Date:   Thu, 30 Apr 2020 16:22:56 +0800
From:   kernel test robot <lkp@...el.com>
To:     Xiyu Yang <xiyuyang19@...an.edu.cn>
Cc:     Xin Tan <tanxin.ctf@...il.com>, linux-x25@...r.kernel.org,
        netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
        LKP <lkp@...ts.01.org>
Subject: 4becb7ee5b ("net/x25: Fix x25_neigh refcnt leak when x25 .."): [
   89.261843] BUG: kernel NULL pointer dereference, address: 00000074

Greetings,

0day kernel testing robot got the below dmesg and the first bad commit is

https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master

commit 4becb7ee5b3d2829ed7b9261a245a77d5b7de902
Author:     Xiyu Yang <xiyuyang19@...an.edu.cn>
AuthorDate: Sat Apr 25 21:06:25 2020 +0800
Commit:     David S. Miller <davem@...emloft.net>
CommitDate: Mon Apr 27 11:20:30 2020 -0700

    net/x25: Fix x25_neigh refcnt leak when x25 disconnect
    
    x25_connect() invokes x25_get_neigh(), which returns a reference of the
    specified x25_neigh object to "x25->neighbour" with increased refcnt.
    
    When x25 connect succeeds and returns, the reference is still held by
    "x25->neighbour", so the refcount should be decreased in
    x25_disconnect() to keep the refcount balanced.
    
    The reference counting issue happens in x25_disconnect(), which forgets
    to decrease the refcnt increased by x25_get_neigh() in x25_connect(),
    causing a refcnt leak.
    
    Fix this issue by calling x25_neigh_put() before x25_disconnect()
    returns.
    
    Signed-off-by: Xiyu Yang <xiyuyang19@...an.edu.cn>
    Signed-off-by: Xin Tan <tanxin.ctf@...il.com>
    Signed-off-by: David S. Miller <davem@...emloft.net>

095f5614bf  net/tls: Fix sk_psock refcnt leak in bpf_exec_tx_verdict()
4becb7ee5b  net/x25: Fix x25_neigh refcnt leak when x25 disconnect
+-------------------------------------------------------+------------+------------+
|                                                       | 095f5614bf | 4becb7ee5b |
+-------------------------------------------------------+------------+------------+
| boot_successes                                        | 29         | 1          |
| boot_failures                                         | 4          | 10         |
| BUG:kernel_timeout_in_boot_stage                      | 1          |            |
| BUG:kernel_hang_in_test_stage                         | 2          |            |
| BUG:kernel_hang_in_boot_stage                         | 1          | 1          |
| BUG:kernel_NULL_pointer_dereference,address           | 0          | 9          |
| Oops:#[##]                                            | 0          | 9          |
| EIP:x25_disconnect                                    | 0          | 9          |
| Kernel_panic-not_syncing:Fatal_exception_in_interrupt | 0          | 9          |
| WARNING:at_lib/refcount.c:#refcount_warn_saturate     | 0          | 1          |
| EIP:refcount_warn_saturate                            | 0          | 1          |
+-------------------------------------------------------+------------+------------+

If you fix the issue, kindly add the following tag:
Reported-by: kernel test robot <lkp@...el.com>

Stopping syslogd/klogd: stopped syslogd (pid 459)
stopped klogd (pid 462)
done
Deconfiguring network interfaces... done.
Sending all processes the TERM signal...
[   89.261843] BUG: kernel NULL pointer dereference, address: 00000074
[   89.263892] #PF: supervisor write access in kernel mode
[   89.264352] #PF: error_code(0x0002) - not-present page
[   89.264799] *pde = 00000000 
[   89.265057] Oops: 0002 [#1] SMP
[   89.265338] CPU: 1 PID: 785 Comm: trinity-c2 Not tainted 5.7.0-rc2-00379-g4becb7ee5b3d2 #1
[   89.303957] EIP: x25_disconnect+0x81/0xbc
[   89.304969] Code: b3 7c 02 00 00 75 0d 89 d8 ff 93 08 03 00 00 0f ba 6b 50 00 b8 a0 b9 f8 81 e8 a6 70 03 00 8b 8b 50 03 00 00 83 ca ff 8d 41 74 <f0> 0f c1 51 74 83 fa 01 75 09 89 c8 e8 12 32 81 ff eb 0e 85 d2 7f
[   89.309273] EAX: 00000074 EBX: f25fb800 ECX: 00000000 EDX: ffffffff
[   89.310597] ESI: 00000000 EDI: 00000008 EBP: f2ff5ed0 ESP: f2ff5ec0
[   89.312086] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00010286
[   89.313295] CR0: 80050033 CR2: 00000074 CR3: 72eb6000 CR4: 00140690
[   89.314409] Call Trace:
[   89.314796]  x25_release+0x98/0xec
[   89.317726]  __sock_release+0x26/0x78
[   89.318307]  sock_close+0xd/0x11
[   89.332917]  __fput+0xe5/0x1a2
[   89.333443]  ____fput+0x8/0xa
[   89.334210]  task_work_run+0x53/0x76
[   89.334789]  do_exit+0x404/0x8f8
[   89.335286]  do_group_exit+0x82/0x82
[   89.335833]  __ia32_sys_exit_group+0x10/0x10
[   89.336506]  do_fast_syscall_32+0x8c/0xc5
[   89.337749]  entry_SYSENTER_32+0xaa/0x102
[   89.338246] EIP: 0x77fc1c3d
[   89.338588] Code: Bad RIP value.
[   89.339050] EAX: ffffffda EBX: 00000000 ECX: 00000000 EDX: 00000000
[   89.339782] ESI: 00000080 EDI: 09d30ef8 EBP: 0000006e ESP: 7fc0c0fc
[   89.340549] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000216
[   89.341451] Modules linked in:
[   89.341834] CR2: 0000000000000074
[   89.342300] ---[ end trace 4adddd6044784e2e ]---
[   89.342971] EIP: x25_disconnect+0x81/0xbc

                                                          # HH:MM RESULT GOOD BAD GOOD_BUT_DIRTY DIRTY_NOT_BAD
git bisect start b54e1dda887def1d16df3f47692ce7fbaccfb7d1 6a8b55ed4056ea5559ebe4f6a4b247f627870d4c --
git bisect  bad 8ea28476ea8059845ba55223fc779048553f4914  # 06:25  B      0     3   19   0  Merge 'nsaenz-linux-rpi/for-next' into devel-hourly-2020042823
git bisect  bad 00be51a8460ac2298cf6515ca5ff90ec0214f986  # 07:05  B      0     4   20   0  Merge 'linux-review/Mason-Yang/mtd-spi-nor-macronix-Add-support-for-mx25l512-mx25u512/20200426-125136' into devel-hourly-2020042823
git bisect  bad 5b07957c29cdcb3f9fd2850460abe343b3cb6edd  # 07:56  B      0     2   18   0  Merge 'linux-review/Like-Xu/KVM-x86-pmu-Support-full-width-counting/20200428-055206' into devel-hourly-2020042823
git bisect  bad ea46db9609519c8a9cbe7bfec63194adefd51a2d  # 10:26  B      0     6   22   0  Merge 'linux-review/Ranjani-Sridharan/Kconfig-updates-for-DMIC-and-SOF-HDMI-support/20200428-093102' into devel-hourly-2020042823
git bisect good 98e97b9813c233f075a74c9a89e62e3ca35b00d3  # 14:34  G     10     0    0   0  Merge 'linux-review/Anders-Roxell/memory-tegra-mark-PM-functions-as-__maybe_unused/20200428-094935' into devel-hourly-2020042823
git bisect good e16c3f98a1906ef3b1a2c8d61c937b7a4f6a7628  # 16:07  G     11     0    0   0  Merge 'linux-review/sathyanarayanan-kuppuswamy-linux-intel-com/PCI-AER-Use-_OSC-negotiation-to-determine-AER-ownership/20200428-040550' into devel-hourly-2020042823
git bisect  bad 60da1f95aa465e3b6ea917b753cfc8e8e0796459  # 17:01  B      1     1    1   1  Merge 'linux-review/Toke-H-iland-J-rgensen/wireguard-Use-tunnel-helpers-for-decapsulating-ECN-markings/20200428-082513' into devel-hourly-2020042823
git bisect good 7358cb29b9fd5a2553da6210e824052406698177  # 17:44  G     10     0    1   1  Merge 'linux-review/Eric-Dumazet/fq_codel-fix-TCA_FQ_CODEL_DROP_BATCH_SIZE-sanity-checks/20200427-190619' into devel-hourly-2020042823
git bisect good ffe419ae8a3e08aa9bad4878b99f5543d4ee5d6b  # 18:17  G     10     0    0   0  Merge 'linux-review/UPDATE-20200428-085738/Sakari-Ailus/IPU3-ImgU-driver-parameter-struct-fixes/20200416-195812' into devel-hourly-2020042823
git bisect  bad bae361c54fb6ac6eba3b4762f49ce14beb73ef13  # 18:56  B      0     4   20   0  bnxt_en: Improve AER slot reset.
git bisect  bad 4becb7ee5b3d2829ed7b9261a245a77d5b7de902  # 19:28  B      0     2   18   0  net/x25: Fix x25_neigh refcnt leak when x25 disconnect
git bisect good 18e6719c141e472fe3b9dce2d089eb89fdbce0b5  # 20:05  G     10     0    3   3  Merge branch 'vsock-virtio-fixes-about-packet-delivery-to-monitoring-devices'
git bisect good 095f5614bfe16e5b3e191b34ea41b10d6fdd4ced  # 21:02  G     10     0    1   1  net/tls: Fix sk_psock refcnt leak in bpf_exec_tx_verdict()
# first bad commit: [4becb7ee5b3d2829ed7b9261a245a77d5b7de902] net/x25: Fix x25_neigh refcnt leak when x25 disconnect
git bisect good 095f5614bfe16e5b3e191b34ea41b10d6fdd4ced  # 21:14  G     30     0    1   2  net/tls: Fix sk_psock refcnt leak in bpf_exec_tx_verdict()
# extra tests with debug options
git bisect  bad 4becb7ee5b3d2829ed7b9261a245a77d5b7de902  # 21:31  B      0     2   18   0  net/x25: Fix x25_neigh refcnt leak when x25 disconnect
# extra tests on revert first bad commit
git bisect good c56c1e56fe4c60e83308391f3faf5100ff5d3874  # 22:30  G     10     0    1   1  Revert "net/x25: Fix x25_neigh refcnt leak when x25 disconnect"
# good: [c56c1e56fe4c60e83308391f3faf5100ff5d3874] Revert "net/x25: Fix x25_neigh refcnt leak when x25 disconnect"

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/lkp@lists.01.org

Download attachment "dmesg-yocto-vm-yocto-29:20200429193013:i386-randconfig-a003-20200428:5.7.0-rc2-00379-g4becb7ee5b3d2:1.gz" of type "application/gzip" (17664 bytes)

Download attachment "dmesg-yocto-vm-yocto-11:20200429210130:i386-randconfig-a003-20200428:5.7.0-rc2-00378-g095f5614bfe16e:1.gz" of type "application/gzip" (3872 bytes)

View attachment "reproduce-yocto-vm-yocto-29:20200429193013:i386-randconfig-a003-20200428:5.7.0-rc2-00379-g4becb7ee5b3d2:1" of type "text/plain" (932 bytes)

Download attachment "b54e1dda887def1d16df3f47692ce7fbaccfb7d1:gcc-7:i386-randconfig-a003-20200428:EIP:x25_disconnect.xz" of type "application/x-xz" (8892 bytes)

View attachment "config-5.7.0-rc2-00379-g4becb7ee5b3d2" of type "text/plain" (147214 bytes)
