syzbot

WARNING: refcount bug in p9_req_put

Status: fixed on 2020/11/16 12:12
Subsystems: v9fs
Reported-by: syzbot+edec7868af5997928fe9@syzkaller.appspotmail.com
Fix commit: a39c46067c84 net/9p: validate fds in p9_fd_open
First crash: 1977d, last: 1422d
Cause bisection: the cause commit could be any of (bisect log):
  cbce4f444798 net/mlx5e: Enable adaptive-TX moderation
  623ad755226c net/dim: Support adaptive TX moderation
  8399743a5a67 Merge branch 'net-DIM-tx'
  026a807c2de3 net/dim: Rename *_get_profile() functions to *_get_rx_moderation()
  a06ac0d67d9f Revert "net: init sk_cookie for inet socket"
  8c2320e84c19 tcp: md5: only call tp->af_specific->md5_lookup() for md5 sockets
  db688c24eada vhost_net: use packet weight for rx handler, too
  0c6f69a5e364 rhashtable: remove outdated comments about grow_decision etc
  9c20b9372fba net: fib_rules: fix l3mdev netlink attr processing
  82266e98dd4d rhashtable: Revise incorrect comment on r{hl, hash}table_walk_enter()
  b300fcf883ac selftests: net: update .gitignore with missing test
  064223c1231c dca: make function dca_common_get_tag static
  b41cc04b662a rhashtable: reset iter when rhashtable_walk_start sees new table
  5d240a8936f6 rhashtable: improve rhashtable_walk stability when stop/start used.
  f7c3b12cec09 Merge branch 'ipv6-couple-of-fixes-for-rcu-change-to-from'
  5cb5ce336338 Merge branch 'rhash-cleanups'
  8a14e46f1402 net/ipv6: Fix missing rcu dereferences on from
  660de409e25b ipconfig: Document setting of NIS domain name
  c3c14da0288d net/ipv6: add rcu locking to ip6_negative_advice
  40cde8249a82 Merge branch 'qed-debug-data'
  e18bdc83aec4 ipconfig: Tidy up reporting of name servers
  1ac4329a1cff qed: Add configuration information to register dump and debug data
  4e1a8af28d56 ipconfig: BOOTP: Don't request IEN-116 name servers
  b60bfdfec5b8 qed: Delete unused parameter p_ptt from mcp APIs
  de1fa15b6642 ipconfig: BOOTP: Request CONF_NAMESERVERS_MAX name servers
  5f0456b43140 net: stmmac: Implement logic to automatically select HW Interface
  8b0b37c5644e ipconfig: Document /proc/net/pnp
  22148df0d0bd r8169: don't use netif_info et al before net_device has been registered
  300eec7c0a24 ipconfig: Correctly initialise ic_nameservers
  4d019b3f80dc ipconfig: Create /proc/net/ipconfig directory
  c6849a3ac17e net: init sk_cookie for inet socket
  c04d2cb2009f ipconfig: Write NTP server IPs to /proc/net/ipconfig/ntp_servers
  ec8c360a6ecd Merge branch 'fib-rules-extack-support'
  b16fb418b1bf net: fib_rules: add extack support
  bc0fbc66ad1b Merge branch 'ipconfig-NTP-server-support-bug-fixes-documentation-improvements'
  c7d852e301d8 qed: Fix copying 2 strings
  f9d4b0c1e969 fib_rules: move common handling of newrule delrule msgs into fib_nl2rule
  080aaddae5b3 fsl/fman_port: remove redundant check on port->rev_info.major
  a56e6bcd34b5 tc-testing: updated ife test cases
  6163849d289b net: introduce a new tracepoint for tcp_rcv_space_adjust
  95ad7544ad3f net/tls: remove redundant second null check on sgout
  091311debcf0 net/ipv6: fix LOCKDEP issue in rt6_remove_exception_rt()
  48d7a07ba355 hv_netvsc: select needed ucs2_string routine
  16f4faa4f06f liquidio: Swap VF representor Tx and Rx statistics
  e0ada51db907 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
  c749fa181bd5 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
  
Fix bisection: fixed by (bisect log):
commit a39c46067c845a8a2d7144836e9468b7f072343e
Author: Christoph Hellwig <hch@lst.de>
Date: Fri Jul 10 08:57:22 2020 +0000

  net/9p: validate fds in p9_fd_open

Discussions (3)
Title Replies (including bot) Last reply
WARNING: refcount bug in p9_req_put 2 (5) 2020/11/11 13:54
Reminder: 18 open syzbot bugs in "fs/9p" subsystem 1 (1) 2019/07/24 01:46
Reminder: 18 open syzbot bugs in "fs/9p" subsystem 1 (1) 2019/07/02 06:29
Similar bugs (3)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 WARNING: refcount bug in p9_req_put 2 1625d 1666d 0/1 auto-closed as invalid on 2020/02/28 21:29
upstream WARNING: refcount bug in p9_req_put (3) v9fs 3 41d 77d 0/26 upstream: reported on 2024/01/26 09:05
upstream WARNING: refcount bug in p9_req_put (2) v9fs 9 225d 571d 0/26 auto-obsoleted due to no activity on 2023/12/09 05:29
Fix bisection attempts (8)
Created Duration User Patch Repo Result
2020/08/15 00:48 4h33m bisect fix upstream job log (1)
2020/05/21 09:31 31m bisect fix upstream job log (0) log
2020/04/21 08:59 31m bisect fix upstream job log (0) log
2020/03/22 08:28 30m bisect fix upstream job log (0) log
2020/01/28 00:58 32m bisect fix upstream job log (0) log
2019/12/18 21:24 30m bisect fix upstream job log (0) log
2019/11/09 19:30 32m bisect fix upstream job log (0) log
2019/08/22 22:41 31m bisect fix upstream job log (0) log

Sample crash report:
WARNING: CPU: 1 PID: 7959 at lib/refcount.c:190 refcount_sub_and_test_checked lib/refcount.c:190 [inline]
WARNING: CPU: 1 PID: 7959 at lib/refcount.c:190 refcount_sub_and_test_checked+0x1d0/0x200 lib/refcount.c:180
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 7959 Comm: syz-executor.1 Not tainted 5.1.0-rc7+ #96
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 panic+0x2cb/0x65c kernel/panic.c:214
 __warn.cold+0x20/0x45 kernel/panic.c:571
 report_bug+0x263/0x2b0 lib/bug.c:186
 fixup_bug arch/x86/kernel/traps.c:179 [inline]
 fixup_bug arch/x86/kernel/traps.c:174 [inline]
 do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:272
 do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:291
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:973
RIP: 0010:refcount_sub_and_test_checked lib/refcount.c:190 [inline]
RIP: 0010:refcount_sub_and_test_checked+0x1d0/0x200 lib/refcount.c:180
Code: 1d c8 30 2a 06 31 ff 89 de e8 0c 32 40 fe 84 db 75 94 e8 c3 30 40 fe 48 c7 c7 60 79 a1 87 c6 05 a8 30 2a 06 01 e8 ae de 12 fe <0f> 0b e9 75 ff ff ff e8 a4 30 40 fe e9 6e ff ff ff 48 89 df e8 37
RSP: 0018:ffff888089ce7860 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff815afcb6 RDI: ffffed101139cefe
RBP: ffff888089ce78f8 R08: ffff8880a4c584c0 R09: ffffed1015d25011
R10: ffffed1015d25010 R11: ffff8880ae928087 R12: 00000000ffffffff
R13: 0000000000000001 R14: ffff888089ce78d0 R15: 0000000000000000
 refcount_dec_and_test_checked+0x1b/0x20 lib/refcount.c:220
 kref_put include/linux/kref.h:66 [inline]
 p9_req_put+0x20/0x60 net/9p/client.c:401
 p9_conn_destroy net/9p/trans_fd.c:880 [inline]
 p9_fd_close+0x2ee/0x570 net/9p/trans_fd.c:913
 p9_client_create+0x998/0x1400 net/9p/client.c:1083
 v9fs_session_init+0x1e7/0x1960 fs/9p/v9fs.c:421
 v9fs_mount+0x7d/0x920 fs/9p/vfs_super.c:135
 legacy_get_tree+0xf2/0x200 fs/fs_context.c:584
 vfs_get_tree+0x123/0x450 fs/super.c:1481
 do_new_mount fs/namespace.c:2622 [inline]
 do_mount+0x1436/0x2c40 fs/namespace.c:2942
 ksys_mount+0xdb/0x150 fs/namespace.c:3151
 __do_sys_mount fs/namespace.c:3165 [inline]
 __se_sys_mount fs/namespace.c:3162 [inline]
 __x64_sys_mount+0xbe/0x150 fs/namespace.c:3162
 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x458da9
Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f2e68c68c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f2e68c68c90 RCX: 0000000000458da9
RDX: 0000000020000100 RSI: 00000000200000c0 RDI: 0000000000000000
RBP: 000000000073bf00 R08: 00000000200013c0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f2e68c696d4
R13: 00000000004c4da7 R14: 00000000004d8a20 R15: 0000000000000005
Kernel Offset: disabled
Rebooting in 86400 seconds..

Crashes (6):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2019/05/02 02:37 upstream 459e3a21535a 7516d9fa .config console log report syz ci-upstream-kasan-gce-root
2019/07/02 00:50 upstream 6fbc7275c7a9 cccc4302 .config console log report ci-upstream-kasan-gce-root
2019/06/21 02:17 upstream abf02e2964b3 34bf9440 .config console log report ci-upstream-kasan-gce-root
2019/05/02 01:47 upstream 459e3a21535a 7516d9fa .config console log report ci-upstream-kasan-gce-root
2018/11/14 00:53 upstream ccda4af0f4b9 5f5f6d14 .config console log report ci-upstream-kasan-gce-selinux-root
2019/03/09 03:36 linux-next cf08baa29613 12365b99 .config console log report ci-upstream-linux-next-kasan-gce-root