WARNING: refcount bug in qrtr_node

WARNING: refcount bug in qrtr_node_lookup
Status: upstream: reported C repro on 2020/09/07 21:18
Reported-by: syzbot+c613e88b3093ebf3686e@syzkaller.appspotmail.com
First crash: 406d, last: 80d

Cause bisection: introduced by (bisect log) :
commit e42671084361302141a09284fde9bbc14fdd16bf
Author: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Date: Thu May 7 12:53:06 2020 +0000

net: qrtr: Do not depend on ARCH_QCOM

Crash: WARNING: refcount bug in qrtr_node_lookup (log)
Repro: C syz .config

Fix bisection: fixed by (bisect log) :
commit 7e78c597c3ebfd0cb329aa09a838734147e4f117
Author: Xiaolong Huang <butterflyhuangxx@gmail.com>
Date: Thu Aug 19 19:50:34 2021 +0000

net: qrtr: fix another OOB Read in qrtr_endpoint_post

duplicates (1):
Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
WARNING: refcount bug in qrtr_recvmsg	C	error		76	62d	404d	0/22	closed as dup on 2021/01/20 14:30

Patch testing requests:
Created	Duration	User	Patch	Repo	Result
2021/09/03 04:28	21m	hdanton@sina.com	patch	upstream	report log
2021/09/02 00:53	12m	hdanton@sina.com	patch	git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git b91db6a0b52e	report log
2021/09/01 03:06	6m	hdanton@sina.com	patch	upstream	error
2020/09/08 20:06	17m	anant.thazhemadam@gmail.com	patch	https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master	OK
2020/09/08 19:58	17m	dragonjetli@gmail.com	patch	https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master	OK
2020/09/08 19:58	18m	dragonjetli@gmail.com	patch	https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master	OK
2020/09/08 10:26	17m	dragonjetli@gmail.com	patch	https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master	OK

Sample crash report:

------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 1 PID: 4133 at lib/refcount.c:25 refcount_warn_saturate+0x13d/0x1a0 lib/refcount.c:25
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 4133 Comm: kworker/u4:8 Not tainted 5.9.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: qrtr_ns_handler qrtr_ns_worker
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d6/0x29e lib/dump_stack.c:118
 panic+0x2c0/0x800 kernel/panic.c:231
 __warn+0x227/0x250 kernel/panic.c:600
 report_bug+0x1b1/0x2e0 lib/bug.c:198
 handle_bug+0x42/0x80 arch/x86/kernel/traps.c:234
 exc_invalid_op+0x16/0x40 arch/x86/kernel/traps.c:254
 asm_exc_invalid_op+0x12/0x20 arch/x86/include/asm/idtentry.h:536
RIP: 0010:refcount_warn_saturate+0x13d/0x1a0 lib/refcount.c:25
Code: c7 03 f4 37 89 31 c0 e8 01 5f 88 fd 0f 0b eb a3 e8 c8 bf b6 fd c6 05 1a 33 ed 05 01 48 c7 c7 3a f4 37 89 31 c0 e8 e3 5e 88 fd <0f> 0b eb 85 e8 aa bf b6 fd c6 05 fd 32 ed 05 01 48 c7 c7 66 f4 37
RSP: 0018:ffffc900072f79c0 EFLAGS: 00010046
RAX: 1ceabb8756dc6c00 RBX: 0000000000000002 RCX: ffff8880a3208300
RDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000
RBP: 0000000000000002 R08: ffffffff815e37c0 R09: ffffed1015d241c3
R10: ffffed1015d241c3 R11: 0000000000000000 R12: ffff888096c23098
R13: 1ffff1101454b39e R14: 0000000000000282 R15: ffff888096c23000
 refcount_add include/linux/refcount.h:206 [inline]
 refcount_inc include/linux/refcount.h:241 [inline]
 kref_get include/linux/kref.h:45 [inline]
 qrtr_node_acquire net/qrtr/qrtr.c:196 [inline]
 qrtr_node_lookup+0xc0/0xd0 net/qrtr/qrtr.c:388
 qrtr_send_resume_tx net/qrtr/qrtr.c:980 [inline]
 qrtr_recvmsg+0x429/0xa80 net/qrtr/qrtr.c:1043
 qrtr_ns_worker+0x176/0x45f0 net/qrtr/ns.c:624
 process_one_work+0x789/0xfc0 kernel/workqueue.c:2269
 worker_thread+0xaa4/0x1460 kernel/workqueue.c:2415
 kthread+0x37e/0x3a0 drivers/block/aoe/aoecmd.c:1234
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
Shutting down cpus with NMI
Kernel Offset: disabled
Rebooting in 86400 seconds..

Crashes (16):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Title
ci-upstream-kasan-gce-smack-root	2020/09/21 18:28	upstream	ba4f184e126b	9e1fa68e	.config	log	report	syz	C
ci-upstream-kasan-gce-smack-root	2020/09/06 04:04	upstream	9322c47b21b9	abf9ba4f	.config	log	report	syz	C
ci-upstream-kasan-gce-smack-root	2021/07/28 21:20	upstream	4010a528219e	9a4781d4	.config	log	report			info	WARNING: refcount bug in qrtr_node_lookup
ci-upstream-kasan-gce-smack-root	2021/07/22 03:19	upstream	7b6ae471e541	29c3f20f	.config	log	report			info	WARNING: refcount bug in qrtr_node_lookup
ci-upstream-kasan-gce-smack-root	2021/05/22 06:21	upstream	45af60e7ced0	3c7fef33	.config	log	report			info	WARNING: refcount bug in qrtr_node_lookup
ci-upstream-kasan-gce-smack-root	2021/04/25 07:39	upstream	2a1d7946fa53	36c88236	.config	log	report			info	WARNING: refcount bug in qrtr_node_lookup
ci-upstream-kasan-gce-smack-root	2021/04/13 20:05	upstream	89698becf06d	a184b83e	.config	log	report			info	WARNING: refcount bug in qrtr_node_lookup
ci-upstream-kasan-gce-smack-root	2021/03/28 07:24	upstream	0f4498cef9f5	a8529b82	.config	log	report			info	WARNING: refcount bug in qrtr_node_lookup
ci-upstream-kasan-gce-smack-root	2021/01/22 22:50	upstream	83d09ad4b950	4080af96	.config	log	report			info	WARNING: refcount bug in qrtr_node_lookup
ci-upstream-kasan-gce-smack-root	2020/12/11 08:10	upstream	33dc9614dc20	f900b48c	.config	log	report			info
ci-upstream-kasan-gce-smack-root	2020/12/08 19:36	upstream	cd796ed33450	a7f7f4a4	.config	log	report			info
ci-upstream-kasan-gce-smack-root	2020/11/14 06:02	upstream	f01c30de86f1	1bf9a662	.config	log	report			info
ci-upstream-kasan-gce-smack-root	2020/11/07 13:20	upstream	659caaf65dc9	64069d48	.config	log	report			info
ci-upstream-kasan-gce-smack-root	2020/10/05 06:37	upstream	549738f15da0	5ef9c291	.config	log	report			info
ci-upstream-kasan-gce-smack-root	2020/09/26 06:29	upstream	7c7ec3226f5f	4a006f63	.config	log	report			info
ci-upstream-kasan-gce-smack-root	2020/09/20 01:42	upstream	eb5f95f1593f	53ce8104	.config	log	report			info