WARNING: refcount bug in sk_alloc

From: syzbot
Date: Sat Mar 31 2018 - 11:54:11 EST


Hello,

syzbot hit the following crash on upstream commit
c2a9838452a4d71f76103c18c926468a9ea05713 (Fri Mar 30 05:27:12 2018 +0000)
Merge tag 'for-4.16/dm-fixes-4' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm
syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=8362f345b3edaf37e986

So far this crash happened 27 times on bpf-next, upstream.
Unfortunately, I don't have any reproducer for this crash yet.
Raw console output: https://syzkaller.appspot.com/x/log.txt?id=5065618571132928
Kernel config: https://syzkaller.appspot.com/x/.config?id=-8440362230543204781
compiler: gcc (GCC) 7.1.1 20170620

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+8362f345b3edaf37e986@xxxxxxxxxxxxxxxxxxxxxxxxx
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

device lo entered promiscuous mode
------------[ cut here ]------------
refcount_t: increment on 0; use-after-free.
WARNING: CPU: 0 PID: 4461 at lib/refcount.c:153 refcount_inc+0x47/0x50 lib/refcount.c:153
Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 4461 Comm: syz-executor3 Not tainted 4.16.0-rc7+ #6
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x24d lib/dump_stack.c:53
panic+0x1e4/0x41c kernel/panic.c:183
__warn+0x1dc/0x200 kernel/panic.c:547
report_bug+0x1f4/0x2b0 lib/bug.c:186
fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178
fixup_bug arch/x86/kernel/traps.c:247 [inline]
do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
invalid_op+0x1b/0x40 arch/x86/entry/entry_64.S:986
RIP: 0010:refcount_inc+0x47/0x50 lib/refcount.c:153
RSP: 0018:ffff8801af79f860 EFLAGS: 00010286
RAX: dffffc0000000008 RBX: ffff8801d26bc104 RCX: ffffffff815b7bde
RDX: 0000000000000000 RSI: 1ffff10035ef3ebc RDI: 1ffff10035ef3e91
RBP: ffff8801af79f868 R08: ffffffff87b3b658 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801af79faf8
R13: ffff8801ba2f3513 R14: ffff8801d26bc100 R15: ffff8801ba2f3501
get_net include/net/net_namespace.h:198 [inline]
sk_alloc+0x3f9/0x1440 net/core/sock.c:1537
inet_create+0x47c/0xf50 net/ipv4/af_inet.c:320
__sock_create+0x4d4/0x850 net/socket.c:1285
sock_create net/socket.c:1325 [inline]
SYSC_socket net/socket.c:1355 [inline]
SyS_socket+0xeb/0x1d0 net/socket.c:1335
do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4573e7
RSP: 002b:00007fffdeb62308 EFLAGS: 00000206 ORIG_RAX: 0000000000000029
RAX: ffffffffffffffda RBX: 00000000000003f3 RCX: 00000000004573e7
RDX: 0000000000000006 RSI: 0000000000000001 RDI: 0000000000000002
RBP: 00007fffdeb629b0 R08: 0000000000000000 R09: 0000000000000001
R10: 000000000000000a R11: 0000000000000206 R12: 0000000000000c1e
R13: 0000000000000c1e R14: 0000000000000015 R15: 000000000004415e
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzkaller@xxxxxxxxxxxxxxxxx

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug report.
Note: all commands must start from beginning of the line in the email body.
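The trace above ends in get_net() inside sk_alloc(), where refcount_inc() found the net namespace's count already at zero and fired the "increment on 0; use-after-free." warning (fatal here because panic_on_warn is set). The following user-space model of the refcount_t checks in lib/refcount.c is an added example, not part of the syzbot report or of the kernel source: every model_* name is hypothetical and struct model_net is a stand-in for struct net. It shows why a zero count turns the increment into a reported use-after-free instead of a silent resurrection of freed memory, and why the balanced get_net()/put_net() pairing produces no warning.

```c
/* Added example, not part of the syzbot report or of the kernel: a user-space
 * model of the refcount_t checks in lib/refcount.c, showing why get_net() hitting
 * "increment on 0" is reported as a use-after-free.  All model_* names are
 * hypothetical; the kernel uses atomic cmpxchg loops and WARN_ONCE(). */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

struct model_refcount { unsigned int refs; };

static int model_warn_count;	/* with panic_on_warn the kernel panics at 1 */

static void model_warn(const char *msg)
{
	model_warn_count++;
	fprintf(stderr, "refcount_t: %s\n", msg);
}

/* refcount_inc_not_zero(): never resurrects an object whose count hit 0,
 * and sticks at UINT_MAX instead of wrapping back to 0 on overflow. */
static bool model_inc_not_zero(struct model_refcount *r)
{
	unsigned int old = r->refs;
	if (old == 0)
		return false;		/* last reference already dropped */
	if (old == UINT_MAX)
		return true;		/* saturated: leaked rather than freed */
	r->refs = old + 1;
	return true;
}

/* refcount_inc(): a zero count means the caller holds a stale pointer. */
static void model_inc(struct model_refcount *r)
{
	if (!model_inc_not_zero(r))
		model_warn("increment on 0; use-after-free.");
}

/* refcount_dec_and_test(): true exactly when the caller dropped the last ref. */
static bool model_dec_and_test(struct model_refcount *r)
{
	unsigned int old = r->refs;
	if (old == UINT_MAX)
		return false;		/* saturated objects are never freed */
	if (old == 0) {
		model_warn("underflow; use-after-free.");
		return false;
	}
	r->refs = old - 1;
	return r->refs == 0;
}

/* Stand-in for struct net.  The model never frees the memory, so the stale
 * access below stays observable instead of being undefined behaviour. */
struct model_net {
	struct model_refcount count;
	bool released;		/* set where the kernel would free the namespace */
};

/* put_net(): drop a reference; the kernel would queue the net for freeing. */
static void model_put_net(struct model_net *net)
{
	if (model_dec_and_test(&net->count))
		net->released = true;
}

/* Correct lifecycle: a socket's get_net()/put_net() pair completes before
 * the namespace is torn down.  Returns the warning count (expected 0). */
int model_balanced_lifecycle(void)
{
	struct model_net net = { { 1 }, false };	/* creator's reference */

	model_warn_count = 0;
	model_inc(&net.count);		/* sk_alloc(): get_net() */
	model_put_net(&net);		/* socket destroyed */
	model_put_net(&net);		/* namespace teardown: 1 -> 0, released */
	return net.released && net.count.refs == 0 ? model_warn_count : -1;
}

/* The shape of the report: the namespace's last reference is already gone, yet
 * a caller holding a stale pointer reaches sk_alloc() and its get_net().
 * refcount_t refuses the increment and warns.  Returns the count (expected 1). */
int model_stale_get_net(void)
{
	struct model_net net = { { 1 }, false };

	model_warn_count = 0;
	model_put_net(&net);		/* 1 -> 0: released */
	model_inc(&net.count);		/* stale get_net(): increment on 0 */
	return net.released && net.count.refs == 0 ? model_warn_count : -1;
}

int main(void)
{
	printf("balanced: %d warning(s)\n", model_balanced_lifecycle());
	printf("stale get_net: %d warning(s)\n", model_stale_get_net());
	return 0;
}
```

Build with any C compiler (for example `cc -Wall model.c`) and run it; the balanced scenario reports no warning and the stale one reports exactly one, mirroring the single WARNING in the console log. The model only explains what the warning means: which kernel path dropped the namespace's last reference while a socket creation could still reach it is not identified by the report, which has no reproducer, and has to be worked out from the raw console output linked above.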