Hi Catalin,

First, thank you for maintaining kmemleak, a very useful tool!

I just added linux-mm ML in Cc, I hope that's OK, I didn't know which
list to add.

Recently, our CI validating our MPTCP tree reported a UaF linked to
kmemleak:

> ==================================================================
> BUG: KASAN: use-after-free in __lock_acquire (kernel/locking/lockdep.c:4925)
> Read of size 8 at addr ffff8880288e8738 by task kmemleak/67
> CPU: 0 PID: 67 Comm: kmemleak Tainted: G N 6.2.0-rc2-g1323854aa099 #1
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> Call Trace:
>
> dump_stack_lvl (lib/dump_stack.c:107 (discriminator 4))
> print_address_description.constprop.0 (mm/kasan/report.c:307)
> print_report (mm/kasan/report.c:418)
> ? kasan_addr_to_slab (arch/x86/include/asm/bitops.h:207)
> ? __lock_acquire (kernel/locking/lockdep.c:4925)
> kasan_report (mm/kasan/report.c:184)
> ? __lock_acquire (kernel/locking/lockdep.c:4925)
> __lock_acquire (kernel/locking/lockdep.c:4925)
> ? mark_lock.part.0 (arch/x86/include/asm/bitops.h:228)
> ? debug_object_active_state (lib/debugobjects.c:950)
> lock_acquire (kernel/locking/lockdep.c:466)
> ? kmemleak_scan (mm/kmemleak.c:1527)
> ? mark_held_locks (kernel/locking/lockdep.c:4236)
> ? rcu_read_unlock (include/linux/rcupdate.h:793 (discriminator 5))
> ? lockdep_hardirqs_on_prepare.part.0 (kernel/locking/lockdep.c:466)
> ? __call_rcu_common.constprop.0 (arch/x86/include/asm/irqflags.h:29)
> ? lockdep_hardirqs_on (kernel/locking/lockdep.c:4385)
> ? _raw_spin_lock_irq (include/linux/spinlock_api_smp.h:117)
> _raw_spin_lock_irq (include/linux/spinlock_api_smp.h:120)
> ? kmemleak_scan (mm/kmemleak.c:1527)
> kmemleak_scan (mm/kmemleak.c:1527)
> ? kmemleak_cond_resched (mm/kmemleak.c:1499)
> ? do_ipt_get_ctl (net/ipv4/netfilter/ip_tables.c:850)
> ? kmemleak_scan.cold (mm/kmemleak.c:1703)
> ? kmemleak_scan.cold (mm/kmemleak.c:1703)
> kmemleak_scan_thread (mm/kmemleak.c:1724 (discriminator 2))
> kthread (kernel/kthread.c:376)
> ? kthread_complete_and_exit (kernel/kthread.c:331)
> ret_from_fork (arch/x86/entry/entry_64.S:314)
>
> Allocated by task 15209:
> kasan_save_stack (mm/kasan/common.c:46)
> kasan_set_track (mm/kasan/common.c:52)
> __kasan_slab_alloc (mm/kasan/common.c:328)
> kmem_cache_alloc (include/linux/kasan.h:201)
> __create_object (mm/kmemleak.c:451)
> kmem_cache_alloc_lru (mm/slub.c:3454)
> v9fs_alloc_inode (include/linux/fs.h:3116)
> alloc_inode (fs/inode.c:259)
> iget5_locked (fs/inode.c:1241)
> v9fs_inode_from_fid_dotl (fs/9p/vfs_inode_dotl.c:115)
> v9fs_vfs_lookup.part.0 (fs/9p/v9fs.h:227)
> __lookup_slow (include/linux/dcache.h:359)
> walk_component (include/linux/fs.h:771)
> link_path_walk.part.0.constprop.0 (fs/namei.c:2320)
> path_openat (fs/namei.c:2245 (discriminator 2))
> do_filp_open (fs/namei.c:3741)
> do_sys_openat2 (fs/open.c:1310)
> __x64_sys_openat (fs/open.c:1337)
> do_syscall_64 (arch/x86/entry/common.c:50)
> entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
>
> Freed by task 15:
> kasan_save_stack (mm/kasan/common.c:46)
> kasan_set_track (mm/kasan/common.c:52)
> kasan_save_free_info (mm/kasan/generic.c:520)
> ____kasan_slab_free (mm/kasan/common.c:238)
> slab_free_freelist_hook (mm/slub.c:1807)
> kmem_cache_free (mm/slub.c:3787)
> rcu_do_batch (include/linux/rcupdate.h:330)
> rcu_core (kernel/rcu/tree.c:2508)
> __do_softirq (arch/x86/include/asm/jump_label.h:27)
>
> Last potentially related work creation:
> kasan_save_stack (mm/kasan/common.c:46)
> __kasan_record_aux_stack (mm/kasan/generic.c:488)
> __call_rcu_common.constprop.0 (arch/x86/include/asm/irqflags.h:29)
> slab_free_freelist_hook (include/linux/kmemleak.h:48)
> kmem_cache_free (mm/slub.c:3787)
> rcu_do_batch (include/linux/rcupdate.h:330)
> rcu_core (kernel/rcu/tree.c:2508)
> __do_softirq (arch/x86/include/asm/jump_label.h:27)
>
> Second to last potentially related work creation:
> kasan_save_stack (mm/kasan/common.c:46)
> __kasan_record_aux_stack (mm/kasan/generic.c:488)
> __call_rcu_common.constprop.0 (arch/x86/include/asm/irqflags.h:29)
> slab_free_freelist_hook (include/linux/kmemleak.h:48)
> kmem_cache_free (mm/slub.c:3787)
> mas_destroy (lib/maple_tree.c:5770)
> mas_store_prealloc (lib/maple_tree.c:5701)
> __vma_adjust (mm/mmap.c:783)
> shift_arg_pages (include/linux/mm.h:2793)
> setup_arg_pages (fs/exec.c:832)
> load_elf_binary (fs/binfmt_elf.c:1015 (discriminator 8))
> search_binary_handler (fs/exec.c:1737)
> exec_binprm (fs/exec.c:1778)
> bprm_execve (fs/exec.c:1851)
> do_execveat_common.isra.0 (fs/exec.c:1956)
> __x64_sys_execve (fs/exec.c:2101)
> do_syscall_64 (arch/x86/entry/common.c:50)
> entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
>
> The buggy address belongs to the object at ffff8880288e8720
> which belongs to the cache kmemleak_object of size 240
> The buggy address is located 24 bytes inside of
> 240-byte region [ffff8880288e8720, ffff8880288e8810)
>
> The buggy address belongs to the physical page:
> page:0000000033bd1263 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880288e8720 pfn:0x288e8
> head:0000000033bd1263 order:1 compound_mapcount:0 subpages_mapcount:0 compound_pincount:0
> flags: 0x100000000010200(slab|head|node=0|zone=1)
> raw: 0100000000010200 ffff88800104d400 ffffea0000597910 ffffea00005e3090
> raw: ffff8880288e8720 00000000001a0014 00000001ffffffff 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
> ffff8880288e8600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff8880288e8680: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
>>ffff8880288e8700: fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb
>                                         ^
> ffff8880288e8780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8880288e8800: fb fb fc fc fc fc fc fc fc fc fa fb fb fb fb fb
> ==================================================================

Followed by a few soft lockups, see the attached file.

The full logs are available there:

  https://cirrus-ci.com/task/4706769230888960/

We had this issue in our tree when validating:

  1323854aa099 ("DO-NOT-MERGE: mptcp: enabled by default")

Which was on top of both:

- net-next: a6f536063b69 ("qed: fix a typo in comment")
- net: 0aa7d35f5d00 ("Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue")

Which were on top of Linus tree:

- 50011c32f421 ("Merge tag 'net-6.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net")

Unfortunately, apart from the config file -- also attached to this email
-- we don't have more to share: we are unable to reproduce it so far,
sorry for that.

We wanted to share that with you, just in case it could be useful.
Hopefully this would be more helpful than creating noise! :)

Cheers,
Matt
--
Tessares | Belgium | Hybrid Access Solutions
www.tessares.net
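A small triage helper, added here as an example and not part of the mail, of kmemleak or of KASAN, that pulls the fields a reader first looks at out of a KASAN slab report like the one quoted above: bug kind and faulting function, the access, the cache and the access offset inside the object, and the reliable frames of the Call Trace, allocation and free stacks. The embedded sample is a constructed, trimmed copy of that report; the frame-list and offset logic is an assumption about the report layout, not KASAN's own code.

```python
import re
# Constructed sample: a trimmed copy of the KASAN report quoted in the mail above.
SAMPLE = """\
BUG: KASAN: use-after-free in __lock_acquire (kernel/locking/lockdep.c:4925)
Read of size 8 at addr ffff8880288e8738 by task kmemleak/67
Call Trace:
 ? kmemleak_scan (mm/kmemleak.c:1527)
 kmemleak_scan (mm/kmemleak.c:1527)
 kmemleak_scan_thread (mm/kmemleak.c:1724 (discriminator 2))

Allocated by task 15209:
 __create_object (mm/kmemleak.c:451)

Freed by task 15:
 kmem_cache_free (mm/slub.c:3787)

The buggy address belongs to the object at ffff8880288e8720
 which belongs to the cache kmemleak_object of size 240
"""

HEADER = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\S+) \((?P<loc>[^)]*)\)")
ACCESS = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
OBJECT = re.compile(r"object at (?P<obj>[0-9a-f]+)\s+which belongs to the cache (?P<cache>\S+) of size (?P<objsize>\d+)")
FRAME = re.compile(r"^\s*(?P<unreliable>\? )?(?P<sym>\S+) \(.+\)$")  # '? ' marks an unreliable frame

def frames_after(text, heading):
    """Reliable frame symbols listed under a heading such as 'Freed by task'."""
    _, sep, rest = text.partition(heading)
    syms = []
    for line in (rest.splitlines()[1:] if sep else []):   # [0] is the rest of the heading line
        if not line.strip():          # a blank line ends the stack
            break
        m = FRAME.match(line)
        if m and not m.group("unreliable"):
            syms.append(m.group("sym"))
    return syms

def parse_kasan_report(text):
    """Pull the triage-relevant fields of a KASAN slab report into a dict."""
    h, a, o = HEADER.search(text), ACCESS.search(text), OBJECT.search(text)
    if not (h and a and o):
        raise ValueError("not a KASAN slab report")
    addr, obj, objsize = int(a["addr"], 16), int(o["obj"], 16), int(o["objsize"])
    return {"kind": h["kind"], "func": h["func"], "loc": h["loc"],
            "rw": a["rw"], "size": int(a["size"]), "task": a["task"],
            "cache": o["cache"], "objsize": objsize,
            "offset": addr - obj, "in_object": 0 <= addr - obj < objsize,  # 24, True for the sample
            "trace": frames_after(text, "Call Trace:"),
            "alloc": frames_after(text, "Allocated by task"),
            "free": frames_after(text, "Freed by task")}
```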