* Re: [syzbot] WARNING: refcount bug in p9_client_walk
From: asmadeus @ 2023-11-15 7:06 UTC (permalink / raw)
To: Albert Guo; +Cc: v9fs
Albert Guo wrote on Wed, Nov 15, 2023 at 03:50:48AM +0000:
> Hi Asemadeus,
Please always cc the subsystem's mailing list when asking such
questions; there's no point in singling out maintainers.
(And it'd really help if you wouldn't misspell names; although I guess
you could also say it does help since riled up folks are more likely to
answer...)
> I'm Albert Guo from VMware. Sorry to disturb you. I'm writing to you to seek some help with the Linux 9p driver.
> We use the 9p driver in our product. We seem to encounter a similar refcount issue in our test:
> [syzbot] WARNING: refcount bug in p9_client_walk
> https://groups.google.com/g/syzkaller-bugs/c/UrvjxOLiykQ/m/LlVAtCzQBQAJ?pli=1
>
> syzbot
> Mar 23, 2023 06:02:37
>
> To: syzkall...@googlegroups.com
> Auto-closing this bug as obsolete.
> No recent activity, existing reproducers are no longer triggering the issue.
>
>
> Looks like the issue isn't reproducible from syzbot? Is it fixed? Do
> you know which commit fixes the issue?
It might have been fixed in 26273ade77f54716e30dfd40ac6e85ceb54ac0f9 as
uninitialized use could be causing that, otherwise I don't know --
there's been no other fix around refcounting since that report...
> Our kernel version is 6.1.56: https://elixir.bootlin.com/linux/v6.1.56/source
But it's long been fixed (included in 6.2 and 6.1.2), so there must be
another problem.
Please give your full stack trace (and not just a link to syzbot); the
warn message might help.
Also, how often do you hit this? (Can we consider it "reproducible"
under test where you would be able to run with tracepoints, or
simplifying the load etc?)
--
Dominique Martinet | Asmadeus
* [syzbot] WARNING: refcount bug in p9_client_walk
From: syzbot @ 2022-11-21 16:08 UTC (permalink / raw)
To: asmadeus, davem, edumazet, ericvh, kuba, linux-kernel, linux_oss,
lucho, netdev, pabeni, syzkaller-bugs, v9fs-developer
Hello,
syzbot found the following issue on:
HEAD commit: 9500fc6e9e60 Merge branch 'for-next/core' into for-kernelci
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=1519526e880000
kernel config: https://syzkaller.appspot.com/x/.config?x=b25c9f218686dd5e
dashboard link: https://syzkaller.appspot.com/bug?extid=2600f43a81c05675a9ae
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15ff2aed880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13b38365880000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/1363e60652f7/disk-9500fc6e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/fcc4da811bb6/vmlinux-9500fc6e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/0b554298f1fa/Image-9500fc6e.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2600f43a81c05675a9ae@syzkaller.appspotmail.com
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 3083 at lib/refcount.c:28 refcount_warn_saturate+0x1a0/0x1c8 lib/refcount.c:28
Modules linked in:
CPU: 1 PID: 3083 Comm: syz-executor181 Not tainted 6.1.0-rc5-syzkaller-32269-g9500fc6e9e60 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/30/2022
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : refcount_warn_saturate+0x1a0/0x1c8 lib/refcount.c:28
lr : refcount_warn_saturate+0x1a0/0x1c8 lib/refcount.c:28
sp : ffff800012e7b9b0
x29: ffff800012e7b9b0 x28: ffff0000c6b51a40 x27: 0000000020000040
x26: 0000000000010002 x25: 0000000000000000 x24: ffff0000cd574088
x23: 0000000000000000 x22: 0000000000000000 x21: ffff0000ca9ffc0c
x20: 0000000000000003 x19: ffff80000d98f000 x18: 00000000000001cc
x17: 0000000000000000 x16: ffff80000dc18158 x15: ffff0000c6b51a40
x14: 0000000000000000 x13: 00000000ffffffff x12: ffff0000c6b51a40
x11: ff808000081c6510 x10: 0000000000000000 x9 : 2060ebe174811d00
x8 : 2060ebe174811d00 x7 : ffff800008165f54 x6 : 0000000000000000
x5 : 0000000000000080 x4 : 0000000000000001 x3 : 0000000000000000
x2 : ffff0001fefddcc8 x1 : 0000000100000000 x0 : 0000000000000026
Call trace:
refcount_warn_saturate+0x1a0/0x1c8 lib/refcount.c:28
__refcount_sub_and_test include/linux/refcount.h:283 [inline]
__refcount_dec_and_test include/linux/refcount.h:315 [inline]
refcount_dec_and_test include/linux/refcount.h:333 [inline]
p9_fid_put include/net/9p/client.h:275 [inline]
p9_client_walk+0x2a4/0x2e8 net/9p/client.c:1190
v9fs_vfs_lookup+0xa0/0x37c fs/9p/vfs_inode.c:777
__lookup_slow+0x14c/0x204 fs/namei.c:1685
lookup_slow+0x44/0x68 fs/namei.c:1702
walk_component+0x178/0x1b0 fs/namei.c:1993
lookup_last fs/namei.c:2450 [inline]
path_lookupat+0xc4/0x208 fs/namei.c:2474
filename_lookup+0xf8/0x264 fs/namei.c:2503
user_path_at_empty+0x5c/0x114 fs/namei.c:2876
user_path_at include/linux/namei.h:57 [inline]
do_mount fs/namespace.c:3380 [inline]
__do_sys_mount fs/namespace.c:3591 [inline]
__se_sys_mount fs/namespace.c:3568 [inline]
__arm64_sys_mount+0x28c/0x3c4 fs/namespace.c:3568
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206
el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:584
irq event stamp: 1078
hardirqs last enabled at (1077): [<ffff800008165fe4>] raw_spin_rq_unlock_irq kernel/sched/sched.h:1366 [inline]
hardirqs last enabled at (1077): [<ffff800008165fe4>] finish_lock_switch+0x94/0xe8 kernel/sched/core.c:4950
hardirqs last disabled at (1078): [<ffff80000c0a4f34>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:405
softirqs last enabled at (1070): [<ffff8000080102e4>] _stext+0x2e4/0x37c
softirqs last disabled at (1059): [<ffff800008017c88>] ____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:79
---[ end trace 0000000000000000 ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches