From: kernel test robot <oliver.sang@intel.com>
To: Jann Horn <jannh@google.com>
Cc: <oe-lkp@lists.linux.dev>, <lkp@intel.com>,
Linux Memory Management List <linux-mm@kvack.org>,
Vlastimil Babka <vbabka@suse.cz>,
Andrey Konovalov <andreyknvl@gmail.com>,
Marco Elver <elver@google.com>, <kasan-dev@googlegroups.com>,
<oliver.sang@intel.com>
Subject: [linux-next:master] [slub] 3a34e8ea62: BUG:KASAN:slab-use-after-free_in_kmem_cache_rcu_uaf
Date: Sun, 25 Aug 2024 17:45:00 +0800
Message-ID: <202408251741.4ce3b34e-oliver.sang@intel.com>

Hello,

kernel test robot noticed "BUG:KASAN:slab-use-after-free_in_kmem_cache_rcu_uaf" on:
commit: 3a34e8ea62cdeba64a66fa4489059c59ba4ec285 ("slub: Introduce CONFIG_SLUB_RCU_DEBUG")
https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master
[test failed on linux-next/master c79c85875f1af04040fe4492ed94ce37ad729c4d]
in testcase: kunit
version:
with following parameters:
group: group-00
compiler: gcc-12
test machine: 36 threads 1 sockets Intel(R) Core(TM) i9-10980XE CPU @ 3.00GHz (Cascade Lake) with 128G memory
(please refer to attached dmesg/kmsg for entire log/backtrace)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <oliver.sang@intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202408251741.4ce3b34e-oliver.sang@intel.com
The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20240825/202408251741.4ce3b34e-oliver.sang@intel.com
kern :err : [ 359.476745] ==================================================================
kern :err : [ 359.479027] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x377/0x490 [kasan_test]
kern :err : [ 359.480349] Read of size 1 at addr ffff888361948840 by task kunit_try_catch/4608
kern :err : [ 359.482361] CPU: 29 UID: 0 PID: 4608 Comm: kunit_try_catch Tainted: G B N 6.11.0-rc2-00010-g3a34e8ea62cd #1
kern :err : [ 359.484487] Tainted: [B]=BAD_PAGE, [N]=TEST
kern :err : [ 359.485478] Hardware name: Gigabyte Technology Co., Ltd. X299 UD4 Pro/X299 UD4 Pro-CF, BIOS F8a 04/27/2021
kern :err : [ 359.486969] Call Trace:
kern :err : [ 359.487837] <TASK>
kern :err : [ 359.488673] dump_stack_lvl+0x53/0x70
kern :err : [ 359.489634] print_address_description+0x2c/0x3a0
kern :err : [ 359.490788] ? kmem_cache_rcu_uaf+0x377/0x490 [kasan_test]
kern :err : [ 359.491900] print_report+0xb9/0x2b0
kern :err : [ 359.492830] ? kasan_addr_to_slab+0xd/0xb0
kern :err : [ 359.493806] ? kmem_cache_rcu_uaf+0x377/0x490 [kasan_test]
kern :err : [ 359.494882] kasan_report+0xe8/0x120
kern :err : [ 359.495797] ? kmem_cache_rcu_uaf+0x377/0x490 [kasan_test]
kern :err : [ 359.496862] kmem_cache_rcu_uaf+0x377/0x490 [kasan_test]
kern :err : [ 359.497927] ? __pfx_kmem_cache_rcu_uaf+0x10/0x10 [kasan_test]
kern :err : [ 359.499020] ? __schedule+0x7ec/0x1950
kern :err : [ 359.499929] ? ktime_get_ts64+0x7f/0x230
kern :err : [ 359.500843] kunit_try_run_case+0x1b0/0x490
kern :err : [ 359.501772] ? __pfx_kunit_try_run_case+0x10/0x10
kern :err : [ 359.502735] ? set_cpus_allowed_ptr+0x85/0xc0
kern :err : [ 359.503662] ? __pfx_set_cpus_allowed_ptr+0x10/0x10
kern :err : [ 359.504629] ? __pfx_kunit_try_run_case+0x10/0x10
kern :err : [ 359.505579] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
kern :err : [ 359.506640] kunit_generic_run_threadfn_adapter+0x7d/0xe0
kern :err : [ 359.507642] kthread+0x2d8/0x3c0
kern :err : [ 359.508468] ? __pfx_kthread+0x10/0x10
kern :err : [ 359.509337] ret_from_fork+0x31/0x70
kern :err : [ 359.510185] ? __pfx_kthread+0x10/0x10
kern :err : [ 359.511042] ret_from_fork_asm+0x1a/0x30
kern :err : [ 359.511912] </TASK>
kern :err : [ 359.513276] Allocated by task 4608:
kern :warn : [ 359.514082] kasan_save_stack+0x33/0x60
kern :warn : [ 359.514917] kasan_save_track+0x14/0x30
kern :warn : [ 359.515748] __kasan_slab_alloc+0x89/0x90
kern :warn : [ 359.516595] kmem_cache_alloc_noprof+0x10e/0x380
kern :warn : [ 359.517499] kmem_cache_rcu_uaf+0x10d/0x490 [kasan_test]
kern :warn : [ 359.518464] kunit_try_run_case+0x1b0/0x490
kern :warn : [ 359.519323] kunit_generic_run_threadfn_adapter+0x7d/0xe0
kern :warn : [ 359.520274] kthread+0x2d8/0x3c0
kern :warn : [ 359.521040] ret_from_fork+0x31/0x70
kern :warn : [ 359.521825] ret_from_fork_asm+0x1a/0x30
kern :err : [ 359.523201] Freed by task 0:
kern :warn : [ 359.523891] kasan_save_stack+0x33/0x60
kern :warn : [ 359.524646] kasan_save_track+0x14/0x30
kern :warn : [ 359.525384] kasan_save_free_info+0x3b/0x60
kern :warn : [ 359.526154] __kasan_slab_free+0x51/0x70
kern :warn : [ 359.526901] slab_free_after_rcu_debug+0xf8/0x2a0
kern :warn : [ 359.527711] rcu_do_batch+0x388/0xde0
kern :warn : [ 359.528433] rcu_core+0x419/0xea0
kern :warn : [ 359.529120] handle_softirqs+0x1d3/0x630
kern :warn : [ 359.529858] __irq_exit_rcu+0x125/0x170
kern :warn : [ 359.530584] sysvec_apic_timer_interrupt+0x6f/0x90
kern :warn : [ 359.531389] asm_sysvec_apic_timer_interrupt+0x1a/0x20
kern :err : [ 359.532754] Last potentially related work creation:
kern :warn : [ 359.533562] kasan_save_stack+0x33/0x60
kern :warn : [ 359.534283] __kasan_record_aux_stack+0xad/0xc0
kern :warn : [ 359.535063] kmem_cache_free+0x337/0x4c0
kern :warn : [ 359.535794] kmem_cache_rcu_uaf+0x14b/0x490 [kasan_test]
kern :warn : [ 359.536644] kunit_try_run_case+0x1b0/0x490
kern :warn : [ 359.537394] kunit_generic_run_threadfn_adapter+0x7d/0xe0
kern :warn : [ 359.538244] kthread+0x2d8/0x3c0
kern :warn : [ 359.538917] ret_from_fork+0x31/0x70
kern :warn : [ 359.539616] ret_from_fork_asm+0x1a/0x30
kern :err : [ 359.540850] The buggy address belongs to the object at ffff888361948840
which belongs to the cache test_cache of size 200
kern :err : [ 359.542668] The buggy address is located 0 bytes inside of
freed 200-byte region [ffff888361948840, ffff888361948908)
kern :err : [ 359.545021] The buggy address belongs to the physical page:
kern :warn : [ 359.545911] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x361948
kern :warn : [ 359.547012] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
kern :warn : [ 359.548094] flags: 0x17ffffc0000040(head|node=0|zone=2|lastcpupid=0x1fffff)
kern :warn : [ 359.549131] page_type: 0xfdffffff(slab)
kern :warn : [ 359.549918] raw: 0017ffffc0000040 ffff88821419ca00 dead000000000122 0000000000000000
kern :warn : [ 359.551034] raw: 0000000000000000 00000000801f001f 00000001fdffffff 0000000000000000
kern :warn : [ 359.552151] head: 0017ffffc0000040 ffff88821419ca00 dead000000000122 0000000000000000
kern :warn : [ 359.553278] head: 0000000000000000 00000000801f001f 00000001fdffffff 0000000000000000
kern :warn : [ 359.554406] head: 0017ffffc0000001 ffffea000d865201 ffffffffffffffff 0000000000000000
kern :warn : [ 359.555532] head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
kern :warn : [ 359.556660] page dumped because: kasan: bad access detected
kern :err : [ 359.558233] Memory state around the buggy address:
kern :err : [ 359.559130] ffff888361948700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
kern :err : [ 359.560238] ffff888361948780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
kern :err : [ 359.561344] >ffff888361948800: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
kern :err : [ 359.562451] ^
kern :err : [ 359.563410] ffff888361948880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
kern :err : [ 359.564535] ffff888361948900: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
kern :err : [ 359.565661] ==================================================================
kern :info : [ 359.982162] ok 38 kmem_cache_rcu_uaf
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki