[syzkaller] memory leak in __get_filter #119

Closed
cpaasch opened this issue Nov 30, 2020 · 2 comments

Comments

@cpaasch
Member

cpaasch commented Nov 30, 2020

write$P9_RFSYNC(r1, &(0x7f0000000000)={0x6}, 0xfffffdef)
r4 = eventfd2(0x0, 0x0)
syz_open_dev$ttys(0xc, 0x2, 0x1)
read$eventfd(r4, &(0x7f0000000040), 0x8)
write$eventfd(r4, &(0x7f0000000000), 0x8)
BUG: memory leak
unreferenced object 0xffffc9000002c000 (size 4096):
  comm "syz-executor.5", pid 7904, jiffies 4295639974 (age 99.529s)
  hex dump (first 32 bytes):
    01 00 00 00 00 00 00 00 00 00 00 00 06 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<00000000dd31f0c3>] __vmalloc_node_range+0x545/0x930 mm/vmalloc.c:2569
    [<0000000067add9fa>] __vmalloc_node mm/vmalloc.c:2601 [inline]
    [<0000000067add9fa>] __vmalloc+0x69/0x80 mm/vmalloc.c:2615
    [<00000000eb7e56bb>] bpf_prog_alloc_no_stats+0x32/0x2b0 kernel/bpf/core.c:85
    [<00000000316299b1>] bpf_prog_alloc+0x2c/0x230 kernel/bpf/core.c:113
    [<00000000800e5c07>] __get_filter+0x115/0x2c0 net/core/filter.c:1491
    [<0000000097e262d5>] sk_attach_filter+0x20/0x300 net/core/filter.c:1526
    [<00000000db579581>] sock_setsockopt+0x2100/0x2710 net/core/sock.c:1060
    [<000000008861d9e3>] mptcp_setsockopt_sol_socket net/mptcp/protocol.c:2752 [inline]
    [<000000008861d9e3>] mptcp_setsockopt+0x3b7/0x760 net/mptcp/protocol.c:2791
    [<00000000cd80c519>] __sys_setsockopt+0x154/0x390 net/socket.c:2109
    [<00000000e3db7e12>] __do_sys_setsockopt net/socket.c:2120 [inline]
    [<00000000e3db7e12>] __se_sys_setsockopt net/socket.c:2117 [inline]
    [<00000000e3db7e12>] __x64_sys_setsockopt+0xba/0x150 net/socket.c:2117
    [<00000000a8f9d425>] do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
    [<00000000d41d03c0>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff888109cae000 (size 1024):
  comm "syz-executor.5", pid 7904, jiffies 4295639974 (age 99.530s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<00000000bba146ea>] kmalloc include/linux/slab.h:552 [inline]
    [<00000000bba146ea>] kzalloc include/linux/slab.h:664 [inline]
    [<00000000bba146ea>] bpf_prog_alloc_no_stats+0xb9/0x2b0 kernel/bpf/core.c:89
    [<00000000316299b1>] bpf_prog_alloc+0x2c/0x230 kernel/bpf/core.c:113
    [<00000000800e5c07>] __get_filter+0x115/0x2c0 net/core/filter.c:1491
    [<0000000097e262d5>] sk_attach_filter+0x20/0x300 net/core/filter.c:1526
    [<00000000db579581>] sock_setsockopt+0x2100/0x2710 net/core/sock.c:1060
    [<000000008861d9e3>] mptcp_setsockopt_sol_socket net/mptcp/protocol.c:2752 [inline]
    [<000000008861d9e3>] mptcp_setsockopt+0x3b7/0x760 net/mptcp/protocol.c:2791
    [<00000000cd80c519>] __sys_setsockopt+0x154/0x390 net/socket.c:2109
    [<00000000e3db7e12>] __do_sys_setsockopt net/socket.c:2120 [inline]
    [<00000000e3db7e12>] __se_sys_setsockopt net/socket.c:2117 [inline]
    [<00000000e3db7e12>] __x64_sys_setsockopt+0xba/0x150 net/socket.c:2117
    [<00000000a8f9d425>] do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
    [<00000000d41d03c0>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff8881067ab6a0 (size 16):
  comm "syz-executor.5", pid 7904, jiffies 4295639974 (age 99.530s)
  hex dump (first 16 bytes):
    02 00 96 03 81 88 ff ff 20 b7 7a 06 81 88 ff ff  ........ .z.....
  backtrace:
    [<00000000ebeb89af>] kmalloc include/linux/slab.h:552 [inline]
    [<00000000ebeb89af>] bpf_prog_store_orig_filter.isra.0+0x83/0x1f0 net/core/filter.c:1135
    [<00000000db7c48f4>] __get_filter+0x1ec/0x2c0 net/core/filter.c:1502
    [<0000000097e262d5>] sk_attach_filter+0x20/0x300 net/core/filter.c:1526
    [<00000000db579581>] sock_setsockopt+0x2100/0x2710 net/core/sock.c:1060
    [<000000008861d9e3>] mptcp_setsockopt_sol_socket net/mptcp/protocol.c:2752 [inline]
    [<000000008861d9e3>] mptcp_setsockopt+0x3b7/0x760 net/mptcp/protocol.c:2791
    [<00000000cd80c519>] __sys_setsockopt+0x154/0x390 net/socket.c:2109
    [<00000000e3db7e12>] __do_sys_setsockopt net/socket.c:2120 [inline]
    [<00000000e3db7e12>] __se_sys_setsockopt net/socket.c:2117 [inline]
    [<00000000e3db7e12>] __x64_sys_setsockopt+0xba/0x150 net/socket.c:2117
    [<00000000a8f9d425>] do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
    [<00000000d41d03c0>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff8881067ab720 (size 16):
  comm "syz-executor.5", pid 7904, jiffies 4295639974 (age 99.530s)
  hex dump (first 16 bytes):
    34 00 00 00 22 53 00 00 06 00 00 00 05 00 00 00  4..."S..........
  backtrace:
    [<00000000a1d7cbac>] kmemdup+0x23/0x50 mm/util.c:128
    [<0000000052719007>] kmemdup include/linux/string.h:472 [inline]
    [<0000000052719007>] bpf_prog_store_orig_filter.isra.0+0x114/0x1f0 net/core/filter.c:1142
    [<00000000db7c48f4>] __get_filter+0x1ec/0x2c0 net/core/filter.c:1502
    [<0000000097e262d5>] sk_attach_filter+0x20/0x300 net/core/filter.c:1526
    [<00000000db579581>] sock_setsockopt+0x2100/0x2710 net/core/sock.c:1060
    [<000000008861d9e3>] mptcp_setsockopt_sol_socket net/mptcp/protocol.c:2752 [inline]
    [<000000008861d9e3>] mptcp_setsockopt+0x3b7/0x760 net/mptcp/protocol.c:2791
    [<00000000cd80c519>] __sys_setsockopt+0x154/0x390 net/socket.c:2109
    [<00000000e3db7e12>] __do_sys_setsockopt net/socket.c:2120 [inline]
    [<00000000e3db7e12>] __se_sys_setsockopt net/socket.c:2117 [inline]
    [<00000000e3db7e12>] __x64_sys_setsockopt+0xba/0x150 net/socket.c:2117
    [<00000000a8f9d425>] do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
    [<00000000d41d03c0>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

HEAD is at:
68fb0bb ("DO-NOT-MERGE: mptcp: enabled by default") (HEAD, tag: export/20201120T184745, mptcp_net-next/export) (10 days ago)
135baa6 ("DO-NOT-MERGE: mptcp: use kmalloc on kasan build") (10 days ago)
501cae4 ("mptcp: use mptcp release_cb for delayed tasks") (10 days ago)
9f8e50c ("mptcp: avoid a few atomic ops in the rx path") (10 days ago)
a5b12eb ("mptcp: allocate TX skbs in msk context") (10 days ago)
b800415 ("mptcp: protect the rx path with the msk socket spinlock") (10 days ago)
20e1cdd ("mptcp: implement wmem reservation") (10 days ago)
5fb346f ("mptcp: open code mptcp variant for lock_sock") (10 days ago)
0dab9a0 ("mptcp: print out port and ahmac when receiving ADD_ADDR") (10 days ago)
257944f ("mptcp: add port parameter for mptcp_pm_announce_addr") (10 days ago)
dad7440 ("mptcp: send out dedicated packet for ADD_ADDR using port") (10 days ago)
935c768 ("mptcp: add the outgoing ADD_ADDR port support") (10 days ago)
3820b27 ("mptcp: use adding up size to get ADD_ADDR length") (10 days ago)
a09e810 ("mptcp: add port support for ADD_ADDR suboption writing") (10 days ago)
05ff94e ("mptcp: unify ADD_ADDR and ADD_ADDR6 suboptions writing") (10 days ago)
b424baa ("mptcp: unify ADD_ADDR and echo suboptions writing") (10 days ago)
b1007aa ("mptcp: refine MPTCP-level ack scheduling") (10 days ago)
c718c18 ("mptcp: track window announced to peer") (10 days ago)
941aa7e ("selftests: mptcp: add ADD_ADDR IPv6 test cases") (10 days ago)
5db0ba8 ("mptcp: send out dedicated ADD_ADDR packet") (10 days ago)
8ef3c33 ("mptcp: change add_addr_signal type") (10 days ago)
0493cf3 ("mptcp: keep unaccepted MPC subflow into join list") (10 days ago)
0b55511 ("selftests: mptcp: add link failure test case") (10 days ago)
21644a9 ("mptcp: skip to next candidate if subflow has unacked data") (10 days ago)
ffbf299 ("bpf:selftests: add bpf_mptcp_sock() verifier tests") (10 days ago)
954d68c ("bpf:selftests: add MPTCP test base") (10 days ago)
c6e76cc ("bpf: add 'bpf_mptcp_sock' structure and helper") (10 days ago)
593af25 ("mptcp: attach subflow socket to parent cgroup") (10 days ago)
0a18c41 ("bpf: expose is_mptcp flag to bpf_tcp_sock") (10 days ago)
77ec7c2 ("mptcp: fix state tracking for fallback socket") (10 days ago)
3b75adb ("mptcp: drop WORKER_RUNNING status bit") (10 days ago)
51a3d22 ("mptcp: update rtx timeout only if required.") (10 days ago)
e76d795 ("nfc: s3fwrn5: Change the error code") (mptcp_net-next/net-next) (12 days ago)

No reproducer yet.

CONFIG-file:
CONFIG.txt

@cpaasch
Member Author

cpaasch commented Jan 21, 2021

No more seen for a while. Let's close it in a week.

@cpaasch
Member Author

cpaasch commented Mar 18, 2021

No more happening since then. Closing.

@cpaasch cpaasch closed this as completed Mar 18, 2021
matttbe pushed a commit that referenced this issue Jan 26, 2024
Like commit 1cf3bfc ("bpf: Support 64-bit pointers to kfuncs")
for s390x, add support for 64-bit pointers to kfuncs for LoongArch.
Since the infrastructure is already implemented in BPF core, the only
thing that needs to be done is to override bpf_jit_supports_far_kfunc_call().

Before this change, several test_verifier tests failed:

  # ./test_verifier | grep # | grep FAIL
  #119/p calls: invalid kfunc call: ptr_to_mem to struct with non-scalar FAIL
  #120/p calls: invalid kfunc call: ptr_to_mem to struct with nesting depth > 4 FAIL
  #121/p calls: invalid kfunc call: ptr_to_mem to struct with FAM FAIL
  #122/p calls: invalid kfunc call: reg->type != PTR_TO_CTX FAIL
  #123/p calls: invalid kfunc call: void * not allowed in func proto without mem size arg FAIL
  #124/p calls: trigger reg2btf_ids[reg->type] for reg->type > __BPF_REG_TYPE_MAX FAIL
  #125/p calls: invalid kfunc call: reg->off must be zero when passed to release kfunc FAIL
  #126/p calls: invalid kfunc call: don't match first member type when passed to release kfunc FAIL
  #127/p calls: invalid kfunc call: PTR_TO_BTF_ID with negative offset FAIL
  #128/p calls: invalid kfunc call: PTR_TO_BTF_ID with variable offset FAIL
  #129/p calls: invalid kfunc call: referenced arg needs refcounted PTR_TO_BTF_ID FAIL
  #130/p calls: valid kfunc call: referenced arg needs refcounted PTR_TO_BTF_ID FAIL
  #486/p map_kptr: ref: reference state created and released on xchg FAIL

This is because the kfuncs in the loaded module are far away from
__bpf_call_base:

  ffff800002009440 t bpf_kfunc_call_test_fail1    [bpf_testmod]
  9000000002e128d8 T __bpf_call_base

The offset relative to __bpf_call_base does NOT fit in s32, which breaks
the assumption in BPF core. Enabling bpf_jit_supports_far_kfunc_call() lifts
this limit.

Note that to reproduce the above result, tools/testing/selftests/bpf/config
should be applied, and run the test with JIT enabled, unpriv BPF enabled.

With this change, the test_verifier tests now all pass:

  # ./test_verifier
  ...
  Summary: 777 PASSED, 0 SKIPPED, 0 FAILED

Tested-by: Tiezhu Yang <[email protected]>
Signed-off-by: Hengqi Chen <[email protected]>
Signed-off-by: Huacai Chen <[email protected]>
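The s32 limit the commit message describes, reproduced on the two addresses it quotes, as an added example that is neither the page's nor the kernel's own code (the helper name and the round-trip check are mine; the kernel's own fixup logic is not shown here):

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* BPF core encodes a kfunc call target as a signed 32-bit displacement
 * from __bpf_call_base. This helper (constructed for illustration) applies
 * that encoding and reports whether the displacement round-trips, i.e.
 * whether base + sign_extend(imm) reproduces the original address. */
static bool kfunc_offset_fits_s32(uint64_t kfunc_addr, uint64_t call_base,
                                  int32_t *imm_out)
{
    /* Two's-complement difference: wraps modulo 2^64, then reinterpreted
     * as signed so a target below the base yields a negative delta. */
    int64_t delta = (int64_t)(kfunc_addr - call_base);

    if (delta < INT32_MIN || delta > INT32_MAX)
        return false;               /* cannot be expressed as insn->imm */

    *imm_out = (int32_t)delta;
    /* Sign-extend imm back to 64 bits and check it lands on the target. */
    return call_base + (uint64_t)(int64_t)*imm_out == kfunc_addr;
}

/* Addresses quoted in the commit message above (LoongArch test run). */
#define KFUNC_IN_MODULE  0xffff800002009440ULL  /* bpf_kfunc_call_test_fail1 */
#define BPF_CALL_BASE    0x9000000002e128d8ULL  /* __bpf_call_base */

int main(void)
{
    int32_t imm = 0;

    /* Module kfunc far from the kernel image: the s32 encoding fails. */
    printf("module kfunc fits s32: %s\n",
           kfunc_offset_fits_s32(KFUNC_IN_MODULE, BPF_CALL_BASE, &imm)
               ? "yes" : "no");

    /* A constructed in-image target a few KiB past the base still fits. */
    printf("near kfunc fits s32: %s (imm=%d)\n",
           kfunc_offset_fits_s32(BPF_CALL_BASE + 0x1000, BPF_CALL_BASE, &imm)
               ? "yes" : "no",
           imm);
    return 0;
}
```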