Received: by 2002:a05:6a10:c7c6:0:0:0:0 with SMTP id h6csp2794268pxy;
        Tue, 3 Aug 2021 15:41:57 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwLkNCa5MZLRt+Y0HIugxhn6ydT3vGKZCzrPFWHqc4HehE061gF6oPP9kRhOAcR/TcwZ7/1
X-Received: by 2002:a05:6402:424e:: with SMTP id g14mr28701210edb.364.1628030517262;
        Tue, 03 Aug 2021 15:41:57 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1628030517; cv=none;
        d=google.com; s=arc-20160816;
        b=XA+C2CClpVKNxjSKqtGzLN28mTcBzKp+njj3qhW/bGzkqHfEKKxj0e4VwnCWNjQ9Ko
         WakwB7Ot/BxuKlKZbHO2bjpO6vc9xBV3Z7cax3l13tdK7HniYvkLe1wdKZQx2FhKAVBH
         7DavhBkbTSvrXyOoAAtOaySEo36OANrOfGFf9NiX+Uz2ORQvSRf/znT2KaUCo1UZ2Q/p
         AS202x6WnXmHh8oAb15GOQKS0bGK/JgEU2QULqH6s1nj8ITVWeGpJeti0ORc3sPVEo52
         Cs90qZY8F51nHOXQmBEPJ7jpZJptaS9wyXa0P8UzdVCeBOjqJlDB8JV7/RazrcSo+d6O
         RhSQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:content-language
         :in-reply-to:mime-version:user-agent:date:message-id:from:references
         :cc:to:subject:dkim-signature;
        bh=IxvJ3kNcHqPJOltM6QEZR4op6Xq6Iap0fFQoq3XfjDk=;
        b=p6+nseXDXJNTvPivFhlVir1zMDew7f/6YAN8SOr3IqzAtGPjMHQ8t4HBs/Jp0En9ES
         Hy2htgX/+yuC7m0f3j5sVqqi6rRx4xTdT2bnxqL+55vcLw6CHX8GgonVjZddx4jLxVFE
         j2XeF0JUbmGE3iyP0KYmc6ycAi6BtkcNdYEO+/HT5TgTipajV2Y117fmB76wzzKSti9U
         Rr4hFWiTGaIZUeA1McPsTwrlt5an6IldRJoenXjPpTxTkehsfHXj2y038OEYzaCt8U6l
         ESypxLO2rRXpO8is9fd4MIMZgw8RBuX+nyO3Zm2lBwXKlKtNcNSnIx7B0RgKmrsGgiP7
         x+Cw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=pNRU89QY;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id gn42si166291ejc.509.2021.08.03.15.41.33;
        Tue, 03 Aug 2021 15:41:57 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=pNRU89QY;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S233085AbhHCWcU (ORCPT <rfc822;liq3ea@gmail.com> + 99 others);
        Tue, 3 Aug 2021 18:32:20 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35504 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S233000AbhHCWcS (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 3 Aug 2021 18:32:18 -0400
Received: from mail-oi1-x22e.google.com (mail-oi1-x22e.google.com [IPv6:2607:f8b0:4864:20::22e])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C408AC061757;
        Tue,  3 Aug 2021 15:32:06 -0700 (PDT)
Received: by mail-oi1-x22e.google.com with SMTP id u25so612212oiv.5;
        Tue, 03 Aug 2021 15:32:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=subject:to:cc:references:from:message-id:date:user-agent
         :mime-version:in-reply-to:content-language:content-transfer-encoding;
        bh=IxvJ3kNcHqPJOltM6QEZR4op6Xq6Iap0fFQoq3XfjDk=;
        b=pNRU89QYktJGX/U529VWINcWShMtjw+tMcMUL8zyoreyigdHRuNOICggg5JhqFCuJ0
         Vj/JIorfE6IQQtxMfub4IACvm0IcyVPDbwkPmdG2pqXikHzPoLLu6TsHLeypOpTe7EqS
         vHea/r/QJfSwSspbmR5f9/Aw3fUt+6u5MP6/kJfzQwBtZu0kUzJcpISTdAjT0IwU5jNQ
         H2wDBn3US0wE9xW81pnN7M+fYFoB4cL2t7y6PHanNwQyUGztXu6Bbfokyns3HYwWkgDA
         8qd3b3r38KE+t/kUquWc+aBwBTvEVtaWYC9RKL9n9hzq4NukICNQAUbgN98Uht+6EUpd
         vduQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:cc:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-language
         :content-transfer-encoding;
        bh=IxvJ3kNcHqPJOltM6QEZR4op6Xq6Iap0fFQoq3XfjDk=;
        b=mvU/OGrd0xBtNQaGyo3k4WzO0fzUxIbgMfHdC9FASFKL12LUgBI54NhL8qkx0U53Fu
         nQpU4gsHbLhzWxVgTjH4eJTooNBEbgMH6+JmT0pRBIASFor7OAT1dpcjc3FUAbJ9Hwty
         1MfPWlgl9a7sgp3miwbZGCC3gx1c4q2nLjskbrpUO7f84KsTEnlsr1SFaxzuHmZdOgD9
         QkcTdeST8ev6vW0ijg6q5cJxozlLtLLvJgx7JflV3J/0UvQyid0ItIzJOs7ccRqLHHy/
         XkBREF8gcbM0T7qcwOC+pwx9YIYENA3tBQR45uOf8cAZAyCqn79QACjjWQg6472OrF7v
         0xHA==
X-Gm-Message-State: AOAM530bB5SF2ASkIMPFdbmZ+Ozu1aRM89xLxT7+kJ907jbD0qmnHM1y
        iDORjdxsBGN+NvtTPORvaSw=
X-Received: by 2002:aca:f354:: with SMTP id r81mr4913255oih.99.1628029924767;
        Tue, 03 Aug 2021 15:32:04 -0700 (PDT)
Received: from Davids-MacBook-Pro.local ([8.48.134.27])
        by smtp.googlemail.com with ESMTPSA id a7sm73851oti.47.2021.08.03.15.32.03
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Tue, 03 Aug 2021 15:32:04 -0700 (PDT)
Subject: Re: [syzbot] net-next boot error: WARNING: refcount bug in
 fib_create_info
To:     Jakub Kicinski <kuba@kernel.org>,
        Pavel Skripkin <paskripkin@gmail.com>
Cc:     syzbot <syzbot+c5ac86461673ef58847c@syzkaller.appspotmail.com>,
        davem@davemloft.net, dsahern@kernel.org,
        linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
        syzkaller-bugs@googlegroups.com, yoshfuji@linux-ipv6.org
References: <0000000000005e090405c8a9e1c3@google.com>
 <02372175-c3a1-3f8e-28fe-66d812f4c612@gmail.com>
 <e6eab0c9-7b2e-179b-b9c0-459dd9a75ed1@gmail.com>
 <20210803140435.19e560fe@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com>
From:   David Ahern <dsahern@gmail.com>
Message-ID: <80ea9025-05a7-ab21-ed53-5527356c4464@gmail.com>
Date:   Tue, 3 Aug 2021 16:32:02 -0600
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0)
 Gecko/20100101 Thunderbird/78.12.0
MIME-Version: 1.0
In-Reply-To: <20210803140435.19e560fe@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 8/3/21 3:04 PM, Jakub Kicinski wrote:
>>>
>>> diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
>>> index f29feb7772da..bb9949f6bb70 100644
>>> --- a/net/ipv4/fib_semantics.c
>>> +++ b/net/ipv4/fib_semantics.c
>>> @@ -1428,6 +1428,7 @@ struct fib_info *fib_create_info(struct fib_config
>>> *cfg,
>>>    	}
>>>
>>>    	fib_info_cnt++;
>>> +	refcount_set(&fi->fib_treeref, 1);
>>>    	fi->fib_net = net;
>>>    	fi->fib_protocol = cfg->fc_protocol;
>>>    	fi->fib_scope = cfg->fc_scope;
>>
>> Oops, it's already fixed in -next, so
>>
>> #syz fix: ipv4: Fix refcount warning for new fib_info
>>
>>
>> BTW: there is one more bug with refcounts:
>>
>> link_it:
>> 	ofi = fib_find_info(fi);
>> 	if (ofi) {
>> 		fi->fib_dead = 1;
>> 		free_fib_info(fi);
>> 		refcount_inc(&ofi->fib_treeref);
>>
>> 		^^^^^^^^^^^^^^^^^^^^^^^
>> 		/ *fib_treeref is 0 here */
> 
> Why 0? ofi is an existing object it's already initialized.

yes, it is an existing object with a non-0 refcount.

> 
>> 		return ofi;
>> 	}
>>
>> 	refcount_set(&fi->fib_treeref, 1);
>>
>>
>> diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
>> index f29feb7772da..38d1fc4d0be1 100644
>> --- a/net/ipv4/fib_semantics.c
>> +++ b/net/ipv4/fib_semantics.c
>> @@ -1543,6 +1543,8 @@ struct fib_info *fib_create_info(struct fib_config 
>> *cfg,
>>   	}
>>
>>   link_it:
>> +	refcount_set(&fi->fib_treeref, 1);

moving the refcount_set here causes all kinds of problems with the
release and error paths in this function.