Re: netconsole refcount warning
On Wed, Jul 12, 2017 at 3:30 PM, Cong Wang wrote: > On Sun, Jul 9, 2017 at 4:57 PM, Dave Jones wrote: >> The new refcount debugging code spews this twice during boot on my router.. >> >> >> refcount_t: increment on 0; use-after-free. >> [ cut here ] >> WARNING: CPU: 1 PID: 17 at lib/refcount.c:152 refcount_inc+0x2b/0x30 >> CPU: 1 PID: 17 Comm: ksoftirqd/1 Not tainted 4.12.0-firewall+ #8 >> task: 8801d4441ac0 task.stack: 8801d445 >> RIP: 0010:refcount_inc+0x2b/0x30 >> RSP: 0018:8801d4456da8 EFLAGS: 00010046 >> RAX: 002c RBX: 8801d4c3cf40 RCX: >> RDX: 002c RSI: 0003 RDI: ed003a88adab >> RBP: 8801d4456da8 R08: 0003 R09: fbfff4afcb57 >> R10: R11: fbfff4afcb58 R12: 8801d4c3c540 >> R13: 0082 R14: 8801ce9c7ff8 R15: 8801ce9c8aa0 >> FS: () GS:8801d6a0() knlGS: >> CS: 0010 DS: ES: CR0: 80050033 >> CR2: 7fa2b803156e CR3: 0001c405d000 CR4: 000406e0 >> Call Trace: >> zap_completion_queue+0xad/0x1a0 > > > Sigh... it is on purpose: > > commit 8a455b087c9629b3ae3b521b4f1ed16672f978cc > Author: Jarek Poplawski > Date: Thu Mar 20 16:07:27 2008 -0700 > > netpoll: zap_completion_queue: adjust skb->users counter > > zap_completion_queue() retrieves skbs from completion_queue where they > have > zero skb->users counter. Before dev_kfree_skb_any() it should be non-zero > yet, so it's increased now. > > Reported-and-tested-by: Andrew Morton > Signed-off-by: Jarek Poplawski > Signed-off-by: Andrew Morton > Signed-off-by: David S. Miller > > We need to review it now. :-/ I think we should explicitly set it to 1 with refcount_set() since we know it was 0 for sure. diff --git a/net/core/netpoll.c b/net/core/netpoll.c index d3408a6..8357f16 100644 --- a/net/core/netpoll.c +++ b/net/core/netpoll.c @@ -277,7 +277,7 @@ static void zap_completion_queue(void) struct sk_buff *skb = clist; clist = clist->next; if (!skb_irq_freeable(skb)) { - refcount_inc(&skb->users); + refcount_set(&skb->users, 1); dev_kfree_skb_any(skb); /* put this one back */ } else { __kfree_skb(skb);
Re: netconsole refcount warning
On Sun, Jul 9, 2017 at 4:57 PM, Dave Jones wrote: > The new refcount debugging code spews this twice during boot on my router.. > > > refcount_t: increment on 0; use-after-free. > [ cut here ] > WARNING: CPU: 1 PID: 17 at lib/refcount.c:152 refcount_inc+0x2b/0x30 > CPU: 1 PID: 17 Comm: ksoftirqd/1 Not tainted 4.12.0-firewall+ #8 > task: 8801d4441ac0 task.stack: 8801d445 > RIP: 0010:refcount_inc+0x2b/0x30 > RSP: 0018:8801d4456da8 EFLAGS: 00010046 > RAX: 002c RBX: 8801d4c3cf40 RCX: > RDX: 002c RSI: 0003 RDI: ed003a88adab > RBP: 8801d4456da8 R08: 0003 R09: fbfff4afcb57 > R10: R11: fbfff4afcb58 R12: 8801d4c3c540 > R13: 0082 R14: 8801ce9c7ff8 R15: 8801ce9c8aa0 > FS: () GS:8801d6a0() knlGS: > CS: 0010 DS: ES: CR0: 80050033 > CR2: 7fa2b803156e CR3: 0001c405d000 CR4: 000406e0 > Call Trace: > zap_completion_queue+0xad/0x1a0 Sigh... it is on purpose: commit 8a455b087c9629b3ae3b521b4f1ed16672f978cc Author: Jarek Poplawski Date: Thu Mar 20 16:07:27 2008 -0700 netpoll: zap_completion_queue: adjust skb->users counter zap_completion_queue() retrieves skbs from completion_queue where they have zero skb->users counter. Before dev_kfree_skb_any() it should be non-zero yet, so it's increased now. Reported-and-tested-by: Andrew Morton Signed-off-by: Jarek Poplawski Signed-off-by: Andrew Morton Signed-off-by: David S. Miller We need to review it now. :-/
netconsole refcount warning
The new refcount debugging code spews this twice during boot on my router.. refcount_t: increment on 0; use-after-free. [ cut here ] WARNING: CPU: 1 PID: 17 at lib/refcount.c:152 refcount_inc+0x2b/0x30 CPU: 1 PID: 17 Comm: ksoftirqd/1 Not tainted 4.12.0-firewall+ #8 task: 8801d4441ac0 task.stack: 8801d445 RIP: 0010:refcount_inc+0x2b/0x30 RSP: 0018:8801d4456da8 EFLAGS: 00010046 RAX: 002c RBX: 8801d4c3cf40 RCX: RDX: 002c RSI: 0003 RDI: ed003a88adab RBP: 8801d4456da8 R08: 0003 R09: fbfff4afcb57 R10: R11: fbfff4afcb58 R12: 8801d4c3c540 R13: 0082 R14: 8801ce9c7ff8 R15: 8801ce9c8aa0 FS: () GS:8801d6a0() knlGS: CS: 0010 DS: ES: CR0: 80050033 CR2: 7fa2b803156e CR3: 0001c405d000 CR4: 000406e0 Call Trace: zap_completion_queue+0xad/0x1a0 netpoll_poll_dev+0x16f/0x3f0 netpoll_send_skb_on_dev+0x25a/0x360 netpoll_send_udp+0x526/0x850 write_ext_msg+0x212/0x230 ? _raw_spin_unlock_irqrestore+0x43/0x70 ? write_msg+0x11f/0x130 console_unlock+0x3ea/0x6e0 vprintk_emit+0x298/0x3a0 vprintk_default+0x1f/0x30 vprintk_func+0x34/0xb0 printk+0x95/0xb2 ? show_regs_print_info+0x45/0x45 ? nf_log_buf_open+0x2c/0x70 ? nf_log_buf_close+0x26/0x70 nf_log_buf_close+0x3c/0x70 nf_log_ip_packet+0x111/0x250 nf_log_packet+0x19e/0x330 ? nf_logger_find_get+0x1c0/0x1c0 ? debug_show_all_locks+0x1e0/0x1e0 ? __local_bh_enable_ip+0x64/0xb0 ? debug_smp_processor_id+0x17/0x20 log_tg+0x13d/0x170 ? log_tg_check+0x70/0x70 ? trace_hardirqs_on+0xe/0x10 ? __local_bh_enable_ip+0x64/0xb0 ? _raw_spin_unlock_bh+0x35/0x40 ipt_do_table+0x770/0xbb0 ? mark_lock+0xb7/0x7d0 ? sched_clock_cpu+0x1c/0x130 ? ipt_alloc_initial_table+0x2d0/0x2d0 ? debug_smp_processor_id+0x17/0x20 ? __lock_is_held+0x55/0x110 ? ipt_unregister_table+0x50/0x50 iptable_filter_hook+0x53/0xd0 nf_hook_slow+0x4a/0x120 ip_local_deliver+0x1ba/0x2c0 ? ip_local_deliver+0x100/0x2c0 ? ip_call_ra_chain+0x270/0x270 ? inet_del_offload+0x40/0x40 ip_rcv_finish+0x2b9/0x880 ip_rcv+0x51f/0x8a0 ? ip_rcv+0x5ae/0x8a0 ? ip_local_deliver+0x2c0/0x2c0 ? ip_local_deliver_finish+0x4d0/0x4d0 ? ip_local_deliver+0x2c0/0x2c0 __netif_receive_skb_core+0xd4b/0x1210 ? enqueue_to_backlog+0x620/0x620 ? ktime_get_with_offset+0x11d/0x290 __netif_receive_skb+0x27/0xc0 ? debug_smp_processor_id+0x17/0x20 netif_receive_skb_internal+0x3e3/0xc90 ? netif_receive_skb_internal+0x90/0xc90 ? __build_skb+0x2f/0x140 ? __dev_queue_xmit+0xd30/0xd30 ? debug_dma_sync_single_for_device+0xb7/0xc0 ? debug_dma_sync_single_for_cpu+0xc0/0xc0 ? dev_gro_receive+0x90/0x9b0 ? __lock_is_held+0x30/0x110 ? __asan_loadN+0x10/0x20 ? skb_gro_reset_offset+0x93/0x140 napi_gro_receive+0x1d1/0x270 rtl8169_poll+0x49b/0xb30 net_rx_action+0x4c4/0x7d0 ? napi_complete_done+0x1b0/0x1b0 ? __lock_is_held+0x30/0x110 __do_softirq+0x113/0x611 run_ksoftirqd+0x22/0x90 smpboot_thread_fn+0x348/0x4f0 ? __local_bh_enable_ip+0xb0/0xb0 ? sort_range+0x30/0x30 ? schedule+0x6c/0xe0 ? __kthread_parkme+0xf2/0x110 kthread+0x1ab/0x200 ? sort_range+0x30/0x30 ? __kthread_create_on_node+0x340/0x340 ret_from_fork+0x27/0x40 Code: 55 48 89 e5 e8 97 ff ff ff 84 c0 74 02 5d c3 80 3d 5d 3e 06 01 00 75 f5 48 c7 c7 20 69 f1 a4 c6 05 4d 3e 06 01 01 e8 ca 41 bc ff <0f> ff 5d c3 90 55 48 89 e5 41 54 44 8d 27 48 8d 3e 53 48 8d 1e ---[ end trace a9116b75ea217b54 ]---