From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753662AbcG2USM (ORCPT <rfc822;w@1wt.eu>);
	Fri, 29 Jul 2016 16:18:12 -0400
Received: from userp1040.oracle.com ([156.151.31.81]:35961 "EHLO
	userp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752036AbcG2UR7 (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Fri, 29 Jul 2016 16:17:59 -0400
To: kasan-dev <kasan-dev@googlegroups.com>
Cc: LKML <linux-kernel@vger.kernel.org>
From: Vegard Nossum <vegard.nossum@oracle.com>
Subject: KASAN use-after-free not showing freed stacktrace?
Message-ID: <579BB9F0.8080700@oracle.com>
Date: Fri, 29 Jul 2016 22:17:52 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101
 Thunderbird/38.8.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Source-IP: userv0021.oracle.com [156.151.31.71]
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi again,

I am seeing some KASAN use-after-free bugs now but there is no
stacktrace for where they were freed anymore:

BUG: KASAN: use-after-free in acct_collect+0x7d5/0x830 at addr 
ffff88010e129b08
Read of size 8 by task trinity-c0/13609
CPU: 0 PID: 13609 Comm: trinity-c0 Not tainted 4.7.0+ #65
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
Ubuntu-1.8.2-1ubuntu1 04/01/2014
  ffff88010e129b00 ffff88011482f8f0 ffffffff81d701c1 ffff88011482f980
  ffff88010d4d5c00 ffff88011482f970 ffffffff81477d5e 0000000000000001
  0000000000000000 0000000000000296 0000000000000246 ffffffff8126347d
Call Trace:
  [<ffffffff81d701c1>] dump_stack+0x65/0x84
  [<ffffffff81477d5e>] kasan_report_error+0x22e/0x5e0
  [<ffffffff8126347d>] ? acct_collect+0x12d/0x830
  [<ffffffff8147824e>] __asan_report_load8_noabort+0x3e/0x40
  [<ffffffff81263b25>] ? acct_collect+0x7d5/0x830
  [<ffffffff81263b25>] acct_collect+0x7d5/0x830
  [<ffffffff81263350>] ? acct_exit_ns+0x70/0x70
  [<ffffffff812c9ba0>] ? xacct_add_tsk+0x670/0x670
  [<ffffffff81231b80>] ? hrtimer_active+0x340/0x340
  [<ffffffff8112bf40>] ? get_signal+0x1120/0x1120
  [<ffffffff8115d1e1>] ? creds_are_invalid.part.1+0x11/0xb0
  [<ffffffff8115f5f2>] ? __validate_process_creds+0x242/0x3e0
  [<ffffffff81109421>] do_exit+0xca1/0x2c90
  [<ffffffff81367984>] ? ___perf_sw_event+0x284/0x330
  [<ffffffff813677f4>] ? ___perf_sw_event+0xf4/0x330
  [<ffffffff81367700>] ? perf_swevent_put_recursion_context+0x90/0x90
  [<ffffffff81108780>] ? mm_update_next_owner+0x720/0x720
  [<ffffffff8105a026>] ? print_context_stack+0x76/0xe0
  [<ffffffff8112afc2>] ? get_signal+0x1a2/0x1120
  [<ffffffff8110b544>] do_group_exit+0xf4/0x2f0
  [<ffffffff8112b35d>] get_signal+0x53d/0x1120
  [<ffffffff811e21f2>] ? __lock_acquire.isra.32+0xc2/0x1a30
  [<ffffffff81051673>] do_signal+0x83/0x1f10
  [<ffffffff81dcf247>] ? debug_smp_processor_id+0x17/0x20
  [<ffffffff810515f0>] ? setup_sigcontext+0x7d0/0x7d0
  [<ffffffff810ce68b>] ? __do_page_fault+0x53b/0x8f0
  [<ffffffff8134dcc7>] ? perf_iterate_sb+0x97/0x6d0
  [<ffffffff810cec7d>] ? trace_do_page_fault+0x18d/0x310
  [<ffffffff81308d40>] ? ftrace_syscall_exit+0x550/0x550
  [<ffffffff838a1258>] ? async_page_fault+0x28/0x30
  [<ffffffff81002aa2>] exit_to_usermode_loop+0xa2/0x120
  [<ffffffff81005224>] syscall_return_slowpath+0x144/0x170
  [<ffffffff8389f56f>] ret_from_fork+0x2f/0x40
Object at ffff88010e129b00, in cache vm_area_struct
Object allocated with size 192 bytes.
Allocation:
PID = 1334
  [<ffffffff81077ed6>] save_stack_trace+0x26/0x50
  [<ffffffff814769d6>] save_stack+0x46/0xd0
  [<ffffffff814771ca>] kasan_kmalloc+0xda/0x100
  [<ffffffff81477202>] kasan_slab_alloc+0x12/0x20
  [<ffffffff81472909>] kmem_cache_alloc+0xe9/0x290
  [<ffffffff810f7e57>] copy_process.part.39+0x1e07/0x5390
  [<ffffffff810fb87a>] _do_fork+0x17a/0xa70
  [<ffffffff810fc1f4>] SyS_clone+0x14/0x20
  [<ffffffff810053f1>] do_syscall_64+0x1a1/0x460
  [<ffffffff8389f3ea>] return_from_SYSCALL_64+0x0/0x6a
Memory state around the buggy address:
  ffff88010e129a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffff88010e129a80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
 >ffff88010e129b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                       ^
  ffff88010e129b80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
  ffff88010e129c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
Disabling lock debugging due to kernel taint
==================================================================

That seems like a regression, maybe related to memory quarantine
for SLUB? Or is there something else going on?


Vegard