BUG in depot_save_stack #35

dvyukov · 2016-07-05T09:29:46Z

I am getting the following BUGs on 1a0a02d:

------------[ cut here ]------------
kernel BUG at mm/mempolicy.c:1697!
invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN
Modules linked in:
CPU: 3 PID: 11267 Comm: syz-executor Not tainted 4.7.0-rc5+ #28
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff8800384444c0 ti: ffff880038dc0000 task.ti: ffff880038dc0000
RIP: 0010:[<ffffffff817a356e>]
 [<ffffffff817a356e>] policy_zonelist+0xbe/0x1a0 mm/mempolicy.c:1697
RSP: 0000:ffff880038dc76f0  EFLAGS: 00010097
RAX: ffff8800384444c0 RBX: ffff88006448a230 RCX: 00000000e41703bb
RDX: 0000000000000000 RSI: ffff88006448a230 RDI: ffff88006448a234
RBP: ffff880038dc7710 R08: 000000000000000c R09: 0000000000000000
R10: 0000000000000000 R11: ffffffff89f06360 R12: 0000000000000001
R13: 0000000002000000 R14: ffff880038445520 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88006d500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000810000 CR3: 0000000063d7d000 CR4: 00000000000006e0
Stack:
 ffff88006448a230 0000000002000000 ffff8800384444c0 ffff880038445520
 ffff880038dc7778 ffffffff817a5158 ffffffff86c55e00 ffff880038dc77f0
 ffffffff86c55e00 ffff8800384444c0 ffff880000000000 0000000203dc7798
Call Trace:
 [<ffffffff817a5158>] alloc_pages_current+0xd8/0x4f0 mm/mempolicy.c:2070
 [<     inline     >] alloc_pages include/linux/gfp.h:468
 [<ffffffff82d8db6f>] depot_save_stack+0x4ff/0x5b0 lib/stackdepot.c:258
 [<ffffffff817b8951>] save_stack+0xb1/0xd0 mm/kasan/kasan.c:482
 [<     inline     >] set_track mm/kasan/kasan.c:488
 [<ffffffff817b90cb>] kasan_slab_free+0x9b/0xd0 mm/kasan/kasan.c:540
 [<     inline     >] __cache_free mm/slab.c:3551
 [<ffffffff817b62f6>] kmem_cache_free+0x76/0x310 mm/slab.c:3811
 [<ffffffff817a7723>] __mpol_put+0x33/0x40 mm/mempolicy.c:299
 [<     inline     >] mpol_put include/linux/mempolicy.h:67
 [<ffffffff8137ba63>] do_exit+0x16f3/0x2c80 kernel/exit.c:773
 [<ffffffff8137d168>] do_group_exit+0x108/0x330 kernel/exit.c:878
 [<ffffffff813a0634>] get_signal+0x634/0x15e0 kernel/signal.c:2307
 [<ffffffff811fa943>] do_signal+0x83/0x1f20 arch/x86/kernel/signal.c:783
 [<ffffffff81006695>] exit_to_usermode_loop+0x1a5/0x210 arch/x86/entry/common.c:229
 [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:264
 [<ffffffff8100885f>] syscall_return_slowpath+0x2bf/0x340 arch/x86/entry/common.c:329
 [<ffffffff86a94e9c>] entry_SYSCALL_64_fastpath+0xbf/0xc1 arch/x86/entry/entry_64.S:241
Code: 45 85 ed 4a 8b 14 e5 80 8f f4 88 0f 95 c0 48 69 c0 10 14 00 00 5b 41 5c 41 5d 48 8d 84 02 c0 26 00 00 41 5e 5d c3 e8 72 22 df ff <0f> 0b e8 6b 22 df ff 48 8d 7b 06 48 b8 00 00 00 00 00 fc ff df
RIP  [<ffffffff817a356e>] policy_zonelist+0xbe/0x1a0 mm/mempolicy.c:1697
 RSP <ffff880038dc76f0>
---[ end trace fa599a524816f07d ]---

do_exit frees current mempolicy here:

    mpol_put(tsk->mempolicy);

And that same free tries to allocate pages in depot_save_stack and accesses the freed mempolicy.

The text was updated successfully, but these errors were encountered:

This patch fixes the following: BUG: KASAN: use-after-free in alloc_pages_current+0x363/0x370 at addr ffff88010b48102c Read of size 2 by task trinity-c2/15425 CPU: 0 PID: 15425 Comm: trinity-c2 Not tainted 4.8.0-rc2+ torvalds#140 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-proje ct.org 04/01/2014 ffff88010b481040 ffff88010b557650 ffffffff81f08d11 ffff88011a40d380 ffff88010b481028 ffff88010b557678 ffffffff815dac7c ffff88010b557708 ffff88010b481028 ffff88011a40d380 ffff88010b5576f8 ffffffff815daf15 Call Trace: [<ffffffff81f08d11>] dump_stack+0x65/0x84 [<ffffffff815dac7c>] kasan_object_err+0x1c/0x70 [<ffffffff815daf15>] kasan_report_error+0x1f5/0x4c0 [<ffffffff815db2fe>] __asan_report_load2_noabort+0x3e/0x40 [<ffffffff815cb903>] alloc_pages_current+0x363/0x370 <---- use-after-free [<ffffffff81fa9954>] depot_save_stack+0x3f4/0x490 [<ffffffff815d9bb5>] save_stack+0xb5/0xd0 [<ffffffff815da211>] kasan_slab_free+0x71/0xb0 [<ffffffff815d6643>] kmem_cache_free+0xa3/0x290 [<ffffffff815c8149>] __mpol_put+0x19/0x20 <---- free [<ffffffff81260635>] do_exit+0x1515/0x2b70 [<ffffffff81261dc4>] do_group_exit+0xf4/0x2f0 [<ffffffff81281c5d>] get_signal+0x53d/0x1120 [<ffffffff8119e993>] do_signal+0x83/0x1e20 [<ffffffff810027af>] exit_to_usermode_loop+0xaf/0x140 [<ffffffff810051e4>] syscall_return_slowpath+0x144/0x170 [<ffffffff83ae406f>] ret_from_fork+0x2f/0x40 Read of size 2 by task trinity-c2/15425 The problem is that we may be calling alloc_pages() in a code path where current->mempolicy has already been freed. By passing __GFP_THISNODE we will always use default_mempolicy (which cannot be freed). Link: https://lkml.org/lkml/2016/7/29/277 Link: google/kernel-sanitizers#35 Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>

This patch fixes the following: BUG: KASAN: use-after-free in alloc_pages_current+0x363/0x370 at addr ffff88010b48102c Read of size 2 by task trinity-c2/15425 CPU: 0 PID: 15425 Comm: trinity-c2 Not tainted 4.8.0-rc2+ torvalds#140 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-proje ct.org 04/01/2014 ffff88010b481040 ffff88010b557650 ffffffff81f08d11 ffff88011a40d380 ffff88010b481028 ffff88010b557678 ffffffff815dac7c ffff88010b557708 ffff88010b481028 ffff88011a40d380 ffff88010b5576f8 ffffffff815daf15 Call Trace: [<ffffffff81f08d11>] dump_stack+0x65/0x84 [<ffffffff815dac7c>] kasan_object_err+0x1c/0x70 [<ffffffff815daf15>] kasan_report_error+0x1f5/0x4c0 [<ffffffff815db2fe>] __asan_report_load2_noabort+0x3e/0x40 [<ffffffff815cb903>] alloc_pages_current+0x363/0x370 <---- use-after-free [<ffffffff81fa9954>] depot_save_stack+0x3f4/0x490 [<ffffffff815d9bb5>] save_stack+0xb5/0xd0 [<ffffffff815da211>] kasan_slab_free+0x71/0xb0 [<ffffffff815d6643>] kmem_cache_free+0xa3/0x290 [<ffffffff815c8149>] __mpol_put+0x19/0x20 <---- free [<ffffffff81260635>] do_exit+0x1515/0x2b70 [<ffffffff81261dc4>] do_group_exit+0xf4/0x2f0 [<ffffffff81281c5d>] get_signal+0x53d/0x1120 [<ffffffff8119e993>] do_signal+0x83/0x1e20 [<ffffffff810027af>] exit_to_usermode_loop+0xaf/0x140 [<ffffffff810051e4>] syscall_return_slowpath+0x144/0x170 [<ffffffff83ae406f>] ret_from_fork+0x2f/0x40 Read of size 2 by task trinity-c2/15425 The problem is that we may be calling alloc_pages() in a code path where current->mempolicy has already been freed. By passing __GFP_THISNODE we will always use default_mempolicy (which cannot be freed). Link: https://lkml.org/lkml/2016/7/29/277 Link: google/kernel-sanitizers#35 Link: http://lkml.kernel.org/r/1471603265-31804-1-git-send-email-vegard.nossum@oracle.com Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com> Acked-by: Dmitry Vyukov <dvyukov@google.com> Cc: Alexander Potapenko <glider@google.com> Cc: Andrey Ryabinin <aryabinin@virtuozzo.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

xairy · 2018-01-26T15:14:01Z

These don't happen anymore.

dvyukov assigned ramosian-glider Jul 5, 2016

xairy closed this as completed Jan 26, 2018

xairy added the KASAN KASAN-related issues label Dec 21, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

BUG in depot_save_stack #35

BUG in depot_save_stack #35

dvyukov commented Jul 5, 2016

xairy commented Jan 26, 2018

BUG in depot_save_stack #35

BUG in depot_save_stack #35

Comments

dvyukov commented Jul 5, 2016

xairy commented Jan 26, 2018