Hello,
syzbot found the following issue on:
HEAD commit: 4cece7649650 Linux 6.9-rc1
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=12eea546180000
kernel config: https://syzkaller.appspot.com/x/.config?x=a2bfc1e92b3816d2
dashboard link: https://syzkaller.appspot.com/bug?extid=73c1dfb19c10b7e49777
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7f5e2f772df3/disk-4cece764.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/bf6c631b116f/vmlinux-4cece764.xz
kernel image: https://storage.googleapis.com/syzbot-assets/bd864ac23a04/bzImage-4cece764.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
ACPI: PCI: Interrupt link LNKB configured for IRQ 10
ACPI: PCI: Interrupt link LNKC configured for IRQ 11
ACPI: PCI: Interrupt link LNKD configured for IRQ 11
ACPI: PCI: Interrupt link LNKS configured for IRQ 9
iommu: Default domain type: Translated
iommu: DMA domain TLB invalidation policy: lazy mode
SCSI subsystem initialized
ACPI: bus type USB registered
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
mc: Linux media interface: v0.10
videodev: Linux video capture interface: v2.00
pps_core: LinuxPPS API ver. 1 registered
pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <[email protected]>
PTP clock support registered
EDAC MC: Ver: 3.0.0
Advanced Linux Sound Architecture Driver Initialized.
Bluetooth: Core ver 2.22
NET: Registered PF_BLUETOOTH protocol family
Bluetooth: HCI device and connection manager initialized
Bluetooth: HCI socket layer initialized
Bluetooth: L2CAP socket layer initialized
Bluetooth: SCO socket layer initialized
NET: Registered PF_ATMPVC protocol family
NET: Registered PF_ATMSVC protocol family
NetLabel: Initializing
NetLabel: domain hash size = 128
NetLabel: protocols = UNLABELED CIPSOv4 CALIPSO
NetLabel: unlabeled traffic allowed by default
nfc: nfc_init: NFC Core ver 0.1
NET: Registered PF_NFC protocol family
PCI: Using ACPI for IRQ routing
pci 0000:00:05.0: vgaarb: setting as boot VGA device
pci 0000:00:05.0: vgaarb: bridge control possible
pci 0000:00:05.0: vgaarb: VGA device added: decodes=io+mem,owns=io+mem,locks=none
vgaarb: loaded
clocksource: Switched to clocksource kvm-clock
VFS: Disk quotas dquot_6.6.0
VFS: Dquot-cache hash table entries: 512 (order 0, 4096 bytes)
TOMOYO: 2.6.0
Mandatory Access Control activated.
AppArmor: AppArmor Filesystem Enabled
pnp: PnP ACPI init
pnp: PnP ACPI: found 7 devices
clocksource: acpi_pm: mask: 0xffffff max_cycles: 0xffffff, max_idle_ns: 2085701024 ns
NET: Registered PF_INET protocol family
IP idents hash table entries: 131072 (order: 8, 1048576 bytes, linear)
------------[ cut here ]------------
refcount_t: decrement hit 0; leaking memory.
WARNING: CPU: 0 PID: 1 at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210 lib/refcount.c:31
Modules linked in:
CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.9.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
RIP: 0010:refcount_warn_saturate+0x1ed/0x210 lib/refcount.c:31
Code: 86 e8 57 23 ca fe 90 0f 0b 90 90 e9 c3 fe ff ff e8 18 fb 03 ff c6 05 33 52 3d 07 01 90 48 c7 c7 00 29 e7 86 e8 34 23 ca fe 90 <0f> 0b 90 90 e9 a0 fe ff ff 48 89 ef e8 b2 d4 55 ff e9 44 fe ff ff
RSP: 0000:ffffc9000001fba0 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8118c199
RDX: ffff8881012b0000 RSI: ffffffff8118c1a6 RDI: 0000000000000001
RBP: ffff888106eecb6c R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffff888106eecb6c
R13: 0000000000000000 R14: 00000000016a005a R15: ffff888106885f28
FS: 0000000000000000(0000) GS:ffff8881f6400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88823ffff000 CR3: 000000000829e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__refcount_dec include/linux/refcount.h:336 [inline]
refcount_dec include/linux/refcount.h:351 [inline]
dec_stack_record_count mm/page_owner.c:215 [inline]
__reset_page_owner+0x2ea/0x370 mm/page_owner.c:253
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1141 [inline]
__free_pages_ok+0x5d0/0xbd0 mm/page_alloc.c:1270
make_alloc_exact+0x165/0x260 mm/page_alloc.c:4829
alloc_large_system_hash+0x4e0/0x640 mm/mm_init.c:2530
inet_hashinfo2_init+0x4b/0xd0 net/ipv4/inet_hashtables.c:1193
tcp_init+0xba/0x9f0 net/ipv4/tcp.c:4708
inet_init+0x419/0x6f0 net/ipv4/af_inet.c:2029
do_one_initcall+0x128/0x700 init/main.c:1238
do_initcall_level init/main.c:1300 [inline]
do_initcalls init/main.c:1316 [inline]
do_basic_setup init/main.c:1335 [inline]
kernel_init_freeable+0x69d/0xca0 init/main.c:1548
kernel_init+0x1c/0x2b0 init/main.c:1437
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
On Tue, Mar 26, 2024 at 01:25:40AM -0700, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
..
> ------------[ cut here ]------------
> refcount_t: decrement hit 0; leaking memory.
> WARNING: CPU: 0 PID: 1 at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210 lib/refcount.c:31
This is fixed by [1]
[1] https://lore.kernel.org/linux-mm/[email protected]/
On 2024/03/26 18:16, Oscar Salvador wrote:
> On Tue, Mar 26, 2024 at 01:25:40AM -0700, syzbot wrote:
>> Hello,
>>
>> syzbot found the following issue on:
>>
> ...
>> ------------[ cut here ]------------
>> refcount_t: decrement hit 0; leaking memory.
>> WARNING: CPU: 0 PID: 1 at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210 lib/refcount.c:31
>
> This is fixed by [1]
>
> [1] https://lore.kernel.org/linux-mm/[email protected]/
>
>
The correct format is shown below.
#syz fix: mm,page_owner: Fix refcount imbalance
#syz fix: mm,page_owner: fix refcount imbalance