syzbot

 sign-in | mailing list | source | docs
🐞 Open [1646]
Subsystems
🐞 Fixed [6010]
🐞 Invalid [14806]
Missing Backports [135]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

WARNING: refcount bug in compat_SyS_x86_clone

Status: closed as invalid on 2018/04/05 17:01
Subsystems: mm
[Documentation on labels]
First crash: 2490d, last: 2490d

Sample crash report:
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x914/0xae0 lib/fault-inject.c:149
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 4479 at lib/refcount.c:187 refcount_sub_and_test+0x242/0x280 lib/refcount.c:187
Kernel panic - not syncing: panic_on_warn set ...

 should_failslab+0xec/0x120 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:422 [inline]
 slab_alloc mm/slab.c:3366 [inline]
 kmem_cache_alloc+0x47/0x760 mm/slab.c:3540
 anon_vma_chain_alloc mm/rmap.c:128 [inline]
 __anon_vma_prepare+0xbc/0x6e0 mm/rmap.c:182
 anon_vma_prepare include/linux/rmap.h:153 [inline]
 do_huge_pmd_anonymous_page+0x1099/0x1a80 mm/huge_memory.c:679
 create_huge_pmd mm/memory.c:3870 [inline]
 __handle_mm_fault+0x17ac/0x38e0 mm/memory.c:4074
 handle_mm_fault+0x44a/0xb20 mm/memory.c:4140
 __do_page_fault+0x560/0xbe0 arch/x86/mm/fault.c:1399
 do_page_fault+0xee/0x730 arch/x86/mm/fault.c:1474
 page_fault+0x25/0x50 arch/x86/entry/entry_64.S:1156
RIP: 0010:__put_user_4+0x1c/0x30 arch/x86/lib/putuser.S:68
RSP: 0018:ffff8801acc87b40 EFLAGS: 00010297
RAX: 0000000000000004 RBX: 00007fffffffeffd RCX: 000000002006fffc
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000282
RBP: ffff8801acc87d78 R08: 0000000000000000 R09: 1ffff10035990f45
R10: ffff8801acc879f0 R11: 0000000000000000 R12: 00000000201043f9
R13: ffff8801ac748080 R14: 0000000000000000 R15: 0000000000000004
 C_SYSC_x86_clone arch/x86/ia32/sys_ia32.c:240 [inline]
 compat_SyS_x86_clone+0x3b/0x50 arch/x86/ia32/sys_ia32.c:236
 do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
 do_fast_syscall_32+0x3ec/0xf9f arch/x86/entry/common.c:392
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7f04c99
RSP: 002b:00000000f7f000ac EFLAGS: 00000282 ORIG_RAX: 0000000000000078
RAX: ffffffffffffffda RBX: 00000000201043f9 RCX: 0000000020e02000
RDX: 000000002006fffc RSI: 0000000020000180 RDI: 0000000020000080
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
CPU: 1 PID: 4479 Comm: syz-executor0 Not tainted 4.16.0+ #288
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
IPVS: ftp: loaded support on port[0] = 21
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1a7/0x27d lib/dump_stack.c:53
 panic+0x1f8/0x42c kernel/panic.c:183
IPVS: ftp: loaded support on port[0] = 21
 __warn+0x1dc/0x200 kernel/panic.c:547
 report_bug+0x1f4/0x2b0 lib/bug.c:186
 fixup_bug.part.10+0x37/0x80 arch/x86/kernel/traps.c:178
 fixup_bug arch/x86/kernel/traps.c:247 [inline]
 do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
IPVS: ftp: loaded support on port[0] = 21
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
 invalid_op+0x1b/0x40 arch/x86/entry/entry_64.S:991
RIP: 0010:refcount_sub_and_test+0x242/0x280 lib/refcount.c:187
RSP: 0018:ffff8801ad647070 EFLAGS: 00010282
RAX: dffffc0000000008 RBX: 00000000ffffffff RCX: ffffffff815b324e
IPVS: ftp: loaded support on port[0] = 21
RDX: 0000000000000000 RSI: 1ffff10035ac8dbe RDI: 1ffff10035ac8d93
RBP: ffff8801ad647148 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffff8801d9a53850
R13: 1ffff10035ac8e10 R14: ffff8801ad6470a0 R15: ffff8801ad647120
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
 refcount_dec_and_test+0x1a/0x20 lib/refcount.c:212
 kref_put include/linux/kref.h:69 [inline]
 put_pid_ns+0x9d/0xc0 kernel/pid_namespace.c:192
 free_nsproxy+0xfa/0x1f0 kernel/nsproxy.c:182
 switch_task_namespaces+0xaa/0xc0 kernel/nsproxy.c:229
 exit_task_namespaces+0x17/0x20 kernel/nsproxy.c:234
 copy_process.part.38+0x415b/0x6140 kernel/fork.c:1988
 copy_process kernel/fork.c:1606 [inline]
 _do_fork+0x1f7/0xfa0 kernel/fork.c:2087
 C_SYSC_x86_clone arch/x86/ia32/sys_ia32.c:240 [inline]
 compat_SyS_x86_clone+0x3b/0x50 arch/x86/ia32/sys_ia32.c:236
 do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
 do_fast_syscall_32+0x3ec/0xf9f arch/x86/entry/common.c:392
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7f3ac99
RSP: 002b:00000000f7f360ac EFLAGS: 00000282 ORIG_RAX: 0000000000000078
RAX: ffffffffffffffda RBX: 00000000201043f9 RCX: 0000000020e02000
RDX: 000000002006fffc RSI: 0000000020000180 RDI: 0000000020000080
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
CPU: 0 PID: 4487 Comm: syz-executor7 Not tainted 4.16.0+ #288
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1a7/0x27d lib/dump_stack.c:53
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail+0x914/0xae0 lib/fault-inject.c:149
 should_failslab+0xec/0x120 mm/failslab.c:32
 slab_pre_alloc_hook mm/slab.h:422 [inline]
 slab_alloc mm/slab.c:3366 [inline]
 kmem_cache_alloc+0x47/0x760 mm/slab.c:3540
 proc_alloc_inode+0x1b/0x190 fs/proc/inode.c:63
 alloc_inode+0x65/0x180 fs/inode.c:209
 new_inode_pseudo+0x69/0x190 fs/inode.c:890
 proc_setup_thread_self+0xd9/0x390 fs/proc/thread_self.c:45
 proc_fill_super+0x250/0x310 fs/proc/inode.c:518
 mount_ns+0xc4/0x190 fs/super.c:1036
 proc_mount+0x7a/0x90 fs/proc/root.c:101
 mount_fs+0x66/0x2d0 fs/super.c:1222
 vfs_kern_mount.part.26+0xc6/0x4a0 fs/namespace.c:1037
 vfs_kern_mount fs/namespace.c:3303 [inline]
 kern_mount_data+0x50/0xb0 fs/namespace.c:3303
 pid_ns_prepare_proc+0x1e/0x80 fs/proc/root.c:222
 alloc_pid+0x88e/0xa10 kernel/pid.c:208
 copy_process.part.38+0x274c/0x6140 kernel/fork.c:1807
 copy_process kernel/fork.c:1606 [inline]
 _do_fork+0x1f7/0xfa0 kernel/fork.c:2087
 C_SYSC_x86_clone arch/x86/ia32/sys_ia32.c:240 [inline]
 compat_SyS_x86_clone+0x3b/0x50 arch/x86/ia32/sys_ia32.c:236
 do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
 do_fast_syscall_32+0x3ec/0xf9f arch/x86/entry/common.c:392
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7f04c99
RSP: 002b:00000000f7f000ac EFLAGS: 00000282 ORIG_RAX: 0000000000000078
RAX: ffffffffffffffda RBX: 00000000201043f9 RCX: 0000000020e02000
RDX: 000000002006fffc RSI: 0000000020000180 RDI: 0000000020000080
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2018/04/05 15:41 upstream f2d285669aae 5e1ccffc .config console log report syz ci-upstream-kasan-gce-386
* Struck through repros no longer work on HEAD.