From: kernel test robot <oliver.sang@intel.com>
To: Dan Williams <dan.j.williams@intel.com>
Cc: <oe-lkp@lists.linux.dev>, <lkp@intel.com>,
<linux-kernel@vger.kernel.org>, <linux-fsdevel@vger.kernel.org>,
<gregkh@linuxfoundation.org>, <rafael.j.wysocki@intel.com>,
<tj@kernel.org>, <regressions@lists.linux.dev>,
<oliver.sang@intel.com>
Subject: Re: [PATCH v2] driver core: Fix userspace expectations of uevent_show() as a probe barrier
Date: Mon, 7 Oct 2024 17:39:34 +0800
Message-ID: <202410071741.4aa3984e-oliver.sang@intel.com>
In-Reply-To: <172790598832.1168608.4519484276671503678.stgit@dwillia2-xfh.jf.intel.com>

Hello,

kernel test robot noticed "BUG:KASAN:slab-use-after-free_in__mutex_lock" on:

commit: cfb789a84ee6fe1368d091941af50e0eb6381d30 ("[PATCH v2] driver core: Fix userspace expectations of uevent_show() as a probe barrier")
url: https://github.com/intel-lab-lkp/linux/commits/Dan-Williams/driver-core-Fix-userspace-expectations-of-uevent_show-as-a-probe-barrier/20241003-055515
base: https://git.kernel.org/cgit/linux/kernel/git/gregkh/driver-core.git 9852d85ec9d492ebef56dc5f229416c925758edc
patch link: https://lore.kernel.org/all/172790598832.1168608.4519484276671503678.stgit@dwillia2-xfh.jf.intel.com/
patch subject: [PATCH v2] driver core: Fix userspace expectations of uevent_show() as a probe barrier

in testcase: blktests
version: blktests-x86_64-80430af-1_20240910
with following parameters:

	disk: 1SSD
	test: block-001

compiler: gcc-12
test machine: 4 threads Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz (Skylake) with 32G memory

(please refer to attached dmesg/kmsg for entire log/backtrace)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <oliver.sang@intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202410071741.4aa3984e-oliver.sang@intel.com

[ 51.504416][ T130] BUG: KASAN: slab-use-after-free in __mutex_lock+0x1003/0x1170
[ 51.504423][ T130] Read of size 8 at addr ffff8887ff562250 by task systemd-journal/130
[ 51.504427][ T130]
[ 51.504429][ T130] CPU: 2 UID: 0 PID: 130 Comm: systemd-journal Not tainted 6.12.0-rc1-00001-gcfb789a84ee6 #1
[ 51.504434][ T130] Hardware name: Dell Inc. OptiPlex 7040/0Y7WYT, BIOS 1.8.1 12/05/2017
[ 51.504436][ T130] Call Trace:
[ 51.504438][ T130] <TASK>
[ 51.504439][ T130] dump_stack_lvl (lib/dump_stack.c:123 (discriminator 1))
[ 51.504445][ T130] print_address_description+0x2c/0x3a0
[ 51.504451][ T130] ? __mutex_lock+0x1003/0x1170
[ 51.504455][ T130] print_report (mm/kasan/report.c:489)
[ 51.504459][ T130] ? kasan_addr_to_slab (mm/kasan/common.c:37)
[ 51.504462][ T130] ? __mutex_lock+0x1003/0x1170
[ 51.504466][ T130] kasan_report (mm/kasan/report.c:603)
[ 51.504470][ T130] ? __mutex_lock+0x1003/0x1170
[ 51.504475][ T130] __mutex_lock+0x1003/0x1170
[ 51.504480][ T130] ? __pfx___mutex_lock+0x10/0x10
[ 51.504485][ T130] ? __pfx___might_resched (kernel/sched/core.c:8586)
[ 51.504491][ T130] mutex_lock (kernel/locking/mutex.c:286)
[ 51.504495][ T130] ? __pfx_mutex_lock (kernel/locking/mutex.c:282)
[ 51.504499][ T130] ? __kmalloc_node_noprof (include/linux/kasan.h:257 mm/slub.c:4265 mm/slub.c:4271)
[ 51.504503][ T130] ? seq_read_iter (fs/seq_file.c:210)
[ 51.504507][ T130] kernfs_seq_start (fs/kernfs/file.c:169)
[ 51.504511][ T130] seq_read_iter (fs/seq_file.c:225)
[ 51.504516][ T130] ? rw_verify_area (fs/read_write.c:470)
[ 51.504521][ T130] vfs_read (fs/read_write.c:488 fs/read_write.c:569)
[ 51.504524][ T130] ? kernfs_iop_getattr (fs/kernfs/inode.c:197)
[ 51.504528][ T130] ? __pfx_vfs_read (fs/read_write.c:550)
[ 51.504533][ T130] ? fdget_pos (arch/x86/include/asm/atomic64_64.h:15 include/linux/atomic/atomic-arch-fallback.h:2583 include/linux/atomic/atomic-long.h:38 include/linux/atomic/atomic-instrumented.h:3189 fs/file.c:1177 fs/file.c:1185)
[ 51.504537][ T130] ? __pfx___seccomp_filter (kernel/seccomp.c:1218)
[ 51.504543][ T130] ksys_read (fs/read_write.c:712)
[ 51.504546][ T130] ? __pfx_ksys_read (fs/read_write.c:702)
[ 51.504550][ T130] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
[ 51.504555][ T130] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[ 51.504558][ T130] RIP: 0033:0x7fddff64e1dc
[ 51.504562][ T130] Code: ec 28 48 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 d9 d5 f8 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 34 44 89 c7 48 89 44 24 08 e8 2f d6 f8 ff 48
All code
========
0: ec in (%dx),%al
1: 28 48 89 sub %cl,-0x77(%rax)
4: 54 push %rsp
5: 24 18 and $0x18,%al
7: 48 89 74 24 10 mov %rsi,0x10(%rsp)
c: 89 7c 24 08 mov %edi,0x8(%rsp)
10: e8 d9 d5 f8 ff callq 0xfffffffffff8d5ee
15: 48 8b 54 24 18 mov 0x18(%rsp),%rdx
1a: 48 8b 74 24 10 mov 0x10(%rsp),%rsi
1f: 41 89 c0 mov %eax,%r8d
22: 8b 7c 24 08 mov 0x8(%rsp),%edi
26: 31 c0 xor %eax,%eax
28: 0f 05 syscall
2a:* 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax <-- trapping instruction
30: 77 34 ja 0x66
32: 44 89 c7 mov %r8d,%edi
35: 48 89 44 24 08 mov %rax,0x8(%rsp)
3a: e8 2f d6 f8 ff callq 0xfffffffffff8d66e
3f: 48 rex.W
Code starting with the faulting instruction
===========================================
0: 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax
6: 77 34 ja 0x3c
8: 44 89 c7 mov %r8d,%edi
b: 48 89 44 24 08 mov %rax,0x8(%rsp)
10: e8 2f d6 f8 ff callq 0xfffffffffff8d644
15: 48 rex.W
[ 51.504565][ T130] RSP: 002b:00007ffe3e501df0 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 51.504569][ T130] RAX: ffffffffffffffda RBX: 000055d748fcdac0 RCX: 00007fddff64e1dc
[ 51.504572][ T130] RDX: 0000000000001008 RSI: 000055d748fcdac0 RDI: 000000000000001c
[ 51.504574][ T130] RBP: 000000000000001c R08: 0000000000000000 R09: 00007fddff728ce0
[ 51.504576][ T130] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000001008
[ 51.504578][ T130] R13: 0000000000001007 R14: ffffffffffffffff R15: 0000000000000002
[ 51.504583][ T130] </TASK>
[ 51.504585][ T130]
[ 51.504586][ T130] Allocated by task 1044:
[ 51.504588][ T130] kasan_save_stack (mm/kasan/common.c:48)
[ 51.504591][ T130] kasan_save_track (arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69)
[ 51.504594][ T130] __kasan_kmalloc (mm/kasan/common.c:377 mm/kasan/common.c:394)
[ 51.504597][ T130] __kmalloc_noprof (include/linux/kasan.h:257 mm/slub.c:4265 mm/slub.c:4277)
[ 51.504600][ T130] scsi_alloc_sdev (include/linux/slab.h:882 include/linux/slab.h:1014 drivers/scsi/scsi_scan.c:288)
[ 51.504604][ T130] scsi_probe_and_add_lun (drivers/scsi/scsi_scan.c:1210)
[ 51.504607][ T130] __scsi_scan_target (drivers/scsi/scsi_scan.c:1769)
[ 51.504610][ T130] scsi_scan_host_selected (drivers/scsi/scsi_scan.c:1877)
[ 51.504614][ T130] store_scan (drivers/scsi/scsi_sysfs.c:151 drivers/scsi/scsi_sysfs.c:191)
[ 51.504617][ T130] kernfs_fop_write_iter (fs/kernfs/file.c:348)
[ 51.504619][ T130] vfs_write (fs/read_write.c:590 fs/read_write.c:683)
[ 51.504622][ T130] ksys_write (fs/read_write.c:736)
[ 51.504624][ T130] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
[ 51.504627][ T130] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[ 51.504629][ T130]
[ 51.504630][ T130] Freed by task 1044:
[ 51.504632][ T130] kasan_save_stack (mm/kasan/common.c:48)
[ 51.504635][ T130] kasan_save_track (arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69)
[ 51.504638][ T130] kasan_save_free_info (mm/kasan/generic.c:582)
[ 51.504640][ T130] __kasan_slab_free (mm/kasan/common.c:271)
[ 51.504643][ T130] kfree (mm/slub.c:4580 mm/slub.c:4728)
[ 51.504646][ T130] scsi_device_dev_release (drivers/scsi/scsi_sysfs.c:521 (discriminator 5))
[ 51.504649][ T130] device_release (drivers/base/core.c:2575)
[ 51.504653][ T130] kobject_cleanup (lib/kobject.c:689)
[ 51.504656][ T130] scsi_device_put (drivers/scsi/scsi.c:794)
[ 51.504658][ T130] sdev_store_delete (drivers/scsi/scsi_sysfs.c:791)
[ 51.504661][ T130] kernfs_fop_write_iter (fs/kernfs/file.c:348)
[ 51.504664][ T130] vfs_write (fs/read_write.c:590 fs/read_write.c:683)
[ 51.504666][ T130] ksys_write (fs/read_write.c:736)
[ 51.504668][ T130] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
[ 51.504671][ T130] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[ 51.504674][ T130]
[ 51.504675][ T130] Last potentially related work creation:
[ 51.504676][ T130] kasan_save_stack (mm/kasan/common.c:48)
[ 51.504679][ T130] __kasan_record_aux_stack (mm/kasan/generic.c:541)
[ 51.504681][ T130] insert_work (include/linux/instrumented.h:68 include/asm-generic/bitops/instrumented-non-atomic.h:141 kernel/workqueue.c:788 kernel/workqueue.c:795 kernel/workqueue.c:2186)
[ 51.504685][ T130] __queue_work (kernel/workqueue.c:6723)
[ 51.504689][ T130] queue_work_on (kernel/workqueue.c:2391)
[ 51.504692][ T130] sdev_evt_send (include/linux/spinlock.h:406 drivers/scsi/scsi_lib.c:2645)
[ 51.504694][ T130] scsi_evt_thread (drivers/scsi/scsi_lib.c:2596)
[ 51.504697][ T130] process_one_work (kernel/workqueue.c:3229)
[ 51.504701][ T130] worker_thread (kernel/workqueue.c:3304 kernel/workqueue.c:3391)
[ 51.504704][ T130] kthread (kernel/kthread.c:389)
[ 51.504707][ T130] ret_from_fork (arch/x86/kernel/process.c:147)
[ 51.504710][ T130] ret_from_fork_asm (arch/x86/entry/entry_64.S:257)
[ 51.504713][ T130]
[ 51.504714][ T130] Second to last potentially related work creation:
[ 51.504716][ T130] kasan_save_stack (mm/kasan/common.c:48)
[ 51.504719][ T130] __kasan_record_aux_stack (mm/kasan/generic.c:541)
[ 51.504721][ T130] insert_work (include/linux/instrumented.h:68 include/asm-generic/bitops/instrumented-non-atomic.h:141 kernel/workqueue.c:788 kernel/workqueue.c:795 kernel/workqueue.c:2186)
[ 51.504724][ T130] __queue_work (kernel/workqueue.c:6723)
[ 51.504727][ T130] queue_work_on (kernel/workqueue.c:2391)
[ 51.504731][ T130] scsi_check_sense (include/scsi/scsi_eh.h:24 drivers/scsi/scsi_error.c:550)
[ 51.504734][ T130] scsi_decide_disposition (drivers/scsi/scsi_error.c:2024)
[ 51.504737][ T130] scsi_complete (drivers/scsi/scsi_lib.c:1515)
[ 51.504740][ T130] blk_complete_reqs (block/blk-mq.c:1126 (discriminator 3))
[ 51.504744][ T130] handle_softirqs (kernel/softirq.c:554)
[ 51.504747][ T130] run_ksoftirqd (arch/x86/include/asm/irqflags.h:42 arch/x86/include/asm/irqflags.h:97 kernel/softirq.c:411 kernel/softirq.c:928 kernel/softirq.c:919)
[ 51.504750][ T130] smpboot_thread_fn (kernel/smpboot.c:164 (discriminator 3))
[ 51.504753][ T130] kthread (kernel/kthread.c:389)
[ 51.504755][ T130] ret_from_fork (arch/x86/kernel/process.c:147)
[ 51.504758][ T130] ret_from_fork_asm (arch/x86/entry/entry_64.S:257)
[ 51.504760][ T130]
[ 51.504761][ T130] The buggy address belongs to the object at ffff8887ff562000
[ 51.504761][ T130] which belongs to the cache kmalloc-4k of size 4096
[ 51.504764][ T130] The buggy address is located 592 bytes inside of
[ 51.504764][ T130] freed 4096-byte region [ffff8887ff562000, ffff8887ff563000)
[ 51.504767][ T130]
[ 51.504768][ T130] The buggy address belongs to the physical page:
[ 51.504770][ T130] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7ff560
[ 51.504774][ T130] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 51.504776][ T130] flags: 0x17ffffc0000040(head|node=0|zone=2|lastcpupid=0x1fffff)
[ 51.504780][ T130] page_type: f5(slab)
[ 51.504783][ T130] raw: 0017ffffc0000040 ffff88810c843040 dead000000000122 0000000000000000
[ 51.504786][ T130] raw: 0000000000000000 0000000000040004 00000001f5000000 0000000000000000
[ 51.504789][ T130] head: 0017ffffc0000040 ffff88810c843040 dead000000000122 0000000000000000
The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20241007/202410071741.4aa3984e-oliver.sang@intel.com
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki