Re: [linux-next:master] [slub] 3a34e8ea62: BUG:KASAN:slab-use-after-free_in_kmem_cache_rcu_uaf

On 8/25/24 11:45, kernel test robot wrote:
> Hello,
> 
> kernel test robot noticed "BUG:KASAN:slab-use-after-free_in_kmem_cache_rcu_uaf" on:
> 
> commit: 3a34e8ea62cdeba64a66fa4489059c59ba4ec285 ("slub: Introduce CONFIG_SLUB_RCU_DEBUG")
> https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master
> 
> [test failed on linux-next/master c79c85875f1af04040fe4492ed94ce37ad729c4d]
> 
> in testcase: kunit
> version: 
> with following parameters:
> 
> 	group: group-00
> 
> 
> 
> compiler: gcc-12
> test machine: 36 threads 1 sockets Intel(R) Core(TM) i9-10980XE CPU @ 3.00GHz (Cascade Lake) with 128G memory
> 
> (please refer to attached dmesg/kmsg for entire log/backtrace)

It seems to me the kunit test produces the expected output and kasan doesn't
suppress dmesg output in kunit test context? So lkp probably already has all
the other kasan tests in some kind of allow filter, and this one would need
to be added as well?

> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot <oliver.sang@xxxxxxxxx>
> | Closes: https://lore.kernel.org/oe-lkp/202408251741.4ce3b34e-oliver.sang@xxxxxxxxx
> 
> 
> The kernel config and materials to reproduce are available at:
> https://download.01.org/0day-ci/archive/20240825/202408251741.4ce3b34e-oliver.sang@xxxxxxxxx
> 
> 
> kern  :err   : [  359.476745] ==================================================================
> kern  :err   : [  359.479027] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x377/0x490 [kasan_test]
> kern  :err   : [  359.480349] Read of size 1 at addr ffff888361948840 by task kunit_try_catch/4608
> 
> kern  :err   : [  359.482361] CPU: 29 UID: 0 PID: 4608 Comm: kunit_try_catch Tainted: G    B            N 6.11.0-rc2-00010-g3a34e8ea62cd #1
> kern  :err   : [  359.484487] Tainted: [B]=BAD_PAGE, [N]=TEST
> kern  :err   : [  359.485478] Hardware name: Gigabyte Technology Co., Ltd. X299 UD4 Pro/X299 UD4 Pro-CF, BIOS F8a 04/27/2021
> kern  :err   : [  359.486969] Call Trace:
> kern  :err   : [  359.487837]  <TASK>
> kern  :err   : [  359.488673]  dump_stack_lvl+0x53/0x70
> kern  :err   : [  359.489634]  print_address_description+0x2c/0x3a0
> kern  :err   : [  359.490788]  ? kmem_cache_rcu_uaf+0x377/0x490 [kasan_test]
> kern  :err   : [  359.491900]  print_report+0xb9/0x2b0
> kern  :err   : [  359.492830]  ? kasan_addr_to_slab+0xd/0xb0
> kern  :err   : [  359.493806]  ? kmem_cache_rcu_uaf+0x377/0x490 [kasan_test]
> kern  :err   : [  359.494882]  kasan_report+0xe8/0x120
> kern  :err   : [  359.495797]  ? kmem_cache_rcu_uaf+0x377/0x490 [kasan_test]
> kern  :err   : [  359.496862]  kmem_cache_rcu_uaf+0x377/0x490 [kasan_test]
> kern  :err   : [  359.497927]  ? __pfx_kmem_cache_rcu_uaf+0x10/0x10 [kasan_test]
> kern  :err   : [  359.499020]  ? __schedule+0x7ec/0x1950
> kern  :err   : [  359.499929]  ? ktime_get_ts64+0x7f/0x230
> kern  :err   : [  359.500843]  kunit_try_run_case+0x1b0/0x490
> kern  :err   : [  359.501772]  ? __pfx_kunit_try_run_case+0x10/0x10
> kern  :err   : [  359.502735]  ? set_cpus_allowed_ptr+0x85/0xc0
> kern  :err   : [  359.503662]  ? __pfx_set_cpus_allowed_ptr+0x10/0x10
> kern  :err   : [  359.504629]  ? __pfx_kunit_try_run_case+0x10/0x10
> kern  :err   : [  359.505579]  ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
> kern  :err   : [  359.506640]  kunit_generic_run_threadfn_adapter+0x7d/0xe0
> kern  :err   : [  359.507642]  kthread+0x2d8/0x3c0
> kern  :err   : [  359.508468]  ? __pfx_kthread+0x10/0x10
> kern  :err   : [  359.509337]  ret_from_fork+0x31/0x70
> kern  :err   : [  359.510185]  ? __pfx_kthread+0x10/0x10
> kern  :err   : [  359.511042]  ret_from_fork_asm+0x1a/0x30
> kern  :err   : [  359.511912]  </TASK>
> 
> kern  :err   : [  359.513276] Allocated by task 4608:
> kern  :warn  : [  359.514082]  kasan_save_stack+0x33/0x60
> kern  :warn  : [  359.514917]  kasan_save_track+0x14/0x30
> kern  :warn  : [  359.515748]  __kasan_slab_alloc+0x89/0x90
> kern  :warn  : [  359.516595]  kmem_cache_alloc_noprof+0x10e/0x380
> kern  :warn  : [  359.517499]  kmem_cache_rcu_uaf+0x10d/0x490 [kasan_test]
> kern  :warn  : [  359.518464]  kunit_try_run_case+0x1b0/0x490
> kern  :warn  : [  359.519323]  kunit_generic_run_threadfn_adapter+0x7d/0xe0
> kern  :warn  : [  359.520274]  kthread+0x2d8/0x3c0
> kern  :warn  : [  359.521040]  ret_from_fork+0x31/0x70
> kern  :warn  : [  359.521825]  ret_from_fork_asm+0x1a/0x30
> 
> kern  :err   : [  359.523201] Freed by task 0:
> kern  :warn  : [  359.523891]  kasan_save_stack+0x33/0x60
> kern  :warn  : [  359.524646]  kasan_save_track+0x14/0x30
> kern  :warn  : [  359.525384]  kasan_save_free_info+0x3b/0x60
> kern  :warn  : [  359.526154]  __kasan_slab_free+0x51/0x70
> kern  :warn  : [  359.526901]  slab_free_after_rcu_debug+0xf8/0x2a0
> kern  :warn  : [  359.527711]  rcu_do_batch+0x388/0xde0
> kern  :warn  : [  359.528433]  rcu_core+0x419/0xea0
> kern  :warn  : [  359.529120]  handle_softirqs+0x1d3/0x630
> kern  :warn  : [  359.529858]  __irq_exit_rcu+0x125/0x170
> kern  :warn  : [  359.530584]  sysvec_apic_timer_interrupt+0x6f/0x90
> kern  :warn  : [  359.531389]  asm_sysvec_apic_timer_interrupt+0x1a/0x20
> 
> kern  :err   : [  359.532754] Last potentially related work creation:
> kern  :warn  : [  359.533562]  kasan_save_stack+0x33/0x60
> kern  :warn  : [  359.534283]  __kasan_record_aux_stack+0xad/0xc0
> kern  :warn  : [  359.535063]  kmem_cache_free+0x337/0x4c0
> kern  :warn  : [  359.535794]  kmem_cache_rcu_uaf+0x14b/0x490 [kasan_test]
> kern  :warn  : [  359.536644]  kunit_try_run_case+0x1b0/0x490
> kern  :warn  : [  359.537394]  kunit_generic_run_threadfn_adapter+0x7d/0xe0
> kern  :warn  : [  359.538244]  kthread+0x2d8/0x3c0
> kern  :warn  : [  359.538917]  ret_from_fork+0x31/0x70
> kern  :warn  : [  359.539616]  ret_from_fork_asm+0x1a/0x30
> 
> kern  :err   : [  359.540850] The buggy address belongs to the object at ffff888361948840
>                                which belongs to the cache test_cache of size 200
> kern  :err   : [  359.542668] The buggy address is located 0 bytes inside of
>                                freed 200-byte region [ffff888361948840, ffff888361948908)
> 
> kern  :err   : [  359.545021] The buggy address belongs to the physical page:
> kern  :warn  : [  359.545911] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x361948
> kern  :warn  : [  359.547012] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
> kern  :warn  : [  359.548094] flags: 0x17ffffc0000040(head|node=0|zone=2|lastcpupid=0x1fffff)
> kern  :warn  : [  359.549131] page_type: 0xfdffffff(slab)
> kern  :warn  : [  359.549918] raw: 0017ffffc0000040 ffff88821419ca00 dead000000000122 0000000000000000
> kern  :warn  : [  359.551034] raw: 0000000000000000 00000000801f001f 00000001fdffffff 0000000000000000
> kern  :warn  : [  359.552151] head: 0017ffffc0000040 ffff88821419ca00 dead000000000122 0000000000000000
> kern  :warn  : [  359.553278] head: 0000000000000000 00000000801f001f 00000001fdffffff 0000000000000000
> kern  :warn  : [  359.554406] head: 0017ffffc0000001 ffffea000d865201 ffffffffffffffff 0000000000000000
> kern  :warn  : [  359.555532] head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
> kern  :warn  : [  359.556660] page dumped because: kasan: bad access detected
> 
> kern  :err   : [  359.558233] Memory state around the buggy address:
> kern  :err   : [  359.559130]  ffff888361948700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> kern  :err   : [  359.560238]  ffff888361948780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> kern  :err   : [  359.561344] >ffff888361948800: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
> kern  :err   : [  359.562451]                                            ^
> kern  :err   : [  359.563410]  ffff888361948880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> kern  :err   : [  359.564535]  ffff888361948900: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> kern  :err   : [  359.565661] ==================================================================
> kern  :info  : [  359.982162]     ok 38 kmem_cache_rcu_uaf
> 
> 
> 
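
The triage idea raised in the reply above, as an added example that is not part of the original thread and is not lkp's actual filter: a KASAN report is treated as expected only when it comes from the kasan_test module, in a kunit_try_catch task, and the KUnit case of the same name then reports "ok". That rule and the names triage and SAMPLE are assumptions; the first three sample lines are copied from the quoted dmesg, the last two are constructed for contrast.

```python
import re

# Lines 1-3: excerpt of the dmesg quoted above.
# Lines 4-5: constructed (hypothetical driver, placeholder address).
SAMPLE = """\
kern  :err   : [  359.479027] BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x377/0x490 [kasan_test]
kern  :err   : [  359.480349] Read of size 1 at addr ffff888361948840 by task kunit_try_catch/4608
kern  :info  : [  359.982162]     ok 38 kmem_cache_rcu_uaf
kern  :err   : [  400.000001] BUG: KASAN: slab-use-after-free in example_driver_read+0x10/0x40 [example_driver]
kern  :err   : [  400.000002] Read of size 8 at addr ffff888000000000 by task cat/123
"""

# "BUG: KASAN: <kind> in <func>+0xoff/0xlen [<module>]" (module is absent for built-in code)
BUG_RE = re.compile(r"BUG: KASAN: (\S+) in (\w+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?")
# "... by task <comm>/<pid>"
TASK_RE = re.compile(r"by task (\S+)/(\d+)")
# KUnit TAP result line: "ok <n> <name>" or "not ok <n> <name>"
KUNIT_RE = re.compile(r"\]\s+(ok|not ok) \d+ (\w+)")


def triage(dmesg):
    """Return one dict per KASAN report, with an 'expected' verdict."""
    reports, results = [], {}
    for line in dmesg.splitlines():
        m = BUG_RE.search(line)
        if m:
            reports.append({"kind": m.group(1), "func": m.group(2),
                            "module": m.group(3), "task": None})
            continue
        m = TASK_RE.search(line)
        if m and reports and reports[-1]["task"] is None:
            reports[-1]["task"] = m.group(1)  # task line follows the BUG line
            continue
        m = KUNIT_RE.search(line)
        if m:
            results[m.group(2)] = m.group(1)
    for r in reports:
        # Assumed rule: deliberate test access, and the test case passed.
        r["expected"] = (r["module"] == "kasan_test"
                         and r["task"] == "kunit_try_catch"
                         and results.get(r["func"]) == "ok")
    return reports


if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(r["kind"], r["func"], "expected" if r["expected"] else "NEEDS REVIEW")
```

Anything not marked expected, including a kasan_test report whose case ends "not ok", stays in the set a human should look at.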




