Message-ID: <202503241538.c2138272-lkp@intel.com>
Date: Mon, 24 Mar 2025 15:59:53 +0800
From: kernel test robot <oliver.sang@...el.com>
To: David Howells <dhowells@...hat.com>
CC: <oe-lkp@...ts.linux.dev>, <lkp@...el.com>, Jeff Layton
	<jlayton@...nel.org>, <netfs@...ts.linux.dev>,
	<linux-fsdevel@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
	<oliver.sang@...el.com>
Subject: [dhowells-fs:ceph-iter] [netfs] dcd7ee9385: refcount_t:underflow;use-after-free



Hello,

kernel test robot noticed "refcount_t:underflow;use-after-free" on:

commit: dcd7ee93858cda3afa28e7d5acd4896a058dd6de ("netfs: Implement bounce-buffering for unbuffered/DIO read")
https://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git ceph-iter

in testcase: xfstests
version: xfstests-x86_64-8467552f-1_20241215
with the following parameters:

	disk: 4HDD
	fs: ext4
	fs2: smbv3
	test: generic-214



config: x86_64-rhel-9.4-func
compiler: gcc-12
test machine: 4 threads Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz (Skylake) with 32G memory

(please refer to attached dmesg/kmsg for entire log/backtrace)



If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags:
| Reported-by: kernel test robot <oliver.sang@...el.com>
| Closes: https://lore.kernel.org/oe-lkp/202503241538.c2138272-lkp@intel.com


[  343.427835][ T1682] ------------[ cut here ]------------
[  343.433163][ T1682] refcount_t: underflow; use-after-free.
[ 343.438660][ T1682] WARNING: CPU: 2 PID: 1682 at lib/refcount.c:28 refcount_warn_saturate (lib/refcount.c:28 (discriminator 3)) 
[  343.447798][ T1682] Modules linked in: nls_utf8 cifs cifs_arc4 nls_ucs2_utils rdma_cm iw_cm ib_cm ib_core cifs_md4 dns_resolver snd_hda_codec_hdmi snd_ctl_led btrfs snd_hda_codec_realtek snd_hda_codec_generic snd_hda_scodec_component snd_soc_avs blake2b_generic xor snd_soc_hda_codec zstd_compress snd_hda_ext_core raid6_pq intel_rapl_msr snd_soc_core intel_rapl_common snd_compress x86_pkg_temp_thermal snd_hda_intel sd_mod intel_powerclamp coretemp dell_pc snd_intel_dspcfg sg platform_profile snd_intel_sdw_acpi kvm_intel ipmi_devintf ipmi_msghandler i915 kvm dell_wmi snd_hda_codec ghash_clmulni_intel sha512_ssse3 dell_smbios intel_gtt cec drm_buddy sha256_ssse3 sha1_ssse3 ttm snd_hda_core rfkill wmi_bmof mei_wdt dcdbas sparse_keymap dell_wmi_descriptor rapl drm_display_helper snd_hwdep ahci intel_cstate snd_pcm libahci drm_kms_helper mei_me intel_uncore snd_timer pcspkr intel_pch_thermal libata snd video mei intel_pmc_core i2c_i801 soundcore i2c_smbus intel_vsec wmi pmt_telemetry acpi_pad pmt_class binfmt_misc loop fuse drm
[  343.447976][ T1682]  dm_mod ip_tables
[  343.542088][ T1682] CPU: 2 UID: 0 PID: 1682 Comm: cifsd Not tainted 6.14.0-rc4-00008-gdcd7ee93858c #1
[  343.551316][ T1682] Hardware name: Dell Inc. OptiPlex 7040/0Y7WYT, BIOS 1.8.1 12/05/2017
[ 343.559415][ T1682] RIP: 0010:refcount_warn_saturate (lib/refcount.c:28 (discriminator 3)) 
[ 343.565344][ T1682] Code: 9f a1 b5 03 01 e8 26 99 cb fe 0f 0b eb b5 80 3d 8c a1 b5 03 00 75 ac 48 c7 c7 20 83 53 84 c6 05 7c a1 b5 03 01 e8 06 99 cb fe <0f> 0b eb 95 80 3d 6a a1 b5 03 00 75 8c 48 c7 c7 e0 83 53 84 c6 05
All code
========
   0:	9f                   	lahf
   1:	a1 b5 03 01 e8 26 99 	movabs 0xfecb9926e80103b5,%eax
   8:	cb fe 
   a:	0f 0b                	ud2
   c:	eb b5                	jmp    0xffffffffffffffc3
   e:	80 3d 8c a1 b5 03 00 	cmpb   $0x0,0x3b5a18c(%rip)        # 0x3b5a1a1
  15:	75 ac                	jne    0xffffffffffffffc3
  17:	48 c7 c7 20 83 53 84 	mov    $0xffffffff84538320,%rdi
  1e:	c6 05 7c a1 b5 03 01 	movb   $0x1,0x3b5a17c(%rip)        # 0x3b5a1a1
  25:	e8 06 99 cb fe       	call   0xfffffffffecb9930
  2a:*	0f 0b                	ud2		<-- trapping instruction
  2c:	eb 95                	jmp    0xffffffffffffffc3
  2e:	80 3d 6a a1 b5 03 00 	cmpb   $0x0,0x3b5a16a(%rip)        # 0x3b5a19f
  35:	75 8c                	jne    0xffffffffffffffc3
  37:	48 c7 c7 e0 83 53 84 	mov    $0xffffffff845383e0,%rdi
  3e:	c6                   	.byte 0xc6
  3f:	05                   	.byte 0x5

Code starting with the faulting instruction
===========================================
   0:	0f 0b                	ud2
   2:	eb 95                	jmp    0xffffffffffffff99
   4:	80 3d 6a a1 b5 03 00 	cmpb   $0x0,0x3b5a16a(%rip)        # 0x3b5a175
   b:	75 8c                	jne    0xffffffffffffff99
   d:	48 c7 c7 e0 83 53 84 	mov    $0xffffffff845383e0,%rdi
  14:	c6                   	.byte 0xc6
  15:	05                   	.byte 0x5
[  343.584797][ T1682] RSP: 0018:ffffc900020bfac8 EFLAGS: 00010286
[  343.590720][ T1682] RAX: 0000000000000000 RBX: ffff8887f912fee8 RCX: ffffffff8277b84a
[  343.598547][ T1682] RDX: 1ffff110f0fe6ac8 RSI: 0000000000000008 RDI: ffff888787f35640
[  343.606377][ T1682] RBP: 0000000000000003 R08: 0000000000000001 R09: fffff52000417f0f
[  343.614205][ T1682] R10: ffffc900020bf87f R11: 0000000000000001 R12: 0000000000000000
[  343.622033][ T1682] R13: 000000000000000a R14: ffff88810fa041c8 R15: ffff8887f912fee8
[  343.629861][ T1682] FS:  0000000000000000(0000) GS:ffff888787f00000(0000) knlGS:0000000000000000
[  343.638643][ T1682] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  343.645082][ T1682] CR2: 0000564d628e7a48 CR3: 000000081aa6c003 CR4: 00000000003726f0
[  343.652908][ T1682] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  343.660735][ T1682] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  343.668560][ T1682] Call Trace:
[  343.671702][ T1682]  <TASK>
[ 343.674497][ T1682] ? __warn (kernel/panic.c:748) 
[ 343.678427][ T1682] ? refcount_warn_saturate (lib/refcount.c:28 (discriminator 3)) 
[ 343.683742][ T1682] ? report_bug (lib/bug.c:180 lib/bug.c:219) 
[ 343.688101][ T1682] ? handle_bug (arch/x86/kernel/traps.c:285) 
[ 343.692286][ T1682] ? exc_invalid_op (arch/x86/kernel/traps.c:309 (discriminator 1)) 
[ 343.696821][ T1682] ? asm_exc_invalid_op (arch/x86/include/asm/idtentry.h:574) 
[ 343.701713][ T1682] ? llist_add_batch (lib/llist.c:33 (discriminator 14)) 
[ 343.706426][ T1682] ? refcount_warn_saturate (lib/refcount.c:28 (discriminator 3)) 
[ 343.711749][ T1682] ? refcount_warn_saturate (lib/refcount.c:28 (discriminator 3)) 
[ 343.717070][ T1682] netfs_put_request (include/linux/refcount.h:275 include/linux/refcount.h:307 fs/netfs/objects.c:173) 
[ 343.721874][ T1682] smb2_readv_callback (include/linux/instrumented.h:96 include/linux/atomic/atomic-instrumented.h:400 include/linux/refcount.h:264 include/linux/refcount.h:307 include/linux/refcount.h:325 include/linux/kref.h:64 fs/smb/client/cifsproto.h:744 fs/smb/client/smb2pdu.c:4621) cifs 
[ 343.727715][ T1682] ? _raw_spin_lock (arch/x86/include/asm/atomic.h:107 include/linux/atomic/atomic-arch-fallback.h:2170 include/linux/atomic/atomic-instrumented.h:1302 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:187 include/linux/spinlock_api_smp.h:134 kernel/locking/spinlock.c:154) 
[ 343.732249][ T1682] ? __pfx__raw_spin_lock (kernel/locking/spinlock.c:153) 
[ 343.737303][ T1682] ? __pfx_smb2_readv_callback (fs/smb/client/smb2pdu.c:4505) cifs 
[ 343.743566][ T1682] ? dequeue_mid (include/linux/list.h:215 include/linux/list.h:287 fs/smb/client/connect.c:854) cifs 
[ 343.748690][ T1682] cifs_demultiplex_thread (fs/smb/client/connect.c:1283) cifs 
[ 343.754855][ T1682] ? __pfx_cifs_demultiplex_thread (fs/smb/client/connect.c:1143) cifs 
[ 343.761451][ T1682] ? __pfx___schedule (kernel/sched/core.c:6646) 
[ 343.766158][ T1682] ? _raw_spin_lock_irqsave (arch/x86/include/asm/atomic.h:107 include/linux/atomic/atomic-arch-fallback.h:2170 include/linux/atomic/atomic-instrumented.h:1302 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:187 include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162) 
[ 343.771386][ T1682] ? __kthread_parkme (arch/x86/include/asm/bitops.h:206 arch/x86/include/asm/bitops.h:238 include/asm-generic/bitops/instrumented-non-atomic.h:142 kernel/kthread.c:291) 
[ 343.776179][ T1682] ? __pfx_cifs_demultiplex_thread (fs/smb/client/connect.c:1143) cifs 
[ 343.782774][ T1682] kthread (kernel/kthread.c:464) 
[ 343.786699][ T1682] ? __pfx_kthread (kernel/kthread.c:413) 
[ 343.791143][ T1682] ? __pfx__raw_spin_lock_irq (kernel/locking/spinlock.c:169) 
[ 343.796544][ T1682] ? __pfx_kthread (kernel/kthread.c:413) 
[ 343.800989][ T1682] ret_from_fork (arch/x86/kernel/process.c:148) 
[ 343.805265][ T1682] ? __pfx_kthread (kernel/kthread.c:413) 
[ 343.809714][ T1682] ret_from_fork_asm (arch/x86/entry/entry_64.S:257) 
[  343.814337][ T1682]  </TASK>
[  343.817220][ T1682] ---[ end trace 0000000000000000 ]---
[  343.975682][  T287] generic/214       _check_dmesg: something found in dmesg (see /lkp/benchmarks/xfstests/results//generic/214.dmesg)
[  343.975695][  T287]
[  343.992249][  T287] - output mismatch (see /lkp/benchmarks/xfstests/results//generic/214.out.bad)
[  343.992259][  T287]
[  344.004869][  T287]     --- tests/generic/214.out	2024-12-15 06:14:52.000000000 +0000
[  344.004879][  T287]
[  344.017021][  T287]     +++ /lkp/benchmarks/xfstests/results//generic/214.out.bad	2025-03-22 22:47:49.975533744 +0000
[  344.017032][  T287]
[  344.030312][  T287]     @@ -33,11 +33,7 @@
[  344.030321][  T287]
[  344.037642][  T287]      === falloc, write, sync, truncate, read ===
[  344.037651][  T287]
[  344.047135][  T287]      wrote 65536/65536 bytes at offset 73728
[  344.047144][  T287]
[  344.056685][  T287]      XXX Bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
[  344.056695][  T287]
[  344.068253][  T287]     -00000000:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[  344.068263][  T287]
[  344.079832][  T287]     -*
[  344.079841][  T287]
[  344.086467][  T287]     -00012000:  aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa  ................
[  344.086477][  T287]
[  344.098043][  T287]     -*
[  344.098051][  T287]
[  344.103114][  T287]     ...
[  344.103122][  T287]
[  344.111416][  T287]     (Run 'diff -u /lkp/benchmarks/xfstests/tests/generic/214.out /lkp/benchmarks/xfstests/results//generic/214.out.bad'  to see the entire diff)
[  344.111426][  T287]
[  344.128641][  T287] Ran: generic/214
[  344.128649][  T287]
[  344.134850][  T287] Failures: generic/214
[  344.134858][  T287]
[  344.141454][  T287] Failed 1 of 1 tests


The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20250324/202503241538.c2138272-lkp@intel.com



-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

