syzbot


WARNING: refcount bug in j1939_session_put

Status: upstream: reported C repro on 2024/08/05 21:18
Subsystems: can
Reported-by: syzbot+ad601904231505ad6617@syzkaller.appspotmail.com
First crash: 111d, last: 32m
Cause bisection: introduced by (bisect log):
commit c9c0ee5f20c593faf289fa8850c3ed84031dd12a
Author: Breno Leitao <leitao@debian.org>
Date: Mon Jul 29 10:47:40 2024 +0000

  net: skbuff: Skip early return in skb_unref when debugging

Crash: WARNING: refcount bug in j1939_session_put (log)
Repro: C syz .config
  
Discussions (4)

| Title | Replies (including bot) | Last reply |
|---|---|---|
| [syzbot] Monthly can report (Nov 2024) | 0 (1) | 2024/11/04 08:50 |
| [PATCH net-next] can: j1939: fix uaf in j1939_session_destroy | 8 (8) | 2024/10/11 14:10 |
| [syzbot] Monthly can report (Oct 2024) | 0 (1) | 2024/10/04 10:11 |
| [syzbot] [can?] WARNING: refcount bug in j1939_session_put | 13 (24) | 2024/08/07 23:06 |

Last patch testing requests (11)

| Created | Duration | User | Patch | Repo | Result |
|---|---|---|---|---|---|
| 2024/08/07 11:00 | 58m | eadavis@qq.com | patch | git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git 743ff02152bc | OK log |
| 2024/08/07 09:29 | 49m | eadavis@qq.com | patch | git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git 743ff02152bc | OK log |
| 2024/08/07 08:30 | 42m | eadavis@qq.com | | upstream | OK log |
| 2024/08/07 06:56 | 1h23m | eadavis@qq.com | patch | git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git 743ff02152bc | OK log |
| 2024/08/07 06:21 | 17m | eadavis@qq.com | patch | git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git 743ff02152bc | report log |
| 2024/08/07 02:39 | 25m | eadavis@qq.com | patch | git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git 743ff02152bc | OK log |
| 2024/08/07 01:42 | 16m | eadavis@qq.com | patch | git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git 743ff02152bc | report log |
| 2024/08/07 01:19 | 16m | eadavis@qq.com | patch | git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git 743ff02152bc | report log |
| 2024/08/07 00:56 | 24m | eadavis@qq.com | patch | git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git 743ff02152bc | OK log |
| 2024/08/06 13:39 | 24m | eadavis@qq.com | patch | git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git 743ff02152bc | OK log |
| 2024/08/06 13:13 | 18m | eadavis@qq.com | patch | git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git 743ff02152bc | report log |

Sample crash report:
vcan0: j1939_tp_rxtimer: 0xffff888034beb800: rx timeout, send abort
vcan0: j1939_tp_rxtimer: 0xffff888034beb800: abort rx timeout. Force session deactivation
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 0 at lib/refcount.c:28 refcount_warn_saturate+0x15a/0x1d0 lib/refcount.c:28
Modules linked in:
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:refcount_warn_saturate+0x15a/0x1d0 lib/refcount.c:28
Code: 60 ef 5f 8c e8 87 fc a0 fc 90 0f 0b 90 90 eb 99 e8 eb 06 e0 fc c6 05 ff d6 50 0b 01 90 48 c7 c7 c0 ef 5f 8c e8 67 fc a0 fc 90 <0f> 0b 90 90 e9 76 ff ff ff e8 c8 06 e0 fc c6 05 d9 d6 50 0b 01 90
RSP: 0018:ffffc90000007c08 EFLAGS: 00010246
RAX: 14ca8013cdc76700 RBX: ffff88802fdd6ae4 RCX: ffffffff8e694640
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000003 R08: ffffffff8155d222 R09: 1ffff92000000f1c
R10: dffffc0000000000 R11: fffff52000000f1d R12: ffff888034beb868
R13: ffff88802fdd6ae4 R14: 1ffff1100697d718 R15: ffff888034beb800
FS:  0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb82b948100 CR3: 000000007e7f0000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 kfree_skb_reason include/linux/skbuff.h:1262 [inline]
 kfree_skb include/linux/skbuff.h:1271 [inline]
 j1939_session_destroy net/can/j1939/transport.c:282 [inline]
 __j1939_session_release net/can/j1939/transport.c:294 [inline]
 kref_put include/linux/kref.h:65 [inline]
 j1939_session_put+0x1ed/0x440 net/can/j1939/transport.c:299
 j1939_tp_rxtimer+0x184/0x3d0 net/can/j1939/transport.c:1265
 __run_hrtimer kernel/time/hrtimer.c:1691 [inline]
 __hrtimer_run_queues+0x59b/0xd50 kernel/time/hrtimer.c:1755
 hrtimer_run_softirq+0x19a/0x2c0 kernel/time/hrtimer.c:1772
 handle_softirqs+0x2c5/0x980 kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1049
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:native_irq_disable arch/x86/include/asm/irqflags.h:37 [inline]
RIP: 0010:arch_local_irq_disable arch/x86/include/asm/irqflags.h:92 [inline]
RIP: 0010:acpi_safe_halt+0x21/0x30 drivers/acpi/processor_idle.c:112
Code: 90 90 90 90 90 90 90 90 90 65 48 8b 04 25 80 d7 03 00 48 f7 00 08 00 00 00 75 10 66 90 0f 00 2d 55 27 ab 00 f3 0f 1e fa fb f4 <fa> c3 cc cc cc cc 66 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90
RSP: 0018:ffffffff8e607ca8 EFLAGS: 00000246
RAX: ffffffff8e694640 RBX: ffff8880202fc864 RCX: 000000000004edf9
RDX: 0000000000000001 RSI: ffff8880202fc800 RDI: ffff8880202fc864
RBP: 000000000003a978 R08: ffff8880b8637e9b R09: 1ffff110170c6fd3
R10: dffffc0000000000 R11: ffffffff8bbeda00 R12: ffff888020bd8000
R13: 0000000000000001 R14: 0000000000000001 R15: ffffffff8f11c460
 acpi_idle_enter+0xe4/0x140 drivers/acpi/processor_idle.c:702
 cpuidle_enter_state+0x109/0x470 drivers/cpuidle/cpuidle.c:264
 cpuidle_enter+0x5d/0xa0 drivers/cpuidle/cpuidle.c:385
 call_cpuidle kernel/sched/idle.c:155 [inline]
 cpuidle_idle_call kernel/sched/idle.c:230 [inline]
 do_idle+0x375/0x5d0 kernel/sched/idle.c:326
 cpu_startup_entry+0x42/0x60 kernel/sched/idle.c:424
 rest_init+0x2dc/0x300 init/main.c:747
 start_kernel+0x47f/0x500 init/main.c:1105
 x86_64_start_reservations+0x2a/0x30 arch/x86/kernel/head64.c:507
 x86_64_start_kernel+0x9f/0xa0 arch/x86/kernel/head64.c:488
 common_startup_64+0x13e/0x147
 </TASK>
----------------
Code disassembly (best guess):
   0:	90                   	nop
   1:	90                   	nop
   2:	90                   	nop
   3:	90                   	nop
   4:	90                   	nop
   5:	90                   	nop
   6:	90                   	nop
   7:	90                   	nop
   8:	90                   	nop
   9:	65 48 8b 04 25 80 d7 	mov    %gs:0x3d780,%rax
  10:	03 00
  12:	48 f7 00 08 00 00 00 	testq  $0x8,(%rax)
  19:	75 10                	jne    0x2b
  1b:	66 90                	xchg   %ax,%ax
  1d:	0f 00 2d 55 27 ab 00 	verw   0xab2755(%rip)        # 0xab2779
  24:	f3 0f 1e fa          	endbr64
  28:	fb                   	sti
  29:	f4                   	hlt
* 2a:	fa                   	cli <-- trapping instruction
  2b:	c3                   	ret
  2c:	cc                   	int3
  2d:	cc                   	int3
  2e:	cc                   	int3
  2f:	cc                   	int3
  30:	66 0f 1f 84 00 00 00 	nopw   0x0(%rax,%rax,1)
  37:	00 00
  39:	90                   	nop
  3a:	90                   	nop
  3b:	90                   	nop
  3c:	90                   	nop
  3d:	90                   	nop
  3e:	90                   	nop
  3f:	90                   	nop

Crashes (9862):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2024/11/06 08:08 upstream 2e1b3cc9d7f7 3a465482 .config strace log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root WARNING: refcount bug in j1939_session_put
2024/09/25 07:55 upstream 68e5c7d4cefb 349a68c4 .config console log report syz / log C [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root WARNING: refcount bug in j1939_session_put
2024/11/10 22:57 net-next 774ca6d3bf24 6b856513 .config strace log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce WARNING: refcount bug in j1939_session_put
2024/08/02 10:12 net-next 743ff02152bc 1e9c4cf3 .config strace log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce WARNING: refcount bug in j1939_session_put
2024/08/02 08:41 net-next 743ff02152bc 1e9c4cf3 .config strace log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce WARNING: refcount bug in j1939_session_put
2024/08/02 07:20 net-next 743ff02152bc 1e9c4cf3 .config strace log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce WARNING: refcount bug in j1939_session_put
2024/08/02 05:23 net-next 743ff02152bc 1e9c4cf3 .config strace log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce WARNING: refcount bug in j1939_session_put
2024/08/02 03:11 net-next 743ff02152bc 1e9c4cf3 .config strace log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce WARNING: refcount bug in j1939_session_put
2024/08/02 01:57 net-next 743ff02152bc 1e9c4cf3 .config strace log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce WARNING: refcount bug in j1939_session_put
2024/11/21 06:24 upstream 43fb83c17ba2 4b25d554 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root WARNING: refcount bug in j1939_session_put
2024/11/21 02:37 upstream bf9aa14fc523 4fca1650 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce WARNING: refcount bug in j1939_session_put
2024/11/20 14:50 upstream bf9aa14fc523 4fca1650 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root WARNING: refcount bug in j1939_session_put
2024/11/20 03:19 upstream a5c93bfec0be 7d02db5a .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root WARNING: refcount bug in j1939_session_put
2024/11/19 20:05 upstream 158f238aa69d 571351cb .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root WARNING: refcount bug in j1939_session_put
2024/11/19 15:48 upstream 158f238aa69d 571351cb .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce WARNING: refcount bug in j1939_session_put
2024/11/19 08:15 upstream c6d64479d609 571351cb .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root WARNING: refcount bug in j1939_session_put
2024/11/19 07:14 upstream c6d64479d609 571351cb .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce WARNING: refcount bug in j1939_session_put
2024/11/19 07:08 upstream c6d64479d609 571351cb .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root WARNING: refcount bug in j1939_session_put
2024/11/19 04:20 upstream c6d64479d609 571351cb .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-root WARNING: refcount bug in j1939_session_put
2024/11/19 16:11 upstream c6d64479d609 571351cb .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-386 WARNING: refcount bug in j1939_session_put
2024/11/20 20:47 upstream 8f7c8b88bda4 4fca1650 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root WARNING: refcount bug in j1939_session_put
2024/11/20 11:31 upstream bf9aa14fc523 7d02db5a .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root WARNING: refcount bug in j1939_session_put
2024/11/20 06:52 upstream bf9aa14fc523 7d02db5a .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root WARNING: refcount bug in j1939_session_put
2024/11/19 14:05 upstream 158f238aa69d 571351cb .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root WARNING: refcount bug in j1939_session_put
2024/11/19 09:28 upstream 9fb2cfa4635a 571351cb .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root WARNING: refcount bug in j1939_session_put
2024/11/21 01:09 net 66418447d27b 4fca1650 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce WARNING: refcount bug in j1939_session_put
2024/11/21 00:08 net 66418447d27b 4fca1650 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce WARNING: refcount bug in j1939_session_put
2024/11/20 19:21 net 66418447d27b 4fca1650 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce WARNING: refcount bug in j1939_session_put
2024/11/20 15:59 net 66418447d27b 4fca1650 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce WARNING: refcount bug in j1939_session_put
2024/11/20 13:37 net 66418447d27b 4fca1650 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce WARNING: refcount bug in j1939_session_put
2024/11/20 10:28 net 66418447d27b 7d02db5a .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce WARNING: refcount bug in j1939_session_put
2024/11/20 09:01 net 66418447d27b 7d02db5a .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce WARNING: refcount bug in j1939_session_put
2024/11/20 05:34 net 66418447d27b 7d02db5a .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce WARNING: refcount bug in j1939_session_put
2024/11/20 02:19 net 66418447d27b 7d02db5a .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce WARNING: refcount bug in j1939_session_put
2024/11/20 01:06 net 66418447d27b 7d02db5a .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce WARNING: refcount bug in j1939_session_put
2024/11/20 01:06 net 66418447d27b 7d02db5a .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce WARNING: refcount bug in j1939_session_put
2024/11/19 22:57 net 66418447d27b 571351cb .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce WARNING: refcount bug in j1939_session_put
2024/11/19 21:51 net 66418447d27b 571351cb .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce WARNING: refcount bug in j1939_session_put
2024/11/19 18:55 net 66418447d27b 571351cb .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce WARNING: refcount bug in j1939_session_put
2024/11/19 17:12 net 4262bacb748f 571351cb .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce WARNING: refcount bug in j1939_session_put
2024/11/19 02:22 net 8ffade77b633 571351cb .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce WARNING: refcount bug in j1939_session_put
2024/11/19 00:54 net 8ffade77b633 571351cb .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce WARNING: refcount bug in j1939_session_put
2024/11/21 04:30 net-next dd7207838d38 4b25d554 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce WARNING: refcount bug in j1939_session_put
2024/11/20 22:48 net-next dd7207838d38 4fca1650 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce WARNING: refcount bug in j1939_session_put
2024/11/20 21:51 net-next dd7207838d38 4fca1650 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce WARNING: refcount bug in j1939_session_put
2024/11/20 18:04 net-next dd7207838d38 4fca1650 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce WARNING: refcount bug in j1939_session_put
2024/11/20 17:05 net-next dd7207838d38 4fca1650 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce WARNING: refcount bug in j1939_session_put
2024/11/20 13:05 net-next dd7207838d38 7d02db5a .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce WARNING: refcount bug in j1939_session_put
2024/11/20 08:00 net-next dd7207838d38 7d02db5a .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce WARNING: refcount bug in j1939_session_put
2024/11/19 18:51 net-next dd7207838d38 571351cb .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce WARNING: refcount bug in j1939_session_put
2024/11/19 12:24 net-next e867ed3ac8aa 571351cb .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce WARNING: refcount bug in j1939_session_put
2024/11/19 10:59 net-next e867ed3ac8aa 571351cb .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce WARNING: refcount bug in j1939_session_put
2024/11/19 05:47 net-next e867ed3ac8aa 571351cb .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce WARNING: refcount bug in j1939_session_put
2024/08/01 21:15 net-next 743ff02152bc 1e9c4cf3 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce WARNING: refcount bug in j1939_session_put
2024/11/21 05:33 linux-next ac24e26aa08f 4b25d554 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root WARNING: refcount bug in j1939_session_put
2024/11/21 02:59 linux-next ac24e26aa08f 4fca1650 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root WARNING: refcount bug in j1939_session_put
2024/11/19 20:49 linux-next 414c97c966b6 571351cb .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root WARNING: refcount bug in j1939_session_put
2024/11/19 09:15 linux-next 414c97c966b6 571351cb .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root WARNING: refcount bug in j1939_session_put
2024/11/19 03:22 linux-next ae58226b89ac 571351cb .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root WARNING: refcount bug in j1939_session_put
* Struck through repros no longer work on HEAD.