Google Git
Sign in
android / platform / external / syzkaller / bb6c338b9e670cf70d21927770f424cee38e06f6 / . / pkg / report / testdata / linux / report / 158
blob: a9768d624c433d3ea8e450c419f49623b60c98fe [file] [log] [blame]
TITLE: WARNING: refcount bug in dev_activate
[ 359.890494] refcount_t: increment on 0; use-after-free.
[ 359.914113] ------------[ cut here ]------------
[ 359.919670] WARNING: CPU: 0 PID: 28200 at lib/refcount.c:152 refcount_inc+0x47/0x50
2017/08/31 09:09:03 executing program 2:
mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
r0 = perf_event_open(&(0x7f000001d000)={0x2, 0x78, 0xdf, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfe, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000007000-0xa)="2f6465762f70746d7800", 0x20003, 0x0)
mmap(&(0x7f0000007000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
r2 = dup(r1)
ioctl$KVM_GET_REGS(r2, 0x8090ae81, &(0x7f00001bb000)={[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0x0})
ioctl$TIOCMGET(r0, 0x5415, &(0x7f0000e85000)=0x0)
ioctl$TIOCSCTTY(r2, 0x540e, 0x800)
r3 = socket$inet(0x2, 0x2, 0x0)
getsockopt$sock_int(r2, 0x1, 0x200000000032, &(0x7f0000a1d000-0x4)=0x0, &(0x7f0000a8f000-0x4)=0x4)
r4 = socket$kcm(0x29, 0x5, 0x0)
writev(r4, &(0x7f0000e5b000)=[{&(0x7f0000c7c000)="4ab6b00b23359a6a25d060bfd09f633f4929df8bc1ea04c19cbf9ca9d96e33a184a46f0c6ebed565a793332077fe2005e180962553f6486616c22bc8254220dcf916a833f31ef38227acf2f47170ba7143635a1b91eb4504b1febc6a5789c926a809ad57545373ebcc5b1e9ccffbd8192fc721baa2107595f09b4124d7a14159d1ae2203ccd768e901cf3ac21e0d6a12da29ede746be4fce5a1911b2b8895096cac5186eadefe76d2077f44ff2feb7a5e448863220679bc1e8f58bec3b0a40f55371d1b2a7d542716928c6846de42bafc6cc093dcc4ac44d52618da3fd190dad7af93dd999a79b716597e6feda6369a5d53a12c332d1f1", 0xf7}, {&(0x7f0000ef7000)="8a7c9f32c556f72679a2062cb55358182e1dd7e13c49536e92899dea88490bae49c8cf792959d550c602fd9cce8ad6ac930a16b02d14b4555e4f5df016716514e7df686782df9af01e0b1735eef3e21e9f34419fba568230027d945d223ac5cadd9bdd1dd9b2c5bd826f452b67cb95550d3e5076cf9cef5857ba9923a369e319b7289ad5c216a3991abd01c9647f602e33a84b26e1e086da95299f7983604e39a5dc02a5b188f0a85a08dd290895e44c6d74f4be8613399baa5cf0bf731cda420f26b40d7324", 0xc6}, {&(0x7f0000d7b000-0xf7)="3a90cea993628e38282a20eaf9243cfb3498f39b3a64df551ab649ce086b8ee95f6fb3d0f9be8b8f648c78027908ca2d6c46a3ee8cf83d695c132f64ad4be84fcc93d47ea38de50d219e43e668a4574b5870b06f353e64334b2342b1cd97f9ed21e79ad77839270fcd95e37f97e97b42b0c365d82da33c2f98141c97449382ff2f06457e9b9f2299393ccccd8a6bd9a524aefb7b816e0e2b8b556b62a5669de8ba2d82fa956941da2647b83e86a78631e2ea04756ec340e0d51a3fa95e162c2040b7d6895b18d72e7c56593bf6906324188c904786705384443d89137af988acc6257654c0a95f4e45080ba481949f0d8e27c4ff3bd537", 0xf7}, {&(0x7f000023d000-0x8d)="ef1e47bc1b92b8aa3ee83fe3d494dfe12a2f72e8d6d2f28035a4e80ad64d24b7d18d26fc03d2b5ba48cff12f44a43114c6bb5d4478816589820e215929a5e7af69ef374de43bf3e18ab0e24ea599618415e6a937c11ec1b9aecdda619370f68e3de7c8b4803635dd196a14fa172c807d185b464083743dd59146d48ac7d3bc193f85eda847a963b3900de205d3", 0x8d}, {&(0x7f00005c3000-0x4d)="f198f10b08173e545f9033f2472d72055a780614aa9e45ef68d4a9d9f42e048770033930435e39bb04801d080488a522006dc1b10978daf10de9ce9408ad741c36b21dea713b803fb15bf04959", 0x4d}], 0x5)
fsync(r3)
mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
perf_event_open(&(0x7f00008a8000-0x78)={0x4000000002, 0x78, 0xdb, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfc, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x80000000000000, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x0, 0x3, 0xffffffffffffffff, 0x0)
r5 = syz_open_dev$sndtimer(&(0x7f0000000000)="2f6465762f736e642f74696d657200", 0x0, 0x0)
getsockopt$inet_sctp_SCTP_ASSOCINFO(r2, 0x84, 0x1, &(0x7f0000bbf000)={<r6=>0x0, 0x20, 0x1000, 0x3, 0x7, 0x1800000000}, &(0x7f0000025000-0x4)=0x14)
setsockopt$inet_sctp6_SCTP_ASSOCINFO(r2, 0x84, 0x1, &(0x7f000005d000-0x14)={r6, 0x1, 0xffffffff, 0xfffffffffffffffa, 0x80000, 0x3ff}, 0x14)
ioctl$SNDRV_TIMER_IOCTL_GPARAMS(r5, 0x40485404, &(0x7f0000f88000-0x48)={{0x0, 0x0, 0x0, 0x0, 0x9}, 0x0, 0x0, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]})
ioctl$SNDRV_TIMER_IOCTL_STATUS(r2, 0x80605414, &(0x7f00007a9000)="000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
ioctl$sock_kcm_SIOCKCMUNATTACH(r2, 0x89e1, &(0x7f00006d2000-0x4)={r3})
r7 = socket$netlink(0x10, 0x3, 0xb)
mkdir(&(0x7f000028c000-0x8)="2e2f66696c653000", 0x82)
writev(r7, &(0x7f00004a4000)=[{&(0x7f0000aea000-0x39)="390000001300194700bb61e1c305000040000200050000000000000080000900130001000000ff00280fe20000000000000000000000000ad670", 0x3a}], 0x1)
sendto$llc(r2, &(0x7f0000cde000)="993812b205fe34116b1bbe2cafa830e4cb8d5daf991e3c42e1c54d368363207f5f7f6b99e8970d953bc11ddaa01362e3ad69fb5174f000f78bb5f001fd462e3c68438a5f01117ee10fc8975a828c91a5bcadce8f1b80090fcae973289c27c5cd0129475c6140133664df66e4b1e06d8313946dcba4664a5a259e34797e95b9", 0x7f, 0x20040841, &(0x7f000042f000-0x10)={0x1a, 0x17, 0xadef, 0x3, 0x7, 0x3f, @random="573a697a8ca5", [0x0, 0x0]}, 0x10)
fstat(r0, &(0x7f00004fc000-0x44)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
socketpair$ax25(0x3, 0x3, 0xc4, &(0x7f000095a000)={0xffffffffffffffff, 0xffffffffffffffff})
r8 = signalfd4(0xffffffffffffffff, &(0x7f0000ce2000)={0x7fffffff}, 0x8, 0x0)
read(r8, &(0x7f0000e78000-0x80)="0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", 0x80)
inotify_init1(0x80804)
setsockopt$inet_sctp6_SCTP_EVENTS(r2, 0x84, 0xb, &(0x7f00002f6000-0xb)={0x0, 0x100000001, 0x1, 0x9, 0x7, 0x0, 0x1, 0x8, 0x7, 0xcccc, 0x10000005}, 0xb)
[ 359.985135] Kernel panic - not syncing: panic_on_warn set ...
[ 359.985135]
[ 359.992585] CPU: 0 PID: 28200 Comm: syz-executor7 Not tainted 4.13.0-rc7+ #60
[ 359.999847] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 360.009190] Call Trace:
[ 360.011774] dump_stack+0x194/0x257
[ 360.015414] ? arch_local_irq_restore+0x53/0x53
[ 360.020091] panic+0x1e4/0x417
[ 360.023270] ? __warn+0x1d9/0x1d9
[ 360.026706] ? show_regs_print_info+0x65/0x65
[ 360.031193] ? retint_kernel+0x10/0x10
[ 360.035065] ? __warn+0x1a9/0x1d9
[ 360.038513] ? refcount_inc+0x47/0x50
[ 360.042297] __warn+0x1c4/0x1d9
[ 360.045578] ? refcount_inc+0x47/0x50
[ 360.049371] report_bug+0x211/0x2d0
[ 360.053032] fixup_bug+0x40/0x90
[ 360.056390] do_trap+0x260/0x390
[ 360.059766] do_error_trap+0x120/0x390
[ 360.063653] ? vprintk_emit+0x49b/0x590
[ 360.067619] ? do_trap+0x390/0x390
[ 360.071177] ? refcount_inc+0x47/0x50
[ 360.074961] ? vprintk_emit+0x3ea/0x590
[ 360.078936] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 360.083775] do_invalid_op+0x1b/0x20
[ 360.087475] invalid_op+0x1e/0x30
[ 360.090909] RIP: 0010:refcount_inc+0x47/0x50
[ 360.095323] RSP: 0018:ffff8801cb557928 EFLAGS: 00010282
[ 360.100669] RAX: 000000000000002b RBX: ffffffff8608f514 RCX: 0000000000000000
[ 360.107934] RDX: 000000000000002b RSI: ffffffff8159319e RDI: ffffed00396aaf19
[ 360.115187] RBP: ffff8801cb557930 R08: 0000000000000001 R09: 0000000000000000
[ 360.122452] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff8608f3c0
[ 360.129703] R13: 0000000000000001 R14: ffff8801c27e3580 R15: dffffc0000000000
[ 360.136985] ? vprintk_func+0x5e/0xc0
[ 360.140775] ? refcount_inc+0x47/0x50
[ 360.144568] dev_activate+0x7d3/0xaa0
[ 360.148368] ? qdisc_create_dflt+0x160/0x160
[ 360.152765] ? __local_bh_enable_ip+0x9d/0x160
[ 360.157340] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 360.162343] ? dev_set_rx_mode+0x2f/0x40
[ 360.166389] ? trace_hardirqs_on+0xd/0x10
[ 360.170526] ? __local_bh_enable_ip+0x9d/0x160
[ 360.175096] ? _raw_spin_unlock_bh+0x30/0x40
[ 360.179499] __dev_open+0x227/0x330
[ 360.183113] ? dev_set_rx_mode+0x40/0x40
[ 360.187159] ? dev_set_rx_mode+0x2f/0x40
[ 360.191219] ? trace_hardirqs_on+0xd/0x10
[ 360.195351] ? __local_bh_enable_ip+0x9d/0x160
[ 360.199920] ? _raw_spin_unlock_bh+0x30/0x40
[ 360.204325] ? dev_set_rx_mode+0x40/0x40
[ 360.208373] __dev_change_flags+0x159/0x3d0
[ 360.212687] dev_change_flags+0x88/0x140
[ 360.216747] devinet_ioctl+0x123d/0x19a0
[ 360.220809] ? inet_ifa_byprefix+0x1e0/0x1e0
[ 360.225275] inet_ioctl+0x117/0x1c0
[ 360.228885] ? inet_ioctl+0x117/0x1c0
[ 360.232675] sock_do_ioctl+0x65/0xb0
[ 360.236381] sock_ioctl+0x2c2/0x440
[ 360.240000] ? dlci_ioctl_set+0x40/0x40
[ 360.243959] do_vfs_ioctl+0x1b1/0x1520
[ 360.247840] ? ioctl_preallocate+0x2b0/0x2b0
[ 360.252241] ? selinux_capable+0x40/0x40
[ 360.256295] ? __sb_end_write+0xa0/0xd0
[ 360.260263] ? fput+0xd2/0x140
[ 360.263459] ? security_file_ioctl+0x89/0xb0
[ 360.267876] SyS_ioctl+0x8f/0xc0
[ 360.271253] entry_SYSCALL_64_fastpath+0x1f/0xbe
[ 360.275990] RIP: 0033:0x451e59
[ 360.279173] RSP: 002b:00007f7999f6ac08 EFLAGS: 00000216 ORIG_RAX: 0000000000000010
[ 360.286864] RAX: ffffffffffffffda RBX: 00000000007180b0 RCX: 0000000000451e59
[ 360.294114] RDX: 000000002044ffe0 RSI: 0000000000008914 RDI: 0000000000000006
[ 360.301364] RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
[ 360.308614] R10: 0000000000000000 R11: 0000000000000216 R12: 00000000004b69f7
[ 360.315866] R13: 00007f7999f6ab48 R14: 00000000004b6a07 R15: 0000000000000000
[ 360.323787] Dumping ftrace buffer:
[ 360.327372] (ftrace buffer empty)
[ 360.331051] Kernel Offset: disabled
[ 360.334650] Rebooting in 86400 seconds..