* [syzbot] KASAN: use-after-free Read in netdev_core_pick_tx
@ 2022-11-15 17:29 syzbot
From: syzbot @ 2022-11-15 17:29 UTC (permalink / raw)
  To: axboe, justin, linux-block, linux-kernel, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    42226c989789 Linux 5.18-rc7
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13edd495f00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=d84df8e1a4c4d5a4
dashboard link: https://syzkaller.appspot.com/bug?extid=10a7a8ca6e94600110ec
compiler:       Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11ed1369f00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=166b22cef00000

Bisection is inconclusive: the issue happens on the oldest tested release.

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=14305359f00000
final oops:     https://syzkaller.appspot.com/x/report.txt?x=16305359f00000
console output: https://syzkaller.appspot.com/x/log.txt?x=12305359f00000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+10a7a8ca6e94600110ec@syzkaller.appspotmail.com

ieee802154 phy1 wpan1: encryption failed: -22
xfrm0 selects TX queue 0, but real number of TX queues is 0
==================================================================
BUG: KASAN: use-after-free in netdev_get_tx_queue include/linux/netdevice.h:2367 [inline]
BUG: KASAN: use-after-free in netdev_core_pick_tx+0x1ba/0x2f0 net/core/dev.c:4061
Read of size 8 at addr ffff8880802f4440 by task aoe_tx0/1226

CPU: 1 PID: 1226 Comm: aoe_tx0 Not tainted 5.18.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
 print_address_description+0x65/0x4b0 mm/kasan/report.c:313
 print_report+0xf4/0x210 mm/kasan/report.c:429
 kasan_report+0xfb/0x130 mm/kasan/report.c:491
 netdev_get_tx_queue include/linux/netdevice.h:2367 [inline]
 netdev_core_pick_tx+0x1ba/0x2f0 net/core/dev.c:4061
 __dev_queue_xmit+0x8bd/0x3640 net/core/dev.c:4136
 tx+0x6f/0x110 drivers/block/aoe/aoenet.c:63
 kthread+0x241/0x450 drivers/block/aoe/aoecmd.c:1229
 kthread+0x266/0x300 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30
 </TASK>

Allocated by task 12330:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 ____kasan_kmalloc+0xdc/0x110 mm/kasan/common.c:515
 kasan_kmalloc include/linux/kasan.h:234 [inline]
 __kmalloc_node+0x262/0x400 mm/slub.c:4462
 kmalloc_node include/linux/slab.h:604 [inline]
 kvmalloc_node+0x6e/0x160 mm/util.c:580
 kvmalloc include/linux/slab.h:731 [inline]
 kvzalloc include/linux/slab.h:739 [inline]
 alloc_netdev_mqs+0x85/0xe10 net/core/dev.c:10491
 rtnl_create_link+0x2db/0x9e0 net/core/rtnetlink.c:3204
 __rtnl_newlink net/core/rtnetlink.c:3473 [inline]
 rtnl_newlink+0x13b7/0x2070 net/core/rtnetlink.c:3531
 rtnetlink_rcv_msg+0x92f/0xe80 net/core/rtnetlink.c:5993
 netlink_rcv_skb+0x1f0/0x460 net/netlink/af_netlink.c:2502
 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
 netlink_unicast+0x7e7/0x9c0 net/netlink/af_netlink.c:1345
 netlink_sendmsg+0x9b3/0xcd0 net/netlink/af_netlink.c:1921
 sock_sendmsg_nosec net/socket.c:705 [inline]
 sock_sendmsg net/socket.c:725 [inline]
 ____sys_sendmsg+0x597/0x8e0 net/socket.c:2413
 ___sys_sendmsg net/socket.c:2467 [inline]
 __sys_sendmsg+0x27e/0x370 net/socket.c:2496
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 12330:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x4c/0x70 mm/kasan/common.c:45
 kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:370
 ____kasan_slab_free+0xd8/0x110 mm/kasan/common.c:366
 kasan_slab_free include/linux/kasan.h:200 [inline]
 slab_free_hook mm/slub.c:1728 [inline]
 slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1754
 slab_free mm/slub.c:3510 [inline]
 kfree+0xc6/0x210 mm/slub.c:4552
 device_release+0x98/0x1c0
 kobject_cleanup+0x235/0x470 lib/kobject.c:673
 netdev_run_todo+0xf7c/0x1070 net/core/dev.c:10274
 rtnl_unlock net/core/rtnetlink.c:112 [inline]
 rtnetlink_rcv_msg+0x936/0xe80 net/core/rtnetlink.c:5994
 netlink_rcv_skb+0x1f0/0x460 net/netlink/af_netlink.c:2502
 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
 netlink_unicast+0x7e7/0x9c0 net/netlink/af_netlink.c:1345
 netlink_sendmsg+0x9b3/0xcd0 net/netlink/af_netlink.c:1921
 sock_sendmsg_nosec net/socket.c:705 [inline]
 sock_sendmsg net/socket.c:725 [inline]
 ____sys_sendmsg+0x597/0x8e0 net/socket.c:2413
 ___sys_sendmsg net/socket.c:2467 [inline]
 __sys_sendmsg+0x27e/0x370 net/socket.c:2496
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff8880802f4000
 which belongs to the cache kmalloc-cg-4k of size 4096
The buggy address is located 1088 bytes inside of
 4096-byte region [ffff8880802f4000, ffff8880802f5000)

The buggy address belongs to the physical page:
page:ffffea000200bc00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x802f0
head:ffffea000200bc00 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 0000000000000000 dead000000000122 ffff88801144c280
raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3660, tgid 3660 (udevd), ts 992725721470, free_ts 992688446020
 prep_new_page mm/page_alloc.c:2441 [inline]
 get_page_from_freelist+0x72e/0x7a0 mm/page_alloc.c:4182
 __alloc_pages+0x26c/0x5f0 mm/page_alloc.c:5408
 alloc_slab_page+0x70/0xf0 mm/slub.c:1799
 allocate_slab+0x5e/0x560 mm/slub.c:1944
 new_slab mm/slub.c:2004 [inline]
 ___slab_alloc+0x41e/0xcd0 mm/slub.c:3005
 __slab_alloc mm/slub.c:3092 [inline]
 slab_alloc_node mm/slub.c:3183 [inline]
 __kmalloc_node+0x2c0/0x400 mm/slub.c:4458
 kmalloc_node include/linux/slab.h:604 [inline]
 kvmalloc_node+0x6e/0x160 mm/util.c:580
 kvmalloc include/linux/slab.h:731 [inline]
 seq_buf_alloc fs/seq_file.c:38 [inline]
 seq_read_iter+0x1f6/0xd30 fs/seq_file.c:210
 call_read_iter include/linux/fs.h:2044 [inline]
 new_sync_read fs/read_write.c:401 [inline]
 vfs_read+0xa01/0xd10 fs/read_write.c:482
 ksys_read+0x19b/0x2c0 fs/read_write.c:620
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1356 [inline]
 free_pcp_prepare+0x812/0x900 mm/page_alloc.c:1406
 free_unref_page_prepare mm/page_alloc.c:3328 [inline]
 free_unref_page+0x7d/0x390 mm/page_alloc.c:3423
 free_slab mm/slub.c:2043 [inline]
 discard_slab mm/slub.c:2049 [inline]
 __unfreeze_partials+0x1ab/0x200 mm/slub.c:2523
 put_cpu_partial+0x116/0x180 mm/slub.c:2599
 do_slab_free mm/slub.c:3498 [inline]
 ___cache_free+0x118/0x1a0 mm/slub.c:3517
 qlist_free_all+0x2b/0x70 mm/kasan/quarantine.c:176
 kasan_quarantine_reduce+0x169/0x180 mm/kasan/quarantine.c:283
 __kasan_slab_alloc+0x2f/0xe0 mm/kasan/common.c:446
 kasan_slab_alloc include/linux/kasan.h:224 [inline]
 slab_post_alloc_hook mm/slab.h:749 [inline]
 slab_alloc_node mm/slub.c:3217 [inline]
 kmem_cache_alloc_node+0x1cd/0x340 mm/slub.c:3267
 __alloc_skb+0xd2/0x590 net/core/skbuff.c:414
 alloc_skb include/linux/skbuff.h:1300 [inline]
 nlmsg_new include/net/netlink.h:953 [inline]
 rtmsg_ifinfo_build_skb+0x81/0x180 net/core/rtnetlink.c:3844
 rtmsg_ifinfo_event net/core/rtnetlink.c:3880 [inline]
 rtnetlink_event+0xea/0x1b0 net/core/rtnetlink.c:6044
 notifier_call_chain kernel/notifier.c:84 [inline]
 raw_notifier_call_chain+0xe7/0x170 kernel/notifier.c:392
 call_netdevice_notifiers_info net/core/dev.c:1938 [inline]
 call_netdevice_notifiers_extack net/core/dev.c:1976 [inline]
 call_netdevice_notifiers+0x14e/0x1d0 net/core/dev.c:1990
 bond_set_dev_addr+0xd4/0x170 drivers/net/bonding/bond_main.c:931
 bond_enslave+0xab9/0x3f20 drivers/net/bonding/bond_main.c:1888

Memory state around the buggy address:
 ffff8880802f4300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880802f4380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880802f4400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff8880802f4480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880802f4500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches


* Re: [syzbot] [block?] KASAN: use-after-free Read in netdev_core_pick_tx
@ 2023-03-31 15:42 ` syzbot
From: syzbot @ 2023-03-31 15:42 UTC (permalink / raw)
  To: axboe, gakula, hdanton, jiasheng, justin, kuba, linux-block,
	linux-kernel, michal.swiatkowski, syzkaller-bugs

syzbot suspects this issue was fixed by commit:

commit f038f3917baf04835ba2b7bcf2a04ac93fbf8a9c
Author: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Date:   Fri Mar 17 06:43:37 2023 +0000

    octeontx2-vf: Add missing free for alloc_percpu

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=133a3d2ec80000
start commit:   42226c989789 Linux 5.18-rc7
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=d84df8e1a4c4d5a4
dashboard link: https://syzkaller.appspot.com/bug?extid=10a7a8ca6e94600110ec
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11ed1369f00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=166b22cef00000

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: octeontx2-vf: Add missing free for alloc_percpu

For information about bisection process see: https://goo.gl/tpsmEJ#bisection


* Re: [syzbot] [block?] KASAN: use-after-free Read in netdev_core_pick_tx
@ 2023-03-31 15:48   ` Aleksandr Nogikh
From: Aleksandr Nogikh @ 2023-03-31 15:48 UTC (permalink / raw)
  To: syzbot
  Cc: axboe, gakula, hdanton, jiasheng, justin, kuba, linux-block,
	linux-kernel, michal.swiatkowski, syzkaller-bugs

On Fri, Mar 31, 2023 at 5:42 PM syzbot
<syzbot+10a7a8ca6e94600110ec@syzkaller.appspotmail.com> wrote:
>
> syzbot suspects this issue was fixed by commit:
>
> commit f038f3917baf04835ba2b7bcf2a04ac93fbf8a9c
> Author: Jiasheng Jiang <jiasheng@iscas.ac.cn>
> Date:   Fri Mar 17 06:43:37 2023 +0000
>
>     octeontx2-vf: Add missing free for alloc_percpu
>
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=133a3d2ec80000
> start commit:   42226c989789 Linux 5.18-rc7
> git tree:       upstream
> kernel config:  https://syzkaller.appspot.com/x/.config?x=d84df8e1a4c4d5a4
> dashboard link: https://syzkaller.appspot.com/bug?extid=10a7a8ca6e94600110ec
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11ed1369f00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=166b22cef00000
>
> If the result looks correct, please mark the issue as fixed by replying with:

No, the commit is unfortunately unrelated.

>
> #syz fix: octeontx2-vf: Add missing free for alloc_percpu
>
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
>


* Re: [syzbot] KASAN: use-after-free Read in netdev_core_pick_tx
       [not found] <20221117095316.3682-1-hdanton@sina.com>
@ 2022-11-17 10:53 ` syzbot
From: syzbot @ 2022-11-17 10:53 UTC (permalink / raw)
  To: hdanton, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in default_device_exit_batch

device veth1_macvtap left promiscuous mode
device veth0_macvtap left promiscuous mode
device veth1_vlan left promiscuous mode
device veth0_vlan left promiscuous mode
bond6 (unregistering): Released all slaves
------------[ cut here ]------------
WARNING: CPU: 0 PID: 45 at net/core/dev.c:10770 unregister_netdevice_many+0x1421/0x1950
Modules linked in:
CPU: 1 PID: 45 Comm: kworker/u4:2 Not tainted 5.18.0-rc7-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Workqueue: netns cleanup_net
RIP: 0010:unregister_netdevice_many+0x1421/0x1950 net/core/dev.c:10770
Code: 74 08 48 89 df e8 7f 68 ae f9 48 8b 1b 48 89 5c 24 40 4c 39 fb 0f 84 0c 01 00 00 e8 a9 80 5d f9 e9 64 f6 ff ff e8 9f 80 5d f9 <0f> 0b e9 2a ff ff ff e8 93 80 5d f9 0f 0b e9 7a ff ff ff e8 87 80
RSP: 0018:ffffc90000b678e0 EFLAGS: 00010293
RAX: ffffffff88289461 RBX: ffff888016ea00a0 RCX: ffff888017138000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffffc90000b67a50 R08: ffffffff88289345 R09: fffffbfff1b74a89
R10: fffffbfff1b74a89 R11: 1ffffffff1b74a88 R12: ffff888023fb8e80
R13: 0000000000000002 R14: dffffc0000000000 R15: ffffc90000b67ae0
FS:  0000000000000000(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc044717a70 CR3: 0000000074978000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 default_device_exit_batch+0x660/0x6d0 net/core/dev.c:11241
 ops_exit_list net/core/net_namespace.c:167 [inline]
 cleanup_net+0x80c/0xc50 net/core/net_namespace.c:594
 process_one_work+0x81c/0xd10 kernel/workqueue.c:2289
 worker_thread+0xb14/0x1330 kernel/workqueue.c:2436
 kthread+0x266/0x300 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30
 </TASK>


Tested on:

commit:         42226c98 Linux 5.18-rc7
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=16c9e702880000
kernel config:  https://syzkaller.appspot.com/x/.config?x=d84df8e1a4c4d5a4
dashboard link: https://syzkaller.appspot.com/bug?extid=10a7a8ca6e94600110ec
compiler:       Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch:          https://syzkaller.appspot.com/x/patch.diff?x=134b9a95880000



* Re: [syzbot] KASAN: use-after-free Read in netdev_core_pick_tx
       [not found] <20221116084731.3123-1-hdanton@sina.com>
@ 2022-11-16 16:43 ` syzbot
From: syzbot @ 2022-11-16 16:43 UTC (permalink / raw)
  To: hdanton, linux-kernel, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

ice registered as radio22
[    9.280484][    T1] vivid-011: V4L2 transmitter device registered as radio23
[    9.281637][    T1] vivid-011: V4L2 metadata capture device registered as video53
[    9.282665][    T1] vivid-011: V4L2 metadata output device registered as video54
[    9.283695][    T1] vivid-011: V4L2 touch capture device registered as v4l-touch11
[    9.284749][    T1] vivid-012: using single planar format API
[    9.313834][    T1] vivid-012: CEC adapter cec24 registered for HDMI input 0
[    9.314750][    T1] vivid-012: V4L2 capture device registered as video55
[    9.315693][    T1] vivid-012: CEC adapter cec25 registered for HDMI output 0
[    9.316677][    T1] vivid-012: V4L2 output device registered as video56
[    9.317646][    T1] vivid-012: V4L2 capture device registered as vbi24, supports raw and sliced VBI
[    9.318291][    T1] vivid-012: V4L2 output device registered as vbi25, supports raw and sliced VBI
[    9.320037][    T1] vivid-012: V4L2 capture device registered as swradio12
[    9.321192][    T1] vivid-012: V4L2 receiver device registered as radio24
[    9.322138][    T1] vivid-012: V4L2 transmitter device registered as radio25
[    9.323120][    T1] vivid-012: V4L2 metadata capture device registered as video57
[    9.324128][    T1] vivid-012: V4L2 metadata output device registered as video58
[    9.325064][    T1] vivid-012: V4L2 touch capture device registered as v4l-touch12
[    9.326045][    T1] vivid-013: using multiplanar format API
[    9.353487][    T1] vivid-013: CEC adapter cec26 registered for HDMI input 0
[    9.354582][    T1] vivid-013: V4L2 capture device registered as video59
[    9.355753][    T1] vivid-013: CEC adapter cec27 registered for HDMI output 0
[    9.357436][    T1] vivid-013: V4L2 output device registered as video60
[    9.358424][    T1] vivid-013: V4L2 capture device registered as vbi26, supports raw and sliced VBI
[    9.359083][    T1] vivid-013: V4L2 output device registered as vbi27, supports raw and sliced VBI
[    9.359853][    T1] vivid-013: V4L2 capture device registered as swradio13
[    9.362214][    T1] vivid-013: V4L2 receiver device registered as radio26
[    9.363251][    T1] vivid-013: V4L2 transmitter device registered as radio27
[    9.364242][    T1] vivid-013: V4L2 metadata capture device registered as video61
[    9.365221][    T1] vivid-013: V4L2 metadata output device registered as video62
[    9.366272][    T1] vivid-013: V4L2 touch capture device registered as v4l-touch13
[    9.367776][    T1] vivid-014: using single planar format API
[    9.395970][    T1] vivid-014: CEC adapter cec28 registered for HDMI input 0
[    9.397055][    T1] vivid-014: V4L2 capture device registered as video63
[    9.398170][    T1] vivid-014: CEC adapter cec29 registered for HDMI output 0
[    9.399246][    T1] vivid-014: V4L2 output device registered as video64
[    9.400190][    T1] vivid-014: V4L2 capture device registered as vbi28, supports raw and sliced VBI
[    9.400893][    T1] vivid-014: V4L2 output device registered as vbi29, supports raw and sliced VBI
[    9.402605][    T1] vivid-014: V4L2 capture device registered as swradio14
[    9.403517][    T1] vivid-014: V4L2 receiver device registered as radio28
[    9.404644][    T1] vivid-014: V4L2 transmitter device registered as radio29
[    9.406460][    T1] vivid-014: V4L2 metadata capture device registered as video65
[    9.407559][    T1] vivid-014: V4L2 metadata output device registered as video66
[    9.408605][    T1] vivid-014: V4L2 touch capture device registered as v4l-touch14
[    9.409611][    T1] vivid-015: using multiplanar format API
[    9.438655][    T1] vivid-015: CEC adapter cec30 registered for HDMI input 0
[    9.439767][    T1] vivid-015: V4L2 capture device registered as video67
[    9.440915][    T1] vivid-015: CEC adapter cec31 registered for HDMI output 0
[    9.442045][    T1] vivid-015: V4L2 output device registered as video68
[    9.443006][    T1] vivid-015: V4L2 capture device registered as vbi30, supports raw and sliced VBI
[    9.443770][    T1] vivid-015: V4L2 output device registered as vbi31, supports raw and sliced VBI
[    9.445343][    T1] vivid-015: V4L2 capture device registered as swradio15
[    9.446659][    T1] vivid-015: V4L2 receiver device registered as radio30
[    9.447727][    T1] vivid-015: V4L2 transmitter device registered as radio31
[    9.449013][    T1] vivid-015: V4L2 metadata capture device registered as video69
[    9.450180][    T1] vivid-015: V4L2 metadata output device registered as video70
[    9.451250][    T1] vivid-015: V4L2 touch capture device registered as v4l-touch15
[    9.453925][    T1] usbcore: registered new interface driver radioshark2
[    9.454577][    T1] usbcore: registered new interface driver radioshark
[    9.455355][    T1] usbcore: registered new interface driver radio-si470x
[    9.456610][    T1] usbcore: registered new interface driver radio-usb-si4713
[    9.457292][    T1] usbcore: registered new interface driver dsbr100
[    9.462150][    T8] floppy0: no floppy controllers found
[    9.462792][    T8] work still pending
[    9.463392][  T983] floppy0: floppy_shutdown: timeout handler died.  
[    9.475753][    T1] usbcore: registered new interface driver radio-keene
[    9.476503][    T1] usbcore: registered new interface driver radio-ma901
[    9.477112][    T1] usbcore: registered new interface driver radio-mr800
[    9.477798][    T1] usbcore: registered new interface driver radio-raremono
[    9.481027][    T1] usbcore: registered new interface driver pcwd_usb
[    9.494826][    T1] device-mapper: core: CONFIG_IMA_DISABLE_HTABLE is disabled. Duplicate IMA measurements will not be recorded in the IMA log.
[    9.495376][    T1] device-mapper: uevent: version 1.0.3
[    9.497645][    T1] device-mapper: ioctl: 4.46.0-ioctl (2022-02-22) initialised: dm-devel@redhat.com
[    9.501149][    T1] device-mapper: multipath round-robin: version 1.2.0 loaded
[    9.501167][    T1] device-mapper: multipath queue-length: version 0.2.0 loaded
[    9.501181][    T1] device-mapper: multipath service-time: version 0.3.0 loaded
[    9.502267][    T1] device-mapper: raid: Loading target version 1.15.1
[    9.505124][    T1] Bluetooth: HCI UART driver ver 2.3
[    9.505144][    T1] Bluetooth: HCI UART protocol H4 registered
[    9.505152][    T1] Bluetooth: HCI UART protocol BCSP registered
[    9.505633][    T1] Bluetooth: HCI UART protocol LL registered
[    9.506139][    T1] Bluetooth: HCI UART protocol Three-wire (H5) registered
[    9.506647][    T1] Bluetooth: HCI UART protocol QCA registered
[    9.506658][    T1] Bluetooth: HCI UART protocol AG6XX registered
[    9.507116][    T1] Bluetooth: HCI UART protocol Marvell registered
[    9.507954][    T1] usbcore: registered new interface driver bcm203x
[    9.508662][    T1] usbcore: registered new interface driver bpa10x
[    9.509399][    T1] usbcore: registered new interface driver bfusb
[    9.510131][    T1] usbcore: registered new interface driver btusb
[    9.511709][    T1] usbcore: registered new interface driver ath3k
[    9.513851][    T1] CAPI 2.0 started up with major 68 (middleware)
[    9.513866][    T1] Modular ISDN core version 1.1.29
[    9.515537][    T1] NET: Registered PF_ISDN protocol family
[    9.515549][    T1] DSP module 2.0
[    9.515556][    T1] mISDN_dsp: DSP clocks every 80 samples. This equals 1 jiffies.
[    9.522655][    T1] mISDN: Layer-1-over-IP driver Rev. 2.00
[    9.523481][    T1] 0 virtual devices registered
[    9.524502][    T1] usbcore: registered new interface driver HFC-S_USB
[    9.524519][    T1] intel_pstate: CPU model not supported
[    9.524530][    T1] VUB300 Driver rom wait states = 1C irqpoll timeout = 0400
[    9.537137][    T1] usbcore: registered new interface driver vub300
[    9.537472][    T1] usbcore: registered new interface driver ushc
[    9.552092][    T1] iscsi: registered transport (iser)
[    9.555962][    T1] SoftiWARP attached
[    9.556710][    T1] Driver 'memconsole' was unable to register with bus_type 'coreboot' because the bus was not initialized.
[    9.556724][    T1] Driver 'vpd' was unable to register with bus_type 'coreboot' because the bus was not initialized.
[    9.577857][    T1] hid: raw HID events driver (C) Jiri Kosina
[    9.659663][    T1] usbcore: registered new interface driver usbhid
[    9.659678][    T1] usbhid: USB HID core driver
[    9.670996][    T1] usbcore: registered new interface driver es2_ap_driver
[    9.671013][    T1] comedi: version 0.7.76 - http://www.comedi.org
[    9.672407][    T1] usbcore: registered new interface driver dt9812
[    9.673045][    T1] usbcore: registered new interface driver ni6501
[    9.673705][    T1] usbcore: registered new interface driver usbdux
[    9.674341][    T1] usbcore: registered new interface driver usbduxfast
[    9.675032][    T1] usbcore: registered new interface driver usbduxsigma
[    9.675723][    T1] usbcore: registered new interface driver vmk80xx
[    9.676478][    T1] usbcore: registered new interface driver prism2_usb
[    9.677979][    T1] usbcore: registered new interface driver r8712u
[    9.678861][    T1] greybus: registered new driver hid
[    9.679716][    T1] greybus: registered new driver gbphy
[    9.681416][    T1] gb_gbphy: registered new driver usb
[    9.681426][    T1] asus_wmi: ASUS WMI generic driver loaded
[    9.810733][ T1233] CPU: 0 PID: 1233 Comm: aoe_tx0 Not tainted 5.18.0-rc7-syzkaller-dirty #0
[    9.810733][ T1233] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[    9.810733][ T1233] Call Trace:
[    9.810733][ T1233]  <TASK>
[    9.810733][ T1233]  dump_stack_lvl+0x1e3/0x2cb
[    9.810733][ T1233]  ? bfq_pos_tree_add_move+0x436/0x436
[    9.810733][ T1233]  ? panic+0x76e/0x76e
[    9.810733][ T1233]  ? vscnprintf+0x59/0x80
[    9.810733][ T1233]  ? refcount_warn_saturate+0x120/0x1a0
[    9.810733][ T1233]  panic+0x312/0x76e
[    9.810733][ T1233]  ? __warn+0x131/0x220
[    9.810733][ T1233]  ? fb_is_primary_device+0xcc/0xcc
[    9.810733][ T1233]  ? ret_from_fork+0x1f/0x30
[    9.810733][ T1233]  ? refcount_warn_saturate+0x17c/0x1a0
[    9.810733][ T1233]  __warn+0x1fa/0x220
[    9.810733][ T1233]  ? refcount_warn_saturate+0x17c/0x1a0
[    9.845860][    T1] usbcore: registered new interface driver snd-usb-audio
[    9.846654][    T1] usbcore: registered new interface driver snd-ua101
[    9.847409][    T1] usbcore: registered new interface driver snd-usb-usx2y
[    9.848855][    T1] usbcore: registered new interface driver snd-usb-us122l
[    9.853684][    T1] usbcore: registered new interface driver snd-usb-caiaq
[    9.856046][    T1] usbcore: registered new interface driver snd-usb-6fire
[    9.860384][    T1] usbcore: registered new interface driver snd-usb-hiface
[    9.863557][    T1] usbcore: registered new interface driver snd-bcd2000
[    9.864161][    T1] usbcore: registered new interface driver snd_usb_pod
[    9.864962][    T1] usbcore: registered new interface driver snd_usb_podhd
[    9.865647][    T1] usbcore: registered new interface driver snd_usb_toneport
[    9.866260][    T1] usbcore: registered new interface driver snd_usb_variax
[    9.867610][    T1] drop_monitor: Initializing network drop monitor service
[    9.868126][    T1] NET: Registered PF_LLC protocol family
[    9.868421][    T1] GACT probability on
[    9.868478][    T1] Mirror/redirect action on
[    9.868814][    T1] Simple TC action Loaded
[    9.860705][ T1233]  report_bug+0x1b1/0x2e0
[    9.860705][ T1233]  handle_bug+0x3d/0x70
[    9.860705][ T1233]  exc_invalid_op+0x16/0x40
[    9.860705][ T1233]  asm_exc_invalid_op+0x12/0x20
[    9.860705][ T1233] RIP: 0010:refcount_warn_saturate+0x17c/0x1a0
[    9.860705][ T1233] Code: e8 8a 31 c0 e8 65 80 26 fd 0f 0b e9 64 ff ff ff e8 b9 14 5d fd c6 05 bc 02 c5 09 01 48 c7 c7 80 4b e8 8a 31 c0 e8 44 80 26 fd <0f> 0b e9 43 ff ff ff 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c a2 fe ff
[    9.860705][ T1233] RSP: 0000:ffffc900050afc28 EFLAGS: 00010246
[    9.860705][ T1233] RAX: f57a10d46fd60000 RBX: 0000000000000004 RCX: ffff88801e663b00
[    9.860705][ T1233] RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
[    9.860705][ T1233] RBP: 0000000000000004 R08: ffffffff816ad552 R09: fffff52000a15ed5
[    9.860705][ T1233] R10: fffff52000a15ed5 R11: 1ffff92000a15ed4 R12: ffff8881459f05b8
[    9.860705][ T1233] R13: 1ffff92000a15f8c R14: ffff8881459f0600 R15: dffffc0000000000
[    9.860705][ T1233]  ? wake_up_klogd+0xb2/0xf0
[    9.860705][ T1233]  ? refcount_warn_saturate+0x17c/0x1a0
[    9.860705][ T1233]  ref_tracker_free+0x659/0x7a0
[    9.860705][ T1233]  ? refcount_inc+0x80/0x80
[    9.860705][ T1233]  ? do_raw_spin_unlock+0x134/0x8a0
[    9.860705][ T1233]  ? _raw_spin_unlock_irq+0x1f/0x40
[    9.860705][ T1233]  ? lockdep_hardirqs_on+0x95/0x140
[    9.860705][ T1233]  tx+0xc9/0x190
[    9.860705][ T1233]  ? aoenet_xmit+0x1a0/0x1a0
[    9.860705][ T1233]  kthread+0x241/0x450
[    9.860705][ T1233]  ? aoe_ktstart+0x130/0x130
[    9.860705][ T1233]  ? do_task_dead+0xc0/0xc0
[    9.860705][ T1233]  ? _raw_spin_unlock+0x40/0x40
[    9.860705][ T1233]  ? lockdep_hardirqs_on_prepare+0x448/0x7b0
[    9.860705][ T1233]  ? __kthread_parkme+0x166/0x1c0
[    9.860705][ T1233]  kthread+0x266/0x300
[    9.860705][ T1233]  ? aoe_ktstart+0x130/0x130
[    9.860705][ T1233]  ? kthread_blkcg+0xd0/0xd0
[    9.860705][ T1233]  ret_from_fork+0x1f/0x30
[    9.860705][ T1233]  </TASK>
[    9.860705][ T1233] Kernel Offset: disabled
[    9.860705][ T1233] Rebooting in 86400 seconds..


syzkaller build log:
go env (err=<nil>)
GO111MODULE="auto"
GOARCH="amd64"
GOBIN=""
GOCACHE="/syzkaller/.cache/go-build"
GOENV="/syzkaller/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/syzkaller/jobs/linux/gopath/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/syzkaller/jobs/linux/gopath"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.17"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build3020494642=/tmp/go-build -gno-record-gcc-switches"

git status (err=<nil>)
HEAD detached at 744a39e22
nothing to commit, working tree clean


go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=744a39e220cece33e207035facce6c5ae161b775 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20220514-093120'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=744a39e220cece33e207035facce6c5ae161b775 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20220514-093120'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=744a39e220cece33e207035facce6c5ae161b775 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20220514-093120'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
	-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"744a39e220cece33e207035facce6c5ae161b775\"


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=125fadbe880000


Tested on:

commit:         42226c98 Linux 5.18-rc7
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config:  https://syzkaller.appspot.com/x/.config?x=d84df8e1a4c4d5a4
dashboard link: https://syzkaller.appspot.com/bug?extid=10a7a8ca6e94600110ec
compiler:       Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch:          https://syzkaller.appspot.com/x/patch.diff?x=161ac065880000

