

panic: Incrementing non-positive count ADDR on stack.PacketBuffer

Status: fixed on 2022/02/01 22:27
Fix commit: 6d15b0ee64f1 Fix packet buffer reference counting in IP fragmentation/reassembly.
First crash: 1039 days before this page was rendered; last: 1039 days (all nine recorded crashes are from 2022/01/21, i.e. the bug was found and fixed within roughly two weeks).

Sample crash report (frames read bottom-up, from the sendmsg(2) entry in the Sentry to the panic):

Reviewer notes: the panic is raised by the PacketBuffer reference-count checker in `(*packetBufferRefs).IncRef` (packet_buffer_refs.go:90), called from the UDP endpoint's `HandlePacket`. "Incrementing non-positive count" means the receive path tried to take a reference on a buffer whose count had already dropped to zero, i.e. the buffer had been released while still in use; the checker turns what would otherwise be a silent use-after-release into a panic. The entire trace is one goroutine: a UDP `write` is split by IPv6 `handleFragments`, the fragments are written to the loopback link and delivered back synchronously into `ipv6.(*endpoint).HandlePacket`, `processExtensionHeaders` (presumably after fragment reassembly) hands the payload to `DeliverTransportPacket`, and the UDP endpoint then touches the stale buffer. Since the Sentry hosts the whole network stack, an unprivileged process inside the sandbox that can send a fragmented UDP datagram to a local address can presumably take down the sandbox (denial of service). The fix commit's title points at the reference counting in IP fragmentation/reassembly as the root cause; both syz and C reproducers were recorded (see table below).
panic: Incrementing non-positive count 0xc00033f180 on stack.PacketBuffer

goroutine 13 [running]:
panic(0x1212980, 0xc000800540)
	GOROOT/src/runtime/panic.go:1065 +0x565 fp=0xc00072b490 sp=0xc00072b3c8 pc=0x437c65
gvisor.dev/gvisor/pkg/tcpip/stack.(*packetBufferRefs).IncRef(0xc00033f180)
	bazel-out/k8-fastbuild-ST-4c64f0b3d5c7/bin/pkg/tcpip/stack/packet_buffer_refs.go:90 +0x18c fp=0xc00072b508 sp=0xc00072b490 pc=0x9e928c
gvisor.dev/gvisor/pkg/tcpip/transport/udp.(*endpoint).HandlePacket(0xc000132900, 0x4e21, 0xc0006f8bc0, 0x10, 0x4e21, 0xc0006f8bb0, 0x10, 0xc00033f180)
	pkg/tcpip/transport/udp/endpoint.go:1113 +0x565 fp=0xc00072e6c8 sp=0xc00072b508 pc=0xc327e5
gvisor.dev/gvisor/pkg/tcpip/stack.(*endpointsByNIC).handlePacket(0xc0005dc090, 0x4e21, 0xc0006f8bc0, 0x10, 0x4e21, 0xc0006f8bb0, 0x10, 0xc00033f180, 0xc0006f8bc0)
	pkg/tcpip/stack/transport_demuxer.go:223 +0x28a fp=0xc00072e750 sp=0xc00072e6c8 pc=0x9fb0aa
gvisor.dev/gvisor/pkg/tcpip/stack.(*transportDemuxer).deliverPacket(0xc0005c42e8, 0xc000000011, 0xc00033f180, 0x4e21, 0xc0006f8bc0, 0x10, 0x4e21, 0xc0006f8bb0, 0x10, 0xc000520858)
	pkg/tcpip/stack/transport_demuxer.go:736 +0x2cb fp=0xc00072e7f0 sp=0xc00072e750 pc=0x9fdeeb
gvisor.dev/gvisor/pkg/tcpip/stack.(*nic).DeliverTransportPacket(0xc00000a1e0, 0xc000000011, 0xc00033f180, 0x0)
	pkg/tcpip/stack/nic.go:1040 +0x305 fp=0xc00072e8f8 sp=0xc00072e7f0 pc=0x9e33c5
gvisor.dev/gvisor/pkg/tcpip/network/ipv6.(*endpoint).processExtensionHeaders(0xc0005d8800, 0xc00009230e, 0x30, 0x30, 0xc00033f880, 0x15f9a00, 0xc0007f2200, 0x1ff800c0)
	pkg/tcpip/network/ipv6/ipv6.go:1760 +0x19ff fp=0xc00072f250 sp=0xc00072e8f8 pc=0xc1819f
gvisor.dev/gvisor/pkg/tcpip/network/ipv6.(*endpoint).handleValidatedPacket(0xc0005d8800, 0xc00009230e, 0x30, 0x30, 0xc00033f880, 0x142b5ca, 0x2)
	pkg/tcpip/network/ipv6/ipv6.go:1319 +0x365 fp=0xc00072f4b0 sp=0xc00072f250 pc=0xc16345
gvisor.dev/gvisor/pkg/tcpip/network/ipv6.(*endpoint).HandlePacket(0xc0005d8800, 0xc00033f880)
	pkg/tcpip/network/ipv6/ipv6.go:1209 +0x1a5 fp=0xc00072f710 sp=0xc00072f4b0 pc=0xc158c5
gvisor.dev/gvisor/pkg/tcpip/stack.(*nic).DeliverNetworkPacket(0xc00000a1e0, 0xc0006f8b18, 0x6, 0xc0006f8b20, 0x6, 0x86dd, 0xc00033f880)
	pkg/tcpip/stack/nic.go:938 +0x3ae fp=0xc00072f7c8 sp=0xc00072f710 pc=0x9e2c6e
gvisor.dev/gvisor/pkg/tcpip/link/nested.(*Endpoint).DeliverNetworkPacket(0xc0005c61e0, 0xc0006f8b18, 0x6, 0xc0006f8b20, 0x6, 0x86dd, 0xc00033f880)
	pkg/tcpip/link/nested/nested.go:63 +0x104 fp=0xc00072f828 sp=0xc00072f7c8 pc=0xcb90c4
gvisor.dev/gvisor/pkg/tcpip/link/ethernet.(*Endpoint).DeliverNetworkPacket(0xc0005c61e0, 0x0, 0x0, 0x0, 0x0, 0x86dd, 0xc00033f880)
	pkg/tcpip/link/ethernet/ethernet.go:82 +0x1bb fp=0xc00072f898 sp=0xc00072f828 pc=0xf9d1fb
gvisor.dev/gvisor/pkg/tcpip/link/loopback.(*endpoint).WriteRawPacket(0xc000800430, 0xc00033f500, 0x0, 0x0)
	pkg/tcpip/link/loopback/loopback.go:125 +0x12f fp=0xc00072f908 sp=0xc00072f898 pc=0xf9ddcf
gvisor.dev/gvisor/pkg/tcpip/link/loopback.(*endpoint).WritePackets(0xc000800430, 0xc00033f500, 0xc00033f500, 0x0, 0x0, 0xc0000086dd)
	pkg/tcpip/link/loopback/loopback.go:91 +0x90 fp=0xc00072f948 sp=0xc00072f908 pc=0xf9dbf0
gvisor.dev/gvisor/pkg/tcpip/link/nested.(*Endpoint).WritePackets(...)
	pkg/tcpip/link/nested/nested.go:120
gvisor.dev/gvisor/pkg/tcpip/link/ethernet.(*Endpoint).WritePackets(0xc0005c61e0, 0xc00033f500, 0xc00033f500, 0x0, 0x0, 0x0)
	pkg/tcpip/link/ethernet/ethernet.go:108 +0x10e fp=0xc00072f9a8 sp=0xc00072f948 pc=0xf9d40e
gvisor.dev/gvisor/pkg/tcpip/stack.(*delegatingQueueingDiscipline).WritePacket(0xc000800440, 0xc00033f500, 0x0, 0xc00033f500)
	pkg/tcpip/stack/nic.go:166 +0x75 fp=0xc00072f9f8 sp=0xc00072f9a8 pc=0x9df275
gvisor.dev/gvisor/pkg/tcpip/stack.(*nic).writePacket(0xc00000a1e0, 0xc00033f500, 0xc0006f8a80, 0x10)
	pkg/tcpip/stack/nic.go:448 +0xbf fp=0xc00072fa40 sp=0xc00072f9f8 pc=0x9e0b3f
gvisor.dev/gvisor/pkg/tcpip/stack.(*nic).WritePacket(0xc00000a1e0, 0xc00015a500, 0xc00033f500, 0x0, 0x0)
	pkg/tcpip/stack/nic.go:407 +0x229 fp=0xc00072fb80 sp=0xc00072fa40 pc=0x9e08e9
gvisor.dev/gvisor/pkg/tcpip/network/ipv6.(*endpoint).writePacket.func1(0xc00033f500, 0xc00009228e, 0x28)
	pkg/tcpip/network/ipv6/ipv6.go:947 +0x52 fp=0xc00072fbb8 sp=0xc00072fb80 pc=0xc29172
gvisor.dev/gvisor/pkg/tcpip/network/ipv6.(*endpoint).handleFragments(0xc0005d8800, 0xc00015a500, 0xc00000ffca, 0xc00033ea80, 0x11, 0xc00072fd68, 0x2, 0x1, 0x0, 0x0)
	pkg/tcpip/network/ipv6/ipv6.go:837 +0x270 fp=0xc00072fcf0 sp=0xc00072fbb8 pc=0xc13a30
gvisor.dev/gvisor/pkg/tcpip/network/ipv6.(*endpoint).writePacket(0xc0005d8800, 0xc00015a500, 0xc00033ea80, 0x11, 0x10, 0x4000000001)
	pkg/tcpip/network/ipv6/ipv6.go:941 +0x2ec fp=0xc00072ff40 sp=0xc00072fcf0 pc=0xc1432c
gvisor.dev/gvisor/pkg/tcpip/network/ipv6.(*endpoint).WritePacket(0xc0005d8800, 0xc00015a500, 0x4000000011, 0xc00033ea80, 0x9e590e, 0x15ebb28)
	pkg/tcpip/network/ipv6/ipv6.go:892 +0x2fd fp=0xc00072ffe0 sp=0xc00072ff40 pc=0xc13f1d
gvisor.dev/gvisor/pkg/tcpip/stack.(*Route).WritePacket(0xc00015a500, 0x4000000011, 0xc00033ea80, 0xc000522110, 0xc00033ea80)
	pkg/tcpip/stack/route.go:572 +0xd7 fp=0xc000730020 sp=0xc00072ffe0 pc=0x9ed7f7
gvisor.dev/gvisor/pkg/tcpip/transport/internal/network.(*WriteContext).WritePacket(0xc000522188, 0xc00033ea80, 0x0, 0xc0005220f8, 0x8)
	pkg/tcpip/transport/internal/network/endpoint.go:295 +0xd6 fp=0xc000730058 sp=0xc000730020 pc=0xba2cd6
gvisor.dev/gvisor/pkg/tcpip/transport/udp.(*endpoint).write(0xc000132900, 0x15dd108, 0xc0005c6280, 0xc0007fc2e0, 0x0, 0x0, 0x0, 0x0)
	pkg/tcpip/transport/udp/endpoint.go:563 +0x4b5 fp=0xc000731608 sp=0xc000730058 pc=0xc2fd15
gvisor.dev/gvisor/pkg/tcpip/transport/udp.(*endpoint).Write(0xc000132900, 0x15dd108, 0xc0005c6280, 0xc0007fc2e0, 0xc000000000, 0x10, 0x4e21, 0xa8000a)
	pkg/tcpip/transport/udp/endpoint.go:392 +0x72 fp=0xc000731658 sp=0xc000731608 pc=0xc2ec92
gvisor.dev/gvisor/pkg/sentry/socket/netstack.(*socketOpsCommon).SendMsg(0xc0004625b0, 0xc000552a80, 0x15f6b80, 0xc000939000, 0xc0002b8100, 0x8, 0x0, 0xfff1, 0x100, 0xc0007fe060, ...)
	pkg/sentry/socket/netstack/netstack.go:3915 +0x243 fp=0xc0007317b8 sp=0xc000731658 pc=0xc4f623
gvisor.dev/gvisor/pkg/sentry/syscalls/linux/vfs2.sendSingleMsg(0xc000552a80, 0x3f5b59ba23c8, 0xc000462540, 0xc000462540, 0x20000040, 0x0, 0x0, 0x0, 0x0)
	pkg/sentry/syscalls/linux/vfs2/socket.go:1437 +0x555 fp=0xc000731b18 sp=0xc0007317b8 pc=0xf777b5
gvisor.dev/gvisor/pkg/sentry/syscalls/linux/vfs2.SendMsg(0xc000552a80, 0x3, 0x20000040, 0x0, 0x55ccb19c9e40, 0x55ccb19c9e40, 0x55ccb19c9e40, 0x0, 0x0, 0x0, ...)
	pkg/sentry/syscalls/linux/vfs2/socket.go:1263 +0x23c fp=0xc000731bb8 sp=0xc000731b18 pc=0xf7681c
gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).executeSyscall(0xc000552a80, 0x2e, 0x3, 0x20000040, 0x0, 0x55ccb19c9e40, 0x55ccb19c9e40, 0x55ccb19c9e40, 0xc000001fa0, 0x14266c0, ...)
	pkg/sentry/kernel/task_syscall.go:115 +0x199 fp=0xc000731c78 sp=0xc000731bb8 pc=0xa84959
gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).doSyscallInvoke(0xc000552a80, 0x2e, 0x3, 0x20000040, 0x0, 0x55ccb19c9e40, 0x55ccb19c9e40, 0x55ccb19c9e40, 0x55ccb19c9e40, 0x55ccb19c9e40)
	pkg/sentry/kernel/task_syscall.go:290 +0x70 fp=0xc000731d00 sp=0xc000731c78 pc=0xa85c30
gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).doSyscallEnter(0xc000552a80, 0x2e, 0x3, 0x20000040, 0x0, 0x55ccb19c9e40, 0x55ccb19c9e40, 0x55ccb19c9e40, 0x0, 0x0)
	pkg/sentry/kernel/task_syscall.go:237 +0xb4 fp=0xc000731d60 sp=0xc000731d00 pc=0xa85714
gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).doSyscall(0xc000552a80, 0x2, 0xc000552a80)
	pkg/sentry/kernel/task_syscall.go:204 +0x198 fp=0xc000731e30 sp=0xc000731d60 pc=0xa84ff8
gvisor.dev/gvisor/pkg/sentry/kernel.(*runApp).execute(0x0, 0xc000552a80, 0x15cf340, 0x0)
	pkg/sentry/kernel/task_run.go:294 +0xd9a fp=0xc000731f68 sp=0xc000731e30 pc=0xa77f1a
gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).run(0xc000552a80, 0xc)
	pkg/sentry/kernel/task_run.go:98 +0x1b9 fp=0xc000731fd0 sp=0xc000731f68 pc=0xa76cd9
runtime.goexit()
	src/runtime/asm_amd64.s:1371 +0x1 fp=0xc000731fd8 sp=0xc000731fd0 pc=0x472861
created by gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).Start
	pkg/sentry/kernel/task_start.go:398 +0x116

Crashes (9):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2022/01/21 16:23 gvisor 65a26689cb04 214351e1 .config console log report syz C ci-gvisor-kvm-cover panic: Incrementing non-positive count ADDR on stack.PacketBuffer
2022/01/21 16:23 gvisor 65a26689cb04 214351e1 .config console log report syz C ci-gvisor-kvm panic: Incrementing non-positive count ADDR on stack.PacketBuffer
2022/01/21 16:19 gvisor 3d578afc8da9 214351e1 .config console log report syz C ci-gvisor-ptrace-1-race panic: Incrementing non-positive count ADDR on stack.PacketBuffer
2022/01/21 16:18 gvisor 65a26689cb04 214351e1 .config console log report syz C ci-gvisor-ptrace-1 panic: Incrementing non-positive count ADDR on stack.PacketBuffer
2022/01/21 16:15 gvisor 65a26689cb04 214351e1 .config console log report syz C ci-gvisor-ptrace-2 panic: Incrementing non-positive count ADDR on stack.PacketBuffer
2022/01/21 16:14 gvisor 65a26689cb04 214351e1 .config console log report syz C ci-gvisor-ptrace-2-cover panic: Incrementing non-positive count ADDR on stack.PacketBuffer
2022/01/21 15:55 gvisor 65a26689cb04 214351e1 .config console log report syz C ci-gvisor-ptrace-1-cover panic: Incrementing non-positive count ADDR on stack.PacketBuffer
2022/01/21 16:18 gvisor 3d578afc8da9 214351e1 .config console log report syz ci-gvisor-ptrace-2-race panic: Incrementing non-positive count ADDR on stack.PacketBuffer
2022/01/21 15:40 gvisor 65a26689cb04 214351e1 .config console log report info ci-gvisor-ptrace-1-cover panic: Incrementing non-positive count ADDR on stack.PacketBuffer
* On the original page, reproducers shown struck through no longer work on HEAD; that formatting is not preserved in this text rendering, so the repro status of each row above cannot be read from this copy.