multipath-tcp / mptcp_net-next

Development version of the Upstream MultiPath TCP Linux kernel 🐧
https://mptcp.dev

`BUG: KASAN: slab-use-after-free in kernfs_test_super (fs/kernfs/mount.c:286)` #433

Closed matttbe closed 1 year ago

matttbe commented 1 year ago

The public CI just reported the following bug (a KASAN slab-use-after-free hit by `ip` in mount(2) while running the `mptcp/fastopen` packetdrill tests):

+ cd /opt/packetdrill/gtests/net/
+ PYTHONUNBUFFERED=1
+ _tap /tmp/cirrus-ci-build/packetdrill_fastopen ./packetdrill/run_all.py -l -v mptcp/fastopen
+ local out out_subtests tmp fname rc
+ out=/tmp/cirrus-ci-build/packetdrill_fastopen.tap
+ out_subtests=/tmp/cirrus-ci-build/packetdrill_fastopen_subtests.tap
+ shift
+ rm -f /tmp/cirrus-ci-build/packetdrill_fastopen.tap /tmp/cirrus-ci-build/packetdrill_fastopen_subtests.tap
+ tmp=/tmp/cirrus-ci-build/packetdrill_fastopen.tap.tmp
++ basename /tmp/cirrus-ci-build/packetdrill_fastopen.tap
+ fname=packetdrill_fastopen.tap
+ echo 'TAP version 13'
+ echo 1..1
+ tee /tmp/cirrus-ci-build/packetdrill_fastopen.tap
TAP version 13
1..1
+ ./packetdrill/run_all.py -l -v mptcp/fastopen
+ /tmp/cirrus-ci-build/tools/testing/selftests/kselftest/prefix.pl
+ tee /tmp/cirrus-ci-build/packetdrill_fastopen.tap.tmp
[ 1532.009249][T14157] ==================================================================
[1532.014970][T14157] BUG: KASAN: slab-use-after-free in kernfs_test_super (fs/kernfs/mount.c:286) 
[ 1532.020757][T14157] Read of size 8 at addr ffff888012f2ce08 by task ip/14157
[ 1532.025735][T14157] 
[ 1532.027584][T14157] CPU: 3 PID: 14157 Comm: ip Tainted: G                 N 6.5.0-g11e939008329 #1
[ 1532.034058][T14157] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[ 1532.040689][T14157] Call Trace:
[ 1532.043419][T14157]  <TASK>
[1532.045685][T14157] dump_stack_lvl (lib/dump_stack.c:107) 
[1532.049004][T14157] print_address_description.constprop.0 (mm/kasan/report.c:365) 
[1532.053734][T14157] ? kernfs_test_super (fs/kernfs/mount.c:286) 
[1532.057585][T14157] print_report (mm/kasan/report.c:476) 
[1532.060958][T14157] ? kasan_addr_to_slab (arch/x86/include/asm/bitops.h:207) 
[1532.064125][T14157] kasan_report (mm/kasan/report.c:590) 
[1532.067039][T14157] ? kernfs_test_super (fs/kernfs/mount.c:286) 
[1532.070539][T14157] ? kernfs_encode_fh (fs/kernfs/mount.c:282) 
[1532.073791][T14157] kernfs_test_super (fs/kernfs/mount.c:286) 
[1532.077018][T14157] ? kernfs_encode_fh (fs/kernfs/mount.c:282) 
[1532.080224][T14157] sget_fc (fs/super.c:778) 
[1532.082689][T14157] ? kernfs_sop_show_path (fs/kernfs/mount.c:290) 
[1532.086020][T14157] ? kasan_set_track (mm/kasan/common.c:52) 
[1532.089396][T14157] kernfs_get_tree (fs/kernfs/mount.c:337) 
[1532.092244][T14157] ? _raw_spin_unlock (arch/x86/include/asm/preempt.h:95) 
[1532.095085][T14157] sysfs_get_tree (fs/sysfs/mount.c:32) 
[1532.098118][T14157] vfs_get_tree (fs/super.c:1712) 
[1532.101031][T14157] ? ns_capable (kernel/capability.c:362) 
[1532.103598][T14157] do_new_mount (fs/namespace.c:3335) 
[1532.106649][T14157] ? do_add_mount (fs/namespace.c:3296) 
[1532.110018][T14157] ? security_capable (security/security.c:945 (discriminator 13)) 
[1532.113050][T14157] path_mount (fs/namespace.c:3662) 
[1532.115983][T14157] ? user_path_at_empty (fs/namei.c:2914) 
[1532.119256][T14157] ? finish_automount (fs/namespace.c:3589) 
[1532.122492][T14157] __x64_sys_mount (fs/namespace.c:3676) 
[1532.125377][T14157] ? copy_mnt_ns (fs/namespace.c:3861) 
[1532.128134][T14157] do_syscall_64 (arch/x86/entry/common.c:50) 
[1532.130814][T14157] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) 
[ 1532.134309][T14157] RIP: 0033:0x7f3fb77deeae
[ 1532.137065][T14157] Code: 48 8b 0d 85 1f 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 52 1f 0f 00 f7 d8 64 89 01 48
All code
========
   0:   48 8b 0d 85 1f 0f 00    mov    0xf1f85(%rip),%rcx        # 0xf1f8c
   7:   f7 d8                   neg    %eax
   9:   64 89 01                mov    %eax,%fs:(%rcx)
   c:   48 83 c8 ff             or     $0xffffffffffffffff,%rax
  10:   c3                      ret    
  11:   66 2e 0f 1f 84 00 00    cs nopw 0x0(%rax,%rax,1)
  18:   00 00 00 
  1b:   90                      nop
  1c:   f3 0f 1e fa             endbr64 
  20:   49 89 ca                mov    %rcx,%r10
  23:   b8 a5 00 00 00          mov    $0xa5,%eax
  28:   0f 05                   syscall 
  2a:*  48 3d 01 f0 ff ff       cmp    $0xfffffffffffff001,%rax     <-- trapping instruction
  30:   73 01                   jae    0x33
  32:   c3                      ret    
  33:   48 8b 0d 52 1f 0f 00    mov    0xf1f52(%rip),%rcx        # 0xf1f8c
  3a:   f7 d8                   neg    %eax
  3c:   64 89 01                mov    %eax,%fs:(%rcx)
  3f:   48                      rex.W

Code starting with the faulting instruction
===========================================
   0:   48 3d 01 f0 ff ff       cmp    $0xfffffffffffff001,%rax
   6:   73 01                   jae    0x9
   8:   c3                      ret    
   9:   48 8b 0d 52 1f 0f 00    mov    0xf1f52(%rip),%rcx        # 0xf1f62
  10:   f7 d8                   neg    %eax
  12:   64 89 01                mov    %eax,%fs:(%rcx)
  15:   48                      rex.W
[ 1532.148681][T14157] RSP: 002b:00007fffe8f0b668 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 1532.154482][T14157] RAX: ffffffffffffffda RBX: 00005594d772fb1a RCX: 00007f3fb77deeae
[ 1532.159802][T14157] RDX: 00005594d7740a4a RSI: 00005594d7740a45 RDI: 00007fffe8f0fd2d
[ 1532.164935][T14157] RBP: 00005594d7740a45 R08: 0000000000000000 R09: 0000000000000000
[ 1532.169680][T14157] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fffe8f0fd37
[ 1532.174972][T14157] R13: 00007fffe8f0ebb8 R14: 00007fffe8f0fd2d R15: 00007fffe8f0fd22
[ 1532.180384][T14157]  </TASK>
[ 1532.182459][T14157] 
[ 1532.183890][T14157] Allocated by task 14151:
[1532.186549][T14157] kasan_save_stack (mm/kasan/common.c:46) 
[1532.189432][T14157] kasan_set_track (mm/kasan/common.c:52) 
[1532.192183][T14157] __kasan_kmalloc (mm/kasan/common.c:384) 
[1532.195254][T14157] kernfs_get_tree (include/linux/slab.h:582) 
[1532.198517][T14157] sysfs_get_tree (fs/sysfs/mount.c:32) 
[1532.201705][T14157] vfs_get_tree (fs/super.c:1712) 
[1532.204804][T14157] do_new_mount (fs/namespace.c:3335) 
[1532.207595][T14157] path_mount (fs/namespace.c:3662) 
[1532.210446][T14157] __x64_sys_mount (fs/namespace.c:3676) 
[1532.213773][T14157] do_syscall_64 (arch/x86/entry/common.c:50) 
[1532.216511][T14157] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) 
[ 1532.220049][T14157] 
[ 1532.221681][T14157] Freed by task 14151:
[1532.224526][T14157] kasan_save_stack (mm/kasan/common.c:46) 
[1532.227816][T14157] kasan_set_track (mm/kasan/common.c:52) 
[1532.230937][T14157] kasan_save_free_info (mm/kasan/generic.c:524) 
[1532.233951][T14157] ____kasan_slab_free (mm/kasan/common.c:238) 
[1532.237414][T14157] slab_free_freelist_hook (mm/slub.c:1818) 
[1532.241059][T14157] __kmem_cache_free (mm/slub.c:3801) 
[1532.244019][T14157] sysfs_kill_sb (fs/sysfs/mount.c:87) 
[1532.246898][T14157] deactivate_locked_super (fs/super.c:461) 
[1532.250348][T14157] cleanup_mnt (fs/namespace.c:139) 
[1532.253418][T14157] task_work_run (kernel/task_work.c:181 (discriminator 1)) 
[1532.256570][T14157] do_exit (kernel/exit.c:875) 
[1532.259409][T14157] do_group_exit (kernel/exit.c:1005) 
[1532.262362][T14157] __x64_sys_exit_group (kernel/exit.c:1033) 
[1532.265332][T14157] do_syscall_64 (arch/x86/entry/common.c:50) 
[1532.268335][T14157] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) 
[ 1532.272108][T14157] 
[ 1532.273602][T14157] The buggy address belongs to the object at ffff888012f2ce00
[ 1532.273602][T14157]  which belongs to the cache kmalloc-64 of size 64
[ 1532.281683][T14157] The buggy address is located 8 bytes inside of
[ 1532.281683][T14157]  freed 64-byte region [ffff888012f2ce00, ffff888012f2ce40)
[ 1532.289907][T14157] 
[ 1532.291567][T14157] The buggy address belongs to the physical page:
[ 1532.295909][T14157] page:00000000768c766c refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888012f2cf80 pfn:0x12f2c
[ 1532.302812][T14157] anon flags: 0x100000000000200(slab|node=0|zone=1)
[ 1532.306923][T14157] page_type: 0xffffffff()
[ 1532.309845][T14157] raw: 0100000000000200 ffff888001042640 ffffea00001aae40 dead000000000003
[ 1532.315584][T14157] raw: ffff888012f2cf80 000000008020001d 00000001ffffffff 0000000000000000
===========================================
matttbe commented 1 year ago

This does not look like an MPTCP bug, closing for now. The faulting task is `ip` inside mount(2) (`sysfs_get_tree` → `kernfs_get_tree` → `sget_fc` → `kernfs_test_super`), reading a `kmalloc-64` object that was allocated by another task in `kernfs_get_tree` and freed by that same task in `sysfs_kill_sb` (via `cleanup_mnt` from `do_exit`). In other words a new sysfs mount is walking the superblock list while a sysfs superblock from an exiting task is being torn down: a VFS/kernfs superblock lifetime race, nothing in `net/mptcp/` is on any of the three stacks.

(This issue was opened only to track bugs reported by the public CI that affect the results while testing our own patches, so that they are not mistaken for MPTCP regressions.)

matttbe commented 1 year ago

This bug seems easy to reproduce: the export-net branch hit it too, with exactly the same pattern (use in `sget_fc`/`kernfs_test_super` from `ip` in mount(2), object allocated and freed by a different task through `sysfs_kill_sb` at exit). The "Last potentially related work creation" stack in this second report points at an nf_tables RCU callback, which appears to be just the last RCU work recorded for that slab and presumably unrelated to the mount path:

[ 1502.520319][T14140] ==================================================================
[1502.527398][T14140] BUG: KASAN: slab-use-after-free in kernfs_test_super (fs/kernfs/mount.c:286) 
[ 1502.534436][T14140] Read of size 8 at addr ffff88800853aa88 by task ip/14140
[ 1502.541084][T14140] 
[ 1502.543122][T14140] CPU: 1 PID: 14140 Comm: ip Tainted: G                 N 6.5.0-g7088bf643393 #1
[ 1502.550591][T14140] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[ 1502.558322][T14140] Call Trace:
[ 1502.561155][T14140]  <TASK>
[1502.563628][T14140] dump_stack_lvl (lib/dump_stack.c:107) 
[1502.567645][T14140] print_address_description.constprop.0 (mm/kasan/report.c:365) 
[1502.573319][T14140] ? kernfs_test_super (fs/kernfs/mount.c:286) 
[1502.577712][T14140] print_report (mm/kasan/report.c:476) 
[1502.581903][T14140] ? kasan_addr_to_slab (arch/x86/include/asm/bitops.h:207) 
[1502.586379][T14140] kasan_report (mm/kasan/report.c:590) 
[1502.590618][T14140] ? kernfs_test_super (fs/kernfs/mount.c:286) 
[1502.595539][T14140] ? kernfs_encode_fh (fs/kernfs/mount.c:282) 
[1502.599965][T14140] kernfs_test_super (fs/kernfs/mount.c:286) 
[1502.604124][T14140] ? kernfs_encode_fh (fs/kernfs/mount.c:282) 
[1502.608634][T14140] sget_fc (fs/super.c:778) 
[1502.612390][T14140] ? kernfs_sop_show_path (fs/kernfs/mount.c:290) 
[1502.617166][T14140] ? kasan_set_track (mm/kasan/common.c:52) 
[1502.621288][T14140] kernfs_get_tree (fs/kernfs/mount.c:337) 
[1502.625359][T14140] ? _raw_spin_unlock (arch/x86/include/asm/preempt.h:95) 
[1502.629431][T14140] sysfs_get_tree (fs/sysfs/mount.c:32) 
[1502.633411][T14140] vfs_get_tree (fs/super.c:1712) 
[1502.637319][T14140] ? ns_capable (kernel/capability.c:362) 
[1502.641074][T14140] do_new_mount (fs/namespace.c:3335) 
[1502.644983][T14140] ? do_add_mount (fs/namespace.c:3296) 
[1502.649066][T14140] ? security_capable (security/security.c:945 (discriminator 13)) 
[1502.653405][T14140] path_mount (fs/namespace.c:3662) 
[1502.657363][T14140] ? user_path_at_empty (fs/namei.c:2914) 
[1502.661377][T14140] ? finish_automount (fs/namespace.c:3589) 
[1502.665271][T14140] __x64_sys_mount (fs/namespace.c:3676) 
[1502.669846][T14140] ? copy_mnt_ns (fs/namespace.c:3861) 
[1502.673806][T14140] do_syscall_64 (arch/x86/entry/common.c:50) 
[1502.677653][T14140] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) 
[ 1502.682596][T14140] RIP: 0033:0x7fbec04d7eae
[ 1502.686381][T14140] Code: 48 8b 0d 85 1f 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 52 1f 0f 00 f7 d8 64 89 01 48
All code
========
   0:   48 8b 0d 85 1f 0f 00    mov    0xf1f85(%rip),%rcx        # 0xf1f8c
   7:   f7 d8                   neg    %eax
   9:   64 89 01                mov    %eax,%fs:(%rcx)
   c:   48 83 c8 ff             or     $0xffffffffffffffff,%rax
  10:   c3                      ret    
  11:   66 2e 0f 1f 84 00 00    cs nopw 0x0(%rax,%rax,1)
  18:   00 00 00 
  1b:   90                      nop
  1c:   f3 0f 1e fa             endbr64 
  20:   49 89 ca                mov    %rcx,%r10
  23:   b8 a5 00 00 00          mov    $0xa5,%eax
  28:   0f 05                   syscall 
  2a:*  48 3d 01 f0 ff ff       cmp    $0xfffffffffffff001,%rax     <-- trapping instruction
  30:   73 01                   jae    0x33
  32:   c3                      ret    
  33:   48 8b 0d 52 1f 0f 00    mov    0xf1f52(%rip),%rcx        # 0xf1f8c
  3a:   f7 d8                   neg    %eax
  3c:   64 89 01                mov    %eax,%fs:(%rcx)
  3f:   48                      rex.W

Code starting with the faulting instruction
===========================================
   0:   48 3d 01 f0 ff ff       cmp    $0xfffffffffffff001,%rax
   6:   73 01                   jae    0x9
   8:   c3                      ret    
   9:   48 8b 0d 52 1f 0f 00    mov    0xf1f52(%rip),%rcx        # 0xf1f62
  10:   f7 d8                   neg    %eax
  12:   64 89 01                mov    %eax,%fs:(%rcx)
  15:   48                      rex.W
[ 1502.702790][T14140] RSP: 002b:00007ffe03c33328 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 1502.709819][T14140] RAX: ffffffffffffffda RBX: 0000561a01988b1a RCX: 00007fbec04d7eae
[ 1502.716234][T14140] RDX: 0000561a01999a4a RSI: 0000561a01999a45 RDI: 00007ffe03c37e4f
[ 1502.722692][T14140] RBP: 0000561a01999a45 R08: 0000000000000000 R09: 0000000000000000
[ 1502.729362][T14140] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe03c36680
[ 1502.735506][T14140] R13: 0000561a01984020 R14: 00007ffe03c37e4f R15: 00007ffe03c37e48
[ 1502.742037][T14140]  </TASK>
[ 1502.744918][T14140] 
[ 1502.746995][T14140] Allocated by task 14128:
[1502.750851][T14140] kasan_save_stack (mm/kasan/common.c:46) 
[1502.755027][T14140] kasan_set_track (mm/kasan/common.c:52) 
[1502.759331][T14140] __kasan_kmalloc (mm/kasan/common.c:384) 
[1502.763380][T14140] kernfs_get_tree (include/linux/slab.h:582) 
[1502.767417][T14140] sysfs_get_tree (fs/sysfs/mount.c:32) 
[1502.771271][T14140] vfs_get_tree (fs/super.c:1712) 
[1502.775134][T14140] do_new_mount (fs/namespace.c:3335) 
[1502.779247][T14140] path_mount (fs/namespace.c:3662) 
[1502.783143][T14140] __x64_sys_mount (fs/namespace.c:3676) 
[1502.787832][T14140] do_syscall_64 (arch/x86/entry/common.c:50) 
[1502.791680][T14140] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) 
[ 1502.796807][T14140] 
[ 1502.798986][T14140] Freed by task 14128:
[1502.802368][T14140] kasan_save_stack (mm/kasan/common.c:46) 
[1502.806474][T14140] kasan_set_track (mm/kasan/common.c:52) 
[1502.810442][T14140] kasan_save_free_info (mm/kasan/generic.c:524) 
[1502.814751][T14140] ____kasan_slab_free (mm/kasan/common.c:238) 
[1502.819413][T14140] slab_free_freelist_hook (mm/slub.c:1818) 
[1502.823676][T14140] __kmem_cache_free (mm/slub.c:3801) 
[1502.827932][T14140] sysfs_kill_sb (fs/sysfs/mount.c:87) 
[1502.831531][T14140] deactivate_locked_super (fs/super.c:461) 
[1502.836323][T14140] cleanup_mnt (fs/namespace.c:139) 
[1502.840232][T14140] task_work_run (kernel/task_work.c:181 (discriminator 1)) 
[1502.843986][T14140] do_exit (kernel/exit.c:875) 
[1502.847377][T14140] do_group_exit (kernel/exit.c:1005) 
[1502.851029][T14140] __x64_sys_exit_group (kernel/exit.c:1033) 
[1502.855401][T14140] do_syscall_64 (arch/x86/entry/common.c:50) 
[1502.859259][T14140] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) 
[ 1502.864303][T14140] 
[ 1502.866468][T14140] Last potentially related work creation:
[1502.871587][T14140] kasan_save_stack (mm/kasan/common.c:46) 
[1502.875716][T14140] __kasan_record_aux_stack (mm/kasan/generic.c:492) 
[1502.880531][T14140] __call_rcu_common.constprop.0 (arch/x86/include/asm/irqflags.h:26) 
[1502.885671][T14140] nf_unregister_net_hook (net/netfilter/core.c:536) 
[1502.890273][T14140] __nf_tables_abort+0x1843/0x2e30 nf_tables]
[1502.896320][T14140] nf_tables_abort+0x73/0xd0 nf_tables]
[1502.901484][T14140] nfnetlink_rcv_batch (net/netfilter/nfnetlink.c:564) 
[1502.905883][T14140] nfnetlink_rcv (net/netfilter/nfnetlink.c:639) 
[1502.909716][T14140] netlink_unicast (net/netlink/af_netlink.c:1343) 
[1502.913569][T14140] netlink_sendmsg (net/netlink/af_netlink.c:1910) 
==========================================
matttbe commented 1 year ago

From what I read, this has already been reported on lore (the link to the original report did not survive in this copy), and it should be fixed by this VFS superblock series: https://lore.kernel.org/all/20230828-vfs-super-fixes-v1-0-b37a4a04a88f@kernel.org/

matttbe commented 1 year ago

It should be fixed by this series: https://lore.kernel.org/all/20230828-vfs-super-fixes-v1-0-b37a4a04a88f@kernel.org/

I just applied this series on top of our trees so that our CI is no longer impacted by these external issues (the kernel under test is then no longer a pure upstream net-next, which is worth remembering when comparing results):

New patches for t/upstream-net and t/upstream:

Tests are now in progress:

https://cirrus-ci.com/github/multipath-tcp/mptcp_net-next/export-net/20230831T090704 https://cirrus-ci.com/github/multipath-tcp/mptcp_net-next/export/20230831T090704

Cheers, Matt