Re: net/tipc: memory leak in tipc_release

2016-02-04 Thread Dmitry Vyukov
On Thu, Dec 31, 2015 at 11:35 AM, Dmitry Vyukov  wrote:
> Hello,
>
> The following program, if run in a parallel loop, leads to a leak of 2
> objects allocated in tipc_release:
>
> // autogenerated by syzkaller (http://github.com/google/syzkaller)
> #include 
> #include 
> #include 
> #include 
> #include 
>
> long r[86];
>
> int main()
> {
> memset(r, -1, sizeof(r));
> r[0] = syscall(SYS_mmap, 0x2000ul, 0x11000ul, 0x3ul,
> 0x32ul, 0xul, 0x0ul);
> r[1] = syscall(SYS_eventfd, 0x7ul, 0, 0, 0, 0, 0);
> r[2] = syscall(SYS_close, r[1], 0, 0, 0, 0, 0);
> r[3] = syscall(SYS_socket, 0x1eul, 0x2ul, 0x0ul, 0, 0, 0);
> r[4] = syscall(SYS_io_setup, 0x5ul, 0x20001d8bul, 0, 0, 0, 0);
> if (r[4] != -1)
> r[5] = *(uint64_t*)0x20001d8b;
> r[6] = syscall(SYS_fcntl, r[1], 0x406ul, r[3], 0, 0, 0);
> *(uint16_t*)0x20007000 = (uint16_t)0x27;
> *(uint32_t*)0x20007002 = (uint32_t)0x3;
> *(uint32_t*)0x20007006 = (uint32_t)0x6;
> *(uint32_t*)0x2000700a = (uint32_t)0x1;
> r[11] = syscall(SYS_connect, r[6], 0x20007000ul, 0x10ul, 0, 0, 0);
> r[12] = syscall(SYS_dup3, r[6], r[1], 0x8ul, 0, 0, 0);
> *(uint64_t*)0x20002000 = (uint64_t)0x20002fc0;
> *(uint64_t*)0x20002008 = (uint64_t)0x20002fd8;
> *(uint64_t*)0x20002010 = (uint64_t)0x2000246d;
> *(uint64_t*)0x20002fc0 = (uint64_t)0x8;
> *(uint32_t*)0x20002fc8 = (uint32_t)0x0;
> *(uint32_t*)0x20002fcc = (uint32_t)0x9;
> *(uint16_t*)0x20002fd0 = (uint16_t)0x5;
> *(uint16_t*)0x20002fd2 = (uint16_t)0x0;
> *(uint32_t*)0x20002fd4 = r[1];
> *(uint64_t*)0x20002fd8 = (uint64_t)0x20002934;
> *(uint64_t*)0x20002fe0 = (uint64_t)0x5e;
> *(uint64_t*)0x20002fe8 = (uint64_t)0xfff7;
> *(uint64_t*)0x20002ff0 = (uint64_t)0x20002000;
> *(uint32_t*)0x20002ff8 = (uint32_t)0x0;
> *(uint32_t*)0x20002ffc = r[1];
> *(uint64_t*)0x20002000 = (uint64_t)0x20003000;
> *(uint32_t*)0x20002008 = (uint32_t)0x5;
> *(uint32_t*)0x2000200c = (uint32_t)0x2;
> *(uint64_t*)0x20002010 = (uint64_t)0x1;
> *(uint64_t*)0x20002018 = (uint64_t)0x7;
> *(uint64_t*)0x20002020 = (uint64_t)0x2;
> *(uint64_t*)0x20002028 = (uint64_t)0x4;
> *(uint64_t*)0x20002030 = (uint64_t)0x0;
> *(uint64_t*)0x20002038 = (uint64_t)0x1;
> *(uint64_t*)0x20002040 = (uint64_t)0x4;
> *(uint64_t*)0x20002048 = (uint64_t)0x9;
> *(uint64_t*)0x20002fd8 = (uint64_t)0x5;
> *(uint32_t*)0x20002fe0 = (uint32_t)0x0;
> *(uint32_t*)0x20002fe4 = (uint32_t)0x8;
> *(uint16_t*)0x20002fe8 = (uint16_t)0x7;
> *(uint16_t*)0x20002fea = (uint16_t)0x;
> *(uint32_t*)0x20002fec = (uint32_t)0x;
> *(uint64_t*)0x20002ff0 = (uint64_t)0x20005fe3;
> *(uint64_t*)0x20002ff8 = (uint64_t)0x2e;
> *(uint64_t*)0x20003000 = (uint64_t)0x8;
> *(uint64_t*)0x20003008 = (uint64_t)0x20002a50;
> *(uint32_t*)0x20003010 = (uint32_t)0x1;
> *(uint32_t*)0x20003014 = r[1];
> *(uint64_t*)0x20002a50 = (uint64_t)0x20003000;
> *(uint32_t*)0x20002a58 = (uint32_t)0xb;
> *(uint32_t*)0x20002a5c = (uint32_t)0x1;
> *(uint64_t*)0x20002a60 = (uint64_t)0x5;
> *(uint64_t*)0x20002a68 = (uint64_t)0xacf;
> *(uint64_t*)0x20002a70 = (uint64_t)0x8a;
> *(uint64_t*)0x20002a78 = (uint64_t)0x3;
> *(uint64_t*)0x20002a80 = (uint64_t)0x8d;
> *(uint64_t*)0x20002a88 = (uint64_t)0xf5a;
> *(uint64_t*)0x20002a90 = (uint64_t)0xd94;
> *(uint64_t*)0x20002a98 = (uint64_t)0x9;
> *(uint64_t*)0x2000246d = (uint64_t)0x0;
> *(uint32_t*)0x20002475 = (uint32_t)0x0;
> *(uint32_t*)0x20002479 = (uint32_t)0x2;
> *(uint16_t*)0x2000247d = (uint16_t)0x2;
> *(uint16_t*)0x2000247f = (uint16_t)0x0;
> *(uint32_t*)0x20002481 = r[1];
> *(uint64_t*)0x20002485 = (uint64_t)0x20002d52;
> *(uint64_t*)0x2000248d = (uint64_t)0x11;
> *(uint64_t*)0x20002495 = (uint64_t)0x4;
> *(uint64_t*)0x2000249d = (uint64_t)0x20002fb0;
> *(uint32_t*)0x200024a5 = (uint32_t)0x1;
> *(uint32_t*)0x200024a9 = r[1];
> *(uint64_t*)0x20002fb0 = (uint64_t)0x20003000;
> *(uint32_t*)0x20002fb8 = (uint32_t)0x4;
> *(uint32_t*)0x20002fbc = (uint32_t)0x2;
> *(uint64_t*)0x20002fc0 = (uint64_t)0x3;
> *(uint64_t*)0x20002fc8 = (uint64_t)0x6;
> *(uint64_t*)0x20002fd0 = (uint64_t)0xe3;
> *(uint64_t*)0x20002fd8 = (uint64_t)0xee;
> *(uint64_t*)0x20002fe0 = (uint64_t)0x8;
> *(uint64_t*)0x20002fe8 = (uint64_t)0x1;
> *(uint64_t*)0x20002ff0 = (uint64_t)0x4;
> *(uint64_t*)0x20002ff8 = (uint64_t)0x8;
> r[85] = syscall(SYS_io_submit, r[5], 0x3ul, 0x20002000ul, 0

net/tipc: memory leak in tipc_release

2015-12-31 Thread Dmitry Vyukov
Hello,

The following program, if run in a parallel loop, leads to a leak of 2
objects allocated in tipc_release:

// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include 
#include 
#include 
#include 
#include 

/* Number of syscall result slots the generated program records. */
enum { NR_RESULTS = 86 };

/*
 * Return value of each syscall, indexed by its position in main().
 * main() first fills the whole array with -1, so a slot that is never
 * assigned is indistinguishable from a failed call.
 */
long r[NR_RESULTS];

/*
 * Entry point of the syzkaller-generated reproducer attached to the report.
 *
 * The program is a straight-line sequence of raw syscalls. Every pointer
 * write below targets a fixed virtual address inside the region created by
 * the first call: mmap() of 0x11000 bytes at 0x2000 with prot 0x3
 * (PROT_READ|PROT_WRITE) and flags 0x32 (MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS
 * on x86-64 Linux). The stores are therefore deliberate, but they are only
 * valid if that mapping succeeds, and nothing here checks that it did.
 * Several of the stores are to odd addresses (e.g. 32-bit fields at
 * 0x20007002, a 64-bit read at 0x20001d8b); that is undefined behaviour per
 * the C standard even though x86 tolerates unaligned access.
 *
 * Syscall results are parked in r[] and fed to later calls. The order of the
 * calls is the reproducer itself, so nothing may be reordered or "cleaned
 * up" without potentially losing the leak.
 *
 * Returns 0 unconditionally. The leak is not visible from this process; it is
 * reported by kmemleak (the "unreferenced object" dump further down) after
 * the kernel tears down the leftover descriptors at exit — presumably the
 * TIPC socket in r[3], which is never closed here, is what reaches
 * tipc_release. Confirm against the full kmemleak backtrace.
 *
 * NOTE(review): several hex literals read "0xul" / "0x;" and the #include
 * lines above have lost their header names — that is not valid C. The
 * kmemleak address below also lacks the usual 0xffff kernel prefix, so the
 * archive appears to have dropped runs of 'f' characters. Recover the
 * literals from the original mail before compiling; do not guess them.
 */
int main()
{
/* Every slot starts as -1 (all bytes 0xff), so "never assigned" and "failed" read the same. */
memset(r, -1, sizeof(r));
/* Scratch arena backing all fixed-address stores; the fd argument is the garbled literal mentioned above. */
r[0] = syscall(SYS_mmap, 0x2000ul, 0x11000ul, 0x3ul,
0x32ul, 0xul, 0x0ul);
/* Legacy eventfd syscall: the only meaningful argument is the initial counter (7); syzkaller pads every call to six arguments. */
r[1] = syscall(SYS_eventfd, 0x7ul, 0, 0, 0, 0, 0);
/* The eventfd is closed immediately, but r[1] keeps the now-stale descriptor number and later calls still pass it. */
r[2] = syscall(SYS_close, r[1], 0, 0, 0, 0, 0);
/* socket(30, 2, 0): domain 30 is AF_TIPC, type 2 is SOCK_DGRAM — the object released by tipc_release. */
r[3] = syscall(SYS_socket, 0x1eul, 0x2ul, 0x0ul, 0, 0, 0);
/* io_setup(5, ctxp at the unaligned address 0x20001d8b); the context id is read back only on success. */
r[4] = syscall(SYS_io_setup, 0x5ul, 0x20001d8bul, 0, 0, 0, 0);
if (r[4] != -1)
r[5] = *(uint64_t*)0x20001d8b;
/* fcntl(r[1], 0x406, r[3]): 0x406 is F_DUPFD_CLOEXEC on Linux. r[1] was closed above, so in a
 * single sequential run this presumably fails with EBADF unless the number was recycled — which
 * is exactly what the "parallel loop" in the report makes likely. Unverified here. */
r[6] = syscall(SYS_fcntl, r[1], 0x406ul, r[3], 0, 0, 0);
/* 16-byte sockaddr at 0x20007000: family 0x27 (not AF_TIPC's 30), then three 32-bit fields at unaligned offsets. */
*(uint16_t*)0x20007000 = (uint16_t)0x27;
*(uint32_t*)0x20007002 = (uint32_t)0x3;
*(uint32_t*)0x20007006 = (uint32_t)0x6;
*(uint32_t*)0x2000700a = (uint32_t)0x1;
/* connect(r[6], sockaddr above, 16). */
r[11] = syscall(SYS_connect, r[6], 0x20007000ul, 0x10ul, 0, 0, 0);
/* dup3(r[6], r[1], 0x8): 0x8 is not O_CLOEXEC (0x80000 on x86-64), so this presumably fails with EINVAL; fuzz noise. */
r[12] = syscall(SYS_dup3, r[6], r[1], 0x8ul, 0, 0, 0);
/* Table of three pointers at 0x20002000 — the iocbpp array that io_submit(..., 3, 0x20002000) reads at the end. */
*(uint64_t*)0x20002000 = (uint64_t)0x20002fc0;
*(uint64_t*)0x20002008 = (uint64_t)0x20002fd8;
*(uint64_t*)0x20002010 = (uint64_t)0x2000246d;
/* First control block at 0x20002fc0; several fields carry the stale eventfd number r[1]. */
*(uint64_t*)0x20002fc0 = (uint64_t)0x8;
*(uint32_t*)0x20002fc8 = (uint32_t)0x0;
*(uint32_t*)0x20002fcc = (uint32_t)0x9;
*(uint16_t*)0x20002fd0 = (uint16_t)0x5;
*(uint16_t*)0x20002fd2 = (uint16_t)0x0;
*(uint32_t*)0x20002fd4 = r[1];
*(uint64_t*)0x20002fd8 = (uint64_t)0x20002934;
*(uint64_t*)0x20002fe0 = (uint64_t)0x5e;
*(uint64_t*)0x20002fe8 = (uint64_t)0xfff7;
*(uint64_t*)0x20002ff0 = (uint64_t)0x20002000;
*(uint32_t*)0x20002ff8 = (uint32_t)0x0;
*(uint32_t*)0x20002ffc = r[1];
/* NOTE(review): these stores overwrite the pointer table set up at 0x20002000 just above, so by the
 * time io_submit runs the first entry is 0x20003000 and the other two are not valid pointers.
 * Generated output, presumably intentional fuzz noise; keep as-is. */
*(uint64_t*)0x20002000 = (uint64_t)0x20003000;
*(uint32_t*)0x20002008 = (uint32_t)0x5;
*(uint32_t*)0x2000200c = (uint32_t)0x2;
*(uint64_t*)0x20002010 = (uint64_t)0x1;
*(uint64_t*)0x20002018 = (uint64_t)0x7;
*(uint64_t*)0x20002020 = (uint64_t)0x2;
*(uint64_t*)0x20002028 = (uint64_t)0x4;
*(uint64_t*)0x20002030 = (uint64_t)0x0;
*(uint64_t*)0x20002038 = (uint64_t)0x1;
*(uint64_t*)0x20002040 = (uint64_t)0x4;
*(uint64_t*)0x20002048 = (uint64_t)0x9;
/* Second pass over 0x20002fd8.., partly clobbering the block written above; two literals here are garbled ("0x;"). */
*(uint64_t*)0x20002fd8 = (uint64_t)0x5;
*(uint32_t*)0x20002fe0 = (uint32_t)0x0;
*(uint32_t*)0x20002fe4 = (uint32_t)0x8;
*(uint16_t*)0x20002fe8 = (uint16_t)0x7;
*(uint16_t*)0x20002fea = (uint16_t)0x;
*(uint32_t*)0x20002fec = (uint32_t)0x;
*(uint64_t*)0x20002ff0 = (uint64_t)0x20005fe3;
*(uint64_t*)0x20002ff8 = (uint64_t)0x2e;
/* Block at 0x20003000 — the address the overwritten first table entry now points to. */
*(uint64_t*)0x20003000 = (uint64_t)0x8;
*(uint64_t*)0x20003008 = (uint64_t)0x20002a50;
*(uint32_t*)0x20003010 = (uint32_t)0x1;
*(uint32_t*)0x20003014 = r[1];
/* Block at 0x20002a50, referenced from 0x20003008. */
*(uint64_t*)0x20002a50 = (uint64_t)0x20003000;
*(uint32_t*)0x20002a58 = (uint32_t)0xb;
*(uint32_t*)0x20002a5c = (uint32_t)0x1;
*(uint64_t*)0x20002a60 = (uint64_t)0x5;
*(uint64_t*)0x20002a68 = (uint64_t)0xacf;
*(uint64_t*)0x20002a70 = (uint64_t)0x8a;
*(uint64_t*)0x20002a78 = (uint64_t)0x3;
*(uint64_t*)0x20002a80 = (uint64_t)0x8d;
*(uint64_t*)0x20002a88 = (uint64_t)0xf5a;
*(uint64_t*)0x20002a90 = (uint64_t)0xd94;
*(uint64_t*)0x20002a98 = (uint64_t)0x9;
/* Block at the odd address 0x2000246d (every field unaligned); originally the third table entry. */
*(uint64_t*)0x2000246d = (uint64_t)0x0;
*(uint32_t*)0x20002475 = (uint32_t)0x0;
*(uint32_t*)0x20002479 = (uint32_t)0x2;
*(uint16_t*)0x2000247d = (uint16_t)0x2;
*(uint16_t*)0x2000247f = (uint16_t)0x0;
*(uint32_t*)0x20002481 = r[1];
*(uint64_t*)0x20002485 = (uint64_t)0x20002d52;
*(uint64_t*)0x2000248d = (uint64_t)0x11;
*(uint64_t*)0x20002495 = (uint64_t)0x4;
*(uint64_t*)0x2000249d = (uint64_t)0x20002fb0;
*(uint32_t*)0x200024a5 = (uint32_t)0x1;
*(uint32_t*)0x200024a9 = r[1];
/* Block at 0x20002fb0, referenced from 0x2000249d; overlaps and rewrites 0x20002fc0..0x20002ff8 once more. */
*(uint64_t*)0x20002fb0 = (uint64_t)0x20003000;
*(uint32_t*)0x20002fb8 = (uint32_t)0x4;
*(uint32_t*)0x20002fbc = (uint32_t)0x2;
*(uint64_t*)0x20002fc0 = (uint64_t)0x3;
*(uint64_t*)0x20002fc8 = (uint64_t)0x6;
*(uint64_t*)0x20002fd0 = (uint64_t)0xe3;
*(uint64_t*)0x20002fd8 = (uint64_t)0xee;
*(uint64_t*)0x20002fe0 = (uint64_t)0x8;
*(uint64_t*)0x20002fe8 = (uint64_t)0x1;
*(uint64_t*)0x20002ff0 = (uint64_t)0x4;
*(uint64_t*)0x20002ff8 = (uint64_t)0x8;
/* io_submit(ctx = r[5], nr = 3, iocbpp = 0x20002000). r[5] is still -1 if io_setup failed. */
r[85] = syscall(SYS_io_submit, r[5], 0x3ul, 0x20002000ul, 0, 0, 0);
/* No explicit close of r[3]; the kernel releases it (and runs tipc_release) when the process exits. */
return 0;
}


unreferenced object 0x88004be2cf00 (size 456):
  comm "syz-executor", pid 26609, jiffies 4295874528 (age 578.093s)
  hex dump (first 32 bytes):
f8 7a f3 4b 00 88 ff ff f8 7a f3 4b 00 88 ff ff  .z.K.z.K
00 00 00