From: kernel test robot <oliver.sang@intel.com>
To: Justin Suess <utilityemal77@gmail.com>
Cc: <oe-lkp@lists.linux.dev>, <lkp@intel.com>, <bpf@vger.kernel.org>,
<oliver.sang@intel.com>
Subject: Re: [PATCH bpf-next 2/4] bpf: Use rcu_work in BTF teardown
Date: Wed, 20 May 2026 13:37:01 +0800
Message-ID: <202605200724.c2adcd3c-lkp@intel.com>
In-Reply-To: <20260428201422.1518903-3-utilityemal77@gmail.com>
Hello,
kernel test robot noticed "BUG:KASAN:slab-use-after-free_in__flush_work" on:
commit: ce0e78544f0e36b457f7130aa69ed6787760c7b6 ("bpf: Use rcu_work in BTF teardown")
url: https://github.com/intel-lab-lkp/linux/commits/Justin-Suess/bpf-Limit-fields-used-in-btf_record_equal-comparisons/20260430-120417
patch link: https://lore.kernel.org/all/20260428201422.1518903-3-utilityemal77@gmail.com/
patch subject: [PATCH bpf-next 2/4] bpf: Use rcu_work in BTF teardown
in testcase: boot
config: x86_64-rhel-9.4-bpf
compiler: gcc-14
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 32G
(please refer to attached dmesg/kmsg for entire log/backtrace)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags:
| Reported-by: kernel test robot <oliver.sang@intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202605200724.c2adcd3c-lkp@intel.com
[ 146.626030][ T116] BUG: KASAN: slab-use-after-free in __flush_work (workqueue.c:4315)
[ 146.626925][ T116] Read of size 8 at addr ffff8882dde72080 by task udevd/116
[ 146.627704][ T116]
[ 146.628032][ T116] CPU: 1 UID: 0 PID: 116 Comm: udevd Not tainted 7.0.0+ #1 PREEMPT(full)
[ 146.628041][ T116] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 146.628045][ T116] Call Trace:
[ 146.628051][ T116] <TASK>
[ 146.628057][ T116] dump_stack_lvl (dump_stack.c:94 dump_stack.c:120)
[ 146.628071][ T116] print_address_description+0x70/0x300
[ 146.628079][ T116] ? lock_acquire (trace/events/lock.h:24 (discriminator 21) locking/lockdep.c:5831 (discriminator 21))
[ 146.628086][ T116] ? __flush_work (workqueue.c:4315)
[ 146.628093][ T116] print_report (kasan/report.c:482)
[ 146.628097][ T116] ? __virt_addr_valid (linux/rcupdate.h:963 linux/mmzone.h:2279 x86/mm/physaddr.c:54)
[ 146.628103][ T116] ? __flush_work (workqueue.c:4315)
[ 146.628107][ T116] ? __flush_work (workqueue.c:4315)
[ 146.628111][ T116] kasan_report (kasan/report.c:595)
[ 146.628120][ T116] ? __flush_work (workqueue.c:4315)
[ 146.628127][ T116] __flush_work (workqueue.c:4315)
[ 146.628133][ T116] ? __pfx___flush_work (linux/rcupdate.h:867 (discriminator 7))
[ 146.628138][ T116] ? flush_rcu_work (workqueue.c:4412)
[ 146.628142][ T116] ? lock_release (locking/lockdep.c:5889 locking/lockdep.c:5875)
[ 146.628146][ T116] ? __mutex_unlock_slowpath (linux/instrumented.h:55 linux/atomic/atomic-instrumented.h:4480 locking/mutex.c:993)
[ 146.628156][ T116] ? __pfx___mutex_unlock_slowpath (usercopy_64.c:?)
[ 146.628160][ T116] ? trace_preempt_on (trace/events/preemptirq.h:53 (discriminator 21) trace/trace_preemptirq.c:120 (discriminator 21))
[ 146.628167][ T116] ? _find_next_bit (find_bit.c:157 (discriminator 2))
[ 146.628175][ T116] ? lock_is_held_type (locking/lockdep.c:5601 locking/lockdep.c:5940)
[ 146.628182][ T116] ? __might_resched (sched/core.c:9127 (discriminator 1))
[ 146.628190][ T116] flush_rcu_work (workqueue.c:4375 workqueue.c:4413)
[ 146.628195][ T116] btf_module_notify (bpf/btf.c:8454)
[ 146.628212][ T116] notifier_call_chain (notifier.c:85)
[ 146.628220][ T116] blocking_notifier_call_chain (notifier.c:380 notifier.c:368)
[ 146.628227][ T116] do_init_module (module/main.c:3202)
[ 146.628238][ T116] ? __pfx_do_init_module (trace/events/module.h:50 (discriminator 1))
[ 146.628242][ T116] ? load_module (module/main.c:2528 module/main.c:2523 module/main.c:3575)
[ 146.628247][ T116] ? kfree (linux/kasan.h:235 slub.c:2689 slub.c:6246 slub.c:6561)
[ 146.628256][ T116] load_module (module/main.c:3580)
[ 146.628266][ T116] ? __pfx_load_module (module/main.c:3020)
[ 146.628272][ T116] ? __pfx_kernel_read_file (??:?)
[ 146.628278][ T116] ? userfaultfd_unmap_complete (userfaultfd.c:864)
[ 146.628286][ T116] ? __pfx_generic_file_mmap_prepare (filemap.c:3995)
[ 146.628296][ T116] init_module_from_file (module/main.c:3777)
[ 146.628302][ T116] ? __pfx_init_module_from_file (module/main.c:3634)
[ 146.628312][ T116] ? idempotent_init_module (linux/spinlock.h:390 module/main.c:3688 module/main.c:3788)
[ 146.628317][ T116] ? rcu_is_watching (x86/include/asm/atomic.h:23 linux/atomic/atomic-arch-fallback.h:457 linux/context_tracking.h:128 rcu/tree.c:752)
[ 146.628323][ T116] ? trace_preempt_on (trace/events/preemptirq.h:53 (discriminator 21) trace/trace_preemptirq.c:120 (discriminator 21))
[ 146.628327][ T116] ? preempt_count_sub (sched/core.c:5873 (discriminator 2) sched/core.c:5870 (discriminator 2) sched/core.c:5892 (discriminator 2))
[ 146.628334][ T116] idempotent_init_module (module/main.c:3789)
[ 146.628341][ T116] ? __pfx_idempotent_init_module (module/main.c:3778)
[ 146.628351][ T116] ? security_capable (security.c:660 (discriminator 20))
[ 146.628358][ T116] __x64_sys_finit_module (module/main.c:3815 module/main.c:3799 module/main.c:3799)
[ 146.628364][ T116] do_syscall_64 (x86/entry/syscall_64.c:63 x86/entry/syscall_64.c:94)
[ 146.628372][ T116] ? trace_hardirqs_on_prepare (trace/trace_preemptirq.c:63 (discriminator 1) trace/trace_preemptirq.c:59 (discriminator 1))
[ 146.628376][ T116] ? do_syscall_64 (linux/irq-entry-common.h:285 (discriminator 1) linux/entry-common.h:330 (discriminator 1) x86/entry/syscall_64.c:100 (discriminator 1))
[ 146.628380][ T116] ? do_syscall_64 (linux/irq-entry-common.h:285 (discriminator 1) linux/entry-common.h:330 (discriminator 1) x86/entry/syscall_64.c:100 (discriminator 1))
[ 146.628383][ T116] ? exc_page_fault (x86/mm/fault.c:1474 x86/mm/fault.c:1527)
[ 146.628387][ T116] ? __lock_release+0x5d/0x1b0
[ 146.628391][ T116] ? handle_mm_fault (memory.c:6604 (discriminator 1) memory.c:6744 (discriminator 1))
[ 146.628397][ T116] ? exc_page_fault (x86/mm/fault.c:1474 x86/mm/fault.c:1527)
[ 146.628401][ T116] ? rcu_is_watching (x86/include/asm/atomic.h:23 linux/atomic/atomic-arch-fallback.h:457 linux/context_tracking.h:128 rcu/tree.c:752)
[ 146.628405][ T116] ? trace_preempt_on (trace/events/preemptirq.h:53 (discriminator 21) trace/trace_preemptirq.c:120 (discriminator 21))
[ 146.628408][ T116] ? do_syscall_64 (linux/randomize_kstack.h:58 x86/entry/syscall_64.c:92)
[ 146.628412][ T116] ? preempt_count_sub (sched/core.c:5873 (discriminator 2) sched/core.c:5870 (discriminator 2) sched/core.c:5892 (discriminator 2))
[ 146.628417][ T116] ? do_syscall_64 (linux/randomize_kstack.h:58 x86/entry/syscall_64.c:92)
[ 146.628421][ T116] ? irqentry_exit (linux/irq-entry-common.h:280 linux/irq-entry-common.h:325 entry/common.c:162)
[ 146.628426][ T116] entry_SYSCALL_64_after_hwframe (x86/entry/entry_64.S:121)
[ 146.628432][ T116] RIP: 0033:0x7fa4ddc65b99
[ 146.628439][ T116] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d c7 12 0c 00 f7 d8 64 89 01 48
All code
========
0: 00 c3 add %al,%bl
2: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
9: 00 00 00
c: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
11: 48 89 f8 mov %rdi,%rax
14: 48 89 f7 mov %rsi,%rdi
17: 48 89 d6 mov %rdx,%rsi
1a: 48 89 ca mov %rcx,%rdx
1d: 4d 89 c2 mov %r8,%r10
20: 4d 89 c8 mov %r9,%r8
23: 4c 8b 4c 24 08 mov 0x8(%rsp),%r9
28: 0f 05 syscall
2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
30: 73 01 jae 0x33
32: c3 ret
33: 48 8b 0d c7 12 0c 00 mov 0xc12c7(%rip),%rcx # 0xc1301
3a: f7 d8 neg %eax
3c: 64 89 01 mov %eax,%fs:(%rcx)
3f: 48 rex.W
Code starting with the faulting instruction
===========================================
0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax
6: 73 01 jae 0x9
8: c3 ret
9: 48 8b 0d c7 12 0c 00 mov 0xc12c7(%rip),%rcx # 0xc12d7
10: f7 d8 neg %eax
12: 64 89 01 mov %eax,%fs:(%rcx)
15: 48 rex.W
[ 146.628444][ T116] RSP: 002b:00007ffe04c429e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 146.628450][ T116] RAX: ffffffffffffffda RBX: 00005645ffd83ba0 RCX: 00007fa4ddc65b99
[ 146.628453][ T116] RDX: 0000000000000000 RSI: 00007fa4ddd3e1e3 RDI: 0000000000000007
[ 146.628456][ T116] RBP: 0000000000000000 R08: 0000000000000000 R09: 00005645ffd83ba0
[ 146.628459][ T116] R10: 0000000000000007 R11: 0000000000000246 R12: 00007fa4ddd3e1e3
[ 146.628461][ T116] R13: 0000000000020000 R14: 00007ffe04c42ae0 R15: 0000000000000000
[ 146.628469][ T116] </TASK>
[ 146.628471][ T116]
[ 146.634074][ T123] ata2: found unknown device (class 0)
[ 146.637503][ T116] Allocated by task 116:
[ 146.637516][ T116] kasan_save_stack (kasan/common.c:57)
[ 146.637532][ T116] kasan_save_track (kasan/common.c:78)
[ 146.637537][ T116] __kasan_kmalloc (kasan/common.c:398 kasan/common.c:415)
[ 146.637542][ T116] btf_parse_module (linux/slab.h:950 linux/slab.h:1188 bpf/btf.c:6493)
[ 146.637549][ T116] btf_module_notify (bpf/btf.c:8371)
[ 146.637554][ T116] notifier_call_chain (notifier.c:85)
[ 146.637561][ T116] blocking_notifier_call_chain_robust (notifier.c:120 notifier.c:345 notifier.c:333)
[ 146.644370][ T123] ata2.00: ATAPI: QEMU DVD-ROM, 2.5+, max UDMA/100
[ 146.644393][ T116] load_module (module/main.c:3357 module/main.c:3542)
[ 146.700116][ T116] init_module_from_file (module/main.c:3777)
[ 146.705423][ T116] idempotent_init_module (module/main.c:3789)
[ 146.706087][ T116] __x64_sys_finit_module (module/main.c:3815 module/main.c:3799 module/main.c:3799)
[ 146.706706][ T116] do_syscall_64 (x86/entry/syscall_64.c:63 x86/entry/syscall_64.c:94)
[ 146.707263][ T116] entry_SYSCALL_64_after_hwframe (x86/entry/entry_64.S:121)
[ 146.713649][ T116]
[ 146.713982][ T116] Freed by task 26:
[ 146.714445][ T116] kasan_save_stack (kasan/common.c:57)
[ 146.715029][ T116] kasan_save_track (kasan/common.c:78)
[ 146.715582][ T116] kasan_save_free_info (kasan/generic.c:584)
[ 146.716161][ T116] __kasan_slab_free (kasan/common.c:253 kasan/common.c:285)
[ 146.721405][ T116] kfree (linux/kasan.h:235 slub.c:2689 slub.c:6246 slub.c:6561)
[ 146.721927][ T116] process_one_work (workqueue.c:3302)
[ 146.722483][ T116] worker_thread (workqueue.c:3385 workqueue.c:3466)
[ 146.723018][ T116] kthread (kthread.c:436)
[ 146.723505][ T116] ret_from_fork (x86/kernel/process.c:158)
[ 146.724036][ T116] ret_from_fork_asm (x86/entry/entry_64.S:245)
[ 146.724581][ T116]
[ 146.724896][ T116] Last potentially related work creation:
[ 146.725544][ T116] kasan_save_stack (kasan/common.c:57)
[ 146.726082][ T116] kasan_record_aux_stack (kasan/generic.c:556)
[ 146.726665][ T116] insert_work (workqueue.c:2226)
[ 146.727162][ T116] __queue_work (workqueue.c:2381)
[ 146.727687][ T116] rcu_work_rcufn (workqueue.c:2649)
[ 146.728204][ T116] rcu_do_batch (rcu/tree.c:2617)
[ 146.728763][ T116] rcu_core (rcu/tree.c:2869)
[ 146.729259][ T116] handle_softirqs (softirq.c:622)
[ 146.729810][ T116] __irq_exit_rcu (softirq.c:656 softirq.c:496 softirq.c:735)
[ 146.730337][ T116] irq_exit_rcu ()
[ 146.733532][ T116] sysvec_apic_timer_interrupt+0x6d/0xb0
[ 146.734178][ T116] asm_sysvec_apic_timer_interrupt+0x16/0x20
[ 146.734850][ T116]
[ 146.735169][ T116] Second to last potentially related work creation:
[ 146.737858][ T116] kasan_save_stack (kasan/common.c:57)
The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20260520/202605200724.c2adcd3c-lkp@intel.com
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
2026-04-28 20:14 [PATCH bpf-next 0/4] bpf: Fix NMI deadlock in referenced kptr destructors Justin Suess
2026-04-28 20:14 ` [PATCH bpf-next 1/4] bpf: Limit fields used in btf_record_equal comparisons Justin Suess
2026-04-28 20:14 ` [PATCH bpf-next 2/4] bpf: Use rcu_work in BTF teardown Justin Suess
2026-04-29 1:49 ` sashiko-bot
2026-05-20 5:37 ` kernel test robot [this message]
2026-04-28 20:14 ` [PATCH bpf-next 3/4] bpf: Fix deadlock in kptr dtor in nmi Justin Suess
2026-04-29 2:29 ` sashiko-bot
2026-04-29 9:37 ` Alexei Starovoitov
2026-04-29 16:21 ` Justin Suess
2026-05-02 14:33 ` Justin Suess
2026-04-28 20:14 ` [PATCH bpf-next 4/4] selftests/bpf: Add kptr nmi deadlock reproducer Justin Suess
2026-04-29 3:39 ` sashiko-bot