Message-ID: <CANn89iLNc-fsLJvkyvvnsyTsvBQgCqY5sLpRztLkHfjNvXG7KQ@mail.gmail.com>
Date: Tue, 2 Sep 2025 10:23:43 -0700
From: Eric Dumazet <edumazet@...gle.com>
To: F6BVP <f6bvp@...e.fr>
Cc: Takamitsu Iwai <takamitz@...zon.co.jp>, linux-hams@...r.kernel.org, 
	netdev@...r.kernel.org, davem@...emloft.net, kuba@...nel.org, 
	pabeni@...hat.com, horms@...nel.org, enjuk@...zon.com, mingo@...nel.org, 
	tglx@...utronix.de, hawk@...nel.org, n.zhandarovich@...tech.ru, 
	kuniyu@...gle.com
Subject: Re: [PATCH v2 net 0/3] Introduce refcount_t for reference counting of rose_neigh

On Tue, Sep 2, 2025 at 10:19 AM F6BVP <f6bvp@...e.fr> wrote:
>
> Hi,
>
> I am facing an issue while trying to apply refcount rose patches to
> latest stable release 6.16.4
>
> In rose_in.c the call to sk_filter_trim_cap function is using an extra
> argument that is not declared in 6.16.4  ~/include/linux/filter.h but
> appears in 6.17.0-rc.
>
> As a result I had to apply the following patch in order to be able to
> build kernel 6.16.4 with refcount patches.
>
> Otherwise ROSE module refcount patches would prevent building rose module
> in stable kernel
>
> Is there any other solution?
>

Note that these patches have ongoing syzbot reports.

If I was you, I would wait a bit.

ODEBUG: free active (active state 0) object: ffff88804fb25890 object type: timer_list hint: rose_t0timer_expiry+0x0/0x150 include/linux/skbuff.h:2880
WARNING: CPU: 1 PID: 16472 at lib/debugobjects.c:612 debug_print_object+0x1a2/0x2b0 lib/debugobjects.c:612
Modules linked in:
CPU: 1 UID: 0 PID: 16472 Comm: syz.1.2858 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:debug_print_object+0x1a2/0x2b0 lib/debugobjects.c:612
Code: fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 54 41 56 48 8b 14 dd e0 40 16 8c 4c 89 e6 48 c7 c7 60 35 16 8c e8 0f 46 91 fc 90 <0f> 0b 90 90 58 83 05 86 d0 c2 0b 01 48 83 c4 18 5b 5d 41 5c 41 5d
RSP: 0018:ffffc90000a08a28 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000003 RCX: ffffffff817a3358
RDX: ffff888031ae9e00 RSI: ffffffff817a3365 RDI: 0000000000000001
RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff8c163c00
R13: ffffffff8bafed40 R14: ffffffff8a7fa2b0 R15: ffffc90000a08b28
FS: 00007f10b4f3c6c0(0000) GS:ffff8881247b9000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000110c3dff8d CR3: 00000000325a7000 CR4: 0000000000350ef0
Call Trace:
<IRQ>
__debug_check_no_obj_freed lib/debugobjects.c:1099 [inline]
debug_check_no_obj_freed+0x4b7/0x600 lib/debugobjects.c:1129
slab_free_hook mm/slub.c:2348 [inline]
slab_free mm/slub.c:4680 [inline]
kfree+0x28f/0x4d0 mm/slub.c:4879
rose_neigh_put include/net/rose.h:166 [inline]
rose_timer_expiry+0x53f/0x630 net/rose/rose_timer.c:183
call_timer_fn+0x19a/0x620 kernel/time/timer.c:1747
expire_timers kernel/time/timer.c:1798 [inline]
__run_timers+0x6ef/0x960 kernel/time/timer.c:2372
__run_timer_base kernel/time/timer.c:2384 [inline]
__run_timer_base kernel/time/timer.c:2376 [inline]
run_timer_base+0x114/0x190 kernel/time/timer.c:2393
run_timer_softirq+0x1a/0x40 kernel/time/timer.c:2403
handle_softirqs+0x219/0x8e0 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0x109/0x170 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1050
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:lock_is_held_type+0x107/0x150 kernel/locking/lockdep.c:5945
Code: 00 00 b8 ff ff ff ff 65 0f c1 05 dc a0 44 08 83 f8 01 75 2d 9c 58 f6 c4 02 75 43 48 f7 04 24 00 02 00 00 74 01 fb 48 83 c4 08 <44> 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f e9 f2 2f 7e f5 45 31 ed eb
RSP: 0018:ffffc9000eb1f978 EFLAGS: 00000286
RAX: 0000000000000046 RBX: 1ffff92001d63f38 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffffffff8de299c8 RDI: ffffffff8c163000
RBP: ffffffff8e5c11c0 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff888031ae9e00
R13: 0000000000000000 R14: 00000000ffffffff R15: 0000000000000000
lock_is_held include/linux/lockdep.h:249 [inline]
> Regards,
>
> Bernard Pidoux,
> F6BVP
>
>
> Le 27/08/2025 à 16:50, patchwork-bot+netdevbpf@...nel.org a écrit :
> > Hello:
> >
> > This series was applied to netdev/net.git (main)
> > by Jakub Kicinski <kuba@...nel.org>:
> >
> > On Sat, 23 Aug 2025 17:58:54 +0900 you wrote:
> >> The current implementation of rose_neigh uses 'use' and 'count' field of
> >> type unsigned short as a reference count. This approach lacks atomicity,
> >> leading to potential race conditions. As a result, syzbot has reported
> >> slab-use-after-free errors due to unintended removals.
> >>
> >> This series introduces refcount_t for reference counting to ensure
> >> atomicity and prevent race conditions. The patches are structured as
> >> follows:
> >>
> >> [...]
> >
> > Here is the summary with links:
> >    - [v2,net,1/3] net: rose: split remove and free operations in rose_remove_neigh()
> >      https://git.kernel.org/netdev/net/c/dcb34659028f
> >    - [v2,net,2/3] net: rose: convert 'use' field to refcount_t
> >      https://git.kernel.org/netdev/net/c/d860d1faa6b2
> >    - [v2,net,3/3] net: rose: include node references in rose_neigh refcount
> >      https://git.kernel.org/netdev/net/c/da9c9c877597
> >
> > You are awesome, thank you!
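
The syzbot trace above reaches kfree() through rose_neigh_put() in rose_timer_expiry() while a timer_list with hint rose_t0timer_expiry is still active. The userspace C model below is an added example, not code from the kernel or from the patch series: it shows why a final put on an object with a still-armed embedded timer gets flagged, and one discipline (an armed timer holds its own reference) under which the last user's put cannot free it. All names (struct neigh, neigh_put, t0_arm, t0_disarm, last_put) are hypothetical, and the discipline is an assumption for illustration, not the fix for this report.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

/* Userspace model; every name below is hypothetical, none is kernel API. */
enum put_result { PUT_HELD, PUT_FREED, PUT_FREED_ARMED };
struct neigh {
    atomic_uint refs;  /* plays the role of refcount_t */
    bool t0_armed;     /* plays the role of a pending timer_list */
};

/* Drop one reference; whoever takes the count to zero frees the object. */
static enum put_result neigh_put(struct neigh *n)
{
    if (atomic_fetch_sub_explicit(&n->refs, 1, memory_order_acq_rel) != 1)
        return PUT_HELD;
    bool armed = n->t0_armed;  /* what a free-time debug check looks at */
    free(n);
    return armed ? PUT_FREED_ARMED : PUT_FREED;
}

/* Discipline shown here: an armed timer owns a reference of its own... */
static void t0_arm(struct neigh *n)
{
    if (!n->t0_armed)
        atomic_fetch_add_explicit(&n->refs, 1, memory_order_relaxed);
    n->t0_armed = true;
}

/* ...and gives it back when the timer is stopped or has run. */
static enum put_result t0_disarm(struct neigh *n)
{
    bool was_armed = n->t0_armed;
    n->t0_armed = false;
    return was_armed ? neigh_put(n) : PUT_HELD;
}

/* The last user drops its reference while t0 is still armed. */
static enum put_result last_put(bool timer_owns_ref)
{
    struct neigh *n = calloc(1, sizeof(*n));
    if (!n) abort();
    atomic_init(&n->refs, 1);  /* the user's reference */
    if (timer_owns_ref) t0_arm(n); else n->t0_armed = true;
    enum put_result r = neigh_put(n);
    if (r == PUT_HELD) t0_disarm(n);  /* timer path frees it, disarmed */
    return r;
}

int main(void) { return last_put(false) != PUT_FREED_ARMED || last_put(true) != PUT_HELD; }
```

The program exits with status 0 when the unowned-timer ordering is flagged as a free with the timer still armed and the owned-timer ordering is not.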
