Re: [syzbot] [mm?] [kasan?] WARNING in __kfence_free (3)

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Marco Elver <elver@google.com>
To: syzbot <syzbot+59f37b0ab4c558a5357c@syzkaller.appspotmail.com>,
	Muchun Song <muchun.song@linux.dev>
Cc: akpm@linux-foundation.org, dvyukov@google.com, glider@google.com,
	kasan-dev@googlegroups.com, linux-kernel@vger.kernel.org,
	linux-mm@kvack.org, syzkaller-bugs@googlegroups.com,
	Andrey Konovalov <andreyknvl@gmail.com>
Subject: Re: [syzbot] [mm?] [kasan?] WARNING in __kfence_free (3)
Date: Wed, 18 Oct 2023 11:20:37 +0200	[thread overview]
Message-ID: <ZS-jZQFcQwb8o8qs@elver.google.com> (raw)
In-Reply-To: <000000000000bc90a60607f41fc3@google.com>

On Tue, Oct 17, 2023 at 07:09PM -0700, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    213f891525c2 Merge tag 'probes-fixes-v6.6-rc6' of git://gi..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=14a731f9680000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=a4436b383d761e86
> dashboard link: https://syzkaller.appspot.com/bug?extid=59f37b0ab4c558a5357c
> compiler:       aarch64-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> userspace arch: arm64
> 
> Unfortunately, I don't have any reproducer for this issue yet.
> 
> Downloadable assets:
> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/384ffdcca292/non_bootable_disk-213f8915.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/98b9a78b6226/vmlinux-213f8915.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/8ed2ef54968f/Image-213f8915.gz.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+59f37b0ab4c558a5357c@syzkaller.appspotmail.com
> 
> ------------[ cut here ]------------
> WARNING: CPU: 1 PID: 3252 at mm/kfence/core.c:1147 __kfence_free+0x7c/0xb4 mm/kfence/core.c:1147

This has happened before:
https://lore.kernel.org/all/FC29C538-1446-4A3F-A6FA-857295D7DEB3@linux.dev/T/#u

And is this warning:

	| void __kfence_free(void *addr)
	| {
	| 	struct kfence_metadata *meta = addr_to_metadata((unsigned long)addr);
	| 
	| #ifdef CONFIG_MEMCG
	| 	KFENCE_WARN_ON(meta->objcg);           <--------
	| #endif

Which is this assembly in the vmlinux provided by syzbot:

	ffff8000802bed9c: 22 40 42 f9   ldr     x2, [x1, #1152]
	ffff8000802beda0: 02 fe ff b4   cbz     x2, 0xffff8000802bed60 <__kfence_free+0x38>
	ffff8000802beda4: 00 00 21 d4   brk     #0x800

So we know the pointer is in x2, and from the below we know it's fcff000006a24ec0.

Muchun, last time you said:

> Maybe we could improve the warning message,
> e.g. print the current value of "meta->objcg".

Does this somehow help you better understand what's going on?

Also this is a KASAN_HW_TAGS instance (using arm64 MTE), not sure that's
relevant though.

> Modules linked in:
> CPU: 1 PID: 3252 Comm: syz-executor.1 Not tainted 6.6.0-rc6-syzkaller-00029-g213f891525c2 #0
> Hardware name: linux,dummy-virt (DT)
> pstate: 81400009 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
> pc : __kfence_free+0x7c/0xb4 mm/kfence/core.c:1147
> lr : kfence_free include/linux/kfence.h:187 [inline]
> lr : __slab_free+0x48c/0x508 mm/slub.c:3614
> sp : ffff800082cebb50
> x29: ffff800082cebb50 x28: f7ff000002c0c400 x27: ffff8000818ca8a8
> x26: ffff8000821f0620 x25: 0000000000000001 x24: ffff00007ffa3000
> x23: 0000000000000001 x22: ffff00007ffa3000 x21: ffff00007ffa3000
> x20: ffff80008004191c x19: fffffc0001ffe8c0 x18: ffffffffffffffff
> x17: ffff800080027b40 x16: ffff800080027a34 x15: ffff800080318514
> x14: ffff8000800469c8 x13: ffff800080011558 x12: ffff800081897ff4
> x11: ffff800081897b28 x10: ffff800080027bfc x9 : 0000000000400cc0
> x8 : ffff800082cebc30 x7 : 0000000000000000 x6 : 0000000000000000
> x5 : ffff80008004191c x4 : ffff00007f869000 x3 : ffff800082420338
> x2 : fcff000006a24ec0 x1 : ffff00007f8a50a0 x0 : ffff00007ffa3000
> Call trace:
>  __kfence_free+0x7c/0xb4 mm/kfence/core.c:1147
>  kfence_free include/linux/kfence.h:187 [inline]
>  __slab_free+0x48c/0x508 mm/slub.c:3614
>  do_slab_free mm/slub.c:3757 [inline]
>  slab_free mm/slub.c:3810 [inline]
>  __kmem_cache_free+0x220/0x230 mm/slub.c:3822
>  kfree+0x5c/0x74 mm/slab_common.c:1072
>  kvm_uevent_notify_change.part.0+0x10c/0x174 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:5908
>  kvm_uevent_notify_change arch/arm64/kvm/../../../virt/kvm/kvm_main.c:5878 [inline]
>  kvm_dev_ioctl_create_vm arch/arm64/kvm/../../../virt/kvm/kvm_main.c:5107 [inline]
>  kvm_dev_ioctl+0x3e8/0x91c arch/arm64/kvm/../../../virt/kvm/kvm_main.c:5131
>  vfs_ioctl fs/ioctl.c:51 [inline]
>  __do_sys_ioctl fs/ioctl.c:871 [inline]
>  __se_sys_ioctl fs/ioctl.c:857 [inline]
>  __arm64_sys_ioctl+0xac/0xf0 fs/ioctl.c:857
>  __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
>  invoke_syscall+0x48/0x114 arch/arm64/kernel/syscall.c:51
>  el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:136
>  do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:155
>  el0_svc+0x40/0x114 arch/arm64/kernel/entry-common.c:678
>  el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:696
>  el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:595
> ---[ end trace 0000000000000000 ]---

next prev parent reply	other threads:[~2023-10-18  9:20 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-10-18  2:09 [syzbot] [mm?] [kasan?] WARNING in __kfence_free (3) syzbot
2023-10-18  9:20 ` Marco Elver [this message]
2023-11-16  4:47 ` [syzbot] [kasan?] [mm?] " syzbot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ZS-jZQFcQwb8o8qs@elver.google.com \
    --to=elver@google.com \
    --cc=akpm@linux-foundation.org \
    --cc=andreyknvl@gmail.com \
    --cc=dvyukov@google.com \
    --cc=glider@google.com \
    --cc=kasan-dev@googlegroups.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=muchun.song@linux.dev \
    --cc=syzbot+59f37b0ab4c558a5357c@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.