Re: 6.12/BUG: KASAN: slab-use-after-free in m_next at fs/proc/task_mmu.c:187

From: Mikhail Gavrilov
Date: Thu Oct 03 2024 - 17:25:38 EST


On Thu, Oct 3, 2024 at 1:45 AM Mikhail Gavrilov
<mikhail.v.gavrilov@xxxxxxxxx> wrote:
>
> On Wed, Oct 2, 2024 at 10:56 PM Lorenzo Stoakes
> <lorenzo.stoakes@xxxxxxxxxx> wrote:
> > We can reliably repro it with CONFIG_DEBUG_VM_MAPLE_TREE, CONFIG_DEBUG_VM, and
> > CONFIG_DEBUG_MAPLE_TREE set, if you set these you should see a report more
> > quickly (let us know if you do).
>
> mikhail@primary-ws ~/dmesg> cat .config | grep 'CONFIG_DEBUG_VM_MAPLE_TREE'
> # CONFIG_DEBUG_VM_MAPLE_TREE is not set
> mikhail@primary-ws ~/dmesg> cat .config | grep 'CONFIG_DEBUG_VM'
> CONFIG_DEBUG_VM_IRQSOFF=y
> CONFIG_DEBUG_VM=y
> # CONFIG_DEBUG_VM_MAPLE_TREE is not set
> # CONFIG_DEBUG_VM_RB is not set
> CONFIG_DEBUG_VM_PGFLAGS=y
> CONFIG_DEBUG_VM_PGTABLE=y
> mikhail@primary-ws ~/dmesg> cat .config | grep 'CONFIG_DEBUG_MAPLE_TREE'
> # CONFIG_DEBUG_MAPLE_TREE is not set
>
> Fedora's kernel build uses only CONFIG_DEBUG_VM and it's enough for
> reproducing this issue.
> Anyway I enabled all three options. I'll try to live for a day without
> steam launching. In a day I'll write whether it is reproducing without
> steam or not.

A day passed, and as expected, the problem did not occur until I launch Steam.
But with suggested options the stacktrace looks different.
Instead of "KASAN: slab-use-after-free in m_next+0x13b" I see this:

[88841.586167] node00000000b4c54d84: data_end 9 != the last slot offset 8
[88841.586315] BUG at mas_validate_limits:7523 (1)
[88841.586320] maple_tree(0000000067811125) flags 30F, height 3 root
0000000040e0c786
[88841.586324] 0-ffffffffffffffff: node 000000009b462d47 depth 0 type
3 parent 00000000db18456d contents: 10000 11400000 1e000 1f000 1f000
75e15000 0 0 0 ffffffff00283000 | 09 09| 000000005518cec0 67FFFFFF
0000000085840a0a 79970FFF 00000000975349aa 79F50FFF 00000000afe6ddd8
7B140FFF 0000000083c903b1 7BB96FFF 00000000335e109c F605AFFF
000000007e7333d1 F6570FFF 00000000d8e9900e F6C92FFF 00000000250ada8a
F76E1FFF 00000000e567baed
[88841.586357] 0-67ffffff: node 000000005c64e204 depth 1 type 3
parent 0000000069e1180e contents: 10000 0 0 0 0 0 0 0 0 0 | 05 00|
000000000cfac463 16FFFF 00000000f0522fec 400FFF 00000000cd8938b8
94FFFF 00000000d2bcb2e3 E9FFFF 00000000ed8d307e 173FFFF
0000000056285bf1 67FFFFFF 0000000000000000 0 0000000000000000 0
0000000000000000 0 0000000000000000
[88841.586388] 0-16ffff: node 0000000037648f62 depth 2 type 1
parent 00000000978387fd contents: 0000000000000000 FFFF
000000000bc2e123 10FFFF 0000000049345b43 11FFFF 000000008940e7cb
126FFF 000000007c2365c0 12FFFF 00000000cfc1c890 142FFF
00000000b64ae6ea 14FFFF 00000000f8f8f6c9 165FFF 000000008460c3ec
16FFFF 0000000000000000 0 0000000000000000 0 0000000000000000 0
0000000000000000 0 0000000000000000 0 0000000000000000 0
000000009d394510
[88841.586413] 0-ffff: 0000000000000000
[88841.586417] 10000-10ffff: 000000000bc2e123
[88841.586420] 110000-11ffff: 0000000049345b43
[88841.586424] 120000-126fff: 000000008940e7cb
[88841.586428] 127000-12ffff: 000000007c2365c0
[88841.586431] 130000-142fff: 00000000cfc1c890
[88841.586435] 143000-14ffff: 00000000b64ae6ea
[88841.586438] 150000-165fff: 00000000f8f8f6c9
[88841.586442] 166000-16ffff: 000000008460c3ec
[88841.586445] 170000-400fff: node 0000000030a5de34 depth 2 type 1
parent 00000000161b9281 contents: 0000000090f8ff7b 171FFF
00000000a90cdf09 17FFFF 00000000ad657f59 190FFF 0000000026397ca7
19FFFF 000000003413c0f4 1B0FFF 000000000ca6dd7d 1BFFFF
00000000cf83b99b 1CEFFF 0000000096a06890 1CFFFF 00000000ed96cdbd
1E5FFF 00000000e6e9d2cb 1EFFFF 00000000bc54b9f4 1FFFFF
000000006e42b324 3DFFFF 00000000afd4728b 3FFFFF 0000000082572c0c
400FFF 0000000000000000 0 00000000e89e29fc
[88841.586471] 170000-171fff: 0000000090f8ff7b
[88841.586474] 172000-17ffff: 00000000a90cdf09
[88841.586478] 180000-190fff: 00000000ad657f59
[88841.586481] 191000-19ffff: 0000000026397ca7
[88841.586485] 1a0000-1b0fff: 000000003413c0f4
[88841.586511] 1b1000-1bffff: 000000000ca6dd7d
[88841.586515] 1c0000-1cefff: 00000000cf83b99b
[88841.586519] 1cf000-1cffff: 0000000096a06890
[88841.586522] 1d0000-1e5fff: 00000000ed96cdbd
[88841.586526] 1e6000-1effff: 00000000e6e9d2cb
[88841.586529] 1f0000-1fffff: 00000000bc54b9f4
[88841.586533] 200000-3dffff: 000000006e42b324
[88841.586537] 3e0000-3fffff: 00000000afd4728b
[88841.586540] 400000-400fff: 0000000082572c0c
[88841.586544] 401000-94ffff: node 00000000f4ffb374 depth 2 type 1
parent 000000005fb58d4e contents: 000000004eafabe6 403FFF
00000000104e2e73 404FFF 000000004dbe1ca9 406FFF 00000000ffb92c1b
407FFF 00000000cffd3517 409FFF 000000009ef45250 40FFFF
00000000373dd145 410FFF 00000000eaff67b3 50FFFF 000000002e632fe1
511FFF 000000001839285f 60FFFF 0000000043d54299 611FFF
00000000da2961ba 80FFFF 00000000155e68ba 8C9FFF 0000000010bfe63e
8CFFFF 00000000a4834cd3 94FFFF 000000000e628eae
[88841.586569] 401000-403fff: 000000004eafabe6
[88841.586572] 404000-404fff: 00000000104e2e73
[88841.586576] 405000-406fff: 000000004dbe1ca9
[88841.586579] 407000-407fff: 00000000ffb92c1b
[88841.586583] 408000-409fff: 00000000cffd3517
[88841.586586] 40a000-40ffff: 000000009ef45250
[88841.586590] 410000-410fff: 00000000373dd145
[88841.586594] 411000-50ffff: 00000000eaff67b3
[88841.586597] 510000-511fff: 000000002e632fe1
[88841.586601] 512000-60ffff: 000000001839285f
[88841.586604] 610000-611fff: 0000000043d54299
[88841.586608] 612000-80ffff: 00000000da2961ba
[88841.586611] 810000-8c9fff: 00000000155e68ba
[88841.586615] 8ca000-8cffff: 0000000010bfe63e
[88841.586618] 8d0000-94ffff: 00000000a4834cd3
***
[88841.592355] Pass: 3886705433 Run:3886705434
[88841.592359] CPU: 22 UID: 1000 PID: 273842 Comm: rundll32.exe
Tainted: G W L
6.11.0-rc6-13b-f8d112a4e657c65c888e6b8a8435ef61a66e4ab8+ #720
[88841.592364] Tainted: [W]=WARN, [L]=SOFTLOCKUP
[88841.592366] Hardware name: ASUS System Product Name/ROG STRIX
B650E-I GAMING WIFI, BIOS 3040 09/12/2024
[88841.592369] Call Trace:
[88841.592372] <TASK>
[88841.592376] dump_stack_lvl+0x84/0xd0
[88841.592384] mt_validate+0x2932/0x2980
[88841.592397] ? __pfx_mt_validate+0x10/0x10
[88841.592408] validate_mm+0xa5/0x310
[88841.592414] ? __pfx_validate_mm+0x10/0x10
[88841.592427] vms_complete_munmap_vmas+0x572/0x9b0
[88841.592431] ? __pfx_mas_prev+0x10/0x10
[88841.592438] mmap_region+0x10f9/0x24a0
[88841.592447] ? __pfx_mmap_region+0x10/0x10
[88841.592450] ? __pfx_mark_lock+0x10/0x10
[88841.592459] ? mark_lock+0xf5/0x16d0
[88841.592474] ? mm_get_unmapped_area_vmflags+0x48/0xc0
[88841.592482] ? security_mmap_addr+0x57/0x90
[88841.592487] ? __get_unmapped_area+0x191/0x2c0
[88841.592492] do_mmap+0x8cf/0xff0
[88841.592500] ? __pfx_do_mmap+0x10/0x10
[88841.592503] ? down_write_killable+0x19d/0x280
[88841.592506] ? __pfx_down_write_killable+0x10/0x10
[88841.592513] vm_mmap_pgoff+0x178/0x2f0
[88841.592521] ? __pfx_vm_mmap_pgoff+0x10/0x10
[88841.592524] ? lockdep_hardirqs_on+0x7c/0x100
[88841.592528] ? seqcount_lockdep_reader_access.constprop.0+0xa5/0xb0
[88841.592537] __do_fast_syscall_32+0x86/0x110
[88841.592540] ? kfree+0x257/0x3a0
[88841.592547] ? audit_reset_context+0x8c5/0xee0
[88841.592555] ? lockdep_hardirqs_on_prepare+0x171/0x400
[88841.592558] ? __do_fast_syscall_32+0x92/0x110
[88841.592561] ? lockdep_hardirqs_on+0x7c/0x100
[88841.592564] ? __do_fast_syscall_32+0x92/0x110
[88841.592571] ? lockdep_hardirqs_on_prepare+0x171/0x400
[88841.592574] ? __do_fast_syscall_32+0x92/0x110
[88841.592577] ? lockdep_hardirqs_on+0x7c/0x100
[88841.592580] ? __do_fast_syscall_32+0x92/0x110
[88841.592583] ? audit_reset_context+0x8c5/0xee0
[88841.592590] ? lockdep_hardirqs_on_prepare+0x171/0x400
[88841.592593] ? __do_fast_syscall_32+0x92/0x110
[88841.592596] ? lockdep_hardirqs_on+0x7c/0x100
[88841.592600] ? rcu_is_watching+0x12/0xc0
[88841.592603] ? trace_irq_disable.constprop.0+0xce/0x110
[88841.592609] do_fast_syscall_32+0x32/0x80
[88841.592612] entry_SYSCALL_compat_after_hwframe+0x75/0x75
[88841.592616] RIP: 0023:0xf7f3e5a9
[88841.592632] Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08
03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 cd 0f
05 cd 80 <5d> 5a 59 c3 cc 90 90 90 2e 8d b4 26 00 00 00 00 8d b4 26 00
00 00
[88841.592635] RSP: 002b:000000000050f450 EFLAGS: 00000256 ORIG_RAX:
00000000000000c0
[88841.592639] RAX: ffffffffffffffda RBX: 0000000001b90000 RCX: 000000000001f000
[88841.592641] RDX: 0000000000000000 RSI: 0000000000004032 RDI: 00000000ffffffff
[88841.592644] RBP: 0000000000000000 R08: 000000000050f450 R09: 0000000000000000
[88841.592646] R10: 0000000000000000 R11: 0000000000000256 R12: 0000000000000000
[88841.592648] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[88841.592658] </TASK>
[88841.592668] 00000000b4c54d84[9] should not have entry 00000000f0273bd5

Full kernel log attached here below as archive.

--
Best Regards,
Mike Gavrilov.

Attachment: dmesg-6.11.0-rc6-13b-f8d112a4e657c65c888e6b8a8435ef61a66e4ab8.zip
Description: Zip archive