Message-ID: <20211130135447.GB34540@xsang-OptiPlex-9020>
Date:   Tue, 30 Nov 2021 21:54:47 +0800
From:   kernel test robot <oliver.sang@...el.com>
To:     Qu Wenruo <wqu@...e.com>
Cc:     0day robot <lkp@...el.com>, LKML <linux-kernel@...r.kernel.org>,
        lkp@...ts.01.org, linux-btrfs@...r.kernel.org,
        linux-block@...r.kernel.org, dm-devel@...hat.com
Subject: [btrfs]  675923ac06: BUG:KASAN:use-after-free_in__blk_queue_split



Greetings,

FYI, we noticed the following commit (built with gcc-9):

commit: 675923ac0693d080b3b769813cf9ca7f73fc0322 ("[PATCH RFC 09/11] btrfs: remove bio split operations in btrfs_submit_direct()")
url: https://github.com/0day-ci/linux/commits/Qu-Wenruo/btrfs-split-bio-at-btrfs_map_bio-time/20211128-135937
base: https://git.kernel.org/cgit/linux/kernel/git/kdave/linux.git for-next
patch link: https://lore.kernel.org/linux-btrfs/20211128055259.39249-10-wqu@suse.com

in testcase: xfstests
version: xfstests-x86_64-99bc497-1_20211129
with the following parameters:

	disk: 6HDD
	fs: btrfs
	test: btrfs-group-14
	ucode: 0x28

test-description: xfstests is a regression test suite for xfs and other file systems.
test-url: git://git.kernel.org/pub/scm/fs/xfs/xfstests-dev.git


on test machine: 8 threads 1 sockets Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz with 8G memory

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):



If you fix the issue, kindly add the following tag:
Reported-by: kernel test robot <oliver.sang@...el.com>


[ 44.231297][ T118] BUG: KASAN: use-after-free in __blk_queue_split (block/blk-merge.c:289 block/blk-merge.c:357) 
[   44.231305][  T118] Read of size 8 at addr ffff88810b4f8100 by task kworker/u17:0/118
[   44.231308][  T118]
[   44.231310][  T118] CPU: 1 PID: 118 Comm: kworker/u17:0 Not tainted 5.16.0-rc1-00057-g675923ac0693 #1
[   44.231314][  T118] Hardware name: Dell Inc. OptiPlex 9020/0DNKMN, BIOS A05 12/05/2013
[   44.239216][  T335]
[   44.242067][  T118] Workqueue: btrfs-worker-high btrfs_work_helper [btrfs]
[   44.249883][  T335]    ID        SIZE  PATH
[   44.257166][  T118]
[   44.257169][  T118] Call Trace:
[   44.257172][  T118]  <TASK>
[ 44.257173][ T118] dump_stack_lvl (lib/dump_stack.c:107) 
[   44.259361][  T335]
[ 44.268531][ T118] print_address_description+0x21/0x140 
[ 44.268542][ T118] ? __blk_queue_split (block/blk-merge.c:289 block/blk-merge.c:357) 
[   44.277053][  T335]     1   300.00GiB  /dev/sda2
[ 44.278613][ T118] kasan_report.cold (mm/kasan/report.c:434 mm/kasan/report.c:450) 
[   44.285479][  T335]
[ 44.289630][ T118] ? __blk_queue_split (block/blk-merge.c:289 block/blk-merge.c:357) 
[ 44.289637][ T118] __blk_queue_split (block/blk-merge.c:289 block/blk-merge.c:357) 
[ 44.289641][ T118] ? __blk_mq_delay_run_hw_queue (block/blk-mq.c:1806 (discriminator 1) block/blk-mq.c:1869 (discriminator 1)) 
[   44.291854][  T335]
[ 44.294947][ T118] ? bio_attempt_discard_merge (block/blk-merge.c:340) 
[ 44.294955][ T118] ? deadline_dispatch2_stop (block/mq-deadline.c:691) 
[   44.297748][  T335]
[ 44.302077][ T118] ? update_io_ticks (block/blk-core.c:1224) 
[ 44.302087][ T118] blk_mq_submit_bio (block/blk-mq.c:2626) 
[   44.304635][  T335] btrfs-progs v5.15
[ 44.310680][ T118] ? mempool_alloc (mm/mempool.c:392) 
[ 44.310689][ T118] ? blk_mq_try_issue_list_directly (block/blk-mq.c:2612) 
[   44.315664][  T335]
[ 44.320231][ T118] ? mempool_destroy (mm/mempool.c:375) 
[   44.325975][  T335] See http://btrfs.wiki.kernel.org for more information.
[ 44.327097][ T118] ? bio_alloc_bioset (block/bio.c:497) 
[   44.332050][  T335]
[ 44.336812][ T118] submit_bio_noacct (include/linux/bio.h:567 block/blk-core.c:925 block/blk-core.c:950 block/blk-core.c:939) 
[ 44.336819][ T118] ? ktime_get (kernel/time/timekeeping.c:290 kernel/time/timekeeping.c:386 kernel/time/timekeeping.c:829 kernel/time/timekeeping.c:817) 
[   44.342571][  T335]
[ 44.344717][ T118] ? __submit_bio (block/blk-core.c:940) 
[ 44.344725][ T118] ? __bio_clone_fast (include/linux/blk_types.h:225 include/linux/blk-cgroup.h:531 block/bio.c:734) 
[ 44.344731][ T118] btrfs_map_bio (fs/btrfs/volumes.c:6850 fs/btrfs/volumes.c:6917) btrfs
[   44.350377][  T335]
[ 44.355656][ T118] ? update_load_avg (kernel/sched/fair.c:3579 kernel/sched/fair.c:3816) 
[ 44.355664][ T118] ? update_curr (arch/x86/include/asm/preempt.h:80 include/linux/rcupdate.h:68 include/linux/rcupdate.h:686 include/linux/cgroup.h:794 kernel/sched/fair.c:877) 
[   44.358854][  T335] Performing full device TRIM /dev/sda5 (300.00GiB) ...
[ 44.362519][ T118] ? btrfs_map_sblock (fs/btrfs/volumes.c:6881) btrfs
[   44.367386][  T335]
[ 44.371023][ T118] ? _raw_spin_lock_irqsave (arch/x86/include/asm/atomic.h:202 include/linux/atomic/atomic-instrumented.h:513 include/asm-generic/qspinlock.h:82 include/linux/spinlock.h:185 include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162) 
[ 44.371030][ T118] run_one_async_done (fs/btrfs/disk-io.c:831) btrfs
[   44.377101][  T335] NOTE: several default settings have changed in version 5.15, please make sure
[ 44.381705][ T118] ? run_one_async_start (fs/btrfs/disk-io.c:796) btrfs
[   44.383894][  T335]
[ 44.388476][ T118] btrfs_work_helper (fs/btrfs/async-thread.c:258 fs/btrfs/async-thread.c:335) btrfs
[   44.396171][  T335]       this does not affect your deployments:
[ 44.400189][ T118] process_one_work (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:212 include/trace/events/workqueue.h:108 kernel/workqueue.c:2303) 
[   44.402373][  T335]
[ 44.407135][ T118] worker_thread (include/linux/list.h:284 kernel/workqueue.c:2446) 
[ 44.407141][ T118] ? process_one_work (kernel/workqueue.c:2388) 
[   44.411923][  T335]       - DUP for metadata (-m dup)
[ 44.413480][ T118] kthread (kernel/kthread.c:327) 
[   44.418000][  T335]
[ 44.422844][ T118] ? set_kthread_struct (kernel/kthread.c:272) 
[ 44.422850][ T118] ret_from_fork (arch/x86/entry/entry_64.S:301) 
[   44.428781][  T335]       - enabled no-holes (-O no-holes)
[   44.430229][  T118]  </TASK>
[   44.430231][  T118]
[   44.430232][  T118] Allocated by task 2368:
[   44.435095][  T335]
[ 44.439510][ T118] kasan_save_stack (mm/kasan/common.c:38) 
[ 44.439516][ T118] __kasan_slab_alloc (mm/kasan/common.c:46 mm/kasan/common.c:434 mm/kasan/common.c:467) 
[   44.447235][  T335]       - enabled free-space-tree (-R free-space-tree)
[ 44.451652][ T118] kmem_cache_alloc (mm/slab.h:520 mm/slub.c:3234 mm/slub.c:3242 mm/slub.c:3247) 
[   44.453841][  T335]
[ 44.459120][ T118] bvec_alloc (block/bio.c:201) 
[ 44.459124][ T118] bio_alloc_bioset (block/bio.c:481) 
[ 44.459126][ T118] iomap_dio_bio_iter (include/linux/bio.h:371 fs/iomap/direct-io.c:311) 
[   44.464702][  T335]
[ 44.473508][ T118] __iomap_dio_rw (fs/iomap/direct-io.c:433 fs/iomap/direct-io.c:589) 
[ 44.473513][ T118] iomap_dio_rw (fs/iomap/direct-io.c:679) 
[ 44.473517][ T118] btrfs_file_write_iter (fs/btrfs/file.c:1999 fs/btrfs/file.c:2093) btrfs
[   44.479252][  T335]
[ 44.481419][ T118] new_sync_write (fs/read_write.c:504 (discriminator 1)) 
[ 44.481423][ T118] vfs_write (fs/read_write.c:590) 
[ 44.481426][ T118] ksys_pwrite64 (fs/read_write.c:697) 
[ 44.481429][ T118] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) 
[   44.487379][  T335] Label:              (null)
[ 44.492868][ T118] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:113) 
[   44.492874][  T118]
[   44.492875][  T118] Freed by task 0:
[ 44.492878][ T118] kasan_save_stack (mm/kasan/common.c:38) 
[   44.497663][  T335]
[ 44.499827][ T118] kasan_set_track (mm/kasan/common.c:46) 
[ 44.499832][ T118] kasan_set_free_info (mm/kasan/generic.c:372) 
[ 44.499834][ T118] __kasan_slab_free (mm/kasan/common.c:368 mm/kasan/common.c:328 mm/kasan/common.c:374) 
[   44.505205][  T335] UUID:               efe0957a-b115-4c51-b8cd-42bfeb15a87a
[ 44.509199][ T118] kmem_cache_free (mm/slub.c:1749 mm/slub.c:3513 mm/slub.c:3529) 
[ 44.509204][ T118] bio_free (block/bio.c:238) 
[   44.514240][  T335]
[ 44.518134][ T118] btrfs_dio_private_put (fs/btrfs/inode.c:8091 fs/btrfs/inode.c:8070) btrfs
[   44.520811][  T335] Node size:          16384
[ 44.525342][ T118] split_bio_endio (fs/btrfs/extent_io.c:3210) btrfs
[   44.529603][  T335]
[ 44.535053][ T118] btrfs_end_bio (fs/btrfs/volumes.c:5946 fs/btrfs/volumes.c:6666 fs/btrfs/volumes.c:6718) btrfs
[   44.538367][  T335] Sector size:        4096
[ 44.540102][ T118] blk_update_request (block/blk-mq.c:744) 
[ 44.540108][ T118] scsi_end_request (drivers/scsi/scsi_lib.c:543) 
[   44.544287][  T335]
[ 44.546451][ T118] scsi_io_completion (drivers/scsi/scsi_lib.c:939) 
[ 44.546457][ T118] blk_complete_reqs (block/blk-mq.c:890 (discriminator 3)) 
[   44.551490][  T335] Filesystem size:    300.00GiB
[ 44.555649][ T118] __do_softirq (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:212 include/trace/events/irq.h:142 kernel/softirq.c:559) 
[   44.555654][  T118]
[   44.555655][  T118] The buggy address belongs to the object at ffff88810b4f8000
[   44.555655][  T118]  which belongs to the cache biovec-64 of size 1024
[   44.555658][  T118] The buggy address is located 256 bytes inside of
[   44.555658][  T118]  1024-byte region [ffff88810b4f8000, ffff88810b4f8400)
[   44.562340][  T335]
[   44.567009][  T118] The buggy address belongs to the page:
[   44.567010][  T118] page:000000000e7fa944 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10b4f8
[   44.567014][  T118] head:000000000e7fa944 order:3 compound_mapcount:0 compound_pincount:0
[   44.567017][  T118] flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
[   44.569626][  T335] Block group profiles:
[   44.573269][  T118] raw: 0017ffffc0010200 0000000000000000 dead000000000122 ffff888100e12780
[   44.573272][  T118] raw: 0000000000000000 00000000801c001c 00000001ffffffff 0000000000000000
[   44.573273][  T118] page dumped because: kasan: bad access detected
[   44.573275][  T118]
[   44.573276][  T118] Memory state around the buggy address:
[   44.573278][  T118]  ffff88810b4f8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   44.577971][  T335]
[   44.582902][  T118]  ffff88810b4f8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   44.582904][  T118] >ffff88810b4f8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   44.582905][  T118]                    ^
[   44.582907][  T118]  ffff88810b4f8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   44.582909][  T118]  ffff88810b4f8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   44.582911][  T118] ==================================================================
[   44.585982][  T335]   Data:             single            8.00MiB
[   44.589677][  T118] Disabling lock debugging due to kernel taint
[   44.590244][    C5] ------------[ cut here ]------------
[   44.593963][  T335]
[   44.599569][    C5] refcount_t: underflow; use-after-free.


To reproduce:

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        sudo bin/lkp install job.yaml           # job file is attached in this email
        bin/lkp split-job --compatible job.yaml # generate the yaml file for lkp run
        sudo bin/lkp run generated-yaml-file

        # if you come across any failure that blocks the test,
        # please remove the ~/.lkp and /lkp dirs to run from a clean state.



---
0DAY/LKP+ Test Infrastructure                   Open Source Technology Center
https://lists.01.org/hyperkitty/list/lkp@lists.01.org       Intel Corporation

Thanks,
Oliver Sang


View attachment "config-5.16.0-rc1-00057-g675923ac0693" of type "text/plain" (177692 bytes)

View attachment "job-script" of type "text/plain" (5877 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (32100 bytes)

View attachment "xfstests" of type "text/plain" (1976 bytes)

View attachment "job.yaml" of type "text/plain" (4801 bytes)

View attachment "reproduce" of type "text/plain" (1015 bytes)
