Message-ID: <20220224150326.GB22978@xsang-OptiPlex-9020>
Date:   Thu, 24 Feb 2022 23:03:26 +0800
From:   kernel test robot <oliver.sang@...el.com>
To:     Josef Bacik <josef@...icpanda.com>
Cc:     0day robot <lkp@...el.com>, LKML <linux-kernel@...r.kernel.org>,
        lkp@...ts.01.org, linux-btrfs@...r.kernel.org, kernel-team@...com
Subject: [btrfs]  0ac06c96a6: BUG:KASAN:use-after-free_in_btrfs_drop_snapshot



Greetings,

FYI, we noticed the following commit (built with gcc-9):

commit: 0ac06c96a62d33b94c264c6df6562e8c69942d6b ("[PATCH v2 1/3] btrfs: do not start relocation until in progress drops are done")
url: https://github.com/0day-ci/linux/commits/Josef-Bacik/btrfs-fix-problem-with-balance-recovery-and-snap-delete/20220220-181947
base: https://git.kernel.org/cgit/linux/kernel/git/kdave/linux.git for-next
patch link: https://lore.kernel.org/linux-btrfs/78d6f8e496b367fc520549ab00465cbd704ea22f.1645214059.git.josef@toxicpanda.com

in testcase: xfstests
version: xfstests-x86_64-1de1db8-1_20220217
with the following parameters:

	disk: 6HDD
	fs: btrfs
	test: btrfs-group-21
	ucode: 0x28

test-description: xfstests is a regression test suite for xfs and other file systems.
test-url: git://git.kernel.org/pub/scm/fs/xfs/xfstests-dev.git


on test machine: 8 threads 1 sockets Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz with 8G memory

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):



If you fix the issue, kindly add the following tag
Reported-by: kernel test robot <oliver.sang@...el.com>



[   78.855835][ T9578] ==================================================================
[   78.863642][ T9578] BUG: KASAN: use-after-free in btrfs_drop_snapshot+0x1299/0x19c0 [btrfs]
[   78.871945][ T9578] Read of size 8 at addr ffff88810acc1038 by task btrfs/9578
[   78.879066][ T9578]
[   78.881220][ T9578] CPU: 0 PID: 9578 Comm: btrfs Not tainted 5.17.0-rc4-00117-g0ac06c96a62d #1
[   78.889709][ T9578] Hardware name: Dell Inc. OptiPlex 9020/0DNKMN, BIOS A05 12/05/2013
[   78.897512][ T9578] Call Trace:
[   78.900607][ T9578]  <TASK>
[   78.903358][ T9578]  dump_stack_lvl+0x34/0x44
[   78.907656][ T9578]  print_address_description+0x21/0x180
[   78.914007][ T9578]  ? btrfs_drop_snapshot+0x1299/0x19c0 [btrfs]
[   78.919979][ T9578]  kasan_report.cold+0x7f/0x11b
[   78.924616][ T9578]  ? btrfs_drop_snapshot+0x1299/0x19c0 [btrfs]
[   78.930581][ T9578]  kasan_check_range+0x14d/0x200
[   78.935303][ T9578]  btrfs_drop_snapshot+0x1299/0x19c0 [btrfs]
[   78.941094][ T9578]  ? btrfs_commit_transaction+0x1bf1/0x3040 [btrfs]
[   78.947487][ T9578]  ? btrfs_alloc_tree_block+0x780/0x780 [btrfs]
[   78.953532][ T9578]  ? join_transaction+0x26e/0xec0 [btrfs]
[   78.959064][ T9578]  ? btrfs_apply_pending_changes+0x80/0x80 [btrfs]
[   78.965365][ T9578]  ? btrfs_record_root_in_trans+0x4d/0x180 [btrfs]
[   78.971670][ T9578]  clean_dirty_subvols+0x19f/0x400 [btrfs]
[   78.977301][ T9578]  relocate_block_group+0x732/0xb40 [btrfs]
[   78.983015][ T9578]  ? merge_reloc_roots+0x7c0/0x7c0 [btrfs]
[   78.988645][ T9578]  ? mutex_lock+0x80/0x100
[   78.992851][ T9578]  ? __mutex_lock_slowpath+0x40/0x40
[   78.997917][ T9578]  btrfs_relocate_block_group+0x46e/0xac0 [btrfs]
[   79.004143][ T9578]  ? block_group_cache_tree_search+0x156/0x300 [btrfs]
[   79.010802][ T9578]  btrfs_relocate_chunk+0xe1/0x280 [btrfs]
[   79.016428][ T9578]  __btrfs_balance+0x8ef/0x1b00 [btrfs]
[   79.021795][ T9578]  ? describe_balance_start_or_resume.cold+0x91/0xa0 [btrfs]
[   79.028967][ T9578]  ? btrfs_relocate_chunk+0x280/0x280 [btrfs]
[   79.034848][ T9578]  ? mutex_unlock+0x80/0x100
[   79.039226][ T9578]  ? __mutex_unlock_slowpath+0x300/0x300
[   79.045235][ T9578]  ? __raw_callee_save___native_queued_spin_unlock+0x11/0x1e
[   79.052355][ T9578]  btrfs_balance+0xc65/0x17c0 [btrfs]
[   79.057553][ T9578]  btrfs_ioctl_balance+0x457/0x600 [btrfs]
[   79.063179][ T9578]  btrfs_ioctl+0x25f5/0x5200 [btrfs]
[   79.068291][ T9578]  ? folio_add_lru+0x4d/0x80
[   79.072672][ T9578]  ? do_anonymous_page+0x81c/0xfc0
[   79.077566][ T9578]  ? btrfs_ioctl_get_supported_features+0x40/0x40 [btrfs]
[   79.084473][ T9578]  ? __handle_mm_fault+0x1259/0x1640
[   79.089538][ T9578]  ? fiemap_prep+0x200/0x200
[   79.093919][ T9578]  ? copy_page_range+0x1040/0x1040
[   79.098813][ T9578]  ? userfaultfd_unmap_prep+0x440/0x440
[   79.104136][ T9578]  ? handle_mm_fault+0x1be/0x6c0
[   79.108858][ T9578]  ? __fget_light+0x57/0x540
[   79.113239][ T9578]  ? up_read+0x15/0xc0
[   79.117109][ T9578]  ? do_user_addr_fault+0x320/0xd80
[   79.122089][ T9578]  __x64_sys_ioctl+0x127/0x1c0
[   79.126643][ T9578]  do_syscall_64+0x3b/0xc0
[   79.130854][ T9578]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   79.136518][ T9578] RIP: 0033:0x7f5d5b9cb427
[   79.140729][ T9578] Code: 00 00 90 48 8b 05 69 aa 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 39 aa 0c 00 f7 d8 64 89 01 48
[   79.159913][ T9578] RSP: 002b:00007ffd2e638178 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
[   79.168061][ T9578] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f5d5b9cb427
[   79.175777][ T9578] RDX: 00007ffd2e638208 RSI: 00000000c4009420 RDI: 0000000000000004
[   79.183493][ T9578] RBP: 00007ffd2e638208 R08: 0000000000000003 R09: 0000000000000078
[   79.191208][ T9578] R10: fffffffffffffa4a R11: 0000000000000206 R12: 0000000000000004
[   79.198924][ T9578] R13: 00007ffd2e63a91b R14: 0000000000000001 R15: 0000000000000000
[   79.206639][ T9578]  </TASK>
[   79.209487][ T9578]
[   79.211641][ T9578] Allocated by task 9578:
[   79.215763][ T9578]  kasan_save_stack+0x1e/0x40
[   79.220228][ T9578]  __kasan_kmalloc+0x81/0xc0
[   79.224610][ T9578]  btrfs_alloc_root+0x4f/0xf80 [btrfs]
[   79.229879][ T9578]  read_tree_root_path+0xb4/0x3c0 [btrfs]
[   79.235404][ T9578]  btrfs_read_tree_root+0x34/0x80 [btrfs]
[   79.240944][ T9578]  create_reloc_root+0x49e/0xb40 [btrfs]
[   79.246395][ T9578]  btrfs_init_reloc_root+0x3f1/0x540 [btrfs]
[   79.252198][ T9578]  record_root_in_trans+0x25b/0x340 [btrfs]
[   79.257896][ T9578]  btrfs_record_root_in_trans+0xda/0x180 [btrfs]
[   79.264021][ T9578]  relocate_tree_blocks+0xa51/0x1600 [btrfs]
[   79.269815][ T9578]  relocate_block_group+0x4b0/0xb40 [btrfs]
[   79.275519][ T9578]  btrfs_relocate_block_group+0x46e/0xac0 [btrfs]
[   79.281741][ T9578]  btrfs_relocate_chunk+0xe1/0x280 [btrfs]
[   79.287359][ T9578]  __btrfs_balance+0x8ef/0x1b00 [btrfs]
[   79.292722][ T9578]  btrfs_balance+0xc65/0x17c0 [btrfs]
[   79.297910][ T9578]  btrfs_ioctl_balance+0x457/0x600 [btrfs]
[   79.303530][ T9578]  btrfs_ioctl+0x25f5/0x5200 [btrfs]
[   79.308632][ T9578]  __x64_sys_ioctl+0x127/0x1c0
[   79.313186][ T9578]  do_syscall_64+0x3b/0xc0
[   79.317395][ T9578]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   79.323059][ T9578]
[   79.325210][ T9578] Freed by task 9578:
[   79.328991][ T9578]  kasan_save_stack+0x1e/0x40
[   79.333464][ T9578]  kasan_set_track+0x21/0x40
[   79.337844][ T9578]  kasan_set_free_info+0x20/0x40
[   79.342567][ T9578]  __kasan_slab_free+0xf9/0x140
[   79.347203][ T9578]  kfree+0x8e/0x400
[   79.350814][ T9578]  btrfs_drop_snapshot+0x12e7/0x19c0 [btrfs]
[   79.356596][ T9578]  clean_dirty_subvols+0x19f/0x400 [btrfs]
[   79.362217][ T9578]  relocate_block_group+0x732/0xb40 [btrfs]
[   79.367929][ T9578]  btrfs_relocate_block_group+0x46e/0xac0 [btrfs]
[   79.374149][ T9578]  btrfs_relocate_chunk+0xe1/0x280 [btrfs]
[   79.379766][ T9578]  __btrfs_balance+0x8ef/0x1b00 [btrfs]
[   79.385126][ T9578]  btrfs_balance+0xc65/0x17c0 [btrfs]
[   79.390316][ T9578]  btrfs_ioctl_balance+0x457/0x600 [btrfs]
[   79.395936][ T9578]  btrfs_ioctl+0x25f5/0x5200 [btrfs]
[   79.401039][ T9578]  __x64_sys_ioctl+0x127/0x1c0
[   79.405589][ T9578]  do_syscall_64+0x3b/0xc0
[   79.409796][ T9578]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   79.415463][ T9578]
[   79.417617][ T9578] Last potentially related work creation:
[   79.423109][ T9578]  kasan_save_stack+0x1e/0x40
[   79.427575][ T9578]  __kasan_record_aux_stack+0x97/0xc0
[   79.432727][ T9578]  call_rcu+0xd0/0x1200
[   79.436677][ T9578]  netlink_release+0x426/0x980
[   79.441231][ T9578]  __sock_release+0xc5/0x280
[   79.445612][ T9578]  sock_close+0x11/0x40
[   79.449563][ T9578]  __fput+0x1fd/0x8c0
[   79.453345][ T9578]  task_work_run+0xdb/0x180
[   79.457641][ T9578]  do_exit+0x92b/0x2640
[   79.461594][ T9578]  do_group_exit+0xab/0x280
[   79.465885][ T9578]  __x64_sys_exit_group+0x3a/0x80
[   79.470692][ T9578]  do_syscall_64+0x3b/0xc0
[   79.474902][ T9578]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   79.480566][ T9578]
[   79.482719][ T9578] The buggy address belongs to the object at ffff88810acc1000
[   79.482719][ T9578]  which belongs to the cache kmalloc-2k of size 2048
[   79.496428][ T9578] The buggy address is located 56 bytes inside of
[   79.496428][ T9578]  2048-byte region [ffff88810acc1000, ffff88810acc1800)
[   79.509369][ T9578] The buggy address belongs to the page:
[   79.514774][ T9578] page:00000000ba9d679b refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10acc0
[   79.524718][ T9578] head:00000000ba9d679b order:3 compound_mapcount:0 compound_pincount:0
[   79.532779][ T9578] flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
[   79.540755][ T9578] raw: 0017ffffc0010200 ffffea0004c09800 dead000000000002 ffff888100042f00
[   79.549072][ T9578] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
[   79.557387][ T9578] page dumped because: kasan: bad access detected
[   79.563563][ T9578]
[   79.565716][ T9578] Memory state around the buggy address:
[   79.571123][ T9578]  ffff88810acc0f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   79.578926][ T9578]  ffff88810acc0f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   79.586726][ T9578] >ffff88810acc1000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   79.594529][ T9578]                                         ^
[   79.600194][ T9578]  ffff88810acc1080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   79.607995][ T9578]  ffff88810acc1100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   79.615798][ T9578] ==================================================================
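As an added triage helper (not part of this report or of the kernel tree), the parser below pulls the bug kind, faulting function, access size, offset into the slab object and the allocation/free call chains out of a KASAN splat in the format printed above; the excerpt it runs on is constructed from the lines quoted in this message, trimmed to the ones the parser consumes.

```python
import re

# Constructed excerpt of the KASAN splat above, trimmed to the lines the parser consumes.
SAMPLE = """\
[   78.863642][ T9578] BUG: KASAN: use-after-free in btrfs_drop_snapshot+0x1299/0x19c0 [btrfs]
[   78.871945][ T9578] Read of size 8 at addr ffff88810acc1038 by task btrfs/9578
[   79.211641][ T9578] Allocated by task 9578:
[   79.215763][ T9578]  kasan_save_stack+0x1e/0x40
[   79.224610][ T9578]  btrfs_alloc_root+0x4f/0xf80 [btrfs]
[   79.240944][ T9578]  create_reloc_root+0x49e/0xb40 [btrfs]
[   79.323059][ T9578]
[   79.325210][ T9578] Freed by task 9578:
[   79.347203][ T9578]  kfree+0x8e/0x400
[   79.350814][ T9578]  btrfs_drop_snapshot+0x12e7/0x19c0 [btrfs]
[   79.356596][ T9578]  clean_dirty_subvols+0x19f/0x400 [btrfs]
[   79.415463][ T9578]
[   79.482719][ T9578] The buggy address belongs to the object at ffff88810acc1000
[   79.482719][ T9578]  which belongs to the cache kmalloc-2k of size 2048
"""

PREFIX = re.compile(r"^\[\s*[\d.]+\]\[\s*T\d+\]\s?")  # "[ time][ Tpid] " printk prefix
HEADER = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)")
OBJECT = re.compile(r"object at (?P<base>[0-9a-f]+)")
CACHE = re.compile(r"cache (?P<cache>[\w-]+) of size (?P<objsize>\d+)")
FRAME = re.compile(r"^\s(?P<sym>[\w.]+)\+0x")  # indented stack frame, symbol name only

def parse_kasan(text):
    """Summarise a KASAN report: kind, function, access, slab object, alloc/free stacks."""
    r = {"alloc": [], "free": []}
    section = None  # which stack ("alloc"/"free") the current frame lines belong to
    for raw in text.splitlines():
        line = PREFIX.sub("", raw)
        if m := HEADER.search(line):
            r.update(kind=m["kind"], func=m["func"])
        elif m := ACCESS.search(line):
            r.update(op=m["op"], size=int(m["size"]), addr=int(m["addr"], 16))
        elif m := OBJECT.search(line):
            r["base"] = int(m["base"], 16)
        elif m := CACHE.search(line):
            r.update(cache=m["cache"], objsize=int(m["objsize"]))
        elif line.startswith(("Allocated by", "Freed by")):
            section = "alloc" if line.startswith("A") else "free"
        elif not line.strip():
            section = None  # blank line ends the current stack
        elif section and (m := FRAME.match(line)) and not m["sym"].startswith("kasan_"):
            r[section].append(m["sym"])  # drop KASAN's own bookkeeping frames
    if "addr" in r and "base" in r:
        r["offset"] = r["addr"] - r["base"]  # distance of the access into the freed object
    return r
```

On this excerpt the computed offset is 56, matching the report's own "56 bytes inside of" line, and the free stack shows the object released from btrfs_drop_snapshot before the same function reads it again.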



To reproduce:

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        sudo bin/lkp install job.yaml           # job file is attached in this email
        bin/lkp split-job --compatible job.yaml # generate the yaml file for lkp run
        sudo bin/lkp run generated-yaml-file

        # if you come across any failure that blocks the test,
        # please remove ~/.lkp and /lkp to run from a clean state.



---
0DAY/LKP+ Test Infrastructure                   Open Source Technology Center
https://lists.01.org/hyperkitty/list/lkp@lists.01.org       Intel Corporation

Thanks,
Oliver Sang


View attachment "config-5.17.0-rc4-00117-g0ac06c96a62d" of type "text/plain" (178930 bytes)

View attachment "job-script" of type "text/plain" (5843 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (31592 bytes)

View attachment "xfstests" of type "text/plain" (1954 bytes)

View attachment "job.yaml" of type "text/plain" (4802 bytes)

View attachment "reproduce" of type "text/plain" (1015 bytes)
