syzbot

WARNING: refcount bug in nr_insert_socket

Status: fixed on 2019/10/04 12:05
Reported-by: syzbot+ec1fd464d849d91c3665@syzkaller.appspotmail.com
Fix commit: 4638faac0327 netrom: hold sock when setting skb->destructor
First crash: 1729d, last: 1700d
Cause bisection: introduced by (bisect log):
commit c8c8218ec5af5d2598381883acbefbf604e56b5e
Author: Cong Wang <xiyou.wangcong@gmail.com>
Date: Thu Jun 27 21:30:58 2019 +0000

  netrom: fix a memory leak in nr_rx_frame()

Crash: WARNING: refcount bug in nr_insert_socket (log)
Repro: C syz .config
Discussions (2)
Title Replies (including bot) Last reply
Reminder: 13 open syzbot bugs in "net/netrom" subsystem 2 (2) 2019/07/24 17:02
WARNING: refcount bug in nr_insert_socket 0 (2) 2019/07/09 20:22

Sample crash report:
------------[ cut here ]------------
refcount_t: increment on 0; use-after-free.
WARNING: CPU: 1 PID: 13610 at lib/refcount.c:156 refcount_inc_checked lib/refcount.c:156 [inline]
WARNING: CPU: 1 PID: 13610 at lib/refcount.c:156 refcount_inc_checked+0x61/0x70 lib/refcount.c:154
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 13610 Comm: syz-executor646 Not tainted 5.3.0-rc1+ #79
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 panic+0x2dc/0x755 kernel/panic.c:219
 __warn.cold+0x20/0x4c kernel/panic.c:576
 report_bug+0x263/0x2b0 lib/bug.c:186
 fixup_bug arch/x86/kernel/traps.c:179 [inline]
 fixup_bug arch/x86/kernel/traps.c:174 [inline]
 do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:272
 do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:291
 invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1026
RIP: 0010:refcount_inc_checked lib/refcount.c:156 [inline]
RIP: 0010:refcount_inc_checked+0x61/0x70 lib/refcount.c:154
Code: 1d 48 87 64 06 31 ff 89 de e8 cb a3 35 fe 84 db 75 dd e8 82 a2 35 fe 48 c7 c7 c0 02 c6 87 c6 05 28 87 64 06 01 e8 67 05 07 fe <0f> 0b eb c1 90 90 90 90 90 90 90 90 90 90 90 55 48 89 e5 41 57 41
RSP: 0018:ffff8880ae909bf0 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000100 RSI: ffffffff815c5bd6 RDI: ffffed1015d21370
RBP: ffff8880ae909c00 R08: ffff888091416580 R09: fffffbfff11b4285
R10: fffffbfff11b4284 R11: ffffffff88da1423 R12: ffff8880910560c0
R13: ffff8880910560a8 R14: ffff88808bc42d48 R15: ffff88808bc42d20
 sock_hold include/net/sock.h:649 [inline]
 sk_add_node include/net/sock.h:701 [inline]
 nr_insert_socket+0x2d/0xe0 net/netrom/af_netrom.c:137
 nr_rx_frame+0x1605/0x1e73 net/netrom/af_netrom.c:1023
 nr_loopback_timer+0x7b/0x170 net/netrom/nr_loopback.c:59
 call_timer_fn+0x1ac/0x780 kernel/time/timer.c:1322
 expire_timers kernel/time/timer.c:1366 [inline]
 __run_timers kernel/time/timer.c:1685 [inline]
 __run_timers kernel/time/timer.c:1653 [inline]
 run_timer_softirq+0x697/0x17a0 kernel/time/timer.c:1698
 __do_softirq+0x262/0x98c kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x19b/0x1e0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:537 [inline]
 smp_apic_timer_interrupt+0x1a3/0x610 arch/x86/kernel/apic/apic.c:1095
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:828
 </IRQ>
RIP: 0010:kobject_set_name_vargs+0x36/0x150 lib/kobject.c:286
Code: 89 f4 53 48 89 fb e8 29 cd 3a fa 48 89 da 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 f8 00 00 00 48 83 3b 00 <74> 0e e8 03 cd 3a fa 4d 85 e4 0f 84 ca 00 00 00 e8 f5 cc 3a fa 4c
RSP: 0018:ffff8880997ef858 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: dffffc0000000000 RBX: ffff888093b8a960 RCX: 1ffffffff134b2be
RDX: 1ffff1101277152c RSI: ffffffff8737dc07 RDI: ffff888093b8a960
RBP: ffff8880997ef870 R08: ffff888091416580 R09: ffff888093b8ab40
R10: ffffed101277156f R11: ffff888093b8ab7f R12: ffffffff88280180
R13: ffff8880997ef8a0 R14: ffff888093b8ad80 R15: 0000000000000300
 dev_set_name+0xbb/0xf0 drivers/base/core.c:1915
 netdev_register_kobject+0xc3/0x3b0 net/core/net-sysfs.c:1727
 register_netdevice+0x875/0xf10 net/core/dev.c:8723
 __ip_tunnel_create+0x36b/0x530 net/ipv4/ip_tunnel.c:269
 ip_tunnel_init_net+0x375/0x9e0 net/ipv4/ip_tunnel.c:1060
 ipip_init_net+0x2a/0x30 net/ipv4/ipip.c:653
 ops_init+0xb3/0x420 net/core/net_namespace.c:137
 setup_net+0x2d2/0x890 net/core/net_namespace.c:334
 copy_net_ns+0x290/0x41f net/core/net_namespace.c:475
 create_new_namespaces+0x400/0x7b0 kernel/nsproxy.c:103
 unshare_nsproxy_namespaces+0xc2/0x200 kernel/nsproxy.c:202
 ksys_unshare+0x444/0x980 kernel/fork.c:2831
 __do_sys_unshare kernel/fork.c:2899 [inline]
 __se_sys_unshare kernel/fork.c:2897 [inline]
 __x64_sys_unshare+0x31/0x40 kernel/fork.c:2897
 do_syscall_64+0xfd/0x6a0 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x448cc9
Code: e8 ac e7 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 4b 06 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fb9f4f92d88 EFLAGS: 00000246 ORIG_RAX: 0000000000000110
RAX: ffffffffffffffda RBX: 00000000006e4a18 RCX: 0000000000448cc9
RDX: 0000000000448cc9 RSI: 0000000000448cc9 RDI: 0000000040000000
RBP: 00000000006e4a10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006e4a1c
R13: 00007fffd0ddcf7f R14: 00007fb9f4f939c0 R15: 00000000006e4a1c
Kernel Offset: disabled
Rebooting in 86400 seconds..

Crashes (55):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2019/07/28 05:26 upstream 5168afe6ef59 c85e1c5b .config console log report syz C ci-upstream-kasan-gce-selinux-root
2019/07/28 02:32 upstream 5168afe6ef59 c85e1c5b .config console log report syz C ci-upstream-kasan-gce-root
2019/07/26 20:34 upstream 6789f873ed37 3e5d1beb .config console log report syz C ci-upstream-kasan-gce-root
2019/07/26 03:49 upstream 6789f873ed37 732bc5a0 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2019/07/25 08:13 upstream bed38c3e2dca 32329ceb .config console log report syz C ci-upstream-kasan-gce-selinux-root
2019/07/25 07:05 upstream bed38c3e2dca 32329ceb .config console log report syz C ci-upstream-kasan-gce-root
2019/07/23 10:52 upstream c6dd78fcb8ee 55e0c077 .config console log report syz C ci-upstream-kasan-gce-root
2019/07/22 19:00 upstream c6dd78fcb8ee b3c615f5 .config console log report syz C ci-upstream-kasan-gce-root
2019/07/20 13:14 upstream abdfd52a295f 1656845f .config console log report syz C ci-upstream-kasan-gce-root
2019/07/17 12:01 upstream 3eb514866f20 0d10349c .config console log report syz C ci-upstream-kasan-gce-root
2019/07/17 06:18 upstream 3eb514866f20 0d10349c .config console log report syz C ci-upstream-kasan-gce-selinux-root
2019/07/25 04:56 net-old 107e47cc80ec 32329ceb .config console log report syz C ci-upstream-net-this-kasan-gce
2019/07/20 10:05 net-old 31cc088a4f5d 1656845f .config console log report syz C ci-upstream-net-this-kasan-gce
2019/07/31 07:48 net-next-old 31cc088a4f5d 7c7ded69 .config console log report syz C ci-upstream-net-kasan-gce
2019/07/26 22:21 net-next-old 31cc088a4f5d 3e5d1beb .config console log report syz C ci-upstream-net-kasan-gce
2019/07/25 07:09 net-next-old 31cc088a4f5d 32329ceb .config console log report syz C ci-upstream-net-kasan-gce
2019/07/25 04:27 net-next-old 31cc088a4f5d 32329ceb .config console log report syz C ci-upstream-net-kasan-gce
2019/07/22 13:37 net-next-old 31cc088a4f5d b3c615f5 .config console log report syz C ci-upstream-net-kasan-gce
2019/07/20 12:13 net-next-old 31cc088a4f5d 1656845f .config console log report syz C ci-upstream-net-kasan-gce
2019/07/17 05:35 net-next-old 192f0f8e9db7 0d10349c .config console log report syz C ci-upstream-net-kasan-gce
2019/07/25 06:32 linux-next 9e6dfe8045f8 32329ceb .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2019/07/20 06:12 linux-next 6d21a41b7b1f 1656845f .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2019/07/09 15:20 linux-next 4608a726c668 f62e1e85 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2019/07/28 08:36 upstream 5168afe6ef59 c85e1c5b .config console log report syz ci-upstream-kasan-gce-root
2019/07/26 21:32 upstream 6789f873ed37 3e5d1beb .config console log report syz ci-upstream-kasan-gce-selinux-root
2019/07/20 03:02 net-old 8d650cdedaab 1656845f .config console log report syz ci-upstream-net-this-kasan-gce
2019/07/17 13:01 net-old a5b647007e9d 0d10349c .config console log report syz ci-upstream-net-this-kasan-gce
2019/07/26 00:52 linux-next 13bf6d6a51df 732bc5a0 .config console log report syz ci-upstream-linux-next-kasan-gce-root
2019/07/17 15:41 linux-next e40115c06b1d f613a7c4 .config console log report syz ci-upstream-linux-next-kasan-gce-root
2019/08/03 02:34 upstream 97b00aff2c45 6affd8e8 .config console log report ci-upstream-kasan-gce-selinux-root
2019/08/01 18:08 upstream 1e78030e5e5b 835dffe7 .config console log report ci-upstream-kasan-gce-root
2019/07/29 05:09 upstream a9815a4fa2fd c85e1c5b .config console log report ci-upstream-kasan-gce-root
2019/07/28 01:55 upstream 5168afe6ef59 c85e1c5b .config console log report ci-upstream-kasan-gce-root
2019/07/27 10:04 upstream 3ea54d9b0d65 c85e1c5b .config console log report ci-upstream-kasan-gce-selinux-root
2019/07/25 20:44 upstream 6789f873ed37 732bc5a0 .config console log report ci-upstream-kasan-gce-root
2019/07/21 15:59 upstream c6dd78fcb8ee 1656845f .config console log report ci-upstream-kasan-gce-selinux-root
2019/07/21 10:36 upstream c6dd78fcb8ee 1656845f .config console log report ci-upstream-kasan-gce-selinux-root
2019/07/20 01:46 upstream 3bfe1fc46794 1656845f .config console log report ci-upstream-kasan-gce-selinux-root
2019/07/19 06:37 upstream 3bfe1fc46794 7bb222f7 .config console log report ci-upstream-kasan-gce-root
2019/07/18 16:14 upstream 22051d9c4a57 7bb222f7 .config console log report ci-upstream-kasan-gce-selinux-root
2019/07/17 07:07 upstream 3eb514866f20 0d10349c .config console log report ci-upstream-kasan-gce-root
2019/07/12 13:53 upstream d7d170a8e357 baa5258a .config console log report ci-upstream-kasan-gce-selinux-root
2019/08/02 06:11 net-old 107e47cc80ec 835dffe7 .config console log report ci-upstream-net-this-kasan-gce
2019/08/01 00:37 net-old 107e47cc80ec c692b5bd .config console log report ci-upstream-net-this-kasan-gce
2019/07/17 22:10 net-old a5b647007e9d f613a7c4 .config console log report ci-upstream-net-this-kasan-gce
2019/07/28 04:13 net-next-old 31cc088a4f5d c85e1c5b .config console log report ci-upstream-net-kasan-gce
2019/07/26 18:52 net-next-old 31cc088a4f5d 3e5d1beb .config console log report ci-upstream-net-kasan-gce
2019/07/20 05:48 net-next-old 31cc088a4f5d 1656845f .config console log report ci-upstream-net-kasan-gce
2019/07/18 17:48 net-next-old 192f0f8e9db7 7bb222f7 .config console log report ci-upstream-net-kasan-gce
2019/07/22 08:46 linux-next 6d21a41b7b1f b3c615f5 .config console log report ci-upstream-linux-next-kasan-gce-root
2019/07/20 06:49 linux-next 6d21a41b7b1f 1656845f .config console log report ci-upstream-linux-next-kasan-gce-root
2019/07/04 20:15 linux-next f9ca7f5a1eb9 55565fa0 .config console log report ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.