| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 28 Apr 2022 12:12:54 -0400
From: Qian Cai <quic_qiancai@...cinc.com>
To: Andrey Konovalov <andreyknvl@...il.com>
CC: <andrey.konovalov@...ux.dev>,
Andrew Morton <akpm@...ux-foundation.org>,
Marco Elver <elver@...gle.com>,
Alexander Potapenko <glider@...gle.com>,
Dmitry Vyukov <dvyukov@...gle.com>,
Andrey Ryabinin <ryabinin.a.a@...il.com>,
kasan-dev <kasan-dev@...glegroups.com>,
Linux Memory Management List <linux-mm@...ck.org>,
Vincenzo Frascino <vincenzo.frascino@....com>,
"Catalin Marinas" <catalin.marinas@....com>,
Will Deacon <will@...nel.org>,
"Mark Rutland" <mark.rutland@....com>,
Linux ARM <linux-arm-kernel@...ts.infradead.org>,
Peter Collingbourne <pcc@...gle.com>,
Evgenii Stepanov <eugenis@...gle.com>,
LKML <linux-kernel@...r.kernel.org>,
Andrey Konovalov <andreyknvl@...gle.com>
Subject: Re: [PATCH v6 00/39] kasan, vmalloc, arm64: add vmalloc tagging
support for SW/HW_TAGS
On Thu, Apr 28, 2022 at 05:28:12PM +0200, Andrey Konovalov wrote:
> No ideas so far.
>
> Looks like the page has reserved tag set when it's being freed.
>
> Does this crash only happen with the SW_TAGS mode?
No, the system is running exclusively with CONFIG_KASAN_GENERIC=y
> Does this crash only happen when loading modules?
Yes. Here is another sligtly different path at the bottom.
> Does your system have any hot-plugged memory?
No.
BUG: Bad page state in process systemd-udevd pfn:403fc007c
page:fffffd00fd001f00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x403fc007c
flags: 0x1bfffc0000001000(reserved|node=1|zone=2|lastcpupid=0xffff)
raw: 1bfffc0000001000 fffffd00fd001f08 fffffd00fd001f08 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
CPU: 101 PID: 2004 Comm: systemd-udevd Not tainted 5.17.0-rc8-next-20220317-dirty #39
Call trace:
dump_backtrace
show_stack
dump_stack_lvl
dump_stack
bad_page
free_pcp_prepare
free_pages_prepare at mm/page_alloc.c:1348
(inlined by) free_pcp_prepare at mm/page_alloc.c:1403
free_unref_page
__free_pages
free_pages.part.0
free_pages
kasan_depopulate_vmalloc_pte
(inlined by) kasan_depopulate_vmalloc_pte at mm/kasan/shadow.c:359
apply_to_pte_range
apply_to_pte_range at mm/memory.c:2547
apply_to_pmd_range
apply_to_pud_range
__apply_to_page_range
apply_to_existing_page_range
kasan_release_vmalloc
(inlined by) kasan_release_vmalloc at mm/kasan/shadow.c:469
__purge_vmap_area_lazy
_vm_unmap_aliases.part.0
__vunmap
__vfree
vfree
module_memfree
free_module
do_init_module
load_module
__do_sys_finit_module
__arm64_sys_finit_module
invoke_syscall
el0_svc_common.constprop.0
do_el0_svc
el0_svc
el0t_64_sync_handler
el0t_64_sync
Disabling lock debugging due to kernel taint
BUG: Bad page state in process systemd-udevd pfn:403fc007b
page:fffffd00fd001ec0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x403fc007b
flags: 0x1bfffc0000001000(reserved|node=1|zone=2|lastcpupid=0xffff)
raw: 1bfffc0000001000 fffffd00fd001ec8 fffffd00fd001ec8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
CPU: 101 PID: 2004 Comm: systemd-udevd Tainted: G B 5.17.0-rc8-next-20220317-dirty #39
Call trace:
dump_backtrace
show_stack
dump_stack_lvl
dump_stack
bad_page
free_pcp_prepare
free_unref_page
__free_pages
free_pages.part.0
free_pages
kasan_depopulate_vmalloc_pte
apply_to_pte_range
apply_to_pmd_range
apply_to_pud_range
__apply_to_page_range
apply_to_existing_page_range
kasan_release_vmalloc
__purge_vmap_area_lazy
_vm_unmap_aliases.part.0
__vunmap
__vfree
vfree
module_memfree
free_module
do_init_module
load_module
__do_sys_finit_module
__arm64_sys_finit_module
invoke_syscall
el0_svc_common.constprop.0
do_el0_svc
el0_svc
el0t_64_sync_handler
el0t_64_sync
Powered by blists - more mailing lists