Message-ID: <20210819143626.GA19918@xsang-OptiPlex-9020>
Date: Thu, 19 Aug 2021 22:36:26 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Nil Yi <teroincn@....com>
Cc: 0day robot <lkp@...el.com>, LKML <linux-kernel@...r.kernel.org>,
lkp@...ts.01.org, marcel@...tmann.org, johan.hedberg@...il.com,
luiz.dentz@...il.com, linux-bluetooth@...r.kernel.org
Subject: [net] c251113f4f: WARNING:at_lib/refcount.c:#refcount_warn_saturate
Greeting,
FYI, we noticed the following commit (built with gcc-9):
commit: c251113f4fa86f02e1026b7c4abbf75ed3e00993 ("[PATCH] net: bluetooth: delete the redundant refcnt increment")
url: https://github.com/0day-ci/linux/commits/Nil-Yi/net-bluetooth-delete-the-redundant-refcnt-increment/20210815-165122
base: https://git.kernel.org/cgit/linux/kernel/git/bluetooth/bluetooth.git master
in testcase: trinity
version:
with following parameters:
number: 99999
group: group-01
test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/
on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
If you fix the issue, kindly add following tag
Reported-by: kernel test robot <oliver.sang@...el.com>
[ 50.884506][ T2827] ------------[ cut here ]------------
[ 50.887488][ T2827] refcount_t: underflow; use-after-free.
[ 50.890338][ T2827] WARNING: CPU: 1 PID: 2827 at lib/refcount.c:28 refcount_warn_saturate+0xa6/0x100
[ 50.893848][ T2827] Modules linked in: bridge 8021q garp stp mrp llc hidp bnep rfcomm bluetooth ecdh_generic ecc rfkill can_bcm can_raw can crypto_user ib_core nfnetlink scsi_transport_iscsi atm sctp ip6_udp_tunnel udp_tunnel libcrc32c sr_mod cdrom sg ata_generic intel_rapl_msr bochs_drm ppdev drm_vram_helper drm_ttm_helper ttm drm_kms_helper intel_rapl_common crct10dif_pclmul crc32_pclmul crc32c_intel syscopyarea ghash_clmulni_intel rapl ata_piix libata sysfillrect sysimgblt fb_sys_fops ipmi_devintf ipmi_msghandler joydev drm serio_raw i2c_piix4 parport_pc parport ip_tables
[ 50.923352][ T2827] CPU: 1 PID: 2827 Comm: trinity-main Not tainted 5.13.0-rc3-00439-gc251113f4fa8 #1
[ 50.926860][ T2827] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 50.932538][ T2827] RIP: 0010:refcount_warn_saturate+0xa6/0x100
[ 50.935394][ T2827] Code: 05 a1 85 77 01 01 e8 d6 50 67 00 0f 0b c3 80 3d 8f 85 77 01 00 75 95 48 c7 c7 38 9f 1a 84 c6 05 7f 85 77 01 01 e8 b7 50 67 00 <0f> 0b c3 80 3d 6e 85 77 01 00 0f 85 72 ff ff ff 48 c7 c7 90 9f 1a
[ 50.943923][ T2827] RSP: 0018:ffffb81d4314fde8 EFLAGS: 00010282
[ 50.946846][ T2827] RAX: 0000000000000000 RBX: ffff99f8b0aa9d40 RCX: 0000000000000000
[ 50.950924][ T2827] RDX: ffff99fb6fd27a00 RSI: ffff99fb6fd17d50 RDI: ffff99fb6fd17d50
[ 50.955876][ T2827] RBP: ffff99f88125d000 R08: ffff99fb6fd17d50 R09: ffffb81d4314fc08
[ 50.959209][ T2827] R10: 0000000000000001 R11: 0000000000000001 R12: ffff99f88125c000
[ 50.965544][ T2827] R13: 0000000000000000 R14: ffff99f88125c2f8 R15: ffff99f88125d228
[ 50.972724][ T2827] FS: 00007ffbcd813740(0000) GS:ffff99fb6fd00000(0000) knlGS:0000000000000000
[ 50.978275][ T2827] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 50.982769][ T2827] CR2: 0000555c3810e9f0 CR3: 0000000328410000 CR4: 00000000000406e0
[ 50.987574][ T2827] DR0: 00007ffbcbba8000 DR1: 0000000000000000 DR2: 0000000000000000
[ 50.990848][ T2827] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
[ 50.995960][ T2827] Call Trace:
[ 50.998330][ T2827] l2cap_sock_release+0xc2/0x100 [bluetooth]
[ 51.002490][ T2827] __sock_release+0x3d/0xc0
[ 51.005836][ T2827] sock_close+0x11/0x40
[ 51.008269][ T2827] __fput+0xa7/0x280
[ 51.012738][ T2827] task_work_run+0x69/0xc0
[ 51.015115][ T2827] do_exit+0x3b2/0xb80
[ 51.018001][ T2827] do_group_exit+0x3a/0xc0
[ 51.020387][ T2827] __x64_sys_exit_group+0x14/0x40
[ 51.024713][ T2827] do_syscall_64+0x40/0x80
[ 51.026963][ T2827] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 51.030014][ T2827] RIP: 0033:0x7ffbcd8fd9d6
[ 51.032196][ T2827] Code: Unable to access opcode bytes at RIP 0x7ffbcd8fd9ac.
[ 51.037517][ T2827] RSP: 002b:00007ffc7f5c04c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 51.040433][ T2827] RAX: ffffffffffffffda RBX: 00007ffbcd9ee760 RCX: 00007ffbcd8fd9d6
[ 51.046176][ T2827] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 51.050571][ T2827] RBP: 0000000000000000 R08: 00000000000000e7 R09: ffffffffffffff80
[ 51.055088][ T2827] R10: 00007ffc7f5c0388 R11: 0000000000000246 R12: 00007ffbcd9ee760
[ 51.059553][ T2827] R13: 0000000000000001 R14: 00007ffbcd9f7428 R15: 0000000000000000
[ 51.062929][ T2827] ---[ end trace a2317e7106aa7089 ]---
To reproduce:
# build kernel
cd linux
cp config-5.13.0-rc3-00439-gc251113f4fa8 .config
make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email
---
0DAY/LKP+ Test Infrastructure Open Source Technology Center
https://lists.01.org/hyperkitty/list/lkp@lists.01.org Intel Corporation
Thanks,
Oliver Sang
View attachment "config-5.13.0-rc3-00439-gc251113f4fa8" of type "text/plain" (174131 bytes)
View attachment "job-script" of type "text/plain" (4636 bytes)
Download attachment "dmesg.xz" of type "application/x-xz" (18836 bytes)
View attachment "trinity" of type "text/plain" (8694 bytes)