro and .config.
Thank you so much.
JinHo Ju.