Syzkaller hit 'memory leak in do_seccomp' bug.

2021/12/11 06:23:55 executed programs: 15
2021/12/11 06:24:03 executed programs: 17
2021/12/11 06:24:11 executed programs: 19

BUG: memory leak
unreferenced object 0xffff88800d769000 (size 512):
  comm "syz-executor.0", pid 867, jiffies 4295137561 (age 21.462s)
  hex dump (first 32 bytes):
    01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
    ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  ................
  backtrace:
    [<000000008dd43d55>] kmalloc include/linux/slab.h:581 [inline]
    [<000000008dd43d55>] kzalloc include/linux/slab.h:715 [inline]
    [<000000008dd43d55>] seccomp_prepare_filter kernel/seccomp.c:661 [inline]
    [<000000008dd43d55>] seccomp_prepare_user_filter kernel/seccomp.c:703 [inline]
    [<000000008dd43d55>] seccomp_set_mode_filter kernel/seccomp.c:1824 [inline]
    [<000000008dd43d55>] do_seccomp+0x2d5/0x27e0 kernel/seccomp.c:1944
    [<00000000d018d7ee>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    [<00000000d018d7ee>] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
    [<0000000088336466>] entry_SYSCALL_64_after_hwframe+0x44/0xae

BUG: memory leak
unreferenced object 0xffffc90000714000 (size 4096):
  comm "syz-executor.0", pid 867, jiffies 4295137561 (age 21.462s)
  hex dump (first 32 bytes):
    01 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<000000008c4f3579>] __vmalloc_node_range+0x8a7/0xe70 mm/vmalloc.c:3110
    [<00000000b69e6a08>] __vmalloc_node+0xb5/0x100 mm/vmalloc.c:3147
    [<0000000087b26107>] bpf_prog_alloc_no_stats+0x38/0x340 kernel/bpf/core.c:88
    [<00000000b6d5e2fd>] bpf_prog_alloc+0x24/0x170 kernel/bpf/core.c:122
    [<00000000c5471122>] bpf_prog_create_from_user+0xad/0x2e0 net/core/filter.c:1413
    [<000000009050a743>] seccomp_prepare_filter kernel/seccomp.c:666 [inline]
    [<000000009050a743>] seccomp_prepare_user_filter kernel/seccomp.c:703 [inline]
    [<000000009050a743>] seccomp_set_mode_filter kernel/seccomp.c:1824 [inline]
    [<000000009050a743>] do_seccomp+0x325/0x27e0 kernel/seccomp.c:1944
    [<00000000d018d7ee>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    [<00000000d018d7ee>] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
    [<0000000088336466>] entry_SYSCALL_64_after_hwframe+0x44/0xae

BUG: memory leak
unreferenced object 0xffff8880183c8000 (size 2048):
  comm "syz-executor.0", pid 867, jiffies 4295137561 (age 21.462s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<000000000231d3a0>] kmalloc include/linux/slab.h:581 [inline]
    [<000000000231d3a0>] kzalloc include/linux/slab.h:715 [inline]
    [<000000000231d3a0>] bpf_prog_alloc_no_stats+0xeb/0x340 kernel/bpf/core.c:92
    [<00000000b6d5e2fd>] bpf_prog_alloc+0x24/0x170 kernel/bpf/core.c:122
    [<00000000c5471122>] bpf_prog_create_from_user+0xad/0x2e0 net/core/filter.c:1413
    [<000000009050a743>] seccomp_prepare_filter kernel/seccomp.c:666 [inline]
    [<000000009050a743>] seccomp_prepare_user_filter kernel/seccomp.c:703 [inline]
    [<000000009050a743>] seccomp_set_mode_filter kernel/seccomp.c:1824 [inline]
    [<000000009050a743>] do_seccomp+0x325/0x27e0 kernel/seccomp.c:1944
    [<00000000d018d7ee>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    [<00000000d018d7ee>] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
    [<0000000088336466>] entry_SYSCALL_64_after_hwframe+0x44/0xae

BUG: memory leak
unreferenced object 0xffff8880085d0940 (size 16):
  comm "syz-executor.0", pid 867, jiffies 4295137561 (age 21.462s)
  hex dump (first 16 bytes):
    01 00 f2 0d 80 88 ff ff 48 c8 79 08 80 88 ff ff  ........H.y.....
  backtrace:
    [<000000009a915644>] kmalloc include/linux/slab.h:581 [inline]
    [<000000009a915644>] bpf_prog_store_orig_filter+0x7b/0x1e0 net/core/filter.c:1136
    [<000000002a4ce91f>] bpf_prog_create_from_user+0x1c6/0x2e0 net/core/filter.c:1426
    [<000000009050a743>] seccomp_prepare_filter kernel/seccomp.c:666 [inline]
    [<000000009050a743>] seccomp_prepare_user_filter kernel/seccomp.c:703 [inline]
    [<000000009050a743>] seccomp_set_mode_filter kernel/seccomp.c:1824 [inline]
    [<000000009050a743>] do_seccomp+0x325/0x27e0 kernel/seccomp.c:1944
    [<00000000d018d7ee>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    [<00000000d018d7ee>] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
    [<0000000088336466>] entry_SYSCALL_64_after_hwframe+0x44/0xae

BUG: memory leak
unreferenced object 0xffff88800879c848 (size 8):
  comm "syz-executor.0", pid 867, jiffies 4295137561 (age 21.462s)
  hex dump (first 8 bytes):
    06 00 00 00 00 00 ff 7f  ........
  backtrace:
    [<00000000d93ee775>] kmemdup+0x23/0x50 mm/util.c:128
    [<000000004ebafec9>] kmemdup include/linux/fortify-string.h:304 [inline]
    [<000000004ebafec9>] bpf_prog_store_orig_filter+0x103/0x1e0 net/core/filter.c:1143
    [<000000002a4ce91f>] bpf_prog_create_from_user+0x1c6/0x2e0 net/core/filter.c:1426
    [<000000009050a743>] seccomp_prepare_filter kernel/seccomp.c:666 [inline]
    [<000000009050a743>] seccomp_prepare_user_filter kernel/seccomp.c:703 [inline]
    [<000000009050a743>] seccomp_set_mode_filter kernel/seccomp.c:1824 [inline]
    [<000000009050a743>] do_seccomp+0x325/0x27e0 kernel/seccomp.c:1944
    [<00000000d018d7ee>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    [<00000000d018d7ee>] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
    [<0000000088336466>] entry_SYSCALL_64_after_hwframe+0x44/0xae

Syzkaller reproducer:

# {Threaded:true Collide:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none Leak:true NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true UseTmpDir:true HandleSegv:true Repro:false Trace:false LegacyOptions:{Fault:false FaultCall:0 FaultNth:0}}
r0 = openat(0xffffffffffffff9c, 0x0, 0x101042, 0x0)
r1 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000040)={0x1, &(0x7f0000000100)=[{0x6, 0x0, 0x0, 0x7fff0000}]})
ioctl$BTRFS_IOC_GET_SUBVOL_INFO(r0, 0x81f8943c, 0x0)
ioctl$BTRFS_IOC_GET_SUBVOL_INFO(0xffffffffffffffff, 0x81f8943c, 0x0)
ioctl$BTRFS_IOC_GET_SUBVOL_INFO(r0, 0x81f8943c, 0x0)
ioctl$BTRFS_IOC_TREE_SEARCH(r1, 0xd0009411, 0x0)
ioctl$BTRFS_IOC_INO_LOOKUP_USER(r0, 0xd000943e, 0x0)
ioctl$BTRFS_IOC_TREE_SEARCH(r0, 0xd0009411, 0x0)
ioctl$BTRFS_IOC_GET_SUBVOL_ROOTREF(r0, 0xd000943d, 0x0)
ioctl$BTRFS_IOC_TREE_SEARCH_V2(r0, 0xc0709411, 0x0)
ioctl$BTRFS_IOC_TREE_SEARCH(r1, 0xd0009411, 0x0)
ioctl$BTRFS_IOC_INO_LOOKUP_USER(r1, 0xd000943e, 0x0)
ioctl$BTRFS_IOC_GET_SUBVOL_ROOTREF(r1, 0xd000943d, 0x0)
ioctl$BTRFS_IOC_TREE_SEARCH(r0, 0xd0009411, 0x0)
ioctl$BTRFS_IOC_GET_SUBVOL_ROOTREF(r0, 0xd000943d, 0x0)
ioctl$BTRFS_IOC_GET_SUBVOL_ROOTREF(r1, 0xd000943d, 0x0)
fdatasync(r0)
r2 = fork()
wait4(r2, 0x0, 0x1, 0x0)