* [linux-next:master] [slub] 3a34e8ea62: BUG:KASAN:slab-use-after-free_in_kmem_cache_rcu_uaf
From: kernel test robot @ 2024-08-25 9:45 UTC (permalink / raw)
To: Jann Horn
Cc: oe-lkp, lkp, Linux Memory Management List, Vlastimil Babka,
Andrey Konovalov, Marco Elver, kasan-dev, oliver.sang
Hello,
kernel test robot noticed "BUG:KASAN:slab-use-after-free_in_kmem_cache_rcu_uaf" on:
commit: 3a34e8ea62cdeba64a66fa4489059c59ba4ec285 ("slub: Introduce CONFIG_SLUB_RCU_DEBUG")
https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master
[test failed on linux-next/master c79c85875f1af04040fe4492ed94ce37ad729c4d]
in testcase: kunit
version:
with following parameters:
group: group-00
compiler: gcc-12
test machine: 36 threads 1 sockets Intel(R) Core(TM) i9-10980XE CPU @ 3.00GHz (Cascade Lake) with 128G memory
(please refer to attached dmesg/kmsg for entire log/backtrace)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <oliver.sang@intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202408251741.4ce3b34e-oliver.sang@intel.com
The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20240825/202408251741.4ce3b34e-oliver.sang@intel.com
kern :err : [ 359.476745] ==================================================================
kern :err : [ 359.479027] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x377/0x490 [kasan_test]
kern :err : [ 359.480349] Read of size 1 at addr ffff888361948840 by task kunit_try_catch/4608
kern :err : [ 359.482361] CPU: 29 UID: 0 PID: 4608 Comm: kunit_try_catch Tainted: G B N 6.11.0-rc2-00010-g3a34e8ea62cd #1
kern :err : [ 359.484487] Tainted: [B]=BAD_PAGE, [N]=TEST
kern :err : [ 359.485478] Hardware name: Gigabyte Technology Co., Ltd. X299 UD4 Pro/X299 UD4 Pro-CF, BIOS F8a 04/27/2021
kern :err : [ 359.486969] Call Trace:
kern :err : [ 359.487837] <TASK>
kern :err : [ 359.488673] dump_stack_lvl+0x53/0x70
kern :err : [ 359.489634] print_address_description+0x2c/0x3a0
kern :err : [ 359.490788] ? kmem_cache_rcu_uaf+0x377/0x490 [kasan_test]
kern :err : [ 359.491900] print_report+0xb9/0x2b0
kern :err : [ 359.492830] ? kasan_addr_to_slab+0xd/0xb0
kern :err : [ 359.493806] ? kmem_cache_rcu_uaf+0x377/0x490 [kasan_test]
kern :err : [ 359.494882] kasan_report+0xe8/0x120
kern :err : [ 359.495797] ? kmem_cache_rcu_uaf+0x377/0x490 [kasan_test]
kern :err : [ 359.496862] kmem_cache_rcu_uaf+0x377/0x490 [kasan_test]
kern :err : [ 359.497927] ? __pfx_kmem_cache_rcu_uaf+0x10/0x10 [kasan_test]
kern :err : [ 359.499020] ? __schedule+0x7ec/0x1950
kern :err : [ 359.499929] ? ktime_get_ts64+0x7f/0x230
kern :err : [ 359.500843] kunit_try_run_case+0x1b0/0x490
kern :err : [ 359.501772] ? __pfx_kunit_try_run_case+0x10/0x10
kern :err : [ 359.502735] ? set_cpus_allowed_ptr+0x85/0xc0
kern :err : [ 359.503662] ? __pfx_set_cpus_allowed_ptr+0x10/0x10
kern :err : [ 359.504629] ? __pfx_kunit_try_run_case+0x10/0x10
kern :err : [ 359.505579] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
kern :err : [ 359.506640] kunit_generic_run_threadfn_adapter+0x7d/0xe0
kern :err : [ 359.507642] kthread+0x2d8/0x3c0
kern :err : [ 359.508468] ? __pfx_kthread+0x10/0x10
kern :err : [ 359.509337] ret_from_fork+0x31/0x70
kern :err : [ 359.510185] ? __pfx_kthread+0x10/0x10
kern :err : [ 359.511042] ret_from_fork_asm+0x1a/0x30
kern :err : [ 359.511912] </TASK>
kern :err : [ 359.513276] Allocated by task 4608:
kern :warn : [ 359.514082] kasan_save_stack+0x33/0x60
kern :warn : [ 359.514917] kasan_save_track+0x14/0x30
kern :warn : [ 359.515748] __kasan_slab_alloc+0x89/0x90
kern :warn : [ 359.516595] kmem_cache_alloc_noprof+0x10e/0x380
kern :warn : [ 359.517499] kmem_cache_rcu_uaf+0x10d/0x490 [kasan_test]
kern :warn : [ 359.518464] kunit_try_run_case+0x1b0/0x490
kern :warn : [ 359.519323] kunit_generic_run_threadfn_adapter+0x7d/0xe0
kern :warn : [ 359.520274] kthread+0x2d8/0x3c0
kern :warn : [ 359.521040] ret_from_fork+0x31/0x70
kern :warn : [ 359.521825] ret_from_fork_asm+0x1a/0x30
kern :err : [ 359.523201] Freed by task 0:
kern :warn : [ 359.523891] kasan_save_stack+0x33/0x60
kern :warn : [ 359.524646] kasan_save_track+0x14/0x30
kern :warn : [ 359.525384] kasan_save_free_info+0x3b/0x60
kern :warn : [ 359.526154] __kasan_slab_free+0x51/0x70
kern :warn : [ 359.526901] slab_free_after_rcu_debug+0xf8/0x2a0
kern :warn : [ 359.527711] rcu_do_batch+0x388/0xde0
kern :warn : [ 359.528433] rcu_core+0x419/0xea0
kern :warn : [ 359.529120] handle_softirqs+0x1d3/0x630
kern :warn : [ 359.529858] __irq_exit_rcu+0x125/0x170
kern :warn : [ 359.530584] sysvec_apic_timer_interrupt+0x6f/0x90
kern :warn : [ 359.531389] asm_sysvec_apic_timer_interrupt+0x1a/0x20
kern :err : [ 359.532754] Last potentially related work creation:
kern :warn : [ 359.533562] kasan_save_stack+0x33/0x60
kern :warn : [ 359.534283] __kasan_record_aux_stack+0xad/0xc0
kern :warn : [ 359.535063] kmem_cache_free+0x337/0x4c0
kern :warn : [ 359.535794] kmem_cache_rcu_uaf+0x14b/0x490 [kasan_test]
kern :warn : [ 359.536644] kunit_try_run_case+0x1b0/0x490
kern :warn : [ 359.537394] kunit_generic_run_threadfn_adapter+0x7d/0xe0
kern :warn : [ 359.538244] kthread+0x2d8/0x3c0
kern :warn : [ 359.538917] ret_from_fork+0x31/0x70
kern :warn : [ 359.539616] ret_from_fork_asm+0x1a/0x30
kern :err : [ 359.540850] The buggy address belongs to the object at ffff888361948840
which belongs to the cache test_cache of size 200
kern :err : [ 359.542668] The buggy address is located 0 bytes inside of
freed 200-byte region [ffff888361948840, ffff888361948908)
kern :err : [ 359.545021] The buggy address belongs to the physical page:
kern :warn : [ 359.545911] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x361948
kern :warn : [ 359.547012] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
kern :warn : [ 359.548094] flags: 0x17ffffc0000040(head|node=0|zone=2|lastcpupid=0x1fffff)
kern :warn : [ 359.549131] page_type: 0xfdffffff(slab)
kern :warn : [ 359.549918] raw: 0017ffffc0000040 ffff88821419ca00 dead000000000122 0000000000000000
kern :warn : [ 359.551034] raw: 0000000000000000 00000000801f001f 00000001fdffffff 0000000000000000
kern :warn : [ 359.552151] head: 0017ffffc0000040 ffff88821419ca00 dead000000000122 0000000000000000
kern :warn : [ 359.553278] head: 0000000000000000 00000000801f001f 00000001fdffffff 0000000000000000
kern :warn : [ 359.554406] head: 0017ffffc0000001 ffffea000d865201 ffffffffffffffff 0000000000000000
kern :warn : [ 359.555532] head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
kern :warn : [ 359.556660] page dumped because: kasan: bad access detected
kern :err : [ 359.558233] Memory state around the buggy address:
kern :err : [ 359.559130] ffff888361948700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
kern :err : [ 359.560238] ffff888361948780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
kern :err : [ 359.561344] >ffff888361948800: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
kern :err : [ 359.562451] ^
kern :err : [ 359.563410] ffff888361948880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
kern :err : [ 359.564535] ffff888361948900: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
kern :err : [ 359.565661] ==================================================================
kern :info : [ 359.982162] ok 38 kmem_cache_rcu_uaf
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
* Re: [linux-next:master] [slub] 3a34e8ea62: BUG:KASAN:slab-use-after-free_in_kmem_cache_rcu_uaf
From: Vlastimil Babka @ 2024-08-26 20:16 UTC (permalink / raw)
To: kernel test robot, Jann Horn
Cc: oe-lkp, lkp, Linux Memory Management List, Andrey Konovalov,
Marco Elver, kasan-dev
On 8/25/24 11:45, kernel test robot wrote:
> Hello,
>
> kernel test robot noticed "BUG:KASAN:slab-use-after-free_in_kmem_cache_rcu_uaf" on:
>
> commit: 3a34e8ea62cdeba64a66fa4489059c59ba4ec285 ("slub: Introduce CONFIG_SLUB_RCU_DEBUG")
> https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master
>
> [test failed on linux-next/master c79c85875f1af04040fe4492ed94ce37ad729c4d]
>
> in testcase: kunit
> version:
> with following parameters:
>
> group: group-00
>
>
>
> compiler: gcc-12
> test machine: 36 threads 1 sockets Intel(R) Core(TM) i9-10980XE CPU @ 3.00GHz (Cascade Lake) with 128G memory
>
> (please refer to attached dmesg/kmsg for entire log/backtrace)
It seems to me the kunit test produces the expected output and kasan doesn't
suppress dmesg output in kunit test context? So lkp probably already has all
the other kasan tests in some kind of allow filter, and this one would need
to be added as well?
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot <oliver.sang@intel.com>
> | Closes: https://lore.kernel.org/oe-lkp/202408251741.4ce3b34e-oliver.sang@intel.com
>
>
> The kernel config and materials to reproduce are available at:
> https://download.01.org/0day-ci/archive/20240825/202408251741.4ce3b34e-oliver.sang@intel.com
>
>
* Re: [linux-next:master] [slub] 3a34e8ea62: BUG:KASAN:slab-use-after-free_in_kmem_cache_rcu_uaf
From: Jann Horn @ 2024-08-26 20:18 UTC (permalink / raw)
To: kernel test robot
Cc: oe-lkp, lkp, Linux Memory Management List, Vlastimil Babka,
Andrey Konovalov, Marco Elver, kasan-dev
Hi!
On Sun, Aug 25, 2024 at 11:45 AM kernel test robot
<oliver.sang@intel.com> wrote:
> Hello,
>
> kernel test robot noticed "BUG:KASAN:slab-use-after-free_in_kmem_cache_rcu_uaf" on:
>
> commit: 3a34e8ea62cdeba64a66fa4489059c59ba4ec285 ("slub: Introduce CONFIG_SLUB_RCU_DEBUG")
> https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master
>
> [test failed on linux-next/master c79c85875f1af04040fe4492ed94ce37ad729c4d]
>
> in testcase: kunit
> version:
> with following parameters:
>
> group: group-00
>
>
>
> compiler: gcc-12
> test machine: 36 threads 1 sockets Intel(R) Core(TM) i9-10980XE CPU @ 3.00GHz (Cascade Lake) with 128G memory
>
> (please refer to attached dmesg/kmsg for entire log/backtrace)
>
>
>
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot <oliver.sang@intel.com>
> | Closes: https://lore.kernel.org/oe-lkp/202408251741.4ce3b34e-oliver.sang@intel.com
>
>
> The kernel config and materials to reproduce are available at:
> https://download.01.org/0day-ci/archive/20240825/202408251741.4ce3b34e-oliver.sang@intel.com
Oh, this is a weird one...
Do you happen to have either the vmlinux ELF file that this issue
happened with, or a version of the bug report that's been run through
scripts/decode_stacktrace.sh, so that we can tell whether the reported
slab-use-after-free is on line 1029 (which would mean that either ASAN
is not tracking the state of the object correctly or the object is
freed earlier than it should) or line 1039 (which would mean the
KUNIT_EXPECT_KASAN_FAIL() is not working as it should)?
* Re: [linux-next:master] [slub] 3a34e8ea62: BUG:KASAN:slab-use-after-free_in_kmem_cache_rcu_uaf
From: Vlastimil Babka @ 2024-08-26 20:27 UTC (permalink / raw)
To: Jann Horn, kernel test robot
Cc: oe-lkp, lkp, Linux Memory Management List, Andrey Konovalov,
Marco Elver, kasan-dev
On 8/26/24 22:18, Jann Horn wrote:
> Hi!
>
> On Sun, Aug 25, 2024 at 11:45 AM kernel test robot
> <oliver.sang@intel.com> wrote:
>> Hello,
>>
>> kernel test robot noticed "BUG:KASAN:slab-use-after-free_in_kmem_cache_rcu_uaf" on:
>>
>> commit: 3a34e8ea62cdeba64a66fa4489059c59ba4ec285 ("slub: Introduce CONFIG_SLUB_RCU_DEBUG")
>> https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master
>>
>> [test failed on linux-next/master c79c85875f1af04040fe4492ed94ce37ad729c4d]
>>
>> in testcase: kunit
>> version:
>> with following parameters:
>>
>> group: group-00
>>
>>
>>
>> compiler: gcc-12
>> test machine: 36 threads 1 sockets Intel(R) Core(TM) i9-10980XE CPU @ 3.00GHz (Cascade Lake) with 128G memory
>>
>> (please refer to attached dmesg/kmsg for entire log/backtrace)
>>
>>
>>
>> If you fix the issue in a separate patch/commit (i.e. not just a new version of
>> the same patch/commit), kindly add following tags
>> | Reported-by: kernel test robot <oliver.sang@intel.com>
>> | Closes: https://lore.kernel.org/oe-lkp/202408251741.4ce3b34e-oliver.sang@intel.com
>>
>>
>> The kernel config and materials to reproduce are available at:
>> https://download.01.org/0day-ci/archive/20240825/202408251741.4ce3b34e-oliver.sang@intel.com
>
> Oh, this is a weird one...
As I replied I think lkp simply reacts to the BUG: in dmesg and doesn't
filter it out as an expected test output.
> Do you happen to have either the vmlinux ELF file that this issue
> happened with, or a version of the bug report that's been run through
> scripts/decode_stacktrace.sh, so that we can tell whether the reported
> slab-use-after-free is on line 1029 (which would mean that either ASAN
> is not tracking the state of the object correctly or the object is
The reported freed stack suggests the object was already freed by rcu, so we
should be past the rcu_read_unlock();
> freed earlier than it should) or line 1039 (which would mean the
> KUNIT_EXPECT_KASAN_FAIL() is not working as it should)?
There's also "ok 38 kmem_cache_rcu_uaf" in the log so the kunit test macro
is satisfied.
* Re: [linux-next:master] [slub] 3a34e8ea62: BUG:KASAN:slab-use-after-free_in_kmem_cache_rcu_uaf
From: Oliver Sang @ 2024-08-27 7:27 UTC (permalink / raw)
To: Vlastimil Babka
Cc: Jann Horn, oe-lkp, lkp, Linux Memory Management List,
Andrey Konovalov, Marco Elver, kasan-dev, oliver.sang
hi, Vlastimil Babka and Jann Horn,
On Mon, Aug 26, 2024 at 10:27:29PM +0200, Vlastimil Babka wrote:
> On 8/26/24 22:18, Jann Horn wrote:
> > Hi!
> >
> > On Sun, Aug 25, 2024 at 11:45 AM kernel test robot
> > <oliver.sang@intel.com> wrote:
> >> Hello,
> >>
> >> kernel test robot noticed "BUG:KASAN:slab-use-after-free_in_kmem_cache_rcu_uaf" on:
> >>
> >> commit: 3a34e8ea62cdeba64a66fa4489059c59ba4ec285 ("slub: Introduce CONFIG_SLUB_RCU_DEBUG")
> >> https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master
> >>
> >> [test failed on linux-next/master c79c85875f1af04040fe4492ed94ce37ad729c4d]
> >>
> >> in testcase: kunit
> >> version:
> >> with following parameters:
> >>
> >> group: group-00
> >>
> >>
> >>
> >> compiler: gcc-12
> >> test machine: 36 threads 1 sockets Intel(R) Core(TM) i9-10980XE CPU @ 3.00GHz (Cascade Lake) with 128G memory
> >>
> >> (please refer to attached dmesg/kmsg for entire log/backtrace)
> >>
> >>
> >>
> >> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> >> the same patch/commit), kindly add following tags
> >> | Reported-by: kernel test robot <oliver.sang@intel.com>
> >> | Closes: https://lore.kernel.org/oe-lkp/202408251741.4ce3b34e-oliver.sang@intel.com
> >>
> >>
> >> The kernel config and materials to reproduce are available at:
> >> https://download.01.org/0day-ci/archive/20240825/202408251741.4ce3b34e-oliver.sang@intel.com
> >
> > Oh, this is a weird one...
>
> As I replied I think lkp simply reacts to the BUG: in dmesg and doesn't
> filter it out as an expected test output.
got it. we will follow to filter out expected test output.
>
> > Do you happen to have either the vmlinux ELF file that this issue
> > happened with, or a version of the bug report that's been run through
> > scripts/decode_stacktrace.sh, so that we can tell whether the reported
> > slab-use-after-free is on line 1029 (which would mean that either ASAN
> > is not tracking the state of the object correctly or the object is
>
> The reported freed stack suggests the object was already freed by rcu, so we
> should be past the rcu_read_unlock();
>
> > freed earlier than it should) or line 1039 (which would mean the
> > KUNIT_EXPECT_KASAN_FAIL() is not working as it should)?
>
> There's also "ok 38 kmem_cache_rcu_uaf" in the log so the kunit test macro
> is satisfied.
thanks a lot for information!
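The triage this thread converges on, as an added example that is not part of any message above and is not lkp-tests code: a KASAN report counts as expected test output only when it faults inside the kasan_test module and the KUnit case of the same name reports "ok", and the "Freed by" stack is checked for an RCU callback as in the 20:27 reply. It assumes the dmesg line format shown in the report and that the faulting function carries the KUnit case name; the example_driver report is constructed.

```python
import re

# Abridged from the report in this thread, plus one constructed report
# (example_driver, hypothetical) that no KUnit case accounts for.
SAMPLE_DMESG = """\
kern :err : [ 359.479027] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x377/0x490 [kasan_test]
kern :err : [ 359.480349] Read of size 1 at addr ffff888361948840 by task kunit_try_catch/4608
kern :err : [ 359.513276] Allocated by task 4608:
kern :warn : [ 359.516595] kmem_cache_alloc_noprof+0x10e/0x380
kern :err : [ 359.523201] Freed by task 0:
kern :warn : [ 359.526154] __kasan_slab_free+0x51/0x70
kern :warn : [ 359.526901] slab_free_after_rcu_debug+0xf8/0x2a0
kern :warn : [ 359.527711] rcu_do_batch+0x388/0xde0
kern :err : [ 359.532754] Last potentially related work creation:
kern :warn : [ 359.535063] kmem_cache_free+0x337/0x4c0
kern :info : [ 359.982162] ok 38 kmem_cache_rcu_uaf
kern :err : [ 412.000001] BUG: KASAN: slab-use-after-free in example_driver_read+0x42/0x100 [example_driver]
kern :err : [ 412.000002] Freed by task 77:
kern :warn : [ 412.000003] kfree+0x10/0x20
"""

LINE_RE = re.compile(r"^kern\s*:\w+\s*:\s*\[\s*[\d.]+\]\s*(.*)$")
BUG_RE = re.compile(
    r"BUG: KASAN: (\S+) in (\w+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?")
KUNIT_RE = re.compile(r"^(ok|not ok) \d+ (\S+)")
FRAME_RE = re.compile(r"^(?:\? )?(\w+)\+0x")


def parse_reports(dmesg):
    """Return (KASAN reports, {kunit case: 'ok' | 'not ok'})."""
    reports, kunit, current, section = [], {}, None, None
    for raw in dmesg.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group(1).strip()
        bug, result = BUG_RE.search(msg), KUNIT_RE.match(msg)
        if bug:
            current = {"type": bug.group(1), "func": bug.group(2),
                       "module": bug.group(3), "freed_stack": []}
            reports.append(current)
            section = None
        elif result:
            kunit[result.group(2)] = result.group(1)
            current = None  # a test result line ends the report
        elif current is not None and msg.endswith(":"):
            # Section headers: "Call Trace:", "Freed by task 0:", ...
            section = "freed" if msg.startswith("Freed by task") else "other"
        elif current is not None and section == "freed":
            frame = FRAME_RE.match(msg)
            if frame:
                current["freed_stack"].append(frame.group(1))
    return reports, kunit


def classify(report, kunit):
    """'expected' only for a fault inside the kasan_test module whose
    faulting function is a KUnit case that reported 'ok'."""
    in_selftest = report["module"] == "kasan_test"
    passed = kunit.get(report["func"]) == "ok"
    return "expected" if in_selftest and passed else "needs-triage"


def triage(dmesg):
    """Per report: (function, verdict, freed from an RCU callback?)."""
    reports, kunit = parse_reports(dmesg)
    return [(r["func"], classify(r, kunit), "rcu_do_batch" in r["freed_stack"])
            for r in reports]


if __name__ == "__main__":
    for row in triage(SAMPLE_DMESG):
        print(row)
```

Requiring both the module match and the passing KUnit result keeps the filter narrow: a KASAN report from any other module, or from a test case that ends "not ok", still surfaces for review.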