On Tuesday, June 28, 2016 at 8:59:10 AM UTC-4, dvyukov wrote:
> Hello,
>
> While running tools/testing/selftests test suite with KASAN I hit the
> following use-after-free report:
>
>
> ==================================================================
> BUG: KASAN: use-after-free in hist_unreg_all+0x1a1/0x1d0 at addr ffff880031632cc0
> Read of size 8 by task ftracetest/7413
> =============================================================================
> BUG kmalloc-128 (Not tainted): kasan: bad access detected
> -----------------------------------------------------------------------------
>
> Disabling lock debugging due to kernel taint
> INFO: Allocated in 0xbbbbbbbbbbbbbbbb age=18446712312426182376 cpu=0 pid=0
> [< inline >] kmalloc include/linux/slab.h:478
> [< inline >] kzalloc include/linux/slab.h:622
> [< none >] event_hist_trigger_func+0xfcd/0x2430 kernel/trace/trace_events_hist.c:1552
> [< none >] ___slab_alloc+0x564/0x5e0 mm/slub.c:2446
> [< none >] __slab_alloc+0x68/0xc0 mm/slub.c:2475
> [< inline >] slab_alloc_node mm/slub.c:2538
> [< inline >] slab_alloc mm/slub.c:2580
> [< none >] kmem_cache_alloc_trace+0x263/0x3d0 mm/slub.c:2597
> [< inline >] kmalloc include/linux/slab.h:478
> [< inline >] kzalloc include/linux/slab.h:622
> [< none >] event_hist_trigger_func+0xfcd/0x2430 kernel/trace/trace_events_hist.c:1552
> [< inline >] trigger_process_regex kernel/trace/trace_events_trigger.c:234
> [< inline >] event_trigger_regex_write kernel/trace/trace_events_trigger.c:271
> [< none >] event_trigger_write+0x244/0x3c0 kernel/trace/trace_events_trigger.c:300
> [< none >] __vfs_write+0x10b/0x620 fs/read_write.c:510
> [< none >] vfs_write+0x170/0x4a0 fs/read_write.c:560
> [< inline >] SYSC_write fs/read_write.c:607
> [< none >] SyS_write+0xd4/0x1a0 fs/read_write.c:599
> [< none >] entry_SYSCALL_64_fastpath+0x23/0xc1 arch/x86/entry/entry_64.S:207
>
> INFO: Freed in 0xfffcb4bb age=18446712239411738348 cpu=0 pid=0
> [< none >] trigger_data_free+0x75/0x90 kernel/trace/trace_events_trigger.c:37
> [< none >] __slab_free+0x1e8/0x300 mm/slub.c:2657
> [< inline >] slab_free mm/slub.c:2810
> [< none >] kfree+0x2fc/0x370 mm/slub.c:3662
> [< none >] trigger_data_free+0x75/0x90 kernel/trace/trace_events_trigger.c:37
> [< none >] event_hist_trigger_free+0xb5/0x120 kernel/trace/trace_events_hist.c:1256
> [< none >] hist_unreg_all+0x156/0x1d0 kernel/trace/trace_events_hist.c:1511
> [< inline >] event_trigger_regex_open kernel/trace/trace_events_trigger.c:205
> [< none >] event_trigger_open+0x1ee/0x2a0 kernel/trace/trace_events_trigger.c:306
> [< none >] do_dentry_open+0x698/0xca0 fs/open.c:736
> [< none >] vfs_open+0x10f/0x210 fs/open.c:849
> [< inline >] do_last fs/namei.c:3360
> [< none >] path_openat+0x12f9/0x2a80 fs/namei.c:3483
> [< none >] do_filp_open+0x18c/0x250 fs/namei.c:3518
> [< none >] do_sys_open+0x1fc/0x420 fs/open.c:1016
> [< inline >] SYSC_open fs/open.c:1034
> [< none >] SyS_open+0x2d/0x40 fs/open.c:1029
> [< none >] entry_SYSCALL_64_fastpath+0x23/0xc1 arch/x86/entry/entry_64.S:207
> INFO: Slab 0xffffea0000c58c80 objects=17 used=15 fp=0xffff880031632398 flags=0xfffe0000004080
> INFO: Object 0xffff880031632c78 @offset=3192 fp=0xbbbbbbbbbbbbbbbb
>
> Redzone ffff880031632c70: d0 6f 81 81 ff ff ff ff                          .o......
> Object  ffff880031632c78: bb bb bb bb bb bb bb bb 00 00 00 00 00 00 00 00  ................
> Object  ffff880031632c88: 00 00 00 00 00 00 00 00 c0 17 18 88 ff ff ff ff  ................
> Object  ffff880031632c98: 00 17 18 88 ff ff ff ff 00 00 00 00 00 00 00 00  ................
> Object  ffff880031632ca8: 00 00 00 00 00 00 00 00 98 23 63 31 00 88 ff ff  .........#c1....
> Object  ffff880031632cb8: 00 00 00 00 00 00 00 00 40 e0 96 3e 00 88 ff ff  ........@..>....
> Object  ffff880031632cc8: 00 02 00 00 00 00 ad de 00 00 00 00 00 00 00 00  ................
> Object  ffff880031632cd8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> Object  ffff880031632ce8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> Redzone ffff880031632cf8: 00 00 00 00 00 00 00 00                          ........
> Padding ffff880031632e30: aa b6 fc ff 00 00 00 00                          ........
> CPU: 0 PID: 7413 Comm: ftracetest Tainted: G B 4.7.0-rc4+ #6
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>  ffffffff880b58e0 ffff88005ed1f8e8 ffffffff82cc83cf ffffffff00c58c80
>  fffffbfff1016b1c ffff880031632000 ffff880031632c78 ffff88003e807480
>  ffffea0000c58c80 ffffffff8160e820 ffff88005ed1f918 ffffffff817b3ec0
>
> Call Trace:
> [] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:319
> [< inline >] __read_once_size include/linux/compiler.h:222
> [] hist_unreg_all+0x1a1/0x1d0 kernel/trace/trace_events_hist.c:1505
> [< inline >] event_trigger_regex_open kernel/trace/trace_events_trigger.c:205
> [] event_trigger_open+0x1ee/0x2a0 kernel/trace/trace_events_trigger.c:306
> [] do_dentry_open+0x698/0xca0 fs/open.c:736
> [] vfs_open+0x10f/0x210 fs/open.c:849
> [< inline >] do_last fs/namei.c:3360
> [] path_openat+0x12f9/0x2a80 fs/namei.c:3483
> [] do_filp_open+0x18c/0x250 fs/namei.c:3518
> [] do_sys_open+0x1fc/0x420 fs/open.c:1016
> [< inline >] SYSC_open fs/open.c:1034
> [] SyS_open+0x2d/0x40 fs/open.c:1029
> [] entry_SYSCALL_64_fastpath+0x23/0xc1 arch/x86/entry/entry_64.S:207
>
> Memory state around the buggy address:
>  ffff880031632b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>  ffff880031632c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> >ffff880031632c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>                                            ^
>  ffff880031632d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>  ffff880031632d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ==================================================================
>
>
> On commit 67016f6cdfd079e632bbc49e33178b2d558c120a (Jun 20).