http://bugzilla.suse.com/show_bug.cgi?id=1133616

Bug ID: 1133616
Summary: use after free in list_lru_add
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: CONFIRMED
Severity: Normal
Priority: P5 - None
Component: Kernel
Assignee: jslaby@suse.com
Reporter: jslaby@suse.com
QA Contact: qa-bugs@suse.de
CC: mkoutny@suse.com
Found By: ---
Blocker: ---

On specific hardware, we see a 100 % reproducible crash while booting with a fresh enough systemd. The systemd version matters as it does something special. The crash with a KASAN-enabled kernel:
systemd[1]: Listening on Journal Socket.
==================================================================
BUG: KASAN: slab-out-of-bounds in list_lru_add+0x5ec/0x6a0
Read of size 8 at addr ffff8880c42f0a18 by task (le-setup)/204

CPU: 3 PID: 204 Comm: (le-setup) Not tainted 5.0.9-0.g09ca824-default #1 openSUSE Tumbleweed (unreleased)
Hardware name: Supermicro H8DSP-8/H8DSP-8, BIOS 080011 06/30/2006
Call Trace:
 dump_stack+0x9a/0xf0
 ? list_lru_add+0x5ec/0x6a0
 print_address_description+0x65/0x205
 ? list_lru_add+0x5ec/0x6a0
 ? list_lru_add+0x5ec/0x6a0
 kasan_report.cold.4+0x1a/0x39
 ? list_lru_add+0x5ec/0x6a0
 list_lru_add+0x5ec/0x6a0
 ? each_symbol_section+0x60/0x60
 d_lru_add+0xd4/0x120
 dput.part.27+0x2ba/0x330
 __fput+0x333/0x7c0
 ? _raw_write_lock_irq+0xe0/0xe0
 task_work_run+0x11c/0x190
 exit_to_usermode_loop+0x152/0x170
 do_syscall_64+0x200/0x290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7faa5a7c57b7
Code: ff ff ff ff c3 48 8b 15 df 96 0c 00 f7 d8 64 89 02 b8 ff ff ff ff eb c0 66 2e 0f 1f 84 00 00 00 00 00 90 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 8b 15 b1 96 0c 00 f7 d8 64 89 02 b8
RSP: 002b:00007ffc7e72c8e8 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000556dd36f6fd0 RCX: 00007faa5a7c57b7
RDX: 00007faa5a8907c0 RSI: 0000556dd36f7053 RDI: 0000000000000003
RBP: 00007faa5a8913c0 R08: 0000556dd36f70b0 R09: 00007ffc7e72c715
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
R13: 0000556dd36f90a0 R14: 00007ffc7e72c9ca R15: 0000000000000003

Allocated by task 1:
 __kasan_kmalloc.constprop.14+0xc1/0xd0
 __list_lru_init+0x3cd/0x5e0
 sget_userns+0x65c/0xba0
 kernfs_mount_ns+0x120/0x7f0
 cgroup_do_mount+0x93/0x2e0
 cgroup1_mount+0x335/0x925
 cgroup_mount+0x14a/0x7b0
 mount_fs+0xce/0x304
 vfs_kern_mount.part.33+0x58/0x370
 do_mount+0x390/0x2540
 ksys_mount+0xb6/0xd0
 __x64_sys_mount+0xba/0x150
 do_syscall_64+0xa5/0x290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8880c42f0a00
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 24 bytes inside of
 32-byte region [ffff8880c42f0a00, ffff8880c42f0a20)
The buggy address belongs to the page:
page:ffffea000310bc00 count:1 mapcount:0 mapping:ffff88800fc00900 index:0xffff8880c42f0fc1
flags: 0x9ffff800000200(slab)
raw: 009ffff800000200 ffffea000310ba88 ffffea000310fb88 ffff88800fc00900
raw: ffff8880c42f0fc1 ffff8880c42f0000 000000010000003f 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8880c42f0900: fb fb fb fb fc fc fc fc 00 00 02 fc fc fc fc fc
ffff8880c42f0980: 00 00 fc fc fc fc fc fc 00 00 05 fc fc fc fc fc
ffff8880c42f0a00: 00 00 fc fc fc fc fc fc 00 05 fc fc fc fc fc fc
                           ^
ffff8880c42f0a80: fb fb fb fb fc fc fc fc 00 06 fc fc fc fc fc fc
ffff8880c42f0b00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
==================================================================
This happens at least with kernels 4.12 and 5.0.x.
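For triaging a report like the one above, here is a small added Python helper (not part of the bug report, the kernel or systemd) that decodes the KASAN lines quoted from this bug: it recovers the size kmalloc actually handed out from the shadow bytes, computes the access offset within the slab object and names the poison the access hit. The sample text is the report's own lines copied inline; poison meanings follow the kernel's KASAN shadow values (0xfc kmalloc redzone, 0xfb freed kmalloc object, 0xfa global redzone, 0xfe page redzone, 0xff freed page).

```python
import re

# Sample input: the relevant lines of the KASAN report from this bug, copied inline.
REPORT = """\
BUG: KASAN: slab-out-of-bounds in list_lru_add+0x5ec/0x6a0
Read of size 8 at addr ffff8880c42f0a18 by task (le-setup)/204
The buggy address belongs to the object at ffff8880c42f0a00
 which belongs to the cache kmalloc-32 of size 32
Memory state around the buggy address:
ffff8880c42f0980: 00 00 fc fc fc fc fc fc 00 00 05 fc fc fc fc fc
ffff8880c42f0a00: 00 00 fc fc fc fc fc fc 00 05 fc fc fc fc fc fc
                           ^
ffff8880c42f0a80: fb fb fb fb fc fc fc fc 00 06 fc fc fc fc fc fc
"""

GRANULE = 8               # one shadow byte describes an 8-byte granule of kernel memory
ROW_BYTES = 16 * GRANULE  # each dumped "Memory state" row holds 16 shadow bytes
POISON = {0xfc: "kmalloc redzone (out of bounds)", 0xfb: "freed kmalloc object (use after free)",
          0xfa: "global redzone", 0xfe: "page redzone", 0xff: "freed page"}

def parse_report(text):
    acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", text)
    obj = re.search(r"object at ([0-9a-f]+)\s+which belongs to the cache (\S+) of size (\d+)", text)
    rows = {int(m.group(1), 16): [int(b, 16) for b in m.group(2).split()]
            for m in re.finditer(r"^[> ]*([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", text, re.M)}
    return {"kind": acc.group(1), "size": int(acc.group(2)), "addr": int(acc.group(3), 16),
            "obj": int(obj.group(1), 16), "cache": obj.group(2), "obj_size": int(obj.group(3)),
            "shadow": rows}

def byte_state(shadow, addr):
    """None if addr is addressable according to the shadow dump, else why it is poisoned."""
    v = shadow[addr & ~(ROW_BYTES - 1)][(addr % ROW_BYTES) // GRANULE]
    if v == 0:
        return None
    if v < GRANULE:  # 1..7: only the first v bytes of this granule belong to an allocation
        return None if addr % GRANULE < v else "past end of allocation (out of bounds)"
    return POISON.get(v, "poison 0x%02x" % v)

def triage(text):
    """Relate the faulting access to the slab object and to what kmalloc actually handed out."""
    r = parse_report(text)
    alloc = 0  # walk from the object start until the shadow turns poisoned: the kmalloc'd size
    while alloc < r["obj_size"] and byte_state(r["shadow"], r["obj"] + alloc) is None:
        alloc += 1
    bad = [(a - r["obj"], byte_state(r["shadow"], a))
           for a in range(r["addr"], r["addr"] + r["size"]) if byte_state(r["shadow"], a)]
    return {"kind": r["kind"], "access_offset": r["addr"] - r["obj"], "allocated_bytes": alloc,
            "slab_object_size": r["obj_size"], "first_bad_offset": bad[0][0] if bad else None,
            "reason": bad[0][1] if bad else None}
```

For this report it shows that only 16 of the 32-byte kmalloc-32 object were allocated and the 8-byte read starts at offset 24, i.e. entirely inside the kmalloc redzone, which is why KASAN classifies it as slab-out-of-bounds rather than use-after-free.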