Hi,
We would like to report the following bug which has been found by our modified version of syzkaller.

======================================================
description: WARNING: refcount bug in sk_skb_reason_drop
affected file: net/core/skbuff.c
kernel version: 6.12.0-rc3
kernel commit: 6efbea77b390604a7be7364583e19cd2d6a1291b
git tree: upstream
kernel config: attached
crash reproducer: unattached
======================================================

Crash log:

refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 8778 at lib/refcount.c:28 refcount_warn_saturate+0x10a/0x1a0
Modules linked in:
CPU: 1 UID: 0 PID: 8778 Comm: syz-executor.4 Not tainted 6.12.0-rc3-00183-g6efbea77b390 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:refcount_warn_saturate+0x10a/0x1a0
Code: 00 e6 1f 88 e8 87 50 e4 fd 90 0f 0b 90 90 eb d6 e8 1b c8 0d fe c6 05 56 47 6f 08 01 90 48 c7 c7 60 e6 1f 88 e8 67 50 e4 fd 90 <0f> 0b 90 90 eb b6 e8 fb c7 0d fe c6 05 33 47 6f 08 01 90 48 c7 c7
RSP: 0018:ffffc900004d8850 EFLAGS: 00010246
RAX: 1e2ad9b498ce2e00 RBX: 0000000000000003 RCX: ffff88804acaa500
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc900004d8860 R08: ffff88807ee28cd3 R09: 1ffff1100fdc519a
R10: dffffc0000000000 R11: ffffed100fdc519b R12: ffff88805167c0e4
R13: 0000000000000000 R14: ffff88805167c0e4 R15: 0000000000000000
FS: 000000003c279940(0000) GS:ffff88807ee00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000002000f000 CR3: 000000002aff8000 CR4: 0000000000752ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<IRQ>
sk_skb_reason_drop+0x141/0x150
j1939_xtp_rx_cts+0x3fe/0x790
j1939_tp_recv+0x65a/0xa40
j1939_can_recv+0x527/0x650
can_rcv_filter+0x22b/0x4d0
can_receive+0x239/0x330
can_rcv+0xf6/0x180
__netif_receive_skb+0x119/0x280
process_backlog+0x4b0/0xe90
__napi_poll+0x7b/0x300
net_rx_action+0x4df/0x930
handle_softirqs+0x21f/0x6c0
__do_softirq+0xf/0x16
do_softirq+0xed/0x190
</IRQ>
<TASK>
__local_bh_enable_ip+0x173/0x190
_raw_spin_unlock_bh+0x33/0x40
igmpv3_del_delrec+0x3c8/0x400
ip_mc_up+0x171/0x260
inetdev_event+0xa5d/0xea0
notifier_call_chain+0x158/0x350
raw_notifier_call_chain+0x31/0x40
call_netdevice_notifiers_info+0xb5/0x100
__dev_notify_flags+0x161/0x240
dev_change_flags+0xb5/0xe0
do_setlink+0x9e2/0x2900
rtnl_newlink+0x1316/0x18d0
rtnetlink_rcv_msg+0x637/0x970
netlink_rcv_skb+0x187/0x2c0
rtnetlink_rcv+0x20/0x30
netlink_unicast+0x52a/0x600
netlink_sendmsg+0x6c7/0x800
__sock_sendmsg+0x14a/0x180
__sys_sendto+0x33f/0x430
__x64_sys_sendto+0x7e/0xa0
x64_sys_call+0x2c2c/0x2ee0
do_syscall_64+0xf6/0x230
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x41778a
Code: 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 76 c3 0f 1f 44 00 00 55 48 83 ec 30 44 89 4c
RSP: 002b:00007ffc3ce57768 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000a82200 RCX: 000000000041778a
RDX: 000000000000002c RSI: 0000000000a82250 RDI: 0000000000000003
RBP: 0000000000000000 R08: 00007ffc3ce5777c R09: 000000000000000c
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000003 R15: 0000000000a82250
</TASK>

We found similar bugs in the syzkaller-bugs mailing list (https://groups.google.com/g/syzkaller-bugs/c/rrilY4Y0KVQ/m/1Gj749LnAQAJ) and the kernel mailing list (https://lore.kernel.org/lkml/66fec2e2.050a0220.9ec68.0046.GAE@xxxxxxxxxx/), but they were all discovered on previous kernel versions (v6.11.0). We are continuing our efforts to generate a reproducer.

Wishing you a nice day!
Best regards,
Ditto
Attachment:
fuzz_config
Description: Binary data