BUG in depot_save_stack #35
Labels: KASAN (KASAN-related issues)
Comments
0day-ci pushed a commit to 0day-ci/linux that referenced this issue (Aug 19, 2016):
This patch fixes the following:

BUG: KASAN: use-after-free in alloc_pages_current+0x363/0x370 at addr ffff88010b48102c
Read of size 2 by task trinity-c2/15425
CPU: 0 PID: 15425 Comm: trinity-c2 Not tainted 4.8.0-rc2+ #140
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
 ffff88010b481040 ffff88010b557650 ffffffff81f08d11 ffff88011a40d380
 ffff88010b481028 ffff88010b557678 ffffffff815dac7c ffff88010b557708
 ffff88010b481028 ffff88011a40d380 ffff88010b5576f8 ffffffff815daf15
Call Trace:
 [<ffffffff81f08d11>] dump_stack+0x65/0x84
 [<ffffffff815dac7c>] kasan_object_err+0x1c/0x70
 [<ffffffff815daf15>] kasan_report_error+0x1f5/0x4c0
 [<ffffffff815db2fe>] __asan_report_load2_noabort+0x3e/0x40
 [<ffffffff815cb903>] alloc_pages_current+0x363/0x370    <---- use-after-free
 [<ffffffff81fa9954>] depot_save_stack+0x3f4/0x490
 [<ffffffff815d9bb5>] save_stack+0xb5/0xd0
 [<ffffffff815da211>] kasan_slab_free+0x71/0xb0
 [<ffffffff815d6643>] kmem_cache_free+0xa3/0x290
 [<ffffffff815c8149>] __mpol_put+0x19/0x20    <---- free
 [<ffffffff81260635>] do_exit+0x1515/0x2b70
 [<ffffffff81261dc4>] do_group_exit+0xf4/0x2f0
 [<ffffffff81281c5d>] get_signal+0x53d/0x1120
 [<ffffffff8119e993>] do_signal+0x83/0x1e20
 [<ffffffff810027af>] exit_to_usermode_loop+0xaf/0x140
 [<ffffffff810051e4>] syscall_return_slowpath+0x144/0x170
 [<ffffffff83ae406f>] ret_from_fork+0x2f/0x40
Read of size 2 by task trinity-c2/15425

The problem is that we may be calling alloc_pages() in a code path where current->mempolicy has already been freed. By passing __GFP_THISNODE we will always use default_mempolicy (which cannot be freed).

Link: https://lkml.org/lkml/2016/7/29/277
Link: google/kernel-sanitizers#35
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
koct9i pushed a commit to koct9i/linux that referenced this issue (Aug 21, 2016):
This patch fixes the following:

BUG: KASAN: use-after-free in alloc_pages_current+0x363/0x370 at addr ffff88010b48102c
Read of size 2 by task trinity-c2/15425
CPU: 0 PID: 15425 Comm: trinity-c2 Not tainted 4.8.0-rc2+ #140
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
 ffff88010b481040 ffff88010b557650 ffffffff81f08d11 ffff88011a40d380
 ffff88010b481028 ffff88010b557678 ffffffff815dac7c ffff88010b557708
 ffff88010b481028 ffff88011a40d380 ffff88010b5576f8 ffffffff815daf15
Call Trace:
 [<ffffffff81f08d11>] dump_stack+0x65/0x84
 [<ffffffff815dac7c>] kasan_object_err+0x1c/0x70
 [<ffffffff815daf15>] kasan_report_error+0x1f5/0x4c0
 [<ffffffff815db2fe>] __asan_report_load2_noabort+0x3e/0x40
 [<ffffffff815cb903>] alloc_pages_current+0x363/0x370    <---- use-after-free
 [<ffffffff81fa9954>] depot_save_stack+0x3f4/0x490
 [<ffffffff815d9bb5>] save_stack+0xb5/0xd0
 [<ffffffff815da211>] kasan_slab_free+0x71/0xb0
 [<ffffffff815d6643>] kmem_cache_free+0xa3/0x290
 [<ffffffff815c8149>] __mpol_put+0x19/0x20    <---- free
 [<ffffffff81260635>] do_exit+0x1515/0x2b70
 [<ffffffff81261dc4>] do_group_exit+0xf4/0x2f0
 [<ffffffff81281c5d>] get_signal+0x53d/0x1120
 [<ffffffff8119e993>] do_signal+0x83/0x1e20
 [<ffffffff810027af>] exit_to_usermode_loop+0xaf/0x140
 [<ffffffff810051e4>] syscall_return_slowpath+0x144/0x170
 [<ffffffff83ae406f>] ret_from_fork+0x2f/0x40
Read of size 2 by task trinity-c2/15425

The problem is that we may be calling alloc_pages() in a code path where current->mempolicy has already been freed. By passing __GFP_THISNODE we will always use default_mempolicy (which cannot be freed).

Link: https://lkml.org/lkml/2016/7/29/277
Link: google/kernel-sanitizers#35
Link: http://lkml.kernel.org/r/1471603265-31804-1-git-send-email-vegard.nossum@oracle.com
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Acked-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
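The ordering the commit message describes, as a user-space model added here for illustration; it is not kernel code and not part of the patch. The function names mirror the ones in the trace, but the bodies are stand-ins: a live flag on the policy object plays the role of KASAN's shadow memory, the value of __GFP_THISNODE is assumed, and mpol_put() keeps the dead object's memory around the way KASAN's quarantine does so that reading it stays defined. The model assumes what the trace implies, namely that current->mempolicy still points at the policy while __mpol_put() runs the free hook. Running it prints one use-after-free read for the unflagged allocation and none once the allocation carries __GFP_THISNODE.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed bit value for this model only; the real value in
 * include/linux/gfp.h does not matter for the ordering being shown. */
#define __GFP_THISNODE 0x40000u

struct mempolicy {
    unsigned short mode;  /* the 2-byte field the KASAN report shows being read */
    int refcnt;
    bool live;            /* stand-in for KASAN's shadow byte: false once freed */
};

struct task {
    struct mempolicy *mempolicy;
};

static struct mempolicy default_policy = { .mode = 0, .refcnt = 1, .live = true };
static struct task *current;       /* the task that is exiting */
static unsigned depot_gfp_flags;   /* flags depot_save_stack() allocates with */
static int uaf_reports;            /* how often the allocator read a dead policy */

/* Model of alloc_pages_current(): unless __GFP_THISNODE is set it consults
 * current->mempolicy, which is the dereference KASAN flagged. */
static struct mempolicy *alloc_pages_current(unsigned gfp)
{
    struct mempolicy *pol = &default_policy;

    if (!(gfp & __GFP_THISNODE) && current->mempolicy)
        pol = current->mempolicy;
    if (!pol->live) {
        uaf_reports++;
        fprintf(stderr, "BUG: use-after-free reading mempolicy->mode (%u)\n",
                pol->mode);
    }
    return pol;
}

/* Stack depot: saving a stack may need a fresh pool page. The real code only
 * allocates when the current pool is full; the model allocates every time so
 * the ordering problem is always exercised. */
static void depot_save_stack(void)
{
    (void)alloc_pages_current(depot_gfp_flags);
}

/* KASAN records the freeing stack from inside the free path. */
static void kasan_slab_free(void)
{
    depot_save_stack();
}

/* Model of __mpol_put() -> kmem_cache_free(): the object is already dead when
 * the free hook runs. Memory is not returned to malloc() here (quarantine). */
static void mpol_put(struct mempolicy *pol)
{
    if (--pol->refcnt > 0)
        return;
    pol->live = false;
    kasan_slab_free();
}

/* do_exit() as in the trace: the policy is put while current->mempolicy still
 * points at it. Returns the number of use-after-free reads observed. */
static int exit_task_with_policy(unsigned gfp_flags)
{
    struct mempolicy *pol = malloc(sizeof *pol);
    struct task t = { .mempolicy = pol };

    if (!pol)
        return -1;
    pol->mode = 1;
    pol->refcnt = 1;
    pol->live = true;
    current = &t;
    depot_gfp_flags = gfp_flags;
    uaf_reports = 0;

    mpol_put(t.mempolicy);   /* frees the policy; the free hook allocates */
    t.mempolicy = NULL;      /* pointer cleared only afterwards */

    free(pol);               /* release the model's quarantine */
    current = NULL;
    return uaf_reports;
}

int main(void)
{
    printf("buggy (no __GFP_THISNODE): %d use-after-free read(s)\n",
           exit_task_with_policy(0));
    printf("fixed (__GFP_THISNODE):    %d use-after-free read(s)\n",
           exit_task_with_policy(__GFP_THISNODE));
    return 0;
}
```

The flag does not change the order of events; the free hook still allocates after the policy is dead. What it changes is which policy the allocator looks at, and default_policy is static, so it can never be the object being freed.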
0day-ci pushed a commit to 0day-ci/linux that referenced this issue (Aug 22, 2016; same commit message as the Aug 21, 2016 entry).
0day-ci pushed a commit to 0day-ci/linux that referenced this issue (Aug 24, 2016; same commit message as the Aug 21, 2016 entry).
0day-ci pushed a commit to 0day-ci/linux that referenced this issue (Aug 26, 2016; same commit message as the Aug 21, 2016 entry).
koct9i pushed a commit to koct9i/linux that referenced this issue (Aug 27, 2016; same commit message as the Aug 21, 2016 entry).
0day-ci pushed a commit to 0day-ci/linux that referenced this issue (Sep 2, 2016; same commit message as the Aug 21, 2016 entry).
0day-ci pushed a commit to 0day-ci/linux that referenced this issue (Sep 6, 2016; same commit message as the Aug 21, 2016 entry).
0day-ci pushed a commit to 0day-ci/linux that referenced this issue (Sep 11, 2016; same commit message as the Aug 21, 2016 entry).
0day-ci pushed a commit to 0day-ci/linux that referenced this issue (Sep 16, 2016; same commit message as the Aug 21, 2016 entry).
These don't happen anymore.
I am getting the following BUGs on 1a0a02d:

do_exit frees current mempolicy here:

And that same free tries to allocate pages in depot_save_stack and accesses the freed mempolicy.