[linux-next:master] [slub] 3a34e8ea62: BUG:KASAN:slab-use-after-free_in_kmem_cache_rcu_uaf

Hello,

kernel test robot noticed "BUG:KASAN:slab-use-after-free_in_kmem_cache_rcu_uaf" on:

commit: 3a34e8ea62cdeba64a66fa4489059c59ba4ec285 ("slub: Introduce CONFIG_SLUB_RCU_DEBUG")
https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master

[test failed on linux-next/master c79c85875f1af04040fe4492ed94ce37ad729c4d]

in testcase: kunit
version: 
with following parameters:

	group: group-00



compiler: gcc-12
test machine: 36 threads 1 sockets Intel(R) Core(TM) i9-10980XE CPU @ 3.00GHz (Cascade Lake) with 128G memory

(please refer to attached dmesg/kmsg for entire log/backtrace)



If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <oliver.sang@xxxxxxxxx>
| Closes: https://lore.kernel.org/oe-lkp/202408251741.4ce3b34e-oliver.sang@xxxxxxxxx


The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20240825/202408251741.4ce3b34e-oliver.sang@xxxxxxxxx


kern  :err   : [  359.476745] ==================================================================
kern  :err   : [  359.479027] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x377/0x490 [kasan_test]
kern  :err   : [  359.480349] Read of size 1 at addr ffff888361948840 by task kunit_try_catch/4608

kern  :err   : [  359.482361] CPU: 29 UID: 0 PID: 4608 Comm: kunit_try_catch Tainted: G    B            N 6.11.0-rc2-00010-g3a34e8ea62cd #1
kern  :err   : [  359.484487] Tainted: [B]=BAD_PAGE, [N]=TEST
kern  :err   : [  359.485478] Hardware name: Gigabyte Technology Co., Ltd. X299 UD4 Pro/X299 UD4 Pro-CF, BIOS F8a 04/27/2021
kern  :err   : [  359.486969] Call Trace:
kern  :err   : [  359.487837]  <TASK>
kern  :err   : [  359.488673]  dump_stack_lvl+0x53/0x70
kern  :err   : [  359.489634]  print_address_description+0x2c/0x3a0
kern  :err   : [  359.490788]  ? kmem_cache_rcu_uaf+0x377/0x490 [kasan_test]
kern  :err   : [  359.491900]  print_report+0xb9/0x2b0
kern  :err   : [  359.492830]  ? kasan_addr_to_slab+0xd/0xb0
kern  :err   : [  359.493806]  ? kmem_cache_rcu_uaf+0x377/0x490 [kasan_test]
kern  :err   : [  359.494882]  kasan_report+0xe8/0x120
kern  :err   : [  359.495797]  ? kmem_cache_rcu_uaf+0x377/0x490 [kasan_test]
kern  :err   : [  359.496862]  kmem_cache_rcu_uaf+0x377/0x490 [kasan_test]
kern  :err   : [  359.497927]  ? __pfx_kmem_cache_rcu_uaf+0x10/0x10 [kasan_test]
kern  :err   : [  359.499020]  ? __schedule+0x7ec/0x1950
kern  :err   : [  359.499929]  ? ktime_get_ts64+0x7f/0x230
kern  :err   : [  359.500843]  kunit_try_run_case+0x1b0/0x490
kern  :err   : [  359.501772]  ? __pfx_kunit_try_run_case+0x10/0x10
kern  :err   : [  359.502735]  ? set_cpus_allowed_ptr+0x85/0xc0
kern  :err   : [  359.503662]  ? __pfx_set_cpus_allowed_ptr+0x10/0x10
kern  :err   : [  359.504629]  ? __pfx_kunit_try_run_case+0x10/0x10
kern  :err   : [  359.505579]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
kern  :err   : [  359.506640]  kunit_generic_run_threadfn_adapter+0x7d/0xe0
kern  :err   : [  359.507642]  kthread+0x2d8/0x3c0
kern  :err   : [  359.508468]  ? __pfx_kthread+0x10/0x10
kern  :err   : [  359.509337]  ret_from_fork+0x31/0x70
kern  :err   : [  359.510185]  ? __pfx_kthread+0x10/0x10
kern  :err   : [  359.511042]  ret_from_fork_asm+0x1a/0x30
kern  :err   : [  359.511912]  </TASK>

kern  :err   : [  359.513276] Allocated by task 4608:
kern  :warn  : [  359.514082]  kasan_save_stack+0x33/0x60
kern  :warn  : [  359.514917]  kasan_save_track+0x14/0x30
kern  :warn  : [  359.515748]  __kasan_slab_alloc+0x89/0x90
kern  :warn  : [  359.516595]  kmem_cache_alloc_noprof+0x10e/0x380
kern  :warn  : [  359.517499]  kmem_cache_rcu_uaf+0x10d/0x490 [kasan_test]
kern  :warn  : [  359.518464]  kunit_try_run_case+0x1b0/0x490
kern  :warn  : [  359.519323]  kunit_generic_run_threadfn_adapter+0x7d/0xe0
kern  :warn  : [  359.520274]  kthread+0x2d8/0x3c0
kern  :warn  : [  359.521040]  ret_from_fork+0x31/0x70
kern  :warn  : [  359.521825]  ret_from_fork_asm+0x1a/0x30

kern  :err   : [  359.523201] Freed by task 0:
kern  :warn  : [  359.523891]  kasan_save_stack+0x33/0x60
kern  :warn  : [  359.524646]  kasan_save_track+0x14/0x30
kern  :warn  : [  359.525384]  kasan_save_free_info+0x3b/0x60
kern  :warn  : [  359.526154]  __kasan_slab_free+0x51/0x70
kern  :warn  : [  359.526901]  slab_free_after_rcu_debug+0xf8/0x2a0
kern  :warn  : [  359.527711]  rcu_do_batch+0x388/0xde0
kern  :warn  : [  359.528433]  rcu_core+0x419/0xea0
kern  :warn  : [  359.529120]  handle_softirqs+0x1d3/0x630
kern  :warn  : [  359.529858]  __irq_exit_rcu+0x125/0x170
kern  :warn  : [  359.530584]  sysvec_apic_timer_interrupt+0x6f/0x90
kern  :warn  : [  359.531389]  asm_sysvec_apic_timer_interrupt+0x1a/0x20

kern  :err   : [  359.532754] Last potentially related work creation:
kern  :warn  : [  359.533562]  kasan_save_stack+0x33/0x60
kern  :warn  : [  359.534283]  __kasan_record_aux_stack+0xad/0xc0
kern  :warn  : [  359.535063]  kmem_cache_free+0x337/0x4c0
kern  :warn  : [  359.535794]  kmem_cache_rcu_uaf+0x14b/0x490 [kasan_test]
kern  :warn  : [  359.536644]  kunit_try_run_case+0x1b0/0x490
kern  :warn  : [  359.537394]  kunit_generic_run_threadfn_adapter+0x7d/0xe0
kern  :warn  : [  359.538244]  kthread+0x2d8/0x3c0
kern  :warn  : [  359.538917]  ret_from_fork+0x31/0x70
kern  :warn  : [  359.539616]  ret_from_fork_asm+0x1a/0x30

kern  :err   : [  359.540850] The buggy address belongs to the object at ffff888361948840
                               which belongs to the cache test_cache of size 200
kern  :err   : [  359.542668] The buggy address is located 0 bytes inside of
                               freed 200-byte region [ffff888361948840, ffff888361948908)

kern  :err   : [  359.545021] The buggy address belongs to the physical page:
kern  :warn  : [  359.545911] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x361948
kern  :warn  : [  359.547012] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
kern  :warn  : [  359.548094] flags: 0x17ffffc0000040(head|node=0|zone=2|lastcpupid=0x1fffff)
kern  :warn  : [  359.549131] page_type: 0xfdffffff(slab)
kern  :warn  : [  359.549918] raw: 0017ffffc0000040 ffff88821419ca00 dead000000000122 0000000000000000
kern  :warn  : [  359.551034] raw: 0000000000000000 00000000801f001f 00000001fdffffff 0000000000000000
kern  :warn  : [  359.552151] head: 0017ffffc0000040 ffff88821419ca00 dead000000000122 0000000000000000
kern  :warn  : [  359.553278] head: 0000000000000000 00000000801f001f 00000001fdffffff 0000000000000000
kern  :warn  : [  359.554406] head: 0017ffffc0000001 ffffea000d865201 ffffffffffffffff 0000000000000000
kern  :warn  : [  359.555532] head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
kern  :warn  : [  359.556660] page dumped because: kasan: bad access detected

kern  :err   : [  359.558233] Memory state around the buggy address:
kern  :err   : [  359.559130]  ffff888361948700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
kern  :err   : [  359.560238]  ffff888361948780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
kern  :err   : [  359.561344] >ffff888361948800: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
kern  :err   : [  359.562451]                                            ^
kern  :err   : [  359.563410]  ffff888361948880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
kern  :err   : [  359.564535]  ffff888361948900: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
kern  :err   : [  359.565661] ==================================================================
kern  :info  : [  359.982162]     ok 38 kmem_cache_rcu_uaf



-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki




