netdev.vger.kernel.org archive mirror
From: Breno Leitao <leitao@debian.org>
To: Edward Adam Davis <eadavis@qq.com>
Cc: syzbot+ad601904231505ad6617@syzkaller.appspotmail.com,
	davem@davemloft.net, edumazet@google.com, kernel@pengutronix.de,
	kuba@kernel.org, linux-can@vger.kernel.org,
	linux-kernel@vger.kernel.org, mkl@pengutronix.de,
	netdev@vger.kernel.org, o.rempel@pengutronix.de,
	pabeni@redhat.com, robin@protonic.nl, socketcan@hartkopp.net,
	syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [can?] WARNING: refcount bug in j1939_session_put
Date: Wed, 7 Aug 2024 01:02:28 -0700
Message-ID: <ZrMqFN4vE7WHRBjE@gmail.com>
In-Reply-To: <tencent_2878E872ED62CC507B1A6F702C096FD8960A@qq.com>

Hello Edward,

On Wed, Aug 07, 2024 at 09:42:40AM +0800, Edward Adam Davis wrote:
> Fixes: c9c0ee5f20c5 ("net: skbuff: Skip early return in skb_unref when debugging")
> 
> Root cause: In commit c9c0ee5f20c5, there are the following rules:
> In debug builds (CONFIG_DEBUG_NET set), the reference count is always decremented, even when it's 1

That is the goal, to pick problems like the one reported here. I.e., the
reference shouldn't be negative. If that is the case, it means that
there is a bug, and the skb is being unreferenced more than what it
needs to.

> This rule will cause the reference count to be 0 after calling skb_unref,
> which will affect the release of skb.
> 
> The solution I have proposed is:
> Before releasing the SKB during session destroy, check the CONFIG_DEBUG_NET
> and skb_unref return values to avoid reference count errors caused by a 
> reference count of 0 when releasing the SKB.

I am not sure this is the best approach. I would suggest finding where
the skb is being unreferenced first, so, it doesn't need to be
unreferenced again.

This suggestion is basically working around the findings.

Thanks for looking at this problem.
--breno
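
The behaviour discussed in this message, as an added example that is not part of the thread and is not kernel code: a simplified user-space model of skb_unref() with and without CONFIG_DEBUG_NET, showing why only the debug variant flags a second put on the same reference. The names model_skb, model_dec_and_test, model_skb_unref, users_after_single_put and double_put_detected are hypothetical, and the model leaves out the real function's atomics and memory barriers.

```c
#include <stdbool.h>

/* Simplified user-space model (assumption), not kernel code. */
struct model_skb {
    int users;   /* stands in for the refcount_t skb->users */
    bool warned; /* set when a put arrives with the count already at 0 */
};

/* Model of refcount_dec_and_test(): true when the count drops to 0.
 * A decrement from 0 is an underflow, which refcount_t reports as a WARNING. */
static bool model_dec_and_test(struct model_skb *skb)
{
    if (skb->users == 0) {
        skb->warned = true;
        return false;
    }
    return --skb->users == 0;
}

/* Model of skb_unref(); debug_net stands in for CONFIG_DEBUG_NET. */
static bool model_skb_unref(struct model_skb *skb, bool debug_net)
{
    if (!skb)
        return false;
    if (!debug_net && skb->users == 1)
        return true; /* early return: last reference, counter stays at 1 */
    return model_dec_and_test(skb);
}

/* Counter value left behind after the one legitimate put. */
static int users_after_single_put(bool debug_net)
{
    struct model_skb skb = { .users = 1, .warned = false };
    model_skb_unref(&skb, debug_net);
    return skb.users;
}

/* Put a single reference twice. The model never frees the object, so the
 * counter can still be inspected after the put that would have freed it. */
static bool double_put_detected(bool debug_net)
{
    struct model_skb skb = { .users = 1, .warned = false };
    model_skb_unref(&skb, debug_net); /* legitimate put */
    model_skb_unref(&skb, debug_net); /* extra put: the bug */
    return skb.warned;
}

int main(void) { return double_put_detected(true) ? 0 : 1; }
```

In the model, the non-debug path reports "last reference" on both puts without the counter ever noticing, while the debug path leaves the counter at 0 after the first put so the second one is caught as an underflow.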
