Message-ID: <20200826085753.GK4299@shao2-debian>
Date: Wed, 26 Aug 2020 16:57:54 +0800
From: kernel test robot <rong.a.chen@...el.com>
To: Roman Gushchin <guro@...com>
Cc: bpf@...r.kernel.org, netdev@...r.kernel.org,
Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>, kernel-team@...com,
linux-kernel@...r.kernel.org, Johannes Weiner <hannes@...xchg.org>,
Shakeel Butt <shakeelb@...gle.com>, linux-mm@...ck.org,
Roman Gushchin <guro@...com>, 0day robot <lkp@...el.com>,
lkp@...ts.01.org
Subject: [bpf] 3ebc0a7f46: BUG:KASAN:use-after-free_in_b
Greetings,
FYI, we noticed the following commit (built with gcc-9):
commit: 3ebc0a7f460e4f73f8c9ab9dca89a57dc32c1602 ("[PATCH bpf-next v4 03/30] bpf: memcg-based memory accounting for bpf maps")
url: https://github.com/0day-ci/linux/commits/Roman-Gushchin/bpf-switch-to-memcg-based-memory-accounting/20200821-233104
base: https://git.kernel.org/cgit/linux/kernel/git/bpf/bpf-next.git master
in testcase: locktorture
with following parameters:
runtime: 300s
test: cpuhotplug
test-description: This torture test consists of creating a number of kernel threads which acquire the lock and hold it for specific amount of time, thus simulating different critical region behaviors.
test-url: https://www.kernel.org/doc/Documentation/locking/locktorture.txt
on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 8G
caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
+-------------------------------------------------------------------------------+------------+------------+
| | e96c019fb3 | 3ebc0a7f46 |
+-------------------------------------------------------------------------------+------------+------------+
| boot_successes | 0 | 0 |
| boot_failures | 6 | 4 |
| WARNING:suspicious_RCU_usage | 6 | |
| security/device_cgroup.c:#RCU-list_traversed_in_non-reader_section | 6 | |
| drivers/char/ipmi/ipmi_msghandler.c:#RCU-list_traversed_in_non-reader_section | 6 | |
| BUG:KASAN:use-after-free_in_b | 0 | 4 |
+-------------------------------------------------------------------------------+------------+------------+
If you fix the issue, kindly add following tag
Reported-by: kernel test robot <rong.a.chen@...el.com>
[ 41.560152] BUG: KASAN: use-after-free in bpf_map_free_deferred+0x117/0x38b
[ 41.560762] Read of size 8 at addr ffff8881e4114858 by task kworker/0:1/15
[ 41.561528]
[ 41.561737] CPU: 0 PID: 15 Comm: kworker/0:1 Not tainted 5.9.0-rc1-00133-g3ebc0a7f460e4 #1
[ 41.562648] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 41.563562] Workqueue: events bpf_map_free_deferred
[ 41.563937] Call Trace:
[ 41.564147] ? dump_stack+0x31/0x40
[ 41.564423] ? print_address_description+0x2c/0x6d8
[ 41.564851] ? rcu_read_unlock_sched_notrace+0x52/0x52
[ 41.565243] ? bpf_map_free_deferred+0x117/0x38b
[ 41.565582] ? kasan_report+0x1b1/0x222
[ 41.565872] ? bpf_map_free_deferred+0x117/0x38b
[ 41.566214] ? __asan_report_load8_noabort+0x1e/0x26
[ 41.566570] ? bpf_map_free_deferred+0x117/0x38b
[ 41.566906] ? bpf_map_charge_move+0x8d/0x8d
[ 41.567234] ? process_one_work+0x819/0xe1c
[ 41.567570] ? __lock_acquired+0x46e/0x5f6
[ 41.567885] ? pwq_dec_nr_in_flight+0x363/0x363
[ 41.568224] ? preempt_count_add+0x1b/0x24
[ 41.568535] ? __kasan_check_write+0x1e/0x26
[ 41.568843] ? worker_clr_flags+0x192/0x1b7
[ 41.569168] ? worker_thread+0x787/0x9e7
[ 41.569480] ? kthread+0x47e/0x494
[ 41.569730] ? create_worker+0x523/0x523
[ 41.570017] ? kthread_create_worker+0xc3/0xc3
[ 41.570345] ? ret_from_fork+0x1f/0x30
[ 41.570657]
[ 41.570781] Allocated by task 0:
[ 41.571016] (stack is not available)
[ 41.571290]
[ 41.571414] Freed by task 15:
[ 41.571640] arch_stack_walk+0xbc/0xd0
[ 41.571914] stack_trace_save+0x85/0xa6
[ 41.572203] kasan_save_stack+0x22/0x58
[ 41.572484] kasan_set_track+0x22/0x2e
[ 41.572762] kasan_set_free_info+0x29/0x3f
[ 41.573056] __kasan_slab_free+0x165/0x192
[ 41.573377] kasan_slab_free+0x11/0x19
[ 41.573649] slab_free_freelist_hook+0x1e5/0x29c
[ 41.573976] kfree+0x3b7/0x57a
[ 41.574202] trie_free+0x8d/0x14e
[ 41.574444] bpf_map_free_deferred+0xd2/0x38b
[ 41.574762] process_one_work+0x819/0xe1c
[ 41.575060] worker_thread+0x787/0x9e7
[ 41.575330] kthread+0x47e/0x494
[ 41.575566] ret_from_fork+0x1f/0x30
[ 41.575822]
[ 41.575945] The buggy address belongs to the object at ffff8881e4114800
[ 41.575945] which belongs to the cache kmalloc-512 of size 512
[ 41.576811] The buggy address is located 88 bytes inside of
[ 41.576811] 512-byte region [ffff8881e4114800, ffff8881e4114a00)
[ 41.577626] The buggy address belongs to the page:
[ 41.577971] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1e4114
[ 41.578627] head:(____ptrval____) order:1 compound_mapcount:0
[ 41.579029] flags: 0x4000000000010200(slab|head)
[ 41.579358] raw: 4000000000010200 dead000000000100 dead000000000122 ffff8881f5c41280
[ 41.579921] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
[ 41.580490] page dumped because: kasan: bad access detected
[ 41.580907]
[ 41.581029] Memory state around the buggy address:
[ 41.581366] ffff8881e4114700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 41.581860] ffff8881e4114780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 41.582369] >ffff8881e4114800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.582866] ^
[ 41.583292] ffff8881e4114880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.583787] ffff8881e4114900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.585494] ==================================================================
[ 41.586196] Disabling lock debugging due to kernel taint
[ 42.162717] rcu-perf: rcu_perf_writer 0 has 100 measurements
[ 42.199609] Dumping ftrace buffer:
[ 42.200080] (ftrace buffer empty)
[ 42.202418] rcu-perf: Test complete
[ 42.490753] random: systemd: uninitialized urandom read (16 bytes read)
[ 42.496513] random: systemd: uninitialized urandom read (16 bytes read)
[ OK ] Listening on RPCbind Server Activation Socket.
[ 42.503401] random: systemd: uninitialized urandom read (16 bytes read)
[ OK ] Created slice system-serial\x2dgetty.slice.
[ OK ] Created slice User and Session Slice.
[ OK ] Listening on udev Control Socket.
[ OK ] Listening on Syslog Socket.
[ OK ] Listening on udev Kernel Socket.
[ OK ] Listening on initctl Compatibility Named Pipe.
[ OK ] Reached target Swap.
[ OK ] Listening on Journal Socket.
Mounting POSIX Message Queue File System...
Starting Remount Root and Kernel File Systems...
Mounting Kernel Debug File System...
Starting udev Coldplug all Devices...
[ OK ] Reached target Local Encrypted Volumes.
[ OK ] Listening on Journal Socket (/dev/log).
[ OK ] Reached target Slices.
Mounting RPC Pipe File System...
Starting Load Kernel Modules...
[ OK ] Reached target Paths.
[ OK ] Listening on Journal Audit Socket.
[ 43.278865] random: fast init done
Starting Journal Service...
[ OK ] Created slice system-getty.slice.
[ OK ] Mounted POSIX Message Queue File System.
To reproduce:
# build kernel
cd linux
cp config-5.9.0-rc1-00133-g3ebc0a7f460e4 .config
make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage modules
make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 INSTALL_MOD_PATH=<mod-install-dir> modules_install
cd <mod-install-dir>
find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email
Thanks,
Rong Chen
View attachment "config-5.9.0-rc1-00133-g3ebc0a7f460e4" of type "text/plain" (136482 bytes)
View attachment "job-script" of type "text/plain" (4866 bytes)
Download attachment "dmesg.xz" of type "application/x-xz" (14472 bytes)
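The trace above tells the story in two frames: bpf_map_free_deferred+0xd2 called trie_free, which kfree'd the kmalloc-512 object that holds the struct bpf_map (the map is embedded in the trie), and then bpf_map_free_deferred+0x117 read 8 bytes 88 bytes into that same object. In other words, ->map_free() releases the map and the caller still dereferences a field of it afterwards. The program below is an added, user-space model of that ordering bug and of the fix (read the memcg out of the map before ->map_free() runs); it is not the kernel's code and not part of the patch. The quarantine tracker, the 80-byte pad that places a field at offset 88, the field name memcg and the refcount are all assumptions chosen to mirror the report, and the tracker keeps "freed" memory mapped, the way KASAN's quarantine does, so the stale read is detectable instead of undefined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* --- tiny KASAN-style quarantine (assumed helper, not kernel code) --- */
static struct { char *base; size_t size; int freed; } quarantine;

static void *tracked_alloc(size_t size)
{
    char *p = calloc(1, size);
    quarantine.base = p;
    quarantine.size = size;
    quarantine.freed = 0;
    return p;
}

/* Marks the object freed but keeps it mapped, so a stale read is observable. */
static void tracked_free(void *p)
{
    if (p == quarantine.base)
        quarantine.freed = 1;
}

/* Actually returns the quarantined memory to the allocator. */
static void tracked_reclaim(void)
{
    free(quarantine.base);
    quarantine.base = NULL;
    quarantine.size = 0;
    quarantine.freed = 0;
}

/* 8-byte load with a shadow check: -1 if the address is inside a freed object. */
static int checked_load_u64(const void *addr, uint64_t *out)
{
    const char *a = addr;
    if (quarantine.freed && a >= quarantine.base &&
        a + 8 <= quarantine.base + quarantine.size)
        return -1;
    memcpy(out, addr, sizeof *out);
    return 0;
}

/* --- model of the kernel objects; layout chosen so memcg sits 88 bytes in --- */
struct mem_cgroup { long refcnt; };
struct bpf_map;
struct bpf_map_ops { void (*map_free)(struct bpf_map *map); };
struct bpf_map {
    const struct bpf_map_ops *ops;  /* offset 0 */
    char other_fields[80];          /* assumption: stand-in for the real fields */
    struct mem_cgroup *memcg;       /* offset 88: the field read after the free */
};
struct lpm_trie { struct bpf_map map; /* trie nodes would follow */ };

/* trie_free(): frees the whole trie, and with it the embedded struct bpf_map. */
static void trie_free(struct bpf_map *map)
{
    struct lpm_trie *trie = (struct lpm_trie *)map;  /* map is the first member */
    tracked_free(trie);                               /* kfree(trie) in the kernel */
}
static const struct bpf_map_ops trie_ops = { .map_free = trie_free };

static struct bpf_map *lpm_map_alloc(struct mem_cgroup *cg)
{
    struct lpm_trie *trie = tracked_alloc(sizeof *trie);
    trie->map.ops = &trie_ops;
    trie->map.memcg = cg;
    cg->refcnt++;                     /* the map holds a reference on its memcg */
    return &trie->map;
}

/* Buggy order: ->map_free() first, then map->memcg. Returns -1 when the
 * tracker catches the read, which is what KASAN reported at +0x117. */
static int free_deferred_buggy(struct bpf_map *map)
{
    uint64_t raw;
    map->ops->map_free(map);
    if (checked_load_u64(&map->memcg, &raw) < 0)
        return -1;
    ((struct mem_cgroup *)(uintptr_t)raw)->refcnt--;
    return 0;
}

/* Fixed order: drop the memcg reference before ->map_free() releases the map. */
static int free_deferred_fixed(struct bpf_map *map)
{
    map->memcg->refcnt--;
    map->memcg = NULL;
    map->ops->map_free(map);
    return 0;
}

int main(void)
{
    struct mem_cgroup cg = { 0 };
    struct bpf_map *m = lpm_map_alloc(&cg);
    printf("buggy order: %s\n", free_deferred_buggy(m) < 0 ? "use-after-free" : "ok");
    tracked_reclaim();
    m = lpm_map_alloc(&cg);
    printf("fixed order: %s (memcg refcnt %ld)\n",
           free_deferred_fixed(m) == 0 ? "ok" : "use-after-free", cg.refcnt);
    tracked_reclaim();
    return 0;
}
```

The buggy path leaks the memcg reference as well as reading freed memory, because the release never runs once the read is caught; the fixed path pulls everything it needs out of the map while the map is still alive, which is the general rule whenever a callback is allowed to free the object it was handed.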