Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp3291941ybl; Mon, 27 Jan 2020 00:55:16 -0800 (PST) X-Google-Smtp-Source: APXvYqzKtai4yRrNJWCu1nwLqjhaBmZLb5HCjzBFBzCgQqrLxjXt0A8qTpmm9j3sB6jRTwzPvG/O X-Received: by 2002:a9d:7d9a:: with SMTP id j26mr3898654otn.21.1580115316149; Mon, 27 Jan 2020 00:55:16 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1580115316; cv=none; d=google.com; s=arc-20160816; b=CKqxYJCYnmI49EelymQnl6tsyUeGAJcWcjOlpd5Q9NrFjEjjZioNDlpAFIrpP3Jrfh z4l9Ou1dyUIf9HwOAQXa7gWve8IRqMBNUYFfYTxrDO8W+pghR8brjL246xwaY1PXPD7p jPSjir69g+XVpLrqfYVb05J+mdTVQfKIKcAt09SawPdsmj7fB9lpdZm1cnqwuDWw4cWt iHx+7ZBDbASp2k4bjpxHlGZWB/GEISKZ/qj2pomy38DCPwwTIoZZjkvN9QZ928+AbTvl GLy0lXlDrE+qB351l6oUAawMHSVZFMGxN/bIUW8xKKSaI/LAF2WOJR1VMaWzFiA/h/6e NAfA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:message-id:in-reply-to:date:references:subject:cc:to :from:dkim-signature; bh=MzyRcxue6yjRTY/bsxuSjERm4XTh8vYxPrOpGhEyNzU=; b=zNRU2sf7MIHEsvDzMcJ75EKFe3dyrEytsfcLRo7cnCPoMmT6hAZd+8b7TUxL2dJtfi SqTKlYROMmGEh0Y65XMMoKb/0qKdlt/TsxBmTiXIabsQwW8dg8MQgx487J8ya4PZor8d DPGbrtvfOFtAerXCoiBb/zEGafWyzicPCvHFpF2B9cIsVQjHXtNxkvi67Rn0zm9Eg5K6 8CqGD61SLy+m8bv8fwb9YApoHJRI2UyQQLy49SO/s3PlG5Z3sfFnfOAnHLlrR2FO+3Ng CjS9JViV4lnO0RHWv8X3ljq7oLQ19j71gmEep/5UenILMLGEdyfEL8FgvfrZqXvpejO8 bnhw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@unikie-com.20150623.gappssmtp.com header.s=20150623 header.b=GE4NNOB0; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p1si3631199otk.42.2020.01.27.00.55.04; Mon, 27 Jan 2020 00:55:16 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@unikie-com.20150623.gappssmtp.com header.s=20150623 header.b=GE4NNOB0; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729263AbgA0ImX (ORCPT + 99 others); Mon, 27 Jan 2020 03:42:23 -0500 Received: from mail-lj1-f193.google.com ([209.85.208.193]:43888 "EHLO mail-lj1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729269AbgA0ImV (ORCPT ); Mon, 27 Jan 2020 03:42:21 -0500 Received: by mail-lj1-f193.google.com with SMTP id a13so9682726ljm.10 for ; Mon, 27 Jan 2020 00:42:19 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=unikie-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:references:date:in-reply-to:message-id :user-agent:mime-version:content-transfer-encoding; bh=MzyRcxue6yjRTY/bsxuSjERm4XTh8vYxPrOpGhEyNzU=; b=GE4NNOB0RtsaSVq35OM2g+7Ru31Cosnv8xj7IIwpyF6JMX3nUX2v4EUkqokAfN+MPa ODFfrSEhw+QrxpHOfW30ebsoi4zvFdusMREDaqSZLy/cPOMcBlj398Dn+T2XuRBoPlcl rlE2Y1xWuZgwiRZDNQ+EHfCBHCkERjlOqhz7IGBjMZmwu8iYQvNO4abktTcKUabUaBLQ PcC4WvpOLt4eUXXDb7wB84GRxrdV2ezF5wBP3edLZV5cAp17907HMrJIB1BeMO+zJAja AtOqUOINiLwja+HbiQXMo8JcxDvX4ZMLHegbb+wmduAZM/pruCk6PQGSDnz+ZSpfhnZu v0NQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:references:date:in-reply-to :message-id:user-agent:mime-version:content-transfer-encoding; bh=MzyRcxue6yjRTY/bsxuSjERm4XTh8vYxPrOpGhEyNzU=; b=brSMnOGmz7kTSiJsiS8y70vf139IXoZ1fGGOi0ASer1WJSE3/yf4gSB6DvL7qgqDaT 8TGqd3aNlZgrR2xzn0H6bw2nliVnVsaM8I0yNQthkKkn0kgcCwDtVCz3RSsFGtByA+2z ZaWoSZ2AnPwO5MyWtC3MxogEtVBlaMHqqxey65upAITilEXCjh7TAt+72ANWgF8fhpdF FpA2cgSVhLxSp0JL0W7yPYGtXroHXJCC3xseVt97or+oZZJthLFamL1yzC0oDE3L4GXQ Dh5v+rz9hgyrbur96JACYKJxHGpUIDwpwbhGvG2oXMtGGk6o1iANMH3JnRyD+8hEkFLb yKIA== X-Gm-Message-State: APjAAAU3P/kIIgU7cvJDVgvfzYGuIWQHa/yhGA3w1+l3OO9VzLX4EgRF ticm5bC6vLy6o2wTdHKr6FdZKkUVXceqxg== X-Received: by 2002:a05:651c:111a:: with SMTP id d26mr9512082ljo.153.1580114538132; Mon, 27 Jan 2020 00:42:18 -0800 (PST) Received: from GL-434 ([109.204.235.119]) by smtp.gmail.com with ESMTPSA id y7sm754860ljy.92.2020.01.27.00.42.17 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Mon, 27 Jan 2020 00:42:17 -0800 (PST) From: jouni.hogander@unikie.com (Jouni =?utf-8?Q?H=C3=B6gander?=) To: Lukas Bulwahn Cc: Greg Kroah-Hartman , open list , Andrew Morton , Ben Hutchings , linux- stable , Netdev , Al Viro , linux-fsdevel@vger.kernel.org, Eric Dumazet , "David S. Miller" , syzkaller@googlegroups.com Subject: Re: [PATCH 4.19 000/306] 4.19.87-stable review References: <20191127203114.766709977@linuxfoundation.org> <20191128073623.GE3317872@kroah.com> <20191129085800.GF3584430@kroah.com> <87sgk8szhc.fsf@unikie.com> Date: Mon, 27 Jan 2020 10:42:16 +0200 In-Reply-To: (Lukas Bulwahn's message of "Sun, 26 Jan 2020 12:54:42 +0100 (CET)") Message-ID: <87h80h2suv.fsf@unikie.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Lukas Bulwahn writes: > On Wed, 22 Jan 2020, Jouni H=C3=B6gander wrote: > >> Greg Kroah-Hartman writes: >> >> > Now queued up, I'll push out -rc2 versions with this fix. >> >> > >> >> > greg k-h >> >>=20 >> >> We have also been informed about another regression these two commits >> >> are causing: >> >>=20 >> >> https://lore.kernel.org/lkml/ace19af4-7cae-babd-bac5-cd3505dcd874@I-l= ove.SAKURA.ne.jp/ >> >>=20 >> >> I suggest to drop these two patches from this queue, and give us a >> >> week to shake out the regressions of the change, and once ready, we >> >> can include the complete set of fixes to stable (probably in a week or >> >> two). >> > >> > Ok, thanks for the information, I've now dropped them from all of the >> > queues that had them in them. >> > >> > greg k-h >>=20 >> I have now run more extensive Syzkaller testing on following patches: >>=20 >> cb626bf566eb net-sysfs: Fix reference count leak >> ddd9b5e3e765 net-sysfs: Call dev_hold always in rx_queue_add_kobject >> e0b60903b434 net-sysfs: Call dev_hold always in netdev_queue_add_kobje >> 48a322b6f996 net-sysfs: fix netdev_queue_add_kobject() breakage >> b8eb718348b8 net-sysfs: Fix reference count leak in rx|netdev_queue_add_= kobject >>=20 >> These patches are fixing couple of memory leaks including this one found >> by Syzbot: https://syzkaller.appspot.com/bug?extid=3Dad8ca40ecd77896d51e2 >>=20 >> I can reproduce these memory leaks in following stable branches: 4.14, >> 4.19, and 5.4. >>=20 >> These are all now merged into net/master tree and based on my testing >> they are ready to be taken into stable branches as well. >> > > + syzkaller list > Jouni et. al, please drop Linus in further responses; Linus, it was wrong= =20 > to add you to this thread in the first place (reason is explained below) > > Jouni, thanks for investigating. > > It raises the following questions and comments: > > - Does the memory leak NOT appear on 4.9 and earlier LTS branches (or did= =20 > you not check that)? If it does not appear, can you bisect it with the=20 > reproducer to the commit between 4.14 and 4.9? I tested and these memory leaks are not reproucible in 4.9 and earlier. > > - Do the reproducers you found with your syzkaller testing show the same= =20 > behaviour (same bisection) as the reproducers from syzbot? Yes, they are same. > > - I fear syzbot's automatic bisection on is wrong, and Linus' commit=20 > 0e034f5c4bc4 ("iwlwifi: fix mis-merge that breaks the driver") is not to= =20 > blame here; that commit did not cause the memory leak, but fixed some=20 > unrelated issue that simply confuses syzbot's automatic bisection. > > Just FYI: Dmitry Vyukov's evaluation of the syzbot bisection shows that=20 > about 50% are wrong, e.g., due to multiple bugs being triggered with one= =20 > reproducer and the difficulty of automatically identifying them of being= =20 > different due to different root causes (despite the smart heuristics of=20 > syzkaller & syzbot). So, to identify the actual commit on which the memor= y=20 > leak first appeared, you need to bisect manually with your own judgement= =20 > if the reported bug stack trace fits to the issue you investigating. Or=20 > you use syzbot's automatic bisection but then with a reduced kernel confi= g=20 > that cannot be confused by other issues. You might possibly also hit a=20 > "beginning of time" in your bisection, where KASAN was simply not=20 > supported, then the initially causing commit can simply not determined by= =20 > bisection with the reproducer and needs some code inspection and=20 > archaeology with git. Can you go ahead try to identify the correct commit= =20 > for this issue? These two commits (that are not in 4.9 and earlier) are intorducing these l= eaks: commit e331c9066901dfe40bea4647521b86e9fb9901bb Author: YueHaibing Date: Tue Mar 19 10:16:53 2019 +0800 net-sysfs: call dev_hold if kobject_init_and_add success =20=20=20=20 [ Upstream commit a3e23f719f5c4a38ffb3d30c8d7632a4ed8ccd9e ] =20=20=20=20 In netdev_queue_add_kobject and rx_queue_add_kobject, if sysfs_create_group failed, kobject_put will call netdev_queue_release to decrease dev refcont, however dev_hold has not be called. So we will see this while unregistering dev: =20=20=20=20 unregister_netdevice: waiting for bcsh0 to become free. Usage count =3D= -1 =20=20=20=20 Reported-by: Hulk Robot Fixes: d0d668371679 ("net: don't decrement kobj reference count on init= fail ure") Signed-off-by: YueHaibing Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d0d6683716791b2a2761a1bb025c613eb73da6c3 Author: stephen hemminger Date: Fri Aug 18 13:46:19 2017 -0700 net: don't decrement kobj reference count on init failure =20=20=20=20 If kobject_init_and_add failed, then the failure path would decrement the reference count of the queue kobject whose reference count was already zero. =20=20=20=20 Fixes: 114cf5802165 ("bql: Byte queue limits") Signed-off-by: Stephen Hemminger Signed-off-by: David S. Miller > > > Lukas BR, Jouni H=C3=B6gander