lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 24 Nov 2017 11:57:18 +0800
From:   Fengguang Wu <fengguang.wu@...el.com>
To:     Vivien Didelot <vivien.didelot@...oirfairelinux.com>
Cc:     wfg@...ux.intel.com, Florian Fainelli <f.fainelli@...il.com>,
        netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
        LKP <lkp@...org>
Subject: 8e5bf9759a ("net: dsa: simplify tree reference counting"): WARNING:
 CPU: 1 PID: 27 at lib/refcount.c:153 refcount_inc

Hi Vivien,

It looks linus/master and linux-next still has this issue.

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

commit 8e5bf9759a06be2251fa96cfd8b412f1808c62f9
Author:     Vivien Didelot <vivien.didelot@...oirfairelinux.com>
AuthorDate: Fri Nov 3 19:05:22 2017 -0400
Commit:     David S. Miller <davem@...emloft.net>
CommitDate: Sun Nov 5 22:31:38 2017 +0900

     net: dsa: simplify tree reference counting
     
     DSA trees have a refcount used to automatically free the dsa_switch_tree
     structure once there is no switch devices inside of it.
     
     The refcount is incremented when a switch is added to the tree, and
     decremented when it is removed from it.
     
     But because of kref_init, the refcount is also incremented at
     initialization, and when looking up the tree from the list for symmetry.
     
     Thus the current code stores the number of switches plus one, and makes
     the switch registration more complex.
     
     To simplify the switch registration function, we reset the refcount to
     zero after initialization and don't increment it when looking up a tree.
     
     Signed-off-by: Vivien Didelot <vivien.didelot@...oirfairelinux.com>
     Reviewed-by: Florian Fainelli <f.fainelli@...il.com>
     Signed-off-by: David S. Miller <davem@...emloft.net>

49463b7f2d  net: dsa: make tree index unsigned
8e5bf9759a  net: dsa: simplify tree reference counting
0c86a6bd85  Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
1efc584c71  Add linux-next specific files for 20171122
+-----------------------------------------+------------+------------+------------+---------------+
|                                         | 49463b7f2d | 8e5bf9759a | 0c86a6bd85 | next-20171122 |
+-----------------------------------------+------------+------------+------------+---------------+
| boot_successes                          | 35         | 0          | 0          | 0             |
| boot_failures                           | 0          | 15         | 19         | 1             |
| WARNING:at_lib/refcount.c:#refcount_inc | 0          | 15         | 19         | 1             |
| RIP:refcount_inc                        | 0          | 15         | 19         | 1             |
+-----------------------------------------+------------+------------+------------+---------------+

[   63.079692] zswap: pool creation failed
[   63.080219] page_owner is disabled
[   63.082254] dsa-loop fixed-0:1f: DSA mockup driver: 0x1f
[   63.082945] refcount_t: increment on 0; use-after-free.
[   63.083520] ------------[ cut here ]------------
[   63.084409] WARNING: CPU: 1 PID: 27 at lib/refcount.c:153 refcount_inc+0x112/0x150
[   63.085375] CPU: 1 PID: 27 Comm: kworker/1:1 Not tainted 4.14.0-rc7-02139-g8e5bf97 #1
[   63.086154] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[   63.086987] Workqueue: events deferred_probe_work_func
[   63.087516] task: ffff88001cb20000 task.stack: ffffc900001e0000
[   63.088129] RIP: 0010:refcount_inc+0x112/0x150
[   63.088591] RSP: 0000:ffffc900001e3b50 EFLAGS: 00010202
[   63.089117] RAX: 000000000000002b RBX: 0000000000000001 RCX: 0000000000000000
[   63.090143] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff84b4f1f8
[   63.091289] RBP: ffffc900001e3b58 R08: 0000000000000001 R09: 0000000000000001
[   63.092481] R10: ffff880014eefa80 R11: 0000000000000001 R12: ffffffff84758800
[   63.093627] R13: ffff880014eefa80 R14: ffff880012045820 R15: ffff880014eefa80
[   63.094760] FS:  0000000000000000(0000) GS:ffff88001e400000(0000) knlGS:0000000000000000
[   63.096119] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   63.097046] CR2: ffffc90000164000 CR3: 0000000004211000 CR4: 00000000000006a0
[   63.098183] Call Trace:
[   63.098607]  _dsa_register_switch+0x884/0x1350
[   63.099332]  dsa_register_switch+0x2e/0x60
[   63.099998]  dsa_loop_drv_probe+0x18e/0x1a0
[   63.100707]  mdio_probe+0x46/0x60
[   63.101271]  really_probe+0x314/0x6a0
[   63.101873]  ? __driver_attach+0x210/0x210
[   63.102546]  driver_probe_device+0xb3/0x130
[   63.103221]  __device_attach_driver+0x18e/0x220
[   63.103960]  bus_for_each_drv+0xaf/0x150
[   63.104630]  __device_attach+0x134/0x2d0
[   63.105281]  device_initial_probe+0x16/0x20
[   63.105961]  bus_probe_device+0x8b/0x150
[   63.106610]  deferred_probe_work_func+0x17b/0x2d0
[   63.107374]  process_one_work+0x802/0x10b0
[   63.108087]  ? worker_thread+0x4f/0xaf0
[   63.108722]  worker_thread+0x6ee/0xaf0
[   63.109342]  kthread+0x1ee/0x200
[   63.109871]  ? rescuer_thread+0x700/0x700
[   63.110527]  ? __kthread_bind_mask+0xf0/0xf0
[   63.111220]  ret_from_fork+0x2a/0x40
[   63.111809] Code: 02 01 e8 e2 22 6a ff 48 c7 c7 80 88 f9 83 48 83 05 b3 e0 cb 04 01 48 83 05 23 76 3a 03 01 e8 a3 77 5c ff 48 83 05 a6 e0 cb 04 01 <0f> ff b9 01 00 00 00 31 d2 be 01 00 00 00 48 c7 c7 d8 7d be 84 
[   63.115201] ---[ end trace 8a309428dc8185af ]---
[   63.115957] DSA: switch 0 0 parsed

                                                           # HH:MM RESULT GOOD BAD GOOD_BUT_DIRTY DIRTY_NOT_BAD
git bisect start 868fa594b769bdeca6218d40eec56bd343aae2d0 bebc6082da0a9f5d47a1ea2edc099bf671058bd4 --
git bisect  bad c85fbc3fea63b6e0f05bb67d97bc01bc53f7833f  # 20:56  B      0     7   20   0  Merge 'nfc-next/master' into devel-spot-201711231601
git bisect good ecbafe0f96eb1da2d4238921d43d369848cd1177  # 21:14  G     10     0    0   0  Merge 'mtd-next/master' into devel-spot-201711231601
git bisect  bad d9d887e9349b132f7037e8be7863080f0b5ff1fb  # 21:38  B      0     9   22   0  Merge 'linux-review/venkat-prashanth2498-gmail-com/rtlwifi-rtl8723ae-Fix-embedded-function-names-with-__func__/20171123-122506' into devel-spot-201711231601
git bisect  bad e0e33e1d92008103302f14be27e744432d2b6d14  # 21:50  B      0     1   15   1  Merge 'wireless-testsing2/master' into devel-spot-201711231601
git bisect good 1ab791dc27faef5aee80fe76d73980d2de0bebc8  # 22:10  G     11     0   11  11  ipv4: timewait: Convert timers to use timer_setup()
git bisect good 02bc6e546e858b209c3ebe380a13a73b333b1b3f  # 00:07  G     11     0    0   0  net: dsa: introduce dsa_user_ports helper
git bisect good cf9cca2dd903b78d04ea7ad4cde0231988944d0f  # 01:07  G     11     0    0   0  net: hns3: Refactor mac_init function
git bisect good 27c565ae9d554fa1c00c799754cff43476c8d3b5  # 01:20  G     11     0    0   0  ipv6: remove IN6_ADDR_HSIZE from addrconf.h
git bisect  bad 37f1ba0909dfa12c75f8e8ea7a2f01355ebd60f1  # 01:47  B      0     9   22   0  selftests/bpf: add a test for device cgroup controller
git bisect  bad 6da2a940ac6a0680e50b3aaf945e409cea03c346  # 02:00  B      0     7   20   0  net: dsa: rework switch addition and removal
git bisect good 012bb8a8b5a2688590f829884acc83697d68a96d  # 02:17  G     10     0    0   0  nfp: bpf: drop support for cls_bpf with legacy actions
git bisect good b37a530613104aa3f592376c67a462823298759c  # 02:33  G     11     0    0   0  bpf: remove old offload/analyzer
git bisect good 99feaafcdb566e8f032e7acc2a303713ad6bf196  # 02:53  G     11     0    0   0  net: dsa: make switch index unsigned
git bisect  bad 8e5bf9759a06be2251fa96cfd8b412f1808c62f9  # 03:10  B      0     2   15   0  net: dsa: simplify tree reference counting
git bisect good 49463b7f2da1a115404b02c5533bc2c2125833a3  # 03:31  G     11     0    0   0  net: dsa: make tree index unsigned
# first bad commit: [8e5bf9759a06be2251fa96cfd8b412f1808c62f9] net: dsa: simplify tree reference counting
git bisect good 49463b7f2da1a115404b02c5533bc2c2125833a3  # 03:38  G     30     0    0   0  net: dsa: make tree index unsigned
# extra tests with debug options
git bisect  bad 8e5bf9759a06be2251fa96cfd8b412f1808c62f9  # 04:16  B      0    11   26   2  net: dsa: simplify tree reference counting
# extra tests on HEAD of linux-devel/devel-spot-201711231601
git bisect  bad 868fa594b769bdeca6218d40eec56bd343aae2d0  # 04:16  B      0    74   91   0  0day head guard for 'devel-spot-201711231601'
# extra tests on tree/branch linus/master
git bisect  bad 0c86a6bd85ff0629cd2c5141027fc1c8bb6cde9c  # 04:42  B      0     1   14   0  Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
# extra tests on tree/branch linux-next/master
git bisect  bad 1efc584c7106993783e846bbcd4c43a87e5be9fa  # 05:12  B      0     1   14   0  Add linux-next specific files for 20171122

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/lkp                          Intel Corporation

Download attachment "dmesg-quantal-ivb41-107:20171124031100:x86_64-randconfig-r0-11231937:4.14.0-rc7-02139-g8e5bf97:1.gz" of type "application/gzip" (29987 bytes)

View attachment "reproduce-quantal-ivb41-107:20171124031100:x86_64-randconfig-r0-11231937:4.14.0-rc7-02139-g8e5bf97:1" of type "text/plain" (889 bytes)

View attachment "config-4.14.0-rc7-02139-g8e5bf97" of type "text/plain" (121281 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ