Date: Tue, 11 Mar 2025 15:26:59 +0800
Subject: Re: [linux-next:master] [mm/vmalloc] ff6f2b81ea: WARNING:at_kernel/fork.c:#vm_area_init_from
To: Uladzislau Rezki, Andrew Morton
Cc: oe-lkp@lists.linux.dev, lkp@intel.com, Christop Hellwig, linux-mm@kvack.org
References: <202503101629.7289b1-lkp@intel.com>
From: liuye

On 2025/3/11 00:52, Uladzislau Rezki wrote:
> Hello, Andrew, Liu Ye.
>
>>
>> Hello,
>>
>> kernel test robot noticed "WARNING:at_kernel/fork.c:#vm_area_init_from" on:
>>
>> commit: ff6f2b81eaa8a9fe5d158c6e7b1e58d3929c32c1 ("mm/vmalloc: move free_vm_area(area) from the __vmalloc_area_node function to the __vmalloc_node_range_noprof function")
>> https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master
>>
>> [test failed on linux-next/master 0a2f889128969dab41861b6e40111aa03dc57014]
>>
>> in testcase: trinity
>> version:
>> with following parameters:
>>
>> 	runtime: 300s
>> 	group: group-02
>> 	nr_groups: 5
>>
>>
>>
>> config: x86_64-randconfig-101-20250306
>> compiler: gcc-12
>> test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
>>
>> (please refer to attached dmesg/kmsg for entire log/backtrace)
>>
>>
>> +-------------------------------------------------------------+------------+------------+
>> |                                                             | fb8faf4337 | ff6f2b81ea |
>> +-------------------------------------------------------------+------------+------------+
>> | boot_successes                                              | 9          | 0          |
>> | boot_failures                                               | 0          | 6          |
>> | WARNING:at_kernel/fork.c:#vm_area_init_from                 | 0          | 6          |
>> | RIP:vm_area_init_from                                       | 0          | 6          |
>> | BUG:KASAN:slab-use-after-free_in__vmalloc_node_range_noprof | 0          | 5          |
>> | WARNING:at_mm/vmalloc.c:#remove_vm_area                     | 0          | 5          |
>> | RIP:remove_vm_area                                          | 0          | 5          |
>> | kernel_BUG_at_mm/vmalloc.c                                  | 0          | 5          |
>> | Oops:invalid_opcode:#[##]PREEMPT_KASAN                      | 0          | 5          |
>> | RIP:__vmalloc_node_range_noprof                             | 0          | 5          |
>> | Kernel_panic-not_syncing:Fatal_exception                    | 0          | 5          |
>> +-------------------------------------------------------------+------------+------------+
>>
> The patch that is in question, indeed, looks buggy. At least I can see
> how a use-after-free can occur:
>
>
> static void *__vmalloc_area_node(...)
> ...
> fail:
> 	vfree(area->addr);
> 	return NULL;
> }
>
>
>
> ...
> 	ret = __vmalloc_area_node(area, gfp_mask, prot, shift, node);
> 	if (!ret) {
> 		free_vm_area(area);
> 		goto fail;
> 	}
> ...
>
>
> vfree() - __also__ frees "vm_struct" where "area" points to. A NULL is
> returned and free_vm_area() is invoked one more time on already freed
> "area".
>
> Probably it is better to drop the below patch:
>
> ff6f2b81eaa8a9fe5d158c6e7b1e58d3929c32c1 ("mm/vmalloc: move free_vm_area(area) from the __vmalloc_area_node function to the __vmalloc_node_range_noprof function")
>

If we drop this commit, then the two “goto fail;” in the __vmalloc_area_node
function will cause area memory leaks in the __vmalloc_area_node function
when returning.

Perhaps the following changes should be added. If the following changes
should fix all issues I will send a new patch.

diff --git a/mm/vmalloc.c b/mm/vmalloc.c index 61981ee1c9d2..1826f3d70885 100644 --- a/mm/vmalloc.c +++ b/mm/vmalloc.c @@ -3697,7 +3697,7 @@ static void *__vmalloc_area_node(struct vm_struct *= area, gfp_t gfp_mask, warn_alloc(gfp_mask, NULL, "vmalloc error: size %lu, failed to alloc= ate pages", area->nr_pages * PAGE_SIZE); - goto fail; + return NULL; } =20 /* @@ -3725,14 +3725,10 @@ static void *__vmalloc_area_node(struct vm_struct= *area, gfp_t gfp_mask, warn_alloc(gfp_mask, NULL, "vmalloc error: size %lu, failed to map pages", area->nr_pages * PAGE_SIZE); - goto fail; + return NULL; } =20 return area->addr; - -fail: - vfree(area->addr); - return NULL; } =20

Thanks,
Liu Ye

> --
> Uladzislau Rezki
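
Review bot: In the first hunk (@@ -3697,7 +3697,7 @@), the return NULL that replaces goto fail under "failed to allocate pages" leaves whatever was already allocated attached to area. The warning on that path prints area->nr_pages * PAGE_SIZE, so nr_pages can be non-zero here, and the vfree(area->addr) deleted in the second hunk was the only cleanup this exit reached. The caller quoted above only calls free_vm_area(area), and the quoted reply describes vfree() as "__also__" freeing the vm_struct, that is, as doing more than releasing the descriptor. Unless free_vm_area() is shown to release the pages and the page array as well, this exchanges the use-after-free for a leak of the partially allocated pages; consider releasing the pages in this function and handing only the vm_struct back to the caller.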
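
Review bot: In the second hunk (@@ -3725,14 +3725,10 @@), dropping the fail: label changes who owns area on a NULL return, and nothing in the function documents it. After this hunk every visible failure exit is a bare return NULL, so a comment above __vmalloc_area_node() should state that on failure the caller must release area, and the "failed to map pages" exit deserves the same scrutiny as the allocation-failure exit: the message is about mapping pages that already exist, and the deleted vfree(area->addr) was what released them. The follow-up patch should also say in its changelog that it depends on ff6f2b81ea staying applied, since the caller-side free_vm_area(area) is what it relies on.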
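
The ownership question discussed in this thread, as a user-space model added here (it is not kernel code and not from either author). The names model_vfree, model_free_vm_area, model_area_node and run are hypothetical; the model assumes vfree() releases both the pages and the descriptor while free_vm_area() releases only the descriptor, and it counts releases instead of calling free() so a double release is observable.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy stand-in for struct vm_struct. Counters replace real frees so a
 * double release can be observed without undefined behaviour. */
struct area {
    int pages_live;    /* pages attached and not yet released */
    int struct_frees;  /* times the descriptor itself was released */
};

/* Model of vfree(area->addr): releases the pages AND the descriptor. */
static void model_vfree(struct area *a)
{
    a->pages_live = 0;
    a->struct_frees++;
}

/* Model of free_vm_area(area): releases only the descriptor (assumption). */
static void model_free_vm_area(struct area *a) { a->struct_frees++; }

/* Callee failure path: a partial allocation (3 pages, constructed value)
 * followed by failure. callee_cleans selects the "goto fail" behaviour. */
static bool model_area_node(struct area *a, bool callee_cleans)
{
    a->pages_live = 3;
    if (callee_cleans)
        model_vfree(a);
    return false;               /* stands for "return NULL" */
}

/* Caller failure path: caller_frees selects free_vm_area() on failure. */
static struct area run(bool callee_cleans, bool caller_frees)
{
    struct area a = {0, 0};
    if (!model_area_node(&a, callee_cleans) && caller_frees)
        model_free_vm_area(&a);
    return a;
}

int main(void)
{
    struct area both = run(true, true), caller = run(false, true),
                callee = run(true, false);
    printf("both free:   struct_frees=%d pages_live=%d\n", both.struct_frees, both.pages_live);
    printf("caller only: struct_frees=%d pages_live=%d\n", caller.struct_frees, caller.pages_live);
    printf("callee only: struct_frees=%d pages_live=%d\n", callee.struct_frees, callee.pages_live);
    return 0;
}
```

A struct_frees of 2 is the double release behind the reported use-after-free; pages_live staying at 3 with a single descriptor release is what the caller-only convention produces under the stated assumption.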