From: syzbot <syzbot+c613e88b3093ebf3686e@syzkaller.appspotmail.com>
To: bjorn.andersson@linaro.org, dan.carpenter@oracle.com,
	eric.dumazet@gmail.com, hdanton@sina.com,
	linux-kernel@vger.kernel.org, manivannan.sadhasivam@linaro.org,
	netdev@vger.kernel.org, paul@paul-moore.com,
	syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] WARNING: refcount bug in qrtr_node_lookup
Date: Fri, 03 Sep 2021 04:04:08 -0700	[thread overview]
Message-ID: <0000000000002f1da805cb154204@google.com> (raw)
In-Reply-To: <20210903042820.2733-1-hdanton@sina.com>

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
UBSAN: object-size-mismatch in wg_xmit

================================================================================
UBSAN: object-size-mismatch in ./include/linux/skbuff.h:2048:28
member access within address 0000000096a277f4 with insufficient space
for an object of type 'struct sk_buff'
CPU: 0 PID: 3568 Comm: kworker/0:5 Not tainted 5.14.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x15e/0x1d3 lib/dump_stack.c:105
 ubsan_epilogue lib/ubsan.c:151 [inline]
 handle_object_size_mismatch lib/ubsan.c:232 [inline]
 ubsan_type_mismatch_common+0x1de/0x390 lib/ubsan.c:245
 __ubsan_handle_type_mismatch_v1+0x41/0x50 lib/ubsan.c:274
 __skb_queue_before include/linux/skbuff.h:2048 [inline]
 __skb_queue_tail include/linux/skbuff.h:2081 [inline]
 wg_xmit+0x4da/0xa60 drivers/net/wireguard/device.c:182
 __netdev_start_xmit include/linux/netdevice.h:4970 [inline]
 netdev_start_xmit+0x7b/0x140 include/linux/netdevice.h:4984
 xmit_one net/core/dev.c:3576 [inline]
 dev_hard_start_xmit+0x182/0x2e0 net/core/dev.c:3592
 __dev_queue_xmit+0x13b0/0x21a0 net/core/dev.c:4202
 neigh_output include/net/neighbour.h:510 [inline]
 ip6_finish_output2+0xc51/0x11b0 net/ipv6/ip6_output.c:126
 dst_output include/net/dst.h:450 [inline]
 NF_HOOK include/linux/netfilter.h:307 [inline]
 ndisc_send_skb+0x835/0xcf0 net/ipv6/ndisc.c:508
 addrconf_dad_completed+0x6c5/0xa70 net/ipv6/addrconf.c:4203
 addrconf_dad_work+0xba5/0x1510 net/ipv6/addrconf.c:3970
 process_one_work+0x4b5/0x8d0 kernel/workqueue.c:2297
 worker_thread+0x686/0x9e0 kernel/workqueue.c:2444
 kthread+0x3ca/0x3f0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
================================================================================
================================================================================
UBSAN: object-size-mismatch in ./include/linux/skbuff.h:1941:2
member access within address 0000000096a277f4 with insufficient space
for an object of type 'struct sk_buff'
CPU: 0 PID: 3568 Comm: kworker/0:5 Not tainted 5.14.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x15e/0x1d3 lib/dump_stack.c:105
 ubsan_epilogue lib/ubsan.c:151 [inline]
 handle_object_size_mismatch lib/ubsan.c:232 [inline]
 ubsan_type_mismatch_common+0x1de/0x390 lib/ubsan.c:245
 __ubsan_handle_type_mismatch_v1+0x41/0x50 lib/ubsan.c:274
 __skb_insert include/linux/skbuff.h:1941 [inline]
 __skb_queue_before include/linux/skbuff.h:2048 [inline]
 __skb_queue_tail include/linux/skbuff.h:2081 [inline]
 wg_xmit+0x53c/0xa60 drivers/net/wireguard/device.c:182
 __netdev_start_xmit include/linux/netdevice.h:4970 [inline]
 netdev_start_xmit+0x7b/0x140 include/linux/netdevice.h:4984
 xmit_one net/core/dev.c:3576 [inline]
 dev_hard_start_xmit+0x182/0x2e0 net/core/dev.c:3592
 __dev_queue_xmit+0x13b0/0x21a0 net/core/dev.c:4202
 neigh_output include/net/neighbour.h:510 [inline]
 ip6_finish_output2+0xc51/0x11b0 net/ipv6/ip6_output.c:126
 dst_output include/net/dst.h:450 [inline]
 NF_HOOK include/linux/netfilter.h:307 [inline]
 ndisc_send_skb+0x835/0xcf0 net/ipv6/ndisc.c:508
 addrconf_dad_completed+0x6c5/0xa70 net/ipv6/addrconf.c:4203
 addrconf_dad_work+0xba5/0x1510 net/ipv6/addrconf.c:3970
 process_one_work+0x4b5/0x8d0 kernel/workqueue.c:2297
 worker_thread+0x686/0x9e0 kernel/workqueue.c:2444
 kthread+0x3ca/0x3f0 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
================================================================================
IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready


Tested on:

commit:         a9c9a6f7 Merge tag 'scsi-misc' of git://git.kernel.org..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=134c5b6d300000
kernel config:  https://syzkaller.appspot.com/x/.config?x=5f845e3d82a95a0e
dashboard link: https://syzkaller.appspot.com/bug?extid=c613e88b3093ebf3686e
compiler:       Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.1
patch:          https://syzkaller.appspot.com/x/patch.diff?x=14673df5300000


Thread overview: 10+ messages
     [not found] <20210903042820.2733-1-hdanton@sina.com>
2021-09-03 11:04 ` syzbot [this message]
     [not found] <20210902005238.2413-1-hdanton@sina.com>
2021-09-02  2:32 ` [syzbot] WARNING: refcount bug in qrtr_node_lookup syzbot
     [not found]   ` <20210902041238.2559-1-hdanton@sina.com>
2021-09-02 13:58     ` Paul Moore
2021-09-03  2:40       ` Paul Moore
     [not found] <20210901030636.2336-1-hdanton@sina.com>
2021-09-01  3:41 ` syzbot
2021-09-01  4:26   ` Eric Dumazet
2020-09-07 21:18 syzbot
2021-08-28 18:32 ` [syzbot] " syzbot
2021-08-28 18:32   ` syzbot
2021-08-30  8:39   ` Dmitry Vyukov
2021-08-30  8:39     ` Dmitry Vyukov via Linux-kernel-mentees
