Re: sctp refcount bug.
On Thu, Jul 13, 2017 at 11:38:34AM -0300, Marcelo Ricardo Leitner wrote:
> On Thu, Jul 13, 2017 at 10:36:39AM -0400, Dave Jones wrote:
> > Hit this on Linus' current tree.
> >
> >
> > refcount_t: underflow; use-after-free.
>
> Any tips on how to reproduce this?

Only seen it once so far. Will see if I can narrow it down if it
reproduces. It took ~12 hours of fuzzing to find overnight.

	Dave
Re: sctp refcount bug.
On Thu, Jul 13, 2017 at 10:36:39AM -0400, Dave Jones wrote:
> Hit this on Linus' current tree.
>
>
> refcount_t: underflow; use-after-free.

Any tips on how to reproduce this?

  Marcelo
sctp refcount bug.
Hit this on Linus' current tree.

refcount_t: underflow; use-after-free.
[ cut here ]
WARNING: CPU: 2 PID: 14455 at lib/refcount.c:186 refcount_sub_and_test+0x45/0x50
CPU: 2 PID: 14455 Comm: trinity-c46 Tainted: G D 4.12.0-think+ #11
task: 8804fc71b8c0 task.stack: c90002328000
RIP: 0010:refcount_sub_and_test+0x45/0x50
RSP: 0018:c9000232ba58 EFLAGS: 00010282
RAX: 0026 RBX: 88001db1d1c0 RCX:
RDX: RSI: 88050a3ccca8 RDI: 88050a3ccca8
RBP: c9000232ba58 R08: R09: 0001
R10: c9000232ba88 R11: R12: 88000d3f9b40
R13: 880456948008 R14: 880456948870 R15: c9000232bd10
FS: 7f79b1032700() GS:88050a20() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 008436726348 CR3: 00022cc87000 CR4: 001406e0
DR0: 7f731068f000 DR1: 7f2d83eb9000 DR2: 7f302340e000
DR3: DR6: 0ff0 DR7: 0600
Call Trace:
 sctp_wfree+0x5d/0x190 [sctp]
 skb_release_head_state+0x64/0xc0
 skb_release_all+0x12/0x30
 consume_skb+0x50/0x170
 sctp_chunk_put+0x59/0x80 [sctp]
 sctp_chunk_free+0x26/0x30 [sctp]
 __sctp_outq_teardown+0x1d8/0x270 [sctp]
 sctp_outq_free+0xe/0x10 [sctp]
 sctp_association_free+0x92/0x220 [sctp]
 sctp_do_sm+0x12a6/0x1920 [sctp]
 ? __get_user_4+0x18/0x20
 ? no_context+0x3f/0x360
 ? lock_acquire+0xe7/0x1e0
 ? skb_dequeue+0x1d/0x70
 sctp_primitive_SHUTDOWN+0x33/0x40 [sctp]
 sctp_close+0x26e/0x2a0 [sctp]
 inet_release+0x3c/0x60
 sock_release+0x1f/0x80
 sock_close+0x12/0x20
 __fput+0xf8/0x200
 fput+0xe/0x10
 task_work_run+0x85/0xc0
 exit_to_usermode_loop+0xa8/0xb0
 do_syscall_64+0x151/0x190
 entry_SYSCALL64_slow_path+0x25/0x25
RIP: 0033:0x7f79b095b1e9
RSP: 002b:7ffc5eca3088 EFLAGS: 0246 ORIG_RAX: 0120
RAX: fff2 RBX: 0120 RCX: 7f79b095b1e9
RDX: 006e RSI: 008436738120 RDI: 0130
RBP: 7ffc5eca3130 R08: R09: 0ff0
R10: 00080800 R11: 0246 R12: 0002
R13: 7f79b0ee9058 R14: 7f79b1032698 R15: 7f79b0ee9000
Code: 75 e6 85 d2 0f 94 c0 c3 31 c0 c3 80 3d ce 95 bc 00 00 75 f4 55 48 c7 c7 00 d9 ee 81 48 89 e5 c6 05 ba 95 bc 00 01 e8 fc 2c c0 ff <0f> ff 31 c0 5d c3 0f 1f 44 00 00 55 48 89 fe bf 01 00 00 00 48
---[ end trace 19b7bd878c0f56fd ]---
[ cut here ]
WARNING: CPU: 2 PID: 14455 at net/ipv4/af_inet.c:154 inet_sock_destruct+0x1b8/0x1f0
CPU: 2 PID: 14455 Comm: trinity-c46 Tainted: G D W 4.12.0-think+ #11
task: 8804fc71b8c0 task.stack: c90002328000
RIP: 0010:inet_sock_destruct+0x1b8/0x1f0
RSP: 0018:c9000232bcf8 EFLAGS: 00010286
RAX: RBX: 88000d3f9b40 RCX:
RDX: fd00 RSI: 0300 RDI: 88000d3f9ca8
RBP: c9000232bd08 R08: R09:
R10: R11: R12: 88000d3f9ca8
R13: 88000d3f9b40 R14: 88000d3f9bc8 R15: 8801836e21d0
FS: 7f79b1032700() GS:88050a20() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 3b9ab732 CR3: 00022cc87000 CR4: 001406e0
DR0: 7f731068f000 DR1: 7f2d83eb9000 DR2: 7f302340e000
DR3: DR6: 0ff0 DR7: 0600
Call Trace:
 sctp_destruct_sock+0x25/0x30 [sctp]
 __sk_destruct+0x28/0x230
 sk_destruct+0x20/0x30
 __sk_free+0x43/0xa0
 sk_free+0x25/0x30
 sctp_close+0x218/0x2a0 [sctp]
 inet_release+0x3c/0x60
 sock_release+0x1f/0x80
 sock_close+0x12/0x20
 __fput+0xf8/0x200
 fput+0xe/0x10
 task_work_run+0x85/0xc0
 exit_to_usermode_loop+0xa8/0xb0
 do_syscall_64+0x151/0x190
 entry_SYSCALL64_slow_path+0x25/0x25
RIP: 0033:0x7f79b095b1e9
RSP: 002b:7ffc5eca3088 EFLAGS: 0246 ORIG_RAX: 0120
RAX: fff2 RBX: 0120 RCX: 7f79b095b1e9
RDX: 006e RSI: 008436738120 RDI: 0130
RBP: 7ffc5eca3130 R08: R09: 0ff0
R10: 00080800 R11: 0246 R12: 0002
R13: 7f79b0ee9058 R14: 7f79b1032698 R15: 7f79b0ee9000
Code: df e8 bd 5f f4 ff e9 07 ff ff ff 0f ff 8b 83 8c 02 00 00 85 c0 0f 84 2d ff ff ff 0f ff 8b 93 88 02 00 00 85 d2 0f 84 2b ff ff ff <0f> ff 8b 83 40 02 00 00 85 c0 0f 84 29 ff ff ff 0f ff e9 22 ff
---[ end trace 19b7bd878c0f56fe ]---
[ cut here ]
WARNING: CPU: 2 PID: 14455 at net/ipv4/af_inet.c:155 inet_sock_destruct+0x1c8/0x1f0
CPU: 2 PID: 14455 Comm: trinity-c46 Tainted: G D W 4.12.0-think+ #11
task: 8804fc71b8c0 task.stack: c90002328000
RIP: 0010:inet_sock_destruct+0x1c8/0x1f0
RSP: 0018:c9000232bcf8 EFLAGS: 00010206
RAX: 0300 RBX: 88000d3f9b40 RCX:
RDX: fd00 RSI: 0300 RDI: fff
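Added example, not part of this thread and not kernel code: a simplified, non-atomic user-space model of the refcount_t underflow check that produced the first warning above (the "refcount_t: underflow; use-after-free." message comes from refcount_sub_and_test() in lib/refcount.c). The struct owner type, owner_put() and the two simulate_*() scenarios are constructed stand-ins for an object whose last put frees it; they are not SCTP or socket code. The point for a reader of the trace is that the check fires when a put runs on a counter already at zero, and that the helper then returns false, so the caller does not free the object a second time.

```c
/* Added example: a simplified, NON-ATOMIC user-space model of the kernel's
 * refcount_t underflow check. Not kernel code; it exists only to show what
 * the "refcount_t: underflow; use-after-free." warning means and why the
 * extra put does not free the object a second time. */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

typedef struct { unsigned int refs; } refcount_t;

/* A counter pinned at UINT_MAX is "saturated": such an object is leaked on
 * purpose rather than freed while references may still exist. */
#define REFCOUNT_SATURATED UINT_MAX

static int underflow_warnings;      /* how often the underflow path fired */

static void refcount_set(refcount_t *r, unsigned int n) { r->refs = n; }
static unsigned int refcount_read(const refcount_t *r) { return r->refs; }

static void refcount_inc(refcount_t *r)
{
    if (r->refs != REFCOUNT_SATURATED)
        r->refs++;
}

/* Model of refcount_sub_and_test(): drop i references and report whether the
 * count reached zero, i.e. whether the caller must now free the object. */
static bool refcount_sub_and_test(unsigned int i, refcount_t *r)
{
    unsigned int val = r->refs, new;

    if (val == REFCOUNT_SATURATED)  /* saturated: never free */
        return false;
    new = val - i;
    if (new > val) {                /* wrapped past zero: one put too many */
        underflow_warnings++;
        fprintf(stderr, "refcount_t: underflow; use-after-free.\n");
        return false;               /* refuse to signal "free me" again */
    }
    r->refs = new;
    return new == 0;
}

static bool refcount_dec_and_test(refcount_t *r)
{
    return refcount_sub_and_test(1, r);
}

/* Constructed stand-in for an object whose last put frees it. */
struct owner {
    refcount_t refs;
    bool freed;
};

static void owner_put(struct owner *o)
{
    if (refcount_dec_and_test(&o->refs))
        o->freed = true;            /* real code would free the object here */
}

/* Balanced scenario: two holders, two puts. Returns the number of underflow
 * warnings seen (0 when everything is correct), or -1 if never freed. */
static int simulate_balanced_puts(void)
{
    struct owner o = { .refs = { 0 }, .freed = false };

    underflow_warnings = 0;
    refcount_set(&o.refs, 1);       /* creator's reference */
    refcount_inc(&o.refs);          /* second holder */
    owner_put(&o);                  /* 2 -> 1 */
    owner_put(&o);                  /* 1 -> 0, freed exactly once */
    return o.freed ? underflow_warnings : -1;
}

/* Buggy scenario: the same two holders, but a third put, as when a
 * destructor drops a reference that was already released. */
static int simulate_double_put(void)
{
    struct owner o = { .refs = { 0 }, .freed = false };

    underflow_warnings = 0;
    refcount_set(&o.refs, 1);
    refcount_inc(&o.refs);
    owner_put(&o);                  /* 2 -> 1 */
    owner_put(&o);                  /* 1 -> 0, freed */
    owner_put(&o);                  /* 0 - 1 would wrap: warning, no 2nd free */
    return underflow_warnings;
}

int main(void)
{
    printf("balanced: %d underflow warning(s)\n", simulate_balanced_puts());
    printf("double put: %d underflow warning(s)\n", simulate_double_put());
    return 0;
}
```

Build with `cc -std=c11 -Wall refcount_model.c` (file name assumed). The real kernel helper does the same comparison inside an atomic cmpxchg loop and uses WARN_ONCE, which is what produced the backtrace and register dump above; the model drops the atomicity because the underflow logic, not the concurrency, is what the warning is about.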