From: kernel test robot <oliver.sang@intel.com>
To: David Howells <dhowells@redhat.com>
Cc: <oe-lkp@lists.linux.dev>, <lkp@intel.com>,
Linux Memory Management List <linux-mm@kvack.org>,
Christian Brauner <brauner@kernel.org>,
Jeff Layton <jlayton@kernel.org>, <netfs@lists.linux.dev>,
<linux-fsdevel@vger.kernel.org>, <oliver.sang@intel.com>
Subject: [linux-next:master] [netfs] a05b682d49: BUG:KASAN:slab-use-after-free_in_copy_from_iter
Date: Fri, 13 Sep 2024 15:24:01 +0800
Message-ID: <202409131438.3f225fbf-oliver.sang@intel.com>
Hello,
kernel test robot noticed "BUG:KASAN:slab-use-after-free_in_copy_from_iter" on:
commit: a05b682d498a81ca12f1dd964f06f3aec48af595 ("netfs: Use new folio_queue data type and iterator instead of xarray iter")
https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master
[test failed on linux-next/master 32ffa5373540a8d1c06619f52d019c6cdc948bb4]
in testcase: xfstests
version: xfstests-x86_64-b1465280-1_20240909
with following parameters:
disk: 4HDD
fs: ext4
fs2: smbv2
test: generic-group-07
compiler: gcc-12
test machine: 4 threads Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz (Skylake) with 32G memory
(please refer to attached dmesg/kmsg for entire log/backtrace)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags:
| Reported-by: kernel test robot <oliver.sang@intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202409131438.3f225fbf-oliver.sang@intel.com
[ 364.731854][ T2434] BUG: KASAN: slab-use-after-free in _copy_from_iter (include/linux/iov_iter.h:157 include/linux/iov_iter.h:308 include/linux/iov_iter.h:328 lib/iov_iter.c:249 lib/iov_iter.c:260)
[ 364.739592][ T2434] Read of size 8 at addr ffff8881b2af7d20 by task fstest/2434
[ 364.746901][ T2434]
[ 364.749086][ T2434] CPU: 1 UID: 0 PID: 2434 Comm: fstest Not tainted 6.11.0-rc6-00065-ga05b682d498a #1
[ 364.758405][ T2434] Hardware name: Dell Inc. OptiPlex 7040/0Y7WYT, BIOS 1.8.1 12/05/2017
[ 364.766511][ T2434] Call Trace:
[ 364.769650][ T2434] <TASK>
[ 364.772441][ T2434] dump_stack_lvl (lib/dump_stack.c:122 (discriminator 1))
[ 364.776796][ T2434] print_address_description+0x2c/0x3a0
[ 364.783231][ T2434] ? _copy_from_iter (include/linux/iov_iter.h:157 include/linux/iov_iter.h:308 include/linux/iov_iter.h:328 lib/iov_iter.c:249 lib/iov_iter.c:260)
[ 364.788188][ T2434] print_report (mm/kasan/report.c:489)
[ 364.792453][ T2434] ? kasan_addr_to_slab (mm/kasan/common.c:37)
[ 364.797237][ T2434] ? _copy_from_iter (include/linux/iov_iter.h:157 include/linux/iov_iter.h:308 include/linux/iov_iter.h:328 lib/iov_iter.c:249 lib/iov_iter.c:260)
[ 364.802196][ T2434] kasan_report (mm/kasan/report.c:603)
[ 364.806461][ T2434] ? _copy_from_iter (include/linux/iov_iter.h:157 include/linux/iov_iter.h:308 include/linux/iov_iter.h:328 lib/iov_iter.c:249 lib/iov_iter.c:260)
[ 364.811420][ T2434] _copy_from_iter (include/linux/iov_iter.h:157 include/linux/iov_iter.h:308 include/linux/iov_iter.h:328 lib/iov_iter.c:249 lib/iov_iter.c:260)
[ 364.816205][ T2434] ? __pfx_try_charge_memcg (mm/memcontrol.c:2158)
[ 364.821438][ T2434] ? __pfx__copy_from_iter (lib/iov_iter.c:254)
[ 364.826569][ T2434] ? __mod_memcg_state (mm/memcontrol.c:555 mm/memcontrol.c:669)
[ 364.831529][ T2434] ? check_heap_object (arch/x86/include/asm/bitops.h:206 arch/x86/include/asm/bitops.h:238 include/asm-generic/bitops/instrumented-non-atomic.h:142 include/linux/page-flags.h:827 include/linux/page-flags.h:848 include/linux/mm.h:1126 include/linux/mm.h:2142 mm/usercopy.c:199)
[ 364.836485][ T2434] ? 0xffffffff81000000
[ 364.840490][ T2434] ? __check_object_size (mm/memremap.c:167)
[ 364.846143][ T2434] skb_do_copy_data_nocache (include/linux/uio.h:219 include/linux/uio.h:236 include/net/sock.h:2167)
[ 364.851533][ T2434] ? __pfx_skb_do_copy_data_nocache (include/net/sock.h:2158)
[ 364.857443][ T2434] ? __sk_mem_schedule (net/core/sock.c:3194)
[ 364.862229][ T2434] tcp_sendmsg_locked (include/net/sock.h:2195 net/ipv4/tcp.c:1218)
[ 364.867274][ T2434] ? __pfx_tcp_sendmsg_locked (net/ipv4/tcp.c:1049)
[ 364.872665][ T2434] ? _raw_spin_lock_bh (arch/x86/include/asm/atomic.h:107 include/linux/atomic/atomic-arch-fallback.h:2170 include/linux/atomic/atomic-instrumented.h:1302 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:187 include/linux/spinlock_api_smp.h:127 kernel/locking/spinlock.c:178)
[ 364.877447][ T2434] ? __pfx__raw_spin_lock_bh (kernel/locking/spinlock.c:177)
[ 364.882751][ T2434] tcp_sendmsg (net/ipv4/tcp.c:1355)
[ 364.886840][ T2434] sock_sendmsg (net/socket.c:730 net/socket.c:745 net/socket.c:768)
[ 364.891192][ T2434] ? __pfx__raw_spin_lock_bh (kernel/locking/spinlock.c:177)
[ 364.896495][ T2434] ? __pfx_sock_sendmsg (net/socket.c:757)
[ 364.901387][ T2434] ? recalc_sigpending (arch/x86/include/asm/bitops.h:75 include/asm-generic/bitops/instrumented-atomic.h:42 include/linux/thread_info.h:94 kernel/signal.c:178 kernel/signal.c:175)
[ 364.906379][ T2434] smb_send_kvec (fs/smb/client/transport.c:215) cifs
[ 364.911543][ T2434] __smb_send_rqst (fs/smb/client/transport.c:361) cifs
[ 364.916848][ T2434] ? __pfx___smb_send_rqst (fs/smb/client/transport.c:274) cifs
[ 364.922668][ T2434] ? __pfx_mempool_alloc_noprof (mm/mempool.c:385)
[ 364.928234][ T2434] ? __asan_memset (mm/kasan/shadow.c:84)
[ 364.932672][ T2434] ? _raw_spin_lock (arch/x86/include/asm/atomic.h:107 include/linux/atomic/atomic-arch-fallback.h:2170 include/linux/atomic/atomic-instrumented.h:1302 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:187 include/linux/spinlock_api_smp.h:134 kernel/locking/spinlock.c:154)
[ 364.937195][ T2434] ? __pfx__raw_spin_lock (kernel/locking/spinlock.c:153)
[ 364.942239][ T2434] ? smb2_setup_async_request (fs/smb/client/smb2transport.c:903) cifs
[ 364.948496][ T2434] cifs_call_async (fs/smb/client/transport.c:841) cifs
[ 364.953800][ T2434] ? __pfx_cifs_call_async (fs/smb/client/transport.c:787) cifs
[ 364.959623][ T2434] ? _raw_spin_lock (arch/x86/include/asm/atomic.h:107 include/linux/atomic/atomic-arch-fallback.h:2170 include/linux/atomic/atomic-instrumented.h:1302 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:187 include/linux/spinlock_api_smp.h:134 kernel/locking/spinlock.c:154)
[ 364.964148][ T2434] ? __asan_memset (mm/kasan/shadow.c:84)
[ 364.968586][ T2434] ? __smb2_plain_req_init (arch/x86/include/asm/atomic.h:53 include/linux/atomic/atomic-arch-fallback.h:992 include/linux/atomic/atomic-instrumented.h:436 fs/smb/client/smb2pdu.c:555) cifs
[ 364.974672][ T2434] smb2_async_writev (fs/smb/client/smb2pdu.c:5026) cifs
[ 364.980242][ T2434] ? __pfx_smb2_async_writev (fs/smb/client/smb2pdu.c:4894) cifs
[ 364.986252][ T2434] ? cifs_pick_channel (fs/smb/client/transport.c:1068) cifs
[ 364.991910][ T2434] ? cifs_prepare_write (fs/smb/client/file.c:77) cifs
[ 364.997652][ T2434] ? netfs_advance_write (fs/netfs/write_issue.c:300)
[ 365.002792][ T2434] netfs_advance_write (fs/netfs/write_issue.c:300)
[ 365.007758][ T2434] ? netfs_buffer_append_folio (arch/x86/include/asm/bitops.h:206 (discriminator 3) arch/x86/include/asm/bitops.h:238 (discriminator 3) include/asm-generic/bitops/instrumented-non-atomic.h:142 (discriminator 3) include/linux/page-flags.h:827 (discriminator 3) include/linux/page-flags.h:848 (discriminator 3) include/linux/mm.h:1126 (discriminator 3) include/linux/folio_queue.h:102 (discriminator 3) fs/netfs/misc.c:43 (discriminator 3))
[ 365.013434][ T2434] netfs_write_folio (fs/netfs/write_issue.c:468)
[ 365.018306][ T2434] ? writeback_iter (mm/page-writeback.c:2591)
[ 365.023007][ T2434] netfs_writepages (fs/netfs/write_issue.c:540)
[ 365.027705][ T2434] ? __pfx_netfs_writepages (fs/netfs/write_issue.c:499)
[ 365.032922][ T2434] do_writepages (mm/page-writeback.c:2683)
[ 365.037377][ T2434] ? rcu_segcblist_enqueue (arch/x86/include/asm/atomic64_64.h:25 include/linux/atomic/atomic-arch-fallback.h:2672 include/linux/atomic/atomic-long.h:121 include/linux/atomic/atomic-instrumented.h:3261 kernel/rcu/rcu_segcblist.c:214 kernel/rcu/rcu_segcblist.c:231 kernel/rcu/rcu_segcblist.c:343)
[ 365.042510][ T2434] ? __pfx_do_writepages (mm/page-writeback.c:2673)
[ 365.047466][ T2434] ? __call_rcu_common+0x321/0x9e0
[ 365.053466][ T2434] ? _raw_spin_lock (arch/x86/include/asm/atomic.h:107 include/linux/atomic/atomic-arch-fallback.h:2170 include/linux/atomic/atomic-instrumented.h:1302 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:187 include/linux/spinlock_api_smp.h:134 kernel/locking/spinlock.c:154)
[ 365.057988][ T2434] ? __pfx__raw_spin_lock (kernel/locking/spinlock.c:153)
[ 365.063030][ T2434] ? wbc_attach_and_unlock_inode (arch/x86/include/asm/jump_label.h:27 include/linux/backing-dev.h:176 fs/fs-writeback.c:737)
[ 365.068766][ T2434] filemap_fdatawrite_wbc (mm/filemap.c:398 mm/filemap.c:387)
[ 365.073983][ T2434] __filemap_fdatawrite_range (mm/filemap.c:422)
[ 365.079385][ T2434] ? __pfx___filemap_fdatawrite_range (mm/filemap.c:422)
[ 365.085489][ T2434] ? _raw_spin_lock (arch/x86/include/asm/atomic.h:107 include/linux/atomic/atomic-arch-fallback.h:2170 include/linux/atomic/atomic-instrumented.h:1302 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:187 include/linux/spinlock_api_smp.h:134 kernel/locking/spinlock.c:154)
[ 365.090015][ T2434] ? __pfx__raw_spin_lock (kernel/locking/spinlock.c:153)
[ 365.095058][ T2434] filemap_write_and_wait_range (mm/filemap.c:685 mm/filemap.c:676)
[ 365.100621][ T2434] cifs_flush (fs/smb/client/file.c:2763) cifs
[ 365.105493][ T2434] filp_flush (fs/open.c:1526)
[ 365.109586][ T2434] __x64_sys_close (fs/open.c:1566 fs/open.c:1551 fs/open.c:1551)
[ 365.114025][ T2434] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
[ 365.118385][ T2434] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[ 365.124149][ T2434] RIP: 0033:0x7fc02c3878e0
[ 365.128414][ T2434] Code: 0d 00 00 00 eb b2 e8 ff f7 01 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 80 3d 01 1d 0e 00 00 74 17 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c
All code
========
0: 0d 00 00 00 eb or $0xeb000000,%eax
5: b2 e8 mov $0xe8,%dl
7: ff f7 push %rdi
9: 01 00 add %eax,(%rax)
b: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
12: 00 00 00
15: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
1a: 80 3d 01 1d 0e 00 00 cmpb $0x0,0xe1d01(%rip) # 0xe1d22
21: 74 17 je 0x3a
23: b8 03 00 00 00 mov $0x3,%eax
28: 0f 05 syscall
2a:* 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax <-- trapping instruction
30: 77 48 ja 0x7a
32: c3 retq
33: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)
3a: 48 83 ec 18 sub $0x18,%rsp
3e: 89 .byte 0x89
3f: 7c .byte 0x7c
Code starting with the faulting instruction
===========================================
0: 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax
6: 77 48 ja 0x50
8: c3 retq
9: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)
10: 48 83 ec 18 sub $0x18,%rsp
14: 89 .byte 0x89
15: 7c .byte 0x7c
[ 365.147838][ T2434] RSP: 002b:00007fffcdbaed28 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
[ 365.156089][ T2434] RAX: ffffffffffffffda RBX: 000055ea7a5142b0 RCX: 00007fc02c3878e0
[ 365.163904][ T2434] RDX: 000000000001dd50 RSI: 0000000000000000 RDI: 0000000000000004
[ 365.171718][ T2434] RBP: 0000000000000004 R08: 0000000000000004 R09: 0000000000000000
[ 365.179535][ T2434] R10: 0000000000000001 R11: 0000000000000202 R12: 000000000000000a
[ 365.187349][ T2434] R13: 0000000000a00000 R14: 0000000000a00000 R15: 0000000000002000
[ 365.195186][ T2434] </TASK>
[ 365.198063][ T2434]
[ 365.200249][ T2434] Allocated by task 2434:
[ 365.204436][ T2434] kasan_save_stack (mm/kasan/common.c:48)
[ 365.208958][ T2434] kasan_save_track (arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69)
[ 365.213492][ T2434] __kasan_kmalloc (mm/kasan/common.c:370 mm/kasan/common.c:387)
[ 365.217927][ T2434] netfs_buffer_append_folio (include/linux/slab.h:681 fs/netfs/misc.c:25)
[ 365.223428][ T2434] netfs_write_folio (fs/netfs/write_issue.c:434)
[ 365.228306][ T2434] netfs_writepages (fs/netfs/write_issue.c:540)
[ 365.233013][ T2434] do_writepages (mm/page-writeback.c:2683)
[ 365.237456][ T2434] filemap_fdatawrite_wbc (mm/filemap.c:398 mm/filemap.c:387)
[ 365.242681][ T2434] __filemap_fdatawrite_range (mm/filemap.c:422)
[ 365.248079][ T2434] filemap_write_and_wait_range (mm/filemap.c:685 mm/filemap.c:676)
[ 365.253643][ T2434] cifs_flush (fs/smb/client/file.c:2763) cifs
[ 365.258510][ T2434] filp_flush (fs/open.c:1526)
[ 365.262604][ T2434] __x64_sys_close (fs/open.c:1566 fs/open.c:1551 fs/open.c:1551)
[ 365.267040][ T2434] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
[ 365.271391][ T2434] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[ 365.277142][ T2434]
[ 365.279326][ T2434] Freed by task 11:
[ 365.282983][ T2434] kasan_save_stack (mm/kasan/common.c:48)
[ 365.287505][ T2434] kasan_save_track (arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69)
[ 365.292028][ T2434] kasan_save_free_info (mm/kasan/generic.c:582)
[ 365.296899][ T2434] poison_slab_object (mm/kasan/common.c:242)
[ 365.301768][ T2434] __kasan_slab_free (mm/kasan/common.c:256)
[ 365.306399][ T2434] kfree (mm/slub.c:4478 mm/slub.c:4598)
[ 365.310057][ T2434] netfs_delete_buffer_head (fs/netfs/misc.c:60)
[ 365.315379][ T2434] netfs_writeback_unlock_folios (fs/netfs/write_collect.c:144)
[ 365.321202][ T2434] netfs_collect_write_results (fs/netfs/write_collect.c:558)
[ 365.326937][ T2434] netfs_write_collection_worker (include/linux/instrumented.h:68 include/asm-generic/bitops/instrumented-non-atomic.h:141 fs/netfs/write_collect.c:648)
[ 365.332759][ T2434] process_one_work (kernel/workqueue.c:3231)
[ 365.337542][ T2434] worker_thread (kernel/workqueue.c:3306 kernel/workqueue.c:3389)
[ 365.341980][ T2434] kthread (kernel/kthread.c:389)
[ 365.345895][ T2434] ret_from_fork (arch/x86/kernel/process.c:147)
[ 365.350158][ T2434] ret_from_fork_asm (arch/x86/entry/entry_64.S:257)
[ 365.354767][ T2434]
[ 365.356949][ T2434] The buggy address belongs to the object at ffff8881b2af7c00
The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20240913/202409131438.3f225fbf-oliver.sang@intel.com
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki