diff mbox

d17a1d97dc ("x86/mm/kasan: don't use vmemmap_populate() to initialize shadow"): BUG: KASAN: use-after-scope in __drm_mm_interval_first

Message ID CACT4Y+bxW3HrYArjAbh+eriTnTzVsSaUf7d1ZY0_6HNnnsUYZw@mail.gmail.com (mailing list archive)
State New, archived
Headers show

Commit Message

Dmitry Vyukov Nov. 29, 2017, 7 p.m. UTC
On Wed, Nov 29, 2017 at 6:21 AM, Fengguang Wu <fengguang.wu@intel.com> wrote:
> Greetings,
>
> 0day kernel testing robot got the below dmesg and the first bad commit is
>
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
>
> commit d17a1d97dc208d664c91cc387ffb752c7f85dc61
> Author:     Andrey Ryabinin <aryabinin@virtuozzo.com>
> AuthorDate: Wed Nov 15 17:36:35 2017 -0800
> Commit:     Linus Torvalds <torvalds@linux-foundation.org>
> CommitDate: Wed Nov 15 18:21:05 2017 -0800
>
>      x86/mm/kasan: don't use vmemmap_populate() to initialize shadow
>
>      The kasan shadow is currently mapped using vmemmap_populate() since that
>      provides a semi-convenient way to map pages into init_top_pgt.  However,
>      since that no longer zeroes the mapped pages, it is not suitable for
>      kasan, which requires zeroed shadow memory.
>
>      Add kasan_populate_shadow() interface and use it instead of
>      vmemmap_populate().  Besides, this allows us to take advantage of
>      gigantic pages and use them to populate the shadow, which should save us
>      some memory wasted on page tables and reduce TLB pressure.
>
>      Link: http://lkml.kernel.org/r/20171103185147.2688-2-pasha.tatashin@oracle.com
>      Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
>      Signed-off-by: Pavel Tatashin <pasha.tatashin@oracle.com>
>      Cc: Steven Sistare <steven.sistare@oracle.com>
>      Cc: Daniel Jordan <daniel.m.jordan@oracle.com>
>      Cc: Bob Picco <bob.picco@oracle.com>
>      Cc: Michal Hocko <mhocko@suse.com>
>      Cc: Alexander Potapenko <glider@google.com>
>      Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
>      Cc: Catalin Marinas <catalin.marinas@arm.com>
>      Cc: Christian Borntraeger <borntraeger@de.ibm.com>
>      Cc: David S. Miller <davem@davemloft.net>
>      Cc: Dmitry Vyukov <dvyukov@google.com>
>      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
>      Cc: "H. Peter Anvin" <hpa@zytor.com>
>      Cc: Ingo Molnar <mingo@redhat.com>
>      Cc: Mark Rutland <mark.rutland@arm.com>
>      Cc: Matthew Wilcox <willy@infradead.org>
>      Cc: Mel Gorman <mgorman@techsingularity.net>
>      Cc: Michal Hocko <mhocko@kernel.org>
>      Cc: Sam Ravnborg <sam@ravnborg.org>
>      Cc: Thomas Gleixner <tglx@linutronix.de>
>      Cc: Will Deacon <will.deacon@arm.com>
>      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
>      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
>
> a4a3ede213  mm: zero reserved and unavailable struct pages
> d17a1d97dc  x86/mm/kasan: don't use vmemmap_populate() to initialize shadow
> 43570f0383  Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
> 5bef2980ad  Add linux-next specific files for 20171128
> +-------------------------------------------------------+------------+------------+------------+---------------+
> |                                                       | a4a3ede213 | d17a1d97dc | 43570f0383 | next-20171128 |
> +-------------------------------------------------------+------------+------------+------------+---------------+
> | boot_successes                                        | 30         | 0          | 0          | 0             |
> | boot_failures                                         | 8          | 15         | 19         | 2             |
> | WARNING:at_drivers/pci/pci-sysfs.c:#pci_mmap_resource | 8          |            |            |               |
> | RIP:pci_mmap_resource                                 | 8          |            |            |               |
> | BUG:KASAN:use-after-scope_in__drm_mm_interval_first   | 0          | 15         | 19         | 2             |
> +-------------------------------------------------------+------------+------------+------------+---------------+
>
> [   27.628251] AMD IOMMUv2 functionality not available on this system
> [   27.631925] drm_mm: Testing DRM range manger (struct drm_mm), with random_seed=0x248e657d max_iterations=8192 max_prime=128
> [   27.633191] drm_mm: igt_sanitycheck - ok!
> [   79.880445] Writes:  Total: 2  Max/Min: 0/0   Fail: 0
> [  103.749567] ==================================================================
> [  103.750064] BUG: KASAN: use-after-scope in __drm_mm_interval_first+0xbb/0x1bf
> [  103.750064] Read of size 8 at addr ffff880016577c08 by task swapper/0/1
> [  103.750064]
> [  103.750064] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.14.0-04319-gd17a1d9 #1
> [  103.750064] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
> [  103.750064] Call Trace:
> [  103.750064]  ? dump_stack+0xd1/0x16c
> [  103.750064]  ? _atomic_dec_and_lock+0x10f/0x10f
> [  103.750064]  ? print_address_description+0x93/0x22e
> [  103.750064]  ? __drm_mm_interval_first+0xbb/0x1bf
> [  103.750064]  ? kasan_report+0x219/0x23f
> [  103.750064]  ? __drm_mm_interval_first+0xbb/0x1bf
> [  103.750064]  ? assert_continuous+0x13c/0x22f
> [  103.750064]  ? drm_mm_replace_node+0x210/0x3ed
> [  103.750064]  ? __igt_insert+0x5af/0xb3a
> [  103.750064]  ? igt_bottomup+0x9e6/0x9e6
> [  103.750064]  ? kvm_clock_read+0x21/0x29
> [  103.750064]  ? kvm_sched_clock_read+0x5/0xd
> [  103.750064]  ? sched_clock+0x5/0x8
> [  103.750064]  ? sched_clock_local+0x36/0xe8
> [  103.750064]  ? sched_clock_cpu+0x123/0x13f
> [  103.750064]  ? rcu_irq_enter_disabled+0x8/0x8
> [  103.750064]  ? next_prime_number+0x33f/0x368
> [  103.750064]  ? rcu_note_context_switch+0x267/0x267
> [  103.750064]  ? igt_replace+0x45/0xa9
> [  103.750064]  ? test_drm_mm_init+0x112/0x164
> [  103.750064]  ? drm_kms_helper_init+0x5/0x5
> [  103.750064]  ? do_one_initcall+0xe7/0x1ef
> [  103.750064]  ? initcall_blacklisted+0x15d/0x15d
> [  103.750064]  ? up_read+0x2c/0x2c
> [  103.750064]  ? kasan_unpoison_shadow+0xf/0x2e
> [  103.750064]  ? kernel_init_freeable+0x2a8/0x33b
> [  103.750064]  ? rest_init+0x24f/0x24f
> [  103.750064]  ? kernel_init+0x7/0xfe
> [  103.750064]  ? rest_init+0x24f/0x24f
> [  103.750064]  ? ret_from_fork+0x24/0x30
> [  103.750064]
> [  103.750064] The buggy address belongs to the page:
> [  103.750064] page:ffff88001b1e3208 count:0 mapcount:0 mapping:          (null) index:0x0
> [  103.750064] flags: 0x401fff800000()
> [  103.750064] raw: 0000401fff800000 0000000000000000 0000000000000000 00000000ffffffff


Hi,

I hacked a quick prototype of improvemet for KASAN for printing frame info:



And this gave me:


[   26.763495] ==================================================================
[   26.764454] BUG: KASAN: use-after-scope in __drm_mm_interval_first+0xc0/0x1e2
[   26.765297] Read of size 8 at addr ffff88006cb3fbe0 by task swapper/0/1
[   26.766081]
[   26.766278] CPU: 1 PID: 1 Comm: swapper/0 Not tainted
4.14.0-04319-gd17a1d97dc20-dirty #12
[   26.767760] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS Bochs 01/01/2011
[   26.769419] Call Trace:
[   26.769895]  dump_stack+0xdb/0x17a
[   26.770152]  ? _atomic_dec_and_lock+0x12f/0x12f
[   26.770152]  ? show_regs_print_info+0x5b/0x5b
[   26.770152]  ? kasan_report+0x4d/0x247
[   26.770152]  ? __drm_mm_interval_first+0xc0/0x1e2
[   26.770152]  print_address_description+0x9a/0x232
[   26.770152]  ? __drm_mm_interval_first+0xc0/0x1e2
[   26.770152]  kasan_report+0x21e/0x247
[   26.770152]  __asan_report_load8_noabort+0x14/0x16
[   26.770152]  __drm_mm_interval_first+0xc0/0x1e2
[   26.770152]  assert_continuous+0x13e/0x22f
[   26.770152]  __igt_insert+0x665/0xc87
[   26.770152]  ? igt_bottomup+0xaa0/0xaa0
[   26.770152]  ? sched_clock_local+0x3c/0xfb
[   26.770152]  ? find_held_lock+0x33/0x103
[   26.770152]  ? next_prime_number+0x318/0x362
[   26.770152]  ? rcu_irq_enter_disabled+0xd/0xd
[   26.770152]  ? next_prime_number+0x337/0x362
[   26.770152]  igt_replace+0x4b/0xb3
[   26.770152]  test_drm_mm_init+0x118/0x172
[   26.770152]  ? drm_kms_helper_init+0xb/0xb
[   26.770152]  do_one_initcall+0x10f/0x21f
[   26.770152]  ? initcall_blacklisted+0x185/0x185
[   26.770152]  ? down_write_nested+0xa1/0x164
[   26.770152]  ? kasan_poison_shadow+0x2f/0x31
[   26.770152]  ? kasan_unpoison_shadow+0x14/0x35
[   26.770152]  kernel_init_freeable+0x2ae/0x339
[   26.770152]  ? rest_init+0x250/0x250
[   26.770152]  kernel_init+0xc/0x105
[   26.770152]  ? rest_init+0x250/0x250
[   26.770152]  ret_from_fork+0x24/0x30
[   26.770152]
[   26.770152] The buggy address belongs to the page:
[   26.770152] page:ffff88007f39c5c8 count:0 mapcount:0 mapping:
   (null) index:0x0
[   26.770152] flags: 0x1a01fff800000()
[   26.770152] raw: 0001a01fff800000 0000000000000000 0000000000000000
00000000ffffffff
[   26.770152] raw: ffff88007f39c5e8 ffff88007f39c5e8 0000000000000000
[   26.770152] page dumped because: kasan: bad access detected
[   26.790299]
[   26.790299] Memory state around the buggy address:
[   26.790299]  ffff88006cb3fa80: 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 f1
[   26.790299]  ffff88006cb3fb00: f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00
00 f2 f2 f2
[   26.790299] >ffff88006cb3fb80: f2 f2 f2 f8 f8 f2 f2 f2 f2 f2 f2 f8
f8 f8 f8 f8
[   26.790299]                                                        ^
[   26.790299]  ffff88006cb3fc00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
f8 f8 f8 f2
[   26.790299]  ffff88006cb3fc80: f2 f2 f2 00 00 00 00 00 00 00 00 00
00 00 00 00
[   26.790299]
[   26.790299] frame offset: 232
[   26.790299] desc: '5 32 8 3 __u 96 16 4 prng 160 16 7 state__ 224
160 3 tmp 416 224 2 mm '
[   26.790299] func: __igt_insert+0x0/0xc87
[   26.790299] ==================================================================


That desc string is: number of local objects, then for each object:
offset, size, name length, name.

So that's variable tmp in __igt_insert.

Looks very much like a real use-after-scope.

Comments

Chris Wilson Dec. 4, 2017, 11:57 a.m. UTC | #1
Quoting Dmitry Vyukov (2017-11-29 19:00:59)
> On Wed, Nov 29, 2017 at 6:21 AM, Fengguang Wu <fengguang.wu@intel.com> wrote:
> > Greetings,
> >
> > 0day kernel testing robot got the below dmesg and the first bad commit is
> >
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
> >
> > commit d17a1d97dc208d664c91cc387ffb752c7f85dc61
> > Author:     Andrey Ryabinin <aryabinin@virtuozzo.com>
> > AuthorDate: Wed Nov 15 17:36:35 2017 -0800
> > Commit:     Linus Torvalds <torvalds@linux-foundation.org>
> > CommitDate: Wed Nov 15 18:21:05 2017 -0800
> >
> >      x86/mm/kasan: don't use vmemmap_populate() to initialize shadow
> >
> >      The kasan shadow is currently mapped using vmemmap_populate() since that
> >      provides a semi-convenient way to map pages into init_top_pgt.  However,
> >      since that no longer zeroes the mapped pages, it is not suitable for
> >      kasan, which requires zeroed shadow memory.
> >
> >      Add kasan_populate_shadow() interface and use it instead of
> >      vmemmap_populate().  Besides, this allows us to take advantage of
> >      gigantic pages and use them to populate the shadow, which should save us
> >      some memory wasted on page tables and reduce TLB pressure.
> >
> >      Link: http://lkml.kernel.org/r/20171103185147.2688-2-pasha.tatashin@oracle.com
> >      Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
> >      Signed-off-by: Pavel Tatashin <pasha.tatashin@oracle.com>
> >      Cc: Steven Sistare <steven.sistare@oracle.com>
> >      Cc: Daniel Jordan <daniel.m.jordan@oracle.com>
> >      Cc: Bob Picco <bob.picco@oracle.com>
> >      Cc: Michal Hocko <mhocko@suse.com>
> >      Cc: Alexander Potapenko <glider@google.com>
> >      Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> >      Cc: Catalin Marinas <catalin.marinas@arm.com>
> >      Cc: Christian Borntraeger <borntraeger@de.ibm.com>
> >      Cc: David S. Miller <davem@davemloft.net>
> >      Cc: Dmitry Vyukov <dvyukov@google.com>
> >      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
> >      Cc: "H. Peter Anvin" <hpa@zytor.com>
> >      Cc: Ingo Molnar <mingo@redhat.com>
> >      Cc: Mark Rutland <mark.rutland@arm.com>
> >      Cc: Matthew Wilcox <willy@infradead.org>
> >      Cc: Mel Gorman <mgorman@techsingularity.net>
> >      Cc: Michal Hocko <mhocko@kernel.org>
> >      Cc: Sam Ravnborg <sam@ravnborg.org>
> >      Cc: Thomas Gleixner <tglx@linutronix.de>
> >      Cc: Will Deacon <will.deacon@arm.com>
> >      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> >      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> >
> > a4a3ede213  mm: zero reserved and unavailable struct pages
> > d17a1d97dc  x86/mm/kasan: don't use vmemmap_populate() to initialize shadow
> > 43570f0383  Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
> > 5bef2980ad  Add linux-next specific files for 20171128
> > +-------------------------------------------------------+------------+------------+------------+---------------+
> > |                                                       | a4a3ede213 | d17a1d97dc | 43570f0383 | next-20171128 |
> > +-------------------------------------------------------+------------+------------+------------+---------------+
> > | boot_successes                                        | 30         | 0          | 0          | 0             |
> > | boot_failures                                         | 8          | 15         | 19         | 2             |
> > | WARNING:at_drivers/pci/pci-sysfs.c:#pci_mmap_resource | 8          |            |            |               |
> > | RIP:pci_mmap_resource                                 | 8          |            |            |               |
> > | BUG:KASAN:use-after-scope_in__drm_mm_interval_first   | 0          | 15         | 19         | 2             |
> > +-------------------------------------------------------+------------+------------+------------+---------------+
> >
> > [   27.628251] AMD IOMMUv2 functionality not available on this system
> > [   27.631925] drm_mm: Testing DRM range manger (struct drm_mm), with random_seed=0x248e657d max_iterations=8192 max_prime=128
> > [   27.633191] drm_mm: igt_sanitycheck - ok!
> > [   79.880445] Writes:  Total: 2  Max/Min: 0/0   Fail: 0
> > [  103.749567] ==================================================================
> > [  103.750064] BUG: KASAN: use-after-scope in __drm_mm_interval_first+0xbb/0x1bf
> > [  103.750064] Read of size 8 at addr ffff880016577c08 by task swapper/0/1
> > [  103.750064]
> > [  103.750064] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.14.0-04319-gd17a1d9 #1
> > [  103.750064] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
> > [  103.750064] Call Trace:
> > [  103.750064]  ? dump_stack+0xd1/0x16c
> > [  103.750064]  ? _atomic_dec_and_lock+0x10f/0x10f
> > [  103.750064]  ? print_address_description+0x93/0x22e
> > [  103.750064]  ? __drm_mm_interval_first+0xbb/0x1bf
> > [  103.750064]  ? kasan_report+0x219/0x23f
> > [  103.750064]  ? __drm_mm_interval_first+0xbb/0x1bf
> > [  103.750064]  ? assert_continuous+0x13c/0x22f
> > [  103.750064]  ? drm_mm_replace_node+0x210/0x3ed
> > [  103.750064]  ? __igt_insert+0x5af/0xb3a
> > [  103.750064]  ? igt_bottomup+0x9e6/0x9e6
> > [  103.750064]  ? kvm_clock_read+0x21/0x29
> > [  103.750064]  ? kvm_sched_clock_read+0x5/0xd
> > [  103.750064]  ? sched_clock+0x5/0x8
> > [  103.750064]  ? sched_clock_local+0x36/0xe8
> > [  103.750064]  ? sched_clock_cpu+0x123/0x13f
> > [  103.750064]  ? rcu_irq_enter_disabled+0x8/0x8
> > [  103.750064]  ? next_prime_number+0x33f/0x368
> > [  103.750064]  ? rcu_note_context_switch+0x267/0x267
> > [  103.750064]  ? igt_replace+0x45/0xa9
> > [  103.750064]  ? test_drm_mm_init+0x112/0x164
> > [  103.750064]  ? drm_kms_helper_init+0x5/0x5
> > [  103.750064]  ? do_one_initcall+0xe7/0x1ef
> > [  103.750064]  ? initcall_blacklisted+0x15d/0x15d
> > [  103.750064]  ? up_read+0x2c/0x2c
> > [  103.750064]  ? kasan_unpoison_shadow+0xf/0x2e
> > [  103.750064]  ? kernel_init_freeable+0x2a8/0x33b
> > [  103.750064]  ? rest_init+0x24f/0x24f
> > [  103.750064]  ? kernel_init+0x7/0xfe
> > [  103.750064]  ? rest_init+0x24f/0x24f
> > [  103.750064]  ? ret_from_fork+0x24/0x30
> > [  103.750064]
> > [  103.750064] The buggy address belongs to the page:
> > [  103.750064] page:ffff88001b1e3208 count:0 mapcount:0 mapping:          (null) index:0x0
> > [  103.750064] flags: 0x401fff800000()
> > [  103.750064] raw: 0000401fff800000 0000000000000000 0000000000000000 00000000ffffffff
> 
> 
> Hi,
> 
> I hacked a quick prototype of improvemet for KASAN for printing frame info:
> 
> --- a/mm/kasan/report.c
> +++ b/mm/kasan/report.c
> @@ -289,6 +289,7 @@ static void print_shadow_for_address(const void *addr)
>         int i;
>         const void *shadow = kasan_mem_to_shadow(addr);
>         const void *shadow_row;
> +       unsigned long *ptr;
> 
>         shadow_row = (void *)round_down((unsigned long)shadow,
>                                         SHADOW_BYTES_PER_ROW)
> @@ -320,6 +321,18 @@ static void print_shadow_for_address(const void *addr)
> 
>                 shadow_row += SHADOW_BYTES_PER_ROW;
>         }
> +
> +
> +       ptr = (unsigned long *)((unsigned long)addr & ~7);
> +       for (i = 0; i < 1000; i++, ptr--) {
> +               if (*ptr == 0x41b58ab3) {
> +                       pr_err("\n");
> +                       pr_err("frame offset: %lu\n", (unsigned
> long)addr - (unsigned long)ptr);
> +                       pr_err("desc: '%s'\n", (const char*)*(ptr+1));
> +                       pr_err("func: %pS\n", (void*)*(ptr+2));
> +                       break;
> +               }
> +       }
>  }
> 
> 
> 
> And this gave me:
> 
> 
> [   26.763495] ==================================================================
> [   26.764454] BUG: KASAN: use-after-scope in __drm_mm_interval_first+0xc0/0x1e2
> [   26.765297] Read of size 8 at addr ffff88006cb3fbe0 by task swapper/0/1
> [   26.766081]
> [   26.766278] CPU: 1 PID: 1 Comm: swapper/0 Not tainted
> 4.14.0-04319-gd17a1d97dc20-dirty #12
> [   26.767760] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
> BIOS Bochs 01/01/2011
> [   26.769419] Call Trace:
> [   26.769895]  dump_stack+0xdb/0x17a
> [   26.770152]  ? _atomic_dec_and_lock+0x12f/0x12f
> [   26.770152]  ? show_regs_print_info+0x5b/0x5b
> [   26.770152]  ? kasan_report+0x4d/0x247
> [   26.770152]  ? __drm_mm_interval_first+0xc0/0x1e2
> [   26.770152]  print_address_description+0x9a/0x232
> [   26.770152]  ? __drm_mm_interval_first+0xc0/0x1e2
> [   26.770152]  kasan_report+0x21e/0x247
> [   26.770152]  __asan_report_load8_noabort+0x14/0x16
> [   26.770152]  __drm_mm_interval_first+0xc0/0x1e2
> [   26.770152]  assert_continuous+0x13e/0x22f
> [   26.770152]  __igt_insert+0x665/0xc87
> [   26.770152]  ? igt_bottomup+0xaa0/0xaa0
> [   26.770152]  ? sched_clock_local+0x3c/0xfb
> [   26.770152]  ? find_held_lock+0x33/0x103
> [   26.770152]  ? next_prime_number+0x318/0x362
> [   26.770152]  ? rcu_irq_enter_disabled+0xd/0xd
> [   26.770152]  ? next_prime_number+0x337/0x362
> [   26.770152]  igt_replace+0x4b/0xb3
> [   26.770152]  test_drm_mm_init+0x118/0x172
> [   26.770152]  ? drm_kms_helper_init+0xb/0xb
> [   26.770152]  do_one_initcall+0x10f/0x21f
> [   26.770152]  ? initcall_blacklisted+0x185/0x185
> [   26.770152]  ? down_write_nested+0xa1/0x164
> [   26.770152]  ? kasan_poison_shadow+0x2f/0x31
> [   26.770152]  ? kasan_unpoison_shadow+0x14/0x35
> [   26.770152]  kernel_init_freeable+0x2ae/0x339
> [   26.770152]  ? rest_init+0x250/0x250
> [   26.770152]  kernel_init+0xc/0x105
> [   26.770152]  ? rest_init+0x250/0x250
> [   26.770152]  ret_from_fork+0x24/0x30
> [   26.770152]
> [   26.770152] The buggy address belongs to the page:
> [   26.770152] page:ffff88007f39c5c8 count:0 mapcount:0 mapping:
>    (null) index:0x0
> [   26.770152] flags: 0x1a01fff800000()
> [   26.770152] raw: 0001a01fff800000 0000000000000000 0000000000000000
> 00000000ffffffff
> [   26.770152] raw: ffff88007f39c5e8 ffff88007f39c5e8 0000000000000000
> [   26.770152] page dumped because: kasan: bad access detected
> [   26.790299]
> [   26.790299] Memory state around the buggy address:
> [   26.790299]  ffff88006cb3fa80: 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 f1
> [   26.790299]  ffff88006cb3fb00: f1 f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00
> 00 f2 f2 f2
> [   26.790299] >ffff88006cb3fb80: f2 f2 f2 f8 f8 f2 f2 f2 f2 f2 f2 f8
> f8 f8 f8 f8
> [   26.790299]                                                        ^
> [   26.790299]  ffff88006cb3fc00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
> f8 f8 f8 f2
> [   26.790299]  ffff88006cb3fc80: f2 f2 f2 00 00 00 00 00 00 00 00 00
> 00 00 00 00
> [   26.790299]
> [   26.790299] frame offset: 232
> [   26.790299] desc: '5 32 8 3 __u 96 16 4 prng 160 16 7 state__ 224
> 160 3 tmp 416 224 2 mm '
> [   26.790299] func: __igt_insert+0x0/0xc87
> [   26.790299] ==================================================================
> 
> 
> That desc string is: number of local objects, then for each object:
> offset, size, name length, name.
> 
> So that's variable tmp in __igt_insert.
> 
> Looks very much like a real use-after-scope.

The fix should already be in mmotm:

commit 3e6e51217dd14dcda10d4bc9a38b1440e2d42c14
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date:   Thu Nov 9 21:24:34 2017 +0000

    lib/rbtree,drm/mm: Add rbtree_replace_node_cached()
    
    Add a variant of rbtree_replace_node() that maintains the leftmost
    cache of struct rbtree_root_cached when replacing nodes within the
    rbtree.
-Chris
diff mbox

Patch

--- a/mm/kasan/report.c
+++ b/mm/kasan/report.c
@@ -289,6 +289,7 @@  static void print_shadow_for_address(const void *addr)
        int i;
        const void *shadow = kasan_mem_to_shadow(addr);
        const void *shadow_row;
+       unsigned long *ptr;

        shadow_row = (void *)round_down((unsigned long)shadow,
                                        SHADOW_BYTES_PER_ROW)
@@ -320,6 +321,18 @@  static void print_shadow_for_address(const void *addr)

                shadow_row += SHADOW_BYTES_PER_ROW;
        }
+
+
+       ptr = (unsigned long *)((unsigned long)addr & ~7);
+       for (i = 0; i < 1000; i++, ptr--) {
+               if (*ptr == 0x41b58ab3) {
+                       pr_err("\n");
+                       pr_err("frame offset: %lu\n", (unsigned
long)addr - (unsigned long)ptr);
+                       pr_err("desc: '%s'\n", (const char*)*(ptr+1));
+                       pr_err("func: %pS\n", (void*)*(ptr+2));
+                       break;
+               }
+       }
 }