From: kernel test robot <oliver.sang@intel.com>
To: Beau Belgrave <beaub@linux.microsoft.com>
Cc: <oe-lkp@lists.linux.dev>, <lkp@intel.com>,
	<linux-kernel@vger.kernel.org>,
	<linux-trace-kernel@vger.kernel.org>, <rostedt@goodmis.org>,
	<mhiramat@kernel.org>, <mathieu.desnoyers@efficios.com>,
	<oliver.sang@intel.com>
Subject: Re: [PATCH v2 1/4] tracing/user_events: Prepare find/delete for same name events
Date: Wed, 14 Feb 2024 12:13:38 +0800	[thread overview]
Message-ID: <202402141240.cc5aba78-oliver.sang@intel.com> (raw)
In-Reply-To: <20240202184449.1674-2-beaub@linux.microsoft.com>



Hello,

kernel test robot noticed "BUG:KASAN:slab-use-after-free_in_user_events_ioctl" on:

commit: fecc001d587ceeeb47043c20353f257e3f01b39f ("[PATCH v2 1/4] tracing/user_events: Prepare find/delete for same name events")
url: https://github.com/intel-lab-lkp/linux/commits/Beau-Belgrave/tracing-user_events-Prepare-find-delete-for-same-name-events/20240203-031207
patch link: https://lore.kernel.org/all/20240202184449.1674-2-beaub@linux.microsoft.com/
patch subject: [PATCH v2 1/4] tracing/user_events: Prepare find/delete for same name events

in testcase: kernel-selftests
version: kernel-selftests-x86_64-60acb023-1_20230329
with the following parameters:

	group: user_events



compiler: gcc-12
test machine: 36 threads 1 sockets Intel(R) Core(TM) i9-10980XE CPU @ 3.00GHz (Cascade Lake) with 32G memory

(please refer to attached dmesg/kmsg for entire log/backtrace)



If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags:
| Reported-by: kernel test robot <oliver.sang@intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202402141240.cc5aba78-oliver.sang@intel.com


[ 106.969333][ T2278] BUG: KASAN: slab-use-after-free in user_events_ioctl (kernel/trace/trace_events_user.c:2067 kernel/trace/trace_events_user.c:2401 kernel/trace/trace_events_user.c:2543) 
[  106.970079][ T2278] Read of size 8 at addr ffff88816644ef38 by task abi_test/2278
[  106.970788][ T2278]
[  106.971058][ T2278] CPU: 2 PID: 2278 Comm: abi_test Not tainted 6.7.0-rc8-00001-gfecc001d587c #1
[  106.971881][ T2278] Hardware name: Gigabyte Technology Co., Ltd. X299 UD4 Pro/X299 UD4 Pro-CF, BIOS F8a 04/27/2021
[  106.972829][ T2278] Call Trace:
[  106.973185][ T2278]  <TASK>
[ 106.973514][ T2278] dump_stack_lvl (lib/dump_stack.c:108) 
[ 106.973966][ T2278] print_address_description+0x2c/0x3a0 
[ 106.974597][ T2278] ? user_events_ioctl (kernel/trace/trace_events_user.c:2067 kernel/trace/trace_events_user.c:2401 kernel/trace/trace_events_user.c:2543) 
[ 106.975099][ T2278] print_report (mm/kasan/report.c:476) 
[ 106.975542][ T2278] ? kasan_addr_to_slab (mm/kasan/common.c:35) 
[ 106.976025][ T2278] ? user_events_ioctl (kernel/trace/trace_events_user.c:2067 kernel/trace/trace_events_user.c:2401 kernel/trace/trace_events_user.c:2543) 
[ 106.976531][ T2278] kasan_report (mm/kasan/report.c:590) 
[ 106.976978][ T2278] ? user_events_ioctl (kernel/trace/trace_events_user.c:2067 kernel/trace/trace_events_user.c:2401 kernel/trace/trace_events_user.c:2543) 
[ 106.977481][ T2278] user_events_ioctl (kernel/trace/trace_events_user.c:2067 kernel/trace/trace_events_user.c:2401 kernel/trace/trace_events_user.c:2543) 
[ 106.977970][ T2278] __x64_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:871 fs/ioctl.c:857 fs/ioctl.c:857) 
[ 106.978441][ T2278] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) 
[ 106.978889][ T2278] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129) 
[  106.979462][ T2278] RIP: 0033:0x7f2e121c8b5b
[ 106.979907][ T2278] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
All code
========
   0:	00 48 89             	add    %cl,-0x77(%rax)
   3:	44 24 18             	rex.R and $0x18,%al
   6:	31 c0                	xor    %eax,%eax
   8:	48 8d 44 24 60       	lea    0x60(%rsp),%rax
   d:	c7 04 24 10 00 00 00 	movl   $0x10,(%rsp)
  14:	48 89 44 24 08       	mov    %rax,0x8(%rsp)
  19:	48 8d 44 24 20       	lea    0x20(%rsp),%rax
  1e:	48 89 44 24 10       	mov    %rax,0x10(%rsp)
  23:	b8 10 00 00 00       	mov    $0x10,%eax
  28:	0f 05                	syscall
  2a:*	89 c2                	mov    %eax,%edx		<-- trapping instruction
  2c:	3d 00 f0 ff ff       	cmp    $0xfffff000,%eax
  31:	77 1c                	ja     0x4f
  33:	48 8b 44 24 18       	mov    0x18(%rsp),%rax
  38:	64                   	fs
  39:	48                   	rex.W
  3a:	2b                   	.byte 0x2b
  3b:	04 25                	add    $0x25,%al
  3d:	28 00                	sub    %al,(%rax)
	...

Code starting with the faulting instruction
===========================================
   0:	89 c2                	mov    %eax,%edx
   2:	3d 00 f0 ff ff       	cmp    $0xfffff000,%eax
   7:	77 1c                	ja     0x25
   9:	48 8b 44 24 18       	mov    0x18(%rsp),%rax
   e:	64                   	fs
   f:	48                   	rex.W
  10:	2b                   	.byte 0x2b
  11:	04 25                	add    $0x25,%al
  13:	28 00                	sub    %al,(%rax)
	...
[  106.981608][ T2278] RSP: 002b:00007ffcb0ba5ed0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  106.982385][ T2278] RAX: ffffffffffffffda RBX: 00007ffcb0ba6228 RCX: 00007f2e121c8b5b
[  106.983128][ T2278] RDX: 0000564d434bc6fe RSI: 0000000040082a01 RDI: 0000000000000005
[  106.983878][ T2278] RBP: 00007ffcb0ba5f40 R08: 0000000000000000 R09: 00007f2e120c9b80
[  106.984626][ T2278] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[  106.986296][ T2278] R13: 00007ffcb0ba6238 R14: 0000564d434bedc8 R15: 00007f2e123cc020
[  106.987040][ T2278]  </TASK>
[  106.987364][ T2278]
[  106.987635][ T2278] Allocated by task 2278:
[ 106.988071][ T2278] kasan_save_stack (mm/kasan/common.c:46) 
[ 106.988543][ T2278] kasan_set_track (mm/kasan/common.c:52) 
[ 106.988999][ T2278] __kasan_kmalloc (mm/kasan/common.c:374 mm/kasan/common.c:383) 
[ 106.989465][ T2278] user_event_parse (include/linux/slab.h:600 include/linux/slab.h:721 kernel/trace/trace_events_user.c:1978) 
[ 106.989939][ T2278] user_events_ioctl_reg (kernel/trace/trace_events_user.c:2342) 
[ 106.990462][ T2278] user_events_ioctl (kernel/trace/trace_events_user.c:2538) 
[ 106.990954][ T2278] __x64_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:871 fs/ioctl.c:857 fs/ioctl.c:857) 
[ 106.991428][ T2278] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) 
[ 106.991871][ T2278] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129) 
[  106.992436][ T2278]
[  106.992705][ T2278] Freed by task 2278:
[ 106.993112][ T2278] kasan_save_stack (mm/kasan/common.c:46) 
[ 106.993582][ T2278] kasan_set_track (mm/kasan/common.c:52) 
[ 106.994043][ T2278] kasan_save_free_info (mm/kasan/generic.c:524) 
[ 106.994544][ T2278] __kasan_slab_free (mm/kasan/common.c:238 mm/kasan/common.c:200 mm/kasan/common.c:244) 
[ 106.995028][ T2278] slab_free_freelist_hook (mm/slub.c:1826) 
[ 106.995553][ T2278] __kmem_cache_free (mm/slub.c:3809 mm/slub.c:3822) 
[ 106.996026][ T2278] destroy_user_event (kernel/trace/trace_events_user.c:1489 kernel/trace/trace_events_user.c:1467) 
[ 106.996513][ T2278] user_events_ioctl (kernel/trace/trace_events_user.c:2077 kernel/trace/trace_events_user.c:2401 kernel/trace/trace_events_user.c:2543) 
[ 106.997009][ T2278] __x64_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:871 fs/ioctl.c:857 fs/ioctl.c:857) 
[ 106.997483][ T2278] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) 
[ 106.997926][ T2278] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129) 
[  106.998496][ T2278]
[  106.998768][ T2278] The buggy address belongs to the object at ffff88816644ee00
[  106.998768][ T2278]  which belongs to the cache kmalloc-cg-512 of size 512
[  107.000035][ T2278] The buggy address is located 312 bytes inside of
[  107.000035][ T2278]  freed 512-byte region [ffff88816644ee00, ffff88816644f000)
[  107.001266][ T2278]
[  107.001532][ T2278] The buggy address belongs to the physical page:
[  107.002142][ T2278] page:ffffea0005991200 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88816644b800 pfn:0x166448
[  107.003179][ T2278] head:ffffea0005991200 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[  107.003996][ T2278] memcg:ffff888160dfc4e9
[  107.004425][ T2278] flags: 0x17ffffc0000840(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
[  107.005189][ T2278] page_type: 0xffffffff()
[  107.005635][ T2278] raw: 0017ffffc0000840 ffff888100051700 ffffea0004050810 ffff888100043dc8
[  107.006434][ T2278] raw: ffff88816644b800 0000000000150008 00000001ffffffff ffff888160dfc4e9
[  107.007223][ T2278] page dumped because: kasan: bad access detected
[  107.007841][ T2278]
[  107.008111][ T2278] Memory state around the buggy address:
[  107.008660][ T2278]  ffff88816644ee00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  107.009416][ T2278]  ffff88816644ee80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  107.010161][ T2278] >ffff88816644ef00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  107.010907][ T2278]                                         ^
[  107.011471][ T2278]  ffff88816644ef80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  107.012215][ T2278]  ffff88816644f000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  107.012967][ T2278] ==================================================================
[  107.013787][ T2278] Disabling lock debugging due to kernel taint



The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20240214/202402141240.cc5aba78-oliver.sang@intel.com



-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

