Message-ID: <CANn89iLs5Pb0jqq-+vFK4+obYgcWa=7SjXyLLLQr3hV87VsnNg@mail.gmail.com>
Date: Thu, 24 Oct 2024 09:53:17 +0200
From: Eric Dumazet <edumazet@...gle.com>
To: Xia Chu <jiangmo9@...il.com>
Cc: davem@...emloft.net, kuba@...nel.org, pabeni@...hat.com,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
syzkaller@...glegroups.com
Subject: Re: WARNING: refcount bug in sk_skb_reason_drop
On Thu, Oct 24, 2024 at 5:40 AM Xia Chu <jiangmo9@...il.com> wrote:
>
> We would like to extend our sincere apologies for the oversight. In our previous email, we neglected to attach the kernel compilation configuration file, which we understand is essential for your review.
>
> Enclosed in this email, you will find the kernel configuration file that was missing.
>
> Once again, we apologize for any inconvenience this may have caused. If you require any further information or additional files, please do not hesitate to let us know.
>
It would be nice if you did not duplicate existing reports.
https://lore.kernel.org/lkml/66ff39a0.050a0220.49194.03f5.GAE@google.com/T/
Thank you
> Best regards,
> Ditto
>
> On Thu, 24 Oct 2024 at 11:24, Xia Chu <jiangmo9@...il.com> wrote:
>>
>> Hi,
>>
>> We would like to report the following bug which has been found by our modified version of syzkaller.
>>
>> ======================================================
>> description: WARNING: refcount bug in sk_skb_reason_drop
>> affected file: net/core/skbuff.c
>> kernel version: 6.12.0-rc3
>> kernel commit: 6efbea77b390604a7be7364583e19cd2d6a1291b
>> git tree: upstream
>> kernel config: attached
>> crash reproducer: unattached
>> ======================================================
>> Crash log:
>> refcount_t: underflow; use-after-free.
>> WARNING: CPU: 1 PID: 8778 at lib/refcount.c:28 refcount_warn_saturate+0x10a/0x1a0
>> Modules linked in:
>> CPU: 1 UID: 0 PID: 8778 Comm: syz-executor.4 Not tainted 6.12.0-rc3-00183-g6efbea77b390 #1
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
>> RIP: 0010:refcount_warn_saturate+0x10a/0x1a0
>> Code: 00 e6 1f 88 e8 87 50 e4 fd 90 0f 0b 90 90 eb d6 e8 1b c8 0d fe c6 05 56 47 6f 08 01 90 48 c7 c7 60 e6 1f 88 e8 67 50 e4 fd 90 <0f> 0b 90 90 eb b6 e8 fb c7 0d fe c6 05 33 47 6f 08 01 90 48 c7 c7
>> RSP: 0018:ffffc900004d8850 EFLAGS: 00010246
>> RAX: 1e2ad9b498ce2e00 RBX: 0000000000000003 RCX: ffff88804acaa500
>> RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000
>> RBP: ffffc900004d8860 R08: ffff88807ee28cd3 R09: 1ffff1100fdc519a
>> R10: dffffc0000000000 R11: ffffed100fdc519b R12: ffff88805167c0e4
>> R13: 0000000000000000 R14: ffff88805167c0e4 R15: 0000000000000000
>> FS: 000000003c279940(0000) GS:ffff88807ee00000(0000) knlGS:0000000000000000
>> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> CR2: 000000002000f000 CR3: 000000002aff8000 CR4: 0000000000752ef0
>> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>> PKRU: 55555554
>> Call Trace:
>> <IRQ>
>> sk_skb_reason_drop+0x141/0x150
>> j1939_xtp_rx_cts+0x3fe/0x790
>> j1939_tp_recv+0x65a/0xa40
>> j1939_can_recv+0x527/0x650
>> can_rcv_filter+0x22b/0x4d0
>> can_receive+0x239/0x330
>> can_rcv+0xf6/0x180
>> __netif_receive_skb+0x119/0x280
>> process_backlog+0x4b0/0xe90
>> __napi_poll+0x7b/0x300
>> net_rx_action+0x4df/0x930
>> handle_softirqs+0x21f/0x6c0
>> __do_softirq+0xf/0x16
>> do_softirq+0xed/0x190
>> </IRQ>
>> <TASK>
>> __local_bh_enable_ip+0x173/0x190
>> _raw_spin_unlock_bh+0x33/0x40
>> igmpv3_del_delrec+0x3c8/0x400
>> ip_mc_up+0x171/0x260
>> inetdev_event+0xa5d/0xea0
>> notifier_call_chain+0x158/0x350
>> raw_notifier_call_chain+0x31/0x40
>> call_netdevice_notifiers_info+0xb5/0x100
>> __dev_notify_flags+0x161/0x240
>> dev_change_flags+0xb5/0xe0
>> do_setlink+0x9e2/0x2900
>> rtnl_newlink+0x1316/0x18d0
>> rtnetlink_rcv_msg+0x637/0x970
>> netlink_rcv_skb+0x187/0x2c0
>> rtnetlink_rcv+0x20/0x30
>> netlink_unicast+0x52a/0x600
>> netlink_sendmsg+0x6c7/0x800
>> __sock_sendmsg+0x14a/0x180
>> __sys_sendto+0x33f/0x430
>> __x64_sys_sendto+0x7e/0xa0
>> x64_sys_call+0x2c2c/0x2ee0
>> do_syscall_64+0xf6/0x230
>> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>> RIP: 0033:0x41778a
>> Code: 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 76 c3 0f 1f 44 00 00 55 48 83 ec 30 44 89 4c
>> RSP: 002b:00007ffc3ce57768 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
>> RAX: ffffffffffffffda RBX: 0000000000a82200 RCX: 000000000041778a
>> RDX: 000000000000002c RSI: 0000000000a82250 RDI: 0000000000000003
>> RBP: 0000000000000000 R08: 00007ffc3ce5777c R09: 000000000000000c
>> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
>> R13: 0000000000000000 R14: 0000000000000003 R15: 0000000000a82250
>> </TASK>
>>
>> We found similar bugs in the syzkaller-bugs mailing list (https://groups.google.com/g/syzkaller-bugs/c/rrilY4Y0KVQ/m/1Gj749LnAQAJ) and the kernel mailing list (https://lore.kernel.org/lkml/66fec2e2.050a0220.9ec68.0046.GAE@google.com/), but they were all discovered on previous kernel versions (v6.11.0). We are continuing our efforts to generate a reproducer.
>>
>> Wishing you a nice day!
>>
>> Best regards,
>> Ditto