Hi, Linux kernel crypto maintainers,

I encountered a KASAN use-after-free report on the 6.12 kernel. It happened when executing the LTP test case (./testcases/bin/pcrypt_aead01):
https://github.com/linux-test-project/ltp/blob/master/testcases/kernel/crypto/pcrypt_aead01.c

This problem is very easy to reproduce in v6.12. While I was trying to solve it, I pulled the latest code, and now I am on 6.13-rc1. The problem no longer occurs; I don't know what happened, and I didn't see any commits that solved my problem when I looked through the commits. I am curious whether this problem has been solved.

Attached is the KASAN report:

[   50.449417] ==================================================================
[   50.449427] BUG: KASAN: slab-use-after-free in padata_find_next+0x2d6/0x3f0
[   50.449443] Read of size 4 at addr ffff88881b726424 by task kworker/u157:1/775
[   50.449451]
[   50.449457] CPU: 28 UID: 0 PID: 775 Comm: kworker/u157:1 Kdump: loaded Tainted: G            E      6.12.0+ #35
[   50.449470] Tainted: [E]=UNSIGNED_MODULE
[   50.449474] Hardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.20192059.B64.2207280713 07/28/2022
[   50.449481] Workqueue: pdecrypt_parallel padata_parallel_worker
[   50.449492] Call Trace:
[   50.449496]  <TASK>
[   50.449501]  dump_stack_lvl+0x5d/0x80
[   50.449513]  ? padata_find_next+0x2d6/0x3f0
[   50.449520]  print_report+0x174/0x505
[   50.449532]  ? __pfx_rt_spin_lock+0x10/0x10
[   50.449542]  ? padata_find_next+0x2d6/0x3f0
[   50.449548]  kasan_report+0xe0/0x160
[   50.449559]  ? padata_find_next+0x2d6/0x3f0
[   50.449566]  padata_find_next+0x2d6/0x3f0
[   50.449572]  ? queue_work_on+0x4c/0x80
[   50.449585]  padata_reorder+0x1cc/0x400
[   50.449593]  padata_parallel_worker+0x70/0x160
[   50.449600]  process_one_work+0x646/0xeb0
[   50.449609]  worker_thread+0x619/0x10e0
[   50.449617]  ? __kthread_parkme+0x86/0x140
[   50.449626]  ? __pfx_worker_thread+0x10/0x10
[   50.449633]  kthread+0x28d/0x350
[   50.449640]  ? recalc_sigpending+0x12e/0x1b0
[   50.449651]  ? __pfx_kthread+0x10/0x10
[   50.449658]  ret_from_fork+0x31/0x70
[   50.449668]  ? __pfx_kthread+0x10/0x10
[   50.449675]  ret_from_fork_asm+0x1a/0x30
[   50.449686]  </TASK>
[   50.449690]
[   50.449692] Allocated by task 12827:
[   50.449698]  kasan_save_stack+0x30/0x50
[   50.449705]  kasan_save_track+0x14/0x30
[   50.449711]  __kasan_kmalloc+0xaa/0xb0
[   50.449717]  padata_alloc_pd+0x69/0x9f0
[   50.449722]  padata_alloc_shell+0x82/0x210
[   50.449728]  pcrypt_create+0x13b/0x7a0 [pcrypt]
[   50.449738]  cryptomgr_probe+0x8d/0x230
[   50.449747]  kthread+0x28d/0x350
[   50.449753]  ret_from_fork+0x31/0x70
[   50.449760]  ret_from_fork_asm+0x1a/0x30
[   50.449766]
[   50.449768] Freed by task 154:
[   50.449772]  kasan_save_stack+0x30/0x50
[   50.449778]  kasan_save_track+0x14/0x30
[   50.449784]  kasan_save_free_info+0x3b/0x70
[   50.449793]  __kasan_slab_free+0x4f/0x70
[   50.449800]  kfree+0x119/0x440
[   50.449808]  padata_free_shell+0x262/0x320
[   50.449814]  pcrypt_free+0x43/0x90 [pcrypt]
[   50.449821]  crypto_destroy_instance_workfn+0x79/0xc0
[   50.449832]  process_one_work+0x646/0xeb0
[   50.449837]  worker_thread+0x619/0x10e0
[   50.449842]  kthread+0x28d/0x350
[   50.449848]  ret_from_fork+0x31/0x70
[   50.449855]  ret_from_fork_asm+0x1a/0x30
[   50.449862]
[   50.449863] The buggy address belongs to the object at ffff88881b726400
                which belongs to the cache kmalloc-192 of size 192
[   50.449870] The buggy address is located 36 bytes inside of
                freed 192-byte region [ffff88881b726400, ffff88881b7264c0)
[   50.449878]
[   50.449880] The buggy address belongs to the physical page:
[   50.449884] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x81b726
[   50.449892] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   50.449898] flags: 0x50000000000040(head|node=1|zone=2)
[   50.449906] page_type: f5(slab)
[   50.449914] raw: 0050000000000040 ffff88810004c3c0 dead000000000122 0000000000000000
[   50.449922] raw: 0000000000000000 0000000080200020 00000001f5000000 0000000000000000
[   50.449928] head: 0050000000000040 ffff88810004c3c0 dead000000000122 0000000000000000
[   50.449934] head: 0000000000000000 0000000080200020 00000001f5000000 0000000000000000
[   50.449939] head: 0050000000000001 ffffea00206dc981 ffffffffffffffff 0000000000000000
[   50.449945] head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
[   50.449948] page dumped because: kasan: bad access detected
[   50.449951]
[   50.449953] Memory state around the buggy address:
[   50.449957]  ffff88881b726300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   50.449963]  ffff88881b726380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   50.449967] >ffff88881b726400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   50.449971]                                ^
[   50.449975]  ffff88881b726480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   50.449979]  ffff88881b726500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   50.449982] ==================================================================