Date: Mon, 14 Apr 2025 07:42:30 -1000
From: tj
To: Michal Koutný
Cc: ffhgfv, hannes, cgroups, linux-kernel, linux-mm@kvack.org
Subject: Re: KASAN: slab-use-after-free Read in cgroup_rstat_flush

On Mon, Apr 14, 2025 at 07:40:04PM +0200, Michal Koutný wrote:
> Hello.
>
> On Mon, Apr 07, 2025 at 07:59:58AM -0400, ffhgfv wrote:
> > Hello, I found a bug titled "KASAN: slab-use-after-free Read in cgroup_rstat_flush" with modified syzkaller in Linux 6.14.
> > If you fix this issue, please add the following tag to the commit: Reported-by: Jianzhou Zhao, xingwei lee, Penglei Jiang
> > I use the same kernel as syzbot instance upstream: f6e0150b2003fb2b9265028a618aa1732b3edc8f
> > kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=da4b04ae798b7ef6
> > compiler: gcc version 11.4.0
> >
> > Unfortunately, we do not have a repro.
>
> Thanks for sharing the report.
>
> > ------------[ cut here ]-----------------------------------------
> > TITLE: KASAN: slab-use-after-free Read in cgroup_rstat_flush
> > ==================================================================
> > bridge_slave_0: left allmulticast mode
> > bridge_slave_0: left promiscuous mode
> > bridge0: port 1(bridge_slave_0) entered disabled state
> > ==================================================================
> > BUG: KASAN: slab-use-after-free in cgroup_rstat_cpu kernel/cgroup/rstat.c:19 [inline]
> > BUG: KASAN: slab-use-after-free in cgroup_base_stat_flush kernel/cgroup/rstat.c:422 [inline]
> > BUG: KASAN: slab-use-after-free in cgroup_rstat_flush+0x16ce/0x2180 kernel/cgroup/rstat.c:328
>
> I read this like the struct cgroup is gone when the code tries flushing
> its respective stats (its ->rstat_cpu more precisely).
>
> Namely,
> __mem_cgroup_flush_stats
>   cgroup_rstat_flush(memcg->css.cgroup);
> this reference is taken at cgroup creation in init_and_link_css()
> and released only in css_free_rwork_fn().

Maybe another casualty of the bug fixed by a22b3d54de94 ("cgroup/cpuset: Fix race between newly created partition and dying one")?

Thanks.

--
tejun