Message-ID: <CA+nYHL-zekOQ-HWc0+7+y6nZi-_6=0mN_KLHfyGw-OJt0c3SyA@mail.gmail.com>
Date: Thu, 24 Oct 2024 11:40:11 +0800
From: Xia Chu <jiangmo9@...il.com>
To: davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
pabeni@...hat.com, netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
syzkaller@...glegroups.com
Subject: Re: WARNING: refcount bug in sk_skb_reason_drop
We would like to extend our sincere apologies for the oversight. In our
previous email, we neglected to attach the kernel compilation configuration
file, which we understand is essential for your review.
Enclosed in this email, you will find the kernel configuration file that
was missing.
Once again, we apologize for any inconvenience this may have caused. If you
require any further information or additional files, please do not hesitate
to let us know.
Best regards,
Ditto
On Thu, 24 Oct 2024 at 11:24, Xia Chu <jiangmo9@...il.com> wrote:
> Hi,
>
> We would like to report the following bug which has been found by our modified
> version of syzkaller.
>
> ======================================================
> description: WARNING: refcount bug in sk_skb_reason_drop
> affected file: net/core/skbuff.c
> kernel version: 6.12.0-rc3
> kernel commit: 6efbea77b390604a7be7364583e19cd2d6a1291b
> git tree: upstream
> kernel config: attached
> crash reproducer: unattached
> ======================================================
> Crash log:
> refcount_t: underflow; use-after-free.
> WARNING: CPU: 1 PID: 8778 at lib/refcount.c:28
> refcount_warn_saturate+0x10a/0x1a0
> Modules linked in:
> CPU: 1 UID: 0 PID: 8778 Comm: syz-executor.4 Not tainted
> 6.12.0-rc3-00183-g6efbea77b390 #1
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> 1.13.0-1ubuntu1.1 04/01/2014
> RIP: 0010:refcount_warn_saturate+0x10a/0x1a0
> Code: 00 e6 1f 88 e8 87 50 e4 fd 90 0f 0b 90 90 eb d6 e8 1b c8 0d fe c6 05
> 56 47 6f 08 01 90 48 c7 c7 60 e6 1f 88 e8 67 50 e4 fd 90 <0f> 0b 90 90 eb
> b6 e8 fb c7 0d fe c6 05 33 47 6f 08 01 90 48 c7 c7
> RSP: 0018:ffffc900004d8850 EFLAGS: 00010246
> RAX: 1e2ad9b498ce2e00 RBX: 0000000000000003 RCX: ffff88804acaa500
> RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000
> RBP: ffffc900004d8860 R08: ffff88807ee28cd3 R09: 1ffff1100fdc519a
> R10: dffffc0000000000 R11: ffffed100fdc519b R12: ffff88805167c0e4
> R13: 0000000000000000 R14: ffff88805167c0e4 R15: 0000000000000000
> FS: 000000003c279940(0000) GS:ffff88807ee00000(0000)
> knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000000002000f000 CR3: 000000002aff8000 CR4: 0000000000752ef0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> PKRU: 55555554
> Call Trace:
> <IRQ>
> sk_skb_reason_drop+0x141/0x150
> j1939_xtp_rx_cts+0x3fe/0x790
> j1939_tp_recv+0x65a/0xa40
> j1939_can_recv+0x527/0x650
> can_rcv_filter+0x22b/0x4d0
> can_receive+0x239/0x330
> can_rcv+0xf6/0x180
> __netif_receive_skb+0x119/0x280
> process_backlog+0x4b0/0xe90
> __napi_poll+0x7b/0x300
> net_rx_action+0x4df/0x930
> handle_softirqs+0x21f/0x6c0
> __do_softirq+0xf/0x16
> do_softirq+0xed/0x190
> </IRQ>
> <TASK>
> __local_bh_enable_ip+0x173/0x190
> _raw_spin_unlock_bh+0x33/0x40
> igmpv3_del_delrec+0x3c8/0x400
> ip_mc_up+0x171/0x260
> inetdev_event+0xa5d/0xea0
> notifier_call_chain+0x158/0x350
> raw_notifier_call_chain+0x31/0x40
> call_netdevice_notifiers_info+0xb5/0x100
> __dev_notify_flags+0x161/0x240
> dev_change_flags+0xb5/0xe0
> do_setlink+0x9e2/0x2900
> rtnl_newlink+0x1316/0x18d0
> rtnetlink_rcv_msg+0x637/0x970
> netlink_rcv_skb+0x187/0x2c0
> rtnetlink_rcv+0x20/0x30
> netlink_unicast+0x52a/0x600
> netlink_sendmsg+0x6c7/0x800
> __sock_sendmsg+0x14a/0x180
> __sys_sendto+0x33f/0x430
> __x64_sys_sendto+0x7e/0xa0
> x64_sys_call+0x2c2c/0x2ee0
> do_syscall_64+0xf6/0x230
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x41778a
> Code: 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 f3 0f 1e fa 41 89 ca
> 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff
> ff 77 76 c3 0f 1f 44 00 00 55 48 83 ec 30 44 89 4c
> RSP: 002b:00007ffc3ce57768 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
> RAX: ffffffffffffffda RBX: 0000000000a82200 RCX: 000000000041778a
> RDX: 000000000000002c RSI: 0000000000a82250 RDI: 0000000000000003
> RBP: 0000000000000000 R08: 00007ffc3ce5777c R09: 000000000000000c
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 0000000000000000 R14: 0000000000000003 R15: 0000000000a82250
> </TASK>
>
> We found similar bugs in the syzkaller-bugs mailing list (
> https://groups.google.com/g/syzkaller-bugs/c/rrilY4Y0KVQ/m/1Gj749LnAQAJ)
> and the kernel mailing list (
> https://lore.kernel.org/lkml/66fec2e2.050a0220.9ec68.0046.GAE@google.com/),
> but they were all discovered on previous kernel versions (v6.11.0). We are
> continuing our efforts to generate a reproducer.
>
> Wishing you a nice day!
>
> Best regards,
> Ditto
>
Download attachment "fuzz_config" of type "application/octet-stream" (263882 bytes)
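When triaging reports like the one above, the first step is usually to pull the WARN location, kernel version, taint state and the innermost non-helper frame out of the splat. The following parser is an added example, not part of the report; it runs over a constructed excerpt of the quoted log and the helper list it skips is an assumption.

```python
import re
# Constructed excerpt of the splat quoted above (frame list shortened).
SPLAT = """\
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 8778 at lib/refcount.c:28 refcount_warn_saturate+0x10a/0x1a0
CPU: 1 UID: 0 PID: 8778 Comm: syz-executor.4 Not tainted 6.12.0-rc3-00183-g6efbea77b390 #1
Call Trace:
<IRQ>
sk_skb_reason_drop+0x141/0x150
j1939_xtp_rx_cts+0x3fe/0x790
j1939_tp_recv+0x65a/0xa40
</IRQ>
<TASK>
igmpv3_del_delrec+0x3c8/0x400
</TASK>
"""

FRAME_RE = re.compile(r"^([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
# Frames that only report a problem rather than cause it (assumed list).
REPORTING_HELPERS = {"refcount_warn_saturate", "__warn", "report_bug"}

def parse_splat(text):
    """Extract the triage fields from a kernel WARNING splat."""
    info = {"message": None, "location": None, "version": None, "tainted": None, "frames": {}}
    context = None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"^WARNING: CPU: \d+ PID: \d+ at (\S+)", line):
            info["location"] = m.group(1)             # file:line of the WARN
        elif m := re.match(r"^CPU: .*?(Not tainted|Tainted: \S+) (\S+)", line):
            info["tainted"] = m.group(1) != "Not tainted"
            info["version"] = m.group(2)
        elif m := re.match(r"^<(\w+)>$", line):        # <IRQ> / <TASK> opens a context
            context = m.group(1)
            info["frames"][context] = []
        elif re.match(r"^</\w+>$", line):
            context = None
        elif context and (m := FRAME_RE.match(line)):
            info["frames"][context].append(m.group(1))
        elif info["message"] is None:
            info["message"] = line                    # first line is the WARN message
    return info

def culprit(info, helpers=REPORTING_HELPERS):
    """Innermost frame that is not a pure reporting helper (IRQ before TASK)."""
    for ctx in ("IRQ", "TASK"):
        for fn in info["frames"].get(ctx, []):
            if fn not in helpers:
                return ctx, fn
    return None
```

For the report above this yields the interrupt-context frame sk_skb_reason_drop under the j1939 CAN receive path, which is where a reviewer would start comparing against the earlier syzkaller reports linked in the message.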