syzbot


WARNING: refcount bug in p9_client_walk

Status: upstream: reported C repro on 2022/11/21 16:08
Reported-by: syzbot+2600f43a81c05675a9ae@syzkaller.appspotmail.com
First crash: 13d, last: 10d

Sample crash report:
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 3123 at lib/refcount.c:28 refcount_warn_saturate+0x1a0/0x1c8 lib/refcount.c:28
Modules linked in:
CPU: 1 PID: 3123 Comm: syz-executor293 Not tainted 6.1.0-rc6-syzkaller-32653-g65762d97e6fa #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/30/2022
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : refcount_warn_saturate+0x1a0/0x1c8 lib/refcount.c:28
lr : refcount_warn_saturate+0x1a0/0x1c8 lib/refcount.c:28
sp : ffff800012e239a0
x29: ffff800012e239a0 x28: 0000000000000040 x27: ffff0000ca7319c0
x26: 0000000000008000 x25: 0000000000000000 x24: ffff0000cb3c1088
x23: 0000000000000000 x22: 0000000000000000 x21: ffff0000cd13800c
x20: 0000000000000003 x19: ffff80000d990000 x18: 00000000000000c0
x17: ffff80000ddda198 x16: ffff80000dc18158 x15: ffff0000c9323480
x14: 0000000000000000 x13: 00000000ffffffff x12: ffff0000c9323480
x11: ff808000081c4d40 x10: 0000000000000000 x9 : e14a204da9a56700
x8 : e14a204da9a56700 x7 : ffff80000c0b1cb4 x6 : 0000000000000000
x5 : 0000000000000080 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 0000000100000000 x0 : 0000000000000026
Call trace:
 refcount_warn_saturate+0x1a0/0x1c8 lib/refcount.c:28
 __refcount_sub_and_test include/linux/refcount.h:283 [inline]
 __refcount_dec_and_test include/linux/refcount.h:315 [inline]
 refcount_dec_and_test include/linux/refcount.h:333 [inline]
 p9_fid_put include/net/9p/client.h:275 [inline]
 p9_client_walk+0x2a4/0x2e8 net/9p/client.c:1190
 v9fs_vfs_lookup+0xa0/0x37c fs/9p/vfs_inode.c:777
 v9fs_vfs_atomic_open+0x78/0x478 fs/9p/vfs_inode.c:819
 atomic_open fs/namei.c:3276 [inline]
 lookup_open fs/namei.c:3384 [inline]
 open_last_lookups fs/namei.c:3481 [inline]
 path_openat+0x67c/0x11c4 fs/namei.c:3710
 do_filp_open+0xdc/0x1b8 fs/namei.c:3740
 do_sys_openat2+0xb8/0x22c fs/open.c:1310
 do_sys_open fs/open.c:1326 [inline]
 __do_sys_openat fs/open.c:1342 [inline]
 __se_sys_openat fs/open.c:1337 [inline]
 __arm64_sys_openat+0xb0/0xe0 fs/open.c:1337
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
 el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206
 el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:584
irq event stamp: 1140
hardirqs last  enabled at (1139): [<ffff8000081c3024>] __up_console_sem+0xb0/0xfc kernel/printk/printk.c:261
hardirqs last disabled at (1140): [<ffff80000c0a4074>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:405
softirqs last  enabled at (934): [<ffff80000843d9e8>] spin_unlock_bh include/linux/spinlock.h:395 [inline]
softirqs last  enabled at (934): [<ffff80000843d9e8>] bdi_register_va+0x2b4/0x328 mm/backing-dev.c:889
softirqs last disabled at (932): [<ffff80000843d898>] spin_lock_bh include/linux/spinlock.h:355 [inline]
softirqs last disabled at (932): [<ffff80000843d898>] bdi_register_va+0x164/0x328 mm/backing-dev.c:879
---[ end trace 0000000000000000 ]---

Crashes (2):
Manager | Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Title
ci-upstream-gce-arm64 | 2022/11/22 22:01 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | 65762d97e6fa | 9da37ae8 | .config | log | report | syz | C | | WARNING: refcount bug in p9_client_walk
ci-upstream-gce-arm64 | 2022/11/20 09:40 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | 9500fc6e9e60 | 5bb70014 | .config | log | report | syz | C | | WARNING: refcount bug in p9_client_walk
* Struck through repros no longer work on HEAD.