Open Source and information security mailing list archives
Date: Sat, 26 Mar 2022 14:46:59 +0300
From: David Kahurani <k.kahurani@...il.com>
To: davem@...emloft.net, ericvh@...il.com, kuba@...nel.org, linux-kernel@...r.kernel.org, linux_oss@...debyte.com, lucho@...kov.net, netdev@...r.kernel.org, syzkaller-bugs@...glegroups.com, v9fs-developer@...ts.sourceforge.net, syzbot+5e28cdb7ebd0f2389ca4@...kaller.appspotmail.com
Subject: Re: [syzbot] WARNING in p9_client_destroy

Sorry, got to resend this in plain text. It doesn't look like it is getting through to the mailing lists.

On Thu, Mar 24, 2022 at 3:13 PM David Kahurani <k.kahurani@...il.com> wrote:
>
> On Monday, February 28, 2022 at 4:38:57 AM UTC+3 asmadeus@...ewreck.org wrote:
>>
>> syzbot wrote on Sun, Feb 27, 2022 at 04:53:29PM -0800:
>> > kmem_cache_destroy 9p-fcall-cache: Slab cache still has objects when
>> > called from p9_client_destroy+0x213/0x370 net/9p/client.c:1100
>>
>> hmm, there is no previous "Packet with tag %d has still references"
>> (sic) message, so this is probably because p9_tag_cleanup only relies on
>> rcu read lock for consistency, so even if the connection has been closed
>> above (clnt->trans_mode->close) there could have been a request sent
>> (= tag added) just before that which isn't visible on the destroying
>> side?
>>
>> I guess adding an rcu_barrier() is what makes most sense here to protect
>> this case?
>> I'll send a patch in the next few days unless it was a stupid idea.
>
>
> Looking at this brought me to the same conclusion.
>
> ---------------------
>
> From cd5a11207a140004bf55005fac7f7e4cec2fd075 Mon Sep 17 00:00:00 2001
> From: David Kahurani <k.kahurani@...il.com> > Date: Thu, 24 Mar 2022 15:00:23 +0300 > Subject: [PATCH] net/9p: Flush any delayed rce free > > As is best practice > > kmem_cache_destroy 9p-fcall-cache: Slab cache still has objects when called from p9_client_destroy+0x213/0x370 net/9p/client.c:1100 > WARNING: CPU: 1 PID: 3701 at mm/slab_common.c:502 kmem_cache_destroy mm/slab_common.c:502 [inline] > WARNING: CPU: 1 PID: 3701 at mm/slab_common.c:502 kmem_cache_destroy+0x13b/0x140 mm/slab_common.c:490 > Modules linked in: > CPU: 1 PID: 3701 Comm: syz-executor.3 Not tainted 5.17.0-rc5-syzkaller-00021-g23d04328444a #0 > Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 > RIP: 0010:kmem_cache_destroy mm/slab_common.c:502 [inline] > RIP: 0010:kmem_cache_destroy+0x13b/0x140 mm/slab_common.c:490 > Code: da a8 0e 48 89 ee e8 44 6e 15 00 eb c1 c3 48 8b 55 58 48 c7 c6 60 cd b6 89 48 c7 c7 30 83 3a 8b 48 8b 4c 24 18 e8 9b 30 60 07 <0f> 0b eb a0 90 41 55 49 89 d5 41 54 49 89 f4 55 48 89 fd 53 48 83 > RSP: 0018:ffffc90002767cf0 EFLAGS: 00010282 > RAX: 0000000000000000 RBX: 1ffff920004ecfa5 RCX: 0000000000000000 > RDX: ffff88801e56a280 RSI: ffffffff815f4b38 RDI: fffff520004ecf90 > RBP: ffff888020ba8b00 R08: 0000000000000000 R09: 0000000000000000 > R10: ffffffff815ef1ce R11: 0000000000000000 R12: 0000000000000001 > R13: ffffc90002767d68 R14: dffffc0000000000 R15: 0000000000000000 > FS: 00005555561b0400(0000) GS:ffff88802ca00000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 0000555556ead708 CR3: 0000000068b97000 CR4: 0000000000150ef0 > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > Call Trace: > <TASK> > p9_client_destroy+0x213/0x370 net/9p/client.c:1100 > v9fs_session_close+0x45/0x2d0 fs/9p/v9fs.c:504 > v9fs_kill_super+0x49/0x90 fs/9p/vfs_super.c:226 > deactivate_locked_super+0x94/0x160 fs/super.c:332 > 
deactivate_super+0xad/0xd0 fs/super.c:363 > cleanup_mnt+0x3a2/0x540 fs/namespace.c:1173 > task_work_run+0xdd/0x1a0 kernel/task_work.c:164 > tracehook_notify_resume include/linux/tracehook.h:188 [inline] > exit_to_user_mode_loop kernel/entry/common.c:175 [inline] > exit_to_user_mode_prepare+0x27e/0x290 kernel/entry/common.c:207 > __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline] > syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300 > do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86 > entry_SYSCALL_64_after_hwframe+0x44/0xae > RIP: 0033:0x7f5ff63ed4c7 > Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 > RSP: 002b:00007fff01862e98 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 > RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f5ff63ed4c7 > RDX: 00007fff01862f6c RSI: 000000000000000a RDI: 00007fff01862f60 > RBP: 00007fff01862f60 R08: 00000000ffffffff R09: 00007fff01862d30 > R10: 00005555561b18b3 R11: 0000000000000246 R12: 00007f5ff64451ea > R13: 00007fff01864020 R14: 00005555561b1810 R15: 00007fff01864060 > </TASK> > > Signed-off-by: David Kahurani <k.kahurani@...il.com> > Reported-by: syzbot+5e28cdb7ebd0f2389ca4@...kaller.appspotmail.com > --- > net/9p/client.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/net/9p/client.c b/net/9p/client.c > index 8bba0d9cf..67c51913a 100644 > --- a/net/9p/client.c > +++ b/net/9p/client.c > @@ -1097,6 +1097,7 @@ void p9_client_destroy(struct p9_client *clnt) > > p9_tag_cleanup(clnt); > > + rcu_barrier(); > kmem_cache_destroy(clnt->fcall_cache); > kfree(clnt); > } > -- > 2.25.1 > >
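Review bot: the bare `rcu_barrier();` added between `p9_tag_cleanup(clnt);` and `kmem_cache_destroy(clnt->fcall_cache);` needs a one-line comment saying what it waits for, and the commit message ("As is best practice") needs to carry the actual reasoning: the subject says the point is to flush a delayed RCU free, so name which free that is and why it can still be pending once p9_tag_cleanup has returned (Dominique's analysis above, that p9_tag_cleanup only relies on the RCU read lock and a request added just before clnt->trans_mode->close may not be visible on the destroying side, is the text to put there). Keep in mind that rcu_barrier() only waits for callbacks already queued with call_rcu; it is worth stating in the message that no new request can be allocated after the transport has been closed, otherwise the barrier narrows the window rather than closing it. Two smaller points: the subject has a typo ("rce free" should be "rcu free"), and the pasted splat can be trimmed to the WARNING line and the call trace, since the Code: bytes and register dump add nothing for the reader; by the usual trailer order Reported-by: also goes before Signed-off-by:.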