Hello,

our bot applied this patch directly upon v6.15-rc5. could you let us know if this is a correct application?

* a78cdfa4388ab9 (linux-review/Herbert-Xu/KEYS-Invert-FINAL_PUT-bit/20250505-122533) KEYS: Invert FINAL_PUT bit
* 92a09c47464d04 (tag: v6.15-rc5,

the report below is based on this application.


kernel test robot noticed "refcount_t:underflow;use-after-free" on:

commit: a78cdfa4388ab9b210c804b92453f14bbe199cbf ("[v2 PATCH] KEYS: Invert FINAL_PUT bit")
url: https://github.com/intel-lab-lkp/linux/commits/Herbert-Xu/KEYS-Invert-FINAL_PUT-bit/20250505-122533
base: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git 92a09c47464d040866cf2b4cd052bc60555185fb
patch link: https://lore.kernel.org/all/aBccz2nJs5Asg6cN@xxxxxxxxxxxxxxxxxxx/
patch subject: [v2 PATCH] KEYS: Invert FINAL_PUT bit

in testcase: trinity
version: trinity-i386-abe9de86-1_20230429
with following parameters:

	runtime: 300s
	group: group-04
	nr_groups: 5

config: i386-randconfig-014-20250509
compiler: gcc-12
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

(please refer to attached dmesg/kmsg for entire log/backtrace)


there are other (random) issues as below.

+-------------------------------------------------------------------------+-----------+------------+
|                                                                         | v6.15-rc5 | a78cdfa438 |
+-------------------------------------------------------------------------+-----------+------------+
| boot_successes                                                          | 80        | 0          |
| boot_failures                                                           | 0         | 48         |
| refcount_t:underflow;use-after-free                                     | 0         | 48         |
| WARNING:at_lib/refcount.c:#refcount_warn_saturate                       | 0         | 47         |
| EIP:refcount_warn_saturate                                              | 0         | 48         |
| addition_on#;use-after-free                                             | 0         | 46         |
| saturated;leaking_memory                                                | 0         | 44         |
| BUG:kernel_NULL_pointer_dereference,address                             | 0         | 31         |
| Oops                                                                    | 0         | 41         |
| EIP:keyctl_read_key                                                     | 0         | 27         |
| Kernel_panic-not_syncing:Fatal_exception                                | 0         | 36         |
| BUG:unable_to_handle_page_fault_for_address                             | 0         | 10         |
| EIP:key_put                                                             | 0         | 1          |
| Kernel_panic-not_syncing:Fatal_exception_in_interrupt                   | 0         | 5          |
| EIP:kmem_cache_alloc_noprof                                             | 0         | 2          |
| BUG:Bad_rss-counter_state_mm:#type:MM_SWAPENTS_val                      | 0         | 1          |
| EIP:keyctl_describe_key                                                 | 0         | 1          |
| EIP:keyring_gc_check_iterator                                           | 0         | 1          |
| EIP:dst_destroy                                                         | 0         | 3          |
| EIP:_raw_spin_unlock_irqrestore                                         | 0         | 1          |
| EIP:put_pid                                                             | 0         | 4          |
| EIP:rb_erase                                                            | 0         | 1          |
| EIP:kernel_init_pages                                                   | 0         | 1          |
| EIP:lookup_user_key                                                     | 0         | 1          |
| EIP:strlen                                                              | 0         | 1          |
| INFO:task_blocked_for_more_than#seconds                                 | 0         | 1          |
| BUG:kernel_hang_in_test_stage                                           | 0         | 1          |
+-------------------------------------------------------------------------+-----------+------------+


If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <oliver.sang@xxxxxxxxx>
| Closes: https://lore.kernel.org/oe-lkp/202505091721.245cbe78-lkp@xxxxxxxxx


[ 8.510562][ T60] ------------[ cut here ]------------
[ 8.511283][ T60] refcount_t: underflow; use-after-free.
[ 8.511950][ T60] WARNING: CPU: 0 PID: 60 at lib/refcount.c:28 refcount_warn_saturate (kbuild/obj/consumer/i386-randconfig-014-20250509/lib/refcount.c:28 (discriminator 3))
[ 8.512948][ T60] Modules linked in:
[ 8.513488][ T60] CPU: 0 UID: 0 PID: 60 Comm: kworker/0:2 Not tainted 6.15.0-rc5-00001-ga78cdfa4388a #1 PREEMPT 231a29fdcec5e4259d3c91818150ae4baf2b3615
[ 8.514973][ T60] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[ 8.516145][ T60] Workqueue: events key_garbage_collector
[ 8.516849][ T60] EIP: refcount_warn_saturate (kbuild/obj/consumer/i386-randconfig-014-20250509/lib/refcount.c:28 (discriminator 3))
[ 8.517490][ T60] Code: fa c2 82 01 68 28 15 60 82 e8 e3 88 72 ff 0f 0b 58 c9 c3 8d b6 00 00 00 00 c6 05 2e fa c2 82 01 68 d0 14 60 82 e8 c7 88 72 ff <0f> 0b 59 c9 c3 66 90 89 c2 8b 00 3d 00 00 00 c0 74 12 83 f8 01 74
All code
========
   0:   fa                      cli
   1:   c2 82 01                ret    $0x182
   4:   68 28 15 60 82          push   $0xffffffff82601528
   9:   e8 e3 88 72 ff          call   0xffffffffff7288f1
   e:   0f 0b                   ud2
  10:   58                      pop    %rax
  11:   c9                      leave
  12:   c3                      ret
  13:   8d b6 00 00 00 00       lea    0x0(%rsi),%esi
  19:   c6 05 2e fa c2 82 01    movb   $0x1,-0x7d3d05d2(%rip)        # 0xffffffff82c2fa4e
  20:   68 d0 14 60 82          push   $0xffffffff826014d0
  25:   e8 c7 88 72 ff          call   0xffffffffff7288f1
  2a:*  0f 0b                   ud2             <-- trapping instruction
  2c:   59                      pop    %rcx
  2d:   c9                      leave
  2e:   c3                      ret
  2f:   66 90                   xchg   %ax,%ax
  31:   89 c2                   mov    %eax,%edx
  33:   8b 00                   mov    (%rax),%eax
  35:   3d 00 00 00 c0          cmp    $0xc0000000,%eax
  3a:   74 12                   je     0x4e
  3c:   83 f8 01                cmp    $0x1,%eax
  3f:   74                      .byte 0x74

Code starting with the faulting instruction
===========================================
   0:   0f 0b                   ud2
   2:   59                      pop    %rcx
   3:   c9                      leave
   4:   c3                      ret
   5:   66 90                   xchg   %ax,%ax
   7:   89 c2                   mov    %eax,%edx
   9:   8b 00                   mov    (%rax),%eax
   b:   3d 00 00 00 c0          cmp    $0xc0000000,%eax
  10:   74 12                   je     0x24
  12:   83 f8 01                cmp    $0x1,%eax
  15:   74                      .byte 0x74
[ 8.519470][ T60] EAX: 00000026 EBX: 85c8c9c0 ECX: 0000025c EDX: 00000000
[ 8.520241][ T60] ESI: 85d4ede0 EDI: 821a0f00 EBP: 8405fe6c ESP: 8405fe68
[ 8.521168][ T60] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 EFLAGS: 00010286
[ 8.522055][ T60] CR0: 80050033 CR2: 77ecb6a1 CR3: 040b8000 CR4: 000406f0
[ 8.522824][ T60] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[ 8.523614][ T60] DR6: fffe0ff0 DR7: 00000400
[ 8.524161][ T60] Call Trace:
[ 8.524619][ T60] key_put (kbuild/obj/consumer/i386-randconfig-014-20250509/include/linux/refcount.h:400 kbuild/obj/consumer/i386-randconfig-014-20250509/include/linux/refcount.h:432 kbuild/obj/consumer/i386-randconfig-014-20250509/include/linux/refcount.h:450 kbuild/obj/consumer/i386-randconfig-014-20250509/security/keys/key.c:652)
[ 8.525119][ T60] keyring_free_object (kbuild/obj/consumer/i386-randconfig-014-20250509/security/keys/keyring.c:390)
[ 8.525736][ T60] assoc_array_destroy_subtree+0x7b/0x17c
[ 8.526446][ T60] assoc_array_destroy (kbuild/obj/consumer/i386-randconfig-014-20250509/lib/assoc_array.c:445)
[ 8.527048][ T60] keyring_destroy (kbuild/obj/consumer/i386-randconfig-014-20250509/security/keys/keyring.c:432)
[ 8.527617][ T60] key_gc_unused_keys+0xfb/0x134
[ 8.528301][ T60] key_garbage_collector (kbuild/obj/consumer/i386-randconfig-014-20250509/security/keys/gc.c:305)
[ 8.528967][ T60] process_one_work (kbuild/obj/consumer/i386-randconfig-014-20250509/kernel/workqueue.c:3243)
[ 8.529586][ T60] worker_thread (kbuild/obj/consumer/i386-randconfig-014-20250509/kernel/workqueue.c:3313 kbuild/obj/consumer/i386-randconfig-014-20250509/kernel/workqueue.c:3400)
[ 8.530157][ T60] kthread (kbuild/obj/consumer/i386-randconfig-014-20250509/kernel/kthread.c:464)
[ 8.530681][ T60] ? rescuer_thread (kbuild/obj/consumer/i386-randconfig-014-20250509/kernel/workqueue.c:3346)
[ 8.531244][ T60] ? kthread_fetch_affinity+0x34/0x34
[ 8.531930][ T60] ret_from_fork (kbuild/obj/consumer/i386-randconfig-014-20250509/arch/x86/kernel/process.c:159)
[ 8.532498][ T60] ? kthread_fetch_affinity+0x34/0x34
[ 8.533164][ T60] ret_from_fork_asm (kbuild/obj/consumer/i386-randconfig-014-20250509/arch/x86/entry/entry_32.S:737)
[ 8.533766][ T60] entry_INT80_32 (kbuild/obj/consumer/i386-randconfig-014-20250509/arch/x86/entry/entry_32.S:945)
[ 8.534333][ T60] irq event stamp: 3905
[ 8.534868][ T60] hardirqs last enabled at (3917): __up_console_sem (kbuild/obj/consumer/i386-randconfig-014-20250509/arch/x86/include/asm/irqflags.h:42 (discriminator 1) kbuild/obj/consumer/i386-randconfig-014-20250509/arch/x86/include/asm/irqflags.h:119 (discriminator 1) kbuild/obj/consumer/i386-randconfig-014-20250509/arch/x86/include/asm/irqflags.h:159 (discriminator 1) kbuild/obj/consumer/i386-randconfig-014-20250509/kernel/printk/printk.c:344 (discriminator 1))
[ 8.535880][ T60] hardirqs last disabled at (3928): __up_console_sem (kbuild/obj/consumer/i386-randconfig-014-20250509/kernel/printk/printk.c:342 (discriminator 1))
[ 8.535891][ T60] softirqs last enabled at (3856): handle_softirqs (kbuild/obj/consumer/i386-randconfig-014-20250509/kernel/softirq.c:426 kbuild/obj/consumer/i386-randconfig-014-20250509/kernel/softirq.c:607)
[ 8.535896][ T60] softirqs last disabled at (3851): __do_softirq (kbuild/obj/consumer/i386-randconfig-014-20250509/kernel/softirq.c:614)
[ 8.535904][ T60] ---[ end trace 0000000000000000 ]---


The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20250509/202505091721.245cbe78-lkp@xxxxxxxxx

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki