syzbot


WARNING: refcount bug in sock_common_setsockopt

Status: closed as invalid on 2019/01/26 08:32
Subsystems: fs mm
Reported-by: syzbot+d9d3c4098b7a2c7a88ee@syzkaller.appspotmail.com
First crash: 2384d, last: 2384d

Sample crash report:
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1db/0x2d0 lib/dump_stack.c:113
 handle_userfault.cold+0x3d/0x5c fs/userfaultfd.c:431
------------[ cut here ]------------
refcount_t: increment on 0; use-after-free.
WARNING: CPU: 1 PID: 9742 at lib/refcount.c:153 refcount_inc_checked lib/refcount.c:153 [inline]
WARNING: CPU: 1 PID: 9742 at lib/refcount.c:153 refcount_inc_checked+0x61/0x70 lib/refcount.c:151
Kernel panic - not syncing: panic_on_warn set ...
 do_anonymous_page mm/memory.c:2921 [inline]
 handle_pte_fault mm/memory.c:3785 [inline]
 __handle_mm_fault+0x4563/0x55a0 mm/memory.c:3911
 handle_mm_fault+0x4ec/0xc80 mm/memory.c:3948
 do_user_addr_fault arch/x86/mm/fault.c:1475 [inline]
 __do_page_fault+0x5da/0xd60 arch/x86/mm/fault.c:1541
 do_page_fault+0xe6/0x7d8 arch/x86/mm/fault.c:1572
 page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1143
RIP: 0010:__get_user_4+0x21/0x30 arch/x86/lib/getuser.S:78
Code: 50 ff 31 c0 0f 1f 00 c3 90 48 83 c0 03 72 55 65 48 8b 14 25 40 ee 01 00 48 3b 82 18 14 00 00 73 43 48 19 d2 48 21 d0 0f 1f 00 <8b> 50 fd 31 c0 0f 1f 00 c3 66 0f 1f 44 00 00 48 83 c0 07 72 25 65
RSP: 0018:ffff88804c3478c8 EFLAGS: 00010202
RAX: 0000000020013e98 RBX: dffffc0000000000 RCX: ffffc9000c43a000
RDX: ffffffffffffffff RSI: ffffffff81b4efc3 RDI: 0000000000000286
RBP: ffff88804c347d18 R08: ffff88804f316480 R09: 0000000000000002
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000004
R13: 0000000000000084 R14: 0000000000000008 R15: ffff88808aab9800
 sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:2991
 __sys_setsockopt+0x1b0/0x3a0 net/socket.c:1902
 __do_sys_setsockopt net/socket.c:1913 [inline]
 __se_sys_setsockopt net/socket.c:1910 [inline]
 __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1910
 do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x458099
Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f3411986c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000458099
RDX: 0000000000000008 RSI: 0000000000000084 RDI: 0000000000000006
RBP: 000000000073bf00 R08: 0000000000000004 R09: 0000000000000000
R10: 0000000020013e95 R11: 0000000000000246 R12: 00007f34119876d4
R13: 00000000004cc6e8 R14: 00000000004da518 R15: 00000000ffffffff
CPU: 1 PID: 9742 Comm: syz-executor0 Not tainted 5.0.0-rc3+ #42
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
kobject: 'loop1' (0000000036284287): fill_kobj_path: path = '/devices/virtual/block/loop1'
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1db/0x2d0 lib/dump_stack.c:113
kobject: 'loop1' (0000000036284287): kobject_uevent_env
 panic+0x2cb/0x65c kernel/panic.c:214
kobject: 'loop1' (0000000036284287): fill_kobj_path: path = '/devices/virtual/block/loop1'
kobject: 'loop1' (0000000036284287): kobject_uevent_env
 __warn.cold+0x20/0x48 kernel/panic.c:571
 report_bug+0x263/0x2b0 lib/bug.c:186
kobject: 'loop1' (0000000036284287): fill_kobj_path: path = '/devices/virtual/block/loop1'
 fixup_bug arch/x86/kernel/traps.c:178 [inline]
 fixup_bug arch/x86/kernel/traps.c:173 [inline]
 do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:271
 do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:290
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:973
RIP: 0010:refcount_inc_checked lib/refcount.c:153 [inline]
RIP: 0010:refcount_inc_checked+0x61/0x70 lib/refcount.c:151
Code: 1d ec 69 c8 06 31 ff 89 de e8 7b 21 f2 fd 84 db 75 dd e8 32 20 f2 fd 48 c7 c7 e0 9d 81 88 c6 05 cc 69 c8 06 01 e8 ff 6c bb fd <0f> 0b eb c1 90 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 54 49
RSP: 0018:ffff88804bcaf6e0 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffc90005ff4000
RDX: 00000000000269a5 RSI: ffffffff816854c6 RDI: 0000000000000005
RBP: ffff88804bcaf6f0 R08: ffff8880960be200 R09: ffff8880960beaa0
R10: ffff8880960be200 R11: 0000000000000000 R12: ffff8880983baf18
R13: 0000000000000000 R14: ffff88808d721478 R15: ffff88804bcaf7f8
 kref_get include/linux/kref.h:47 [inline]
 kobject_get+0x66/0xc0 lib/kobject.c:613
 cdev_get+0x60/0xb0 fs/char_dev.c:358
 chrdev_open+0xc8/0x7c0 fs/char_dev.c:403
 do_dentry_open+0x48a/0x1210 fs/open.c:771
 vfs_open+0xa0/0xd0 fs/open.c:880
 do_last fs/namei.c:3418 [inline]
 path_openat+0x144f/0x5650 fs/namei.c:3534
 do_filp_open+0x26f/0x370 fs/namei.c:3564
 do_sys_open+0x59a/0x7c0 fs/open.c:1063
 __do_sys_open fs/open.c:1081 [inline]
 __se_sys_open fs/open.c:1076 [inline]
 __x64_sys_open+0x7e/0xc0 fs/open.c:1076
 do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x412041
Code: 75 14 b8 02 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 b4 17 00 00 c3 48 83 ec 08 e8 2a fa ff ff 48 89 04 24 b8 02 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 73 fa ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007f3557d187a0 EFLAGS: 00000293 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 6666666666666667 RCX: 0000000000412041
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007f3557d18850
RBP: 000000000073bfa0 R08: 000000000000000f R09: 0000000000000000
R10: 00007f3557d199d0 R11: 0000000000000293 R12: 00007f3557d196d4
R13: 00000000004c6b60 R14: 00000000004dbfe8 R15: 00000000ffffffff
Kernel Offset: disabled
Rebooting in 86400 seconds..

Crashes (1):
Time: 2019/01/25 08:43
Kernel: upstream
Commit: c04e2a780caf
Syzkaller: bfab9cd8
Config: .config
Log: console log
Report: report
Manager: ci-upstream-kasan-gce-root
(No syz repro, C repro, VM info, assets or title recorded for this crash.)