syzbot
panic: Decrementing non-positive ref count ADDR, owned by vfs.FileDescription

Status: fixed on 2021/01/27 04:55
Reported-by: syzbot+aa26482e9c4887aff259@syzkaller.appspotmail.com
Fix commit: abdff887483f Do not send SCM Rights more than once when message is truncated.
First crash: 1417d, last: 1415d
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
gvisor panic: Decrementing non-positive ref count ADDR, owned by vfs.FileDescription (2) 1 1399d 1399d 0/26 closed as invalid on 2021/02/10 18:34

Sample crash report:
panic: Decrementing non-positive ref count 0xc00092a0c0, owned by vfs.FileDescription

goroutine 1228 [running]:
panic(0xfd2320, 0xc0000aca20)
	GOROOT/src/runtime/panic.go:1064 +0x470 fp=0xc0005273f8 sp=0xc000527340 pc=0x437110
gvisor.dev/gvisor/pkg/sentry/vfs.(*FileDescriptionRefs).DecRef(0xc00092a0c0, 0xc000527480)
	bazel-out/k8-fastbuild-ST-3bfd66f45e612c1a5c797474a25664e227d81bf914f3b08a40e00b2e2692afa4/bin/pkg/sentry/vfs/file_description_refs.go:117 +0x18c fp=0xc000527470 sp=0xc0005273f8 pc=0x7aac4c
gvisor.dev/gvisor/pkg/sentry/vfs.(*FileDescription).DecRef(0xc00092a0c0, 0x1328480, 0xc0008b6a80)
	pkg/sentry/vfs/file_description.go:163 +0x69 fp=0xc0005274b0 sp=0xc000527470 pc=0x7a5689
gvisor.dev/gvisor/pkg/sentry/socket/control.(*RightsFilesVFS2).Release(0xc000354700, 0x1328480, 0xc0008b6a80)
	pkg/sentry/socket/control/control_vfs2.go:87 +0x65 fp=0xc0005274f0 sp=0xc0005274b0 pc=0xa25fc5
gvisor.dev/gvisor/pkg/sentry/socket/unix/transport.(*ControlMessages).Release(...)
	pkg/sentry/socket/unix/transport/unix.go:79
gvisor.dev/gvisor/pkg/sentry/socket/unix/transport.(*message).Release(...)
	pkg/sentry/socket/unix/transport/unix.go:285
gvisor.dev/gvisor/pkg/sentry/socket/unix/transport.(*queue).Reset(0xc0000c2f00, 0x1328480, 0xc0008b6a80)
	pkg/sentry/socket/unix/transport/queue.go:63 +0xbe fp=0xc000527520 sp=0xc0005274f0 pc=0x70751e
gvisor.dev/gvisor/pkg/sentry/socket/unix/transport.(*queue).DecRef.func1()
	pkg/sentry/socket/unix/transport/queue.go:75 +0x3c fp=0xc000527548 sp=0xc000527520 pc=0x70ec3c
gvisor.dev/gvisor/pkg/sentry/socket/unix/transport.(*queueRefs).DecRef(0xc0000c2f00, 0xc0005275d0)
	bazel-out/k8-fastbuild-ST-3bfd66f45e612c1a5c797474a25664e227d81bf914f3b08a40e00b2e2692afa4/bin/pkg/sentry/socket/unix/transport/queue_refs.go:123 +0x5a fp=0xc0005275c0 sp=0xc000527548 pc=0x70887a
gvisor.dev/gvisor/pkg/sentry/socket/unix/transport.(*queue).DecRef(0xc0000c2f00, 0x1328480, 0xc0008b6a80)
	pkg/sentry/socket/unix/transport/queue.go:72 +0x69 fp=0xc000527600 sp=0xc0005275c0 pc=0x707609
gvisor.dev/gvisor/pkg/sentry/socket/unix/transport.(*connectedEndpoint).Release(0xc000646140, 0x1328480, 0xc0008b6a80)
	pkg/sentry/socket/unix/transport/unix.go:717 +0x45 fp=0xc000527628 sp=0xc000527600 pc=0x70b005
gvisor.dev/gvisor/pkg/sentry/socket/unix/transport.(*connectionedEndpoint).Close(0xc000924100, 0x1328480, 0xc0008b6a80)
	pkg/sentry/socket/unix/transport/connectioned.go:242 +0x1f3 fp=0xc000527688 sp=0xc000527628 pc=0x704a13
gvisor.dev/gvisor/pkg/sentry/socket/unix.(*SocketVFS2).DecRef.func1()
	pkg/sentry/socket/unix/unix_vfs2.go:101 +0xd6 fp=0xc0005276d8 sp=0xc000527688 pc=0xb49f36
gvisor.dev/gvisor/pkg/sentry/socket/unix.(*socketVFS2Refs).DecRef(0xc00092a130, 0xc000527760)
	bazel-out/k8-fastbuild-ST-3bfd66f45e612c1a5c797474a25664e227d81bf914f3b08a40e00b2e2692afa4/bin/pkg/sentry/socket/unix/socket_vfs2_refs.go:123 +0x5a fp=0xc000527750 sp=0xc0005276d8 pc=0xb40e9a
gvisor.dev/gvisor/pkg/sentry/socket/unix.(*SocketVFS2).DecRef(0xc00092a0c0, 0x1328480, 0xc0008b6a80)
	pkg/sentry/socket/unix/unix_vfs2.go:98 +0x6d fp=0xc000527790 sp=0xc000527750 pc=0xb460ed
gvisor.dev/gvisor/pkg/sentry/socket/unix.(*SocketVFS2).Release(0xc00092a0c0, 0x1328480, 0xc0008b6a80)
	pkg/sentry/socket/unix/unix_vfs2.go:112 +0x3f fp=0xc0005277b8 sp=0xc000527790 pc=0xb4613f
gvisor.dev/gvisor/pkg/sentry/vfs.(*FileDescription).DecRef.func1()
	pkg/sentry/vfs/file_description.go:187 +0x202 fp=0xc000527890 sp=0xc0005277b8 pc=0x7c9582
gvisor.dev/gvisor/pkg/sentry/vfs.(*FileDescriptionRefs).DecRef(0xc00092a0c0, 0xc000527918)
	bazel-out/k8-fastbuild-ST-3bfd66f45e612c1a5c797474a25664e227d81bf914f3b08a40e00b2e2692afa4/bin/pkg/sentry/vfs/file_description_refs.go:123 +0x5a fp=0xc000527908 sp=0xc000527890 pc=0x7aab1a
gvisor.dev/gvisor/pkg/sentry/vfs.(*FileDescription).DecRef(0xc00092a0c0, 0x1328480, 0xc0008b6a80)
	pkg/sentry/vfs/file_description.go:163 +0x69 fp=0xc000527948 sp=0xc000527908 pc=0x7a5689
gvisor.dev/gvisor/pkg/sentry/socket/control.(*RightsFilesVFS2).Release(0xc000354700, 0x1328480, 0xc0008b6a80)
	pkg/sentry/socket/control/control_vfs2.go:87 +0x65 fp=0xc000527988 sp=0xc000527948 pc=0xa25fc5
gvisor.dev/gvisor/pkg/sentry/socket/unix/transport.(*ControlMessages).Release(...)
	pkg/sentry/socket/unix/transport/unix.go:79
gvisor.dev/gvisor/pkg/sentry/socket/unix/transport.(*streamQueueReceiver).Release(0xc000926000, 0x1328480, 0xc0008b6a80)
	pkg/sentry/socket/unix/transport/unix.go:574 +0xc2 fp=0xc0005279b0 sp=0xc000527988 pc=0x70ab22
gvisor.dev/gvisor/pkg/sentry/socket/unix/transport.(*connectionedEndpoint).Close(0xc000924000, 0x1328480, 0xc0008b6a80)
	pkg/sentry/socket/unix/transport/connectioned.go:246 +0x1ba fp=0xc000527a10 sp=0xc0005279b0 pc=0x7049da
gvisor.dev/gvisor/pkg/sentry/socket/unix.(*SocketVFS2).DecRef.func1()
	pkg/sentry/socket/unix/unix_vfs2.go:101 +0xd6 fp=0xc000527a60 sp=0xc000527a10 pc=0xb49f36
gvisor.dev/gvisor/pkg/sentry/socket/unix.(*socketVFS2Refs).DecRef(0xc00092a070, 0xc000527ae8)
	bazel-out/k8-fastbuild-ST-3bfd66f45e612c1a5c797474a25664e227d81bf914f3b08a40e00b2e2692afa4/bin/pkg/sentry/socket/unix/socket_vfs2_refs.go:123 +0x5a fp=0xc000527ad8 sp=0xc000527a60 pc=0xb40e9a
gvisor.dev/gvisor/pkg/sentry/socket/unix.(*SocketVFS2).DecRef(0xc00092a000, 0x1328480, 0xc0008b6a80)
	pkg/sentry/socket/unix/unix_vfs2.go:98 +0x6d fp=0xc000527b18 sp=0xc000527ad8 pc=0xb460ed
gvisor.dev/gvisor/pkg/sentry/socket/unix.(*SocketVFS2).Release(0xc00092a000, 0x1328480, 0xc0008b6a80)
	pkg/sentry/socket/unix/unix_vfs2.go:112 +0x3f fp=0xc000527b40 sp=0xc000527b18 pc=0xb4613f
gvisor.dev/gvisor/pkg/sentry/vfs.(*FileDescription).DecRef.func1()
	pkg/sentry/vfs/file_description.go:187 +0x202 fp=0xc000527c18 sp=0xc000527b40 pc=0x7c9582
gvisor.dev/gvisor/pkg/sentry/vfs.(*FileDescriptionRefs).DecRef(0xc00092a000, 0xc000527ca0)
	bazel-out/k8-fastbuild-ST-3bfd66f45e612c1a5c797474a25664e227d81bf914f3b08a40e00b2e2692afa4/bin/pkg/sentry/vfs/file_description_refs.go:123 +0x5a fp=0xc000527c90 sp=0xc000527c18 pc=0x7aab1a
gvisor.dev/gvisor/pkg/sentry/vfs.(*FileDescription).DecRef(0xc00092a000, 0x1328480, 0xc0008b6a80)
	pkg/sentry/vfs/file_description.go:163 +0x69 fp=0xc000527cd0 sp=0xc000527c90 pc=0x7a5689
gvisor.dev/gvisor/pkg/sentry/kernel.(*FDTable).dropVFS2(0xc0004547b0, 0x1328480, 0xc0008b6a80, 0xc00092a000)
	pkg/sentry/kernel/fd_table.go:171 +0x145 fp=0xc000527d50 sp=0xc000527cd0 pc=0x994165
gvisor.dev/gvisor/pkg/sentry/kernel.(*FDTable).RemoveIf(0xc0004547b0, 0x1328480, 0xc0008b6a80, 0x11edfb0)
	pkg/sentry/kernel/fd_table.go:672 +0x1d6 fp=0xc000527e08 sp=0xc000527d50 pc=0x9965f6
gvisor.dev/gvisor/pkg/sentry/kernel.(*FDTable).DecRef.func1()
	pkg/sentry/kernel/fd_table.go:186 +0x48 fp=0xc000527e38 sp=0xc000527e08 pc=0x9ed9c8
gvisor.dev/gvisor/pkg/sentry/kernel.(*FDTableRefs).DecRef(0xc0004547b0, 0xc000527ec0)
	bazel-out/k8-fastbuild-ST-3bfd66f45e612c1a5c797474a25664e227d81bf914f3b08a40e00b2e2692afa4/bin/pkg/sentry/kernel/fd_table_refs.go:123 +0x5a fp=0xc000527eb0 sp=0xc000527e38 pc=0x996bda
gvisor.dev/gvisor/pkg/sentry/kernel.(*FDTable).DecRef(0xc0004547b0, 0x1328480, 0xc0008b6a80)
	pkg/sentry/kernel/fd_table.go:185 +0x69 fp=0xc000527ef0 sp=0xc000527eb0 pc=0x994349
gvisor.dev/gvisor/pkg/sentry/kernel.(*runExitMain).execute(0x0, 0xc0008b6a80, 0x12fa5e0, 0x0)
	pkg/sentry/kernel/task_exit.go:276 +0x1f1 fp=0xc000527f60 sp=0xc000527ef0 pc=0x9bcff1
gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).run(0xc0008b6a80, 0x19)
	pkg/sentry/kernel/task_run.go:97 +0x1af fp=0xc000527fd0 sp=0xc000527f60 pc=0x9c620f
runtime.goexit()
	src/runtime/asm_amd64.s:1374 +0x1 fp=0xc000527fd8 sp=0xc000527fd0 pc=0x470681
created by gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).Start
	pkg/sentry/kernel/task_start.go:323 +0xfe

Crashes (12):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2021/01/08 18:19 gvisor 7817e3b5e420 c104d4a3 .config console log report syz C ci-gvisor-kvm
2021/01/08 18:05 gvisor bf343394d498 c104d4a3 .config console log report syz C ci-gvisor-ptrace-2-race
2021/01/08 17:46 gvisor bf343394d498 c104d4a3 .config console log report syz C ci-gvisor-ptrace-1-cover
2021/01/08 17:42 gvisor bf343394d498 c104d4a3 .config console log report syz C ci-gvisor-ptrace-2-cover
2021/01/08 17:42 gvisor bf343394d498 c104d4a3 .config console log report syz C ci-gvisor-ptrace-1-race
2021/01/08 17:42 gvisor bf343394d498 c104d4a3 .config console log report syz C ci-gvisor-ptrace-3
2021/01/08 17:39 gvisor bf343394d498 c104d4a3 .config console log report syz C ci-gvisor-ptrace-1
2021/01/08 17:39 gvisor bf343394d498 c104d4a3 .config console log report syz C ci-gvisor-ptrace-2
2021/01/08 17:38 gvisor bf343394d498 c104d4a3 .config console log report syz C ci-gvisor-ptrace-3-race
2021/01/08 17:16 gvisor bf343394d498 c104d4a3 .config console log report syz C ci-gvisor-ptrace-3-cover
2021/01/10 23:53 gvisor 7817e3b5e420 2c1f2513 .config console log report syz ci-gvisor-kvm-cover
2021/01/08 17:00 gvisor bf343394d498 c104d4a3 .config console log report info ci-gvisor-ptrace-3-cover
* Struck through repros no longer work on HEAD.