From: Waiman Long
Message-ID: <45f38b98-43e0-4d0a-9106-f8b537f59a17@redhat.com>
Date: Mon, 14 Apr 2025 15:25:03 -0400
Subject: Re: KASAN: slab-use-after-free Read in cgroup_rstat_flush
To: tj, Michal Koutný
Cc: ffhgfv, hannes, cgroups, linux-kernel, linux-mm@kvack.org

On 4/14/25 1:42 PM, tj wrote:
> On Mon, Apr 14, 2025 at 07:40:04PM +0200, Michal Koutný wrote:
>> Hello.
>>
>> On Mon, Apr 07, 2025 at 07:59:58AM -0400, ffhgfv wrote:
>>> Hello, I found a bug titled "KASAN: slab-use-after-free Read in cgroup_rstat_flush" with modified syzkaller in Linux 6.14.
>>> If you fix this issue, please add the following tag to the commit: Reported-by: Jianzhou Zhao, xingwei lee, Penglei Jiang
>>> I use the same kernel as syzbot instance upstream: f6e0150b2003fb2b9265028a618aa1732b3edc8f
>>> kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=da4b04ae798b7ef6
>>> compiler: gcc version 11.4.0
>>>
>>> Unfortunately, we do not have a repro.
>> Thanks for sharing the report.
>>
>>> ------------[ cut here ]-----------------------------------------
>>> TITLE: KASAN: slab-use-after-free Read in cgroup_rstat_flush
>>> ==================================================================
>>> bridge_slave_0: left allmulticast mode
>>> bridge_slave_0: left promiscuous mode
>>> bridge0: port 1(bridge_slave_0) entered disabled state
>>> ==================================================================
>>> BUG: KASAN: slab-use-after-free in cgroup_rstat_cpu kernel/cgroup/rstat.c:19 [inline]
>>> BUG: KASAN: slab-use-after-free in cgroup_base_stat_flush kernel/cgroup/rstat.c:422 [inline]
>>> BUG: KASAN: slab-use-after-free in cgroup_rstat_flush+0x16ce/0x2180 kernel/cgroup/rstat.c:328
>> I read this like the struct cgroup is gone when the code tries flushing
>> its respective stats (its ->rstat_cpu more precisely).
>>
>> Namely,
>> __mem_cgroup_flush_stats
>>   cgroup_rstat_flush(memcg->css.cgroup);
>> this reference is taken at cgroup creation in init_and_link_css()
>> and released only in css_free_rwork_fn().
> Maybe another casualty of the bug fixed by a22b3d54de94 ("cgroup/cpuset: Fix
> race between newly created partition and dying one")?

You mean the rcu_read_lock isn't held for the entire flushing operation so that the cgroup structure itself may have been freed near the end. Right?

Cheers,
Longman

>
> Thanks.
>
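The pattern Longman asks about above, as an added example that is not part of this thread or of the kernel: a userspace C model of a stats flush that walks an object's per-CPU counters while another path drops the owner's last reference part-way through the walk. The model protects the object with a plain refcount (obj_get/obj_put, standing in for holding a css reference or an RCU read-side section across the whole flush) and marks the object with a "freed" flag instead of really freeing it, so the stale read is caught the way KASAN would report it. Every name here (struct obj, flush_unpinned, flush_pinned, run_scenario, the constructed per-CPU values) is invented for the illustration.

```c
/* Userspace model of a flush racing with object teardown. Not kernel code;
 * all names and values are invented for the illustration. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define NR_CPUS 4

struct obj {
    int refcnt;
    bool freed;                     /* stand-in for KASAN's freed-slab poison */
    unsigned long per_cpu[NR_CPUS]; /* per-CPU counters the flush sums up */
};

/* Fake allocator: instead of returning memory to the heap, poison the object
 * so a later access can be detected, the way KASAN would flag it. */
static void obj_free(struct obj *o) { o->freed = true; }

static void obj_get(struct obj *o) { o->refcnt++; }
static void obj_put(struct obj *o) { if (--o->refcnt == 0) obj_free(o); }

/* Read one per-CPU counter; returns false on a use-after-free. */
static bool obj_read_cpu(const struct obj *o, int cpu, unsigned long *out)
{
    if (o->freed)
        return false;               /* "KASAN: slab-use-after-free Read" */
    *out = o->per_cpu[cpu];
    return true;
}

/* Simulated concurrent teardown: the owner drops its (last) reference
 * while the flush is in the middle of its walk. */
typedef void (*teardown_fn)(struct obj *);
static void owner_drops_last_ref(struct obj *o) { obj_put(o); }

/* Buggy flush: walks a raw pointer without pinning the object itself.
 * If the owner's reference goes away mid-walk, the remaining reads hit
 * freed memory. */
static bool flush_unpinned(struct obj *o, teardown_fn teardown, unsigned long *sum)
{
    unsigned long total = 0, v;
    for (int cpu = 0; cpu < NR_CPUS; cpu++) {
        if (cpu == NR_CPUS / 2 && teardown)
            teardown(o);            /* the race window */
        if (!obj_read_cpu(o, cpu, &v))
            return false;
        total += v;
    }
    *sum = total;
    return true;
}

/* Fixed flush: hold a reference for the entire operation. The owner can
 * still drop its reference mid-walk, but the free is deferred until our
 * own obj_put() at the end. */
static bool flush_pinned(struct obj *o, teardown_fn teardown, unsigned long *sum)
{
    obj_get(o);
    bool ok = flush_unpinned(o, teardown, sum);
    obj_put(o);
    return ok;
}

static struct obj *obj_new(void)
{
    struct obj *o = calloc(1, sizeof(*o));
    if (!o)
        abort();
    o->refcnt = 1;                  /* the owner's reference */
    for (int cpu = 0; cpu < NR_CPUS; cpu++)
        o->per_cpu[cpu] = 10UL * (cpu + 1);   /* constructed: 10,20,30,40 */
    return o;
}

/* Run one scenario; returns true if the flush completed without a UAF.
 * On success *sum holds the flushed total. */
static bool run_scenario(bool pinned, unsigned long *sum)
{
    struct obj *o = obj_new();
    bool ok = pinned ? flush_pinned(o, owner_drops_last_ref, sum)
                     : flush_unpinned(o, owner_drops_last_ref, sum);
    free(o);                        /* release the real backing memory */
    return ok;
}

int main(void)
{
    unsigned long sum = 0;
    printf("unpinned flush: %s\n",
           run_scenario(false, &sum) ? "ok" : "use-after-free detected");
    printf("pinned flush:   %s (sum=%lu)\n",
           run_scenario(true, &sum) ? "ok" : "use-after-free detected", sum);
    return 0;
}
```

The unpinned walk fails as soon as the owner's reference disappears, because nothing the flusher holds keeps the object alive; the pinned walk completes and the object is only freed after the flusher's own put. In the kernel the same guarantee comes from holding the css reference or the RCU read-side section across the whole cgroup_rstat_flush() call, not just across the lookup.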