Message-ID: <aYs8qWWC5JyE3z44@shinmob>
Date: Tue, 10 Feb 2026 14:15:28 +0000
From: Shinichiro Kawasaki <shinichiro.kawasaki@....com>
To: Peter Zijlstra <peterz@...radead.org>
CC: Thomas Gleixner <tglx@...nel.org>, LKML <linux-kernel@...r.kernel.org>,
	Ihor Solodrai <ihor.solodrai@...ux.dev>, Shrikanth Hegde
	<sshegde@...ux.ibm.com>, Mathieu Desnoyers <mathieu.desnoyers@...icios.com>,
	Michael Jeanson <mjeanson@...icios.com>, Andrey Ryabinin
	<ryabinin.a.a@...il.com>, Alexander Potapenko <glider@...gle.com>,
	"kasan-dev@...glegroups.com" <kasan-dev@...glegroups.com>
Subject: Re: [patch V2 3/4] sched/mmcid: Drop per CPU CID immediately when switching to per task mode

On Feb 10, 2026 / 14:03, Peter Zijlstra wrote:
> On Tue, Feb 10, 2026 at 11:51:10AM +0000, Shinichiro Kawasaki wrote:
> > On Feb 10, 2026 / 11:44, Thomas Gleixner wrote:
> > > On Tue, Feb 10 2026 at 07:33, Shinichiro Kawasaki wrote:
> > [...]
> > > > [   65.768341] [   T1296] BUG: KASAN: slab-use-after-free in sched_mm_cid_exit+0x298/0x500
> > > 
> > > Can you please decode these symbols (file/line) so that we actually see
> > > which access is flagged by KASAN?
> > 
> > Sure, faddr2line points to the line the patch touched:
> > 
> > $ ./scripts/faddr2line vmlinux sched_mm_cid_exit+0x298/0x500
> > sched_mm_cid_exit+0x298/0x500:
> > arch_clear_bit at arch/x86/include/asm/bitops.h:79
> > (inlined by) clear_bit at include/asm-generic/bitops/instrumented-atomic.h:42
> > (inlined by) mm_drop_cid at kernel/sched/sched.h:3746
> > (inlined by) mm_drop_cid_on_cpu at kernel/sched/sched.h:3762
> > (inlined by) sched_mm_cid_exit at kernel/sched/core.c:10737
> 
> Could you please reproduce with the below added?
> 
> Just to double check that that cid value isn't out of bounds.
> 
> ---
> diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h
> index bd350e40859d..dadfd6abc1fa 100644
> --- a/kernel/sched/sched.h
> +++ b/kernel/sched/sched.h
> @@ -3743,6 +3743,7 @@ static __always_inline bool cid_on_task(unsigned int cid)
>  
>  static __always_inline void mm_drop_cid(struct mm_struct *mm, unsigned int cid)
>  {
> +	WARN_ONCE(cid >= nr_cpu_ids, "XXX cid(%x) out of range(%x)\n", cid, nr_cpu_ids);
>  	clear_bit(cid, mm_cidmask(mm));
>  }
>  
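Review bot: the WARN_ONCE added to mm_drop_cid() only reports and then still executes clear_bit() with the same cid, so an out-of-range value goes on to write outside mm_cidmask(mm) and the KASAN report follows the warning rather than being prevented by it; for a diagnostic patch it is safer to bail out on the failed check, e.g. `if (WARN_ONCE(cid >= nr_cpu_ids, ...)) return;`. A minor readability point: `%x` prints the values without a 0x prefix, so `%#x` would make a cid with stray upper bits easier to recognise at a glance in the log.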

Thanks for the action. I have applied the patch to the v6.19 kernel and reproduced
the KASAN report. The added WARN was printed as follows. (Now I'm trying the fix patch
candidate that Thomas shared in another post.)

[   73.897104] [   T1031] run blktests zbd/013 at 2026-02-10 23:09:21
[   73.987761] [   T1049] null_blk: disk nullb1 created
[   74.417726] [   T1049] null_blk: nullb2: using native zone append
[   74.436675] [   T1049] null_blk: disk nullb2 created
[   75.983893] [   T1175] ------------[ cut here ]------------
[   75.984939] [   T1175] XXX cid(20000003) out of range(4)
[   75.985515] [   T1175] WARNING: kernel/sched/sched.h:3746 at sched_mm_cid_exit+0x37b/0x530, CPU#3: cryptsetup/1175
[   75.986573] [   T1175] Modules linked in: dm_crypt null_blk nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables qrtr sunrpc 9pnet_virtio 9pnet pcspkr netfs i2c_piix4 i2c_smbus loop fuse dm_multipath nfnetlink vsock_loopback vmw_vsock_virtio_transport_common zram vsock xfs nvme bochs drm_client_lib drm_shmem_helper drm_kms_helper nvme_core drm nvme_keyring sym53c8xx nvme_auth scsi_transport_spi hkdf e1000 floppy serio_raw ata_generic pata_acpi i2c_dev qemu_fw_cfg
[   75.992120] [   T1175] CPU: 3 UID: 0 PID: 1175 Comm: cryptsetup Not tainted 6.19.0+ #387 PREEMPT(voluntary) 
[   75.993151] [   T1175] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-4.fc42 04/01/2014
[   75.994146] [   T1175] RIP: 0010:sched_mm_cid_exit+0x37e/0x530
[   75.994773] [   T1175] Code: 01 00 00 e8 74 90 48 00 48 8d bd 30 01 00 00 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e e9 5c 27 f9 ff 48 8d 3d 75 cf 85 04 44 89 e6 <67> 48 0f b9 3a 48 b8 00 00 00 00 00 fc ff df 48 89 da 83 e3 07 48
[   75.996798] [   T1175] RSP: 0018:ffff888124bb7b20 EFLAGS: 00010016
[   75.997442] [   T1175] RAX: 0000000000000003 RBX: ffffffff95e37da0 RCX: 1ffff110272ab021
[   75.998296] [   T1175] RDX: 0000000000000004 RSI: 0000000020000003 RDI: ffffffff95e49f30
[   75.999094] [   T1175] RBP: ffff888139558000 R08: ffff888139558108 R09: 0000000040000000
[   75.999958] [   T1175] R10: 0000000000000003 R11: 0000000000000000 R12: 0000000020000003
[   76.000812] [   T1175] R13: 0000000000000000 R14: ffff888139558178 R15: ffff88811d6baf80
[   76.001632] [   T1175] FS:  00007f72777fc6c0(0000) GS:ffff888408490000(0000) knlGS:0000000000000000
[   76.002579] [   T1175] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   76.003299] [   T1175] CR2: 00007f7276ff97d0 CR3: 0000000104970000 CR4: 00000000000006f0
[   76.004088] [   T1175] Call Trace:
[   76.004476] [   T1175]  <TASK>
[   76.004793] [   T1175]  ? lockdep_hardirqs_on_prepare+0xce/0x1b0
[   76.005431] [   T1175]  do_exit+0x25e/0x24c0
[   76.005870] [   T1175]  ? __pfx___up_read+0x10/0x10
[   76.006389] [   T1175]  ? __pfx_do_exit+0x10/0x10
[   76.006867] [   T1175]  ? lock_release+0x1ab/0x2f0
[   76.007401] [   T1175]  __x64_sys_exit+0x3e/0x50
[   76.007835] [   T1175]  x64_sys_call+0x14fe/0x1500
[   76.008355] [   T1175]  do_syscall_64+0x95/0x540
[   76.008790] [   T1175]  ? __pfx_do_madvise+0x10/0x10
[   76.009336] [   T1175]  ? lockdep_hardirqs_on_prepare+0xce/0x1b0
[   76.009900] [   T1175]  ? trace_hardirqs_on+0x14/0x140
[   76.010458] [   T1175]  ? lockdep_hardirqs_on+0x88/0x130
[   76.010969] [   T1175]  ? kvm_sched_clock_read+0xd/0x20
[   76.011534] [   T1175]  ? sched_clock+0xc/0x30
[   76.011980] [   T1175]  ? sched_clock_cpu+0x65/0x5c0
[   76.012998] [   T1175]  ? __pfx_rcu_do_batch+0x10/0x10
[   76.014067] [   T1175]  ? lockdep_hardirqs_on+0x88/0x130
[   76.015102] [   T1175]  ? entry_SYSCALL_64_after_hwframe+0x76/0x7e
[   76.016316] [   T1175]  ? do_syscall_64+0x1d7/0x540
[   76.017297] [   T1175]  ? irqtime_account_irq+0xe4/0x330
[   76.018350] [   T1175]  ? lockdep_softirqs_on+0xc3/0x140
[   76.019355] [   T1175]  ? __irq_exit_rcu+0x126/0x240
[   76.020361] [   T1175]  ? handle_softirqs+0x6c5/0x790
[   76.021380] [   T1175]  ? __pfx_handle_softirqs+0x10/0x10
[   76.022421] [   T1175]  ? irqtime_account_irq+0x1a2/0x330
[   76.023426] [   T1175]  ? lockdep_hardirqs_on_prepare+0xce/0x1b0
[   76.024526] [   T1175]  ? irqentry_exit+0xe2/0x6a0
[   76.025475] [   T1175]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[   76.026569] [   T1175] RIP: 0033:0x7f727d48df89
[   76.027485] [   T1175] Code: ff 31 c9 48 89 88 20 06 00 00 31 c0 87 07 83 e8 01 7f 19 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 31 ff b8 3c 00 00 00 0f 05 <eb> f5 89 95 74 ff ff ff e8 9a d0 ff ff 83 bd 74 ff ff ff 01 0f 85
[   76.030452] [   T1175] RSP: 002b:00007f72777fbd30 EFLAGS: 00000246 ORIG_RAX: 000000000000003c
[   76.031767] [   T1175] RAX: ffffffffffffffda RBX: 00007f72777fc6c0 RCX: 00007f727d48df89
[   76.033032] [   T1175] RDX: 0000000000000000 RSI: 0000000000800000 RDI: 0000000000000000
[   76.034377] [   T1175] RBP: 00007f72777fbdf0 R08: 00000000dd4d2955 R09: 0000000000000000
[   76.035605] [   T1175] R10: 0000000000000008 R11: 0000000000000246 R12: 00007f72777fc6c0
[   76.036884] [   T1175] R13: 00007ffd89867320 R14: 00007f72777fccdc R15: 00007ffd89867427
[   76.038169] [   T1175]  </TASK>
[   76.038894] [   T1175] irq event stamp: 116
[   76.039771] [   T1175] hardirqs last  enabled at (115): [<ffffffff941114d4>] _raw_spin_unlock_irq+0x24/0x50
[   76.041167] [   T1175] hardirqs last disabled at (116): [<ffffffff941111e2>] _raw_spin_lock_irq+0x52/0x60
[   76.042569] [   T1175] softirqs last  enabled at (100): [<ffffffff9151adc6>] __irq_exit_rcu+0x126/0x240
[   76.043945] [   T1175] softirqs last disabled at (63): [<ffffffff9151adc6>] __irq_exit_rcu+0x126/0x240
[   76.045320] [   T1175] ---[ end trace 0000000000000000 ]---
[   76.046319] [   T1175] ==================================================================
[   76.047489] [   T1175] BUG: KASAN: use-after-free in sched_mm_cid_exit+0x27c/0x530
[   76.048669] [   T1175] Write of size 8 at addr ffff88813d558b90 by task cryptsetup/1175

[   76.050476] [   T1175] CPU: 3 UID: 0 PID: 1175 Comm: cryptsetup Tainted: G        W           6.19.0+ #387 PREEMPT(voluntary) 
[   76.050480] [   T1175] Tainted: [W]=WARN
[   76.050481] [   T1175] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-4.fc42 04/01/2014
[   76.050483] [   T1175] Call Trace:
[   76.050484] [   T1175]  <TASK>
[   76.050486] [   T1175]  dump_stack_lvl+0x6a/0x90
[   76.050490] [   T1175]  ? sched_mm_cid_exit+0x27c/0x530
[   76.050492] [   T1175]  print_report+0x170/0x4f3
[   76.050495] [   T1175]  ? __virt_addr_valid+0x22e/0x4e0
[   76.050499] [   T1175]  ? sched_mm_cid_exit+0x27c/0x530
[   76.050501] [   T1175]  kasan_report+0xad/0x150
[   76.050506] [   T1175]  ? sched_mm_cid_exit+0x27c/0x530
[   76.050510] [   T1175]  kasan_check_range+0x115/0x1f0
[   76.050512] [   T1175]  sched_mm_cid_exit+0x27c/0x530
[   76.050515] [   T1175]  ? lockdep_hardirqs_on_prepare+0xce/0x1b0
[   76.050518] [   T1175]  do_exit+0x25e/0x24c0
[   76.050521] [   T1175]  ? __pfx___up_read+0x10/0x10
[   76.050524] [   T1175]  ? __pfx_do_exit+0x10/0x10
[   76.050526] [   T1175]  ? lock_release+0x1ab/0x2f0
[   76.050530] [   T1175]  __x64_sys_exit+0x3e/0x50
[   76.050533] [   T1175]  x64_sys_call+0x14fe/0x1500
[   76.050535] [   T1175]  do_syscall_64+0x95/0x540
[   76.050537] [   T1175]  ? __pfx_do_madvise+0x10/0x10
[   76.050541] [   T1175]  ? lockdep_hardirqs_on_prepare+0xce/0x1b0
[   76.050544] [   T1175]  ? trace_hardirqs_on+0x14/0x140
[   76.050546] [   T1175]  ? lockdep_hardirqs_on+0x88/0x130
[   76.050551] [   T1175]  ? kvm_sched_clock_read+0xd/0x20
[   76.050553] [   T1175]  ? sched_clock+0xc/0x30
[   76.050554] [   T1175]  ? sched_clock_cpu+0x65/0x5c0
[   76.050556] [   T1175]  ? __pfx_rcu_do_batch+0x10/0x10
[   76.050560] [   T1175]  ? lockdep_hardirqs_on+0x88/0x130
[   76.050562] [   T1175]  ? entry_SYSCALL_64_after_hwframe+0x76/0x7e
[   76.050564] [   T1175]  ? do_syscall_64+0x1d7/0x540
[   76.050567] [   T1175]  ? irqtime_account_irq+0xe4/0x330
[   76.050569] [   T1175]  ? lockdep_softirqs_on+0xc3/0x140
[   76.050571] [   T1175]  ? __irq_exit_rcu+0x126/0x240
[   76.050573] [   T1175]  ? handle_softirqs+0x6c5/0x790
[   76.050577] [   T1175]  ? __pfx_handle_softirqs+0x10/0x10
[   76.050579] [   T1175]  ? irqtime_account_irq+0x1a2/0x330
[   76.050582] [   T1175]  ? lockdep_hardirqs_on_prepare+0xce/0x1b0
[   76.050584] [   T1175]  ? irqentry_exit+0xe2/0x6a0
[   76.050587] [   T1175]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[   76.050589] [   T1175] RIP: 0033:0x7f727d48df89
[   76.050591] [   T1175] Code: ff 31 c9 48 89 88 20 06 00 00 31 c0 87 07 83 e8 01 7f 19 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 31 ff b8 3c 00 00 00 0f 05 <eb> f5 89 95 74 ff ff ff e8 9a d0 ff ff 83 bd 74 ff ff ff 01 0f 85
[   76.050593] [   T1175] RSP: 002b:00007f72777fbd30 EFLAGS: 00000246 ORIG_RAX: 000000000000003c
[   76.050596] [   T1175] RAX: ffffffffffffffda RBX: 00007f72777fc6c0 RCX: 00007f727d48df89
[   76.050597] [   T1175] RDX: 0000000000000000 RSI: 0000000000800000 RDI: 0000000000000000
[   76.050598] [   T1175] RBP: 00007f72777fbdf0 R08: 00000000dd4d2955 R09: 0000000000000000
[   76.050600] [   T1175] R10: 0000000000000008 R11: 0000000000000246 R12: 00007f72777fc6c0
[   76.050601] [   T1175] R13: 00007ffd89867320 R14: 00007f72777fccdc R15: 00007ffd89867427
[   76.050606] [   T1175]  </TASK>

[   76.100141] [   T1175] The buggy address belongs to the physical page:
[   76.101101] [   T1175] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88813d559100 pfn:0x13d558
[   76.102440] [   T1175] flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff)
[   76.103496] [   T1175] raw: 0017ffffc0000000 ffffea0004edd808 ffffea0004f85008 0000000000000000
[   76.104692] [   T1175] raw: ffff88813d559100 0000000000070000 00000000ffffffff 0000000000000000
[   76.105893] [   T1175] page dumped because: kasan: bad access detected

[   76.107458] [   T1175] Memory state around the buggy address:
[   76.108369] [   T1175]  ffff88813d558a80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   76.109509] [   T1175]  ffff88813d558b00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   76.110672] [   T1175] >ffff88813d558b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   76.111823] [   T1175]                          ^
[   76.112661] [   T1175]  ffff88813d558c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   76.113829] [   T1175]  ffff88813d558c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   76.115000] [   T1175] ==================================================================
[   76.116174] [   T1175] Disabling lock debugging due to kernel taint
[   81.299309] [   T1577] device-mapper: zone: dm-0 using emulated zone append
[   81.659065] [      C0] hrtimer: interrupt took 1305020 ns
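Added example, not code from this thread or from the kernel tree: a user-space model of the clear_bit() that the KASAN report points at, using the nr_cpu_ids of 4 and the cid value 0x20000003 from the warning in the log above. The names mm_cidmask(), mm_drop_cid() and nr_cpu_ids come from the quoted patch; the mm_struct layout, the checked variant and the byte-offset helper are assumptions for illustration. It shows why a cid with stray upper bits turns a one-bit clear into a write tens of megabytes past the bitmap, and how a range check that refuses the operation (instead of only warning) keeps the bitmap intact.

```c
/*
 * Added example (not from the thread or the kernel tree): a user-space model
 * of the bit clear that KASAN flagged.  mm_cidmask(), mm_drop_cid() and
 * nr_cpu_ids are names taken from the quoted patch; the struct layout and the
 * helpers below are assumptions for illustration only.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BITS_PER_LONG    (8 * sizeof(unsigned long))
#define BITS_TO_LONGS(n) (((n) + BITS_PER_LONG - 1) / BITS_PER_LONG)

/* Values reported by the WARN_ONCE in the log: nr_cpu_ids 4, cid 0x20000003. */
static const unsigned int nr_cpu_ids = 4;
#define BAD_CID 0x20000003u

/* Assumed mm_struct: a cidmask sized for the four CPUs of the test VM. */
struct mm_struct {
	unsigned long cidmask[BITS_TO_LONGS(4)];
};

static unsigned long *mm_cidmask(struct mm_struct *mm)
{
	return mm->cidmask;
}

/*
 * Byte offset from the start of the bitmap that clear_bit(cid, map) would
 * write to.  Mirrors the word/bit split of the generic bitops; nothing is
 * written here, so it is safe to call with any cid.
 */
static uint64_t clear_bit_byte_offset(unsigned int cid)
{
	return (uint64_t)(cid / BITS_PER_LONG) * sizeof(unsigned long);
}

/*
 * Unchecked form, the shape of the code the hunk instruments.  Must only be
 * called with cid < nr_cpu_ids; anything larger indexes past cidmask[].
 */
static void mm_drop_cid_unchecked(struct mm_struct *mm, unsigned int cid)
{
	unsigned long *map = mm_cidmask(mm);

	map[cid / BITS_PER_LONG] &= ~(1UL << (cid % BITS_PER_LONG));
}

/*
 * Checked form: report and refuse instead of writing.  Returns true when the
 * bit was cleared, false when cid was out of range and nothing was touched.
 */
static bool mm_drop_cid_checked(struct mm_struct *mm, unsigned int cid)
{
	if (cid >= nr_cpu_ids) {
		fprintf(stderr,
			"cid %#x out of range (nr_cpu_ids %u): clear_bit() would "
			"write at byte offset %#llx past the bitmap start\n",
			cid, nr_cpu_ids,
			(unsigned long long)clear_bit_byte_offset(cid));
		return false;
	}
	mm_drop_cid_unchecked(mm, cid);
	return true;
}

/* Drop a valid cid from a bitmap with all four cids set; return the word. */
static unsigned long demo_valid_drop(unsigned int cid)
{
	struct mm_struct mm = { { 0xfUL } };

	mm_drop_cid_checked(&mm, cid);
	return mm.cidmask[0];
}

/* The bad cid from the log must be refused and leave the bitmap untouched. */
static bool demo_bad_drop_rejected(void)
{
	struct mm_struct mm = { { 0xfUL } };
	bool dropped = mm_drop_cid_checked(&mm, BAD_CID);

	return !dropped && mm.cidmask[0] == 0xfUL;
}

int main(void)
{
	printf("clear_bit(%#x) byte offset: %#llx (%llu MiB past the bitmap)\n",
	       BAD_CID, (unsigned long long)clear_bit_byte_offset(BAD_CID),
	       (unsigned long long)(clear_bit_byte_offset(BAD_CID) >> 20));
	printf("drop cid 3 from 0xf -> %#lx\n", demo_valid_drop(3));
	printf("bad cid rejected: %s\n", demo_bad_drop_rejected() ? "yes" : "no");
	return 0;
}
```

For cid 0x20000003 the word index is 0x800000, so the clear lands 64 MiB beyond the start of a bitmap that holds four bits. A write that far away hits whatever happens to be mapped there, which is consistent with KASAN classifying it as a use-after-free on an unrelated page (refcount:0 in the report above) rather than as an out-of-bounds access next to the bitmap; the value itself looks like a cid with flag bits set in its upper byte, which is an interpretation, not something the log states.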