From: Yosry Ahmed <yosry.ahmed@linux.dev>
To: Chengming Zhou <chengming.zhou@linux.dev>
Cc: ffhgfv <xnxc22xnxc22@qq.com>, hannes <hannes@cmpxchg.org>,
	nphamcs <nphamcs@gmail.com>, akpm <akpm@linux-foundation.org>,
	linux-mm <linux-mm@kvack.org>,
	linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: Linux6.14-rc5: KASAN: use-after-free Read in zswap_store
Date: Mon, 17 Mar 2025 18:18:39 +0000
Message-ID: <Z9hnf0Zv7_1vkh3n@google.com>
In-Reply-To: <e6039be4-c7dc-4f2b-9ea3-5b16181d5a1a@linux.dev>

On Mon, Mar 17, 2025 at 10:33:20AM +0800, Chengming Zhou wrote:
> On 2025/3/17 08:13, ffhgfv wrote:
> > Hello, I found a bug titled " KASAN: use-after-free Read in zswap_store " with modified syzkaller in the Linux6.14-rc5.
> > If you fix this issue, please add the following tag to the commit:  Reported-by: Jianzhou Zhao <xnxc22xnxc22@qq.com>,    xingwei lee <xrivendell7@gmail.com>, Zhizhuo Tang <strforexctzzchange@foxmail.com>
> > 
> > I use the same kernel as syzbot instance upstream: 7eb172143d5508b4da468ed59ee857c6e5e01da6
> > kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=da4b04ae798b7ef6
> > compiler: gcc version 11.4.0
> > ------------[ cut here ]-----------------------------------------
> >   TITLE:   KASAN: use-after-free Read in zswap_store
> > ==================================================================
> > BUG: KASAN: use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
> > BUG: KASAN: use-after-free in do_raw_spin_lock+0x285/0x2e0 kernel/locking/spinlock_debug.c:115
> > Read of size 4 at addr ffff88804e78e014 by task kswapd0/98
> > 
> > CPU: 0 UID: 0 PID: 98 Comm: kswapd0 Not tainted 6.14.0-rc5-dirty #11
> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> > Call Trace:
> >   <task>
> >   __dump_stack lib/dump_stack.c:94 [inline]
> >   dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120
> >   print_address_description mm/kasan/report.c:408 [inline]
> >   print_report+0xc1/0x630 mm/kasan/report.c:521
> >   kasan_report+0x93/0xc0 mm/kasan/report.c:634
> >   debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
> >   do_raw_spin_lock+0x285/0x2e0 kernel/locking/spinlock_debug.c:115
> >   spin_lock include/linux/spinlock.h:351 [inline]
> >   z3fold_page_lock mm/z3fold.c:223 [inline]
> >   z3fold_alloc mm/z3fold.c:1060 [inline]
> >   z3fold_zpool_malloc+0x9b1/0x1410 mm/z3fold.c:1388
> >   zswap_compress mm/zswap.c:971 [inline]
> >   zswap_store_page mm/zswap.c:1462 [inline]
> >   zswap_store+0xe46/0x41e0 mm/zswap.c:1571
> >   swap_writepage+0x3a7/0x1430 mm/page_io.c:278
> >   pageout+0x3bf/0xac0 mm/vmscan.c:696
> >   shrink_folio_list+0x3509/0x4480 mm/vmscan.c:1402
> >   evict_folios+0x849/0x2100 mm/vmscan.c:4660
> >   try_to_shrink_lruvec+0x608/0x9b0 mm/vmscan.c:4821
> >   shrink_one+0x412/0x7d0 mm/vmscan.c:4866
> >   shrink_many mm/vmscan.c:4929 [inline]
> >   lru_gen_shrink_node mm/vmscan.c:5007 [inline]
> >   shrink_node+0x2355/0x3c10 mm/vmscan.c:5978
> >   kswapd_shrink_node mm/vmscan.c:6807 [inline]
> >   balance_pgdat+0xa85/0x1740 mm/vmscan.c:6999
> >   kswapd+0x4c0/0xbe0 mm/vmscan.c:7264
> >   kthread+0x427/0x880 kernel/kthread.c:464
> >   ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148
> >   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
> >   </task>
> > 
> > The buggy address belongs to the physical page:
> > page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x564c9cd0a pfn:0x4e78e
> > flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
> > raw: 04fff00000000000 ffffea000139e508 ffffea000139e248 0000000000000000
> > raw: 0000000564c9cd0a 0000000000000000 00000000ffffffff 0000000000000000
> > page dumped because: kasan: bad access detected
> > page_owner tracks the page as freed
> > page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12800(GFP_NOWAIT|__GFP_NORETRY), pid 98, tgid 98 (kswapd0), ts 431124924160, free_ts 431131252025
> >   set_page_owner include/linux/page_owner.h:32 [inline]
> >   post_alloc_hook mm/page_alloc.c:1551 [inline]
> >   prep_new_page+0x1b0/0x1e0 mm/page_alloc.c:1559
> >   get_page_from_freelist+0x19a2/0x3250 mm/page_alloc.c:3477
> >   __alloc_frozen_pages_noprof+0x324/0x6b0 mm/page_alloc.c:4739
> >   alloc_pages_mpol+0x20a/0x550 mm/mempolicy.c:2270
> >   alloc_pages_noprof+0x1c/0x250 mm/mempolicy.c:2361
> >   z3fold_alloc mm/z3fold.c:1036 [inline]
> >   z3fold_zpool_malloc+0x7aa/0x1410 mm/z3fold.c:1388
> >   zswap_compress mm/zswap.c:971 [inline]
> >   zswap_store_page mm/zswap.c:1462 [inline]
> >   zswap_store+0xe46/0x41e0 mm/zswap.c:1571
> >   swap_writepage+0x3a7/0x1430 mm/page_io.c:278
> >   pageout+0x3bf/0xac0 mm/vmscan.c:696
> >   shrink_folio_list+0x3509/0x4480 mm/vmscan.c:1402
> >   evict_folios+0x849/0x2100 mm/vmscan.c:4660
> >   try_to_shrink_lruvec+0x608/0x9b0 mm/vmscan.c:4821
> >   shrink_one+0x412/0x7d0 mm/vmscan.c:4866
> >   shrink_many mm/vmscan.c:4929 [inline]
> >   lru_gen_shrink_node mm/vmscan.c:5007 [inline]
> >   shrink_node+0x2355/0x3c10 mm/vmscan.c:5978
> >   kswapd_shrink_node mm/vmscan.c:6807 [inline]
> >   balance_pgdat+0xa85/0x1740 mm/vmscan.c:6999
> >   kswapd+0x4c0/0xbe0 mm/vmscan.c:7264
> > page last free pid 38 tgid 38 stack trace:
> 
> It looks like the z3fold doesn't handle the migration correctly?
> But it's suggested that we should use zsmalloc as zswap allocator,
> and the z3fold/zbud will be deleted.

Yeah this code should be gone in v6.15.
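The practical takeaway from the thread is the one Chengming states: z3fold (and zbud) are on their way out and zsmalloc is the allocator zswap should be using. The following shell function is an added example, not part of the thread or of the kernel tree: it reads the zswap module parameters that the kernel exports under /sys/module/zswap/parameters, reports which zpool backend is active, and flags the deprecated ones. The optional directory argument is only there so the check can be pointed at a constructed copy of that directory; on a real system it defaults to the sysfs path. The runtime switch it suggests (writing zsmalloc to the zpool parameter) and the boot-time form (zswap.zpool=zsmalloc) are both real kernel interfaces; zsmalloc must be built into the running kernel for either to take effect.

```shell
#!/bin/sh
# Added example: report which zpool allocator zswap is using and flag the
# deprecated z3fold/zbud backends. Paths under /sys/module/zswap/parameters
# are the kernel's own; the directory argument exists so the check can be run
# against a constructed copy (e.g. in a test) instead of the live system.
#
# Usage: zswap_zpool_check [PARAM_DIR]
# Exit status: 0 = zsmalloc in use, 1 = deprecated or unknown allocator,
#              2 = zswap parameters not present (not built or not loaded).

zswap_zpool_check() {
    dir="${1:-/sys/module/zswap/parameters}"

    if [ ! -r "$dir/zpool" ]; then
        echo "zswap: no parameters under $dir (module not built or not loaded)" >&2
        return 2
    fi

    zpool=$(cat "$dir/zpool")
    # 'enabled' may be absent on a constructed directory; print '?' then.
    enabled=$(cat "$dir/enabled" 2>/dev/null || echo '?')
    echo "zswap enabled=$enabled zpool=$zpool"

    case "$zpool" in
        zsmalloc)
            return 0 ;;
        z3fold|zbud)
            echo "zswap: '$zpool' is deprecated; switch to zsmalloc with one of:" >&2
            echo "  echo zsmalloc > $dir/zpool      (runtime, needs CONFIG_ZSMALLOC)" >&2
            echo "  zswap.zpool=zsmalloc            (kernel command line)" >&2
            return 1 ;;
        *)
            echo "zswap: unrecognised zpool '$zpool'" >&2
            return 1 ;;
    esac
}

# Uncomment to check the running system:
# zswap_zpool_check
```

Run it with no argument on a host to inspect the live configuration; the exit status makes it usable from a compliance or hardening script, and the stderr hints give the exact runtime and boot-time knobs to move off z3fold.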

Thread overview:
2025-03-17  0:13 Linux6.14-rc5: KASAN: use-after-free Read in zswap_store ffhgfv
2025-03-17  2:33 ` Chengming Zhou
2025-03-17 18:18   ` Yosry Ahmed [this message]