Message-ID: <ZC5SoIRIFJpSpivX@xpf.sh.intel.com>
Date: Thu, 6 Apr 2023 13:03:28 +0800
From: Pengfei Xu <pengfei.xu@...el.com>
To: John Fastabend <john.fastabend@...il.com>
CC: Eric Dumazet <edumazet@...gle.com>, <linux-kernel@...r.kernel.org>,
<ast@...nel.org>, <heng.su@...el.com>, <lkp@...el.com>,
<linux-gpio@...r.kernel.org>, <linux-kselftest@...r.kernel.org>,
<yi1.lai@...el.com>
Subject: Re: [Syzkaller & bisect] There is WARNING: refcount bug in sock_map_free in v6.3-rc1
Hi John,
On 2023-04-05 at 14:37:06 -0700, John Fastabend wrote:
> Pengfei Xu wrote:
> > On 2023-04-04 at 11:43:36 +0200, Eric Dumazet wrote:
> > > On Tue, Apr 4, 2023 at 11:31 AM Pengfei Xu <pengfei.xu@...el.com> wrote:
> > > >
> > > > ++ GPIO and kselftest mailing lists.
> > > >
> > > > Hi kernel experts,
> > > >
> > > > It's a soft reminder.
> > > >
> > > > My colleague Lai Yi found that a similar "refcount_t: underflow; use-after-free"
> > > > issue still exists in the v6.3-rc5 kernel on x86 platforms.
> > > >
> > > > We could easily reproduce the issue from the kselftest gpio-mockup.sh:
> > > > kernel/tools/testing/selftests/gpio/gpio-mockup.sh:
> > > >
> > > > "
> > > > [ 5781.338917] -----------[ cut here ]-----------
> > > > [ 5781.344192] refcount_t: underflow; use-after-free.
> > > > [ 5781.349666] WARNING: CPU: 250 PID: 82496 at lib/refcount.c:25 refcount_warn_saturate+0xbe/0x110
> > > > [ 5781.359550] Modules linked in: gpio_mockup isst_if_mmio isst_if_mbox_pci intel_th_sth stm_core intel_th_pti intel_th_pci intel_th_gth pmt_telemetry pmt_class intel_vsec intel_rapl_msr intel_rapl_common nfsv3 rpcsec_gss_krb5 auth_rpcgss nfsv4 nfs lockd grace bridge stp llc sunrpc intel_uncore_frequency intel_uncore_frequency_common i10nm_edac nfit x86_pkg_temp_thermal intel_powerclamp coretemp iTCO_wdt ofpart kvm_intel intel_pmc_bxt iTCO_vendor_support spi_nor mtd intel_sdsi kvm spdm irqbypass dax_hmem joydev asn1_encoder snd_pcm mei_me i2c_i801 spi_intel_pci isst_if_common idxd snd_timer intel_th i2c_smbus spi_intel mei i2c_ismt ipmi_ssif cxl_acpi ipmi_si cxl_core acpi_power_meter crc32c_intel i40e igb dca igc pinctrl_emmitsburg pinctrl_intel pwm_lpss fuse [last unloaded: isst_if_mmio]
> > > > [ 5781.438080] CPU: 250 PID: 82496 Comm: modprobe Not tainted 6.3.0-rc5 #1
> > > > [ 5781.449711] Hardware name: Intel Corporation, BIOS IFWI 03/12/2023
> > > > [ 5781.461615] RIP: 0010:refcount_warn_saturate+0xbe/0x110
> > > > [ 5781.467585] Code: 01 01 e8 75 56 8e ff 0f 0b c3 cc cc cc cc 80 3d 4c 67 ac 01 00 75 85 48 c7 c7 b0 31 cd a9 c6 05 3c 67 ac 01 01 e8 52 56 8e ff <0f> 0b c3 cc cc cc cc 80 3d 27 67 ac 01 00 0f 85 5e ff ff ff 48 c7
> > > > [ 5781.488761] RSP: 0018:ff45a7f44d39feb0 EFLAGS: 00010286
> > > > [ 5781.494745] RAX: 0000000000000000 RBX: ffffffffc0b36540 RCX: 0000000000000000
> > > > [ 5781.502871] RDX: 0000000000000002 RSI: ffffffffa9c065c8 RDI: 00000000ffffffff
> > > > [ 5781.510984] RBP: ff31c1afa78cb800 R08: 0000000000000001 R09: 0000000000000003
> > > > [ 5781.519100] R10: ff31c1b6fc000000 R11: ff31c1b6fc000000 R12: ff31c1afa78c4f40
> > > > [ 5781.527215] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> > > > [ 5781.535337] FS: 00007f9bc705a740(0000) GS:ff31c1b700280000(0000) knlGS:0000000000000000
> > > > [ 5781.544529] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > > > [ 5781.551063] CR2: 00007f9bc5e50dc0 CR3: 000000093b36c003 CR4: 0000000000f71ee0
> > > > [ 5781.559180] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > > > [ 5781.567307] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
> > > > [ 5781.575413] PKRU: 55555554
> > > > [ 5781.578551] Call Trace:
> > > > [ 5781.581394] <TASK>
> > > > [ 5781.583868] gpio_mockup_exit+0x33/0x420 [gpio_mockup]
> > > > [ 5781.589756] __do_sys_delete_module.constprop.0+0x180/0x270
> > > > [ 5781.596112] ? syscall_trace_enter.constprop.0+0x17f/0x1b0
> > > > [ 5781.602354] do_syscall_64+0x43/0x90
> > >
> > > I hear you, but this trace has nothing to do with the bpf/sockmap commit?
> > >
> > I just saw the same WARNING from the kselftest gpio-mockup.sh; maybe
> > it's a different issue, sorry.
> > "
> > refcount_t: underflow; use-after-free.
> > [ 5781.349666] WARNING: CPU: 250 PID: 82496 at lib/refcount.c:25
> > "
>
> The ./gpio-mockup.sh thing doesn't use sockmap at all, right? I can't see
> why the bisect to that patch would happen off-hand.
>
Indeed, I double-checked the suspected commit, and even after reverting the commit
on top of the v6.3-rc5 kernel, the above ./gpio-mockup.sh still triggers the
"refcount_t: underflow; use-after-free." problem.
So the "gpio-mockup.sh triggered issue" is a different issue; if I find some
more clues, I will report the gpio kselftest issue in another email.
Sorry for the inconvenience.
Thanks!
BR.
> >
> > Thanks!
> > BR.
> > -Pengfei
> >
> > > My change looks correct, so your bisection might simply trigger because
> > > of a wider window for another bug to surface.
> > >
> > > John, do you have an idea of what is going on here?
>
> No idea here.