From: syzbot <syzbot+8ada0057e69293a05fd4@syzkaller.appspotmail.com>
To: aleksander.lobakin@intel.com, andrii@kernel.org, ast@kernel.org,
bjorn@kernel.org, bpf@vger.kernel.org, daniel@iogearbox.net,
davem@davemloft.net, edumazet@google.com, hawk@kernel.org,
john.fastabend@gmail.com, jonathan.lemon@gmail.com,
kuba@kernel.org, linux-kernel@vger.kernel.org,
maciej.fijalkowski@intel.com, magnus.karlsson@intel.com,
netdev@vger.kernel.org, pabeni@redhat.com,
syzkaller-bugs@googlegroups.com, xuanzhuo@linux.alibaba.com
Subject: [syzbot] [bpf?] [net?] WARNING: refcount bug in xp_put_pool
Date: Mon, 31 Jul 2023 00:57:58 -0700 [thread overview]
Message-ID: <000000000000f7fbdd0601c3c9c5@google.com> (raw)
Hello,
syzbot found the following issue on:
HEAD commit: d7b3af5a77e8 Add linux-next specific files for 20230728
git tree: linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=101a8319a80000
kernel config: https://syzkaller.appspot.com/x/.config?x=62dd327c382e3fe
dashboard link: https://syzkaller.appspot.com/bug?extid=8ada0057e69293a05fd4
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=146dbe31a80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11656a7ea80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/5efa5e68267f/disk-d7b3af5a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b1f5d3e10263/vmlinux-d7b3af5a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/57cab469d186/bzImage-d7b3af5a.xz
The issue was bisected to:
commit 9f78bf330a66cd400b3e00f370f597e9fa939207
Author: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
Date: Thu Feb 16 08:30:47 2023 +0000
xsk: support use vaddr as ring
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=13541155a80000
final oops: https://syzkaller.appspot.com/x/report.txt?x=10d41155a80000
console output: https://syzkaller.appspot.com/x/log.txt?x=17541155a80000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8ada0057e69293a05fd4@syzkaller.appspotmail.com
Fixes: 9f78bf330a66 ("xsk: support use vaddr as ring")
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 5078 at lib/refcount.c:28 refcount_warn_saturate+0x140/0x1f0 lib/refcount.c:28
Modules linked in:
CPU: 0 PID: 5078 Comm: kworker/0:3 Not tainted 6.5.0-rc3-next-20230728-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023
Workqueue: events drain_vmap_area_work
RIP: 0010:refcount_warn_saturate+0x140/0x1f0 lib/refcount.c:28
Code: 0a 31 ff 89 de e8 f0 3e 65 fd 84 db 0f 85 6e ff ff ff e8 b3 43 65 fd 48 c7 c7 c0 33 c8 8a c6 05 64 ce 74 0a 01 e8 60 99 2b fd <0f> 0b e9 4f ff ff ff e8 94 43 65 fd 0f b6 1d 4a ce 74 0a 31 ff 89
RSP: 0018:ffffc90000007d88 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000100
RDX: ffff88807190d940 RSI: ffffffff814d5b56 RDI: 0000000000000001
RBP: ffff888071110460 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffff888071110460
R13: ffff8880710d24e8 R14: 0000000000000000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555557361650 CR3: 00000000476b6000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
__refcount_sub_and_test include/linux/refcount.h:283 [inline]
__refcount_dec_and_test include/linux/refcount.h:315 [inline]
refcount_dec_and_test include/linux/refcount.h:333 [inline]
xp_put_pool+0x8a/0x1e0 net/xdp/xsk_buff_pool.c:286
xsk_destruct+0x95/0x140 net/xdp/xsk.c:1601
__sk_destruct+0x4d/0x770 net/core/sock.c:2163
rcu_do_batch kernel/rcu/tree.c:2139 [inline]
rcu_core+0x7fb/0x1bb0 kernel/rcu/tree.c:2403
__do_softirq+0x218/0x965 kernel/softirq.c:553
invoke_softirq kernel/softirq.c:427 [inline]
__irq_exit_rcu kernel/softirq.c:632 [inline]
irq_exit_rcu+0xb7/0x120 kernel/softirq.c:644
common_interrupt+0xae/0xd0 arch/x86/kernel/irq.c:247
</IRQ>
<TASK>
asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:636
RIP: 0010:stack_trace_consume_entry+0xaf/0x160 kernel/stacktrace.c:93
Code: c0 03 38 d0 7c 08 84 d2 0f 85 90 00 00 00 8b 43 0c 85 c0 75 53 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 80 3c 02 00 <0f> 85 92 00 00 00 8d 45 01 89 43 10 48 8b 03 48 8d 2c e8 48 b8 00
RSP: 0018:ffffc90003d7f6d8 EFLAGS: 00000246
RAX: dffffc0000000000 RBX: ffffc90003d7f7b8 RCX: 0000000000000000
RDX: 1ffff920007afef7 RSI: ffffffff81cffbd8 RDI: ffffc90003d7f7c4
RBP: 0000000000000000 R08: ffffc90003d7f72c R09: ffffffff8f40e62e
R10: ffffc90003d7f6f8 R11: 000000000000e4d6 R12: ffffffff8174c470
R13: ffffc90003d7f7b8 R14: 0000000000000000 R15: ffff88807190d940
arch_stack_walk+0x7f/0xf0 arch/x86/kernel/stacktrace.c:27
stack_trace_save+0x96/0xd0 kernel/stacktrace.c:122
save_stack+0x160/0x1f0 mm/page_owner.c:128
__reset_page_owner+0x5a/0x190 mm/page_owner.c:149
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1160 [inline]
free_unref_page_prepare+0x508/0xb90 mm/page_alloc.c:2383
free_unref_page+0x33/0x3b0 mm/page_alloc.c:2478
kasan_depopulate_vmalloc_pte+0x63/0x80 mm/kasan/shadow.c:427
apply_to_pte_range mm/memory.c:2735 [inline]
apply_to_pmd_range mm/memory.c:2779 [inline]
apply_to_pud_range mm/memory.c:2815 [inline]
apply_to_p4d_range mm/memory.c:2851 [inline]
__apply_to_page_range+0x5ed/0xdb0 mm/memory.c:2885
kasan_release_vmalloc+0xa8/0xc0 mm/kasan/shadow.c:544
__purge_vmap_area_lazy+0x8b9/0x2160 mm/vmalloc.c:1770
drain_vmap_area_work+0x54/0xd0 mm/vmalloc.c:1804
process_one_work+0xaa2/0x16f0 kernel/workqueue.c:2603
worker_thread+0x687/0x1110 kernel/workqueue.c:2754
kthread+0x33a/0x430 kernel/kthread.c:389
ret_from_fork+0x2c/0x70 arch/x86/kernel/process.c:145
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
</TASK>
----------------
Code disassembly (best guess), 2 bytes skipped:
0: 38 d0 cmp %dl,%al
2: 7c 08 jl 0xc
4: 84 d2 test %dl,%dl
6: 0f 85 90 00 00 00 jne 0x9c
c: 8b 43 0c mov 0xc(%rbx),%eax
f: 85 c0 test %eax,%eax
11: 75 53 jne 0x66
13: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
1a: fc ff df
1d: 48 89 da mov %rbx,%rdx
20: 48 c1 ea 03 shr $0x3,%rdx
24: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
* 28: 0f 85 92 00 00 00 jne 0xc0 <-- trapping instruction
2e: 8d 45 01 lea 0x1(%rbp),%eax
31: 89 43 10 mov %eax,0x10(%rbx)
34: 48 8b 03 mov (%rbx),%rax
37: 48 8d 2c e8 lea (%rax,%rbp,8),%rbp
3b: 48 rex.W
3c: b8 .byte 0xb8
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
next reply other threads:[~2023-07-31 7:58 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-31 7:57 syzbot [this message]
[not found] <20230731110130.1456-1-hdanton@sina.com>
2023-07-31 11:27 ` [syzbot] [bpf?] [net?] WARNING: refcount bug in xp_put_pool syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=000000000000f7fbdd0601c3c9c5@google.com \
--to=syzbot+8ada0057e69293a05fd4@syzkaller.appspotmail.com \
--cc=aleksander.lobakin@intel.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bjorn@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=hawk@kernel.org \
--cc=john.fastabend@gmail.com \
--cc=jonathan.lemon@gmail.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=maciej.fijalkowski@intel.com \
--cc=magnus.karlsson@intel.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=xuanzhuo@linux.alibaba.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.