syzbot

 sign-in | mailing list | source | docs
🐞 Open [950] 🐞 Fixed [4020] 🐞 Invalid [8931] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes

WARNING: refcount bug in qrtr_node_lookup

Status: upstream: reported C repro on 2020/09/07 21:18
Reported-by: syzbot+c613e88b3093ebf3686e@syzkaller.appspotmail.com
First crash: 752d, last: 426d

Cause bisection: introduced by (bisect log) :
commit e42671084361302141a09284fde9bbc14fdd16bf
Author: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Date: Thu May 7 12:53:06 2020 +0000

  net: qrtr: Do not depend on ARCH_QCOM

Crash: WARNING: refcount bug in qrtr_node_lookup (log)
Repro: C syz .config

Fix bisection: fixed by (bisect log) :
commit 7e78c597c3ebfd0cb329aa09a838734147e4f117
Author: Xiaolong Huang <butterflyhuangxx@gmail.com>
Date: Thu Aug 19 19:50:34 2021 +0000

  net: qrtr: fix another OOB Read in qrtr_endpoint_post

duplicates (1):
Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
WARNING: refcount bug in qrtr_recvmsg C error 76 409d 750d 0/24 closed as dup on 2021/01/20 14:30
Patch testing requests:
Created Duration User Patch Repo Result
2022/09/28 17:30 19m upstream OK log
2021/09/03 04:28 21m hdanton@sina.com patch upstream report log
2021/09/02 00:53 12m hdanton@sina.com patch git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git b91db6a0b52e report log
2021/09/01 03:06 6m hdanton@sina.com patch upstream error
2020/09/08 20:06 17m anant.thazhemadam@gmail.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master OK
2020/09/08 19:58 17m dragonjetli@gmail.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master OK
2020/09/08 19:58 18m dragonjetli@gmail.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master OK
2020/09/08 10:26 17m dragonjetli@gmail.com patch https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master OK

Sample crash report:
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 1 PID: 21 at lib/refcount.c:25 refcount_warn_saturate+0x13d/0x1a0 lib/refcount.c:25
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 21 Comm: kworker/u4:1 Not tainted 5.9.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: qrtr_ns_handler qrtr_ns_worker
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d6/0x29e lib/dump_stack.c:118
 panic+0x2c0/0x800 kernel/panic.c:231
 __warn+0x227/0x250 kernel/panic.c:600
 report_bug+0x1b1/0x2e0 lib/bug.c:198
 handle_bug+0x42/0x80 arch/x86/kernel/traps.c:234
 exc_invalid_op+0x16/0x40 arch/x86/kernel/traps.c:254
 asm_exc_invalid_op+0x12/0x20 arch/x86/include/asm/idtentry.h:536
RIP: 0010:refcount_warn_saturate+0x13d/0x1a0 lib/refcount.c:25
Code: c7 83 96 15 89 31 c0 e8 b1 34 a6 fd 0f 0b eb a3 e8 a8 94 d4 fd c6 05 04 8e ea 05 01 48 c7 c7 ba 96 15 89 31 c0 e8 93 34 a6 fd <0f> 0b eb 85 e8 8a 94 d4 fd c6 05 e7 8d ea 05 01 48 c7 c7 e6 96 15
RSP: 0018:ffffc90000dd79c0 EFLAGS: 00010046
RAX: eb7b51afe96d3100 RBX: 0000000000000002 RCX: ffff8880a9bf6580
RDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000
RBP: 0000000000000002 R08: ffffffff815e27d0 R09: ffffed1015d241c3
R10: ffffed1015d241c3 R11: 0000000000000000 R12: ffff8880a761a898
R13: 1ffff1101517fa56 R14: 0000000000000286 R15: ffff8880a761a800
 refcount_add include/linux/refcount.h:206 [inline]
 refcount_inc include/linux/refcount.h:241 [inline]
 kref_get include/linux/kref.h:45 [inline]
 qrtr_node_acquire net/qrtr/qrtr.c:196 [inline]
 qrtr_node_lookup+0xc0/0xd0 net/qrtr/qrtr.c:388
 qrtr_send_resume_tx net/qrtr/qrtr.c:980 [inline]
 qrtr_recvmsg+0x429/0xa80 net/qrtr/qrtr.c:1043
 qrtr_ns_worker+0x176/0x45f0 net/qrtr/ns.c:624
 process_one_work+0x789/0xfc0 kernel/workqueue.c:2269
 worker_thread+0xaa4/0x1460 kernel/workqueue.c:2415
 kthread+0x37e/0x3a0 drivers/block/aoe/aoecmd.c:1234
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
Shutting down cpus with NMI
Kernel Offset: disabled
Rebooting in 86400 seconds..

Crashes (16):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce-smack-root 2020/09/06 04:04 upstream 9322c47b21b9 abf9ba4f .config log report syz C
ci-upstream-kasan-gce-smack-root 2020/09/21 18:28 upstream ba4f184e126b 9e1fa68e .config log report syz C
ci-upstream-kasan-gce-smack-root 2021/07/28 21:20 upstream 4010a528219e 9a4781d4 .config log report info WARNING: refcount bug in qrtr_node_lookup
ci-upstream-kasan-gce-smack-root 2021/07/22 03:19 upstream 7b6ae471e541 29c3f20f .config log report info WARNING: refcount bug in qrtr_node_lookup
ci-upstream-kasan-gce-smack-root 2021/05/22 06:21 upstream 45af60e7ced0 3c7fef33 .config log report info WARNING: refcount bug in qrtr_node_lookup
ci-upstream-kasan-gce-smack-root 2021/04/25 07:39 upstream 2a1d7946fa53 36c88236 .config log report info WARNING: refcount bug in qrtr_node_lookup
ci-upstream-kasan-gce-smack-root 2021/04/13 20:05 upstream 89698becf06d a184b83e .config log report info WARNING: refcount bug in qrtr_node_lookup
ci-upstream-kasan-gce-smack-root 2021/03/28 07:24 upstream 0f4498cef9f5 a8529b82 .config log report info WARNING: refcount bug in qrtr_node_lookup
ci-upstream-kasan-gce-smack-root 2021/01/22 22:50 upstream 83d09ad4b950 4080af96 .config log report info WARNING: refcount bug in qrtr_node_lookup
ci-upstream-kasan-gce-smack-root 2020/12/11 08:10 upstream 33dc9614dc20 f900b48c .config log report info
ci-upstream-kasan-gce-smack-root 2020/12/08 19:36 upstream cd796ed33450 a7f7f4a4 .config log report info
ci-upstream-kasan-gce-smack-root 2020/11/14 06:02 upstream f01c30de86f1 1bf9a662 .config log report info
ci-upstream-kasan-gce-smack-root 2020/11/07 13:20 upstream 659caaf65dc9 64069d48 .config log report info
ci-upstream-kasan-gce-smack-root 2020/10/05 06:37 upstream 549738f15da0 5ef9c291 .config log report info
ci-upstream-kasan-gce-smack-root 2020/09/26 06:29 upstream 7c7ec3226f5f 4a006f63 .config log report info
ci-upstream-kasan-gce-smack-root 2020/09/20 01:42 upstream eb5f95f1593f 53ce8104 .config log report info
* Struck through repros no longer work on HEAD.