iommu.lists.linux-foundation.org archive mirror
From: kernel test robot <oliver.sang@intel.com>
To: Jason Gunthorpe <jgg@nvidia.com>
Cc: <oe-lkp@lists.linux.dev>, <lkp@intel.com>,
	<iommu@lists.linux.dev>, <oliver.sang@intel.com>
Subject: [jgunthorpe:iommu-fwspec] [iommu]  cca42a9b53: BUG:KASAN:slab-use-after-free_in_intel_iommu_is_attach_deferred
Date: Sat, 4 Oct 2025 14:39:11 +0800
Message-ID: <202510040814.19c7bd7e-lkp@intel.com>



Hello,

kernel test robot noticed "BUG:KASAN:slab-use-after-free_in_intel_iommu_is_attach_deferred" on:

commit: cca42a9b5325b96bfd3d74e24628511f537afbe9 ("iommu: Add a probe_device_fwspec() op")
https://github.com/jgunthorpe/linux iommu-fwspec

in testcase: ocfs2test
version: ocfs2test-x86_64-d802bf7-1_20210827
with following parameters:

	disk: 1SSD
	test: test-reflink



config: x86_64-rhel-9.4-func
compiler: gcc-14
test machine: 22 threads 1 sockets Intel(R) Core(TM) Ultra 9 185H @ 4.5GHz (Meteor Lake) with 32G memory

(please refer to attached dmesg/kmsg for entire log/backtrace)



If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <oliver.sang@intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202510040814.19c7bd7e-lkp@intel.com


kern  :err   : [   10.461010] BUG: KASAN: slab-use-after-free in intel_iommu_is_attach_deferred (drivers/iommu/intel/iommu.c:4026)
kern  :err   : [   10.461010] Read of size 8 at addr ffff8881399e86a8 by task swapper/0/1

kern  :err   : [   10.461010] CPU: 17 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.17.0-00001-gcca42a9b5325 #1 PREEMPT(voluntary)
kern  :err   : [   10.461010] Call Trace:
kern  :err   : [   10.461010]  <TASK>
kern  :err   : [   10.461010]  dump_stack_lvl (lib/dump_stack.c:122)
kern  :err   : [   10.461010]  print_address_description+0x88/0x320
kern  :err   : [   10.461010]  ? intel_iommu_is_attach_deferred (drivers/iommu/intel/iommu.c:4026)
kern  :err   : [   10.461010]  print_report (mm/kasan/report.c:483)
kern  :err   : [   10.461010]  ? pci_bus_read_config_word (drivers/pci/access.c:75 (discriminator 2))
kern  :err   : [   10.461010]  ? intel_iommu_is_attach_deferred (drivers/iommu/intel/iommu.c:4026)
kern  :err   : [   10.461010]  ? intel_iommu_is_attach_deferred (drivers/iommu/intel/iommu.c:4026)
kern  :err   : [   10.461010]  kasan_report (mm/kasan/report.c:597)
kern  :err   : [   10.461010]  ? intel_iommu_is_attach_deferred (drivers/iommu/intel/iommu.c:4026)
kern  :err   : [   10.461010]  intel_iommu_is_attach_deferred (drivers/iommu/intel/iommu.c:4026)
kern  :err   : [   10.461010]  iommu_init_device (drivers/iommu/iommu.c:523)
kern  :err   : [   10.461010]  ? __pfx_iommu_init_device (drivers/iommu/iommu.c:479)
kern  :err   : [   10.461010]  ? _raw_spin_lock_irqsave (arch/x86/include/asm/atomic.h:107 (discriminator 4) include/linux/atomic/atomic-arch-fallback.h:2170 (discriminator 4) include/linux/atomic/atomic-instrumented.h:1302 (discriminator 4) include/asm-generic/qspinlock.h:111 (discriminator 4) include/linux/spinlock.h:187 (discriminator 4) include/linux/spinlock_api_smp.h:111 (discriminator 4) kernel/locking/spinlock.c:162 (discriminator 4))
kern  :err   : [   10.461010]  __iommu_probe_device (drivers/iommu/iommu.c:623)
kern  :err   : [   10.461010]  ? __pfx_probe_iommu_group (drivers/iommu/iommu.c:1775)
kern  :err   : [   10.461010]  probe_iommu_group (drivers/iommu/iommu.c:1781)
kern  :err   : [   10.461010]  bus_for_each_dev (drivers/base/bus.c:370)
kern  :err   : [   10.461010]  ? __pfx_bus_for_each_dev (drivers/base/bus.c:358)
kern  :err   : [   10.461010]  ? _raw_spin_lock (arch/x86/include/asm/atomic.h:107 (discriminator 4) include/linux/atomic/atomic-arch-fallback.h:2170 (discriminator 4) include/linux/atomic/atomic-instrumented.h:1302 (discriminator 4) include/asm-generic/qspinlock.h:111 (discriminator 4) include/linux/spinlock.h:187 (discriminator 4) include/linux/spinlock_api_smp.h:134 (discriminator 4) kernel/locking/spinlock.c:154 (discriminator 4))
kern  :err   : [   10.461010]  ? __pfx__raw_spin_lock (kernel/locking/spinlock.c:153)
kern  :err   : [   10.461010]  iommu_device_register (drivers/iommu/iommu.c:1934 drivers/iommu/iommu.c:279)
kern  :err   : [   10.461010]  ? up_read (arch/x86/include/asm/atomic64_64.h:79 (discriminator 5) include/linux/atomic/atomic-arch-fallback.h:2749 (discriminator 5) include/linux/atomic/atomic-long.h:184 (discriminator 5) include/linux/atomic/atomic-instrumented.h:3317 (discriminator 5) kernel/locking/rwsem.c:1358 (discriminator 5) kernel/locking/rwsem.c:1633 (discriminator 5))
kern  :err   : [   10.461010]  ? __pfx_iommu_device_register (drivers/iommu/iommu.c:263)
kern  :err   : [   10.461010]  ? __pfx_up_read (kernel/locking/rwsem.c:1631)
kern  :err   : [   10.461010]  ? dmar_set_interrupt (include/linux/topology.h:93 drivers/iommu/intel/dmar.c:2052)
kern  :err   : [   10.461010]  intel_iommu_init (drivers/iommu/intel/iommu.c:3137)
kern  :err   : [   10.461010]  ? __wake_up (kernel/sched/wait.c:129 kernel/sched/wait.c:146)
kern  :err   : [   10.461010]  ? __pfx_pci_iommu_init (arch/x86/kernel/pci-dma.c:173)
kern  :err   : [   10.461010]  pci_iommu_init (arch/x86/kernel/pci-dma.c:178)
kern  :err   : [   10.461010]  do_one_initcall (init/main.c:1269)
kern  :err   : [   10.461010]  ? __pfx_do_one_initcall (init/main.c:1260)
kern  :err   : [   10.461010]  ? __pfx_parse_args (kernel/params.c:168)
kern  :err   : [   10.461010]  ? __kasan_kmalloc (mm/kasan/common.c:378 mm/kasan/common.c:405)
kern  :err   : [   10.461010]  ? do_initcalls (init/main.c:1341)
kern  :err   : [   10.461010]  do_initcalls (init/main.c:1330 (discriminator 3) init/main.c:1347 (discriminator 3))
kern  :err   : [   10.461010]  kernel_init_freeable (init/main.c:1583)
kern  :err   : [   10.461010]  ? __pfx_kernel_init_freeable (init/main.c:1551)
kern  :err   : [   10.461010]  ? __pfx_schedule_timeout (kernel/time/sleep_timeout.c:62)
kern  :err   : [   10.461010]  ? __pfx__raw_spin_lock_irq (kernel/locking/spinlock.c:169)
kern  :err   : [   10.461010]  ? __pfx_kernel_init (init/main.c:1461)
kern  :err   : [   10.461010]  ? __pfx_kernel_init (init/main.c:1461)
kern  :err   : [   10.461010]  kernel_init (init/main.c:1471)
kern  :err   : [   10.461010]  ? __pfx_kernel_init (init/main.c:1461)
kern  :err   : [   10.461010]  ret_from_fork (arch/x86/kernel/process.c:148)
kern  :err   : [   10.461010]  ? __pfx_kernel_init (init/main.c:1461)
kern  :err   : [   10.461010]  ret_from_fork_asm (arch/x86/entry/entry_64.S:258)
kern  :err   : [   10.461010]  </TASK>

kern  :err   : [   10.461010] Allocated by task 1:
kern  :warn  : [   10.461010]  kasan_save_stack (mm/kasan/common.c:48)
kern  :warn  : [   10.461010]  kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1))
kern  :warn  : [   10.461010]  __kasan_kmalloc (mm/kasan/common.c:388 mm/kasan/common.c:405)
kern  :warn  : [   10.461010]  intel_iommu_probe_device (include/linux/slab.h:905 include/linux/slab.h:1039 drivers/iommu/intel/iommu.c:3777)
kern  :warn  : [   10.461010]  iommu_init_device (drivers/iommu/iommu.c:456 drivers/iommu/iommu.c:502)
kern  :warn  : [   10.461010]  __iommu_probe_device (drivers/iommu/iommu.c:623)
kern  :warn  : [   10.461010]  probe_iommu_group (drivers/iommu/iommu.c:1781)
kern  :warn  : [   10.461010]  bus_for_each_dev (drivers/base/bus.c:370)
kern  :warn  : [   10.461010]  iommu_device_register (drivers/iommu/iommu.c:1934 drivers/iommu/iommu.c:279)
kern  :warn  : [   10.461010]  intel_iommu_init (drivers/iommu/intel/iommu.c:3137)
kern  :warn  : [   10.461010]  pci_iommu_init (arch/x86/kernel/pci-dma.c:178)
kern  :warn  : [   10.461010]  do_one_initcall (init/main.c:1269)
kern  :warn  : [   10.461010]  do_initcalls (init/main.c:1330 (discriminator 3) init/main.c:1347 (discriminator 3))
kern  :warn  : [   10.461010]  kernel_init_freeable (init/main.c:1583)
kern  :warn  : [   10.461010]  kernel_init (init/main.c:1471)
kern  :warn  : [   10.461010]  ret_from_fork (arch/x86/kernel/process.c:148)
kern  :warn  : [   10.461010]  ret_from_fork_asm (arch/x86/entry/entry_64.S:258)

kern  :err   : [   10.461010] Freed by task 1:
kern  :warn  : [   10.461010]  kasan_save_stack (mm/kasan/common.c:48)
kern  :warn  : [   10.461010]  kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1))
kern  :warn  : [   10.461010]  kasan_save_free_info (mm/kasan/generic.c:579 (discriminator 1))
kern  :warn  : [   10.461010]  __kasan_slab_free (mm/kasan/common.c:282)
kern  :warn  : [   10.461010]  kfree (mm/slub.c:4695 (discriminator 3) mm/slub.c:4894 (discriminator 3))
kern  :warn  : [   10.461010]  iommu_init_device (drivers/iommu/iommu.c:470 drivers/iommu/iommu.c:502)
kern  :warn  : [   10.461010]  __iommu_probe_device (drivers/iommu/iommu.c:623)
kern  :warn  : [   10.461010]  probe_iommu_group (drivers/iommu/iommu.c:1781)
kern  :warn  : [   10.461010]  bus_for_each_dev (drivers/base/bus.c:370)
kern  :warn  : [   10.461010]  iommu_device_register (drivers/iommu/iommu.c:1934 drivers/iommu/iommu.c:279)
kern  :warn  : [   10.461010]  intel_iommu_init (drivers/iommu/intel/iommu.c:3137)
kern  :warn  : [   10.461010]  pci_iommu_init (arch/x86/kernel/pci-dma.c:178)
kern  :warn  : [   10.461010]  do_one_initcall (init/main.c:1269)
kern  :warn  : [   10.461010]  do_initcalls (init/main.c:1330 (discriminator 3) init/main.c:1347 (discriminator 3))
kern  :warn  : [   10.461010]  kernel_init_freeable (init/main.c:1583)
kern  :warn  : [   10.461010]  kernel_init (init/main.c:1471)
kern  :warn  : [   10.461010]  ret_from_fork (arch/x86/kernel/process.c:148)
kern  :warn  : [   10.461010]  ret_from_fork_asm (arch/x86/entry/entry_64.S:258)

kern  :err   : [   10.461010] The buggy address belongs to the object at ffff8881399e8680
which belongs to the cache kmalloc-96 of size 96
kern  :err   : [   10.461010] The buggy address is located 40 bytes inside of
freed 96-byte region [ffff8881399e8680, ffff8881399e86e0)

kern  :err   : [   10.461010] The buggy address belongs to the physical page:
kern  :warn  : [   10.461010] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1399e8
kern  :warn  : [   10.461010] flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff)


The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20251004/202510040814.19c7bd7e-lkp@intel.com



-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

