From: syzbot <syzbot+98edc2df894917b3431f@syzkaller.appspotmail.com>
To: eadavis@qq.com, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [net?] [virt?] [kvm?] KASAN: slab-use-after-free Read in vhost_task_fn
Date: Tue, 30 Apr 2024 04:09:04 -0700 [thread overview]
Message-ID: <000000000000dcc0ca06174e65d4@google.com> (raw)
In-Reply-To: <tencent_546DA49414E876EEBECF2C78D26D242EE50A@qq.com>
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING: suspicious RCU usage in __do_softirq
=============================
WARNING: suspicious RCU usage
6.9.0-rc5-next-20240426-syzkaller-dirty #0 Not tainted
-----------------------------
kernel/rcu/tree.c:276 Illegal rcu_softirq_qs() in RCU read-side critical section!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
1 lock held by ksoftirqd/0/16:
#0: ffffffff8e333b20 (rcu_read_lock_sched){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline]
#0: ffffffff8e333b20 (rcu_read_lock_sched){....}-{1:2}, at: rcu_read_lock_sched include/linux/rcupdate.h:933 [inline]
#0: ffffffff8e333b20 (rcu_read_lock_sched){....}-{1:2}, at: pfn_valid include/linux/mmzone.h:2022 [inline]
#0: ffffffff8e333b20 (rcu_read_lock_sched){....}-{1:2}, at: __virt_addr_valid+0x183/0x520 arch/x86/mm/physaddr.c:65
stack backtrace:
CPU: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.9.0-rc5-next-20240426-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
lockdep_rcu_suspicious+0x221/0x340 kernel/locking/lockdep.c:6712
rcu_softirq_qs+0xd9/0x370 kernel/rcu/tree.c:273
__do_softirq+0x5fd/0x980 kernel/softirq.c:568
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu+0xf2/0x1c0 kernel/softirq.c:633
irq_exit_rcu+0x9/0x30 kernel/softirq.c:645
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:check_preemption_disabled+0x2/0x120 lib/smp_processor_id.c:13
Code: c4 1f 8c 48 c7 c6 c0 c4 1f 8c eb 1c 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 41 57 <41> 56 41 54 53 48 83 ec 10 65 48 8b 04 25 28 00 00 00 48 89 44 24
RSP: 0018:ffffc900001578f0 EFLAGS: 00000287
RAX: 0000000000000001 RBX: 0000000000000000 RCX: ffffffff8172cd10
RDX: 0000000000000000 RSI: ffffffff8c1fc4c0 RDI: ffffffff8c1fc480
RBP: ffffc90000157a48 R08: ffffffff8fac7fef R09: 1ffffffff1f58ffd
R10: dffffc0000000000 R11: fffffbfff1f58ffe R12: 1ffff9200002af30
R13: ffffffff81423f93 R14: ffffffff81423f93 R15: dffffc0000000000
rcu_dynticks_curr_cpu_in_eqs include/linux/context_tracking.h:122 [inline]
rcu_is_watching+0x15/0xb0 kernel/rcu/tree.c:725
trace_lock_release include/trace/events/lock.h:69 [inline]
lock_release+0xbf/0x9f0 kernel/locking/lockdep.c:5765
rcu_lock_release include/linux/rcupdate.h:339 [inline]
rcu_read_unlock_sched include/linux/rcupdate.h:954 [inline]
pfn_valid include/linux/mmzone.h:2032 [inline]
__virt_addr_valid+0x41e/0x520 arch/x86/mm/physaddr.c:65
kasan_addr_to_slab+0xd/0x80 mm/kasan/common.c:37
__kasan_record_aux_stack+0x11/0xc0 mm/kasan/generic.c:526
__call_rcu_common kernel/rcu/tree.c:3103 [inline]
call_rcu+0x167/0xa70 kernel/rcu/tree.c:3207
context_switch kernel/sched/core.c:5411 [inline]
__schedule+0x17f0/0x4a50 kernel/sched/core.c:6745
__schedule_loop kernel/sched/core.c:6822 [inline]
schedule+0x14b/0x320 kernel/sched/core.c:6837
smpboot_thread_fn+0x61e/0xa30 kernel/smpboot.c:160
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
----------------
Code disassembly (best guess), 3 bytes skipped:
0: 48 c7 c6 c0 c4 1f 8c mov $0xffffffff8c1fc4c0,%rsi
7: eb 1c jmp 0x25
9: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
10: 00 00 00
13: 66 90 xchg %ax,%ax
15: 90 nop
16: 90 nop
17: 90 nop
18: 90 nop
19: 90 nop
1a: 90 nop
1b: 90 nop
1c: 90 nop
1d: 90 nop
1e: 90 nop
1f: 90 nop
20: 90 nop
21: 90 nop
22: 90 nop
23: 90 nop
24: 90 nop
25: 41 57 push %r15
* 27: 41 56 push %r14 <-- trapping instruction
29: 41 54 push %r12
2b: 53 push %rbx
2c: 48 83 ec 10 sub $0x10,%rsp
30: 65 48 8b 04 25 28 00 mov %gs:0x28,%rax
37: 00 00
39: 48 rex.W
3a: 89 .byte 0x89
3b: 44 rex.R
3c: 24 .byte 0x24
Tested on:
commit: bb7a2467 Add linux-next specific files for 20240426
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
console output: https://syzkaller.appspot.com/x/log.txt?x=12a94f0f180000
kernel config: https://syzkaller.appspot.com/x/.config?x=5c6a0288262dd108
dashboard link: https://syzkaller.appspot.com/bug?extid=98edc2df894917b3431f
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=16df8838980000
next prev parent reply other threads:[~2024-04-30 11:09 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-30 8:25 [syzbot] [net?] [virt?] [kvm?] KASAN: slab-use-after-free Read in vhost_task_fn syzbot
2024-04-30 9:31 ` Edward Adam Davis
2024-04-30 11:09 ` syzbot [this message]
2024-05-01 20:33 ` Michael S. Tsirkin
2024-04-30 11:02 ` Hillf Danton
2024-04-30 15:47 ` syzbot
2024-04-30 11:57 ` Edward Adam Davis
2024-04-30 15:34 ` syzbot
2024-04-30 13:05 ` [PATCH next] vhost_task: after freeing vhost_task it should not be accessed " Edward Adam Davis
2024-04-30 16:23 ` Mike Christie
2024-04-30 18:06 ` Michael S. Tsirkin
2024-05-01 0:15 ` Hillf Danton
2024-05-01 1:01 ` Mike Christie
2024-05-01 5:52 ` Michael S. Tsirkin
2024-05-01 6:01 ` Michael S. Tsirkin
2024-05-01 7:50 ` Hillf Danton
2024-05-01 15:57 ` Mike Christie
2024-05-01 16:04 ` Michael S. Tsirkin
2024-05-01 16:15 ` Michael S. Tsirkin
2024-04-30 22:50 ` [syzbot] [net?] [virt?] [kvm?] KASAN: slab-use-after-free Read " Hillf Danton
2024-04-30 23:21 ` syzbot
2024-05-01 3:44 ` Edward Adam Davis
2024-05-01 10:13 ` syzbot
2024-05-01 16:12 ` Michael S. Tsirkin
2024-05-01 16:56 ` syzbot
2024-05-05 3:07 ` Edward Adam Davis
2024-05-05 3:40 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=000000000000dcc0ca06174e65d4@google.com \
--to=syzbot+98edc2df894917b3431f@syzkaller.appspotmail.com \
--cc=eadavis@qq.com \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).