WARNING: refcount bug in qrtr_node

WARNING: refcount bug in qrtr_node_lookup
Status: upstream: reported C repro on 2020/09/07 21:18
Reported-by: syzbot+c613e88b3093ebf3686e@syzkaller.appspotmail.com
First crash: 23d, last: 2d22h

Cause bisection: introduced by (bisect log):

commit e42671084361302141a09284fde9bbc14fdd16bf
Author: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Date: Thu May 7 12:53:06 2020 +0000

net: qrtr: Do not depend on ARCH_QCOM

Crash: WARNING: refcount bug in qrtr_node_lookup (log)
Repro: C syz .config

Patch testing requests:
Created	Duration	User	Patch	Repo	Result
2020/09/08 20:06	17m	anant.thazhemadam@gmail.com	patch	https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master	OK
2020/09/08 19:58	17m	dragonjetli@gmail.com	patch	https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master	OK
2020/09/08 19:58	18m	dragonjetli@gmail.com	patch	https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master	OK
2020/09/08 10:26	17m	dragonjetli@gmail.com	patch	https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master	OK

Sample crash report:

------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 1 PID: 4133 at lib/refcount.c:25 refcount_warn_saturate+0x13d/0x1a0 lib/refcount.c:25
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 4133 Comm: kworker/u4:8 Not tainted 5.9.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: qrtr_ns_handler qrtr_ns_worker
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d6/0x29e lib/dump_stack.c:118
 panic+0x2c0/0x800 kernel/panic.c:231
 __warn+0x227/0x250 kernel/panic.c:600
 report_bug+0x1b1/0x2e0 lib/bug.c:198
 handle_bug+0x42/0x80 arch/x86/kernel/traps.c:234
 exc_invalid_op+0x16/0x40 arch/x86/kernel/traps.c:254
 asm_exc_invalid_op+0x12/0x20 arch/x86/include/asm/idtentry.h:536
RIP: 0010:refcount_warn_saturate+0x13d/0x1a0 lib/refcount.c:25
Code: c7 03 f4 37 89 31 c0 e8 01 5f 88 fd 0f 0b eb a3 e8 c8 bf b6 fd c6 05 1a 33 ed 05 01 48 c7 c7 3a f4 37 89 31 c0 e8 e3 5e 88 fd <0f> 0b eb 85 e8 aa bf b6 fd c6 05 fd 32 ed 05 01 48 c7 c7 66 f4 37
RSP: 0018:ffffc900072f79c0 EFLAGS: 00010046
RAX: 1ceabb8756dc6c00 RBX: 0000000000000002 RCX: ffff8880a3208300
RDX: 0000000000000000 RSI: 0000000080000001 RDI: 0000000000000000
RBP: 0000000000000002 R08: ffffffff815e37c0 R09: ffffed1015d241c3
R10: ffffed1015d241c3 R11: 0000000000000000 R12: ffff888096c23098
R13: 1ffff1101454b39e R14: 0000000000000282 R15: ffff888096c23000
 refcount_add include/linux/refcount.h:206 [inline]
 refcount_inc include/linux/refcount.h:241 [inline]
 kref_get include/linux/kref.h:45 [inline]
 qrtr_node_acquire net/qrtr/qrtr.c:196 [inline]
 qrtr_node_lookup+0xc0/0xd0 net/qrtr/qrtr.c:388
 qrtr_send_resume_tx net/qrtr/qrtr.c:980 [inline]
 qrtr_recvmsg+0x429/0xa80 net/qrtr/qrtr.c:1043
 qrtr_ns_worker+0x176/0x45f0 net/qrtr/ns.c:624
 process_one_work+0x789/0xfc0 kernel/workqueue.c:2269
 worker_thread+0xaa4/0x1460 kernel/workqueue.c:2415
 kthread+0x37e/0x3a0 drivers/block/aoe/aoecmd.c:1234
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
Shutting down cpus with NMI
Kernel Offset: disabled
Rebooting in 86400 seconds..

Crashes (4):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Maintainers
ci-upstream-kasan-gce-smack-root	2020/09/21 18:28	upstream	ba4f184e	9e1fa68e	.config	log	report	syz	C		bjorn.andersson@linaro.org, davem@davemloft.net, kuba@kernel.org, linux-kernel@vger.kernel.org, manivannan.sadhasivam@linaro.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-smack-root	2020/09/06 04:04	upstream	9322c47b	abf9ba4f	.config	log	report	syz	C		bjorn.andersson@linaro.org, davem@davemloft.net, kuba@kernel.org, linux-kernel@vger.kernel.org, manivannan.sadhasivam@linaro.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-smack-root	2020/09/26 06:29	upstream	7c7ec322	4a006f63	.config	log	report			info	bjorn.andersson@linaro.org, davem@davemloft.net, kuba@kernel.org, linux-kernel@vger.kernel.org, manivannan.sadhasivam@linaro.org, netdev@vger.kernel.org
ci-upstream-kasan-gce-smack-root	2020/09/20 01:42	upstream	eb5f95f1	53ce8104	.config	log	report			info	bjorn.andersson@linaro.org, davem@davemloft.net, kuba@kernel.org, linux-kernel@vger.kernel.org, manivannan.sadhasivam@linaro.org, netdev@vger.kernel.org