From: kernel test robot <oliver.sang@intel.com>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: <oe-lkp@lists.linux.dev>, <lkp@intel.com>,
<keyrings@vger.kernel.org>, David Howells <dhowells@redhat.com>,
Jarkko Sakkinen <jarkko@kernel.org>,
Lukas Wunner <lukas@wunner.de>,
Ignat Korchagin <ignat@cloudflare.com>,
"David S. Miller" <davem@davemloft.net>,
Peter Huewe <peterhuewe@gmx.de>, Jason Gunthorpe <jgg@ziepe.ca>,
Paul Moore <paul@paul-moore.com>,
"James Morris" <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
"James Bottomley" <James.Bottomley@hansenpartnership.com>,
Mimi Zohar <zohar@linux.ibm.com>, <linux-crypto@vger.kernel.org>,
<linux-kernel@vger.kernel.org>, <linux-integrity@vger.kernel.org>,
<linux-security-module@vger.kernel.org>, <oliver.sang@intel.com>
Subject: Re: [v2 PATCH] KEYS: Invert FINAL_PUT bit
Date: Fri, 9 May 2025 17:34:09 +0800
Message-ID: <202505091721.245cbe78-lkp@intel.com>
In-Reply-To: <aBccz2nJs5Asg6cN@gondor.apana.org.au>
Hello,
Our bot applied this patch directly upon v6.15-rc5. Could you let us know if
this is a correct application?
* a78cdfa4388ab9 (linux-review/Herbert-Xu/KEYS-Invert-FINAL_PUT-bit/20250505-122533) KEYS: Invert FINAL_PUT bit
* 92a09c47464d04 (tag: v6.15-rc5,
The report below is based on this application.
kernel test robot noticed "refcount_t:underflow;use-after-free" on:
commit: a78cdfa4388ab9b210c804b92453f14bbe199cbf ("[v2 PATCH] KEYS: Invert FINAL_PUT bit")
url: https://github.com/intel-lab-lkp/linux/commits/Herbert-Xu/KEYS-Invert-FINAL_PUT-bit/20250505-122533
base: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git 92a09c47464d040866cf2b4cd052bc60555185fb
patch link: https://lore.kernel.org/all/aBccz2nJs5Asg6cN@gondor.apana.org.au/
patch subject: [v2 PATCH] KEYS: Invert FINAL_PUT bit
in testcase: trinity
version: trinity-i386-abe9de86-1_20230429
with following parameters:
runtime: 300s
group: group-04
nr_groups: 5
config: i386-randconfig-014-20250509
compiler: gcc-12
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
(please refer to attached dmesg/kmsg for entire log/backtrace)
there are other (random) issues as below.
+-------------------------------------------------------------------------+-----------+------------+
| | v6.15-rc5 | a78cdfa438 |
+-------------------------------------------------------------------------+-----------+------------+
| boot_successes | 80 | 0 |
| boot_failures | 0 | 48 |
| refcount_t:underflow;use-after-free | 0 | 48 |
| WARNING:at_lib/refcount.c:#refcount_warn_saturate | 0 | 47 |
| EIP:refcount_warn_saturate | 0 | 48 |
| addition_on#;use-after-free | 0 | 46 |
| saturated;leaking_memory | 0 | 44 |
| BUG:kernel_NULL_pointer_dereference,address | 0 | 31 |
| Oops | 0 | 41 |
| EIP:keyctl_read_key | 0 | 27 |
| Kernel_panic-not_syncing:Fatal_exception | 0 | 36 |
| BUG:unable_to_handle_page_fault_for_address | 0 | 10 |
| EIP:key_put | 0 | 1 |
| Kernel_panic-not_syncing:Fatal_exception_in_interrupt | 0 | 5 |
| EIP:kmem_cache_alloc_noprof | 0 | 2 |
| BUG:Bad_rss-counter_state_mm:#type:MM_SWAPENTS_val | 0 | 1 |
| EIP:keyctl_describe_key | 0 | 1 |
| EIP:keyring_gc_check_iterator | 0 | 1 |
| EIP:dst_destroy | 0 | 3 |
| EIP:_raw_spin_unlock_irqrestore | 0 | 1 |
| EIP:put_pid | 0 | 4 |
| EIP:rb_erase | 0 | 1 |
| EIP:kernel_init_pages | 0 | 1 |
| EIP:lookup_user_key | 0 | 1 |
| EIP:strlen | 0 | 1 |
| INFO:task_blocked_for_more_than#seconds | 0 | 1 |
| BUG:kernel_hang_in_test_stage | 0 | 1 |
+-------------------------------------------------------------------------+-----------+------------+
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <oliver.sang@intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202505091721.245cbe78-lkp@intel.com
[ 8.510562][ T60] ------------[ cut here ]------------
[ 8.511283][ T60] refcount_t: underflow; use-after-free.
[ 8.511950][ T60] WARNING: CPU: 0 PID: 60 at lib/refcount.c:28 refcount_warn_saturate (kbuild/obj/consumer/i386-randconfig-014-20250509/lib/refcount.c:28 (discriminator 3))
[ 8.512948][ T60] Modules linked in:
[ 8.513488][ T60] CPU: 0 UID: 0 PID: 60 Comm: kworker/0:2 Not tainted 6.15.0-rc5-00001-ga78cdfa4388a #1 PREEMPT 231a29fdcec5e4259d3c91818150ae4baf2b3615
[ 8.514973][ T60] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[ 8.516145][ T60] Workqueue: events key_garbage_collector
[ 8.516849][ T60] EIP: refcount_warn_saturate (kbuild/obj/consumer/i386-randconfig-014-20250509/lib/refcount.c:28 (discriminator 3))
[ 8.517490][ T60] Code: fa c2 82 01 68 28 15 60 82 e8 e3 88 72 ff 0f 0b 58 c9 c3 8d b6 00 00 00 00 c6 05 2e fa c2 82 01 68 d0 14 60 82 e8 c7 88 72 ff <0f> 0b 59 c9 c3 66 90 89 c2 8b 00 3d 00 00 00 c0 74 12 83 f8 01 74
All code
========
0: fa cli
1: c2 82 01 ret $0x182
4: 68 28 15 60 82 push $0xffffffff82601528
9: e8 e3 88 72 ff call 0xffffffffff7288f1
e: 0f 0b ud2
10: 58 pop %rax
11: c9 leave
12: c3 ret
13: 8d b6 00 00 00 00 lea 0x0(%rsi),%esi
19: c6 05 2e fa c2 82 01 movb $0x1,-0x7d3d05d2(%rip) # 0xffffffff82c2fa4e
20: 68 d0 14 60 82 push $0xffffffff826014d0
25: e8 c7 88 72 ff call 0xffffffffff7288f1
2a:* 0f 0b ud2 <-- trapping instruction
2c: 59 pop %rcx
2d: c9 leave
2e: c3 ret
2f: 66 90 xchg %ax,%ax
31: 89 c2 mov %eax,%edx
33: 8b 00 mov (%rax),%eax
35: 3d 00 00 00 c0 cmp $0xc0000000,%eax
3a: 74 12 je 0x4e
3c: 83 f8 01 cmp $0x1,%eax
3f: 74 .byte 0x74
Code starting with the faulting instruction
===========================================
0: 0f 0b ud2
2: 59 pop %rcx
3: c9 leave
4: c3 ret
5: 66 90 xchg %ax,%ax
7: 89 c2 mov %eax,%edx
9: 8b 00 mov (%rax),%eax
b: 3d 00 00 00 c0 cmp $0xc0000000,%eax
10: 74 12 je 0x24
12: 83 f8 01 cmp $0x1,%eax
15: 74 .byte 0x74
[ 8.519470][ T60] EAX: 00000026 EBX: 85c8c9c0 ECX: 0000025c EDX: 00000000
[ 8.520241][ T60] ESI: 85d4ede0 EDI: 821a0f00 EBP: 8405fe6c ESP: 8405fe68
[ 8.521168][ T60] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 EFLAGS: 00010286
[ 8.522055][ T60] CR0: 80050033 CR2: 77ecb6a1 CR3: 040b8000 CR4: 000406f0
[ 8.522824][ T60] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[ 8.523614][ T60] DR6: fffe0ff0 DR7: 00000400
[ 8.524161][ T60] Call Trace:
[ 8.524619][ T60] key_put (kbuild/obj/consumer/i386-randconfig-014-20250509/include/linux/refcount.h:400 kbuild/obj/consumer/i386-randconfig-014-20250509/include/linux/refcount.h:432 kbuild/obj/consumer/i386-randconfig-014-20250509/include/linux/refcount.h:450 kbuild/obj/consumer/i386-randconfig-014-20250509/security/keys/key.c:652)
[ 8.525119][ T60] keyring_free_object (kbuild/obj/consumer/i386-randconfig-014-20250509/security/keys/keyring.c:390)
[ 8.525736][ T60] assoc_array_destroy_subtree+0x7b/0x17c
[ 8.526446][ T60] assoc_array_destroy (kbuild/obj/consumer/i386-randconfig-014-20250509/lib/assoc_array.c:445)
[ 8.527048][ T60] keyring_destroy (kbuild/obj/consumer/i386-randconfig-014-20250509/security/keys/keyring.c:432)
[ 8.527617][ T60] key_gc_unused_keys+0xfb/0x134
[ 8.528301][ T60] key_garbage_collector (kbuild/obj/consumer/i386-randconfig-014-20250509/security/keys/gc.c:305)
[ 8.528967][ T60] process_one_work (kbuild/obj/consumer/i386-randconfig-014-20250509/kernel/workqueue.c:3243)
[ 8.529586][ T60] worker_thread (kbuild/obj/consumer/i386-randconfig-014-20250509/kernel/workqueue.c:3313 kbuild/obj/consumer/i386-randconfig-014-20250509/kernel/workqueue.c:3400)
[ 8.530157][ T60] kthread (kbuild/obj/consumer/i386-randconfig-014-20250509/kernel/kthread.c:464)
[ 8.530681][ T60] ? rescuer_thread (kbuild/obj/consumer/i386-randconfig-014-20250509/kernel/workqueue.c:3346)
[ 8.531244][ T60] ? kthread_fetch_affinity+0x34/0x34
[ 8.531930][ T60] ret_from_fork (kbuild/obj/consumer/i386-randconfig-014-20250509/arch/x86/kernel/process.c:159)
[ 8.532498][ T60] ? kthread_fetch_affinity+0x34/0x34
[ 8.533164][ T60] ret_from_fork_asm (kbuild/obj/consumer/i386-randconfig-014-20250509/arch/x86/entry/entry_32.S:737)
[ 8.533766][ T60] entry_INT80_32 (kbuild/obj/consumer/i386-randconfig-014-20250509/arch/x86/entry/entry_32.S:945)
[ 8.534333][ T60] irq event stamp: 3905
[ 8.534868][ T60] hardirqs last enabled at (3917): __up_console_sem (kbuild/obj/consumer/i386-randconfig-014-20250509/arch/x86/include/asm/irqflags.h:42 (discriminator 1) kbuild/obj/consumer/i386-randconfig-014-20250509/arch/x86/include/asm/irqflags.h:119 (discriminator 1) kbuild/obj/consumer/i386-randconfig-014-20250509/arch/x86/include/asm/irqflags.h:159 (discriminator 1) kbuild/obj/consumer/i386-randconfig-014-20250509/kernel/printk/printk.c:344 (discriminator 1))
[ 8.535880][ T60] hardirqs last disabled at (3928): __up_console_sem (kbuild/obj/consumer/i386-randconfig-014-20250509/kernel/printk/printk.c:342 (discriminator 1))
[ 8.535891][ T60] softirqs last enabled at (3856): handle_softirqs (kbuild/obj/consumer/i386-randconfig-014-20250509/kernel/softirq.c:426 kbuild/obj/consumer/i386-randconfig-014-20250509/kernel/softirq.c:607)
[ 8.535896][ T60] softirqs last disabled at (3851): __do_softirq (kbuild/obj/consumer/i386-randconfig-014-20250509/kernel/softirq.c:614)
[ 8.535904][ T60] ---[ end trace 0000000000000000 ]---
The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20250509/202505091721.245cbe78-lkp@intel.com
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki