From: syzbot <syzbot+6455648abc28dbdd1e7f@syzkaller.appspotmail.com>
To: dhowells@redhat.com, jarkko.sakkinen@linux.intel.com, jmorris@namei.org, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, serge@hallyn.com, syzkaller-bugs@googlegroups.com
Subject: WARNING: refcount bug in find_key_to_update
Date: Thu, 17 Oct 2019 01:42:11 +0000
Message-ID: <000000000000830fe50595115344@google.com>

Hello,

syzbot found the following crash on:

HEAD commit:    bc88f85c kthread: make __kthread_queue_delayed_work static
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1730584b600000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e0ac4d9b35046343
dashboard link: https://syzkaller.appspot.com/bug?extid=6455648abc28dbdd1e7f
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11c8adab600000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+6455648abc28dbdd1e7f@syzkaller.appspotmail.com

------------[ cut here ]------------
refcount_t: increment on 0; use-after-free.
WARNING: CPU: 1 PID: 9064 at lib/refcount.c:156 refcount_inc_checked lib/refcount.c:156 [inline]
WARNING: CPU: 1 PID: 9064 at lib/refcount.c:156 refcount_inc_checked+0x61/0x70 lib/refcount.c:154
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 9064 Comm: syz-executor.5 Not tainted 5.4.0-rc3+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 panic+0x2e3/0x75c kernel/panic.c:221
 __warn.cold+0x2f/0x35 kernel/panic.c:582
 report_bug+0x289/0x300 lib/bug.c:195
 fixup_bug arch/x86/kernel/traps.c:179 [inline]
 fixup_bug arch/x86/kernel/traps.c:174 [inline]
 do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:272
 do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:291
 invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1028
RIP: 0010:refcount_inc_checked lib/refcount.c:156 [inline]
RIP: 0010:refcount_inc_checked+0x61/0x70 lib/refcount.c:154
Code: 1d 58 46 7e 06 31 ff 89 de e8 0b cb 2e fe 84 db 75 dd e8 c2 c9 2e fe 48 c7 c7 40 ad e6 87 c6 05 38 46 7e 06 01 e8 67 0c 00 fe <0f> 0b eb c1 90 90 90 90 90 90 90 90 90 90 90 55 48 89 e5 41 57 41
RSP: 0018:ffff888081447c68 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff815cb646 RDI: ffffed1010288f7f
RBP: ffff888081447c78 R08: ffff8880a231a080 R09: ffffed1015d26159
R10: ffffed1015d26158 R11: ffff8880ae930ac7 R12: ffff8880a4518940
R13: 0000000000000000 R14: ffff888081447e10 R15: ffff8880a4518c40
 __key_get include/linux/key.h:281 [inline]
 find_key_to_update+0x8b/0xc0 security/keys/keyring.c:1127
 key_create_or_update+0x588/0xbe0 security/keys/key.c:905
 __do_sys_add_key security/keys/keyctl.c:132 [inline]
 __se_sys_add_key security/keys/keyctl.c:72 [inline]
 __x64_sys_add_key+0x2bd/0x4f0 security/keys/keyctl.c:72
 do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459a59
Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f22e3171c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000f8
RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000459a59
RDX: 0000000020000440 RSI: 0000000020000000 RDI: 0000000020000040
RBP: 000000000075bf20 R08: fffffffffffffffe R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000246 R12: 00007f22e31726d4
R13: 00000000004bfab8 R14: 00000000004d1ad8 R15: 00000000ffffffff
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches