* BUG: KASAN: use-after-free in xfs_iflush_cluster+0x9d7/0xaf0
@ 2015-12-14 18:00 ` Andrea Gelmini
0 siblings, 0 replies; 18+ messages in thread
From: Andrea Gelmini @ 2015-12-14 18:00 UTC (permalink / raw)
To: linux-kernel; +Cc: david, xfs
[-- Attachment #1.1: Type: text/plain, Size: 12617 bytes --]
Hi everybody,
using dev kernel v4.4, I have this:
[40240.371807] ==================================================================
[40240.371826] BUG: KASAN: use-after-free in xfs_iflush_cluster+0x9d7/0xaf0 at addr ffff88001ed15428
[40240.371832] Read of size 4 by task xfsaild/dm-0/332
[40240.371834] =============================================================================
[40240.371839] BUG xfs_ili (Tainted: G B ): kasan: bad access detected
[40240.371842] -----------------------------------------------------------------------------
[40240.371851] INFO: Allocated in kmem_zone_alloc+0x7c/0x180 age=996 cpu=2 pid=11139
[40240.371858] ___slab_alloc.constprop.27+0x379/0x3a0
[40240.371863] __slab_alloc.isra.24.constprop.26+0x26/0x40
[40240.371867] kmem_cache_alloc+0x111/0x150
[40240.371871] kmem_zone_alloc+0x7c/0x180
[40240.371876] xfs_inode_item_init+0x22/0xb0
[40240.371881] xfs_trans_ijoin+0xa4/0x110
[40240.371885] xfs_rename+0x380/0xe70
[40240.371889] xfs_vn_rename+0x2a8/0x5c0
[40240.371893] vfs_rename+0xa64/0x1310
[40240.371899] SyS_renameat2+0x961/0xa70
[40240.371902] SyS_rename+0x19/0x20
[40240.371906] entry_SYSCALL_64_fastpath+0x16/0x75
[40240.371911] INFO: Freed in xfs_inode_item_destroy+0x39/0x50 age=0 cpu=1 pid=40
[40240.371916] __slab_free+0x292/0x3d0
[40240.371919] kmem_cache_free+0x181/0x190
[40240.371923] xfs_inode_item_destroy+0x39/0x50
[40240.371927] xfs_inode_free+0xcd/0x360
[40240.371930] xfs_reclaim_inode+0x542/0x880
[40240.371933] xfs_reclaim_inodes_ag+0x356/0x710
[40240.371936] xfs_reclaim_inodes_nr+0x49/0x60
[40240.371940] xfs_fs_free_cached_objects+0x55/0x80
[40240.371944] super_cache_scan+0x329/0x410
[40240.371949] shrink_slab.part.7+0x2ee/0x510
[40240.371953] shrink_zone+0x7a0/0xae0
[40240.371956] kswapd+0x931/0x1010
[40240.371961] kthread+0x1c0/0x260
[40240.371964] ret_from_fork+0x3f/0x70
[40240.371968] INFO: Slab 0xffffea00007b4500 objects=17 used=14 fp=0xffff88001ed14c78 flags=0x4000000000004080
[40240.371971] INFO: Object 0xffff88001ed15398 @offset=5016 fp=0xffff88001ed151d0
[40240.371977] Bytes b4 ffff88001ed15388: 01 00 00 00 28 00 00 00 67 72 61 02 01 00 00 00 ....(...gra.....
[40240.371982] Object ffff88001ed15398: d0 51 d1 1e 00 88 ff ff 00 02 00 00 00 00 ad de .Q..............
[40240.371986] Object ffff88001ed153a8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[40240.371989] Object ffff88001ed153b8: 20 b7 27 c8 00 88 ff ff 00 80 19 35 00 88 ff ff .'........5....
[40240.371993] Object ffff88001ed153c8: 3b 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ;...............
[40240.371996] Object ffff88001ed153d8: 30 d8 82 81 ff ff ff ff c0 26 5b 82 ff ff ff ff 0........&[.....
[40240.371999] Object ffff88001ed153e8: e8 53 d1 1e 00 88 ff ff e8 53 d1 1e 00 88 ff ff .S.......S......
[40240.372003] Object ffff88001ed153f8: 00 00 00 00 00 00 00 00 73 0d 01 00 00 00 00 00 ........s.......
[40240.372006] Object ffff88001ed15408: c0 78 76 c8 00 88 ff ff 6b 2a 00 00 82 00 00 00 .xv.....k*......
[40240.372010] Object ffff88001ed15418: 73 0d 01 00 00 00 00 00 00 00 00 00 00 00 00 00 s...............
[40240.372013] Object ffff88001ed15428: 00 00 00 00 00 00 00 00 ........
[40240.372019] CPU: 2 PID: 332 Comm: xfsaild/dm-0 Tainted: G B 4.4.0-rc4KASan-00110-g35bfb6c #13
[40240.372021] Hardware name: LENOVO 2356LRG/2356LRG, BIOS G7ETA3WW (2.63 ) 04/16/2015
[40240.372024] ffff88001ed14000 ffff880384d679e0 ffffffff819c71d7 ffff880386778000
[40240.372029] ffff880384d67a10 ffffffff813e2504 ffff880386778000 ffffea00007b4500
[40240.372034] ffff88001ed15398 ffff8800c87678c0 ffff880384d67a38 ffffffff813e6bcf
[40240.372038] Call Trace:
[40240.372043] [<ffffffff819c71d7>] dump_stack+0x4b/0x74
[40240.372048] [<ffffffff813e2504>] print_trailer+0xf4/0x150
[40240.372052] [<ffffffff813e6bcf>] object_err+0x2f/0x40
[40240.372058] [<ffffffff813e880c>] kasan_report_error+0x21c/0x540
[40240.372063] [<ffffffff819d3900>] ? radix_tree_next_chunk+0x690/0x690
[40240.372068] [<ffffffff813e8bee>] __asan_report_load4_noabort+0x3e/0x40
[40240.372073] [<ffffffff817f2b47>] ? xfs_iflush_cluster+0x9d7/0xaf0
[40240.372077] [<ffffffff817f2b47>] xfs_iflush_cluster+0x9d7/0xaf0
[40240.372081] [<ffffffff817fb87a>] xfs_iflush+0x37a/0x5b0
[40240.372086] [<ffffffff817fb500>] ? xfs_rename+0xe70/0xe70
[40240.372092] [<ffffffff8120bd94>] ? del_timer_sync+0x64/0x80
[40240.372097] [<ffffffff824cada0>] ? schedule_timeout+0x230/0x3a0
[40240.372102] [<ffffffff8182d5ca>] xfs_inode_item_push+0x25a/0x390
[40240.372106] [<ffffffff8182d370>] ? xfs_inode_item_unlock+0x80/0x80
[40240.372111] [<ffffffff818444a3>] ? xfs_trans_ail_cursor_first+0x23/0x1a0
[40240.372115] [<ffffffff81844d1b>] xfsaild+0x6fb/0x12b0
[40240.372119] [<ffffffff81844620>] ? xfs_trans_ail_cursor_first+0x1a0/0x1a0
[40240.372123] [<ffffffff824c3a92>] ? __schedule+0x642/0x19f0
[40240.372128] [<ffffffff81844620>] ? xfs_trans_ail_cursor_first+0x1a0/0x1a0
[40240.372132] [<ffffffff81844620>] ? xfs_trans_ail_cursor_first+0x1a0/0x1a0
[40240.372137] [<ffffffff81154320>] kthread+0x1c0/0x260
[40240.372141] [<ffffffff81154160>] ? kthread_worker_fn+0x560/0x560
[40240.372146] [<ffffffff81154160>] ? kthread_worker_fn+0x560/0x560
[40240.372150] [<ffffffff824ccf8f>] ret_from_fork+0x3f/0x70
[40240.372154] [<ffffffff81154160>] ? kthread_worker_fn+0x560/0x560
[40240.372157] Memory state around the buggy address:
[40240.372161] ffff88001ed15300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[40240.372164] ffff88001ed15380: fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb fb
[40240.372168] >ffff88001ed15400: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[40240.372171] ^
[40240.372174] ffff88001ed15480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[40240.372177] ffff88001ed15500: fc fc fc fc fc fc fc fc fc fc fc fc 00 00 00 00
[40240.372180] ==================================================================
Also with more recent commits, I've got it:
[25886.160963] ==================================================================
[25886.160981] BUG: KASAN: use-after-free in xfs_iflush_cluster+0x9d7/0xaf0 at addr ffff880345ab67b0
[25886.160985] Read of size 4 by task xfsaild/dm-0/339
[25886.160987] =============================================================================
[25886.160991] BUG xfs_ili (Tainted: G OE ): kasan: bad access detected
[25886.160993] -----------------------------------------------------------------------------
[25886.160997] Disabling lock debugging due to kernel taint
[25886.161002] INFO: Allocated in kmem_zone_alloc+0x7c/0x180 age=29338 cpu=2 pid=3748
[25886.161008] ___slab_alloc.constprop.27+0x379/0x3a0
[25886.161012] __slab_alloc.isra.24.constprop.26+0x26/0x40
[25886.161015] kmem_cache_alloc+0x111/0x150
[25886.161019] kmem_zone_alloc+0x7c/0x180
[25886.161023] xfs_inode_item_init+0x22/0xb0
[25886.161027] xfs_trans_ijoin+0xa4/0x110
[25886.161031] xfs_ialloc+0xa1d/0x1470
[25886.161034] xfs_dir_ialloc+0x106/0x670
[25886.161038] xfs_create+0x674/0x1070
[25886.161042] xfs_generic_create+0x375/0x500
[25886.161045] xfs_vn_mknod+0xf/0x20
[25886.161048] xfs_vn_create+0xe/0x10
[25886.161053] vfs_create+0x1ff/0x390
[25886.161057] path_openat+0x2d41/0x3e50
[25886.161061] do_filp_open+0x170/0x230
[25886.161065] do_sys_open+0x198/0x350
[25886.161069] INFO: Freed in xfs_inode_item_destroy+0x39/0x50 age=0 cpu=3 pid=14453
[25886.161073] __slab_free+0x292/0x3d0
[25886.161077] kmem_cache_free+0x181/0x190
[25886.161080] xfs_inode_item_destroy+0x39/0x50
[25886.161083] xfs_inode_free+0xcd/0x360
[25886.161086] xfs_reclaim_inode+0x542/0x880
[25886.161089] xfs_reclaim_inodes_ag+0x356/0x710
[25886.161093] xfs_reclaim_inodes_nr+0x49/0x60
[25886.161097] xfs_fs_free_cached_objects+0x55/0x80
[25886.161101] super_cache_scan+0x329/0x410
[25886.161105] shrink_slab.part.7+0x2ee/0x510
[25886.161110] shrink_zone+0x7a0/0xae0
[25886.161113] do_try_to_free_pages+0x3d7/0xfd0
[25886.161117] try_to_free_pages+0x144/0x1d0
[25886.161120] __alloc_pages_nodemask+0x8dd/0x12b0
[25886.161124] do_huge_pmd_anonymous_page+0x240/0xae0
[25886.161129] handle_mm_fault+0x25fc/0x32f0
[25886.161133] INFO: Slab 0xffffea000d16ad80 objects=17 used=10 fp=0xffff880345ab7c80 flags=0x8000000000004080
[25886.161136] INFO: Object 0xffff880345ab6720 @offset=1824 fp=0xffff880345ab7008
[25886.161142] Bytes b4 ffff880345ab6710: 02 00 00 00 15 2b 00 00 74 5e 7a 01 01 00 00 00 .....+..t^z.....
[25886.161146] Object ffff880345ab6720: 08 70 ab 45 03 88 ff ff 00 02 00 00 00 00 ad de .p.E............
[25886.161150] Object ffff880345ab6730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[25886.161153] Object ffff880345ab6740: 10 65 e7 85 03 88 ff ff 00 7b ef 85 03 88 ff ff .e.......{......
[25886.161156] Object ffff880345ab6750: 3b 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ;...............
[25886.161159] Object ffff880345ab6760: 00 d9 82 81 ff ff ff ff c0 26 5b 82 ff ff ff ff .........&[.....
[25886.161162] Object ffff880345ab6770: 70 67 ab 45 03 88 ff ff 70 67 ab 45 03 88 ff ff pg.E....pg.E....
[25886.161166] Object ffff880345ab6780: 00 00 00 00 00 00 00 00 aa 83 00 00 00 00 00 00 ................
[25886.161170] Object ffff880345ab6790: c0 e3 a5 8b 03 88 ff ff 0f af 07 00 90 00 00 00 ................
[25886.161172] Object ffff880345ab67a0: c9 83 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[25886.161174] Object ffff880345ab67b0: 00 00 00 00 00 00 00 00 ........
[25886.161178] CPU: 2 PID: 339 Comm: xfsaild/dm-0 Tainted: G B OE 4.4.0-rc4KASan-00274-g7bb2729 #1
[25886.161180] Hardware name: LENOVO 2356LRG/2356LRG, BIOS G7ETA4WW (2.64 ) 10/08/2015
[25886.161182] ffff880345ab6000 ffff880384f579e0 ffffffff819c7397 ffff8803867a4000
[25886.161185] ffff880384f57a10 ffffffff813e2554 ffff8803867a4000 ffffea000d16ad80
[25886.161187] ffff880345ab6720 ffff88038ba5e3c0 ffff880384f57a38 ffffffff813e6c1f
[25886.161190] Call Trace:
[25886.161194] [<ffffffff819c7397>] dump_stack+0x4b/0x74
[25886.161197] [<ffffffff813e2554>] print_trailer+0xf4/0x150
[25886.161200] [<ffffffff813e6c1f>] object_err+0x2f/0x40
[25886.161203] [<ffffffff813e885c>] kasan_report_error+0x21c/0x540
[25886.161207] [<ffffffff811b39f0>] ? abort_exclusive_wait+0x1c0/0x1c0
[25886.161210] [<ffffffff813e8c3e>] __asan_report_load4_noabort+0x3e/0x40
[25886.161213] [<ffffffff817f2c17>] ? xfs_iflush_cluster+0x9d7/0xaf0
[25886.161215] [<ffffffff817f2c17>] xfs_iflush_cluster+0x9d7/0xaf0
[25886.161218] [<ffffffff817fb94a>] xfs_iflush+0x37a/0x5b0
[25886.161221] [<ffffffff817fb5d0>] ? xfs_rename+0xe70/0xe70
[25886.161225] [<ffffffff8120bd94>] ? del_timer_sync+0x64/0x80
[25886.161228] [<ffffffff824caeb0>] ? schedule_timeout+0x230/0x3a0
[25886.161231] [<ffffffff824cac80>] ? usleep_range+0xe0/0xe0
[25886.161234] [<ffffffff8182d69a>] xfs_inode_item_push+0x25a/0x390
[25886.161237] [<ffffffff8182d440>] ? xfs_inode_item_unlock+0x80/0x80
[25886.161239] [<ffffffff81844573>] ? xfs_trans_ail_cursor_first+0x23/0x1a0
[25886.161241] [<ffffffff81844deb>] xfsaild+0x6fb/0x12b0
[25886.161244] [<ffffffff818446f0>] ? xfs_trans_ail_cursor_first+0x1a0/0x1a0
[25886.161246] [<ffffffff824c3ba2>] ? __schedule+0x642/0x19f0
[25886.161248] [<ffffffff818446f0>] ? xfs_trans_ail_cursor_first+0x1a0/0x1a0
[25886.161251] [<ffffffff818446f0>] ? xfs_trans_ail_cursor_first+0x1a0/0x1a0
[25886.161254] [<ffffffff81154320>] kthread+0x1c0/0x260
[25886.161256] [<ffffffff81154160>] ? kthread_worker_fn+0x560/0x560
[25886.161259] [<ffffffff81154160>] ? kthread_worker_fn+0x560/0x560
[25886.161262] [<ffffffff824cd08f>] ret_from_fork+0x3f/0x70
[25886.161265] [<ffffffff81154160>] ? kthread_worker_fn+0x560/0x560
[25886.161267] Memory state around the buggy address:
[25886.161270] ffff880345ab6680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[25886.161273] ffff880345ab6700: fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb
[25886.161276] >ffff880345ab6780: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[25886.161278] ^
[25886.161281] ffff880345ab6800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[25886.161284] ffff880345ab6880: fc fc fc fc fc fc fc fc fc fc fc fc fc 00 00 00
[25886.161286] ==================================================================
The compiled kernel is a vanilla one, with a few patches pulled from BTRFS.
The XFS filesystem is running on LUKS, on a SSD.
No corruption or problems found at the moment.
Thanks a lot,
Andrea
[-- Attachment #1.2: config.txt.gz --]
[-- Type: application/gzip, Size: 40649 bytes --]
[-- Attachment #1.3: dmesg.txt.gz --]
[-- Type: application/gzip, Size: 30390 bytes --]
[-- Attachment #1.4: hdparm_sda.txt.gz --]
[-- Type: application/gzip, Size: 1666 bytes --]
[-- Attachment #1.5: lspci.txt.gz --]
[-- Type: application/gzip, Size: 501 bytes --]
[-- Attachment #1.6: dmidecode.txt.gz --]
[-- Type: application/gzip, Size: 4070 bytes --]
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 949 bytes --]
^ permalink raw reply [flat|nested] 18+ messages in thread
* BUG: KASAN: use-after-free in xfs_iflush_cluster+0x9d7/0xaf0
@ 2015-12-14 18:00 ` Andrea Gelmini
0 siblings, 0 replies; 18+ messages in thread
From: Andrea Gelmini @ 2015-12-14 18:00 UTC (permalink / raw)
To: linux-kernel; +Cc: xfs
[-- Attachment #1.1.1: Type: text/plain, Size: 12617 bytes --]
Hi everybody,
using dev kernel v4.4, I have this:
[40240.371807] ==================================================================
[40240.371826] BUG: KASAN: use-after-free in xfs_iflush_cluster+0x9d7/0xaf0 at addr ffff88001ed15428
[40240.371832] Read of size 4 by task xfsaild/dm-0/332
[40240.371834] =============================================================================
[40240.371839] BUG xfs_ili (Tainted: G B ): kasan: bad access detected
[40240.371842] -----------------------------------------------------------------------------
[40240.371851] INFO: Allocated in kmem_zone_alloc+0x7c/0x180 age=996 cpu=2 pid=11139
[40240.371858] ___slab_alloc.constprop.27+0x379/0x3a0
[40240.371863] __slab_alloc.isra.24.constprop.26+0x26/0x40
[40240.371867] kmem_cache_alloc+0x111/0x150
[40240.371871] kmem_zone_alloc+0x7c/0x180
[40240.371876] xfs_inode_item_init+0x22/0xb0
[40240.371881] xfs_trans_ijoin+0xa4/0x110
[40240.371885] xfs_rename+0x380/0xe70
[40240.371889] xfs_vn_rename+0x2a8/0x5c0
[40240.371893] vfs_rename+0xa64/0x1310
[40240.371899] SyS_renameat2+0x961/0xa70
[40240.371902] SyS_rename+0x19/0x20
[40240.371906] entry_SYSCALL_64_fastpath+0x16/0x75
[40240.371911] INFO: Freed in xfs_inode_item_destroy+0x39/0x50 age=0 cpu=1 pid=40
[40240.371916] __slab_free+0x292/0x3d0
[40240.371919] kmem_cache_free+0x181/0x190
[40240.371923] xfs_inode_item_destroy+0x39/0x50
[40240.371927] xfs_inode_free+0xcd/0x360
[40240.371930] xfs_reclaim_inode+0x542/0x880
[40240.371933] xfs_reclaim_inodes_ag+0x356/0x710
[40240.371936] xfs_reclaim_inodes_nr+0x49/0x60
[40240.371940] xfs_fs_free_cached_objects+0x55/0x80
[40240.371944] super_cache_scan+0x329/0x410
[40240.371949] shrink_slab.part.7+0x2ee/0x510
[40240.371953] shrink_zone+0x7a0/0xae0
[40240.371956] kswapd+0x931/0x1010
[40240.371961] kthread+0x1c0/0x260
[40240.371964] ret_from_fork+0x3f/0x70
[40240.371968] INFO: Slab 0xffffea00007b4500 objects=17 used=14 fp=0xffff88001ed14c78 flags=0x4000000000004080
[40240.371971] INFO: Object 0xffff88001ed15398 @offset=5016 fp=0xffff88001ed151d0
[40240.371977] Bytes b4 ffff88001ed15388: 01 00 00 00 28 00 00 00 67 72 61 02 01 00 00 00 ....(...gra.....
[40240.371982] Object ffff88001ed15398: d0 51 d1 1e 00 88 ff ff 00 02 00 00 00 00 ad de .Q..............
[40240.371986] Object ffff88001ed153a8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[40240.371989] Object ffff88001ed153b8: 20 b7 27 c8 00 88 ff ff 00 80 19 35 00 88 ff ff .'........5....
[40240.371993] Object ffff88001ed153c8: 3b 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ;...............
[40240.371996] Object ffff88001ed153d8: 30 d8 82 81 ff ff ff ff c0 26 5b 82 ff ff ff ff 0........&[.....
[40240.371999] Object ffff88001ed153e8: e8 53 d1 1e 00 88 ff ff e8 53 d1 1e 00 88 ff ff .S.......S......
[40240.372003] Object ffff88001ed153f8: 00 00 00 00 00 00 00 00 73 0d 01 00 00 00 00 00 ........s.......
[40240.372006] Object ffff88001ed15408: c0 78 76 c8 00 88 ff ff 6b 2a 00 00 82 00 00 00 .xv.....k*......
[40240.372010] Object ffff88001ed15418: 73 0d 01 00 00 00 00 00 00 00 00 00 00 00 00 00 s...............
[40240.372013] Object ffff88001ed15428: 00 00 00 00 00 00 00 00 ........
[40240.372019] CPU: 2 PID: 332 Comm: xfsaild/dm-0 Tainted: G B 4.4.0-rc4KASan-00110-g35bfb6c #13
[40240.372021] Hardware name: LENOVO 2356LRG/2356LRG, BIOS G7ETA3WW (2.63 ) 04/16/2015
[40240.372024] ffff88001ed14000 ffff880384d679e0 ffffffff819c71d7 ffff880386778000
[40240.372029] ffff880384d67a10 ffffffff813e2504 ffff880386778000 ffffea00007b4500
[40240.372034] ffff88001ed15398 ffff8800c87678c0 ffff880384d67a38 ffffffff813e6bcf
[40240.372038] Call Trace:
[40240.372043] [<ffffffff819c71d7>] dump_stack+0x4b/0x74
[40240.372048] [<ffffffff813e2504>] print_trailer+0xf4/0x150
[40240.372052] [<ffffffff813e6bcf>] object_err+0x2f/0x40
[40240.372058] [<ffffffff813e880c>] kasan_report_error+0x21c/0x540
[40240.372063] [<ffffffff819d3900>] ? radix_tree_next_chunk+0x690/0x690
[40240.372068] [<ffffffff813e8bee>] __asan_report_load4_noabort+0x3e/0x40
[40240.372073] [<ffffffff817f2b47>] ? xfs_iflush_cluster+0x9d7/0xaf0
[40240.372077] [<ffffffff817f2b47>] xfs_iflush_cluster+0x9d7/0xaf0
[40240.372081] [<ffffffff817fb87a>] xfs_iflush+0x37a/0x5b0
[40240.372086] [<ffffffff817fb500>] ? xfs_rename+0xe70/0xe70
[40240.372092] [<ffffffff8120bd94>] ? del_timer_sync+0x64/0x80
[40240.372097] [<ffffffff824cada0>] ? schedule_timeout+0x230/0x3a0
[40240.372102] [<ffffffff8182d5ca>] xfs_inode_item_push+0x25a/0x390
[40240.372106] [<ffffffff8182d370>] ? xfs_inode_item_unlock+0x80/0x80
[40240.372111] [<ffffffff818444a3>] ? xfs_trans_ail_cursor_first+0x23/0x1a0
[40240.372115] [<ffffffff81844d1b>] xfsaild+0x6fb/0x12b0
[40240.372119] [<ffffffff81844620>] ? xfs_trans_ail_cursor_first+0x1a0/0x1a0
[40240.372123] [<ffffffff824c3a92>] ? __schedule+0x642/0x19f0
[40240.372128] [<ffffffff81844620>] ? xfs_trans_ail_cursor_first+0x1a0/0x1a0
[40240.372132] [<ffffffff81844620>] ? xfs_trans_ail_cursor_first+0x1a0/0x1a0
[40240.372137] [<ffffffff81154320>] kthread+0x1c0/0x260
[40240.372141] [<ffffffff81154160>] ? kthread_worker_fn+0x560/0x560
[40240.372146] [<ffffffff81154160>] ? kthread_worker_fn+0x560/0x560
[40240.372150] [<ffffffff824ccf8f>] ret_from_fork+0x3f/0x70
[40240.372154] [<ffffffff81154160>] ? kthread_worker_fn+0x560/0x560
[40240.372157] Memory state around the buggy address:
[40240.372161] ffff88001ed15300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[40240.372164] ffff88001ed15380: fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb fb
[40240.372168] >ffff88001ed15400: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[40240.372171] ^
[40240.372174] ffff88001ed15480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[40240.372177] ffff88001ed15500: fc fc fc fc fc fc fc fc fc fc fc fc 00 00 00 00
[40240.372180] ==================================================================
Also with more recent commits, I've got it:
[25886.160963] ==================================================================
[25886.160981] BUG: KASAN: use-after-free in xfs_iflush_cluster+0x9d7/0xaf0 at addr ffff880345ab67b0
[25886.160985] Read of size 4 by task xfsaild/dm-0/339
[25886.160987] =============================================================================
[25886.160991] BUG xfs_ili (Tainted: G OE ): kasan: bad access detected
[25886.160993] -----------------------------------------------------------------------------
[25886.160997] Disabling lock debugging due to kernel taint
[25886.161002] INFO: Allocated in kmem_zone_alloc+0x7c/0x180 age=29338 cpu=2 pid=3748
[25886.161008] ___slab_alloc.constprop.27+0x379/0x3a0
[25886.161012] __slab_alloc.isra.24.constprop.26+0x26/0x40
[25886.161015] kmem_cache_alloc+0x111/0x150
[25886.161019] kmem_zone_alloc+0x7c/0x180
[25886.161023] xfs_inode_item_init+0x22/0xb0
[25886.161027] xfs_trans_ijoin+0xa4/0x110
[25886.161031] xfs_ialloc+0xa1d/0x1470
[25886.161034] xfs_dir_ialloc+0x106/0x670
[25886.161038] xfs_create+0x674/0x1070
[25886.161042] xfs_generic_create+0x375/0x500
[25886.161045] xfs_vn_mknod+0xf/0x20
[25886.161048] xfs_vn_create+0xe/0x10
[25886.161053] vfs_create+0x1ff/0x390
[25886.161057] path_openat+0x2d41/0x3e50
[25886.161061] do_filp_open+0x170/0x230
[25886.161065] do_sys_open+0x198/0x350
[25886.161069] INFO: Freed in xfs_inode_item_destroy+0x39/0x50 age=0 cpu=3 pid=14453
[25886.161073] __slab_free+0x292/0x3d0
[25886.161077] kmem_cache_free+0x181/0x190
[25886.161080] xfs_inode_item_destroy+0x39/0x50
[25886.161083] xfs_inode_free+0xcd/0x360
[25886.161086] xfs_reclaim_inode+0x542/0x880
[25886.161089] xfs_reclaim_inodes_ag+0x356/0x710
[25886.161093] xfs_reclaim_inodes_nr+0x49/0x60
[25886.161097] xfs_fs_free_cached_objects+0x55/0x80
[25886.161101] super_cache_scan+0x329/0x410
[25886.161105] shrink_slab.part.7+0x2ee/0x510
[25886.161110] shrink_zone+0x7a0/0xae0
[25886.161113] do_try_to_free_pages+0x3d7/0xfd0
[25886.161117] try_to_free_pages+0x144/0x1d0
[25886.161120] __alloc_pages_nodemask+0x8dd/0x12b0
[25886.161124] do_huge_pmd_anonymous_page+0x240/0xae0
[25886.161129] handle_mm_fault+0x25fc/0x32f0
[25886.161133] INFO: Slab 0xffffea000d16ad80 objects=17 used=10 fp=0xffff880345ab7c80 flags=0x8000000000004080
[25886.161136] INFO: Object 0xffff880345ab6720 @offset=1824 fp=0xffff880345ab7008
[25886.161142] Bytes b4 ffff880345ab6710: 02 00 00 00 15 2b 00 00 74 5e 7a 01 01 00 00 00 .....+..t^z.....
[25886.161146] Object ffff880345ab6720: 08 70 ab 45 03 88 ff ff 00 02 00 00 00 00 ad de .p.E............
[25886.161150] Object ffff880345ab6730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[25886.161153] Object ffff880345ab6740: 10 65 e7 85 03 88 ff ff 00 7b ef 85 03 88 ff ff .e.......{......
[25886.161156] Object ffff880345ab6750: 3b 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ;...............
[25886.161159] Object ffff880345ab6760: 00 d9 82 81 ff ff ff ff c0 26 5b 82 ff ff ff ff .........&[.....
[25886.161162] Object ffff880345ab6770: 70 67 ab 45 03 88 ff ff 70 67 ab 45 03 88 ff ff pg.E....pg.E....
[25886.161166] Object ffff880345ab6780: 00 00 00 00 00 00 00 00 aa 83 00 00 00 00 00 00 ................
[25886.161170] Object ffff880345ab6790: c0 e3 a5 8b 03 88 ff ff 0f af 07 00 90 00 00 00 ................
[25886.161172] Object ffff880345ab67a0: c9 83 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[25886.161174] Object ffff880345ab67b0: 00 00 00 00 00 00 00 00 ........
[25886.161178] CPU: 2 PID: 339 Comm: xfsaild/dm-0 Tainted: G B OE 4.4.0-rc4KASan-00274-g7bb2729 #1
[25886.161180] Hardware name: LENOVO 2356LRG/2356LRG, BIOS G7ETA4WW (2.64 ) 10/08/2015
[25886.161182] ffff880345ab6000 ffff880384f579e0 ffffffff819c7397 ffff8803867a4000
[25886.161185] ffff880384f57a10 ffffffff813e2554 ffff8803867a4000 ffffea000d16ad80
[25886.161187] ffff880345ab6720 ffff88038ba5e3c0 ffff880384f57a38 ffffffff813e6c1f
[25886.161190] Call Trace:
[25886.161194] [<ffffffff819c7397>] dump_stack+0x4b/0x74
[25886.161197] [<ffffffff813e2554>] print_trailer+0xf4/0x150
[25886.161200] [<ffffffff813e6c1f>] object_err+0x2f/0x40
[25886.161203] [<ffffffff813e885c>] kasan_report_error+0x21c/0x540
[25886.161207] [<ffffffff811b39f0>] ? abort_exclusive_wait+0x1c0/0x1c0
[25886.161210] [<ffffffff813e8c3e>] __asan_report_load4_noabort+0x3e/0x40
[25886.161213] [<ffffffff817f2c17>] ? xfs_iflush_cluster+0x9d7/0xaf0
[25886.161215] [<ffffffff817f2c17>] xfs_iflush_cluster+0x9d7/0xaf0
[25886.161218] [<ffffffff817fb94a>] xfs_iflush+0x37a/0x5b0
[25886.161221] [<ffffffff817fb5d0>] ? xfs_rename+0xe70/0xe70
[25886.161225] [<ffffffff8120bd94>] ? del_timer_sync+0x64/0x80
[25886.161228] [<ffffffff824caeb0>] ? schedule_timeout+0x230/0x3a0
[25886.161231] [<ffffffff824cac80>] ? usleep_range+0xe0/0xe0
[25886.161234] [<ffffffff8182d69a>] xfs_inode_item_push+0x25a/0x390
[25886.161237] [<ffffffff8182d440>] ? xfs_inode_item_unlock+0x80/0x80
[25886.161239] [<ffffffff81844573>] ? xfs_trans_ail_cursor_first+0x23/0x1a0
[25886.161241] [<ffffffff81844deb>] xfsaild+0x6fb/0x12b0
[25886.161244] [<ffffffff818446f0>] ? xfs_trans_ail_cursor_first+0x1a0/0x1a0
[25886.161246] [<ffffffff824c3ba2>] ? __schedule+0x642/0x19f0
[25886.161248] [<ffffffff818446f0>] ? xfs_trans_ail_cursor_first+0x1a0/0x1a0
[25886.161251] [<ffffffff818446f0>] ? xfs_trans_ail_cursor_first+0x1a0/0x1a0
[25886.161254] [<ffffffff81154320>] kthread+0x1c0/0x260
[25886.161256] [<ffffffff81154160>] ? kthread_worker_fn+0x560/0x560
[25886.161259] [<ffffffff81154160>] ? kthread_worker_fn+0x560/0x560
[25886.161262] [<ffffffff824cd08f>] ret_from_fork+0x3f/0x70
[25886.161265] [<ffffffff81154160>] ? kthread_worker_fn+0x560/0x560
[25886.161267] Memory state around the buggy address:
[25886.161270] ffff880345ab6680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[25886.161273] ffff880345ab6700: fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb
[25886.161276] >ffff880345ab6780: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[25886.161278] ^
[25886.161281] ffff880345ab6800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[25886.161284] ffff880345ab6880: fc fc fc fc fc fc fc fc fc fc fc fc fc 00 00 00
[25886.161286] ==================================================================
The compiled kernel is a vanilla one, with a few patches pulled from BTRFS.
The XFS filesystem is running on LUKS, on a SSD.
No corruption or problems found at the moment.
Thanks a lot,
Andrea
[-- Attachment #1.1.2: config.txt.gz --]
[-- Type: application/gzip, Size: 40649 bytes --]
[-- Attachment #1.1.3: dmesg.txt.gz --]
[-- Type: application/gzip, Size: 30390 bytes --]
[-- Attachment #1.1.4: hdparm_sda.txt.gz --]
[-- Type: application/gzip, Size: 1666 bytes --]
[-- Attachment #1.1.5: lspci.txt.gz --]
[-- Type: application/gzip, Size: 501 bytes --]
[-- Attachment #1.1.6: dmidecode.txt.gz --]
[-- Type: application/gzip, Size: 4070 bytes --]
[-- Attachment #1.2: Digital signature --]
[-- Type: application/pgp-signature, Size: 949 bytes --]
[-- Attachment #2: Type: text/plain, Size: 121 bytes --]
_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: BUG: KASAN: use-after-free in xfs_iflush_cluster+0x9d7/0xaf0
2015-12-14 18:00 ` Andrea Gelmini
@ 2015-12-14 19:54 ` Dave Chinner
-1 siblings, 0 replies; 18+ messages in thread
From: Dave Chinner @ 2015-12-14 19:54 UTC (permalink / raw)
To: Andrea Gelmini; +Cc: linux-kernel, xfs
On Mon, Dec 14, 2015 at 07:00:48PM +0100, Andrea Gelmini wrote:
> Hi everybody,
> using dev kernel v4.4, I have this:
>
> [40240.371807] ==================================================================
> [40240.371826] BUG: KASAN: use-after-free in xfs_iflush_cluster+0x9d7/0xaf0 at addr ffff88001ed15428
> [40240.371832] Read of size 4 by task xfsaild/dm-0/332
> [40240.371834] =============================================================================
> [40240.371839] BUG xfs_ili (Tainted: G B ): kasan: bad access detected
> [40240.371842] -----------------------------------------------------------------------------
.....
What line of code does this address correspond to in your kernel?
xfs_iflush_cluster+0x9d7
Cheers,
Dave.
--
Dave Chinner
david@fromorbit.com
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: BUG: KASAN: use-after-free in xfs_iflush_cluster+0x9d7/0xaf0
@ 2015-12-14 19:54 ` Dave Chinner
0 siblings, 0 replies; 18+ messages in thread
From: Dave Chinner @ 2015-12-14 19:54 UTC (permalink / raw)
To: Andrea Gelmini; +Cc: linux-kernel, xfs
On Mon, Dec 14, 2015 at 07:00:48PM +0100, Andrea Gelmini wrote:
> Hi everybody,
> using dev kernel v4.4, I have this:
>
> [40240.371807] ==================================================================
> [40240.371826] BUG: KASAN: use-after-free in xfs_iflush_cluster+0x9d7/0xaf0 at addr ffff88001ed15428
> [40240.371832] Read of size 4 by task xfsaild/dm-0/332
> [40240.371834] =============================================================================
> [40240.371839] BUG xfs_ili (Tainted: G B ): kasan: bad access detected
> [40240.371842] -----------------------------------------------------------------------------
.....
What line of code does this address correspond to in your kernel?
xfs_iflush_cluster+0x9d7
Cheers,
Dave.
--
Dave Chinner
david@fromorbit.com
_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: BUG: KASAN: use-after-free in xfs_iflush_cluster+0x9d7/0xaf0
2015-12-14 19:54 ` Dave Chinner
@ 2015-12-14 20:15 ` Andrea Gelmini
-1 siblings, 0 replies; 18+ messages in thread
From: Andrea Gelmini @ 2015-12-14 20:15 UTC (permalink / raw)
To: Dave Chinner; +Cc: linux-kernel, xfs
[-- Attachment #1: Type: text/plain, Size: 389 bytes --]
On Tue, Dec 15, 2015 at 06:54:22AM +1100, Dave Chinner wrote:
> What line of code does this address correspond to in your kernel?
>
> xfs_iflush_cluster+0x9d7
gelma@glen:~/dev/kernel/v4.4.x$ git grep -Iin xfs_iflush_cluster
fs/xfs/xfs_inode.c:3179:xfs_iflush_cluster(
fs/xfs/xfs_inode.c:3414: error = xfs_iflush_cluster(ip, bp);
Thanks a lot for your quick answer,
Andrea
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 949 bytes --]
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: BUG: KASAN: use-after-free in xfs_iflush_cluster+0x9d7/0xaf0
@ 2015-12-14 20:15 ` Andrea Gelmini
0 siblings, 0 replies; 18+ messages in thread
From: Andrea Gelmini @ 2015-12-14 20:15 UTC (permalink / raw)
To: Dave Chinner; +Cc: linux-kernel, xfs
[-- Attachment #1.1: Type: text/plain, Size: 389 bytes --]
On Tue, Dec 15, 2015 at 06:54:22AM +1100, Dave Chinner wrote:
> What line of code does this address correspond to in your kernel?
>
> xfs_iflush_cluster+0x9d7
gelma@glen:~/dev/kernel/v4.4.x$ git grep -Iin xfs_iflush_cluster
fs/xfs/xfs_inode.c:3179:xfs_iflush_cluster(
fs/xfs/xfs_inode.c:3414: error = xfs_iflush_cluster(ip, bp);
Thanks a lot for your quick answer,
Andrea
[-- Attachment #1.2: Digital signature --]
[-- Type: application/pgp-signature, Size: 949 bytes --]
[-- Attachment #2: Type: text/plain, Size: 121 bytes --]
_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: BUG: KASAN: use-after-free in xfs_iflush_cluster+0x9d7/0xaf0
2015-12-14 20:15 ` Andrea Gelmini
@ 2015-12-14 21:22 ` Dave Chinner
-1 siblings, 0 replies; 18+ messages in thread
From: Dave Chinner @ 2015-12-14 21:22 UTC (permalink / raw)
To: Andrea Gelmini; +Cc: linux-kernel, xfs
On Mon, Dec 14, 2015 at 09:15:26PM +0100, Andrea Gelmini wrote:
> On Tue, Dec 15, 2015 at 06:54:22AM +1100, Dave Chinner wrote:
> > What line of code does this address correspond to in your kernel?
> >
> > xfs_iflush_cluster+0x9d7
>
> gelma@glen:~/dev/kernel/v4.4.x$ git grep -Iin xfs_iflush_cluster
> fs/xfs/xfs_inode.c:3179:xfs_iflush_cluster(
> fs/xfs/xfs_inode.c:3414: error = xfs_iflush_cluster(ip, bp);
If that was what I needed, I wouldn't have needed to ask. :/
I need the translation of the memory address to line number, not the
line number of function call. This requires translation from your
built kernel object file. e.g. on a kernel I just built:
$ gdb vmlinux
....
(gdb) l *(xfs_iflush_cluster+0x9d7)
0xffffffff814df647 is in xfs_bulkstat_one_int (fs/xfs/xfs_itable.c:110).
105 buf->bs_dmevmask = dic->di_dmevmask;
106 buf->bs_dmstate = dic->di_dmstate;
107 buf->bs_aextents = dic->di_anextents;
108 buf->bs_forkoff = XFS_IFORK_BOFF(ip);
109
110 switch (dic->di_format) {
111 case XFS_DINODE_FMT_DEV:
112 buf->bs_rdev = ip->i_df.if_u2.if_rdev;
113 buf->bs_blksize = BLKDEV_IOSIZE;
114 buf->bs_blocks = 0;
That's clearly not code in xfs_iflush_cluster() or any function that
xfs_iflush_cluster() calls. Indeed, xfs_iflush_cluster() is only
0x411 bytes long on that kernel, so there's more than 2x the amount
of code in that function in your instrumented kernel than mine.
Hence I need the address-to-line number translation from your kernel
to tell me what line of code is being tripped over.
Cheers,
Dave.
--
Dave Chinner
david@fromorbit.com
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: BUG: KASAN: use-after-free in xfs_iflush_cluster+0x9d7/0xaf0
@ 2015-12-14 21:22 ` Dave Chinner
0 siblings, 0 replies; 18+ messages in thread
From: Dave Chinner @ 2015-12-14 21:22 UTC (permalink / raw)
To: Andrea Gelmini; +Cc: linux-kernel, xfs
On Mon, Dec 14, 2015 at 09:15:26PM +0100, Andrea Gelmini wrote:
> On Tue, Dec 15, 2015 at 06:54:22AM +1100, Dave Chinner wrote:
> > What line of code does this address correspond to in your kernel?
> >
> > xfs_iflush_cluster+0x9d7
>
> gelma@glen:~/dev/kernel/v4.4.x$ git grep -Iin xfs_iflush_cluster
> fs/xfs/xfs_inode.c:3179:xfs_iflush_cluster(
> fs/xfs/xfs_inode.c:3414: error = xfs_iflush_cluster(ip, bp);
If that was what I needed, I wouldn't have needed to ask. :/
I need the translation of the memory address to line number, not the
line number of function call. This requires translation from your
built kernel object file. e.g. on a kernel I just built:
$ gdb vmlinux
....
(gdb) l *(xfs_iflush_cluster+0x9d7)
0xffffffff814df647 is in xfs_bulkstat_one_int (fs/xfs/xfs_itable.c:110).
105 buf->bs_dmevmask = dic->di_dmevmask;
106 buf->bs_dmstate = dic->di_dmstate;
107 buf->bs_aextents = dic->di_anextents;
108 buf->bs_forkoff = XFS_IFORK_BOFF(ip);
109
110 switch (dic->di_format) {
111 case XFS_DINODE_FMT_DEV:
112 buf->bs_rdev = ip->i_df.if_u2.if_rdev;
113 buf->bs_blksize = BLKDEV_IOSIZE;
114 buf->bs_blocks = 0;
That's clearly not code in xfs_iflush_cluster() or any function that
xfs_iflush_cluster() calls. Indeed, xfs_iflush_cluster() is only
0x411 bytes long on that kernel, so there's more than 2x the amount
of code in that function in your instrumented kernel than mine.
Hence I need the address-to-line number translation from your kernel
to tell me what line of code is being tripped over.
Cheers,
Dave.
--
Dave Chinner
david@fromorbit.com
_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: BUG: KASAN: use-after-free in xfs_iflush_cluster+0x9d7/0xaf0
2015-12-14 21:22 ` Dave Chinner
@ 2015-12-15 9:11 ` Andrea Gelmini
-1 siblings, 0 replies; 18+ messages in thread
From: Andrea Gelmini @ 2015-12-15 9:11 UTC (permalink / raw)
To: Dave Chinner; +Cc: linux-kernel, xfs
[-- Attachment #1: Type: text/plain, Size: 382 bytes --]
On Tue, Dec 15, 2015 at 08:22:20AM +1100, Dave Chinner wrote:
> $ gdb vmlinux
> ....
> (gdb) l *(xfs_iflush_cluster+0x9d7)
It's not working. Shame on me, I forgot to set "Compile the kernel with debug info".
I'm recompiling, to try it again.
Maybe, in the meanwhile, you can do something with my files. You can find 'em here:
http://mail.gelma.net/xfs_kasan
Thanks a lot,
Andrea
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 949 bytes --]
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: BUG: KASAN: use-after-free in xfs_iflush_cluster+0x9d7/0xaf0
@ 2015-12-15 9:11 ` Andrea Gelmini
0 siblings, 0 replies; 18+ messages in thread
From: Andrea Gelmini @ 2015-12-15 9:11 UTC (permalink / raw)
To: Dave Chinner; +Cc: linux-kernel, xfs
[-- Attachment #1.1: Type: text/plain, Size: 382 bytes --]
On Tue, Dec 15, 2015 at 08:22:20AM +1100, Dave Chinner wrote:
> $ gdb vmlinux
> ....
> (gdb) l *(xfs_iflush_cluster+0x9d7)
It's not working. Shame on me, I forgot to set "Compile the kernel with debug info".
I'm recompiling, to try it again.
Maybe, in the meanwhile, you can do something with my files. You can find 'em here:
http://mail.gelma.net/xfs_kasan
Thanks a lot,
Andrea
[-- Attachment #1.2: Digital signature --]
[-- Type: application/pgp-signature, Size: 949 bytes --]
[-- Attachment #2: Type: text/plain, Size: 121 bytes --]
_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: BUG: KASAN: use-after-free in xfs_iflush_cluster+0x9d7/0xaf0
2015-12-15 9:11 ` Andrea Gelmini
@ 2016-01-03 20:47 ` Dave Chinner
-1 siblings, 0 replies; 18+ messages in thread
From: Dave Chinner @ 2016-01-03 20:47 UTC (permalink / raw)
To: Andrea Gelmini; +Cc: linux-kernel, xfs
On Tue, Dec 15, 2015 at 10:11:45AM +0100, Andrea Gelmini wrote:
> On Tue, Dec 15, 2015 at 08:22:20AM +1100, Dave Chinner wrote:
> > $ gdb vmlinux
> > ....
> > (gdb) l *(xfs_iflush_cluster+0x9d7)
>
> It's not working. Shame on me, I forgot to set "Compile the kernel with debug info".
>
> I'm recompiling, to try it again.
> Maybe, in the meanwhile, you can do something with my files. You can find 'em here:
> http://mail.gelma.net/xfs_kasan
Any update on this problem, Andrea?
Cheers,
Dave.
--
Dave Chinner
david@fromorbit.com
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: BUG: KASAN: use-after-free in xfs_iflush_cluster+0x9d7/0xaf0
@ 2016-01-03 20:47 ` Dave Chinner
0 siblings, 0 replies; 18+ messages in thread
From: Dave Chinner @ 2016-01-03 20:47 UTC (permalink / raw)
To: Andrea Gelmini; +Cc: linux-kernel, xfs
On Tue, Dec 15, 2015 at 10:11:45AM +0100, Andrea Gelmini wrote:
> On Tue, Dec 15, 2015 at 08:22:20AM +1100, Dave Chinner wrote:
> > $ gdb vmlinux
> > ....
> > (gdb) l *(xfs_iflush_cluster+0x9d7)
>
> It's not working. Shame on me, I forgot to set "Compile the kernel with debug info".
>
> I'm recompiling, to try it again.
> Maybe, in the meanwhile, you can do something with my files. You can find 'em here:
> http://mail.gelma.net/xfs_kasan
Any update on this problem, Andrea?
Cheers,
Dave.
--
Dave Chinner
david@fromorbit.com
_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: BUG: KASAN: use-after-free in xfs_iflush_cluster+0x9d7/0xaf0
2016-01-03 20:47 ` Dave Chinner
@ 2016-01-04 14:12 ` Andrea Gelmini
-1 siblings, 0 replies; 18+ messages in thread
From: Andrea Gelmini @ 2016-01-04 14:12 UTC (permalink / raw)
To: Dave Chinner; +Cc: linux-kernel, xfs
[-- Attachment #1.1: Type: text/plain, Size: 4976 bytes --]
On Mon, Jan 04, 2016 at 07:47:58AM +1100, Dave Chinner wrote:
> > Maybe, in the meanwhile, you can do something with my files. You can find 'em here:
> > http://mail.gelma.net/xfs_kasan
>
> Any update on this problem, Andrea?
Hi Dave,
and thanks a lot for your interest.
So, to make long story short.
Recompiled kernel with debug info and all the rest.
Run it.
Then started a flood of this kind:
Dec 15 12:12:24 glen kernel: [ 5326.351571] BUG: KASAN: use-after-free in __check_element+0x1e0/0x200 at addr ffff88004a201ff5
Dec 15 12:12:24 glen kernel: [ 5326.351574] Read of size 1 by task kworker/u8:2/10221
Dec 15 12:12:24 glen kernel: [ 5326.351578] page:ffffea0001288040 count:1 mapcount:0 mapping: (null) index:0x0
Dec 15 12:12:24 glen kernel: [ 5326.351580] flags: 0x4000000000000000()
Dec 15 12:12:24 glen kernel: [ 5326.351583] page dumped because: kasan: bad access detected
Dec 15 12:12:24 glen kernel: [ 5326.351587] CPU: 1 PID: 10221 Comm: kworker/u8:2 Tainted: G B 4.4.0-rc5KASan #1
Dec 15 12:12:24 glen kernel: [ 5326.351590] Hardware name: LENOVO 2356LRG/2356LRG, BIOS G7ETA4WW (2.64 ) 10/08/2015
Dec 15 12:12:24 glen kernel: [ 5326.351594] Workqueue: kcryptd kcryptd_crypt
Dec 15 12:12:24 glen kernel: [ 5326.351596] ffff88004a201ff5 ffff8801086bfa10 ffffffff819d2e3a 00000000ffffff6b
Dec 15 12:12:24 glen kernel: [ 5326.351601] ffff8801086bfa98 ffffffff813f4b61 0000000000000010 dffffc0000000000
Dec 15 12:12:24 glen kernel: [ 5326.351606] 0000000000000046 ffffed00094403fe 00000000813f42cd 0000000000000000
Dec 15 12:12:24 glen kernel: [ 5326.351610] Call Trace:
Dec 15 12:12:24 glen kernel: [ 5326.351614] [<ffffffff819d2e3a>] dump_stack+0x4e/0x84
Dec 15 12:12:24 glen kernel: [ 5326.351619] [<ffffffff813f4b61>] kasan_report_error+0x511/0x540
Dec 15 12:12:24 glen kernel: [ 5326.351623] [<ffffffff813f4bce>] __asan_report_load1_noabort+0x3e/0x40
Dec 15 12:12:24 glen kernel: [ 5326.351628] [<ffffffff8132e600>] ? __check_element+0x1e0/0x200
Dec 15 12:12:24 glen kernel: [ 5326.351632] [<ffffffff8132e600>] __check_element+0x1e0/0x200
Dec 15 12:12:24 glen kernel: [ 5326.351636] [<ffffffff8132e8b6>] remove_element+0x206/0x430
Dec 15 12:12:24 glen kernel: [ 5326.351640] [<ffffffff8132ec35>] mempool_alloc+0x155/0x2a0
Dec 15 12:12:24 glen kernel: [ 5326.351644] [<ffffffff813f40c8>] ? memset+0x28/0x30
Dec 15 12:12:24 glen kernel: [ 5326.351648] [<ffffffff8132eae0>] ? remove_element+0x430/0x430
Dec 15 12:12:24 glen kernel: [ 5326.351652] [<ffffffff81927cb0>] ? bvec_alloc+0x250/0x250
Dec 15 12:12:24 glen kernel: [ 5326.351656] [<ffffffff8103af40>] ? set_tsc_mode+0x60/0x60
Dec 15 12:12:24 glen kernel: [ 5326.351661] [<ffffffff8206075d>] kcryptd_crypt+0x5dd/0xea0
Dec 15 12:12:24 glen kernel: [ 5326.351667] [<ffffffff8114728a>] process_one_work+0x48a/0x1160
Dec 15 12:12:24 glen kernel: [ 5326.351671] [<ffffffff81148034>] worker_thread+0xd4/0x1170
Dec 15 12:12:24 glen kernel: [ 5326.351676] [<ffffffff81147f60>] ? process_one_work+0x1160/0x1160
Dec 15 12:12:24 glen kernel: [ 5326.351681] [<ffffffff81157d70>] kthread+0x1c0/0x260
Dec 15 12:12:24 glen kernel: [ 5326.351686] [<ffffffff81157bb0>] ? kthread_worker_fn+0x560/0x560
Dec 15 12:12:24 glen kernel: [ 5326.351691] [<ffffffff81157bb0>] ? kthread_worker_fn+0x560/0x560
Dec 15 12:12:24 glen kernel: [ 5326.351696] [<ffffffff824daf8f>] ret_from_fork+0x3f/0x70
Dec 15 12:12:24 glen kernel: [ 5326.351700] [<ffffffff81157bb0>] ? kthread_worker_fn+0x560/0x560
Dec 15 12:12:24 glen kernel: [ 5326.351703] Memory state around the buggy address:
Dec 15 12:12:24 glen kernel: [ 5326.351707] ffff88004a201e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Dec 15 12:12:24 glen kernel: [ 5326.351711] ffff88004a201f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Dec 15 12:12:24 glen kernel: [ 5326.351715] >ffff88004a201f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Dec 15 12:12:24 glen kernel: [ 5326.351717] ^
Dec 15 12:12:24 glen kernel: [ 5326.351721] ffff88004a202000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Dec 15 12:12:24 glen kernel: [ 5326.351725] ffff88004a202080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Dec 15 12:12:24 glen kernel: [ 5326.351727] ==================================================================
Dec 15 12:12:24 glen kernel: [ 5326.351730] ==================================================================
Everytime it happened (usually when writing) I had a little stall of the system. After a few hours it was
impossible to work this way, so I got back to an Ubuntu vanilla kernel. (I guess it's related to my luks
partition).
Anyway, now I compile rc8 and try it again.
In attachment you can find my .config.
If you please can give it a look and tell me if it's good for you, about info you could need after.
Thanks again,
Andrea
[-- Attachment #1.2: config.gz --]
[-- Type: application/gzip, Size: 41187 bytes --]
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 949 bytes --]
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: BUG: KASAN: use-after-free in xfs_iflush_cluster+0x9d7/0xaf0
@ 2016-01-04 14:12 ` Andrea Gelmini
0 siblings, 0 replies; 18+ messages in thread
From: Andrea Gelmini @ 2016-01-04 14:12 UTC (permalink / raw)
To: Dave Chinner; +Cc: linux-kernel, xfs
[-- Attachment #1.1.1: Type: text/plain, Size: 4976 bytes --]
On Mon, Jan 04, 2016 at 07:47:58AM +1100, Dave Chinner wrote:
> > Maybe, in the meanwhile, you can do something with my files. You can find 'em here:
> > http://mail.gelma.net/xfs_kasan
>
> Any update on this problem, Andrea?
Hi Dave,
and thanks a lot for your interest.
So, to make long story short.
Recompiled kernel with debug info and all the rest.
Run it.
Then started a flood of this kind:
Dec 15 12:12:24 glen kernel: [ 5326.351571] BUG: KASAN: use-after-free in __check_element+0x1e0/0x200 at addr ffff88004a201ff5
Dec 15 12:12:24 glen kernel: [ 5326.351574] Read of size 1 by task kworker/u8:2/10221
Dec 15 12:12:24 glen kernel: [ 5326.351578] page:ffffea0001288040 count:1 mapcount:0 mapping: (null) index:0x0
Dec 15 12:12:24 glen kernel: [ 5326.351580] flags: 0x4000000000000000()
Dec 15 12:12:24 glen kernel: [ 5326.351583] page dumped because: kasan: bad access detected
Dec 15 12:12:24 glen kernel: [ 5326.351587] CPU: 1 PID: 10221 Comm: kworker/u8:2 Tainted: G B 4.4.0-rc5KASan #1
Dec 15 12:12:24 glen kernel: [ 5326.351590] Hardware name: LENOVO 2356LRG/2356LRG, BIOS G7ETA4WW (2.64 ) 10/08/2015
Dec 15 12:12:24 glen kernel: [ 5326.351594] Workqueue: kcryptd kcryptd_crypt
Dec 15 12:12:24 glen kernel: [ 5326.351596] ffff88004a201ff5 ffff8801086bfa10 ffffffff819d2e3a 00000000ffffff6b
Dec 15 12:12:24 glen kernel: [ 5326.351601] ffff8801086bfa98 ffffffff813f4b61 0000000000000010 dffffc0000000000
Dec 15 12:12:24 glen kernel: [ 5326.351606] 0000000000000046 ffffed00094403fe 00000000813f42cd 0000000000000000
Dec 15 12:12:24 glen kernel: [ 5326.351610] Call Trace:
Dec 15 12:12:24 glen kernel: [ 5326.351614] [<ffffffff819d2e3a>] dump_stack+0x4e/0x84
Dec 15 12:12:24 glen kernel: [ 5326.351619] [<ffffffff813f4b61>] kasan_report_error+0x511/0x540
Dec 15 12:12:24 glen kernel: [ 5326.351623] [<ffffffff813f4bce>] __asan_report_load1_noabort+0x3e/0x40
Dec 15 12:12:24 glen kernel: [ 5326.351628] [<ffffffff8132e600>] ? __check_element+0x1e0/0x200
Dec 15 12:12:24 glen kernel: [ 5326.351632] [<ffffffff8132e600>] __check_element+0x1e0/0x200
Dec 15 12:12:24 glen kernel: [ 5326.351636] [<ffffffff8132e8b6>] remove_element+0x206/0x430
Dec 15 12:12:24 glen kernel: [ 5326.351640] [<ffffffff8132ec35>] mempool_alloc+0x155/0x2a0
Dec 15 12:12:24 glen kernel: [ 5326.351644] [<ffffffff813f40c8>] ? memset+0x28/0x30
Dec 15 12:12:24 glen kernel: [ 5326.351648] [<ffffffff8132eae0>] ? remove_element+0x430/0x430
Dec 15 12:12:24 glen kernel: [ 5326.351652] [<ffffffff81927cb0>] ? bvec_alloc+0x250/0x250
Dec 15 12:12:24 glen kernel: [ 5326.351656] [<ffffffff8103af40>] ? set_tsc_mode+0x60/0x60
Dec 15 12:12:24 glen kernel: [ 5326.351661] [<ffffffff8206075d>] kcryptd_crypt+0x5dd/0xea0
Dec 15 12:12:24 glen kernel: [ 5326.351667] [<ffffffff8114728a>] process_one_work+0x48a/0x1160
Dec 15 12:12:24 glen kernel: [ 5326.351671] [<ffffffff81148034>] worker_thread+0xd4/0x1170
Dec 15 12:12:24 glen kernel: [ 5326.351676] [<ffffffff81147f60>] ? process_one_work+0x1160/0x1160
Dec 15 12:12:24 glen kernel: [ 5326.351681] [<ffffffff81157d70>] kthread+0x1c0/0x260
Dec 15 12:12:24 glen kernel: [ 5326.351686] [<ffffffff81157bb0>] ? kthread_worker_fn+0x560/0x560
Dec 15 12:12:24 glen kernel: [ 5326.351691] [<ffffffff81157bb0>] ? kthread_worker_fn+0x560/0x560
Dec 15 12:12:24 glen kernel: [ 5326.351696] [<ffffffff824daf8f>] ret_from_fork+0x3f/0x70
Dec 15 12:12:24 glen kernel: [ 5326.351700] [<ffffffff81157bb0>] ? kthread_worker_fn+0x560/0x560
Dec 15 12:12:24 glen kernel: [ 5326.351703] Memory state around the buggy address:
Dec 15 12:12:24 glen kernel: [ 5326.351707] ffff88004a201e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Dec 15 12:12:24 glen kernel: [ 5326.351711] ffff88004a201f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Dec 15 12:12:24 glen kernel: [ 5326.351715] >ffff88004a201f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Dec 15 12:12:24 glen kernel: [ 5326.351717] ^
Dec 15 12:12:24 glen kernel: [ 5326.351721] ffff88004a202000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Dec 15 12:12:24 glen kernel: [ 5326.351725] ffff88004a202080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Dec 15 12:12:24 glen kernel: [ 5326.351727] ==================================================================
Dec 15 12:12:24 glen kernel: [ 5326.351730] ==================================================================
Everytime it happened (usually when writing) I had a little stall of the system. After a few hours it was
impossible to work this way, so I got back to an Ubuntu vanilla kernel. (I guess it's related to my luks
partition).
Anyway, now I compile rc8 and try it again.
In attachment you can find my .config.
If you please can give it a look and tell me if it's good for you, about info you could need after.
Thanks again,
Andrea
[-- Attachment #1.1.2: config.gz --]
[-- Type: application/gzip, Size: 41187 bytes --]
[-- Attachment #1.2: Digital signature --]
[-- Type: application/pgp-signature, Size: 949 bytes --]
[-- Attachment #2: Type: text/plain, Size: 121 bytes --]
_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: BUG: KASAN: use-after-free in xfs_iflush_cluster+0x9d7/0xaf0
2016-01-03 20:47 ` Dave Chinner
@ 2016-01-05 16:30 ` Andrea Gelmini
-1 siblings, 0 replies; 18+ messages in thread
From: Andrea Gelmini @ 2016-01-05 16:30 UTC (permalink / raw)
To: Dave Chinner; +Cc: linux-kernel, xfs
[-- Attachment #1: Type: text/plain, Size: 8455 bytes --]
On Mon, Jan 04, 2016 at 07:47:58AM +1100, Dave Chinner wrote:
> > I'm recompiling, to try it again.
> > Maybe, in the meanwhile, you can do something with my files. You can find 'em here:
> > http://mail.gelma.net/xfs_kasan
>
> Any update on this problem, Andrea?
Here we are!
Reproduced right now.
So, just to avoid confusion:
a) it's a vanilla kernel 4.4.0-rc8
b) plus some btrfs patches
c) plus some dri/intel/i915 patches
d) at the same URL above you can find git_files.txt.gz, where you have each commit I
applied above vanilla kernel (anyway, nothing related to vfs/xfs of course)
e) at the same URL you find the kernel binaries I used
f) to catch it, I had to copy a few gigs of files on my /home partition (xfs over Luks)
Anyway, here what you asked me for:
(gdb) l *(xfs_iflush_cluster+0xb73/0xc10)
0xffffffff8184c550 is in xfs_iflush_cluster (fs/xfs/xfs_inode.c:3182).
3177
3178 STATIC int
3179 xfs_iflush_cluster(
3180 xfs_inode_t *ip,
3181 xfs_buf_t *bp)
3182 {
3183 xfs_mount_t *mp = ip->i_mount;
3184 struct xfs_perag *pag;
3185 unsigned long first_index, mask;
3186 unsigned long inodes_per_cluster;
(gdb)
Thanks a lot for your patience,
Dave
[mar gen 5 16:58:19 2016] ==================================================================
[mar gen 5 16:58:19 2016] BUG: KASAN: use-after-free in xfs_iflush_cluster+0xb73/0xc10 at addr ffff880364721d10
[mar gen 5 16:58:19 2016] Read of size 4 by task xfsaild/dm-0/329
[mar gen 5 16:58:19 2016] =============================================================================
[mar gen 5 16:58:19 2016] BUG xfs_ili (Tainted: G W ): kasan: bad access detected
[mar gen 5 16:58:19 2016] -----------------------------------------------------------------------------
[mar gen 5 16:58:19 2016] Disabling lock debugging due to kernel taint
[mar gen 5 16:58:19 2016] INFO: Allocated in kmem_zone_alloc+0x7c/0x180 age=496908 cpu=1 pid=6496
[mar gen 5 16:58:19 2016] ___slab_alloc.constprop.27+0x383/0x490
[mar gen 5 16:58:19 2016] __slab_alloc.isra.24.constprop.26+0x50/0xa0
[mar gen 5 16:58:19 2016] kmem_cache_alloc+0x174/0x1b0
[mar gen 5 16:58:19 2016] kmem_zone_alloc+0x7c/0x180
[mar gen 5 16:58:19 2016] xfs_inode_item_init+0x22/0xb0
[mar gen 5 16:58:19 2016] xfs_trans_ijoin+0xa4/0x110
[mar gen 5 16:58:19 2016] xfs_ialloc+0x9f9/0x1390
[mar gen 5 16:58:19 2016] xfs_dir_ialloc+0x106/0x670
[mar gen 5 16:58:19 2016] xfs_create+0x67e/0x1080
[mar gen 5 16:58:19 2016] xfs_generic_create+0x375/0x500
[mar gen 5 16:58:19 2016] xfs_vn_mknod+0xf/0x20
[mar gen 5 16:58:19 2016] xfs_vn_create+0xe/0x10
[mar gen 5 16:58:19 2016] vfs_create+0x1ff/0x390
[mar gen 5 16:58:19 2016] do_last+0x29a7/0x3900
[mar gen 5 16:58:19 2016] path_openat+0x15b/0x730
[mar gen 5 16:58:19 2016] do_filp_open+0x170/0x230
[mar gen 5 16:58:19 2016] INFO: Freed in xfs_inode_item_destroy+0x39/0x50 age=0 cpu=3 pid=38
[mar gen 5 16:58:19 2016] __slab_free+0x36d/0x510
[mar gen 5 16:58:19 2016] kmem_cache_free+0x1ef/0x200
[mar gen 5 16:58:19 2016] xfs_inode_item_destroy+0x39/0x50
[mar gen 5 16:58:19 2016] xfs_inode_free+0xcd/0x360
[mar gen 5 16:58:19 2016] xfs_reclaim_inode+0x54b/0x890
[mar gen 5 16:58:19 2016] xfs_reclaim_inodes_ag+0x3e9/0x840
[mar gen 5 16:58:19 2016] xfs_reclaim_inodes_nr+0x49/0x60
[mar gen 5 16:58:19 2016] xfs_fs_free_cached_objects+0x55/0x80
[mar gen 5 16:58:19 2016] super_cache_scan+0x329/0x410
[mar gen 5 16:58:19 2016] shrink_slab.part.7+0x2f2/0x530
[mar gen 5 16:58:19 2016] shrink_zone+0x7a0/0xae0
[mar gen 5 16:58:19 2016] kswapd+0x9ad/0x1110
[mar gen 5 16:58:19 2016] kthread+0x218/0x2e0
[mar gen 5 16:58:19 2016] ret_from_fork+0x3f/0x70
[mar gen 5 16:58:19 2016] INFO: Slab 0xffffea000d91c800 objects=35 used=29 fp=0xffff880364721c80 flags=0x8000000000004080
[mar gen 5 16:58:19 2016] INFO: Object 0xffff880364721c80 @offset=7296 fp=0xffff880364721560
[mar gen 5 16:58:19 2016] Bytes b4 ffff880364721c70: 03 00 00 00 3f 34 00 00 b8 51 cd 00 01 00 00 00 ....?4...Q......
[mar gen 5 16:58:19 2016] Object ffff880364721c80: 60 15 72 64 03 88 ff ff 00 02 00 00 00 00 ad de `.rd............
[mar gen 5 16:58:19 2016] Object ffff880364721c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[mar gen 5 16:58:19 2016] Object ffff880364721ca0: 00 00 3d 5e 03 88 ff ff 60 04 92 5d 03 88 ff ff ..=^....`..]....
[mar gen 5 16:58:19 2016] Object ffff880364721cb0: 3b 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ;...............
[mar gen 5 16:58:19 2016] Object ffff880364721cc0: 30 84 88 86 ff ff ff ff 60 17 6f 87 ff ff ff ff 0.......`.o.....
[mar gen 5 16:58:19 2016] Object ffff880364721cd0: d0 1c 72 64 03 88 ff ff d0 1c 72 64 03 88 ff ff ..rd......rd....
[mar gen 5 16:58:19 2016] Object ffff880364721ce0: 00 00 00 00 00 00 00 00 68 76 00 00 00 00 00 00 ........hv......
[mar gen 5 16:58:19 2016] Object ffff880364721cf0: 80 6c 40 3e 01 88 ff ff db 4a 00 00 e2 00 00 00 .l@>.....J......
[mar gen 5 16:58:19 2016] Object ffff880364721d00: d6 79 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .y..............
[mar gen 5 16:58:19 2016] Object ffff880364721d10: 00 00 00 00 00 00 00 00 ........
[mar gen 5 16:58:19 2016] CPU: 0 PID: 329 Comm: xfsaild/dm-0 Tainted: G B W 4.4.0-rc8-KASan-01354-g3041cce #6
[mar gen 5 16:58:19 2016] Hardware name: LENOVO 2356LRG/2356LRG, BIOS G7ETA4WW (2.64 ) 10/08/2015
[mar gen 5 16:58:19 2016] ffff880364720000 ffff88035f2ef968 ffffffff86a2adea ffff88035f498480
[mar gen 5 16:58:19 2016] ffff88035f2ef998 ffffffff86423ab4 ffff88035f498480 ffffea000d91c800
[mar gen 5 16:58:19 2016] ffff880364721c80 ffff88013e406c80 ffff88035f2ef9c0 ffffffff86428edf
[mar gen 5 16:58:19 2016] Call Trace:
[mar gen 5 16:58:19 2016] [<ffffffff86a2adea>] dump_stack+0x4e/0x84
[mar gen 5 16:58:19 2016] [<ffffffff86423ab4>] print_trailer+0xf4/0x150
[mar gen 5 16:58:19 2016] [<ffffffff86428edf>] object_err+0x2f/0x40
[mar gen 5 16:58:19 2016] [<ffffffff8642ab87>] kasan_report_error+0x207/0x530
[mar gen 5 16:58:19 2016] [<ffffffff8642af6e>] __asan_report_load4_noabort+0x3e/0x40
[mar gen 5 16:58:19 2016] [<ffffffff87585d00>] ? _raw_spin_lock_irqsave_nested+0x50/0x70
[mar gen 5 16:58:19 2016] [<ffffffff8684d0c3>] ? xfs_iflush_cluster+0xb73/0xc10
[mar gen 5 16:58:19 2016] [<ffffffff8684d0c3>] xfs_iflush_cluster+0xb73/0xc10
[mar gen 5 16:58:19 2016] [<ffffffff8684c760>] ? xfs_iflush_cluster+0x210/0xc10
[mar gen 5 16:58:19 2016] [<ffffffff86855eda>] xfs_iflush+0x37a/0x5b0
[mar gen 5 16:58:19 2016] [<ffffffff86855b60>] ? xfs_rename+0xe70/0xe70
[mar gen 5 16:58:19 2016] [<ffffffff868881ca>] xfs_inode_item_push+0x25a/0x390
[mar gen 5 16:58:19 2016] [<ffffffff86887f70>] ? xfs_inode_item_unlock+0x80/0x80
[mar gen 5 16:58:19 2016] [<ffffffff861d28e8>] ? up+0x68/0xb0
[mar gen 5 16:58:19 2016] [<ffffffff8681c6dd>] ? xfs_buf_unlock+0xd/0x10
[mar gen 5 16:58:19 2016] [<ffffffff8689fa4b>] xfsaild+0x8fb/0x1500
[mar gen 5 16:58:19 2016] [<ffffffff861ddbac>] ? trace_hardirqs_on_caller+0x28c/0x5e0
[mar gen 5 16:58:19 2016] [<ffffffff8689f150>] ? xfs_trans_ail_cursor_first+0x1a0/0x1a0
[mar gen 5 16:58:19 2016] [<ffffffff8689f150>] ? xfs_trans_ail_cursor_first+0x1a0/0x1a0
[mar gen 5 16:58:19 2016] [<ffffffff8615f3b8>] kthread+0x218/0x2e0
[mar gen 5 16:58:19 2016] [<ffffffff8615f1a0>] ? kthread_create_on_node+0x460/0x460
[mar gen 5 16:58:19 2016] [<ffffffff8615f1a0>] ? kthread_create_on_node+0x460/0x460
[mar gen 5 16:58:19 2016] [<ffffffff87586c2f>] ret_from_fork+0x3f/0x70
[mar gen 5 16:58:19 2016] [<ffffffff8615f1a0>] ? kthread_create_on_node+0x460/0x460
[mar gen 5 16:58:19 2016] Memory state around the buggy address:
[mar gen 5 16:58:19 2016] ffff880364721c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[mar gen 5 16:58:19 2016] ffff880364721c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[mar gen 5 16:58:19 2016] >ffff880364721d00: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
[mar gen 5 16:58:19 2016] ^
[mar gen 5 16:58:19 2016] ffff880364721d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[mar gen 5 16:58:19 2016] ffff880364721e00: fc fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb
[mar gen 5 16:58:19 2016] ==================================================================
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 949 bytes --]
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: BUG: KASAN: use-after-free in xfs_iflush_cluster+0x9d7/0xaf0
@ 2016-01-05 16:30 ` Andrea Gelmini
0 siblings, 0 replies; 18+ messages in thread
From: Andrea Gelmini @ 2016-01-05 16:30 UTC (permalink / raw)
To: Dave Chinner; +Cc: linux-kernel, xfs
[-- Attachment #1.1: Type: text/plain, Size: 8455 bytes --]
On Mon, Jan 04, 2016 at 07:47:58AM +1100, Dave Chinner wrote:
> > I'm recompiling, to try it again.
> > Maybe, in the meanwhile, you can do something with my files. You can find 'em here:
> > http://mail.gelma.net/xfs_kasan
>
> Any update on this problem, Andrea?
Here we are!
Reproduced right now.
So, just to avoid confusion:
a) it's a vanilla kernel 4.4.0-rc8
b) plus some btrfs patches
c) plus some dri/intel/i915 patches
d) at the same URL above you can find git_files.txt.gz, where you have each commit I
applied above vanilla kernel (anyway, nothing related to vfs/xfs of course)
e) at the same URL you find the kernel binaries I used
f) to catch it, I had to copy a few gigs of files on my /home partition (xfs over Luks)
Anyway, here what you asked me for:
(gdb) l *(xfs_iflush_cluster+0xb73/0xc10)
0xffffffff8184c550 is in xfs_iflush_cluster (fs/xfs/xfs_inode.c:3182).
3177
3178 STATIC int
3179 xfs_iflush_cluster(
3180 xfs_inode_t *ip,
3181 xfs_buf_t *bp)
3182 {
3183 xfs_mount_t *mp = ip->i_mount;
3184 struct xfs_perag *pag;
3185 unsigned long first_index, mask;
3186 unsigned long inodes_per_cluster;
(gdb)
Thanks a lot for your patience,
Dave
[mar gen 5 16:58:19 2016] ==================================================================
[mar gen 5 16:58:19 2016] BUG: KASAN: use-after-free in xfs_iflush_cluster+0xb73/0xc10 at addr ffff880364721d10
[mar gen 5 16:58:19 2016] Read of size 4 by task xfsaild/dm-0/329
[mar gen 5 16:58:19 2016] =============================================================================
[mar gen 5 16:58:19 2016] BUG xfs_ili (Tainted: G W ): kasan: bad access detected
[mar gen 5 16:58:19 2016] -----------------------------------------------------------------------------
[mar gen 5 16:58:19 2016] Disabling lock debugging due to kernel taint
[mar gen 5 16:58:19 2016] INFO: Allocated in kmem_zone_alloc+0x7c/0x180 age=496908 cpu=1 pid=6496
[mar gen 5 16:58:19 2016] ___slab_alloc.constprop.27+0x383/0x490
[mar gen 5 16:58:19 2016] __slab_alloc.isra.24.constprop.26+0x50/0xa0
[mar gen 5 16:58:19 2016] kmem_cache_alloc+0x174/0x1b0
[mar gen 5 16:58:19 2016] kmem_zone_alloc+0x7c/0x180
[mar gen 5 16:58:19 2016] xfs_inode_item_init+0x22/0xb0
[mar gen 5 16:58:19 2016] xfs_trans_ijoin+0xa4/0x110
[mar gen 5 16:58:19 2016] xfs_ialloc+0x9f9/0x1390
[mar gen 5 16:58:19 2016] xfs_dir_ialloc+0x106/0x670
[mar gen 5 16:58:19 2016] xfs_create+0x67e/0x1080
[mar gen 5 16:58:19 2016] xfs_generic_create+0x375/0x500
[mar gen 5 16:58:19 2016] xfs_vn_mknod+0xf/0x20
[mar gen 5 16:58:19 2016] xfs_vn_create+0xe/0x10
[mar gen 5 16:58:19 2016] vfs_create+0x1ff/0x390
[mar gen 5 16:58:19 2016] do_last+0x29a7/0x3900
[mar gen 5 16:58:19 2016] path_openat+0x15b/0x730
[mar gen 5 16:58:19 2016] do_filp_open+0x170/0x230
[mar gen 5 16:58:19 2016] INFO: Freed in xfs_inode_item_destroy+0x39/0x50 age=0 cpu=3 pid=38
[mar gen 5 16:58:19 2016] __slab_free+0x36d/0x510
[mar gen 5 16:58:19 2016] kmem_cache_free+0x1ef/0x200
[mar gen 5 16:58:19 2016] xfs_inode_item_destroy+0x39/0x50
[mar gen 5 16:58:19 2016] xfs_inode_free+0xcd/0x360
[mar gen 5 16:58:19 2016] xfs_reclaim_inode+0x54b/0x890
[mar gen 5 16:58:19 2016] xfs_reclaim_inodes_ag+0x3e9/0x840
[mar gen 5 16:58:19 2016] xfs_reclaim_inodes_nr+0x49/0x60
[mar gen 5 16:58:19 2016] xfs_fs_free_cached_objects+0x55/0x80
[mar gen 5 16:58:19 2016] super_cache_scan+0x329/0x410
[mar gen 5 16:58:19 2016] shrink_slab.part.7+0x2f2/0x530
[mar gen 5 16:58:19 2016] shrink_zone+0x7a0/0xae0
[mar gen 5 16:58:19 2016] kswapd+0x9ad/0x1110
[mar gen 5 16:58:19 2016] kthread+0x218/0x2e0
[mar gen 5 16:58:19 2016] ret_from_fork+0x3f/0x70
[mar gen 5 16:58:19 2016] INFO: Slab 0xffffea000d91c800 objects=35 used=29 fp=0xffff880364721c80 flags=0x8000000000004080
[mar gen 5 16:58:19 2016] INFO: Object 0xffff880364721c80 @offset=7296 fp=0xffff880364721560
[mar gen 5 16:58:19 2016] Bytes b4 ffff880364721c70: 03 00 00 00 3f 34 00 00 b8 51 cd 00 01 00 00 00 ....?4...Q......
[mar gen 5 16:58:19 2016] Object ffff880364721c80: 60 15 72 64 03 88 ff ff 00 02 00 00 00 00 ad de `.rd............
[mar gen 5 16:58:19 2016] Object ffff880364721c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[mar gen 5 16:58:19 2016] Object ffff880364721ca0: 00 00 3d 5e 03 88 ff ff 60 04 92 5d 03 88 ff ff ..=^....`..]....
[mar gen 5 16:58:19 2016] Object ffff880364721cb0: 3b 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ;...............
[mar gen 5 16:58:19 2016] Object ffff880364721cc0: 30 84 88 86 ff ff ff ff 60 17 6f 87 ff ff ff ff 0.......`.o.....
[mar gen 5 16:58:19 2016] Object ffff880364721cd0: d0 1c 72 64 03 88 ff ff d0 1c 72 64 03 88 ff ff ..rd......rd....
[mar gen 5 16:58:19 2016] Object ffff880364721ce0: 00 00 00 00 00 00 00 00 68 76 00 00 00 00 00 00 ........hv......
[mar gen 5 16:58:19 2016] Object ffff880364721cf0: 80 6c 40 3e 01 88 ff ff db 4a 00 00 e2 00 00 00 .l@>.....J......
[mar gen 5 16:58:19 2016] Object ffff880364721d00: d6 79 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .y..............
[mar gen 5 16:58:19 2016] Object ffff880364721d10: 00 00 00 00 00 00 00 00 ........
[mar gen 5 16:58:19 2016] CPU: 0 PID: 329 Comm: xfsaild/dm-0 Tainted: G B W 4.4.0-rc8-KASan-01354-g3041cce #6
[mar gen 5 16:58:19 2016] Hardware name: LENOVO 2356LRG/2356LRG, BIOS G7ETA4WW (2.64 ) 10/08/2015
[mar gen 5 16:58:19 2016] ffff880364720000 ffff88035f2ef968 ffffffff86a2adea ffff88035f498480
[mar gen 5 16:58:19 2016] ffff88035f2ef998 ffffffff86423ab4 ffff88035f498480 ffffea000d91c800
[mar gen 5 16:58:19 2016] ffff880364721c80 ffff88013e406c80 ffff88035f2ef9c0 ffffffff86428edf
[mar gen 5 16:58:19 2016] Call Trace:
[mar gen 5 16:58:19 2016] [<ffffffff86a2adea>] dump_stack+0x4e/0x84
[mar gen 5 16:58:19 2016] [<ffffffff86423ab4>] print_trailer+0xf4/0x150
[mar gen 5 16:58:19 2016] [<ffffffff86428edf>] object_err+0x2f/0x40
[mar gen 5 16:58:19 2016] [<ffffffff8642ab87>] kasan_report_error+0x207/0x530
[mar gen 5 16:58:19 2016] [<ffffffff8642af6e>] __asan_report_load4_noabort+0x3e/0x40
[mar gen 5 16:58:19 2016] [<ffffffff87585d00>] ? _raw_spin_lock_irqsave_nested+0x50/0x70
[mar gen 5 16:58:19 2016] [<ffffffff8684d0c3>] ? xfs_iflush_cluster+0xb73/0xc10
[mar gen 5 16:58:19 2016] [<ffffffff8684d0c3>] xfs_iflush_cluster+0xb73/0xc10
[mar gen 5 16:58:19 2016] [<ffffffff8684c760>] ? xfs_iflush_cluster+0x210/0xc10
[mar gen 5 16:58:19 2016] [<ffffffff86855eda>] xfs_iflush+0x37a/0x5b0
[mar gen 5 16:58:19 2016] [<ffffffff86855b60>] ? xfs_rename+0xe70/0xe70
[mar gen 5 16:58:19 2016] [<ffffffff868881ca>] xfs_inode_item_push+0x25a/0x390
[mar gen 5 16:58:19 2016] [<ffffffff86887f70>] ? xfs_inode_item_unlock+0x80/0x80
[mar gen 5 16:58:19 2016] [<ffffffff861d28e8>] ? up+0x68/0xb0
[mar gen 5 16:58:19 2016] [<ffffffff8681c6dd>] ? xfs_buf_unlock+0xd/0x10
[mar gen 5 16:58:19 2016] [<ffffffff8689fa4b>] xfsaild+0x8fb/0x1500
[mar gen 5 16:58:19 2016] [<ffffffff861ddbac>] ? trace_hardirqs_on_caller+0x28c/0x5e0
[mar gen 5 16:58:19 2016] [<ffffffff8689f150>] ? xfs_trans_ail_cursor_first+0x1a0/0x1a0
[mar gen 5 16:58:19 2016] [<ffffffff8689f150>] ? xfs_trans_ail_cursor_first+0x1a0/0x1a0
[mar gen 5 16:58:19 2016] [<ffffffff8615f3b8>] kthread+0x218/0x2e0
[mar gen 5 16:58:19 2016] [<ffffffff8615f1a0>] ? kthread_create_on_node+0x460/0x460
[mar gen 5 16:58:19 2016] [<ffffffff8615f1a0>] ? kthread_create_on_node+0x460/0x460
[mar gen 5 16:58:19 2016] [<ffffffff87586c2f>] ret_from_fork+0x3f/0x70
[mar gen 5 16:58:19 2016] [<ffffffff8615f1a0>] ? kthread_create_on_node+0x460/0x460
[mar gen 5 16:58:19 2016] Memory state around the buggy address:
[mar gen 5 16:58:19 2016] ffff880364721c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[mar gen 5 16:58:19 2016] ffff880364721c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[mar gen 5 16:58:19 2016] >ffff880364721d00: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
[mar gen 5 16:58:19 2016] ^
[mar gen 5 16:58:19 2016] ffff880364721d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[mar gen 5 16:58:19 2016] ffff880364721e00: fc fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb
[mar gen 5 16:58:19 2016] ==================================================================
[-- Attachment #1.2: Digital signature --]
[-- Type: application/pgp-signature, Size: 949 bytes --]
[-- Attachment #2: Type: text/plain, Size: 121 bytes --]
_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: BUG: KASAN: use-after-free in xfs_iflush_cluster+0x9d7/0xaf0
2016-01-05 16:30 ` Andrea Gelmini
@ 2016-01-05 20:58 ` Dave Chinner
-1 siblings, 0 replies; 18+ messages in thread
From: Dave Chinner @ 2016-01-05 20:58 UTC (permalink / raw)
To: Andrea Gelmini; +Cc: linux-kernel, xfs
On Tue, Jan 05, 2016 at 05:30:55PM +0100, Andrea Gelmini wrote:
> On Mon, Jan 04, 2016 at 07:47:58AM +1100, Dave Chinner wrote:
> > > I'm recompiling, to try it again.
> > > Maybe, in the meanwhile, you can do something with my files. You can find 'em here:
> > > http://mail.gelma.net/xfs_kasan
> >
> > Any update on this problem, Andrea?
>
> Here we are!
> Reproduced right now.
>
> So, just to avoid confusion:
> a) it's a vanilla kernel 4.4.0-rc8
> b) plus some btrfs patches
> c) plus some dri/intel/i915 patches
> d) at the same URL above you can find git_files.txt.gz, where you have each commit I
> applied above vanilla kernel (anyway, nothing related to vfs/xfs of course)
> e) at the same URL you find the kernel binaries I used
> f) to catch it, I had to copy a few gigs of files on my /home partition (xfs over Luks)
>
> Anyway, here what you asked me for:
>
> (gdb) l *(xfs_iflush_cluster+0xb73/0xc10)
> 0xffffffff8184c550 is in xfs_iflush_cluster (fs/xfs/xfs_inode.c:3182).
> 3177
> 3178 STATIC int
> 3179 xfs_iflush_cluster(
> 3180 xfs_inode_t *ip,
> 3181 xfs_buf_t *bp)
> 3182 {
> 3183 xfs_mount_t *mp = ip->i_mount;
> 3184 struct xfs_perag *pag;
> 3185 unsigned long first_index, mask;
> 3186 unsigned long inodes_per_cluster;
> (gdb)
Ok, so that tells us nothing about where the problem lies - the
function call is out of the preamble code that kasan instrumentation
adds to the function. I'll have a further think about this...
Cheers,
Dave.
--
Dave Chinner
david@fromorbit.com
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: BUG: KASAN: use-after-free in xfs_iflush_cluster+0x9d7/0xaf0
@ 2016-01-05 20:58 ` Dave Chinner
0 siblings, 0 replies; 18+ messages in thread
From: Dave Chinner @ 2016-01-05 20:58 UTC (permalink / raw)
To: Andrea Gelmini; +Cc: linux-kernel, xfs
On Tue, Jan 05, 2016 at 05:30:55PM +0100, Andrea Gelmini wrote:
> On Mon, Jan 04, 2016 at 07:47:58AM +1100, Dave Chinner wrote:
> > > I'm recompiling, to try it again.
> > > Maybe, in the meanwhile, you can do something with my files. You can find 'em here:
> > > http://mail.gelma.net/xfs_kasan
> >
> > Any update on this problem, Andrea?
>
> Here we are!
> Reproduced right now.
>
> So, just to avoid confusion:
> a) it's a vanilla kernel 4.4.0-rc8
> b) plus some btrfs patches
> c) plus some dri/intel/i915 patches
> d) at the same URL above you can find git_files.txt.gz, where you have each commit I
> applied above vanilla kernel (anyway, nothing related to vfs/xfs of course)
> e) at the same URL you find the kernel binaries I used
> f) to catch it, I had to copy a few gigs of files on my /home partition (xfs over Luks)
>
> Anyway, here what you asked me for:
>
> (gdb) l *(xfs_iflush_cluster+0xb73/0xc10)
> 0xffffffff8184c550 is in xfs_iflush_cluster (fs/xfs/xfs_inode.c:3182).
> 3177
> 3178 STATIC int
> 3179 xfs_iflush_cluster(
> 3180 xfs_inode_t *ip,
> 3181 xfs_buf_t *bp)
> 3182 {
> 3183 xfs_mount_t *mp = ip->i_mount;
> 3184 struct xfs_perag *pag;
> 3185 unsigned long first_index, mask;
> 3186 unsigned long inodes_per_cluster;
> (gdb)
Ok, so that tells us nothing about where the problem lies - the
function call is out of the preamble code that kasan instrumentation
adds to the function. I'll have a further think about this...
Cheers,
Dave.
--
Dave Chinner
david@fromorbit.com
_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs
^ permalink raw reply [flat|nested] 18+ messages in thread
end of thread, other threads:[~2016-01-05 20:58 UTC | newest]
Thread overview: 18+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-12-14 18:00 BUG: KASAN: use-after-free in xfs_iflush_cluster+0x9d7/0xaf0 Andrea Gelmini
2015-12-14 18:00 ` Andrea Gelmini
2015-12-14 19:54 ` Dave Chinner
2015-12-14 19:54 ` Dave Chinner
2015-12-14 20:15 ` Andrea Gelmini
2015-12-14 20:15 ` Andrea Gelmini
2015-12-14 21:22 ` Dave Chinner
2015-12-14 21:22 ` Dave Chinner
2015-12-15 9:11 ` Andrea Gelmini
2015-12-15 9:11 ` Andrea Gelmini
2016-01-03 20:47 ` Dave Chinner
2016-01-03 20:47 ` Dave Chinner
2016-01-04 14:12 ` Andrea Gelmini
2016-01-04 14:12 ` Andrea Gelmini
2016-01-05 16:30 ` Andrea Gelmini
2016-01-05 16:30 ` Andrea Gelmini
2016-01-05 20:58 ` Dave Chinner
2016-01-05 20:58 ` Dave Chinner
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.