[RFC PATCH v1 0/1] possible regression in the mm_types

From: Vincenzo Palazzo
Date: Sun Mar 12 2023 - 18:42:07 EST


While I was testing the last rc1 version on my build machine
I noticed that I was not able to build my nvidia driver and
also the vboxhost/7.0.6_OSE driver while I was building [1].

So I noticed that this change was introduced in 6.3-rc1
and proposed by [2]. However, I think I may be missing something
important around this change: there may be some motivation to
have the `const` constraint here,
and this change needs to be done in the out-of-tree driver
(this is the reason for the RFC) and not in the kernel itself.

Therefore, with the current patch I was able to build and run
all the drivers mentioned, and before sending the email
I also tested with linux-next whether the bug persists, and it does.

Except for the nvidia driver, which has this double-free exception,
but I guess it is unrelated.

[1] https://github.com/linux-kdevops/linux-kdevops
[2] https://lore.kernel.org/all/20230126193752.297968-3-surenb@xxxxxxxxxx/T/#u

----
[Mar11 18:59] ==================================================================
[ +0.000008] BUG: KASAN: slab-use-after-free in nv_match_dev_state+0x74/0xa0 [nvidia]
[ +0.001054] Read of size 8 at addr ffff88810dae4b38 by task cinnamon/791

[ +0.000007] CPU: 6 PID: 791 Comm: cinnamon Tainted: P OE 6.3.0-rc1-vincenzopalazzo-ge208f19e7da1-dirty #2 d6f374db04afea9926e4fb922b3f0658d8f082d0
[ +0.000005] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./H97M Pro4, BIOS P1.20 07/29/2014
[ +0.000003] Call Trace:
[ +0.000003] <TASK>
[ +0.000002] dump_stack_lvl+0x47/0x60
[ +0.000007] print_report+0xcf/0x660
[ +0.000006] ? __virt_addr_valid+0xf8/0x180
[ +0.000006] ? nv_match_dev_state+0x74/0xa0 [nvidia a203532645cde567719e13f62d588b43ee43cdbf]
[ +0.001048] kasan_report+0xc9/0x100
[ +0.000006] ? nv_match_dev_state+0x74/0xa0 [nvidia a203532645cde567719e13f62d588b43ee43cdbf]
[ +0.001045] nv_match_dev_state+0x74/0xa0 [nvidia a203532645cde567719e13f62d588b43ee43cdbf]
[ +0.001036] ? __pfx_nv_match_dev_state+0x10/0x10 [nvidia a203532645cde567719e13f62d588b43ee43cdbf]
[ +0.001043] iterate_fd+0x89/0xd0
[ +0.000007] nv_is_gpu_accessible+0x48/0x60 [nvidia a203532645cde567719e13f62d588b43ee43cdbf]
[ +0.001046] _nv017347rm+0x24b/0x490 [nvidia a203532645cde567719e13f62d588b43ee43cdbf]
[ +0.001173] _nv002227rm+0x4e/0x70 [nvidia a203532645cde567719e13f62d588b43ee43cdbf]
[ +0.001075] _nv003800rm+0x7a/0xd0 [nvidia a203532645cde567719e13f62d588b43ee43cdbf]
[ +0.001076] _nv003495rm+0x4c/0x70 [nvidia a203532645cde567719e13f62d588b43ee43cdbf]
[ +0.001096] _nv039310rm+0x8c/0x160 [nvidia a203532645cde567719e13f62d588b43ee43cdbf]
[ +0.001059] _nv009851rm+0x259/0x520 [nvidia a203532645cde567719e13f62d588b43ee43cdbf]
[ +0.001088] _nv041137rm+0x40a/0x830 [nvidia a203532645cde567719e13f62d588b43ee43cdbf]
[ +0.001056] _nv041135rm+0x29d/0x2b0 [nvidia a203532645cde567719e13f62d588b43ee43cdbf]
[ +0.001091] _nv039423rm+0x15a/0x2e0 [nvidia a203532645cde567719e13f62d588b43ee43cdbf]
[ +0.001051] _nv039424rm+0x5b/0x90 [nvidia a203532645cde567719e13f62d588b43ee43cdbf]
[ +0.001066] ? _nv039424rm+0x31/0x90 [nvidia a203532645cde567719e13f62d588b43ee43cdbf]
[ +0.001051] ? cap_capable+0xaf/0xe0
[ +0.000006] _nv000559rm+0x5a/0x70 [nvidia a203532645cde567719e13f62d588b43ee43cdbf]
[ +0.001071] ? _nv000559rm+0x33/0x70 [nvidia a203532645cde567719e13f62d588b43ee43cdbf]
[ +0.001076] _nv000694rm+0x94a/0xc80 [nvidia a203532645cde567719e13f62d588b43ee43cdbf]
[ +0.001056] rm_ioctl+0x54/0xb0 [nvidia a203532645cde567719e13f62d588b43ee43cdbf]
[ +0.001051] nvidia_ioctl+0xaa3/0xd90 [nvidia a203532645cde567719e13f62d588b43ee43cdbf]
[ +0.001027] ? __pfx_nvidia_ioctl+0x10/0x10 [nvidia a203532645cde567719e13f62d588b43ee43cdbf]
[ +0.001023] ? __rcu_read_unlock+0x4c/0x70
[ +0.000005] nvidia_frontend_unlocked_ioctl+0x82/0xb0 [nvidia a203532645cde567719e13f62d588b43ee43cdbf]
[ +0.001042] __x64_sys_ioctl+0xc3/0x100
[ +0.000005] do_syscall_64+0x5f/0x90
[ +0.000006] ? __x64_sys_ioctl+0xdb/0x100
[ +0.000004] ? syscall_exit_to_user_mode+0x1b/0x40
[ +0.000005] ? do_syscall_64+0x6b/0x90
[ +0.000004] ? syscall_exit_to_user_mode+0x1b/0x40
[ +0.000004] ? do_syscall_64+0x6b/0x90
[ +0.000004] ? syscall_exit_to_user_mode+0x1b/0x40
[ +0.000004] ? syscall_exit_to_user_mode+0x1b/0x40
[ +0.000004] ? do_syscall_64+0x6b/0x90
[ +0.000004] ? do_syscall_64+0x6b/0x90
[ +0.000003] ? exc_page_fault+0x5e/0xd0
[ +0.000005] entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ +0.000006] RIP: 0033:0x7fb3d2b9453f
[ +0.000004] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 18 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ +0.000003] RSP: 002b:00007ffd30cd2f60 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ +0.000005] RAX: ffffffffffffffda RBX: 0000000000000028 RCX: 00007fb3d2b9453f
[ +0.000003] RDX: 00007ffd30cd30c0 RSI: 00000000c028462b RDI: 000000000000000c
[ +0.000003] RBP: 00007ffd30cd30c0 R08: 00007ffd30cd30c0 R09: 00007ffd30cd30e4
[ +0.000003] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000c
[ +0.000002] R13: 00000000c028462b R14: 000000000000002b R15: 00007ffd30cd2fc0
[ +0.000005] </TASK>

[ +0.000004] Allocated by task 791:
[ +0.000002] kasan_save_stack+0x33/0x60
[ +0.000005] kasan_set_track+0x25/0x30
[ +0.000004] __kasan_kmalloc+0xaa/0xb0
[ +0.000004] __kmalloc+0x5e/0xd0
[ +0.000003] os_alloc_mem+0x11a/0x140 [nvidia]
[ +0.001050] _nv012306rm+0x23/0x30 [nvidia]
[ +0.001089] _nv012307rm+0x27/0xe0 [nvidia]
[ +0.001086] _nv013141rm+0x1b/0x90 [nvidia]
[ +0.001090] _nv043333rm+0x65/0xb0 [nvidia]
[ +0.001100] _nv039461rm+0xf9/0x1d0 [nvidia]
[ +0.001070] _nv041190rm+0x45/0xd0 [nvidia]
[ +0.001064] _nv041135rm+0x142/0x2b0 [nvidia]
[ +0.001093] _nv039423rm+0x15a/0x2e0 [nvidia]
[ +0.001062] _nv039424rm+0x5b/0x90 [nvidia]
[ +0.001056] _nv000560rm+0x59/0x70 [nvidia]
[ +0.001065] _nv000694rm+0x4ae/0xc80 [nvidia]
[ +0.001051] rm_ioctl+0x54/0xb0 [nvidia]
[ +0.001050] nvidia_ioctl+0xaa3/0xd90 [nvidia]
[ +0.001026] nvidia_frontend_unlocked_ioctl+0x82/0xb0 [nvidia]
[ +0.001028] __x64_sys_ioctl+0xc3/0x100
[ +0.000003] do_syscall_64+0x5f/0x90
[ +0.000003] entry_SYSCALL_64_after_hwframe+0x72/0xdc

[ +0.000006] Freed by task 791:
[ +0.000002] kasan_save_stack+0x33/0x60
[ +0.000004] kasan_set_track+0x25/0x30
[ +0.000004] kasan_save_free_info+0x2e/0x50
[ +0.000004] ____kasan_slab_free+0x169/0x1c0
[ +0.000004] slab_free_freelist_hook+0xcd/0x190
[ +0.000003] __kmem_cache_free+0x1a6/0x2f0
[ +0.000004] _nv013138rm+0xbe/0x100 [nvidia]
[ +0.001087] _nv039463rm+0xa7/0xe0 [nvidia]
[ +0.001055] _nv041189rm+0x45/0x60 [nvidia]
[ +0.001049] _nv041135rm+0xbb/0x2b0 [nvidia]
[ +0.001086] _nv039423rm+0x15a/0x2e0 [nvidia]
[ +0.001062] _nv039424rm+0x5b/0x90 [nvidia]
[ +0.001056] _nv000560rm+0x59/0x70 [nvidia]
[ +0.001065] _nv000694rm+0x4ae/0xc80 [nvidia]
[ +0.001060] rm_ioctl+0x54/0xb0 [nvidia]
[ +0.001050] nvidia_ioctl+0xaa3/0xd90 [nvidia]
[ +0.001020] nvidia_frontend_unlocked_ioctl+0x82/0xb0 [nvidia]
[ +0.001038] __x64_sys_ioctl+0xc3/0x100
[ +0.000004] do_syscall_64+0x5f/0x90
[ +0.000003] entry_SYSCALL_64_after_hwframe+0x72/0xdc

[ +0.000005] Last potentially related work creation:
[ +0.000002] kasan_save_stack+0x33/0x60
[ +0.000004] __kasan_record_aux_stack+0xb6/0xd0
[ +0.000004] kvfree_call_rcu+0x7c/0x530
[ +0.000003] kernfs_unlink_open_file+0x1ac/0x1c0
[ +0.000005] kernfs_fop_release+0x6f/0x160
[ +0.000003] __fput+0x10c/0x420
[ +0.000004] task_work_run+0xfc/0x170
[ +0.000006] exit_to_user_mode_prepare+0x1a7/0x1d0
[ +0.000006] syscall_exit_to_user_mode+0x1b/0x40
[ +0.000003] do_syscall_64+0x6b/0x90
[ +0.000003] entry_SYSCALL_64_after_hwframe+0x72/0xdc

[ +0.000005] The buggy address belongs to the object at ffff88810dae4b00
which belongs to the cache kmalloc-96 of size 96
[ +0.000004] The buggy address is located 56 bytes inside of
freed 96-byte region [ffff88810dae4b00, ffff88810dae4b60)

[ +0.000005] The buggy address belongs to the physical page:
[ +0.000002] page:00000000b6b0fdcc refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10dae4
[ +0.000004] anon flags: 0x2ffff0000000200(slab|node=0|zone=2|lastcpupid=0xffff)
[ +0.000006] raw: 02ffff0000000200 ffff888100042780 0000000000000000 dead000000000001
[ +0.000003] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
[ +0.000002] page dumped because: kasan: bad access detected

[ +0.000003] Memory state around the buggy address:
[ +0.000002] ffff88810dae4a00: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
[ +0.000003] ffff88810dae4a80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
[ +0.000003] >ffff88810dae4b00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ +0.000002] ^
[ +0.000003] ffff88810dae4b80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ +0.000003] ffff88810dae4c00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ +0.000002] ==================================================================

Vincenzo Palazzo (1):
linux: mm_types: allow modifying the vm_flags in vm_area_struct

include/linux/mm_types.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--
2.39.2
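As an added illustration, not part of Vincenzo's mail or of either patch: a stand-alone user-space C model of the pattern 6.3-rc1 adopts for vm_area_struct::vm_flags (a const view aliased by a private writable field, modified only through helpers such as vm_flags_set()/vm_flags_clear() that assert the mmap write lock), and what the corresponding change looks like in an out-of-tree driver's mmap handler. The struct layout, the boolean lock flag and the VM_* values are simplified stand-ins, not the kernel's definitions.

```c
/* Added user-space model, not kernel code: vm_flags as a const view over a private
 * alias, the pattern 6.3-rc1 adopts; the lock check and VM_* bits are stand-ins. */
#include <stdbool.h>
#include <stdint.h>

typedef uint64_t vm_flags_t;

#define VM_READ   0x00000001UL /* constructed values; real bits are in include/linux/mm.h */
#define VM_PFNMAP 0x00000400UL
#define VM_IO     0x00004000UL

struct vm_area_struct {
    bool mmap_write_locked;        /* stand-in for mmap_assert_write_locked() */
    union {
        const vm_flags_t vm_flags; /* read-only view: `vma->vm_flags |= X` no longer compiles */
        vm_flags_t __vm_flags;     /* private alias, written only by the helpers below */
    };
};

/* All writes funnel through helpers that check the mmap write lock, so an
 * unlocked flag change is caught; returning false stands for a lockdep splat. */
static inline bool vm_flags_set(struct vm_area_struct *vma, vm_flags_t flags)
{
    if (!vma->mmap_write_locked)
        return false;
    vma->__vm_flags |= flags;
    return true;
}

static inline bool vm_flags_clear(struct vm_area_struct *vma, vm_flags_t flags)
{
    if (!vma->mmap_write_locked)
        return false;
    vma->__vm_flags &= ~flags;
    return true;
}

/* Out-of-tree driver mmap handler after porting: the pre-6.3 statement
 * `vma->vm_flags |= VM_IO | VM_PFNMAP;` becomes a helper call. */
static vm_flags_t driver_mmap(struct vm_area_struct *vma)
{
    vm_flags_set(vma, VM_IO | VM_PFNMAP);
    return vma->vm_flags;          /* reading through the const view is still fine */
}

int main(void)
{
    struct vm_area_struct vma = { .mmap_write_locked = true, .__vm_flags = VM_READ };
    return driver_mmap(&vma) == (VM_READ | VM_IO | VM_PFNMAP) ? 0 : 1; /* 0 = flags set as expected */
}
```

Uncommenting a direct `vma->vm_flags |= VM_IO;` in driver_mmap() reproduces the build break the mail reports, which is the compile-time guard the const view is there to provide.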