linux-fsdevel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* Re: WARNING: refcount bug in should_fail
       [not found] <001a113f6736499d1c0566363863@google.com>
@ 2018-03-04  5:57 ` Tetsuo Handa
  2018-04-01 10:32   ` Dmitry Vyukov
  0 siblings, 1 reply; 16+ messages in thread
From: Tetsuo Handa @ 2018-03-04  5:57 UTC (permalink / raw)
  To: viro, ebiederm; +Cc: linux-fsdevel, netdev, linux-mm, syzkaller-bugs

Switching from mm to fsdevel, for this report says that put_net(net) in
rpc_kill_sb() made net->count < 0 when mount_ns() failed due to
register_shrinker() failure.

Relevant commits will be
commit 9ee332d99e4d5a97 ("sget(): handle failures of register_shrinker()") and
commit d91ee87d8d85a080 ("vfs: Pass data, ns, and ns->userns to mount_ns.").

When sget_userns() in mount_ns() failed, mount_ns() returns an error code to
the caller without calling fill_super(). That is, get_net(sb->s_fs_info) was
not called by rpc_fill_super() (via fill_super callback passed to mount_ns())
but put_net(sb->s_fs_info) is called by rpc_kill_sb() (via fs->kill_sb() from
deactivate_locked_super()).

----------
static struct dentry *
rpc_mount(struct file_system_type *fs_type,
                int flags, const char *dev_name, void *data)
{
        struct net *net = current->nsproxy->net_ns;
        return mount_ns(fs_type, flags, data, net, net->user_ns, rpc_fill_super);
}
----------

syzbot wrote:
> Hello,
> 
> syzbot hit the following crash on bpf-next commit
> 6f1b5a2b58d8470e5a8b25ab29f5fdb4616ffff8 (Tue Feb 27 04:11:23 2018 +0000)
> Merge branch 'bpf-kselftest-improvements'
> 
> C reproducer is attached.
> syzkaller reproducer is attached.
> Raw console output is attached.
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached.
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+84371b6062cb639d797e@syzkaller.appspotmail.com
> It will help syzbot understand when the bug is fixed. See footer for  
> details.
> If you forward the report, please keep this part and the footer.
> 
> ------------[ cut here ]------------
> FAULT_INJECTION: forcing a failure.
> name failslab, interval 1, probability 0, space 0, times 0
> refcount_t: underflow; use-after-free.
> CPU: 1 PID: 4239 Comm: syzkaller149381 Not tainted 4.16.0-rc2+ #20
> WARNING: CPU: 0 PID: 4237 at lib/refcount.c:187  
> refcount_sub_and_test+0x167/0x1b0 lib/refcount.c:187
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
> Google 01/01/2011
> Call Trace:
> Kernel panic - not syncing: panic_on_warn set ...
> 
>   __dump_stack lib/dump_stack.c:17 [inline]
>   dump_stack+0x194/0x24d lib/dump_stack.c:53
>   fail_dump lib/fault-inject.c:51 [inline]
>   should_fail+0x8c0/0xa40 lib/fault-inject.c:149
>   should_failslab+0xec/0x120 mm/failslab.c:32
>   slab_pre_alloc_hook mm/slab.h:422 [inline]
>   slab_alloc mm/slab.c:3365 [inline]
>   __do_kmalloc mm/slab.c:3703 [inline]
>   __kmalloc+0x63/0x760 mm/slab.c:3714
>   kmalloc include/linux/slab.h:517 [inline]
>   kzalloc include/linux/slab.h:701 [inline]
>   register_shrinker+0x10e/0x2d0 mm/vmscan.c:268
>   sget_userns+0xbbf/0xe40 fs/super.c:520
>   mount_ns+0x6d/0x190 fs/super.c:1029
>   rpc_mount+0x9e/0xd0 net/sunrpc/rpc_pipe.c:1451
>   mount_fs+0x66/0x2d0 fs/super.c:1222
>   vfs_kern_mount.part.26+0xc6/0x4a0 fs/namespace.c:1037
>   vfs_kern_mount fs/namespace.c:2509 [inline]
>   do_new_mount fs/namespace.c:2512 [inline]
>   do_mount+0xea4/0x2bb0 fs/namespace.c:2842
>   SYSC_mount fs/namespace.c:3058 [inline]
>   SyS_mount+0xab/0x120 fs/namespace.c:3035
>   do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
>   entry_SYSCALL_64_after_hwframe+0x42/0xb7
> RIP: 0033:0x4460f9
> RSP: 002b:00007fbcd769ad78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
> RAX: ffffffffffffffda RBX: 00000000006dcc6c RCX: 00000000004460f9
> RDX: 0000000020000080 RSI: 0000000020000040 RDI: 0000000020000000
> RBP: 00007fbcd769ad80 R08: 00000000200000c0 R09: 0000000000003131
> R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc68
> R13: ffffffffffffffff R14: 0000000000000037 R15: 0030656c69662f2e
> CPU: 0 PID: 4237 Comm: syzkaller149381 Not tainted 4.16.0-rc2+ #20
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
> Google 01/01/2011
> Call Trace:
>   __dump_stack lib/dump_stack.c:17 [inline]
>   dump_stack+0x194/0x24d lib/dump_stack.c:53
>   panic+0x1e4/0x41c kernel/panic.c:183
>   __warn+0x1dc/0x200 kernel/panic.c:547
>   report_bug+0x211/0x2d0 lib/bug.c:184
>   fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178
>   fixup_bug arch/x86/kernel/traps.c:247 [inline]
>   do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
>   do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
>   invalid_op+0x58/0x80 arch/x86/entry/entry_64.S:957
> RIP: 0010:refcount_sub_and_test+0x167/0x1b0 lib/refcount.c:187
> RSP: 0018:ffff8801b164f6d8 EFLAGS: 00010286
> RAX: dffffc0000000008 RBX: 0000000000000000 RCX: ffffffff815ac30e
> RDX: 0000000000000000 RSI: 1ffff100362c9e8b RDI: 1ffff100362c9e60
> RBP: ffff8801b164f768 R08: 0000000000000000 R09: 0000000000000000
> R10: ffff8801b164f610 R11: 0000000000000000 R12: 1ffff100362c9edc
> R13: 00000000ffffffff R14: 0000000000000001 R15: ffff8801ae924044
>   refcount_dec_and_test+0x1a/0x20 lib/refcount.c:212
>   put_net include/net/net_namespace.h:220 [inline]
>   rpc_kill_sb+0x253/0x3c0 net/sunrpc/rpc_pipe.c:1473
>   deactivate_locked_super+0x88/0xd0 fs/super.c:312
>   sget_userns+0xbda/0xe40 fs/super.c:522
>   mount_ns+0x6d/0x190 fs/super.c:1029
>   rpc_mount+0x9e/0xd0 net/sunrpc/rpc_pipe.c:1451
>   mount_fs+0x66/0x2d0 fs/super.c:1222
>   vfs_kern_mount.part.26+0xc6/0x4a0 fs/namespace.c:1037
>   vfs_kern_mount fs/namespace.c:2509 [inline]
>   do_new_mount fs/namespace.c:2512 [inline]
>   do_mount+0xea4/0x2bb0 fs/namespace.c:2842
>   SYSC_mount fs/namespace.c:3058 [inline]
>   SyS_mount+0xab/0x120 fs/namespace.c:3035
>   do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
>   entry_SYSCALL_64_after_hwframe+0x42/0xb7
> RIP: 0033:0x4460f9
> RSP: 002b:00007fbcd76dcd78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
> RAX: ffffffffffffffda RBX: 00000000006dcc3c RCX: 00000000004460f9
> RDX: 0000000020000080 RSI: 0000000020000040 RDI: 0000000020000000
> RBP: 00007fbcd76dcd80 R08: 00000000200000c0 R09: 0000000000003131
> R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc38
> R13: ffffffffffffffff R14: 0000000000000028 R15: 0030656c69662f2e
> Dumping ftrace buffer:
>     (ftrace buffer empty)
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
> 
> 
> ---
> This bug is generated by a dumb bot. It may contain errors.
> See https://goo.gl/tpsmEJ for details.
> Direct all questions to syzkaller@googlegroups.com.
> 
> syzbot will keep track of this bug report.
> If you forgot to add the Reported-by tag, once the fix for this bug is  
> merged
> into any tree, please reply to this email with:
> #syz fix: exact-commit-title
> If you want to test a patch for this bug, please reply with:
> #syz test: git://repo/address.git branch
> and provide the patch inline or as an attachment.
> To mark this as a duplicate of another syzbot report, please reply with:
> #syz dup: exact-subject-of-another-report
> If it's a one-off invalid bug report, please reply with:
> #syz invalid
> Note: if the crash happens again, it will cause creation of a new bug  
> report.
> Note: all commands must start from beginning of the line in the email body.
> 

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>

^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: WARNING: refcount bug in should_fail
  2018-03-04  5:57 ` WARNING: refcount bug in should_fail Tetsuo Handa
@ 2018-04-01 10:32   ` Dmitry Vyukov
  2018-04-01 10:32     ` syzbot
  2018-04-01 10:37     ` Dmitry Vyukov
  0 siblings, 2 replies; 16+ messages in thread
From: Dmitry Vyukov @ 2018-04-01 10:32 UTC (permalink / raw)
  To: Tetsuo Handa
  Cc: Al Viro, Eric W. Biederman, linux-fsdevel, netdev, Linux-MM,
	syzkaller-bugs

On Sun, Mar 4, 2018 at 6:57 AM, Tetsuo Handa
<penguin-kernel@i-love.sakura.ne.jp> wrote:
> Switching from mm to fsdevel, for this report says that put_net(net) in
> rpc_kill_sb() made net->count < 0 when mount_ns() failed due to
> register_shrinker() failure.
>
> Relevant commits will be
> commit 9ee332d99e4d5a97 ("sget(): handle failures of register_shrinker()") and
> commit d91ee87d8d85a080 ("vfs: Pass data, ns, and ns->userns to mount_ns.").
>
> When sget_userns() in mount_ns() failed, mount_ns() returns an error code to
> the caller without calling fill_super(). That is, get_net(sb->s_fs_info) was
> not called by rpc_fill_super() (via fill_super callback passed to mount_ns())
> but put_net(sb->s_fs_info) is called by rpc_kill_sb() (via fs->kill_sb() from
> deactivate_locked_super()).
>
> ----------
> static struct dentry *
> rpc_mount(struct file_system_type *fs_type,
>                 int flags, const char *dev_name, void *data)
> {
>         struct net *net = current->nsproxy->net_ns;
>         return mount_ns(fs_type, flags, data, net, net->user_ns, rpc_fill_super);
> }
> ----------

Messed kernel output, this is definitely not in should_fail.

#syz dup: WARNING: refcount bug in sk_alloc


> syzbot wrote:
>> Hello,
>>
>> syzbot hit the following crash on bpf-next commit
>> 6f1b5a2b58d8470e5a8b25ab29f5fdb4616ffff8 (Tue Feb 27 04:11:23 2018 +0000)
>> Merge branch 'bpf-kselftest-improvements'
>>
>> C reproducer is attached.
>> syzkaller reproducer is attached.
>> Raw console output is attached.
>> compiler: gcc (GCC) 7.1.1 20170620
>> .config is attached.
>>
>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> Reported-by: syzbot+84371b6062cb639d797e@syzkaller.appspotmail.com
>> It will help syzbot understand when the bug is fixed. See footer for
>> details.
>> If you forward the report, please keep this part and the footer.
>>
>> ------------[ cut here ]------------
>> FAULT_INJECTION: forcing a failure.
>> name failslab, interval 1, probability 0, space 0, times 0
>> refcount_t: underflow; use-after-free.
>> CPU: 1 PID: 4239 Comm: syzkaller149381 Not tainted 4.16.0-rc2+ #20
>> WARNING: CPU: 0 PID: 4237 at lib/refcount.c:187
>> refcount_sub_and_test+0x167/0x1b0 lib/refcount.c:187
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>> Google 01/01/2011
>> Call Trace:
>> Kernel panic - not syncing: panic_on_warn set ...
>>
>>   __dump_stack lib/dump_stack.c:17 [inline]
>>   dump_stack+0x194/0x24d lib/dump_stack.c:53
>>   fail_dump lib/fault-inject.c:51 [inline]
>>   should_fail+0x8c0/0xa40 lib/fault-inject.c:149
>>   should_failslab+0xec/0x120 mm/failslab.c:32
>>   slab_pre_alloc_hook mm/slab.h:422 [inline]
>>   slab_alloc mm/slab.c:3365 [inline]
>>   __do_kmalloc mm/slab.c:3703 [inline]
>>   __kmalloc+0x63/0x760 mm/slab.c:3714
>>   kmalloc include/linux/slab.h:517 [inline]
>>   kzalloc include/linux/slab.h:701 [inline]
>>   register_shrinker+0x10e/0x2d0 mm/vmscan.c:268
>>   sget_userns+0xbbf/0xe40 fs/super.c:520
>>   mount_ns+0x6d/0x190 fs/super.c:1029
>>   rpc_mount+0x9e/0xd0 net/sunrpc/rpc_pipe.c:1451
>>   mount_fs+0x66/0x2d0 fs/super.c:1222
>>   vfs_kern_mount.part.26+0xc6/0x4a0 fs/namespace.c:1037
>>   vfs_kern_mount fs/namespace.c:2509 [inline]
>>   do_new_mount fs/namespace.c:2512 [inline]
>>   do_mount+0xea4/0x2bb0 fs/namespace.c:2842
>>   SYSC_mount fs/namespace.c:3058 [inline]
>>   SyS_mount+0xab/0x120 fs/namespace.c:3035
>>   do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
>>   entry_SYSCALL_64_after_hwframe+0x42/0xb7
>> RIP: 0033:0x4460f9
>> RSP: 002b:00007fbcd769ad78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
>> RAX: ffffffffffffffda RBX: 00000000006dcc6c RCX: 00000000004460f9
>> RDX: 0000000020000080 RSI: 0000000020000040 RDI: 0000000020000000
>> RBP: 00007fbcd769ad80 R08: 00000000200000c0 R09: 0000000000003131
>> R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc68
>> R13: ffffffffffffffff R14: 0000000000000037 R15: 0030656c69662f2e
>> CPU: 0 PID: 4237 Comm: syzkaller149381 Not tainted 4.16.0-rc2+ #20
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>> Google 01/01/2011
>> Call Trace:
>>   __dump_stack lib/dump_stack.c:17 [inline]
>>   dump_stack+0x194/0x24d lib/dump_stack.c:53
>>   panic+0x1e4/0x41c kernel/panic.c:183
>>   __warn+0x1dc/0x200 kernel/panic.c:547
>>   report_bug+0x211/0x2d0 lib/bug.c:184
>>   fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178
>>   fixup_bug arch/x86/kernel/traps.c:247 [inline]
>>   do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
>>   do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
>>   invalid_op+0x58/0x80 arch/x86/entry/entry_64.S:957
>> RIP: 0010:refcount_sub_and_test+0x167/0x1b0 lib/refcount.c:187
>> RSP: 0018:ffff8801b164f6d8 EFLAGS: 00010286
>> RAX: dffffc0000000008 RBX: 0000000000000000 RCX: ffffffff815ac30e
>> RDX: 0000000000000000 RSI: 1ffff100362c9e8b RDI: 1ffff100362c9e60
>> RBP: ffff8801b164f768 R08: 0000000000000000 R09: 0000000000000000
>> R10: ffff8801b164f610 R11: 0000000000000000 R12: 1ffff100362c9edc
>> R13: 00000000ffffffff R14: 0000000000000001 R15: ffff8801ae924044
>>   refcount_dec_and_test+0x1a/0x20 lib/refcount.c:212
>>   put_net include/net/net_namespace.h:220 [inline]
>>   rpc_kill_sb+0x253/0x3c0 net/sunrpc/rpc_pipe.c:1473
>>   deactivate_locked_super+0x88/0xd0 fs/super.c:312
>>   sget_userns+0xbda/0xe40 fs/super.c:522
>>   mount_ns+0x6d/0x190 fs/super.c:1029
>>   rpc_mount+0x9e/0xd0 net/sunrpc/rpc_pipe.c:1451
>>   mount_fs+0x66/0x2d0 fs/super.c:1222
>>   vfs_kern_mount.part.26+0xc6/0x4a0 fs/namespace.c:1037
>>   vfs_kern_mount fs/namespace.c:2509 [inline]
>>   do_new_mount fs/namespace.c:2512 [inline]
>>   do_mount+0xea4/0x2bb0 fs/namespace.c:2842
>>   SYSC_mount fs/namespace.c:3058 [inline]
>>   SyS_mount+0xab/0x120 fs/namespace.c:3035
>>   do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
>>   entry_SYSCALL_64_after_hwframe+0x42/0xb7
>> RIP: 0033:0x4460f9
>> RSP: 002b:00007fbcd76dcd78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
>> RAX: ffffffffffffffda RBX: 00000000006dcc3c RCX: 00000000004460f9
>> RDX: 0000000020000080 RSI: 0000000020000040 RDI: 0000000020000000
>> RBP: 00007fbcd76dcd80 R08: 00000000200000c0 R09: 0000000000003131
>> R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc38
>> R13: ffffffffffffffff R14: 0000000000000028 R15: 0030656c69662f2e
>> Dumping ftrace buffer:
>>     (ftrace buffer empty)
>> Kernel Offset: disabled
>> Rebooting in 86400 seconds..
>>
>>
>> ---
>> This bug is generated by a dumb bot. It may contain errors.
>> See https://goo.gl/tpsmEJ for details.
>> Direct all questions to syzkaller@googlegroups.com.
>>
>> syzbot will keep track of this bug report.
>> If you forgot to add the Reported-by tag, once the fix for this bug is
>> merged
>> into any tree, please reply to this email with:
>> #syz fix: exact-commit-title
>> If you want to test a patch for this bug, please reply with:
>> #syz test: git://repo/address.git branch
>> and provide the patch inline or as an attachment.
>> To mark this as a duplicate of another syzbot report, please reply with:
>> #syz dup: exact-subject-of-another-report
>> If it's a one-off invalid bug report, please reply with:
>> #syz invalid
>> Note: if the crash happens again, it will cause creation of a new bug
>> report.
>> Note: all commands must start from beginning of the line in the email body.
>>
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/201803041457.GBJ69774.OVOSOLFHQMJFFt%40I-love.SAKURA.ne.jp.
> For more options, visit https://groups.google.com/d/optout.

^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: Re: WARNING: refcount bug in should_fail
  2018-04-01 10:32   ` Dmitry Vyukov
@ 2018-04-01 10:32     ` syzbot
  2018-04-01 10:41       ` Tetsuo Handa
  2018-04-01 10:37     ` Dmitry Vyukov
  1 sibling, 1 reply; 16+ messages in thread
From: syzbot @ 2018-04-01 10:32 UTC (permalink / raw)
  To: 'Dmitry Vyukov' via syzkaller-bugs
  Cc: ebiederm, linux-fsdevel, linux-mm, netdev, penguin-kernel,
	syzkaller-bugs, viro

> On Sun, Mar 4, 2018 at 6:57 AM, Tetsuo Handa
> <penguin-kernel@i-love.sakura.ne.jp> wrote:
>> Switching from mm to fsdevel, for this report says that put_net(net) in
>> rpc_kill_sb() made net->count < 0 when mount_ns() failed due to
>> register_shrinker() failure.

>> Relevant commits will be
>> commit 9ee332d99e4d5a97 ("sget(): handle failures of  
>> register_shrinker()") and
>> commit d91ee87d8d85a080 ("vfs: Pass data, ns, and ns->userns to  
>> mount_ns.").

>> When sget_userns() in mount_ns() failed, mount_ns() returns an error  
>> code to
>> the caller without calling fill_super(). That is, get_net(sb->s_fs_info)  
>> was
>> not called by rpc_fill_super() (via fill_super callback passed to  
>> mount_ns())
>> but put_net(sb->s_fs_info) is called by rpc_kill_sb() (via fs->kill_sb()  
>> from
>> deactivate_locked_super()).

>> ----------
>> static struct dentry *
>> rpc_mount(struct file_system_type *fs_type,
>>                  int flags, const char *dev_name, void *data)
>> {
>>          struct net *net = current->nsproxy->net_ns;
>>          return mount_ns(fs_type, flags, data, net, net->user_ns,  
>> rpc_fill_super);
>> }
>> ----------

> Messed kernel output, this is definitely not in should_fail.

> #syz dup: WARNING: refcount bug in sk_alloc

Can't find the corresponding bug.



>> syzbot wrote:
>>> Hello,

>>> syzbot hit the following crash on bpf-next commit
>>> 6f1b5a2b58d8470e5a8b25ab29f5fdb4616ffff8 (Tue Feb 27 04:11:23 2018  
>>> +0000)
>>> Merge branch 'bpf-kselftest-improvements'

>>> C reproducer is attached.
>>> syzkaller reproducer is attached.
>>> Raw console output is attached.
>>> compiler: gcc (GCC) 7.1.1 20170620
>>> .config is attached.

>>> IMPORTANT: if you fix the bug, please add the following tag to the  
>>> commit:
>>> Reported-by: syzbot+84371b6062cb639d797e@syzkaller.appspotmail.com
>>> It will help syzbot understand when the bug is fixed. See footer for
>>> details.
>>> If you forward the report, please keep this part and the footer.

>>> ------------[ cut here ]------------
>>> FAULT_INJECTION: forcing a failure.
>>> name failslab, interval 1, probability 0, space 0, times 0
>>> refcount_t: underflow; use-after-free.
>>> CPU: 1 PID: 4239 Comm: syzkaller149381 Not tainted 4.16.0-rc2+ #20
>>> WARNING: CPU: 0 PID: 4237 at lib/refcount.c:187
>>> refcount_sub_and_test+0x167/0x1b0 lib/refcount.c:187
>>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>>> Google 01/01/2011
>>> Call Trace:
>>> Kernel panic - not syncing: panic_on_warn set ...

>>>    __dump_stack lib/dump_stack.c:17 [inline]
>>>    dump_stack+0x194/0x24d lib/dump_stack.c:53
>>>    fail_dump lib/fault-inject.c:51 [inline]
>>>    should_fail+0x8c0/0xa40 lib/fault-inject.c:149
>>>    should_failslab+0xec/0x120 mm/failslab.c:32
>>>    slab_pre_alloc_hook mm/slab.h:422 [inline]
>>>    slab_alloc mm/slab.c:3365 [inline]
>>>    __do_kmalloc mm/slab.c:3703 [inline]
>>>    __kmalloc+0x63/0x760 mm/slab.c:3714
>>>    kmalloc include/linux/slab.h:517 [inline]
>>>    kzalloc include/linux/slab.h:701 [inline]
>>>    register_shrinker+0x10e/0x2d0 mm/vmscan.c:268
>>>    sget_userns+0xbbf/0xe40 fs/super.c:520
>>>    mount_ns+0x6d/0x190 fs/super.c:1029
>>>    rpc_mount+0x9e/0xd0 net/sunrpc/rpc_pipe.c:1451
>>>    mount_fs+0x66/0x2d0 fs/super.c:1222
>>>    vfs_kern_mount.part.26+0xc6/0x4a0 fs/namespace.c:1037
>>>    vfs_kern_mount fs/namespace.c:2509 [inline]
>>>    do_new_mount fs/namespace.c:2512 [inline]
>>>    do_mount+0xea4/0x2bb0 fs/namespace.c:2842
>>>    SYSC_mount fs/namespace.c:3058 [inline]
>>>    SyS_mount+0xab/0x120 fs/namespace.c:3035
>>>    do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
>>>    entry_SYSCALL_64_after_hwframe+0x42/0xb7
>>> RIP: 0033:0x4460f9
>>> RSP: 002b:00007fbcd769ad78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
>>> RAX: ffffffffffffffda RBX: 00000000006dcc6c RCX: 00000000004460f9
>>> RDX: 0000000020000080 RSI: 0000000020000040 RDI: 0000000020000000
>>> RBP: 00007fbcd769ad80 R08: 00000000200000c0 R09: 0000000000003131
>>> R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc68
>>> R13: ffffffffffffffff R14: 0000000000000037 R15: 0030656c69662f2e
>>> CPU: 0 PID: 4237 Comm: syzkaller149381 Not tainted 4.16.0-rc2+ #20
>>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>>> Google 01/01/2011
>>> Call Trace:
>>>    __dump_stack lib/dump_stack.c:17 [inline]
>>>    dump_stack+0x194/0x24d lib/dump_stack.c:53
>>>    panic+0x1e4/0x41c kernel/panic.c:183
>>>    __warn+0x1dc/0x200 kernel/panic.c:547
>>>    report_bug+0x211/0x2d0 lib/bug.c:184
>>>    fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178
>>>    fixup_bug arch/x86/kernel/traps.c:247 [inline]
>>>    do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
>>>    do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
>>>    invalid_op+0x58/0x80 arch/x86/entry/entry_64.S:957
>>> RIP: 0010:refcount_sub_and_test+0x167/0x1b0 lib/refcount.c:187
>>> RSP: 0018:ffff8801b164f6d8 EFLAGS: 00010286
>>> RAX: dffffc0000000008 RBX: 0000000000000000 RCX: ffffffff815ac30e
>>> RDX: 0000000000000000 RSI: 1ffff100362c9e8b RDI: 1ffff100362c9e60
>>> RBP: ffff8801b164f768 R08: 0000000000000000 R09: 0000000000000000
>>> R10: ffff8801b164f610 R11: 0000000000000000 R12: 1ffff100362c9edc
>>> R13: 00000000ffffffff R14: 0000000000000001 R15: ffff8801ae924044
>>>    refcount_dec_and_test+0x1a/0x20 lib/refcount.c:212
>>>    put_net include/net/net_namespace.h:220 [inline]
>>>    rpc_kill_sb+0x253/0x3c0 net/sunrpc/rpc_pipe.c:1473
>>>    deactivate_locked_super+0x88/0xd0 fs/super.c:312
>>>    sget_userns+0xbda/0xe40 fs/super.c:522
>>>    mount_ns+0x6d/0x190 fs/super.c:1029
>>>    rpc_mount+0x9e/0xd0 net/sunrpc/rpc_pipe.c:1451
>>>    mount_fs+0x66/0x2d0 fs/super.c:1222
>>>    vfs_kern_mount.part.26+0xc6/0x4a0 fs/namespace.c:1037
>>>    vfs_kern_mount fs/namespace.c:2509 [inline]
>>>    do_new_mount fs/namespace.c:2512 [inline]
>>>    do_mount+0xea4/0x2bb0 fs/namespace.c:2842
>>>    SYSC_mount fs/namespace.c:3058 [inline]
>>>    SyS_mount+0xab/0x120 fs/namespace.c:3035
>>>    do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
>>>    entry_SYSCALL_64_after_hwframe+0x42/0xb7
>>> RIP: 0033:0x4460f9
>>> RSP: 002b:00007fbcd76dcd78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
>>> RAX: ffffffffffffffda RBX: 00000000006dcc3c RCX: 00000000004460f9
>>> RDX: 0000000020000080 RSI: 0000000020000040 RDI: 0000000020000000
>>> RBP: 00007fbcd76dcd80 R08: 00000000200000c0 R09: 0000000000003131
>>> R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc38
>>> R13: ffffffffffffffff R14: 0000000000000028 R15: 0030656c69662f2e
>>> Dumping ftrace buffer:
>>>      (ftrace buffer empty)
>>> Kernel Offset: disabled
>>> Rebooting in 86400 seconds..


>>> ---
>>> This bug is generated by a dumb bot. It may contain errors.
>>> See https://goo.gl/tpsmEJ for details.
>>> Direct all questions to syzkaller@googlegroups.com.

>>> syzbot will keep track of this bug report.
>>> If you forgot to add the Reported-by tag, once the fix for this bug is
>>> merged
>>> into any tree, please reply to this email with:
>>> #syz fix: exact-commit-title
>>> If you want to test a patch for this bug, please reply with:
>>> #syz test: git://repo/address.git branch
>>> and provide the patch inline or as an attachment.
>>> To mark this as a duplicate of another syzbot report, please reply with:
>>> #syz dup: exact-subject-of-another-report
>>> If it's a one-off invalid bug report, please reply with:
>>> #syz invalid
>>> Note: if the crash happens again, it will cause creation of a new bug
>>> report.
>>> Note: all commands must start from beginning of the line in the email  
>>> body.


>> --
>> You received this message because you are subscribed to the Google  
>> Groups "syzkaller-bugs" group.
>> To unsubscribe from this group and stop receiving emails from it, send  
>> an email to syzkaller-bugs+unsubscribe@googlegroups.com.
>> To view this discussion on the web visit  
>> https://groups.google.com/d/msgid/syzkaller-bugs/201803041457.GBJ69774.OVOSOLFHQMJFFt%40I-love.SAKURA.ne.jp.
>> For more options, visit https://groups.google.com/d/optout.

> --
> You received this message because you are subscribed to the Google  
> Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an  
> email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion on the web visit  
> https://groups.google.com/d/msgid/syzkaller-bugs/CACT4Y%2BaSEsoS60A0O0Ypg%3DkwRZV10SzUELbcG7KEkaTV7aMU5Q%40mail.gmail.com.
> For more options, visit https://groups.google.com/d/optout.

^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: WARNING: refcount bug in should_fail
  2018-04-01 10:32   ` Dmitry Vyukov
  2018-04-01 10:32     ` syzbot
@ 2018-04-01 10:37     ` Dmitry Vyukov
  2018-04-01 11:11       ` Tetsuo Handa
  1 sibling, 1 reply; 16+ messages in thread
From: Dmitry Vyukov @ 2018-04-01 10:37 UTC (permalink / raw)
  To: Tetsuo Handa
  Cc: Al Viro, Eric W. Biederman, linux-fsdevel, netdev, Linux-MM,
	syzkaller-bugs, syzbot+84371b6062cb639d797e

On Sun, Apr 1, 2018 at 12:32 PM, Dmitry Vyukov <dvyukov@google.com> wrote:
> On Sun, Mar 4, 2018 at 6:57 AM, Tetsuo Handa
> <penguin-kernel@i-love.sakura.ne.jp> wrote:
>> Switching from mm to fsdevel, for this report says that put_net(net) in
>> rpc_kill_sb() made net->count < 0 when mount_ns() failed due to
>> register_shrinker() failure.
>>
>> Relevant commits will be
>> commit 9ee332d99e4d5a97 ("sget(): handle failures of register_shrinker()") and
>> commit d91ee87d8d85a080 ("vfs: Pass data, ns, and ns->userns to mount_ns.").
>>
>> When sget_userns() in mount_ns() failed, mount_ns() returns an error code to
>> the caller without calling fill_super(). That is, get_net(sb->s_fs_info) was
>> not called by rpc_fill_super() (via fill_super callback passed to mount_ns())
>> but put_net(sb->s_fs_info) is called by rpc_kill_sb() (via fs->kill_sb() from
>> deactivate_locked_super()).
>>
>> ----------
>> static struct dentry *
>> rpc_mount(struct file_system_type *fs_type,
>>                 int flags, const char *dev_name, void *data)
>> {
>>         struct net *net = current->nsproxy->net_ns;
>>         return mount_ns(fs_type, flags, data, net, net->user_ns, rpc_fill_super);
>> }
>> ----------
>
> Messed kernel output, this is definitely not in should_fail.
>
> #syz dup: WARNING: refcount bug in sk_alloc

Please don't drop reporter (syzbot) email from CC.

#syz dup: WARNING: refcount bug in sk_alloc


>> syzbot wrote:
>>> Hello,
>>>
>>> syzbot hit the following crash on bpf-next commit
>>> 6f1b5a2b58d8470e5a8b25ab29f5fdb4616ffff8 (Tue Feb 27 04:11:23 2018 +0000)
>>> Merge branch 'bpf-kselftest-improvements'
>>>
>>> C reproducer is attached.
>>> syzkaller reproducer is attached.
>>> Raw console output is attached.
>>> compiler: gcc (GCC) 7.1.1 20170620
>>> .config is attached.
>>>
>>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>>> Reported-by: syzbot+84371b6062cb639d797e@syzkaller.appspotmail.com
>>> It will help syzbot understand when the bug is fixed. See footer for
>>> details.
>>> If you forward the report, please keep this part and the footer.
>>>
>>> ------------[ cut here ]------------
>>> FAULT_INJECTION: forcing a failure.
>>> name failslab, interval 1, probability 0, space 0, times 0
>>> refcount_t: underflow; use-after-free.
>>> CPU: 1 PID: 4239 Comm: syzkaller149381 Not tainted 4.16.0-rc2+ #20
>>> WARNING: CPU: 0 PID: 4237 at lib/refcount.c:187
>>> refcount_sub_and_test+0x167/0x1b0 lib/refcount.c:187
>>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>>> Google 01/01/2011
>>> Call Trace:
>>> Kernel panic - not syncing: panic_on_warn set ...
>>>
>>>   __dump_stack lib/dump_stack.c:17 [inline]
>>>   dump_stack+0x194/0x24d lib/dump_stack.c:53
>>>   fail_dump lib/fault-inject.c:51 [inline]
>>>   should_fail+0x8c0/0xa40 lib/fault-inject.c:149
>>>   should_failslab+0xec/0x120 mm/failslab.c:32
>>>   slab_pre_alloc_hook mm/slab.h:422 [inline]
>>>   slab_alloc mm/slab.c:3365 [inline]
>>>   __do_kmalloc mm/slab.c:3703 [inline]
>>>   __kmalloc+0x63/0x760 mm/slab.c:3714
>>>   kmalloc include/linux/slab.h:517 [inline]
>>>   kzalloc include/linux/slab.h:701 [inline]
>>>   register_shrinker+0x10e/0x2d0 mm/vmscan.c:268
>>>   sget_userns+0xbbf/0xe40 fs/super.c:520
>>>   mount_ns+0x6d/0x190 fs/super.c:1029
>>>   rpc_mount+0x9e/0xd0 net/sunrpc/rpc_pipe.c:1451
>>>   mount_fs+0x66/0x2d0 fs/super.c:1222
>>>   vfs_kern_mount.part.26+0xc6/0x4a0 fs/namespace.c:1037
>>>   vfs_kern_mount fs/namespace.c:2509 [inline]
>>>   do_new_mount fs/namespace.c:2512 [inline]
>>>   do_mount+0xea4/0x2bb0 fs/namespace.c:2842
>>>   SYSC_mount fs/namespace.c:3058 [inline]
>>>   SyS_mount+0xab/0x120 fs/namespace.c:3035
>>>   do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
>>>   entry_SYSCALL_64_after_hwframe+0x42/0xb7
>>> RIP: 0033:0x4460f9
>>> RSP: 002b:00007fbcd769ad78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
>>> RAX: ffffffffffffffda RBX: 00000000006dcc6c RCX: 00000000004460f9
>>> RDX: 0000000020000080 RSI: 0000000020000040 RDI: 0000000020000000
>>> RBP: 00007fbcd769ad80 R08: 00000000200000c0 R09: 0000000000003131
>>> R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc68
>>> R13: ffffffffffffffff R14: 0000000000000037 R15: 0030656c69662f2e
>>> CPU: 0 PID: 4237 Comm: syzkaller149381 Not tainted 4.16.0-rc2+ #20
>>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>>> Google 01/01/2011
>>> Call Trace:
>>>   __dump_stack lib/dump_stack.c:17 [inline]
>>>   dump_stack+0x194/0x24d lib/dump_stack.c:53
>>>   panic+0x1e4/0x41c kernel/panic.c:183
>>>   __warn+0x1dc/0x200 kernel/panic.c:547
>>>   report_bug+0x211/0x2d0 lib/bug.c:184
>>>   fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178
>>>   fixup_bug arch/x86/kernel/traps.c:247 [inline]
>>>   do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
>>>   do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
>>>   invalid_op+0x58/0x80 arch/x86/entry/entry_64.S:957
>>> RIP: 0010:refcount_sub_and_test+0x167/0x1b0 lib/refcount.c:187
>>> RSP: 0018:ffff8801b164f6d8 EFLAGS: 00010286
>>> RAX: dffffc0000000008 RBX: 0000000000000000 RCX: ffffffff815ac30e
>>> RDX: 0000000000000000 RSI: 1ffff100362c9e8b RDI: 1ffff100362c9e60
>>> RBP: ffff8801b164f768 R08: 0000000000000000 R09: 0000000000000000
>>> R10: ffff8801b164f610 R11: 0000000000000000 R12: 1ffff100362c9edc
>>> R13: 00000000ffffffff R14: 0000000000000001 R15: ffff8801ae924044
>>>   refcount_dec_and_test+0x1a/0x20 lib/refcount.c:212
>>>   put_net include/net/net_namespace.h:220 [inline]
>>>   rpc_kill_sb+0x253/0x3c0 net/sunrpc/rpc_pipe.c:1473
>>>   deactivate_locked_super+0x88/0xd0 fs/super.c:312
>>>   sget_userns+0xbda/0xe40 fs/super.c:522
>>>   mount_ns+0x6d/0x190 fs/super.c:1029
>>>   rpc_mount+0x9e/0xd0 net/sunrpc/rpc_pipe.c:1451
>>>   mount_fs+0x66/0x2d0 fs/super.c:1222
>>>   vfs_kern_mount.part.26+0xc6/0x4a0 fs/namespace.c:1037
>>>   vfs_kern_mount fs/namespace.c:2509 [inline]
>>>   do_new_mount fs/namespace.c:2512 [inline]
>>>   do_mount+0xea4/0x2bb0 fs/namespace.c:2842
>>>   SYSC_mount fs/namespace.c:3058 [inline]
>>>   SyS_mount+0xab/0x120 fs/namespace.c:3035
>>>   do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
>>>   entry_SYSCALL_64_after_hwframe+0x42/0xb7
>>> RIP: 0033:0x4460f9
>>> RSP: 002b:00007fbcd76dcd78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
>>> RAX: ffffffffffffffda RBX: 00000000006dcc3c RCX: 00000000004460f9
>>> RDX: 0000000020000080 RSI: 0000000020000040 RDI: 0000000020000000
>>> RBP: 00007fbcd76dcd80 R08: 00000000200000c0 R09: 0000000000003131
>>> R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc38
>>> R13: ffffffffffffffff R14: 0000000000000028 R15: 0030656c69662f2e
>>> Dumping ftrace buffer:
>>>     (ftrace buffer empty)
>>> Kernel Offset: disabled
>>> Rebooting in 86400 seconds..
>>>
>>>
>>> ---
>>> This bug is generated by a dumb bot. It may contain errors.
>>> See https://goo.gl/tpsmEJ for details.
>>> Direct all questions to syzkaller@googlegroups.com.
>>>
>>> syzbot will keep track of this bug report.
>>> If you forgot to add the Reported-by tag, once the fix for this bug is
>>> merged
>>> into any tree, please reply to this email with:
>>> #syz fix: exact-commit-title
>>> If you want to test a patch for this bug, please reply with:
>>> #syz test: git://repo/address.git branch
>>> and provide the patch inline or as an attachment.
>>> To mark this as a duplicate of another syzbot report, please reply with:
>>> #syz dup: exact-subject-of-another-report
>>> If it's a one-off invalid bug report, please reply with:
>>> #syz invalid
>>> Note: if the crash happens again, it will cause creation of a new bug
>>> report.
>>> Note: all commands must start from beginning of the line in the email body.
>>>
>>
>> --
>> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
>> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/201803041457.GBJ69774.OVOSOLFHQMJFFt%40I-love.SAKURA.ne.jp.
>> For more options, visit https://groups.google.com/d/optout.

^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: WARNING: refcount bug in should_fail
  2018-04-01 10:32     ` syzbot
@ 2018-04-01 10:41       ` Tetsuo Handa
  2018-04-02 20:30         ` Eric W. Biederman
  0 siblings, 1 reply; 16+ messages in thread
From: Tetsuo Handa @ 2018-04-01 10:41 UTC (permalink / raw)
  To: syzbot+, syzkaller-bugs, dvyukov
  Cc: ebiederm, linux-fsdevel, linux-mm, netdev, viro

syzbot wrote:
> > On Sun, Mar 4, 2018 at 6:57 AM, Tetsuo Handa
> > <penguin-kernel@i-love.sakura.ne.jp> wrote:
> >> Switching from mm to fsdevel, for this report says that put_net(net) in
> >> rpc_kill_sb() made net->count < 0 when mount_ns() failed due to
> >> register_shrinker() failure.
> 
> >> Relevant commits will be
> >> commit 9ee332d99e4d5a97 ("sget(): handle failures of  
> >> register_shrinker()") and
> >> commit d91ee87d8d85a080 ("vfs: Pass data, ns, and ns->userns to  
> >> mount_ns.").
> 
> >> When sget_userns() in mount_ns() failed, mount_ns() returns an error  
> >> code to
> >> the caller without calling fill_super(). That is, get_net(sb->s_fs_info)  
> >> was
> >> not called by rpc_fill_super() (via fill_super callback passed to  
> >> mount_ns())
> >> but put_net(sb->s_fs_info) is called by rpc_kill_sb() (via fs->kill_sb()  
> >> from
> >> deactivate_locked_super()).
> 
> >> ----------
> >> static struct dentry *
> >> rpc_mount(struct file_system_type *fs_type,
> >>                  int flags, const char *dev_name, void *data)
> >> {
> >>          struct net *net = current->nsproxy->net_ns;
> >>          return mount_ns(fs_type, flags, data, net, net->user_ns,  
> >> rpc_fill_super);
> >> }
> >> ----------
> 
> > Messed kernel output, this is definitely not in should_fail.
> 
> > #syz dup: WARNING: refcount bug in sk_alloc
> 
> Can't find the corresponding bug.
> 
I don't think this is a dup of existing bug.
We need to fix either 9ee332d99e4d5a97 or d91ee87d8d85a080.

^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: WARNING: refcount bug in should_fail
  2018-04-01 10:37     ` Dmitry Vyukov
@ 2018-04-01 11:11       ` Tetsuo Handa
  2018-04-01 11:30         ` Dmitry Vyukov
  0 siblings, 1 reply; 16+ messages in thread
From: Tetsuo Handa @ 2018-04-01 11:11 UTC (permalink / raw)
  To: dvyukov
  Cc: viro, ebiederm, linux-fsdevel, netdev, linux-mm, syzkaller-bugs,
	syzbot+84371b6062cb639d797e

Dmitry Vyukov wrote:
> On Sun, Apr 1, 2018 at 12:32 PM, Dmitry Vyukov <dvyukov@google.com> wrote:
> > On Sun, Mar 4, 2018 at 6:57 AM, Tetsuo Handa
> > <penguin-kernel@i-love.sakura.ne.jp> wrote:
> >> Switching from mm to fsdevel, for this report says that put_net(net) in
> >> rpc_kill_sb() made net->count < 0 when mount_ns() failed due to
> >> register_shrinker() failure.
> >>
> >> Relevant commits will be
> >> commit 9ee332d99e4d5a97 ("sget(): handle failures of register_shrinker()") and
> >> commit d91ee87d8d85a080 ("vfs: Pass data, ns, and ns->userns to mount_ns.").
> >>
> >> When sget_userns() in mount_ns() failed, mount_ns() returns an error code to
> >> the caller without calling fill_super(). That is, get_net(sb->s_fs_info) was
> >> not called by rpc_fill_super() (via fill_super callback passed to mount_ns())
> >> but put_net(sb->s_fs_info) is called by rpc_kill_sb() (via fs->kill_sb() from
> >> deactivate_locked_super()).
> >>
> >> ----------
> >> static struct dentry *
> >> rpc_mount(struct file_system_type *fs_type,
> >>                 int flags, const char *dev_name, void *data)
> >> {
> >>         struct net *net = current->nsproxy->net_ns;
> >>         return mount_ns(fs_type, flags, data, net, net->user_ns, rpc_fill_super);
> >> }
> >> ----------
> >
> > Messed kernel output, this is definitely not in should_fail.
> >
> > #syz dup: WARNING: refcount bug in sk_alloc
> 
> Please don't drop reporter (syzbot) email from CC.
> 
> #syz dup: WARNING: refcount bug in sk_alloc
> 

Excuse me? This "refcount bug in should_fail" is talking about sget_userns() versus rpc_fill_super().
I think we need to fix either 9ee332d99e4d5a97 or d91ee87d8d85a080.

> 
> >> syzbot wrote:
> >>> Hello,
> >>>
> >>> syzbot hit the following crash on bpf-next commit
> >>> 6f1b5a2b58d8470e5a8b25ab29f5fdb4616ffff8 (Tue Feb 27 04:11:23 2018 +0000)
> >>> Merge branch 'bpf-kselftest-improvements'
> >>>
> >>> C reproducer is attached.
> >>> syzkaller reproducer is attached.
> >>> Raw console output is attached.
> >>> compiler: gcc (GCC) 7.1.1 20170620
> >>> .config is attached.
> >>>
> >>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> >>> Reported-by: syzbot+84371b6062cb639d797e@syzkaller.appspotmail.com
> >>> It will help syzbot understand when the bug is fixed. See footer for
> >>> details.
> >>> If you forward the report, please keep this part and the footer.
> >>>
> >>> ------------[ cut here ]------------
> >>> FAULT_INJECTION: forcing a failure.
> >>> name failslab, interval 1, probability 0, space 0, times 0
> >>> refcount_t: underflow; use-after-free.
> >>> CPU: 1 PID: 4239 Comm: syzkaller149381 Not tainted 4.16.0-rc2+ #20
> >>> WARNING: CPU: 0 PID: 4237 at lib/refcount.c:187
> >>> refcount_sub_and_test+0x167/0x1b0 lib/refcount.c:187
> >>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> >>> Google 01/01/2011
> >>> Call Trace:
> >>> Kernel panic - not syncing: panic_on_warn set ...
> >>>
> >>>   __dump_stack lib/dump_stack.c:17 [inline]
> >>>   dump_stack+0x194/0x24d lib/dump_stack.c:53
> >>>   fail_dump lib/fault-inject.c:51 [inline]
> >>>   should_fail+0x8c0/0xa40 lib/fault-inject.c:149
> >>>   should_failslab+0xec/0x120 mm/failslab.c:32
> >>>   slab_pre_alloc_hook mm/slab.h:422 [inline]
> >>>   slab_alloc mm/slab.c:3365 [inline]
> >>>   __do_kmalloc mm/slab.c:3703 [inline]
> >>>   __kmalloc+0x63/0x760 mm/slab.c:3714
> >>>   kmalloc include/linux/slab.h:517 [inline]
> >>>   kzalloc include/linux/slab.h:701 [inline]
> >>>   register_shrinker+0x10e/0x2d0 mm/vmscan.c:268
> >>>   sget_userns+0xbbf/0xe40 fs/super.c:520
> >>>   mount_ns+0x6d/0x190 fs/super.c:1029
> >>>   rpc_mount+0x9e/0xd0 net/sunrpc/rpc_pipe.c:1451
> >>>   mount_fs+0x66/0x2d0 fs/super.c:1222
> >>>   vfs_kern_mount.part.26+0xc6/0x4a0 fs/namespace.c:1037
> >>>   vfs_kern_mount fs/namespace.c:2509 [inline]
> >>>   do_new_mount fs/namespace.c:2512 [inline]
> >>>   do_mount+0xea4/0x2bb0 fs/namespace.c:2842
> >>>   SYSC_mount fs/namespace.c:3058 [inline]
> >>>   SyS_mount+0xab/0x120 fs/namespace.c:3035
> >>>   do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
> >>>   entry_SYSCALL_64_after_hwframe+0x42/0xb7
> >>> RIP: 0033:0x4460f9
> >>> RSP: 002b:00007fbcd769ad78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
> >>> RAX: ffffffffffffffda RBX: 00000000006dcc6c RCX: 00000000004460f9
> >>> RDX: 0000000020000080 RSI: 0000000020000040 RDI: 0000000020000000
> >>> RBP: 00007fbcd769ad80 R08: 00000000200000c0 R09: 0000000000003131
> >>> R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc68
> >>> R13: ffffffffffffffff R14: 0000000000000037 R15: 0030656c69662f2e
> >>> CPU: 0 PID: 4237 Comm: syzkaller149381 Not tainted 4.16.0-rc2+ #20
> >>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> >>> Google 01/01/2011
> >>> Call Trace:
> >>>   __dump_stack lib/dump_stack.c:17 [inline]
> >>>   dump_stack+0x194/0x24d lib/dump_stack.c:53
> >>>   panic+0x1e4/0x41c kernel/panic.c:183
> >>>   __warn+0x1dc/0x200 kernel/panic.c:547
> >>>   report_bug+0x211/0x2d0 lib/bug.c:184
> >>>   fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178
> >>>   fixup_bug arch/x86/kernel/traps.c:247 [inline]
> >>>   do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
> >>>   do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
> >>>   invalid_op+0x58/0x80 arch/x86/entry/entry_64.S:957
> >>> RIP: 0010:refcount_sub_and_test+0x167/0x1b0 lib/refcount.c:187
> >>> RSP: 0018:ffff8801b164f6d8 EFLAGS: 00010286
> >>> RAX: dffffc0000000008 RBX: 0000000000000000 RCX: ffffffff815ac30e
> >>> RDX: 0000000000000000 RSI: 1ffff100362c9e8b RDI: 1ffff100362c9e60
> >>> RBP: ffff8801b164f768 R08: 0000000000000000 R09: 0000000000000000
> >>> R10: ffff8801b164f610 R11: 0000000000000000 R12: 1ffff100362c9edc
> >>> R13: 00000000ffffffff R14: 0000000000000001 R15: ffff8801ae924044
> >>>   refcount_dec_and_test+0x1a/0x20 lib/refcount.c:212
> >>>   put_net include/net/net_namespace.h:220 [inline]
> >>>   rpc_kill_sb+0x253/0x3c0 net/sunrpc/rpc_pipe.c:1473
> >>>   deactivate_locked_super+0x88/0xd0 fs/super.c:312
> >>>   sget_userns+0xbda/0xe40 fs/super.c:522
> >>>   mount_ns+0x6d/0x190 fs/super.c:1029
> >>>   rpc_mount+0x9e/0xd0 net/sunrpc/rpc_pipe.c:1451
> >>>   mount_fs+0x66/0x2d0 fs/super.c:1222
> >>>   vfs_kern_mount.part.26+0xc6/0x4a0 fs/namespace.c:1037
> >>>   vfs_kern_mount fs/namespace.c:2509 [inline]
> >>>   do_new_mount fs/namespace.c:2512 [inline]
> >>>   do_mount+0xea4/0x2bb0 fs/namespace.c:2842
> >>>   SYSC_mount fs/namespace.c:3058 [inline]
> >>>   SyS_mount+0xab/0x120 fs/namespace.c:3035
> >>>   do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
> >>>   entry_SYSCALL_64_after_hwframe+0x42/0xb7
> >>> RIP: 0033:0x4460f9
> >>> RSP: 002b:00007fbcd76dcd78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
> >>> RAX: ffffffffffffffda RBX: 00000000006dcc3c RCX: 00000000004460f9
> >>> RDX: 0000000020000080 RSI: 0000000020000040 RDI: 0000000020000000
> >>> RBP: 00007fbcd76dcd80 R08: 00000000200000c0 R09: 0000000000003131
> >>> R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc38
> >>> R13: ffffffffffffffff R14: 0000000000000028 R15: 0030656c69662f2e
> >>> Dumping ftrace buffer:
> >>>     (ftrace buffer empty)
> >>> Kernel Offset: disabled
> >>> Rebooting in 86400 seconds..
> >>>
> >>>
> >>> ---
> >>> This bug is generated by a dumb bot. It may contain errors.
> >>> See https://goo.gl/tpsmEJ for details.
> >>> Direct all questions to syzkaller@googlegroups.com.
> >>>
> >>> syzbot will keep track of this bug report.
> >>> If you forgot to add the Reported-by tag, once the fix for this bug is
> >>> merged
> >>> into any tree, please reply to this email with:
> >>> #syz fix: exact-commit-title
> >>> If you want to test a patch for this bug, please reply with:
> >>> #syz test: git://repo/address.git branch
> >>> and provide the patch inline or as an attachment.
> >>> To mark this as a duplicate of another syzbot report, please reply with:
> >>> #syz dup: exact-subject-of-another-report
> >>> If it's a one-off invalid bug report, please reply with:
> >>> #syz invalid
> >>> Note: if the crash happens again, it will cause creation of a new bug
> >>> report.
> >>> Note: all commands must start from beginning of the line in the email body.
> >>>
> >>
> >> --
> >> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> >> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> >> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/201803041457.GBJ69774.OVOSOLFHQMJFFt%40I-love.SAKURA.ne.jp.
> >> For more options, visit https://groups.google.com/d/optout.
> 

^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: WARNING: refcount bug in should_fail
  2018-04-01 11:11       ` Tetsuo Handa
@ 2018-04-01 11:30         ` Dmitry Vyukov
  2018-04-01 11:46           ` Dmitry Vyukov
  0 siblings, 1 reply; 16+ messages in thread
From: Dmitry Vyukov @ 2018-04-01 11:30 UTC (permalink / raw)
  To: Tetsuo Handa
  Cc: Al Viro, Eric W. Biederman, linux-fsdevel, netdev, Linux-MM,
	syzkaller-bugs, syzbot+84371b6062cb639d797e

On Sun, Apr 1, 2018 at 1:11 PM, Tetsuo Handa
<penguin-kernel@i-love.sakura.ne.jp> wrote:
> Dmitry Vyukov wrote:
>> On Sun, Apr 1, 2018 at 12:32 PM, Dmitry Vyukov <dvyukov@google.com> wrote:
>> > On Sun, Mar 4, 2018 at 6:57 AM, Tetsuo Handa
>> > <penguin-kernel@i-love.sakura.ne.jp> wrote:
>> >> Switching from mm to fsdevel, for this report says that put_net(net) in
>> >> rpc_kill_sb() made net->count < 0 when mount_ns() failed due to
>> >> register_shrinker() failure.
>> >>
>> >> Relevant commits will be
>> >> commit 9ee332d99e4d5a97 ("sget(): handle failures of register_shrinker()") and
>> >> commit d91ee87d8d85a080 ("vfs: Pass data, ns, and ns->userns to mount_ns.").
>> >>
>> >> When sget_userns() in mount_ns() failed, mount_ns() returns an error code to
>> >> the caller without calling fill_super(). That is, get_net(sb->s_fs_info) was
>> >> not called by rpc_fill_super() (via fill_super callback passed to mount_ns())
>> >> but put_net(sb->s_fs_info) is called by rpc_kill_sb() (via fs->kill_sb() from
>> >> deactivate_locked_super()).
>> >>
>> >> ----------
>> >> static struct dentry *
>> >> rpc_mount(struct file_system_type *fs_type,
>> >>                 int flags, const char *dev_name, void *data)
>> >> {
>> >>         struct net *net = current->nsproxy->net_ns;
>> >>         return mount_ns(fs_type, flags, data, net, net->user_ns, rpc_fill_super);
>> >> }
>> >> ----------
>> >
>> > Messed kernel output, this is definitely not in should_fail.
>> >
>> > #syz dup: WARNING: refcount bug in sk_alloc
>>
>> Please don't drop reporter (syzbot) email from CC.
>>
>> #syz dup: WARNING: refcount bug in sk_alloc
>>
>
> Excuse me? This "refcount bug in should_fail" is talking about sget_userns() versus rpc_fill_super().
> I think we need to fix either 9ee332d99e4d5a97 or d91ee87d8d85a080.

Hi,

I think I was looking at this incarnation of this bug before marking it as dup:
https://syzkaller.appspot.com/text?tag=CrashReport&id=5246446760624128
that report in fact includes sk_alloc frame. Kernel turning crash
reports into untangleable mess is not really helpful.

I will undup this into an independent bug.
It's just that we don't have such functionality yet, so I need to
implement it first.





>> >> syzbot wrote:
>> >>> Hello,
>> >>>
>> >>> syzbot hit the following crash on bpf-next commit
>> >>> 6f1b5a2b58d8470e5a8b25ab29f5fdb4616ffff8 (Tue Feb 27 04:11:23 2018 +0000)
>> >>> Merge branch 'bpf-kselftest-improvements'
>> >>>
>> >>> C reproducer is attached.
>> >>> syzkaller reproducer is attached.
>> >>> Raw console output is attached.
>> >>> compiler: gcc (GCC) 7.1.1 20170620
>> >>> .config is attached.
>> >>>
>> >>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> >>> Reported-by: syzbot+84371b6062cb639d797e@syzkaller.appspotmail.com
>> >>> It will help syzbot understand when the bug is fixed. See footer for
>> >>> details.
>> >>> If you forward the report, please keep this part and the footer.
>> >>>
>> >>> ------------[ cut here ]------------
>> >>> FAULT_INJECTION: forcing a failure.
>> >>> name failslab, interval 1, probability 0, space 0, times 0
>> >>> refcount_t: underflow; use-after-free.
>> >>> CPU: 1 PID: 4239 Comm: syzkaller149381 Not tainted 4.16.0-rc2+ #20
>> >>> WARNING: CPU: 0 PID: 4237 at lib/refcount.c:187
>> >>> refcount_sub_and_test+0x167/0x1b0 lib/refcount.c:187
>> >>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>> >>> Google 01/01/2011
>> >>> Call Trace:
>> >>> Kernel panic - not syncing: panic_on_warn set ...
>> >>>
>> >>>   __dump_stack lib/dump_stack.c:17 [inline]
>> >>>   dump_stack+0x194/0x24d lib/dump_stack.c:53
>> >>>   fail_dump lib/fault-inject.c:51 [inline]
>> >>>   should_fail+0x8c0/0xa40 lib/fault-inject.c:149
>> >>>   should_failslab+0xec/0x120 mm/failslab.c:32
>> >>>   slab_pre_alloc_hook mm/slab.h:422 [inline]
>> >>>   slab_alloc mm/slab.c:3365 [inline]
>> >>>   __do_kmalloc mm/slab.c:3703 [inline]
>> >>>   __kmalloc+0x63/0x760 mm/slab.c:3714
>> >>>   kmalloc include/linux/slab.h:517 [inline]
>> >>>   kzalloc include/linux/slab.h:701 [inline]
>> >>>   register_shrinker+0x10e/0x2d0 mm/vmscan.c:268
>> >>>   sget_userns+0xbbf/0xe40 fs/super.c:520
>> >>>   mount_ns+0x6d/0x190 fs/super.c:1029
>> >>>   rpc_mount+0x9e/0xd0 net/sunrpc/rpc_pipe.c:1451
>> >>>   mount_fs+0x66/0x2d0 fs/super.c:1222
>> >>>   vfs_kern_mount.part.26+0xc6/0x4a0 fs/namespace.c:1037
>> >>>   vfs_kern_mount fs/namespace.c:2509 [inline]
>> >>>   do_new_mount fs/namespace.c:2512 [inline]
>> >>>   do_mount+0xea4/0x2bb0 fs/namespace.c:2842
>> >>>   SYSC_mount fs/namespace.c:3058 [inline]
>> >>>   SyS_mount+0xab/0x120 fs/namespace.c:3035
>> >>>   do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
>> >>>   entry_SYSCALL_64_after_hwframe+0x42/0xb7
>> >>> RIP: 0033:0x4460f9
>> >>> RSP: 002b:00007fbcd769ad78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
>> >>> RAX: ffffffffffffffda RBX: 00000000006dcc6c RCX: 00000000004460f9
>> >>> RDX: 0000000020000080 RSI: 0000000020000040 RDI: 0000000020000000
>> >>> RBP: 00007fbcd769ad80 R08: 00000000200000c0 R09: 0000000000003131
>> >>> R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc68
>> >>> R13: ffffffffffffffff R14: 0000000000000037 R15: 0030656c69662f2e
>> >>> CPU: 0 PID: 4237 Comm: syzkaller149381 Not tainted 4.16.0-rc2+ #20
>> >>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>> >>> Google 01/01/2011
>> >>> Call Trace:
>> >>>   __dump_stack lib/dump_stack.c:17 [inline]
>> >>>   dump_stack+0x194/0x24d lib/dump_stack.c:53
>> >>>   panic+0x1e4/0x41c kernel/panic.c:183
>> >>>   __warn+0x1dc/0x200 kernel/panic.c:547
>> >>>   report_bug+0x211/0x2d0 lib/bug.c:184
>> >>>   fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178
>> >>>   fixup_bug arch/x86/kernel/traps.c:247 [inline]
>> >>>   do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
>> >>>   do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
>> >>>   invalid_op+0x58/0x80 arch/x86/entry/entry_64.S:957
>> >>> RIP: 0010:refcount_sub_and_test+0x167/0x1b0 lib/refcount.c:187
>> >>> RSP: 0018:ffff8801b164f6d8 EFLAGS: 00010286
>> >>> RAX: dffffc0000000008 RBX: 0000000000000000 RCX: ffffffff815ac30e
>> >>> RDX: 0000000000000000 RSI: 1ffff100362c9e8b RDI: 1ffff100362c9e60
>> >>> RBP: ffff8801b164f768 R08: 0000000000000000 R09: 0000000000000000
>> >>> R10: ffff8801b164f610 R11: 0000000000000000 R12: 1ffff100362c9edc
>> >>> R13: 00000000ffffffff R14: 0000000000000001 R15: ffff8801ae924044
>> >>>   refcount_dec_and_test+0x1a/0x20 lib/refcount.c:212
>> >>>   put_net include/net/net_namespace.h:220 [inline]
>> >>>   rpc_kill_sb+0x253/0x3c0 net/sunrpc/rpc_pipe.c:1473
>> >>>   deactivate_locked_super+0x88/0xd0 fs/super.c:312
>> >>>   sget_userns+0xbda/0xe40 fs/super.c:522
>> >>>   mount_ns+0x6d/0x190 fs/super.c:1029
>> >>>   rpc_mount+0x9e/0xd0 net/sunrpc/rpc_pipe.c:1451
>> >>>   mount_fs+0x66/0x2d0 fs/super.c:1222
>> >>>   vfs_kern_mount.part.26+0xc6/0x4a0 fs/namespace.c:1037
>> >>>   vfs_kern_mount fs/namespace.c:2509 [inline]
>> >>>   do_new_mount fs/namespace.c:2512 [inline]
>> >>>   do_mount+0xea4/0x2bb0 fs/namespace.c:2842
>> >>>   SYSC_mount fs/namespace.c:3058 [inline]
>> >>>   SyS_mount+0xab/0x120 fs/namespace.c:3035
>> >>>   do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
>> >>>   entry_SYSCALL_64_after_hwframe+0x42/0xb7
>> >>> RIP: 0033:0x4460f9
>> >>> RSP: 002b:00007fbcd76dcd78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
>> >>> RAX: ffffffffffffffda RBX: 00000000006dcc3c RCX: 00000000004460f9
>> >>> RDX: 0000000020000080 RSI: 0000000020000040 RDI: 0000000020000000
>> >>> RBP: 00007fbcd76dcd80 R08: 00000000200000c0 R09: 0000000000003131
>> >>> R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc38
>> >>> R13: ffffffffffffffff R14: 0000000000000028 R15: 0030656c69662f2e
>> >>> Dumping ftrace buffer:
>> >>>     (ftrace buffer empty)
>> >>> Kernel Offset: disabled
>> >>> Rebooting in 86400 seconds..
>> >>>
>> >>>
>> >>> ---
>> >>> This bug is generated by a dumb bot. It may contain errors.
>> >>> See https://goo.gl/tpsmEJ for details.
>> >>> Direct all questions to syzkaller@googlegroups.com.
>> >>>
>> >>> syzbot will keep track of this bug report.
>> >>> If you forgot to add the Reported-by tag, once the fix for this bug is
>> >>> merged
>> >>> into any tree, please reply to this email with:
>> >>> #syz fix: exact-commit-title
>> >>> If you want to test a patch for this bug, please reply with:
>> >>> #syz test: git://repo/address.git branch
>> >>> and provide the patch inline or as an attachment.
>> >>> To mark this as a duplicate of another syzbot report, please reply with:
>> >>> #syz dup: exact-subject-of-another-report
>> >>> If it's a one-off invalid bug report, please reply with:
>> >>> #syz invalid
>> >>> Note: if the crash happens again, it will cause creation of a new bug
>> >>> report.
>> >>> Note: all commands must start from beginning of the line in the email body.
>> >>>
>> >>
>> >> --
>> >> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
>> >> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
>> >> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/201803041457.GBJ69774.OVOSOLFHQMJFFt%40I-love.SAKURA.ne.jp.
>> >> For more options, visit https://groups.google.com/d/optout.
>>
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/201804012011.ABI74044.MJtOFVSHFQFOOL%40I-love.SAKURA.ne.jp.
> For more options, visit https://groups.google.com/d/optout.

^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: WARNING: refcount bug in should_fail
  2018-04-01 11:30         ` Dmitry Vyukov
@ 2018-04-01 11:46           ` Dmitry Vyukov
  2018-04-01 11:50             ` Dmitry Vyukov
  0 siblings, 1 reply; 16+ messages in thread
From: Dmitry Vyukov @ 2018-04-01 11:46 UTC (permalink / raw)
  To: Tetsuo Handa
  Cc: Al Viro, Eric W. Biederman, linux-fsdevel, netdev, Linux-MM,
	syzkaller-bugs, syzbot+84371b6062cb639d797e

On Sun, Apr 1, 2018 at 1:30 PM, Dmitry Vyukov <dvyukov@google.com> wrote:
> On Sun, Apr 1, 2018 at 1:11 PM, Tetsuo Handa
> <penguin-kernel@i-love.sakura.ne.jp> wrote:
>> Dmitry Vyukov wrote:
>>> On Sun, Apr 1, 2018 at 12:32 PM, Dmitry Vyukov <dvyukov@google.com> wrote:
>>> > On Sun, Mar 4, 2018 at 6:57 AM, Tetsuo Handa
>>> > <penguin-kernel@i-love.sakura.ne.jp> wrote:
>>> >> Switching from mm to fsdevel, for this report says that put_net(net) in
>>> >> rpc_kill_sb() made net->count < 0 when mount_ns() failed due to
>>> >> register_shrinker() failure.
>>> >>
>>> >> Relevant commits will be
>>> >> commit 9ee332d99e4d5a97 ("sget(): handle failures of register_shrinker()") and
>>> >> commit d91ee87d8d85a080 ("vfs: Pass data, ns, and ns->userns to mount_ns.").
>>> >>
>>> >> When sget_userns() in mount_ns() failed, mount_ns() returns an error code to
>>> >> the caller without calling fill_super(). That is, get_net(sb->s_fs_info) was
>>> >> not called by rpc_fill_super() (via fill_super callback passed to mount_ns())
>>> >> but put_net(sb->s_fs_info) is called by rpc_kill_sb() (via fs->kill_sb() from
>>> >> deactivate_locked_super()).
>>> >>
>>> >> ----------
>>> >> static struct dentry *
>>> >> rpc_mount(struct file_system_type *fs_type,
>>> >>                 int flags, const char *dev_name, void *data)
>>> >> {
>>> >>         struct net *net = current->nsproxy->net_ns;
>>> >>         return mount_ns(fs_type, flags, data, net, net->user_ns, rpc_fill_super);
>>> >> }
>>> >> ----------
>>> >
>>> > Messed kernel output, this is definitely not in should_fail.
>>> >
>>> > #syz dup: WARNING: refcount bug in sk_alloc
>>>
>>> Please don't drop reporter (syzbot) email from CC.
>>>
>>> #syz dup: WARNING: refcount bug in sk_alloc
>>>
>>
>> Excuse me? This "refcount bug in should_fail" is talking about sget_userns() versus rpc_fill_super().
>> I think we need to fix either 9ee332d99e4d5a97 or d91ee87d8d85a080.
>
> Hi,
>
> I think I was looking at this incarnation of this bug before marking it as dup:
> https://syzkaller.appspot.com/text?tag=CrashReport&id=5246446760624128
> that report in fact includes sk_alloc frame. Kernel turning crash
> reports into untangleable mess is not really helpful.
>
> I will undup this into an independent bug.
> It's just that we don't have such functionality yet, so I need to
> implement it first.

This is now implemented:
https://github.com/google/syzkaller/commit/0a78e248b7b6537ccdf66dc8806d76e0a97efe21
Let's try it:

#syz undup



>>> >> syzbot wrote:
>>> >>> Hello,
>>> >>>
>>> >>> syzbot hit the following crash on bpf-next commit
>>> >>> 6f1b5a2b58d8470e5a8b25ab29f5fdb4616ffff8 (Tue Feb 27 04:11:23 2018 +0000)
>>> >>> Merge branch 'bpf-kselftest-improvements'
>>> >>>
>>> >>> C reproducer is attached.
>>> >>> syzkaller reproducer is attached.
>>> >>> Raw console output is attached.
>>> >>> compiler: gcc (GCC) 7.1.1 20170620
>>> >>> .config is attached.
>>> >>>
>>> >>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>>> >>> Reported-by: syzbot+84371b6062cb639d797e@syzkaller.appspotmail.com
>>> >>> It will help syzbot understand when the bug is fixed. See footer for
>>> >>> details.
>>> >>> If you forward the report, please keep this part and the footer.
>>> >>>
>>> >>> ------------[ cut here ]------------
>>> >>> FAULT_INJECTION: forcing a failure.
>>> >>> name failslab, interval 1, probability 0, space 0, times 0
>>> >>> refcount_t: underflow; use-after-free.
>>> >>> CPU: 1 PID: 4239 Comm: syzkaller149381 Not tainted 4.16.0-rc2+ #20
>>> >>> WARNING: CPU: 0 PID: 4237 at lib/refcount.c:187
>>> >>> refcount_sub_and_test+0x167/0x1b0 lib/refcount.c:187
>>> >>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>>> >>> Google 01/01/2011
>>> >>> Call Trace:
>>> >>> Kernel panic - not syncing: panic_on_warn set ...
>>> >>>
>>> >>>   __dump_stack lib/dump_stack.c:17 [inline]
>>> >>>   dump_stack+0x194/0x24d lib/dump_stack.c:53
>>> >>>   fail_dump lib/fault-inject.c:51 [inline]
>>> >>>   should_fail+0x8c0/0xa40 lib/fault-inject.c:149
>>> >>>   should_failslab+0xec/0x120 mm/failslab.c:32
>>> >>>   slab_pre_alloc_hook mm/slab.h:422 [inline]
>>> >>>   slab_alloc mm/slab.c:3365 [inline]
>>> >>>   __do_kmalloc mm/slab.c:3703 [inline]
>>> >>>   __kmalloc+0x63/0x760 mm/slab.c:3714
>>> >>>   kmalloc include/linux/slab.h:517 [inline]
>>> >>>   kzalloc include/linux/slab.h:701 [inline]
>>> >>>   register_shrinker+0x10e/0x2d0 mm/vmscan.c:268
>>> >>>   sget_userns+0xbbf/0xe40 fs/super.c:520
>>> >>>   mount_ns+0x6d/0x190 fs/super.c:1029
>>> >>>   rpc_mount+0x9e/0xd0 net/sunrpc/rpc_pipe.c:1451
>>> >>>   mount_fs+0x66/0x2d0 fs/super.c:1222
>>> >>>   vfs_kern_mount.part.26+0xc6/0x4a0 fs/namespace.c:1037
>>> >>>   vfs_kern_mount fs/namespace.c:2509 [inline]
>>> >>>   do_new_mount fs/namespace.c:2512 [inline]
>>> >>>   do_mount+0xea4/0x2bb0 fs/namespace.c:2842
>>> >>>   SYSC_mount fs/namespace.c:3058 [inline]
>>> >>>   SyS_mount+0xab/0x120 fs/namespace.c:3035
>>> >>>   do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
>>> >>>   entry_SYSCALL_64_after_hwframe+0x42/0xb7
>>> >>> RIP: 0033:0x4460f9
>>> >>> RSP: 002b:00007fbcd769ad78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
>>> >>> RAX: ffffffffffffffda RBX: 00000000006dcc6c RCX: 00000000004460f9
>>> >>> RDX: 0000000020000080 RSI: 0000000020000040 RDI: 0000000020000000
>>> >>> RBP: 00007fbcd769ad80 R08: 00000000200000c0 R09: 0000000000003131
>>> >>> R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc68
>>> >>> R13: ffffffffffffffff R14: 0000000000000037 R15: 0030656c69662f2e
>>> >>> CPU: 0 PID: 4237 Comm: syzkaller149381 Not tainted 4.16.0-rc2+ #20
>>> >>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>>> >>> Google 01/01/2011
>>> >>> Call Trace:
>>> >>>   __dump_stack lib/dump_stack.c:17 [inline]
>>> >>>   dump_stack+0x194/0x24d lib/dump_stack.c:53
>>> >>>   panic+0x1e4/0x41c kernel/panic.c:183
>>> >>>   __warn+0x1dc/0x200 kernel/panic.c:547
>>> >>>   report_bug+0x211/0x2d0 lib/bug.c:184
>>> >>>   fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178
>>> >>>   fixup_bug arch/x86/kernel/traps.c:247 [inline]
>>> >>>   do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
>>> >>>   do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
>>> >>>   invalid_op+0x58/0x80 arch/x86/entry/entry_64.S:957
>>> >>> RIP: 0010:refcount_sub_and_test+0x167/0x1b0 lib/refcount.c:187
>>> >>> RSP: 0018:ffff8801b164f6d8 EFLAGS: 00010286
>>> >>> RAX: dffffc0000000008 RBX: 0000000000000000 RCX: ffffffff815ac30e
>>> >>> RDX: 0000000000000000 RSI: 1ffff100362c9e8b RDI: 1ffff100362c9e60
>>> >>> RBP: ffff8801b164f768 R08: 0000000000000000 R09: 0000000000000000
>>> >>> R10: ffff8801b164f610 R11: 0000000000000000 R12: 1ffff100362c9edc
>>> >>> R13: 00000000ffffffff R14: 0000000000000001 R15: ffff8801ae924044
>>> >>>   refcount_dec_and_test+0x1a/0x20 lib/refcount.c:212
>>> >>>   put_net include/net/net_namespace.h:220 [inline]
>>> >>>   rpc_kill_sb+0x253/0x3c0 net/sunrpc/rpc_pipe.c:1473
>>> >>>   deactivate_locked_super+0x88/0xd0 fs/super.c:312
>>> >>>   sget_userns+0xbda/0xe40 fs/super.c:522
>>> >>>   mount_ns+0x6d/0x190 fs/super.c:1029
>>> >>>   rpc_mount+0x9e/0xd0 net/sunrpc/rpc_pipe.c:1451
>>> >>>   mount_fs+0x66/0x2d0 fs/super.c:1222
>>> >>>   vfs_kern_mount.part.26+0xc6/0x4a0 fs/namespace.c:1037
>>> >>>   vfs_kern_mount fs/namespace.c:2509 [inline]
>>> >>>   do_new_mount fs/namespace.c:2512 [inline]
>>> >>>   do_mount+0xea4/0x2bb0 fs/namespace.c:2842
>>> >>>   SYSC_mount fs/namespace.c:3058 [inline]
>>> >>>   SyS_mount+0xab/0x120 fs/namespace.c:3035
>>> >>>   do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
>>> >>>   entry_SYSCALL_64_after_hwframe+0x42/0xb7
>>> >>> RIP: 0033:0x4460f9
>>> >>> RSP: 002b:00007fbcd76dcd78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
>>> >>> RAX: ffffffffffffffda RBX: 00000000006dcc3c RCX: 00000000004460f9
>>> >>> RDX: 0000000020000080 RSI: 0000000020000040 RDI: 0000000020000000
>>> >>> RBP: 00007fbcd76dcd80 R08: 00000000200000c0 R09: 0000000000003131
>>> >>> R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc38
>>> >>> R13: ffffffffffffffff R14: 0000000000000028 R15: 0030656c69662f2e
>>> >>> Dumping ftrace buffer:
>>> >>>     (ftrace buffer empty)
>>> >>> Kernel Offset: disabled
>>> >>> Rebooting in 86400 seconds..
>>> >>>
>>> >>>
>>> >>> ---
>>> >>> This bug is generated by a dumb bot. It may contain errors.
>>> >>> See https://goo.gl/tpsmEJ for details.
>>> >>> Direct all questions to syzkaller@googlegroups.com.
>>> >>>
>>> >>> syzbot will keep track of this bug report.
>>> >>> If you forgot to add the Reported-by tag, once the fix for this bug is
>>> >>> merged
>>> >>> into any tree, please reply to this email with:
>>> >>> #syz fix: exact-commit-title
>>> >>> If you want to test a patch for this bug, please reply with:
>>> >>> #syz test: git://repo/address.git branch
>>> >>> and provide the patch inline or as an attachment.
>>> >>> To mark this as a duplicate of another syzbot report, please reply with:
>>> >>> #syz dup: exact-subject-of-another-report
>>> >>> If it's a one-off invalid bug report, please reply with:
>>> >>> #syz invalid
>>> >>> Note: if the crash happens again, it will cause creation of a new bug
>>> >>> report.
>>> >>> Note: all commands must start from beginning of the line in the email body.
>>> >>>
>>> >>
>>> >> --
>>> >> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
>>> >> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
>>> >> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/201803041457.GBJ69774.OVOSOLFHQMJFFt%40I-love.SAKURA.ne.jp.
>>> >> For more options, visit https://groups.google.com/d/optout.
>>>
>>
>> --
>> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
>> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/201804012011.ABI74044.MJtOFVSHFQFOOL%40I-love.SAKURA.ne.jp.
>> For more options, visit https://groups.google.com/d/optout.

^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: WARNING: refcount bug in should_fail
  2018-04-01 11:46           ` Dmitry Vyukov
@ 2018-04-01 11:50             ` Dmitry Vyukov
  0 siblings, 0 replies; 16+ messages in thread
From: Dmitry Vyukov @ 2018-04-01 11:50 UTC (permalink / raw)
  To: Tetsuo Handa
  Cc: Al Viro, Eric W. Biederman, linux-fsdevel, netdev, Linux-MM,
	syzkaller-bugs, syzbot+84371b6062cb639d797e

On Sun, Apr 1, 2018 at 1:46 PM, Dmitry Vyukov <dvyukov@google.com> wrote:
> On Sun, Apr 1, 2018 at 1:30 PM, Dmitry Vyukov <dvyukov@google.com> wrote:
>> On Sun, Apr 1, 2018 at 1:11 PM, Tetsuo Handa
>> <penguin-kernel@i-love.sakura.ne.jp> wrote:
>>> Dmitry Vyukov wrote:
>>>> On Sun, Apr 1, 2018 at 12:32 PM, Dmitry Vyukov <dvyukov@google.com> wrote:
>>>> > On Sun, Mar 4, 2018 at 6:57 AM, Tetsuo Handa
>>>> > <penguin-kernel@i-love.sakura.ne.jp> wrote:
>>>> >> Switching from mm to fsdevel, for this report says that put_net(net) in
>>>> >> rpc_kill_sb() made net->count < 0 when mount_ns() failed due to
>>>> >> register_shrinker() failure.
>>>> >>
>>>> >> Relevant commits will be
>>>> >> commit 9ee332d99e4d5a97 ("sget(): handle failures of register_shrinker()") and
>>>> >> commit d91ee87d8d85a080 ("vfs: Pass data, ns, and ns->userns to mount_ns.").
>>>> >>
>>>> >> When sget_userns() in mount_ns() failed, mount_ns() returns an error code to
>>>> >> the caller without calling fill_super(). That is, get_net(sb->s_fs_info) was
>>>> >> not called by rpc_fill_super() (via fill_super callback passed to mount_ns())
>>>> >> but put_net(sb->s_fs_info) is called by rpc_kill_sb() (via fs->kill_sb() from
>>>> >> deactivate_locked_super()).
>>>> >>
>>>> >> ----------
>>>> >> static struct dentry *
>>>> >> rpc_mount(struct file_system_type *fs_type,
>>>> >>                 int flags, const char *dev_name, void *data)
>>>> >> {
>>>> >>         struct net *net = current->nsproxy->net_ns;
>>>> >>         return mount_ns(fs_type, flags, data, net, net->user_ns, rpc_fill_super);
>>>> >> }
>>>> >> ----------
>>>> >
>>>> > Messed kernel output, this is definitely not in should_fail.
>>>> >
>>>> > #syz dup: WARNING: refcount bug in sk_alloc
>>>>
>>>> Please don't drop reporter (syzbot) email from CC.
>>>>
>>>> #syz dup: WARNING: refcount bug in sk_alloc
>>>>
>>>
>>> Excuse me? This "refcount bug in should_fail" is talking about sget_userns() versus rpc_fill_super().
>>> I think we need to fix either 9ee332d99e4d5a97 or d91ee87d8d85a080.
>>
>> Hi,
>>
>> I think I was looking at this incarnation of this bug before marking it as dup:
>> https://syzkaller.appspot.com/text?tag=CrashReport&id=5246446760624128
>> that report in fact includes sk_alloc frame. Kernel turning crash
>> reports into untangleable mess is not really helpful.
>>
>> I will undup this into an independent bug.
>> It's just that we don't have such functionality yet, so I need to
>> implement it first.
>
> This is now implemented:
> https://github.com/google/syzkaller/commit/0a78e248b7b6537ccdf66dc8806d76e0a97efe21
> Let's try it:
>
> #syz undup

OK, this is now a separate bug again:
https://syzkaller.appspot.com/bug?id=55c7257f74dd17f65a9d057b316c46d156b0fba4

The last step is that somebody needs to actually fix it (until too
many different bugs pile up under "WARNING: refcount bug in
should_fail") ;)

>>>> >> syzbot wrote:
>>>> >>> Hello,
>>>> >>>
>>>> >>> syzbot hit the following crash on bpf-next commit
>>>> >>> 6f1b5a2b58d8470e5a8b25ab29f5fdb4616ffff8 (Tue Feb 27 04:11:23 2018 +0000)
>>>> >>> Merge branch 'bpf-kselftest-improvements'
>>>> >>>
>>>> >>> C reproducer is attached.
>>>> >>> syzkaller reproducer is attached.
>>>> >>> Raw console output is attached.
>>>> >>> compiler: gcc (GCC) 7.1.1 20170620
>>>> >>> .config is attached.
>>>> >>>
>>>> >>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>>>> >>> Reported-by: syzbot+84371b6062cb639d797e@syzkaller.appspotmail.com
>>>> >>> It will help syzbot understand when the bug is fixed. See footer for
>>>> >>> details.
>>>> >>> If you forward the report, please keep this part and the footer.
>>>> >>>
>>>> >>> ------------[ cut here ]------------
>>>> >>> FAULT_INJECTION: forcing a failure.
>>>> >>> name failslab, interval 1, probability 0, space 0, times 0
>>>> >>> refcount_t: underflow; use-after-free.
>>>> >>> CPU: 1 PID: 4239 Comm: syzkaller149381 Not tainted 4.16.0-rc2+ #20
>>>> >>> WARNING: CPU: 0 PID: 4237 at lib/refcount.c:187
>>>> >>> refcount_sub_and_test+0x167/0x1b0 lib/refcount.c:187
>>>> >>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>>>> >>> Google 01/01/2011
>>>> >>> Call Trace:
>>>> >>> Kernel panic - not syncing: panic_on_warn set ...
>>>> >>>
>>>> >>>   __dump_stack lib/dump_stack.c:17 [inline]
>>>> >>>   dump_stack+0x194/0x24d lib/dump_stack.c:53
>>>> >>>   fail_dump lib/fault-inject.c:51 [inline]
>>>> >>>   should_fail+0x8c0/0xa40 lib/fault-inject.c:149
>>>> >>>   should_failslab+0xec/0x120 mm/failslab.c:32
>>>> >>>   slab_pre_alloc_hook mm/slab.h:422 [inline]
>>>> >>>   slab_alloc mm/slab.c:3365 [inline]
>>>> >>>   __do_kmalloc mm/slab.c:3703 [inline]
>>>> >>>   __kmalloc+0x63/0x760 mm/slab.c:3714
>>>> >>>   kmalloc include/linux/slab.h:517 [inline]
>>>> >>>   kzalloc include/linux/slab.h:701 [inline]
>>>> >>>   register_shrinker+0x10e/0x2d0 mm/vmscan.c:268
>>>> >>>   sget_userns+0xbbf/0xe40 fs/super.c:520
>>>> >>>   mount_ns+0x6d/0x190 fs/super.c:1029
>>>> >>>   rpc_mount+0x9e/0xd0 net/sunrpc/rpc_pipe.c:1451
>>>> >>>   mount_fs+0x66/0x2d0 fs/super.c:1222
>>>> >>>   vfs_kern_mount.part.26+0xc6/0x4a0 fs/namespace.c:1037
>>>> >>>   vfs_kern_mount fs/namespace.c:2509 [inline]
>>>> >>>   do_new_mount fs/namespace.c:2512 [inline]
>>>> >>>   do_mount+0xea4/0x2bb0 fs/namespace.c:2842
>>>> >>>   SYSC_mount fs/namespace.c:3058 [inline]
>>>> >>>   SyS_mount+0xab/0x120 fs/namespace.c:3035
>>>> >>>   do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
>>>> >>>   entry_SYSCALL_64_after_hwframe+0x42/0xb7
>>>> >>> RIP: 0033:0x4460f9
>>>> >>> RSP: 002b:00007fbcd769ad78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
>>>> >>> RAX: ffffffffffffffda RBX: 00000000006dcc6c RCX: 00000000004460f9
>>>> >>> RDX: 0000000020000080 RSI: 0000000020000040 RDI: 0000000020000000
>>>> >>> RBP: 00007fbcd769ad80 R08: 00000000200000c0 R09: 0000000000003131
>>>> >>> R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc68
>>>> >>> R13: ffffffffffffffff R14: 0000000000000037 R15: 0030656c69662f2e
>>>> >>> CPU: 0 PID: 4237 Comm: syzkaller149381 Not tainted 4.16.0-rc2+ #20
>>>> >>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>>>> >>> Google 01/01/2011
>>>> >>> Call Trace:
>>>> >>>   __dump_stack lib/dump_stack.c:17 [inline]
>>>> >>>   dump_stack+0x194/0x24d lib/dump_stack.c:53
>>>> >>>   panic+0x1e4/0x41c kernel/panic.c:183
>>>> >>>   __warn+0x1dc/0x200 kernel/panic.c:547
>>>> >>>   report_bug+0x211/0x2d0 lib/bug.c:184
>>>> >>>   fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178
>>>> >>>   fixup_bug arch/x86/kernel/traps.c:247 [inline]
>>>> >>>   do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
>>>> >>>   do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
>>>> >>>   invalid_op+0x58/0x80 arch/x86/entry/entry_64.S:957
>>>> >>> RIP: 0010:refcount_sub_and_test+0x167/0x1b0 lib/refcount.c:187
>>>> >>> RSP: 0018:ffff8801b164f6d8 EFLAGS: 00010286
>>>> >>> RAX: dffffc0000000008 RBX: 0000000000000000 RCX: ffffffff815ac30e
>>>> >>> RDX: 0000000000000000 RSI: 1ffff100362c9e8b RDI: 1ffff100362c9e60
>>>> >>> RBP: ffff8801b164f768 R08: 0000000000000000 R09: 0000000000000000
>>>> >>> R10: ffff8801b164f610 R11: 0000000000000000 R12: 1ffff100362c9edc
>>>> >>> R13: 00000000ffffffff R14: 0000000000000001 R15: ffff8801ae924044
>>>> >>>   refcount_dec_and_test+0x1a/0x20 lib/refcount.c:212
>>>> >>>   put_net include/net/net_namespace.h:220 [inline]
>>>> >>>   rpc_kill_sb+0x253/0x3c0 net/sunrpc/rpc_pipe.c:1473
>>>> >>>   deactivate_locked_super+0x88/0xd0 fs/super.c:312
>>>> >>>   sget_userns+0xbda/0xe40 fs/super.c:522
>>>> >>>   mount_ns+0x6d/0x190 fs/super.c:1029
>>>> >>>   rpc_mount+0x9e/0xd0 net/sunrpc/rpc_pipe.c:1451
>>>> >>>   mount_fs+0x66/0x2d0 fs/super.c:1222
>>>> >>>   vfs_kern_mount.part.26+0xc6/0x4a0 fs/namespace.c:1037
>>>> >>>   vfs_kern_mount fs/namespace.c:2509 [inline]
>>>> >>>   do_new_mount fs/namespace.c:2512 [inline]
>>>> >>>   do_mount+0xea4/0x2bb0 fs/namespace.c:2842
>>>> >>>   SYSC_mount fs/namespace.c:3058 [inline]
>>>> >>>   SyS_mount+0xab/0x120 fs/namespace.c:3035
>>>> >>>   do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
>>>> >>>   entry_SYSCALL_64_after_hwframe+0x42/0xb7
>>>> >>> RIP: 0033:0x4460f9
>>>> >>> RSP: 002b:00007fbcd76dcd78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
>>>> >>> RAX: ffffffffffffffda RBX: 00000000006dcc3c RCX: 00000000004460f9
>>>> >>> RDX: 0000000020000080 RSI: 0000000020000040 RDI: 0000000020000000
>>>> >>> RBP: 00007fbcd76dcd80 R08: 00000000200000c0 R09: 0000000000003131
>>>> >>> R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc38
>>>> >>> R13: ffffffffffffffff R14: 0000000000000028 R15: 0030656c69662f2e
>>>> >>> Dumping ftrace buffer:
>>>> >>>     (ftrace buffer empty)
>>>> >>> Kernel Offset: disabled
>>>> >>> Rebooting in 86400 seconds..
>>>> >>>
>>>> >>>
>>>> >>> ---
>>>> >>> This bug is generated by a dumb bot. It may contain errors.
>>>> >>> See https://goo.gl/tpsmEJ for details.
>>>> >>> Direct all questions to syzkaller@googlegroups.com.
>>>> >>>
>>>> >>> syzbot will keep track of this bug report.
>>>> >>> If you forgot to add the Reported-by tag, once the fix for this bug is
>>>> >>> merged
>>>> >>> into any tree, please reply to this email with:
>>>> >>> #syz fix: exact-commit-title
>>>> >>> If you want to test a patch for this bug, please reply with:
>>>> >>> #syz test: git://repo/address.git branch
>>>> >>> and provide the patch inline or as an attachment.
>>>> >>> To mark this as a duplicate of another syzbot report, please reply with:
>>>> >>> #syz dup: exact-subject-of-another-report
>>>> >>> If it's a one-off invalid bug report, please reply with:
>>>> >>> #syz invalid
>>>> >>> Note: if the crash happens again, it will cause creation of a new bug
>>>> >>> report.
>>>> >>> Note: all commands must start from beginning of the line in the email body.
>>>> >>>
>>>> >>
>>>> >> --
>>>> >> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
>>>> >> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
>>>> >> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/201803041457.GBJ69774.OVOSOLFHQMJFFt%40I-love.SAKURA.ne.jp.
>>>> >> For more options, visit https://groups.google.com/d/optout.
>>>>
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
>>> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/201804012011.ABI74044.MJtOFVSHFQFOOL%40I-love.SAKURA.ne.jp.
>>> For more options, visit https://groups.google.com/d/optout.

^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: WARNING: refcount bug in should_fail
  2018-04-01 10:41       ` Tetsuo Handa
@ 2018-04-02 20:30         ` Eric W. Biederman
  2018-04-02 21:52           ` Al Viro
  0 siblings, 1 reply; 16+ messages in thread
From: Eric W. Biederman @ 2018-04-02 20:30 UTC (permalink / raw)
  To: Tetsuo Handa
  Cc: syzbot+, syzkaller-bugs, dvyukov, linux-fsdevel, linux-mm, netdev, viro

Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> writes:

> syzbot wrote:
>> > On Sun, Mar 4, 2018 at 6:57 AM, Tetsuo Handa
>> > <penguin-kernel@i-love.sakura.ne.jp> wrote:
>> >> Switching from mm to fsdevel, for this report says that put_net(net) in
>> >> rpc_kill_sb() made net->count < 0 when mount_ns() failed due to
>> >> register_shrinker() failure.
>> 
>> >> Relevant commits will be
>> >> commit 9ee332d99e4d5a97 ("sget(): handle failures of  
>> >> register_shrinker()") and
>> >> commit d91ee87d8d85a080 ("vfs: Pass data, ns, and ns->userns to  
>> >> mount_ns.").
>> 
>> >> When sget_userns() in mount_ns() failed, mount_ns() returns an error  
>> >> code to
>> >> the caller without calling fill_super(). That is, get_net(sb->s_fs_info)  
>> >> was
>> >> not called by rpc_fill_super() (via fill_super callback passed to  
>> >> mount_ns())
>> >> but put_net(sb->s_fs_info) is called by rpc_kill_sb() (via fs->kill_sb()  
>> >> from
>> >> deactivate_locked_super()).
>> 
>> >> ----------
>> >> static struct dentry *
>> >> rpc_mount(struct file_system_type *fs_type,
>> >>                  int flags, const char *dev_name, void *data)
>> >> {
>> >>          struct net *net = current->nsproxy->net_ns;
>> >>          return mount_ns(fs_type, flags, data, net, net->user_ns,  
>> >> rpc_fill_super);
>> >> }
>> >> ----------
>> 
>> > Messed kernel output, this is definitely not in should_fail.
>> 
>> > #syz dup: WARNING: refcount bug in sk_alloc
>> 
>> Can't find the corresponding bug.
>> 
> I don't think this is a dup of existing bug.
> We need to fix either 9ee332d99e4d5a97 or d91ee87d8d85a080.

Even if expanding mount_ns to more filesystems was magically fixed,
proc would still have this issue with the pid namespace rather than
the net namespace.

This is a mess.  I will take a look and see if I can see a a fix.

Eric

^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: WARNING: refcount bug in should_fail
  2018-04-02 20:30         ` Eric W. Biederman
@ 2018-04-02 21:52           ` Al Viro
  2018-04-02 21:59             ` Al Viro
  0 siblings, 1 reply; 16+ messages in thread
From: Al Viro @ 2018-04-02 21:52 UTC (permalink / raw)
  To: Eric W. Biederman
  Cc: Tetsuo Handa, syzbot+,
	syzkaller-bugs, dvyukov, linux-fsdevel, linux-mm, netdev

On Mon, Apr 02, 2018 at 03:30:56PM -0500, Eric W. Biederman wrote:
> Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> writes:

> > I don't think this is a dup of existing bug.
> > We need to fix either 9ee332d99e4d5a97 or d91ee87d8d85a080.
> 
> Even if expanding mount_ns to more filesystems was magically fixed,
> proc would still have this issue with the pid namespace rather than
> the net namespace.
> 
> This is a mess.  I will take a look and see if I can see a a fix.

It's trivially fixable, and there's no need to modify mount_ns() at
all.

All we need is for rpc_kill_sb() to recognize whether we are already
through the point in rpc_fill_super() where the refcount is bumped.
That's it.

The most trivial way to do that is to move
	net = get_net(sb->s_fs_info);
past
        if (!root)
                return -ENOMEM;
in the latter and have
out:
	if (!sb->s_root)
		net = NULL;
        kill_litter_super(sb);
	if (net)
		put_net(net);
in the end of the former.  And similar changes in other affected
instances.

^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: WARNING: refcount bug in should_fail
  2018-04-02 21:52           ` Al Viro
@ 2018-04-02 21:59             ` Al Viro
  2018-04-03  5:20               ` Al Viro
  0 siblings, 1 reply; 16+ messages in thread
From: Al Viro @ 2018-04-02 21:59 UTC (permalink / raw)
  To: Eric W. Biederman
  Cc: Tetsuo Handa, syzbot+,
	syzkaller-bugs, dvyukov, linux-fsdevel, linux-mm, netdev

On Mon, Apr 02, 2018 at 10:52:12PM +0100, Al Viro wrote:
> On Mon, Apr 02, 2018 at 03:30:56PM -0500, Eric W. Biederman wrote:
> > Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> writes:
> 
> > > I don't think this is a dup of existing bug.
> > > We need to fix either 9ee332d99e4d5a97 or d91ee87d8d85a080.
> > 
> > Even if expanding mount_ns to more filesystems was magically fixed,
> > proc would still have this issue with the pid namespace rather than
> > the net namespace.
> > 
> > This is a mess.  I will take a look and see if I can see a a fix.
> 
> It's trivially fixable, and there's no need to modify mount_ns() at
> all.
> 
> All we need is for rpc_kill_sb() to recognize whether we are already
> through the point in rpc_fill_super() where the refcount is bumped.
> That's it.
> 
> The most trivial way to do that is to move
> 	net = get_net(sb->s_fs_info);
> past
>         if (!root)
>                 return -ENOMEM;
> in the latter and have
> out:
> 	if (!sb->s_root)
> 		net = NULL;
>         kill_litter_super(sb);
> 	if (net)
> 		put_net(net);
> in the end of the former.  And similar changes in other affected
> instances.

FWIW, I'm going through the ->kill_sb() instances, fixing that sort
of bugs (most of them preexisting, but I should've checked instead
of assuming that everything's fine).  Will push out later tonight.

^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: WARNING: refcount bug in should_fail
  2018-04-02 21:59             ` Al Viro
@ 2018-04-03  5:20               ` Al Viro
  2018-04-03 11:27                 ` Dmitry Vyukov
  2018-04-04 15:54                 ` Eric W. Biederman
  0 siblings, 2 replies; 16+ messages in thread
From: Al Viro @ 2018-04-03  5:20 UTC (permalink / raw)
  To: Eric W. Biederman
  Cc: Tetsuo Handa, syzbot+,
	syzkaller-bugs, dvyukov, linux-fsdevel, linux-mm, netdev

On Mon, Apr 02, 2018 at 10:59:34PM +0100, Al Viro wrote:

> FWIW, I'm going through the ->kill_sb() instances, fixing that sort
> of bugs (most of them preexisting, but I should've checked instead
> of assuming that everything's fine).  Will push out later tonight.

OK, see vfs.git#for-linus.  Caught: 4 old bugs (allocation failure
in fill_super oopses ->kill_sb() in hypfs, jffs2 and orangefs resp.
and double-dput in late failure exit in rpc_fill_super())
and 5 regressions from register_shrinker() failure recovery.  

^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: WARNING: refcount bug in should_fail
  2018-04-03  5:20               ` Al Viro
@ 2018-04-03 11:27                 ` Dmitry Vyukov
  2018-04-04 15:54                 ` Eric W. Biederman
  1 sibling, 0 replies; 16+ messages in thread
From: Dmitry Vyukov @ 2018-04-03 11:27 UTC (permalink / raw)
  To: Al Viro
  Cc: Eric W. Biederman, Tetsuo Handa, syzbot, syzkaller-bugs,
	linux-fsdevel, Linux-MM, netdev

On Tue, Apr 3, 2018 at 7:20 AM, Al Viro <viro@zeniv.linux.org.uk> wrote:
> On Mon, Apr 02, 2018 at 10:59:34PM +0100, Al Viro wrote:
>
>> FWIW, I'm going through the ->kill_sb() instances, fixing that sort
>> of bugs (most of them preexisting, but I should've checked instead
>> of assuming that everything's fine).  Will push out later tonight.
>
> OK, see vfs.git#for-linus.  Caught: 4 old bugs (allocation failure
> in fill_super oopses ->kill_sb() in hypfs, jffs2 and orangefs resp.
> and double-dput in late failure exit in rpc_fill_super())
> and 5 regressions from register_shrinker() failure recovery.

Nice!

^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: WARNING: refcount bug in should_fail
  2018-04-03  5:20               ` Al Viro
  2018-04-03 11:27                 ` Dmitry Vyukov
@ 2018-04-04 15:54                 ` Eric W. Biederman
  2018-04-21 10:26                   ` Tetsuo Handa
  1 sibling, 1 reply; 16+ messages in thread
From: Eric W. Biederman @ 2018-04-04 15:54 UTC (permalink / raw)
  To: Al Viro
  Cc: Tetsuo Handa, syzbot+,
	syzkaller-bugs, dvyukov, linux-fsdevel, linux-mm, netdev

Al Viro <viro@ZenIV.linux.org.uk> writes:

> On Mon, Apr 02, 2018 at 10:59:34PM +0100, Al Viro wrote:
>
>> FWIW, I'm going through the ->kill_sb() instances, fixing that sort
>> of bugs (most of them preexisting, but I should've checked instead
>> of assuming that everything's fine).  Will push out later tonight.
>
> OK, see vfs.git#for-linus.  Caught: 4 old bugs (allocation failure
> in fill_super oopses ->kill_sb() in hypfs, jffs2 and orangefs resp.
> and double-dput in late failure exit in rpc_fill_super())
> and 5 regressions from register_shrinker() failure recovery.

One issue with your vfs.git#for-linus branch.

It is missing Fixes tags and  Cc: stable on those patches.
As the bug came in v4.15 those tags would really help the stable
maintainers get the recent regression fixes applied.

Eric

^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: WARNING: refcount bug in should_fail
  2018-04-04 15:54                 ` Eric W. Biederman
@ 2018-04-21 10:26                   ` Tetsuo Handa
  0 siblings, 0 replies; 16+ messages in thread
From: Tetsuo Handa @ 2018-04-21 10:26 UTC (permalink / raw)
  To: ebiederm, dvyukov
  Cc: syzbot+84371b6062cb639d797e, syzkaller-bugs, viro, linux-fsdevel,
	linux-mm, netdev

Eric W. Biederman wrote:
> Al Viro <viro@ZenIV.linux.org.uk> writes:
> 
> > On Mon, Apr 02, 2018 at 10:59:34PM +0100, Al Viro wrote:
> >
> >> FWIW, I'm going through the ->kill_sb() instances, fixing that sort
> >> of bugs (most of them preexisting, but I should've checked instead
> >> of assuming that everything's fine).  Will push out later tonight.
> >
> > OK, see vfs.git#for-linus.  Caught: 4 old bugs (allocation failure
> > in fill_super oopses ->kill_sb() in hypfs, jffs2 and orangefs resp.
> > and double-dput in late failure exit in rpc_fill_super())
> > and 5 regressions from register_shrinker() failure recovery.
> 
> One issue with your vfs.git#for-linus branch.
> 
> It is missing Fixes tags and  Cc: stable on those patches.
> As the bug came in v4.15 those tags would really help the stable
> maintainers get the recent regression fixes applied.

OK. The patch was sent to linux.git as commit 8e04944f0ea8b838.

#syz fix: mm,vmscan: Allow preallocating memory for register_shrinker().

^ permalink raw reply	[flat|nested] 16+ messages in thread

end of thread, other threads:[~2018-04-21 10:26 UTC | newest]

Thread overview: 16+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
     [not found] <001a113f6736499d1c0566363863@google.com>
2018-03-04  5:57 ` WARNING: refcount bug in should_fail Tetsuo Handa
2018-04-01 10:32   ` Dmitry Vyukov
2018-04-01 10:32     ` syzbot
2018-04-01 10:41       ` Tetsuo Handa
2018-04-02 20:30         ` Eric W. Biederman
2018-04-02 21:52           ` Al Viro
2018-04-02 21:59             ` Al Viro
2018-04-03  5:20               ` Al Viro
2018-04-03 11:27                 ` Dmitry Vyukov
2018-04-04 15:54                 ` Eric W. Biederman
2018-04-21 10:26                   ` Tetsuo Handa
2018-04-01 10:37     ` Dmitry Vyukov
2018-04-01 11:11       ` Tetsuo Handa
2018-04-01 11:30         ` Dmitry Vyukov
2018-04-01 11:46           ` Dmitry Vyukov
2018-04-01 11:50             ` Dmitry Vyukov

This is a public inbox, see mirroring instructions
on how to clone and mirror all data and code used for this inbox