syzbot


WARNING: refcount bug in nfs_alloc_client

Status: fixed on 2018/05/08 18:30
Subsystems: nfs
[Documentation on labels]
Reported-by: syzbot+615bdb0e46647b9f35a4@syzkaller.appspotmail.com
Fix commit: 8e04944f0ea8 mm,vmscan: Allow preallocating memory for register_shrinker().
First crash: 2385d, last: 2384d

Sample crash report:
RBP: 000000000072bea0 R08: 0000000020000080 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000015
R13: 00000000000003fa R14: 00000000006f8010 R15: 0000000000000022
------------[ cut here ]------------
refcount_t: increment on 0; use-after-free.
WARNING: CPU: 1 PID: 13294 at lib/refcount.c:153 refcount_inc+0x47/0x50 lib/refcount.c:153
Kernel panic - not syncing: panic_on_warn set ...

CPU: 1 PID: 13294 Comm: syz-executor4 Not tainted 4.16.0-rc6+ #43
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 panic+0x1e4/0x41c kernel/panic.c:183
 __warn+0x1dc/0x200 kernel/panic.c:547
 report_bug+0x1f4/0x2b0 lib/bug.c:186
 fixup_bug.part.10+0x37/0x80 arch/x86/kernel/traps.c:178
 fixup_bug arch/x86/kernel/traps.c:247 [inline]
 do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
 invalid_op+0x1b/0x40 arch/x86/entry/entry_64.S:986
RIP: 0010:refcount_inc+0x47/0x50 lib/refcount.c:153
RSP: 0018:ffff8801b6e6f3c0 EFLAGS: 00010286
RAX: dffffc0000000008 RBX: ffff8801b315e0c4 RCX: ffffffff815b423e
RDX: 0000000000005ca2 RSI: ffffc900038ad000 RDI: 1ffff10036dcddfd
RBP: ffff8801b6e6f3c8 R08: ffffffff88583118 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 1ffff10036dcde7c
R13: ffff8801b315e0c0 R14: 0000000000000011 R15: ffff8801d6bd6a08
 get_net include/net/net_namespace.h:204 [inline]
 nfs_alloc_client+0x452/0x710 fs/nfs/client.c:183
 nfs_get_client+0x7e2/0x13d0 fs/nfs/client.c:430
 nfs_init_server+0x358/0xf30 fs/nfs/client.c:670
 nfs_create_server+0x84/0x550 fs/nfs/client.c:953
 nfs_try_mount+0x147/0x9d0 fs/nfs/super.c:1884
 nfs_fs_mount+0xe9b/0x2d50 fs/nfs/super.c:2695
 mount_fs+0x66/0x2d0 fs/super.c:1222
 vfs_kern_mount.part.26+0xc6/0x4a0 fs/namespace.c:1037
 vfs_kern_mount fs/namespace.c:2509 [inline]
 do_new_mount fs/namespace.c:2512 [inline]
 do_mount+0xea4/0x2bb0 fs/namespace.c:2842
 SYSC_mount fs/namespace.c:3058 [inline]
 SyS_mount+0xab/0x120 fs/namespace.c:3035
 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x455269
RSP: 002b:00007f2aba3f2c68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f2aba3f36d4 RCX: 0000000000455269
RDX: 000000002015bffc RSI: 0000000020343ff8 RDI: 0000000020dba000
RBP: 000000000072bea0 R08: 000000002000a000 R09: 0000000000000000
R10: 0000000000000400 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000003fa R14: 00000000006f8010 R15: 0000000000000000
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2018/04/01 16:59 bpf-next 7828f20e3779 dc889257 .config console log report ci-upstream-bpf-next-kasan-gce
2018/03/31 13:46 bpf-next 7828f20e3779 8fbce0e4 .config console log report ci-upstream-bpf-next-kasan-gce
* Struck through repros no longer work on HEAD.