From: syzbot <syzbot+edec7868af5997928fe9@syzkaller.appspotmail.com>
To: asmadeus@codewreck.org, davem@davemloft.net, ericvh@gmail.com,
linux-kernel@vger.kernel.org, lucho@ionkov.net,
netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com,
v9fs-developer@lists.sourceforge.net
Subject: WARNING: refcount bug in p9_req_put
Date: Thu, 15 Nov 2018 09:46:04 -0800
Message-ID: <000000000000eb6a8e057ab79f82@google.com>
Hello,

syzbot found the following crash on:

HEAD commit: ccda4af0f4b9 Linux 4.20-rc2
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=166b66a3400000
kernel config: https://syzkaller.appspot.com/x/.config?x=4a0a89f12ca9b0f5
dashboard link: https://syzkaller.appspot.com/bug?extid=edec7868af5997928fe9
compiler: gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+edec7868af5997928fe9@syzkaller.appspotmail.com

audit: type=1400 audit(1542156774.207:23570): avc: denied { map } for
pid=3935 comm="blkid" path="/sbin/blkid" dev="sda1" ino=16128
scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:file_t:s0
tclass=file permissive=1
XFS (loop1): device supports 512 byte sectors (not 0)
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 3966 at lib/refcount.c:187
refcount_sub_and_test_checked+0x2c9/0x310 lib/refcount.c:187
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 3966 Comm: syz-executor0 Not tainted 4.20.0-rc2+ #112
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x244/0x39d lib/dump_stack.c:113
panic+0x2ad/0x55c kernel/panic.c:188
__warn.cold.8+0x20/0x45 kernel/panic.c:540
report_bug+0x254/0x2d0 lib/bug.c:186
fixup_bug arch/x86/kernel/traps.c:178 [inline]
do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:271
do_invalid_op+0x36/0x40 arch/x86/kernel/traps.c:290
invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:969
RIP: 0010:refcount_sub_and_test_checked+0x2c9/0x310 lib/refcount.c:187
Code: 89 de e8 ea 1a ed fd 84 db 74 07 31 db e9 4d ff ff ff e8 0a 1a ed fd
48 c7 c7 20 ae 60 88 c6 05 7b fd 7e 06 01 e8 67 7d b6 fd <0f> 0b 31 db e9
2c ff ff ff 48 89 cf e8 a6 67 30 fe e9 41 fe ff ff
RSP: 0018:ffff88817e87f330 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffc90005e51000
RDX: 00000000000222c2 RSI: ffffffff8165e7e5 RDI: 0000000000000005
RBP: ffff88817e87f418 R08: ffff8881866ba640 R09: ffffed103b5c5020
R10: ffffed103b5c5020 R11: ffff8881dae28107 R12: ffff88817c7a7008
R13: 00000000ffffffff R14: ffff88817e87f3f0 R15: ffff8881c1dc9d68
refcount_dec_and_test_checked+0x1a/0x20 lib/refcount.c:212
kref_put include/linux/kref.h:69 [inline]
p9_req_put+0x20/0x60 net/9p/client.c:395
p9_conn_destroy net/9p/trans_fd.c:880 [inline]
p9_fd_close+0x39f/0x6b0 net/9p/trans_fd.c:913
p9_client_create+0xbd0/0x1674 net/9p/client.c:1062
v9fs_session_init+0x217/0x1bb0 fs/9p/v9fs.c:421
v9fs_mount+0x7c/0x8f0 fs/9p/vfs_super.c:135
mount_fs+0xae/0x31d fs/super.c:1261
vfs_kern_mount.part.35+0xdc/0x4f0 fs/namespace.c:961
vfs_kern_mount fs/namespace.c:951 [inline]
do_new_mount fs/namespace.c:2469 [inline]
do_mount+0x581/0x31f0 fs/namespace.c:2801
ksys_mount+0x12d/0x140 fs/namespace.c:3017
__do_sys_mount fs/namespace.c:3031 [inline]
__se_sys_mount fs/namespace.c:3028 [inline]
__x64_sys_mount+0xbe/0x150 fs/namespace.c:3028
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457569
Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f1d0faf5c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000457569
RDX: 0000000020000600 RSI: 00000000200005c0 RDI: 0000000000000000
RBP: 000000000072bf00 R08: 0000000020000240 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1d0faf66d4
R13: 00000000004c2b12 R14: 00000000004d4278 R15: 00000000ffffffff
Kernel Offset: disabled
Rebooting in 86400 seconds..
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.