Re: [BUG][5.20] refcount_t: underflow; use-after-free

From: Mikhail Gavrilov
Date: Mon Sep 19 2022 - 19:28:17 EST


Hi!
Unfortunately, the use-after-free issue still happens on the 6.0-rc5 kernel.
The issue has become hard to reproduce. I spent the whole day at the computer;
when the use-after-free happened again, I was playing the game Tiny Tina's
Wonderlands.
Therefore, forget about reproducibility. All that remains is to hope for
logs and tracing.
I didn't see anything new in the logs. It seems that we need to
somehow expand the logging so that the next time this happens we have
more information.

Sep 18 20:52:16 primary-ws gnome-shell[2388]: meta_window_set_stack_position_no_sync: assertion 'window->stack_position >= 0' failed
Sep 18 20:52:27 primary-ws gnome-shell[2388]: meta_window_set_stack_position_no_sync: assertion 'window->stack_position >= 0' failed
Sep 18 20:53:44 primary-ws gnome-shell[2388]: Window manager warning: Window 0x4e00003 sets an MWM hint indicating it isn't resizable, but sets min size 1 x 1 and max size 2147483647 x 2147483647; this doesn't make much sense.
Sep 18 20:53:45 primary-ws kernel: umip_printk: 11 callbacks suppressed
Sep 18 20:53:45 primary-ws kernel: umip: Wonderlands.exe[213853] ip:14ebb0d03 sp:4ee528: SGDT instruction cannot be used by applications.
Sep 18 20:53:45 primary-ws kernel: umip: Wonderlands.exe[213853] ip:14ebb0d03 sp:4ee528: For now, expensive software emulation returns the result.
Sep 18 20:53:53 primary-ws gnome-shell[2388]: meta_window_set_stack_position_no_sync: assertion 'window->stack_position >= 0' failed
Sep 18 20:53:53 primary-ws kernel: umip: Wonderlands.exe[213853] ip:14ebb0d03 sp:4ee528: SGDT instruction cannot be used by applications.
Sep 18 20:53:53 primary-ws kernel: umip: Wonderlands.exe[213853] ip:14ebb0d03 sp:4ee528: For now, expensive software emulation returns the result.
Sep 18 20:54:15 primary-ws kernel: umip: Wonderlands.exe[214194] ip:15a270815 sp:6eaef490: SGDT instruction cannot be used by applications.
Sep 18 20:56:01 primary-ws kernel: umip_printk: 15 callbacks suppressed
Sep 18 20:56:01 primary-ws kernel: umip: Wonderlands.exe[213853] ip:15e3a82b0 sp:4ed178: SGDT instruction cannot be used by applications.
Sep 18 20:56:01 primary-ws kernel: umip: Wonderlands.exe[213853] ip:15e3a82b0 sp:4ed178: For now, expensive software emulation returns the result.
Sep 18 20:56:03 primary-ws kernel: umip: Wonderlands.exe[213853] ip:15e3a82b0 sp:4edbe8: SGDT instruction cannot be used by applications.
Sep 18 20:56:03 primary-ws kernel: umip: Wonderlands.exe[213853] ip:15e3a82b0 sp:4edbe8: For now, expensive software emulation returns the result.
Sep 18 20:56:03 primary-ws kernel: umip: Wonderlands.exe[213853] ip:15e3a82b0 sp:4ebf18: SGDT instruction cannot be used by applications.
Sep 18 20:57:55 primary-ws kernel: ------------[ cut here ]------------
Sep 18 20:57:55 primary-ws kernel: refcount_t: underflow; use-after-free.
Sep 18 20:57:55 primary-ws kernel: WARNING: CPU: 22 PID: 235114 at lib/refcount.c:28 refcount_warn_saturate+0xba/0x110
Sep 18 20:57:55 primary-ws kernel: Modules linked in: tls uinput rfcomm snd_seq_dummy snd_hrtimer nft_objref nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_>
Sep 18 20:57:55 primary-ws kernel: asus_wmi ledtrig_audio sparse_keymap platform_profile irqbypass rfkill mc rapl snd_timer video wmi_bmof pcspkr snd k10temp i2c_piix4 soundcore acpi_cpufreq zram amdgpu drm_ttm_helper ttm iommu_v2 crct1>
Sep 18 20:57:55 primary-ws kernel: Unloaded tainted modules: amd64_edac():1 amd64_edac():1 amd64_edac():1 amd64_edac():1 amd64_edac():1 amd64_edac():1 amd64_edac():1 amd64_edac():1 amd64_edac():1 pcc_cpufreq():1 pcc_cpufreq():1 amd64_eda>
Sep 18 20:57:55 primary-ws kernel: pcc_cpufreq():1 pcc_cpufreq():1 fjes():1 fjes():1 pcc_cpufreq():1 fjes():1 fjes():1 fjes():1 fjes():1 fjes():1
Sep 18 20:57:55 primary-ws kernel: CPU: 22 PID: 235114 Comm: kworker/22:0 Tainted: G W L ------- --- 6.0.0-0.rc5.20220914git3245cb65fd91.39.fc38.x86_64 #1
Sep 18 20:57:55 primary-ws kernel: Hardware name: System manufacturer System Product Name/ROG STRIX X570-I GAMING, BIOS 4403 04/27/2022
Sep 18 20:57:55 primary-ws kernel: Workqueue: events drm_sched_entity_kill_jobs_work [gpu_sched]
Sep 18 20:57:55 primary-ws kernel: RIP: 0010:refcount_warn_saturate+0xba/0x110
Sep 18 20:57:55 primary-ws kernel: Code: 01 01 e8 69 6b 6f 00 0f 0b e9 32 38 a5 00 80 3d 4d 7d be 01 00 75 85 48 c7 c7 80 b7 8e 95 c6 05 3d 7d be 01 01 e8 46 6b 6f 00 <0f> 0b e9 0f 38 a5 00 80 3d 28 7d be 01 00 0f 85 5e ff ff ff 48 c7
Sep 18 20:57:55 primary-ws kernel: RSP: 0018:ffffa1a853ccbe60 EFLAGS: 00010286
Sep 18 20:57:55 primary-ws kernel: RAX: 0000000000000026 RBX: ffff8e0e60a96c28 RCX: 0000000000000000
Sep 18 20:57:55 primary-ws kernel: RDX: 0000000000000001 RSI: ffffffff958d255c RDI: 00000000ffffffff
Sep 18 20:57:55 primary-ws kernel: RBP: ffff8e19a83f5600 R08: 0000000000000000 R09: ffffa1a853ccbd10
Sep 18 20:57:55 primary-ws kernel: R10: 0000000000000003 R11: ffff8e19ee2fffe8 R12: ffff8e19a83fc800
Sep 18 20:57:55 primary-ws kernel: R13: ffff8e0d44a4b440 R14: ffff8e19a83fc805 R15: ffff8e0e60a96c30
Sep 18 20:57:55 primary-ws kernel: FS: 0000000000000000(0000) GS:ffff8e19a8200000(0000) knlGS:0000000000000000
Sep 18 20:57:55 primary-ws kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Sep 18 20:57:55 primary-ws kernel: CR2: 00001adc05fb2000 CR3: 00000002cf050000 CR4: 0000000000350ee0
Sep 18 20:57:55 primary-ws kernel: Call Trace:
Sep 18 20:57:55 primary-ws kernel: <TASK>
Sep 18 20:57:55 primary-ws kernel: process_one_work+0x2a0/0x600
Sep 18 20:57:55 primary-ws kernel: worker_thread+0x4f/0x3a0
Sep 18 20:57:55 primary-ws kernel: ? process_one_work+0x600/0x600
Sep 18 20:57:55 primary-ws kernel: kthread+0xf5/0x120
Sep 18 20:57:55 primary-ws kernel: ? kthread_complete_and_exit+0x20/0x20
Sep 18 20:57:55 primary-ws kernel: ret_from_fork+0x22/0x30
Sep 18 20:57:55 primary-ws kernel: </TASK>
Sep 18 20:57:55 primary-ws kernel: irq event stamp: 63606683
Sep 18 20:57:55 primary-ws kernel: hardirqs last enabled at (63606691): [<ffffffff9418ce0e>] __up_console_sem+0x5e/0x70
Sep 18 20:57:55 primary-ws kernel: hardirqs last disabled at (63606698): [<ffffffff9418cdf3>] __up_console_sem+0x43/0x70
Sep 18 20:57:55 primary-ws kernel: softirqs last enabled at (63490566): [<ffffffff940ff749>] __irq_exit_rcu+0xf9/0x170
Sep 18 20:57:55 primary-ws kernel: softirqs last disabled at (63490561): [<ffffffff940ff749>] __irq_exit_rcu+0xf9/0x170
Sep 18 20:57:55 primary-ws kernel: ---[ end trace 0000000000000000 ]---
Sep 18 20:57:56 primary-ws abrt-dump-journal-oops[1409]: abrt-dump-journal-oops: Found oopses: 1
Sep 18 20:57:56 primary-ws abrt-dump-journal-oops[1409]: abrt-dump-journal-oops: Creating problem directories
Sep 18 20:57:57 primary-ws abrt-notification[261766]: [🡕] System encountered a non-fatal error in kthread_complete_and_exit()
Sep 18 20:57:57 primary-ws abrt-dump-journal-oops[1409]: Reported 1 kernel oopses to Abrt
Sep 18 20:58:23 primary-ws gsd-power[2776]: Failed to acquire idle monitor proxy: Timeout was reached
Sep 18 20:58:23 primary-ws gsd-power[2776]: Error setting property 'PowerSaveMode' on interface org.gnome.Mutter.DisplayConfig: Timeout was reached (g-io-error-quark, 24)
Sep 18 20:58:53 primary-ws gsd-power[2776]: Failed to acquire idle monitor proxy: Timeout was reached
Sep 18 20:58:53 primary-ws gsd-power[2776]: Error setting property 'PowerSaveMode' on interface org.gnome.Mutter.DisplayConfig: Timeout was reached (g-io-error-quark, 24)
Sep 18 20:58:54 primary-ws gsd-power[2776]: Failed to acquire idle monitor proxy: Timeout was reached

Full kernel log: https://pastebin.com/nj2syLPM

--
Best Regards,
Mike Gavrilov.
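As an added example (not part of Mikhail's mail or of the kernel tree), a small Python parser that pulls each "[ cut here ]" ... "end trace" block out of journalctl output like the excerpt above and reduces it to the fields worth comparing between occurrences: the WARN reason, file:line, taint flags, workqueue and the real (non-"?") call-trace frames. The sample records are constructed from the splat in this mail, reassembled one record per line; the regexes assume the default journalctl short output format.

```python
import re
# Constructed sample (not the full log): this mail's splat, one journal record per line as journalctl emits it.
SAMPLE = """\
Sep 18 20:57:55 primary-ws kernel: ------------[ cut here ]------------
Sep 18 20:57:55 primary-ws kernel: refcount_t: underflow; use-after-free.
Sep 18 20:57:55 primary-ws kernel: WARNING: CPU: 22 PID: 235114 at lib/refcount.c:28 refcount_warn_saturate+0xba/0x110
Sep 18 20:57:55 primary-ws kernel: CPU: 22 PID: 235114 Comm: kworker/22:0 Tainted: G W L ------- --- 6.0.0-0.rc5.20220914git3245cb65fd91.39.fc38.x86_64 #1
Sep 18 20:57:55 primary-ws kernel: Workqueue: events drm_sched_entity_kill_jobs_work [gpu_sched]
Sep 18 20:57:55 primary-ws kernel: Call Trace:
Sep 18 20:57:55 primary-ws kernel: <TASK>
Sep 18 20:57:55 primary-ws kernel: process_one_work+0x2a0/0x600
Sep 18 20:57:55 primary-ws kernel: worker_thread+0x4f/0x3a0
Sep 18 20:57:55 primary-ws kernel: ? process_one_work+0x600/0x600
Sep 18 20:57:55 primary-ws kernel: kthread+0xf5/0x120
Sep 18 20:57:55 primary-ws kernel: ret_from_fork+0x22/0x30
Sep 18 20:57:55 primary-ws kernel: </TASK>
Sep 18 20:57:55 primary-ws kernel: ---[ end trace 0000000000000000 ]---
"""
KMSG = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ kernel: (.*)$")
WARN = re.compile(r"WARNING: CPU: (\d+) PID: (\d+) at (\S+) (\S+)")
TASK = re.compile(r"CPU: \d+ PID: \d+ Comm: (\S+) Tainted: (.+?) (\S+) #\d+")

def extract_splats(journal: str) -> list[dict]:
    """Return one dict per '[ cut here ]' ... 'end trace' block found in journal text."""
    splats, cur, in_trace = [], None, False
    for line in journal.splitlines():
        if not (m := KMSG.match(line)):
            continue                      # gnome-shell, abrt, gsd-power records are not kernel output
        msg = m.group(1).strip()
        if "[ cut here ]" in msg:
            cur, in_trace = {"reason": None, "workqueue": None, "trace": []}, False
        elif cur is None:
            continue                      # kernel chatter outside any splat (umip lines etc.)
        elif "end trace" in msg:
            splats.append(cur); cur = None
        elif cur["reason"] is None:
            cur["reason"] = msg           # the line right after the marker carries the WARN text
        elif (w := WARN.match(msg)):
            cur["cpu"], cur["pid"], cur["location"], cur["symbol"] = int(w[1]), int(w[2]), w[3], w[4]
        elif (t := TASK.match(msg)):
            cur["comm"], cur["kernel"] = t[1], t[3]
            cur["taint"] = [f for f in t[2].split() if f.isalpha()]  # G/W/L flags; dashes are padding
        elif msg.startswith("Workqueue:"):
            cur["workqueue"] = msg.split(":", 1)[1].strip()
        elif msg == "Call Trace:":
            in_trace = True
        elif in_trace and "+0x" in msg and not msg.startswith("? "):
            cur["trace"].append(msg)      # '? ' entries are stale stack words, not real callers
    return splats
```

Running later journals through the same function and diffing the dicts shows at a glance whether a new hit lands on the same workqueue and frames, without wading through the umip noise.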