linux-can / linux

Linux kernel source tree

ref counting issue for echo skbs

olerem opened this issue · comments

This issue is reproducible only on a real interface and not with vcan:

testj1939 -B -r can0: &
cansend can0 1823ff40#0123

After these steps we will get the following warning:

[242410.368391] can: SAE J1939
[242410.848182] ------------[ cut here ]------------
[242410.853056] WARNING: CPU: 0 PID: 1101 at lib/refcount.c:156 refcount_inc_checked+0x50/0x54
[242410.861515] refcount_t: increment on 0; use-after-free.
[242410.866848] Modules linked in: can_j1939 coda_vpu imx_vdoa videobuf2_vmalloc dw_hdmi_ahb_audio vcan
[242410.876094] CPU: 0 PID: 1101 Comm: cansend Not tainted 5.4.0-rc4-00015-g723fbf781146 #1
[242410.884207] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
[242410.890834] Backtrace: 
[242410.893410] [<c010f57c>] (dump_backtrace) from [<c010f918>] (show_stack+0x20/0x24)
[242410.901092]  r7:60000113 r6:c13b6cf8 r5:00000000 r4:c13b6cf8
[242410.906873] [<c010f8f8>] (show_stack) from [<c0c06638>] (dump_stack+0x80/0x94)
[242410.914214] [<c0c065b8>] (dump_stack) from [<c0127c14>] (__warn+0xe0/0x108)
[242410.921284]  r7:0000009c r6:c052526c r5:00000009 r4:c0ff056c
[242410.927054] [<c0127b34>] (__warn) from [<c0127ff0>] (warn_slowpath_fmt+0xa8/0xcc)
[242410.934644]  r7:c052526c r6:0000009c r5:c0ff056c r4:c0ff05a8
[242410.940421] [<c0127f4c>] (warn_slowpath_fmt) from [<c052526c>] (refcount_inc_checked+0x50/0x54)
[242410.949229]  r8:eccec780 r7:ecd63000 r6:ed76ec00 r5:ed1cee40 r4:ed1ce6c0
[242410.956101] [<c052521c>] (refcount_inc_checked) from [<bf030d50>] (j1939_can_recv+0x48/0x190 [can_j1939])
[242410.965818] [<bf030d08>] (j1939_can_recv [can_j1939]) from [<c0a9d508>] (can_rcv_filter+0xb4/0x268)
[242410.974974]  r7:ed1cee40 r6:9823ff40 r5:00000001 r4:ec0da000
[242410.980747] [<c0a9d454>] (can_rcv_filter) from [<c0a9dd98>] (can_receive+0xb0/0xe4)
[242410.988515]  r9:ec19fca4 r8:00000000 r7:eccec000 r6:ed055940 r5:c139d040 r4:ed1cee40
[242410.996370] [<c0a9dce8>] (can_receive) from [<c0a9de14>] (can_rcv+0x48/0x98)
[242411.003530]  r9:ec19fca4 r8:eccec650 r7:eccec630 r6:0000003d r5:c0a9ddcc r4:ed1cee40
[242411.011392] [<c0a9ddcc>] (can_rcv) from [<c098cdcc>] (__netif_receive_skb_one_core+0x64/0x88)
[242411.020021]  r5:c0a9ddcc r4:ed1cee40
[242411.023712] [<c098cd68>] (__netif_receive_skb_one_core) from [<c098ce60>] (__netif_receive_skb+0x38/0x94)
[242411.033380]  r5:c130633c r4:ed1cee40
[242411.037069] [<c098ce28>] (__netif_receive_skb) from [<c098cf20>] (netif_receive_skb_internal+0x64/0xf8)
[242411.046563]  r5:c130633c r4:ed1cee40
[242411.050250] [<c098cebc>] (netif_receive_skb_internal) from [<c098cfe8>] (netif_receive_skb+0x34/0x19c)
[242411.059659]  r5:00000001 r4:ed1cee40
[242411.063356] [<c098cfb4>] (netif_receive_skb) from [<c0770a28>] (can_rx_offload_napi_poll+0x58/0xb4)
[242411.072506]  r5:00000001 r4:eccec000
[242411.076198] [<c07709d0>] (can_rx_offload_napi_poll) from [<c098ea5c>] (net_rx_action+0x144/0x490)
[242411.085183]  r9:ec19fca4 r8:01716e8d r7:c12df280 r6:0000003d r5:00000001 r4:eccec650
[242411.093043] [<c098e918>] (net_rx_action) from [<c01025e8>] (__do_softirq+0x170/0x464)
[242411.100982]  r10:ec19e000 r9:00000102 r8:00000001 r7:c13be8e4 r6:00000003 r5:00000001
[242411.108911]  r4:c130308c
[242411.111562] [<c0102478>] (__do_softirq) from [<c012eb78>] (irq_exit+0xd8/0xf0)
[242411.118899]  r10:ec19fdc0 r9:ec008c00 r8:00000000 r7:00000001 r6:00000000 r5:00000022
[242411.126829]  r4:c12de4c0
[242411.129481] [<c012eaa0>] (irq_exit) from [<c018007c>] (__handle_domain_irq+0x90/0xf8)
[242411.137414]  r5:00000022 r4:c12de494
[242411.141100] [<c017ffec>] (__handle_domain_irq) from [<c0102354>] (gic_handle_irq+0x5c/0xa0)
[242411.149564]  r10:00000088 r9:ec19fdc0 r8:f4001100 r7:f4000100 r6:f400010c r5:c135a404
[242411.157495]  r4:c1305578 r3:ec19fdc0
[242411.161181] [<c01022f8>] (gic_handle_irq) from [<c0101a8c>] (__irq_svc+0x6c/0xa8)
[242411.168766] Exception stack(0xec19fdc0 to 0xec19fe08)
[242411.173931] fdc0: eda45000 00000000 00000001 effe96d8 ec19feb4 effe96d8 eda4af20 00000000
[242411.182220] fde0: 00000000 4f98618f 00000088 ec19fe44 ec19fe48 ec19fe10 c02a6cf8 c02a3984
[242411.190498] fe00: 60000113 ffffffff
[242411.194097]  r9:ec19e000 r8:00000000 r7:ec19fdf4 r6:ffffffff r5:60000113 r4:c02a3984
[242411.201964] [<c02a6c2c>] (alloc_set_pte) from [<c026b760>] (filemap_map_pages+0x390/0x3b8)
[242411.210342]  r10:00000088 r9:ed880840 r8:ea5f55f8 r7:00000001 r6:ec19feb4 r5:00000406
[242411.218273]  r4:effe96d8
[242411.220921] [<c026b3d0>] (filemap_map_pages) from [<c02a7c08>] (handle_mm_fault+0xc28/0x115c)
[242411.229557]  r10:eda45040 r9:ec19feb4 r8:00000079 r7:00000040 r6:b6f51000 r5:00000088
[242411.237487]  r4:c026b3d0
[242411.240137] [<c02a6fe0>] (handle_mm_fault) from [<c0118954>] (do_page_fault+0x12c/0x40c)
[242411.248339]  r10:eda45040 r9:eda4af20 r8:eda45000 r7:edb1b200 r6:80000007 r5:b6f5174c
[242411.256268]  r4:ec19ffb0
[242411.258915] [<c0118828>] (do_page_fault) from [<c0118ee4>] (do_PrefetchAbort+0x48/0x9c)
[242411.267028]  r10:b6fcf620 r9:00000000 r8:c0118828 r7:ec19ffb0 r6:b6f5174c r5:00000007
[242411.274957]  r4:c130aa04
[242411.277604] [<c0118e9c>] (do_PrefetchAbort) from [<c010210c>] (ret_from_exception+0x0/0x14)
[242411.286056] Exception stack(0xec19ffb0 to 0xec19fff8)
[242411.291214] ffa0:                                     00000000 00000000 00000000 e22dbd00
[242411.299502] ffc0: b6fcd434 b6fcd434 00000000 00000000 00000001 00000000 b6fcf620 b6fcc000
[242411.307787] ffe0: 00429f7c bee1bc50 b6f02981 b6f5174c 60000030 ffffffff
[242411.314511]  r8:10c5387d r7:10c5387d r6:ffffffff r5:60000030 r4:b6f5174c
[242411.321425] ---[ end trace e34de087d9f73e02 ]---
[242411.326180] flexcan 2090000.flexcan can0: j1939_simple_recv: Received already invalidated message
[242411.335217] ------------[ cut here ]------------
[242411.339963] WARNING: CPU: 0 PID: 1101 at lib/refcount.c:190 refcount_sub_and_test_checked+0xa8/0xb8
[242411.349158] refcount_t: underflow; use-after-free.
[242411.354095] Modules linked in: can_j1939 coda_vpu imx_vdoa videobuf2_vmalloc dw_hdmi_ahb_audio vcan
[242411.363333] CPU: 0 PID: 1101 Comm: cansend Tainted: G        W         5.4.0-rc4-00015-g723fbf781146 #1
[242411.372829] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
[242411.379456] Backtrace: 
[242411.382024] [<c010f57c>] (dump_backtrace) from [<c010f918>] (show_stack+0x20/0x24)
[242411.389705]  r7:60000113 r6:c13b6cf8 r5:00000000 r4:c13b6cf8
[242411.395486] [<c010f8f8>] (show_stack) from [<c0c06638>] (dump_stack+0x80/0x94)
[242411.402825] [<c0c065b8>] (dump_stack) from [<c0127c14>] (__warn+0xe0/0x108)
[242411.409895]  r7:000000be r6:c0525318 r5:00000009 r4:c0ff056c
[242411.415664] [<c0127b34>] (__warn) from [<c0127ff0>] (warn_slowpath_fmt+0xa8/0xcc)
[242411.423255]  r7:c0525318 r6:000000be r5:c0ff056c r4:c0ff05d8
[242411.429033] [<c0127f4c>] (warn_slowpath_fmt) from [<c0525318>] (refcount_sub_and_test_checked+0xa8/0xb8)
[242411.438622]  r8:eccec780 r7:ecd63000 r6:ed983a08 r5:bf030e78 r4:00000000
[242411.445439] [<c0525270>] (refcount_sub_and_test_checked) from [<c0525340>] (refcount_dec_and_test_checked+0x18/0x1c)
[242411.456064]  r5:bf030e78 r4:ed76ec00
[242411.459758] [<c0525328>] (refcount_dec_and_test_checked) from [<c096bbac>] (sock_efree+0x20/0x34)
[242411.468748] [<c096bb8c>] (sock_efree) from [<c0972628>] (skb_release_head_state+0x60/0x90)
[242411.477116]  r5:bf030e78 r4:ed1ce6c0
[242411.480808] [<c09725c8>] (skb_release_head_state) from [<c0972674>] (skb_release_all+0x1c/0x34)
[242411.489608]  r5:bf030e78 r4:ed1ce6c0
[242411.493298] [<c0972658>] (skb_release_all) from [<c0972700>] (kfree_skb+0x4c/0x114)
[242411.501057]  r5:bf030e78 r4:ed1ce6c0
[242411.504796] [<c09726b4>] (kfree_skb) from [<bf030e78>] (j1939_can_recv+0x170/0x190 [can_j1939])
[242411.513604]  r7:ecd63000 r6:ed983a08 r5:ecd63008 r4:ed1ce6c0
[242411.519410] [<bf030d08>] (j1939_can_recv [can_j1939]) from [<c0a9d508>] (can_rcv_filter+0xb4/0x268)
[242411.528562]  r7:ed1cee40 r6:9823ff40 r5:00000001 r4:ec0da000
[242411.534333] [<c0a9d454>] (can_rcv_filter) from [<c0a9dd98>] (can_receive+0xb0/0xe4)
[242411.542099]  r9:ec19fca4 r8:00000000 r7:eccec000 r6:ed055940 r5:c139d040 r4:ed1cee40
[242411.549954] [<c0a9dce8>] (can_receive) from [<c0a9de14>] (can_rcv+0x48/0x98)
[242411.557113]  r9:ec19fca4 r8:eccec650 r7:eccec630 r6:0000003d r5:c0a9ddcc r4:ed1cee40
[242411.564971] [<c0a9ddcc>] (can_rcv) from [<c098cdcc>] (__netif_receive_skb_one_core+0x64/0x88)
[242411.573598]  r5:c0a9ddcc r4:ed1cee40
[242411.577286] [<c098cd68>] (__netif_receive_skb_one_core) from [<c098ce60>] (__netif_receive_skb+0x38/0x94)
[242411.586954]  r5:c130633c r4:ed1cee40
[242411.590644] [<c098ce28>] (__netif_receive_skb) from [<c098cf20>] (netif_receive_skb_internal+0x64/0xf8)
[242411.600138]  r5:c130633c r4:ed1cee40
[242411.603826] [<c098cebc>] (netif_receive_skb_internal) from [<c098cfe8>] (netif_receive_skb+0x34/0x19c)
[242411.613233]  r5:00000001 r4:ed1cee40
[242411.616928] [<c098cfb4>] (netif_receive_skb) from [<c0770a28>] (can_rx_offload_napi_poll+0x58/0xb4)
[242411.626076]  r5:00000001 r4:eccec000
[242411.629767] [<c07709d0>] (can_rx_offload_napi_poll) from [<c098ea5c>] (net_rx_action+0x144/0x490)
[242411.638750]  r9:ec19fca4 r8:01716e8d r7:c12df280 r6:0000003d r5:00000001 r4:eccec650
[242411.646609] [<c098e918>] (net_rx_action) from [<c01025e8>] (__do_softirq+0x170/0x464)
[242411.654550]  r10:ec19e000 r9:00000102 r8:00000001 r7:c13be8e4 r6:00000003 r5:00000001
[242411.662480]  r4:c130308c
[242411.665128] [<c0102478>] (__do_softirq) from [<c012eb78>] (irq_exit+0xd8/0xf0)
[242411.672462]  r10:ec19fdc0 r9:ec008c00 r8:00000000 r7:00000001 r6:00000000 r5:00000022
[242411.680391]  r4:c12de4c0
[242411.683040] [<c012eaa0>] (irq_exit) from [<c018007c>] (__handle_domain_irq+0x90/0xf8)
[242411.690972]  r5:00000022 r4:c12de494
[242411.694659] [<c017ffec>] (__handle_domain_irq) from [<c0102354>] (gic_handle_irq+0x5c/0xa0)
[242411.703121]  r10:00000088 r9:ec19fdc0 r8:f4001100 r7:f4000100 r6:f400010c r5:c135a404
[242411.711053]  r4:c1305578 r3:ec19fdc0
[242411.714740] [<c01022f8>] (gic_handle_irq) from [<c0101a8c>] (__irq_svc+0x6c/0xa8)
[242411.722326] Exception stack(0xec19fdc0 to 0xec19fe08)
[242411.727490] fdc0: eda45000 00000000 00000001 effe96d8 ec19feb4 effe96d8 eda4af20 00000000
[242411.735779] fde0: 00000000 4f98618f 00000088 ec19fe44 ec19fe48 ec19fe10 c02a6cf8 c02a3984
[242411.744058] fe00: 60000113 ffffffff
[242411.747657]  r9:ec19e000 r8:00000000 r7:ec19fdf4 r6:ffffffff r5:60000113 r4:c02a3984
[242411.755519] [<c02a6c2c>] (alloc_set_pte) from [<c026b760>] (filemap_map_pages+0x390/0x3b8)
[242411.763894]  r10:00000088 r9:ed880840 r8:ea5f55f8 r7:00000001 r6:ec19feb4 r5:00000406
[242411.771824]  r4:effe96d8
[242411.774471] [<c026b3d0>] (filemap_map_pages) from [<c02a7c08>] (handle_mm_fault+0xc28/0x115c)
[242411.783105]  r10:eda45040 r9:ec19feb4 r8:00000079 r7:00000040 r6:b6f51000 r5:00000088
[242411.791034]  r4:c026b3d0
[242411.793681] [<c02a6fe0>] (handle_mm_fault) from [<c0118954>] (do_page_fault+0x12c/0x40c)
[242411.801881]  r10:eda45040 r9:eda4af20 r8:eda45000 r7:edb1b200 r6:80000007 r5:b6f5174c
[242411.809810]  r4:ec19ffb0
[242411.812455] [<c0118828>] (do_page_fault) from [<c0118ee4>] (do_PrefetchAbort+0x48/0x9c)
[242411.820568]  r10:b6fcf620 r9:00000000 r8:c0118828 r7:ec19ffb0 r6:b6f5174c r5:00000007
[242411.828497]  r4:c130aa04
[242411.831143] [<c0118e9c>] (do_PrefetchAbort) from [<c010210c>] (ret_from_exception+0x0/0x14)
[242411.839594] Exception stack(0xec19ffb0 to 0xec19fff8)
[242411.844751] ffa0:                                     00000000 00000000 00000000 e22dbd00
[242411.853038] ffc0: b6fcd434 b6fcd434 00000000 00000000 00000001 00000000 b6fcf620 b6fcc000
[242411.861323] ffe0: 00429f7c bee1bc50 b6f02981 b6f5174c 60000030 ffffffff
[242411.868046]  r8:10c5387d r7:10c5387d r6:ffffffff r5:60000030 r4:b6f5174c
[242411.874911] ---[ end trace e34de087d9f73e03 ]---
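
Added example, not part of the original report: a small triage script for kernel logs in the ARM backtrace format shown above. For each `refcount_t:` warning it reports the first frame outside the warn/refcount helpers, which is the call site to inspect. The names `refcount_warnings`, `SAMPLE` and the helper-prefix list are assumptions of this example; the sample is a shortened excerpt of the log above.

```python
import re

# Shortened excerpt of the log above, embedded so the script runs offline.
SAMPLE = """\
[242410.853056] WARNING: CPU: 0 PID: 1101 at lib/refcount.c:156 refcount_inc_checked+0x50/0x54
[242410.861515] refcount_t: increment on 0; use-after-free.
[242410.940421] [<c0127f4c>] (warn_slowpath_fmt) from [<c052526c>] (refcount_inc_checked+0x50/0x54)
[242410.956101] [<c052521c>] (refcount_inc_checked) from [<bf030d50>] (j1939_can_recv+0x48/0x190 [can_j1939])
[242410.965818] [<bf030d08>] (j1939_can_recv [can_j1939]) from [<c0a9d508>] (can_rcv_filter+0xb4/0x268)
[242411.321425] ---[ end trace e34de087d9f73e02 ]---
[242411.339963] WARNING: CPU: 0 PID: 1101 at lib/refcount.c:190 refcount_sub_and_test_checked+0xa8/0xb8
[242411.349158] refcount_t: underflow; use-after-free.
[242411.445439] [<c0525270>] (refcount_sub_and_test_checked) from [<c0525340>] (refcount_dec_and_test_checked+0x18/0x1c)
[242411.459758] [<c0525328>] (refcount_dec_and_test_checked) from [<c096bbac>] (sock_efree+0x20/0x34)
[242411.468748] [<c096bb8c>] (sock_efree) from [<c0972628>] (skb_release_head_state+0x60/0x90)
[242411.874911] ---[ end trace e34de087d9f73e03 ]---
"""

STAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")
# ARM unwinder frame: "[<addr>] (callee) from [<addr>] (caller+0xoff/0xsize [module])"
FRAME = re.compile(r"\(\S+(?: \[\w+\])?\) from \[<[0-9a-f]+>\] "
                   r"\((\w+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?\)")
# Frames that belong to the warning/refcount machinery, not to the calling code.
HELPERS = re.compile(r"^(dump_|show_stack|__warn|warn_slowpath|refcount_)")

def refcount_warnings(log):
    """Return one dict per 'refcount_t:' warning with its first non-helper caller."""
    reports, cur = [], None
    for raw in log.splitlines():
        line = STAMP.sub("", raw)
        if line.startswith("WARNING:"):
            cur = {"reason": None, "caller": None, "module": None}
        elif cur is None:
            continue
        elif line.startswith("refcount_t:"):
            cur["reason"] = line.split(":", 1)[1].strip()
        elif line.startswith("---[ end trace"):
            if cur["reason"]:
                reports.append(cur)
            cur = None
        elif cur["caller"] is None:
            m = FRAME.search(line)
            if m and not HELPERS.match(m.group(1)):
                cur["caller"], cur["module"] = m.group(1), m.group(2)
    return reports

if __name__ == "__main__":
    print(refcount_warnings(SAMPLE))
```

On the excerpt this reports `j1939_can_recv` in module `can_j1939` for the increment-on-zero warning and `sock_efree` for the underflow, matching the two backtraces above.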