LKML Archive on lore.kernel.org
From: Christian Brauner <christian.brauner@ubuntu.com>
To: Naresh Kamboju <naresh.kamboju@linaro.org>,
	"open list:KERNEL SELFTEST FRAMEWORK" 
	<linux-kselftest@vger.kernel.org>,
	open list <linux-kernel@vger.kernel.org>
Cc: John Stultz <john.stultz@linaro.org>,
	tkjos@google.com, Shuah Khan <shuah@kernel.org>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Ard Biesheuvel <ard.biesheuvel@linaro.org>,
	ardb@kernel.org, Kees Cook <keescook@chromium.org>,
	lkft-triage@lists.linaro.org
Subject: Re: WARNING: at refcount.c:190 refcount_sub_and_test_checked+0xac/0xc8 - refcount_t: underflow; use-after-free.
Date: Wed, 11 Mar 2020 10:13:57 +0100
Message-ID: <FBB76EEA-5503-4D57-AD2B-642D0CA7C090@ubuntu.com>
In-Reply-To: <CA+G9fYusdfg7PMfC9Xce-xLT7NiyKSbgojpK35GOm=Pf9jXXrA@mail.gmail.com>

On March 11, 2020 8:52:16 AM GMT+01:00, Naresh Kamboju <naresh.kamboju@linaro.org> wrote:
>While running selftest binderfs_test on Linux mainline, the following
>warning was seen on arm64, arm, x86_64 and i386.
>
>[  329.383391] refcount_t: underflow; use-after-free.
>[  329.391025] WARNING: CPU: 0 PID: 2604 at
>/usr/src/kernel/lib/refcount.c:28 refcount_warn_saturate+0xd4/0x150
>[  329.403319] Modules linked in: cls_bpf sch_fq algif_hash af_alg
>rfkill tda998x drm_kms_helper drm crct10dif_ce fuse
>[  329.413828] CPU: 0 PID: 2604 Comm: binderfs_test Not tainted
>5.6.0-rc5 #1
>[  329.420640] Hardware name: ARM Juno development board (r2) (DT)
>[  329.426584] pstate: 40000005 (nZcv daif -PAN -UAO)
>[  329.431402] pc : refcount_warn_saturate+0xd4/0x150
>[  329.436216] lr : refcount_warn_saturate+0xd4/0x150
>[  329.441026] sp : ffff800013d03a70
>[  329.444356] x29: ffff800013d03a70 x28: ffff00092c3f8000
>[  329.449694] x27: 0000000000000000 x26: ffff80001236f000
>[  329.455033] x25: ffff800012656000 x24: 0000000000000001
>[  329.460371] x23: ffff800012656f76 x22: ffff80001265b2c0
>[  329.465709] x21: ffff000929035c00 x20: ffff00095cd8ce00
>[  329.471048] x19: ffff80001261c848 x18: ffffffffffffffff
>[  329.476386] x17: 0000000000000000 x16: 0000000000000000
>[  329.481724] x15: ffff80001236fa88 x14: ffff800093d03767
>[  329.487062] x13: ffff800013d03775 x12: ffff80001239e000
>[  329.492400] x11: 0000000005f5e0ff x10: ffff800013d03700
>[  329.497738] x9 : ffff8000126ddc68 x8 : 0000000000000028
>[  329.503076] x7 : ffff800010190a5c x6 : ffff00097ef0b428
>[  329.508414] x5 : ffff00097ef0b428 x4 : ffff00092c3f8000
>[  329.513752] x3 : ffff800012370000 x2 : 0000000000000000
>[  329.519090] x1 : 295161095161e100 x0 : 0000000000000000
>[  329.524429] Call trace:
>[  329.526894]  refcount_warn_saturate+0xd4/0x150
>[  329.531362]  binderfs_evict_inode+0xcc/0xe8
>[  329.535567]  evict+0xa8/0x188
>[  329.538552]  iput+0x278/0x318
>[  329.541537]  dentry_unlink_inode+0x154/0x170
>[  329.545827]  __dentry_kill+0xc4/0x1d8
>[  329.549509]  shrink_dentry_list+0xf4/0x210
>[  329.553625]  shrink_dcache_parent+0x124/0x210
>[  329.558002]  do_one_tree+0x20/0x50
>[  329.561423]  shrink_dcache_for_umount+0x30/0x98
>[  329.565975]  generic_shutdown_super+0x2c/0xf8
>[  329.570354]  kill_anon_super+0x24/0x48
>[  329.574122]  kill_litter_super+0x2c/0x38
>[  329.578065]  binderfs_kill_super+0x24/0x48
>[  329.582182]  deactivate_locked_super+0x74/0xa0
>[  329.586647]  deactivate_super+0x8c/0x98
>[  329.590502]  cleanup_mnt+0xd8/0x130
>[  329.594008]  __cleanup_mnt+0x20/0x30
>[  329.597605]  task_work_run+0x90/0x150
>[  329.601287]  do_notify_resume+0x130/0x498
>[  329.605317]  work_pending+0x8/0x14
>[  329.608736] irq event stamp: 1612
>[  329.612072] hardirqs last  enabled at (1611): [<ffff800010190bf4>]
>console_unlock+0x514/0x5d8
>[  329.620631] hardirqs last disabled at (1612): [<ffff8000100a904c>]
>debug_exception_enter+0xac/0xe8
>[  329.629622] softirqs last  enabled at (1608): [<ffff8000100818bc>]
>__do_softirq+0x4c4/0x578
>[  329.638005] softirqs last disabled at (1561): [<ffff80001010b6ac>]
>irq_exit+0x144/0x150
>[  329.646035] ---[ end trace bac6584738d9306f ]---
>
>Metadata:
>---------------
>  git branch: master
>git repo:
>https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
>  git describe: v5.6-rc5
>  kernel-config:
>http://snapshots.linaro.org/openembedded/lkft/lkft/sumo/intel-corei7-64/lkft/linux-mainline/2518/config
>
>Full test log,
>https://lkft.validation.linaro.org/scheduler/job/1273667#L6591
>https://lkft.validation.linaro.org/scheduler/job/1273569#L6222
>https://lkft.validation.linaro.org/scheduler/job/1273548#L6126
>https://lkft.validation.linaro.org/scheduler/job/1273596#L4687

Thanks, I'll take a look in a little bit.

