Message-ID: <CAADnVQLA=q573GEQukX63vfoqdAJK1CjoyD2=DZcQgeqAg-XMA@mail.gmail.com>
Date: Tue, 14 Oct 2025 13:53:04 -0700
From: Alexei Starovoitov <alexei.starovoitov@...il.com>
To: Harry Yoo <harry.yoo@...cle.com>, Peilin Ye <yepeilin@...gle.com>, 
	Shakeel Butt <shakeel.butt@...ux.dev>, Vlastimil Babka <vbabka@...e.cz>
Cc: kernel test robot <oliver.sang@...el.com>, kbuild test robot <lkp@...el.com>, 
	LKML <linux-kernel@...r.kernel.org>, linux-mm <linux-mm@...ck.org>, 
	bpf <bpf@...r.kernel.org>
Subject: kmemleak and bpf_timer. Was: [linus:master] [slab] af92793e52: BUG_kmalloc-#(Not_tainted):Freepointer_corrupt

On Mon, Oct 13, 2025 at 2:45 AM Harry Yoo <harry.yoo@...cle.com> wrote:
>
> So here we are freeing an object that is allocated via kmalloc_nolock().
> (And before being allocated via kmalloc_nolock(), it was freed via
> kfree_rcu()).

There is another problem here, but the root cause is the same.

I see this kmemleak splat:
[    8.105530] kmemleak: Trying to color unknown object at
0xff11000100e918c0 as Black
[    8.106521] Call Trace:
[    8.106521]  <TASK>
[    8.106521]  dump_stack_lvl+0x4b/0x70
[    8.106521]  kvfree_call_rcu+0xcb/0x3b0
[    8.106521]  ? hrtimer_cancel+0x21/0x40
[    8.106521]  bpf_obj_free_fields+0x193/0x200
[    8.106521]  htab_map_update_elem+0x29c/0x410
[    8.106521]  bpf_prog_cfc8cd0f42c04044_overwrite_cb+0x47/0x4b
[    8.106521]  bpf_prog_8c30cd7c4db2e963_overwrite_timer+0x65/0x86
[    8.106521]  bpf_prog_test_run_syscall+0xe1/0x2a0

It's due to a combination of features and fixes,
but mainly this
commit 6d78b4473cdb ("bpf: Tell memcg to use allow_spinning=false path
in bpf_timer_init()")

__GFP_HIGH is confusing slab/kmemleak internals to skip
calling kmemleak_alloc_recursive(), so the subsequent kfree_rcu()->
kvfree_call_rcu()->kmemleak_ignore() complains with the above splat.

I think the only proper fix is to convert bpf_timer to use
kmalloc_nolock/kfree_nolock. I have a WIP fix. Will send soon.
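The failure mode described in the message, as an added userspace model that is not part of the original mail, the kernel, or the BPF subsystem: a tracker that is skipped at allocation time when a "high" flag is set, and a free path whose kmemleak_ignore() step assumes the object was registered. Every name here (the model_* functions, MODEL_GFP_HIGH, the table size) is a hypothetical stand-in for the slab/kmemleak internals the message refers to; the only real identifier is the __GFP_HIGH flag it names. The model assumes, as the message does, that the fix is to allocate and free through a matching pair of paths that neither register nor expect a registered object.

```c
/* Constructed model of the alloc/free tracking mismatch behind the
 * "Trying to color unknown object ... as Black" splat. Not kernel code;
 * all model_* names and MODEL_* constants are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define MODEL_GFP_HIGH     0x1u   /* stand-in for __GFP_HIGH */
#define MODEL_MAX_TRACKED  64     /* arbitrary table size for the model */

enum model_color { MODEL_WHITE, MODEL_BLACK };

struct model_object {
	void *ptr;
	enum model_color color;
};

static struct model_object model_table[MODEL_MAX_TRACKED];
static size_t model_ntracked;
/* Counts occurrences of the "unknown object" warning the splat shows. */
static unsigned int model_unknown_color_warnings;

static struct model_object *model_lookup(const void *ptr)
{
	for (size_t i = 0; i < model_ntracked; i++)
		if (model_table[i].ptr == ptr)
			return &model_table[i];
	return NULL;
}

/* Stand-in for kmemleak_alloc_recursive(): register a fresh object. */
static void model_track(void *ptr)
{
	if (model_ntracked < MODEL_MAX_TRACKED) {
		model_table[model_ntracked].ptr = ptr;
		model_table[model_ntracked].color = MODEL_WHITE;
		model_ntracked++;
	}
}

/* Stand-in for kmemleak_free(): forget the object if it was registered. */
static void model_untrack(const void *ptr)
{
	struct model_object *o = model_lookup(ptr);
	if (o)
		*o = model_table[--model_ntracked];
}

/* The mismatch: an allocation carrying the "high" flag skips registration,
 * exactly like the message says __GFP_HIGH makes slab skip kmemleak. */
static void *model_kmalloc(size_t size, unsigned int flags)
{
	void *p = malloc(size);
	if (p && !(flags & MODEL_GFP_HIGH))
		model_track(p);
	return p;
}

/* Stand-in for kmemleak_ignore(): colour the object black; an object that
 * was never registered produces the warning from the splat. */
static void model_kmemleak_ignore(const void *ptr)
{
	struct model_object *o = model_lookup(ptr);
	if (!o) {
		model_unknown_color_warnings++;
		fprintf(stderr, "model: Trying to color unknown object at %p as Black\n",
			(void *)ptr);
		return;
	}
	o->color = MODEL_BLACK;
}

/* kfree_rcu()-style path: expects a registered object (deferred free is
 * collapsed into an immediate free, which is enough for the model). */
static void model_kfree_rcu(void *ptr)
{
	if (!ptr)
		return;
	model_kmemleak_ignore(ptr);
	model_untrack(ptr);
	free(ptr);
}

/* kfree_nolock()-style path: makes no assumption about registration. */
static void model_kfree_nolock(void *ptr)
{
	model_untrack(ptr);
	free(ptr);
}

/* Buggy pairing from the splat: untracked allocation, tracked free. */
unsigned int model_mismatched_paths(void)
{
	model_unknown_color_warnings = 0;
	void *timer = model_kmalloc(64, MODEL_GFP_HIGH);
	model_kfree_rcu(timer);
	return model_unknown_color_warnings;
}

/* Pairing the message proposes: untracked allocation, untracked free. */
unsigned int model_matched_paths(void)
{
	model_unknown_color_warnings = 0;
	void *timer = model_kmalloc(64, MODEL_GFP_HIGH);
	model_kfree_nolock(timer);
	return model_unknown_color_warnings;
}

/* Control: a normal tracked allocation through the RCU path is fine. */
unsigned int model_tracked_alloc_then_rcu(void)
{
	model_unknown_color_warnings = 0;
	void *obj = model_kmalloc(64, 0);
	model_kfree_rcu(obj);
	return model_unknown_color_warnings;
}

int main(void)
{
	printf("mismatched paths: %u warning(s)\n", model_mismatched_paths());
	printf("matched paths:    %u warning(s)\n", model_matched_paths());
	printf("tracked control:  %u warning(s)\n", model_tracked_alloc_then_rcu());
	return 0;
}
```

The model makes the invariant explicit: whichever side skips the tracker, the other side must skip it too, which is why switching both the allocation and the free of bpf_timer to the nolock pair removes the splat in the model, while changing only one side does not.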
