From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date: Tue, 2 Jul 2024 15:11:12 +0900
Subject: Re: [syzbot] [kernel?] KASAN: stack-out-of-bounds Read in __show_regs (2)
To: Andrey Konovalov
Cc: syzbot, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, kasan-dev, linux-mm, bp@alien8.de, dave.hansen@linux.intel.com, hpa@zytor.com, mingo@redhat.com, tglx@linutronix.de, x86@kernel.org
References: <000000000000a8c856061ae85e20@google.com> <82cf2f25-fd3b-40a2-8d2b-a6385a585601@I-love.SAKURA.ne.jp>

On 2024/07/02 0:10, Andrey Konovalov wrote:
> This is weird, because if the metadata is 00, then the memory should
> be accessible and there should be no KASAN report.
>
> Which makes me believe you have some kind of a race in your patch (or
> there's a race in the kernel that your patch somehow exposes).

Yes, I consider that my patch is exposing an existing race, for I can't find a race in my patch.
(Since https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=b96342141183ffa62bfed5998f9b808c84042322 calls get_task_struct() when recording in-use state, report_rtnl_holders() can't trigger use-after-free even if the thread died. Also, since the previous version https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=5210cbe9a47fc5c1f43ba16d481e6335f3e2f345 synchronously calls synchronize_rcu() when clearing in-use state, report_rtnl_holders() can't trigger use-after-free because the thread can't die before calling put_rtnl_holder(). The variable "now" cannot be 0, and !cmpxchg(&rtnl_started[idx], 0, now) must serve as a serialization lock when recording in-use state.)

> At least between the moment KASAN detected the issue and the moment the
> reporting procedure got to printing the memory state, the memory state
> changed.

Indeed, the fact that the exact line KASAN complained at varies suggests that the memory state is modified by somebody else.

> As this is stack memory that comes from a vmalloc allocation,
> I suspect the task whose stack had been at that location died, and
> something else got mapped there.

I consider that the task can't die while calling __show_regs() from report_rtnl_holders().

> This is my best guess, I hope it's helpful.

Well, KASAN says "out-of-bounds". But the reported address

  BUG: KASAN: stack-out-of-bounds in __show_regs+0x172/0x610
  Read of size 8 at addr ffffc90003c4f798 by task kworker/u8:5/234

is within the kernel stack memory mapping

  The buggy address belongs to the virtual mapping at
   [ffffc90003c48000, ffffc90003c51000) created by:
   copy_process+0x5d1/0x3d7

Why is this "out-of-bounds"? What boundary did KASAN compare with? Is this just a race of KASAN detecting a problem and KASAN reporting that problem? (But as I explained above, it is unlikely that the thread to be reported can die while processing report_rtnl_holders()...)
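To make concrete which "boundary" generic KASAN actually compares against (the shadow byte of the accessed granule, re-read again when the report is assembled, rather than the stack or vmalloc range), here is an added userspace model of the check and bug-type classification. It is written for this note, not kernel code or part of the thread; it assumes the x86_64 shadow constants and reuses the fault address from the quoted report.

```c
/* Added userspace model (not kernel code) of generic KASAN's access check
 * and bug-type classification, using the x86_64 shadow constants. */
#include <stdint.h>
#include <string.h>

#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_GRANULE_SIZE       (1u << KASAN_SHADOW_SCALE_SHIFT)
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_STACK_LEFT    0xF1   /* stack redzone markers F1..F4 */
#define KASAN_STACK_PARTIAL 0xF4
#define FAULT_ADDR 0xffffc90003c4f798ULL   /* from the quoted KASAN report */

/* One shadow byte covers one 8-byte granule of kernel memory. */
static uint64_t kasan_mem_to_shadow(uint64_t addr)
{
	return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Check for an access that stays inside one granule: shadow 0 means the
 * whole granule is accessible, 1..7 that only that many leading bytes are,
 * anything larger is poison (redzone, freed memory, ...). */
static int kasan_access_is_poisoned(uint64_t addr, size_t size, uint8_t shadow)
{
	uint64_t last = (addr + size - 1) & (KASAN_GRANULE_SIZE - 1);
	return shadow != 0 && (shadow >= KASAN_GRANULE_SIZE || last >= shadow);
}

/* The bug type is derived from the shadow byte re-read at report time, not
 * from a stack or vmalloc range.  A value of 0..7 at that point yields plain
 * "out-of-bounds", which the kernel's own comment attributes to a race. */
static const char *kasan_bug_type(uint8_t shadow, uint8_t next_shadow)
{
	if (shadow > 0 && shadow < KASAN_GRANULE_SIZE)
		shadow = next_shadow;   /* partial granule: classify by the next one */
	if (shadow < KASAN_GRANULE_SIZE)
		return "out-of-bounds";
	if (shadow >= KASAN_STACK_LEFT && shadow <= KASAN_STACK_PARTIAL)
		return "stack-out-of-bounds";
	return "unknown-crash";
}

/* Replay the quoted 8-byte read with the shadow byte seen at check time and
 * the (possibly different) one seen when the report is assembled.  The next
 * granule is assumed to carry the same shadow value (simplification). */
static const char *replay(uint8_t shadow_at_check, uint8_t shadow_at_report)
{
	if (!kasan_access_is_poisoned(FAULT_ADDR, 8, shadow_at_check))
		return NULL;            /* accessible: no report at all */
	return kasan_bug_type(shadow_at_report, shadow_at_report);
}
```

A stable redzone byte gives "stack-out-of-bounds"; a byte that has become 00 by the time the report is built still produces a report, but one whose type and memory dump no longer agree with the check that triggered it.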