From: Pengfei Xu <pengfei.xu@intel.com>
To: John Fastabend <john.fastabend@gmail.com>
Cc: Eric Dumazet <edumazet@google.com>,
<linux-kernel@vger.kernel.org>, <ast@kernel.org>,
<heng.su@intel.com>, <lkp@intel.com>,
<linux-gpio@vger.kernel.org>, <linux-kselftest@vger.kernel.org>,
<yi1.lai@intel.com>
Subject: Re: [Syzkaller & bisect] There is WARNING: refcount bug in sock_map_free in v6.3-rc1
Date: Thu, 6 Apr 2023 13:03:28 +0800
Message-ID: <ZC5SoIRIFJpSpivX@xpf.sh.intel.com>
In-Reply-To: <642dea024554c_1ab91208f4@john.notmuch>

Hi John,

On 2023-04-05 at 14:37:06 -0700, John Fastabend wrote:
> Pengfei Xu wrote:
> > On 2023-04-04 at 11:43:36 +0200, Eric Dumazet wrote:
> > > On Tue, Apr 4, 2023 at 11:31 AM Pengfei Xu <pengfei.xu@intel.com> wrote:
> > > >
> > > > ++ GPIO and kself-test mailing list.
> > > >
> > > > Hi kernel experts,
> > > >
> > > > It's a soft reminder.
> > > >
> > > > My colleague Lai Yi found that similar "refcount_t: underflow; use-after-free"
> > > > issue still existed in v6.3-rc5 kernel on x86 platforms.
> > > >
> > > > We could reproduce the issue from kself-test: gpio-mockup.sh easily:
> > > > kernel/tools/testing/selftests/gpio/gpio-mockup.sh:
> > > >
> > > > "
> > > > [ 5781.338917] -----------[ cut here ]-----------
> > > > [ 5781.344192] refcount_t: underflow; use-after-free.
> > > > [ 5781.349666] WARNING: CPU: 250 PID: 82496 at lib/refcount.c:25 refcount_warn_saturate+0xbe/0x110
> > > > [ 5781.359550] Modules linked in: gpio_mockup isst_if_mmio isst_if_mbox_pci intel_th_sth stm_core intel_th_pti intel_th_pci intel_th_gth pmt_telemetry pmt_class intel_vsec intel_rapl_msr intel_rapl_common nfsv3 rpcsec_gss_krb5 auth_rpcgss nfsv4 nfs lockd grace bridge stp llc sunrpc intel_uncore_frequency intel_uncore_frequency_common i10nm_edac nfit x86_pkg_temp_thermal intel_powerclamp coretemp iTCO_wdt ofpart kvm_intel intel_pmc_bxt iTCO_vendor_support spi_nor mtd intel_sdsi kvm spdm irqbypass dax_hmem joydev asn1_encoder snd_pcm mei_me i2c_i801 spi_intel_pci isst_if_common idxd snd_timer intel_th i2c_smbus spi_intel mei i2c_ismt ipmi_ssif cxl_acpi ipmi_si cxl_core acpi_power_meter crc32c_intel i40e igb dca igc pinctrl_emmitsburg pinctrl_intel pwm_lpss fuse [last unloaded: isst_if_mmio]
> > > > [ 5781.438080] CPU: 250 PID: 82496 Comm: modprobe Not tainted 6.3.0-rc5 #1
> > > > [ 5781.449711] Hardware name: Intel Corporation, BIOS IFWI 03/12/2023
> > > > [ 5781.461615] RIP: 0010:refcount_warn_saturate+0xbe/0x110
> > > > [ 5781.467585] Code: 01 01 e8 75 56 8e ff 0f 0b c3 cc cc cc cc 80 3d 4c 67 ac 01 00 75 85 48 c7 c7 b0 31 cd a9 c6 05 3c 67 ac 01 01 e8 52 56 8e ff <0f> 0b c3 cc cc cc cc 80 3d 27 67 ac 01 00 0f 85 5e ff ff ff 48 c7
> > > > [ 5781.488761] RSP: 0018:ff45a7f44d39feb0 EFLAGS: 00010286
> > > > [ 5781.494745] RAX: 0000000000000000 RBX: ffffffffc0b36540 RCX: 0000000000000000
> > > > [ 5781.502871] RDX: 0000000000000002 RSI: ffffffffa9c065c8 RDI: 00000000ffffffff
> > > > [ 5781.510984] RBP: ff31c1afa78cb800 R08: 0000000000000001 R09: 0000000000000003
> > > > [ 5781.519100] R10: ff31c1b6fc000000 R11: ff31c1b6fc000000 R12: ff31c1afa78c4f40
> > > > [ 5781.527215] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> > > > [ 5781.535337] FS: 00007f9bc705a740(0000) GS:ff31c1b700280000(0000) knlGS:0000000000000000
> > > > [ 5781.544529] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > > > [ 5781.551063] CR2: 00007f9bc5e50dc0 CR3: 000000093b36c003 CR4: 0000000000f71ee0
> > > > [ 5781.559180] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > > > [ 5781.567307] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
> > > > [ 5781.575413] PKRU: 55555554
> > > > [ 5781.578551] Call Trace:
> > > > [ 5781.581394] <TASK>
> > > > [ 5781.583868] gpio_mockup_exit+0x33/0x420 [gpio_mockup]
> > > > [ 5781.589756] __do_sys_delete_module.constprop.0+0x180/0x270
> > > > [ 5781.596112] ? syscall_trace_enter.constprop.0+0x17f/0x1b0
> > > > [ 5781.602354] do_syscall_64+0x43/0x90
> > >
> > > I hear you but this trace has nothing to do with the bpf/sockmap commit ?
> > >
> > I just saw the same WARNING from kself-test: gpio-mockup.sh, maybe
> > it's a different issue, sorry.
> > "
> > refcount_t: underflow; use-after-free.
> > [ 5781.349666] WARNING: CPU: 250 PID: 82496 at lib/refcount.c:25
> > "
>
> The ./gpio-mockup.sh thing doesn't use sockmap at all, right? I can't see
> why the bisect to that patch would happen off-hand.
>
Indeed, I double-checked the suspected commit, and even with the commit
reverted on top of the v6.3-rc5 kernel, the above ./gpio-mockup.sh still
triggers the "refcount_t: underflow; use-after-free." problem.

So the "gpio-mockup.sh triggered issue" is a different issue. If I find
more clues, I will report the gpio kself-test issue in another email.
Sorry for the inconvenience.

Thanks!
BR.
> >
> > Thanks!
> > BR.
> > -Pengfei
> >
> > > My change looks correct, so your bisection might simply trigger because
> > > of a wider window for another bug to surface.
> > >
> > > John, do you have an idea of what is going on here ?
>
> No idea here.