Message-ID: <20220527091256.GD11731@xsang-OptiPlex-9020>
Date: Fri, 27 May 2022 17:12:56 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Dave Chinner <david@...morbit.com>
Cc: 0day robot <lkp@...el.com>, LKML <linux-kernel@...r.kernel.org>,
linux-xfs@...r.kernel.org, lkp@...ts.01.org, chris@...he.net.au
Subject: [xfs] 55a3d6bbc5: BUG:KASAN:use-after-free_in_xfs_attr3_node_inactive[xfs]

(please note that we reported
"[xfs] 55a3d6bbc5: aim7.jobs-per-min 19.8% improvement",
but now we noticed a func issue)

Greeting,
FYI, we noticed the following commit (built with gcc-11):
commit: 55a3d6bbc5cc34a8e5aeb7ea5645a72cafddef2b ("[PATCH 1/2] xfs: bound maximum wait time for inodegc work")
url: https://github.com/intel-lab-lkp/linux/commits/Dave-Chinner/xfs-non-blocking-inodegc-pushes/20220524-144000
base: https://git.kernel.org/cgit/fs/xfs/xfs-linux.git for-next
patch link: https://lore.kernel.org/linux-xfs/20220524063802.1938505-2-david@fromorbit.com
in testcase: xfstests
version: xfstests-x86_64-48c5dbb-1_20220523
with following parameters:
disk: 4HDD
fs: xfs
test: xfs-group-43
ucode: 0x21
test-description: xfstests is a regression test suite for xfs and other file systems.
test-url: git://git.kernel.org/pub/scm/fs/xfs/xfstests-dev.git
on test machine: 4 threads 1 sockets Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz with 8G memory
caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
If you fix the issue, kindly add following tag
Reported-by: kernel test robot <oliver.sang@...el.com>
[ 439.394273][ T16] ==================================================================
[ 439.394411][ T16] BUG: KASAN: use-after-free in xfs_attr3_node_inactive+0x63c/0x900 [xfs]
[ 439.394716][ T16] Read of size 4 at addr ffff88817a448844 by task kworker/0:1/16
[ 439.394849][ T16]
[ 439.394897][ T16] CPU: 0 PID: 16 Comm: kworker/0:1 Not tainted 5.18.0-rc2-00158-g55a3d6bbc5cc #1
[ 439.395052][ T16] Hardware name: Hewlett-Packard p6-1451cx/2ADA, BIOS 8.15 02/05/2013
[ 439.395191][ T16] Workqueue: xfs-inodegc/sdb4 xfs_inodegc_worker [xfs]
[ 439.395460][ T16] Call Trace:
[ 439.395648][ T16] <TASK>
[ 439.395706][ T16] ? xfs_attr3_node_inactive+0x63c/0x900 [xfs]
[ 439.395948][ T16] dump_stack_lvl+0x34/0x44
[ 439.396033][ T16] print_address_description+0x1f/0x200
[ 439.396150][ T16] ? xfs_attr3_node_inactive+0x63c/0x900 [xfs]
[ 439.396387][ T16] print_report.cold+0x55/0x22c
[ 439.396479][ T16] ? _raw_spin_lock_irqsave+0x87/0x100
[ 439.396577][ T16] kasan_report+0xab/0x140
[ 439.396658][ T16] ? xfs_attr3_node_inactive+0x63c/0x900 [xfs]
[ 439.396892][ T16] xfs_attr3_node_inactive+0x63c/0x900 [xfs]
[ 439.397121][ T16] ? xfs_buf_set_ref+0x6c/0xc0 [xfs]
[ 439.397337][ T16] ? xfs_attr3_leaf_inactive+0x440/0x440 [xfs]
[ 439.397568][ T16] ? common_interrupt+0x17/0xc0
[ 439.397658][ T16] ? asm_common_interrupt+0x1e/0x40
[ 439.397751][ T16] ? xfs_trans_buf_set_type+0x91/0x200 [xfs]
[ 439.397985][ T16] ? xfs_trans_buf_set_type+0xc3/0x200 [xfs]
[ 439.398218][ T16] xfs_attr3_root_inactive+0x1a0/0x500 [xfs]
[ 439.398650][ T16] ? xfs_attr3_node_inactive+0x900/0x900 [xfs]
[ 439.398875][ T16] ? xfs_trans_alloc+0x325/0x780 [xfs]
[ 439.399098][ T16] xfs_attr_inactive+0x479/0x580 [xfs]
[ 439.399312][ T16] ? xfs_attr3_root_inactive+0x500/0x500 [xfs]
[ 439.399534][ T16] ? _raw_spin_lock+0x81/0x100
[ 439.399622][ T16] ? _raw_write_lock_irq+0x100/0x100
[ 439.399717][ T16] xfs_inactive+0x542/0x700 [xfs]
[ 439.400037][ T16] xfs_inodegc_worker+0x176/0x380 [xfs]
[ 439.400377][ T16] process_one_work+0x689/0x1040
[ 439.400481][ T16] worker_thread+0x5b3/0xf00
[ 439.400579][ T16] ? process_one_work+0x1040/0x1040
[ 439.400684][ T16] kthread+0x292/0x340
[ 439.400771][ T16] ? kthread_complete_and_exit+0x40/0x40
[ 439.400878][ T16] ret_from_fork+0x22/0x30
[ 439.400962][ T16] </TASK>
[ 439.401020][ T16]
[ 439.401065][ T16] Allocated by task 16:
[ 439.401141][ T16] kasan_save_stack+0x1e/0x40
[ 439.401226][ T16] __kasan_slab_alloc+0x66/0x80
[ 439.401313][ T16] kmem_cache_alloc+0x13c/0x300
[ 439.401400][ T16] _xfs_buf_alloc+0x61/0xd80 [xfs]
[ 439.401620][ T16] xfs_buf_get_map+0x12a/0xac0 [xfs]
[ 439.401831][ T16] xfs_buf_read_map+0xb7/0x980 [xfs]
[ 439.402042][ T16] xfs_trans_read_buf_map+0x441/0xb00 [xfs]
[ 439.402271][ T16] xfs_da_read_buf+0x1ce/0x2c0 [xfs]
[ 439.402474][ T16] xfs_da3_node_read+0x23/0x80 [xfs]
[ 439.402674][ T16] xfs_attr3_root_inactive+0xbf/0x500 [xfs]
[ 439.402891][ T16] xfs_attr_inactive+0x479/0x580 [xfs]
[ 439.403101][ T16] xfs_inactive+0x542/0x700 [xfs]
[ 439.403309][ T16] xfs_inodegc_worker+0x176/0x380 [xfs]
[ 439.403525][ T16] process_one_work+0x689/0x1040
[ 439.403615][ T16] worker_thread+0x5b3/0xf00
[ 439.403697][ T16] kthread+0x292/0x340
[ 439.403771][ T16] ret_from_fork+0x22/0x30
[ 439.403852][ T16]
[ 439.404243][ T16] Freed by task 16:
[ 439.404313][ T16] kasan_save_stack+0x1e/0x40
[ 439.404398][ T16] kasan_set_track+0x21/0x40
[ 439.404482][ T16] kasan_set_free_info+0x20/0x40
[ 439.404571][ T16] __kasan_slab_free+0x108/0x180
[ 439.404659][ T16] kmem_cache_free+0xb5/0x380
[ 439.404743][ T16] xfs_buf_rele+0x5d0/0xa00 [xfs]
[ 439.404963][ T16] xfs_attr3_node_inactive+0x1e2/0x900 [xfs]
[ 439.405288][ T16] xfs_attr3_root_inactive+0x1a0/0x500 [xfs]
[ 439.405632][ T16] xfs_attr_inactive+0x479/0x580 [xfs]
[ 439.405925][ T16] xfs_inactive+0x542/0x700 [xfs]
[ 439.406135][ T16] xfs_inodegc_worker+0x176/0x380 [xfs]
[ 439.406350][ T16] process_one_work+0x689/0x1040
[ 439.406440][ T16] worker_thread+0x5b3/0xf00
[ 439.406524][ T16] kthread+0x292/0x340
[ 439.406598][ T16] ret_from_fork+0x22/0x30
[ 439.406679][ T16]
[ 439.406724][ T16] Last potentially related work creation:
[ 439.406822][ T16] kasan_save_stack+0x1e/0x40
[ 439.406907][ T16] __kasan_record_aux_stack+0x96/0xc0
[ 439.407001][ T16] insert_work+0x4a/0x340
[ 439.407079][ T16] __queue_work+0x515/0xd40
[ 439.407160][ T16] queue_work_on+0x48/0x80
[ 439.407240][ T16] xfs_buf_bio_end_io+0x272/0x380 [xfs]
[ 439.407456][ T16] blk_update_request+0x2be/0xe80
[ 439.407553][ T16] scsi_end_request+0x71/0x600
[ 439.407641][ T16] scsi_io_completion+0x126/0xb00
[ 439.407731][ T16] blk_complete_reqs+0xaa/0x100
[ 439.407824][ T16] __do_softirq+0x1a2/0x5f7
[ 439.407916][ T16]
[ 439.407962][ T16] Second to last potentially related work creation:
[ 439.408083][ T16] kasan_save_stack+0x1e/0x40
[ 439.408184][ T16] __kasan_record_aux_stack+0x96/0xc0
[ 439.408294][ T16] insert_work+0x4a/0x340
[ 439.408381][ T16] __queue_work+0x515/0xd40
[ 439.408466][ T16] queue_work_on+0x48/0x80
[ 439.408546][ T16] xfs_buf_bio_end_io+0x272/0x380 [xfs]
[ 439.408773][ T16] blk_update_request+0x2be/0xe80
[ 439.408865][ T16] scsi_end_request+0x71/0x600
[ 439.408951][ T16] scsi_io_completion+0x126/0xb00
[ 439.409040][ T16] blk_complete_reqs+0xaa/0x100
[ 439.409127][ T16] __do_softirq+0x1a2/0x5f7
[ 439.409209][ T16]
[ 439.409254][ T16] The buggy address belongs to the object at ffff88817a448700
[ 439.409254][ T16] which belongs to the cache xfs_buf of size 360
[ 439.409486][ T16] The buggy address is located 324 bytes inside of
[ 439.409486][ T16] 360-byte region [ffff88817a448700, ffff88817a448868)
[ 439.409708][ T16]
[ 439.409754][ T16] The buggy address belongs to the physical page:
[ 439.409863][ T16] page:000000009a495195 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x17a448
[ 439.410036][ T16] head:000000009a495195 order:1 compound_mapcount:0 compound_pincount:0
[ 439.410175][ T16] flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
[ 439.410318][ T16] raw: 0017ffffc0010200 dead000000000100 dead000000000122 ffff888134c91400
[ 439.410466][ T16] raw: 0000000000000000 0000000080120012 00000001ffffffff 0000000000000000
[ 439.410609][ T16] page dumped because: kasan: bad access detected
[ 439.410718][ T16]
[ 439.410763][ T16] Memory state around the buggy address:
[ 439.410860][ T16] ffff88817a448700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 439.410996][ T16] ffff88817a448780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 439.411133][ T16] >ffff88817a448800: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
[ 439.411268][ T16] ^
[ 439.411375][ T16] ffff88817a448880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 439.411515][ T16] ffff88817a448900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 439.411650][ T16] ==================================================================

To reproduce:

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        sudo bin/lkp install job.yaml           # job file is attached in this email
        bin/lkp split-job --compatible job.yaml # generate the yaml file for lkp run
        sudo bin/lkp run generated-yaml-file

        # if come across any failure that blocks the test,
        # please remove ~/.lkp and /lkp dir to run from a clean state.

--
0-DAY CI Kernel Test Service
https://01.org/lkp
View attachment "config-5.18.0-rc2-00158-g55a3d6bbc5cc" of type "text/plain" (166089 bytes)
View attachment "job-script" of type "text/plain" (5885 bytes)
Download attachment "dmesg.xz" of type "application/x-xz" (7196 bytes)
View attachment "xfstests" of type "text/plain" (1586 bytes)
View attachment "job.yaml" of type "text/plain" (4819 bytes)
View attachment "reproduce" of type "text/plain" (933 bytes)