[Linux Kernel Bug][ipv6/udp] memory leak in __ip6_append_data

From: Chenyuan Yang
Date: Fri Jan 26 2024 - 18:17:23 EST

Next message: Ricardo Ribalda: "[PATCH 00/17] media: kerneldoc warnings"
Previous message: Chris Li: "Re: [PATCH RFC 1/6] arm64: mm: swap: support THP_SWAP on hardware with MTE"
Next in thread: Willem de Bruijn: "Re: [Linux Kernel Bug][ipv6/udp] memory leak in __ip6_append_data"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Dear Linux Developers for Ipv6 Network,

We encountered "memory leak in __ip6_append_data" when testing the
ipv6 udp socket with Syzkaller and our generated specifications.

The reproducers and config for the kernel are attached.

```
BUG: memory leak
unreferenced object 0xffff888018322900 (size 240):
comm "syz-executor115", pid 8030, jiffies 4294985782 (age 11.650s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 40 5a 8b 14 80 88 ff ff ........@Z......
backtrace:
[<ffffffff81625419>] kmemleak_alloc_recursive
include/linux/kmemleak.h:42 [inline]
[<ffffffff81625419>] slab_post_alloc_hook mm/slab.h:766 [inline]
[<ffffffff81625419>] slab_alloc_node mm/slub.c:3478 [inline]
[<ffffffff81625419>] kmem_cache_alloc_node+0x2e9/0x440 mm/slub.c:3523
[<ffffffff83e747e7>] __alloc_skb+0x1f7/0x220 net/core/skbuff.c:641
[<ffffffff83e6a06b>] alloc_skb include/linux/skbuff.h:1286 [inline]
[<ffffffff83e6a06b>] sock_omalloc+0x5b/0xa0 net/core/sock.c:2657
[<ffffffff83e7d702>] msg_zerocopy_alloc net/core/skbuff.c:1552 [inline]
[<ffffffff83e7d702>] msg_zerocopy_realloc+0xf2/0x340 net/core/skbuff.c:1628
[<ffffffff8430d3a2>] __ip6_append_data.isra.0+0x1432/0x1e50
net/ipv6/ip6_output.c:1517
[<ffffffff8430decf>] ip6_append_data+0x10f/0x2e0 net/ipv6/ip6_output.c:1832
[<ffffffff84352bd1>] udpv6_sendmsg+0x851/0x1690 net/ipv6/udp.c:1602
[<ffffffff84305b39>] inet6_sendmsg+0x49/0x70 net/ipv6/af_inet6.c:657
[<ffffffff83e5e954>] sock_sendmsg_nosec net/socket.c:730 [inline]
[<ffffffff83e5e954>] __sock_sendmsg+0x54/0xb0 net/socket.c:745
[<ffffffff83e61982>] __sys_sendto+0x172/0x220 net/socket.c:2194
[<ffffffff83e61a58>] __do_sys_sendto net/socket.c:2206 [inline]
[<ffffffff83e61a58>] __se_sys_sendto net/socket.c:2202 [inline]
[<ffffffff83e61a58>] __x64_sys_sendto+0x28/0x30 net/socket.c:2202
[<ffffffff84ae676f>] do_syscall_x64 arch/x86/entry/common.c:51 [inline]
[<ffffffff84ae676f>] do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
[<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0x6b

BUG: memory leak
unreferenced object 0xffff888014a58280 (size 640):
comm "syz-executor115", pid 8030, jiffies 4294985782 (age 11.650s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff81625419>] kmemleak_alloc_recursive
include/linux/kmemleak.h:42 [inline]
[<ffffffff81625419>] slab_post_alloc_hook mm/slab.h:766 [inline]
[<ffffffff81625419>] slab_alloc_node mm/slub.c:3478 [inline]
[<ffffffff81625419>] kmem_cache_alloc_node+0x2e9/0x440 mm/slub.c:3523
[<ffffffff83e70b20>] kmalloc_reserve+0xe0/0x170 net/core/skbuff.c:560
[<ffffffff83e746c1>] __alloc_skb+0xd1/0x220 net/core/skbuff.c:651
[<ffffffff83e6a06b>] alloc_skb include/linux/skbuff.h:1286 [inline]
[<ffffffff83e6a06b>] sock_omalloc+0x5b/0xa0 net/core/sock.c:2657
[<ffffffff83e7d702>] msg_zerocopy_alloc net/core/skbuff.c:1552 [inline]
[<ffffffff83e7d702>] msg_zerocopy_realloc+0xf2/0x340 net/core/skbuff.c:1628
[<ffffffff8430d3a2>] __ip6_append_data.isra.0+0x1432/0x1e50
net/ipv6/ip6_output.c:1517
[<ffffffff8430decf>] ip6_append_data+0x10f/0x2e0 net/ipv6/ip6_output.c:1832
[<ffffffff84352bd1>] udpv6_sendmsg+0x851/0x1690 net/ipv6/udp.c:1602
[<ffffffff84305b39>] inet6_sendmsg+0x49/0x70 net/ipv6/af_inet6.c:657
[<ffffffff83e5e954>] sock_sendmsg_nosec net/socket.c:730 [inline]
[<ffffffff83e5e954>] __sock_sendmsg+0x54/0xb0 net/socket.c:745
[<ffffffff83e61982>] __sys_sendto+0x172/0x220 net/socket.c:2194
[<ffffffff83e61a58>] __do_sys_sendto net/socket.c:2206 [inline]
[<ffffffff83e61a58>] __se_sys_sendto net/socket.c:2202 [inline]
[<ffffffff83e61a58>] __x64_sys_sendto+0x28/0x30 net/socket.c:2202
[<ffffffff84ae676f>] do_syscall_x64 arch/x86/entry/common.c:51 [inline]
[<ffffffff84ae676f>] do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
[<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0x6b

Syzkaller reproducer:
# {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:
SandboxArg:0 Leak:true NetInjection:false NetDevices:false
NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false
KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false
Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false
HandleSegv:false Repro:false Trace:false LegacyOptions:{Collide:false
Fault:false FaultCall:0 FaultNth:0}}
r0 = socket$KGPT_inet6_udp(0xa, 0x2, 0x11)
setsockopt$sock_int(r0, 0x1, 0x3c, &(0x7f0000000000)=0x1, 0x4)
sendto$KGPT_inet6_dgram_ops(r0, 0x0, 0x0, 0x24008006,
&(0x7f0000000180)={0xa, 0x4e20, 0x0, @loopback, 0x6}, 0x1c) (async)
sendto$KGPT_inet6_dgram_ops(r0, &(0x7f00000015c0)="98", 0x1,
0x4000040, &(0x7f0000000040)={0xa, 0x4e24, 0x0, @empty, 0x1}, 0x1c)
(rerun: 64)
```

It seems that when sending the message, `__ip6_append_data` tries
allocating the memory for the new message by `msg_zerocopy_realloc`
(https://elixir.bootlin.com/linux/v6.7/source/net/ipv6/ip6_output.c#L1517),
whose memory is leaked.

If you have any questions or require more information, please feel
free to contact us.

Reported-by: Chenyuan Yang <chenyuan0y@xxxxxxxxx>

Best,
Chenyuan

Attachment: report-and-repro
Description: Binary data

Attachment: config
Description: Binary data

Next message: Ricardo Ribalda: "[PATCH 00/17] media: kerneldoc warnings"
Previous message: Chris Li: "Re: [PATCH RFC 1/6] arm64: mm: swap: support THP_SWAP on hardware with MTE"
Next in thread: Willem de Bruijn: "Re: [Linux Kernel Bug][ipv6/udp] memory leak in __ip6_append_data"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]