WARNING: refcount bug in sctp_wfree


syzbot

Mar 9, 2020, 9:35:13 PM
to da...@davemloft.net, ku...@kernel.org, linux-...@vger.kernel.org, linux...@vger.kernel.org, marcelo...@gmail.com, net...@vger.kernel.org, nho...@tuxdriver.com, syzkall...@googlegroups.com, vyas...@gmail.com
Hello,

syzbot found the following crash on:

HEAD commit: 2c523b34 Linux 5.6-rc5
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=155a5f29e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=a5295e161cd85b82
dashboard link: https://syzkaller.appspot.com/bug?extid=cea71eec5d6de256d54d
compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=164b5181e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=166dd70de00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+cea71e...@syzkaller.appspotmail.com

------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 8668 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 8668 Comm: syz-executor779 Not tainted 5.6.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1e9/0x30e lib/dump_stack.c:118
panic+0x264/0x7a0 kernel/panic.c:221
__warn+0x209/0x210 kernel/panic.c:582
report_bug+0x1ac/0x2d0 lib/bug.c:195
fixup_bug arch/x86/kernel/traps.c:174 [inline]
do_error_trap+0xca/0x1c0 arch/x86/kernel/traps.c:267
do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
Code: c7 e4 ff d0 88 31 c0 e8 23 20 b3 fd 0f 0b eb 85 e8 8a 4a e0 fd c6 05 ff 70 b1 05 01 48 c7 c7 10 00 d1 88 31 c0 e8 05 20 b3 fd <0f> 0b e9 64 ff ff ff e8 69 4a e0 fd c6 05 df 70 b1 05 01 48 c7 c7
RSP: 0018:ffffc90001f577d0 EFLAGS: 00010246
RAX: 8c9c9070bbb4e500 RBX: 0000000000000003 RCX: ffff8880938a63c0
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: 0000000000000003 R08: ffffffff815e16e6 R09: fffffbfff15db92a
R10: fffffbfff15db92a R11: 0000000000000000 R12: dffffc0000000000
R13: ffff88809de82000 R14: ffff8880a89237c0 R15: 1ffff11013be52b0
sctp_wfree+0x3b1/0x710 net/sctp/socket.c:9111
skb_release_head_state+0xfb/0x210 net/core/skbuff.c:651
skb_release_all net/core/skbuff.c:662 [inline]
__kfree_skb+0x22/0x1c0 net/core/skbuff.c:678
sctp_chunk_destroy net/sctp/sm_make_chunk.c:1454 [inline]
sctp_chunk_put+0x17b/0x200 net/sctp/sm_make_chunk.c:1481
__sctp_outq_teardown+0x80a/0x9d0 net/sctp/outqueue.c:257
sctp_association_free+0x21e/0x7c0 net/sctp/associola.c:339
sctp_cmd_delete_tcb net/sctp/sm_sideeffect.c:930 [inline]
sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1318 [inline]
sctp_side_effects net/sctp/sm_sideeffect.c:1185 [inline]
sctp_do_sm+0x3c01/0x5560 net/sctp/sm_sideeffect.c:1156
sctp_primitive_ABORT+0x93/0xc0 net/sctp/primitive.c:104
sctp_close+0x231/0x770 net/sctp/socket.c:1512
inet_release+0x135/0x180 net/ipv4/af_inet.c:427
__sock_release net/socket.c:605 [inline]
sock_close+0xd8/0x260 net/socket.c:1283
__fput+0x2d8/0x730 fs/file_table.c:280
task_work_run+0x176/0x1b0 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0x5ef/0x1f80 kernel/exit.c:801
do_group_exit+0x15e/0x2c0 kernel/exit.c:899
__do_sys_exit_group+0x13/0x20 kernel/exit.c:910
__se_sys_exit_group+0x10/0x10 kernel/exit.c:908
__x64_sys_exit_group+0x37/0x40 kernel/exit.c:908
do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x43ef98
Code: Bad RIP value.
RSP: 002b:00007ffcc7e7c398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ef98
RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
RBP: 00000000004be7a8 R08: 00000000000000e7 R09: ffffffffffffffd0
R10: 000000002059aff8 R11: 0000000000000246 R12: 0000000000000001
R13: 00000000006d01a0 R14: 0000000000000000 R15: 0000000000000000
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot

Mar 10, 2020, 5:39:02 AM
to ar...@kernel.org, da...@davemloft.net, guoh...@huawei.com, kees...@chromium.org, ku...@kernel.org, linux-...@vger.kernel.org, linux...@vger.kernel.org, marcelo...@gmail.com, mi...@kernel.org, net...@vger.kernel.org, nho...@tuxdriver.com, syzkall...@googlegroups.com, vyas...@gmail.com, wi...@kernel.org
syzbot has bisected this bug to:

commit fb041bb7c0a918b95c6889fc965cdc4a75b4c0ca
Author: Will Deacon <wi...@kernel.org>
Date: Thu Nov 21 11:59:00 2019 +0000

locking/refcount: Consolidate implementations of refcount_t

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=117e9e91e00000
start commit: 2c523b34 Linux 5.6-rc5
git tree: upstream
final crash: https://syzkaller.appspot.com/x/report.txt?x=137e9e91e00000
console output: https://syzkaller.appspot.com/x/log.txt?x=157e9e91e00000
Reported-by: syzbot+cea71e...@syzkaller.appspotmail.com
Fixes: fb041bb7c0a9 ("locking/refcount: Consolidate implementations of refcount_t")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

Kees Cook

Mar 10, 2020, 12:01:21 PM
to syzbot, ar...@kernel.org, da...@davemloft.net, guoh...@huawei.com, ku...@kernel.org, linux-...@vger.kernel.org, linux...@vger.kernel.org, marcelo...@gmail.com, mi...@kernel.org, net...@vger.kernel.org, nho...@tuxdriver.com, syzkall...@googlegroups.com, vyas...@gmail.com, wi...@kernel.org
On Tue, Mar 10, 2020 at 02:39:01AM -0700, syzbot wrote:
> syzbot has bisected this bug to:
>
> commit fb041bb7c0a918b95c6889fc965cdc4a75b4c0ca
> Author: Will Deacon <wi...@kernel.org>
> Date: Thu Nov 21 11:59:00 2019 +0000
>
> locking/refcount: Consolidate implementations of refcount_t

I suspect this is just bisecting to here because it made the refcount
checks more strict?

-Kees

>
> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=117e9e91e00000
> start commit: 2c523b34 Linux 5.6-rc5
> git tree: upstream
> final crash: https://syzkaller.appspot.com/x/report.txt?x=137e9e91e00000
> console output: https://syzkaller.appspot.com/x/log.txt?x=157e9e91e00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=a5295e161cd85b82
> dashboard link: https://syzkaller.appspot.com/bug?extid=cea71eec5d6de256d54d
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=164b5181e00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=166dd70de00000
>
> Reported-by: syzbot+cea71e...@syzkaller.appspotmail.com
> Fixes: fb041bb7c0a9 ("locking/refcount: Consolidate implementations of refcount_t")
>
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection

--
Kees Cook

黄秋钧

Mar 10, 2020, 12:45:20 PM
to syzbot, da...@davemloft.net, ku...@kernel.org, linux-...@vger.kernel.org, linux...@vger.kernel.org, marcelo...@gmail.com, net...@vger.kernel.org, nho...@tuxdriver.com, syzkall...@googlegroups.com, vyas...@gmail.com
sctp_wfree
->refcount_sub_and_test(sizeof(struct sctp_chunk),
&sk->sk_wmem_alloc)
sctp_wfree will subtract sizeof(struct sctp_chunk) for every skb. So could
we add the extra size for the gso segment?



--- a/net/sctp/output.c
+++ b/net/sctp/output.c
@@ -398,7 +398,8 @@ static void sctp_packet_gso_append(struct sk_buff
*head, struct sk_buff *skb)
head->truesize += skb->truesize;
head->data_len += skb->len;
head->len += skb->len;
- refcount_add(skb->truesize, &head->sk->sk_wmem_alloc);
+ refcount_add(skb->truesize + sizeof(struct sctp_chunk),
+ &head->sk->sk_wmem_alloc);

__skb_header_release(skb);
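Review bot: the extra sizeof(struct sctp_chunk) added here is balanced only if every segment skb appended through this path is later freed by sctp_wfree, the function whose per-skb subtraction the cover text quotes; the patch does not say which destructor the appended skb carries, so state it in a commit message (the patch has none, and no Fixes: tag) and confirm it, because if the segment is released by a different destructor this add becomes a permanent leak of sk_wmem_alloc rather than a fix for the underflow. sctp_wfree, as quoted later in this thread, also decrements `sk->sk_wmem_queued` and `asoc->sndbuf_used` by `skb->truesize + sizeof(struct sctp_chunk)` for every skb, and this hunk raises neither of those for the segment, so the byte accounting still drifts even once the refcount is balanced. For the Fixes: tag, note Kees's point above that the bisection landed on the refcount consolidation only because it made the checks stricter; the tag should name the SCTP change that introduced the imbalance, not fb041bb7c0a9.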

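To make the accounting mismatch described in the message above concrete, here is a userspace model added by the editor; it is not code from the thread, from syzbot or from the kernel. It reproduces the saturate-and-warn behaviour of lib/refcount.c for a single counter (the "refcount_t: underflow" in the report is that warning) and pushes the charge/release pairs named in the thread through it: a chunk charge of truesize plus sizeof(struct sctp_chunk), a GSO append charge of truesize only (the unpatched line), and the sctp_wfree release of sizeof(struct sctp_chunk) for every skb. The constants MODEL_TRUESIZE and MODEL_CHUNK_SIZE, all model_* names, and the assumption that sctp_wfree also releases the skb's truesize (via sock_wfree, which is not shown on this page) are the editor's, not the kernel's.

```c
/*
 * Userspace model of the sk_wmem_alloc charge/release pairing discussed
 * above. Added example, not kernel code. The counter mimics lib/refcount.c:
 * a subtraction that would go negative saturates it and warns. Sizes are
 * assumed constants, not kernel values.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_REFCOUNT_SATURATED (INT32_MIN / 2) /* lib/refcount.c sentinel */
#define MODEL_CHUNK_SIZE 128u  /* stands in for sizeof(struct sctp_chunk); assumed */
#define MODEL_TRUESIZE   512u  /* skb->truesize of every skb in the model; assumed */

struct model_refcount {
	int32_t refs;
	int underflows;  /* times the counter was saturated, i.e. WARN fired */
};

static void model_refcount_add(struct model_refcount *r, uint32_t n)
{
	if (r->refs == MODEL_REFCOUNT_SATURATED)
		return;  /* a saturated counter stays saturated */
	r->refs += (int32_t)n;
}

/* Mirrors refcount_sub_and_test(): true when the count reaches zero. */
static bool model_refcount_sub_and_test(struct model_refcount *r, uint32_t n)
{
	int64_t old = r->refs;
	if (old == MODEL_REFCOUNT_SATURATED)
		return false;
	if (old == (int64_t)n) {
		r->refs = 0;
		return true;
	}
	if (old < 0 || old - (int64_t)n < 0) {
		r->refs = MODEL_REFCOUNT_SATURATED;  /* underflow: saturate + warn */
		r->underflows++;
		return false;
	}
	r->refs = (int32_t)(old - (int64_t)n);
	return false;
}

static void model_chunk_charge(struct model_refcount *wmem)
{
	/* ordinary chunk skb: truesize plus the chunk struct */
	model_refcount_add(wmem, MODEL_TRUESIZE + MODEL_CHUNK_SIZE);
}

/*
 * Segment appended to a GSO head. The unpatched line quoted above adds
 * only truesize; 'balanced' adds the proposed chunk size as well.
 */
static void model_gso_append_charge(struct model_refcount *wmem, bool balanced)
{
	model_refcount_add(wmem, MODEL_TRUESIZE + (balanced ? MODEL_CHUNK_SIZE : 0));
}

/*
 * Release done by sctp_wfree for every skb it is the destructor of:
 * sizeof(struct sctp_chunk) first (the WARN_ON in the report), then the
 * truesize (assumed to be released by sock_wfree, not shown on this page).
 */
static void model_wfree(struct model_refcount *wmem)
{
	model_refcount_sub_and_test(wmem, MODEL_CHUNK_SIZE);
	model_refcount_sub_and_test(wmem, MODEL_TRUESIZE);
}

/*
 * Charge n_chunks chunk skbs and n_segments GSO-appended segments, then free
 * them all through model_wfree. Returns the number of underflow warnings;
 * *final receives the end value (1 when balanced: the socket's own reference).
 */
static int model_run(unsigned n_chunks, unsigned n_segments, bool balanced_gso,
		     int32_t *final)
{
	struct model_refcount wmem = { .refs = 1, .underflows = 0 };
	unsigned i;
	for (i = 0; i < n_chunks; i++)
		model_chunk_charge(&wmem);
	for (i = 0; i < n_segments; i++)
		model_gso_append_charge(&wmem, balanced_gso);
	for (i = 0; i < n_chunks + n_segments; i++)
		model_wfree(&wmem);
	*final = wmem.refs;
	return wmem.underflows;
}

int main(void)
{
	int32_t final;
	int warns = model_run(4, 3, false, &final);

	printf("truesize-only GSO charge: %d underflow(s), counter %s\n", warns,
	       final == MODEL_REFCOUNT_SATURATED ? "saturated" : "intact");
	warns = model_run(4, 3, true, &final);
	printf("balanced GSO charge: %d underflow(s), counter = %d\n", warns, final);
	return 0;
}
```

With four chunk skbs and three truesize-only segments the counter ends saturated after one warning, because every release takes MODEL_CHUNK_SIZE more than the segment path charged; charging the segments the proposed way brings the counter back to exactly 1. The model deliberately does not decide which destructor the real segment skbs carry, which is the open question for the patch above.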
Qiujun Huang

Mar 13, 2020, 10:51:47 PM
to syzbot, vyas...@gmail.com, da...@davemloft.net, ku...@kernel.org, linux-...@vger.kernel.org, linux...@vger.kernel.org, marcelo...@gmail.com, net...@vger.kernel.org, nho...@tuxdriver.com, syzkall...@googlegroups.com
For geo segment sob, we shouldn't subtract the sizeof(struct
scup_chunk) in scup_wfree.

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index fed26a1e9518..e0cc5d7c88fb 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -9085,7 +9085,9 @@ static void sctp_wfree(struct sk_buff *skb)
sk_mem_uncharge(sk, skb->truesize);
sk->sk_wmem_queued -= skb->truesize + sizeof(struct sctp_chunk);
asoc->sndbuf_used -= skb->truesize + sizeof(struct sctp_chunk);
- WARN_ON(refcount_sub_and_test(sizeof(struct sctp_chunk),
+
+ if (skb_is_gso(skb))
+ WARN_ON(refcount_sub_and_test(sizeof(struct sctp_chunk),
&sk->sk_wmem_alloc));
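Review bot: the condition is the opposite of the stated intent. The cover text says the subtraction should be skipped for GSO segment skbs, but `if (skb_is_gso(skb))` runs the refcount_sub_and_test only for skbs that report GSO and skips it for every ordinary chunk skb, so the common path never gives back the sizeof(struct sctp_chunk) it was charged; either this wants to be `if (!skb_is_gso(skb))` or the description needs to say which skbs are meant. The two lines above it, `sk->sk_wmem_queued -= skb->truesize + sizeof(struct sctp_chunk);` and `asoc->sndbuf_used -= skb->truesize + sizeof(struct sctp_chunk);`, remain unconditional, so whichever skbs are exempted from the sk_wmem_alloc subtraction still have the chunk size taken off those counters. syzbot's test of this branch (commit 1739e95e below) still fires in sctp_wfree, now at net/sctp/socket.c:9113 rather than :9111, i.e. the same WARN_ON shifted by the two lines this hunk adds, so the skb that underflows is one for which skb_is_gso() returns true and the guard as written does not exclude it.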

Qiujun Huang

Mar 13, 2020, 11:00:02 PM
to syzbot, vyas...@gmail.com, da...@davemloft.net, ku...@kernel.org, linux-...@vger.kernel.org, linux...@vger.kernel.org, marcelo...@gmail.com, net...@vger.kernel.org, nho...@tuxdriver.com, syzkall...@googlegroups.com
On Sat, Mar 14, 2020 at 10:51 AM Qiujun Huang <anen...@gmail.com> wrote:
>
> For geo segment sob, we shouldn't subtract the sizeof(struct
> scup_chunk) in scup_wfree.

For gso segment skb, we shouldn't subtract the sizeof(struct
sctp_chunk) in sctp_wfree.

Sorry about the typos. Thanks!

syzbot

Mar 14, 2020, 12:04:03 AM
to anen...@gmail.com, da...@davemloft.net, ku...@kernel.org, linux-...@vger.kernel.org, linux...@vger.kernel.org, marcelo...@gmail.com, net...@vger.kernel.org, nho...@tuxdriver.com, syzkall...@googlegroups.com, vyas...@gmail.com
Hello,

syzbot tried to test the proposed patch but build/boot failed:

failed to checkout kernel repo https://github.com/hqj/hqjagain_test.git/scup_wfree: failed to run ["git" "fetch" "https://github.com/hqj/hqjagain_test.git" "scup_wfree"]: exit status 128
fatal: couldn't find remote ref scup_wfree



Tested on:

commit: [unknown
git tree: https://github.com/hqj/hqjagain_test.git scup_wfree

syzbot

Mar 14, 2020, 12:08:03 AM
to anen...@gmail.com, da...@davemloft.net, ku...@kernel.org, linux-...@vger.kernel.org, linux...@vger.kernel.org, marcelo...@gmail.com, net...@vger.kernel.org, nho...@tuxdriver.com, syzkall...@googlegroups.com, vyas...@gmail.com
Hello,

syzbot tried to test the proposed patch but build/boot failed:

/platform/chrome/cros_kbd_led_backlight.o
CC drivers/media/rc/keymaps/rc-msi-digivox-iii.o
CC drivers/hid/hid-a4tech.o
CC drivers/md/dm-mpath.o
CC drivers/md/dm-round-robin.o
CC drivers/infiniband/sw/rxe/rxe_qp.o
CC drivers/staging/exfat/exfat_nls.o
CC drivers/md/dm-queue-length.o
CC drivers/infiniband/hw/mlx4/alias_GUID.o
CC drivers/gpu/drm/i915/display/dvo_ch7017.o
CC drivers/gpu/drm/i915/display/dvo_ch7xxx.o
CC drivers/staging/exfat/exfat_upcase.o
CC drivers/gpu/drm/i915/display/dvo_ivch.o
CC net/netfilter/xt_multiport.o
AR drivers/mailbox/built-in.a
CC drivers/hid/hid-axff.o
CC drivers/infiniband/hw/mlx4/sysfs.o
CC drivers/hid/hid-apple.o
CC drivers/infiniband/sw/rxe/rxe_cq.o
CC drivers/infiniband/sw/siw/siw_verbs.o
CC drivers/soundwire/mipi_disco.o
CC drivers/infiniband/hw/usnic/usnic_ib_sysfs.o
CC drivers/md/dm-service-time.o
CC drivers/media/rc/keymaps/rc-msi-tvanywhere.o
CC drivers/hid/hid-belkin.o
CC drivers/infiniband/sw/rxe/rxe_mr.o
AR drivers/infiniband/ulp/opa_vnic/built-in.a
AR drivers/infiniband/ulp/built-in.a
CC drivers/platform/chrome/cros_ec_chardev.o
CC drivers/ras/ras.o
AR drivers/extcon/built-in.a
AR drivers/isdn/mISDN/built-in.a
CC drivers/crypto/qat/qat_common/qat_uclo.o
AR drivers/isdn/built-in.a
CC drivers/infiniband/core/fmr_pool.o
CC drivers/platform/chrome/cros_ec_lightbar.o
CC drivers/ras/debugfs.o
CC net/netfilter/xt_nfacct.o
CC drivers/crypto/qat/qat_common/qat_hal.o
CC drivers/infiniband/sw/rxe/rxe_opcode.o
CC drivers/soundwire/stream.o
CC drivers/crypto/qat/qat_common/adf_transport_debug.o
CC drivers/hid/hid-cherry.o
CC drivers/gpu/drm/i915/display/dvo_ns2501.o
CC drivers/soundwire/debugfs.o
CC net/netfilter/xt_osf.o
CC drivers/infiniband/hw/usnic/usnic_ib_verbs.o
CC drivers/infiniband/core/cache.o
CC drivers/thunderbolt/nhi.o
CC drivers/infiniband/hw/usnic/usnic_debugfs.o
CC drivers/hid/hid-chicony.o
CC drivers/media/rc/keymaps/rc-msi-tvanywhere-plus.o
CC drivers/media/rc/keymaps/rc-nebula.o
AR drivers/hwtracing/intel_th/built-in.a
CC drivers/thunderbolt/nhi_ops.o
CC drivers/hid/hid-cypress.o
CC drivers/hid/hid-dr.o
CC drivers/infiniband/core/netlink.o
CC drivers/platform/chrome/cros_ec_debugfs.o
CC drivers/crypto/qat/qat_common/adf_sriov.o
CC drivers/platform/chrome/cros_ec_sysfs.o
CC drivers/infiniband/sw/rxe/rxe_mmap.o
CC drivers/android/binder.o
CC drivers/android/binder_alloc.o
CC drivers/hid/hid-emsff.o
CC drivers/infiniband/sw/rxe/rxe_icrc.o
CC drivers/hid/hid-elecom.o
CC drivers/hid/hid-ezkey.o
CC drivers/hid/hid-google-hammer.o
CC drivers/media/rc/keymaps/rc-nec-terratec-cinergy-xs.o
CC drivers/md/dm-snap.o
CC net/netfilter/xt_owner.o
CC drivers/infiniband/core/roce_gid_mgmt.o
CC drivers/infiniband/core/mr_pool.o
CC drivers/hid/hid-gyration.o
CC drivers/hid/hid-holtek-kbd.o
CC drivers/hid/hid-holtek-mouse.o
CC net/netfilter/xt_cgroup.o
CC drivers/nvmem/core.o
CC drivers/gpu/drm/i915/display/dvo_sil164.o
CC drivers/gpu/drm/i915/display/dvo_tfp410.o
CC drivers/crypto/qat/qat_common/adf_pf2vf_msg.o
CC drivers/nvmem/nvmem-sysfs.o
CC drivers/counter/counter.o
CC drivers/crypto/qat/qat_common/adf_vf2pf_msg.o
CC drivers/thunderbolt/ctl.o
CC drivers/infiniband/sw/rxe/rxe_mcast.o
CC drivers/gpu/drm/i915/display/icl_dsi.o
CC drivers/thunderbolt/tb.o
CC drivers/gpu/drm/i915/display/intel_crt.o
CC drivers/md/dm-exception-store.o
CC drivers/thunderbolt/switch.o
CC drivers/media/rc/keymaps/rc-norwood.o
CC drivers/infiniband/sw/rxe/rxe_task.o
CC drivers/infiniband/sw/rxe/rxe_net.o
CC drivers/infiniband/sw/rxe/rxe_sysfs.o
CC net/netfilter/xt_physdev.o
AR drivers/platform/chrome/built-in.a
CC drivers/crypto/qat/qat_common/adf_vf_isr.o
CC drivers/media/rc/keymaps/rc-npgtech.o
AR drivers/platform/built-in.a
CC drivers/media/rc/keymaps/rc-odroid.o
CC drivers/infiniband/core/sa_query.o
CC drivers/infiniband/core/addr.o
CC drivers/media/rc/keymaps/rc-pctv-sedna.o
CC drivers/infiniband/sw/rxe/rxe_hw_counters.o
CC drivers/media/rc/keymaps/rc-pinnacle-color.o
CC net/netfilter/xt_pkttype.o
CC net/netfilter/xt_policy.o
CC drivers/media/rc/keymaps/rc-pinnacle-grey.o
CC net/netfilter/xt_quota.o
CC drivers/hid/hid-holtekff.o
CC drivers/hid/hid-ite.o
CC drivers/thunderbolt/cap.o
CC net/netfilter/xt_rateest.o
CC drivers/thunderbolt/path.o
CC drivers/thunderbolt/tunnel.o
CC drivers/gpu/drm/i915/display/intel_ddi.o
CC net/netfilter/xt_realm.o
AR drivers/vhost/built-in.a
CC drivers/thunderbolt/eeprom.o
AR drivers/ras/built-in.a
CC drivers/gpu/drm/i915/display/intel_dp.o
CC drivers/gpu/drm/i915/display/intel_dp_aux_backlight.o
CC drivers/thunderbolt/domain.o
CC drivers/thunderbolt/dma_port.o
CC drivers/gpu/drm/i915/display/intel_dp_link_training.o
CC drivers/thunderbolt/icm.o
CC drivers/hid/hid-kensington.o
CC drivers/hid/hid-keytouch.o
AR drivers/soundwire/built-in.a
CC drivers/infiniband/core/multicast.o
AR drivers/staging/exfat/built-in.a
AR drivers/staging/built-in.a
CC drivers/gpu/drm/i915/display/intel_dp_mst.o
CC drivers/md/dm-snap-transient.o
CC drivers/hid/hid-kye.o
CC drivers/md/dm-snap-persistent.o
AR drivers/infiniband/hw/usnic/built-in.a
CC drivers/md/dm-raid1.o
CC drivers/md/dm-log.o
AR drivers/infiniband/sw/siw/built-in.a
CC drivers/md/dm-region-hash.o
CC drivers/thunderbolt/property.o
CC drivers/media/rc/keymaps/rc-pinnacle-pctv-hd.o
CC drivers/thunderbolt/xdomain.o
CC drivers/hid/hid-lcpower.o
CC drivers/gpu/drm/i915/display/intel_dsi.o
CC drivers/media/rc/keymaps/rc-pixelview.o
CC drivers/hid/hid-lg.o
CC drivers/media/rc/keymaps/rc-pixelview-mk12.o
CC drivers/media/rc/keymaps/rc-pixelview-002t.o
CC drivers/hid/hid-lgff.o
CC drivers/thunderbolt/lc.o
CC drivers/infiniband/core/mad.o
CC net/netfilter/xt_recent.o
CC drivers/infiniband/core/smi.o
CC drivers/md/dm-zero.o
CC drivers/media/rc/keymaps/rc-pixelview-new.o
CC net/netfilter/xt_sctp.o
CC drivers/infiniband/core/agent.o
CC net/netfilter/xt_socket.o
CC drivers/media/rc/keymaps/rc-powercolor-real-angel.o
CC drivers/md/dm-raid.o
AR drivers/crypto/qat/qat_common/built-in.a
CC drivers/md/dm-thin.o
AR drivers/nvmem/built-in.a
AR drivers/crypto/qat/built-in.a
CC drivers/hid/hid-lg2ff.o
AR drivers/crypto/built-in.a
CC net/netfilter/xt_state.o
CC drivers/gpu/drm/i915/display/intel_dsi_dcs_backlight.o
CC net/netfilter/xt_statistic.o
CC drivers/hid/hid-lg3ff.o
CC drivers/hid/hid-lg4ff.o
CC drivers/thunderbolt/tmu.o
CC drivers/hid/hid-lg-g15.o
CC net/netfilter/xt_string.o
CC drivers/thunderbolt/usb4.o
CC net/netfilter/xt_tcpmss.o
CC drivers/gpu/drm/i915/display/intel_dsi_vbt.o
CC drivers/gpu/drm/i915/display/intel_dvo.o
CC drivers/md/dm-thin-metadata.o
CC drivers/md/dm-verity-fec.o
CC drivers/md/dm-verity-target.o
CC drivers/hid/hid-logitech-dj.o
CC drivers/media/rc/keymaps/rc-proteus-2309.o
CC drivers/md/dm-cache-target.o
AR drivers/counter/built-in.a
CC drivers/md/dm-cache-metadata.o
CC drivers/gpu/drm/i915/display/intel_gmbus.o
CC drivers/hid/hid-logitech-hidpp.o
CC drivers/hid/hid-magicmouse.o
CC drivers/gpu/drm/i915/display/intel_hdmi.o
CC drivers/gpu/drm/i915/display/intel_lspcon.o
AR drivers/infiniband/sw/rxe/built-in.a
CC drivers/infiniband/core/mad_rmpp.o
CC drivers/media/rc/keymaps/rc-purpletv.o
CC drivers/gpu/drm/i915/display/intel_lvds.o
CC drivers/md/dm-cache-policy.o
CC drivers/infiniband/core/nldev.o
CC drivers/infiniband/core/restrack.o
CC net/netfilter/xt_time.o
CC net/netfilter/xt_u32.o
CC drivers/infiniband/core/counters.o
CC drivers/hid/hid-microsoft.o
CC drivers/hid/hid-monterey.o
CC drivers/media/rc/keymaps/rc-pv951.o
CC drivers/hid/hid-multitouch.o
CC drivers/media/rc/keymaps/rc-hauppauge.o
CC drivers/hid/hid-ntrig.o
AR drivers/infiniband/sw/rdmavt/built-in.a
AR drivers/infiniband/sw/built-in.a
CC drivers/hid/hid-ortek.o
CC drivers/gpu/drm/i915/display/intel_panel.o
CC drivers/infiniband/core/ib_core_uverbs.o
CC drivers/media/rc/keymaps/rc-real-audio-220-32-keys.o
CC drivers/media/rc/keymaps/rc-rc6-mce.o
CC drivers/gpu/drm/i915/display/intel_sdvo.o
CC drivers/md/dm-cache-background-tracker.o
CC drivers/hid/hid-prodikeys.o
CC drivers/gpu/drm/i915/display/intel_tv.o
CC drivers/media/rc/keymaps/rc-reddo.o
CC drivers/media/rc/keymaps/rc-snapstream-firefly.o
CC drivers/media/rc/keymaps/rc-streamzap.o
CC drivers/md/dm-cache-policy-smq.o
CC drivers/hid/hid-pl.o
CC drivers/gpu/drm/i915/display/intel_vdsc.o
CC drivers/gpu/drm/i915/display/vlv_dsi.o
CC drivers/hid/hid-petalynx.o
CC drivers/hid/hid-picolcd_core.o
CC drivers/media/rc/keymaps/rc-tango.o
CC drivers/md/dm-clone-target.o
CC drivers/media/rc/keymaps/rc-tanix-tx3mini.o
CC drivers/hid/hid-picolcd_debugfs.o
CC drivers/md/dm-clone-metadata.o
CC drivers/md/dm-integrity.o
CC drivers/md/dm-zoned-target.o
CC drivers/hid/hid-plantronics.o
CC drivers/gpu/drm/i915/display/vlv_dsi_pll.o
CC drivers/md/dm-zoned-metadata.o
AR drivers/thunderbolt/built-in.a
CC drivers/hid/hid-primax.o
CC drivers/media/rc/keymaps/rc-tanix-tx5max.o
CC drivers/infiniband/core/trace.o
CC drivers/infiniband/core/security.o
CC drivers/gpu/drm/i915/oa/i915_oa_hsw.o
CC drivers/md/dm-zoned-reclaim.o
CC drivers/gpu/drm/i915/oa/i915_oa_bdw.o
CC drivers/media/rc/keymaps/rc-tbs-nec.o
CC drivers/media/rc/keymaps/rc-technisat-ts35.o
CC drivers/md/dm-writecache.o
CC drivers/gpu/drm/i915/oa/i915_oa_chv.o
CC drivers/hid/hid-roccat.o
AR net/netfilter/built-in.a
CC drivers/infiniband/core/cgroup.o
Makefile:1683: recipe for target 'net' failed
make: *** [net] Error 2
make: *** Waiting for unfinished jobs....
CC drivers/media/rc/keymaps/rc-technisat-usb2.o
CC drivers/media/rc/keymaps/rc-terratec-cinergy-c-pci.o
AR drivers/infiniband/hw/mlx4/built-in.a
CC drivers/gpu/drm/i915/oa/i915_oa_sklgt2.o
AR drivers/infiniband/hw/built-in.a
CC drivers/gpu/drm/i915/oa/i915_oa_sklgt3.o
CC drivers/gpu/drm/i915/oa/i915_oa_sklgt4.o
CC drivers/hid/hid-roccat-common.o
CC drivers/infiniband/core/cm.o
CC drivers/gpu/drm/i915/oa/i915_oa_bxt.o
CC drivers/gpu/drm/i915/oa/i915_oa_kblgt2.o
CC drivers/gpu/drm/i915/oa/i915_oa_kblgt3.o
CC drivers/media/rc/keymaps/rc-terratec-cinergy-s2-hd.o
CC drivers/media/rc/keymaps/rc-terratec-cinergy-xs.o
CC drivers/media/rc/keymaps/rc-terratec-slim.o
CC drivers/media/rc/keymaps/rc-terratec-slim-2.o
CC drivers/infiniband/core/iwcm.o
CC drivers/infiniband/core/iwpm_util.o
CC drivers/infiniband/core/iwpm_msg.o
CC drivers/media/rc/keymaps/rc-tevii-nec.o
CC drivers/media/rc/keymaps/rc-tivo.o
CC drivers/gpu/drm/i915/oa/i915_oa_glk.o
CC drivers/gpu/drm/i915/oa/i915_oa_cflgt2.o
CC drivers/hid/hid-roccat-arvo.o
CC drivers/infiniband/core/cma.o
CC drivers/gpu/drm/i915/oa/i915_oa_cflgt3.o
CC drivers/hid/hid-roccat-isku.o
CC drivers/infiniband/core/cma_trace.o
CC drivers/media/rc/keymaps/rc-total-media-in-hand.o
CC drivers/media/rc/keymaps/rc-total-media-in-hand-02.o
CC drivers/hid/hid-roccat-kone.o
CC drivers/media/rc/keymaps/rc-trekstor.o
CC drivers/infiniband/core/cma_configfs.o
CC drivers/infiniband/core/user_mad.o
CC drivers/infiniband/core/uverbs_main.o
CC drivers/hid/hid-roccat-koneplus.o
CC drivers/media/rc/keymaps/rc-tt-1500.o
CC drivers/infiniband/core/uverbs_cmd.o
CC drivers/infiniband/core/uverbs_marshall.o
CC drivers/hid/hid-roccat-konepure.o
CC drivers/hid/hid-roccat-kovaplus.o
CC drivers/media/rc/keymaps/rc-twinhan-dtv-cab-ci.o
CC drivers/gpu/drm/i915/oa/i915_oa_cnl.o
CC drivers/gpu/drm/i915/oa/i915_oa_icl.o
CC drivers/infiniband/core/rdma_core.o
CC drivers/hid/hid-roccat-lua.o
CC drivers/hid/hid-roccat-pyra.o
CC drivers/hid/hid-roccat-ryos.o
CC drivers/infiniband/core/uverbs_std_types.o
CC drivers/media/rc/keymaps/rc-twinhan1027.o
CC drivers/gpu/drm/i915/oa/i915_oa_tgl.o
CC drivers/infiniband/core/uverbs_ioctl.o
CC drivers/gpu/drm/i915/i915_perf.o
CC drivers/gpu/drm/i915/i915_gpu_error.o
CC drivers/media/rc/keymaps/rc-vega-s9x.o
CC drivers/gpu/drm/i915/i915_vgpu.o
CC drivers/hid/hid-roccat-savu.o
CC drivers/hid/hid-rmi.o
CC drivers/media/rc/keymaps/rc-videomate-m1f.o
CC drivers/hid/hid-saitek.o
CC drivers/hid/hid-samsung.o
CC drivers/hid/hid-sjoy.o
CC drivers/infiniband/core/uverbs_std_types_cq.o
CC drivers/infiniband/core/uverbs_std_types_flow_action.o
CC drivers/infiniband/core/uverbs_std_types_dm.o
CC drivers/infiniband/core/uverbs_std_types_mr.o
CC drivers/hid/hid-sony.o
CC drivers/infiniband/core/uverbs_std_types_counters.o
CC drivers/hid/hid-speedlink.o
CC drivers/infiniband/core/uverbs_uapi.o
CC drivers/infiniband/core/uverbs_std_types_device.o
CC drivers/infiniband/core/uverbs_std_types_async_fd.o
CC drivers/hid/hid-sunplus.o
CC drivers/infiniband/core/umem.o
CC drivers/media/rc/keymaps/rc-videomate-s350.o
CC drivers/hid/hid-gaff.o
CC drivers/infiniband/core/umem_odp.o
CC drivers/infiniband/core/ucma.o
CC drivers/media/rc/keymaps/rc-videomate-tv-pvr.o
CC drivers/hid/hid-tmff.o
CC drivers/hid/hid-tivo.o
CC drivers/media/rc/keymaps/rc-wetek-hub.o
CC drivers/media/rc/keymaps/rc-wetek-play2.o
CC drivers/hid/hid-topseed.o
CC drivers/media/rc/keymaps/rc-winfast.o
CC drivers/media/rc/keymaps/rc-winfast-usbii-deluxe.o
CC drivers/media/rc/keymaps/rc-su3000.o
CC drivers/hid/hid-twinhan.o
CC drivers/hid/hid-uclogic-core.o
CC drivers/hid/hid-uclogic-rdesc.o
CC drivers/hid/hid-uclogic-params.o
CC drivers/media/rc/keymaps/rc-xbox-dvd.o
CC drivers/media/rc/keymaps/rc-x96max.o
CC drivers/media/rc/keymaps/rc-zx-irdec.o
CC drivers/hid/hid-zpff.o
CC drivers/hid/hid-led.o
CC drivers/hid/wacom_wac.o
CC drivers/hid/hid-zydacron.o
CC drivers/hid/wacom_sys.o
CC drivers/hid/hid-waltop.o
CC drivers/hid/hid-wiimote-core.o
CC drivers/hid/hid-wiimote-modules.o
CC drivers/hid/hid-wiimote-debug.o
AR drivers/media/rc/keymaps/built-in.a
AR drivers/media/rc/built-in.a
AR drivers/media/built-in.a
AR drivers/android/built-in.a
AR drivers/gpu/drm/i915/built-in.a
AR drivers/gpu/drm/built-in.a
AR drivers/gpu/built-in.a
AR drivers/md/built-in.a
AR drivers/hid/built-in.a
AR drivers/infiniband/core/built-in.a
AR drivers/infiniband/built-in.a
AR drivers/built-in.a


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=1718bb81e00000


Tested on:

commit: 110ca3ce fix
git tree: https://github.com/hqj/hqjagain_test.git sctp_wfree

syzbot

Mar 14, 2020, 5:03:03 AM
to anen...@gmail.com, da...@davemloft.net, ku...@kernel.org, linux-...@vger.kernel.org, linux...@vger.kernel.org, marcelo...@gmail.com, net...@vger.kernel.org, nho...@tuxdriver.com, syzkall...@googlegroups.com, vyas...@gmail.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
WARNING: refcount bug in sctp_wfree

------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 8581 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 8581 Comm: syz-executor.3 Not tainted 5.6.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1e9/0x30e lib/dump_stack.c:118
panic+0x264/0x7a0 kernel/panic.c:221
__warn+0x209/0x210 kernel/panic.c:582
report_bug+0x1ac/0x2d0 lib/bug.c:195
fixup_bug arch/x86/kernel/traps.c:174 [inline]
do_error_trap+0xca/0x1c0 arch/x86/kernel/traps.c:267
do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
Code: c7 94 00 d1 88 31 c0 e8 33 1f b3 fd 0f 0b eb 85 e8 2a 4a e0 fd c6 05 4e 70 b1 05 01 48 c7 c7 c0 00 d1 88 31 c0 e8 15 1f b3 fd <0f> 0b e9 64 ff ff ff e8 09 4a e0 fd c6 05 2e 70 b1 05 01 48 c7 c7
RSP: 0018:ffffc90002c978c8 EFLAGS: 00010246
RAX: b1721d41aaac4d00 RBX: 0000000000000003 RCX: ffff88809eb123c0
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: 0000000000000003 R08: ffffffff815e16d6 R09: ffffed1015d24592
R10: ffffed1015d24592 R11: 0000000000000000 R12: ffff8880a7b8c000
R13: dffffc0000000000 R14: ffff8880a81d4800 R15: ffff8880a81e0d00
sctp_wfree+0x4be/0x840 net/sctp/socket.c:9113
skb_release_head_state+0xfb/0x210 net/core/skbuff.c:651
skb_release_all net/core/skbuff.c:662 [inline]
__kfree_skb+0x22/0x1c0 net/core/skbuff.c:678
sctp_chunk_destroy net/sctp/sm_make_chunk.c:1454 [inline]
sctp_chunk_put+0x17b/0x200 net/sctp/sm_make_chunk.c:1481
__sctp_outq_teardown+0x80a/0x9d0 net/sctp/outqueue.c:257
sctp_association_free+0x21e/0x7c0 net/sctp/associola.c:339
sctp_cmd_delete_tcb net/sctp/sm_sideeffect.c:930 [inline]
sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1318 [inline]
sctp_side_effects net/sctp/sm_sideeffect.c:1185 [inline]
sctp_do_sm+0x3c01/0x5560 net/sctp/sm_sideeffect.c:1156
sctp_primitive_ABORT+0x93/0xc0 net/sctp/primitive.c:104
sctp_close+0x231/0x770 net/sctp/socket.c:1512
inet_release+0x135/0x180 net/ipv4/af_inet.c:427
__sock_release net/socket.c:605 [inline]
sock_close+0xd8/0x260 net/socket.c:1283
__fput+0x2d8/0x730 fs/file_table.c:280
task_work_run+0x176/0x1b0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop arch/x86/entry/common.c:164 [inline]
prepare_exit_to_usermode+0x48e/0x600 arch/x86/entry/common.c:195
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x416041
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007fffbe2f3cc0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000416041
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 0000000000000001 R08: 00ffffffffffffff R09: 00ffffffffffffff
R10: 00007fffbe2f3da0 R11: 0000000000000293 R12: 000000000076bf20
R13: 0000000000770850 R14: 0000000000012bfc R15: 000000000076bf2c
Kernel Offset: disabled
Rebooting in 86400 seconds..


Tested on:

commit: 1739e95e fix compile err
console output: https://syzkaller.appspot.com/x/log.txt?x=1239a3dde00000
kernel config: https://syzkaller.appspot.com/x/.config?x=a5295e161cd85b82

syzbot

Mar 14, 2020, 9:32:06 AM
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
WARNING: refcount bug in sctp_wfree

------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 8761 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 8761 Comm: syz-executor.2 Not tainted 5.6.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1e9/0x30e lib/dump_stack.c:118
panic+0x264/0x7a0 kernel/panic.c:221
__warn+0x209/0x210 kernel/panic.c:582
report_bug+0x1ac/0x2d0 lib/bug.c:195
fixup_bug arch/x86/kernel/traps.c:174 [inline]
do_error_trap+0xca/0x1c0 arch/x86/kernel/traps.c:267
do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
Code: c7 94 00 d1 88 31 c0 e8 33 1f b3 fd 0f 0b eb 85 e8 2a 4a e0 fd c6 05 4e 70 b1 05 01 48 c7 c7 c0 00 d1 88 31 c0 e8 15 1f b3 fd <0f> 0b e9 64 ff ff ff e8 09 4a e0 fd c6 05 2e 70 b1 05 01 48 c7 c7
RSP: 0018:ffffc90004fe78a8 EFLAGS: 00010246
RAX: ce594aaef5a8c400 RBX: 0000000000000003 RCX: ffff88809eeb01c0
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: 0000000000000003 R08: ffffffff815e16d6 R09: ffffed1015d26618
R10: ffffed1015d26618 R11: 0000000000000000 R12: ffff88809201a580
R13: ffff8880a24f1040 R14: dffffc0000000000 R15: ffff8880a6728000
sctp_wfree+0x4c9/0x8b0 net/sctp/socket.c:9116
skb_release_head_state+0xfb/0x210 net/core/skbuff.c:651
skb_release_all net/core/skbuff.c:662 [inline]
__kfree_skb+0x22/0x1c0 net/core/skbuff.c:678
sctp_chunk_destroy net/sctp/sm_make_chunk.c:1454 [inline]
sctp_chunk_put+0x17b/0x200 net/sctp/sm_make_chunk.c:1481
__sctp_outq_teardown+0x80a/0x9d0 net/sctp/outqueue.c:257
sctp_association_free+0x21e/0x7c0 net/sctp/associola.c:339
sctp_cmd_delete_tcb net/sctp/sm_sideeffect.c:930 [inline]
sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1318 [inline]
sctp_side_effects net/sctp/sm_sideeffect.c:1185 [inline]
sctp_do_sm+0x3c01/0x5560 net/sctp/sm_sideeffect.c:1156
sctp_primitive_ABORT+0x93/0xc0 net/sctp/primitive.c:104
sctp_close+0x231/0x770 net/sctp/socket.c:1512
inet_release+0x135/0x180 net/ipv4/af_inet.c:427
__sock_release net/socket.c:605 [inline]
sock_close+0xd8/0x260 net/socket.c:1283
__fput+0x2d8/0x730 fs/file_table.c:280
task_work_run+0x176/0x1b0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop arch/x86/entry/common.c:164 [inline]
prepare_exit_to_usermode+0x48e/0x600 arch/x86/entry/common.c:195
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x416041
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007fffc9fa9a20 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000416041
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 0000000000000001 R08: 00ffffffffffffff R09: 00ffffffffffffff
R10: 00007fffc9fa9b00 R11: 0000000000000293 R12: 000000000076bf20
R13: 0000000000770850 R14: 0000000000013016 R15: 000000000076bf2c
Kernel Offset: disabled
Rebooting in 86400 seconds..


Tested on:

commit: d2a8e7e0 sctp: fix recount in sctp_wfree
console output: https://syzkaller.appspot.com/x/log.txt?x=10a4bb81e00000

syzbot

Mar 14, 2020, 2:26:05 PM
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but build/boot failed:

Makefile:1683: recipe for target 'net' failed
make: *** [net] Error 2
make: *** Waiting for unfinished jobs....


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=166ef753e00000


Tested on:

commit: 4155e28d add log

syzbot

Mar 14, 2020, 2:38:04 PM
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but build/boot failed:

failed to checkout kernel repo https://github.com/hqj/hqjagain_test.git/scup_wfree: failed to run ["git" "fetch" "https://github.com/hqj/hqjagain_test.git" "scup_wfree"]: exit status 128
fatal: couldn't find remote ref scup_wfree



Tested on:

commit: [unknown]
git tree: https://github.com/hqj/hqjagain_test.git scup_wfree

syzbot

Mar 14, 2020, 8:47:03 PM
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered a crash:
WARNING: refcount bug in sctp_wfree

------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 8938 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 8938 Comm: syz-executor.2 Not tainted 5.6.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1e9/0x30e lib/dump_stack.c:118
panic+0x264/0x7a0 kernel/panic.c:221
__warn+0x209/0x210 kernel/panic.c:582
report_bug+0x1ac/0x2d0 lib/bug.c:195
fixup_bug arch/x86/kernel/traps.c:174 [inline]
do_error_trap+0xca/0x1c0 arch/x86/kernel/traps.c:267
do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
Code: c7 d4 00 d1 88 31 c0 e8 33 1f b3 fd 0f 0b eb 85 e8 2a 4a e0 fd c6 05 4e 70 b1 05 01 48 c7 c7 00 01 d1 88 31 c0 e8 15 1f b3 fd <0f> 0b e9 64 ff ff ff e8 09 4a e0 fd c6 05 2e 70 b1 05 01 48 c7 c7
RSP: 0018:ffffc90002e178d0 EFLAGS: 00010246
RAX: 36615e29289cc300 RBX: 0000000000000003 RCX: ffff88809efa4540
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: 0000000000000003 R08: ffffffff815e16d6 R09: ffffed1015d26618
R10: ffffed1015d26618 R11: 0000000000000000 R12: dffffc0000000000
R13: 0000000000000000 R14: ffff88809e1fc000 R15: ffff88809e1c87c0
sctp_wfree+0x463/0x7f0 net/sctp/socket.c:9112
skb_release_head_state+0xfb/0x210 net/core/skbuff.c:651
skb_release_all net/core/skbuff.c:662 [inline]
__kfree_skb+0x22/0x1c0 net/core/skbuff.c:678
sctp_chunk_destroy net/sctp/sm_make_chunk.c:1454 [inline]
sctp_chunk_put+0x17b/0x200 net/sctp/sm_make_chunk.c:1481
__sctp_outq_teardown+0x80a/0x9d0 net/sctp/outqueue.c:257
sctp_association_free+0x21e/0x7c0 net/sctp/associola.c:339
sctp_cmd_delete_tcb net/sctp/sm_sideeffect.c:930 [inline]
sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1318 [inline]
sctp_side_effects net/sctp/sm_sideeffect.c:1185 [inline]
sctp_do_sm+0x3c01/0x5560 net/sctp/sm_sideeffect.c:1156
sctp_primitive_ABORT+0x93/0xc0 net/sctp/primitive.c:104
sctp_close+0x2aa/0x7d0 net/sctp/socket.c:1513
inet_release+0x135/0x180 net/ipv4/af_inet.c:427
__sock_release net/socket.c:605 [inline]
sock_close+0xd8/0x260 net/socket.c:1283
__fput+0x2d8/0x730 fs/file_table.c:280
task_work_run+0x176/0x1b0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop arch/x86/entry/common.c:164 [inline]
prepare_exit_to_usermode+0x48e/0x600 arch/x86/entry/common.c:195
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x416041
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffdd080db40 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000416041
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 0000000000000001 R08: 00ffffffffffffff R09: 00ffffffffffffff
R10: 00007ffdd080dc20 R11: 0000000000000293 R12: 000000000076bf20
R13: 0000000000770850 R14: 0000000000013deb R15: 000000000076bf2c
Kernel Offset: disabled
Rebooting in 86400 seconds..


Tested on:

commit: 1ee8411a log for gso
console output: https://syzkaller.appspot.com/x/log.txt?x=1132e6b1e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=a5295e161cd85b82

syzbot

Mar 14, 2020, 9:55:08 PM
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered a crash:
WARNING: refcount bug in sctp_wfree

WARNING: CPU: 1 PID: 8649 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 8649 Comm: syz-executor.3 Not tainted 5.6.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1e9/0x30e lib/dump_stack.c:118
panic+0x264/0x7a0 kernel/panic.c:221
__warn+0x209/0x210 kernel/panic.c:582
report_bug+0x1ac/0x2d0 lib/bug.c:195
fixup_bug arch/x86/kernel/traps.c:174 [inline]
do_error_trap+0xca/0x1c0 arch/x86/kernel/traps.c:267
do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
Code: c7 d4 00 d1 88 31 c0 e8 33 1f b3 fd 0f 0b eb 85 e8 2a 4a e0 fd c6 05 4e 70 b1 05 01 48 c7 c7 00 01 d1 88 31 c0 e8 15 1f b3 fd <0f> 0b e9 64 ff ff ff e8 09 4a e0 fd c6 05 2e 70 b1 05 01 48 c7 c7
RSP: 0018:ffffc900035c78c0 EFLAGS: 00010246
RAX: 7d12a702bedfca00 RBX: 0000000000000003 RCX: ffff888096c2c2c0
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: 0000000000000003 R08: ffffffff815e16d6 R09: fffffbfff15dbb2e
R10: fffffbfff15dbb2e R11: 0000000000000000 R12: dffffc0000000000
R13: 1ffff110133b2970 R14: ffff88808ad9b800 R15: ffff8880a1d12000
sctp_wfree+0x493/0x870 net/sctp/socket.c:9121
skb_release_head_state+0xfb/0x210 net/core/skbuff.c:651
skb_release_all net/core/skbuff.c:662 [inline]
__kfree_skb+0x22/0x1c0 net/core/skbuff.c:678
sctp_chunk_destroy net/sctp/sm_make_chunk.c:1454 [inline]
sctp_chunk_put+0x17b/0x200 net/sctp/sm_make_chunk.c:1481
__sctp_outq_teardown+0x80a/0x9d0 net/sctp/outqueue.c:257
sctp_association_free+0x21e/0x7c0 net/sctp/associola.c:339
sctp_cmd_delete_tcb net/sctp/sm_sideeffect.c:930 [inline]
sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1318 [inline]
sctp_side_effects net/sctp/sm_sideeffect.c:1185 [inline]
sctp_do_sm+0x3c01/0x5560 net/sctp/sm_sideeffect.c:1156
sctp_primitive_ABORT+0x93/0xc0 net/sctp/primitive.c:104
sctp_close+0x2aa/0x7d0 net/sctp/socket.c:1519
inet_release+0x135/0x180 net/ipv4/af_inet.c:427
__sock_release net/socket.c:605 [inline]
sock_close+0xd8/0x260 net/socket.c:1283
__fput+0x2d8/0x730 fs/file_table.c:280
task_work_run+0x176/0x1b0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop arch/x86/entry/common.c:164 [inline]
prepare_exit_to_usermode+0x48e/0x600 arch/x86/entry/common.c:195
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x416041
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffee30d3670 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000416041
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 0000000000000001 R08: 00ffffffffffffff R09: 00ffffffffffffff
R10: 00007ffee30d3750 R11: 0000000000000293 R12: 000000000076c920
R13: 000000000076c920 R14: 0000000000014e74 R15: 000000000076bf2c
Kernel Offset: disabled
Rebooting in 86400 seconds..


Tested on:

commit: 98f242b7 log in detail
console output: https://syzkaller.appspot.com/x/log.txt?x=1265e765e00000

syzbot

Mar 15, 2020, 2:00:04 AM
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but build/boot failed:

Makefile:1683: recipe for target 'net' failed
make: *** [net] Error 2
make: *** Waiting for unfinished jobs....
CC drivers/hid/hid-multitouch.o
CC drivers/gpu/drm/i915/oa/i915_oa_sklgt4.o
CC drivers/gpu/drm/i915/oa/i915_oa_bxt.o
CC drivers/hid/hid-ntrig.o
CC drivers/media/rc/keymaps/rc-proteus-2309.o
CC drivers/hid/hid-ortek.o
CC drivers/media/rc/keymaps/rc-purpletv.o
CC drivers/media/rc/keymaps/rc-pv951.o
CC drivers/hid/hid-prodikeys.o
CC drivers/gpu/drm/i915/oa/i915_oa_kblgt2.o
CC drivers/media/rc/keymaps/rc-hauppauge.o
CC drivers/gpu/drm/i915/oa/i915_oa_kblgt3.o
CC drivers/gpu/drm/i915/oa/i915_oa_glk.o
CC drivers/hid/hid-pl.o
CC drivers/hid/hid-petalynx.o
CC drivers/gpu/drm/i915/oa/i915_oa_cflgt2.o
CC drivers/gpu/drm/i915/oa/i915_oa_cflgt3.o
CC drivers/hid/hid-picolcd_core.o
CC drivers/media/rc/keymaps/rc-rc6-mce.o
CC drivers/media/rc/keymaps/rc-real-audio-220-32-keys.o
CC drivers/hid/hid-picolcd_debugfs.o
AR drivers/infiniband/sw/rdmavt/built-in.a
CC drivers/hid/hid-plantronics.o
AR drivers/infiniband/sw/built-in.a
CC drivers/hid/hid-primax.o
CC drivers/gpu/drm/i915/oa/i915_oa_cnl.o
CC drivers/hid/hid-roccat.o
CC drivers/gpu/drm/i915/oa/i915_oa_icl.o
CC drivers/hid/hid-roccat-common.o
CC drivers/hid/hid-roccat-arvo.o
CC drivers/gpu/drm/i915/oa/i915_oa_tgl.o
CC drivers/media/rc/keymaps/rc-reddo.o
CC drivers/hid/hid-roccat-isku.o
CC drivers/hid/hid-roccat-kone.o
CC drivers/hid/hid-roccat-koneplus.o
CC drivers/gpu/drm/i915/i915_perf.o
CC drivers/gpu/drm/i915/i915_gpu_error.o
CC drivers/hid/hid-roccat-konepure.o
AR drivers/md/built-in.a
CC drivers/gpu/drm/i915/i915_vgpu.o
CC drivers/media/rc/keymaps/rc-snapstream-firefly.o
CC drivers/media/rc/keymaps/rc-streamzap.o
CC drivers/media/rc/keymaps/rc-tango.o
CC drivers/hid/hid-roccat-kovaplus.o
CC drivers/media/rc/keymaps/rc-tanix-tx3mini.o
CC drivers/hid/hid-roccat-lua.o
CC drivers/hid/hid-roccat-pyra.o
CC drivers/media/rc/keymaps/rc-tanix-tx5max.o
CC drivers/hid/hid-roccat-ryos.o
CC drivers/hid/hid-roccat-savu.o
CC drivers/media/rc/keymaps/rc-tbs-nec.o
CC drivers/hid/hid-rmi.o
CC drivers/media/rc/keymaps/rc-technisat-ts35.o
CC drivers/hid/hid-saitek.o
CC drivers/hid/hid-samsung.o
CC drivers/hid/hid-sjoy.o
CC drivers/media/rc/keymaps/rc-technisat-usb2.o
CC drivers/hid/hid-sony.o
CC drivers/media/rc/keymaps/rc-terratec-cinergy-c-pci.o
CC drivers/hid/hid-speedlink.o
CC drivers/hid/hid-sunplus.o
CC drivers/hid/hid-gaff.o
CC drivers/media/rc/keymaps/rc-terratec-cinergy-xs.o
CC drivers/media/rc/keymaps/rc-terratec-cinergy-s2-hd.o
CC drivers/media/rc/keymaps/rc-terratec-slim.o
CC drivers/hid/hid-tmff.o
CC drivers/hid/hid-tivo.o
CC drivers/media/rc/keymaps/rc-terratec-slim-2.o
CC drivers/hid/hid-topseed.o
CC drivers/media/rc/keymaps/rc-tevii-nec.o
CC drivers/media/rc/keymaps/rc-tivo.o
CC drivers/media/rc/keymaps/rc-total-media-in-hand.o
CC drivers/hid/hid-twinhan.o
CC drivers/media/rc/keymaps/rc-total-media-in-hand-02.o
CC drivers/media/rc/keymaps/rc-trekstor.o
CC drivers/media/rc/keymaps/rc-tt-1500.o
CC drivers/media/rc/keymaps/rc-twinhan-dtv-cab-ci.o
CC drivers/hid/hid-uclogic-core.o
CC drivers/media/rc/keymaps/rc-vega-s9x.o
CC drivers/media/rc/keymaps/rc-twinhan1027.o
CC drivers/hid/hid-uclogic-rdesc.o
CC drivers/media/rc/keymaps/rc-videomate-m1f.o
CC drivers/hid/hid-uclogic-params.o
CC drivers/media/rc/keymaps/rc-videomate-s350.o
CC drivers/media/rc/keymaps/rc-videomate-tv-pvr.o
CC drivers/media/rc/keymaps/rc-wetek-hub.o
CC drivers/hid/hid-led.o
CC drivers/media/rc/keymaps/rc-wetek-play2.o
CC drivers/hid/hid-zpff.o
CC drivers/hid/hid-zydacron.o
CC drivers/media/rc/keymaps/rc-winfast.o
CC drivers/hid/wacom_wac.o
CC drivers/media/rc/keymaps/rc-su3000.o
CC drivers/media/rc/keymaps/rc-winfast-usbii-deluxe.o
CC drivers/hid/wacom_sys.o
CC drivers/hid/hid-waltop.o
CC drivers/media/rc/keymaps/rc-xbox-dvd.o
CC drivers/media/rc/keymaps/rc-x96max.o
CC drivers/hid/hid-wiimote-core.o
CC drivers/hid/hid-wiimote-modules.o
CC drivers/media/rc/keymaps/rc-zx-irdec.o
CC drivers/hid/hid-wiimote-debug.o
AR drivers/media/rc/keymaps/built-in.a
AR drivers/media/rc/built-in.a
AR drivers/media/built-in.a
AR drivers/android/built-in.a
AR drivers/gpu/drm/i915/built-in.a
AR drivers/gpu/drm/built-in.a
AR drivers/gpu/built-in.a
AR drivers/hid/built-in.a
AR drivers/infiniband/core/built-in.a
AR drivers/infiniband/built-in.a
AR drivers/built-in.a


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=13d79381e00000


Tested on:

commit: dc5b3581 add log

syzbot
Mar 15, 2020, 2:27:04 AM
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
WARNING: refcount bug in sctp_wfree

skb 0xffff8880a27a15c0 0xffff88809802e7c0: truesize 33024, sk alloc 33025 sctp_wfree 9093
skb 0xffff8880a27a15c0 0xffff88809802e7c0: truesize 33024, sk alloc 32769 sctp_wfree 9099
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 15360 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 15360 Comm: syz-executor018 Not tainted 5.6.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1e9/0x30e lib/dump_stack.c:118
panic+0x264/0x7a0 kernel/panic.c:221
__warn+0x209/0x210 kernel/panic.c:582
report_bug+0x1ac/0x2d0 lib/bug.c:195
fixup_bug arch/x86/kernel/traps.c:174 [inline]
do_error_trap+0xca/0x1c0 arch/x86/kernel/traps.c:267
do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
Code: c7 d4 00 d1 88 31 c0 e8 33 1f b3 fd 0f 0b eb 85 e8 2a 4a e0 fd c6 05 4e 70 b1 05 01 48 c7 c7 00 01 d1 88 31 c0 e8 15 1f b3 fd <0f> 0b e9 64 ff ff ff e8 09 4a e0 fd c6 05 2e 70 b1 05 01 48 c7 c7
RSP: 0018:ffffc900025277b0 EFLAGS: 00010246
RAX: e6ef09c15dffea00 RBX: 0000000000000003 RCX: ffff88808b6a8540
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: 0000000000000003 R08: ffffffff815e16d6 R09: fffffbfff15dbb2e
R10: fffffbfff15dbb2e R11: 0000000000000000 R12: dffffc0000000000
R13: 1ffff11013f90fa0 R14: ffff88809802e7c0 R15: ffff8880a27a15c0
sctp_wfree+0x49a/0x880 net/sctp/socket.c:9121
skb_release_head_state+0xfb/0x210 net/core/skbuff.c:651
skb_release_all net/core/skbuff.c:662 [inline]
__kfree_skb+0x22/0x1c0 net/core/skbuff.c:678
sctp_chunk_destroy net/sctp/sm_make_chunk.c:1454 [inline]
sctp_chunk_put+0x17b/0x200 net/sctp/sm_make_chunk.c:1481
__sctp_outq_teardown+0x80a/0x9d0 net/sctp/outqueue.c:257
sctp_association_free+0x21e/0x7c0 net/sctp/associola.c:339
sctp_cmd_delete_tcb net/sctp/sm_sideeffect.c:930 [inline]
sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1318 [inline]
sctp_side_effects net/sctp/sm_sideeffect.c:1185 [inline]
sctp_do_sm+0x3c01/0x5560 net/sctp/sm_sideeffect.c:1156
sctp_primitive_ABORT+0x93/0xc0 net/sctp/primitive.c:104
sctp_close+0x2aa/0x7d0 net/sctp/socket.c:1519
inet_release+0x135/0x180 net/ipv4/af_inet.c:427
__sock_release net/socket.c:605 [inline]
sock_close+0xd8/0x260 net/socket.c:1283
__fput+0x2d8/0x730 fs/file_table.c:280
task_work_run+0x176/0x1b0 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0x5ef/0x1f80 kernel/exit.c:801
do_group_exit+0x15e/0x2c0 kernel/exit.c:899
__do_sys_exit_group+0x13/0x20 kernel/exit.c:910
__se_sys_exit_group+0x10/0x10 kernel/exit.c:908
__x64_sys_exit_group+0x37/0x40 kernel/exit.c:908
do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x43ebc8
Code: Bad RIP value.
RSP: 002b:00007ffcf53d3908 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ebc8
RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
RBP: 00000000004be4a0 R08: 00000000000000e7 R09: ffffffffffffffd0
R10: 000000002059aff8 R11: 0000000000000246 R12: 0000000000000001
R13: 00000000006cc180 R14: 0000000000000000 R15: 0000000000000000
Kernel Offset: disabled
Rebooting in 86400 seconds..


Tested on:

commit: aba14c6f add log
console output: https://syzkaller.appspot.com/x/log.txt?x=15dda753e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=a5295e161cd85b82

syzbot
Mar 15, 2020, 3:47:04 AM
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger crash:

Reported-and-tested-by: syzbot+cea71e...@syzkaller.appspotmail.com

Tested on:

commit: d0386a2e get sk from skb
kernel config: https://syzkaller.appspot.com/x/.config?x=a5295e161cd85b82
dashboard link: https://syzkaller.appspot.com/bug?extid=cea71eec5d6de256d54d
compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)

Note: testing is done by a robot and is best-effort only.

Qiujun Huang
Mar 15, 2020, 3:59:55 AM
to syzbot, da...@davemloft.net, ku...@kernel.org, linux-...@vger.kernel.org, linux...@vger.kernel.org, marcelo...@gmail.com, net...@vger.kernel.org, nho...@tuxdriver.com, syzkall...@googlegroups.com, vyas...@gmail.com
#syz test: https://github.com/hqj/hqjagain_test.git sctp_wfree_refcount_bug

syzbot
Mar 15, 2020, 4:12:03 AM
to anen...@gmail.com, da...@davemloft.net, ku...@kernel.org, linux-...@vger.kernel.org, linux...@vger.kernel.org, marcelo...@gmail.com, net...@vger.kernel.org, nho...@tuxdriver.com, syzkall...@googlegroups.com, vyas...@gmail.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
KASAN: use-after-free Read in sctp_wfree

==================================================================
BUG: KASAN: use-after-free in sctp_write_space net/sctp/socket.c:9225 [inline]
BUG: KASAN: use-after-free in sctp_wake_up_waiters net/sctp/socket.c:9050 [inline]
BUG: KASAN: use-after-free in sctp_wfree+0x463/0x710 net/sctp/socket.c:9112
Read of size 8 at addr ffff8880a181f5a8 by task syz-executor.2/8661

CPU: 1 PID: 8661 Comm: syz-executor.2 Not tainted 5.6.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1e9/0x30e lib/dump_stack.c:118
print_address_description+0x74/0x5c0 mm/kasan/report.c:374
__kasan_report+0x14b/0x1c0 mm/kasan/report.c:506
kasan_report+0x25/0x50 mm/kasan/common.c:641
sctp_write_space net/sctp/socket.c:9225 [inline]
sctp_wake_up_waiters net/sctp/socket.c:9050 [inline]
sctp_wfree+0x463/0x710 net/sctp/socket.c:9112
skb_release_head_state+0xfb/0x210 net/core/skbuff.c:651
skb_release_all net/core/skbuff.c:662 [inline]
__kfree_skb+0x22/0x1c0 net/core/skbuff.c:678
sctp_chunk_destroy net/sctp/sm_make_chunk.c:1454 [inline]
sctp_chunk_put+0x17b/0x200 net/sctp/sm_make_chunk.c:1481
sctp_datamsg_destroy net/sctp/chunk.c:107 [inline]
sctp_datamsg_put+0x438/0x570 net/sctp/chunk.c:128
sctp_chunk_free+0x46/0x60 net/sctp/sm_make_chunk.c:1466
__sctp_outq_teardown+0x80a/0x9d0 net/sctp/outqueue.c:257
sctp_association_free+0x21e/0x7c0 net/sctp/associola.c:339
sctp_cmd_delete_tcb net/sctp/sm_sideeffect.c:930 [inline]
sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1318 [inline]
sctp_side_effects net/sctp/sm_sideeffect.c:1185 [inline]
sctp_do_sm+0x3c01/0x5560 net/sctp/sm_sideeffect.c:1156
sctp_primitive_ABORT+0x93/0xc0 net/sctp/primitive.c:104
sctp_close+0x231/0x770 net/sctp/socket.c:1512
inet_release+0x135/0x180 net/ipv4/af_inet.c:427
__sock_release net/socket.c:605 [inline]
sock_close+0xd8/0x260 net/socket.c:1283
__fput+0x2d8/0x730 fs/file_table.c:280
task_work_run+0x176/0x1b0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop arch/x86/entry/common.c:164 [inline]
prepare_exit_to_usermode+0x48e/0x600 arch/x86/entry/common.c:195
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x416041
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffdc88e28b0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000416041
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 0000000000000001 R08: 00ffffffffffffff R09: 00ffffffffffffff
R10: 00007ffdc88e2990 R11: 0000000000000293 R12: 000000000076bf20
R13: 0000000000770850 R14: 0000000000012e64 R15: 000000000076bf2c

Allocated by task 8662:
save_stack mm/kasan/common.c:72 [inline]
set_track mm/kasan/common.c:80 [inline]
__kasan_kmalloc+0x118/0x1c0 mm/kasan/common.c:515
slab_post_alloc_hook mm/slab.h:584 [inline]
slab_alloc mm/slab.c:3320 [inline]
kmem_cache_alloc+0x1f5/0x2d0 mm/slab.c:3484
sk_prot_alloc+0x58/0x2b0 net/core/sock.c:1597
sk_alloc+0x35/0x990 net/core/sock.c:1657
inet_create+0x576/0xc80 net/ipv4/af_inet.c:321
__sock_create+0x5c9/0x8d0 net/socket.c:1433
sock_create net/socket.c:1484 [inline]
__sys_socket+0xde/0x2d0 net/socket.c:1526
__do_sys_socket net/socket.c:1535 [inline]
__se_sys_socket net/socket.c:1533 [inline]
__x64_sys_socket+0x76/0x80 net/socket.c:1533
do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8661:
save_stack mm/kasan/common.c:72 [inline]
set_track mm/kasan/common.c:80 [inline]
kasan_set_free_info mm/kasan/common.c:337 [inline]
__kasan_slab_free+0x12e/0x1e0 mm/kasan/common.c:476
__cache_free mm/slab.c:3426 [inline]
kmem_cache_free+0x7e/0xf0 mm/slab.c:3694
sk_prot_free net/core/sock.c:1638 [inline]
__sk_destruct+0x60e/0x740 net/core/sock.c:1724
sctp_wfree+0x3af/0x710 net/sctp/socket.c:9111
skb_release_head_state+0xfb/0x210 net/core/skbuff.c:651
skb_release_all net/core/skbuff.c:662 [inline]
__kfree_skb+0x22/0x1c0 net/core/skbuff.c:678
sctp_chunk_destroy net/sctp/sm_make_chunk.c:1454 [inline]
sctp_chunk_put+0x17b/0x200 net/sctp/sm_make_chunk.c:1481
sctp_datamsg_destroy net/sctp/chunk.c:107 [inline]
sctp_datamsg_put+0x438/0x570 net/sctp/chunk.c:128
sctp_chunk_free+0x46/0x60 net/sctp/sm_make_chunk.c:1466
__sctp_outq_teardown+0x80a/0x9d0 net/sctp/outqueue.c:257
sctp_association_free+0x21e/0x7c0 net/sctp/associola.c:339
sctp_cmd_delete_tcb net/sctp/sm_sideeffect.c:930 [inline]
sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1318 [inline]
sctp_side_effects net/sctp/sm_sideeffect.c:1185 [inline]
sctp_do_sm+0x3c01/0x5560 net/sctp/sm_sideeffect.c:1156
sctp_primitive_ABORT+0x93/0xc0 net/sctp/primitive.c:104
sctp_close+0x231/0x770 net/sctp/socket.c:1512
inet_release+0x135/0x180 net/ipv4/af_inet.c:427
__sock_release net/socket.c:605 [inline]
sock_close+0xd8/0x260 net/socket.c:1283
__fput+0x2d8/0x730 fs/file_table.c:280
task_work_run+0x176/0x1b0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop arch/x86/entry/common.c:164 [inline]
prepare_exit_to_usermode+0x48e/0x600 arch/x86/entry/common.c:195
entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8880a181f040
which belongs to the cache SCTP of size 1800
The buggy address is located 1384 bytes inside of
1800-byte region [ffff8880a181f040, ffff8880a181f748)
The buggy address belongs to the page:
page:ffffea00028607c0 refcount:1 mapcount:0 mapping:ffff888099725000 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffff8880995ded48 ffff8880995ded48 ffff888099725000
raw: 0000000000000000 ffff8880a181f040 0000000100000002 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8880a181f480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880a181f500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880a181f580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880a181f600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880a181f680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: 26395f8f sctp: fix refcount bug in sctp_wfree
git tree: https://github.com/hqj/hqjagain_test.git sctp_wfree_refcount_bug
console output: https://syzkaller.appspot.com/x/log.txt?x=14358a1de00000

syzbot
Mar 15, 2020, 12:38:05 PM
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger crash:

Reported-and-tested-by: syzbot+cea71e...@syzkaller.appspotmail.com

Tested on:

commit: a8a7ac16 sctp: fix refcount bug in sctp_wfree
git tree: https://github.com/hqj/hqjagain_test.git sctp_wfree_refcount_bug
kernel config: https://syzkaller.appspot.com/x/.config?x=a5295e161cd85b82
dashboard link: https://syzkaller.appspot.com/bug?extid=cea71eec5d6de256d54d
compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)

syzbot
Mar 15, 2020, 11:16:03 PM
to anen...@gmail.com, syzkall...@googlegroups.com

Will Deacon
Mar 16, 2020, 11:51:26 AM
to Kees Cook, syzbot, ar...@kernel.org, da...@davemloft.net, guoh...@huawei.com, ku...@kernel.org, linux-...@vger.kernel.org, linux...@vger.kernel.org, marcelo...@gmail.com, mi...@kernel.org, net...@vger.kernel.org, nho...@tuxdriver.com, syzkall...@googlegroups.com, vyas...@gmail.com
On Tue, Mar 10, 2020 at 09:01:18AM -0700, Kees Cook wrote:
> On Tue, Mar 10, 2020 at 02:39:01AM -0700, syzbot wrote:
> > syzbot has bisected this bug to:
> >
> > commit fb041bb7c0a918b95c6889fc965cdc4a75b4c0ca
> > Author: Will Deacon <wi...@kernel.org>
> > Date: Thu Nov 21 11:59:00 2019 +0000
> >
> > locking/refcount: Consolidate implementations of refcount_t
>
> I suspect this is just bisecting to here because it made the refcount
> checks more strict?

Yes, this is the commit that enables full refcount checking for all
architectures unconditionally, so it's the canary in the coalmine rather
than the source of the problem.

Will
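
The two failure modes in this thread, the refcount underflow warning (sk alloc 33025 and then 32769 against an skb truesize of 33024) and the KASAN use-after-free from the first attempted fix, come down to one accounting rule: what is charged to a socket when an skb is attached has to match what the destructor takes back, and whichever drop reaches zero frees the socket on the spot. The following is a user-space C model added here to make that arithmetic visible; it is not kernel code and not any of the patches syzbot tested above. It reimplements the refcount_sub_and_test() contract from lib/refcount.c (saturate and warn instead of wrapping below zero, which is the check the bisected commit enabled for every architecture), feeds it the numbers from the debug lines, and treats the 256-byte step between the two logged values as the per-chunk overhead, which is an assumption. The ordering (chunk overhead, then truesize, then a wakeup that touches the socket) follows the stack traces; the names model_sock, charge_skb and release_skb are the model's own.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Added user-space model, not kernel code and not a patch from this thread:
 * the refcount_t underflow check from lib/refcount.c plus the socket
 * write-memory accounting, using the numbers in the debug lines above. */

#define REFCOUNT_SATURATED (INT_MIN / 2)	/* same pin value as the kernel */

struct refcount {
	int refs;
	bool warned;	/* where the kernel prints "refcount_t: underflow" */
};

/* Same contract as the kernel's refcount_sub_and_test(): true only on an
 * exact drop to zero; a result below zero is flagged and saturated instead
 * of wrapping, so the count can never come back down to zero afterwards. */
static bool refcount_sub_and_test(int i, struct refcount *r)
{
	int old = r->refs;
	r->refs = old - i;
	if (old == i)
		return true;
	if (old < 0 || old - i < 0) {
		r->refs = REFCOUNT_SATURATED;
		r->warned = true;
	}
	return false;
}

/* From the log lines: truesize 33024, sk alloc 33025 (truesize plus the
 * socket's own reference), then 32769, i.e. a 256-byte step dropped before
 * truesize. Assumption: that step is the per-chunk overhead. */
enum { SK_OWN_REF = 1, TRUESIZE = 33024, CHUNK_STEP = 256 };

struct model_sock {
	struct refcount wmem_alloc;	/* stands in for sk->sk_wmem_alloc */
	bool freed;			/* set when __sk_free() would have run */
};

enum release_result {
	RELEASE_OK,		/* count back at the socket's own reference */
	RELEASE_UNDERFLOW,	/* WARNING: refcount bug in sctp_wfree */
	RELEASE_UAF		/* KASAN: use-after-free Read in sctp_wfree */
};

/* Send side: charge truesize, and optionally the chunk overhead on top. */
static void charge_skb(struct model_sock *sk, int truesize, bool charge_chunk)
{
	sk->wmem_alloc.refs += truesize + (charge_chunk ? CHUNK_STEP : 0);
}

/* Destructor side, in the order the traces show: drop the chunk overhead,
 * then truesize (sock_wfree), then come back to the socket to wake writers.
 * Hitting zero on either drop frees the socket, so that wakeup is a UAF. */
static enum release_result release_skb(struct model_sock *sk, int truesize)
{
	if (refcount_sub_and_test(CHUNK_STEP, &sk->wmem_alloc))
		sk->freed = true;
	if (refcount_sub_and_test(truesize, &sk->wmem_alloc))
		sk->freed = true;
	if (sk->wmem_alloc.warned)
		return RELEASE_UNDERFLOW;
	return sk->freed ? RELEASE_UAF : RELEASE_OK;
}

/* Charge and release agree: the count returns to the socket's own 1. */
static enum release_result scenario_balanced(struct model_sock *sk)
{
	*sk = (struct model_sock){ .wmem_alloc.refs = SK_OWN_REF };
	charge_skb(sk, TRUESIZE, true);
	return release_skb(sk, TRUESIZE);
}

/* The logged case: only truesize was charged here (sk alloc 33025), so the
 * release goes 33025 -> 32769 -> below zero and the check fires. */
static enum release_result scenario_mismatched(struct model_sock *sk)
{
	*sk = (struct model_sock){ .wmem_alloc.refs = SK_OWN_REF };
	charge_skb(sk, TRUESIZE, false);
	return release_skb(sk, TRUESIZE);
}

/* The KASAN case: the socket's own reference is already gone, so the skb's
 * release is the last put and the socket dies inside its own destructor. */
static enum release_result scenario_last_ref(struct model_sock *sk)
{
	*sk = (struct model_sock){ .wmem_alloc.refs = SK_OWN_REF };
	charge_skb(sk, TRUESIZE, true);
	sk->wmem_alloc.refs -= SK_OWN_REF;
	return release_skb(sk, TRUESIZE);
}

int main(void)
{
	static const char *const names[] = { "ok", "underflow", "use-after-free" };
	struct model_sock sk;
	enum release_result r;

	printf("balanced:   %s\n", names[scenario_balanced(&sk)]);
	r = scenario_mismatched(&sk);
	printf("mismatched: %s (refs pinned at %d)\n", names[r], sk.wmem_alloc.refs);
	printf("last ref:   %s\n", names[scenario_last_ref(&sk)]);
	return 0;
}
```

Build with cc -std=c99 and run it. The mismatched scenario reports the underflow and leaves the counter pinned at INT_MIN/2, which is the property Will describes: a checked refcount_t turns a silent wrap into a warning and refuses to let the count ever reach zero again. The last-reference scenario shows the other half, that anything dereferencing the socket after the drop that may free it is a use-after-free no matter how the counter is implemented, which is what the KASAN report from the "get sk from skb" attempt exercised.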

Qiujun Huang
Mar 16, 2020, 12:25:28 PM
to Will Deacon, Kees Cook, syzbot, ar...@kernel.org, da...@davemloft.net, guoh...@huawei.com, ku...@kernel.org, linux-...@vger.kernel.org, linux...@vger.kernel.org, marcelo...@gmail.com, mi...@kernel.org, net...@vger.kernel.org, nho...@tuxdriver.com, syzkall...@googlegroups.com, vyas...@gmail.com
Yes, I tracked it down. And sent out a fix:
https://lore.kernel.org/netdev/1584330804-18477-1-gi...@gmail.com

>
> Will

Qiujun Huang
Mar 17, 2020, 12:26:16 AM
to syzbot, syzkall...@googlegroups.com
#syz test: https://github.com/hqj/hqjagain_test.git sctp_wfree_refcount_bug

syzbot
Mar 17, 2020, 12:56:04 AM
to anen...@gmail.com, syzkall...@googlegroups.com

syzbot
Mar 17, 2020, 6:02:04 AM
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
WARNING: refcount bug in sctp_wfree

skb 0xffff88809a5bae40 0xffff8880a001f7c0: truesize 33024, sk alloc 33025 sctp_wfree 9104
skb 0xffff88809a5bae40 0xffff8880a001f7c0: truesize 33024, sk alloc 32769 sctp_wfree 9110
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 14864 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 14864 Comm: syz-executor574 Not tainted 5.6.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1e9/0x30e lib/dump_stack.c:118
panic+0x264/0x7a0 kernel/panic.c:221
__warn+0x209/0x210 kernel/panic.c:582
report_bug+0x1ac/0x2d0 lib/bug.c:195
fixup_bug arch/x86/kernel/traps.c:174 [inline]
do_error_trap+0xca/0x1c0 arch/x86/kernel/traps.c:267
do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
Code: c7 d4 00 d1 88 31 c0 e8 33 1f b3 fd 0f 0b eb 85 e8 2a 4a e0 fd c6 05 4e 70 b1 05 01 48 c7 c7 00 01 d1 88 31 c0 e8 15 1f b3 fd <0f> 0b e9 64 ff ff ff e8 09 4a e0 fd c6 05 2e 70 b1 05 01 48 c7 c7
RSP: 0018:ffffc90001c177a0 EFLAGS: 00010246
RAX: 953f70d60acbb100 RBX: 0000000000000003 RCX: ffff8880a9706100
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: 0000000000000003 R08: ffffffff815e16d6 R09: fffffbfff15dbb2e
R10: fffffbfff15dbb2e R11: 0000000000000000 R12: ffff88809a5bae40
R13: ffff88809b512000 R14: 1ffff110128344b0 R15: dffffc0000000000
sctp_wfree+0x4a0/0x870 net/sctp/socket.c:9132
skb_release_head_state+0xfb/0x210 net/core/skbuff.c:651
skb_release_all net/core/skbuff.c:662 [inline]
__kfree_skb+0x22/0x1c0 net/core/skbuff.c:678
sctp_chunk_destroy net/sctp/sm_make_chunk.c:1454 [inline]
sctp_chunk_put+0x17b/0x200 net/sctp/sm_make_chunk.c:1481
__sctp_outq_teardown+0x80a/0x9d0 net/sctp/outqueue.c:257
sctp_association_free+0x21e/0x7c0 net/sctp/associola.c:339
sctp_cmd_delete_tcb net/sctp/sm_sideeffect.c:930 [inline]
sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1318 [inline]
sctp_side_effects net/sctp/sm_sideeffect.c:1185 [inline]
sctp_do_sm+0x3c01/0x5560 net/sctp/sm_sideeffect.c:1156
sctp_primitive_ABORT+0x93/0xc0 net/sctp/primitive.c:104
sctp_close+0x2aa/0x7d0 net/sctp/socket.c:1529
inet_release+0x135/0x180 net/ipv4/af_inet.c:427
__sock_release net/socket.c:605 [inline]
sock_close+0xd8/0x260 net/socket.c:1283
__fput+0x2d8/0x730 fs/file_table.c:280
task_work_run+0x176/0x1b0 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0x5ef/0x1f80 kernel/exit.c:801
do_group_exit+0x15e/0x2c0 kernel/exit.c:899
__do_sys_exit_group+0x13/0x20 kernel/exit.c:910
__se_sys_exit_group+0x10/0x10 kernel/exit.c:908
__x64_sys_exit_group+0x37/0x40 kernel/exit.c:908
do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x43ebc8
Code: 41 29 c8 41 83 c0 30 44 88 46 09 44 0f b6 47 03 44 89 c0 41 c0 f8 07 f6 ea 66 c1 e8 08 89 c1 c0 f9 02 44 29 c1 89 c8 89 cb f6 <ea> c0 fb 07 41 89 d8 66 c1 e8 08 c0 f8 02 44 29 c0 8d 04 80 01 c0
RSP: 002b:00007ffed23143b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ebc8
RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
RBP: 00000000004be4a0 R08: 00000000000000e7 R09: ffffffffffffffd0
R10: 000000002059aff8 R11: 0000000000000246 R12: 0000000000000001
R13: 00000000006cc180 R14: 0000000000000000 R15: 0000000000000000
Kernel Offset: disabled
Rebooting in 86400 seconds..


Tested on:

commit: 479c1e39 back to dup
console output: https://syzkaller.appspot.com/x/log.txt?x=11c7d781e00000

syzbot
Mar 17, 2020, 10:57:03 AM
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
BUG: using smp_processor_id() in preemptible [ADDR] code: syz-executor

check_preemption_disabled: 3 callbacks suppressed
BUG: using smp_processor_id() in preemptible [00000000] code: syz-executor.2/8699
caller is sctp_set_owner_w+0xcf/0x4d0 net/sctp/socket.c:136
CPU: 0 PID: 8699 Comm: syz-executor.2 Not tainted 5.6.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1e9/0x30e lib/dump_stack.c:118
check_preemption_disabled+0x1c9/0x240 lib/smp_processor_id.c:47
sctp_set_owner_w+0xcf/0x4d0 net/sctp/socket.c:136
sctp_sendmsg_to_asoc+0x874/0x10f0 net/sctp/socket.c:1868
sctp_sendmsg+0x170d/0x3440 net/sctp/socket.c:2030
sock_sendmsg_nosec net/socket.c:652 [inline]
sock_sendmsg net/socket.c:672 [inline]
__sys_sendto+0x3f3/0x590 net/socket.c:1998
__do_sys_sendto net/socket.c:2010 [inline]
__se_sys_sendto net/socket.c:2006 [inline]
__x64_sys_sendto+0xda/0xf0 net/socket.c:2006
do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c4a9
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fab5fcc1c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fab5fcc26d4 RCX: 000000000045c4a9
RDX: 0000000000000001 RSI: 0000000020fa3fff RDI: 0000000000000004
RBP: 000000000076bf20 R08: 00000000206f7000 R09: 0000000000000010
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000000a03 R14: 00000000004cc7f0 R15: 000000000076bf2c
[0]skb 0xffff88809ab68780 0xffff88809f109040: truesize 768, sk alloc 769 sctp_set_owner_w 137


Tested on:

commit: 63d01a13 race log
console output: https://syzkaller.appspot.com/x/log.txt?x=174970e5e00000

syzbot
Mar 17, 2020, 11:30:05 AM
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
WARNING: refcount bug in sctp_wfree

refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 8750 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 8750 Comm: syz-executor.3 Not tainted 5.6.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1e9/0x30e lib/dump_stack.c:118
panic+0x264/0x7a0 kernel/panic.c:221
__warn+0x209/0x210 kernel/panic.c:582
report_bug+0x1ac/0x2d0 lib/bug.c:195
fixup_bug arch/x86/kernel/traps.c:174 [inline]
do_error_trap+0xca/0x1c0 arch/x86/kernel/traps.c:267
do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
Code: c7 d4 00 d1 88 31 c0 e8 33 1f b3 fd 0f 0b eb 85 e8 2a 4a e0 fd c6 05 4e 70 b1 05 01 48 c7 c7 00 01 d1 88 31 c0 e8 15 1f b3 fd <0f> 0b e9 64 ff ff ff e8 09 4a e0 fd c6 05 2e 70 b1 05 01 48 c7 c7
RSP: 0018:ffffc900031e7598 EFLAGS: 00010246
RAX: 09dab9309ccb3000 RBX: 0000000000000003 RCX: ffff8880a2fbc040
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: 0000000000000003 R08: ffffffff815e16d6 R09: ffffed1015d06618
R10: ffffed1015d06618 R11: 0000000000000000 R12: ffff88808bd759c0
R13: ffff88808efa0000 R14: 1ffff110117aeb38 R15: dffffc0000000000
sctp_wfree+0x436/0x7e0 net/sctp/socket.c:9127
skb_release_head_state+0xfb/0x210 net/core/skbuff.c:651
skb_release_all net/core/skbuff.c:662 [inline]
__kfree_skb+0x22/0x1c0 net/core/skbuff.c:678
sctp_chunk_destroy net/sctp/sm_make_chunk.c:1454 [inline]
sctp_chunk_put+0x17b/0x200 net/sctp/sm_make_chunk.c:1481
__sctp_outq_teardown+0x80a/0x9d0 net/sctp/outqueue.c:257
sctp_association_free+0x21e/0x7c0 net/sctp/associola.c:339
sctp_cmd_delete_tcb net/sctp/sm_sideeffect.c:930 [inline]
sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1318 [inline]
sctp_side_effects net/sctp/sm_sideeffect.c:1185 [inline]
sctp_do_sm+0x3c01/0x5560 net/sctp/sm_sideeffect.c:1156
sctp_primitive_ABORT+0x93/0xc0 net/sctp/primitive.c:104
sctp_close+0x2aa/0x7d0 net/sctp/socket.c:1526
inet_release+0x135/0x180 net/ipv4/af_inet.c:427
__sock_release net/socket.c:605 [inline]
sock_close+0xd8/0x260 net/socket.c:1283
__fput+0x2d8/0x730 fs/file_table.c:280
task_work_run+0x176/0x1b0 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0x5ef/0x1f80 kernel/exit.c:801
do_group_exit+0x15e/0x2c0 kernel/exit.c:899
get_signal+0x13cf/0x1d60 kernel/signal.c:2739
do_signal+0x33/0x610 arch/x86/kernel/signal.c:813
exit_to_usermode_loop arch/x86/entry/common.c:160 [inline]
prepare_exit_to_usermode+0x32a/0x600 arch/x86/entry/common.c:195
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c4a9
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007feca3c59c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
RAX: 0000000000000003 RBX: 00007feca3c5a6d4 RCX: 000000000045c4a9
RDX: 000000000000007a RSI: 0000000000000084 RDI: 0000000000000004
RBP: 000000000076bf20 R08: 000000002034f000 R09: 0000000000000000
R10: 000000002059aff8 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000001a4 R14: 00000000004d1fc0 R15: 000000000076bf2c
Kernel Offset: disabled
Rebooting in 86400 seconds..


Tested on:

commit: adaebd22 add core log
console output: https://syzkaller.appspot.com/x/log.txt?x=15197803e00000

syzbot
Mar 17, 2020, 12:43:04 PM
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
WARNING: refcount bug in sctp_wfree

refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 8846 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 8846 Comm: syz-executor.4 Not tainted 5.6.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1e9/0x30e lib/dump_stack.c:118
panic+0x264/0x7a0 kernel/panic.c:221
__warn+0x209/0x210 kernel/panic.c:582
report_bug+0x1ac/0x2d0 lib/bug.c:195
fixup_bug arch/x86/kernel/traps.c:174 [inline]
do_error_trap+0xca/0x1c0 arch/x86/kernel/traps.c:267
do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
Kernel Offset: disabled
Rebooting in 86400 seconds..


Tested on:

commit: adaebd22 add core log
git tree: https://github.com/hqj/hqjagain_test.git sctp_wfree
console output: https://syzkaller.appspot.com/x/log.txt?x=16d7ffdde00000

syzbot

Mar 17, 2020, 10:14:03 PM
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
WARNING: refcount bug in sctp_wfree

[1]skb 0xffff88809ef55a40 0xffff8880a3bb2800: truesize 33024, sk alloc 33025 sctp_wfree 9101 real sk 0xffff8880a3bb2800
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 8811 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 8811 Comm: syz-executor.2 Not tainted 5.6.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1e9/0x30e lib/dump_stack.c:118
panic+0x264/0x7a0 kernel/panic.c:221
__warn+0x209/0x210 kernel/panic.c:582
report_bug+0x1ac/0x2d0 lib/bug.c:195
fixup_bug arch/x86/kernel/traps.c:174 [inline]
do_error_trap+0xca/0x1c0 arch/x86/kernel/traps.c:267
do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
sctp_wfree+0x449/0x7e0 net/sctp/socket.c:9127
skb_release_head_state+0xfb/0x210 net/core/skbuff.c:651
skb_release_all net/core/skbuff.c:662 [inline]
__kfree_skb+0x22/0x1c0 net/core/skbuff.c:678
sctp_chunk_destroy net/sctp/sm_make_chunk.c:1454 [inline]
sctp_chunk_put+0x17b/0x200 net/sctp/sm_make_chunk.c:1481
__sctp_outq_teardown+0x5a9/0x980 net/sctp/outqueue.c:259
sctp_association_free+0x21e/0x7c0 net/sctp/associola.c:339
sctp_cmd_delete_tcb net/sctp/sm_sideeffect.c:930 [inline]
sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1318 [inline]
sctp_side_effects net/sctp/sm_sideeffect.c:1185 [inline]
sctp_do_sm+0x3c01/0x5560 net/sctp/sm_sideeffect.c:1156
sctp_primitive_ABORT+0x93/0xc0 net/sctp/primitive.c:104
sctp_close+0x2aa/0x7d0 net/sctp/socket.c:1526
inet_release+0x135/0x180 net/ipv4/af_inet.c:427
__sock_release net/socket.c:605 [inline]
sock_close+0xd8/0x260 net/socket.c:1283
__fput+0x2d8/0x730 fs/file_table.c:280
task_work_run+0x176/0x1b0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop arch/x86/entry/common.c:164 [inline]
prepare_exit_to_usermode+0x48e/0x600 arch/x86/entry/common.c:195
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x416041
Kernel Offset: disabled
Rebooting in 86400 seconds..


Tested on:

commit: a446ffe7 add teardown log
console output: https://syzkaller.appspot.com/x/log.txt?x=10336d19e00000

syzbot

Mar 18, 2020, 3:33:05 AM
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
WARNING: refcount bug in sctp_wfree

refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 9548 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 9548 Comm: syz-executor.1 Not tainted 5.6.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1e9/0x30e lib/dump_stack.c:118
panic+0x264/0x7a0 kernel/panic.c:221
__warn+0x209/0x210 kernel/panic.c:582
report_bug+0x1ac/0x2d0 lib/bug.c:195
fixup_bug arch/x86/kernel/traps.c:174 [inline]
do_error_trap+0xca/0x1c0 arch/x86/kernel/traps.c:267
do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
sctp_wfree+0x420/0x7e0 net/sctp/socket.c:9123
skb_release_head_state+0xfb/0x210 net/core/skbuff.c:651
skb_release_all net/core/skbuff.c:662 [inline]
__kfree_skb+0x22/0x1c0 net/core/skbuff.c:678
sctp_chunk_destroy net/sctp/sm_make_chunk.c:1454 [inline]
sctp_chunk_put+0x17b/0x200 net/sctp/sm_make_chunk.c:1481
__sctp_outq_teardown+0x5a9/0x980 net/sctp/outqueue.c:259
sctp_association_free+0x21e/0x7c0 net/sctp/associola.c:339
sctp_cmd_delete_tcb net/sctp/sm_sideeffect.c:930 [inline]
sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1318 [inline]
sctp_side_effects net/sctp/sm_sideeffect.c:1185 [inline]
sctp_do_sm+0x3c01/0x5560 net/sctp/sm_sideeffect.c:1156
sctp_primitive_ABORT+0x93/0xc0 net/sctp/primitive.c:104
sctp_close+0x2aa/0x7d0 net/sctp/socket.c:1522
inet_release+0x135/0x180 net/ipv4/af_inet.c:427
__sock_release net/socket.c:605 [inline]
sock_close+0xd8/0x260 net/socket.c:1283
__fput+0x2d8/0x730 fs/file_table.c:280
task_work_run+0x176/0x1b0 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0x5ef/0x1f80 kernel/exit.c:801
do_group_exit+0x15e/0x2c0 kernel/exit.c:899
get_signal+0x13cf/0x1d60 kernel/signal.c:2739
do_signal+0x33/0x610 arch/x86/kernel/signal.c:813
exit_to_usermode_loop arch/x86/entry/common.c:160 [inline]
prepare_exit_to_usermode+0x32a/0x600 arch/x86/entry/common.c:195
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c4a9
Kernel Offset: disabled
Rebooting in 86400 seconds..


Tested on:

commit: 0f7733a2 queue log
console output: https://syzkaller.appspot.com/x/log.txt?x=1048f32de00000

syzbot

Mar 18, 2020, 12:52:04 PM
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
WARNING: refcount bug in sctp_wfree

refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 11245 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 11245 Comm: syz-executor.0 Not tainted 5.6.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1e9/0x30e lib/dump_stack.c:118
panic+0x264/0x7a0 kernel/panic.c:221
__warn+0x209/0x210 kernel/panic.c:582
report_bug+0x1ac/0x2d0 lib/bug.c:195
fixup_bug arch/x86/kernel/traps.c:174 [inline]
do_error_trap+0xca/0x1c0 arch/x86/kernel/traps.c:267
do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
sctp_wfree+0x420/0x7e0 net/sctp/socket.c:9126
skb_release_head_state+0xfb/0x210 net/core/skbuff.c:651
skb_release_all net/core/skbuff.c:662 [inline]
__kfree_skb+0x22/0x1c0 net/core/skbuff.c:678
sctp_chunk_destroy net/sctp/sm_make_chunk.c:1454 [inline]
sctp_chunk_put+0x17b/0x200 net/sctp/sm_make_chunk.c:1481
__sctp_outq_teardown+0x449/0x9c0 net/sctp/outqueue.c:261
sctp_association_free+0x21e/0x7c0 net/sctp/associola.c:339
sctp_cmd_delete_tcb net/sctp/sm_sideeffect.c:930 [inline]
sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1318 [inline]
sctp_side_effects net/sctp/sm_sideeffect.c:1185 [inline]
sctp_do_sm+0x3c01/0x5560 net/sctp/sm_sideeffect.c:1156
sctp_primitive_ABORT+0x93/0xc0 net/sctp/primitive.c:104
sctp_close+0x2aa/0x7d0 net/sctp/socket.c:1525
inet_release+0x135/0x180 net/ipv4/af_inet.c:427
__sock_release net/socket.c:605 [inline]
sock_close+0xd8/0x260 net/socket.c:1283
__fput+0x2d8/0x730 fs/file_table.c:280
task_work_run+0x176/0x1b0 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0x5ef/0x1f80 kernel/exit.c:801
do_group_exit+0x15e/0x2c0 kernel/exit.c:899
get_signal+0x13cf/0x1d60 kernel/signal.c:2739
do_signal+0x33/0x610 arch/x86/kernel/signal.c:813
exit_to_usermode_loop arch/x86/entry/common.c:160 [inline]
prepare_exit_to_usermode+0x32a/0x600 arch/x86/entry/common.c:195
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c4a9
Kernel Offset: disabled
Rebooting in 86400 seconds..


Tested on:

commit: b62f73fc sacked queue log
console output: https://syzkaller.appspot.com/x/log.txt?x=1329b973e00000

syzbot

Mar 18, 2020, 11:54:05 PM
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but build/boot failed:

Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=168e18e5e00000


Tested on:

commit: 774b9eea skb log

syzbot

Mar 19, 2020, 4:50:03 AM
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
WARNING: refcount bug in sctp_wfree

[0] 0xffff8880a7a0f280 0xffff8880a7a0f000 skb , -1998134457
[0]skb 0xffff88809fb33680 0xffff88809efa37c0 size 296449 sctp_wfree 9101 real sk 0xffff8880985de800
[0]skb 0xffff88809fb33a40 0xffff88809efa37c0 size 296193 sctp_wfree 9101 real sk 0xffff88809efa37c0
[0]skb 0xffff88809fb332c0 0xffff88809efa37c0 size 164609 sctp_wfree 9101 real sk 0xffff88809efa37c0
[0]skb 0xffff88809fb33b80 0xffff88809efa37c0 size 33025 sctp_wfree 9101 real sk 0xffff88809efa37c0
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 16726 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 16726 Comm: syz-executor100 Not tainted 5.6.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1e9/0x30e lib/dump_stack.c:118
panic+0x264/0x7a0 kernel/panic.c:221
__warn+0x209/0x210 kernel/panic.c:582
report_bug+0x1ac/0x2d0 lib/bug.c:195
fixup_bug arch/x86/kernel/traps.c:174 [inline]
do_error_trap+0xca/0x1c0 arch/x86/kernel/traps.c:267
do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
sctp_wfree+0x420/0x7e0 net/sctp/socket.c:9127
skb_release_head_state+0xfb/0x210 net/core/skbuff.c:651
skb_release_all net/core/skbuff.c:662 [inline]
__kfree_skb+0x22/0x1c0 net/core/skbuff.c:678
sctp_chunk_destroy net/sctp/sm_make_chunk.c:1454 [inline]
sctp_chunk_put+0x17b/0x200 net/sctp/sm_make_chunk.c:1481
__sctp_outq_teardown+0x6e5/0xab0 net/sctp/outqueue.c:262
sctp_association_free+0x21e/0x7c0 net/sctp/associola.c:339
sctp_cmd_delete_tcb net/sctp/sm_sideeffect.c:930 [inline]
sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1318 [inline]
sctp_side_effects net/sctp/sm_sideeffect.c:1185 [inline]
sctp_do_sm+0x3c01/0x5560 net/sctp/sm_sideeffect.c:1156
sctp_primitive_ABORT+0x93/0xc0 net/sctp/primitive.c:104
sctp_close+0x2aa/0x7d0 net/sctp/socket.c:1526
inet_release+0x135/0x180 net/ipv4/af_inet.c:427
__sock_release net/socket.c:605 [inline]
sock_close+0xd8/0x260 net/socket.c:1283
__fput+0x2d8/0x730 fs/file_table.c:280
task_work_run+0x176/0x1b0 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0x5ef/0x1f80 kernel/exit.c:801
do_group_exit+0x15e/0x2c0 kernel/exit.c:899
__do_sys_exit_group+0x13/0x20 kernel/exit.c:910
__se_sys_exit_group+0x10/0x10 kernel/exit.c:908
__x64_sys_exit_group+0x37/0x40 kernel/exit.c:908
do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x43ebc8
Kernel Offset: disabled
Rebooting in 86400 seconds..


Tested on:

commit: 1a1e045a log
console output: https://syzkaller.appspot.com/x/log.txt?x=1413a7c3e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=a5295e161cd85b82

syzbot

Mar 19, 2020, 9:39:04 AM
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
WARNING: refcount bug in sctp_wfree

WARNING: CPU: 1 PID: 12329 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 12329 Comm: syz-executor.4 Not tainted 5.6.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1e9/0x30e lib/dump_stack.c:118
panic+0x264/0x7a0 kernel/panic.c:221
__warn+0x209/0x210 kernel/panic.c:582
report_bug+0x1ac/0x2d0 lib/bug.c:195
fixup_bug arch/x86/kernel/traps.c:174 [inline]
do_error_trap+0xca/0x1c0 arch/x86/kernel/traps.c:267
do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
sctp_wfree+0x420/0x7e0 net/sctp/socket.c:9127
skb_release_head_state+0xfb/0x210 net/core/skbuff.c:651
skb_release_all net/core/skbuff.c:662 [inline]
__kfree_skb+0x22/0x1c0 net/core/skbuff.c:678
sctp_chunk_destroy net/sctp/sm_make_chunk.c:1454 [inline]
sctp_chunk_put+0x17b/0x200 net/sctp/sm_make_chunk.c:1481
__sctp_outq_teardown+0xa43/0xc90 net/sctp/outqueue.c:267
sctp_association_free+0x21e/0x7c0 net/sctp/associola.c:339
sctp_cmd_delete_tcb net/sctp/sm_sideeffect.c:930 [inline]
sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1318 [inline]
sctp_side_effects net/sctp/sm_sideeffect.c:1185 [inline]
sctp_do_sm+0x3c01/0x5560 net/sctp/sm_sideeffect.c:1156
sctp_primitive_ABORT+0x93/0xc0 net/sctp/primitive.c:104
sctp_close+0x2aa/0x7d0 net/sctp/socket.c:1526
inet_release+0x135/0x180 net/ipv4/af_inet.c:427
__sock_release net/socket.c:605 [inline]
sock_close+0xd8/0x260 net/socket.c:1283
__fput+0x2d8/0x730 fs/file_table.c:280
task_work_run+0x176/0x1b0 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0x5ef/0x1f80 kernel/exit.c:801
do_group_exit+0x15e/0x2c0 kernel/exit.c:899
get_signal+0x13cf/0x1d60 kernel/signal.c:2739
do_signal+0x33/0x610 arch/x86/kernel/signal.c:813
exit_to_usermode_loop arch/x86/entry/common.c:160 [inline]
prepare_exit_to_usermode+0x32a/0x600 arch/x86/entry/common.c:195
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c4a9
Code: Bad RIP value.
RSP: 002b:00007fd0accc1c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: 0000000000034000 RBX: 00007fd0accc26d4 RCX: 000000000045c4a9
RDX: 0000000000034000 RSI: 00000000203cef9f RDI: 0000000000000004
RBP: 000000000076bfc0 R08: 0000000020618000 R09: 0000000000000010
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000000a03 R14: 00000000004cc7f0 R15: 000000000076bfcc
Kernel Offset: disabled
Rebooting in 86400 seconds..


Tested on:

commit: e9c77cd3 tear log
console output: https://syzkaller.appspot.com/x/log.txt?x=14707fc3e00000

syzbot

Mar 19, 2020, 1:36:04 PM
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
WARNING: refcount bug in sctp_wfree

refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 8827 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 8827 Comm: syz-executor.1 Not tainted 5.6.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1e9/0x30e lib/dump_stack.c:118
panic+0x264/0x7a0 kernel/panic.c:221
__warn+0x209/0x210 kernel/panic.c:582
report_bug+0x1ac/0x2d0 lib/bug.c:195
fixup_bug arch/x86/kernel/traps.c:174 [inline]
do_error_trap+0xca/0x1c0 arch/x86/kernel/traps.c:267
do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
Code: c7 d4 00 d1 88 31 c0 e8 33 1f b3 fd 0f 0b eb 85 e8 2a 4a e0 fd c6 05 4e 70 b1 05 01 48 c7 c7 00 01 d1 88 31 c0 e8 15 1f b3 fd <0f> 0b e9 64 ff ff ff e8 09 4a e0 fd c6 05 2e 70 b1 05 01 48 c7 c7
RSP: 0018:ffffc90004277598 EFLAGS: 00010246
RAX: 627314890398c100 RBX: 0000000000000003 RCX: ffff888091116140
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: 0000000000000003 R08: ffffffff815e16d6 R09: ffffed1015d06618
R10: ffffed1015d06618 R11: 0000000000000000 R12: dffffc0000000000
R13: ffff88808eace000 R14: 1ffff110121a2730 R15: ffff888090d13980
sctp_wfree+0x46d/0x7f0 net/sctp/socket.c:9131
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007effd9d21c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: 0000000000034000 RBX: 00007effd9d226d4 RCX: 000000000045c4a9
RDX: 0000000000034000 RSI: 00000000203cef9f RDI: 0000000000000005
RBP: 000000000076bf20 R08: 0000000020618000 R09: 0000000000000010
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000000a03 R14: 00000000004cc7f0 R15: 000000000076bf2c
Kernel Offset: disabled
Rebooting in 86400 seconds..


Tested on:

commit: 90991d97 catch trouble skb
console output: https://syzkaller.appspot.com/x/log.txt?x=1694561de00000

syzbot

Mar 20, 2020, 1:13:03 AM
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
WARNING: refcount bug in sctp_wfree

[1]skb 0xffff88809f59d400 0xffff8880a337d040 size 164609 sctp_wfree 9101 real sk 0xffff8880a337d040
[1]skb 0xffff88809f59d680 0xffff8880a337d040 size 33025 sctp_wfree 9101 real sk 0xffff8880a337d040
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 8901 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 8901 Comm: syz-executor.5 Not tainted 5.6.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1e9/0x30e lib/dump_stack.c:118
panic+0x264/0x7a0 kernel/panic.c:221
__warn+0x209/0x210 kernel/panic.c:582
report_bug+0x1ac/0x2d0 lib/bug.c:195
fixup_bug arch/x86/kernel/traps.c:174 [inline]
do_error_trap+0xca/0x1c0 arch/x86/kernel/traps.c:267
do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
Code: c7 d4 00 d1 88 31 c0 e8 33 1f b3 fd 0f 0b eb 85 e8 2a 4a e0 fd c6 05 4e 70 b1 05 01 48 c7 c7 00 01 d1 88 31 c0 e8 15 1f b3 fd <0f> 0b e9 64 ff ff ff e8 09 4a e0 fd c6 05 2e 70 b1 05 01 48 c7 c7
RSP: 0018:ffffc900046c78b8 EFLAGS: 00010246
RAX: 079462d5159eed00 RBX: 0000000000000003 RCX: ffff888093f40400
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: 0000000000000003 R08: ffffffff815e16d6 R09: ffffed1015d24592
R10: ffffed1015d24592 R11: 0000000000000000 R12: dffffc0000000000
R13: ffff8880a826c000 R14: 1ffff11015270d80 R15: ffff8880a9386c00
sctp_wfree+0x46d/0x7f0 net/sctp/socket.c:9131
skb_release_head_state+0xfb/0x210 net/core/skbuff.c:651
skb_release_all net/core/skbuff.c:662 [inline]
__kfree_skb+0x22/0x1c0 net/core/skbuff.c:678
sctp_chunk_destroy net/sctp/sm_make_chunk.c:1454 [inline]
sctp_chunk_put+0x17b/0x200 net/sctp/sm_make_chunk.c:1481
__sctp_outq_teardown+0xa43/0xc90 net/sctp/outqueue.c:267
sctp_association_free+0x21e/0x7c0 net/sctp/associola.c:339
sctp_cmd_delete_tcb net/sctp/sm_sideeffect.c:930 [inline]
sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1318 [inline]
sctp_side_effects net/sctp/sm_sideeffect.c:1185 [inline]
sctp_do_sm+0x3c01/0x5560 net/sctp/sm_sideeffect.c:1156
sctp_primitive_ABORT+0x93/0xc0 net/sctp/primitive.c:104
sctp_close+0x2aa/0x7d0 net/sctp/socket.c:1526
inet_release+0x135/0x180 net/ipv4/af_inet.c:427
__sock_release net/socket.c:605 [inline]
sock_close+0xd8/0x260 net/socket.c:1283
__fput+0x2d8/0x730 fs/file_table.c:280
task_work_run+0x176/0x1b0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop arch/x86/entry/common.c:164 [inline]
prepare_exit_to_usermode+0x48e/0x600 arch/x86/entry/common.c:195
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x416041
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007fff5cf8a9f0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000416041
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 0000000000000001 R08: 00ffffffffffffff R09: 00ffffffffffffff
R10: 00007fff5cf8aad0 R11: 0000000000000293 R12: 000000000076bf20
R13: 0000000000770850 R14: 0000000000014ae9 R15: 000000000076bf2c
Kernel Offset: disabled
Rebooting in 86400 seconds..


Tested on:

commit: 3b15dd44 log
console output: https://syzkaller.appspot.com/x/log.txt?x=1471cbe3e00000

Qiujun Huang

Mar 20, 2020, 7:11:13 AM
to syzbot, da...@davemloft.net, ku...@kernel.org, linux-...@vger.kernel.org, linux...@vger.kernel.org, marcelo...@gmail.com, net...@vger.kernel.org, nho...@tuxdriver.com, syzkall...@googlegroups.com, vyas...@gmail.com

syzbot

Mar 20, 2020, 10:28:04 AM
to anen...@gmail.com, da...@davemloft.net, ku...@kernel.org, linux-...@vger.kernel.org, linux...@vger.kernel.org, marcelo...@gmail.com, net...@vger.kernel.org, nho...@tuxdriver.com, syzkall...@googlegroups.com, vyas...@gmail.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger crash:

Reported-and-tested-by: syzbot+cea71e...@syzkaller.appspotmail.com

Tested on:

commit: a8a7ac16 sctp: fix refcount bug in sctp_wfree
git tree: https://github.com/hqj/hqjagain_test.git sctp_wfree_refcount_bug
kernel config: https://syzkaller.appspot.com/x/.config?x=a5295e161cd85b82
dashboard link: https://syzkaller.appspot.com/bug?extid=cea71eec5d6de256d54d
compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)

syzbot

Mar 21, 2020, 8:04:04 PM
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
WARNING: refcount bug in sctp_wfree

R10: 000000002059aff8 R11: 0000000000000246 R12: 0000000000000001
R13: 00000000006cc180 R14: 0000000000000000 R15: 0000000000000000
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 15722 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 15722 Comm: syz-executor962 Not tainted 5.6.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1e9/0x30e lib/dump_stack.c:118
panic+0x264/0x7a0 kernel/panic.c:221
__warn+0x209/0x210 kernel/panic.c:582
report_bug+0x1ac/0x2d0 lib/bug.c:195
fixup_bug arch/x86/kernel/traps.c:174 [inline]
do_error_trap+0xca/0x1c0 arch/x86/kernel/traps.c:267
do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286
invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
Code: c7 d4 00 d1 88 31 c0 e8 33 1f b3 fd 0f 0b eb 85 e8 2a 4a e0 fd c6 05 4e 70 b1 05 01 48 c7 c7 00 01 d1 88 31 c0 e8 15 1f b3 fd <0f> 0b e9 64 ff ff ff e8 09 4a e0 fd c6 05 2e 70 b1 05 01 48 c7 c7
RSP: 0018:ffffc900045a7718 EFLAGS: 00010246
RAX: 46a1a9cbd49ecb00 RBX: 0000000000000003 RCX: ffff88808ef6e1c0
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: 0000000000000003 R08: ffffffff815e16d6 R09: ffffed1015d04592
R10: ffffed1015d04592 R11: 0000000000000000 R12: dffffc0000000000
R13: ffff888092e50000 R14: ffff88808cf4a9b8 R15: ffff8880a87dc440
refcount_sub_and_test include/linux/refcount.h:261 [inline]
sctp_wfree+0x66f/0x7f0 net/sctp/socket.c:9127
skb_release_head_state+0xfb/0x210 net/core/skbuff.c:651
skb_release_all net/core/skbuff.c:662 [inline]
__kfree_skb+0x22/0x1c0 net/core/skbuff.c:678
sctp_chunk_destroy net/sctp/sm_make_chunk.c:1454 [inline]
sctp_chunk_put+0x17b/0x200 net/sctp/sm_make_chunk.c:1481
sctp_datamsg_destroy net/sctp/chunk.c:107 [inline]
sctp_datamsg_put+0x438/0x570 net/sctp/chunk.c:128
sctp_chunk_free+0x46/0x60 net/sctp/sm_make_chunk.c:1466
__sctp_outq_teardown+0xa43/0xc90 net/sctp/outqueue.c:267
sctp_association_free+0x21e/0x7c0 net/sctp/associola.c:339
sctp_cmd_delete_tcb net/sctp/sm_sideeffect.c:930 [inline]
sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1318 [inline]
sctp_side_effects net/sctp/sm_sideeffect.c:1185 [inline]
sctp_do_sm+0x3c01/0x5560 net/sctp/sm_sideeffect.c:1156
sctp_primitive_ABORT+0x93/0xc0 net/sctp/primitive.c:104
sctp_close+0x2aa/0x7d0 net/sctp/socket.c:1544
inet_release+0x135/0x180 net/ipv4/af_inet.c:427
__sock_release net/socket.c:605 [inline]
sock_close+0xd8/0x260 net/socket.c:1283
__fput+0x2d8/0x730 fs/file_table.c:280
task_work_run+0x176/0x1b0 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0x5ef/0x1f80 kernel/exit.c:801
do_group_exit+0x15e/0x2c0 kernel/exit.c:899
__do_sys_exit_group+0x13/0x20 kernel/exit.c:910
__se_sys_exit_group+0x10/0x10 kernel/exit.c:908
__x64_sys_exit_group+0x37/0x40 kernel/exit.c:908
do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x43ebc8
Code: Bad RIP value.
RSP: 002b:00007ffc20ac1f68 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ebc8
RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
RBP: 00000000004be4a0 R08: 00000000000000e7 R09: ffffffffffffffd0
R10: 000000002059aff8 R11: 0000000000000246 R12: 0000000000000001
R13: 00000000006cc180 R14: 0000000000000000 R15: 0000000000000000
Kernel Offset: disabled
Rebooting in 86400 seconds..


Tested on:

commit: 8428101f add datamsg
console output: https://syzkaller.appspot.com/x/log.txt?x=17524223e00000
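
The traces above all end in refcount_warn_saturate() reached from refcount_sub_and_test() inlined into sctp_wfree(). What follows is an added example, not code from this thread or from the kernel: a userspace C model of the saturating refcount_t decision logic in include/linux/refcount.h and lib/refcount.c (v5.6, reproduced from that source with a plain int in place of the atomic), so the meaning of "refcount_t: underflow; use-after-free." can be checked offline. That the counter sctp_wfree() drops is the owning socket's sk_wmem_alloc is taken from the kernel source, not from the thread; CHUNK_COST and the two-chunk lifecycle are constructed for the demonstration.

```c
/* Added example, not kernel code: a userspace model of the saturating refcount_t
 * logic in include/linux/refcount.h and lib/refcount.c (v5.6).  A plain int
 * stands in for the atomic; the decision logic is kept as in the kernel. */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

#define REFCOUNT_SATURATED (INT_MIN / 2)   /* value the kernel pins a bad counter to */

/* Subset of the kernel's enum refcount_saturation_type. */
enum refcount_saturation_type {
    REFCOUNT_SUB_UAF,     /* a put took the count below zero */
    REFCOUNT_DEC_LEAK,    /* a dec (not dec_and_test) reached zero */
};

struct refcount_model {
    int refs;
    int warnings;                            /* refcount_warn_saturate() calls */
    enum refcount_saturation_type last_warning;
};

/* refcount_warn_saturate(): saturate the counter so it can never reach zero
 * again (the object leaks instead of being freed twice), then WARN.  With
 * panic_on_warn=1, as on the syzbot instances above, that WARN is the panic. */
static void refcount_warn_saturate(struct refcount_model *r,
                                   enum refcount_saturation_type t)
{
    r->refs = REFCOUNT_SATURATED;
    r->warnings++;
    r->last_warning = t;
    if (t == REFCOUNT_SUB_UAF)
        puts("refcount_t: underflow; use-after-free.");
    else
        puts("refcount_t: decrement hit 0; leaking memory.");
}

/* refcount_sub_and_test(): true only when this drop takes the count exactly to
 * zero; a drop that crosses zero is an extra put on something already released. */
static bool refcount_sub_and_test(int i, struct refcount_model *r)
{
    int old = r->refs;

    r->refs -= i;
    if (old == i)
        return true;
    if (old < 0 || old - i < 0)
        refcount_warn_saturate(r, REFCOUNT_SUB_UAF);
    return false;
}

static bool refcount_dec_and_test(struct refcount_model *r)
{
    return refcount_sub_and_test(1, r);
}

/* Hypothetical per-chunk charge for the demonstration; the kernel charges
 * skb->truesize plus sizeof(struct sctp_chunk) against sk_wmem_alloc. */
#define CHUNK_COST 256

struct outcome {
    int warnings;      /* how many saturation warnings fired */
    int final_refs;    /* counter value after the socket's own final put */
    bool sock_freed;   /* did the final put report "last reference dropped"? */
};

/* Constructed lifecycle: the socket starts holding one reference to itself,
 * two chunks are charged and released, then `extra_puts` releases of a chunk
 * that is already gone are made (0 = correct code, 1 = the double release),
 * and finally the socket drops its own reference. */
static struct outcome run_lifecycle(int extra_puts)
{
    struct refcount_model sk_wmem_alloc = { .refs = 1 };
    struct outcome out;
    int n;

    sk_wmem_alloc.refs += CHUNK_COST;                    /* chunk 1 queued */
    sk_wmem_alloc.refs += CHUNK_COST;                    /* chunk 2 queued */
    refcount_sub_and_test(CHUNK_COST, &sk_wmem_alloc);   /* chunk 1 freed */
    refcount_sub_and_test(CHUNK_COST, &sk_wmem_alloc);   /* chunk 2 freed */
    for (n = 0; n < extra_puts; n++)                     /* destructor runs again */
        refcount_sub_and_test(CHUNK_COST, &sk_wmem_alloc);

    out.sock_freed = refcount_dec_and_test(&sk_wmem_alloc);
    out.warnings = sk_wmem_alloc.warnings;
    out.final_refs = sk_wmem_alloc.refs;
    return out;
}

int main(void)
{
    struct outcome ok = run_lifecycle(0), bad = run_lifecycle(1);

    printf("balanced:  warnings=%d freed=%d refs=%d\n",
           ok.warnings, ok.sock_freed, ok.final_refs);
    printf("extra put: warnings=%d freed=%d refs=%d\n",
           bad.warnings, bad.sock_freed, bad.final_refs);
    return 0;
}
```

Build with cc -Wall and run it: the balanced run prints no warning and frees the socket, while the run with one extra put prints the underflow message, pins the counter at REFCOUNT_SATURATED and never frees the socket. That is the point of the saturating counter: a would-be use-after-free becomes a leak plus a WARN (or, with panic_on_warn, the panic seen above). The model says nothing about why sctp_wfree() ran a second time for one chunk; that is what the patches being tested in this thread address.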

syzbot

Mar 22, 2020, 12:03:04 AM
to anen...@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger crash:

Reported-and-tested-by: syzbot+cea71e...@syzkaller.appspotmail.com

Tested on:

commit: 26b6b5bb datamsg
kernel config: https://syzkaller.appspot.com/x/.config?x=a5295e161cd85b82
dashboard link: https://syzkaller.appspot.com/bug?extid=cea71eec5d6de256d54d
compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)

Qiujun Huang

Mar 22, 2020, 12:12:12 AM
to syzbot, da...@davemloft.net, ku...@kernel.org, linux-...@vger.kernel.org, linux...@vger.kernel.org, marcelo...@gmail.com, net...@vger.kernel.org, nho...@tuxdriver.com, syzkall...@googlegroups.com, vyas...@gmail.com
#syz test: https://github.com/hqj/hqjagain_test.git sctp_for_each_tx_datachunk

syzbot

Mar 22, 2020, 12:39:03 AM
to anen...@gmail.com, da...@davemloft.net, ku...@kernel.org, linux-...@vger.kernel.org, linux...@vger.kernel.org, marcelo...@gmail.com, net...@vger.kernel.org, nho...@tuxdriver.com, syzkall...@googlegroups.com, vyas...@gmail.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger crash:

Reported-and-tested-by: syzbot+cea71e...@syzkaller.appspotmail.com

Tested on:

commit: e76397e4 iterate datamsg list
git tree: https://github.com/hqj/hqjagain_test.git sctp_for_each_tx_datachunk
kernel config: https://syzkaller.appspot.com/x/.config?x=6dfa02302d6db985

Qiujun Huang

Mar 22, 2020, 2:41:16 AM
to syzbot, da...@davemloft.net, ku...@kernel.org, linux-...@vger.kernel.org, linux...@vger.kernel.org, marcelo...@gmail.com, net...@vger.kernel.org, nho...@tuxdriver.com, syzkall...@googlegroups.com, vyas...@gmail.com

syzbot

Mar 22, 2020, 3:18:05 AM
to anen...@gmail.com, da...@davemloft.net, ku...@kernel.org, linux-...@vger.kernel.org, linux...@vger.kernel.org, marcelo...@gmail.com, net...@vger.kernel.org, nho...@tuxdriver.com, syzkall...@googlegroups.com, vyas...@gmail.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger crash:

Reported-and-tested-by: syzbot+cea71e...@syzkaller.appspotmail.com

Tested on:

commit: 573a2520 datamsg_list
git tree: https://github.com/hqj/hqjagain_test.git datamsg_list

syzbot

Mar 26, 2020, 11:38:45 AM
to Qiujun Huang, anen...@gmail.com, da...@davemloft.net, ku...@kernel.org, linux-...@vger.kernel.org, linux...@vger.kernel.org, marcelo...@gmail.com, net...@vger.kernel.org, nho...@tuxdriver.com, syzkall...@googlegroups.com, vyas...@gmail.com
> #syz test: upstream

want 2 args (repo, branch), got 10


Qiujun Huang

Mar 26, 2020, 11:38:45 AM
to syzbot, da...@davemloft.net, ku...@kernel.org, LKML, linux...@vger.kernel.org, marcelo...@gmail.com, net...@vger.kernel.org, nho...@tuxdriver.com, syzkaller-bugs, vyas...@gmail.com
#syz test: upstream
0001-sctp-fix-refcount-bug-in-sctp_wfree.patch

syzbot

Mar 26, 2020, 11:38:47 AM
to Qiujun Huang, anen...@gmail.com, da...@davemloft.net, ku...@kernel.org, linux-...@vger.kernel.org, linux...@vger.kernel.org, marcelo...@gmail.com, net...@vger.kernel.org, nho...@tuxdriver.com, syzkall...@googlegroups.com, vyas...@gmail.com
> #syz test: upstream

want 2 args (repo, branch), got 10


Qiujun Huang

Mar 26, 2020, 11:53:37 AM
to syzbot, da...@davemloft.net, ku...@kernel.org, LKML, linux...@vger.kernel.org, marcelo...@gmail.com, net...@vger.kernel.org, nho...@tuxdriver.com, syzkaller-bugs, vyas...@gmail.com
#syz test: upstream, 2c523b34
0001-sctp-fix-refcount-bug-in-sctp_wfree.patch

syzbot

Mar 26, 2020, 11:53:38 AM
to Qiujun Huang, anen...@gmail.com, da...@davemloft.net, ku...@kernel.org, linux-...@vger.kernel.org, linux...@vger.kernel.org, marcelo...@gmail.com, net...@vger.kernel.org, nho...@tuxdriver.com, syzkall...@googlegroups.com, vyas...@gmail.com
> #syz test: upstream, 2c523b34

"upstream," does not look like a valid git repo address.

Qiujun Huang

Mar 26, 2020, 12:17:15 PM
to syzbot, da...@davemloft.net, ku...@kernel.org, LKML, linux...@vger.kernel.org, marcelo...@gmail.com, net...@vger.kernel.org, nho...@tuxdriver.com, syzkaller-bugs, vyas...@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
master

sorry about the noise :p

0001-sctp-fix-refcount-bug-in-sctp_wfree.patch

syzbot

Mar 26, 2020, 5:25:03 PM
to anen...@gmail.com, da...@davemloft.net, ku...@kernel.org, linux-...@vger.kernel.org, linux...@vger.kernel.org, marcelo...@gmail.com, net...@vger.kernel.org, nho...@tuxdriver.com, syzkall...@googlegroups.com, vyas...@gmail.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger crash:

Reported-and-tested-by: syzbot+cea71e...@syzkaller.appspotmail.com

Tested on:

commit: 9420e8ad Merge tag 'for-linus' of git://git.kernel.org/pub..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=4ac76c43beddbd9
dashboard link: https://syzkaller.appspot.com/bug?extid=cea71eec5d6de256d54d
compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
patch: https://syzkaller.appspot.com/x/patch.diff?x=1670bfbbe00000