Re: net/tipc: memory leak in tipc_release
On Thu, Dec 31, 2015 at 11:35 AM, Dmitry Vyukov wrote: > Hello, > > The following program, if run a parallel loop, leads to a leak of 2 > objects allocated in tipc_release: > > // autogenerated by syzkaller (http://github.com/google/syzkaller) > #include > #include > #include > #include > #include > > long r[86]; > > int main() > { > memset(r, -1, sizeof(r)); > r[0] = syscall(SYS_mmap, 0x2000ul, 0x11000ul, 0x3ul, > 0x32ul, 0xul, 0x0ul); > r[1] = syscall(SYS_eventfd, 0x7ul, 0, 0, 0, 0, 0); > r[2] = syscall(SYS_close, r[1], 0, 0, 0, 0, 0); > r[3] = syscall(SYS_socket, 0x1eul, 0x2ul, 0x0ul, 0, 0, 0); > r[4] = syscall(SYS_io_setup, 0x5ul, 0x20001d8bul, 0, 0, 0, 0); > if (r[4] != -1) > r[5] = *(uint64_t*)0x20001d8b; > r[6] = syscall(SYS_fcntl, r[1], 0x406ul, r[3], 0, 0, 0); > *(uint16_t*)0x20007000 = (uint16_t)0x27; > *(uint32_t*)0x20007002 = (uint32_t)0x3; > *(uint32_t*)0x20007006 = (uint32_t)0x6; > *(uint32_t*)0x2000700a = (uint32_t)0x1; > r[11] = syscall(SYS_connect, r[6], 0x20007000ul, 0x10ul, 0, 0, 0); > r[12] = syscall(SYS_dup3, r[6], r[1], 0x8ul, 0, 0, 0); > *(uint64_t*)0x20002000 = (uint64_t)0x20002fc0; > *(uint64_t*)0x20002008 = (uint64_t)0x20002fd8; > *(uint64_t*)0x20002010 = (uint64_t)0x2000246d; > *(uint64_t*)0x20002fc0 = (uint64_t)0x8; > *(uint32_t*)0x20002fc8 = (uint32_t)0x0; > *(uint32_t*)0x20002fcc = (uint32_t)0x9; > *(uint16_t*)0x20002fd0 = (uint16_t)0x5; > *(uint16_t*)0x20002fd2 = (uint16_t)0x0; > *(uint32_t*)0x20002fd4 = r[1]; > *(uint64_t*)0x20002fd8 = (uint64_t)0x20002934; > *(uint64_t*)0x20002fe0 = (uint64_t)0x5e; > *(uint64_t*)0x20002fe8 = (uint64_t)0xfff7; > *(uint64_t*)0x20002ff0 = (uint64_t)0x20002000; > *(uint32_t*)0x20002ff8 = (uint32_t)0x0; > *(uint32_t*)0x20002ffc = r[1]; > *(uint64_t*)0x20002000 = (uint64_t)0x20003000; > *(uint32_t*)0x20002008 = (uint32_t)0x5; > *(uint32_t*)0x2000200c = (uint32_t)0x2; > *(uint64_t*)0x20002010 = (uint64_t)0x1; > *(uint64_t*)0x20002018 = (uint64_t)0x7; > *(uint64_t*)0x20002020 = (uint64_t)0x2; > *(uint64_t*)0x20002028 = (uint64_t)0x4; > *(uint64_t*)0x20002030 = (uint64_t)0x0; > *(uint64_t*)0x20002038 = (uint64_t)0x1; > *(uint64_t*)0x20002040 = (uint64_t)0x4; > *(uint64_t*)0x20002048 = (uint64_t)0x9; > *(uint64_t*)0x20002fd8 = (uint64_t)0x5; > *(uint32_t*)0x20002fe0 = (uint32_t)0x0; > *(uint32_t*)0x20002fe4 = (uint32_t)0x8; > *(uint16_t*)0x20002fe8 = (uint16_t)0x7; > *(uint16_t*)0x20002fea = (uint16_t)0x; > *(uint32_t*)0x20002fec = (uint32_t)0x; > *(uint64_t*)0x20002ff0 = (uint64_t)0x20005fe3; > *(uint64_t*)0x20002ff8 = (uint64_t)0x2e; > *(uint64_t*)0x20003000 = (uint64_t)0x8; > *(uint64_t*)0x20003008 = (uint64_t)0x20002a50; > *(uint32_t*)0x20003010 = (uint32_t)0x1; > *(uint32_t*)0x20003014 = r[1]; > *(uint64_t*)0x20002a50 = (uint64_t)0x20003000; > *(uint32_t*)0x20002a58 = (uint32_t)0xb; > *(uint32_t*)0x20002a5c = (uint32_t)0x1; > *(uint64_t*)0x20002a60 = (uint64_t)0x5; > *(uint64_t*)0x20002a68 = (uint64_t)0xacf; > *(uint64_t*)0x20002a70 = (uint64_t)0x8a; > *(uint64_t*)0x20002a78 = (uint64_t)0x3; > *(uint64_t*)0x20002a80 = (uint64_t)0x8d; > *(uint64_t*)0x20002a88 = (uint64_t)0xf5a; > *(uint64_t*)0x20002a90 = (uint64_t)0xd94; > *(uint64_t*)0x20002a98 = (uint64_t)0x9; > *(uint64_t*)0x2000246d = (uint64_t)0x0; > *(uint32_t*)0x20002475 = (uint32_t)0x0; > *(uint32_t*)0x20002479 = (uint32_t)0x2; > *(uint16_t*)0x2000247d = (uint16_t)0x2; > *(uint16_t*)0x2000247f = (uint16_t)0x0; > *(uint32_t*)0x20002481 = r[1]; > *(uint64_t*)0x20002485 = (uint64_t)0x20002d52; > *(uint64_t*)0x2000248d = (uint64_t)0x11; > *(uint64_t*)0x20002495 = (uint64_t)0x4; > *(uint64_t*)0x2000249d = (uint64_t)0x20002fb0; > *(uint32_t*)0x200024a5 = (uint32_t)0x1; > *(uint32_t*)0x200024a9 = r[1]; > *(uint64_t*)0x20002fb0 = (uint64_t)0x20003000; > *(uint32_t*)0x20002fb8 = (uint32_t)0x4; > *(uint32_t*)0x20002fbc = (uint32_t)0x2; > *(uint64_t*)0x20002fc0 = (uint64_t)0x3; > *(uint64_t*)0x20002fc8 = (uint64_t)0x6; > *(uint64_t*)0x20002fd0 = (uint64_t)0xe3; > *(uint64_t*)0x20002fd8 = (uint64_t)0xee; > *(uint64_t*)0x20002fe0 = (uint64_t)0x8; > *(uint64_t*)0x20002fe8 = (uint64_t)0x1; > *(uint64_t*)0x20002ff0 = (uint64_t)0x4; > *(uint64_t*)0x20002ff8 = (uint64_t)0x8; > r[85] = syscall(SYS_io_submit, r[5], 0x3ul, 0x20002000ul, 0
net/tipc: memory leak in tipc_release
Hello, The following program, if run a parallel loop, leads to a leak of 2 objects allocated in tipc_release: // autogenerated by syzkaller (http://github.com/google/syzkaller) #include #include #include #include #include long r[86]; int main() { memset(r, -1, sizeof(r)); r[0] = syscall(SYS_mmap, 0x2000ul, 0x11000ul, 0x3ul, 0x32ul, 0xul, 0x0ul); r[1] = syscall(SYS_eventfd, 0x7ul, 0, 0, 0, 0, 0); r[2] = syscall(SYS_close, r[1], 0, 0, 0, 0, 0); r[3] = syscall(SYS_socket, 0x1eul, 0x2ul, 0x0ul, 0, 0, 0); r[4] = syscall(SYS_io_setup, 0x5ul, 0x20001d8bul, 0, 0, 0, 0); if (r[4] != -1) r[5] = *(uint64_t*)0x20001d8b; r[6] = syscall(SYS_fcntl, r[1], 0x406ul, r[3], 0, 0, 0); *(uint16_t*)0x20007000 = (uint16_t)0x27; *(uint32_t*)0x20007002 = (uint32_t)0x3; *(uint32_t*)0x20007006 = (uint32_t)0x6; *(uint32_t*)0x2000700a = (uint32_t)0x1; r[11] = syscall(SYS_connect, r[6], 0x20007000ul, 0x10ul, 0, 0, 0); r[12] = syscall(SYS_dup3, r[6], r[1], 0x8ul, 0, 0, 0); *(uint64_t*)0x20002000 = (uint64_t)0x20002fc0; *(uint64_t*)0x20002008 = (uint64_t)0x20002fd8; *(uint64_t*)0x20002010 = (uint64_t)0x2000246d; *(uint64_t*)0x20002fc0 = (uint64_t)0x8; *(uint32_t*)0x20002fc8 = (uint32_t)0x0; *(uint32_t*)0x20002fcc = (uint32_t)0x9; *(uint16_t*)0x20002fd0 = (uint16_t)0x5; *(uint16_t*)0x20002fd2 = (uint16_t)0x0; *(uint32_t*)0x20002fd4 = r[1]; *(uint64_t*)0x20002fd8 = (uint64_t)0x20002934; *(uint64_t*)0x20002fe0 = (uint64_t)0x5e; *(uint64_t*)0x20002fe8 = (uint64_t)0xfff7; *(uint64_t*)0x20002ff0 = (uint64_t)0x20002000; *(uint32_t*)0x20002ff8 = (uint32_t)0x0; *(uint32_t*)0x20002ffc = r[1]; *(uint64_t*)0x20002000 = (uint64_t)0x20003000; *(uint32_t*)0x20002008 = (uint32_t)0x5; *(uint32_t*)0x2000200c = (uint32_t)0x2; *(uint64_t*)0x20002010 = (uint64_t)0x1; *(uint64_t*)0x20002018 = (uint64_t)0x7; *(uint64_t*)0x20002020 = (uint64_t)0x2; *(uint64_t*)0x20002028 = (uint64_t)0x4; *(uint64_t*)0x20002030 = (uint64_t)0x0; *(uint64_t*)0x20002038 = (uint64_t)0x1; *(uint64_t*)0x20002040 = (uint64_t)0x4; *(uint64_t*)0x20002048 = (uint64_t)0x9; *(uint64_t*)0x20002fd8 = (uint64_t)0x5; *(uint32_t*)0x20002fe0 = (uint32_t)0x0; *(uint32_t*)0x20002fe4 = (uint32_t)0x8; *(uint16_t*)0x20002fe8 = (uint16_t)0x7; *(uint16_t*)0x20002fea = (uint16_t)0x; *(uint32_t*)0x20002fec = (uint32_t)0x; *(uint64_t*)0x20002ff0 = (uint64_t)0x20005fe3; *(uint64_t*)0x20002ff8 = (uint64_t)0x2e; *(uint64_t*)0x20003000 = (uint64_t)0x8; *(uint64_t*)0x20003008 = (uint64_t)0x20002a50; *(uint32_t*)0x20003010 = (uint32_t)0x1; *(uint32_t*)0x20003014 = r[1]; *(uint64_t*)0x20002a50 = (uint64_t)0x20003000; *(uint32_t*)0x20002a58 = (uint32_t)0xb; *(uint32_t*)0x20002a5c = (uint32_t)0x1; *(uint64_t*)0x20002a60 = (uint64_t)0x5; *(uint64_t*)0x20002a68 = (uint64_t)0xacf; *(uint64_t*)0x20002a70 = (uint64_t)0x8a; *(uint64_t*)0x20002a78 = (uint64_t)0x3; *(uint64_t*)0x20002a80 = (uint64_t)0x8d; *(uint64_t*)0x20002a88 = (uint64_t)0xf5a; *(uint64_t*)0x20002a90 = (uint64_t)0xd94; *(uint64_t*)0x20002a98 = (uint64_t)0x9; *(uint64_t*)0x2000246d = (uint64_t)0x0; *(uint32_t*)0x20002475 = (uint32_t)0x0; *(uint32_t*)0x20002479 = (uint32_t)0x2; *(uint16_t*)0x2000247d = (uint16_t)0x2; *(uint16_t*)0x2000247f = (uint16_t)0x0; *(uint32_t*)0x20002481 = r[1]; *(uint64_t*)0x20002485 = (uint64_t)0x20002d52; *(uint64_t*)0x2000248d = (uint64_t)0x11; *(uint64_t*)0x20002495 = (uint64_t)0x4; *(uint64_t*)0x2000249d = (uint64_t)0x20002fb0; *(uint32_t*)0x200024a5 = (uint32_t)0x1; *(uint32_t*)0x200024a9 = r[1]; *(uint64_t*)0x20002fb0 = (uint64_t)0x20003000; *(uint32_t*)0x20002fb8 = (uint32_t)0x4; *(uint32_t*)0x20002fbc = (uint32_t)0x2; *(uint64_t*)0x20002fc0 = (uint64_t)0x3; *(uint64_t*)0x20002fc8 = (uint64_t)0x6; *(uint64_t*)0x20002fd0 = (uint64_t)0xe3; *(uint64_t*)0x20002fd8 = (uint64_t)0xee; *(uint64_t*)0x20002fe0 = (uint64_t)0x8; *(uint64_t*)0x20002fe8 = (uint64_t)0x1; *(uint64_t*)0x20002ff0 = (uint64_t)0x4; *(uint64_t*)0x20002ff8 = (uint64_t)0x8; r[85] = syscall(SYS_io_submit, r[5], 0x3ul, 0x20002000ul, 0, 0, 0); return 0; } unreferenced object 0x88004be2cf00 (size 456): comm "syz-executor", pid 26609, jiffies 4295874528 (age 578.093s) hex dump (first 32 bytes): f8 7a f3 4b 00 88 ff ff f8 7a f3 4b 00 88 ff ff .z.K.z.K 00 00 00