Re: BUG: KASAN: use-after-free in xfs_iflush_cluster+0x9d7/0xaf0

From: Andrea Gelmini
Date: Tue Jan 05 2016 - 11:31:05 EST


On Mon, Jan 04, 2016 at 07:47:58AM +1100, Dave Chinner wrote:
> > I'm recompiling, to try it again.
> > Maybe, in the meanwhile, you can do something with my files. You can find 'em here:
> > http://mail.gelma.net/xfs_kasan
>
> Any update on this problem, Andrea?

Here we are!
Reproduced right now.

So, just to avoid confusion:
a) it's a vanilla kernel 4.4.0-rc8
b) plus some btrfs patches
c) plus some dri/intel/i915 patches
d) at the same URL above you can find git_files.txt.gz, where you have each commit I applied above the vanilla kernel (anyway, nothing related to vfs/xfs of course)
e) at the same URL you find the kernel binaries I used
f) to catch it, I had to copy a few gigs of files on my /home partition (xfs over LUKS)

Anyway, here is what you asked me for:

(gdb) l *(xfs_iflush_cluster+0xb73/0xc10)
0xffffffff8184c550 is in xfs_iflush_cluster (fs/xfs/xfs_inode.c:3182).
3177
3178 STATIC int
3179 xfs_iflush_cluster(
3180 xfs_inode_t *ip,
3181 xfs_buf_t *bp)
3182 {
3183 xfs_mount_t *mp = ip->i_mount;
3184 struct xfs_perag *pag;
3185 unsigned long first_index, mask;
3186 unsigned long inodes_per_cluster;
(gdb)

Thanks a lot for your patience,
Dave

[mar gen 5 16:58:19 2016] ==================================================================
[mar gen 5 16:58:19 2016] BUG: KASAN: use-after-free in xfs_iflush_cluster+0xb73/0xc10 at addr ffff880364721d10
[mar gen 5 16:58:19 2016] Read of size 4 by task xfsaild/dm-0/329
[mar gen 5 16:58:19 2016] =============================================================================
[mar gen 5 16:58:19 2016] BUG xfs_ili (Tainted: G W ): kasan: bad access detected
[mar gen 5 16:58:19 2016] -----------------------------------------------------------------------------

[mar gen 5 16:58:19 2016] Disabling lock debugging due to kernel taint
[mar gen 5 16:58:19 2016] INFO: Allocated in kmem_zone_alloc+0x7c/0x180 age=496908 cpu=1 pid=6496
[mar gen 5 16:58:19 2016] ___slab_alloc.constprop.27+0x383/0x490
[mar gen 5 16:58:19 2016] __slab_alloc.isra.24.constprop.26+0x50/0xa0
[mar gen 5 16:58:19 2016] kmem_cache_alloc+0x174/0x1b0
[mar gen 5 16:58:19 2016] kmem_zone_alloc+0x7c/0x180
[mar gen 5 16:58:19 2016] xfs_inode_item_init+0x22/0xb0
[mar gen 5 16:58:19 2016] xfs_trans_ijoin+0xa4/0x110
[mar gen 5 16:58:19 2016] xfs_ialloc+0x9f9/0x1390
[mar gen 5 16:58:19 2016] xfs_dir_ialloc+0x106/0x670
[mar gen 5 16:58:19 2016] xfs_create+0x67e/0x1080
[mar gen 5 16:58:19 2016] xfs_generic_create+0x375/0x500
[mar gen 5 16:58:19 2016] xfs_vn_mknod+0xf/0x20
[mar gen 5 16:58:19 2016] xfs_vn_create+0xe/0x10
[mar gen 5 16:58:19 2016] vfs_create+0x1ff/0x390
[mar gen 5 16:58:19 2016] do_last+0x29a7/0x3900
[mar gen 5 16:58:19 2016] path_openat+0x15b/0x730
[mar gen 5 16:58:19 2016] do_filp_open+0x170/0x230
[mar gen 5 16:58:19 2016] INFO: Freed in xfs_inode_item_destroy+0x39/0x50 age=0 cpu=3 pid=38
[mar gen 5 16:58:19 2016] __slab_free+0x36d/0x510
[mar gen 5 16:58:19 2016] kmem_cache_free+0x1ef/0x200
[mar gen 5 16:58:19 2016] xfs_inode_item_destroy+0x39/0x50
[mar gen 5 16:58:19 2016] xfs_inode_free+0xcd/0x360
[mar gen 5 16:58:19 2016] xfs_reclaim_inode+0x54b/0x890
[mar gen 5 16:58:19 2016] xfs_reclaim_inodes_ag+0x3e9/0x840
[mar gen 5 16:58:19 2016] xfs_reclaim_inodes_nr+0x49/0x60
[mar gen 5 16:58:19 2016] xfs_fs_free_cached_objects+0x55/0x80
[mar gen 5 16:58:19 2016] super_cache_scan+0x329/0x410
[mar gen 5 16:58:19 2016] shrink_slab.part.7+0x2f2/0x530
[mar gen 5 16:58:19 2016] shrink_zone+0x7a0/0xae0
[mar gen 5 16:58:19 2016] kswapd+0x9ad/0x1110
[mar gen 5 16:58:19 2016] kthread+0x218/0x2e0
[mar gen 5 16:58:19 2016] ret_from_fork+0x3f/0x70
[mar gen 5 16:58:19 2016] INFO: Slab 0xffffea000d91c800 objects=35 used=29 fp=0xffff880364721c80 flags=0x8000000000004080
[mar gen 5 16:58:19 2016] INFO: Object 0xffff880364721c80 @offset=7296 fp=0xffff880364721560

[mar gen 5 16:58:19 2016] Bytes b4 ffff880364721c70: 03 00 00 00 3f 34 00 00 b8 51 cd 00 01 00 00 00 ....?4...Q......
[mar gen 5 16:58:19 2016] Object ffff880364721c80: 60 15 72 64 03 88 ff ff 00 02 00 00 00 00 ad de `.rd............
[mar gen 5 16:58:19 2016] Object ffff880364721c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[mar gen 5 16:58:19 2016] Object ffff880364721ca0: 00 00 3d 5e 03 88 ff ff 60 04 92 5d 03 88 ff ff ..=^....`..]....
[mar gen 5 16:58:19 2016] Object ffff880364721cb0: 3b 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ;...............
[mar gen 5 16:58:19 2016] Object ffff880364721cc0: 30 84 88 86 ff ff ff ff 60 17 6f 87 ff ff ff ff 0.......`.o.....
[mar gen 5 16:58:19 2016] Object ffff880364721cd0: d0 1c 72 64 03 88 ff ff d0 1c 72 64 03 88 ff ff ..rd......rd....
[mar gen 5 16:58:19 2016] Object ffff880364721ce0: 00 00 00 00 00 00 00 00 68 76 00 00 00 00 00 00 ........hv......
[mar gen 5 16:58:19 2016] Object ffff880364721cf0: 80 6c 40 3e 01 88 ff ff db 4a 00 00 e2 00 00 00 .l@>.....J......
[mar gen 5 16:58:19 2016] Object ffff880364721d00: d6 79 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .y..............
[mar gen 5 16:58:19 2016] Object ffff880364721d10: 00 00 00 00 00 00 00 00 ........
[mar gen 5 16:58:19 2016] CPU: 0 PID: 329 Comm: xfsaild/dm-0 Tainted: G B W 4.4.0-rc8-KASan-01354-g3041cce #6
[mar gen 5 16:58:19 2016] Hardware name: LENOVO 2356LRG/2356LRG, BIOS G7ETA4WW (2.64 ) 10/08/2015
[mar gen 5 16:58:19 2016] ffff880364720000 ffff88035f2ef968 ffffffff86a2adea ffff88035f498480
[mar gen 5 16:58:19 2016] ffff88035f2ef998 ffffffff86423ab4 ffff88035f498480 ffffea000d91c800
[mar gen 5 16:58:19 2016] ffff880364721c80 ffff88013e406c80 ffff88035f2ef9c0 ffffffff86428edf
[mar gen 5 16:58:19 2016] Call Trace:
[mar gen 5 16:58:19 2016] [<ffffffff86a2adea>] dump_stack+0x4e/0x84
[mar gen 5 16:58:19 2016] [<ffffffff86423ab4>] print_trailer+0xf4/0x150
[mar gen 5 16:58:19 2016] [<ffffffff86428edf>] object_err+0x2f/0x40
[mar gen 5 16:58:19 2016] [<ffffffff8642ab87>] kasan_report_error+0x207/0x530
[mar gen 5 16:58:19 2016] [<ffffffff8642af6e>] __asan_report_load4_noabort+0x3e/0x40
[mar gen 5 16:58:19 2016] [<ffffffff87585d00>] ? _raw_spin_lock_irqsave_nested+0x50/0x70
[mar gen 5 16:58:19 2016] [<ffffffff8684d0c3>] ? xfs_iflush_cluster+0xb73/0xc10
[mar gen 5 16:58:19 2016] [<ffffffff8684d0c3>] xfs_iflush_cluster+0xb73/0xc10
[mar gen 5 16:58:19 2016] [<ffffffff8684c760>] ? xfs_iflush_cluster+0x210/0xc10
[mar gen 5 16:58:19 2016] [<ffffffff86855eda>] xfs_iflush+0x37a/0x5b0
[mar gen 5 16:58:19 2016] [<ffffffff86855b60>] ? xfs_rename+0xe70/0xe70
[mar gen 5 16:58:19 2016] [<ffffffff868881ca>] xfs_inode_item_push+0x25a/0x390
[mar gen 5 16:58:19 2016] [<ffffffff86887f70>] ? xfs_inode_item_unlock+0x80/0x80
[mar gen 5 16:58:19 2016] [<ffffffff861d28e8>] ? up+0x68/0xb0
[mar gen 5 16:58:19 2016] [<ffffffff8681c6dd>] ? xfs_buf_unlock+0xd/0x10
[mar gen 5 16:58:19 2016] [<ffffffff8689fa4b>] xfsaild+0x8fb/0x1500
[mar gen 5 16:58:19 2016] [<ffffffff861ddbac>] ? trace_hardirqs_on_caller+0x28c/0x5e0
[mar gen 5 16:58:19 2016] [<ffffffff8689f150>] ? xfs_trans_ail_cursor_first+0x1a0/0x1a0
[mar gen 5 16:58:19 2016] [<ffffffff8689f150>] ? xfs_trans_ail_cursor_first+0x1a0/0x1a0
[mar gen 5 16:58:19 2016] [<ffffffff8615f3b8>] kthread+0x218/0x2e0
[mar gen 5 16:58:19 2016] [<ffffffff8615f1a0>] ? kthread_create_on_node+0x460/0x460
[mar gen 5 16:58:19 2016] [<ffffffff8615f1a0>] ? kthread_create_on_node+0x460/0x460
[mar gen 5 16:58:19 2016] [<ffffffff87586c2f>] ret_from_fork+0x3f/0x70
[mar gen 5 16:58:19 2016] [<ffffffff8615f1a0>] ? kthread_create_on_node+0x460/0x460
[mar gen 5 16:58:19 2016] Memory state around the buggy address:
[mar gen 5 16:58:19 2016] ffff880364721c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[mar gen 5 16:58:19 2016] ffff880364721c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[mar gen 5 16:58:19 2016] >ffff880364721d00: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
[mar gen 5 16:58:19 2016] ^
[mar gen 5 16:58:19 2016] ffff880364721d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[mar gen 5 16:58:19 2016] ffff880364721e00: fc fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb
[mar gen 5 16:58:19 2016] ==================================================================
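As an added triage example (not code from this thread or from the XFS tree), the helper below reads the KASAN splat above and derives the facts a reviewer checks first: the offset of the faulting read inside the freed xfs_ili object, which path freed it and how long before the access, and what the shadow byte at that address encodes. It assumes the report lines as quoted (timestamps stripped) and the slab shadow encodings of this kernel generation (0xfb freed, 0xfc redzone, one shadow byte per 8 bytes).

```python
import re

# Constructed excerpt of the KASAN splat quoted in the mail above, dmesg timestamps dropped.
REPORT = """\
BUG: KASAN: use-after-free in xfs_iflush_cluster+0xb73/0xc10 at addr ffff880364721d10
Read of size 4 by task xfsaild/dm-0/329
INFO: Allocated in kmem_zone_alloc+0x7c/0x180 age=496908 cpu=1 pid=6496
INFO: Freed in xfs_inode_item_destroy+0x39/0x50 age=0 cpu=3 pid=38
INFO: Object 0xffff880364721c80 @offset=7296 fp=0xffff880364721560
Memory state around the buggy address:
 ffff880364721c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff880364721d00: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

SHADOW_GRANULE = 8  # one KASAN shadow byte describes 8 bytes of kernel memory
# Slab shadow encodings of this kernel generation (assumed for this example).
SHADOW_MEANING = {0x00: "addressable", 0xfb: "freed slab object", 0xfc: "slab redzone"}

def parse_kasan(report):
    """Extract the triage facts: what was accessed, where inside the slab
    object, which path freed it and how long before the access (age is in
    jiffies, so 0 means "just now"), and what the shadow byte says about it."""
    bug = re.search(r"BUG: KASAN: (\S+) in (\S+) at addr ([0-9a-f]+)", report)
    addr = int(bug.group(3), 16)
    acc = re.search(r"(Read|Write) of size (\d+) by task (\S+)", report)
    obj = int(re.search(r"INFO: Object 0x([0-9a-f]+)", report).group(1), 16)
    freed = re.search(r"INFO: Freed in (\S+) age=(\d+)", report)
    # Each "Memory state" row holds 16 shadow bytes, i.e. covers 128 bytes of
    # memory; pick the row containing addr and index it by 8-byte granule.
    shadow = None
    for row in re.finditer(r"^>?\s*([0-9a-f]+): ((?:[0-9a-f]{2} ?)+)$", report, re.M):
        base = int(row.group(1), 16)
        cells = [int(b, 16) for b in row.group(2).split()]
        if base <= addr < base + SHADOW_GRANULE * len(cells):
            shadow = cells[(addr - base) // SHADOW_GRANULE]
    return {
        "bug": bug.group(1), "func": bug.group(2), "addr": addr,
        "access": acc.group(1), "size": int(acc.group(2)), "task": acc.group(3),
        "object": obj, "offset_in_object": addr - obj,
        "freed_in": freed.group(1), "free_age": int(freed.group(2)),
        "shadow": SHADOW_MEANING.get(shadow, "unknown" if shadow is None else "0x%02x" % shadow),
    }

if __name__ == "__main__":
    r = parse_kasan(REPORT)
    print("%s: %s of %d bytes by %s in %s, offset 0x%x into object 0x%x" % (
        r["bug"], r["access"], r["size"], r["task"], r["func"], r["offset_in_object"], r["object"]))
    print("object freed in %s (age %d); shadow says: %s" % (r["freed_in"], r["free_age"], r["shadow"]))
```

For this report it yields a 4-byte read at offset 0x90 into an object freed by xfs_inode_item_destroy with age 0, which is why the shadow byte reads 0xfb (freed) rather than a redzone.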
