| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CANn89iLNc-fsLJvkyvvnsyTsvBQgCqY5sLpRztLkHfjNvXG7KQ@mail.gmail.com> Date: Tue, 2 Sep 2025 10:23:43 -0700 From: Eric Dumazet <edumazet@...gle.com> To: F6BVP <f6bvp@...e.fr> Cc: Takamitsu Iwai <takamitz@...zon.co.jp>, linux-hams@...r.kernel.org, netdev@...r.kernel.org, davem@...emloft.net, kuba@...nel.org, pabeni@...hat.com, horms@...nel.org, enjuk@...zon.com, mingo@...nel.org, tglx@...utronix.de, hawk@...nel.org, n.zhandarovich@...tech.ru, kuniyu@...gle.com Subject: Re: [PATCH v2 net 0/3] Introduce refcount_t for reference counting of rose_neigh On Tue, Sep 2, 2025 at 10:19 AM F6BVP <f6bvp@...e.fr> wrote: > > Hi, > > I am facing an issue while trying to apply refcount rose patchs to > latest stable release 6.16.4 > > In rose_in.c the call to sk_filter_trim_cap function is using an extra > argument that is not declared in 6.16.4 ~/include/linux/filter.h but > appears in 6.17.0-rc. > > As a result I had to apply the following patch in order to be able to > build kernel 6.16.4 with refcount patches. > > Otherwise ROSE module refcount patchs would prevent building rose module > in stable kernel > > Is there any other solution ? > Note that these patches have ongoing syzbot reports. If I was you, I would wait a bit. ODEBUG: free active (active state 0) object: ffff88804fb25890 object type: timer_list hint: rose_t0timer_expiry+0x0/0x150 include/linux/skbuff.h:2880 WARNING: CPU: 1 PID: 16472 at lib/debugobjects.c:612 debug_print_object+0x1a2/0x2b0 lib/debugobjects.c:612 Modules linked in: CPU: 1 UID: 0 PID: 16472 Comm: syz.1.2858 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 RIP: 0010:debug_print_object+0x1a2/0x2b0 lib/debugobjects.c:612 Code: fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 54 41 56 48 8b 14 dd e0 40 16 8c 4c 89 e6 48 c7 c7 60 35 16 8c e8 0f 46 91 fc 90 <0f> 0b 90 90 58 83 05 86 d0 c2 0b 01 48 83 c4 18 5b 5d 41 5c 41 5d RSP: 0018:ffffc90000a08a28 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000000003 RCX: ffffffff817a3358 RDX: ffff888031ae9e00 RSI: ffffffff817a3365 RDI: 0000000000000001 RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff8c163c00 R13: ffffffff8bafed40 R14: ffffffff8a7fa2b0 R15: ffffc90000a08b28 FS: 00007f10b4f3c6c0(0000) GS:ffff8881247b9000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000110c3dff8d CR3: 00000000325a7000 CR4: 0000000000350ef0 Call Trace: <IRQ> __debug_check_no_obj_freed lib/debugobjects.c:1099 [inline] debug_check_no_obj_freed+0x4b7/0x600 lib/debugobjects.c:1129 slab_free_hook mm/slub.c:2348 [inline] slab_free mm/slub.c:4680 [inline] kfree+0x28f/0x4d0 mm/slub.c:4879 rose_neigh_put include/net/rose.h:166 [inline] rose_timer_expiry+0x53f/0x630 net/rose/rose_timer.c:183 call_timer_fn+0x19a/0x620 kernel/time/timer.c:1747 expire_timers kernel/time/timer.c:1798 [inline] __run_timers+0x6ef/0x960 kernel/time/timer.c:2372 __run_timer_base kernel/time/timer.c:2384 [inline] __run_timer_base kernel/time/timer.c:2376 [inline] run_timer_base+0x114/0x190 kernel/time/timer.c:2393 run_timer_softirq+0x1a/0x40 kernel/time/timer.c:2403 handle_softirqs+0x219/0x8e0 kernel/softirq.c:579 __do_softirq kernel/softirq.c:613 [inline] invoke_softirq kernel/softirq.c:453 [inline] __irq_exit_rcu+0x109/0x170 kernel/softirq.c:680 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline] sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1050 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 RIP: 0010:lock_is_held_type+0x107/0x150 kernel/locking/lockdep.c:5945 Code: 00 00 b8 ff ff ff ff 65 0f c1 05 dc a0 44 08 83 f8 01 75 2d 9c 58 f6 c4 02 75 43 48 f7 04 24 00 02 00 00 74 01 fb 48 83 c4 08 <44> 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f e9 f2 2f 7e f5 45 31 ed eb RSP: 0018:ffffc9000eb1f978 EFLAGS: 00000286 RAX: 0000000000000046 RBX: 1ffff92001d63f38 RCX: 0000000000000001 RDX: 0000000000000000 RSI: ffffffff8de299c8 RDI: ffffffff8c163000 RBP: ffffffff8e5c11c0 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff888031ae9e00 R13: 0000000000000000 R14: 00000000ffffffff R15: 0000000000000000 lock_is_held include/linux/lockdep.h:249 [inline] > Regards, > > Bernard Pidoux, > F6BVP > > > Le 27/08/2025 à 16:50, patchwork-bot+netdevbpf@...nel.org a écrit : > > Hello: > > > > This series was applied to netdev/net.git (main) > > by Jakub Kicinski <kuba@...nel.org>: > > > > On Sat, 23 Aug 2025 17:58:54 +0900 you wrote: > >> The current implementation of rose_neigh uses 'use' and 'count' field of > >> type unsigned short as a reference count. This approach lacks atomicity, > >> leading to potential race conditions. As a result, syzbot has reported > >> slab-use-after-free errors due to unintended removals. > >> > >> This series introduces refcount_t for reference counting to ensure > >> atomicity and prevent race conditions. The patches are structured as > >> follows: > >> > >> [...] > > > > Here is the summary with links: > > - [v2,net,1/3] net: rose: split remove and free operations in rose_remove_neigh() > > https://git.kernel.org/netdev/net/c/dcb34659028f > > - [v2,net,2/3] net: rose: convert 'use' field to refcount_t > > https://git.kernel.org/netdev/net/c/d860d1faa6b2 > > - [v2,net,3/3] net: rose: include node references in rose_neigh refcount > > https://git.kernel.org/netdev/net/c/da9c9c877597 > > > > You are awesome, thank you!
Powered by blists - more mailing lists