Message-ID: <202507230728.5545017c-lkp@intel.com>
Date: Wed, 23 Jul 2025 14:26:01 +0800
From: kernel test robot <oliver.sang@...el.com>
To: <thaumy.love@...il.com>
CC: <oe-lkp@...ts.linux.dev>, <lkp@...el.com>,
<linux-perf-users@...r.kernel.org>, <linux-kernel@...r.kernel.org>, "Peter
Zijlstra" <peterz@...radead.org>, Ingo Molnar <mingo@...hat.com>, "Arnaldo
Carvalho de Melo" <acme@...nel.org>, Namhyung Kim <namhyung@...nel.org>,
Thaumy Cheng <thaumy.love@...il.com>, <oliver.sang@...el.com>
Subject: Re: [PATCH] perf/core: Fix missing read event generation on task exit
Hello,
kernel test robot noticed "BUG:KASAN:slab-use-after-free_in__task_pid_nr_ns" on:
commit: 99c9e5f1d1d521da2d6b2e8db124138a5a62d01c ("[PATCH] perf/core: Fix missing read event generation on task exit")
url: https://github.com/intel-lab-lkp/linux/commits/thaumy-love-gmail-com/perf-core-Fix-missing-read-event-generation-on-task-exit/20250720-080504
base: https://git.kernel.org/cgit/linux/kernel/git/perf/perf-tools-next.git perf-tools-next
patch link: https://lore.kernel.org/all/20250720000424.12572-1-thaumy.love@gmail.com/
patch subject: [PATCH] perf/core: Fix missing read event generation on task exit
in testcase: trinity
version: trinity-i386-abe9de86-1_20230429
with following parameters:
runtime: 600s
config: x86_64-randconfig-074-20250720
compiler: gcc-12
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
(please refer to attached dmesg/kmsg for entire log/backtrace)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <oliver.sang@...el.com>
| Closes: https://lore.kernel.org/oe-lkp/202507230728.5545017c-lkp@intel.com
[ 85.439456][ T728] BUG: KASAN: slab-use-after-free in __task_pid_nr_ns (kernel/pid.c:517)
[ 85.440144][ T728] Read of size 8 at addr ffff88815975d4a8 by task trinity-c3/728
[ 85.440807][ T728]
[ 85.441073][ T728] CPU: 0 UID: 65534 PID: 728 Comm: trinity-c3 Not tainted 6.16.0-rc3-00126-g99c9e5f1d1d5 #1 PREEMPT(full) 7cb1e1aeab1a1bce2ffdef82ac08cc822ee9d55c
[ 85.442261][ T728] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[ 85.443112][ T728] Call Trace:
[ 85.443436][ T728] <TASK>
[ 85.443736][ T728] dump_stack_lvl (arch/x86/include/asm/irqflags.h:26 arch/x86/include/asm/irqflags.h:109 arch/x86/include/asm/irqflags.h:151 lib/dump_stack.c:123)
[ 85.444146][ T728] print_address_description+0x6b/0x32b
[ 85.444687][ T728] ? __task_pid_nr_ns (kernel/pid.c:517)
[ 85.445118][ T728] print_report (mm/kasan/report.c:522)
[ 85.445522][ T728] ? __virt_addr_valid (arch/x86/mm/physaddr.c:65)
[ 85.445964][ T728] ? virt_to_slab (mm/slab.h:214)
[ 85.446365][ T728] ? kmem_cache_debug_flags (mm/slab.h:527)
[ 85.446828][ T728] ? kasan_complete_mode_report_info (mm/kasan/report_generic.c:179)
[ 85.447339][ T728] ? __task_pid_nr_ns (kernel/pid.c:517)
[ 85.447777][ T728] kasan_report (mm/kasan/report.c:636)
[ 85.448175][ T728] ? __task_pid_nr_ns (kernel/pid.c:517)
[ 85.448610][ T728] __asan_report_load8_noabort (mm/kasan/report_generic.c:381)
[ 85.449088][ T728] __task_pid_nr_ns (kernel/pid.c:517)
[ 85.449513][ T728] perf_event_pid_type (kernel/events/core.c:1433)
[ 85.449954][ T728] perf_event_pid (kernel/events/core.c:1441)
[ 85.450359][ T728] perf_event_read_event (kernel/events/core.c:8520)
[ 85.450825][ T728] ? perf_event_switch_output (kernel/events/core.c:8510)
[ 85.451307][ T728] ? __lock_acquire (kernel/locking/lockdep.c:5240)
[ 85.451736][ T728] ? __kasan_check_write (mm/kasan/shadow.c:38)
[ 85.452189][ T728] ? lock_acquire (kernel/locking/lockdep.c:5836)
[ 85.452644][ T728] ? perf_remove_from_context (kernel/events/core.c:2558 (discriminator 9))
[ 85.453124][ T728] ? perf_event__header_size (kernel/events/core.c:2003)
[ 85.453597][ T728] ? perf_group_detach (kernel/events/core.c:2316)
[ 85.454042][ T728] __perf_remove_from_context (kernel/events/core.c:13965 kernel/events/core.c:2339 kernel/events/core.c:2510)
[ 85.454531][ T728] perf_remove_from_context (kernel/events/core.c:2561)
[ 85.455008][ T728] perf_event_exit_event+0xa5/0xe0
[ 85.455530][ T728] perf_event_exit_task_context (kernel/events/core.c:14068 (discriminator 3))
[ 85.456027][ T728] ? perf_event_exit_event+0xe0/0xe0
[ 85.456551][ T728] ? kfree (include/trace/events/kmem.h:94 mm/slub.c:4829)
[ 85.456921][ T728] ? yama_ptracer_del (security/yama/yama_lsm.c:197)
[ 85.457364][ T728] perf_event_free_task (kernel/events/core.c:14170)
[ 85.457794][ T728] copy_process (kernel/fork.c:2468)
[ 85.458212][ T728] ? pidfd_prepare (kernel/fork.c:1918)
[ 85.458672][ T728] ? __lock_acquire (kernel/locking/lockdep.c:5240)
[ 85.459110][ T728] ? rcu_lock_acquire (include/linux/rcupdate.h:331)
[ 85.459610][ T728] ? lock_acquire (kernel/locking/lockdep.c:5836)
[ 85.460062][ T728] kernel_clone (include/linux/random.h:26 kernel/fork.c:2600)
[ 85.460468][ T728] ? find_held_lock (kernel/locking/lockdep.c:5353)
[ 85.460993][ T728] ? create_io_thread (kernel/fork.c:2559)
[ 85.461731][ T728] ? rcu_read_unlock (include/linux/rcupdate.h:874 (discriminator 9))
[ 85.462465][ T728] ? __task_pid_nr_ns (kernel/pid.c:521 (discriminator 11))
[ 85.463254][ T728] __do_compat_sys_ia32_clone (arch/x86/kernel/sys_ia32.c:243)
[ 85.464101][ T728] ? __ia32_compat_sys_ia32_mmap (arch/x86/kernel/sys_ia32.c:243)
[ 85.464977][ T728] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4660)
[ 85.465914][ T728] ? rcu_lock_acquire (include/linux/rcupdate.h:331)
[ 85.466774][ T728] ? lock_acquire (kernel/locking/lockdep.c:5836)
[ 85.467537][ T728] ? rcu_lock_acquire (include/linux/rcupdate.h:331)
[ 85.468369][ T728] __ia32_compat_sys_ia32_clone (arch/x86/kernel/sys_ia32.c:240)
[ 85.469175][ T728] ia32_sys_call (kbuild/obj/consumer/x86_64-randconfig-074-20250720/./arch/x86/include/generated/asm/syscalls_32.h:121)
[ 85.469884][ T728] __do_fast_syscall_32 (arch/x86/entry/syscall_32.c:83 arch/x86/entry/syscall_32.c:306)
[ 85.470731][ T728] ? rcu_read_unlock (include/linux/rcupdate.h:874 (discriminator 9))
[ 85.471470][ T728] ? __task_pid_nr_ns (kernel/pid.c:521 (discriminator 11))
[ 85.472232][ T728] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4660)
[ 85.473171][ T728] ? __do_fast_syscall_32 (arch/x86/entry/syscall_32.c:310)
[ 85.473958][ T728] ? irqentry_exit_to_user_mode (kernel/entry/common.c:187)
[ 85.474835][ T728] do_fast_syscall_32 (arch/x86/entry/syscall_32.c:331)
[ 85.475578][ T728] do_SYSENTER_32 (arch/x86/entry/syscall_32.c:370)
[ 85.476272][ T728] entry_SYSENTER_compat_after_hwframe (arch/x86/entry/entry_64_compat.S:127)
[ 85.477152][ T728] RIP: 0023:0xf7f79579
[ 85.477809][ T728] Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
All code
========
0: b8 01 10 06 03 mov $0x3061001,%eax
5: 74 b4 je 0xffffffffffffffbb
7: 01 10 add %edx,(%rax)
9: 07 (bad)
a: 03 74 b0 01 add 0x1(%rax,%rsi,4),%esi
e: 10 08 adc %cl,(%rax)
10: 03 74 d8 01 add 0x1(%rax,%rbx,8),%esi
...
20: 00 51 52 add %dl,0x52(%rcx)
23: 55 push %rbp
24:* 89 e5 mov %esp,%ebp <-- trapping instruction
26: 0f 34 sysenter
28: cd 80 int $0x80
2a: 5d pop %rbp
2b: 5a pop %rdx
2c: 59 pop %rcx
2d: c3 ret
2e: 90 nop
2f: 90 nop
30: 90 nop
31: 90 nop
32: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi
39: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi
Code starting with the faulting instruction
===========================================
0: 5d pop %rbp
1: 5a pop %rdx
2: 59 pop %rcx
3: c3 ret
4: 90 nop
5: 90 nop
6: 90 nop
7: 90 nop
8: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi
f: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi
[ 85.480340][ T728] RSP: 002b:00000000ffea1d40 EFLAGS: 00000286 ORIG_RAX: 0000000000000078
[ 85.481557][ T728] RAX: ffffffffffffffda RBX: 0000000001200011 RCX: 0000000000000000
[ 85.482749][ T728] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000f7f722e8
[ 85.483938][ T728] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 85.485110][ T728] R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000000
[ 85.486283][ T728] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 85.487473][ T728] </TASK>
[ 85.488026][ T728]
[ 85.488469][ T728] Allocated by task 728:
[ 85.489121][ T728] stack_trace_save (kernel/stacktrace.c:114)
[ 85.489831][ T728] kasan_save_stack (mm/kasan/common.c:48)
[ 85.490544][ T728] kasan_save_track (arch/x86/include/asm/current.h:25 mm/kasan/common.c:60 mm/kasan/common.c:69)
[ 85.491286][ T728] kasan_save_alloc_info (mm/kasan/generic.c:563)
[ 85.492023][ T728] unpoison_slab_object (mm/kasan/common.c:320)
[ 85.492760][ T728] __kasan_slab_alloc (mm/kasan/common.c:348)
[ 85.493476][ T728] kmem_cache_alloc_noprof (mm/slub.c:4148 mm/slub.c:4197 mm/slub.c:4204)
[ 85.494245][ T728] copy_signal (kernel/fork.c:1648)
[ 85.494942][ T728] copy_process (kernel/fork.c:2166)
[ 85.495646][ T728] kernel_clone (include/linux/random.h:26 kernel/fork.c:2600)
[ 85.496351][ T728] __do_compat_sys_ia32_clone (arch/x86/kernel/sys_ia32.c:243)
[ 85.497150][ T728] __ia32_compat_sys_ia32_clone (arch/x86/kernel/sys_ia32.c:240)
[ 85.498002][ T728] ia32_sys_call (kbuild/obj/consumer/x86_64-randconfig-074-20250720/./arch/x86/include/generated/asm/syscalls_32.h:121)
[ 85.498765][ T728] __do_fast_syscall_32 (arch/x86/entry/syscall_32.c:83 arch/x86/entry/syscall_32.c:306)
[ 85.499552][ T728] do_fast_syscall_32 (arch/x86/entry/syscall_32.c:331)
[ 85.500296][ T728] do_SYSENTER_32 (arch/x86/entry/syscall_32.c:370)
[ 85.501017][ T728] entry_SYSENTER_compat_after_hwframe (arch/x86/entry/entry_64_compat.S:127)
[ 85.501945][ T728]
[ 85.502416][ T728] Freed by task 728:
[ 85.503050][ T728] stack_trace_save (kernel/stacktrace.c:114)
[ 85.503775][ T728] kasan_save_stack (mm/kasan/common.c:48)
[ 85.504510][ T728] kasan_save_track (arch/x86/include/asm/current.h:25 mm/kasan/common.c:60 mm/kasan/common.c:69)
[ 85.505228][ T728] kasan_save_free_info (mm/kasan/generic.c:579)
[ 85.505987][ T728] poison_slab_object (mm/kasan/common.c:248)
[ 85.506704][ T728] __kasan_slab_free (mm/kasan/common.c:271)
[ 85.507142][ T728] kmem_cache_free (mm/slub.c:4643 mm/slub.c:4745)
[ 85.507569][ T728] free_signal_struct (kernel/fork.c:721)
[ 85.508010][ T728] copy_process (kernel/fork.c:2454)
[ 85.508431][ T728] kernel_clone (include/linux/random.h:26 kernel/fork.c:2600)
[ 85.508840][ T728] __do_compat_sys_ia32_clone (arch/x86/kernel/sys_ia32.c:243)
[ 85.509323][ T728] __ia32_compat_sys_ia32_clone (arch/x86/kernel/sys_ia32.c:240)
[ 85.509808][ T728] ia32_sys_call (kbuild/obj/consumer/x86_64-randconfig-074-20250720/./arch/x86/include/generated/asm/syscalls_32.h:121)
[ 85.510227][ T728] __do_fast_syscall_32 (arch/x86/entry/syscall_32.c:83 arch/x86/entry/syscall_32.c:306)
[ 85.510689][ T728] do_fast_syscall_32 (arch/x86/entry/syscall_32.c:331)
[ 85.511124][ T728] do_SYSENTER_32 (arch/x86/entry/syscall_32.c:370)
[ 85.511530][ T728] entry_SYSENTER_compat_after_hwframe (arch/x86/entry/entry_64_compat.S:127)
[ 85.512055][ T728]
The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20250723/202507230728.5545017c-lkp@intel.com
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki