
Linux Security Hardening for Confidential Compute
https://intel.github.io/ccc-linux-guest-hardening-docs
MIT License

KASAN: slab-out-of-bounds in kafl_fuzz_buffer Write of size N at addr M by task sh/79 #98

Closed ereshetova closed 3 months ago

ereshetova commented 1 year ago

Found on kernel 6.0.0-rc2 via US_RESUME_SUSPEND harness.

BUG: KASAN: slab-out-of-bounds in kafl_fuzz_buffer (arch/x86/coco/tdx/kafl-agent.c:438 arch/x86/coco/tdx/kafl-agent.c:495) Write of size 140 at addr ffff888006843688 by task sh/79

CPU: 0 PID: 79 Comm: sh Not tainted 6.0.0-rc2-g1d588de205f8 Call Trace:

dump_stack_lvl (arch/x86/include/asm/irqflags.h:137 lib/dump_stack.c:107) print_report.cold (mm/kasan/report.c:325 mm/kasan/report.c:440) ? kafl_fuzz_buffer (arch/x86/coco/tdx/kafl-agent.c:438 arch/x86/coco/tdx/kafl-agent.c:495) kasan_report (mm/kasan/report.c:504) ? kafl_fuzz_buffer (arch/x86/coco/tdx/kafl-agent.c:438 arch/x86/coco/tdx/kafl-agent.c:495) kasan_check_range (mm/kasan/generic.c:190) memcpy (mm/kasan/shadow.c:65 (discriminator 1)) kafl_fuzz_buffer (arch/x86/coco/tdx/kafl-agent.c:438 arch/x86/coco/tdx/kafl-agent.c:495) virtqueue_get_buf (drivers/virtio/virtio_ring.c:2299) get_inbuf (drivers/char/virtio_console.c:478) ? remove_port (drivers/char/virtio_console.c:470) ? msi_get_virq (kernel/irq/msi.c:345) discard_port_data (drivers/char/virtio_console.c:526) ? virtio_pci_restore (include/linux/device.h:762 include/linux/pci.h:1957 drivers/virtio/virtio_pci_common.c:469) remove_port_data (arch/x86/include/asm/irqflags.h:45 arch/x86/include/asm/irqflags.h:80 include/linux/spinlock.h:399 drivers/char/virtio_console.c:1499) virtcons_freeze (drivers/char/virtio_console.c:2176 (discriminator 3)) virtio_device_freeze (drivers/virtio/virtio.c:510) virtio_pci_freeze (drivers/virtio/virtio_pci_common.c:474) pci_pm_suspend (drivers/pci/pci-driver.c:811) ? pci_pm_freeze (drivers/pci/pci-driver.c:773) dpm_run_callback (arch/x86/include/asm/atomic.h:29 include/linux/jump_label.h:259 include/linux/jump_label.h:269 include/trace/events/power.h:226 drivers/base/power/main.c:487) ? suspend_report_result (drivers/base/power/main.c:475) ? dev_pm_disarm_wake_irq (drivers/base/power/main.c:346) device_suspend (drivers/base/power/main.c:1704) ? async_suspend_late (drivers/base/power/main.c:1607) ? mutex_unlock_slowpath (kernel/locking/mutex.c:538) ? kasan_check_write (mm/kasan/shadow.c:38) dpm_suspend (drivers/base/power/main.c:1777) ? pci_pm_resume (drivers/pci/pci-driver.c:704) ? dpm_suspend_end (drivers/base/power/main.c:1755) ? 
mutex_lock_slowpath (kernel/locking/mutex.c:282) dpm_suspend_start (drivers/base/power/main.c:1957) suspend_devices_and_enter (kernel/power/suspend.c:494) ? swsusp_check.cold (kernel/printk/printk.c:2291) ? arch_suspend_enable_irqs+0x10/0x10 ? try_to_freeze_tasks.cold (kernel/power/process.c:110) pm_suspend.cold (kernel/power/suspend.c:585 kernel/power/suspend.c:612) state_store (kernel/power/main.c:644) ? kobj_attr_show (lib/kobject.c:823) kobj_attr_store (lib/kobject.c:826) ? kmalloc (include/linux/kasan.h:234 mm/slub.c:4424) sysfs_kf_write (fs/sysfs/file.c:137) ? kasan_check_write (mm/kasan/shadow.c:38) kernfs_fop_write_iter (fs/kernfs/file.c:358) vfs_write (fs/read_write.c:492 fs/read_write.c:578) ? vfs_read (fs/read_write.c:559) ksys_write (fs/read_write.c:631) ? ia32_sys_read (fs/read_write.c:621) ? fput (arch/x86/include/asm/atomic64_64.h:118 include/linux/atomic/atomic-long.h:467 include/linux/atomic/atomic-instrumented.h:1814 fs/file_table.c:376) __x64_sys_write (fs/read_write.c:640) ? syscall_exit_to_user_mode (arch/x86/include/asm/atomic.h:29 include/linux/jump_label.h:259 arch/x86/include/asm/nospec-branch.h:384 arch/x86/include/asm/entry-common.h:94 kernel/entry/common.c:133 kernel/entry/common.c:296) do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) RIP: 0033:0x49a257 Code: 64 89 02 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24

All code

0: 64 89 02 mov %eax,%fs:(%rdx) 3: 48 c7 c0 ff ff ff ff mov $0xffffffffffffffff,%rax a: eb bb jmp 0xffffffffffffffc7 c: 0f 1f 80 00 00 00 00 nopl 0x0(%rax) 13: f3 0f 1e fa endbr64 17: 64 8b 04 25 18 00 00 mov %fs:0x18,%eax 1e: 00 1f: 85 c0 test %eax,%eax 21: 75 10 jne 0x33 23: b8 01 00 00 00 mov $0x1,%eax 28: 0f 05 syscall 2a:* 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax <-- trapping instruction 30: 77 51 ja 0x83 32: c3 retq
33: 48 83 ec 28 sub $0x28,%rsp 37: 48 89 54 24 18 mov %rdx,0x18(%rsp) 3c: 48 rex.W 3d: 89 .byte 0x89 3e: 74 24 je 0x64

Code starting with the faulting instruction

0: 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax 6: 77 51 ja 0x59 8: c3 retq
9: 48 83 ec 28 sub $0x28,%rsp d: 48 89 54 24 18 mov %rdx,0x18(%rsp) 12: 48 rex.W 13: 89 .byte 0x89 14: 74 24 je 0x3a RSP: 002b:00007ffdf226f738 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 000000000049a257 RDX: 0000000000000004 RSI: 0000000000618e90 RDI: 0000000000000001 RBP: 0000000000618e90 R08: 0000000000618e90 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004 R13: 00000000006168a0 R14: 0000000000609c01 R15: 00007ffdf226f7a0

Allocated by task 23: kasan_save_stack (mm/kasan/common.c:39) __kasan_kmalloc (mm/kasan/common.c:45 mm/kasan/common.c:437 mm/kasan/common.c:516 mm/kasan/common.c:525) __kmalloc (include/linux/kasan.h:234 mm/slub.c:4424) alloc_buf (include/linux/slab.h:605 drivers/char/virtio_console.c:424) fill_queue (drivers/char/virtio_console.c:1335) add_port (drivers/char/virtio_console.c:1426) handle_control_message (drivers/char/virtio_console.c:1601) control_work_handler (include/linux/spinlock.h:349 drivers/char/virtio_console.c:1720) process_one_work (arch/x86/include/asm/atomic.h:29 include/linux/jump_label.h:259 include/linux/jump_label.h:269 include/trace/events/workqueue.h:108 kernel/workqueue.c:2294) worker_thread (include/linux/list.h:292 kernel/workqueue.c:2437) kthread (kernel/kthread.c:376) ret_from_fork (arch/x86/entry/entry_64.S:312)

The buggy address belongs to the object at ffff888006843688 which belongs to the cache kmalloc-96 of size 96 The buggy address is located 0 bytes inside of 96-byte region [ffff888006843688, ffff8880068436e8)

The buggy address belongs to the physical page: page:ffffea00001a10c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6843 flags: 0x4000000000000200(slab|zone=1) raw: 4000000000000200 ffffea00001a06c8 ffffea00001a0f08 ffff888005c41940 raw: 0000000000000000 0000000000130013 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected

Memory state around the buggy address: ffff888006843580: fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 00 ffff888006843600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

ffff888006843680: fc 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc ^ ffff888006843700: fc fc fc fc fc fc fc fc fc fc fc 00 00 00 00 00 ffff888006843780: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc

Disabling lock debugging due to kernel taint

ereshetova commented 1 year ago

Likely a related one:

WARNING: CPU: 0 PID: 79 at mm/slub.c:3567 kfree (mm/slub.c:3567 mm/slub.c:4558) Modules linked in: CPU: 0 PID: 79 Comm: sh Not tainted 6.0.0-rc2-g1d588de205f8 #1 RIP: 0010:kfree (mm/slub.c:3567 mm/slub.c:4558) Code: ff 49 8b 04 24 a9 00 00 01 00 0f 84 2e ff ff ff 49 8b 44 24 48 a8 01 0f 84 21 ff ff ff 48 83 e8 01 49 39 c4 0f 84 14 ff ff ff <0f> 0b 80 3d 67 5f 9f 03 00 0f 84 fe da 93 01 48 8b 75 08 48 89 df

All code

0: ff 49 8b decl -0x75(%rcx) 3: 04 24 add $0x24,%al 5: a9 00 00 01 00 test $0x10000,%eax a: 0f 84 2e ff ff ff je 0xffffffffffffff3e 10: 49 8b 44 24 48 mov 0x48(%r12),%rax 15: a8 01 test $0x1,%al 17: 0f 84 21 ff ff ff je 0xffffffffffffff3e 1d: 48 83 e8 01 sub $0x1,%rax 21: 49 39 c4 cmp %rax,%r12 24: 0f 84 14 ff ff ff je 0xffffffffffffff3e 2a:* 0f 0b ud2 <-- trapping instruction 2c: 80 3d 67 5f 9f 03 00 cmpb $0x0,0x39f5f67(%rip) # 0x39f5f9a 33: 0f 84 fe da 93 01 je 0x193db37 39: 48 8b 75 08 mov 0x8(%rbp),%rsi 3d: 48 89 df mov %rbx,%rdi

Code starting with the faulting instruction

0: 0f 0b ud2
2: 80 3d 67 5f 9f 03 00 cmpb $0x0,0x39f5f67(%rip) # 0x39f5f70 9: 0f 84 fe da 93 01 je 0x193db0d f: 48 8b 75 08 mov 0x8(%rbp),%rsi 13: 48 89 df mov %rbx,%rdi RSP: 0018:ffffc9000028f708 EFLAGS: 00010046 RAX: 0000000000000000 RBX: 000010ff0000008f RCX: 0000000000000096 RDX: 1ffff11000d086d1 RSI: 0000000000000000 RDI: ffffec21fc000000 RBP: ffffc9000028f728 R08: ffff888009f16696 R09: 0000000000000066 R10: ffffc9000028f5e9 R11: fffff52000051ebd R12: ffffec21fc000000 R13: 0000000000000000 R14: ffff888006843688 R15: ffff88802c488858 FS: 00000000006168c0(0000) GS:ffffffff83cac000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000006168a0 CR3: 0000000009988006 CR4: 00000000001706f0 Call Trace:

free_buf (drivers/char/virtio_console.c:370) discard_port_data (drivers/char/virtio_console.c:523) ? virtio_pci_restore (include/linux/device.h:762 include/linux/pci.h:1957 drivers/virtio/virtio_pci_common.c:469) remove_port_data (arch/x86/include/asm/irqflags.h:45 arch/x86/include/asm/irqflags.h:80 include/linux/spinlock.h:399 drivers/char/virtio_console.c:1499) virtcons_freeze (drivers/char/virtio_console.c:2176 (discriminator 3)) virtio_device_freeze (drivers/virtio/virtio.c:510) virtio_pci_freeze (drivers/virtio/virtio_pci_common.c:474) pci_pm_suspend (drivers/pci/pci-driver.c:811) ? pci_pm_freeze (drivers/pci/pci-driver.c:773) dpm_run_callback (arch/x86/include/asm/atomic.h:29 include/linux/jump_label.h:259 include/linux/jump_label.h:269 include/trace/events/power.h:226 drivers/base/power/main.c:487) ? __suspend_report_result (drivers/base/power/main.c:475) ? dev_pm_disarm_wake_irq (drivers/base/power/main.c:346) __device_suspend (drivers/base/power/main.c:1704) ? async_suspend_late (drivers/base/power/main.c:1607) ? __mutex_unlock_slowpath (kernel/locking/mutex.c:538) ? __kasan_check_write (mm/kasan/shadow.c:38) dpm_suspend (drivers/base/power/main.c:1777) ? pci_pm_resume (drivers/pci/pci-driver.c:704) ? dpm_suspend_end (drivers/base/power/main.c:1755) ? __mutex_lock_slowpath (kernel/locking/mutex.c:282) dpm_suspend_start (drivers/base/power/main.c:1957) suspend_devices_and_enter (kernel/power/suspend.c:494) ? swsusp_check.cold (kernel/printk/printk.c:2291) ? arch_suspend_enable_irqs+0x10/0x10 ? try_to_freeze_tasks.cold (kernel/power/process.c:110) pm_suspend.cold (kernel/power/suspend.c:585 kernel/power/suspend.c:612) state_store (kernel/power/main.c:644) ? kobj_attr_show (lib/kobject.c:823) kobj_attr_store (lib/kobject.c:826) ? __kmalloc (include/linux/kasan.h:234 mm/slub.c:4424) sysfs_kf_write (fs/sysfs/file.c:137) ? __kasan_check_write (mm/kasan/shadow.c:38) kernfs_fop_write_iter (fs/kernfs/file.c:358) vfs_write (fs/read_write.c:492 fs/read_write.c:578) ? 
vfs_read (fs/read_write.c:559) ksys_write (fs/read_write.c:631) ? __ia32_sys_read (fs/read_write.c:621) ? fput (arch/x86/include/asm/atomic64_64.h:118 include/linux/atomic/atomic-long.h:467 include/linux/atomic/atomic-instrumented.h:1814 fs/file_table.c:376) __x64_sys_write (fs/read_write.c:640) ? syscall_exit_to_user_mode (arch/x86/include/asm/atomic.h:29 include/linux/jump_label.h:259 arch/x86/include/asm/nospec-branch.h:384 arch/x86/include/asm/entry-common.h:94 kernel/entry/common.c:133 kernel/entry/common.c:296) do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) RIP: 0033:0x49a257 Code: 64 89 02 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24 All code 0: 64 89 02 mov %eax,%fs:(%rdx) 3: 48 c7 c0 ff ff ff ff mov $0xffffffffffffffff,%rax a: eb bb jmp 0xffffffffffffffc7 c: 0f 1f 80 00 00 00 00 nopl 0x0(%rax) 13: f3 0f 1e fa endbr64 17: 64 8b 04 25 18 00 00 mov %fs:0x18,%eax 1e: 00 1f: 85 c0 test %eax,%eax 21: 75 10 jne 0x33 23: b8 01 00 00 00 mov $0x1,%eax 28: 0f 05 syscall 2a:* 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax <-- trapping instruction 30: 77 51 ja 0x83 32: c3 retq 33: 48 83 ec 28 sub $0x28,%rsp 37: 48 89 54 24 18 mov %rdx,0x18(%rsp) 3c: 48 rex.W 3d: 89 .byte 0x89 3e: 74 24 je 0x64 Code starting with the faulting instruction 0: 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax 6: 77 51 ja 0x59 8: c3 retq 9: 48 83 ec 28 sub $0x28,%rsp d: 48 89 54 24 18 mov %rdx,0x18(%rsp) 12: 48 rex.W 13: 89 .byte 0x89 14: 74 24 je 0x3a RSP: 002b:00007ffdf226f738 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 000000000049a257 RDX: 0000000000000004 RSI: 0000000000618e90 RDI: 0000000000000001 RBP: 0000000000618e90 R08: 0000000000618e90 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 
0000000000000004 R13: 00000000006168a0 R14: 0000000000609c01 R15: 00007ffdf226f7a0

---[ end trace 0000000000000000 ]--- object pointer: 0x000010ff0000008f

BUG: KASAN: invalid-free in free_buf (drivers/char/virtio_console.c:370)

CPU: 0 PID: 79 Comm: sh Tainted: G W 6.0.0-rc2-g1d588de205f8 #1 Call Trace:

dump_stack_lvl (arch/x86/include/asm/irqflags.h:137 lib/dump_stack.c:107) ? free_buf (drivers/char/virtio_console.c:370) print_report.cold (mm/kasan/report.c:445) ? free_buf (drivers/char/virtio_console.c:370) kasan_report_invalid_free (mm/kasan/report.c:471) ? free_buf (drivers/char/virtio_console.c:370) ? free_buf (drivers/char/virtio_console.c:370) kasan_kfree_large (mm/kasan/common.c:401) kfree (include/linux/page-flags.h:304 include/linux/mm.h:1248 include/linux/mm.h:1428 include/linux/vmstat.h:595 mm/slub.c:3571 mm/slub.c:4558) free_buf (drivers/char/virtio_console.c:370) discard_port_data (drivers/char/virtio_console.c:523) ? virtio_pci_restore (include/linux/device.h:762 include/linux/pci.h:1957 drivers/virtio/virtio_pci_common.c:469) remove_port_data (arch/x86/include/asm/irqflags.h:45 arch/x86/include/asm/irqflags.h:80 include/linux/spinlock.h:399 drivers/char/virtio_console.c:1499) virtcons_freeze (drivers/char/virtio_console.c:2176 (discriminator 3)) virtio_device_freeze (drivers/virtio/virtio.c:510) virtio_pci_freeze (drivers/virtio/virtio_pci_common.c:474) pci_pm_suspend (drivers/pci/pci-driver.c:811) ? pci_pm_freeze (drivers/pci/pci-driver.c:773) dpm_run_callback (arch/x86/include/asm/atomic.h:29 include/linux/jump_label.h:259 include/linux/jump_label.h:269 include/trace/events/power.h:226 drivers/base/power/main.c:487) ? suspend_report_result (drivers/base/power/main.c:475) ? dev_pm_disarm_wake_irq (drivers/base/power/main.c:346) device_suspend (drivers/base/power/main.c:1704) ? async_suspend_late (drivers/base/power/main.c:1607) ? mutex_unlock_slowpath (kernel/locking/mutex.c:538) ? kasan_check_write (mm/kasan/shadow.c:38) dpm_suspend (drivers/base/power/main.c:1777) ? pci_pm_resume (drivers/pci/pci-driver.c:704) ? dpm_suspend_end (drivers/base/power/main.c:1755) ? mutex_lock_slowpath (kernel/locking/mutex.c:282) dpm_suspend_start (drivers/base/power/main.c:1957) suspend_devices_and_enter (kernel/power/suspend.c:494) ? 
swsusp_check.cold (kernel/printk/printk.c:2291) ? arch_suspend_enable_irqs+0x10/0x10 ? try_to_freeze_tasks.cold (kernel/power/process.c:110) pm_suspend.cold (kernel/power/suspend.c:585 kernel/power/suspend.c:612) state_store (kernel/power/main.c:644) ? kobj_attr_show (lib/kobject.c:823) kobj_attr_store (lib/kobject.c:826) ? kmalloc (include/linux/kasan.h:234 mm/slub.c:4424) sysfs_kf_write (fs/sysfs/file.c:137) ? kasan_check_write (mm/kasan/shadow.c:38) kernfs_fop_write_iter (fs/kernfs/file.c:358) vfs_write (fs/read_write.c:492 fs/read_write.c:578) ? vfs_read (fs/read_write.c:559) ksys_write (fs/read_write.c:631) ? __ia32_sys_read (fs/read_write.c:621) ? fput (arch/x86/include/asm/atomic64_64.h:118 include/linux/atomic/atomic-long.h:467 include/linux/atomic/atomic-instrumented.h:1814 fs/file_table.c:376) __x64_sys_write (fs/read_write.c:640) ? syscall_exit_to_user_mode (arch/x86/include/asm/atomic.h:29 include/linux/jump_label.h:259 arch/x86/include/asm/nospec-branch.h:384 arch/x86/include/asm/entry-common.h:94 kernel/entry/common.c:133 kernel/entry/common.c:296) do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) RIP: 0033:0x49a257 Code: 64 89 02 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24

All code

0: 64 89 02 mov %eax,%fs:(%rdx) 3: 48 c7 c0 ff ff ff ff mov $0xffffffffffffffff,%rax a: eb bb jmp 0xffffffffffffffc7 c: 0f 1f 80 00 00 00 00 nopl 0x0(%rax) 13: f3 0f 1e fa endbr64 17: 64 8b 04 25 18 00 00 mov %fs:0x18,%eax 1e: 00 1f: 85 c0 test %eax,%eax 21: 75 10 jne 0x33 23: b8 01 00 00 00 mov $0x1,%eax 28: 0f 05 syscall 2a:* 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax <-- trapping instruction 30: 77 51 ja 0x83 32: c3 retq
33: 48 83 ec 28 sub $0x28,%rsp 37: 48 89 54 24 18 mov %rdx,0x18(%rsp) 3c: 48 rex.W 3d: 89 .byte 0x89 3e: 74 24 je 0x64

Code starting with the faulting instruction

0: 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax 6: 77 51 ja 0x59 8: c3 retq
9: 48 83 ec 28 sub $0x28,%rsp d: 48 89 54 24 18 mov %rdx,0x18(%rsp) 12: 48 rex.W 13: 89 .byte 0x89 14: 74 24 je 0x3a RSP: 002b:00007ffdf226f738 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 000000000049a257 RDX: 0000000000000004 RSI: 0000000000618e90 RDI: 0000000000000001 RBP: 0000000000618e90 R08: 0000000000618e90 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004 R13: 00000000006168a0 R14: 0000000000609c01 R15: 00007ffdf226f7a0

Disabling lock debugging due to kernel taint

ereshetova commented 1 year ago

Another trace:

------------[ cut here ]------------ WARNING: CPU: 0 PID: 79 at mm/slub.c:3567 kfree (mm/slub.c:3567 mm/slub.c:4558) Modules linked in: CPU: 0 PID: 79 Comm: sh Not tainted 6.0.0-rc2-g1d588de205f8 #1 RIP: 0010:kfree (mm/slub.c:3567 mm/slub.c:4558) Code: ff 49 8b 04 24 a9 00 00 01 00 0f 84 2e ff ff ff 49 8b 44 24 48 a8 01 0f 84 21 ff ff ff 48 83 e8 01 49 39 c4 0f 84 14 ff ff ff <0f> 0b 80 3d 67 5f 9f 03 00 0f 84 fe da 93 01 48 8b 75 08 48 89 df All code

0: ff 49 8b decl -0x75(%rcx) 3: 04 24 add $0x24,%al 5: a9 00 00 01 00 test $0x10000,%eax a: 0f 84 2e ff ff ff je 0xffffffffffffff3e 10: 49 8b 44 24 48 mov 0x48(%r12),%rax 15: a8 01 test $0x1,%al 17: 0f 84 21 ff ff ff je 0xffffffffffffff3e 1d: 48 83 e8 01 sub $0x1,%rax 21: 49 39 c4 cmp %rax,%r12 24: 0f 84 14 ff ff ff je 0xffffffffffffff3e 2a:* 0f 0b ud2 <-- trapping instruction 2c: 80 3d 67 5f 9f 03 00 cmpb $0x0,0x39f5f67(%rip) # 0x39f5f9a 33: 0f 84 fe da 93 01 je 0x193db37 39: 48 8b 75 08 mov 0x8(%rbp),%rsi 3d: 48 89 df mov %rbx,%rdi

Code starting with the faulting instruction

0: 0f 0b ud2
2: 80 3d 67 5f 9f 03 00 cmpb $0x0,0x39f5f67(%rip) # 0x39f5f70 9: 0f 84 fe da 93 01 je 0x193db0d f: 48 8b 75 08 mov 0x8(%rbp),%rsi 13: 48 89 df mov %rbx,%rdi RSP: 0018:ffffc9000028f708 EFLAGS: 00010046 RAX: 0000000000000000 RBX: 000010ff00000000 RCX: 0000000000000096 RDX: 1ffff11000d086d1 RSI: 0000000000000000 RDI: ffffec21fc000000 RBP: ffffc9000028f728 R08: ffff888009f16696 R09: 0000000000000066 R10: ffffc9000028f5e9 R11: fffff52000051ebd R12: ffffec21fc000000 R13: 0000000000000000 R14: ffff888006843688 R15: ffff88802c488858 FS: 00000000006168c0(0000) GS:ffffffff83cac000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000006168a0 CR3: 0000000009988006 CR4: 00000000001706f0 Call Trace:

free_buf (drivers/char/virtio_console.c:370) discard_port_data (drivers/char/virtio_console.c:523) ? virtio_pci_restore (include/linux/device.h:762 include/linux/pci.h:1957 drivers/virtio/virtio_pci_common.c:469) remove_port_data (arch/x86/include/asm/irqflags.h:45 arch/x86/include/asm/irqflags.h:80 include/linux/spinlock.h:399 drivers/char/virtio_console.c:1499) virtcons_freeze (drivers/char/virtio_console.c:2176 (discriminator 3)) virtio_device_freeze (drivers/virtio/virtio.c:510) virtio_pci_freeze (drivers/virtio/virtio_pci_common.c:474) pci_pm_suspend (drivers/pci/pci-driver.c:811) ? pci_pm_freeze (drivers/pci/pci-driver.c:773) dpm_run_callback (arch/x86/include/asm/atomic.h:29 include/linux/jump_label.h:259 include/linux/jump_label.h:269 include/trace/events/power.h:226 drivers/base/power/main.c:487) ? __suspend_report_result (drivers/base/power/main.c:475) ? dev_pm_disarm_wake_irq (drivers/base/power/main.c:346) __device_suspend (drivers/base/power/main.c:1704) ? async_suspend_late (drivers/base/power/main.c:1607) ? __mutex_unlock_slowpath (kernel/locking/mutex.c:538) ? __kasan_check_write (mm/kasan/shadow.c:38) dpm_suspend (drivers/base/power/main.c:1777) ? pci_pm_resume (drivers/pci/pci-driver.c:704) ? dpm_suspend_end (drivers/base/power/main.c:1755) ? __mutex_lock_slowpath (kernel/locking/mutex.c:282) dpm_suspend_start (drivers/base/power/main.c:1957) suspend_devices_and_enter (kernel/power/suspend.c:494) ? swsusp_check.cold (kernel/printk/printk.c:2291) ? arch_suspend_enable_irqs+0x10/0x10 ? try_to_freeze_tasks.cold (kernel/power/process.c:110) pm_suspend.cold (kernel/power/suspend.c:585 kernel/power/suspend.c:612) state_store (kernel/power/main.c:644) ? kobj_attr_show (lib/kobject.c:823) kobj_attr_store (lib/kobject.c:826) ? __kmalloc (include/linux/kasan.h:234 mm/slub.c:4424) sysfs_kf_write (fs/sysfs/file.c:137) ? __kasan_check_write (mm/kasan/shadow.c:38) kernfs_fop_write_iter (fs/kernfs/file.c:358) vfs_write (fs/read_write.c:492 fs/read_write.c:578) ? 
vfs_read (fs/read_write.c:559) ksys_write (fs/read_write.c:631) ? __ia32_sys_read (fs/read_write.c:621) ? fput (arch/x86/include/asm/atomic64_64.h:118 include/linux/atomic/atomic-long.h:467 include/linux/atomic/atomic-instrumented.h:1814 fs/file_table.c:376) __x64_sys_write (fs/read_write.c:640) ? syscall_exit_to_user_mode (arch/x86/include/asm/atomic.h:29 include/linux/jump_label.h:259 arch/x86/include/asm/nospec-branch.h:384 arch/x86/include/asm/entry-common.h:94 kernel/entry/common.c:133 kernel/entry/common.c:296) do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) RIP: 0033:0x49a257 Code: 64 89 02 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24 All code 0: 64 89 02 mov %eax,%fs:(%rdx) 3: 48 c7 c0 ff ff ff ff mov $0xffffffffffffffff,%rax a: eb bb jmp 0xffffffffffffffc7 c: 0f 1f 80 00 00 00 00 nopl 0x0(%rax) 13: f3 0f 1e fa endbr64 17: 64 8b 04 25 18 00 00 mov %fs:0x18,%eax 1e: 00 1f: 85 c0 test %eax,%eax 21: 75 10 jne 0x33 23: b8 01 00 00 00 mov $0x1,%eax 28: 0f 05 syscall 2a:* 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax <-- trapping instruction 30: 77 51 ja 0x83 32: c3 retq 33: 48 83 ec 28 sub $0x28,%rsp 37: 48 89 54 24 18 mov %rdx,0x18(%rsp) 3c: 48 rex.W 3d: 89 .byte 0x89 3e: 74 24 je 0x64 Code starting with the faulting instruction =========================================== 0: 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax 6: 77 51 ja 0x59 8: c3 retq 9: 48 83 ec 28 sub $0x28,%rsp d: 48 89 54 24 18 mov %rdx,0x18(%rsp) 12: 48 rex.W 13: 89 .byte 0x89 14: 74 24 je 0x3a RSP: 002b:00007ffdf226f738 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 000000000049a257 RDX: 0000000000000004 RSI: 0000000000618e90 RDI: 0000000000000001 RBP: 0000000000618e90 R08: 0000000000618e90 R09: 0000000000000000 R10: 
0000000000000000 R11: 0000000000000246 R12: 0000000000000004 R13: 00000000006168a0 R14: 0000000000609c01 R15: 00007ffdf226f7a0

---[ end trace 0000000000000000 ]--- object pointer: 0x000010ff00000000 general protection fault, probably for non-canonical address 0xdffffe1fe0000000: 0000 [#1] PREEMPT DEBUG_PAGEALLOC KASAN KASAN: probably user-memory-access in range [0x000010ff00000000-0x000010ff00000007] CPU: 0 PID: 79 Comm: sh Tainted: G W 6.0.0-rc2-g1d588de205f8 #1 RIP: 0010:kasan_byte_accessible (mm/kasan/generic.c:194) Code: 89 e5 48 8b 4d 08 e8 fe fd ff ff 5d c3 66 66 2e 0f 1f 84 00 00 00 00 00 90 48 b8 00 00 00 00 00 fc ff df 48 c1 ef 03 48 01 c7 <0f> b6 07 3c 07 0f 96 c0 c3 66 0f 1f 44 00 00 55 48 89 e5 e8 97 11

All code 0: 89 e5 mov %esp,%ebp 2: 48 8b 4d 08 mov 0x8(%rbp),%rcx 6: e8 fe fd ff ff callq 0xfffffffffffffe09 b: 5d pop %rbp c: c3 retq
d: 66 66 2e 0f 1f 84 00 data16 nopw %cs:0x0(%rax,%rax,1) 14: 00 00 00 00 18: 90 nop 19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax 20: fc ff df 23: 48 c1 ef 03 shr $0x3,%rdi 27: 48 01 c7 add %rax,%rdi 2a:* 0f b6 07 movzbl (%rdi),%eax <-- trapping instruction 2d: 3c 07 cmp $0x7,%al 2f: 0f 96 c0 setbe %al 32: c3 retq
33: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1) 39: 55 push %rbp 3a: 48 89 e5 mov %rsp,%rbp 3d: e8 .byte 0xe8 3e: 97 xchg %eax,%edi 3f: 11 .byte 0x11

Code starting with the faulting instruction

0: 0f b6 07 movzbl (%rdi),%eax 3: 3c 07 cmp $0x7,%al 5: 0f 96 c0 setbe %al 8: c3 retq
9: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1) f: 55 push %rbp 10: 48 89 e5 mov %rsp,%rbp 13: e8 .byte 0xe8 14: 97 xchg %eax,%edi 15: 11 .byte 0x11 RSP: 0018:ffffc9000028f6e0 EFLAGS: 00010086 RAX: dffffc0000000000 RBX: 000010ff00000000 RCX: ffff888000000000 RDX: 0000000000000000 RSI: ffffea0000000000 RDI: dffffe1fe0000000 RBP: ffffc9000028f6f8 R08: 0000000000000000 R09: fffffbfff0a40605 R10: ffffffff83a08d70 R11: fffffbfff0a40604 R12: 000010ff00000000 R13: ffffffff820562de R14: ffff888006843688 R15: ffff88802c488858 FS: 00000000006168c0(0000) GS:ffffffff83cac000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000006168a0 CR3: 0000000009988006 CR4: 00000000001706f0 Call Trace:

? __kasan_kfree_large (mm/kasan/common.c:385 mm/kasan/common.c:400) kfree (include/linux/page-flags.h:304 include/linux/mm.h:1248 include/linux/mm.h:1428 include/linux/vmstat.h:595 mm/slub.c:3571 mm/slub.c:4558) free_buf (drivers/char/virtio_console.c:370) discard_port_data (drivers/char/virtio_console.c:523) ? virtio_pci_restore (include/linux/device.h:762 include/linux/pci.h:1957 drivers/virtio/virtio_pci_common.c:469) remove_port_data (arch/x86/include/asm/irqflags.h:45 arch/x86/include/asm/irqflags.h:80 include/linux/spinlock.h:399 drivers/char/virtio_console.c:1499) virtcons_freeze (drivers/char/virtio_console.c:2176 (discriminator 3)) virtio_device_freeze (drivers/virtio/virtio.c:510) virtio_pci_freeze (drivers/virtio/virtio_pci_common.c:474) pci_pm_suspend (drivers/pci/pci-driver.c:811) ? pci_pm_freeze (drivers/pci/pci-driver.c:773) dpm_run_callback (arch/x86/include/asm/atomic.h:29 include/linux/jump_label.h:259 include/linux/jump_label.h:269 include/trace/events/power.h:226 drivers/base/power/main.c:487) ? __suspend_report_result (drivers/base/power/main.c:475) ? dev_pm_disarm_wake_irq (drivers/base/power/main.c:346) __device_suspend (drivers/base/power/main.c:1704) ? async_suspend_late (drivers/base/power/main.c:1607) ? __mutex_unlock_slowpath (kernel/locking/mutex.c:538) ? __kasan_check_write (mm/kasan/shadow.c:38) dpm_suspend (drivers/base/power/main.c:1777) ? pci_pm_resume (drivers/pci/pci-driver.c:704) ? dpm_suspend_end (drivers/base/power/main.c:1755) ? __mutex_lock_slowpath (kernel/locking/mutex.c:282) dpm_suspend_start (drivers/base/power/main.c:1957) suspend_devices_and_enter (kernel/power/suspend.c:494) ? swsusp_check.cold (kernel/printk/printk.c:2291) ? arch_suspend_enable_irqs+0x10/0x10 ? try_to_freeze_tasks.cold (kernel/power/process.c:110) pm_suspend.cold (kernel/power/suspend.c:585 kernel/power/suspend.c:612) state_store (kernel/power/main.c:644) ? kobj_attr_show (lib/kobject.c:823) kobj_attr_store (lib/kobject.c:826) ? 
__kmalloc (include/linux/kasan.h:234 mm/slub.c:4424) sysfs_kf_write (fs/sysfs/file.c:137) ? __kasan_check_write (mm/kasan/shadow.c:38) kernfs_fop_write_iter (fs/kernfs/file.c:358) vfs_write (fs/read_write.c:492 fs/read_write.c:578) ? vfs_read (fs/read_write.c:559) ksys_write (fs/read_write.c:631) ? __ia32_sys_read (fs/read_write.c:621) ? fput (arch/x86/include/asm/atomic64_64.h:118 include/linux/atomic/atomic-long.h:467 include/linux/atomic/atomic-instrumented.h:1814 fs/file_table.c:376) __x64_sys_write (fs/read_write.c:640) ? syscall_exit_to_user_mode (arch/x86/include/asm/atomic.h:29 include/linux/jump_label.h:259 arch/x86/include/asm/nospec-branch.h:384 arch/x86/include/asm/entry-common.h:94 kernel/entry/common.c:133 kernel/entry/common.c:296) do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) RIP: 0033:0x49a257 Code: 64 89 02 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24 All code 0: 64 89 02 mov %eax,%fs:(%rdx) 3: 48 c7 c0 ff ff ff ff mov $0xffffffffffffffff,%rax a: eb bb jmp 0xffffffffffffffc7 c: 0f 1f 80 00 00 00 00 nopl 0x0(%rax) 13: f3 0f 1e fa endbr64 17: 64 8b 04 25 18 00 00 mov %fs:0x18,%eax 1e: 00 1f: 85 c0 test %eax,%eax 21: 75 10 jne 0x33 23: b8 01 00 00 00 mov $0x1,%eax 28: 0f 05 syscall 2a:* 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax <-- trapping instruction 30: 77 51 ja 0x83 32: c3 retq 33: 48 83 ec 28 sub $0x28,%rsp 37: 48 89 54 24 18 mov %rdx,0x18(%rsp) 3c: 48 rex.W 3d: 89 .byte 0x89 3e: 74 24 je 0x64 Code starting with the faulting instruction 0: 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax 6: 77 51 ja 0x59 8: c3 retq 9: 48 83 ec 28 sub $0x28,%rsp d: 48 89 54 24 18 mov %rdx,0x18(%rsp) 12: 48 rex.W 13: 89 .byte 0x89 14: 74 24 je 0x3a RSP: 002b:00007ffdf226f738 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: 
ffffffffffffffda RBX: 0000000000000001 RCX: 000000000049a257 RDX: 0000000000000004 RSI: 0000000000618e90 RDI: 0000000000000001 RBP: 0000000000618e90 R08: 0000000000618e90 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004 R13: 00000000006168a0 R14: 0000000000609c01 R15: 00007ffdf226f7a0

Modules linked in: ---[ end trace 0000000000000000 ]---

ereshetova commented 3 months ago

This one is also a false positive, linked to incorrect fuzzing of virtqueue_get_buf for the virtio console. Closing.