---------- Forwarded message ---------
From: Jinho Ju <wnwlsgh98@gmail.com>
Date: Tue, 19 Dec 2023, 1:58 PM
Subject: memory leak in batadv_iv_ogm_aggregate_new
To: <security@kernel.org>


Hello, I am Jinho Ju, who is studying kernel security in Korea.
A "memory leak in batadv_iv_ogm_aggregate_new" was reported by Syzkaller targeting 6.7-rc6 on December 19, 2023 at 02:03.
The environment in which this bug was detected is as follows.
Syzkaller version: 3222d10c
Kernel version: Linux kernel 6.7-rc6
The report provided by Syzkaller is as follows.
============================================================================================================
Syzkaller hit 'memory leak in batadv_iv_ogm_aggregate_new' bug.

BUG: memory leak
unreferenced object 0xffff8881104a6640 (size 240):
  comm "kworker/u4:3", pid 9303, jiffies 4295071144 (age 12.160s)
  hex dump (first 32 bytes):
    00 64 54 0a 81 88 ff ff 57 24 00 00 ee 04 0c 07  .dT.....W$......
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff81daae1e>] kmemleak_alloc_recursive include/linux/kmemleak.h:42 [inline]
    [<ffffffff81daae1e>] slab_post_alloc_hook mm/slab.h:766 [inline]
    [<ffffffff81daae1e>] slab_alloc_node mm/slab.c:3237 [inline]
    [<ffffffff81daae1e>] kmem_cache_alloc_node+0x20e/0x510 mm/slab.c:3509
    [<ffffffff885623ba>] __alloc_skb+0x28a/0x330 net/core/skbuff.c:641
    [<ffffffff8856d704>] __netdev_alloc_skb+0x74/0x400 net/core/skbuff.c:715
    [<ffffffff8a2bf706>] __netdev_alloc_skb_ip_align include/linux/skbuff.h:3245 [inline]
    [<ffffffff8a2bf706>] netdev_alloc_skb_ip_align include/linux/skbuff.h:3255 [inline]
    [<ffffffff8a2bf706>] batadv_iv_ogm_aggregate_new+0x106/0x4b0 net/batman-adv/bat_iv_ogm.c:558
    [<ffffffff8a2c55b3>] batadv_iv_ogm_queue_add net/batman-adv/bat_iv_ogm.c:670 [inline]
    [<ffffffff8a2c55b3>] batadv_iv_ogm_schedule_buff+0x983/0x14b0 net/batman-adv/bat_iv_ogm.c:833
    [<ffffffff8a2c6413>] batadv_iv_ogm_schedule net/batman-adv/bat_iv_ogm.c:868 [inline]
    [<ffffffff8a2c6413>] batadv_iv_ogm_schedule net/batman-adv/bat_iv_ogm.c:861 [inline]
    [<ffffffff8a2c6413>] batadv_iv_send_outstanding_bat_ogm_packet+0x333/0x930 net/batman-adv/bat_iv_ogm.c:1712
    [<ffffffff8154b0c8>] process_one_work+0x878/0x15c0 kernel/workqueue.c:2627
    [<ffffffff8154c665>] process_scheduled_works kernel/workqueue.c:2700 [inline]
    [<ffffffff8154c665>] worker_thread+0x855/0x1200 kernel/workqueue.c:2781
    [<ffffffff8156bf0c>] kthread+0x2cc/0x3b0 kernel/kthread.c:388
    [<ffffffff812fb685>] ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
    [<ffffffff81004b71>] ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242

BUG: memory leak
unreferenced object 0xffff888109b6c800 (size 1024):
  comm "kworker/u4:3", pid 9303, jiffies 4295071144 (age 12.170s)
  hex dump (first 32 bytes):
    40 66 4a 10 81 88 ff ff 57 24 00 00 ee 04 03 07  @fJ.....W$......
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff81dacac3>] kmemleak_alloc_recursive include/linux/kmemleak.h:42 [inline]
    [<ffffffff81dacac3>] slab_post_alloc_hook mm/slab.h:766 [inline]
    [<ffffffff81dacac3>] slab_alloc_node mm/slab.c:3237 [inline]
    [<ffffffff81dacac3>] __kmem_cache_alloc_node+0x1e3/0x4c0 mm/slab.c:3521
    [<ffffffff81c12d0e>] __do_kmalloc_node mm/slab_common.c:1006 [inline]
    [<ffffffff81c12d0e>] __kmalloc_node_track_caller+0x4e/0xd0 mm/slab_common.c:1027
    [<ffffffff8855979d>] kmalloc_reserve+0xed/0x260 net/core/skbuff.c:582
    [<ffffffff88562259>] __alloc_skb+0x129/0x330 net/core/skbuff.c:651
    [<ffffffff8856d704>] __netdev_alloc_skb+0x74/0x400 net/core/skbuff.c:715
    [<ffffffff8a2bf706>] __netdev_alloc_skb_ip_align include/linux/skbuff.h:3245 [inline]
    [<ffffffff8a2bf706>] netdev_alloc_skb_ip_align include/linux/skbuff.h:3255 [inline]
    [<ffffffff8a2bf706>] batadv_iv_ogm_aggregate_new+0x106/0x4b0 net/batman-adv/bat_iv_ogm.c:558
    [<ffffffff8a2c55b3>] batadv_iv_ogm_queue_add net/batman-adv/bat_iv_ogm.c:670 [inline]
    [<ffffffff8a2c55b3>] batadv_iv_ogm_schedule_buff+0x983/0x14b0 net/batman-adv/bat_iv_ogm.c:833
    [<ffffffff8a2c6413>] batadv_iv_ogm_schedule net/batman-adv/bat_iv_ogm.c:868 [inline]
    [<ffffffff8a2c6413>] batadv_iv_ogm_schedule net/batman-adv/bat_iv_ogm.c:861 [inline]
    [<ffffffff8a2c6413>] batadv_iv_send_outstanding_bat_ogm_packet+0x333/0x930 net/batman-adv/bat_iv_ogm.c:1712
    [<ffffffff8154b0c8>] process_one_work+0x878/0x15c0 kernel/workqueue.c:2627
    [<ffffffff8154c665>] process_scheduled_works kernel/workqueue.c:2700 [inline]
    [<ffffffff8154c665>] worker_thread+0x855/0x1200 kernel/workqueue.c:2781
    [<ffffffff8156bf0c>] kthread+0x2cc/0x3b0 kernel/kthread.c:388
    [<ffffffff812fb685>] ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
    [<ffffffff81004b71>] ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242

BUG: memory leak
unreferenced object 0xffff88810a546400 (size 512):
  comm "kworker/u4:3", pid 9303, jiffies 4295071144 (age 12.170s)
  hex dump (first 32 bytes):
    18 41 68 12 81 88 ff ff 57 24 00 00 ee 04 15 07  .Ah.....W$......
    00 00 00 00 00 00 00 00 10 64 54 0a 81 88 ff ff  .........dT.....
  backtrace:
    [<ffffffff81dacac3>] kmemleak_alloc_recursive include/linux/kmemleak.h:42 [inline]
    [<ffffffff81dacac3>] slab_post_alloc_hook mm/slab.h:766 [inline]
    [<ffffffff81dacac3>] slab_alloc_node mm/slab.c:3237 [inline]
    [<ffffffff81dacac3>] __kmem_cache_alloc_node+0x1e3/0x4c0 mm/slab.c:3521
    [<ffffffff81c12436>] kmalloc_trace+0x26/0x60 mm/slab_common.c:1098
    [<ffffffff8a32b710>] kmalloc include/linux/slab.h:600 [inline]
    [<ffffffff8a32b710>] batadv_forw_packet_alloc+0x3b0/0x4d0 net/batman-adv/send.c:519
    [<ffffffff8a2bf734>] batadv_iv_ogm_aggregate_new+0x134/0x4b0 net/batman-adv/bat_iv_ogm.c:562
    [<ffffffff8a2c55b3>] batadv_iv_ogm_queue_add net/batman-adv/bat_iv_ogm.c:670 [inline]
    [<ffffffff8a2c55b3>] batadv_iv_ogm_schedule_buff+0x983/0x14b0 net/batman-adv/bat_iv_ogm.c:833
    [<ffffffff8a2c6413>] batadv_iv_ogm_schedule net/batman-adv/bat_iv_ogm.c:868 [inline]
    [<ffffffff8a2c6413>] batadv_iv_ogm_schedule net/batman-adv/bat_iv_ogm.c:861 [inline]
    [<ffffffff8a2c6413>] batadv_iv_send_outstanding_bat_ogm_packet+0x333/0x930 net/batman-adv/bat_iv_ogm.c:1712
    [<ffffffff8154b0c8>] process_one_work+0x878/0x15c0 kernel/workqueue.c:2627
    [<ffffffff8154c665>] process_scheduled_works kernel/workqueue.c:2700 [inline]
    [<ffffffff8154c665>] worker_thread+0x855/0x1200 kernel/workqueue.c:2781
    [<ffffffff8156bf0c>] kthread+0x2cc/0x3b0 kernel/kthread.c:388
    [<ffffffff812fb685>] ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
    [<ffffffff81004b71>] ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242

BUG: memory leak
unreferenced object 0xffff88801c47d580 (size 240):
  comm "kworker/u4:3", pid 9303, jiffies 4295071249 (age 11.120s)
  hex dump (first 32 bytes):
    00 c8 b6 09 81 88 ff ff 57 24 00 00 44 05 d7 06  ........W$..D...
    00 e0 ee 06 81 88 ff ff 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff81daaac5>] kmemleak_alloc_recursive include/linux/kmemleak.h:42 [inline]
    [<ffffffff81daaac5>] slab_post_alloc_hook mm/slab.h:766 [inline]
    [<ffffffff81daaac5>] slab_alloc_node mm/slab.c:3237 [inline]
    [<ffffffff81daaac5>] slab_alloc mm/slab.c:3246 [inline]
    [<ffffffff81daaac5>] __kmem_cache_alloc_lru mm/slab.c:3423 [inline]
    [<ffffffff81daaac5>] kmem_cache_alloc+0x295/0x3e0 mm/slab.c:3432
    [<ffffffff88573455>] skb_clone+0x145/0x3d0 net/core/skbuff.c:1916
    [<ffffffff8a2c661d>] batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:387 [inline]
    [<ffffffff8a2c661d>] batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:420 [inline]
    [<ffffffff8a2c661d>] batadv_iv_send_outstanding_bat_ogm_packet+0x53d/0x930 net/batman-adv/bat_iv_ogm.c:1700
    [<ffffffff8154b0c8>] process_one_work+0x878/0x15c0 kernel/workqueue.c:2627
    [<ffffffff8154c665>] process_scheduled_works kernel/workqueue.c:2700 [inline]
    [<ffffffff8154c665>] worker_thread+0x855/0x1200 kernel/workqueue.c:2781
    [<ffffffff8156bf0c>] kthread+0x2cc/0x3b0 kernel/kthread.c:388
    [<ffffffff812fb685>] ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
    [<ffffffff81004b71>] ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242

BUG: memory leak
unreferenced object 0xffff88810f01b480 (size 240):
  comm "softirq", pid 0, jiffies 4295071837 (age 10.950s)
  hex dump (first 32 bytes):
    80 86 e7 17 81 88 ff ff 00 00 00 00 67 05 9c 06  ............g...
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff81daae1e>] kmemleak_alloc_recursive include/linux/kmemleak.h:42 [inline]
    [<ffffffff81daae1e>] slab_post_alloc_hook mm/slab.h:766 [inline]
    [<ffffffff81daae1e>] slab_alloc_node mm/slab.c:3237 [inline]
    [<ffffffff81daae1e>] kmem_cache_alloc_node+0x20e/0x510 mm/slab.c:3509
    [<ffffffff885623ba>] __alloc_skb+0x28a/0x330 net/core/skbuff.c:641
    [<ffffffff8856d704>] __netdev_alloc_skb+0x74/0x400 net/core/skbuff.c:715
    [<ffffffff89e93c53>] netdev_alloc_skb include/linux/skbuff.h:3225 [inline]
    [<ffffffff89e93c53>] dev_alloc_skb include/linux/skbuff.h:3238 [inline]
    [<ffffffff89e93c53>] __ieee80211_beacon_get+0xbf3/0x1680 net/mac80211/tx.c:5445
    [<ffffffff89e948f6>] ieee80211_beacon_get_tim+0xa6/0x280 net/mac80211/tx.c:5567
    [<ffffffff864c017e>] ieee80211_beacon_get include/net/mac80211.h:5442 [inline]
    [<ffffffff864c017e>] mac80211_hwsim_beacon_tx+0x40e/0x750 drivers/net/wireless/virtual/mac80211_hwsim.c:2260
    [<ffffffff89eb6bd8>] __iterate_interfaces+0x2c8/0x570 net/mac80211/util.c:767
    [<ffffffff89ebdc11>] ieee80211_iterate_active_interfaces_atomic+0x71/0x1b0 net/mac80211/util.c:803
    [<ffffffff864a2c51>] mac80211_hwsim_beacon+0x101/0x200 drivers/net/wireless/virtual/mac80211_hwsim.c:2290
    [<ffffffff8174ea54>] __run_hrtimer kernel/time/hrtimer.c:1688 [inline]
    [<ffffffff8174ea54>] __hrtimer_run_queues+0x604/0xc10 kernel/time/hrtimer.c:1752
    [<ffffffff8174f1df>] hrtimer_run_softirq+0x17f/0x350 kernel/time/hrtimer.c:1769
    [<ffffffff8a6b2774>] __do_softirq+0x1d4/0x85e kernel/softirq.c:553

BUG: memory leak
unreferenced object 0xffff88811de3bc80 (size 640):
  comm "softirq", pid 0, jiffies 4295071837 (age 10.950s)
  hex dump (first 32 bytes):
    80 b4 01 0f 81 88 ff ff 00 00 00 00 67 05 92 06  ............g...
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff81daae1e>] kmemleak_alloc_recursive include/linux/kmemleak.h:42 [inline]
    [<ffffffff81daae1e>] slab_post_alloc_hook mm/slab.h:766 [inline]
    [<ffffffff81daae1e>] slab_alloc_node mm/slab.c:3237 [inline]
    [<ffffffff81daae1e>] kmem_cache_alloc_node+0x20e/0x510 mm/slab.c:3509
    [<ffffffff88559813>] kmalloc_reserve+0x163/0x260 net/core/skbuff.c:560
    [<ffffffff88562259>] __alloc_skb+0x129/0x330 net/core/skbuff.c:651
    [<ffffffff8856d704>] __netdev_alloc_skb+0x74/0x400 net/core/skbuff.c:715
    [<ffffffff89e93c53>] netdev_alloc_skb include/linux/skbuff.h:3225 [inline]
    [<ffffffff89e93c53>] dev_alloc_skb include/linux/skbuff.h:3238 [inline]
    [<ffffffff89e93c53>] __ieee80211_beacon_get+0xbf3/0x1680 net/mac80211/tx.c:5445
    [<ffffffff89e948f6>] ieee80211_beacon_get_tim+0xa6/0x280 net/mac80211/tx.c:5567
    [<ffffffff864c017e>] ieee80211_beacon_get include/net/mac80211.h:5442 [inline]
    [<ffffffff864c017e>] mac80211_hwsim_beacon_tx+0x40e/0x750 drivers/net/wireless/virtual/mac80211_hwsim.c:2260
    [<ffffffff89eb6bd8>] __iterate_interfaces+0x2c8/0x570 net/mac80211/util.c:767
    [<ffffffff89ebdc11>] ieee80211_iterate_active_interfaces_atomic+0x71/0x1b0 net/mac80211/util.c:803
    [<ffffffff864a2c51>] mac80211_hwsim_beacon+0x101/0x200 drivers/net/wireless/virtual/mac80211_hwsim.c:2290
    [<ffffffff8174ea54>] __run_hrtimer kernel/time/hrtimer.c:1688 [inline]
    [<ffffffff8174ea54>] __hrtimer_run_queues+0x604/0xc10 kernel/time/hrtimer.c:1752
    [<ffffffff8174f1df>] hrtimer_run_softirq+0x17f/0x350 kernel/time/hrtimer.c:1769
    [<ffffffff8a6b2774>] __do_softirq+0x1d4/0x85e kernel/softirq.c:553

BUG: memory leak
unreferenced object 0xffff88810f01b200 (size 240):
  comm "softirq", pid 0, jiffies 4295071837 (age 10.950s)
  hex dump (first 32 bytes):
    c0 29 86 0e 81 88 ff ff 00 00 00 00 67 05 9c 06  .)..........g...
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff81daae1e>] kmemleak_alloc_recursive include/linux/kmemleak.h:42 [inline]
    [<ffffffff81daae1e>] slab_post_alloc_hook mm/slab.h:766 [inline]
    [<ffffffff81daae1e>] slab_alloc_node mm/slab.c:3237 [inline]
    [<ffffffff81daae1e>] kmem_cache_alloc_node+0x20e/0x510 mm/slab.c:3509
    [<ffffffff885623ba>] __alloc_skb+0x28a/0x330 net/core/skbuff.c:641
    [<ffffffff8856d704>] __netdev_alloc_skb+0x74/0x400 net/core/skbuff.c:715
    [<ffffffff89e93c53>] netdev_alloc_skb include/linux/skbuff.h:3225 [inline]
    [<ffffffff89e93c53>] dev_alloc_skb include/linux/skbuff.h:3238 [inline]
    [<ffffffff89e93c53>] __ieee80211_beacon_get+0xbf3/0x1680 net/mac80211/tx.c:5445
    [<ffffffff89e948f6>] ieee80211_beacon_get_tim+0xa6/0x280 net/mac80211/tx.c:5567
    [<ffffffff864c017e>] ieee80211_beacon_get include/net/mac80211.h:5442 [inline]
    [<ffffffff864c017e>] mac80211_hwsim_beacon_tx+0x40e/0x750 drivers/net/wireless/virtual/mac80211_hwsim.c:2260
    [<ffffffff89eb6bd8>] __iterate_interfaces+0x2c8/0x570 net/mac80211/util.c:767
    [<ffffffff89ebdc11>] ieee80211_iterate_active_interfaces_atomic+0x71/0x1b0 net/mac80211/util.c:803
    [<ffffffff864a2c51>] mac80211_hwsim_beacon+0x101/0x200 drivers/net/wireless/virtual/mac80211_hwsim.c:2290
    [<ffffffff8174ea54>] __run_hrtimer kernel/time/hrtimer.c:1688 [inline]
    [<ffffffff8174ea54>] __hrtimer_run_queues+0x604/0xc10 kernel/time/hrtimer.c:1752
    [<ffffffff8174f1df>] hrtimer_run_softirq+0x17f/0x350 kernel/time/hrtimer.c:1769
    [<ffffffff8a6b2774>] __do_softirq+0x1d4/0x85e kernel/softirq.c:553
Syzkaller reproducer:
# {Threaded:false Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:true NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:false CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Repro:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}
bind$packet(0xffffffffffffffff, &(0x7f0000000000)={0x11, 0x1a, 0x0, 0x1, 0x3}, 0x14)
r0 = openat$6lowpan_control(0xffffffffffffff9c, &(0x7f0000000040), 0x2, 0x0)
r1 = openat$cgroup_procs(0xffffffffffffffff, &(0x7f0000000080)='cgroup.procs\x00', 0x2, 0x0)
r2 = syz_io_uring_setup(0x1aaa, &(0x7f00000000c0)={0x0, 0x70d1, 0x0, 0x0, 0x158}, &(0x7f0000000140), &(0x7f0000000180))
r3 = openat$tun(0xffffffffffffff9c, &(0x7f0000000600), 0x40, 0x0)
io_uring_register$IORING_REGISTER_FILES_UPDATE(0xffffffffffffffff, 0x6, &(0x7f0000000680)={0x3, 0x0, &(0x7f0000000640)=[0xffffffffffffffff, 0xffffffffffffffff, r0, r1, r2, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, r3]}, 0xa)
r4 = openat$cgroup_ro(0xffffffffffffffff, 0x0, 0x0, 0x0)
io_uring_register$IORING_REGISTER_IOWQ_MAX_WORKERS(r4, 0x13, &(0x7f0000000700)=[0x200, 0x101], 0x2)
write$USERIO_CMD_SEND_INTERRUPT(r4, &(0x7f0000000740)={0x2, 0x7}, 0x2)
pipe2(0x0, 0x80080)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000980)={0x18, 0x0, 0x0, &(0x7f0000000840)='GPL\x00', 0x850d, 0x0, 0x0, 0x41000, 0x24, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000000900)=[r4, 0xffffffffffffffff, r4]}, 0x90)
sendmsg$ETHTOOL_MSG_LINKINFO_SET(0xffffffffffffffff, &(0x7f0000000b00)={&(0x7f0000000a40)={0x10, 0x0, 0x0, 0x40000000}, 0xc, &(0x7f0000000ac0)={&(0x7f0000000a80)={0x28, 0x0, 0x100, 0x70bd2a, 0x25dfdbfc, {}, [@ETHTOOL_A_LINKINFO_HEADER={0xc, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_DEV_INDEX={0x8}]}, @ETHTOOL_A_LINKINFO_TP_MDIX_CTRL={0x5}]}, 0x28}, 0x1, 0x0, 0x0, 0x20000800}, 0x0)

============================================================================================================
I cannot rule out the possibility that this bug detected by Syzkaller targeting 6.7-rc6 is a false positive.
Also, there are no reported records for 6.7-rc6.
I've attached the C repro and .config.
Thank you so much.
JinHo Ju.
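As an added triage aid (not part of the report above or of the kernel tree), here is a small Python parser that splits a kmemleak report into its "unreferenced object" records and groups them by the first backtrace frame outside the generic allocator and skb layers; the list of "generic" path prefixes is my own assumption. Run over a cut-down version of the records quoted above, it makes visible that the output filed under one Syzkaller title mixes net/batman-adv allocations with a net/mac80211 beacon allocation.

```python
import re

# Constructed input: three records cut down from the kmemleak output quoted above (hex dumps and inlined frames dropped).
SAMPLE_REPORT = """\
BUG: memory leak
unreferenced object 0xffff8881104a6640 (size 240):
  comm "kworker/u4:3", pid 9303, jiffies 4295071144 (age 12.160s)
  backtrace:
    [<ffffffff885623ba>] __alloc_skb+0x28a/0x330 net/core/skbuff.c:641
    [<ffffffff8a2bf706>] batadv_iv_ogm_aggregate_new+0x106/0x4b0 net/batman-adv/bat_iv_ogm.c:558
BUG: memory leak
unreferenced object 0xffff88810a546400 (size 512):
  comm "kworker/u4:3", pid 9303, jiffies 4295071144 (age 12.170s)
  backtrace:
    [<ffffffff81c12436>] kmalloc_trace+0x26/0x60 mm/slab_common.c:1098
    [<ffffffff8a32b710>] batadv_forw_packet_alloc+0x3b0/0x4d0 net/batman-adv/send.c:519
BUG: memory leak
unreferenced object 0xffff88810f01b480 (size 240):
  comm "softirq", pid 0, jiffies 4295071837 (age 10.950s)
  backtrace:
    [<ffffffff885623ba>] __alloc_skb+0x28a/0x330 net/core/skbuff.c:641
    [<ffffffff89e93c53>] __ieee80211_beacon_get+0xbf3/0x1680 net/mac80211/tx.c:5445
"""

# Assumed heuristic: frames from these paths are generic allocator / skb plumbing; the first frame outside them is the origin.
GENERIC_PREFIXES = ("mm/", "include/linux/slab", "include/linux/kmemleak",
                    "net/core/skbuff", "include/linux/skbuff")
HEADER_RE = re.compile(r'unreferenced object (0x[0-9a-f]+) \(size (\d+)\):\s+comm "([^"]+)", pid (\d+)')


def parse_records(text):
    """Yield one dict per 'unreferenced object' block with its (function, path:line) frames."""
    for chunk in text.split("BUG: memory leak")[1:]:
        if not (m := HEADER_RE.search(chunk)):
            continue
        frames = [(t[1].split("+")[0], t[2]) for t in map(str.split, chunk.splitlines())
                  if len(t) >= 3 and t[0].startswith("[<")]
        yield {"addr": m[1], "size": int(m[2]), "comm": m[3], "pid": int(m[4]), "frames": frames}


def leak_origin(frames):
    """First frame outside the generic layers, as (function, file); None if there is none."""
    hits = [(f, loc.rsplit(":", 1)[0]) for f, loc in frames if not loc.startswith(GENERIC_PREFIXES)]
    return hits[0] if hits else None


def group_by_origin(text):
    """Map (function, file) -> sizes of the objects leaked from that origin."""
    groups = {}
    for rec in parse_records(text):
        groups.setdefault(leak_origin(rec["frames"]) or ("<unknown>", ""), []).append(rec["size"])
    return groups
```

Fed the complete report quoted above instead of the constructed excerpt, the same grouping yields four batman-adv origins (batadv_iv_ogm_aggregate_new twice, batadv_forw_packet_alloc once, batadv_iv_ogm_send_to_if once via skb_clone) and three __ieee80211_beacon_get records from the mac80211_hwsim beacon path.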