---------- Forwarded message --------- 보낸사람: Jinho Ju wnwlsgh98@gmail.com Date: 2023년 12월 19일 (화) 오후 1:58 Subject: memory leak in batadv_iv_ogm_aggregate_new To: security@kernel.org
Hello, I am Jinho Ju; I am studying kernel security in Korea. A "*memory leak in batadv_iv_ogm_aggregate_new*" was reported by Syzkaller targeting 6.7-rc6 on December 19, 2023 at 02:03. The environment in which this bug was detected is as follows. Syzkaller version: 3222d10c Kernel version: Linux kernel 6.7-rc6 The report provided by Syzkaller is as follows. ============================================================================================================ Syzkaller hit 'memory leak in batadv_iv_ogm_aggregate_new' bug.
BUG: memory leak unreferenced object 0xffff8881104a6640 (size 240): comm "kworker/u4:3", pid 9303, jiffies 4295071144 (age 12.160s) hex dump (first 32 bytes): 00 64 54 0a 81 88 ff ff 57 24 00 00 ee 04 0c 07 .dT.....W$...... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<ffffffff81daae1e>] kmemleak_alloc_recursive include/linux/kmemleak.h:42 [inline] [<ffffffff81daae1e>] slab_post_alloc_hook mm/slab.h:766 [inline] [<ffffffff81daae1e>] slab_alloc_node mm/slab.c:3237 [inline] [<ffffffff81daae1e>] kmem_cache_alloc_node+0x20e/0x510 mm/slab.c:3509 [<ffffffff885623ba>] __alloc_skb+0x28a/0x330 net/core/skbuff.c:641 [<ffffffff8856d704>] __netdev_alloc_skb+0x74/0x400 net/core/skbuff.c:715 [<ffffffff8a2bf706>] __netdev_alloc_skb_ip_align include/linux/skbuff.h:3245 [inline] [<ffffffff8a2bf706>] netdev_alloc_skb_ip_align include/linux/skbuff.h:3255 [inline] [<ffffffff8a2bf706>] batadv_iv_ogm_aggregate_new+0x106/0x4b0 net/batman-adv/bat_iv_ogm.c:558 [<ffffffff8a2c55b3>] batadv_iv_ogm_queue_add net/batman-adv/bat_iv_ogm.c:670 [inline] [<ffffffff8a2c55b3>] batadv_iv_ogm_schedule_buff+0x983/0x14b0 net/batman-adv/bat_iv_ogm.c:833 [<ffffffff8a2c6413>] batadv_iv_ogm_schedule net/batman-adv/bat_iv_ogm.c:868 [inline] [<ffffffff8a2c6413>] batadv_iv_ogm_schedule net/batman-adv/bat_iv_ogm.c:861 [inline] [<ffffffff8a2c6413>] batadv_iv_send_outstanding_bat_ogm_packet+0x333/0x930 net/batman-adv/bat_iv_ogm.c:1712 [<ffffffff8154b0c8>] process_one_work+0x878/0x15c0 kernel/workqueue.c:2627 [<ffffffff8154c665>] process_scheduled_works kernel/workqueue.c:2700 [inline] [<ffffffff8154c665>] worker_thread+0x855/0x1200 kernel/workqueue.c:2781 [<ffffffff8156bf0c>] kthread+0x2cc/0x3b0 kernel/kthread.c:388 [<ffffffff812fb685>] ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 [<ffffffff81004b71>] ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
BUG: memory leak unreferenced object 0xffff888109b6c800 (size 1024): comm "kworker/u4:3", pid 9303, jiffies 4295071144 (age 12.170s) hex dump (first 32 bytes): 40 66 4a 10 81 88 ff ff 57 24 00 00 ee 04 03 07 @fJ.....W$...... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<ffffffff81dacac3>] kmemleak_alloc_recursive include/linux/kmemleak.h:42 [inline] [<ffffffff81dacac3>] slab_post_alloc_hook mm/slab.h:766 [inline] [<ffffffff81dacac3>] slab_alloc_node mm/slab.c:3237 [inline] [<ffffffff81dacac3>] __kmem_cache_alloc_node+0x1e3/0x4c0 mm/slab.c:3521 [<ffffffff81c12d0e>] __do_kmalloc_node mm/slab_common.c:1006 [inline] [<ffffffff81c12d0e>] __kmalloc_node_track_caller+0x4e/0xd0 mm/slab_common.c:1027 [<ffffffff8855979d>] kmalloc_reserve+0xed/0x260 net/core/skbuff.c:582 [<ffffffff88562259>] __alloc_skb+0x129/0x330 net/core/skbuff.c:651 [<ffffffff8856d704>] __netdev_alloc_skb+0x74/0x400 net/core/skbuff.c:715 [<ffffffff8a2bf706>] __netdev_alloc_skb_ip_align include/linux/skbuff.h:3245 [inline] [<ffffffff8a2bf706>] netdev_alloc_skb_ip_align include/linux/skbuff.h:3255 [inline] [<ffffffff8a2bf706>] batadv_iv_ogm_aggregate_new+0x106/0x4b0 net/batman-adv/bat_iv_ogm.c:558 [<ffffffff8a2c55b3>] batadv_iv_ogm_queue_add net/batman-adv/bat_iv_ogm.c:670 [inline] [<ffffffff8a2c55b3>] batadv_iv_ogm_schedule_buff+0x983/0x14b0 net/batman-adv/bat_iv_ogm.c:833 [<ffffffff8a2c6413>] batadv_iv_ogm_schedule net/batman-adv/bat_iv_ogm.c:868 [inline] [<ffffffff8a2c6413>] batadv_iv_ogm_schedule net/batman-adv/bat_iv_ogm.c:861 [inline] [<ffffffff8a2c6413>] batadv_iv_send_outstanding_bat_ogm_packet+0x333/0x930 net/batman-adv/bat_iv_ogm.c:1712 [<ffffffff8154b0c8>] process_one_work+0x878/0x15c0 kernel/workqueue.c:2627 [<ffffffff8154c665>] process_scheduled_works kernel/workqueue.c:2700 [inline] [<ffffffff8154c665>] worker_thread+0x855/0x1200 kernel/workqueue.c:2781 [<ffffffff8156bf0c>] kthread+0x2cc/0x3b0 kernel/kthread.c:388 [<ffffffff812fb685>] ret_from_fork+0x45/0x80 
arch/x86/kernel/process.c:147 [<ffffffff81004b71>] ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
BUG: memory leak unreferenced object 0xffff88810a546400 (size 512): comm "kworker/u4:3", pid 9303, jiffies 4295071144 (age 12.170s) hex dump (first 32 bytes): 18 41 68 12 81 88 ff ff 57 24 00 00 ee 04 15 07 .Ah.....W$...... 00 00 00 00 00 00 00 00 10 64 54 0a 81 88 ff ff .........dT..... backtrace: [<ffffffff81dacac3>] kmemleak_alloc_recursive include/linux/kmemleak.h:42 [inline] [<ffffffff81dacac3>] slab_post_alloc_hook mm/slab.h:766 [inline] [<ffffffff81dacac3>] slab_alloc_node mm/slab.c:3237 [inline] [<ffffffff81dacac3>] __kmem_cache_alloc_node+0x1e3/0x4c0 mm/slab.c:3521 [<ffffffff81c12436>] kmalloc_trace+0x26/0x60 mm/slab_common.c:1098 [<ffffffff8a32b710>] kmalloc include/linux/slab.h:600 [inline] [<ffffffff8a32b710>] batadv_forw_packet_alloc+0x3b0/0x4d0 net/batman-adv/send.c:519 [<ffffffff8a2bf734>] batadv_iv_ogm_aggregate_new+0x134/0x4b0 net/batman-adv/bat_iv_ogm.c:562 [<ffffffff8a2c55b3>] batadv_iv_ogm_queue_add net/batman-adv/bat_iv_ogm.c:670 [inline] [<ffffffff8a2c55b3>] batadv_iv_ogm_schedule_buff+0x983/0x14b0 net/batman-adv/bat_iv_ogm.c:833 [<ffffffff8a2c6413>] batadv_iv_ogm_schedule net/batman-adv/bat_iv_ogm.c:868 [inline] [<ffffffff8a2c6413>] batadv_iv_ogm_schedule net/batman-adv/bat_iv_ogm.c:861 [inline] [<ffffffff8a2c6413>] batadv_iv_send_outstanding_bat_ogm_packet+0x333/0x930 net/batman-adv/bat_iv_ogm.c:1712 [<ffffffff8154b0c8>] process_one_work+0x878/0x15c0 kernel/workqueue.c:2627 [<ffffffff8154c665>] process_scheduled_works kernel/workqueue.c:2700 [inline] [<ffffffff8154c665>] worker_thread+0x855/0x1200 kernel/workqueue.c:2781 [<ffffffff8156bf0c>] kthread+0x2cc/0x3b0 kernel/kthread.c:388 [<ffffffff812fb685>] ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 [<ffffffff81004b71>] ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
BUG: memory leak unreferenced object 0xffff88801c47d580 (size 240): comm "kworker/u4:3", pid 9303, jiffies 4295071249 (age 11.120s) hex dump (first 32 bytes): 00 c8 b6 09 81 88 ff ff 57 24 00 00 44 05 d7 06 ........W$..D... 00 e0 ee 06 81 88 ff ff 00 00 00 00 00 00 00 00 ................ backtrace: [<ffffffff81daaac5>] kmemleak_alloc_recursive include/linux/kmemleak.h:42 [inline] [<ffffffff81daaac5>] slab_post_alloc_hook mm/slab.h:766 [inline] [<ffffffff81daaac5>] slab_alloc_node mm/slab.c:3237 [inline] [<ffffffff81daaac5>] slab_alloc mm/slab.c:3246 [inline] [<ffffffff81daaac5>] __kmem_cache_alloc_lru mm/slab.c:3423 [inline] [<ffffffff81daaac5>] kmem_cache_alloc+0x295/0x3e0 mm/slab.c:3432 [<ffffffff88573455>] skb_clone+0x145/0x3d0 net/core/skbuff.c:1916 [<ffffffff8a2c661d>] batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:387 [inline] [<ffffffff8a2c661d>] batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:420 [inline] [<ffffffff8a2c661d>] batadv_iv_send_outstanding_bat_ogm_packet+0x53d/0x930 net/batman-adv/bat_iv_ogm.c:1700 [<ffffffff8154b0c8>] process_one_work+0x878/0x15c0 kernel/workqueue.c:2627 [<ffffffff8154c665>] process_scheduled_works kernel/workqueue.c:2700 [inline] [<ffffffff8154c665>] worker_thread+0x855/0x1200 kernel/workqueue.c:2781 [<ffffffff8156bf0c>] kthread+0x2cc/0x3b0 kernel/kthread.c:388 [<ffffffff812fb685>] ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 [<ffffffff81004b71>] ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
BUG: memory leak unreferenced object 0xffff88810f01b480 (size 240): comm "softirq", pid 0, jiffies 4295071837 (age 10.950s) hex dump (first 32 bytes): 80 86 e7 17 81 88 ff ff 00 00 00 00 67 05 9c 06 ............g... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<ffffffff81daae1e>] kmemleak_alloc_recursive include/linux/kmemleak.h:42 [inline] [<ffffffff81daae1e>] slab_post_alloc_hook mm/slab.h:766 [inline] [<ffffffff81daae1e>] slab_alloc_node mm/slab.c:3237 [inline] [<ffffffff81daae1e>] kmem_cache_alloc_node+0x20e/0x510 mm/slab.c:3509 [<ffffffff885623ba>] __alloc_skb+0x28a/0x330 net/core/skbuff.c:641 [<ffffffff8856d704>] __netdev_alloc_skb+0x74/0x400 net/core/skbuff.c:715 [<ffffffff89e93c53>] netdev_alloc_skb include/linux/skbuff.h:3225 [inline] [<ffffffff89e93c53>] dev_alloc_skb include/linux/skbuff.h:3238 [inline] [<ffffffff89e93c53>] __ieee80211_beacon_get+0xbf3/0x1680 net/mac80211/tx.c:5445 [<ffffffff89e948f6>] ieee80211_beacon_get_tim+0xa6/0x280 net/mac80211/tx.c:5567 [<ffffffff864c017e>] ieee80211_beacon_get include/net/mac80211.h:5442 [inline] [<ffffffff864c017e>] mac80211_hwsim_beacon_tx+0x40e/0x750 drivers/net/wireless/virtual/mac80211_hwsim.c:2260 [<ffffffff89eb6bd8>] __iterate_interfaces+0x2c8/0x570 net/mac80211/util.c:767 [<ffffffff89ebdc11>] ieee80211_iterate_active_interfaces_atomic+0x71/0x1b0 net/mac80211/util.c:803 [<ffffffff864a2c51>] mac80211_hwsim_beacon+0x101/0x200 drivers/net/wireless/virtual/mac80211_hwsim.c:2290 [<ffffffff8174ea54>] __run_hrtimer kernel/time/hrtimer.c:1688 [inline] [<ffffffff8174ea54>] __hrtimer_run_queues+0x604/0xc10 kernel/time/hrtimer.c:1752 [<ffffffff8174f1df>] hrtimer_run_softirq+0x17f/0x350 kernel/time/hrtimer.c:1769 [<ffffffff8a6b2774>] __do_softirq+0x1d4/0x85e kernel/softirq.c:553
BUG: memory leak unreferenced object 0xffff88811de3bc80 (size 640): comm "softirq", pid 0, jiffies 4295071837 (age 10.950s) hex dump (first 32 bytes): 80 b4 01 0f 81 88 ff ff 00 00 00 00 67 05 92 06 ............g... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<ffffffff81daae1e>] kmemleak_alloc_recursive include/linux/kmemleak.h:42 [inline] [<ffffffff81daae1e>] slab_post_alloc_hook mm/slab.h:766 [inline] [<ffffffff81daae1e>] slab_alloc_node mm/slab.c:3237 [inline] [<ffffffff81daae1e>] kmem_cache_alloc_node+0x20e/0x510 mm/slab.c:3509 [<ffffffff88559813>] kmalloc_reserve+0x163/0x260 net/core/skbuff.c:560 [<ffffffff88562259>] __alloc_skb+0x129/0x330 net/core/skbuff.c:651 [<ffffffff8856d704>] __netdev_alloc_skb+0x74/0x400 net/core/skbuff.c:715 [<ffffffff89e93c53>] netdev_alloc_skb include/linux/skbuff.h:3225 [inline] [<ffffffff89e93c53>] dev_alloc_skb include/linux/skbuff.h:3238 [inline] [<ffffffff89e93c53>] __ieee80211_beacon_get+0xbf3/0x1680 net/mac80211/tx.c:5445 [<ffffffff89e948f6>] ieee80211_beacon_get_tim+0xa6/0x280 net/mac80211/tx.c:5567 [<ffffffff864c017e>] ieee80211_beacon_get include/net/mac80211.h:5442 [inline] [<ffffffff864c017e>] mac80211_hwsim_beacon_tx+0x40e/0x750 drivers/net/wireless/virtual/mac80211_hwsim.c:2260 [<ffffffff89eb6bd8>] __iterate_interfaces+0x2c8/0x570 net/mac80211/util.c:767 [<ffffffff89ebdc11>] ieee80211_iterate_active_interfaces_atomic+0x71/0x1b0 net/mac80211/util.c:803 [<ffffffff864a2c51>] mac80211_hwsim_beacon+0x101/0x200 drivers/net/wireless/virtual/mac80211_hwsim.c:2290 [<ffffffff8174ea54>] __run_hrtimer kernel/time/hrtimer.c:1688 [inline] [<ffffffff8174ea54>] __hrtimer_run_queues+0x604/0xc10 kernel/time/hrtimer.c:1752 [<ffffffff8174f1df>] hrtimer_run_softirq+0x17f/0x350 kernel/time/hrtimer.c:1769 [<ffffffff8a6b2774>] __do_softirq+0x1d4/0x85e kernel/softirq.c:553
BUG: memory leak unreferenced object 0xffff88810f01b200 (size 240): comm "softirq", pid 0, jiffies 4295071837 (age 10.950s) hex dump (first 32 bytes): c0 29 86 0e 81 88 ff ff 00 00 00 00 67 05 9c 06 .)..........g... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<ffffffff81daae1e>] kmemleak_alloc_recursive include/linux/kmemleak.h:42 [inline] [<ffffffff81daae1e>] slab_post_alloc_hook mm/slab.h:766 [inline] [<ffffffff81daae1e>] slab_alloc_node mm/slab.c:3237 [inline] [<ffffffff81daae1e>] kmem_cache_alloc_node+0x20e/0x510 mm/slab.c:3509 [<ffffffff885623ba>] __alloc_skb+0x28a/0x330 net/core/skbuff.c:641 [<ffffffff8856d704>] __netdev_alloc_skb+0x74/0x400 net/core/skbuff.c:715 [<ffffffff89e93c53>] netdev_alloc_skb include/linux/skbuff.h:3225 [inline] [<ffffffff89e93c53>] dev_alloc_skb include/linux/skbuff.h:3238 [inline] [<ffffffff89e93c53>] __ieee80211_beacon_get+0xbf3/0x1680 net/mac80211/tx.c:5445 [<ffffffff89e948f6>] ieee80211_beacon_get_tim+0xa6/0x280 net/mac80211/tx.c:5567 [<ffffffff864c017e>] ieee80211_beacon_get include/net/mac80211.h:5442 [inline] [<ffffffff864c017e>] mac80211_hwsim_beacon_tx+0x40e/0x750 drivers/net/wireless/virtual/mac80211_hwsim.c:2260 [<ffffffff89eb6bd8>] __iterate_interfaces+0x2c8/0x570 net/mac80211/util.c:767 [<ffffffff89ebdc11>] ieee80211_iterate_active_interfaces_atomic+0x71/0x1b0 net/mac80211/util.c:803 [<ffffffff864a2c51>] mac80211_hwsim_beacon+0x101/0x200 drivers/net/wireless/virtual/mac80211_hwsim.c:2290 [<ffffffff8174ea54>] __run_hrtimer kernel/time/hrtimer.c:1688 [inline] [<ffffffff8174ea54>] __hrtimer_run_queues+0x604/0xc10 kernel/time/hrtimer.c:1752 [<ffffffff8174f1df>] hrtimer_run_softirq+0x17f/0x350 kernel/time/hrtimer.c:1769 [<ffffffff8a6b2774>] __do_softirq+0x1d4/0x85e kernel/softirq.c:553
Syzkaller reproducer: # {Threaded:false Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:true NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Repro:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}} bind$packet(0xffffffffffffffff, &(0x7f0000000000)={0x11, 0x1a, 0x0, 0x1, 0x3}, 0x14) r0 = openat$6lowpan_control(0xffffffffffffff9c, &(0x7f0000000040), 0x2, 0x0) r1 = openat$cgroup_procs(0xffffffffffffffff, &(0x7f0000000080)='cgroup.procs\x00', 0x2, 0x0) r2 = syz_io_uring_setup(0x1aaa, &(0x7f00000000c0)={0x0, 0x70d1, 0x0, 0x0, 0x158}, &(0x7f0000000140), &(0x7f0000000180)) r3 = openat$tun(0xffffffffffffff9c, &(0x7f0000000600), 0x40, 0x0) io_uring_register$IORING_REGISTER_FILES_UPDATE(0xffffffffffffffff, 0x6, &(0x7f0000000680)={0x3, 0x0, &(0x7f0000000640)=[0xffffffffffffffff, 0xffffffffffffffff, r0, r1, r2, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, r3]}, 0xa) r4 = openat$cgroup_ro(0xffffffffffffffff, 0x0, 0x0, 0x0) io_uring_register$IORING_REGISTER_IOWQ_MAX_WORKERS(r4, 0x13, &(0x7f0000000700)=[0x200, 0x101], 0x2) write$USERIO_CMD_SEND_INTERRUPT(r4, &(0x7f0000000740)={0x2, 0x7}, 0x2) pipe2(0x0, 0x80080) bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000980)={0x18, 0x0, 0x0, &(0x7f0000000840)='GPL\x00', 0x850d, 0x0, 0x0, 0x41000, 0x24, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000900)=[r4, 0xffffffffffffffff, r4]}, 0x90) sendmsg$ETHTOOL_MSG_LINKINFO_SET(0xffffffffffffffff, &(0x7f0000000b00)={&(0x7f0000000a40)={0x10, 0x0, 0x0, 0x40000000}, 0xc, &(0x7f0000000ac0)={&(0x7f0000000a80)={0x28, 0x0, 0x100, 0x70bd2a, 0x25dfdbfc, {}, [@ETHTOOL_A_LINKINFO_HEADER={0xc, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_INDEX={0x8}]}, 
@ETHTOOL_A_LINKINFO_TP_MDIX_CTRL={0x5}]}, 0x28}, 0x1, 0x0, 0x0, 0x20000800}, 0x0)
============================================================================================================
I cannot rule out the possibility that this bug, detected by Syzkaller targeting 6.7-rc6, is a false positive. In particular, the reported objects are only about 10–12 seconds old and include skbs that had just been queued for later transmission (batadv_iv_ogm_queue_add) or allocated for a beacon, so they may still have been in flight when kmemleak scanned; I have not confirmed that they remain unreferenced over a longer run.
Also, I have found no existing reports of this bug against 6.7-rc6.
I have attached the C reproducer and the kernel .config.
Thank you so much.
JinHo Ju.