syzbot


WARNING in refcount_error_report

Status: fixed on 2020/01/03 09:37
Reported-by: syzbot+d9edb6a284634510dff2@syzkaller.appspotmail.com
Fix commit: 7272e8e3bfa3 inet: protect against too small mtu values.
First crash: 1816d, last: 1816d
Fix bisection: fixed by:
commit 7272e8e3bfa354a4f2c829a80180f01dc66d4861
Author: Eric Dumazet <edumazet@google.com>
Date: Fri Dec 6 04:43:46 2019 +0000

  inet: protect against too small mtu values.

Sample crash report:
IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
8021q: adding VLAN 0 to HW filter on device batadv0
IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
refcount_t overflow at refcount_add arch/x86/include/asm/refcount.h:43 [inline] in syz-executor.0[7357], uid/euid: 0/0
refcount_t overflow at skb_set_owner_w+0x1f8/0x300 net/core/sock.c:1846 in syz-executor.0[7357], uid/euid: 0/0
------------[ cut here ]------------
WARNING: CPU: 0 PID: 7357 at kernel/panic.c:613 refcount_error_report+0x1b2/0x210 kernel/panic.c:613
Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 7357 Comm: syz-executor.0 Not tainted 4.14.157-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x142/0x197 lib/dump_stack.c:58
 panic+0x1f9/0x42d kernel/panic.c:183
 __warn.cold+0x2f/0x2f kernel/panic.c:547
 report_bug+0x216/0x254 lib/bug.c:186
 fixup_bug arch/x86/kernel/traps.c:177 [inline]
 fixup_bug arch/x86/kernel/traps.c:172 [inline]
 do_error_trap+0x1bb/0x310 arch/x86/kernel/traps.c:295
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:314
 invalid_op+0x1b/0x40 arch/x86/entry/entry_64.S:963
RIP: 0010:refcount_error_report+0x1b2/0x210 kernel/panic.c:613
RSP: 0018:ffff888097d773b0 EFLAGS: 00010286
RAX: 0000000000000059 RBX: ffff888097d775c8 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff86ac2f80 RDI: ffffed1012faee6c
RBP: ffff888097d773e8 R08: 0000000000000059 R09: ffff888076196b20
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff86a81e20
R13: 0000000000000000 R14: ffff888076196280 R15: 0000000000000006
 ex_handler_refcount+0x126/0x1a0 arch/x86/mm/extable.c:78
 fixup_exception+0x8b/0xb9 arch/x86/mm/extable.c:197
 do_trap_no_signal arch/x86/kernel/traps.c:208 [inline]
 do_trap+0x65/0x250 arch/x86/kernel/traps.c:257
 do_error_trap+0x153/0x310 arch/x86/kernel/traps.c:301
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:314
 invalid_op+0x1b/0x40 arch/x86/entry/entry_64.S:963
RIP: 0010:refcount_add arch/x86/include/asm/refcount.h:43 [inline]
RIP: 0010:skb_set_owner_w+0x1f8/0x300 net/core/sock.c:1846
RSP: 0018:ffff888097d77670 EFLAGS: 00010a82
RAX: 0000000000040100 RBX: ffff88809e685400 RCX: ffff88809dac787c
RDX: 1ffff11013cd0a9c RSI: ffff88809dac7640 RDI: ffff88809e6854e0
RBP: ffff888097d77690 R08: 1ffff110313c8c90 R09: ffff888189e46480
R10: ffffed10313c8c94 R11: ffff888189e464a3 R12: ffff88809dac7640
R13: ffff88809e685460 R14: ffff88809e685418 R15: ffff88809dac7640
 sock_wmalloc+0xc6/0xf0 net/core/sock.c:1932
 ip_append_page+0x5fd/0xe40 net/ipv4/ip_output.c:1243
 udp_sendpage+0x176/0x3e0 net/ipv4/udp.c:1155
 inet_sendpage+0x157/0x580 net/ipv4/af_inet.c:779
 kernel_sendpage+0x92/0xf0 net/socket.c:3406
 sock_sendpage+0x8b/0xc0 net/socket.c:871
 pipe_to_sendpage+0x242/0x340 fs/splice.c:451
 splice_from_pipe_feed fs/splice.c:502 [inline]
 __splice_from_pipe+0x348/0x780 fs/splice.c:626
 splice_from_pipe+0xf0/0x150 fs/splice.c:661
 generic_splice_sendpage+0x3c/0x50 fs/splice.c:832
 do_splice_from fs/splice.c:851 [inline]
 direct_splice_actor+0x123/0x190 fs/splice.c:1018
 splice_direct_to_actor+0x29e/0x7b0 fs/splice.c:973
 do_splice_direct+0x18d/0x230 fs/splice.c:1061
 do_sendfile+0x4db/0xbd0 fs/read_write.c:1441
 SYSC_sendfile64 fs/read_write.c:1502 [inline]
 SyS_sendfile64+0x102/0x110 fs/read_write.c:1488
 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45a679
RSP: 002b:00007f624d297c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 000000000045a679
RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000000005
RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000010001 R11: 0000000000000246 R12: 00007f624d2986d4
R13: 00000000004c8d9f R14: 00000000004e0670 R15: 00000000ffffffff
Kernel Offset: disabled
Rebooting in 86400 seconds..

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2019/12/02 00:16 linux-4.14.y fbc5fe7a54d0 f879db37 .config console log report syz ci2-linux-4-14