syzbot


WARNING: refcount bug in l2tp_session_create

Status: upstream: reported C repro on 2019/06/19 06:54
Reported-by: syzbot+46a11eae4fa1615d9e50@syzkaller.appspotmail.com
First crash: 2017d, last: 1659d
Fix bisection: the fix commit could be any of (bisect log):
  aea8526edf59 Linux 4.14.133
  56dfe6252c68 Linux 4.14.188

Last patch testing requests (2)
Created Duration User Patch Repo Result
2023/01/25 04:32 14m retest repro linux-4.14.y report log
2022/09/07 11:27 9m retest repro linux-4.14.y report log
Fix bisection attempts (8)
Created Duration User Patch Repo Result
2020/07/11 08:36 29m bisect fix linux-4.14.y OK (2) job log
2020/06/11 08:12 24m bisect fix linux-4.14.y OK (0) job log log
2020/05/12 07:46 25m bisect fix linux-4.14.y OK (0) job log log
2020/04/12 06:26 23m bisect fix linux-4.14.y OK (0) job log log
2020/03/13 06:01 25m bisect fix linux-4.14.y OK (0) job log log
2020/02/12 05:37 23m bisect fix linux-4.14.y OK (0) job log log
2020/01/13 04:39 25m bisect fix linux-4.14.y OK (0) job log log
2019/12/14 04:09 23m bisect fix linux-4.14.y OK (0) job log log

Sample crash report:
audit: type=1400 audit(1563565886.597:36): avc:  denied  { map } for  pid=7124 comm="syz-executor296" path="/root/syz-executor296693542" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
refcount_t: increment on 0; use-after-free.
------------[ cut here ]------------
WARNING: CPU: 0 PID: 7126 at lib/refcount.c:153 refcount_inc /lib/refcount.c:153 [inline]
WARNING: CPU: 0 PID: 7126 at lib/refcount.c:153 refcount_inc.cold+0x18/0x1f /lib/refcount.c:151
Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 7126 Comm: syz-executor296 Not tainted 4.14.133 #28
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack /lib/dump_stack.c:17 [inline]
 dump_stack+0x138/0x19c /lib/dump_stack.c:53
 panic+0x1f2/0x426 /kernel/panic.c:182
 __warn.cold+0x2f/0x36 /kernel/panic.c:546
 report_bug+0x216/0x254 /lib/bug.c:186
 fixup_bug /arch/x86/kernel/traps.c:177 [inline]
 fixup_bug /arch/x86/kernel/traps.c:172 [inline]
 do_error_trap+0x1bb/0x310 /arch/x86/kernel/traps.c:295
 do_invalid_op+0x1b/0x20 /arch/x86/kernel/traps.c:314
 invalid_op+0x1b/0x40 /arch/x86/entry/entry_64.S:960
RIP: 0010:refcount_inc /lib/refcount.c:153 [inline]
RIP: 0010:refcount_inc.cold+0x18/0x1f /lib/refcount.c:151
RSP: 0018:ffff8880974ffb70 EFLAGS: 00010286
RAX: 000000000000002b RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff866d0e00 RDI: ffffed1012e9ff64
RBP: ffff8880974ffb78 R08: 000000000000002b R09: ffff8880850e6f08
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88808b63a900
R13: 0000000000000002 R14: ffff888092c23a60 R15: ffff888092c23a40
 sock_hold /./include/net/sock.h:619 [inline]
 l2tp_session_add_to_tunnel /net/l2tp/l2tp_core.c:374 [inline]
 l2tp_session_create+0xb49/0x1600 /net/l2tp/l2tp_core.c:1846
 pppol2tp_connect+0x11bf/0x18b0 /net/l2tp/l2tp_ppp.c:721
 SYSC_connect+0x1f6/0x2d0 /net/socket.c:1655
 SyS_connect+0x24/0x30 /net/socket.c:1636
 do_syscall_64+0x1e8/0x640 /arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4412d9
RSP: 002b:00007ffc1b98e998 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004412d9
RDX: 0000000000000026 RSI: 0000000020000180 RDI: 0000000000000004
RBP: 000000000000f82b R08: 00000000004002c8 R09: 00000000004002c8
R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000402100
R13: 0000000000402190 R14: 0000000000000000 R15: 0000000000000000
Kernel Offset: disabled
Rebooting in 86400 seconds..

Crashes (8):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2019/07/19 19:54 linux-4.14.y aea8526edf59 8304907d .config console log report syz C ci2-linux-4-14
2019/11/01 02:05 linux-4.14.y ddef1e8e3f6e a41ca8fa .config console log report ci2-linux-4-14
2019/10/12 17:21 linux-4.14.y e132c8d7b58d 426631dd .config console log report ci2-linux-4-14
2019/10/04 05:13 linux-4.14.y f6e27dbb1afa fc17ba49 .config console log report ci2-linux-4-14
2019/09/30 14:53 linux-4.14.y f6e27dbb1afa c7a4fb99 .config console log report ci2-linux-4-14
2019/07/22 12:52 linux-4.14.y ff33472c282e b3c615f5 .config console log report ci2-linux-4-14
2019/07/19 19:32 linux-4.14.y aea8526edf59 8304907d .config console log report ci2-linux-4-14
2019/06/19 05:53 linux-4.14.y e861d0673eb8 34bf9440 .config console log report ci2-linux-4-14