From: kernel test robot <oliver.sang@intel.com>
To: Justin Suess <utilityemal77@gmail.com>
Cc: <oe-lkp@lists.linux.dev>, <lkp@intel.com>, <bpf@vger.kernel.org>,
<oliver.sang@intel.com>
Subject: Re: [PATCH bpf-next 2/4] bpf: Use rcu_work in BTF teardown
Date: Wed, 20 May 2026 13:37:01 +0800 [thread overview]
Message-ID: <202605200724.c2adcd3c-lkp@intel.com> (raw)
In-Reply-To: <20260428201422.1518903-3-utilityemal77@gmail.com>
Hello,
kernel test robot noticed "BUG:KASAN:slab-use-after-free_in__flush_work" on:
commit: ce0e78544f0e36b457f7130aa69ed6787760c7b6 ("bpf: Use rcu_work in BTF teardown")
url: https://github.com/intel-lab-lkp/linux/commits/Justin-Suess/bpf-Limit-fields-used-in-btf_record_equal-comparisons/20260430-120417
patch link: https://lore.kernel.org/all/20260428201422.1518903-3-utilityemal77@gmail.com/
patch subject: [PATCH bpf-next 2/4] bpf: Use rcu_work in BTF teardown
in testcase: boot
config: x86_64-rhel-9.4-bpf
compiler: gcc-14
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 32G
(please refer to the attached dmesg/kmsg for the entire log/backtrace)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <oliver.sang@intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202605200724.c2adcd3c-lkp@intel.com
[ 146.626030][ T116] BUG: KASAN: slab-use-after-free in __flush_work (workqueue.c:4315)
[ 146.626925][ T116] Read of size 8 at addr ffff8882dde72080 by task udevd/116
[ 146.627704][ T116]
[ 146.628032][ T116] CPU: 1 UID: 0 PID: 116 Comm: udevd Not tainted 7.0.0+ #1 PREEMPT(full)
[ 146.628041][ T116] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 146.628045][ T116] Call Trace:
[ 146.628051][ T116] <TASK>
[ 146.628057][ T116] dump_stack_lvl (dump_stack.c:94 dump_stack.c:120)
[ 146.628071][ T116] print_address_description+0x70/0x300
[ 146.628079][ T116] ? lock_acquire (trace/events/lock.h:24 (discriminator 21) locking/lockdep.c:5831 (discriminator 21))
[ 146.628086][ T116] ? __flush_work (workqueue.c:4315)
[ 146.628093][ T116] print_report (kasan/report.c:482)
[ 146.628097][ T116] ? __virt_addr_valid (linux/rcupdate.h:963 linux/mmzone.h:2279 x86/mm/physaddr.c:54)
[ 146.628103][ T116] ? __flush_work (workqueue.c:4315)
[ 146.628107][ T116] ? __flush_work (workqueue.c:4315)
[ 146.628111][ T116] kasan_report (kasan/report.c:595)
[ 146.628120][ T116] ? __flush_work (workqueue.c:4315)
[ 146.628127][ T116] __flush_work (workqueue.c:4315)
[ 146.628133][ T116] ? __pfx___flush_work (linux/rcupdate.h:867 (discriminator 7))
[ 146.628138][ T116] ? flush_rcu_work (workqueue.c:4412)
[ 146.628142][ T116] ? lock_release (locking/lockdep.c:5889 locking/lockdep.c:5875)
[ 146.628146][ T116] ? __mutex_unlock_slowpath (linux/instrumented.h:55 linux/atomic/atomic-instrumented.h:4480 locking/mutex.c:993)
[ 146.628156][ T116] ? __pfx___mutex_unlock_slowpath (usercopy_64.c:?)
[ 146.628160][ T116] ? trace_preempt_on (trace/events/preemptirq.h:53 (discriminator 21) trace/trace_preemptirq.c:120 (discriminator 21))
[ 146.628167][ T116] ? _find_next_bit (find_bit.c:157 (discriminator 2))
[ 146.628175][ T116] ? lock_is_held_type (locking/lockdep.c:5601 locking/lockdep.c:5940)
[ 146.628182][ T116] ? __might_resched (sched/core.c:9127 (discriminator 1))
[ 146.628190][ T116] flush_rcu_work (workqueue.c:4375 workqueue.c:4413)
[ 146.628195][ T116] btf_module_notify (bpf/btf.c:8454)
[ 146.628212][ T116] notifier_call_chain (notifier.c:85)
[ 146.628220][ T116] blocking_notifier_call_chain (notifier.c:380 notifier.c:368)
[ 146.628227][ T116] do_init_module (module/main.c:3202)
[ 146.628238][ T116] ? __pfx_do_init_module (trace/events/module.h:50 (discriminator 1))
[ 146.628242][ T116] ? load_module (module/main.c:2528 module/main.c:2523 module/main.c:3575)
[ 146.628247][ T116] ? kfree (linux/kasan.h:235 slub.c:2689 slub.c:6246 slub.c:6561)
[ 146.628256][ T116] load_module (module/main.c:3580)
[ 146.628266][ T116] ? __pfx_load_module (module/main.c:3020)
[ 146.628272][ T116] ? __pfx_kernel_read_file (??:?)
[ 146.628278][ T116] ? userfaultfd_unmap_complete (userfaultfd.c:864)
[ 146.628286][ T116] ? __pfx_generic_file_mmap_prepare (filemap.c:3995)
[ 146.628296][ T116] init_module_from_file (module/main.c:3777)
[ 146.628302][ T116] ? __pfx_init_module_from_file (module/main.c:3634)
[ 146.628312][ T116] ? idempotent_init_module (linux/spinlock.h:390 module/main.c:3688 module/main.c:3788)
[ 146.628317][ T116] ? rcu_is_watching (x86/include/asm/atomic.h:23 linux/atomic/atomic-arch-fallback.h:457 linux/context_tracking.h:128 rcu/tree.c:752)
[ 146.628323][ T116] ? trace_preempt_on (trace/events/preemptirq.h:53 (discriminator 21) trace/trace_preemptirq.c:120 (discriminator 21))
[ 146.628327][ T116] ? preempt_count_sub (sched/core.c:5873 (discriminator 2) sched/core.c:5870 (discriminator 2) sched/core.c:5892 (discriminator 2))
[ 146.628334][ T116] idempotent_init_module (module/main.c:3789)
[ 146.628341][ T116] ? __pfx_idempotent_init_module (module/main.c:3778)
[ 146.628351][ T116] ? security_capable (security.c:660 (discriminator 20))
[ 146.628358][ T116] __x64_sys_finit_module (module/main.c:3815 module/main.c:3799 module/main.c:3799)
[ 146.628364][ T116] do_syscall_64 (x86/entry/syscall_64.c:63 x86/entry/syscall_64.c:94)
[ 146.628372][ T116] ? trace_hardirqs_on_prepare (trace/trace_preemptirq.c:63 (discriminator 1) trace/trace_preemptirq.c:59 (discriminator 1))
[ 146.628376][ T116] ? do_syscall_64 (linux/irq-entry-common.h:285 (discriminator 1) linux/entry-common.h:330 (discriminator 1) x86/entry/syscall_64.c:100 (discriminator 1))
[ 146.628380][ T116] ? do_syscall_64 (linux/irq-entry-common.h:285 (discriminator 1) linux/entry-common.h:330 (discriminator 1) x86/entry/syscall_64.c:100 (discriminator 1))
[ 146.628383][ T116] ? exc_page_fault (x86/mm/fault.c:1474 x86/mm/fault.c:1527)
[ 146.628387][ T116] ? __lock_release+0x5d/0x1b0
[ 146.628391][ T116] ? handle_mm_fault (memory.c:6604 (discriminator 1) memory.c:6744 (discriminator 1))
[ 146.628397][ T116] ? exc_page_fault (x86/mm/fault.c:1474 x86/mm/fault.c:1527)
[ 146.628401][ T116] ? rcu_is_watching (x86/include/asm/atomic.h:23 linux/atomic/atomic-arch-fallback.h:457 linux/context_tracking.h:128 rcu/tree.c:752)
[ 146.628405][ T116] ? trace_preempt_on (trace/events/preemptirq.h:53 (discriminator 21) trace/trace_preemptirq.c:120 (discriminator 21))
[ 146.628408][ T116] ? do_syscall_64 (linux/randomize_kstack.h:58 x86/entry/syscall_64.c:92)
[ 146.628412][ T116] ? preempt_count_sub (sched/core.c:5873 (discriminator 2) sched/core.c:5870 (discriminator 2) sched/core.c:5892 (discriminator 2))
[ 146.628417][ T116] ? do_syscall_64 (linux/randomize_kstack.h:58 x86/entry/syscall_64.c:92)
[ 146.628421][ T116] ? irqentry_exit (linux/irq-entry-common.h:280 linux/irq-entry-common.h:325 entry/common.c:162)
[ 146.628426][ T116] entry_SYSCALL_64_after_hwframe (x86/entry/entry_64.S:121)
[ 146.628432][ T116] RIP: 0033:0x7fa4ddc65b99
[ 146.628439][ T116] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d c7 12 0c 00 f7 d8 64 89 01 48
All code
========
0: 00 c3 add %al,%bl
2: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
9: 00 00 00
c: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
11: 48 89 f8 mov %rdi,%rax
14: 48 89 f7 mov %rsi,%rdi
17: 48 89 d6 mov %rdx,%rsi
1a: 48 89 ca mov %rcx,%rdx
1d: 4d 89 c2 mov %r8,%r10
20: 4d 89 c8 mov %r9,%r8
23: 4c 8b 4c 24 08 mov 0x8(%rsp),%r9
28: 0f 05 syscall
2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
30: 73 01 jae 0x33
32: c3 ret
33: 48 8b 0d c7 12 0c 00 mov 0xc12c7(%rip),%rcx # 0xc1301
3a: f7 d8 neg %eax
3c: 64 89 01 mov %eax,%fs:(%rcx)
3f: 48 rex.W
Code starting with the faulting instruction
===========================================
0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax
6: 73 01 jae 0x9
8: c3 ret
9: 48 8b 0d c7 12 0c 00 mov 0xc12c7(%rip),%rcx # 0xc12d7
10: f7 d8 neg %eax
12: 64 89 01 mov %eax,%fs:(%rcx)
15: 48 rex.W
[ 146.628444][ T116] RSP: 002b:00007ffe04c429e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 146.628450][ T116] RAX: ffffffffffffffda RBX: 00005645ffd83ba0 RCX: 00007fa4ddc65b99
[ 146.628453][ T116] RDX: 0000000000000000 RSI: 00007fa4ddd3e1e3 RDI: 0000000000000007
[ 146.628456][ T116] RBP: 0000000000000000 R08: 0000000000000000 R09: 00005645ffd83ba0
[ 146.628459][ T116] R10: 0000000000000007 R11: 0000000000000246 R12: 00007fa4ddd3e1e3
[ 146.628461][ T116] R13: 0000000000020000 R14: 00007ffe04c42ae0 R15: 0000000000000000
[ 146.628469][ T116] </TASK>
[ 146.628471][ T116]
[ 146.634074][ T123] ata2: found unknown device (class 0)
[ 146.637503][ T116] Allocated by task 116:
[ 146.637516][ T116] kasan_save_stack (kasan/common.c:57)
[ 146.637532][ T116] kasan_save_track (kasan/common.c:78)
[ 146.637537][ T116] __kasan_kmalloc (kasan/common.c:398 kasan/common.c:415)
[ 146.637542][ T116] btf_parse_module (linux/slab.h:950 linux/slab.h:1188 bpf/btf.c:6493)
[ 146.637549][ T116] btf_module_notify (bpf/btf.c:8371)
[ 146.637554][ T116] notifier_call_chain (notifier.c:85)
[ 146.637561][ T116] blocking_notifier_call_chain_robust (notifier.c:120 notifier.c:345 notifier.c:333)
[ 146.644370][ T123] ata2.00: ATAPI: QEMU DVD-ROM, 2.5+, max UDMA/100
[ 146.644393][ T116] load_module (module/main.c:3357 module/main.c:3542)
[ 146.700116][ T116] init_module_from_file (module/main.c:3777)
[ 146.705423][ T116] idempotent_init_module (module/main.c:3789)
[ 146.706087][ T116] __x64_sys_finit_module (module/main.c:3815 module/main.c:3799 module/main.c:3799)
[ 146.706706][ T116] do_syscall_64 (x86/entry/syscall_64.c:63 x86/entry/syscall_64.c:94)
[ 146.707263][ T116] entry_SYSCALL_64_after_hwframe (x86/entry/entry_64.S:121)
[ 146.713649][ T116]
[ 146.713982][ T116] Freed by task 26:
[ 146.714445][ T116] kasan_save_stack (kasan/common.c:57)
[ 146.715029][ T116] kasan_save_track (kasan/common.c:78)
[ 146.715582][ T116] kasan_save_free_info (kasan/generic.c:584)
[ 146.716161][ T116] __kasan_slab_free (kasan/common.c:253 kasan/common.c:285)
[ 146.721405][ T116] kfree (linux/kasan.h:235 slub.c:2689 slub.c:6246 slub.c:6561)
[ 146.721927][ T116] process_one_work (workqueue.c:3302)
[ 146.722483][ T116] worker_thread (workqueue.c:3385 workqueue.c:3466)
[ 146.723018][ T116] kthread (kthread.c:436)
[ 146.723505][ T116] ret_from_fork (x86/kernel/process.c:158)
[ 146.724036][ T116] ret_from_fork_asm (x86/entry/entry_64.S:245)
[ 146.724581][ T116]
[ 146.724896][ T116] Last potentially related work creation:
[ 146.725544][ T116] kasan_save_stack (kasan/common.c:57)
[ 146.726082][ T116] kasan_record_aux_stack (kasan/generic.c:556)
[ 146.726665][ T116] insert_work (workqueue.c:2226)
[ 146.727162][ T116] __queue_work (workqueue.c:2381)
[ 146.727687][ T116] rcu_work_rcufn (workqueue.c:2649)
[ 146.728204][ T116] rcu_do_batch (rcu/tree.c:2617)
[ 146.728763][ T116] rcu_core (rcu/tree.c:2869)
[ 146.729259][ T116] handle_softirqs (softirq.c:622)
[ 146.729810][ T116] __irq_exit_rcu (softirq.c:656 softirq.c:496 softirq.c:735)
[ 146.730337][ T116] irq_exit_rcu ()
[ 146.733532][ T116] sysvec_apic_timer_interrupt+0x6d/0xb0
[ 146.734178][ T116] asm_sysvec_apic_timer_interrupt+0x16/0x20
[ 146.734850][ T116]
[ 146.735169][ T116] Second to last potentially related work creation:
[ 146.737858][ T116] kasan_save_stack (kasan/common.c:57)
The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20260520/202605200724.c2adcd3c-lkp@intel.com
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki