Message-ID: <202510311606.76b65d2b-lkp@intel.com>
Date: Fri, 31 Oct 2025 16:21:08 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Thomas Gleixner <tglx@...utronix.de>
CC: <oe-lkp@...ts.linux.dev>, <lkp@...el.com>, <linux-kernel@...r.kernel.org>,
Peter Zijlstra <peterz@...radead.org>, Lorenzo Stoakes
<lorenzo.stoakes@...cle.com>, <linux-perf-users@...r.kernel.org>,
<oliver.sang@...el.com>
Subject: [linus:master] [perf] 448f97fba9: addition_on#;use-after-free
Hello,
kernel test robot noticed "addition_on#;use-after-free" on:
commit: 448f97fba9013ffa13f5dd82febd18836b189499 ("perf: Convert mmap() refcounts to refcount_t")
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git master
[test failed on linus/master e53642b87a4f4b03a8d7e5f8507fc3cd0c595ea6]
[test failed on linux-next/master 131f3d9446a6075192cdd91f197989d98302faa6]
in testcase: perf-fuzzer
version: perf-fuzzer-x86_64-54251c2-1_20251010
with the following parameters:
runtime: 1h
config: x86_64-rhel-9.4-bpf
compiler: gcc-14
test machine: 8 threads 1 sockets Intel(R) Core(TM) i7-4790T CPU @ 2.70GHz (Haswell) with 16G memory
(please refer to the attached dmesg/kmsg for the entire log/backtrace)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags:
| Reported-by: kernel test robot <oliver.sang@...el.com>
| Closes: https://lore.kernel.org/oe-lkp/202510311606.76b65d2b-lkp@intel.com
kern :warn : [ 316.770155] [ T746] ------------[ cut here ]------------
kern :warn : [ 316.776217] [ T746] refcount_t: addition on 0; use-after-free.
kern :warn : [ 316.782957] [ T746] WARNING: CPU: 6 PID: 746 at lib/refcount.c:25 refcount_warn_saturate (lib/refcount.c:25 (discriminator 1))
kern :warn : [ 316.792896] [ T746] Modules linked in: binfmt_misc snd_hda_codec_intelhdmi snd_hda_codec_hdmi btrfs blake2b_generic intel_rapl_msr xor intel_rapl_common zstd_compress x86_pkg_temp_thermal intel_powerclamp raid6_pq coretemp i915 sd_mod sg kvm_intel snd_hda_codec_alc882 snd_hda_codec_realtek_lib snd_hda_codec_generic kvm snd_hda_intel drm_buddy irqbypass ttm snd_soc_rt5640 ghash_clmulni_intel snd_soc_rl6231 snd_hda_codec regmap_i2c rapl mxm_wmi drm_display_helper snd_hda_core snd_soc_core snd_intel_dspcfg cec intel_cstate snd_intel_sdw_acpi snd_compress snd_hwdep drm_client_lib ahci libahci i2c_i801 intel_uncore drm_kms_helper pcspkr mei_me i2c_smbus snd_pcm alx libata intel_gtt snd_timer agpgart lpc_ich mei mdio snd video soundcore joydev wmi acpi_pad drm nfnetlink ip_tables x_tables sch_fq_codel
kern :warn : [ 316.869646] [ T746] CPU: 6 UID: 0 PID: 746 Comm: perf_fuzzer Tainted: G S 6.17.0-rc1-00015-g448f97fba901 #1 PREEMPT(full)
kern :warn : [ 316.884174] [ T746] Tainted: [S]=CPU_OUT_OF_SPEC
kern :warn : [ 316.889845] [ T746] Hardware name: Gigabyte Technology Co., Ltd. Z97X-UD5H/Z97X-UD5H, BIOS F9 04/21/2015
kern :warn : [ 316.900399] [ T746] RIP: 0010:refcount_warn_saturate (lib/refcount.c:25 (discriminator 1))
kern :warn : [ 316.907362] [ T746] Code: ed 48 ff 0f 0b e9 72 ff ff ff 80 3d 2d 28 78 03 00 0f 85 65 ff ff ff 48 c7 c7 e0 6d 18 83 c6 05 19 28 78 03 01 e8 d1 ed 48 ff <0f> 0b e9 4b ff ff ff 48 c7 c7 a0 6e 18 83 c6 05 fd 27 78 03 01 e8
All code
========
0: ed in (%dx),%eax
1: 48 ff 0f decq (%rdi)
4: 0b e9 or %ecx,%ebp
6: 72 ff jb 0x7
8: ff (bad)
9: ff 80 3d 2d 28 78 incl 0x78282d3d(%rax)
f: 03 00 add (%rax),%eax
11: 0f 85 65 ff ff ff jne 0xffffffffffffff7c
17: 48 c7 c7 e0 6d 18 83 mov $0xffffffff83186de0,%rdi
1e: c6 05 19 28 78 03 01 movb $0x1,0x3782819(%rip) # 0x378283e
25: e8 d1 ed 48 ff call 0xffffffffff48edfb
2a:* 0f 0b ud2 <-- trapping instruction
2c: e9 4b ff ff ff jmp 0xffffffffffffff7c
31: 48 c7 c7 a0 6e 18 83 mov $0xffffffff83186ea0,%rdi
38: c6 05 fd 27 78 03 01 movb $0x1,0x37827fd(%rip) # 0x378283c
3f: e8 .byte 0xe8
Code starting with the faulting instruction
===========================================
0: 0f 0b ud2
2: e9 4b ff ff ff jmp 0xffffffffffffff52
7: 48 c7 c7 a0 6e 18 83 mov $0xffffffff83186ea0,%rdi
e: c6 05 fd 27 78 03 01 movb $0x1,0x37827fd(%rip) # 0x3782812
15: e8 .byte 0xe8
kern :warn : [ 316.928851] [ T746] RSP: 0018:ffff8883fe0b7670 EFLAGS: 00010282
kern :warn : [ 316.935833] [ T746] RAX: 0000000000000000 RBX: ffff8881dfe99ba0 RCX: ffffffff815808ea
kern :warn : [ 316.944745] [ T746] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000001
kern :warn : [ 316.953661] [ T746] RBP: 0000000000000002 R08: 0000000000000001 R09: ffffed107fc16e88
kern :warn : [ 316.962585] [ T746] R10: ffff8883fe0b7447 R11: 0000000000000001 R12: ffff8881dfe99ba0
kern :warn : [ 316.971497] [ T746] R13: ffff8883e42f3b80 R14: ffffffff8452af00 R15: 0000000000000002
kern :warn : [ 316.980445] [ T746] FS: 00007f0cc151f740(0000) GS:ffff8883e1814000(0000) knlGS:0000000000000000
kern :warn : [ 316.990282] [ T746] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
kern :warn : [ 316.997804] [ T746] CR2: 000055d13d833000 CR3: 00000003fec60005 CR4: 00000000001727f0
kern :warn : [ 317.006694] [ T746] DR0: ffffffff81000000 DR1: 0000000000000000 DR2: 0000000000000000
kern :warn : [ 317.015594] [ T746] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
kern :warn : [ 317.024478] [ T746] Call Trace:
kern :warn : [ 317.028657] [ T746] <TASK>
kern :warn : [ 317.032479] [ T746] perf_mmap_rb (include/linux/refcount.h:289 include/linux/refcount.h:366 include/linux/refcount.h:383 kernel/events/core.c:7001)
kern :warn : [ 317.037867] [ T746] ? __pfx_perf_mmap_rb (kernel/events/core.c:6975)
kern :warn : [ 317.043770] [ T746] ? __rcu_read_lock (kernel/rcu/tree_plugin.h:391 (discriminator 1) kernel/rcu/tree_plugin.h:414 (discriminator 1))
kern :warn : [ 317.049419] [ T746] ? __pfx_mas_preallocate (lib/maple_tree.c:5525)
kern :warn : [ 317.055590] [ T746] perf_mmap (kernel/events/core.c:7159)
kern :warn : [ 317.060631] [ T746] __mmap_new_vma (include/linux/fs.h:2289 mm/internal.h:167 mm/vma.c:2413 mm/vma.c:2476)
kern :warn : [ 317.066168] [ T746] __mmap_region (mm/vma.c:2669)
kern :warn : [ 317.071635] [ T746] ? __pfx___mmap_region (mm/vma.c:2641)
kern :warn : [ 317.077624] [ T746] ? mas_prev_node (lib/maple_tree.c:4493)
kern :warn : [ 317.083239] [ T746] ? mas_prev_slot (lib/maple_tree.c:575 lib/maple_tree.c:4415 lib/maple_tree.c:4566)
kern :warn : [ 317.088885] [ T746] ? mas_prev (lib/maple_tree.c:5884 lib/maple_tree.c:5877)
kern :warn : [ 317.093923] [ T746] ? mm_get_unmapped_area_vmflags (mm/mmap.c:806)
kern :warn : [ 317.100703] [ T746] mmap_region (mm/vma.c:2743)
kern :warn : [ 317.105999] [ T746] do_mmap (mm/mmap.c:558)
kern :warn : [ 317.110943] [ T746] ? __pfx_perf_mmap (kernel/events/core.c:7119)
kern :warn : [ 317.116588] [ T746] ? __pfx_do_mmap (mm/mmap.c:339)
kern :warn : [ 317.122045] [ T746] ? down_write_killable (kernel/locking/rwsem.c:1320 (discriminator 3) kernel/locking/rwsem.c:1331 (discriminator 3) kernel/locking/rwsem.c:1603 (discriminator 3))
kern :warn : [ 317.128164] [ T746] ? preempt_count_sub (kernel/sched/core.c:5845 kernel/sched/core.c:5841 kernel/sched/core.c:5863)
kern :warn : [ 317.133953] [ T746] ? down_write_killable (kernel/locking/rwsem.c:1320 (discriminator 3) kernel/locking/rwsem.c:1331 (discriminator 3) kernel/locking/rwsem.c:1603 (discriminator 3))
kern :warn : [ 317.140084] [ T746] ? __pfx_down_write_killable (kernel/locking/rwsem.c:1599)
kern :warn : [ 317.146549] [ T746] vm_mmap_pgoff (mm/util.c:580)
kern :warn : [ 317.151956] [ T746] ? __pfx_vm_mmap_pgoff (mm/util.c:568)
kern :warn : [ 317.157859] [ T746] ? lock_acquire (include/trace/events/lock.h:24 (discriminator 2) kernel/locking/lockdep.c:5831 (discriminator 2))
kern :warn : [ 317.163208] [ T746] ? rcu_is_watching (arch/x86/include/asm/atomic.h:23 include/linux/atomic/atomic-arch-fallback.h:457 include/linux/context_tracking.h:128 kernel/rcu/tree.c:751)
kern :warn : [ 317.168713] [ T746] ? __fget_files (include/linux/rcupdate.h:341 include/linux/rcupdate.h:871 fs/file.c:1072)
kern :warn : [ 317.174075] [ T746] ? __fget_files (fs/file.c:1075)
kern :warn : [ 317.179445] [ T746] ksys_mmap_pgoff (mm/mmap.c:604)
kern :warn : [ 317.184883] [ T746] do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
kern :warn : [ 317.190002] [ T746] ? do_syscall_64 (arch/x86/entry/syscall_64.c:113)
kern :warn : [ 317.195394] [ T746] ? do_syscall_64 (arch/x86/entry/syscall_64.c:113)
kern :warn : [ 317.200773] [ T746] ? do_syscall_64 (arch/x86/entry/syscall_64.c:113)
kern :warn : [ 317.206098] [ T746] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
kern :warn : [ 317.212575] [ T746] RIP: 0033:0x7f0cc162ede2
kern :warn : [ 317.217550] [ T746] Code: 00 00 00 0f 1f 44 00 00 41 f7 c1 ff 0f 00 00 75 27 55 89 cd 53 48 89 fb 48 85 ff 74 3b 41 89 ea 48 89 df b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 76 5b 5d c3 0f 1f 00 48 8b 05 e1 9f 0d 00 64
All code
========
0: 00 00 add %al,(%rax)
2: 00 0f add %cl,(%rdi)
4: 1f (bad)
5: 44 00 00 add %r8b,(%rax)
8: 41 f7 c1 ff 0f 00 00 test $0xfff,%r9d
f: 75 27 jne 0x38
11: 55 push %rbp
12: 89 cd mov %ecx,%ebp
14: 53 push %rbx
15: 48 89 fb mov %rdi,%rbx
18: 48 85 ff test %rdi,%rdi
1b: 74 3b je 0x58
1d: 41 89 ea mov %ebp,%r10d
20: 48 89 df mov %rbx,%rdi
23: b8 09 00 00 00 mov $0x9,%eax
28: 0f 05 syscall
2a:* 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax <-- trapping instruction
30: 77 76 ja 0xa8
32: 5b pop %rbx
33: 5d pop %rbp
34: c3 ret
35: 0f 1f 00 nopl (%rax)
38: 48 8b 05 e1 9f 0d 00 mov 0xd9fe1(%rip),%rax # 0xda020
3f: 64 fs
Code starting with the faulting instruction
===========================================
0: 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax
6: 77 76 ja 0x7e
8: 5b pop %rbx
9: 5d pop %rbp
a: c3 ret
b: 0f 1f 00 nopl (%rax)
e: 48 8b 05 e1 9f 0d 00 mov 0xd9fe1(%rip),%rax # 0xd9ff6
15: 64 fs
The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20251031/202510311606.76b65d2b-lkp@intel.com
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki