From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id DDB73CEB2E0 for ; Wed, 2 Oct 2024 17:56:15 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 3DFA16B0419; Wed, 2 Oct 2024 13:56:15 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 38E4A6B041B; Wed, 2 Oct 2024 13:56:15 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 16E526B0419; Wed, 2 Oct 2024 13:56:15 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0012.hostedemail.com [216.40.44.12]) by kanga.kvack.org (Postfix) with ESMTP id D356A6B0414 for ; Wed, 2 Oct 2024 13:56:14 -0400 (EDT) Received: from smtpin30.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay02.hostedemail.com (Postfix) with ESMTP id 64E1E120E0D for ; Wed, 2 Oct 2024 17:56:14 +0000 (UTC) X-FDA: 82629416268.30.6DD61A4 Received: from mx0a-00069f02.pphosted.com (mx0a-00069f02.pphosted.com [205.220.165.32]) by imf04.hostedemail.com (Postfix) with ESMTP id C44C94000C for ; Wed, 2 Oct 2024 17:56:09 +0000 (UTC) Authentication-Results: imf04.hostedemail.com; dkim=pass header.d=oracle.com header.s=corp-2023-11-20 header.b="T8VSWC/y"; dkim=pass header.d=oracle.onmicrosoft.com header.s=selector2-oracle-onmicrosoft-com header.b=z3phtg9z; arc=pass ("microsoft.com:s=arcselector10001:i=1"); dmarc=pass (policy=reject) header.from=oracle.com; spf=pass (imf04.hostedemail.com: domain of lorenzo.stoakes@oracle.com designates 205.220.165.32 as permitted sender) smtp.mailfrom=lorenzo.stoakes@oracle.com ARC-Seal: i=2; s=arc-20220608; d=hostedemail.com; t=1727891665; a=rsa-sha256; cv=pass; b=nS5xU7N5ix2aWtOL9qbBGTXFVe9RSP1qaxqADY2ewep6dxvrhCk62lL8BeyPG4DEeD379P 1Emsn7xuOJUNKl0btLrdA7z1fMDtwNdg48gZtlkXxfNkUbz1Snftz1SPQ/P7qDL4umhHYv LHV5DK4ZDbsXXPrhClKzdvk1iXrCMAo= ARC-Authentication-Results: i=2; imf04.hostedemail.com; dkim=pass header.d=oracle.com header.s=corp-2023-11-20 header.b="T8VSWC/y"; dkim=pass header.d=oracle.onmicrosoft.com header.s=selector2-oracle-onmicrosoft-com header.b=z3phtg9z; arc=pass ("microsoft.com:s=arcselector10001:i=1"); dmarc=pass (policy=reject) header.from=oracle.com; spf=pass (imf04.hostedemail.com: domain of lorenzo.stoakes@oracle.com designates 205.220.165.32 as permitted sender) smtp.mailfrom=lorenzo.stoakes@oracle.com ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1727891665; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=4nd17rFB9avr10NTtvBS7y1ApaU0fMrteSuGyyIkq9Y=; b=E6j93oTWbo98+RxWUGbExtdlZhYUHrHS+ZCcw9JKQQFOnCHTEiIj1kpgsxF1e3zpBFcMOy I6Get3Zpx+cyfajDng6ILNLjhAdTLyLS4gKCrEmXMkA50E8BUhZnnVAZcizh/7SuYd4UJ0 DmK0La0f+gGyuChJBxsx4yjxqVmAjCM= Received: from pps.filterd (m0333521.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 492HfbWg025721; Wed, 2 Oct 2024 17:56:07 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h= date:from:to:cc:subject:message-id:references:content-type :content-transfer-encoding:in-reply-to:mime-version; s= corp-2023-11-20; bh=4nd17rFB9avr10NTtvBS7y1ApaU0fMrteSuGyyIkq9Y=; b= T8VSWC/yNXmptc6lEfpFs+AGeH81GN2X5Ajk0H1xn5QidLOCqDJETPf18YXKosR3 XGEQyoZxsm6dbanbWMidSxsar3954RliiKoq5JgN8DhvurjJ8yNX+gqYpjXnCBpH Py6NymQBJWgWKuKWyb9WiXJlfv850oR3RWb5CAPRoURo8k3fVnSZrXQDmA2+oDTq WJFacJEkR2mnjEJQFXtyYMNkBmCwDx9EX7yzmJmKsHvIQuxKEx8JMa+t5HIehooz 5/xuomREOOID/l6NZtugWh+sNrlISI9y8bYytXGbcLtzvh5P3/+Wroazm1QF8sB/ F6Gf9U9K/pbZO77BSOBulQ== Received: from iadpaimrmta01.imrmtpd1.prodappiadaev1.oraclevcn.com (iadpaimrmta01.appoci.oracle.com [130.35.100.223]) by mx0b-00069f02.pphosted.com (PPS) with ESMTPS id 41x8qba92f-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 02 Oct 2024 17:56:07 +0000 (GMT) Received: from pps.filterd (iadpaimrmta01.imrmtpd1.prodappiadaev1.oraclevcn.com [127.0.0.1]) by iadpaimrmta01.imrmtpd1.prodappiadaev1.oraclevcn.com (8.18.1.2/8.18.1.2) with ESMTP id 492HSTWO012523; Wed, 2 Oct 2024 17:56:05 GMT Received: from nam04-bn8-obe.outbound.protection.outlook.com (mail-bn8nam04lp2045.outbound.protection.outlook.com [104.47.74.45]) by iadpaimrmta01.imrmtpd1.prodappiadaev1.oraclevcn.com (PPS) with ESMTPS id 41x888xx0d-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 02 Oct 2024 17:56:05 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=aLWEcydiYz/d5Fq0KRI1CxpWCcZSNpr+rP7c0e8AJA4czCbrv7fWQHP+6XESQmTyxAr6NYnNDAtaAb1tB6L1qetZWuxnN4HJ8pZXwpJVSev4c5+gjzoaakkRhFrNie2T4xoC8nhGaKZLhjM7AivM7NJWyfyzF2KXCjVmE6sgNgfBKnxGOBL4hF9q75RcV3wkHARchLBrFByhi/HCL45Gc6juq1NDMVnuWL460ja+heLLRKHSOYkwGU3B3A5AOORDVh2giuqlgeZhvM6v6LWMAgt3ko7ht9bxrXaJPmiVLsmHCLsJatQilPbGsep3UV59rPyBIsTSwIxc7un/rqK0rA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=4nd17rFB9avr10NTtvBS7y1ApaU0fMrteSuGyyIkq9Y=; b=tNvJnKQWKLF+dH0sOOU2XvUoBocWhkjhhwXga4BtGaGVzAmsdto3NiKLQrIkoUJHLSTsNbSXDKo5YkGDRCI8Z8a/hkS1ZCAx0H3bJB62HUqu2r8E+lryhIq5cVi9ITabaDC9TidS3s5wFqb0cbPGaVV79/axG/8IQo70RmP2yIiuHH1XifDXznrnIJW3t1aG2dlrpSdfrB202eTqduhT8rsUQHHHZ+rs0p0XFe7AC/OT7yUz55HKcxBPaz5FIJMV489j1FkxLhaORW1IdTHlWs/YotqTiQYoa5TXI3yJrlhoM1UvjiJu7Ifx7cIMO+5u6tZlX/x2pIy7oq8WyD8iyQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=4nd17rFB9avr10NTtvBS7y1ApaU0fMrteSuGyyIkq9Y=; b=z3phtg9zjd9fWhdryJDgwVjQcZum6vhKA74fzl9vHcnFMG8kdUhBDQy6U5ThVCunudvh3AR6BNwFe88IONaQ3s8N+XMCEB99geAEx+4fwknIU4bGakDPOWpiA9ObKZtYFCcOOCbxXE1RkXkqVIK6iNPWKYdQUQy+TPthu+xooio= Received: from SJ0PR10MB5613.namprd10.prod.outlook.com (2603:10b6:a03:3d0::5) by CH0PR10MB5161.namprd10.prod.outlook.com (2603:10b6:610:c3::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8026.15; Wed, 2 Oct 2024 17:56:03 +0000 Received: from SJ0PR10MB5613.namprd10.prod.outlook.com ([fe80::4239:cf6f:9caa:940e]) by SJ0PR10MB5613.namprd10.prod.outlook.com ([fe80::4239:cf6f:9caa:940e%5]) with mapi id 15.20.8026.016; Wed, 2 Oct 2024 17:56:03 +0000 Date: Wed, 2 Oct 2024 18:55:59 +0100 From: Lorenzo Stoakes To: Mikhail Gavrilov Cc: Linux List Kernel Mailing , Linux regressions mailing list , linux-fsdevel@vger.kernel.org, Liam.Howlett@oracle.com, Andrew Morton , Linux Memory Management List Subject: Re: 6.12/BUG: KASAN: slab-use-after-free in m_next at fs/proc/task_mmu.c:187 Message-ID: References: Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: X-ClientProxiedBy: LO4P265CA0123.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:2c6::10) To SJ0PR10MB5613.namprd10.prod.outlook.com (2603:10b6:a03:3d0::5) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: SJ0PR10MB5613:EE_|CH0PR10MB5161:EE_ X-MS-Office365-Filtering-Correlation-Id: 13c20c67-26e7-4255-6795-08dce30b7b1d X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|366016|1800799024|376014|10070799003; X-Microsoft-Antispam-Message-Info: =?utf-8?B?T0hsemNiR1BDMEFnS1BLdjRFOFhPUFZUT0hCWTFodWFCZzV2KzMzTUY1c1hG?= =?utf-8?B?Z1ZvUVNwTTRZSzE0bVNVb1hFcTlvRUI1V3NNWmdHOXMrb1lZNU9pTEhMVE5R?= =?utf-8?B?dUJSTXo5dmR5VWUydzJJTVdiUnFPMkF1bWE2SFRXR1NGUWtmd2FuSEJwTElS?= =?utf-8?B?aTRmdGdkb24rdUdZbVBWQmc3Y1c0VXhjUmdFelhkWUkyZ3ZxejBJR2IweHhQ?= =?utf-8?B?NHNvQ0lUR2JQTE9HYUVNbXU5OXZVaWF4WUpXaU9IcXdrQ0p2bHYzdm1vaU1T?= =?utf-8?B?Ui9iNkNYTnNlVHl1ZnhVMHFpeGptanJlVUJnTW9LRTlKc1NWOWwvTVVXQ01a?= =?utf-8?B?OVpyc2tTQ2x0SEhjZUJEaXU4Mk5EYlFXakRlcjcwQ3RjK1FMSWg2dzdib2RV?= =?utf-8?B?czFKMXVVWDBNU0FROXB1djdKR2ZxbWNabTlHL29nMjZzNUN0dVBYejZYU3VP?= =?utf-8?B?TlZYVGNnK214UWJPZkRaSzNGSHJFcGZGbzNYd0NVU05WZkJ3VDJvZUlmZzNi?= =?utf-8?B?WS9TWjRvaVp2YlVnRUl3RStGM1d1YzhLSkZYakJsU2dHM0xvZmhSVEtjUHcy?= =?utf-8?B?clV6QVFmRnNNZENKdmNhUWJPTUNBNmJNdnZyUTlpZjliNE1nSFphTUhuc0Ju?= =?utf-8?B?S2d6cjRXTTAzYis4VjFUYWdwMmNXQzlLZXBCdXNsVFZwUTdUTEFPUFIyWnYx?= =?utf-8?B?VVRrV1ZLdTQwV2V3RGxiOXp3ckFUVHhpb1htdm9KMkQ1VVJna21meXk4bnNF?= =?utf-8?B?Ukg3ZWVXNkdhcHZ3bEZlZnUrUWg1R21rNkVwZzBqL1JBU1ZXbHNqQmxodUMv?= =?utf-8?B?dGlPVE5qSm84QmdkanFYVmdaWW9JY0liR1NVaXpBSUJEb3lsem1jQU43VGZj?= =?utf-8?B?ZzVXWkRySFEvL1Axd2ZocXZYS3RhMms2RFI1bm43RlRoT0RMcHVETWc5SWh2?= =?utf-8?B?WFBDT1Z3NnNtZDFvdDV0N1BNeUZ0L3ZEYmMvVlRxUlZMdWF1ZXpJQk8yOFRt?= =?utf-8?B?ZE8rOFVTU2JmVTQzUG4zL1NSYmx2OGNxYzRmSjZjTFBYR015dGtLVEZWWUpB?= =?utf-8?B?SDFXazRjSTFPRU4vNUdod3RSWTArcVF3bTFMMm1yT2J5aVdURzRBTkdlVGtK?= =?utf-8?B?NFFaUU1FaDBpNWpGRGg0NTZTUmtXQnRLenA3ekZicjdPejkwQklxS3JJQm9P?= =?utf-8?B?MURabzlwM1ZwVWJpRGhyS1lDVUxzblhjNUtRRVpabU45U0hiQXNCZ1JFcEdu?= =?utf-8?B?THgzZGZVbDA1empRYzNOLzBJYTFVdDVCdDlWWGFRc0U2bG85Z0Q5NWs1ZWUr?= =?utf-8?B?ZEE1ZzBGVkdHNFhkMFZBVVZTb0h1S25hVHppckNXc3ZqRXBpRUtoK2xUQ005?= =?utf-8?B?MEpMaTVqN1NCelgxRHpuSlRxWlNBQnVhbVNIY3g0aFREUVA5bTc2ZTljaFJ5?= =?utf-8?B?MklIRzY4RkxNMENqNWtBaCtnbUF1U09Udk50WDRGV1FMT2dxVGdKbGkxaDRX?= =?utf-8?B?YkRURzlRM1lyK2RtS1VpMm53RDFLWFhTekJkclFPN0ZsWmVLd0pKYUo0U3NQ?= =?utf-8?B?cmJJRmFLc2hkWjk3WFBIa2dSNTZ5bzZXZlMwNXgwb0oraE1HNzM0T01Yam5h?= =?utf-8?Q?65LuDE6PAwq1U94QI3l4RDzAMoOZvwjuzyOnyvUoLcyg=3D?= X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:SJ0PR10MB5613.namprd10.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(366016)(1800799024)(376014)(10070799003);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?c1RhOVRTSVBlUzRDdXZpdzJPandtVHcwaDB4TnpmWGhZYzN2N2JRdEZadm1y?= =?utf-8?B?ZVZsdHFGa21ITDlibmVuOE8yVkJHUzJCQkQrakpETy9MekRGNko1c2RudHVw?= =?utf-8?B?QUYzRHlaY3VFY2VuS21kb3VyUVJTenpyQTg0ZW90T3dCZVU3UlFnZ3l4V2NP?= =?utf-8?B?RS9Ic2I1dzNwRjZCdVRmNTBHNlQ1RG95MnZjaitoNHQ2U3ZGbVNpRUo3WXVk?= =?utf-8?B?RFg4VkF6d2NOUzk2YU9VQ0gzdnhHZmdvdkJmNG9NL0hud1pteW1EdkV0VEFm?= =?utf-8?B?VWtMZFpCSWdMc04vYlhMeE5SaUNYVFhFbllFUmFKaTh6OU53NnU2SnNUaVdh?= =?utf-8?B?MU8yVmhLTTFQVHpmbmJNMUk4ekJuL3k3RG0wUm52d3ZwdkJTTksyd0FtNVBn?= =?utf-8?B?MTVzSFNjUVpmQ0JWdGlZSlBzR2ZWZGl4OWxPdk9TVWRnQ1NYTmZsNnJsTUt3?= =?utf-8?B?OTBtSDlzcE8yMUhMY2g0QTZpNkg5bFRzdGRHODhhTGdJOFJiNEdqbElCZmpx?= =?utf-8?B?MUxDMG4yQXk0dHlqV3prL1VxVERhL0VlMjZlNDg3R2pEYjlibXplL1hobXEw?= =?utf-8?B?c1JuRnA1YXpQOHV2U2thZlVBMUhjc1JPeEV4aDhCRE1pamorR3YxZmRtamtG?= =?utf-8?B?dGt2UGR2cms2NzAwRXJJT29ENlNXM2xKNmJaajVxMCtvRkp4M2lrbUlmcy9Q?= =?utf-8?B?NUVjeVJ0cEhiTmE2aysrMUhvRUNDS3V6L2s1YTNyZkpVY3lSOUUyaXRpay9H?= =?utf-8?B?cm02cndrZkV5WEQrVER4Qm96cUxxNVJzc2NYZW51YVBxa2I0S2MvM0VzV2FE?= =?utf-8?B?S24yNHU3SWZiaXg5dWprdnNIMUVGeW9KT2xRbEE4ZjhHQ2hHenFYNitReWU5?= =?utf-8?B?NUpJMnA3djkxZmVjbENCQWdpeGFGcnlqVFJLYkwwZUMxWUpwYlFJTDdpUGIr?= =?utf-8?B?ZlNqODArMTdXODJrMk0xeHgvVXFPeXJsa29NWmU1aHlhSGhjTW5mbGF5VFBs?= =?utf-8?B?RC9lTHc4bURMU0F1aWM3dW5nVDZEVjhqVzh4TlZJV1JkSUR1SGtYd1JSb2Vz?= =?utf-8?B?eXYzT3gzQXdyejFPdFRTUFZXMEpFNnhDWFBWdEhhSVdHNXlROGJmODNmSFhX?= =?utf-8?B?VnVVRkp4MHNidTByTmpoM3pNUmFSV2Z5eWt6Szhqb0FQWENOektKTlBTa3RD?= =?utf-8?B?Sk9CcTc0ZldSV2g3NjlmY2syZnp2bmluTVlxL3pYM3cycHRSQnk4TU1WanhH?= =?utf-8?B?TmoweXpsdmtRRG9EOWlJTjFNYVJITDZNcFBvOVBwc1l2UHVnQkFYZjBYa0Vo?= =?utf-8?B?Ym5vcWpCUm1Fb3ZmbnU0Njd3ZWtJZ05NWkhnV1hLMzFYR1Z1NlVtODQ5aTRw?= =?utf-8?B?MXo0ZUFLLytEajR0TVRpdGdFbUxqR0FJa2Z3YTFNUjRCbFNTdGg5b1Rqd2Nx?= =?utf-8?B?MmdqTkZBTG9wVVNsNzh4VUltaFFHSHBKR0tmVmcvUktlVk11MGhRaUVGc3Ex?= =?utf-8?B?cXZZU2Mxem9jM0pVcEpydmFBdjZscWxiWmdLZkRLbk01cHdIZVB4c1Q4ZFF0?= =?utf-8?B?dnNQajQ2NXVTWXNoUXAzL3JDem5WQTg4d1dXT3gzSlNCSGV4SzNXWjZMLy9q?= =?utf-8?B?QklxdHZjeUNuQUdIVVJxc0NPc3Y3THo2aFJFdDdza0MwL1g4WmpHLzJEUldL?= =?utf-8?B?ZXJ3bjgwcDJ0OGJ6Qnl2TTFEZ2libHpEUFhFbERoOEJhc2lzNVV1WEl0emZI?= =?utf-8?B?aWVqdnZwditWSE5zU0JXeEdXbXVMRWF5UzRnNCszanRUSE52QnJBVTlnMmUz?= =?utf-8?B?UHNtVWpyUVROQU9YNmROSGFYUWhiS2NPYkRBSEhZekFKcm5IMkl5TXg3WFN5?= =?utf-8?B?VkMzQU9QRlZ1RlJWSVhUejVEaHovcXhFRmJUTkZvVzlnMk9vYTVrUmsvU2Va?= =?utf-8?B?SHlObFV1Qk41aVBzR1lQSmNXb1pidmhYUUw2OTlXWkN0OHFLbXhKcnp5eHBM?= =?utf-8?B?ejIybE8zK2crdldUOUtMa3FBa2xwV29HUlprSHZtWWNMaE9LZFVXbStKdFNB?= =?utf-8?B?b2tIcUFtQlFFM2FLVTVCNDlnZzJkaitwNEl3Y3ZNZjdrRzZhWmcxMVRRa3pi?= =?utf-8?B?RGMvWFNHcHA0RnptMlhsYmxSZVRNQmhCY3UvTkdBdGxpQ1h6anFJNWZVUlhq?= =?utf-8?B?Q2pBa3FGa2J3ZjI2Rk5WR3NIcVhiQ3V1ZG1KODRCaGNjSzRWMUpKUnJoVjBh?= =?utf-8?B?dlJUZDQvbFI2ZFBwYjNKNjZEK3F3PT0=?= X-MS-Exchange-AntiSpam-ExternalHop-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-ExternalHop-MessageData-0: MIkh2hYda6MK7J77WPaegTCw2/74dLa3F1IZZ/qePCP6VCKcjwsgeiqRSfSORjqPi8EWo+etwfEMM4FFkUTUpOWkslWMjwyfvghIIPt1cXoxoNrbZ69RLFHuXDpjV4rxpo1gXs6eOA59VJ9SujBz0T4HG9fFvrzOqDRRNAKItVycAmtf54veNLLxwIMK7+EqhU415uSjAaagrqlLdQOlv4WLJCyYt2ECzXunT96xwYRgPAPMXyC14PPLvxEsDGixuweDcuQm/r/xmi4AAqi4TMRelZ71gmJLPVBhNx8Z8Lv1FD1a3cFXK6A0bYEU6TptDsq6ZV214QxN1FjcJWE3XISW7W0OzDmxbAxATYMUD0o9M0UhuaAjFV7+At5HUu0ACdDw2i7uhdaIAbgUIpYrrlDHnl4eYYAFZUQDHJ7KM/+j0YqWHL5dtWMcIIH6+TQeSBEHqy8L68CeQl0EUd520mu3oHiflAWDoiIKF2N2nO6RLDLpwkrViEnClZJNDDdaVnKkd6R/zfuMXz3IzqQWKHLI+1GiXsO3zwcD53y76GrGf3cjE0s9ayg8mRPH2/GeSEY4mJjJdsmlphJKhnuy+6H0A9xK/Piqh0KYC02QuvQ= X-OriginatorOrg: oracle.com X-MS-Exchange-CrossTenant-Network-Message-Id: 13c20c67-26e7-4255-6795-08dce30b7b1d X-MS-Exchange-CrossTenant-AuthSource: SJ0PR10MB5613.namprd10.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 02 Oct 2024 17:56:03.2083 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: g40WwT8fomiFu6GZxfaPvfgF6hREqcn9rprq4kIvCaSX+ujHOPSi5eEZERWbFZKaJP6NA8z7O/+xZwDTa0KTbMPPUNB2wMTMXeg/VxrkOUM= X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH0PR10MB5161 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1051,Hydra:6.0.680,FMLib:17.12.62.30 definitions=2024-10-02_18,2024-09-30_01,2024-09-30_01 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxlogscore=999 phishscore=0 malwarescore=0 mlxscore=0 spamscore=0 suspectscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2408220000 definitions=main-2410020129 X-Proofpoint-GUID: mtPrtIJ1v5Sagpny1XWVPNE-rt7i3bMV X-Proofpoint-ORIG-GUID: mtPrtIJ1v5Sagpny1XWVPNE-rt7i3bMV X-Rspamd-Server: rspam12 X-Rspamd-Queue-Id: C44C94000C X-Stat-Signature: ipgyahuqdrc8ht9w96hxrdesim9rru3h X-Rspam-User: X-HE-Tag: 1727891769-577412 X-HE-Meta: U2FsdGVkX19j75AijpdlAWasgrtm4YXwzmF3p3I+ZHreb+a16qYq/zdKTAJ6CR7ONPATOwnHlzIxdjjgNVML9DmyIpO/SR47C57nUNLXBLngidOaQ4bOwCXAdzDUTe9/cxZdx5zzw8SGXPZ3W0Y8xOQV9lXRpDZZX+4XpMoPUlJq5egoDdRzVr1r0wamXIoaGmQMo0DtSc49N/npHZ7rpzEpFiQfl0qf4wtkXVpuXS7TPLXdYY1nv2qyDR8fVIEtoO7rlwNxjAEpLMbwd7WpbqNt5p/h33Zs87sBLTEEyNvxhL7JsTWYPgjaykQLH2O3WAmdvW2alqVUcgCGieQXAcBhXPhQ2IQqsxZIpXLJ1yiH/kSKQcX3fIrQQgu5fXFm+wD5Fu/GwxevCybGa20sA0RtA7DRwnHWyIb7TdJgfP8YQZPC31nC8NI5xAJHxtUA5MbTBDxpHvAy4wK7XLgRIBKuHNlK4LRS9ZNvie0p0jyUPXA8NbeZ6U05S7Ymx97ApFqA/Kul1hDGjYz5/Ax8y45ssfDj2o8hoC4Ao8bGU+xZv48Am1QYngzaTQiQzjNLO9fR8tP3cBGSr/3qITimG8myIQdi3G7D5MExjxEL5wcSoraWt++3AoragkWCHweaSTavVAf1SuREebgN8B67mDQZgAlfVzEeHLFVGP0pRhSEn+kE4xsLM8LLJ2viku8SVuqgNn4r3rmxSx6N/wwzCDoSLjp8UGRCiYIptQaPcVQZCtvA4tZ+0fHLfE6EVHW1ATFGwrh6Tp4QyR7Q/PzurdxVWG8gc9jFadPQ/8Gjy++SkOOMmm3TGKpIzUYrbkM7JujMyhcTNfE9983rZ1neQn1D6SNwWhR+YBDA4IK8cPdaCSJQL132Pwv+Zk33ryonutPl5x8qTvy7xcp3w2fbttF+5keBj6Yj5RIb527aUZmDG8YZT36Kw7YUfjbRzDTYqh5GweWzSdwWrpnUYYI /7ggxuFK 0EfCRZXftWujjMWCEmDZn0itQ4I8mtsUprLZnsYYEMfNU4bKtlDOYMq9uvxQXfmMZAKgoUsSZ/xQH7nreDM80NYwtH1vRGYqh80B0t5Fnq58N1wqZ5P781act9HduFi4Vk82tjbGfMEbc4cAF4fWK1oIfNPHYbR7i83BIzhp2ez50gGOu9To8dql4iwOPYT5/g/pPUJuOdFxcBHRUfHm+Cq7AnwnYpWzhYnWnqplph5HQ+75Z8zXcmpbk6gTg0qyyHhhXYwyHDRms9JuLfgOYdIt4aJg3trJT0uqjyVTBV4UQ5bQ0LCShG1N+Mdb5S+RURSDEY7JMYmzPWt7k4XlbTsVn9B6HDo0lsmwRFmxBQS2kBwCIoUj1OD+3wydaGw7V5AptUxh9s5F4v/ztYNpWhdIujFq23kgbsQFxBILeKS5Dkzz37K1NPxHEz0SDa+eznOH3ca1vTRNztHnDIEmT/utmWxHb6+9NY8JVNJGN1Njjfyd8X4CRHsa2MrLxFatQK9oRsA+QazGaltNSLoona/K6voVEqmDZN2AsseD1h93DzQ2jMNyYN9tj/v5guui0iOCtSd4C2ajxWR/FqD7XJwnxkuHkskWOGp6TuzVfZKG2d5ww6kGB4d0x1500Ob1vpk0tnQQGIYdzSjlvm/ARuEtUxJxm28HMYP+f9dhFEYQcVNxdonw6Eu8Zf0kC3br1X0ubSFQuvV3iWDm/1MXNAPJk79P9A2F6U2F5HyVR1Bt/wsYSaaQt/1NrncUwzg4hHpC1H4S1VRc2y2lv+rsphnjDkfWYceRBc1HHmDFTOL4qPGn6ngWSRslB2QC0kn1oH9QucBRBRBg/Pgo7G66V4myWQCwb8UZ7QLQ02MhShd6/rzB4jhZCmwr46/henKMdRpJlUTVdYvylgwB7YAooYH3nnsZDugJD8p2oGe9pTEWmnRtT/6sOPV8T41tcg52+2krTR0cxpASocZ1x1E7G3f7y3R7T TrspoRE4 wcRvXh5aOYjc6Iv4l053hg== X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: Thanks for your report! On Wed, Oct 02, 2024 at 10:34:32PM GMT, Mikhail Gavrilov wrote: > On Wed, Sep 25, 2024 at 3:28 AM Mikhail Gavrilov > wrote: > > > > Hi, > > I am testing kernel snapshots on Fedora Rawhide and Today with build > > on commit de5cb0dcb74c I saw for the first time "KASAN: > > slab-use-after-free in m_next+0x13b". > > Unfortunately it is not clear what triggered this problem because it > > happened after 21 hour uptime. > > > > Full trace looks like: > > input: Noble FoKus Mystique (AVRCP) as /devices/virtual/input/input26 > > ================================================================== > > BUG: KASAN: slab-use-after-free in m_next+0x13b/0x170 > > Read of size 8 at addr ffff8885609b40f0 by task htop/3847 > > > > CPU: 14 UID: 1000 PID: 3847 Comm: htop Tainted: G W L > > ------- --- 6.12.0-0.rc0.20240923gitde5cb0dcb74c.9.fc42.x86_64+debug > > #1 > > Tainted: [W]=WARN, [L]=SOFTLOCKUP > > Hardware name: ASUS System Product Name/ROG STRIX B650E-I GAMING WIFI, > > BIOS 3040 09/12/2024 > > Call Trace: > > > > dump_stack_lvl+0x84/0xd0 > > ? m_next+0x13b/0x170 > > print_report+0x174/0x505 > > ? m_next+0x13b/0x170 > > ? __virt_addr_valid+0x231/0x420 > > ? m_next+0x13b/0x170 > > kasan_report+0xab/0x180 > > ? m_next+0x13b/0x170 > > m_next+0x13b/0x170 > > seq_read_iter+0x8e5/0x1130 > > seq_read+0x2b4/0x3c0 > > ? __pfx_seq_read+0x10/0x10 > > ? inode_security+0x54/0xf0 > > ? rw_verify_area+0x3b2/0x5e0 > > vfs_read+0x165/0xa20 > > ? __pfx_vfs_read+0x10/0x10 > > ? ktime_get_coarse_real_ts64+0x41/0xd0 > > ? local_clock_noinstr+0xd/0x100 > > ? __pfx_lock_release+0x10/0x10 > > ksys_read+0xfb/0x1d0 > > ? __pfx_ksys_read+0x10/0x10 > > ? ktime_get_coarse_real_ts64+0x41/0xd0 > > do_syscall_64+0x97/0x190 > > ? __lock_acquire+0xdcd/0x62c0 > > ? __pfx___lock_acquire+0x10/0x10 > > ? __pfx___lock_acquire+0x10/0x10 > > ? __pfx___lock_acquire+0x10/0x10 > > ? audit_filter_inodes.part.0+0x12d/0x220 > > ? local_clock_noinstr+0xd/0x100 > > ? __pfx_lock_release+0x10/0x10 > > ? rcu_is_watching+0x12/0xc0 > > ? kfree+0x27c/0x4d0 > > ? audit_reset_context+0x8c5/0xee0 > > ? lockdep_hardirqs_on_prepare+0x171/0x400 > > ? do_syscall_64+0xa3/0x190 > > ? lockdep_hardirqs_on+0x7c/0x100 > > ? do_syscall_64+0xa3/0x190 > > ? do_syscall_64+0xa3/0x190 > > entry_SYSCALL_64_after_hwframe+0x76/0x7e > > RIP: 0033:0x7f4190dcac36 > > Code: 89 df e8 2d c1 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 15 > > 83 e2 39 83 fa 08 75 0d e8 32 ff ff ff 66 90 48 8b 45 10 0f 05 <48> 8b > > 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08 > > RSP: 002b:00007ffcde82b690 EFLAGS: 00000202 ORIG_RAX: 0000000000000000 > > RAX: ffffffffffffffda RBX: 00007f4190ce3740 RCX: 00007f4190dcac36 > > RDX: 0000000000000400 RSI: 000055bf5e823a20 RDI: 0000000000000005 > > RBP: 00007ffcde82b6a0 R08: 0000000000000000 R09: 0000000000000000 > > R10: 0000000000000000 R11: 0000000000000202 R12: 00007f4190f44fd0 > > R13: 00007f4190f44e80 R14: 000055bf5e823e20 R15: 000055bf5ecc9160 > > > > > > Allocated by task 176289: > > kasan_save_stack+0x30/0x50 > > kasan_save_track+0x14/0x30 > > __kasan_slab_alloc+0x6e/0x70 > > kmem_cache_alloc_noprof+0x15a/0x3d0 > > vm_area_dup+0x23/0x190 > > __split_vma+0x137/0xd40 > > vms_gather_munmap_vmas+0x29d/0xfc0 > > mmap_region+0x35a/0x1f50 > > do_mmap+0x8e7/0x1020 > > vm_mmap_pgoff+0x178/0x2f0 > > __do_fast_syscall_32+0x86/0x110 > > do_fast_syscall_32+0x32/0x80 > > sysret32_from_system_call+0x0/0x4a > > > > Freed by task 0: > > kasan_save_stack+0x30/0x50 > > kasan_save_track+0x14/0x30 > > kasan_save_free_info+0x3b/0x70 > > __kasan_slab_free+0x37/0x50 > > kmem_cache_free+0x1a7/0x5a0 > > rcu_do_batch+0x3fd/0x1120 > > rcu_core+0x636/0x9b0 > > handle_softirqs+0x1e9/0x8d0 > > __irq_exit_rcu+0xbb/0x1c0 > > irq_exit_rcu+0xe/0x30 > > sysvec_apic_timer_interrupt+0xa1/0xd0 > > asm_sysvec_apic_timer_interrupt+0x1a/0x20 > > > > Last potentially related work creation: > > kasan_save_stack+0x30/0x50 > > __kasan_record_aux_stack+0x8e/0xa0 > > __call_rcu_common.constprop.0+0xf4/0x10d0 > > vma_complete+0x720/0x10b0 > > commit_merge+0x42a/0x1310 > > vma_expand+0x313/0xad0 > > vma_merge_new_range+0x2cd/0xec0 > > mmap_region+0x432/0x1f50 > > do_mmap+0x8e7/0x1020 > > vm_mmap_pgoff+0x178/0x2f0 > > __do_fast_syscall_32+0x86/0x110 > > do_fast_syscall_32+0x32/0x80 > > sysret32_from_system_call+0x0/0x4a > > > > The buggy address belongs to the object at ffff8885609b40f0 > > which belongs to the cache vm_area_struct of size 176 > > The buggy address is located 0 bytes inside of > > freed 176-byte region [ffff8885609b40f0, ffff8885609b41a0) > > > > The buggy address belongs to the physical page: > > page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5609b4 > > head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 > > memcg:ffff88814d36d001 > > flags: 0x17ffffc0000040(head|node=0|zone=2|lastcpupid=0x1fffff) > > page_type: f5(slab) > > raw: 0017ffffc0000040 ffff888108113d40 dead000000000100 dead000000000122 > > raw: 0000000000000000 0000000000220022 00000001f5000000 ffff88814d36d001 > > head: 0017ffffc0000040 ffff888108113d40 dead000000000100 dead000000000122 > > head: 0000000000000000 0000000000220022 00000001f5000000 ffff88814d36d001 > > head: 0017ffffc0000001 ffffea0015826d01 ffffffffffffffff 0000000000000000 > > head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000 > > page dumped because: kasan: bad access detected > > > > Memory state around the buggy address: > > ffff8885609b3f80: 00 00 00 00 00 00 00 00 00 00 00 00task_mmu 00 00 00 00 > > ffff8885609b4000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > > >ffff8885609b4080: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fa fb > > ^ > > ffff8885609b4100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > > ffff8885609b4180: fb fb fb fb fc fc fc fc fc fc fc fc 00 00 00 00 > > ================================================================== > > Disabling lock debugging due to kernel taint > > > > > sh /usr/src/kernels/(uname -r)/scripts/faddr2line /lib/debug/lib/modules/(uname -r)/vmlinux m_next+0x13b > > m_next+0x13b/0x170: > > proc_get_vma at fs/proc/task_mmu.c:136 > > (inlined by) m_next at fs/proc/task_mmu.c:187 > > > > > cat -n /usr/src/debug/kernel-6.11-8833-gde5cb0dcb74c/linux-6.12.0-0.rc0.20240923gitde5cb0dcb74c.9.fc42.x86_64/fs/proc/task_mmu.c | sed -n '182,192 p' > > 182 { > > 183 if (*ppos == -2UL) { > > 184 *ppos = -1UL; > > 185 return NULL; > > 186 } > > 187 return proc_get_vma(m->private, ppos); > > 188 } > > 189 > > 190 static void m_stop(struct seq_file *m, void *v) > > 191 { > > 192 struct proc_maps_private *priv = m->private; > > > > > git blame fs/proc/task_mmu.c -L 182,192 > > Blaming lines: 100% (11/11), done. > > a6198797cc3fd (Matt Mackall 2008-02-04 22:29:03 -0800 182) { > > c4c84f06285e4 (Matthew Wilcox (Oracle) 2022-09-06 19:48:57 +0000 183) > > if (*ppos == -2UL) { > > c4c84f06285e4 (Matthew Wilcox (Oracle) 2022-09-06 19:48:57 +0000 184) > > *ppos = -1UL; > > c4c84f06285e4 (Matthew Wilcox (Oracle) 2022-09-06 19:48:57 +0000 185) > > return NULL; > > c4c84f06285e4 (Matthew Wilcox (Oracle) 2022-09-06 19:48:57 +0000 186) } > > c4c84f06285e4 (Matthew Wilcox (Oracle) 2022-09-06 19:48:57 +0000 187) > > return proc_get_vma(m->private, ppos); > > a6198797cc3fd (Matt Mackall 2008-02-04 22:29:03 -0800 188) } > > a6198797cc3fd (Matt Mackall 2008-02-04 22:29:03 -0800 189) > > a6198797cc3fd (Matt Mackall 2008-02-04 22:29:03 -0800 190) > > static void m_stop(struct seq_file *m, void *v) > > a6198797cc3fd (Matt Mackall 2008-02-04 22:29:03 -0800 191) { > > a6198797cc3fd (Matt Mackall 2008-02-04 22:29:03 -0800 192) > > struct proc_maps_private *priv = m->private; > > > > Hmm this line hasn't changed for two years. > > > > Machine spec: https://linux-hardware.org/?probe=323b76ce48 > > I attached below full kernel log and build config. > > > > Can anyone figure out what happened or should we wait for the second > > manifestation of this issue? > > > > Finally I spotted that this issue is caused by the Steam client. > And usually happens after downloading game updates. > Looks like Steam client runs some post update scripts which cause > slab-use-after-free in m_next. Yeah similar issue being investigated elsewhere, See https://lore.kernel.org/all/c63a64a9-cdee-4586-85ba-800e8e1a8054@lucifer.local/ for latest update. This is ongoing, but also steam, also this commit and also related to steam update doing something strange, so strange I literally can't repro locally :) but Bert in that thread can. We can reliably repro it with CONFIG_DEBUG_VM_MAPLE_TREE, CONFIG_DEBUG_VM, and CONFIG_DEBUG_MAPLE_TREE set, if you set these you should see a report more quickly (let us know if you do). Also note that there is a critical error handling fix in https://lore.kernel.org/linux-mm/20241002073932.13482-1-lorenzo.stoakes@oracle.com/ Which should get hotfixed soon. > > Git bisect found the first bad commit: > commit f8d112a4e657c65c888e6b8a8435ef61a66e4ab8 (HEAD) > Author: Liam R. Howlett > Date: Fri Aug 30 00:00:54 2024 -0400 > > mm/mmap: avoid zeroing vma tree in mmap_region() > > Instead of zeroing the vma tree and then overwriting the area, let the > area be overwritten and then clean up the gathered vmas using > vms_complete_munmap_vmas(). > > To ensure locking is downgraded correctly, the mm is set regardless of > MAP_FIXED or not (NULL vma). > > If a driver is mapping over an existing vma, then clear the ptes before > the call_mmap() invocation. This is done using the vms_clean_up_area() > helper. If there is a close vm_ops, that must also be called to ensure > any cleanup is done before mapping over the area. This also means that > calling open has been added to the abort of an unmap operation, for now. > > Since vm_ops->open() and vm_ops->close() are not always undo each other > (state cleanup may exist in ->close() that is lost forever), the code > cannot be left in this way, but that change has been isolated to another > commit to make this point very obvious for traceability. > > Temporarily keep track of the number of pages that will be removed and > reduce the charged amount. > > This also drops the validate_mm() call in the vma_expand() function. It > is necessary to drop the validate as it would fail since the mm map_count > would be incorrect during a vma expansion, prior to the cleanup from > vms_complete_munmap_vmas(). > > Clean up the error handing of the vms_gather_munmap_vmas() by calling the > verification within the function. > > Link: https://lkml.kernel.org/r/20240830040101.822209-15-Liam.Howlett@oracle.com > Signed-off-by: Liam R. Howlett > Reviewed-by: Lorenzo Stoakes > Cc: Bert Karwatzki > Cc: Jeff Xu > Cc: Jiri Olsa > Cc: Kees Cook > Cc: Lorenzo Stoakes > Cc: Mark Brown > Cc: Matthew Wilcox > Cc: "Paul E. McKenney" > Cc: Paul Moore > Cc: Sidhartha Kumar > Cc: Suren Baghdasaryan > Cc: Vlastimil Babka > Signed-off-by: Andrew Morton > > mm/mmap.c | 57 +++++++++++++++++++++++++++------------------------------ > mm/vma.c | 54 ++++++++++++++++++++++++++++++++++++++++++------------ > mm/vma.h | 22 ++++++++++++++++------ > 3 files changed, 85 insertions(+), 48 deletions(-) > > -- > Best Regards, > Mike Gavrilov.