linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* WARNING: refcount bug in sctp_wfree
@ 2020-03-10  1:35 syzbot
  2020-03-10  9:39 ` syzbot
                   ` (8 more replies)
  0 siblings, 9 replies; 30+ messages in thread
From: syzbot @ 2020-03-10  1:35 UTC (permalink / raw)
  To: davem, kuba, linux-kernel, linux-sctp, marcelo.leitner, netdev,
	nhorman, syzkaller-bugs, vyasevich

Hello,

syzbot found the following crash on:

HEAD commit:    2c523b34 Linux 5.6-rc5
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=155a5f29e00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=a5295e161cd85b82
dashboard link: https://syzkaller.appspot.com/bug?extid=cea71eec5d6de256d54d
compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=164b5181e00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=166dd70de00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com

------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 8668 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 8668 Comm: syz-executor779 Not tainted 5.6.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1e9/0x30e lib/dump_stack.c:118
 panic+0x264/0x7a0 kernel/panic.c:221
 __warn+0x209/0x210 kernel/panic.c:582
 report_bug+0x1ac/0x2d0 lib/bug.c:195
 fixup_bug arch/x86/kernel/traps.c:174 [inline]
 do_error_trap+0xca/0x1c0 arch/x86/kernel/traps.c:267
 do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286
 invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
Code: c7 e4 ff d0 88 31 c0 e8 23 20 b3 fd 0f 0b eb 85 e8 8a 4a e0 fd c6 05 ff 70 b1 05 01 48 c7 c7 10 00 d1 88 31 c0 e8 05 20 b3 fd <0f> 0b e9 64 ff ff ff e8 69 4a e0 fd c6 05 df 70 b1 05 01 48 c7 c7
RSP: 0018:ffffc90001f577d0 EFLAGS: 00010246
RAX: 8c9c9070bbb4e500 RBX: 0000000000000003 RCX: ffff8880938a63c0
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: 0000000000000003 R08: ffffffff815e16e6 R09: fffffbfff15db92a
R10: fffffbfff15db92a R11: 0000000000000000 R12: dffffc0000000000
R13: ffff88809de82000 R14: ffff8880a89237c0 R15: 1ffff11013be52b0
 sctp_wfree+0x3b1/0x710 net/sctp/socket.c:9111
 skb_release_head_state+0xfb/0x210 net/core/skbuff.c:651
 skb_release_all net/core/skbuff.c:662 [inline]
 __kfree_skb+0x22/0x1c0 net/core/skbuff.c:678
 sctp_chunk_destroy net/sctp/sm_make_chunk.c:1454 [inline]
 sctp_chunk_put+0x17b/0x200 net/sctp/sm_make_chunk.c:1481
 __sctp_outq_teardown+0x80a/0x9d0 net/sctp/outqueue.c:257
 sctp_association_free+0x21e/0x7c0 net/sctp/associola.c:339
 sctp_cmd_delete_tcb net/sctp/sm_sideeffect.c:930 [inline]
 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1318 [inline]
 sctp_side_effects net/sctp/sm_sideeffect.c:1185 [inline]
 sctp_do_sm+0x3c01/0x5560 net/sctp/sm_sideeffect.c:1156
 sctp_primitive_ABORT+0x93/0xc0 net/sctp/primitive.c:104
 sctp_close+0x231/0x770 net/sctp/socket.c:1512
 inet_release+0x135/0x180 net/ipv4/af_inet.c:427
 __sock_release net/socket.c:605 [inline]
 sock_close+0xd8/0x260 net/socket.c:1283
 __fput+0x2d8/0x730 fs/file_table.c:280
 task_work_run+0x176/0x1b0 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x5ef/0x1f80 kernel/exit.c:801
 do_group_exit+0x15e/0x2c0 kernel/exit.c:899
 __do_sys_exit_group+0x13/0x20 kernel/exit.c:910
 __se_sys_exit_group+0x10/0x10 kernel/exit.c:908
 __x64_sys_exit_group+0x37/0x40 kernel/exit.c:908
 do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x43ef98
Code: Bad RIP value.
RSP: 002b:00007ffcc7e7c398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ef98
RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
RBP: 00000000004be7a8 R08: 00000000000000e7 R09: ffffffffffffffd0
R10: 000000002059aff8 R11: 0000000000000246 R12: 0000000000000001
R13: 00000000006d01a0 R14: 0000000000000000 R15: 0000000000000000
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: WARNING: refcount bug in sctp_wfree
  2020-03-10  1:35 WARNING: refcount bug in sctp_wfree syzbot
@ 2020-03-10  9:39 ` syzbot
  2020-03-10 16:01   ` Kees Cook
  2020-03-10 16:45 ` 黄秋钧
                   ` (7 subsequent siblings)
  8 siblings, 1 reply; 30+ messages in thread
From: syzbot @ 2020-03-10  9:39 UTC (permalink / raw)
  To: ardb, davem, guohanjun, keescook, kuba, linux-kernel, linux-sctp,
	marcelo.leitner, mingo, netdev, nhorman, syzkaller-bugs,
	vyasevich, will

syzbot has bisected this bug to:

commit fb041bb7c0a918b95c6889fc965cdc4a75b4c0ca
Author: Will Deacon <will@kernel.org>
Date:   Thu Nov 21 11:59:00 2019 +0000

    locking/refcount: Consolidate implementations of refcount_t

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=117e9e91e00000
start commit:   2c523b34 Linux 5.6-rc5
git tree:       upstream
final crash:    https://syzkaller.appspot.com/x/report.txt?x=137e9e91e00000
console output: https://syzkaller.appspot.com/x/log.txt?x=157e9e91e00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=a5295e161cd85b82
dashboard link: https://syzkaller.appspot.com/bug?extid=cea71eec5d6de256d54d
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=164b5181e00000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=166dd70de00000

Reported-by: syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com
Fixes: fb041bb7c0a9 ("locking/refcount: Consolidate implementations of refcount_t")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: WARNING: refcount bug in sctp_wfree
  2020-03-10  9:39 ` syzbot
@ 2020-03-10 16:01   ` Kees Cook
  2020-03-16 15:51     ` Will Deacon
  0 siblings, 1 reply; 30+ messages in thread
From: Kees Cook @ 2020-03-10 16:01 UTC (permalink / raw)
  To: syzbot
  Cc: ardb, davem, guohanjun, kuba, linux-kernel, linux-sctp,
	marcelo.leitner, mingo, netdev, nhorman, syzkaller-bugs,
	vyasevich, will

On Tue, Mar 10, 2020 at 02:39:01AM -0700, syzbot wrote:
> syzbot has bisected this bug to:
> 
> commit fb041bb7c0a918b95c6889fc965cdc4a75b4c0ca
> Author: Will Deacon <will@kernel.org>
> Date:   Thu Nov 21 11:59:00 2019 +0000
> 
>     locking/refcount: Consolidate implementations of refcount_t

I suspect this is just bisecting to here because it made the refcount
checks more strict?

-Kees

> 
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=117e9e91e00000
> start commit:   2c523b34 Linux 5.6-rc5
> git tree:       upstream
> final crash:    https://syzkaller.appspot.com/x/report.txt?x=137e9e91e00000
> console output: https://syzkaller.appspot.com/x/log.txt?x=157e9e91e00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=a5295e161cd85b82
> dashboard link: https://syzkaller.appspot.com/bug?extid=cea71eec5d6de256d54d
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=164b5181e00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=166dd70de00000
> 
> Reported-by: syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com
> Fixes: fb041bb7c0a9 ("locking/refcount: Consolidate implementations of refcount_t")
> 
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection

-- 
Kees Cook

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: WARNING: refcount bug in sctp_wfree
  2020-03-10  1:35 WARNING: refcount bug in sctp_wfree syzbot
  2020-03-10  9:39 ` syzbot
@ 2020-03-10 16:45 ` 黄秋钧
  2020-03-11 15:00 ` Qiujun Huang
                   ` (6 subsequent siblings)
  8 siblings, 0 replies; 30+ messages in thread
From: 黄秋钧 @ 2020-03-10 16:45 UTC (permalink / raw)
  To: syzbot
  Cc: davem, kuba, linux-kernel, linux-sctp, marcelo.leitner, netdev,
	nhorman, syzkaller-bugs, vyasevich

sctp_wfree
    ->refcount_sub_and_test(sizeof(struct sctp_chunk),
                                      &sk->sk_wmem_alloc)
sctp_wfree will sub sizeof(struct sctp_chunk) for every skb. So could
we add the extra size for gso segment ?



--- a/net/sctp/output.c
+++ b/net/sctp/output.c
@@ -398,7 +398,8 @@ static void sctp_packet_gso_append(struct sk_buff
*head, struct sk_buff *skb)
        head->truesize += skb->truesize;
        head->data_len += skb->len;
        head->len += skb->len;
-       refcount_add(skb->truesize, &head->sk->sk_wmem_alloc);
+       refcount_add(skb->truesize + sizeof(struct sctp_chunk),
+                               &head->sk->sk_wmem_alloc);

        __skb_header_release(skb);

On Tue, Mar 10, 2020 at 9:36 AM syzbot
<syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    2c523b34 Linux 5.6-rc5
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=155a5f29e00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=a5295e161cd85b82
> dashboard link: https://syzkaller.appspot.com/bug?extid=cea71eec5d6de256d54d
> compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=164b5181e00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=166dd70de00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com
>
> ------------[ cut here ]------------
> refcount_t: underflow; use-after-free.
> WARNING: CPU: 1 PID: 8668 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
> Kernel panic - not syncing: panic_on_warn set ...
> CPU: 1 PID: 8668 Comm: syz-executor779 Not tainted 5.6.0-rc5-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
>  __dump_stack lib/dump_stack.c:77 [inline]
>  dump_stack+0x1e9/0x30e lib/dump_stack.c:118
>  panic+0x264/0x7a0 kernel/panic.c:221
>  __warn+0x209/0x210 kernel/panic.c:582
>  report_bug+0x1ac/0x2d0 lib/bug.c:195
>  fixup_bug arch/x86/kernel/traps.c:174 [inline]
>  do_error_trap+0xca/0x1c0 arch/x86/kernel/traps.c:267
>  do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286
>  invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
> RIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
> Code: c7 e4 ff d0 88 31 c0 e8 23 20 b3 fd 0f 0b eb 85 e8 8a 4a e0 fd c6 05 ff 70 b1 05 01 48 c7 c7 10 00 d1 88 31 c0 e8 05 20 b3 fd <0f> 0b e9 64 ff ff ff e8 69 4a e0 fd c6 05 df 70 b1 05 01 48 c7 c7
> RSP: 0018:ffffc90001f577d0 EFLAGS: 00010246
> RAX: 8c9c9070bbb4e500 RBX: 0000000000000003 RCX: ffff8880938a63c0
> RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
> RBP: 0000000000000003 R08: ffffffff815e16e6 R09: fffffbfff15db92a
> R10: fffffbfff15db92a R11: 0000000000000000 R12: dffffc0000000000
> R13: ffff88809de82000 R14: ffff8880a89237c0 R15: 1ffff11013be52b0
>  sctp_wfree+0x3b1/0x710 net/sctp/socket.c:9111
>  skb_release_head_state+0xfb/0x210 net/core/skbuff.c:651
>  skb_release_all net/core/skbuff.c:662 [inline]
>  __kfree_skb+0x22/0x1c0 net/core/skbuff.c:678
>  sctp_chunk_destroy net/sctp/sm_make_chunk.c:1454 [inline]
>  sctp_chunk_put+0x17b/0x200 net/sctp/sm_make_chunk.c:1481
>  __sctp_outq_teardown+0x80a/0x9d0 net/sctp/outqueue.c:257
>  sctp_association_free+0x21e/0x7c0 net/sctp/associola.c:339
>  sctp_cmd_delete_tcb net/sctp/sm_sideeffect.c:930 [inline]
>  sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1318 [inline]
>  sctp_side_effects net/sctp/sm_sideeffect.c:1185 [inline]
>  sctp_do_sm+0x3c01/0x5560 net/sctp/sm_sideeffect.c:1156
>  sctp_primitive_ABORT+0x93/0xc0 net/sctp/primitive.c:104
>  sctp_close+0x231/0x770 net/sctp/socket.c:1512
>  inet_release+0x135/0x180 net/ipv4/af_inet.c:427
>  __sock_release net/socket.c:605 [inline]
>  sock_close+0xd8/0x260 net/socket.c:1283
>  __fput+0x2d8/0x730 fs/file_table.c:280
>  task_work_run+0x176/0x1b0 kernel/task_work.c:113
>  exit_task_work include/linux/task_work.h:22 [inline]
>  do_exit+0x5ef/0x1f80 kernel/exit.c:801
>  do_group_exit+0x15e/0x2c0 kernel/exit.c:899
>  __do_sys_exit_group+0x13/0x20 kernel/exit.c:910
>  __se_sys_exit_group+0x10/0x10 kernel/exit.c:908
>  __x64_sys_exit_group+0x37/0x40 kernel/exit.c:908
>  do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:294
>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x43ef98
> Code: Bad RIP value.
> RSP: 002b:00007ffcc7e7c398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ef98
> RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
> RBP: 00000000004be7a8 R08: 00000000000000e7 R09: ffffffffffffffd0
> R10: 000000002059aff8 R11: 0000000000000246 R12: 0000000000000001
> R13: 00000000006d01a0 R14: 0000000000000000 R15: 0000000000000000
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: WARNING: refcount bug in sctp_wfree
  2020-03-10  1:35 WARNING: refcount bug in sctp_wfree syzbot
  2020-03-10  9:39 ` syzbot
  2020-03-10 16:45 ` 黄秋钧
@ 2020-03-11 15:00 ` Qiujun Huang
  2020-03-14  2:51   ` Qiujun Huang
  2020-03-14  2:54 ` Qiujun Huang
                   ` (5 subsequent siblings)
  8 siblings, 1 reply; 30+ messages in thread
From: Qiujun Huang @ 2020-03-11 15:00 UTC (permalink / raw)
  To: syzbot, vyasevich
  Cc: davem, kuba, linux-kernel, linux-sctp, marcelo.leitner, netdev,
	nhorman, syzkaller-bugs

sctp_wfree
    ->refcount_sub_and_test(sizeof(struct sctp_chunk),
                                      &sk->sk_wmem_alloc)
sctp_wfree will sub sizeof(struct sctp_chunk) for every skb. So could
we add the extra size for gso segment ?



--- a/net/sctp/output.c
+++ b/net/sctp/output.c
@@ -398,7 +398,8 @@ static void sctp_packet_gso_append(struct sk_buff
*head, struct sk_buff *skb)
        head->truesize += skb->truesize;
        head->data_len += skb->len;
        head->len += skb->len;
-       refcount_add(skb->truesize, &head->sk->sk_wmem_alloc);
+       refcount_add(skb->truesize + sizeof(struct sctp_chunk),
+                               &head->sk->sk_wmem_alloc);

        __skb_header_release(skb);

On Tue, Mar 10, 2020 at 9:36 AM syzbot
<syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    2c523b34 Linux 5.6-rc5
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=155a5f29e00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=a5295e161cd85b82
> dashboard link: https://syzkaller.appspot.com/bug?extid=cea71eec5d6de256d54d
> compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=164b5181e00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=166dd70de00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com
>
> ------------[ cut here ]------------
> refcount_t: underflow; use-after-free.
> WARNING: CPU: 1 PID: 8668 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
> Kernel panic - not syncing: panic_on_warn set ...
> CPU: 1 PID: 8668 Comm: syz-executor779 Not tainted 5.6.0-rc5-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
>  __dump_stack lib/dump_stack.c:77 [inline]
>  dump_stack+0x1e9/0x30e lib/dump_stack.c:118
>  panic+0x264/0x7a0 kernel/panic.c:221
>  __warn+0x209/0x210 kernel/panic.c:582
>  report_bug+0x1ac/0x2d0 lib/bug.c:195
>  fixup_bug arch/x86/kernel/traps.c:174 [inline]
>  do_error_trap+0xca/0x1c0 arch/x86/kernel/traps.c:267
>  do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286
>  invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
> RIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
> Code: c7 e4 ff d0 88 31 c0 e8 23 20 b3 fd 0f 0b eb 85 e8 8a 4a e0 fd c6 05 ff 70 b1 05 01 48 c7 c7 10 00 d1 88 31 c0 e8 05 20 b3 fd <0f> 0b e9 64 ff ff ff e8 69 4a e0 fd c6 05 df 70 b1 05 01 48 c7 c7
> RSP: 0018:ffffc90001f577d0 EFLAGS: 00010246
> RAX: 8c9c9070bbb4e500 RBX: 0000000000000003 RCX: ffff8880938a63c0
> RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
> RBP: 0000000000000003 R08: ffffffff815e16e6 R09: fffffbfff15db92a
> R10: fffffbfff15db92a R11: 0000000000000000 R12: dffffc0000000000
> R13: ffff88809de82000 R14: ffff8880a89237c0 R15: 1ffff11013be52b0
>  sctp_wfree+0x3b1/0x710 net/sctp/socket.c:9111
>  skb_release_head_state+0xfb/0x210 net/core/skbuff.c:651
>  skb_release_all net/core/skbuff.c:662 [inline]
>  __kfree_skb+0x22/0x1c0 net/core/skbuff.c:678
>  sctp_chunk_destroy net/sctp/sm_make_chunk.c:1454 [inline]
>  sctp_chunk_put+0x17b/0x200 net/sctp/sm_make_chunk.c:1481
>  __sctp_outq_teardown+0x80a/0x9d0 net/sctp/outqueue.c:257
>  sctp_association_free+0x21e/0x7c0 net/sctp/associola.c:339
>  sctp_cmd_delete_tcb net/sctp/sm_sideeffect.c:930 [inline]
>  sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1318 [inline]
>  sctp_side_effects net/sctp/sm_sideeffect.c:1185 [inline]
>  sctp_do_sm+0x3c01/0x5560 net/sctp/sm_sideeffect.c:1156
>  sctp_primitive_ABORT+0x93/0xc0 net/sctp/primitive.c:104
>  sctp_close+0x231/0x770 net/sctp/socket.c:1512
>  inet_release+0x135/0x180 net/ipv4/af_inet.c:427
>  __sock_release net/socket.c:605 [inline]
>  sock_close+0xd8/0x260 net/socket.c:1283
>  __fput+0x2d8/0x730 fs/file_table.c:280
>  task_work_run+0x176/0x1b0 kernel/task_work.c:113
>  exit_task_work include/linux/task_work.h:22 [inline]
>  do_exit+0x5ef/0x1f80 kernel/exit.c:801
>  do_group_exit+0x15e/0x2c0 kernel/exit.c:899
>  __do_sys_exit_group+0x13/0x20 kernel/exit.c:910
>  __se_sys_exit_group+0x10/0x10 kernel/exit.c:908
>  __x64_sys_exit_group+0x37/0x40 kernel/exit.c:908
>  do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:294
>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x43ef98
> Code: Bad RIP value.
> RSP: 002b:00007ffcc7e7c398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ef98
> RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
> RBP: 00000000004be7a8 R08: 00000000000000e7 R09: ffffffffffffffd0
> R10: 000000002059aff8 R11: 0000000000000246 R12: 0000000000000001
> R13: 00000000006d01a0 R14: 0000000000000000 R15: 0000000000000000
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: WARNING: refcount bug in sctp_wfree
  2020-03-11 15:00 ` Qiujun Huang
@ 2020-03-14  2:51   ` Qiujun Huang
  2020-03-14  2:59     ` Qiujun Huang
  0 siblings, 1 reply; 30+ messages in thread
From: Qiujun Huang @ 2020-03-14  2:51 UTC (permalink / raw)
  To: syzbot, vyasevich
  Cc: davem, kuba, linux-kernel, linux-sctp, marcelo.leitner, netdev,
	nhorman, syzkaller-bugs

For geo segment sob, we shouldn't subtract the sizeof(struct
scup_chunk) in scup_wfree.

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index fed26a1e9518..e0cc5d7c88fb 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -9085,7 +9085,9 @@ static void sctp_wfree(struct sk_buff *skb)
        sk_mem_uncharge(sk, skb->truesize);
        sk->sk_wmem_queued -= skb->truesize + sizeof(struct sctp_chunk);
        asoc->sndbuf_used -= skb->truesize + sizeof(struct sctp_chunk);
-       WARN_ON(refcount_sub_and_test(sizeof(struct sctp_chunk),
+
+       if (skb_is_gso(skb))
+               WARN_ON(refcount_sub_and_test(sizeof(struct sctp_chunk),
                                      &sk->sk_wmem_alloc));

On Wed, Mar 11, 2020 at 11:00 PM Qiujun Huang <anenbupt@gmail.com> wrote:
>
> sctp_wfree
>     ->refcount_sub_and_test(sizeof(struct sctp_chunk),
>                                       &sk->sk_wmem_alloc)
> sctp_wfree will sub sizeof(struct sctp_chunk) for every skb. So could
> we add the extra size for gso segment ?
>
>
>
> --- a/net/sctp/output.c
> +++ b/net/sctp/output.c
> @@ -398,7 +398,8 @@ static void sctp_packet_gso_append(struct sk_buff
> *head, struct sk_buff *skb)
>         head->truesize += skb->truesize;
>         head->data_len += skb->len;
>         head->len += skb->len;
> -       refcount_add(skb->truesize, &head->sk->sk_wmem_alloc);
> +       refcount_add(skb->truesize + sizeof(struct sctp_chunk),
> +                               &head->sk->sk_wmem_alloc);
>
>         __skb_header_release(skb);
>
> On Tue, Mar 10, 2020 at 9:36 AM syzbot
> <syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com> wrote:
> >
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:    2c523b34 Linux 5.6-rc5
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=155a5f29e00000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=a5295e161cd85b82
> > dashboard link: https://syzkaller.appspot.com/bug?extid=cea71eec5d6de256d54d
> > compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=164b5181e00000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=166dd70de00000
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com
> >
> > ------------[ cut here ]------------
> > refcount_t: underflow; use-after-free.
> > WARNING: CPU: 1 PID: 8668 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
> > Kernel panic - not syncing: panic_on_warn set ...
> > CPU: 1 PID: 8668 Comm: syz-executor779 Not tainted 5.6.0-rc5-syzkaller #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > Call Trace:
> >  __dump_stack lib/dump_stack.c:77 [inline]
> >  dump_stack+0x1e9/0x30e lib/dump_stack.c:118
> >  panic+0x264/0x7a0 kernel/panic.c:221
> >  __warn+0x209/0x210 kernel/panic.c:582
> >  report_bug+0x1ac/0x2d0 lib/bug.c:195
> >  fixup_bug arch/x86/kernel/traps.c:174 [inline]
> >  do_error_trap+0xca/0x1c0 arch/x86/kernel/traps.c:267
> >  do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286
> >  invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
> > RIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
> > Code: c7 e4 ff d0 88 31 c0 e8 23 20 b3 fd 0f 0b eb 85 e8 8a 4a e0 fd c6 05 ff 70 b1 05 01 48 c7 c7 10 00 d1 88 31 c0 e8 05 20 b3 fd <0f> 0b e9 64 ff ff ff e8 69 4a e0 fd c6 05 df 70 b1 05 01 48 c7 c7
> > RSP: 0018:ffffc90001f577d0 EFLAGS: 00010246
> > RAX: 8c9c9070bbb4e500 RBX: 0000000000000003 RCX: ffff8880938a63c0
> > RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
> > RBP: 0000000000000003 R08: ffffffff815e16e6 R09: fffffbfff15db92a
> > R10: fffffbfff15db92a R11: 0000000000000000 R12: dffffc0000000000
> > R13: ffff88809de82000 R14: ffff8880a89237c0 R15: 1ffff11013be52b0
> >  sctp_wfree+0x3b1/0x710 net/sctp/socket.c:9111
> >  skb_release_head_state+0xfb/0x210 net/core/skbuff.c:651
> >  skb_release_all net/core/skbuff.c:662 [inline]
> >  __kfree_skb+0x22/0x1c0 net/core/skbuff.c:678
> >  sctp_chunk_destroy net/sctp/sm_make_chunk.c:1454 [inline]
> >  sctp_chunk_put+0x17b/0x200 net/sctp/sm_make_chunk.c:1481
> >  __sctp_outq_teardown+0x80a/0x9d0 net/sctp/outqueue.c:257
> >  sctp_association_free+0x21e/0x7c0 net/sctp/associola.c:339
> >  sctp_cmd_delete_tcb net/sctp/sm_sideeffect.c:930 [inline]
> >  sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1318 [inline]
> >  sctp_side_effects net/sctp/sm_sideeffect.c:1185 [inline]
> >  sctp_do_sm+0x3c01/0x5560 net/sctp/sm_sideeffect.c:1156
> >  sctp_primitive_ABORT+0x93/0xc0 net/sctp/primitive.c:104
> >  sctp_close+0x231/0x770 net/sctp/socket.c:1512
> >  inet_release+0x135/0x180 net/ipv4/af_inet.c:427
> >  __sock_release net/socket.c:605 [inline]
> >  sock_close+0xd8/0x260 net/socket.c:1283
> >  __fput+0x2d8/0x730 fs/file_table.c:280
> >  task_work_run+0x176/0x1b0 kernel/task_work.c:113
> >  exit_task_work include/linux/task_work.h:22 [inline]
> >  do_exit+0x5ef/0x1f80 kernel/exit.c:801
> >  do_group_exit+0x15e/0x2c0 kernel/exit.c:899
> >  __do_sys_exit_group+0x13/0x20 kernel/exit.c:910
> >  __se_sys_exit_group+0x10/0x10 kernel/exit.c:908
> >  __x64_sys_exit_group+0x37/0x40 kernel/exit.c:908
> >  do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:294
> >  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > RIP: 0033:0x43ef98
> > Code: Bad RIP value.
> > RSP: 002b:00007ffcc7e7c398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
> > RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ef98
> > RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
> > RBP: 00000000004be7a8 R08: 00000000000000e7 R09: ffffffffffffffd0
> > R10: 000000002059aff8 R11: 0000000000000246 R12: 0000000000000001
> > R13: 00000000006d01a0 R14: 0000000000000000 R15: 0000000000000000
> > Kernel Offset: disabled
> > Rebooting in 86400 seconds..
> >
> >
> > ---
> > This bug is generated by a bot. It may contain errors.
> > See https://goo.gl/tpsmEJ for more information about syzbot.
> > syzbot engineers can be reached at syzkaller@googlegroups.com.
> >
> > syzbot will keep track of this bug report. See:
> > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> > syzbot can test patches for this bug, for details see:
> > https://goo.gl/tpsmEJ#testing-patches

^ permalink raw reply related	[flat|nested] 30+ messages in thread

* Re: WARNING: refcount bug in sctp_wfree
  2020-03-10  1:35 WARNING: refcount bug in sctp_wfree syzbot
                   ` (2 preceding siblings ...)
  2020-03-11 15:00 ` Qiujun Huang
@ 2020-03-14  2:54 ` Qiujun Huang
  2020-03-14  2:55   ` Qiujun Huang
  2020-03-14  4:04   ` syzbot
  2020-03-14  5:10 ` Qiujun Huang
                   ` (4 subsequent siblings)
  8 siblings, 2 replies; 30+ messages in thread
From: Qiujun Huang @ 2020-03-14  2:54 UTC (permalink / raw)
  To: syzbot
  Cc: davem, kuba, linux-kernel, linux-sctp, marcelo.leitner, netdev,
	nhorman, syzkaller-bugs, vyasevich

#syz test: https://github.com/hqj/hqjagain_test.git scup_wfree

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: WARNING: refcount bug in sctp_wfree
  2020-03-14  2:54 ` Qiujun Huang
@ 2020-03-14  2:55   ` Qiujun Huang
  2020-03-14  4:08     ` syzbot
  2020-03-14  4:04   ` syzbot
  1 sibling, 1 reply; 30+ messages in thread
From: Qiujun Huang @ 2020-03-14  2:55 UTC (permalink / raw)
  To: syzbot
  Cc: davem, kuba, linux-kernel, linux-sctp, marcelo.leitner, netdev,
	nhorman, syzkaller-bugs, vyasevich

#syz test: https://github.com/hqj/hqjagain_test.git sctp_wfree

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: WARNING: refcount bug in sctp_wfree
  2020-03-14  2:51   ` Qiujun Huang
@ 2020-03-14  2:59     ` Qiujun Huang
  0 siblings, 0 replies; 30+ messages in thread
From: Qiujun Huang @ 2020-03-14  2:59 UTC (permalink / raw)
  To: syzbot, vyasevich
  Cc: davem, kuba, linux-kernel, linux-sctp, marcelo.leitner, netdev,
	nhorman, syzkaller-bugs

On Sat, Mar 14, 2020 at 10:51 AM Qiujun Huang <anenbupt@gmail.com> wrote:
>
> For geo segment sob, we shouldn't subtract the sizeof(struct
> scup_chunk) in scup_wfree.

For gso segment skb, we shouldn't subtract the sizeof(struct
sctp_chunk) in sctp_wfree.

Sorry about the typos. Thanks!

>
> diff --git a/net/sctp/socket.c b/net/sctp/socket.c
> index fed26a1e9518..e0cc5d7c88fb 100644
> --- a/net/sctp/socket.c
> +++ b/net/sctp/socket.c
> @@ -9085,7 +9085,9 @@ static void sctp_wfree(struct sk_buff *skb)
>         sk_mem_uncharge(sk, skb->truesize);
>         sk->sk_wmem_queued -= skb->truesize + sizeof(struct sctp_chunk);
>         asoc->sndbuf_used -= skb->truesize + sizeof(struct sctp_chunk);
> -       WARN_ON(refcount_sub_and_test(sizeof(struct sctp_chunk),
> +
> +       if (skb_is_gso(skb))
> +               WARN_ON(refcount_sub_and_test(sizeof(struct sctp_chunk),
>                                       &sk->sk_wmem_alloc));
>
> On Wed, Mar 11, 2020 at 11:00 PM Qiujun Huang <anenbupt@gmail.com> wrote:
> >
> > sctp_wfree
> >     ->refcount_sub_and_test(sizeof(struct sctp_chunk),
> >                                       &sk->sk_wmem_alloc)
> > sctp_wfree will sub sizeof(struct sctp_chunk) for every skb. So could
> > we add the extra size for gso segment ?
> >
> >
> >
> > --- a/net/sctp/output.c
> > +++ b/net/sctp/output.c
> > @@ -398,7 +398,8 @@ static void sctp_packet_gso_append(struct sk_buff
> > *head, struct sk_buff *skb)
> >         head->truesize += skb->truesize;
> >         head->data_len += skb->len;
> >         head->len += skb->len;
> > -       refcount_add(skb->truesize, &head->sk->sk_wmem_alloc);
> > +       refcount_add(skb->truesize + sizeof(struct sctp_chunk),
> > +                               &head->sk->sk_wmem_alloc);
> >
> >         __skb_header_release(skb);
> >
> > On Tue, Mar 10, 2020 at 9:36 AM syzbot
> > <syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com> wrote:
> > >
> > > Hello,
> > >
> > > syzbot found the following crash on:
> > >
> > > HEAD commit:    2c523b34 Linux 5.6-rc5
> > > git tree:       upstream
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=155a5f29e00000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=a5295e161cd85b82
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=cea71eec5d6de256d54d
> > > compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
> > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=164b5181e00000
> > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=166dd70de00000
> > >
> > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > Reported-by: syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com
> > >
> > > ------------[ cut here ]------------
> > > refcount_t: underflow; use-after-free.
> > > WARNING: CPU: 1 PID: 8668 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
> > > Kernel panic - not syncing: panic_on_warn set ...
> > > CPU: 1 PID: 8668 Comm: syz-executor779 Not tainted 5.6.0-rc5-syzkaller #0
> > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > > Call Trace:
> > >  __dump_stack lib/dump_stack.c:77 [inline]
> > >  dump_stack+0x1e9/0x30e lib/dump_stack.c:118
> > >  panic+0x264/0x7a0 kernel/panic.c:221
> > >  __warn+0x209/0x210 kernel/panic.c:582
> > >  report_bug+0x1ac/0x2d0 lib/bug.c:195
> > >  fixup_bug arch/x86/kernel/traps.c:174 [inline]
> > >  do_error_trap+0xca/0x1c0 arch/x86/kernel/traps.c:267
> > >  do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286
> > >  invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
> > > RIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
> > > Code: c7 e4 ff d0 88 31 c0 e8 23 20 b3 fd 0f 0b eb 85 e8 8a 4a e0 fd c6 05 ff 70 b1 05 01 48 c7 c7 10 00 d1 88 31 c0 e8 05 20 b3 fd <0f> 0b e9 64 ff ff ff e8 69 4a e0 fd c6 05 df 70 b1 05 01 48 c7 c7
> > > RSP: 0018:ffffc90001f577d0 EFLAGS: 00010246
> > > RAX: 8c9c9070bbb4e500 RBX: 0000000000000003 RCX: ffff8880938a63c0
> > > RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
> > > RBP: 0000000000000003 R08: ffffffff815e16e6 R09: fffffbfff15db92a
> > > R10: fffffbfff15db92a R11: 0000000000000000 R12: dffffc0000000000
> > > R13: ffff88809de82000 R14: ffff8880a89237c0 R15: 1ffff11013be52b0
> > >  sctp_wfree+0x3b1/0x710 net/sctp/socket.c:9111
> > >  skb_release_head_state+0xfb/0x210 net/core/skbuff.c:651
> > >  skb_release_all net/core/skbuff.c:662 [inline]
> > >  __kfree_skb+0x22/0x1c0 net/core/skbuff.c:678
> > >  sctp_chunk_destroy net/sctp/sm_make_chunk.c:1454 [inline]
> > >  sctp_chunk_put+0x17b/0x200 net/sctp/sm_make_chunk.c:1481
> > >  __sctp_outq_teardown+0x80a/0x9d0 net/sctp/outqueue.c:257
> > >  sctp_association_free+0x21e/0x7c0 net/sctp/associola.c:339
> > >  sctp_cmd_delete_tcb net/sctp/sm_sideeffect.c:930 [inline]
> > >  sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1318 [inline]
> > >  sctp_side_effects net/sctp/sm_sideeffect.c:1185 [inline]
> > >  sctp_do_sm+0x3c01/0x5560 net/sctp/sm_sideeffect.c:1156
> > >  sctp_primitive_ABORT+0x93/0xc0 net/sctp/primitive.c:104
> > >  sctp_close+0x231/0x770 net/sctp/socket.c:1512
> > >  inet_release+0x135/0x180 net/ipv4/af_inet.c:427
> > >  __sock_release net/socket.c:605 [inline]
> > >  sock_close+0xd8/0x260 net/socket.c:1283
> > >  __fput+0x2d8/0x730 fs/file_table.c:280
> > >  task_work_run+0x176/0x1b0 kernel/task_work.c:113
> > >  exit_task_work include/linux/task_work.h:22 [inline]
> > >  do_exit+0x5ef/0x1f80 kernel/exit.c:801
> > >  do_group_exit+0x15e/0x2c0 kernel/exit.c:899
> > >  __do_sys_exit_group+0x13/0x20 kernel/exit.c:910
> > >  __se_sys_exit_group+0x10/0x10 kernel/exit.c:908
> > >  __x64_sys_exit_group+0x37/0x40 kernel/exit.c:908
> > >  do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:294
> > >  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > > RIP: 0033:0x43ef98
> > > Code: Bad RIP value.
> > > RSP: 002b:00007ffcc7e7c398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
> > > RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ef98
> > > RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
> > > RBP: 00000000004be7a8 R08: 00000000000000e7 R09: ffffffffffffffd0
> > > R10: 000000002059aff8 R11: 0000000000000246 R12: 0000000000000001
> > > R13: 00000000006d01a0 R14: 0000000000000000 R15: 0000000000000000
> > > Kernel Offset: disabled
> > > Rebooting in 86400 seconds..
> > >
> > >
> > > ---
> > > This bug is generated by a bot. It may contain errors.
> > > See https://goo.gl/tpsmEJ for more information about syzbot.
> > > syzbot engineers can be reached at syzkaller@googlegroups.com.
> > >
> > > syzbot will keep track of this bug report. See:
> > > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> > > syzbot can test patches for this bug, for details see:
> > > https://goo.gl/tpsmEJ#testing-patches

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: WARNING: refcount bug in sctp_wfree
  2020-03-14  2:54 ` Qiujun Huang
  2020-03-14  2:55   ` Qiujun Huang
@ 2020-03-14  4:04   ` syzbot
  1 sibling, 0 replies; 30+ messages in thread
From: syzbot @ 2020-03-14  4:04 UTC (permalink / raw)
  To: anenbupt, davem, kuba, linux-kernel, linux-sctp, marcelo.leitner,
	netdev, nhorman, syzkaller-bugs, vyasevich

Hello,

syzbot tried to test the proposed patch but build/boot failed:

failed to checkout kernel repo https://github.com/hqj/hqjagain_test.git/scup_wfree: failed to run ["git" "fetch" "https://github.com/hqj/hqjagain_test.git" "scup_wfree"]: exit status 128
fatal: couldn't find remote ref scup_wfree



Tested on:

commit:         [unknown 
git tree:       https://github.com/hqj/hqjagain_test.git scup_wfree
dashboard link: https://syzkaller.appspot.com/bug?extid=cea71eec5d6de256d54d
compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)


^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: WARNING: refcount bug in sctp_wfree
  2020-03-14  2:55   ` Qiujun Huang
@ 2020-03-14  4:08     ` syzbot
  0 siblings, 0 replies; 30+ messages in thread
From: syzbot @ 2020-03-14  4:08 UTC (permalink / raw)
  To: anenbupt, davem, kuba, linux-kernel, linux-sctp, marcelo.leitner,
	netdev, nhorman, syzkaller-bugs, vyasevich

Hello,

syzbot tried to test the proposed patch but build/boot failed:

/platform/chrome/cros_kbd_led_backlight.o
  CC      drivers/media/rc/keymaps/rc-msi-digivox-iii.o
  CC      drivers/hid/hid-a4tech.o
  CC      drivers/md/dm-mpath.o
  CC      drivers/md/dm-round-robin.o
  CC      drivers/infiniband/sw/rxe/rxe_qp.o
  CC      drivers/staging/exfat/exfat_nls.o
  CC      drivers/md/dm-queue-length.o
  CC      drivers/infiniband/hw/mlx4/alias_GUID.o
  CC      drivers/gpu/drm/i915/display/dvo_ch7017.o
  CC      drivers/gpu/drm/i915/display/dvo_ch7xxx.o
  CC      drivers/staging/exfat/exfat_upcase.o
  CC      drivers/gpu/drm/i915/display/dvo_ivch.o
  CC      net/netfilter/xt_multiport.o
  AR      drivers/mailbox/built-in.a
  CC      drivers/hid/hid-axff.o
  CC      drivers/infiniband/hw/mlx4/sysfs.o
  CC      drivers/hid/hid-apple.o
  CC      drivers/infiniband/sw/rxe/rxe_cq.o
  CC      drivers/infiniband/sw/siw/siw_verbs.o
  CC      drivers/soundwire/mipi_disco.o
  CC      drivers/infiniband/hw/usnic/usnic_ib_sysfs.o
  CC      drivers/md/dm-service-time.o
  CC      drivers/media/rc/keymaps/rc-msi-tvanywhere.o
  CC      drivers/hid/hid-belkin.o
  CC      drivers/infiniband/sw/rxe/rxe_mr.o
  AR      drivers/infiniband/ulp/opa_vnic/built-in.a
  AR      drivers/infiniband/ulp/built-in.a
  CC      drivers/platform/chrome/cros_ec_chardev.o
  CC      drivers/ras/ras.o
  AR      drivers/extcon/built-in.a
  AR      drivers/isdn/mISDN/built-in.a
  CC      drivers/crypto/qat/qat_common/qat_uclo.o
  AR      drivers/isdn/built-in.a
  CC      drivers/infiniband/core/fmr_pool.o
  CC      drivers/platform/chrome/cros_ec_lightbar.o
  CC      drivers/ras/debugfs.o
  CC      net/netfilter/xt_nfacct.o
  CC      drivers/crypto/qat/qat_common/qat_hal.o
  CC      drivers/infiniband/sw/rxe/rxe_opcode.o
  CC      drivers/soundwire/stream.o
  CC      drivers/crypto/qat/qat_common/adf_transport_debug.o
  CC      drivers/hid/hid-cherry.o
  CC      drivers/gpu/drm/i915/display/dvo_ns2501.o
  CC      drivers/soundwire/debugfs.o
  CC      net/netfilter/xt_osf.o
  CC      drivers/infiniband/hw/usnic/usnic_ib_verbs.o
  CC      drivers/infiniband/core/cache.o
  CC      drivers/thunderbolt/nhi.o
  CC      drivers/infiniband/hw/usnic/usnic_debugfs.o
  CC      drivers/hid/hid-chicony.o
  CC      drivers/media/rc/keymaps/rc-msi-tvanywhere-plus.o
  CC      drivers/media/rc/keymaps/rc-nebula.o
  AR      drivers/hwtracing/intel_th/built-in.a
  CC      drivers/thunderbolt/nhi_ops.o
  CC      drivers/hid/hid-cypress.o
  CC      drivers/hid/hid-dr.o
  CC      drivers/infiniband/core/netlink.o
  CC      drivers/platform/chrome/cros_ec_debugfs.o
  CC      drivers/crypto/qat/qat_common/adf_sriov.o
  CC      drivers/platform/chrome/cros_ec_sysfs.o
  CC      drivers/infiniband/sw/rxe/rxe_mmap.o
  CC      drivers/android/binder.o
  CC      drivers/android/binder_alloc.o
  CC      drivers/hid/hid-emsff.o
  CC      drivers/infiniband/sw/rxe/rxe_icrc.o
  CC      drivers/hid/hid-elecom.o
  CC      drivers/hid/hid-ezkey.o
  CC      drivers/hid/hid-google-hammer.o
  CC      drivers/media/rc/keymaps/rc-nec-terratec-cinergy-xs.o
  CC      drivers/md/dm-snap.o
  CC      net/netfilter/xt_owner.o
  CC      drivers/infiniband/core/roce_gid_mgmt.o
  CC      drivers/infiniband/core/mr_pool.o
  CC      drivers/hid/hid-gyration.o
  CC      drivers/hid/hid-holtek-kbd.o
  CC      drivers/hid/hid-holtek-mouse.o
  CC      net/netfilter/xt_cgroup.o
  CC      drivers/nvmem/core.o
  CC      drivers/gpu/drm/i915/display/dvo_sil164.o
  CC      drivers/gpu/drm/i915/display/dvo_tfp410.o
  CC      drivers/crypto/qat/qat_common/adf_pf2vf_msg.o
  CC      drivers/nvmem/nvmem-sysfs.o
  CC      drivers/counter/counter.o
  CC      drivers/crypto/qat/qat_common/adf_vf2pf_msg.o
  CC      drivers/thunderbolt/ctl.o
  CC      drivers/infiniband/sw/rxe/rxe_mcast.o
  CC      drivers/gpu/drm/i915/display/icl_dsi.o
  CC      drivers/thunderbolt/tb.o
  CC      drivers/gpu/drm/i915/display/intel_crt.o
  CC      drivers/md/dm-exception-store.o
  CC      drivers/thunderbolt/switch.o
  CC      drivers/media/rc/keymaps/rc-norwood.o
  CC      drivers/infiniband/sw/rxe/rxe_task.o
  CC      drivers/infiniband/sw/rxe/rxe_net.o
  CC      drivers/infiniband/sw/rxe/rxe_sysfs.o
  CC      net/netfilter/xt_physdev.o
  AR      drivers/platform/chrome/built-in.a
  CC      drivers/crypto/qat/qat_common/adf_vf_isr.o
  CC      drivers/media/rc/keymaps/rc-npgtech.o
  AR      drivers/platform/built-in.a
  CC      drivers/media/rc/keymaps/rc-odroid.o
  CC      drivers/infiniband/core/sa_query.o
  CC      drivers/infiniband/core/addr.o
  CC      drivers/media/rc/keymaps/rc-pctv-sedna.o
  CC      drivers/infiniband/sw/rxe/rxe_hw_counters.o
  CC      drivers/media/rc/keymaps/rc-pinnacle-color.o
  CC      net/netfilter/xt_pkttype.o
  CC      net/netfilter/xt_policy.o
  CC      drivers/media/rc/keymaps/rc-pinnacle-grey.o
  CC      net/netfilter/xt_quota.o
  CC      drivers/hid/hid-holtekff.o
  CC      drivers/hid/hid-ite.o
  CC      drivers/thunderbolt/cap.o
  CC      net/netfilter/xt_rateest.o
  CC      drivers/thunderbolt/path.o
  CC      drivers/thunderbolt/tunnel.o
  CC      drivers/gpu/drm/i915/display/intel_ddi.o
  CC      net/netfilter/xt_realm.o
  AR      drivers/vhost/built-in.a
  CC      drivers/thunderbolt/eeprom.o
  AR      drivers/ras/built-in.a
  CC      drivers/gpu/drm/i915/display/intel_dp.o
  CC      drivers/gpu/drm/i915/display/intel_dp_aux_backlight.o
  CC      drivers/thunderbolt/domain.o
  CC      drivers/thunderbolt/dma_port.o
  CC      drivers/gpu/drm/i915/display/intel_dp_link_training.o
  CC      drivers/thunderbolt/icm.o
  CC      drivers/hid/hid-kensington.o
  CC      drivers/hid/hid-keytouch.o
  AR      drivers/soundwire/built-in.a
  CC      drivers/infiniband/core/multicast.o
  AR      drivers/staging/exfat/built-in.a
  AR      drivers/staging/built-in.a
  CC      drivers/gpu/drm/i915/display/intel_dp_mst.o
  CC      drivers/md/dm-snap-transient.o
  CC      drivers/hid/hid-kye.o
  CC      drivers/md/dm-snap-persistent.o
  AR      drivers/infiniband/hw/usnic/built-in.a
  CC      drivers/md/dm-raid1.o
  CC      drivers/md/dm-log.o
  AR      drivers/infiniband/sw/siw/built-in.a
  CC      drivers/md/dm-region-hash.o
  CC      drivers/thunderbolt/property.o
  CC      drivers/media/rc/keymaps/rc-pinnacle-pctv-hd.o
  CC      drivers/thunderbolt/xdomain.o
  CC      drivers/hid/hid-lcpower.o
  CC      drivers/gpu/drm/i915/display/intel_dsi.o
  CC      drivers/media/rc/keymaps/rc-pixelview.o
  CC      drivers/hid/hid-lg.o
  CC      drivers/media/rc/keymaps/rc-pixelview-mk12.o
  CC      drivers/media/rc/keymaps/rc-pixelview-002t.o
  CC      drivers/hid/hid-lgff.o
  CC      drivers/thunderbolt/lc.o
  CC      drivers/infiniband/core/mad.o
  CC      net/netfilter/xt_recent.o
  CC      drivers/infiniband/core/smi.o
  CC      drivers/md/dm-zero.o
  CC      drivers/media/rc/keymaps/rc-pixelview-new.o
  CC      net/netfilter/xt_sctp.o
  CC      drivers/infiniband/core/agent.o
  CC      net/netfilter/xt_socket.o
  CC      drivers/media/rc/keymaps/rc-powercolor-real-angel.o
  CC      drivers/md/dm-raid.o
  AR      drivers/crypto/qat/qat_common/built-in.a
  CC      drivers/md/dm-thin.o
  AR      drivers/nvmem/built-in.a
  AR      drivers/crypto/qat/built-in.a
  CC      drivers/hid/hid-lg2ff.o
  AR      drivers/crypto/built-in.a
  CC      net/netfilter/xt_state.o
  CC      drivers/gpu/drm/i915/display/intel_dsi_dcs_backlight.o
  CC      net/netfilter/xt_statistic.o
  CC      drivers/hid/hid-lg3ff.o
  CC      drivers/hid/hid-lg4ff.o
  CC      drivers/thunderbolt/tmu.o
  CC      drivers/hid/hid-lg-g15.o
  CC      net/netfilter/xt_string.o
  CC      drivers/thunderbolt/usb4.o
  CC      net/netfilter/xt_tcpmss.o
  CC      drivers/gpu/drm/i915/display/intel_dsi_vbt.o
  CC      drivers/gpu/drm/i915/display/intel_dvo.o
  CC      drivers/md/dm-thin-metadata.o
  CC      drivers/md/dm-verity-fec.o
  CC      drivers/md/dm-verity-target.o
  CC      drivers/hid/hid-logitech-dj.o
  CC      drivers/media/rc/keymaps/rc-proteus-2309.o
  CC      drivers/md/dm-cache-target.o
  AR      drivers/counter/built-in.a
  CC      drivers/md/dm-cache-metadata.o
  CC      drivers/gpu/drm/i915/display/intel_gmbus.o
  CC      drivers/hid/hid-logitech-hidpp.o
  CC      drivers/hid/hid-magicmouse.o
  CC      drivers/gpu/drm/i915/display/intel_hdmi.o
  CC      drivers/gpu/drm/i915/display/intel_lspcon.o
  AR      drivers/infiniband/sw/rxe/built-in.a
  CC      drivers/infiniband/core/mad_rmpp.o
  CC      drivers/media/rc/keymaps/rc-purpletv.o
  CC      drivers/gpu/drm/i915/display/intel_lvds.o
  CC      drivers/md/dm-cache-policy.o
  CC      drivers/infiniband/core/nldev.o
  CC      drivers/infiniband/core/restrack.o
  CC      net/netfilter/xt_time.o
  CC      net/netfilter/xt_u32.o
  CC      drivers/infiniband/core/counters.o
  CC      drivers/hid/hid-microsoft.o
  CC      drivers/hid/hid-monterey.o
  CC      drivers/media/rc/keymaps/rc-pv951.o
  CC      drivers/hid/hid-multitouch.o
  CC      drivers/media/rc/keymaps/rc-hauppauge.o
  CC      drivers/hid/hid-ntrig.o
  AR      drivers/infiniband/sw/rdmavt/built-in.a
  AR      drivers/infiniband/sw/built-in.a
  CC      drivers/hid/hid-ortek.o
  CC      drivers/gpu/drm/i915/display/intel_panel.o
  CC      drivers/infiniband/core/ib_core_uverbs.o
  CC      drivers/media/rc/keymaps/rc-real-audio-220-32-keys.o
  CC      drivers/media/rc/keymaps/rc-rc6-mce.o
  CC      drivers/gpu/drm/i915/display/intel_sdvo.o
  CC      drivers/md/dm-cache-background-tracker.o
  CC      drivers/hid/hid-prodikeys.o
  CC      drivers/gpu/drm/i915/display/intel_tv.o
  CC      drivers/media/rc/keymaps/rc-reddo.o
  CC      drivers/media/rc/keymaps/rc-snapstream-firefly.o
  CC      drivers/media/rc/keymaps/rc-streamzap.o
  CC      drivers/md/dm-cache-policy-smq.o
  CC      drivers/hid/hid-pl.o
  CC      drivers/gpu/drm/i915/display/intel_vdsc.o
  CC      drivers/gpu/drm/i915/display/vlv_dsi.o
  CC      drivers/hid/hid-petalynx.o
  CC      drivers/hid/hid-picolcd_core.o
  CC      drivers/media/rc/keymaps/rc-tango.o
  CC      drivers/md/dm-clone-target.o
  CC      drivers/media/rc/keymaps/rc-tanix-tx3mini.o
  CC      drivers/hid/hid-picolcd_debugfs.o
  CC      drivers/md/dm-clone-metadata.o
  CC      drivers/md/dm-integrity.o
  CC      drivers/md/dm-zoned-target.o
  CC      drivers/hid/hid-plantronics.o
  CC      drivers/gpu/drm/i915/display/vlv_dsi_pll.o
  CC      drivers/md/dm-zoned-metadata.o
  AR      drivers/thunderbolt/built-in.a
  CC      drivers/hid/hid-primax.o
  CC      drivers/media/rc/keymaps/rc-tanix-tx5max.o
  CC      drivers/infiniband/core/trace.o
  CC      drivers/infiniband/core/security.o
  CC      drivers/gpu/drm/i915/oa/i915_oa_hsw.o
  CC      drivers/md/dm-zoned-reclaim.o
  CC      drivers/gpu/drm/i915/oa/i915_oa_bdw.o
  CC      drivers/media/rc/keymaps/rc-tbs-nec.o
  CC      drivers/media/rc/keymaps/rc-technisat-ts35.o
  CC      drivers/md/dm-writecache.o
  CC      drivers/gpu/drm/i915/oa/i915_oa_chv.o
  CC      drivers/hid/hid-roccat.o
  AR      net/netfilter/built-in.a
  CC      drivers/infiniband/core/cgroup.o
Makefile:1683: recipe for target 'net' failed
make: *** [net] Error 2
make: *** Waiting for unfinished jobs....
  CC      drivers/media/rc/keymaps/rc-technisat-usb2.o
  CC      drivers/media/rc/keymaps/rc-terratec-cinergy-c-pci.o
  AR      drivers/infiniband/hw/mlx4/built-in.a
  CC      drivers/gpu/drm/i915/oa/i915_oa_sklgt2.o
  AR      drivers/infiniband/hw/built-in.a
  CC      drivers/gpu/drm/i915/oa/i915_oa_sklgt3.o
  CC      drivers/gpu/drm/i915/oa/i915_oa_sklgt4.o
  CC      drivers/hid/hid-roccat-common.o
  CC      drivers/infiniband/core/cm.o
  CC      drivers/gpu/drm/i915/oa/i915_oa_bxt.o
  CC      drivers/gpu/drm/i915/oa/i915_oa_kblgt2.o
  CC      drivers/gpu/drm/i915/oa/i915_oa_kblgt3.o
  CC      drivers/media/rc/keymaps/rc-terratec-cinergy-s2-hd.o
  CC      drivers/media/rc/keymaps/rc-terratec-cinergy-xs.o
  CC      drivers/media/rc/keymaps/rc-terratec-slim.o
  CC      drivers/media/rc/keymaps/rc-terratec-slim-2.o
  CC      drivers/infiniband/core/iwcm.o
  CC      drivers/infiniband/core/iwpm_util.o
  CC      drivers/infiniband/core/iwpm_msg.o
  CC      drivers/media/rc/keymaps/rc-tevii-nec.o
  CC      drivers/media/rc/keymaps/rc-tivo.o
  CC      drivers/gpu/drm/i915/oa/i915_oa_glk.o
  CC      drivers/gpu/drm/i915/oa/i915_oa_cflgt2.o
  CC      drivers/hid/hid-roccat-arvo.o
  CC      drivers/infiniband/core/cma.o
  CC      drivers/gpu/drm/i915/oa/i915_oa_cflgt3.o
  CC      drivers/hid/hid-roccat-isku.o
  CC      drivers/infiniband/core/cma_trace.o
  CC      drivers/media/rc/keymaps/rc-total-media-in-hand.o
  CC      drivers/media/rc/keymaps/rc-total-media-in-hand-02.o
  CC      drivers/hid/hid-roccat-kone.o
  CC      drivers/media/rc/keymaps/rc-trekstor.o
  CC      drivers/infiniband/core/cma_configfs.o
  CC      drivers/infiniband/core/user_mad.o
  CC      drivers/infiniband/core/uverbs_main.o
  CC      drivers/hid/hid-roccat-koneplus.o
  CC      drivers/media/rc/keymaps/rc-tt-1500.o
  CC      drivers/infiniband/core/uverbs_cmd.o
  CC      drivers/infiniband/core/uverbs_marshall.o
  CC      drivers/hid/hid-roccat-konepure.o
  CC      drivers/hid/hid-roccat-kovaplus.o
  CC      drivers/media/rc/keymaps/rc-twinhan-dtv-cab-ci.o
  CC      drivers/gpu/drm/i915/oa/i915_oa_cnl.o
  CC      drivers/gpu/drm/i915/oa/i915_oa_icl.o
  CC      drivers/infiniband/core/rdma_core.o
  CC      drivers/hid/hid-roccat-lua.o
  CC      drivers/hid/hid-roccat-pyra.o
  CC      drivers/hid/hid-roccat-ryos.o
  CC      drivers/infiniband/core/uverbs_std_types.o
  CC      drivers/media/rc/keymaps/rc-twinhan1027.o
  CC      drivers/gpu/drm/i915/oa/i915_oa_tgl.o
  CC      drivers/infiniband/core/uverbs_ioctl.o
  CC      drivers/gpu/drm/i915/i915_perf.o
  CC      drivers/gpu/drm/i915/i915_gpu_error.o
  CC      drivers/media/rc/keymaps/rc-vega-s9x.o
  CC      drivers/gpu/drm/i915/i915_vgpu.o
  CC      drivers/hid/hid-roccat-savu.o
  CC      drivers/hid/hid-rmi.o
  CC      drivers/media/rc/keymaps/rc-videomate-m1f.o
  CC      drivers/hid/hid-saitek.o
  CC      drivers/hid/hid-samsung.o
  CC      drivers/hid/hid-sjoy.o
  CC      drivers/infiniband/core/uverbs_std_types_cq.o
  CC      drivers/infiniband/core/uverbs_std_types_flow_action.o
  CC      drivers/infiniband/core/uverbs_std_types_dm.o
  CC      drivers/infiniband/core/uverbs_std_types_mr.o
  CC      drivers/hid/hid-sony.o
  CC      drivers/infiniband/core/uverbs_std_types_counters.o
  CC      drivers/hid/hid-speedlink.o
  CC      drivers/infiniband/core/uverbs_uapi.o
  CC      drivers/infiniband/core/uverbs_std_types_device.o
  CC      drivers/infiniband/core/uverbs_std_types_async_fd.o
  CC      drivers/hid/hid-sunplus.o
  CC      drivers/infiniband/core/umem.o
  CC      drivers/media/rc/keymaps/rc-videomate-s350.o
  CC      drivers/hid/hid-gaff.o
  CC      drivers/infiniband/core/umem_odp.o
  CC      drivers/infiniband/core/ucma.o
  CC      drivers/media/rc/keymaps/rc-videomate-tv-pvr.o
  CC      drivers/hid/hid-tmff.o
  CC      drivers/hid/hid-tivo.o
  CC      drivers/media/rc/keymaps/rc-wetek-hub.o
  CC      drivers/media/rc/keymaps/rc-wetek-play2.o
  CC      drivers/hid/hid-topseed.o
  CC      drivers/media/rc/keymaps/rc-winfast.o
  CC      drivers/media/rc/keymaps/rc-winfast-usbii-deluxe.o
  CC      drivers/media/rc/keymaps/rc-su3000.o
  CC      drivers/hid/hid-twinhan.o
  CC      drivers/hid/hid-uclogic-core.o
  CC      drivers/hid/hid-uclogic-rdesc.o
  CC      drivers/hid/hid-uclogic-params.o
  CC      drivers/media/rc/keymaps/rc-xbox-dvd.o
  CC      drivers/media/rc/keymaps/rc-x96max.o
  CC      drivers/media/rc/keymaps/rc-zx-irdec.o
  CC      drivers/hid/hid-zpff.o
  CC      drivers/hid/hid-led.o
  CC      drivers/hid/wacom_wac.o
  CC      drivers/hid/hid-zydacron.o
  CC      drivers/hid/wacom_sys.o
  CC      drivers/hid/hid-waltop.o
  CC      drivers/hid/hid-wiimote-core.o
  CC      drivers/hid/hid-wiimote-modules.o
  CC      drivers/hid/hid-wiimote-debug.o
  AR      drivers/media/rc/keymaps/built-in.a
  AR      drivers/media/rc/built-in.a
  AR      drivers/media/built-in.a
  AR      drivers/android/built-in.a
  AR      drivers/gpu/drm/i915/built-in.a
  AR      drivers/gpu/drm/built-in.a
  AR      drivers/gpu/built-in.a
  AR      drivers/md/built-in.a
  AR      drivers/hid/built-in.a
  AR      drivers/infiniband/core/built-in.a
  AR      drivers/infiniband/built-in.a
  AR      drivers/built-in.a


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=1718bb81e00000


Tested on:

commit:         110ca3ce fix
git tree:       https://github.com/hqj/hqjagain_test.git sctp_wfree
dashboard link: https://syzkaller.appspot.com/bug?extid=cea71eec5d6de256d54d
compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)


^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: WARNING: refcount bug in sctp_wfree
  2020-03-10  1:35 WARNING: refcount bug in sctp_wfree syzbot
                   ` (3 preceding siblings ...)
  2020-03-14  2:54 ` Qiujun Huang
@ 2020-03-14  5:10 ` Qiujun Huang
  2020-03-14  9:03   ` syzbot
  2020-03-15  7:59 ` Qiujun Huang
                   ` (3 subsequent siblings)
  8 siblings, 1 reply; 30+ messages in thread
From: Qiujun Huang @ 2020-03-14  5:10 UTC (permalink / raw)
  To: syzbot
  Cc: davem, kuba, linux-kernel, linux-sctp, marcelo.leitner, netdev,
	nhorman, syzkaller-bugs, vyasevich

#syz test: https://github.com/hqj/hqjagain_test.git sctp_wfree

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: WARNING: refcount bug in sctp_wfree
  2020-03-14  5:10 ` Qiujun Huang
@ 2020-03-14  9:03   ` syzbot
  0 siblings, 0 replies; 30+ messages in thread
From: syzbot @ 2020-03-14  9:03 UTC (permalink / raw)
  To: anenbupt, davem, kuba, linux-kernel, linux-sctp, marcelo.leitner,
	netdev, nhorman, syzkaller-bugs, vyasevich

Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
WARNING: refcount bug in sctp_wfree

------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 8581 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 8581 Comm: syz-executor.3 Not tainted 5.6.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1e9/0x30e lib/dump_stack.c:118
 panic+0x264/0x7a0 kernel/panic.c:221
 __warn+0x209/0x210 kernel/panic.c:582
 report_bug+0x1ac/0x2d0 lib/bug.c:195
 fixup_bug arch/x86/kernel/traps.c:174 [inline]
 do_error_trap+0xca/0x1c0 arch/x86/kernel/traps.c:267
 do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286
 invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
Code: c7 94 00 d1 88 31 c0 e8 33 1f b3 fd 0f 0b eb 85 e8 2a 4a e0 fd c6 05 4e 70 b1 05 01 48 c7 c7 c0 00 d1 88 31 c0 e8 15 1f b3 fd <0f> 0b e9 64 ff ff ff e8 09 4a e0 fd c6 05 2e 70 b1 05 01 48 c7 c7
RSP: 0018:ffffc90002c978c8 EFLAGS: 00010246
RAX: b1721d41aaac4d00 RBX: 0000000000000003 RCX: ffff88809eb123c0
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: 0000000000000003 R08: ffffffff815e16d6 R09: ffffed1015d24592
R10: ffffed1015d24592 R11: 0000000000000000 R12: ffff8880a7b8c000
R13: dffffc0000000000 R14: ffff8880a81d4800 R15: ffff8880a81e0d00
 sctp_wfree+0x4be/0x840 net/sctp/socket.c:9113
 skb_release_head_state+0xfb/0x210 net/core/skbuff.c:651
 skb_release_all net/core/skbuff.c:662 [inline]
 __kfree_skb+0x22/0x1c0 net/core/skbuff.c:678
 sctp_chunk_destroy net/sctp/sm_make_chunk.c:1454 [inline]
 sctp_chunk_put+0x17b/0x200 net/sctp/sm_make_chunk.c:1481
 __sctp_outq_teardown+0x80a/0x9d0 net/sctp/outqueue.c:257
 sctp_association_free+0x21e/0x7c0 net/sctp/associola.c:339
 sctp_cmd_delete_tcb net/sctp/sm_sideeffect.c:930 [inline]
 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1318 [inline]
 sctp_side_effects net/sctp/sm_sideeffect.c:1185 [inline]
 sctp_do_sm+0x3c01/0x5560 net/sctp/sm_sideeffect.c:1156
 sctp_primitive_ABORT+0x93/0xc0 net/sctp/primitive.c:104
 sctp_close+0x231/0x770 net/sctp/socket.c:1512
 inet_release+0x135/0x180 net/ipv4/af_inet.c:427
 __sock_release net/socket.c:605 [inline]
 sock_close+0xd8/0x260 net/socket.c:1283
 __fput+0x2d8/0x730 fs/file_table.c:280
 task_work_run+0x176/0x1b0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop arch/x86/entry/common.c:164 [inline]
 prepare_exit_to_usermode+0x48e/0x600 arch/x86/entry/common.c:195
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x416041
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007fffbe2f3cc0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000416041
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 0000000000000001 R08: 00ffffffffffffff R09: 00ffffffffffffff
R10: 00007fffbe2f3da0 R11: 0000000000000293 R12: 000000000076bf20
R13: 0000000000770850 R14: 0000000000012bfc R15: 000000000076bf2c
Kernel Offset: disabled
Rebooting in 86400 seconds..


Tested on:

commit:         1739e95e fix compile err
git tree:       https://github.com/hqj/hqjagain_test.git sctp_wfree
console output: https://syzkaller.appspot.com/x/log.txt?x=1239a3dde00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=a5295e161cd85b82
dashboard link: https://syzkaller.appspot.com/bug?extid=cea71eec5d6de256d54d
compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)


^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: WARNING: refcount bug in sctp_wfree
  2020-03-10  1:35 WARNING: refcount bug in sctp_wfree syzbot
                   ` (4 preceding siblings ...)
  2020-03-14  5:10 ` Qiujun Huang
@ 2020-03-15  7:59 ` Qiujun Huang
  2020-03-15  8:12   ` syzbot
  2020-03-20 11:11 ` Qiujun Huang
                   ` (2 subsequent siblings)
  8 siblings, 1 reply; 30+ messages in thread
From: Qiujun Huang @ 2020-03-15  7:59 UTC (permalink / raw)
  To: syzbot
  Cc: davem, kuba, linux-kernel, linux-sctp, marcelo.leitner, netdev,
	nhorman, syzkaller-bugs, vyasevich

#syz test: https://github.com/hqj/hqjagain_test.git sctp_wfree_refcount_bug

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: WARNING: refcount bug in sctp_wfree
  2020-03-15  7:59 ` Qiujun Huang
@ 2020-03-15  8:12   ` syzbot
  0 siblings, 0 replies; 30+ messages in thread
From: syzbot @ 2020-03-15  8:12 UTC (permalink / raw)
  To: anenbupt, davem, kuba, linux-kernel, linux-sctp, marcelo.leitner,
	netdev, nhorman, syzkaller-bugs, vyasevich

Hello,

syzbot has tested the proposed patch but the reproducer still triggered crash:
KASAN: use-after-free Read in sctp_wfree

==================================================================
BUG: KASAN: use-after-free in sctp_write_space net/sctp/socket.c:9225 [inline]
BUG: KASAN: use-after-free in sctp_wake_up_waiters net/sctp/socket.c:9050 [inline]
BUG: KASAN: use-after-free in sctp_wfree+0x463/0x710 net/sctp/socket.c:9112
Read of size 8 at addr ffff8880a181f5a8 by task syz-executor.2/8661

CPU: 1 PID: 8661 Comm: syz-executor.2 Not tainted 5.6.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1e9/0x30e lib/dump_stack.c:118
 print_address_description+0x74/0x5c0 mm/kasan/report.c:374
 __kasan_report+0x14b/0x1c0 mm/kasan/report.c:506
 kasan_report+0x25/0x50 mm/kasan/common.c:641
 sctp_write_space net/sctp/socket.c:9225 [inline]
 sctp_wake_up_waiters net/sctp/socket.c:9050 [inline]
 sctp_wfree+0x463/0x710 net/sctp/socket.c:9112
 skb_release_head_state+0xfb/0x210 net/core/skbuff.c:651
 skb_release_all net/core/skbuff.c:662 [inline]
 __kfree_skb+0x22/0x1c0 net/core/skbuff.c:678
 sctp_chunk_destroy net/sctp/sm_make_chunk.c:1454 [inline]
 sctp_chunk_put+0x17b/0x200 net/sctp/sm_make_chunk.c:1481
 sctp_datamsg_destroy net/sctp/chunk.c:107 [inline]
 sctp_datamsg_put+0x438/0x570 net/sctp/chunk.c:128
 sctp_chunk_free+0x46/0x60 net/sctp/sm_make_chunk.c:1466
 __sctp_outq_teardown+0x80a/0x9d0 net/sctp/outqueue.c:257
 sctp_association_free+0x21e/0x7c0 net/sctp/associola.c:339
 sctp_cmd_delete_tcb net/sctp/sm_sideeffect.c:930 [inline]
 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1318 [inline]
 sctp_side_effects net/sctp/sm_sideeffect.c:1185 [inline]
 sctp_do_sm+0x3c01/0x5560 net/sctp/sm_sideeffect.c:1156
 sctp_primitive_ABORT+0x93/0xc0 net/sctp/primitive.c:104
 sctp_close+0x231/0x770 net/sctp/socket.c:1512
 inet_release+0x135/0x180 net/ipv4/af_inet.c:427
 __sock_release net/socket.c:605 [inline]
 sock_close+0xd8/0x260 net/socket.c:1283
 __fput+0x2d8/0x730 fs/file_table.c:280
 task_work_run+0x176/0x1b0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop arch/x86/entry/common.c:164 [inline]
 prepare_exit_to_usermode+0x48e/0x600 arch/x86/entry/common.c:195
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x416041
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffdc88e28b0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000416041
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 0000000000000001 R08: 00ffffffffffffff R09: 00ffffffffffffff
R10: 00007ffdc88e2990 R11: 0000000000000293 R12: 000000000076bf20
R13: 0000000000770850 R14: 0000000000012e64 R15: 000000000076bf2c

Allocated by task 8662:
 save_stack mm/kasan/common.c:72 [inline]
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc+0x118/0x1c0 mm/kasan/common.c:515
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc mm/slab.c:3320 [inline]
 kmem_cache_alloc+0x1f5/0x2d0 mm/slab.c:3484
 sk_prot_alloc+0x58/0x2b0 net/core/sock.c:1597
 sk_alloc+0x35/0x990 net/core/sock.c:1657
 inet_create+0x576/0xc80 net/ipv4/af_inet.c:321
 __sock_create+0x5c9/0x8d0 net/socket.c:1433
 sock_create net/socket.c:1484 [inline]
 __sys_socket+0xde/0x2d0 net/socket.c:1526
 __do_sys_socket net/socket.c:1535 [inline]
 __se_sys_socket net/socket.c:1533 [inline]
 __x64_sys_socket+0x76/0x80 net/socket.c:1533
 do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8661:
 save_stack mm/kasan/common.c:72 [inline]
 set_track mm/kasan/common.c:80 [inline]
 kasan_set_free_info mm/kasan/common.c:337 [inline]
 __kasan_slab_free+0x12e/0x1e0 mm/kasan/common.c:476
 __cache_free mm/slab.c:3426 [inline]
 kmem_cache_free+0x7e/0xf0 mm/slab.c:3694
 sk_prot_free net/core/sock.c:1638 [inline]
 __sk_destruct+0x60e/0x740 net/core/sock.c:1724
 sctp_wfree+0x3af/0x710 net/sctp/socket.c:9111
 skb_release_head_state+0xfb/0x210 net/core/skbuff.c:651
 skb_release_all net/core/skbuff.c:662 [inline]
 __kfree_skb+0x22/0x1c0 net/core/skbuff.c:678
 sctp_chunk_destroy net/sctp/sm_make_chunk.c:1454 [inline]
 sctp_chunk_put+0x17b/0x200 net/sctp/sm_make_chunk.c:1481
 sctp_datamsg_destroy net/sctp/chunk.c:107 [inline]
 sctp_datamsg_put+0x438/0x570 net/sctp/chunk.c:128
 sctp_chunk_free+0x46/0x60 net/sctp/sm_make_chunk.c:1466
 __sctp_outq_teardown+0x80a/0x9d0 net/sctp/outqueue.c:257
 sctp_association_free+0x21e/0x7c0 net/sctp/associola.c:339
 sctp_cmd_delete_tcb net/sctp/sm_sideeffect.c:930 [inline]
 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1318 [inline]
 sctp_side_effects net/sctp/sm_sideeffect.c:1185 [inline]
 sctp_do_sm+0x3c01/0x5560 net/sctp/sm_sideeffect.c:1156
 sctp_primitive_ABORT+0x93/0xc0 net/sctp/primitive.c:104
 sctp_close+0x231/0x770 net/sctp/socket.c:1512
 inet_release+0x135/0x180 net/ipv4/af_inet.c:427
 __sock_release net/socket.c:605 [inline]
 sock_close+0xd8/0x260 net/socket.c:1283
 __fput+0x2d8/0x730 fs/file_table.c:280
 task_work_run+0x176/0x1b0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop arch/x86/entry/common.c:164 [inline]
 prepare_exit_to_usermode+0x48e/0x600 arch/x86/entry/common.c:195
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8880a181f040
 which belongs to the cache SCTP of size 1800
The buggy address is located 1384 bytes inside of
 1800-byte region [ffff8880a181f040, ffff8880a181f748)
The buggy address belongs to the page:
page:ffffea00028607c0 refcount:1 mapcount:0 mapping:ffff888099725000 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffff8880995ded48 ffff8880995ded48 ffff888099725000
raw: 0000000000000000 ffff8880a181f040 0000000100000002 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a181f480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880a181f500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880a181f580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                  ^
 ffff8880a181f600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880a181f680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit:         26395f8f sctp: fix refcount bug in sctp_wfree
git tree:       https://github.com/hqj/hqjagain_test.git sctp_wfree_refcount_bug
console output: https://syzkaller.appspot.com/x/log.txt?x=14358a1de00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=a5295e161cd85b82
dashboard link: https://syzkaller.appspot.com/bug?extid=cea71eec5d6de256d54d
compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)


^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: WARNING: refcount bug in sctp_wfree
  2020-03-10 16:01   ` Kees Cook
@ 2020-03-16 15:51     ` Will Deacon
  2020-03-16 16:25       ` Qiujun Huang
  0 siblings, 1 reply; 30+ messages in thread
From: Will Deacon @ 2020-03-16 15:51 UTC (permalink / raw)
  To: Kees Cook
  Cc: syzbot, ardb, davem, guohanjun, kuba, linux-kernel, linux-sctp,
	marcelo.leitner, mingo, netdev, nhorman, syzkaller-bugs,
	vyasevich

On Tue, Mar 10, 2020 at 09:01:18AM -0700, Kees Cook wrote:
> On Tue, Mar 10, 2020 at 02:39:01AM -0700, syzbot wrote:
> > syzbot has bisected this bug to:
> > 
> > commit fb041bb7c0a918b95c6889fc965cdc4a75b4c0ca
> > Author: Will Deacon <will@kernel.org>
> > Date:   Thu Nov 21 11:59:00 2019 +0000
> > 
> >     locking/refcount: Consolidate implementations of refcount_t
> 
> I suspect this is just bisecting to here because it made the refcount
> checks more strict?

Yes, this is the commit that enables full refcount checking for all
architectures unconditionally, so it's the canary in the coalmine rather
than the source of the problem.

Will

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: WARNING: refcount bug in sctp_wfree
  2020-03-16 15:51     ` Will Deacon
@ 2020-03-16 16:25       ` Qiujun Huang
  0 siblings, 0 replies; 30+ messages in thread
From: Qiujun Huang @ 2020-03-16 16:25 UTC (permalink / raw)
  To: Will Deacon
  Cc: Kees Cook, syzbot, ardb, davem, guohanjun, kuba, linux-kernel,
	linux-sctp, marcelo.leitner, mingo, netdev, nhorman,
	syzkaller-bugs, vyasevich

On Mon, Mar 16, 2020 at 11:52 PM Will Deacon <will@kernel.org> wrote:
>
> On Tue, Mar 10, 2020 at 09:01:18AM -0700, Kees Cook wrote:
> > On Tue, Mar 10, 2020 at 02:39:01AM -0700, syzbot wrote:
> > > syzbot has bisected this bug to:
> > >
> > > commit fb041bb7c0a918b95c6889fc965cdc4a75b4c0ca
> > > Author: Will Deacon <will@kernel.org>
> > > Date:   Thu Nov 21 11:59:00 2019 +0000
> > >
> > >     locking/refcount: Consolidate implementations of refcount_t
> >
> > I suspect this is just bisecting to here because it made the refcount
> > checks more strict?
>
> Yes, this is the commit that enables full refcount checking for all
> architectures unconditionally, so it's the canary in the coalmine rather
> than the source of the problem.

Yes, I tracked it down. And sent out a fix:
https://lore.kernel.org/netdev/1584330804-18477-1-git-send-email-hqjagain@gmail.com

>
> Will

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: WARNING: refcount bug in sctp_wfree
  2020-03-10  1:35 WARNING: refcount bug in sctp_wfree syzbot
                   ` (5 preceding siblings ...)
  2020-03-15  7:59 ` Qiujun Huang
@ 2020-03-20 11:11 ` Qiujun Huang
  2020-03-20 14:28   ` syzbot
  2020-03-22  4:11 ` Qiujun Huang
  2020-03-26 15:38 ` Qiujun Huang
  8 siblings, 1 reply; 30+ messages in thread
From: Qiujun Huang @ 2020-03-20 11:11 UTC (permalink / raw)
  To: syzbot
  Cc: davem, kuba, linux-kernel, linux-sctp, marcelo.leitner, netdev,
	nhorman, syzkaller-bugs, vyasevich

#syz test: https://github.com/hqj/hqjagain_test.git sctp_wfree_refcount_bug

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: WARNING: refcount bug in sctp_wfree
  2020-03-20 11:11 ` Qiujun Huang
@ 2020-03-20 14:28   ` syzbot
  0 siblings, 0 replies; 30+ messages in thread
From: syzbot @ 2020-03-20 14:28 UTC (permalink / raw)
  To: anenbupt, davem, kuba, linux-kernel, linux-sctp, marcelo.leitner,
	netdev, nhorman, syzkaller-bugs, vyasevich

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger crash:

Reported-and-tested-by: syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com

Tested on:

commit:         a8a7ac16 sctp: fix refcount bug in sctp_wfree
git tree:       https://github.com/hqj/hqjagain_test.git sctp_wfree_refcount_bug
kernel config:  https://syzkaller.appspot.com/x/.config?x=a5295e161cd85b82
dashboard link: https://syzkaller.appspot.com/bug?extid=cea71eec5d6de256d54d
compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)

Note: testing is done by a robot and is best-effort only.

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: WARNING: refcount bug in sctp_wfree
  2020-03-10  1:35 WARNING: refcount bug in sctp_wfree syzbot
                   ` (6 preceding siblings ...)
  2020-03-20 11:11 ` Qiujun Huang
@ 2020-03-22  4:11 ` Qiujun Huang
  2020-03-22  4:39   ` syzbot
  2020-03-26 15:38 ` Qiujun Huang
  8 siblings, 1 reply; 30+ messages in thread
From: Qiujun Huang @ 2020-03-22  4:11 UTC (permalink / raw)
  To: syzbot
  Cc: davem, kuba, linux-kernel, linux-sctp, marcelo.leitner, netdev,
	nhorman, syzkaller-bugs, vyasevich

#syz test: https://github.com/hqj/hqjagain_test.git sctp_for_each_tx_datachunk

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: WARNING: refcount bug in sctp_wfree
  2020-03-22  4:11 ` Qiujun Huang
@ 2020-03-22  4:39   ` syzbot
  2020-03-22  6:41     ` Qiujun Huang
  0 siblings, 1 reply; 30+ messages in thread
From: syzbot @ 2020-03-22  4:39 UTC (permalink / raw)
  To: anenbupt, davem, kuba, linux-kernel, linux-sctp, marcelo.leitner,
	netdev, nhorman, syzkaller-bugs, vyasevich

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger crash:

Reported-and-tested-by: syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com

Tested on:

commit:         e76397e4 iterate datamsg list
git tree:       https://github.com/hqj/hqjagain_test.git sctp_for_each_tx_datachunk
kernel config:  https://syzkaller.appspot.com/x/.config?x=6dfa02302d6db985
dashboard link: https://syzkaller.appspot.com/bug?extid=cea71eec5d6de256d54d
compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)

Note: testing is done by a robot and is best-effort only.

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: WARNING: refcount bug in sctp_wfree
  2020-03-22  4:39   ` syzbot
@ 2020-03-22  6:41     ` Qiujun Huang
  2020-03-22  7:18       ` syzbot
  0 siblings, 1 reply; 30+ messages in thread
From: Qiujun Huang @ 2020-03-22  6:41 UTC (permalink / raw)
  To: syzbot
  Cc: davem, kuba, linux-kernel, linux-sctp, marcelo.leitner, netdev,
	nhorman, syzkaller-bugs, vyasevich

#syz test: https://github.com/hqj/hqjagain_test.git datamsg_list

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: WARNING: refcount bug in sctp_wfree
  2020-03-22  6:41     ` Qiujun Huang
@ 2020-03-22  7:18       ` syzbot
  0 siblings, 0 replies; 30+ messages in thread
From: syzbot @ 2020-03-22  7:18 UTC (permalink / raw)
  To: anenbupt, davem, kuba, linux-kernel, linux-sctp, marcelo.leitner,
	netdev, nhorman, syzkaller-bugs, vyasevich

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger crash:

Reported-and-tested-by: syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com

Tested on:

commit:         573a2520 datamsg_list
git tree:       https://github.com/hqj/hqjagain_test.git datamsg_list
kernel config:  https://syzkaller.appspot.com/x/.config?x=6dfa02302d6db985
dashboard link: https://syzkaller.appspot.com/bug?extid=cea71eec5d6de256d54d
compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)

Note: testing is done by a robot and is best-effort only.

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: WARNING: refcount bug in sctp_wfree
  2020-03-10  1:35 WARNING: refcount bug in sctp_wfree syzbot
                   ` (7 preceding siblings ...)
  2020-03-22  4:11 ` Qiujun Huang
@ 2020-03-26 15:38 ` Qiujun Huang
  2020-03-26 15:38   ` syzbot
  2020-03-26 15:38   ` syzbot
  8 siblings, 2 replies; 30+ messages in thread
From: Qiujun Huang @ 2020-03-26 15:38 UTC (permalink / raw)
  To: syzbot
  Cc: davem, kuba, LKML, linux-sctp, marcelo.leitner, netdev, nhorman,
	syzkaller-bugs, vyasevich

[-- Attachment #1: Type: text/plain, Size: 4751 bytes --]

#syz test: upstream

On Tue, Mar 10, 2020 at 9:36 AM syzbot
<syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    2c523b34 Linux 5.6-rc5
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=155a5f29e00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=a5295e161cd85b82
> dashboard link: https://syzkaller.appspot.com/bug?extid=cea71eec5d6de256d54d
> compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=164b5181e00000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=166dd70de00000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com
>
> ------------[ cut here ]------------
> refcount_t: underflow; use-after-free.
> WARNING: CPU: 1 PID: 8668 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
> Kernel panic - not syncing: panic_on_warn set ...
> CPU: 1 PID: 8668 Comm: syz-executor779 Not tainted 5.6.0-rc5-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
>  __dump_stack lib/dump_stack.c:77 [inline]
>  dump_stack+0x1e9/0x30e lib/dump_stack.c:118
>  panic+0x264/0x7a0 kernel/panic.c:221
>  __warn+0x209/0x210 kernel/panic.c:582
>  report_bug+0x1ac/0x2d0 lib/bug.c:195
>  fixup_bug arch/x86/kernel/traps.c:174 [inline]
>  do_error_trap+0xca/0x1c0 arch/x86/kernel/traps.c:267
>  do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286
>  invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
> RIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
> Code: c7 e4 ff d0 88 31 c0 e8 23 20 b3 fd 0f 0b eb 85 e8 8a 4a e0 fd c6 05 ff 70 b1 05 01 48 c7 c7 10 00 d1 88 31 c0 e8 05 20 b3 fd <0f> 0b e9 64 ff ff ff e8 69 4a e0 fd c6 05 df 70 b1 05 01 48 c7 c7
> RSP: 0018:ffffc90001f577d0 EFLAGS: 00010246
> RAX: 8c9c9070bbb4e500 RBX: 0000000000000003 RCX: ffff8880938a63c0
> RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
> RBP: 0000000000000003 R08: ffffffff815e16e6 R09: fffffbfff15db92a
> R10: fffffbfff15db92a R11: 0000000000000000 R12: dffffc0000000000
> R13: ffff88809de82000 R14: ffff8880a89237c0 R15: 1ffff11013be52b0
>  sctp_wfree+0x3b1/0x710 net/sctp/socket.c:9111
>  skb_release_head_state+0xfb/0x210 net/core/skbuff.c:651
>  skb_release_all net/core/skbuff.c:662 [inline]
>  __kfree_skb+0x22/0x1c0 net/core/skbuff.c:678
>  sctp_chunk_destroy net/sctp/sm_make_chunk.c:1454 [inline]
>  sctp_chunk_put+0x17b/0x200 net/sctp/sm_make_chunk.c:1481
>  __sctp_outq_teardown+0x80a/0x9d0 net/sctp/outqueue.c:257
>  sctp_association_free+0x21e/0x7c0 net/sctp/associola.c:339
>  sctp_cmd_delete_tcb net/sctp/sm_sideeffect.c:930 [inline]
>  sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1318 [inline]
>  sctp_side_effects net/sctp/sm_sideeffect.c:1185 [inline]
>  sctp_do_sm+0x3c01/0x5560 net/sctp/sm_sideeffect.c:1156
>  sctp_primitive_ABORT+0x93/0xc0 net/sctp/primitive.c:104
>  sctp_close+0x231/0x770 net/sctp/socket.c:1512
>  inet_release+0x135/0x180 net/ipv4/af_inet.c:427
>  __sock_release net/socket.c:605 [inline]
>  sock_close+0xd8/0x260 net/socket.c:1283
>  __fput+0x2d8/0x730 fs/file_table.c:280
>  task_work_run+0x176/0x1b0 kernel/task_work.c:113
>  exit_task_work include/linux/task_work.h:22 [inline]
>  do_exit+0x5ef/0x1f80 kernel/exit.c:801
>  do_group_exit+0x15e/0x2c0 kernel/exit.c:899
>  __do_sys_exit_group+0x13/0x20 kernel/exit.c:910
>  __se_sys_exit_group+0x10/0x10 kernel/exit.c:908
>  __x64_sys_exit_group+0x37/0x40 kernel/exit.c:908
>  do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:294
>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x43ef98
> Code: Bad RIP value.
> RSP: 002b:00007ffcc7e7c398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ef98
> RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
> RBP: 00000000004be7a8 R08: 00000000000000e7 R09: ffffffffffffffd0
> R10: 000000002059aff8 R11: 0000000000000246 R12: 0000000000000001
> R13: 00000000006d01a0 R14: 0000000000000000 R15: 0000000000000000
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches

[-- Attachment #2: 0001-sctp-fix-refcount-bug-in-sctp_wfree.patch --]
[-- Type: application/octet-stream, Size: 3516 bytes --]

From 65f600e85a8dc6e6bcbab69e4111e83041f22c32 Mon Sep 17 00:00:00 2001
From: Qiujun Huang <hqjagain@gmail.com>
Date: Thu, 26 Mar 2020 23:22:38 +0800
Subject: [PATCH] sctp: fix refcount bug in sctp_wfree

We should iterate over the datamsgs to modify
all chunks(skbs) to newsk.

The following case cause the bug:
for the trouble SKB, it was in outq->transmitted list

sctp_outq_sack
        sctp_check_transmitted
                SKB was moved to outq->sacked list
        then throw away the sack queue
                SKB was deleted from outq->sacked
(but it was held by datamsg at sctp_datamsg_to_asoc
So, sctp_wfree was not called here)

then migrate happened

        sctp_for_each_tx_datachunk(
        sctp_clear_owner_w);
        sctp_assoc_migrate();
        sctp_for_each_tx_datachunk(
        sctp_set_owner_w);
SKB was not in the outq, and was not changed to newsk

finally

__sctp_outq_teardown
        sctp_chunk_put (for another skb)
                sctp_datamsg_put
                        __kfree_skb(msg->frag_list)
                                sctp_wfree (for SKB)
	SKB->sk was still oldsk (skb->sk != asoc->base.sk).

Reported-and-tested-by:syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com
Signed-off-by: Qiujun Huang <hqjagain@gmail.com>
---
 net/sctp/socket.c | 30 ++++++++++++++++++++++--------
 1 file changed, 22 insertions(+), 8 deletions(-)

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 1b56fc440606..75acbd5d4597 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -147,29 +147,43 @@ static void sctp_clear_owner_w(struct sctp_chunk *chunk)
 	skb_orphan(chunk->skb);
 }
 
+#define traverse_and_process()	\
+do {				\
+	msg = chunk->msg;	\
+	if (msg == prev_msg)	\
+		continue;	\
+	list_for_each_entry(c, &msg->chunks, frag_list) {	\
+		if ((clear && asoc->base.sk == c->skb->sk) ||	\
+		    (!clear && asoc->base.sk != c->skb->sk))	\
+		    cb(c);	\
+	}			\
+} while (0)
+
 static void sctp_for_each_tx_datachunk(struct sctp_association *asoc,
+				       bool clear,
 				       void (*cb)(struct sctp_chunk *))
 
 {
+	struct sctp_datamsg *msg, *prev_msg = NULL;
 	struct sctp_outq *q = &asoc->outqueue;
+	struct sctp_chunk *chunk, *c;
 	struct sctp_transport *t;
-	struct sctp_chunk *chunk;
 
 	list_for_each_entry(t, &asoc->peer.transport_addr_list, transports)
 		list_for_each_entry(chunk, &t->transmitted, transmitted_list)
-			cb(chunk);
+			traverse_and_process();
 
 	list_for_each_entry(chunk, &q->retransmit, transmitted_list)
-		cb(chunk);
+		traverse_and_process();
 
 	list_for_each_entry(chunk, &q->sacked, transmitted_list)
-		cb(chunk);
+		traverse_and_process();
 
 	list_for_each_entry(chunk, &q->abandoned, transmitted_list)
-		cb(chunk);
+		traverse_and_process();
 
 	list_for_each_entry(chunk, &q->out_chunk_list, list)
-		cb(chunk);
+		traverse_and_process();
 }
 
 static void sctp_for_each_rx_skb(struct sctp_association *asoc, struct sock *sk,
@@ -9574,9 +9588,9 @@ static int sctp_sock_migrate(struct sock *oldsk, struct sock *newsk,
 	 * paths won't try to lock it and then oldsk.
 	 */
 	lock_sock_nested(newsk, SINGLE_DEPTH_NESTING);
-	sctp_for_each_tx_datachunk(assoc, sctp_clear_owner_w);
+	sctp_for_each_tx_datachunk(assoc, true, sctp_clear_owner_w);
 	sctp_assoc_migrate(assoc, newsk);
-	sctp_for_each_tx_datachunk(assoc, sctp_set_owner_w);
+	sctp_for_each_tx_datachunk(assoc, false, sctp_set_owner_w);
 
 	/* If the association on the newsk is already closed before accept()
 	 * is called, set RCV_SHUTDOWN flag.
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 30+ messages in thread

* Re: Re: WARNING: refcount bug in sctp_wfree
  2020-03-26 15:38 ` Qiujun Huang
@ 2020-03-26 15:38   ` syzbot
  2020-03-26 15:38   ` syzbot
  1 sibling, 0 replies; 30+ messages in thread
From: syzbot @ 2020-03-26 15:38 UTC (permalink / raw)
  To: Qiujun Huang
  Cc: anenbupt, davem, kuba, linux-kernel, linux-sctp, marcelo.leitner,
	netdev, nhorman, syzkaller-bugs, vyasevich

> #syz test: upstream

want 2 args (repo, branch), got 10

>
> On Tue, Mar 10, 2020 at 9:36 AM syzbot
> <syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com> wrote:
>>
>> Hello,
>>
>> syzbot found the following crash on:
>>
>> HEAD commit:    2c523b34 Linux 5.6-rc5
>> git tree:       upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=155a5f29e00000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=a5295e161cd85b82
>> dashboard link: https://syzkaller.appspot.com/bug?extid=cea71eec5d6de256d54d
>> compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=164b5181e00000
>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=166dd70de00000
>>
>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> Reported-by: syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com
>>
>> ------------[ cut here ]------------
>> refcount_t: underflow; use-after-free.
>> WARNING: CPU: 1 PID: 8668 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
>> Kernel panic - not syncing: panic_on_warn set ...
>> CPU: 1 PID: 8668 Comm: syz-executor779 Not tainted 5.6.0-rc5-syzkaller #0
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
>> Call Trace:
>>  __dump_stack lib/dump_stack.c:77 [inline]
>>  dump_stack+0x1e9/0x30e lib/dump_stack.c:118
>>  panic+0x264/0x7a0 kernel/panic.c:221
>>  __warn+0x209/0x210 kernel/panic.c:582
>>  report_bug+0x1ac/0x2d0 lib/bug.c:195
>>  fixup_bug arch/x86/kernel/traps.c:174 [inline]
>>  do_error_trap+0xca/0x1c0 arch/x86/kernel/traps.c:267
>>  do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286
>>  invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
>> RIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
>> Code: c7 e4 ff d0 88 31 c0 e8 23 20 b3 fd 0f 0b eb 85 e8 8a 4a e0 fd c6 05 ff 70 b1 05 01 48 c7 c7 10 00 d1 88 31 c0 e8 05 20 b3 fd <0f> 0b e9 64 ff ff ff e8 69 4a e0 fd c6 05 df 70 b1 05 01 48 c7 c7
>> RSP: 0018:ffffc90001f577d0 EFLAGS: 00010246
>> RAX: 8c9c9070bbb4e500 RBX: 0000000000000003 RCX: ffff8880938a63c0
>> RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
>> RBP: 0000000000000003 R08: ffffffff815e16e6 R09: fffffbfff15db92a
>> R10: fffffbfff15db92a R11: 0000000000000000 R12: dffffc0000000000
>> R13: ffff88809de82000 R14: ffff8880a89237c0 R15: 1ffff11013be52b0
>>  sctp_wfree+0x3b1/0x710 net/sctp/socket.c:9111
>>  skb_release_head_state+0xfb/0x210 net/core/skbuff.c:651
>>  skb_release_all net/core/skbuff.c:662 [inline]
>>  __kfree_skb+0x22/0x1c0 net/core/skbuff.c:678
>>  sctp_chunk_destroy net/sctp/sm_make_chunk.c:1454 [inline]
>>  sctp_chunk_put+0x17b/0x200 net/sctp/sm_make_chunk.c:1481
>>  __sctp_outq_teardown+0x80a/0x9d0 net/sctp/outqueue.c:257
>>  sctp_association_free+0x21e/0x7c0 net/sctp/associola.c:339
>>  sctp_cmd_delete_tcb net/sctp/sm_sideeffect.c:930 [inline]
>>  sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1318 [inline]
>>  sctp_side_effects net/sctp/sm_sideeffect.c:1185 [inline]
>>  sctp_do_sm+0x3c01/0x5560 net/sctp/sm_sideeffect.c:1156
>>  sctp_primitive_ABORT+0x93/0xc0 net/sctp/primitive.c:104
>>  sctp_close+0x231/0x770 net/sctp/socket.c:1512
>>  inet_release+0x135/0x180 net/ipv4/af_inet.c:427
>>  __sock_release net/socket.c:605 [inline]
>>  sock_close+0xd8/0x260 net/socket.c:1283
>>  __fput+0x2d8/0x730 fs/file_table.c:280
>>  task_work_run+0x176/0x1b0 kernel/task_work.c:113
>>  exit_task_work include/linux/task_work.h:22 [inline]
>>  do_exit+0x5ef/0x1f80 kernel/exit.c:801
>>  do_group_exit+0x15e/0x2c0 kernel/exit.c:899
>>  __do_sys_exit_group+0x13/0x20 kernel/exit.c:910
>>  __se_sys_exit_group+0x10/0x10 kernel/exit.c:908
>>  __x64_sys_exit_group+0x37/0x40 kernel/exit.c:908
>>  do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:294
>>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
>> RIP: 0033:0x43ef98
>> Code: Bad RIP value.
>> RSP: 002b:00007ffcc7e7c398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
>> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ef98
>> RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
>> RBP: 00000000004be7a8 R08: 00000000000000e7 R09: ffffffffffffffd0
>> R10: 000000002059aff8 R11: 0000000000000246 R12: 0000000000000001
>> R13: 00000000006d01a0 R14: 0000000000000000 R15: 0000000000000000
>> Kernel Offset: disabled
>> Rebooting in 86400 seconds..
>>
>>
>> ---
>> This bug is generated by a bot. It may contain errors.
>> See https://goo.gl/tpsmEJ for more information about syzbot.
>> syzbot engineers can be reached at syzkaller@googlegroups.com.
>>
>> syzbot will keep track of this bug report. See:
>> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>> syzbot can test patches for this bug, for details see:
>> https://goo.gl/tpsmEJ#testing-patches

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: Re: WARNING: refcount bug in sctp_wfree
  2020-03-26 15:38 ` Qiujun Huang
  2020-03-26 15:38   ` syzbot
@ 2020-03-26 15:38   ` syzbot
  2020-03-26 15:53     ` Qiujun Huang
  1 sibling, 1 reply; 30+ messages in thread
From: syzbot @ 2020-03-26 15:38 UTC (permalink / raw)
  To: Qiujun Huang
  Cc: anenbupt, davem, kuba, linux-kernel, linux-sctp, marcelo.leitner,
	netdev, nhorman, syzkaller-bugs, vyasevich

> #syz test: upstream

want 2 args (repo, branch), got 10

>
> On Tue, Mar 10, 2020 at 9:36 AM syzbot
> <syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com> wrote:
>>
>> Hello,
>>
>> syzbot found the following crash on:
>>
>> HEAD commit:    2c523b34 Linux 5.6-rc5
>> git tree:       upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=155a5f29e00000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=a5295e161cd85b82
>> dashboard link: https://syzkaller.appspot.com/bug?extid=cea71eec5d6de256d54d
>> compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=164b5181e00000
>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=166dd70de00000
>>
>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> Reported-by: syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com
>>
>> ------------[ cut here ]------------
>> refcount_t: underflow; use-after-free.
>> WARNING: CPU: 1 PID: 8668 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
>> Kernel panic - not syncing: panic_on_warn set ...
>> CPU: 1 PID: 8668 Comm: syz-executor779 Not tainted 5.6.0-rc5-syzkaller #0
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
>> Call Trace:
>>  __dump_stack lib/dump_stack.c:77 [inline]
>>  dump_stack+0x1e9/0x30e lib/dump_stack.c:118
>>  panic+0x264/0x7a0 kernel/panic.c:221
>>  __warn+0x209/0x210 kernel/panic.c:582
>>  report_bug+0x1ac/0x2d0 lib/bug.c:195
>>  fixup_bug arch/x86/kernel/traps.c:174 [inline]
>>  do_error_trap+0xca/0x1c0 arch/x86/kernel/traps.c:267
>>  do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286
>>  invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
>> RIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
>> Code: c7 e4 ff d0 88 31 c0 e8 23 20 b3 fd 0f 0b eb 85 e8 8a 4a e0 fd c6 05 ff 70 b1 05 01 48 c7 c7 10 00 d1 88 31 c0 e8 05 20 b3 fd <0f> 0b e9 64 ff ff ff e8 69 4a e0 fd c6 05 df 70 b1 05 01 48 c7 c7
>> RSP: 0018:ffffc90001f577d0 EFLAGS: 00010246
>> RAX: 8c9c9070bbb4e500 RBX: 0000000000000003 RCX: ffff8880938a63c0
>> RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
>> RBP: 0000000000000003 R08: ffffffff815e16e6 R09: fffffbfff15db92a
>> R10: fffffbfff15db92a R11: 0000000000000000 R12: dffffc0000000000
>> R13: ffff88809de82000 R14: ffff8880a89237c0 R15: 1ffff11013be52b0
>>  sctp_wfree+0x3b1/0x710 net/sctp/socket.c:9111
>>  skb_release_head_state+0xfb/0x210 net/core/skbuff.c:651
>>  skb_release_all net/core/skbuff.c:662 [inline]
>>  __kfree_skb+0x22/0x1c0 net/core/skbuff.c:678
>>  sctp_chunk_destroy net/sctp/sm_make_chunk.c:1454 [inline]
>>  sctp_chunk_put+0x17b/0x200 net/sctp/sm_make_chunk.c:1481
>>  __sctp_outq_teardown+0x80a/0x9d0 net/sctp/outqueue.c:257
>>  sctp_association_free+0x21e/0x7c0 net/sctp/associola.c:339
>>  sctp_cmd_delete_tcb net/sctp/sm_sideeffect.c:930 [inline]
>>  sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1318 [inline]
>>  sctp_side_effects net/sctp/sm_sideeffect.c:1185 [inline]
>>  sctp_do_sm+0x3c01/0x5560 net/sctp/sm_sideeffect.c:1156
>>  sctp_primitive_ABORT+0x93/0xc0 net/sctp/primitive.c:104
>>  sctp_close+0x231/0x770 net/sctp/socket.c:1512
>>  inet_release+0x135/0x180 net/ipv4/af_inet.c:427
>>  __sock_release net/socket.c:605 [inline]
>>  sock_close+0xd8/0x260 net/socket.c:1283
>>  __fput+0x2d8/0x730 fs/file_table.c:280
>>  task_work_run+0x176/0x1b0 kernel/task_work.c:113
>>  exit_task_work include/linux/task_work.h:22 [inline]
>>  do_exit+0x5ef/0x1f80 kernel/exit.c:801
>>  do_group_exit+0x15e/0x2c0 kernel/exit.c:899
>>  __do_sys_exit_group+0x13/0x20 kernel/exit.c:910
>>  __se_sys_exit_group+0x10/0x10 kernel/exit.c:908
>>  __x64_sys_exit_group+0x37/0x40 kernel/exit.c:908
>>  do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:294
>>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
>> RIP: 0033:0x43ef98
>> Code: Bad RIP value.
>> RSP: 002b:00007ffcc7e7c398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
>> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ef98
>> RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
>> RBP: 00000000004be7a8 R08: 00000000000000e7 R09: ffffffffffffffd0
>> R10: 000000002059aff8 R11: 0000000000000246 R12: 0000000000000001
>> R13: 00000000006d01a0 R14: 0000000000000000 R15: 0000000000000000
>> Kernel Offset: disabled
>> Rebooting in 86400 seconds..
>>
>>
>> ---
>> This bug is generated by a bot. It may contain errors.
>> See https://goo.gl/tpsmEJ for more information about syzbot.
>> syzbot engineers can be reached at syzkaller@googlegroups.com.
>>
>> syzbot will keep track of this bug report. See:
>> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>> syzbot can test patches for this bug, for details see:
>> https://goo.gl/tpsmEJ#testing-patches
>
> -- 
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/CADG63jDCTdgSxDRsN_9e3fKCAv5VduS5NNKWmqjByZ%3D4sT%2BHLQ%40mail.gmail.com.

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: Re: WARNING: refcount bug in sctp_wfree
  2020-03-26 15:38   ` syzbot
@ 2020-03-26 15:53     ` Qiujun Huang
  2020-03-26 15:53       ` syzbot
  0 siblings, 1 reply; 30+ messages in thread
From: Qiujun Huang @ 2020-03-26 15:53 UTC (permalink / raw)
  To: syzbot
  Cc: davem, kuba, LKML, linux-sctp, marcelo.leitner, netdev, nhorman,
	syzkaller-bugs, vyasevich

[-- Attachment #1: Type: text/plain, Size: 5623 bytes --]

#syz test: upstream, 2c523b34

On Thu, Mar 26, 2020 at 11:38 PM syzbot
<syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com> wrote:
>
> > #syz test: upstream
>
> want 2 args (repo, branch), got 10
>
> >
> > On Tue, Mar 10, 2020 at 9:36 AM syzbot
> > <syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com> wrote:
> >>
> >> Hello,
> >>
> >> syzbot found the following crash on:
> >>
> >> HEAD commit:    2c523b34 Linux 5.6-rc5
> >> git tree:       upstream
> >> console output: https://syzkaller.appspot.com/x/log.txt?x=155a5f29e00000
> >> kernel config:  https://syzkaller.appspot.com/x/.config?x=a5295e161cd85b82
> >> dashboard link: https://syzkaller.appspot.com/bug?extid=cea71eec5d6de256d54d
> >> compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
> >> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=164b5181e00000
> >> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=166dd70de00000
> >>
> >> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> >> Reported-by: syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com
> >>
> >> ------------[ cut here ]------------
> >> refcount_t: underflow; use-after-free.
> >> WARNING: CPU: 1 PID: 8668 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
> >> Kernel panic - not syncing: panic_on_warn set ...
> >> CPU: 1 PID: 8668 Comm: syz-executor779 Not tainted 5.6.0-rc5-syzkaller #0
> >> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> >> Call Trace:
> >>  __dump_stack lib/dump_stack.c:77 [inline]
> >>  dump_stack+0x1e9/0x30e lib/dump_stack.c:118
> >>  panic+0x264/0x7a0 kernel/panic.c:221
> >>  __warn+0x209/0x210 kernel/panic.c:582
> >>  report_bug+0x1ac/0x2d0 lib/bug.c:195
> >>  fixup_bug arch/x86/kernel/traps.c:174 [inline]
> >>  do_error_trap+0xca/0x1c0 arch/x86/kernel/traps.c:267
> >>  do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286
> >>  invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
> >> RIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
> >> Code: c7 e4 ff d0 88 31 c0 e8 23 20 b3 fd 0f 0b eb 85 e8 8a 4a e0 fd c6 05 ff 70 b1 05 01 48 c7 c7 10 00 d1 88 31 c0 e8 05 20 b3 fd <0f> 0b e9 64 ff ff ff e8 69 4a e0 fd c6 05 df 70 b1 05 01 48 c7 c7
> >> RSP: 0018:ffffc90001f577d0 EFLAGS: 00010246
> >> RAX: 8c9c9070bbb4e500 RBX: 0000000000000003 RCX: ffff8880938a63c0
> >> RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
> >> RBP: 0000000000000003 R08: ffffffff815e16e6 R09: fffffbfff15db92a
> >> R10: fffffbfff15db92a R11: 0000000000000000 R12: dffffc0000000000
> >> R13: ffff88809de82000 R14: ffff8880a89237c0 R15: 1ffff11013be52b0
> >>  sctp_wfree+0x3b1/0x710 net/sctp/socket.c:9111
> >>  skb_release_head_state+0xfb/0x210 net/core/skbuff.c:651
> >>  skb_release_all net/core/skbuff.c:662 [inline]
> >>  __kfree_skb+0x22/0x1c0 net/core/skbuff.c:678
> >>  sctp_chunk_destroy net/sctp/sm_make_chunk.c:1454 [inline]
> >>  sctp_chunk_put+0x17b/0x200 net/sctp/sm_make_chunk.c:1481
> >>  __sctp_outq_teardown+0x80a/0x9d0 net/sctp/outqueue.c:257
> >>  sctp_association_free+0x21e/0x7c0 net/sctp/associola.c:339
> >>  sctp_cmd_delete_tcb net/sctp/sm_sideeffect.c:930 [inline]
> >>  sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1318 [inline]
> >>  sctp_side_effects net/sctp/sm_sideeffect.c:1185 [inline]
> >>  sctp_do_sm+0x3c01/0x5560 net/sctp/sm_sideeffect.c:1156
> >>  sctp_primitive_ABORT+0x93/0xc0 net/sctp/primitive.c:104
> >>  sctp_close+0x231/0x770 net/sctp/socket.c:1512
> >>  inet_release+0x135/0x180 net/ipv4/af_inet.c:427
> >>  __sock_release net/socket.c:605 [inline]
> >>  sock_close+0xd8/0x260 net/socket.c:1283
> >>  __fput+0x2d8/0x730 fs/file_table.c:280
> >>  task_work_run+0x176/0x1b0 kernel/task_work.c:113
> >>  exit_task_work include/linux/task_work.h:22 [inline]
> >>  do_exit+0x5ef/0x1f80 kernel/exit.c:801
> >>  do_group_exit+0x15e/0x2c0 kernel/exit.c:899
> >>  __do_sys_exit_group+0x13/0x20 kernel/exit.c:910
> >>  __se_sys_exit_group+0x10/0x10 kernel/exit.c:908
> >>  __x64_sys_exit_group+0x37/0x40 kernel/exit.c:908
> >>  do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:294
> >>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> >> RIP: 0033:0x43ef98
> >> Code: Bad RIP value.
> >> RSP: 002b:00007ffcc7e7c398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
> >> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ef98
> >> RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
> >> RBP: 00000000004be7a8 R08: 00000000000000e7 R09: ffffffffffffffd0
> >> R10: 000000002059aff8 R11: 0000000000000246 R12: 0000000000000001
> >> R13: 00000000006d01a0 R14: 0000000000000000 R15: 0000000000000000
> >> Kernel Offset: disabled
> >> Rebooting in 86400 seconds..
> >>
> >>
> >> ---
> >> This bug is generated by a bot. It may contain errors.
> >> See https://goo.gl/tpsmEJ for more information about syzbot.
> >> syzbot engineers can be reached at syzkaller@googlegroups.com.
> >>
> >> syzbot will keep track of this bug report. See:
> >> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> >> syzbot can test patches for this bug, for details see:
> >> https://goo.gl/tpsmEJ#testing-patches
> >
> > --
> > You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> > To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/CADG63jDCTdgSxDRsN_9e3fKCAv5VduS5NNKWmqjByZ%3D4sT%2BHLQ%40mail.gmail.com.

[-- Attachment #2: 0001-sctp-fix-refcount-bug-in-sctp_wfree.patch --]
[-- Type: application/octet-stream, Size: 3516 bytes --]

From 65f600e85a8dc6e6bcbab69e4111e83041f22c32 Mon Sep 17 00:00:00 2001
From: Qiujun Huang <hqjagain@gmail.com>
Date: Thu, 26 Mar 2020 23:22:38 +0800
Subject: [PATCH] sctp: fix refcount bug in sctp_wfree

We should iterate over the datamsgs to modify
all chunks(skbs) to newsk.

The following case cause the bug:
for the trouble SKB, it was in outq->transmitted list

sctp_outq_sack
        sctp_check_transmitted
                SKB was moved to outq->sacked list
        then throw away the sack queue
                SKB was deleted from outq->sacked
(but it was held by datamsg at sctp_datamsg_to_asoc
So, sctp_wfree was not called here)

then migrate happened

        sctp_for_each_tx_datachunk(
        sctp_clear_owner_w);
        sctp_assoc_migrate();
        sctp_for_each_tx_datachunk(
        sctp_set_owner_w);
SKB was not in the outq, and was not changed to newsk

finally

__sctp_outq_teardown
        sctp_chunk_put (for another skb)
                sctp_datamsg_put
                        __kfree_skb(msg->frag_list)
                                sctp_wfree (for SKB)
	SKB->sk was still oldsk (skb->sk != asoc->base.sk).

Reported-and-tested-by:syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com
Signed-off-by: Qiujun Huang <hqjagain@gmail.com>
---
 net/sctp/socket.c | 30 ++++++++++++++++++++++--------
 1 file changed, 22 insertions(+), 8 deletions(-)

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 1b56fc440606..75acbd5d4597 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -147,29 +147,43 @@ static void sctp_clear_owner_w(struct sctp_chunk *chunk)
 	skb_orphan(chunk->skb);
 }
 
+#define traverse_and_process()	\
+do {				\
+	msg = chunk->msg;	\
+	if (msg == prev_msg)	\
+		continue;	\
+	list_for_each_entry(c, &msg->chunks, frag_list) {	\
+		if ((clear && asoc->base.sk == c->skb->sk) ||	\
+		    (!clear && asoc->base.sk != c->skb->sk))	\
+		    cb(c);	\
+	}			\
+} while (0)
+
 static void sctp_for_each_tx_datachunk(struct sctp_association *asoc,
+				       bool clear,
 				       void (*cb)(struct sctp_chunk *))
 
 {
+	struct sctp_datamsg *msg, *prev_msg = NULL;
 	struct sctp_outq *q = &asoc->outqueue;
+	struct sctp_chunk *chunk, *c;
 	struct sctp_transport *t;
-	struct sctp_chunk *chunk;
 
 	list_for_each_entry(t, &asoc->peer.transport_addr_list, transports)
 		list_for_each_entry(chunk, &t->transmitted, transmitted_list)
-			cb(chunk);
+			traverse_and_process();
 
 	list_for_each_entry(chunk, &q->retransmit, transmitted_list)
-		cb(chunk);
+		traverse_and_process();
 
 	list_for_each_entry(chunk, &q->sacked, transmitted_list)
-		cb(chunk);
+		traverse_and_process();
 
 	list_for_each_entry(chunk, &q->abandoned, transmitted_list)
-		cb(chunk);
+		traverse_and_process();
 
 	list_for_each_entry(chunk, &q->out_chunk_list, list)
-		cb(chunk);
+		traverse_and_process();
 }
 
 static void sctp_for_each_rx_skb(struct sctp_association *asoc, struct sock *sk,
@@ -9574,9 +9588,9 @@ static int sctp_sock_migrate(struct sock *oldsk, struct sock *newsk,
 	 * paths won't try to lock it and then oldsk.
 	 */
 	lock_sock_nested(newsk, SINGLE_DEPTH_NESTING);
-	sctp_for_each_tx_datachunk(assoc, sctp_clear_owner_w);
+	sctp_for_each_tx_datachunk(assoc, true, sctp_clear_owner_w);
 	sctp_assoc_migrate(assoc, newsk);
-	sctp_for_each_tx_datachunk(assoc, sctp_set_owner_w);
+	sctp_for_each_tx_datachunk(assoc, false, sctp_set_owner_w);
 
 	/* If the association on the newsk is already closed before accept()
 	 * is called, set RCV_SHUTDOWN flag.
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 30+ messages in thread

* Re: Re: Re: WARNING: refcount bug in sctp_wfree
  2020-03-26 15:53     ` Qiujun Huang
@ 2020-03-26 15:53       ` syzbot
  2020-03-26 16:17         ` Qiujun Huang
  0 siblings, 1 reply; 30+ messages in thread
From: syzbot @ 2020-03-26 15:53 UTC (permalink / raw)
  To: Qiujun Huang
  Cc: anenbupt, davem, kuba, linux-kernel, linux-sctp, marcelo.leitner,
	netdev, nhorman, syzkaller-bugs, vyasevich

> #syz test: upstream, 2c523b34

"upstream," does not look like a valid git repo address.

>
> On Thu, Mar 26, 2020 at 11:38 PM syzbot
> <syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com> wrote:
>>
>> > #syz test: upstream
>>
>> want 2 args (repo, branch), got 10
>>
>> >
>> > On Tue, Mar 10, 2020 at 9:36 AM syzbot
>> > <syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com> wrote:
>> >>
>> >> Hello,
>> >>
>> >> syzbot found the following crash on:
>> >>
>> >> HEAD commit:    2c523b34 Linux 5.6-rc5
>> >> git tree:       upstream
>> >> console output: https://syzkaller.appspot.com/x/log.txt?x=155a5f29e00000
>> >> kernel config:  https://syzkaller.appspot.com/x/.config?x=a5295e161cd85b82
>> >> dashboard link: https://syzkaller.appspot.com/bug?extid=cea71eec5d6de256d54d
>> >> compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
>> >> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=164b5181e00000
>> >> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=166dd70de00000
>> >>
>> >> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> >> Reported-by: syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com
>> >>
>> >> ------------[ cut here ]------------
>> >> refcount_t: underflow; use-after-free.
>> >> WARNING: CPU: 1 PID: 8668 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
>> >> Kernel panic - not syncing: panic_on_warn set ...
>> >> CPU: 1 PID: 8668 Comm: syz-executor779 Not tainted 5.6.0-rc5-syzkaller #0
>> >> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
>> >> Call Trace:
>> >>  __dump_stack lib/dump_stack.c:77 [inline]
>> >>  dump_stack+0x1e9/0x30e lib/dump_stack.c:118
>> >>  panic+0x264/0x7a0 kernel/panic.c:221
>> >>  __warn+0x209/0x210 kernel/panic.c:582
>> >>  report_bug+0x1ac/0x2d0 lib/bug.c:195
>> >>  fixup_bug arch/x86/kernel/traps.c:174 [inline]
>> >>  do_error_trap+0xca/0x1c0 arch/x86/kernel/traps.c:267
>> >>  do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286
>> >>  invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
>> >> RIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
>> >> Code: c7 e4 ff d0 88 31 c0 e8 23 20 b3 fd 0f 0b eb 85 e8 8a 4a e0 fd c6 05 ff 70 b1 05 01 48 c7 c7 10 00 d1 88 31 c0 e8 05 20 b3 fd <0f> 0b e9 64 ff ff ff e8 69 4a e0 fd c6 05 df 70 b1 05 01 48 c7 c7
>> >> RSP: 0018:ffffc90001f577d0 EFLAGS: 00010246
>> >> RAX: 8c9c9070bbb4e500 RBX: 0000000000000003 RCX: ffff8880938a63c0
>> >> RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
>> >> RBP: 0000000000000003 R08: ffffffff815e16e6 R09: fffffbfff15db92a
>> >> R10: fffffbfff15db92a R11: 0000000000000000 R12: dffffc0000000000
>> >> R13: ffff88809de82000 R14: ffff8880a89237c0 R15: 1ffff11013be52b0
>> >>  sctp_wfree+0x3b1/0x710 net/sctp/socket.c:9111
>> >>  skb_release_head_state+0xfb/0x210 net/core/skbuff.c:651
>> >>  skb_release_all net/core/skbuff.c:662 [inline]
>> >>  __kfree_skb+0x22/0x1c0 net/core/skbuff.c:678
>> >>  sctp_chunk_destroy net/sctp/sm_make_chunk.c:1454 [inline]
>> >>  sctp_chunk_put+0x17b/0x200 net/sctp/sm_make_chunk.c:1481
>> >>  __sctp_outq_teardown+0x80a/0x9d0 net/sctp/outqueue.c:257
>> >>  sctp_association_free+0x21e/0x7c0 net/sctp/associola.c:339
>> >>  sctp_cmd_delete_tcb net/sctp/sm_sideeffect.c:930 [inline]
>> >>  sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1318 [inline]
>> >>  sctp_side_effects net/sctp/sm_sideeffect.c:1185 [inline]
>> >>  sctp_do_sm+0x3c01/0x5560 net/sctp/sm_sideeffect.c:1156
>> >>  sctp_primitive_ABORT+0x93/0xc0 net/sctp/primitive.c:104
>> >>  sctp_close+0x231/0x770 net/sctp/socket.c:1512
>> >>  inet_release+0x135/0x180 net/ipv4/af_inet.c:427
>> >>  __sock_release net/socket.c:605 [inline]
>> >>  sock_close+0xd8/0x260 net/socket.c:1283
>> >>  __fput+0x2d8/0x730 fs/file_table.c:280
>> >>  task_work_run+0x176/0x1b0 kernel/task_work.c:113
>> >>  exit_task_work include/linux/task_work.h:22 [inline]
>> >>  do_exit+0x5ef/0x1f80 kernel/exit.c:801
>> >>  do_group_exit+0x15e/0x2c0 kernel/exit.c:899
>> >>  __do_sys_exit_group+0x13/0x20 kernel/exit.c:910
>> >>  __se_sys_exit_group+0x10/0x10 kernel/exit.c:908
>> >>  __x64_sys_exit_group+0x37/0x40 kernel/exit.c:908
>> >>  do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:294
>> >>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
>> >> RIP: 0033:0x43ef98
>> >> Code: Bad RIP value.
>> >> RSP: 002b:00007ffcc7e7c398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
>> >> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ef98
>> >> RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
>> >> RBP: 00000000004be7a8 R08: 00000000000000e7 R09: ffffffffffffffd0
>> >> R10: 000000002059aff8 R11: 0000000000000246 R12: 0000000000000001
>> >> R13: 00000000006d01a0 R14: 0000000000000000 R15: 0000000000000000
>> >> Kernel Offset: disabled
>> >> Rebooting in 86400 seconds..
>> >>
>> >>
>> >> ---
>> >> This bug is generated by a bot. It may contain errors.
>> >> See https://goo.gl/tpsmEJ for more information about syzbot.
>> >> syzbot engineers can be reached at syzkaller@googlegroups.com.
>> >>
>> >> syzbot will keep track of this bug report. See:
>> >> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>> >> syzbot can test patches for this bug, for details see:
>> >> https://goo.gl/tpsmEJ#testing-patches
>> >
>> > --
>> > You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
>> > To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/CADG63jDCTdgSxDRsN_9e3fKCAv5VduS5NNKWmqjByZ%3D4sT%2BHLQ%40mail.gmail.com.

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: Re: Re: WARNING: refcount bug in sctp_wfree
  2020-03-26 15:53       ` syzbot
@ 2020-03-26 16:17         ` Qiujun Huang
  2020-03-26 21:25           ` syzbot
  0 siblings, 1 reply; 30+ messages in thread
From: Qiujun Huang @ 2020-03-26 16:17 UTC (permalink / raw)
  To: syzbot
  Cc: davem, kuba, LKML, linux-sctp, marcelo.leitner, netdev, nhorman,
	syzkaller-bugs, vyasevich

[-- Attachment #1: Type: text/plain, Size: 6222 bytes --]

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
master

sorry about the noise :p

On Thu, Mar 26, 2020 at 11:53 PM syzbot
<syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com> wrote:
>
> > #syz test: upstream, 2c523b34
>
> "upstream," does not look like a valid git repo address.
>
> >
> > On Thu, Mar 26, 2020 at 11:38 PM syzbot
> > <syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com> wrote:
> >>
> >> > #syz test: upstream
> >>
> >> want 2 args (repo, branch), got 10
> >>
> >> >
> >> > On Tue, Mar 10, 2020 at 9:36 AM syzbot
> >> > <syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com> wrote:
> >> >>
> >> >> Hello,
> >> >>
> >> >> syzbot found the following crash on:
> >> >>
> >> >> HEAD commit:    2c523b34 Linux 5.6-rc5
> >> >> git tree:       upstream
> >> >> console output: https://syzkaller.appspot.com/x/log.txt?x=155a5f29e00000
> >> >> kernel config:  https://syzkaller.appspot.com/x/.config?x=a5295e161cd85b82
> >> >> dashboard link: https://syzkaller.appspot.com/bug?extid=cea71eec5d6de256d54d
> >> >> compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
> >> >> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=164b5181e00000
> >> >> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=166dd70de00000
> >> >>
> >> >> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> >> >> Reported-by: syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com
> >> >>
> >> >> ------------[ cut here ]------------
> >> >> refcount_t: underflow; use-after-free.
> >> >> WARNING: CPU: 1 PID: 8668 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
> >> >> Kernel panic - not syncing: panic_on_warn set ...
> >> >> CPU: 1 PID: 8668 Comm: syz-executor779 Not tainted 5.6.0-rc5-syzkaller #0
> >> >> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> >> >> Call Trace:
> >> >>  __dump_stack lib/dump_stack.c:77 [inline]
> >> >>  dump_stack+0x1e9/0x30e lib/dump_stack.c:118
> >> >>  panic+0x264/0x7a0 kernel/panic.c:221
> >> >>  __warn+0x209/0x210 kernel/panic.c:582
> >> >>  report_bug+0x1ac/0x2d0 lib/bug.c:195
> >> >>  fixup_bug arch/x86/kernel/traps.c:174 [inline]
> >> >>  do_error_trap+0xca/0x1c0 arch/x86/kernel/traps.c:267
> >> >>  do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286
> >> >>  invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
> >> >> RIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
> >> >> Code: c7 e4 ff d0 88 31 c0 e8 23 20 b3 fd 0f 0b eb 85 e8 8a 4a e0 fd c6 05 ff 70 b1 05 01 48 c7 c7 10 00 d1 88 31 c0 e8 05 20 b3 fd <0f> 0b e9 64 ff ff ff e8 69 4a e0 fd c6 05 df 70 b1 05 01 48 c7 c7
> >> >> RSP: 0018:ffffc90001f577d0 EFLAGS: 00010246
> >> >> RAX: 8c9c9070bbb4e500 RBX: 0000000000000003 RCX: ffff8880938a63c0
> >> >> RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
> >> >> RBP: 0000000000000003 R08: ffffffff815e16e6 R09: fffffbfff15db92a
> >> >> R10: fffffbfff15db92a R11: 0000000000000000 R12: dffffc0000000000
> >> >> R13: ffff88809de82000 R14: ffff8880a89237c0 R15: 1ffff11013be52b0
> >> >>  sctp_wfree+0x3b1/0x710 net/sctp/socket.c:9111
> >> >>  skb_release_head_state+0xfb/0x210 net/core/skbuff.c:651
> >> >>  skb_release_all net/core/skbuff.c:662 [inline]
> >> >>  __kfree_skb+0x22/0x1c0 net/core/skbuff.c:678
> >> >>  sctp_chunk_destroy net/sctp/sm_make_chunk.c:1454 [inline]
> >> >>  sctp_chunk_put+0x17b/0x200 net/sctp/sm_make_chunk.c:1481
> >> >>  __sctp_outq_teardown+0x80a/0x9d0 net/sctp/outqueue.c:257
> >> >>  sctp_association_free+0x21e/0x7c0 net/sctp/associola.c:339
> >> >>  sctp_cmd_delete_tcb net/sctp/sm_sideeffect.c:930 [inline]
> >> >>  sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1318 [inline]
> >> >>  sctp_side_effects net/sctp/sm_sideeffect.c:1185 [inline]
> >> >>  sctp_do_sm+0x3c01/0x5560 net/sctp/sm_sideeffect.c:1156
> >> >>  sctp_primitive_ABORT+0x93/0xc0 net/sctp/primitive.c:104
> >> >>  sctp_close+0x231/0x770 net/sctp/socket.c:1512
> >> >>  inet_release+0x135/0x180 net/ipv4/af_inet.c:427
> >> >>  __sock_release net/socket.c:605 [inline]
> >> >>  sock_close+0xd8/0x260 net/socket.c:1283
> >> >>  __fput+0x2d8/0x730 fs/file_table.c:280
> >> >>  task_work_run+0x176/0x1b0 kernel/task_work.c:113
> >> >>  exit_task_work include/linux/task_work.h:22 [inline]
> >> >>  do_exit+0x5ef/0x1f80 kernel/exit.c:801
> >> >>  do_group_exit+0x15e/0x2c0 kernel/exit.c:899
> >> >>  __do_sys_exit_group+0x13/0x20 kernel/exit.c:910
> >> >>  __se_sys_exit_group+0x10/0x10 kernel/exit.c:908
> >> >>  __x64_sys_exit_group+0x37/0x40 kernel/exit.c:908
> >> >>  do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:294
> >> >>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> >> >> RIP: 0033:0x43ef98
> >> >> Code: Bad RIP value.
> >> >> RSP: 002b:00007ffcc7e7c398 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
> >> >> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043ef98
> >> >> RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
> >> >> RBP: 00000000004be7a8 R08: 00000000000000e7 R09: ffffffffffffffd0
> >> >> R10: 000000002059aff8 R11: 0000000000000246 R12: 0000000000000001
> >> >> R13: 00000000006d01a0 R14: 0000000000000000 R15: 0000000000000000
> >> >> Kernel Offset: disabled
> >> >> Rebooting in 86400 seconds..
> >> >>
> >> >>
> >> >> ---
> >> >> This bug is generated by a bot. It may contain errors.
> >> >> See https://goo.gl/tpsmEJ for more information about syzbot.
> >> >> syzbot engineers can be reached at syzkaller@googlegroups.com.
> >> >>
> >> >> syzbot will keep track of this bug report. See:
> >> >> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> >> >> syzbot can test patches for this bug, for details see:
> >> >> https://goo.gl/tpsmEJ#testing-patches
> >> >
> >> > --
> >> > You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> >> > To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/CADG63jDCTdgSxDRsN_9e3fKCAv5VduS5NNKWmqjByZ%3D4sT%2BHLQ%40mail.gmail.com.

[-- Attachment #2: 0001-sctp-fix-refcount-bug-in-sctp_wfree.patch --]
[-- Type: application/octet-stream, Size: 3516 bytes --]

From 65f600e85a8dc6e6bcbab69e4111e83041f22c32 Mon Sep 17 00:00:00 2001
From: Qiujun Huang <hqjagain@gmail.com>
Date: Thu, 26 Mar 2020 23:22:38 +0800
Subject: [PATCH] sctp: fix refcount bug in sctp_wfree

We should iterate over the datamsgs to modify
all chunks(skbs) to newsk.

The following case cause the bug:
for the trouble SKB, it was in outq->transmitted list

sctp_outq_sack
        sctp_check_transmitted
                SKB was moved to outq->sacked list
        then throw away the sack queue
                SKB was deleted from outq->sacked
(but it was held by datamsg at sctp_datamsg_to_asoc
So, sctp_wfree was not called here)

then migrate happened

        sctp_for_each_tx_datachunk(
        sctp_clear_owner_w);
        sctp_assoc_migrate();
        sctp_for_each_tx_datachunk(
        sctp_set_owner_w);
SKB was not in the outq, and was not changed to newsk

finally

__sctp_outq_teardown
        sctp_chunk_put (for another skb)
                sctp_datamsg_put
                        __kfree_skb(msg->frag_list)
                                sctp_wfree (for SKB)
	SKB->sk was still oldsk (skb->sk != asoc->base.sk).

Reported-and-tested-by:syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com
Signed-off-by: Qiujun Huang <hqjagain@gmail.com>
---
 net/sctp/socket.c | 30 ++++++++++++++++++++++--------
 1 file changed, 22 insertions(+), 8 deletions(-)

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 1b56fc440606..75acbd5d4597 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -147,29 +147,43 @@ static void sctp_clear_owner_w(struct sctp_chunk *chunk)
 	skb_orphan(chunk->skb);
 }
 
+#define traverse_and_process()	\
+do {				\
+	msg = chunk->msg;	\
+	if (msg == prev_msg)	\
+		continue;	\
+	list_for_each_entry(c, &msg->chunks, frag_list) {	\
+		if ((clear && asoc->base.sk == c->skb->sk) ||	\
+		    (!clear && asoc->base.sk != c->skb->sk))	\
+		    cb(c);	\
+	}			\
+} while (0)
+
 static void sctp_for_each_tx_datachunk(struct sctp_association *asoc,
+				       bool clear,
 				       void (*cb)(struct sctp_chunk *))
 
 {
+	struct sctp_datamsg *msg, *prev_msg = NULL;
 	struct sctp_outq *q = &asoc->outqueue;
+	struct sctp_chunk *chunk, *c;
 	struct sctp_transport *t;
-	struct sctp_chunk *chunk;
 
 	list_for_each_entry(t, &asoc->peer.transport_addr_list, transports)
 		list_for_each_entry(chunk, &t->transmitted, transmitted_list)
-			cb(chunk);
+			traverse_and_process();
 
 	list_for_each_entry(chunk, &q->retransmit, transmitted_list)
-		cb(chunk);
+		traverse_and_process();
 
 	list_for_each_entry(chunk, &q->sacked, transmitted_list)
-		cb(chunk);
+		traverse_and_process();
 
 	list_for_each_entry(chunk, &q->abandoned, transmitted_list)
-		cb(chunk);
+		traverse_and_process();
 
 	list_for_each_entry(chunk, &q->out_chunk_list, list)
-		cb(chunk);
+		traverse_and_process();
 }
 
 static void sctp_for_each_rx_skb(struct sctp_association *asoc, struct sock *sk,
@@ -9574,9 +9588,9 @@ static int sctp_sock_migrate(struct sock *oldsk, struct sock *newsk,
 	 * paths won't try to lock it and then oldsk.
 	 */
 	lock_sock_nested(newsk, SINGLE_DEPTH_NESTING);
-	sctp_for_each_tx_datachunk(assoc, sctp_clear_owner_w);
+	sctp_for_each_tx_datachunk(assoc, true, sctp_clear_owner_w);
 	sctp_assoc_migrate(assoc, newsk);
-	sctp_for_each_tx_datachunk(assoc, sctp_set_owner_w);
+	sctp_for_each_tx_datachunk(assoc, false, sctp_set_owner_w);
 
 	/* If the association on the newsk is already closed before accept()
 	 * is called, set RCV_SHUTDOWN flag.
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 30+ messages in thread

* Re: WARNING: refcount bug in sctp_wfree
  2020-03-26 16:17         ` Qiujun Huang
@ 2020-03-26 21:25           ` syzbot
  0 siblings, 0 replies; 30+ messages in thread
From: syzbot @ 2020-03-26 21:25 UTC (permalink / raw)
  To: anenbupt, davem, kuba, linux-kernel, linux-sctp, marcelo.leitner,
	netdev, nhorman, syzkaller-bugs, vyasevich

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger crash:

Reported-and-tested-by: syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com

Tested on:

commit:         9420e8ad Merge tag 'for-linus' of git://git.kernel.org/pub..
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=4ac76c43beddbd9
dashboard link: https://syzkaller.appspot.com/bug?extid=cea71eec5d6de256d54d
compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1670bfbbe00000

Note: testing is done by a robot and is best-effort only.

^ permalink raw reply	[flat|nested] 30+ messages in thread

end of thread, other threads:[~2020-03-26 21:25 UTC | newest]

Thread overview: 30+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-03-10  1:35 WARNING: refcount bug in sctp_wfree syzbot
2020-03-10  9:39 ` syzbot
2020-03-10 16:01   ` Kees Cook
2020-03-16 15:51     ` Will Deacon
2020-03-16 16:25       ` Qiujun Huang
2020-03-10 16:45 ` 黄秋钧
2020-03-11 15:00 ` Qiujun Huang
2020-03-14  2:51   ` Qiujun Huang
2020-03-14  2:59     ` Qiujun Huang
2020-03-14  2:54 ` Qiujun Huang
2020-03-14  2:55   ` Qiujun Huang
2020-03-14  4:08     ` syzbot
2020-03-14  4:04   ` syzbot
2020-03-14  5:10 ` Qiujun Huang
2020-03-14  9:03   ` syzbot
2020-03-15  7:59 ` Qiujun Huang
2020-03-15  8:12   ` syzbot
2020-03-20 11:11 ` Qiujun Huang
2020-03-20 14:28   ` syzbot
2020-03-22  4:11 ` Qiujun Huang
2020-03-22  4:39   ` syzbot
2020-03-22  6:41     ` Qiujun Huang
2020-03-22  7:18       ` syzbot
2020-03-26 15:38 ` Qiujun Huang
2020-03-26 15:38   ` syzbot
2020-03-26 15:38   ` syzbot
2020-03-26 15:53     ` Qiujun Huang
2020-03-26 15:53       ` syzbot
2020-03-26 16:17         ` Qiujun Huang
2020-03-26 21:25           ` syzbot

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).