2023-11-30 08:31:02

by syzbot

Subject: [syzbot] [net?] WARNING in cleanup_net (3)

Hello,

syzbot found the following issue on:

HEAD commit: d90b0276af8f Merge tag 'hardening-v6.6-rc3' of git://git.k..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12c4675c680000
kernel config: https://syzkaller.appspot.com/x/.config?x=d594086f139d167
dashboard link: https://syzkaller.appspot.com/bug?extid=9ada62e1dc03fdc41982
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: i386

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-d90b0276.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c6997ebf3cf3/vmlinux-d90b0276.xz
kernel image: https://storage.googleapis.com/syzbot-assets/d893c5c3f98f/bzImage-d90b0276.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]

do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203
entry_SYSENTER_compat_after_hwframe+0x70/0x82
------------[ cut here ]------------
WARNING: CPU: 1 PID: 1093 at lib/ref_tracker.c:179 spin_unlock_irqrestore include/linux/spinlock.h:406 [inline]
WARNING: CPU: 1 PID: 1093 at lib/ref_tracker.c:179 ref_tracker_dir_exit+0x3e2/0x680 lib/ref_tracker.c:178
Modules linked in:
CPU: 1 PID: 1093 Comm: kworker/u16:7 Not tainted 6.6.0-rc2-syzkaller-00337-gd90b0276af8f #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Workqueue: netns cleanup_net
RIP: 0010:ref_tracker_dir_exit+0x3e2/0x680 lib/ref_tracker.c:179
Code: 85 07 02 00 00 4d 39 f5 49 8b 06 4d 89 f7 0f 85 0e ff ff ff 48 8b 2c 24 e8 4b 7b 32 fd 48 8b 74 24 18 48 89 ef e8 ce d8 ec 05 <0f> 0b e8 37 7b 32 fd 48 8d 5d 44 be 04 00 00 00 48 89 df e8 b6 34
RSP: 0018:ffffc90006ee7b78 EFLAGS: 00010246
RAX: 0000000000000000 RBX: dffffc0000000000 RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffffffff8a8cab20 RDI: 0000000000000001
RBP: ffff8880591981e0 R08: 0000000000000001 R09: fffffbfff233dff7
R10: ffffffff919effbf R11: 0000000000000114 R12: ffff888059198230
R13: ffff888059198230 R14: ffff888059198230 R15: ffff888059198230
FS: 0000000000000000(0000) GS:ffff88802c700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000057ab404c CR3: 0000000070f05000 CR4: 0000000000350ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 00000000ffff00f1 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
net_free net/core/net_namespace.c:448 [inline]
net_free net/core/net_namespace.c:442 [inline]
cleanup_net+0x8d4/0xb20 net/core/net_namespace.c:635
process_one_work+0x884/0x15c0 kernel/workqueue.c:2630
process_scheduled_works kernel/workqueue.c:2703 [inline]
worker_thread+0x8b9/0x1290 kernel/workqueue.c:2784
kthread+0x33c/0x440 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
</TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup


2024-04-05 03:00:45

by syzbot

Subject: Re: [syzbot] [net?] WARNING in cleanup_net (3)

syzbot has found a reproducer for the following issue on:

HEAD commit: fe46a7dd189e Merge tag 'sound-6.9-rc1' of git://git.kernel..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11fdccc5180000
kernel config: https://syzkaller.appspot.com/x/.config?x=fe78468a74fdc3b7
dashboard link: https://syzkaller.appspot.com/bug?extid=9ada62e1dc03fdc41982
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16696223180000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/0f7abe4afac7/disk-fe46a7dd.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/82598d09246c/vmlinux-fe46a7dd.xz
kernel image: https://storage.googleapis.com/syzbot-assets/efa23788c875/bzImage-fe46a7dd.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]

------------[ cut here ]------------
WARNING: CPU: 1 PID: 5236 at lib/ref_tracker.c:179 ref_tracker_dir_exit+0x411/0x550 lib/ref_tracker.c:179
Modules linked in:
CPU: 1 PID: 5236 Comm: kworker/u8:6 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Workqueue: netns cleanup_net
RIP: 0010:ref_tracker_dir_exit+0x411/0x550 lib/ref_tracker.c:179
Code: 48 8b 1c 24 48 89 df 48 8b 74 24 20 e8 88 e7 9f 06 eb 1a e8 71 d2 b5 fc 48 8b 1c 24 48 89 df 48 8b 74 24 20 e8 70 e7 9f 06 90 <0f> 0b 90 48 83 c3 44 48 89 df be 04 00 00 00 e8 db 23 19 fd 48 89
RSP: 0018:ffffc9000905f9e0 EFLAGS: 00010246
RAX: 717a74f119e84f00 RBX: ffff888021ec9e98 RCX: 0000000000000001
RDX: dffffc0000000000 RSI: ffffffff8baac1e0 RDI: 0000000000000001
RBP: ffffc9000905fab0 R08: ffffffff92ce55ff R09: 1ffffffff259cabf
R10: dffffc0000000000 R11: fffffbfff259cac0 R12: 1ffff1100df19ef8
R13: dead000000000100 R14: ffff888021ec9ee8 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5c604d35c0 CR3: 0000000029078000 CR4: 0000000000350ef0
Call Trace:
<TASK>
net_free net/core/net_namespace.c:462 [inline]
cleanup_net+0xbf3/0xcc0 net/core/net_namespace.c:658
process_one_work kernel/workqueue.c:3254 [inline]
process_scheduled_works+0xa02/0x1770 kernel/workqueue.c:3335
worker_thread+0x86d/0xd70 kernel/workqueue.c:3416
kthread+0x2f2/0x390 kernel/kthread.c:388
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243
</TASK>


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

2024-04-05 06:38:31

by Hillf Danton

Subject: Re: [syzbot] [net?] WARNING in cleanup_net (3)

On Thu, 04 Apr 2024 20:00:30 -0700
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: fe46a7dd189e Merge tag 'sound-6.9-rc1' of git://git.kernel..
> git tree: upstream
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16696223180000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fe46a7dd189e

--- x/include/net/net_namespace.h
+++ y/include/net/net_namespace.h
@@ -318,7 +318,7 @@ static inline int check_net(const struct
return 1;
}

-#define net_drop_ns NULL
+static void net_drop_ns(void *p) {}
#endif


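Review bot: the replacement for `#define net_drop_ns NULL` is missing `inline`. A plain `static void net_drop_ns(void *p) {}` in a header is instantiated separately in every translation unit that includes net_namespace.h and trips -Wunused-function wherever it is not called; `static inline void net_drop_ns(void *p) {}` is the usual form. Note also that the old definition was a NULL constant, so any site that tests `net_drop_ns` for NULL or passes it as an optional callback now sees a non-NULL function pointer and needs checking.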
@@ -353,7 +353,7 @@ static inline void __netns_tracker_free(
static inline struct net *get_net_track(struct net *net,
netns_tracker *tracker, gfp_t gfp)
{
- get_net(net);
+ refcount_inc(&net->passive);
netns_tracker_alloc(net, tracker, gfp);
return net;
}
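Review bot: replacing `get_net(net)` with `refcount_inc(&net->passive)` changes what a tracked reference guarantees. A reference obtained through get_net() keeps the namespace from being cleaned up; `net->passive` only keeps the struct net allocation alive, so after this change a get_net_track() caller can have its namespace torn down while it still holds it, and the tracker entry registered by netns_tracker_alloc() describes a refcount reference that no longer exists. syzbot's test of this patch shows the effect: with the socket's reference no longer counted, the last put_net() from the exiting task's nsproxy reaches __put_net() while the `sk_alloc+0x1af/0x350 / tun_chr_open` tracker entry is still present, and ref_tracker_dir_exit() warns on it. If a passive reference is really what callers need, the tracker should not be registered against the refcount dir and every get_net_track() user needs auditing; otherwise keep get_net() here.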
@@ -361,7 +361,7 @@ static inline struct net *get_net_track(
static inline void put_net_track(struct net *net, netns_tracker *tracker)
{
__netns_tracker_free(net, tracker, true);
- put_net(net);
+ net_drop_ns(net);
}

typedef struct {
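Review bot: dropping only the passive count here is consistent with the get_net_track() side of this patch, but in the !CONFIG_NET_NS branch net_drop_ns() is now the empty stub from the first hunk, so the `refcount_inc(&net->passive)` taken in get_net_track() is never balanced on those builds. That is harmless for init_net, which is never freed, but it is an asymmetry worth avoiding: either keep the get_net()/put_net() pairing or give the stub a real decrement.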
--

2024-04-05 21:23:04

by Eric Dumazet

Subject: Re: [syzbot] [net?] WARNING in cleanup_net (3)

On Fri, Apr 5, 2024 at 5:00 AM syzbot
<[email protected]> wrote:
>
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: fe46a7dd189e Merge tag 'sound-6.9-rc1' of git://git.kernel..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=11fdccc5180000
> kernel config: https://syzkaller.appspot.com/x/.config?x=fe78468a74fdc3b7
> dashboard link: https://syzkaller.appspot.com/bug?extid=9ada62e1dc03fdc41982
> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16696223180000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/0f7abe4afac7/disk-fe46a7dd.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/82598d09246c/vmlinux-fe46a7dd.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/efa23788c875/bzImage-fe46a7dd.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: [email protected]
>
> ------------[ cut here ]------------
> WARNING: CPU: 1 PID: 5236 at lib/ref_tracker.c:179 ref_tracker_dir_exit+0x411/0x550 lib/ref_tracker.c:179
> Modules linked in:
> CPU: 1 PID: 5236 Comm: kworker/u8:6 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
> Workqueue: netns cleanup_net
> RIP: 0010:ref_tracker_dir_exit+0x411/0x550 lib/ref_tracker.c:179
> Code: 48 8b 1c 24 48 89 df 48 8b 74 24 20 e8 88 e7 9f 06 eb 1a e8 71 d2 b5 fc 48 8b 1c 24 48 89 df 48 8b 74 24 20 e8 70 e7 9f 06 90 <0f> 0b 90 48 83 c3 44 48 89 df be 04 00 00 00 e8 db 23 19 fd 48 89
> RSP: 0018:ffffc9000905f9e0 EFLAGS: 00010246
> RAX: 717a74f119e84f00 RBX: ffff888021ec9e98 RCX: 0000000000000001
> RDX: dffffc0000000000 RSI: ffffffff8baac1e0 RDI: 0000000000000001
> RBP: ffffc9000905fab0 R08: ffffffff92ce55ff R09: 1ffffffff259cabf
> R10: dffffc0000000000 R11: fffffbfff259cac0 R12: 1ffff1100df19ef8
> R13: dead000000000100 R14: ffff888021ec9ee8 R15: dffffc0000000000
> FS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f5c604d35c0 CR3: 0000000029078000 CR4: 0000000000350ef0
> Call Trace:
> <TASK>
> net_free net/core/net_namespace.c:462 [inline]
> cleanup_net+0xbf3/0xcc0 net/core/net_namespace.c:658
> process_one_work kernel/workqueue.c:3254 [inline]
> process_scheduled_works+0xa02/0x1770 kernel/workqueue.c:3335
> worker_thread+0x86d/0xd70 kernel/workqueue.c:3416
> kthread+0x2f2/0x390 kernel/kthread.c:388
> ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243
> </TASK>
>
>
> ---
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.

#syz fix: rds: tcp: Fix use-after-free of net in reqsk_timer_handler().

2024-04-06 15:20:15

by syzbot

Subject: Re: [syzbot] [net?] WARNING in cleanup_net (3)

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

74.666060][ T5073] team0: Port device team_slave_1 added
[ 74.696681][ T5073] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 74.703624][ T5073] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 74.729664][ T5073] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 74.742982][ T5073] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 74.750067][ T5073] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 74.776113][ T5073] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 74.826626][ T5073] hsr_slave_0: entered promiscuous mode
[ 74.833774][ T5073] hsr_slave_1: entered promiscuous mode
[ 74.986810][ T5073] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 74.998682][ T5073] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 75.010024][ T5073] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 75.020591][ T5073] netdevsim netdevsim0 netdevsim3: renamed from eth3
executing program
[ 75.057449][ T5073] bridge0: port 2(bridge_slave_1) entered blocking state
[ 75.064909][ T5073] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 75.072881][ T5073] bridge0: port 1(bridge_slave_0) entered blocking state
[ 75.080104][ T5073] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 75.156591][ T5073] 8021q: adding VLAN 0 to HW filter on device bond0
[ 75.178956][ T8] bridge0: port 1(bridge_slave_0) entered disabled state
[ 75.188008][ T8] bridge0: port 2(bridge_slave_1) entered disabled state
[ 75.206302][ T5073] 8021q: adding VLAN 0 to HW filter on device team0
[ 75.220345][ T49] bridge0: port 1(bridge_slave_0) entered blocking state
[ 75.227507][ T49] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 75.246459][ T7] bridge0: port 2(bridge_slave_1) entered blocking state
[ 75.253719][ T7] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 75.441809][ T5073] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 75.493643][ T5073] veth0_vlan: entered promiscuous mode
[ 75.511542][ T5073] veth1_vlan: entered promiscuous mode
[ 75.548734][ T5073] veth0_macvtap: entered promiscuous mode
[ 75.558643][ T5073] veth1_macvtap: entered promiscuous mode
[ 75.580898][ T5073] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 75.597516][ T5073] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 75.612147][ T5073] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 75.622705][ T5073] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 75.633004][ T5073] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 75.642196][ T5073] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 75.720798][ T1089] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 75.729210][ T1089] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 75.761384][ T1028] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 75.770152][ T1028] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
2024/04/06 15:18:47 building call list...
[ 75.905861][ T5073] ref_tracker: net refcnt@ffff8880222c0148 has 1/1 users at
[ 75.905861][ T5073] sk_alloc+0x1af/0x350
[ 75.905861][ T5073] tun_chr_open+0x7a/0x510
[ 75.905861][ T5073] misc_open+0x315/0x390
[ 75.905861][ T5073] chrdev_open+0x5b2/0x630
[ 75.905861][ T5073] do_dentry_open+0x909/0x15a0
[ 75.905861][ T5073] path_openat+0x2860/0x3240
[ 75.905861][ T5073] do_filp_open+0x235/0x490
[ 75.905861][ T5073] do_sys_openat2+0x13e/0x1d0
[ 75.905861][ T5073] __x64_sys_openat+0x247/0x2a0
[ 75.905861][ T5073] do_syscall_64+0xfd/0x240
[ 75.905861][ T5073] entry_SYSCALL_64_after_hwframe+0x6d/0x75
[ 75.905861][ T5073]
[ 75.979496][ T5073] ------------[ cut here ]------------
[ 75.985963][ T5073] WARNING: CPU: 0 PID: 5073 at lib/ref_tracker.c:179 ref_tracker_dir_exit+0x411/0x550
[ 75.995634][ T5073] Modules linked in:
[ 75.999559][ T5073] CPU: 0 PID: 5073 Comm: syz-executor.0 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e-dirty #0
[ 76.010206][ T5073] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
[ 76.020324][ T5073] RIP: 0010:ref_tracker_dir_exit+0x411/0x550
[ 76.026442][ T5073] Code: 48 8b 1c 24 48 89 df 48 8b 74 24 20 e8 48 e8 9f 06 eb 1a e8 31 d3 b5 fc 48 8b 1c 24 48 89 df 48 8b 74 24 20 e8 30 e8 9f 06 90 <0f> 0b 90 48 83 c3 44 48 89 df be 04 00 00 00 e8 9b 24 19 fd 48 89
[ 76.046525][ T5073] RSP: 0018:ffffc900044a79a0 EFLAGS: 00010246
[ 76.052621][ T5073] RAX: 07ca3c5e6899b200 RBX: ffff8880222c0148 RCX: 0000000000000001
[ 76.061276][ T5073] RDX: dffffc0000000000 RSI: ffffffff8baac1e0 RDI: 0000000000000001
[ 76.069472][ T5073] RBP: ffffc900044a7a70 R08: ffffffff8f873a6f R09: 1ffffffff1f0e74d
[ 76.077665][ T5073] R10: dffffc0000000000 R11: fffffbfff1f0e74e R12: 1ffff110049d72f8
[ 76.085764][ T5073] R13: dead000000000100 R14: ffff8880222c0198 R15: dffffc0000000000
[ 76.093785][ T5073] FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
[ 76.102832][ T5073] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 76.109499][ T5073] CR2: 00007ffe64587f58 CR3: 000000002af48000 CR4: 0000000000350ef0
[ 76.117552][ T5073] Call Trace:
[ 76.120893][ T5073] <TASK>
[ 76.123846][ T5073] ? __warn+0x163/0x4b0
[ 76.128285][ T5073] ? ref_tracker_dir_exit+0x411/0x550
[ 76.133708][ T5073] ? report_bug+0x2b3/0x500
[ 76.138632][ T5073] ? ref_tracker_dir_exit+0x411/0x550
[ 76.144061][ T5073] ? handle_bug+0x3e/0x70
[ 76.148725][ T5073] ? exc_invalid_op+0x1a/0x50
[ 76.153433][ T5073] ? asm_exc_invalid_op+0x1a/0x20
[ 76.158555][ T5073] ? ref_tracker_dir_exit+0x411/0x550
[ 76.163983][ T5073] ? __pfx_ref_tracker_dir_exit+0x10/0x10
[ 76.169829][ T5073] ? free_nsproxy+0x28f/0x3b0
[ 76.174590][ T5073] ? srso_return_thunk+0x5/0x5f
[ 76.179476][ T5073] ? kfree+0x14a/0x380
[ 76.183575][ T5073] __put_net+0x19/0x60
[ 76.187755][ T5073] free_nsproxy+0x30a/0x3b0
[ 76.192315][ T5073] do_exit+0xa16/0x27e0
[ 76.196611][ T5073] ? srso_return_thunk+0x5/0x5f
[ 76.201489][ T5073] ? __pfx_do_exit+0x10/0x10
[ 76.206461][ T5073] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 76.211883][ T5073] ? srso_return_thunk+0x5/0x5f
[ 76.216829][ T5073] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 76.222856][ T5073] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 76.229291][ T5073] ? _raw_spin_lock_irq+0xdf/0x120
[ 76.234528][ T5073] do_group_exit+0x207/0x2c0
[ 76.239390][ T5073] ? _raw_spin_unlock_irq+0x23/0x50
[ 76.244928][ T5073] ? srso_return_thunk+0x5/0x5f
[ 76.249814][ T5073] ? lockdep_hardirqs_on+0x99/0x150
[ 76.255099][ T5073] get_signal+0x176e/0x1850
[ 76.259655][ T5073] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 76.266119][ T5073] ? __pfx_get_signal+0x10/0x10
[ 76.271013][ T5073] ? debug_check_no_obj_freed+0x561/0x580
[ 76.277008][ T5073] arch_do_signal_or_restart+0x96/0x860
[ 76.282599][ T5073] ? __pfx_arch_do_signal_or_restart+0x10/0x10
[ 76.289844][ T5073] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 76.294843][ T4465] Bluetooth: hci0: command tx timeout
[ 76.295900][ T5073] ? syscall_exit_to_user_mode+0xa3/0x360
[ 76.307083][ T5073] syscall_exit_to_user_mode+0xc9/0x360
[ 76.312673][ T5073] do_syscall_64+0x10a/0x240
[ 76.317377][ T5073] entry_SYSCALL_64_after_hwframe+0x6d/0x75
[ 76.323305][ T5073] RIP: 0033:0x7faaf287cd5a
[ 76.327851][ T5073] Code: Unable to access opcode bytes at 0x7faaf287cd30.
[ 76.334934][ T5073] RSP: 002b:00007ffe645897e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 76.343712][ T5073] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 00007faaf287cd5a
[ 76.351985][ T5073] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 76.360059][ T5073] RBP: 00007ffe6458985c R08: 0000000000000000 R09: 00007ffe64589547
[ 76.368276][ T5073] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000032
[ 76.376330][ T5073] R13: 000000000001282f R14: 000000000001281f R15: 0000000000000003
[ 76.384447][ T5073] </TASK>
[ 76.387492][ T5073] Kernel panic - not syncing: kernel: panic_on_warn set ...
[ 76.394807][ T5073] CPU: 0 PID: 5073 Comm: syz-executor.0 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e-dirty #0
[ 76.405345][ T5073] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
[ 76.415414][ T5073] Call Trace:
[ 76.418704][ T5073] <TASK>
[ 76.421647][ T5073] dump_stack_lvl+0x241/0x360
[ 76.426366][ T5073] ? __pfx_dump_stack_lvl+0x10/0x10
[ 76.431623][ T5073] ? __pfx__printk+0x10/0x10
[ 76.436256][ T5073] ? srso_return_thunk+0x5/0x5f
[ 76.441133][ T5073] ? vscnprintf+0x5d/0x90
[ 76.445501][ T5073] panic+0x349/0x860
[ 76.449437][ T5073] ? srso_return_thunk+0x5/0x5f
[ 76.454321][ T5073] ? __warn+0x172/0x4b0
[ 76.458513][ T5073] ? __pfx_panic+0x10/0x10
[ 76.463004][ T5073] __warn+0x31e/0x4b0
[ 76.467040][ T5073] ? ref_tracker_dir_exit+0x411/0x550
[ 76.472466][ T5073] report_bug+0x2b3/0x500
[ 76.476832][ T5073] ? ref_tracker_dir_exit+0x411/0x550
[ 76.482254][ T5073] handle_bug+0x3e/0x70
[ 76.486444][ T5073] exc_invalid_op+0x1a/0x50
[ 76.491411][ T5073] asm_exc_invalid_op+0x1a/0x20
[ 76.496283][ T5073] RIP: 0010:ref_tracker_dir_exit+0x411/0x550
[ 76.502653][ T5073] Code: 48 8b 1c 24 48 89 df 48 8b 74 24 20 e8 48 e8 9f 06 eb 1a e8 31 d3 b5 fc 48 8b 1c 24 48 89 df 48 8b 74 24 20 e8 30 e8 9f 06 90 <0f> 0b 90 48 83 c3 44 48 89 df be 04 00 00 00 e8 9b 24 19 fd 48 89
[ 76.522277][ T5073] RSP: 0018:ffffc900044a79a0 EFLAGS: 00010246
[ 76.528381][ T5073] RAX: 07ca3c5e6899b200 RBX: ffff8880222c0148 RCX: 0000000000000001
[ 76.536367][ T5073] RDX: dffffc0000000000 RSI: ffffffff8baac1e0 RDI: 0000000000000001
[ 76.544448][ T5073] RBP: ffffc900044a7a70 R08: ffffffff8f873a6f R09: 1ffffffff1f0e74d
[ 76.552431][ T5073] R10: dffffc0000000000 R11: fffffbfff1f0e74e R12: 1ffff110049d72f8
[ 76.560413][ T5073] R13: dead000000000100 R14: ffff8880222c0198 R15: dffffc0000000000
[ 76.568441][ T5073] ? __pfx_ref_tracker_dir_exit+0x10/0x10
[ 76.574191][ T5073] ? free_nsproxy+0x28f/0x3b0
[ 76.578889][ T5073] ? srso_return_thunk+0x5/0x5f
[ 76.583751][ T5073] ? kfree+0x14a/0x380
[ 76.588098][ T5073] __put_net+0x19/0x60
[ 76.592182][ T5073] free_nsproxy+0x30a/0x3b0
[ 76.596712][ T5073] do_exit+0xa16/0x27e0
[ 76.600909][ T5073] ? srso_return_thunk+0x5/0x5f
[ 76.605863][ T5073] ? __pfx_do_exit+0x10/0x10
[ 76.610470][ T5073] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 76.615867][ T5073] ? srso_return_thunk+0x5/0x5f
[ 76.620727][ T5073] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 76.626722][ T5073] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 76.633061][ T5073] ? _raw_spin_lock_irq+0xdf/0x120
[ 76.638194][ T5073] do_group_exit+0x207/0x2c0
[ 76.642805][ T5073] ? _raw_spin_unlock_irq+0x23/0x50
[ 76.648021][ T5073] ? srso_return_thunk+0x5/0x5f
[ 76.652912][ T5073] ? lockdep_hardirqs_on+0x99/0x150
[ 76.658135][ T5073] get_signal+0x176e/0x1850
[ 76.662661][ T5073] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 76.669017][ T5073] ? __pfx_get_signal+0x10/0x10
[ 76.673885][ T5073] ? debug_check_no_obj_freed+0x561/0x580
[ 76.679630][ T5073] arch_do_signal_or_restart+0x96/0x860
[ 76.685205][ T5073] ? __pfx_arch_do_signal_or_restart+0x10/0x10
[ 76.691376][ T5073] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 76.697377][ T5073] ? syscall_exit_to_user_mode+0xa3/0x360
[ 76.703118][ T5073] syscall_exit_to_user_mode+0xc9/0x360
[ 76.708688][ T5073] do_syscall_64+0x10a/0x240
[ 76.713304][ T5073] entry_SYSCALL_64_after_hwframe+0x6d/0x75
[ 76.719212][ T5073] RIP: 0033:0x7faaf287cd5a
[ 76.723630][ T5073] Code: Unable to access opcode bytes at 0x7faaf287cd30.
[ 76.730651][ T5073] RSP: 002b:00007ffe645897e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 76.739077][ T5073] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 00007faaf287cd5a
[ 76.747051][ T5073] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 76.755026][ T5073] RBP: 00007ffe6458985c R08: 0000000000000000 R09: 00007ffe64589547
[ 76.763004][ T5073] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000032
[ 76.770980][ T5073] R13: 000000000001282f R14: 000000000001281f R15: 0000000000000003
[ 76.778969][ T5073] </TASK>
[ 76.782215][ T5073] Kernel Offset: disabled
[ 76.786567][ T5073] Rebooting in 86400 seconds..


syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.21.4'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build4023541434=/tmp/go-build -gno-record-gcc-switches'

git status (err=<nil>)
HEAD detached at 0ee3535ea
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=0ee3535ea8ff21d50e44372bb1cfd147e299ab5b -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240404-085507'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=0ee3535ea8ff21d50e44372bb1cfd147e299ab5b -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240404-085507'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=0ee3535ea8ff21d50e44372bb1cfd147e299ab5b -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240404-085507'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"0ee3535ea8ff21d50e44372bb1cfd147e299ab5b\"


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=1440efc5180000


Tested on:

commit: fe46a7dd Merge tag 'sound-6.9-rc1' of git://git.kernel..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=fe78468a74fdc3b7
dashboard link: https://syzkaller.appspot.com/bug?extid=9ada62e1dc03fdc41982
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=15954d8d180000


2024-04-06 22:50:04

by Hillf Danton

Subject: Re: [syzbot] [net?] WARNING in cleanup_net (3)

On Thu, 04 Apr 2024 20:00:30 -0700
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: fe46a7dd189e Merge tag 'sound-6.9-rc1' of git://git.kernel..
> git tree: upstream
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16696223180000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fe46a7dd189e

--- x/include/net/net_namespace.h
+++ y/include/net/net_namespace.h
@@ -318,7 +318,7 @@ static inline int check_net(const struct
return 1;
}

-#define net_drop_ns NULL
+static void net_drop_ns(void *p) {}
#endif


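Review bot: the stub that replaces `#define net_drop_ns NULL` should be `static inline void net_drop_ns(void *p) {}`; as written it is a non-inline static function in a header, so every translation unit that includes net_namespace.h gets its own unused copy and -Wunused-function fires. The change from a NULL constant to a real function pointer also affects any caller that tests `net_drop_ns` for NULL.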
@@ -353,6 +353,7 @@ static inline void __netns_tracker_free(
static inline struct net *get_net_track(struct net *net,
netns_tracker *tracker, gfp_t gfp)
{
+ refcount_inc(&net->passive);
get_net(net);
netns_tracker_alloc(net, tracker, gfp);
return net;
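Review bot: the added `refcount_inc(&net->passive)` is redundant while the get_net() reference taken on the next line is held, since a namespace with a live refcount always keeps its passive count above zero; it only takes effect after put_net(), where it postpones net_free() until the matching net_drop_ns() in put_net_track(). That does not remove whatever reference was still outstanding when cleanup_net() ran, it only moves the point at which the namespace is freed and ref_tracker_dir_exit() runs. syzbot's test of this version bears that out: it reports a KASAN slab-use-after-free in net_generic() from addrconf_dad_work on memory freed via net_drop_ns(), so a user of the namespace is still running after teardown and the passive-count change just alters how the bug surfaces. The outstanding user needs to be found and released rather than the reference accounting adjusted around it.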
@@ -362,6 +363,7 @@ static inline void put_net_track(struct
{
__netns_tracker_free(net, tracker, true);
put_net(net);
+ net_drop_ns(net);
}

typedef struct {
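Review bot: the ordering is correct (net_drop_ns() may free `net` and nothing touches `net` after it), but this call only balances the passive increment from get_net_track() when CONFIG_NET_NS is set; with the stub from the first hunk it is a no-op, leaving the passive count unbalanced on !CONFIG_NET_NS builds. A comment explaining why put_net_track() now holds a passive reference in addition to the full one would also help, since nothing in the hunk explains the asymmetry with plain put_net().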
--

2024-04-07 03:20:11

by syzbot

Subject: Re: [syzbot] [net?] WARNING in cleanup_net (3)

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

are+0x38/0x40
[ 77.597915][ T5085] do_syscall_64+0xfd/0x240
[ 77.597915][ T5085] entry_SYSCALL_64_after_hwframe+0x6d/0x75
[ 77.597915][ T5085]
[ 77.673058][ T5085] ref_tracker: net notrefcnt@ffff8880226f01d8 skipped reports about 9/30 users.
[ 77.701239][ T61] ==================================================================
[ 77.709356][ T61] BUG: KASAN: slab-use-after-free in net_generic+0x137/0x240
[ 77.716805][ T61] Read of size 8 at addr ffff88802a43e828 by task kworker/u8:4/61
[ 77.724631][ T61]
[ 77.726967][ T61] CPU: 0 PID: 61 Comm: kworker/u8:4 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e-dirty #0
[ 77.737146][ T61] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
[ 77.747221][ T61] Workqueue: ipv6_addrconf addrconf_dad_work
[ 77.753246][ T61] Call Trace:
[ 77.756539][ T61] <TASK>
[ 77.759487][ T61] dump_stack_lvl+0x241/0x360
[ 77.764202][ T61] ? __pfx_dump_stack_lvl+0x10/0x10
[ 77.769440][ T61] ? __pfx__printk+0x10/0x10
[ 77.774072][ T61] ? _printk+0xd5/0x120
[ 77.778297][ T61] ? __virt_addr_valid+0x183/0x520
[ 77.783446][ T61] ? srso_return_thunk+0x5/0x5f
[ 77.788325][ T61] print_report+0x169/0x550
[ 77.792863][ T61] ? __virt_addr_valid+0x183/0x520
[ 77.798012][ T61] ? srso_return_thunk+0x5/0x5f
[ 77.802893][ T61] ? __virt_addr_valid+0x44e/0x520
[ 77.808045][ T61] ? srso_return_thunk+0x5/0x5f
[ 77.812923][ T61] ? __phys_addr+0xba/0x170
[ 77.817639][ T61] ? net_generic+0x137/0x240
[ 77.822251][ T61] kasan_report+0x143/0x180
[ 77.826801][ T61] ? net_generic+0x137/0x240
[ 77.831422][ T61] ? net_generic+0x1f/0x240
[ 77.835957][ T61] net_generic+0x137/0x240
[ 77.840395][ T61] call_fib_notifiers+0x23/0x60
[ 77.845304][ T61] fib6_add+0x1bd5/0x4430
[ 77.849707][ T61] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 77.856103][ T61] ? __pfx_lock_acquire+0x10/0x10
[ 77.861152][ T61] ? __pfx_fib6_add+0x10/0x10
[ 77.865864][ T61] ? srso_return_thunk+0x5/0x5f
[ 77.870742][ T61] ? do_raw_spin_lock+0x14f/0x370
[ 77.875798][ T61] ? __pfx___local_bh_disable_ip+0x10/0x10
[ 77.881630][ T61] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 77.887037][ T61] ? srso_return_thunk+0x5/0x5f
[ 77.891919][ T61] ? ip6_ins_rt+0xf0/0x170
[ 77.896369][ T61] ip6_ins_rt+0x106/0x170
[ 77.900730][ T61] ? __pfx_ip6_ins_rt+0x10/0x10
[ 77.905616][ T61] ? srso_return_thunk+0x5/0x5f
[ 77.910489][ T61] ? nlmsg_notify+0x15a/0x1c0
[ 77.915196][ T61] __ipv6_ifa_notify+0x5ca/0x11f0
[ 77.920243][ T61] ? __pfx___ipv6_ifa_notify+0x10/0x10
[ 77.925724][ T61] ? srso_return_thunk+0x5/0x5f
[ 77.930599][ T61] ? mark_lock+0x9a/0x350
[ 77.934959][ T61] ? srso_return_thunk+0x5/0x5f
[ 77.939842][ T61] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 77.945852][ T61] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 77.952210][ T61] ? __cancel_work+0x26a/0x390
[ 77.957001][ T61] ? srso_return_thunk+0x5/0x5f
[ 77.961878][ T61] ? lockdep_hardirqs_on+0x99/0x150
[ 77.967113][ T61] ? srso_return_thunk+0x5/0x5f
[ 77.971989][ T61] ? __cancel_work+0x2ef/0x390
[ 77.976790][ T61] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 77.983154][ T61] addrconf_dad_completed+0x181/0xcd0
[ 77.988570][ T61] ? __pfx_addrconf_dad_completed+0x10/0x10
[ 77.994527][ T61] ? addrconf_dad_work+0x58a/0x16f0
[ 77.999783][ T61] addrconf_dad_work+0xdc2/0x16f0
[ 78.004876][ T61] ? srso_return_thunk+0x5/0x5f
[ 78.009767][ T61] ? __pfx_addrconf_dad_work+0x10/0x10
[ 78.015276][ T61] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 78.021642][ T61] ? process_scheduled_works+0x91b/0x1770
[ 78.027395][ T61] process_scheduled_works+0xa02/0x1770
[ 78.032992][ T61] ? __pfx_process_scheduled_works+0x10/0x10
[ 78.039006][ T61] ? assign_work+0x364/0x3d0
[ 78.043622][ T61] worker_thread+0x86d/0xd70
[ 78.048241][ T61] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 78.054174][ T61] ? __kthread_parkme+0x169/0x1d0
[ 78.059229][ T61] ? __pfx_worker_thread+0x10/0x10
[ 78.064420][ T61] kthread+0x2f2/0x390
[ 78.068528][ T61] ? __pfx_worker_thread+0x10/0x10
[ 78.073668][ T61] ? __pfx_kthread+0x10/0x10
[ 78.078288][ T61] ret_from_fork+0x4d/0x80
[ 78.082745][ T61] ? __pfx_kthread+0x10/0x10
[ 78.087372][ T61] ret_from_fork_asm+0x1a/0x30
[ 78.092213][ T61] </TASK>
[ 78.095242][ T61]
[ 78.097572][ T61] Allocated by task 5073:
[ 78.101905][ T61] kasan_save_track+0x3f/0x80
[ 78.106607][ T61] __kasan_kmalloc+0x98/0xb0
[ 78.111229][ T61] __kmalloc+0x233/0x4a0
[ 78.115490][ T61] copy_net_ns+0x10e/0x7b0
[ 78.119929][ T61] create_new_namespaces+0x425/0x7b0
[ 78.125249][ T61] unshare_nsproxy_namespaces+0x124/0x180
[ 78.130996][ T61] ksys_unshare+0x619/0xc10
[ 78.135525][ T61] __x64_sys_unshare+0x38/0x40
[ 78.140320][ T61] do_syscall_64+0xfd/0x240
[ 78.144846][ T61] entry_SYSCALL_64_after_hwframe+0x6d/0x75
[ 78.150767][ T61]
[ 78.153098][ T61] Freed by task 5085:
[ 78.157087][ T61] kasan_save_track+0x3f/0x80
[ 78.161793][ T61] kasan_save_free_info+0x40/0x50
[ 78.166858][ T61] poison_slab_object+0xa6/0xe0
[ 78.171748][ T61] __kasan_slab_free+0x37/0x60
[ 78.176539][ T61] kfree+0x14a/0x380
[ 78.180452][ T61] net_drop_ns+0x6e/0xc0
[ 78.184724][ T61] iterate_cleanup_work+0x1d2/0x260
[ 78.189945][ T61] process_scheduled_works+0xa02/0x1770
[ 78.195511][ T61] worker_thread+0x86d/0xd70
[ 78.200123][ T61] kthread+0x2f2/0x390
[ 78.204225][ T61] ret_from_fork+0x4d/0x80
[ 78.208678][ T61] ret_from_fork_asm+0x1a/0x30
[ 78.213470][ T61]
[ 78.215805][ T61] The buggy address belongs to the object at ffff88802a43e800
[ 78.215805][ T61] which belongs to the cache kmalloc-1k of size 1024
[ 78.229884][ T61] The buggy address is located 40 bytes inside of
[ 78.229884][ T61] freed 1024-byte region [ffff88802a43e800, ffff88802a43ec00)
[ 78.243716][ T61]
[ 78.246057][ T61] The buggy address belongs to the physical page:
executing program
[ 78.252475][ T61] page:ffffea0000a90e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2a438
[ 78.262645][ T61] head:ffffea0000a90e00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 78.271623][ T61] anon flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 78.280054][ T61] page_type: 0xffffffff()
[ 78.284404][ T61] raw: 00fff00000000840 ffff888014c41dc0 0000000000000000 dead000000000001
[ 78.293008][ T61] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 78.301607][ T61] page dumped because: kasan: bad access detected
[ 78.308035][ T61] page_owner tracks the page as allocated
[ 78.313762][ T61] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 17639541498, free_ts 0
[ 78.333517][ T61] post_alloc_hook+0x1ea/0x210
[ 78.338325][ T61] get_page_from_freelist+0x33ea/0x3580
[ 78.343899][ T61] __alloc_pages+0x256/0x680
[ 78.348509][ T61] alloc_slab_page+0x5f/0x160
[ 78.353214][ T61] new_slab+0x84/0x2f0
[ 78.357310][ T61] ___slab_alloc+0xc73/0x1260
[ 78.362015][ T61] __kmalloc+0x2e5/0x4a0
[ 78.366275][ T61] ops_init+0x203/0x610
[ 78.370463][ T61] register_pernet_operations+0x2cb/0x660
[ 78.376214][ T61] register_pernet_subsys+0x28/0x40
[ 78.381450][ T61] ip6table_nat_init+0x39/0x80
[ 78.386249][ T61] do_one_initcall+0x23a/0x830
[ 78.391039][ T61] do_initcall_level+0x157/0x210
[ 78.395998][ T61] do_initcalls+0x3f/0x80
[ 78.400347][ T61] kernel_init_freeable+0x435/0x5d0
[ 78.405573][ T61] kernel_init+0x1d/0x2a0
[ 78.409923][ T61] page_owner free stack trace missing
[ 78.415297][ T61]
[ 78.417632][ T61] Memory state around the buggy address:
[ 78.423274][ T61] ffff88802a43e700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 78.431349][ T61] ffff88802a43e780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 78.439423][ T61] >ffff88802a43e800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.447489][ T61] ^
[ 78.452872][ T61] ffff88802a43e880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.460943][ T61] ffff88802a43e900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.469270][ T61] ==================================================================
[ 78.477394][ T61] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 78.485047][ T61] CPU: 0 PID: 61 Comm: kworker/u8:4 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e-dirty #0
[ 78.495225][ T61] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
[ 78.505310][ T61] Workqueue: ipv6_addrconf addrconf_dad_work
[ 78.511434][ T61] Call Trace:
[ 78.514731][ T61] <TASK>
[ 78.517685][ T61] dump_stack_lvl+0x241/0x360
[ 78.522408][ T61] ? __pfx_dump_stack_lvl+0x10/0x10
[ 78.527653][ T61] ? __pfx__printk+0x10/0x10
[ 78.532296][ T61] ? srso_return_thunk+0x5/0x5f
[ 78.537188][ T61] ? vscnprintf+0x5d/0x90
[ 78.541544][ T61] panic+0x349/0x860
[ 78.545472][ T61] ? check_panic_on_warn+0x21/0xb0
[ 78.550616][ T61] ? __pfx_panic+0x10/0x10
[ 78.555063][ T61] ? mark_lock+0x9a/0x350
[ 78.559419][ T61] ? _raw_spin_unlock_irqrestore+0xd8/0x140
[ 78.565358][ T61] ? srso_return_thunk+0x5/0x5f
[ 78.570235][ T61] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 78.576165][ T61] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 78.582538][ T61] ? print_report+0x502/0x550
[ 78.587259][ T61] check_panic_on_warn+0x86/0xb0
[ 78.592247][ T61] ? net_generic+0x137/0x240
[ 78.596863][ T61] end_report+0x6e/0x140
[ 78.601143][ T61] kasan_report+0x154/0x180
[ 78.605683][ T61] ? net_generic+0x137/0x240
[ 78.610299][ T61] ? net_generic+0x1f/0x240
[ 78.614828][ T61] net_generic+0x137/0x240
[ 78.619269][ T61] call_fib_notifiers+0x23/0x60
[ 78.624143][ T61] fib6_add+0x1bd5/0x4430
[ 78.628522][ T61] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 78.634889][ T61] ? __pfx_lock_acquire+0x10/0x10
[ 78.639942][ T61] ? __pfx_fib6_add+0x10/0x10
[ 78.644649][ T61] ? srso_return_thunk+0x5/0x5f
[ 78.649561][ T61] ? do_raw_spin_lock+0x14f/0x370
[ 78.654627][ T61] ? __pfx___local_bh_disable_ip+0x10/0x10
[ 78.660470][ T61] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 78.665884][ T61] ? srso_return_thunk+0x5/0x5f
[ 78.670772][ T61] ? ip6_ins_rt+0xf0/0x170
[ 78.675223][ T61] ip6_ins_rt+0x106/0x170
[ 78.679588][ T61] ? __pfx_ip6_ins_rt+0x10/0x10
[ 78.684474][ T61] ? srso_return_thunk+0x5/0x5f
[ 78.689354][ T61] ? nlmsg_notify+0x15a/0x1c0
[ 78.694064][ T61] __ipv6_ifa_notify+0x5ca/0x11f0
[ 78.699112][ T61] ? __pfx___ipv6_ifa_notify+0x10/0x10
[ 78.704684][ T61] ? srso_return_thunk+0x5/0x5f
[ 78.709561][ T61] ? mark_lock+0x9a/0x350
[ 78.713916][ T61] ? srso_return_thunk+0x5/0x5f
[ 78.718789][ T61] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 78.724967][ T61] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 78.731325][ T61] ? __cancel_work+0x26a/0x390
[ 78.736127][ T61] ? srso_return_thunk+0x5/0x5f
[ 78.741007][ T61] ? lockdep_hardirqs_on+0x99/0x150
[ 78.746238][ T61] ? srso_return_thunk+0x5/0x5f
[ 78.751121][ T61] ? __cancel_work+0x2ef/0x390
[ 78.755923][ T61] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 78.762290][ T61] addrconf_dad_completed+0x181/0xcd0
[ 78.767717][ T61] ? __pfx_addrconf_dad_completed+0x10/0x10
[ 78.773655][ T61] ? addrconf_dad_work+0x58a/0x16f0
[ 78.778900][ T61] addrconf_dad_work+0xdc2/0x16f0
[ 78.783967][ T61] ? srso_return_thunk+0x5/0x5f
[ 78.788852][ T61] ? __pfx_addrconf_dad_work+0x10/0x10
[ 78.794358][ T61] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 78.800727][ T61] ? process_scheduled_works+0x91b/0x1770
[ 78.806474][ T61] process_scheduled_works+0xa02/0x1770
[ 78.812067][ T61] ? __pfx_process_scheduled_works+0x10/0x10
[ 78.818082][ T61] ? assign_work+0x364/0x3d0
[ 78.822754][ T61] worker_thread+0x86d/0xd70
[ 78.827425][ T61] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 78.833368][ T61] ? __kthread_parkme+0x169/0x1d0
[ 78.838514][ T61] ? __pfx_worker_thread+0x10/0x10
[ 78.843673][ T61] kthread+0x2f2/0x390
[ 78.847789][ T61] ? __pfx_worker_thread+0x10/0x10
[ 78.852931][ T61] ? __pfx_kthread+0x10/0x10
[ 78.857554][ T61] ret_from_fork+0x4d/0x80
[ 78.862007][ T61] ? __pfx_kthread+0x10/0x10
[ 78.866628][ T61] ret_from_fork_asm+0x1a/0x30
[ 78.871440][ T61] </TASK>
[ 78.874677][ T61] Kernel Offset: disabled
[ 78.878995][ T61] Rebooting in 86400 seconds..


syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.21.4'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build1837125112=/tmp/go-build -gno-record-gcc-switches'

git status (err=<nil>)
HEAD detached at 0ee3535ea
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=0ee3535ea8ff21d50e44372bb1cfd147e299ab5b -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240404-085507'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=0ee3535ea8ff21d50e44372bb1cfd147e299ab5b -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240404-085507'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=0ee3535ea8ff21d50e44372bb1cfd147e299ab5b -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240404-085507'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"0ee3535ea8ff21d50e44372bb1cfd147e299ab5b\"


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=16af0699180000


Tested on:

commit: fe46a7dd Merge tag 'sound-6.9-rc1' of git://git.kernel..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=fe78468a74fdc3b7
dashboard link: https://syzkaller.appspot.com/bug?extid=9ada62e1dc03fdc41982
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=148bd8f3180000


2024-04-07 10:33:40

by Hillf Danton

[permalink] [raw]
Subject: Re: [syzbot] [net?] WARNING in cleanup_net (3)

On Thu, 04 Apr 2024 20:00:30 -0700
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: fe46a7dd189e Merge tag 'sound-6.9-rc1' of git://git.kernel..
> git tree: upstream
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16696223180000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git fe46a7dd189e

--- x/include/net/net_namespace.h
+++ y/include/net/net_namespace.h
@@ -318,7 +318,7 @@ static inline int check_net(const struct
return 1;
}

-#define net_drop_ns NULL
+static void net_drop_ns(void *p) {}
#endif
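Review bot: `static void net_drop_ns(void *p) {}` in a header should be `static inline`; as written, every translation unit that includes net_namespace.h in this configuration (the branch where check_net() is hard-wired to return 1) gets its own unused copy of the function and a -Wunused-function warning. `static inline void net_drop_ns(void *p) { }` keeps the same call shape as the real function. Also note that this branch turns the passive drop into a no-op, so the `refcount_inc(&net->passive)` added to get_net_track() later in this patch has no matching decrement here; if that is acceptable because only init_net exists in this configuration, say so in the commit message (this posting has none).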


@@ -353,6 +353,7 @@ static inline void __netns_tracker_free(
static inline struct net *get_net_track(struct net *net,
netns_tracker *tracker, gfp_t gfp)
{
+ refcount_inc(&net->passive);
get_net(net);
netns_tracker_alloc(net, tracker, gfp);
return net;
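Review bot: `refcount_inc(&net->passive)` here changes get_net_track() for every caller, not only the nf_nat_masquerade path this patch targets: each tracked counted reference now also pins the struct net past cleanup_net, and put_net_track() has to drop both. If only the masquerade work needs a passive reference, take it in nf_nat_masq_schedule() rather than in the shared helper; if the helper change is intended, the commit message should explain why, and the order (passive first, then get_net(), then the tracker) should be mirrored exactly on the put side. Separately, `netns_tracker_alloc()` records this reference in the tracker for counted references, so any caller that later releases the counted reference with a plain put_net() instead of put_net_track() leaves that entry live for ref_tracker_dir_exit() to report.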
@@ -362,6 +363,7 @@ static inline void put_net_track(struct
{
__netns_tracker_free(net, tracker, true);
put_net(net);
+ net_drop_ns(net);
}

typedef struct {
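Review bot: the `net_drop_ns(net)` after `put_net(net)` is the right order (the passive reference has to outlive the last counted one so cleanup_net still runs against a live struct net), but after this call `net` may be gone, so callers of put_net_track() must not touch the namespace afterwards; a one-line comment to that effect would help. The decrement is also unconditional, which only balances if every holder came through the incremented get_net_track() in the previous hunk; a path that still does get_net() plus netns_tracker_alloc() by hand and then calls put_net_track() will now underflow `passive`.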
--- x/net/netfilter/nf_nat_masquerade.c
+++ y/net/netfilter/nf_nat_masquerade.c
@@ -123,11 +123,12 @@ static void nf_nat_masq_schedule(struct
INIT_WORK(&w->work, iterate_cleanup_work);
w->ifindex = ifindex;
w->net = net;
- netns_tracker_alloc(net, &w->ns_tracker, gfp_flags);
+ get_net_track(net, &w->ns_tracker, gfp_flags);
w->iter = iter;
if (addr)
w->addr = *addr;
schedule_work(&w->work);
+ put_net(net);
return;
}
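Review bot: the `put_net(net)` added after `schedule_work()` immediately releases the counted reference that `get_net_track()` took two lines earlier, while the tracker entry get_net_track() registered in `w->ns_tracker` stays live. The work item is then left holding only the passive reference together with a tracker entry that claims a counted one; once the namespace's last counted reference goes away, cleanup_net()/net_free() reach ref_tracker_dir_exit() with that entry still present and warn, which matches what the retest below still reports (WARNING at lib/ref_tracker.c:179 under net_free/cleanup_net). If the work is meant to hold only a passive reference, do not register it with the counted tracker: take the passive reference explicitly here and release it with net_drop_ns() in the work function, or keep a symmetric get/put pair, rather than get_net_track() followed by an untracked put_net().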

--

2024-04-07 11:08:11

by syzbot

[permalink] [raw]
Subject: Re: [syzbot] [net?] WARNING in cleanup_net (3)

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in cleanup_net

__do_sys_unshare kernel/fork.c:3393 [inline]
__se_sys_unshare kernel/fork.c:3391 [inline]
__x64_sys_unshare+0x38/0x40 kernel/fork.c:3391
do_syscall_64+0xfd/0x240
entry_SYSCALL_64_after_hwframe+0x6d/0x75
------------[ cut here ]------------
WARNING: CPU: 1 PID: 1057 at lib/ref_tracker.c:179 ref_tracker_dir_exit+0x411/0x550 lib/ref_tracker.c:179
Modules linked in:
CPU: 1 PID: 1057 Comm: kworker/u8:7 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Workqueue: netns cleanup_net
RIP: 0010:ref_tracker_dir_exit+0x411/0x550 lib/ref_tracker.c:179
Code: 48 8b 1c 24 48 89 df 48 8b 74 24 20 e8 08 e7 9f 06 eb 1a e8 f1 d1 b5 fc 48 8b 1c 24 48 89 df 48 8b 74 24 20 e8 f0 e6 9f 06 90 <0f> 0b 90 48 83 c3 44 48 89 df be 04 00 00 00 e8 5b 23 19 fd 48 89
RSP: 0018:ffffc90003c579e0 EFLAGS: 00010246
RAX: 75214a9c4e67f100 RBX: ffff88807a2b01d8 RCX: 0000000000000001
RDX: dffffc0000000000 RSI: ffffffff8baac1e0 RDI: 0000000000000001
RBP: ffffc90003c57ab0 R08: ffffffff92ce55ef R09: 1ffffffff259cabd
R10: dffffc0000000000 R11: fffffbfff259cabe R12: 1ffff1100fc58348
R13: dead000000000100 R14: ffff88807a2b0228 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f71ec36bfe4 CR3: 000000002dd64000 CR4: 0000000000350ef0
Call Trace:
<TASK>
net_free net/core/net_namespace.c:462 [inline]
cleanup_net+0xbf3/0xcc0 net/core/net_namespace.c:658
process_one_work kernel/workqueue.c:3254 [inline]
process_scheduled_works+0xa02/0x1770 kernel/workqueue.c:3335
worker_thread+0x86d/0xd70 kernel/workqueue.c:3416
kthread+0x2f2/0x390 kernel/kthread.c:388
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243
</TASK>


Tested on:

commit: fe46a7dd Merge tag 'sound-6.9-rc1' of git://git.kernel..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=16ad098d180000
kernel config: https://syzkaller.appspot.com/x/.config?x=fe78468a74fdc3b7
dashboard link: https://syzkaller.appspot.com/bug?extid=9ada62e1dc03fdc41982
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=165c53d3180000
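To make the tracker discipline behind this WARNING concrete, here is a small userland model, added for illustration and not code from the kernel or from anyone in this thread: a counted reference, a passive reference, and a ref_tracker-style directory whose exit routine reports every entry still live, which is the condition lib/ref_tracker.c:179 warns about in the traces above. All `model_` and `scenario_` names are this example's own, the real kernel structures differ in detail, and the model deliberately leaves out the passive increment from the get_net_track() hunk so that the asymmetric pattern, a tracked reference released with an untracked put, can be seen in isolation.

```c
/*
 * Added illustration, not kernel code: a userland model of the netns
 * refcount / ref_tracker discipline. The real lib/ref_tracker.c and
 * include/net/net_namespace.h differ in detail; every "model_" and
 * "scenario_" name is an assumption of this example.
 */
#include <stdbool.h>
#include <stdio.h>

#define MODEL_MAX_TRACKERS 8

/* One entry per holder of a counted reference (the kernel's netns_tracker). */
struct model_tracker {
	const char *holder;
	bool live;
};

/* Stands in for the ref_tracker_dir embedded in struct net. */
struct model_tracker_dir {
	struct model_tracker entries[MODEL_MAX_TRACKERS];
};

/* Stands in for struct net: counted references, passive references, tracker dir. */
struct model_net {
	int count;        /* counted references: dropping the last one runs cleanup */
	int passive;      /* passive references: dropping the last one frees the object */
	bool cleaned_up;  /* cleanup_net() equivalent ran */
	bool freed;       /* net_free() equivalent ran */
	int leaked;       /* tracker entries still live when the dir was exited */
	struct model_tracker_dir refcnt_tracker;
};

static int model_tracker_alloc(struct model_tracker_dir *dir, const char *holder)
{
	for (int i = 0; i < MODEL_MAX_TRACKERS; i++) {
		if (!dir->entries[i].live) {
			dir->entries[i].holder = holder;
			dir->entries[i].live = true;
			return i;
		}
	}
	return -1;
}

static void model_tracker_free(struct model_tracker_dir *dir, int idx)
{
	dir->entries[idx].live = false;
}

/* Like ref_tracker_dir_exit(): every entry still live is a leaked reference. */
static int model_tracker_dir_exit(struct model_tracker_dir *dir)
{
	int leaked = 0;

	for (int i = 0; i < MODEL_MAX_TRACKERS; i++) {
		if (dir->entries[i].live) {
			fprintf(stderr, "leaked reference held by %s\n", dir->entries[i].holder);
			leaked++;
		}
	}
	return leaked;
}

static void model_net_free(struct model_net *net)
{
	net->leaked = model_tracker_dir_exit(&net->refcnt_tracker);
	net->freed = true;
}

/* net_drop_ns(): the last passive reference frees the object. */
static void model_net_drop_ns(struct model_net *net)
{
	if (--net->passive == 0)
		model_net_free(net);
}

static void model_get_net(struct model_net *net) { net->count++; }

/* put_net(): the last counted reference runs cleanup, which then drops the
 * passive reference the namespace was created with. */
static void model_put_net(struct model_net *net)
{
	if (--net->count == 0) {
		net->cleaned_up = true;
		model_net_drop_ns(net);
	}
}

/* get_net_track()/put_net_track(): counted reference and tracker entry, always as a pair. */
static int model_get_net_track(struct model_net *net, const char *holder)
{
	model_get_net(net);
	return model_tracker_alloc(&net->refcnt_tracker, holder);
}

static void model_put_net_track(struct model_net *net, int tracker)
{
	model_tracker_free(&net->refcnt_tracker, tracker);
	model_put_net(net);
}

/* Symmetric: the deferred work releases its reference the same way it took it. */
static int scenario_symmetric(void)
{
	struct model_net net = { .count = 1, .passive = 1 };
	int tracker = model_get_net_track(&net, "deferred work");

	model_put_net(&net);                /* creator is done with the namespace */
	model_put_net_track(&net, tracker); /* work item runs and releases its reference */
	return net.freed ? net.leaked : -1;
}

/* Asymmetric, the shape of the nf_nat_masq_schedule() hunk: a tracked reference
 * is taken and then immediately released with an untracked put, so the tracker
 * entry is still live when the directory is exited. */
static int scenario_untracked_put(void)
{
	struct model_net net = { .count = 1, .passive = 1 };

	model_get_net_track(&net, "deferred work");
	model_put_net(&net); /* the put_net() added after schedule_work() */
	model_put_net(&net); /* creator's last counted reference: cleanup, then free */
	return net.freed ? net.leaked : -1;
}

int main(void)
{
	printf("symmetric: %d leaked, untracked put: %d leaked\n",
	       scenario_symmetric(), scenario_untracked_put());
	return 0;
}
```

scenario_symmetric() exits with no live entries; scenario_untracked_put() exits with one, and that live entry is what ref_tracker_dir_exit() turns into a WARNING. The kernel's real check also prints the saved allocation stack of the leaking holder, which is how a report like the one above points back at the code that took the reference; the model only records a label.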