syzbot


WARNING: refcount bug in blk_mq_free_request

Status: upstream: reported C repro on 2024/08/08 02:49
Bug presence: origin:lts-only
Reported-by: syzbot+68d100a516c9c17658b1@syzkaller.appspotmail.com
First crash: 59d, last: 2d13h
Bug presence (2)

| Date | Name | Commit | Repro | Result |
|---|---|---|---|---|
| 2024/09/30 | linux-5.15.y (ToT) | 3a5928702e71 | C | [report] WARNING: refcount bug in blk_mq_free_request |
| 2024/09/30 | upstream (ToT) | 9852d85ec9d4 | C | Didn't crash |

Similar bugs (3)

| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| upstream | WARNING: refcount bug in blk_mq_free_request (3) block | | | | 1 | 1227d | 1223d | 0/28 | auto-closed as invalid on 2021/09/25 02:34 |
| upstream | WARNING: refcount bug in blk_mq_free_request block | | | | 1 | 2137d | 2131d | 0/28 | auto-closed as invalid on 2019/05/29 00:00 |
| upstream | WARNING: refcount bug in blk_mq_free_request (2) block | C | done | error | 5 | 1888d | 1888d | 15/28 | fixed on 2020/06/30 18:57 |

Fix bisection attempts (1)
Created Duration User Patch Repo Result
2024/10/03 19:40 5m fix candidate upstream error job log

Sample crash report:
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 20 at lib/refcount.c:28 refcount_warn_saturate+0x1c8/0x20c lib/refcount.c:28
Modules linked in:
CPU: 1 PID: 20 Comm: ksoftirqd/1 Not tainted 5.15.167-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : refcount_warn_saturate+0x1c8/0x20c lib/refcount.c:28
lr : refcount_warn_saturate+0x1c8/0x20c lib/refcount.c:28
sp : ffff80001bcf7b40
x29: ffff80001bcf7b40 x28: fffffbffefff3600 x27: 1fffe0001991c903
x26: 1fffe0001991c903 x25: 0000000000000000 x24: 0000000000000001
x23: dfff800000000000 x22: fffffbffefff36c8 x21: 0000000000000003
x20: ffff0000cc8e48e8 x19: ffff800016f0c000 x18: 0000000000000101
x17: 0000000000000000 x16: ffff800011ac23e0 x15: 00000000ffffffff
x14: ffff0000c0a80000 x13: 0000000000121b58 x12: 0000000000000001
x11: 0000000000000100 x10: 0000000000000000 x9 : 03a3309e4d8a9600
x8 : 03a3309e4d8a9600 x7 : 0000000000121b58 x6 : 0000000000121b28
x5 : ffff80001bcf72b8 x4 : ffff800014b76320 x3 : ffff80000a987d1c
x2 : ffff0001b41aed10 x1 : 0000000000000100 x0 : 0000000000000026
Call trace:
 refcount_warn_saturate+0x1c8/0x20c lib/refcount.c:28
 __refcount_sub_and_test include/linux/refcount.h:283 [inline]
 __refcount_dec_and_test include/linux/refcount.h:315 [inline]
 refcount_dec_and_test include/linux/refcount.h:333 [inline]
 blk_mq_free_request+0x440/0x584 block/blk-mq.c:543
 __blk_mq_end_request+0x318/0x350 block/blk-mq.c:568
 blk_mq_end_request+0x68/0x88 block/blk-mq.c:577
 nbd_complete_rq+0x48/0x154 drivers/block/nbd.c:360
 blk_complete_reqs block/blk-mq.c:587 [inline]
 blk_done_softirq+0x11c/0x168 block/blk-mq.c:592
 handle_softirqs+0x384/0xdbc kernel/softirq.c:558
 run_ksoftirqd+0x6c/0x29c kernel/softirq.c:925
 smpboot_thread_fn+0x4b0/0x920 kernel/smpboot.c:164
 kthread+0x37c/0x45c kernel/kthread.c:334
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:870
irq event stamp: 965579
hardirqs last  enabled at (965578): [<ffff80000832c17c>] __up_console_sem+0xb4/0x100 kernel/printk/printk.c:257
hardirqs last disabled at (965579): [<ffff800011abda6c>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:396
softirqs last  enabled at (965532): [<ffff8000081b6d74>] softirq_handle_end kernel/softirq.c:401 [inline]
softirqs last  enabled at (965532): [<ffff8000081b6d74>] handle_softirqs+0xb88/0xdbc kernel/softirq.c:586
softirqs last disabled at (965537): [<ffff8000081b98a4>] run_ksoftirqd+0x6c/0x29c kernel/softirq.c:925
---[ end trace 8b4f5a70527e24e6 ]---

Crashes (9):

| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2024/09/28 07:11 | linux-5.15.y | 3a5928702e71 | 440b26ec | .config | console log | report | syz / log | C | | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan-arm64 | WARNING: refcount bug in blk_mq_free_request |
| 2024/09/27 04:54 | linux-5.15.y | 3a5928702e71 | 9314348a | .config | console log | report | syz / log | | | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan-arm64 | WARNING: refcount bug in blk_mq_free_request |
| 2024/10/03 21:02 | linux-5.15.y | 3a5928702e71 | d7906eff | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan-arm64 | WARNING: refcount bug in blk_mq_free_request |
| 2024/10/03 21:02 | linux-5.15.y | 3a5928702e71 | d7906eff | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan-arm64 | WARNING: refcount bug in blk_mq_free_request |
| 2024/10/03 08:38 | linux-5.15.y | 3a5928702e71 | a4c7fd36 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan-arm64 | WARNING: refcount bug in blk_mq_free_request |
| 2024/09/28 02:39 | linux-5.15.y | 3a5928702e71 | 440b26ec | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan-arm64 | WARNING: refcount bug in blk_mq_free_request |
| 2024/09/27 00:38 | linux-5.15.y | 3a5928702e71 | 9314348a | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan-arm64 | WARNING: refcount bug in blk_mq_free_request |
| 2024/09/27 00:36 | linux-5.15.y | 3a5928702e71 | 9314348a | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan-arm64 | WARNING: refcount bug in blk_mq_free_request |
| 2024/08/08 02:48 | linux-5.15.y | 7e89efd3ae1c | de12cf65 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-5-15-kasan-arm64 | WARNING: refcount bug in blk_mq_free_request |

* Struck through repros no longer work on HEAD.