From: Tetsuo Handa
Subject: Re: [mm/page_alloc or mm/vmscan or mm/zswap] use-after-free in obj_malloc()
Date: Sat, 24 Feb 2024 00:22:03 +0900
To: Sergey Senozhatsky, Alexander Potapenko
Cc: Johannes Weiner, Yosry Ahmed, Nhat Pham, Minchan Kim, linux-mm, kasan-dev, Mark-PK Tsai
Message-ID: <6dd78966-1459-465d-a80a-39b17ecc38a6@I-love.SAKURA.ne.jp>
In-Reply-To: <20240223044356.GJ11472@google.com>

On 2024/02/23 13:43, Sergey Senozhatsky wrote:
> On (24/02/23 11:10), Tetsuo Handa wrote:
>>
>> I can observe this bug during evict_folios() from 6.7.0 to 6.8.0-rc5-00163-gffd2cb6b718e.
>> Since I haven't observed it with 6.6.0, this bug might have been introduced in the 6.7 cycle.
>
> Can we please run a bisect?

Bisection pointed at commit afb2d666d025 ("zsmalloc: use copy_page for full page copy"),
because copy_page() is implemented as non-instrumented code which KMSAN cannot handle.
On x86_64, copy_page() is defined in arch/x86/lib/copy_page_64.S as below.

----------------------------------------
/*
 * Some CPUs run faster using the string copy instructions (sane microcode).
 * It is also a lot simpler. Use this when possible. But, don't use streaming
 * copy unless the CPU indicates X86_FEATURE_REP_GOOD. Could vary the
 * prefetch distance based on SMP/UP.
 */
	ALIGN
SYM_FUNC_START(copy_page)
	ALTERNATIVE "jmp copy_page_regs", "", X86_FEATURE_REP_GOOD
	movl	$4096/8, %ecx
	rep	movsq
	RET
SYM_FUNC_END(copy_page)
EXPORT_SYMBOL(copy_page)
----------------------------------------

To fix this problem, we need to implement copy_page() etc. in a way KMSAN can handle.

Question to KASAN people: Is it possible to add annotation for KMSAN into assembly code?
Do we need to disable the assembly version and force use of the C version when KMSAN is enabled?

>
> There are some zsmalloc patches for 6.8 (mm-unstable), I don't recall
> anything in 6.7.
>
>> ----------------------------------------
>> [    0.000000][    T0] Linux version 6.8.0-rc5-00163-gffd2cb6b718e (root@ubuntu) (Ubuntu clang version 14.0.0-1ubuntu1.1, Ubuntu LLD 14.0.0) #1094 SMP PREEMPT_DYNAMIC Fri Feb 23 01:45:21 UTC 2024
>> [   50.026544][ T2974] =====================================================
>> [   50.030627][ T2974] BUG: KMSAN: use-after-free in obj_malloc+0x6cc/0x7b0
>> [   50.034611][ T2974]  obj_malloc+0x6cc/0x7b0
>> obj_malloc at mm/zsmalloc.c:0
>> [   50.037250][ T2974]  zs_malloc+0xdbd/0x1400
>> zs_malloc at mm/zsmalloc.c:0
>> [   50.039852][ T2974]  zs_zpool_malloc+0xa5/0x1b0
>> zs_zpool_malloc at mm/zsmalloc.c:372
>> [   50.044707][ T2974]  zpool_malloc+0x110/0x150
>> zpool_malloc at mm/zpool.c:258
>> [   50.049607][ T2974]  zswap_store+0x2bbb/0x3d30
>> zswap_store at mm/zswap.c:1637
>> [   50.054463][ T2974]  swap_writepage+0x15b/0x4f0
>> swap_writepage at mm/page_io.c:198
>> [   50.059392][ T2974]  pageout+0x41d/0xef0
>> pageout at mm/vmscan.c:654
>> [   50.064057][ T2974]  shrink_folio_list+0x4d7a/0x7480
>> shrink_folio_list at mm/vmscan.c:1316
>> [   50.069176][ T2974]  evict_folios+0x30f1/0x5170
>> evict_folios at mm/vmscan.c:4521
>> [   50.074082][ T2974]  try_to_shrink_lruvec+0x983/0xd20
>> [   50.079352][ T2974]  shrink_one+0x72d/0xeb0
>> [   50.084061][ T2974]  shrink_many+0x70d/0x10b0
>> [   50.088859][ T2974]  lru_gen_shrink_node+0x577/0x850
>> [   50.094192][ T2974]  shrink_node+0x13d/0x1de0
>> [   50.099028][ T2974]  shrink_zones+0x878/0x14a0
>> [   50.103958][ T2974]  do_try_to_free_pages+0x2ac/0x16a0
>> [   50.109138][ T2974]  try_to_free_pages+0xd9e/0x1910
>> [   50.114190][ T2974]  __alloc_pages_slowpath+0x147a/0x2bd0
>> [   50.119555][ T2974]  __alloc_pages+0xb8c/0x1050
>> [   50.124472][ T2974]  alloc_pages_mpol+0x8e0/0xc80
>> [   50.129367][ T2974]  alloc_pages+0x224/0x240
>> [   50.134022][ T2974]  pipe_write+0xabe/0x2ba0
>> [   50.138632][ T2974]  vfs_write+0xfb0/0x1b80
>> [   50.143171][ T2974]  ksys_write+0x275/0x500
>> [   50.147723][ T2974]  __x64_sys_write+0xdf/0x120
>> [   50.152431][ T2974]  do_syscall_64+0xd1/0x1b0
>> [   50.157106][ T2974]  entry_SYSCALL_64_after_hwframe+0x63/0x6b
>> [   50.162382][ T2974]
>> [   50.165956][ T2974] Uninit was stored to memory at:
>> [   50.170819][ T2974]  obj_malloc+0x70a/0x7b0
>> set_freeobj at mm/zsmalloc.c:476
>> (inlined by) obj_malloc at mm/zsmalloc.c:1333
>> [   50.175341][ T2974]  zs_malloc+0xdbd/0x1400
>> zs_malloc at mm/zsmalloc.c:0
>> [   50.179923][ T2974]  zs_zpool_malloc+0xa5/0x1b0
>> zs_zpool_malloc at mm/zsmalloc.c:372
>> [   50.184636][ T2974]  zpool_malloc+0x110/0x150
>> zpool_malloc at mm/zpool.c:258
>> [   50.189257][ T2974]  zswap_store+0x2bbb/0x3d30
>> zswap_store at mm/zswap.c:1637
>> [   50.193918][ T2974]  swap_writepage+0x15b/0x4f0
>> swap_writepage at mm/page_io.c:198
>> [   50.198615][ T2974]  pageout+0x41d/0xef0
>> pageout at mm/vmscan.c:654
>> [   50.203012][ T2974]  shrink_folio_list+0x4d7a/0x7480
>> shrink_folio_list at mm/vmscan.c:1316
>> [   50.207772][ T2974]  evict_folios+0x30f1/0x5170
>> evict_folios at mm/vmscan.c:4521
>> [   50.212321][ T2974]  try_to_shrink_lruvec+0x983/0xd20
>> [   50.217092][ T2974]  shrink_one+0x72d/0xeb0
>> [   50.221441][ T2974]  shrink_many+0x70d/0x10b0
>> [   50.225891][ T2974]  lru_gen_shrink_node+0x577/0x850
>> [   50.230614][ T2974]  shrink_node+0x13d/0x1de0
>> [   50.235128][ T2974]  shrink_zones+0x878/0x14a0
>> [   50.239646][ T2974]  do_try_to_free_pages+0x2ac/0x16a0
>> [   50.244461][ T2974]  try_to_free_pages+0xd9e/0x1910
>> [   50.249151][ T2974]  __alloc_pages_slowpath+0x147a/0x2bd0
>> [   50.254148][ T2974]  __alloc_pages+0xb8c/0x1050
>> [   50.258679][ T2974]  alloc_pages_mpol+0x8e0/0xc80
>> [   50.263289][ T2974]  alloc_pages+0x224/0x240
>> [   50.267767][ T2974]  pipe_write+0xabe/0x2ba0
>> [   50.272190][ T2974]  vfs_write+0xfb0/0x1b80
>> [   50.276543][ T2974]  ksys_write+0x275/0x500
>> [   50.280931][ T2974]  __x64_sys_write+0xdf/0x120
>> [   50.289451][ T2974]  do_syscall_64+0xd1/0x1b0
>> [   50.303402][ T2974]  entry_SYSCALL_64_after_hwframe+0x63/0x6b
>> [   50.318721][ T2974]
>> [   50.328931][ T2974] Uninit was created at:
>> [   50.341845][ T2974]  free_unref_page_prepare+0x130/0xfc0
>> arch_static_branch_jump at arch/x86/include/asm/jump_label.h:55
>> (inlined by) memcg_kmem_online at include/linux/memcontrol.h:1840
>> (inlined by) free_pages_prepare at mm/page_alloc.c:1096
>> (inlined by) free_unref_page_prepare at mm/page_alloc.c:2346
>> [   50.356492][ T2974]  free_unref_page_list+0x139/0x1050
>> free_unref_page_list at mm/page_alloc.c:2532
>> [   50.370898][ T2974]  shrink_folio_list+0x7139/0x7480
>> list_empty at include/linux/list.h:373
>> (inlined by) list_splice at include/linux/list.h:545
>> (inlined by) shrink_folio_list at mm/vmscan.c:1490
>> [   50.385025][ T2974]  evict_folios+0x30f1/0x5170
>> evict_folios at mm/vmscan.c:4521
>> [   50.398448][ T2974]  try_to_shrink_lruvec+0x983/0xd20
>> [   50.412660][ T2974]  shrink_one+0x72d/0xeb0
>> [   50.425591][ T2974]  shrink_many+0x70d/0x10b0
>> [   50.438827][ T2974]  lru_gen_shrink_node+0x577/0x850
>> [   50.454390][ T2974]  shrink_node+0x13d/0x1de0
>> [   50.479401][ T2974]  shrink_zones+0x878/0x14a0
>> [   50.529610][ T2974]  do_try_to_free_pages+0x2ac/0x16a0
>> [   50.544397][ T2974]  try_to_free_pages+0xd9e/0x1910
>> [   50.559556][ T2974]  __alloc_pages_slowpath+0x147a/0x2bd0
>> [   50.574932][ T2974]  __alloc_pages+0xb8c/0x1050
>> [   50.589024][ T2974]  alloc_pages_mpol+0x8e0/0xc80
>> [   50.603421][ T2974]  alloc_pages+0x224/0x240
>> [   50.616483][ T2974]  pipe_write+0xabe/0x2ba0
>> [   50.629601][ T2974]  vfs_write+0xfb0/0x1b80
>> [   50.643009][ T2974]  ksys_write+0x275/0x500
>> [   50.656157][ T2974]  __x64_sys_write+0xdf/0x120
>> [   50.670080][ T2974]  do_syscall_64+0xd1/0x1b0
>> [   50.683405][ T2974]  entry_SYSCALL_64_after_hwframe+0x63/0x6b
>> [   50.698626][ T2974]
>> ----------------------------------------
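The following user-space toy model illustrates the mechanism the message above describes: KMSAN keeps a shadow byte per data byte, instrumented C stores update that shadow, and a hand-written assembly copy such as the rep movsq path in copy_page_64.S moves the data bytes without touching it, so a destination page that was poisoned at free time still looks uninitialized afterwards. It is an added example, not code from this thread or from the kernel's KMSAN implementation. The 64-byte page, the shadow layout and every helper name (toy_free_page, instrumented_store, copy_page_c, copy_page_asm, copy_page_asm_with_meta, count_uninit, scenario) are this example's own assumptions; the only real kernel symbol it mentions is kmsan_copy_page_meta() from include/linux/kmsan.h, and it does not claim that is the fix adopted for this report.

```c
/*
 * Toy model of why an uninstrumented copy_page() defeats KMSAN.
 * Added example, not kernel code. KMSAN keeps one shadow byte per data byte
 * (0 = initialized, nonzero = uninitialized); instrumented C code updates
 * the shadow next to every store, hand-written assembly does not.
 * Page size, helpers and names below are this example's own assumptions.
 */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TOY_PAGE_SIZE 64   /* toy page, not the real 4096 */
#define TOY_NPAGES    2

static uint8_t mem[TOY_NPAGES * TOY_PAGE_SIZE];     /* "physical" memory  */
static uint8_t shadow[TOY_NPAGES * TOY_PAGE_SIZE];  /* KMSAN-style shadow */

static uint8_t *page(int n)        { return &mem[n * TOY_PAGE_SIZE]; }
static uint8_t *page_shadow(int n) { return &shadow[n * TOY_PAGE_SIZE]; }

/* Freeing a page: KMSAN poisons it. This is the "Uninit was created at:
 * free_unref_page_prepare" origin shown in the report above. */
static void toy_free_page(int n)
{
    memset(page_shadow(n), 1, TOY_PAGE_SIZE);
}

/* One instrumented store: the compiler emits the shadow update alongside it,
 * so the destination byte inherits the initializedness of the value. */
static void instrumented_store(uint8_t *dst, uint8_t val, uint8_t val_shadow)
{
    *dst = val;
    shadow[dst - mem] = val_shadow;
}

/* copy_page() written in C and built with KMSAN: every load and store is
 * instrumented, so the destination shadow follows the source shadow. */
static void copy_page_c(int dst, int src)
{
    for (size_t i = 0; i < TOY_PAGE_SIZE; i++)
        instrumented_store(page(dst) + i, page(src)[i], page_shadow(src)[i]);
}

/* The "rep movsq" path from arch/x86/lib/copy_page_64.S: the bytes move,
 * but KMSAN never sees the stores, so the destination shadow is untouched. */
static void copy_page_asm(int dst, int src)
{
    memcpy(page(dst), page(src), TOY_PAGE_SIZE);
}

/* The shape of a remedy: run the fast copy, then copy the metadata as well.
 * (The real kernel exports kmsan_copy_page_meta() for page metadata; this
 * example does not claim that is the fix adopted for the report above.) */
static void copy_page_asm_with_meta(int dst, int src)
{
    copy_page_asm(dst, src);
    memcpy(page_shadow(dst), page_shadow(src), TOY_PAGE_SIZE);
}

/* What a KMSAN check at a later use site would see: poisoned bytes in page n. */
static int count_uninit(int n)
{
    int poisoned = 0;
    for (size_t i = 0; i < TOY_PAGE_SIZE; i++)
        poisoned += page_shadow(n)[i] != 0;
    return poisoned;
}

/* The sequence from the report: a page freed earlier (poisoned shadow) is
 * reused and filled from a fully initialized page through copy(). Returns
 * how many bytes KMSAN would still consider uninitialized afterwards. */
static int scenario(void (*copy)(int dst, int src))
{
    for (size_t i = 0; i < TOY_PAGE_SIZE; i++)
        instrumented_store(page(0) + i, (uint8_t)i, 0); /* page 0: initialized   */
    toy_free_page(1);                                   /* page 1: freed, poisoned */
    copy(1, 0);
    return count_uninit(1);
}

int main(void)
{
    printf("C copy_page      : %d uninit bytes\n", scenario(copy_page_c));
    printf("asm copy_page    : %d uninit bytes\n", scenario(copy_page_asm));
    printf("asm + shadow copy: %d uninit bytes\n", scenario(copy_page_asm_with_meta));
    return 0;
}
```

The data bytes are identical after all three copies; only the shadow differs. That is why the report blames a use-after-free at a site that read perfectly valid data: the origin KMSAN records is the poisoning done at free time, and nothing between the free and the read told KMSAN the page had since been overwritten.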