6.12/BUG: KASAN: slab-use-after-free in m_next at fs/proc/task_mmu.c:187

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi,
I am testing kernel snapshots on Fedora Rawhide and Today with build
on commit de5cb0dcb74c I saw for the first time "KASAN:
slab-use-after-free in m_next+0x13b".
Unfortunately it is not clear what triggered this problem because it
happened after 21 hour uptime.

Full trace looks like:
input: Noble FoKus Mystique (AVRCP) as /devices/virtual/input/input26
==================================================================
BUG: KASAN: slab-use-after-free in m_next+0x13b/0x170
Read of size 8 at addr ffff8885609b40f0 by task htop/3847

CPU: 14 UID: 1000 PID: 3847 Comm: htop Tainted: G        W    L
-------  ---  6.12.0-0.rc0.20240923gitde5cb0dcb74c.9.fc42.x86_64+debug
#1
Tainted: [W]=WARN, [L]=SOFTLOCKUP
Hardware name: ASUS System Product Name/ROG STRIX B650E-I GAMING WIFI,
BIOS 3040 09/12/2024
Call Trace:
 <TASK>
 dump_stack_lvl+0x84/0xd0
 ? m_next+0x13b/0x170
 print_report+0x174/0x505
 ? m_next+0x13b/0x170
 ? __virt_addr_valid+0x231/0x420
 ? m_next+0x13b/0x170
 kasan_report+0xab/0x180
 ? m_next+0x13b/0x170
 m_next+0x13b/0x170
 seq_read_iter+0x8e5/0x1130
 seq_read+0x2b4/0x3c0
 ? __pfx_seq_read+0x10/0x10
 ? inode_security+0x54/0xf0
 ? rw_verify_area+0x3b2/0x5e0
 vfs_read+0x165/0xa20
 ? __pfx_vfs_read+0x10/0x10
 ? ktime_get_coarse_real_ts64+0x41/0xd0
 ? local_clock_noinstr+0xd/0x100
 ? __pfx_lock_release+0x10/0x10
 ksys_read+0xfb/0x1d0
 ? __pfx_ksys_read+0x10/0x10
 ? ktime_get_coarse_real_ts64+0x41/0xd0
 do_syscall_64+0x97/0x190
 ? __lock_acquire+0xdcd/0x62c0
 ? __pfx___lock_acquire+0x10/0x10
 ? __pfx___lock_acquire+0x10/0x10
 ? __pfx___lock_acquire+0x10/0x10
 ? audit_filter_inodes.part.0+0x12d/0x220
 ? local_clock_noinstr+0xd/0x100
 ? __pfx_lock_release+0x10/0x10
 ? rcu_is_watching+0x12/0xc0
 ? kfree+0x27c/0x4d0
 ? audit_reset_context+0x8c5/0xee0
 ? lockdep_hardirqs_on_prepare+0x171/0x400
 ? do_syscall_64+0xa3/0x190
 ? lockdep_hardirqs_on+0x7c/0x100
 ? do_syscall_64+0xa3/0x190
 ? do_syscall_64+0xa3/0x190
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f4190dcac36
Code: 89 df e8 2d c1 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 15
83 e2 39 83 fa 08 75 0d e8 32 ff ff ff 66 90 48 8b 45 10 0f 05 <48> 8b
5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08
RSP: 002b:00007ffcde82b690 EFLAGS: 00000202 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 00007f4190ce3740 RCX: 00007f4190dcac36
RDX: 0000000000000400 RSI: 000055bf5e823a20 RDI: 0000000000000005
RBP: 00007ffcde82b6a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 00007f4190f44fd0
R13: 00007f4190f44e80 R14: 000055bf5e823e20 R15: 000055bf5ecc9160
 </TASK>

Allocated by task 176289:
 kasan_save_stack+0x30/0x50
 kasan_save_track+0x14/0x30
 __kasan_slab_alloc+0x6e/0x70
 kmem_cache_alloc_noprof+0x15a/0x3d0
 vm_area_dup+0x23/0x190
 __split_vma+0x137/0xd40
 vms_gather_munmap_vmas+0x29d/0xfc0
 mmap_region+0x35a/0x1f50
 do_mmap+0x8e7/0x1020
 vm_mmap_pgoff+0x178/0x2f0
 __do_fast_syscall_32+0x86/0x110
 do_fast_syscall_32+0x32/0x80
 sysret32_from_system_call+0x0/0x4a

Freed by task 0:
 kasan_save_stack+0x30/0x50
 kasan_save_track+0x14/0x30
 kasan_save_free_info+0x3b/0x70
 __kasan_slab_free+0x37/0x50
 kmem_cache_free+0x1a7/0x5a0
 rcu_do_batch+0x3fd/0x1120
 rcu_core+0x636/0x9b0
 handle_softirqs+0x1e9/0x8d0
 __irq_exit_rcu+0xbb/0x1c0
 irq_exit_rcu+0xe/0x30
 sysvec_apic_timer_interrupt+0xa1/0xd0
 asm_sysvec_apic_timer_interrupt+0x1a/0x20

Last potentially related work creation:
 kasan_save_stack+0x30/0x50
 __kasan_record_aux_stack+0x8e/0xa0
 __call_rcu_common.constprop.0+0xf4/0x10d0
 vma_complete+0x720/0x10b0
 commit_merge+0x42a/0x1310
 vma_expand+0x313/0xad0
 vma_merge_new_range+0x2cd/0xec0
 mmap_region+0x432/0x1f50
 do_mmap+0x8e7/0x1020
 vm_mmap_pgoff+0x178/0x2f0
 __do_fast_syscall_32+0x86/0x110
 do_fast_syscall_32+0x32/0x80
 sysret32_from_system_call+0x0/0x4a

The buggy address belongs to the object at ffff8885609b40f0
 which belongs to the cache vm_area_struct of size 176
The buggy address is located 0 bytes inside of
 freed 176-byte region [ffff8885609b40f0, ffff8885609b41a0)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5609b4
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff88814d36d001
flags: 0x17ffffc0000040(head|node=0|zone=2|lastcpupid=0x1fffff)
page_type: f5(slab)
raw: 0017ffffc0000040 ffff888108113d40 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000220022 00000001f5000000 ffff88814d36d001
head: 0017ffffc0000040 ffff888108113d40 dead000000000100 dead000000000122
head: 0000000000000000 0000000000220022 00000001f5000000 ffff88814d36d001
head: 0017ffffc0000001 ffffea0015826d01 ffffffffffffffff 0000000000000000
head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8885609b3f80: 00 00 00 00 00 00 00 00 00 00 00 00task_mmu 00 00 00 00
 ffff8885609b4000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8885609b4080: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fa fb
                                                             ^
 ffff8885609b4100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8885609b4180: fb fb fb fb fc fc fc fc fc fc fc fc 00 00 00 00
==================================================================
Disabling lock debugging due to kernel taint

> sh /usr/src/kernels/(uname -r)/scripts/faddr2line /lib/debug/lib/modules/(uname -r)/vmlinux m_next+0x13b
m_next+0x13b/0x170:
proc_get_vma at fs/proc/task_mmu.c:136
(inlined by) m_next at fs/proc/task_mmu.c:187

> cat -n /usr/src/debug/kernel-6.11-8833-gde5cb0dcb74c/linux-6.12.0-0.rc0.20240923gitde5cb0dcb74c.9.fc42.x86_64/fs/proc/task_mmu.c | sed -n '182,192 p'
   182 {
   183 if (*ppos == -2UL) {
   184 *ppos = -1UL;
   185 return NULL;
   186 }
   187 return proc_get_vma(m->private, ppos);
   188 }
   189
   190 static void m_stop(struct seq_file *m, void *v)
   191 {
   192 struct proc_maps_private *priv = m->private;

> git blame fs/proc/task_mmu.c -L 182,192
Blaming lines: 100% (11/11), done.
a6198797cc3fd (Matt Mackall            2008-02-04 22:29:03 -0800 182) {
c4c84f06285e4 (Matthew Wilcox (Oracle) 2022-09-06 19:48:57 +0000 183)
 if (*ppos == -2UL) {
c4c84f06285e4 (Matthew Wilcox (Oracle) 2022-09-06 19:48:57 +0000 184)
         *ppos = -1UL;
c4c84f06285e4 (Matthew Wilcox (Oracle) 2022-09-06 19:48:57 +0000 185)
         return NULL;
c4c84f06285e4 (Matthew Wilcox (Oracle) 2022-09-06 19:48:57 +0000 186)   }
c4c84f06285e4 (Matthew Wilcox (Oracle) 2022-09-06 19:48:57 +0000 187)
 return proc_get_vma(m->private, ppos);
a6198797cc3fd (Matt Mackall            2008-02-04 22:29:03 -0800 188) }
a6198797cc3fd (Matt Mackall            2008-02-04 22:29:03 -0800 189)
a6198797cc3fd (Matt Mackall            2008-02-04 22:29:03 -0800 190)
static void m_stop(struct seq_file *m, void *v)
a6198797cc3fd (Matt Mackall            2008-02-04 22:29:03 -0800 191) {
a6198797cc3fd (Matt Mackall            2008-02-04 22:29:03 -0800 192)
 struct proc_maps_private *priv = m->private;

Hmm this line hasn't changed for two years.

Machine spec: https://linux-hardware.org/?probe=323b76ce48
I attached below full kernel log and build config.

Can anyone figure out what happened or should we wait for the second
manifestation of this issue?

-- 
Best Regards,
Mike Gavrilov.

Attachment: 6.12.0-0.rc0.20240923gitde5cb0dcb74c.9.fc42-BUG-KASAN-slab-use-after-free-in-m_next.zip
Description: Zip archive

Attachment: .config.zip
Description: Zip archive

[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [NTFS 3]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [NTFS 3]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux