syzbot

WARNING: refcount bug in j1939_netdev_start (2)
Status: fixed on 2022/03/08 16:11
Reported-by: syzbot+85d9878b19c94f9019ad@syzkaller.appspotmail.com
Fix commit: d9d52a3ebd28 can: j1939: j1939_netdev_start(): fix UAF for rx_kref of j1939_priv
First crash: 864d, last: 217d

Cause bisection: failed (bisect log)

Fix bisection: failed (bisect log)

Similar bugs (1):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream WARNING: refcount bug in j1939_netdev_start syz done 6 910d 931d 15/22 fixed on 2019/11/29 15:48
Patch testing requests:
Created Duration User Patch Repo Result
2021/08/29 10:06 15m phind.uet@gmail.com linux-next report log

Sample crash report:
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 1 PID: 20874 at lib/refcount.c:25 refcount_warn_saturate+0x169/0x1e0 lib/refcount.c:25
Modules linked in:
CPU: 1 PID: 20874 Comm: syz-executor.0 Not tainted 5.14.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:refcount_warn_saturate+0x169/0x1e0 lib/refcount.c:25
Code: 09 31 ff 89 de e8 77 37 9f fd 84 db 0f 85 36 ff ff ff e8 2a 31 9f fd 48 c7 c7 a0 76 e3 89 c6 05 a8 9e 81 09 01 e8 95 b8 11 05 <0f> 0b e9 17 ff ff ff e8 0b 31 9f fd 0f b6 1d 8d 9e 81 09 31 ff 89
RSP: 0018:ffffc9000a697d20 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff88802e710000 RSI: ffffffff815d8625 RDI: fffff520014d2f96
RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff815d245e R11: 0000000000000000 R12: ffff88803d1f8000
R13: ffffc9000a697e34 R14: ffffc9000a697e40 R15: 0000000000000001
FS:  00007f67dc2a5700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe3cf7e3000 CR3: 0000000012bfe000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __refcount_add include/linux/refcount.h:199 [inline]
 __refcount_inc include/linux/refcount.h:250 [inline]
 refcount_inc include/linux/refcount.h:267 [inline]
 kref_get include/linux/kref.h:45 [inline]
 j1939_netdev_start+0x68b/0x920 net/can/j1939/main.c:254
 j1939_sk_bind+0x426/0xeb0 net/can/j1939/socket.c:482
 __sys_bind+0x1e9/0x250 net/socket.c:1679
 __do_sys_bind net/socket.c:1690 [inline]
 __se_sys_bind net/socket.c:1688 [inline]
 __x64_sys_bind+0x6f/0xb0 net/socket.c:1688
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665f9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f67dc2a5188 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665f9
RDX: 0000000000000018 RSI: 0000000020000240 RDI: 0000000000000004
RBP: 00000000004bfcc4 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007ffdf3844b0f R14: 00007f67dc2a5300 R15: 0000000000022000

Crashes (51):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce 2021/08/31 02:22 upstream 7d2a07b76933 8f58a0ef .config log report syz WARNING: refcount bug in j1939_netdev_start
ci-upstream-kasan-gce-386 2021/09/09 13:04 upstream 0f4b9289bad3 e2776ee4 .config log report syz WARNING: refcount bug in j1939_netdev_start
ci-upstream-net-this-kasan-gce 2021/08/14 23:54 net 5f7735196390 2489ab88 .config log report syz WARNING: refcount bug in j1939_netdev_start
ci-upstream-net-this-kasan-gce 2021/07/25 04:09 net 89bc7f456cd4 4d1b57d4 .config log report syz WARNING: refcount bug in j1939_netdev_start
ci-upstream-net-this-kasan-gce 2021/05/24 12:39 net 5eff1461a6de 3c7fef33 .config log report syz WARNING: refcount bug in j1939_netdev_start
ci-upstream-net-kasan-gce 2021/08/21 14:40 net-next 4af14dbaeae0 b599f2fc .config log report syz WARNING: refcount bug in j1939_netdev_start
ci-upstream-net-kasan-gce 2021/08/15 01:52 net-next fda4e19d505d 2489ab88 .config log report syz WARNING: refcount bug in j1939_netdev_start
ci-upstream-kasan-gce-smack-root 2020/02/26 19:18 upstream f8788d86ab28 59b57593 .config log report syz
ci-upstream-kasan-gce-root 2021/09/27 15:34 upstream 5816b3e6577e 78494d16 .config log report info WARNING: refcount bug in j1939_netdev_start
ci-upstream-kasan-gce 2021/07/28 01:16 upstream 7d549995d4e0 17d6ab15 .config log report info WARNING: refcount bug in j1939_netdev_start
ci-qemu-upstream 2021/07/16 03:21 upstream dd9c7df94c1b f115ae98 .config log report info WARNING: refcount bug in j1939_netdev_start
ci-qemu-upstream 2021/04/18 23:52 upstream bf05bf16c76b 7e2b734b .config log report info WARNING: refcount bug in j1939_netdev_start
ci-qemu-upstream 2021/03/20 01:34 upstream d626c692aaeb 3d01c4de .config log report info WARNING: refcount bug in j1939_netdev_start
ci-qemu-upstream 2021/03/10 16:50 upstream 280d542f6ffa 764067f3 .config log report info WARNING: refcount bug in j1939_netdev_start
ci-qemu2-arm32 2021/10/20 19:58 upstream bf152b0b41dc 418a00eb .config log report info WARNING: refcount bug in j1939_netdev_start
ci-qemu2-arm32 2021/09/27 08:06 upstream bf152b0b41dc 78494d16 .config log report info WARNING: refcount bug in j1939_netdev_start
ci-qemu2-arm32 2021/09/21 07:03 upstream bf152b0b41dc af796c18 .config log report info WARNING: refcount bug in j1939_netdev_start
ci-qemu2-arm64-compat 2021/09/05 14:28 upstream 49624efa65ac d236a457 .config log report info WARNING: refcount bug in j1939_netdev_start
ci-qemu2-arm64-mte 2021/07/30 14:51 upstream 764a5bc89b12 c585c7b0 .config log report info WARNING: refcount bug in j1939_netdev_start
ci-qemu2-arm64-mte 2021/07/20 09:38 upstream 2734d6c1b1a0 bc48c9ab .config log report info WARNING: refcount bug in j1939_netdev_start
ci-qemu2-arm32 2021/07/16 05:39 upstream bf152b0b41dc f115ae98 .config log report info WARNING: refcount bug in j1939_netdev_start
ci-qemu2-arm64-compat 2021/07/04 07:38 upstream 3dbdb38e2869 55aa55c2 .config log report info WARNING: refcount bug in j1939_netdev_start
ci-qemu2-arm64-compat 2021/06/26 12:15 upstream b7050b242430 9d2ab5df .config log report info WARNING: refcount bug in j1939_netdev_start
ci-qemu2-arm32 2021/06/23 04:58 upstream bf152b0b41dc aba2b2fb .config log report info WARNING: refcount bug in j1939_netdev_start
ci-qemu2-arm32 2021/06/22 18:48 upstream bf152b0b41dc aba2b2fb .config log report info WARNING: refcount bug in j1939_netdev_start
ci-qemu2-arm32 2021/06/10 06:55 upstream bf152b0b41dc 1ba81399 .config log report info WARNING: refcount bug in j1939_netdev_start
ci-qemu2-arm64 2021/05/10 09:02 upstream 9819f682e48c bc5434be .config log report info WARNING: refcount bug in j1939_netdev_start
ci-qemu2-arm32 2021/05/08 07:06 upstream bf152b0b41dc bc5434be .config log report info WARNING: refcount bug in j1939_netdev_start
ci-qemu2-arm64-compat 2021/05/06 12:14 upstream d72cd4ad4174 06c27ff5 .config log report info WARNING: refcount bug in j1939_netdev_start
ci-qemu2-arm64-compat 2021/04/30 18:15 upstream d72cd4ad4174 77e2b668 .config log report info WARNING: refcount bug in j1939_netdev_start
ci-qemu2-arm32 2021/04/24 21:22 upstream bf152b0b41dc 17f0b706 .config log report info WARNING: refcount bug in j1939_netdev_start
ci-qemu2-arm64-compat 2021/03/30 05:47 upstream 1e43c377a79f 6a81331a .config log report info WARNING: refcount bug in j1939_netdev_start
ci-qemu2-arm32 2021/03/29 14:13 upstream bf152b0b41dc a8529b82 .config log report info WARNING: refcount bug in j1939_netdev_start
ci-qemu2-arm64 2021/03/25 19:25 upstream e138138003eb 6a383ecf .config log report info WARNING: refcount bug in j1939_netdev_start
ci-qemu2-arm64-compat 2021/03/24 08:41 upstream 7acac4b3196c e613994b .config log report info WARNING: refcount bug in j1939_netdev_start
ci-qemu2-arm64 2021/03/16 14:13 upstream 1a4431a5db2b fdb2bb2c .config log report info WARNING: refcount bug in j1939_netdev_start
ci-qemu2-arm64-compat 2021/02/28 12:46 upstream 5695e5161974 4c37c133 .config log report info WARNING: refcount bug in j1939_netdev_start
ci-qemu2-arm64-mte 2021/02/28 07:43 upstream 5695e5161974 4c37c133 .config log report info WARNING: refcount bug in j1939_netdev_start
ci-qemu2-arm64 2021/02/27 08:36 upstream 8b83369ddcb3 4c37c133 .config log report info WARNING: refcount bug in j1939_netdev_start
ci-upstream-net-this-kasan-gce 2021/08/26 22:21 net 733c99ee8be9 b318694d .config log report info WARNING: refcount bug in j1939_netdev_start
ci-upstream-net-this-kasan-gce 2021/08/14 23:14 net 5f7735196390 2489ab88 .config log report info WARNING: refcount bug in j1939_netdev_start
ci-upstream-net-this-kasan-gce 2021/05/24 10:54 net 5eff1461a6de 3c7fef33 .config log report info WARNING: refcount bug in j1939_netdev_start
ci-upstream-net-kasan-gce 2021/08/21 11:48 net-next 4af14dbaeae0 b599f2fc .config log report info WARNING: refcount bug in j1939_netdev_start
ci-upstream-linux-next-kasan-gce-root 2021/08/10 07:59 linux-next da454ebf578f 6972b106 .config log report info WARNING: refcount bug in j1939_netdev_start
ci-qemu2-riscv64 2021/06/01 21:42 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 18a3c5f7abfd 032639db .config log report info WARNING: refcount bug in j1939_netdev_start
ci-qemu2-riscv64 2021/04/21 01:29 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 7ae11635ec90 c0ced557 .config log report info WARNING: refcount bug in j1939_netdev_start
ci-qemu2-riscv64 2021/04/12 12:19 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 79c338ab575e bfeda1b1 .config log report info WARNING: refcount bug in j1939_netdev_start
ci-upstream-kasan-gce 2020/10/08 13:56 upstream c85fb28b6f99 1880b4a9 .config log report info
ci-upstream-kasan-gce 2020/01/12 21:11 upstream 6327edceb62b 31290a45 .config log report
ci-upstream-net-this-kasan-gce 2020/10/19 17:56 net 0e8b8d6a2d85 ff4a3345 .config log report info
ci-upstream-net-this-kasan-gce 2020/06/09 07:30 net 4d3da2d8d91f 0d60b78a .config log report