Date:   Tue, 4 Apr 2023 17:15:54 +0800
From:   kernel test robot <yujie.liu@...el.com>
To:     Mathieu Desnoyers <mathieu.desnoyers@...icios.com>
CC:     <oe-lkp@...ts.linux.dev>, <lkp@...el.com>,
        Aaron Lu <aaron.lu@...el.com>,
        Peter Zijlstra <peterz@...radead.org>,
        <linux-kernel@...r.kernel.org>,
        Mathieu Desnoyers <mathieu.desnoyers@...icios.com>
Subject: Re: [RFC PATCH] sched: Introduce mm_cid runqueue cache

Hello,

kernel test robot noticed "BUG:KASAN:slab-use-after-free_in__lock_acquire" on:

commit: 1ed2ac17a591daac640ef7149cdc3c8e0870e474 ("[RFC PATCH] sched: Introduce mm_cid runqueue cache")
url: https://github.com/intel-lab-lkp/linux/commits/Mathieu-Desnoyers/sched-Introduce-mm_cid-runqueue-cache/20230328-035418
base: https://git.kernel.org/cgit/linux/kernel/git/tip/tip.git 05bfb338fa8dd40b008ce443e397fc374f6bd107
patch link: https://lore.kernel.org/all/20230327195318.137094-1-mathieu.desnoyers@efficios.com/
patch subject: [RFC PATCH] sched: Introduce mm_cid runqueue cache

in testcase: kernel-selftests
version: kernel-selftests-x86_64-60acb023-1_20230329
with following parameters:

	group: net

test-description: The kernel contains a set of "self tests" under the tools/testing/selftests/ directory. These are intended to be small unit tests to exercise individual code paths in the kernel.
test-url: https://www.kernel.org/doc/Documentation/kselftest.txt

compiler: gcc-11
test machine: 8 threads Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz (Skylake) with 28G memory

(please refer to attached dmesg/kmsg for entire log/backtrace)


If you fix the issue, kindly add following tag
| Reported-by: kernel test robot <yujie.liu@...el.com>
| Link: https://lore.kernel.org/oe-lkp/202304041648.ed32a338-yujie.liu@intel.com


[ 1109.619462][T29663] ==================================================================
[ 1109.627355][T29663] BUG: KASAN: slab-use-after-free in __lock_acquire+0x1f45/0x2390
[ 1109.634978][T29663] Read of size 8 at addr ffff888214d05430 by task dmesg/29663
[ 1109.642245][T29663] 
[ 1109.644420][T29663] CPU: 6 PID: 29663 Comm: dmesg Not tainted 6.3.0-rc3-00009-g1ed2ac17a591 #1
[ 1109.652983][T29663] Hardware name: Dell Inc. OptiPlex 7040/0Y7WYT, BIOS 1.2.8 01/26/2016
[ 1109.661026][T29663] Call Trace:
[ 1109.664149][T29663]  <TASK>
[ 1109.666926][T29663]  dump_stack_lvl+0x4b/0x80
[ 1109.671261][T29663]  print_address_description+0x2c/0x3d0
[ 1109.677668][T29663]  print_report+0xb5/0x270
[ 1109.681916][T29663]  ? kasan_addr_to_slab+0xd/0xa0
[ 1109.686681][T29663]  ? __lock_acquire+0x1f45/0x2390
[ 1109.691533][T29663]  kasan_report+0xc5/0xf0
[ 1109.695708][T29663]  ? __lock_acquire+0x1f45/0x2390
[ 1109.700585][T29663]  ? __lock_acquire+0x1f45/0x2390
[ 1109.705438][T29663]  ? __lock_acquire+0x15c3/0x2390
[ 1109.710289][T29663]  ? mark_usage+0x2a0/0x2a0
[ 1109.714638][T29663]  ? lock_acquire+0x19d/0x4c0
[ 1109.719145][T29663]  ? mm_cid_get+0x221/0x4f0
[ 1109.724084][T29663]  ? lock_release+0x200/0x200
[ 1109.728589][T29663]  ? lock_downgrade+0x100/0x100
[ 1109.733270][T29663]  ? do_raw_spin_lock+0x137/0x280
[ 1109.738120][T29663]  ? spin_bug+0x1d0/0x1d0
[ 1109.742283][T29663]  ? _raw_spin_lock+0x30/0x40
[ 1109.746788][T29663]  ? mm_cid_get+0x221/0x4f0
[ 1109.751725][T29663]  ? mm_cid_get+0x221/0x4f0
[ 1109.756664][T29663]  ? sched_mm_cid_after_execve+0x1c2/0x4e0
[ 1109.762293][T29663]  ? bprm_execve+0x1b9/0x5e0
[ 1109.766714][T29663]  ? do_execveat_common+0x4cc/0x6b0
[ 1109.772343][T29663]  ? getname_flags+0x8e/0x450
[ 1109.777454][T29663]  ? __x64_sys_execve+0x8c/0xb0
[ 1109.782132][T29663]  ? do_syscall_64+0x5a/0x80
[ 1109.786566][T29663]  ? entry_SYSCALL_64_after_hwframe+0x5e/0xc8
[ 1109.792471][T29663]  </TASK>
[ 1109.795334][T29663] 
[ 1109.797526][T29663] Allocated by task 23542:
[ 1109.801773][T29663]  kasan_save_stack+0x27/0x50
[ 1109.806276][T29663]  kasan_set_track+0x25/0x30
[ 1109.810694][T29663]  __kasan_slab_alloc+0x55/0x60
[ 1109.815371][T29663]  kmem_cache_alloc+0x190/0x360
[ 1109.820045][T29663]  dup_mm+0x22/0x310
[ 1109.824809][T29663]  copy_process+0x52d0/0x5520
[ 1109.829313][T29663]  kernel_clone+0xc8/0x5d0
[ 1109.833580][T29663]  __do_sys_clone+0xa6/0xe0
[ 1109.837911][T29663]  do_syscall_64+0x5a/0x80
[ 1109.842160][T29663]  entry_SYSCALL_64_after_hwframe+0x5e/0xc8
[ 1109.847883][T29663] 
[ 1109.850057][T29663] Freed by task 29602:
[ 1109.853963][T29663]  kasan_save_stack+0x27/0x50
[ 1109.858475][T29663]  kasan_set_track+0x25/0x30
[ 1109.862901][T29663]  kasan_save_free_info+0x2e/0x40
[ 1109.867760][T29663]  __kasan_slab_free+0x10a/0x190
[ 1109.872541][T29663]  slab_free_freelist_hook+0xba/0x170
[ 1109.877739][T29663]  kmem_cache_free+0x1a4/0x300
[ 1109.882329][T29663]  finish_task_switch+0x556/0x910
[ 1109.887783][T29663]  __schedule+0x751/0x1740
[ 1109.892029][T29663]  schedule+0x13e/0x230
[ 1109.896015][T29663]  wait_for_partner+0x15d/0x320
[ 1109.900694][T29663]  fifo_open+0x8a3/0xa10
[ 1109.904766][T29663]  do_dentry_open+0x449/0x1020
[ 1109.909356][T29663]  do_open+0x678/0xf70
[ 1109.913257][T29663]  path_openat+0x25f/0x650
[ 1109.917521][T29663]  do_filp_open+0x1ba/0x3f0
[ 1109.921852][T29663]  do_sys_openat2+0x127/0x400
[ 1109.926355][T29663]  __x64_sys_openat+0x128/0x1e0
[ 1109.931032][T29663]  do_syscall_64+0x5a/0x80
[ 1109.935276][T29663]  entry_SYSCALL_64_after_hwframe+0x5e/0xc8
[ 1109.940988][T29663] 
[ 1109.943159][T29663] The buggy address belongs to the object at ffff888214d05380
[ 1109.943159][T29663]  which belongs to the cache mm_struct of size 2168
[ 1109.956897][T29663] The buggy address is located 176 bytes inside of
[ 1109.956897][T29663]  freed 2168-byte region [ffff888214d05380, ffff888214d05bf8)
[ 1109.970558][T29663] 
[ 1109.972733][T29663] The buggy address belongs to the physical page:
[ 1109.978962][T29663] page:ffffea0008534000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x214d00
[ 1109.988990][T29663] head:ffffea0008534000 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 1109.997724][T29663] memcg:ffff8881f2640681
[ 1110.001796][T29663] flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
[ 1110.009844][T29663] raw: 0017ffffc0010200 ffff888100052340 ffffea001d4d8410 ffffea000d38be10
[ 1110.018233][T29663] raw: 0000000000000000 00000000000d000d 00000001ffffffff ffff8881f2640681
[ 1110.026621][T29663] page dumped because: kasan: bad access detected
[ 1110.032851][T29663] 
[ 1110.035025][T29663] Memory state around the buggy address:
[ 1110.040478][T29663]  ffff888214d05300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1110.048348][T29663]  ffff888214d05380: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1110.056218][T29663] >ffff888214d05400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1110.064087][T29663]                                      ^
[ 1110.069544][T29663]  ffff888214d05480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1110.077410][T29663]  ffff888214d05500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1110.085289][T29663] ==================================================================
[ 1110.093168][T29663] Disabling lock debugging due to kernel taint


-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests
