Bug 218020
| Summary: | KASAN: slab-use-after-free Read in reweight_entity in v6.6-rc6 | | |
|---|---|---|---|
| Product: | Linux | Reporter: | 0599jiangyc |
| Component: | Kernel | Assignee: | Virtual assignee for kernel bugs (linux-kernel) |
| Status: | RESOLVED CODE_FIX | | |
| Severity: | normal | CC: | bagasdotme |
| Priority: | P3 | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Kernel Version: | v6.6-rc6 | Subsystem: | |
| Regression: | No | Bisected commit-id: | |
| Attachments: | poc | | |
Description
0599jiangyc
2023-10-17 05:55:25 UTC
(In reply to 0599jiangyc from comment #0)

> Created attachment 305240 [details]
> poc

```text
==================================================================
BUG: KASAN: slab-use-after-free in __update_min_deadline kernel/sched/fair.c:805 [inline]
BUG: KASAN: slab-use-after-free in min_deadline_update kernel/sched/fair.c:819 [inline]
BUG: KASAN: slab-use-after-free in min_deadline_cb_propagate kernel/sched/fair.c:825 [inline]
BUG: KASAN: slab-use-after-free in reweight_entity+0x9d5/0xcd0 kernel/sched/fair.c:3660
Read of size 8 at addr ffff888004b96830 by task systemd-udevd/100

CPU: 0 PID: 100 Comm: systemd-udevd Not tainted 6.6.0-rc6 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x50/0x70 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0xd0/0x620 mm/kasan/report.c:475
 kasan_report+0xb6/0xf0 mm/kasan/report.c:588
 __update_min_deadline kernel/sched/fair.c:805 [inline]
 min_deadline_update kernel/sched/fair.c:819 [inline]
 min_deadline_cb_propagate kernel/sched/fair.c:825 [inline]
 reweight_entity+0x9d5/0xcd0 kernel/sched/fair.c:3660
 entity_tick kernel/sched/fair.c:5317 [inline]
 task_tick_fair+0xb3/0x710 kernel/sched/fair.c:12392
 scheduler_tick+0x133/0x360 kernel/sched/core.c:5657
 update_process_times+0xe4/0x120 kernel/time/timer.c:2076
 tick_sched_handle.isra.0+0xf8/0x140 kernel/time/tick-sched.c:254
 tick_sched_timer+0xce/0x100 kernel/time/tick-sched.c:1492
 __run_hrtimer kernel/time/hrtimer.c:1688 [inline]
 __hrtimer_run_queues+0x2d0/0x6c0 kernel/time/hrtimer.c:1752
 hrtimer_interrupt+0x2cd/0x6e0 kernel/time/hrtimer.c:1814
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1063 [inline]
 __sysvec_apic_timer_interrupt+0x7d/0x290 arch/x86/kernel/apic/apic.c:1080
 sysvec_apic_timer_interrupt+0x33/0x90 arch/x86/kernel/apic/apic.c:1074
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645
RIP: 0033:0x7ff04eb7ed6f
Code: 85 46 01 00 00 48 85 ff 0f 88 1d 01 00 00 48 8d 47 17 31 db 48 83 f8 1f 0f 87 7d 00 00 00 4c 8b 25 0e 80 14 00 64 49 8b 04 24 <48> 85 c0 0f 84 80 00 00 00 48 3b 1d 51 85 14 00 0f 82 ab 00 00 00
RSP: 002b:00007ffe54f63260 EFLAGS: 00000203
RAX: 000055d9dcece010 RBX: 0000000000000802 RCX: 00007ffe54f632b0
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000008030
RBP: 0000000000008030 R08: 0000000000000001 R09: 000055d9dd73d350
R10: 0000000000000000 R11: 0000000000000246 R12: fffffffffffffe30
R13: 0000000000000001 R14: 000055d9dd73d350 R15: 000055d9dd710a30
 </TASK>

Allocated by task 50:
 kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 __kasan_slab_alloc+0x59/0x70 mm/kasan/common.c:328
 kasan_slab_alloc include/linux/kasan.h:188 [inline]
 slab_post_alloc_hook mm/slab.h:762 [inline]
 slab_alloc_node mm/slub.c:3478 [inline]
 kmem_cache_alloc_node+0x106/0x270 mm/slub.c:3523
 alloc_task_struct_node kernel/fork.c:173 [inline]
 dup_task_struct kernel/fork.c:1110 [inline]
 copy_process+0x529/0x6800 kernel/fork.c:2327
 kernel_clone+0xc6/0x7c0 kernel/fork.c:2909
 user_mode_thread+0xb1/0xf0 kernel/fork.c:2987
 call_usermodehelper_exec_sync kernel/umh.c:133 [inline]
 call_usermodehelper_exec_work+0x5f/0x160 kernel/umh.c:164
 process_one_work kernel/workqueue.c:2630 [inline]
 process_scheduled_works+0x252/0xe10 kernel/workqueue.c:2703
 worker_thread+0x56c/0xc10 kernel/workqueue.c:2784
 kthread+0x2c8/0x3c0 kernel/kthread.c:388
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:304

Freed by task 4107:
 kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 kasan_save_free_info+0x2b/0x50 mm/kasan/generic.c:522
 ____kasan_slab_free mm/kasan/common.c:236 [inline]
 ____kasan_slab_free mm/kasan/common.c:200 [inline]
 __kasan_slab_free+0x10e/0x190 mm/kasan/common.c:244
 kasan_slab_free include/linux/kasan.h:164 [inline]
 slab_free_hook mm/slub.c:1800 [inline]
 slab_free_freelist_hook mm/slub.c:1826 [inline]
 slab_free mm/slub.c:3809 [inline]
 kmem_cache_free+0xa5/0x380 mm/slub.c:3831
 put_task_struct include/linux/sched/task.h:136 [inline]
 delayed_put_task_struct+0x145/0x190 kernel/exit.c:226
 rcu_do_batch kernel/rcu/tree.c:2139 [inline]
 rcu_core+0x629/0x1930 kernel/rcu/tree.c:2403
 __do_softirq+0x162/0x52a kernel/softirq.c:553

Last potentially related work creation:
 kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
 __kasan_record_aux_stack+0x8e/0xa0 mm/kasan/generic.c:492
 __call_rcu_common.constprop.0+0x6b/0x8b0 kernel/rcu/tree.c:2653
 put_task_struct_rcu_user+0x69/0xb0 kernel/exit.c:232
 wait_task_zombie kernel/exit.c:1210 [inline]
 wait_consider_task+0x24ca/0x2d80 kernel/exit.c:1437
 do_wait_pid kernel/exit.c:1568 [inline]
 do_wait+0x4f2/0xa10 kernel/exit.c:1610
 kernel_wait+0xa0/0x140 kernel/exit.c:1797
 call_usermodehelper_exec_sync kernel/umh.c:137 [inline]
 call_usermodehelper_exec_work+0xd8/0x160 kernel/umh.c:164
 process_one_work kernel/workqueue.c:2630 [inline]
 process_scheduled_works+0x252/0xe10 kernel/workqueue.c:2703
 worker_thread+0x56c/0xc10 kernel/workqueue.c:2784
 kthread+0x2c8/0x3c0 kernel/kthread.c:388
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:304

Second to last potentially related work creation:
 kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
 __kasan_record_aux_stack+0x8e/0xa0 mm/kasan/generic.c:492
 task_work_add+0x7e/0x270 kernel/task_work.c:48
 scheduler_tick+0x149/0x360 kernel/sched/core.c:5662
 update_process_times+0xe4/0x120 kernel/time/timer.c:2076
 tick_sched_handle.isra.0+0xf8/0x140 kernel/time/tick-sched.c:254
 tick_sched_timer+0xce/0x100 kernel/time/tick-sched.c:1492
 __run_hrtimer kernel/time/hrtimer.c:1688 [inline]
 __hrtimer_run_queues+0x2d0/0x6c0 kernel/time/hrtimer.c:1752
 hrtimer_interrupt+0x2cd/0x6e0 kernel/time/hrtimer.c:1814
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1063 [inline]
 __sysvec_apic_timer_interrupt+0x7d/0x290 arch/x86/kernel/apic/apic.c:1080
 sysvec_apic_timer_interrupt+0x69/0x90 arch/x86/kernel/apic/apic.c:1074
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645

The buggy address belongs to the object at ffff888004b96780
 which belongs to the cache task_struct of size 4160
The buggy address is located 176 bytes inside of
 freed 4160-byte region [ffff888004b96780, ffff888004b977c0)

The buggy address belongs to the physical page:
page:00000000117e0ccf refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4b90
head:00000000117e0ccf order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x100000000000840(slab|head|node=0|zone=1)
page_type: 0xffffffff()
raw: 0100000000000840 ffff88800117b140 ffffea0000136600 dead000000000002
raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888004b96700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888004b96780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888004b96800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff888004b96880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888004b96900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
```

How can the above bug be triggered? Have you checked the patch?

I cannot reproduce it stably. More details at https://syzkaller.appspot.com/bug?extid=3908cdfd655fd839c82f.

Fixed by d2929762cc3f ("sched/eevdf: Fix heap corruption more")