Re: fs: pipe: memory corruption in inode_cache

From: Sasha Levin
Date: Tue Mar 18 2014 - 14:45:23 EST


Ping? This is still showing up in -next.

On 03/02/2014 09:13 PM, Sasha Levin wrote:
Hi all,

While fuzzing with trinity inside a KVM tools guest running latest -next kernel I've stumbled
on the following spew:

[ 315.799264] =============================================================================
[ 315.800055] BUG inode_cache (Tainted: G B W ): Object padding overwritten
[ 315.800055] -----------------------------------------------------------------------------
[ 315.800055]
[ 315.800055] INFO: 0xffff880229a67030-0xffff880229a67033. First byte 0x1e instead of 0x5a
[ 315.800055] INFO: Allocated in alloc_inode+0x41/0xa0 age=2328 cpu=33 pid=9788
[ 315.800055] __slab_alloc+0x413/0x4d0
[ 315.800055] kmem_cache_alloc+0x12f/0x2e0
[ 315.800055] alloc_inode+0x41/0xa0
[ 315.800055] new_inode_pseudo+0x1b/0x70
[ 315.800055] get_pipe_inode+0x1c/0xf0
[ 315.800055] create_pipe_files+0x2c/0x170
[ 315.800055] __do_pipe_flags+0x41/0xf0
[ 315.800055] SyS_pipe2+0x2b/0xb0
[ 315.800055] tracesys+0xdd/0xe2
[ 315.800055] INFO: Freed in free_inode_nonrcu+0x18/0x20 age=2516 cpu=33 pid=9819
[ 315.800055] __slab_free+0x41/0x5e0
[ 315.800055] kmem_cache_free+0x27b/0x380
[ 315.800055] free_inode_nonrcu+0x18/0x20
[ 315.800055] destroy_inode+0x4b/0x70
[ 315.800055] evict+0x188/0x1a0
[ 315.800055] iput_final+0x163/0x180
[ 315.814864] iput+0x4f/0x60
[ 315.814864] dentry_iput+0xc8/0xf0
[ 315.814864] d_kill+0x4e/0xc0
[ 315.814864] dentry_kill+0xdb/0x100
[ 315.814864] dput+0x10d/0x130
[ 315.814864] __fput+0x2a7/0x2c0
[ 315.814864] ____fput+0xe/0x10
[ 315.814864] task_work_run+0xae/0xf0
[ 315.814864] do_notify_resume+0x8e/0xe0
[ 315.814864] int_signal+0x12/0x17
[ 315.814864] INFO: Slab 0xffffea0008a69800 objects=23 used=13 fp=0xffff880229a62568 flags=0x6fffff80004081
[ 315.814864] INFO: Object 0xffff880229a66ae0 @offset=27360 fp=0xffff880229a66588
[ 315.814864]
[ 315.914258] Redzone ffff880229a66ef0: cc cc cc cc cc cc cc cc ........
[ 315.914258] Padding ffff880229a67030: 1e 00 00 00 5a 5a 5a 5a ....ZZZZ
[ 315.914258] CPU: 33 PID: 9788 Comm: trinity-c42 Tainted: G B W 3.14.0-rc4-next-20140228-sasha-00012-g311cf87 #40
[ 315.914258] Call Trace:
[ 315.914258] [<ffffffff84469f23>] dump_stack+0x52/0x7f
[ 315.914258] [<ffffffff812cc51a>] print_trailer+0x13a/0x150
[ 315.914258] [<ffffffff812cc981>] check_bytes_and_report+0xe1/0x130
[ 315.914258] [<ffffffff812ceac1>] check_object+0x161/0x220
[ 315.914258] [<ffffffff812d29f3>] free_debug_processing+0x163/0x2e0
[ 315.914258] [<ffffffff81317278>] ? free_inode_nonrcu+0x18/0x20
[ 315.914258] [<ffffffff81317278>] ? free_inode_nonrcu+0x18/0x20
[ 315.914258] [<ffffffff812d2bb1>] __slab_free+0x41/0x5e0
[ 315.914258] [<ffffffff8447186c>] ? _raw_spin_unlock_irqrestore+0x9c/0xc0
[ 315.914258] [<ffffffff81b1699f>] ? __debug_check_no_obj_freed+0x15f/0x220
[ 315.914258] [<ffffffff81317278>] ? free_inode_nonrcu+0x18/0x20
[ 315.914258] [<ffffffff81317278>] ? free_inode_nonrcu+0x18/0x20
[ 315.914258] [<ffffffff812d4b7b>] kmem_cache_free+0x27b/0x380
[ 315.914258] [<ffffffff81317278>] free_inode_nonrcu+0x18/0x20
[ 315.914258] [<ffffffff8131799b>] destroy_inode+0x4b/0x70
[ 315.914258] [<ffffffff81317b48>] evict+0x188/0x1a0
[ 315.914258] [<ffffffff81317cc3>] iput_final+0x163/0x180
[ 315.914258] [<ffffffff81317d2f>] iput+0x4f/0x60
[ 315.914258] [<ffffffff81af5a31>] ? lockref_put_or_lock+0x11/0x40
[ 315.914258] [<ffffffff81311518>] dentry_iput+0xc8/0xf0
[ 315.914258] [<ffffffff81311e0e>] d_kill+0x4e/0xc0
[ 315.914258] [<ffffffff8131309c>] ? dentry_kill+0x3c/0x100
[ 315.914258] [<ffffffff8131313b>] dentry_kill+0xdb/0x100
[ 315.914258] [<ffffffff8131326d>] dput+0x10d/0x130
[ 315.914258] [<ffffffff812fb067>] __fput+0x2a7/0x2c0
[ 315.914258] [<ffffffff812fb13e>] ____fput+0xe/0x10
[ 315.914258] [<ffffffff8116bf9e>] task_work_run+0xae/0xf0
[ 315.914258] [<ffffffff8114659a>] do_exit+0x32a/0x520
[ 315.914258] [<ffffffff81146839>] do_group_exit+0xa9/0xe0
[ 315.952435] [<ffffffff8115c072>] get_signal_to_deliver+0x4e2/0x570
[ 315.952435] [<ffffffff8106fc3b>] do_signal+0x4b/0x120
[ 315.952435] [<ffffffff8118a526>] ? vtime_account_user+0x96/0xb0
[ 315.952435] [<ffffffff810c180f>] ? is_prefetch+0xef/0x2c0
[ 315.952435] [<ffffffff81268de5>] ? context_tracking_user_exit+0x195/0x1d0
[ 315.952435] [<ffffffff811aaf96>] ? trace_hardirqs_on_caller+0x16/0x270
[ 315.952435] [<ffffffff811ab1fd>] ? trace_hardirqs_on+0xd/0x10
[ 315.952435] [<ffffffff8106ff8a>] do_notify_resume+0x5a/0xe0
[ 315.952435] [<ffffffff84471ebb>] retint_signal+0x4d/0x92
[ 315.952435] FIX inode_cache: Restoring 0xffff880229a67030-0xffff880229a67033=0x5a


Thanks,
Sasha

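As an added example (not part of Sasha's report or of the kernel's own code): a small Python triage parser for the SLUB debug report format shown above. It pulls out the cache name, the failure kind, the corrupted byte range, the object base and the two Allocated/Freed tracks, and condenses them into one summary line; the sample input is a constructed excerpt of the report quoted above, and the poison byte names are taken from include/linux/poison.h.

```python
import re
# Constructed input: an excerpt of the SLUB report quoted above, trimmed to the lines this parser consumes.
SAMPLE = """\
[ 315.800055] BUG inode_cache (Tainted: G B W ): Object padding overwritten
[ 315.800055] INFO: 0xffff880229a67030-0xffff880229a67033. First byte 0x1e instead of 0x5a
[ 315.800055] INFO: Allocated in alloc_inode+0x41/0xa0 age=2328 cpu=33 pid=9788
[ 315.800055] alloc_inode+0x41/0xa0
[ 315.800055] get_pipe_inode+0x1c/0xf0
[ 315.800055] INFO: Freed in free_inode_nonrcu+0x18/0x20 age=2516 cpu=33 pid=9819
[ 315.800055] free_inode_nonrcu+0x18/0x20
[ 315.814864] INFO: Object 0xffff880229a66ae0 @offset=27360 fp=0xffff880229a66588
[ 315.914258] Padding ffff880229a67030: 1e 00 00 00 5a 5a 5a 5a ....ZZZZ
"""
# Poison/redzone byte values SLUB expects to find intact (include/linux/poison.h).
POISON_NAMES = {0x5a: "POISON_INUSE", 0x6b: "POISON_FREE", 0xa5: "POISON_END",
                0xbb: "SLUB_RED_INACTIVE", 0xcc: "SLUB_RED_ACTIVE"}
TS = re.compile(r"^\[\s*\d+\.\d+\]\s*")               # printk timestamp prefix
BUG = re.compile(r"^BUG (\S+) .*: (.+)$")              # cache name, failure kind
RANGE = re.compile(r"^INFO: 0x([0-9a-f]+)-0x([0-9a-f]+)\. First byte 0x([0-9a-f]+) instead of 0x([0-9a-f]+)")
TRACK = re.compile(r"^INFO: (Allocated|Freed) in (\S+) age=\d+ cpu=\d+ pid=(\d+)")
OBJ = re.compile(r"^INFO: Object 0x([0-9a-f]+)")
FRAME = re.compile(r"^\w+\+0x[0-9a-f]+/0x[0-9a-f]+$")  # bare symbol+off/size stack frame

def parse_slub_report(text):
    r = {"alloc": [], "free": []}
    track = None  # stack trace that the following bare frame lines belong to
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if m := BUG.match(line):
            r["cache"], r["kind"] = m.groups()
        elif m := RANGE.match(line):
            r["bad_start"], r["bad_end"], r["found"], r["expected"] = (int(g, 16) for g in m.groups())
        elif m := TRACK.match(line):
            track = "alloc" if m.group(1) == "Allocated" else "free"
            r[track + "_in"], r[track + "_pid"] = m.group(2), int(m.group(3))
        elif m := OBJ.match(line):
            r["object"] = int(m.group(1), 16)
        elif track and FRAME.match(line):
            r[track].append(line)
        else:
            track = None  # any other line ends the current stack trace
    return r

def summarize(r):
    # Distance from the object base tells whether the damage is inside the object, its redzone or its padding.
    length = r["bad_end"] - r["bad_start"] + 1
    offset = r["bad_start"] - r["object"]
    return (f"{r['cache']}: {r['kind']}; {length} byte(s) at object+0x{offset:x} hold "
            f"0x{r['found']:02x} instead of 0x{r['expected']:02x} ({POISON_NAMES.get(r['expected'], 'unknown poison')}); "
            f"last alloc pid {r['alloc_pid']} in {r['alloc_in']}, last free pid {r['free_pid']} in {r['free_in']}")

if __name__ == "__main__":
    print(summarize(parse_slub_report(SAMPLE)))
```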