Re: WARNING: refcount bug in sk_skb_reason_drop

From: Xia Chu
Date: Wed Oct 23 2024 - 23:40:46 EST
We would like to extend our sincere apologies for the oversight. In our previous email, we neglected to attach the kernel compilation configuration file, which we understand is essential for your review.

Enclosed in this email, you will find the kernel configuration file that was missing.

Once again, we apologize for any inconvenience this may have caused. If you require any further information or additional files, please do not hesitate to let us know.

Best regards,
Ditto

Xia Chu <jiangmo9@xxxxxxxxx> wrote on Thu, Oct 24, 2024 at 11:24:
Hi,

We would like to report the following bug which has been found by our modified version of syzkaller.

======================================================
description: WARNING: refcount bug in sk_skb_reason_drop
affected file: net/core/skbuff.c
kernel version: 6.12.0-rc3
kernel commit: 6efbea77b390604a7be7364583e19cd2d6a1291b
git tree: upstream
kernel config: attached
crash reproducer: unattached
======================================================
Crash log:
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 8778 at lib/refcount.c:28 refcount_warn_saturate+0x10a/0x1a0
Modules linked in:
CPU: 1 UID: 0 PID: 8778 Comm: syz-executor.4 Not tainted 6.12.0-rc3-00183-g6efbea77b390 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:refcount_warn_saturate+0x10a/0x1a0
Code: 00 e6 1f 88 e8 87 50 e4 fd 90 0f 0b 90 90 eb d6 e8 1b c8 0d fe c6 05 56 47 6f 08 01 90 48 c7 c7 60 e6 1f 88 e8 67 50 e4 fd 90 <0f> 0b 90 90 eb b6 e8 fb c7 0d fe c6 05 33 47 6f 08 01 90 48 c7 c7
RSP: 0018:ffffc900004d8850 EFLAGS: 00010246
RAX: 1e2ad9b498ce2e00 RBX: 0000000000000003 RCX: ffff88804acaa500
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc900004d8860 R08: ffff88807ee28cd3 R09: 1ffff1100fdc519a
R10: dffffc0000000000 R11: ffffed100fdc519b R12: ffff88805167c0e4
R13: 0000000000000000 R14: ffff88805167c0e4 R15: 0000000000000000
FS:  000000003c279940(0000) GS:ffff88807ee00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000002000f000 CR3: 000000002aff8000 CR4: 0000000000752ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 <IRQ>
 sk_skb_reason_drop+0x141/0x150
 j1939_xtp_rx_cts+0x3fe/0x790
 j1939_tp_recv+0x65a/0xa40
 j1939_can_recv+0x527/0x650
 can_rcv_filter+0x22b/0x4d0
 can_receive+0x239/0x330
 can_rcv+0xf6/0x180
 __netif_receive_skb+0x119/0x280
 process_backlog+0x4b0/0xe90
 __napi_poll+0x7b/0x300
 net_rx_action+0x4df/0x930
 handle_softirqs+0x21f/0x6c0
 __do_softirq+0xf/0x16
 do_softirq+0xed/0x190
 </IRQ>
 <TASK>
 __local_bh_enable_ip+0x173/0x190
 _raw_spin_unlock_bh+0x33/0x40
 igmpv3_del_delrec+0x3c8/0x400
 ip_mc_up+0x171/0x260
 inetdev_event+0xa5d/0xea0
 notifier_call_chain+0x158/0x350
 raw_notifier_call_chain+0x31/0x40
 call_netdevice_notifiers_info+0xb5/0x100
 __dev_notify_flags+0x161/0x240
 dev_change_flags+0xb5/0xe0
 do_setlink+0x9e2/0x2900
 rtnl_newlink+0x1316/0x18d0
 rtnetlink_rcv_msg+0x637/0x970
 netlink_rcv_skb+0x187/0x2c0
 rtnetlink_rcv+0x20/0x30
 netlink_unicast+0x52a/0x600
 netlink_sendmsg+0x6c7/0x800
 __sock_sendmsg+0x14a/0x180
 __sys_sendto+0x33f/0x430
 __x64_sys_sendto+0x7e/0xa0
 x64_sys_call+0x2c2c/0x2ee0
 do_syscall_64+0xf6/0x230
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x41778a
Code: 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 76 c3 0f 1f 44 00 00 55 48 83 ec 30 44 89 4c
RSP: 002b:00007ffc3ce57768 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000a82200 RCX: 000000000041778a
RDX: 000000000000002c RSI: 0000000000a82250 RDI: 0000000000000003
RBP: 0000000000000000 R08: 00007ffc3ce5777c R09: 000000000000000c
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000003 R15: 0000000000a82250
 </TASK>

We found similar bugs in the syzkaller-bugs mailing list (https://groups.google.com/g/syzkaller-bugs/c/rrilY4Y0KVQ/m/1Gj749LnAQAJ) and the kernel mailing list (https://lore.kernel.org/lkml/66fec2e2.050a0220.9ec68.0046.GAE@xxxxxxxxxx/), but they were all discovered on previous kernel versions (v6.11.0). We are continuing our efforts to generate a reproducer.

Wishing you a nice day!

Best regards,
Ditto

Attachment: fuzz_config
Description: Binary data