[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20200430082255.GH5770@shao2-debian>
Date: Thu, 30 Apr 2020 16:22:56 +0800
From: kernel test robot <lkp@...el.com>
To: Xiyu Yang <xiyuyang19@...an.edu.cn>
Cc: Xin Tan <tanxin.ctf@...il.com>, linux-x25@...r.kernel.org,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
LKP <lkp@...ts.01.org>
Subject: 4becb7ee5b ("net/x25: Fix x25_neigh refcnt leak when x25 .."): [
89.261843] BUG: kernel NULL pointer dereference, address: 00000074
Greetings,
0day kernel testing robot got the below dmesg and the first bad commit is
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
commit 4becb7ee5b3d2829ed7b9261a245a77d5b7de902
Author: Xiyu Yang <xiyuyang19@...an.edu.cn>
AuthorDate: Sat Apr 25 21:06:25 2020 +0800
Commit: David S. Miller <davem@...emloft.net>
CommitDate: Mon Apr 27 11:20:30 2020 -0700
net/x25: Fix x25_neigh refcnt leak when x25 disconnect
x25_connect() invokes x25_get_neigh(), which returns a reference of the
specified x25_neigh object to "x25->neighbour" with increased refcnt.
When x25 connect success and returns, the reference still be hold by
"x25->neighbour", so the refcount should be decreased in
x25_disconnect() to keep refcount balanced.
The reference counting issue happens in x25_disconnect(), which forgets
to decrease the refcnt increased by x25_get_neigh() in x25_connect(),
causing a refcnt leak.
Fix this issue by calling x25_neigh_put() before x25_disconnect()
returns.
Signed-off-by: Xiyu Yang <xiyuyang19@...an.edu.cn>
Signed-off-by: Xin Tan <tanxin.ctf@...il.com>
Signed-off-by: David S. Miller <davem@...emloft.net>
095f5614bf net/tls: Fix sk_psock refcnt leak in bpf_exec_tx_verdict()
4becb7ee5b net/x25: Fix x25_neigh refcnt leak when x25 disconnect
+-------------------------------------------------------+------------+------------+
| | 095f5614bf | 4becb7ee5b |
+-------------------------------------------------------+------------+------------+
| boot_successes | 29 | 1 |
| boot_failures | 4 | 10 |
| BUG:kernel_timeout_in_boot_stage | 1 | |
| BUG:kernel_hang_in_test_stage | 2 | |
| BUG:kernel_hang_in_boot_stage | 1 | 1 |
| BUG:kernel_NULL_pointer_dereference,address | 0 | 9 |
| Oops:#[##] | 0 | 9 |
| EIP:x25_disconnect | 0 | 9 |
| Kernel_panic-not_syncing:Fatal_exception_in_interrupt | 0 | 9 |
| WARNING:at_lib/refcount.c:#refcount_warn_saturate | 0 | 1 |
| EIP:refcount_warn_saturate | 0 | 1 |
+-------------------------------------------------------+------------+------------+
If you fix the issue, kindly add following tag
Reported-by: kernel test robot <lkp@...el.com>
Stopping syslogd/klogd: stopped syslogd (pid 459)
stopped klogd (pid 462)
done
Deconfiguring network interfaces... done.
Sending all processes the TERM signal...
[ 89.261843] BUG: kernel NULL pointer dereference, address: 00000074
[ 89.263892] #PF: supervisor write access in kernel mode
[ 89.264352] #PF: error_code(0x0002) - not-present page
[ 89.264799] *pde = 00000000
[ 89.265057] Oops: 0002 [#1] SMP
[ 89.265338] CPU: 1 PID: 785 Comm: trinity-c2 Not tainted 5.7.0-rc2-00379-g4becb7ee5b3d2 #1
[ 89.303957] EIP: x25_disconnect+0x81/0xbc
[ 89.304969] Code: b3 7c 02 00 00 75 0d 89 d8 ff 93 08 03 00 00 0f ba 6b 50 00 b8 a0 b9 f8 81 e8 a6 70 03 00 8b 8b 50 03 00 00 83 ca ff 8d 41 74 <f0> 0f c1 51 74 83 fa 01 75 09 89 c8 e8 12 32 81 ff eb 0e 85 d2 7f
[ 89.309273] EAX: 00000074 EBX: f25fb800 ECX: 00000000 EDX: ffffffff
[ 89.310597] ESI: 00000000 EDI: 00000008 EBP: f2ff5ed0 ESP: f2ff5ec0
[ 89.312086] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00010286
[ 89.313295] CR0: 80050033 CR2: 00000074 CR3: 72eb6000 CR4: 00140690
[ 89.314409] Call Trace:
[ 89.314796] x25_release+0x98/0xec
[ 89.317726] __sock_release+0x26/0x78
[ 89.318307] sock_close+0xd/0x11
[ 89.332917] __fput+0xe5/0x1a2
[ 89.333443] ____fput+0x8/0xa
[ 89.334210] task_work_run+0x53/0x76
[ 89.334789] do_exit+0x404/0x8f8
[ 89.335286] do_group_exit+0x82/0x82
[ 89.335833] __ia32_sys_exit_group+0x10/0x10
[ 89.336506] do_fast_syscall_32+0x8c/0xc5
[ 89.337749] entry_SYSENTER_32+0xaa/0x102
[ 89.338246] EIP: 0x77fc1c3d
[ 89.338588] Code: Bad RIP value.
[ 89.339050] EAX: ffffffda EBX: 00000000 ECX: 00000000 EDX: 00000000
[ 89.339782] ESI: 00000080 EDI: 09d30ef8 EBP: 0000006e ESP: 7fc0c0fc
[ 89.340549] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000216
[ 89.341451] Modules linked in:
[ 89.341834] CR2: 0000000000000074
[ 89.342300] ---[ end trace 4adddd6044784e2e ]---
[ 89.342971] EIP: x25_disconnect+0x81/0xbc
# HH:MM RESULT GOOD BAD GOOD_BUT_DIRTY DIRTY_NOT_BAD
git bisect start b54e1dda887def1d16df3f47692ce7fbaccfb7d1 6a8b55ed4056ea5559ebe4f6a4b247f627870d4c --
git bisect bad 8ea28476ea8059845ba55223fc779048553f4914 # 06:25 B 0 3 19 0 Merge 'nsaenz-linux-rpi/for-next' into devel-hourly-2020042823
git bisect bad 00be51a8460ac2298cf6515ca5ff90ec0214f986 # 07:05 B 0 4 20 0 Merge 'linux-review/Mason-Yang/mtd-spi-nor-macronix-Add-support-for-mx25l512-mx25u512/20200426-125136' into devel-hourly-2020042823
git bisect bad 5b07957c29cdcb3f9fd2850460abe343b3cb6edd # 07:56 B 0 2 18 0 Merge 'linux-review/Like-Xu/KVM-x86-pmu-Support-full-width-counting/20200428-055206' into devel-hourly-2020042823
git bisect bad ea46db9609519c8a9cbe7bfec63194adefd51a2d # 10:26 B 0 6 22 0 Merge 'linux-review/Ranjani-Sridharan/Kconfig-updates-for-DMIC-and-SOF-HDMI-support/20200428-093102' into devel-hourly-2020042823
git bisect good 98e97b9813c233f075a74c9a89e62e3ca35b00d3 # 14:34 G 10 0 0 0 Merge 'linux-review/Anders-Roxell/memory-tegra-mark-PM-functions-as-__maybe_unused/20200428-094935' into devel-hourly-2020042823
git bisect good e16c3f98a1906ef3b1a2c8d61c937b7a4f6a7628 # 16:07 G 11 0 0 0 Merge 'linux-review/sathyanarayanan-kuppuswamy-linux-intel-com/PCI-AER-Use-_OSC-negotiation-to-determine-AER-ownership/20200428-040550' into devel-hourly-2020042823
git bisect bad 60da1f95aa465e3b6ea917b753cfc8e8e0796459 # 17:01 B 1 1 1 1 Merge 'linux-review/Toke-H-iland-J-rgensen/wireguard-Use-tunnel-helpers-for-decapsulating-ECN-markings/20200428-082513' into devel-hourly-2020042823
git bisect good 7358cb29b9fd5a2553da6210e824052406698177 # 17:44 G 10 0 1 1 Merge 'linux-review/Eric-Dumazet/fq_codel-fix-TCA_FQ_CODEL_DROP_BATCH_SIZE-sanity-checks/20200427-190619' into devel-hourly-2020042823
git bisect good ffe419ae8a3e08aa9bad4878b99f5543d4ee5d6b # 18:17 G 10 0 0 0 Merge 'linux-review/UPDATE-20200428-085738/Sakari-Ailus/IPU3-ImgU-driver-parameter-struct-fixes/20200416-195812' into devel-hourly-2020042823
git bisect bad bae361c54fb6ac6eba3b4762f49ce14beb73ef13 # 18:56 B 0 4 20 0 bnxt_en: Improve AER slot reset.
git bisect bad 4becb7ee5b3d2829ed7b9261a245a77d5b7de902 # 19:28 B 0 2 18 0 net/x25: Fix x25_neigh refcnt leak when x25 disconnect
git bisect good 18e6719c141e472fe3b9dce2d089eb89fdbce0b5 # 20:05 G 10 0 3 3 Merge branch 'vsock-virtio-fixes-about-packet-delivery-to-monitoring-devices'
git bisect good 095f5614bfe16e5b3e191b34ea41b10d6fdd4ced # 21:02 G 10 0 1 1 net/tls: Fix sk_psock refcnt leak in bpf_exec_tx_verdict()
# first bad commit: [4becb7ee5b3d2829ed7b9261a245a77d5b7de902] net/x25: Fix x25_neigh refcnt leak when x25 disconnect
git bisect good 095f5614bfe16e5b3e191b34ea41b10d6fdd4ced # 21:14 G 30 0 1 2 net/tls: Fix sk_psock refcnt leak in bpf_exec_tx_verdict()
# extra tests with debug options
git bisect bad 4becb7ee5b3d2829ed7b9261a245a77d5b7de902 # 21:31 B 0 2 18 0 net/x25: Fix x25_neigh refcnt leak when x25 disconnect
# extra tests on revert first bad commit
git bisect good c56c1e56fe4c60e83308391f3faf5100ff5d3874 # 22:30 G 10 0 1 1 Revert "net/x25: Fix x25_neigh refcnt leak when x25 disconnect"
# good: [c56c1e56fe4c60e83308391f3faf5100ff5d3874] Revert "net/x25: Fix x25_neigh refcnt leak when x25 disconnect"
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/lkp@lists.01.org
Download attachment "dmesg-yocto-vm-yocto-29:20200429193013:i386-randconfig-a003-20200428:5.7.0-rc2-00379-g4becb7ee5b3d2:1.gz" of type "application/gzip" (17664 bytes)
Download attachment "dmesg-yocto-vm-yocto-11:20200429210130:i386-randconfig-a003-20200428:5.7.0-rc2-00378-g095f5614bfe16e:1.gz" of type "application/gzip" (3872 bytes)
View attachment "reproduce-yocto-vm-yocto-29:20200429193013:i386-randconfig-a003-20200428:5.7.0-rc2-00379-g4becb7ee5b3d2:1" of type "text/plain" (932 bytes)
Download attachment "b54e1dda887def1d16df3f47692ce7fbaccfb7d1:gcc-7:i386-randconfig-a003-20200428:EIP:x25_disconnect.xz" of type "application/x-xz" (8892 bytes)
View attachment "config-5.7.0-rc2-00379-g4becb7ee5b3d2" of type "text/plain" (147214 bytes)
Powered by blists - more mailing lists