btrfs: invalid stack access with Linux 4.3

From: conchur
Date: Tue Dec 01 2015 - 03:42:57 EST


Just got the following with a kernel with kasan enabled:

==================================================================
BUG: KASan: out of bounds on stack in setup_cluster_bitmap+0x8a4/0x9e0 [btrfs] at addr ffff8801cc73f488
Read of size 8 by task dpkg/2711
page:ffffea000731cfc0 count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x2ffff8000000000()
page dumped because: kasan: bad access detected
CPU: 1 PID: 2711 Comm: dpkg Not tainted 4.3.0-trunk-amd64 #1 Debian 4.3-1~exp2
Hardware name:
ffff8801cc73f488 0000000048c7fce0 ffff8801cc73f288 ffffffff81907207
ffff8801cc73f310 ffff8801cc73f300 ffffffff815509d8 ffff8800d470da28
ffff8800d470d910 0000000000000292 4431e091688b0454 ffff8800d470d908
Call Trace:
[<ffffffff81907207>] dump_stack+0x4b/0x64
[<ffffffff815509d8>] kasan_report_error+0x3b8/0x3f0
[<ffffffff81550bc1>] __asan_report_load8_noabort+0x61/0x70
[<ffffffffa0bf81a4>] ? setup_cluster_bitmap+0x8a4/0x9e0 [btrfs]
[<ffffffffa0bf81a4>] setup_cluster_bitmap+0x8a4/0x9e0 [btrfs]
[<ffffffffa0bfdee6>] btrfs_find_space_cluster+0x6b6/0xaa0 [btrfs]
[<ffffffffa0bfd830>] ? btrfs_alloc_from_cluster+0x880/0x880 [btrfs]
[<ffffffff8224bdd7>] ? _raw_spin_unlock+0x27/0x40
[<ffffffffa0afbc4e>] find_free_extent+0xeae/0x24d0 [btrfs]
[<ffffffffa0afada0>] ? btrfs_delalloc_reserve_space+0x60/0x60 [btrfs]
[<ffffffffa0ad1428>] ? get_alloc_profile+0x288/0x560 [btrfs]
[<ffffffffa0afd392>] btrfs_reserve_extent+0x122/0x360 [btrfs]
[<ffffffffa0afda0a>] btrfs_alloc_tree_block+0x43a/0xf60 [btrfs]
[<ffffffff81242a13>] ? __lock_acquire+0x1583/0x5290
[<ffffffffa0afd5d0>] ? btrfs_reserve_extent+0x360/0x360 [btrfs]
[<ffffffff81550106>] ? memcpy+0x36/0x40
[<ffffffffa0b98be1>] ? read_extent_buffer+0x101/0x230 [btrfs]
[<ffffffffa0ab8ff0>] __btrfs_cow_block+0x3b0/0x1130 [btrfs]
[<ffffffffa0bdda0e>] ? btrfs_tree_lock+0x2ce/0x6f0 [btrfs]
[<ffffffffa0ab8c40>] ? update_ref_for_cow+0x9d0/0x9d0 [btrfs]
[<ffffffffa0aba1aa>] btrfs_cow_block+0x28a/0x710 [btrfs]
[<ffffffffa0ac4568>] btrfs_search_slot+0x4f8/0x1e50 [btrfs]
[<ffffffff81240e6d>] ? trace_hardirqs_on+0xd/0x10
[<ffffffffa0ac4070>] ? split_leaf+0x1550/0x1550 [btrfs]
[<ffffffffa0ab6a88>] ? btrfs_alloc_path+0x38/0x50 [btrfs]
[<ffffffff81292953>] ? rcu_read_lock_sched_held+0xa3/0x120
[<ffffffff8154ad69>] ? kmem_cache_alloc+0x1a9/0x280
[<ffffffffa0ab6a88>] ? btrfs_alloc_path+0x38/0x50 [btrfs]
[<ffffffffa0b0571c>] btrfs_update_root+0xbc/0x810 [btrfs]
[<ffffffff81240832>] ? mark_held_locks+0xd2/0x130
[<ffffffffa0b05660>] ? btrfs_set_root_node+0x250/0x250 [btrfs]
[<ffffffff81240e6d>] ? trace_hardirqs_on+0xd/0x10
[<ffffffffa0bed1f6>] btrfs_sync_log+0x776/0x1ec0 [btrfs]
[<ffffffffa0beca80>] ? btrfs_log_inode_parent+0x29a0/0x29a0 [btrfs]
[<ffffffff822471cc>] ? __mutex_unlock_slowpath+0x17c/0x2f0
[<ffffffff81240e6d>] ? trace_hardirqs_on+0xd/0x10
[<ffffffffa0b730e5>] btrfs_sync_file+0x845/0x9f0 [btrfs]
[<ffffffff81970440>] ? debug_object_active_state+0x370/0x370
[<ffffffffa0b728a0>] ? start_ordered_ops+0x30/0x30 [btrfs]
[<ffffffff81292953>] ? rcu_read_lock_sched_held+0xa3/0x120
[<ffffffff815c1241>] ? putname+0xc1/0xf0
[<ffffffffa0b728a0>] ? start_ordered_ops+0x30/0x30 [btrfs]
[<ffffffff8162f1b2>] vfs_fsync_range+0xf2/0x290
[<ffffffff812927a7>] ? debug_lockdep_rcu_enabled+0x77/0x90
[<ffffffff815e77a9>] ? __fget_light+0x139/0x200
[<ffffffff8162f3ad>] do_fsync+0x3d/0x70
[<ffffffff8162fad0>] SyS_fsync+0x10/0x20
[<ffffffff8224c936>] system_call_fast_compare_end+0xc/0x6c
Memory state around the buggy address:
ffff8801cc73f380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8801cc73f400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801cc73f480: f1 f1 f1 f1 00 00 f4 f4 f3 f3 f3 f3 00 00 00 00
^
ffff8801cc73f500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8801cc73f580: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00
==================================================================

The thing I did was:

sudo dpkg -i linux-kbuild-4.3_4.3\~rc5-1\~exp2_amd64.deb linux-compiler-gcc-5-x86_4.3-1\~exp2_amd64.deb linux-headers-4.3.0-trunk-amd64_4.3-1\~exp2_amd64.deb linux-headers-4.3.0-trunk-common_4.3-1\~exp2_amd64.deb

Config of the kernel is attached. The rest of the kernel sources can be found here but have to be built with the attached config to get the kasan kernel:

dget http://snapshot.debian.org/archive/debian/20151106T162707Z/pool/main/l/linux/linux_4.3-1~exp1.dsc

Attachment: config-4.3.0-trunk-amd64
Description: Binary data