Re: [Linux kernel bug] WARNING in free_event

From: Ian Rogers
Date: Wed Apr 17 2024 - 10:52:06 EST


On Wed, Apr 17, 2024 at 6:38 AM Sam Sun <samsun1006219@xxxxxxxxx> wrote:
>
> Dear developers and maintainers,
>
> We encountered a kernel warning in the function free_event() while
> using our modified syzkaller. It was tested on the latest upstream
> linux(6.9-rc4). C repro and kernel config are attached to this email.
> Kernel dump log is listed below.
> ```

Thank you for the report, unfortunately there have also been similar
reports and some possibly related fixes posted:
https://lore.kernel.org/linux-perf-users/CAP-5=fUa+-Tj2b_hxk96Qg5=Qu7jYHgHREbsmBa2ZmuF-X9QaA@xxxxxxxxxxxxxx/
https://lore.kernel.org/lkml/20240329235812.18917-1-frederic@xxxxxxxxxx/
https://lore.kernel.org/lkml/20240410035506.599192-1-haifeng.xu@xxxxxxxxxx/

Thanks,
Ian

> ------------[ cut here ]------------
> unexpected event refcount: 2; ptr=ffff88801931e0c0
> WARNING: CPU: 0 PID: 8082 at kernel/events/core.c:5254
> free_event+0xa3/0xc0 kernel/events/core.c:5254
> Modules linked in:
> CPU: 0 PID: 8082 Comm: syz-executor381 Not tainted 6.7.0-rc7 #1
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> 1.13.0-1ubuntu1.1 04/01/2014
> RIP: 0010:free_event+0xa3/0xc0 kernel/events/core.c:5254
> Code: b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 75 25 48 8b
> b5 38 02 00 00 48 89 ea 48 c7 c7 c0 38 b7 8a e8 6e 30 9e ff 90 <0f> 0b
> 90 90 5d 41 5c 41 5d e9 bf 45 d7 ff 4c 89 ef e8 d7 e9 2b 00
> RSP: 0018:ffffc9000176f9e8 EFLAGS: 00010282
> RAX: 0000000000000000 RBX: dffffc0000000000 RCX: ffffffff814c00fa
> RDX: ffff888063d919c0 RSI: ffffffff814c0107 RDI: 0000000000000001
> RBP: ffff88801931e0c0 R08: 0000000000000001 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000002
> R13: ffff88801931e2f8 R14: ffff88801931e3a0 R15: ffff88801931e0c0
> FS: 0000000000000000(0000) GS:ffff888044200000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000020000008 CR3: 000000000cd78000 CR4: 0000000000750ef0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> PKRU: 55555554
> Call Trace:
> <TASK>
> perf_event_release_kernel+0x5d4/0x8f0 kernel/events/core.c:5421
> perf_release+0x37/0x50 kernel/events/core.c:5442
> __fput+0x282/0xbb0 fs/file_table.c:394
> task_work_run+0x168/0x260 kernel/task_work.c:180
> exit_task_work include/linux/task_work.h:38 [inline]
> do_exit+0xaf0/0x2a40 kernel/exit.c:869
> do_group_exit+0xd4/0x2a0 kernel/exit.c:1018
> get_signal+0x243c/0x2630 kernel/signal.c:2904
> arch_do_signal_or_restart+0x81/0x7d0 arch/x86/kernel/signal.c:309
> exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
> exit_to_user_mode_prepare+0x121/0x240 kernel/entry/common.c:204
> __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
> syscall_exit_to_user_mode+0x1e/0x60 kernel/entry/common.c:296
> ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
> </TASK>
> ```
> If you have any questions, please contact us.
> Reported by: Yue Sun <samsun1006219@xxxxxxxxx>
> Reported by: xingwei lee <xrivendell7@xxxxxxxxx>
>
> Best Regards,
> Yue