From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
To: Andrey Konovalov <andreyknvl@gmail.com>
Cc: syzbot <syzbot+e9be5674af5e3a0b9ecc@syzkaller.appspotmail.com>,
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com,
kasan-dev <kasan-dev@googlegroups.com>,
linux-mm <linux-mm@kvack.org>,
bp@alien8.de, dave.hansen@linux.intel.com, hpa@zytor.com,
mingo@redhat.com, tglx@linutronix.de, x86@kernel.org
Subject: Re: [syzbot] [kernel?] KASAN: stack-out-of-bounds Read in __show_regs (2)
Date: Tue, 2 Jul 2024 15:11:12 +0900 [thread overview]
Message-ID: <ec7411af-01ac-4ebd-99ad-98019ff355bf@I-love.SAKURA.ne.jp> (raw)
In-Reply-To: <CA+fCnZdg=o3bA-kBM4UKEftiGfBffWXbqSapje8w25aKUk_4Nw@mail.gmail.com>
On 2024/07/02 0:10, Andrey Konovalov wrote:
> This is weird, because if the metadata is 00, then the memory should
> be accessible and there should be no KASAN report.
>
> Which makes me believe you have some kind of a race in your patch (or
> there's a race in the kernel that your patch somehow exposes).
Yes, I consider that my patch is exposing an existing race, for I can't
find a race in my patch. (Since
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=b96342141183ffa62bfed5998f9b808c84042322
calls get_task_struct() when recording in-use state, report_rtnl_holders()
can't trigger use-after-free even if the thread died. Also, since previous version
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=5210cbe9a47fc5c1f43ba16d481e6335f3e2f345
synchronously calls synchronize_rcu() when clearing in-use state,
report_rtnl_holders() can't trigger use-after-free because the thread
can't die before calling put_rtnl_holder(). The variable "now" cannot be
0, and !cmpxchg(&rtnl_started[idx], 0, now) must serve as a serialization
lock when recording in-use state.)
> At
> least between the moment KASAN detected the issue and the moment the
> reporting procedure got to printing the memory state, the memory state
> changed.
Indeed, the exact line KASAN complained at varies suggests that the
memory state is modified by somebody else.
> As this is stack memory that comes from a vmalloc allocation,
> I suspect the task whose stack had been at that location died, and
> something else got mapped there.
I consider that the task can't die while calling __show_regs() from
report_rtnl_holders().
>
> This is my best guess, I hope it's helpful.
Well, KASAN says "out-of-bounds". But the reported address
BUG: KASAN: stack-out-of-bounds in __show_regs+0x172/0x610
Read of size 8 at addr ffffc90003c4f798 by task kworker/u8:5/234
is within the kernel stack memory mapping
The buggy address belongs to the virtual mapping at
[ffffc90003c48000, ffffc90003c51000) created by:
copy_process+0x5d1/0x3d7
. Why is this "out-of-bounds" ? What boundary did KASAN compare with?
Is this just a race of KASAN detecting a problem and KASAN reporting
that problem? (But as I explained above, it is unlikely that the thread
to be reported can die while processing report_rtnl_holders()...)
next prev parent reply other threads:[~2024-07-02 6:11 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <000000000000a8c856061ae85e20@google.com>
2024-06-25 1:22 ` Tetsuo Handa
2024-07-01 12:43 ` Tetsuo Handa
2024-07-01 15:10 ` Andrey Konovalov
2024-07-02 6:11 ` Tetsuo Handa [this message]
2024-07-02 7:05 ` Tetsuo Handa
[not found] ` <CA+fCnZfxCWZYX-7vJzMcwN4vKguuskk5rGYA2Ntotw=owOZ6Sg@mail.gmail.com>
2024-07-02 15:21 ` Tetsuo Handa
2024-07-07 10:32 ` Tetsuo Handa
2024-08-01 23:39 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ec7411af-01ac-4ebd-99ad-98019ff355bf@I-love.SAKURA.ne.jp \
--to=penguin-kernel@i-love.sakura.ne.jp \
--cc=andreyknvl@gmail.com \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=hpa@zytor.com \
--cc=kasan-dev@googlegroups.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mingo@redhat.com \
--cc=syzbot+e9be5674af5e3a0b9ecc@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox