Message-ID: <00000000000088b79e0568b75d2e@google.com>
Date:   Sat, 31 Mar 2018 08:54:01 -0700
From:   syzbot <syzbot+8362f345b3edaf37e986@...kaller.appspotmail.com>
To:     davem@...emloft.net, kuznet@....inr.ac.ru,
        linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
        syzkaller-bugs@...glegroups.com, yoshfuji@...ux-ipv6.org
Subject: WARNING: refcount bug in sk_alloc

Hello,

syzbot hit the following crash on upstream commit
c2a9838452a4d71f76103c18c926468a9ea05713 (Fri Mar 30 05:27:12 2018 +0000)
Merge tag 'for-4.16/dm-fixes-4' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=8362f345b3edaf37e986

So far this crash happened 27 times on bpf-next, upstream.
Unfortunately, I don't have any reproducer for this crash yet.
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5065618571132928
Kernel config: https://syzkaller.appspot.com/x/.config?id=-8440362230543204781
compiler: gcc (GCC) 7.1.1 20170620

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+8362f345b3edaf37e986@...kaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

device lo entered promiscuous mode
------------[ cut here ]------------
refcount_t: increment on 0; use-after-free.
WARNING: CPU: 0 PID: 4461 at lib/refcount.c:153 refcount_inc+0x47/0x50 lib/refcount.c:153
Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 4461 Comm: syz-executor3 Not tainted 4.16.0-rc7+ #6
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:17 [inline]
  dump_stack+0x194/0x24d lib/dump_stack.c:53
  panic+0x1e4/0x41c kernel/panic.c:183
  __warn+0x1dc/0x200 kernel/panic.c:547
  report_bug+0x1f4/0x2b0 lib/bug.c:186
  fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178
  fixup_bug arch/x86/kernel/traps.c:247 [inline]
  do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
  do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
  invalid_op+0x1b/0x40 arch/x86/entry/entry_64.S:986
RIP: 0010:refcount_inc+0x47/0x50 lib/refcount.c:153
RSP: 0018:ffff8801af79f860 EFLAGS: 00010286
RAX: dffffc0000000008 RBX: ffff8801d26bc104 RCX: ffffffff815b7bde
RDX: 0000000000000000 RSI: 1ffff10035ef3ebc RDI: 1ffff10035ef3e91
RBP: ffff8801af79f868 R08: ffffffff87b3b658 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801af79faf8
R13: ffff8801ba2f3513 R14: ffff8801d26bc100 R15: ffff8801ba2f3501
  get_net include/net/net_namespace.h:198 [inline]
  sk_alloc+0x3f9/0x1440 net/core/sock.c:1537
  inet_create+0x47c/0xf50 net/ipv4/af_inet.c:320
  __sock_create+0x4d4/0x850 net/socket.c:1285
  sock_create net/socket.c:1325 [inline]
  SYSC_socket net/socket.c:1355 [inline]
  SyS_socket+0xeb/0x1d0 net/socket.c:1335
  do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
  entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4573e7
RSP: 002b:00007fffdeb62308 EFLAGS: 00000206 ORIG_RAX: 0000000000000029
RAX: ffffffffffffffda RBX: 00000000000003f3 RCX: 00000000004573e7
RDX: 0000000000000006 RSI: 0000000000000001 RDI: 0000000000000002
RBP: 00007fffdeb629b0 R08: 0000000000000000 R09: 0000000000000001
R10: 000000000000000a R11: 0000000000000206 R12: 0000000000000c1e
R13: 0000000000000c1e R14: 0000000000000015 R15: 000000000004415e
Dumping ftrace buffer:
    (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzkaller@...glegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug report.
Note: all commands must start from beginning of the line in the email body.
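The warning at the top of the trace, "refcount_t: increment on 0; use-after-free.", is raised by refcount_inc() when get_net() (inlined into sk_alloc()) tries to take a reference on a net namespace whose count is already zero, i.e. the namespace handed to sk_alloc() had already lost its last reference; panic_on_warn then turned that warning into the panic shown. The following user-space C model is an added illustration of that check, not code from the syzbot report or from the kernel tree: every struct and function name prefixed model_ is a hypothetical stand-in for refcount_t, refcount_inc(), refcount_inc_not_zero(), refcount_dec_and_test(), get_net(), maybe_get_net() and put_net(), saturation handling is left out, and the scenario reproduces only the detection, since the report has no reproducer and does not say which path dropped the last reference.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

struct model_refcount { atomic_uint refs; };

/* Stand-in for WARN_ONCE(): with panic_on_warn, as in the report, the first hit
 * panics; here hits are counted so the scenarios below can inspect them. */
static unsigned int model_warn_count;

/* Like refcount_inc_not_zero(): never resurrects a counter that reached 0,
 * otherwise CASes in old+1. Returns false when the object is already dead. */
static bool model_inc_not_zero(struct model_refcount *r)
{
    unsigned int old = atomic_load(&r->refs);
    for (;;) {
        if (old == 0)
            return false;
        if (atomic_compare_exchange_weak(&r->refs, &old, old + 1))
            return true;   /* on failure 'old' is refreshed and we retry */
    }
}

/* Like refcount_inc(): the caller claims to already hold a reference, so a
 * counter at 0 is a use-after-free. This is the lib/refcount.c:153 path. */
static void model_inc(struct model_refcount *r)
{
    if (!model_inc_not_zero(r)) {
        model_warn_count++;
        fprintf(stderr, "refcount_t: increment on 0; use-after-free.\n");
    }
}

/* Like refcount_dec_and_test(): true when this drop released the last ref. */
static bool model_dec_and_test(struct model_refcount *r)
{
    unsigned int old = atomic_load(&r->refs);
    for (;;) {
        if (old == 0) {
            model_warn_count++;
            fprintf(stderr, "refcount_t: underflow; use-after-free.\n");
            return false;
        }
        if (atomic_compare_exchange_weak(&r->refs, &old, old - 1))
            return old == 1;
    }
}

/* Toy stand-in for struct net: just the count and a "freed" flag. */
struct model_net { struct model_refcount count; bool freed; };

static void model_net_init(struct model_net *net)
{
    atomic_init(&net->count.refs, 1);   /* creator holds one reference */
    net->freed = false;
}

/* Like get_net(): assumes the caller already holds a reference. */
static struct model_net *model_get_net(struct model_net *net)
{
    model_inc(&net->count);
    return net;
}

/* Like maybe_get_net(): for a weak pointer, NULL instead of a warning. */
static struct model_net *model_maybe_get_net(struct model_net *net)
{
    return model_inc_not_zero(&net->count) ? net : NULL;
}

/* Like put_net(): the last drop tears the namespace down. */
static void model_put_net(struct model_net *net)
{
    if (model_dec_and_test(&net->count))
        net->freed = true;
}

/* Scenario matching the trace: the last reference is dropped, then a stale
 * pointer reaches get_net() as in sk_alloc(). Returns warnings raised (1). */
static unsigned int model_stale_get_net(void)
{
    struct model_net ns;
    model_warn_count = 0;
    model_net_init(&ns);
    model_put_net(&ns);   /* 1 -> 0: namespace "freed" */
    model_get_net(&ns);   /* 0 -> warning, counter stays 0 */
    return model_warn_count;
}

/* Same stale pointer through maybe_get_net(): NULL and no warning. */
static bool model_stale_maybe_get_net_is_safe(void)
{
    struct model_net ns;
    model_warn_count = 0;
    model_net_init(&ns);
    model_put_net(&ns);
    return model_maybe_get_net(&ns) == NULL && model_warn_count == 0;
}
```

Build with any C11 compiler (for example cc -std=c11 model.c -o model); model_stale_get_net() returns 1 and model_stale_maybe_get_net_is_safe() returns true. The contrast between the two scenarios is the practical point: refcount_inc(), and so get_net(), is only correct when the caller provably holds a reference already, while code that merely has a pointer must use the _not_zero variant and handle NULL. The model only shows why the trace fires; finding the path that dropped the namespace's last reference before socket creation is the actual debugging work the report leaves open.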
