All of lore.kernel.org
 help / color / mirror / Atom feed
* logfs: GPF in logfs_alloc_inode
@ 2016-11-18 10:09 Dmitry Vyukov
  2016-11-18 18:45 ` Omar Sandoval
  0 siblings, 1 reply; 6+ messages in thread
From: Dmitry Vyukov @ 2016-11-18 10:09 UTC (permalink / raw)
  To: joern, Prasad Joshi, logfs, LKML, Al Viro, linux-fsdevel; +Cc: syzkaller

Hello,

The following program triggers GPF in logfs_alloc_inode:
https://gist.githubusercontent.com/dvyukov/64a2113e4cb484d9b7e0ef4ff8a522d0/raw/fffdfb8b781ec758563e08765a258da71e6ff2a1/gistfile1.txt


general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN
Modules linked in:
CPU: 2 PID: 6602 Comm: a.out Not tainted 4.9.0-rc5+ #49
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff88003604c400 task.stack: ffff880035380000
RIP: 0010:[<ffffffff82514115>]  [<     inline     >] i_uid_write
./include/linux/fs.h:1469
RIP: 0010:[<ffffffff82514115>]  [<ffffffff82514115>]
logfs_init_inode.isra.5+0x155/0x480 fs/logfs/inode.c:212
RSP: 0018:ffff880035387838  EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff8800640af9e0 RCX: 0000000000000000
RDX: 000000000000011b RSI: ffffffff8995e940 RDI: 00000000000008d8
RBP: ffff8800353878c0 R08: 00000000000004d0 R09: 0000000000000000
R10: 0000000000000006 R11: 0000000000000000 R12: ffff8800640afe00
R13: 1ffff10006a70f07 R14: 0000000000000000 R15: ffff88006b563700
FS:  0000000001b3b940(0000) GS:ffff88006d000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8526a449de CR3: 0000000034106000 CR4: 00000000000006e0
Stack:
 0000000041b58ab3 ffffffff894c4c0b ffffffff82513fc0 000000000000aa81
 ffffffff819efe35 ffff88006a63a7ff 1ffff1000d4c7500 ffffe8ffffc18490
 00000001819effad 0000000000000003 ffff88000000000c 0000000000000282
Call Trace:
 [<ffffffff82514475>] logfs_alloc_inode+0x35/0x40 fs/logfs/inode.c:234
 [<ffffffff81ade226>] alloc_inode+0x66/0x180 fs/inode.c:207
 [<ffffffff81ae57de>] new_inode_pseudo+0x6e/0x190 fs/inode.c:889
 [<ffffffff81ae5921>] new_inode+0x21/0x50 fs/inode.c:918
 [<ffffffff82514986>] logfs_new_meta_inode+0x26/0x120 fs/logfs/inode.c:267
 [<ffffffff82533f97>] logfs_init_mapping+0x47/0x160 fs/logfs/segment.c:912
 [<     inline     >] logfs_read_sb fs/logfs/super.c:446
 [<     inline     >] logfs_get_sb_device fs/logfs/super.c:546
 [<ffffffff825375f0>] logfs_mount+0x690/0x1e50 fs/logfs/super.c:600
 [<ffffffff81a7d62c>] mount_fs+0x9c/0x2e0 fs/super.c:1177
 [<ffffffff81af4e9c>] vfs_kern_mount.part.22+0x6c/0x2f0 fs/namespace.c:954
 [<     inline     >] vfs_kern_mount fs/namespace.c:2433
 [<     inline     >] do_new_mount fs/namespace.c:2436
 [<ffffffff81afe3dd>] do_mount+0x41d/0x2db0 fs/namespace.c:2758
 [<     inline     >] SYSC_mount fs/namespace.c:2974
 [<ffffffff81b016d0>] SyS_mount+0xb0/0x120 fs/namespace.c:2951
 [<ffffffff88147985>] entry_SYSCALL_64_fastpath+0x23/0xc6
arch/x86/entry/entry_64.S:209
Code: fa 48 c1 ea 03 80 3c 02 00 0f 85 13 03 00 00 4c 8b 73 28 48 b8
00 00 00 00 00 fc ff df 49 8d be d8 08 00 00 48 89 fa 48 c1 ea 03 <80>
3c 02 00 0f 85 e3 02 00 00 48 8d 7b 04 48 b8 00 00 00 00 00
RIP  [<     inline     >] i_uid_write ./include/linux/fs.h:1469
RIP  [<ffffffff82514115>] logfs_init_inode.isra.5+0x155/0x480
fs/logfs/inode.c:212
 RSP <ffff880035387838>
---[ end trace a44003de9322a2bc ]---
LogFS: Start mount 1
==================================================================
BUG: KASAN: use-after-free in
__rwsem_down_write_failed_common+0xde7/0xf90 at addr ffff88003604c430
Read of size 4 by task a.out/6605
CPU: 1 PID: 6605 Comm: a.out Tainted: G    B D         4.9.0-rc5+ #49
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff88003cf6f130 ffffffff834c2a59 ffffffff00000001 1ffff100079eddb9
 ffffed00079eddb1 0000000041b58ab3 ffffffff895758d0 ffffffff834c276b
 ffffffff894f179e ffffffff815774c0 ffff88003cf6eff0 dffffc0000000000
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff834c2a59>] dump_stack+0x2ee/0x3f5 lib/dump_stack.c:51
 [<ffffffff819f09f1>] kasan_object_err+0x21/0x70 mm/kasan/report.c:159
 [<     inline     >] print_address_description mm/kasan/report.c:197
 [<     inline     >] kasan_report_error mm/kasan/report.c:286
 [<ffffffff819f0cdb>] kasan_report+0x1eb/0x4c0 mm/kasan/report.c:306
 [<ffffffff819f1009>] __asan_report_load4_noabort+0x19/0x20
mm/kasan/report.c:331
 [<     inline     >] rwsem_optimistic_spin kernel/locking/rwsem-xadd.c:339
 [<ffffffff8157a567>] __rwsem_down_write_failed_common+0xde7/0xf90
kernel/locking/rwsem-xadd.c:470
 [<ffffffff881426f3>] rwsem_down_write_failed+0x13/0x20
kernel/locking/rwsem-xadd.c:555
 [<ffffffff83504657>] call_rwsem_down_write_failed+0x17/0x30
arch/x86/lib/rwsem.S:105
 [<     inline     >] __down_write ./arch/x86/include/asm/rwsem.h:125
 [<ffffffff88140a4c>] down_write+0xac/0x120 kernel/locking/rwsem.c:54
 [<ffffffff81a79bc8>] grab_super+0xa8/0x290 fs/super.c:364
 [<ffffffff81a7ab58>] sget_userns+0x1f8/0xd40 fs/super.c:491
 [<ffffffff81a7b764>] sget+0xc4/0x100 fs/super.c:548
 [<     inline     >] logfs_get_sb_device fs/logfs/super.c:522
 [<ffffffff825372ee>] logfs_mount+0x38e/0x1e50 fs/logfs/super.c:600
 [<ffffffff81a7d62c>] mount_fs+0x9c/0x2e0 fs/super.c:1177
 [<ffffffff81af4e9c>] vfs_kern_mount.part.22+0x6c/0x2f0 fs/namespace.c:954
 [<     inline     >] vfs_kern_mount fs/namespace.c:2433
 [<     inline     >] do_new_mount fs/namespace.c:2436
 [<ffffffff81afe3dd>] do_mount+0x41d/0x2db0 fs/namespace.c:2758
 [<     inline     >] SYSC_mount fs/namespace.c:2974
 [<ffffffff81b016d0>] SyS_mount+0xb0/0x120 fs/namespace.c:2951
 [<ffffffff88147985>] entry_SYSCALL_64_fastpath+0x23/0xc6
arch/x86/entry/entry_64.S:209
Object at ffff88003604c400, in cache task_struct size: 5632
Allocated:
PID = 6598
 [  204.878017] [<ffffffff8127101b>] save_stack_trace+0x1b/0x20
 [  204.878017] [<ffffffff819efce3>] save_stack+0x43/0xd0
 [  204.878017] [<ffffffff819effad>] kasan_kmalloc+0xad/0xe0
 [  204.878017] [<ffffffff819f0582>] kasan_slab_alloc+0x12/0x20
 [  204.878017] [<ffffffff819e9b48>] kmem_cache_alloc_node+0x138/0x740
 [  204.878017] [<ffffffff813f63a5>] copy_process.part.38+0x1995/0x4920
 [  204.878017] [<ffffffff813f9825>] _do_fork+0x205/0x1070
 [  204.878017] [<ffffffff813fa76c>] SyS_clone+0x3c/0x50
 [  204.878017] [<ffffffff81009a24>] do_syscall_64+0x2f4/0x940
 [  204.878017] [<ffffffff88147a4d>] return_from_SYSCALL_64+0x0/0x7a
Freed:
PID = 0
 [  204.878017] [<ffffffff8127101b>] save_stack_trace+0x1b/0x20
 [  204.878017] [<ffffffff819efce3>] save_stack+0x43/0xd0
 [  204.878017] [<ffffffff819f0602>] kasan_slab_free+0x72/0xc0
 [  204.878017] [<ffffffff819ed5ab>] kmem_cache_free+0x7b/0x2f0
 [  204.878017] [<ffffffff813f3504>] free_task+0x114/0x190
 [  204.878017] [<ffffffff813f37d8>] __put_task_struct+0x258/0x610
 [  204.878017] [<ffffffff8140a024>] delayed_put_task_struct+0xe4/0x4b0
 [  204.878017] [<ffffffff815cbced>] rcu_do_batch.isra.70+0x9ed/0xe20
 [  204.878017] [<ffffffff815cc5ac>] rcu_process_callbacks+0x48c/0xd70
 [  204.878017] [<ffffffff8814b0fb>] __do_softirq+0x32b/0xca8
Memory state around the buggy address:
 ffff88003604c300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88003604c380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88003604c400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff88003604c480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88003604c500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


On commit a25f0944ba9b1d8a6813fd6f1a86f1bd59ac25a6 (4.9-rc5).

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: logfs: GPF in logfs_alloc_inode
  2016-11-18 10:09 logfs: GPF in logfs_alloc_inode Dmitry Vyukov
@ 2016-11-18 18:45 ` Omar Sandoval
  2016-11-18 18:54   ` Dmitry Vyukov
  0 siblings, 1 reply; 6+ messages in thread
From: Omar Sandoval @ 2016-11-18 18:45 UTC (permalink / raw)
  To: Dmitry Vyukov, Christoph Hellwig
  Cc: joern, Prasad Joshi, logfs, LKML, Al Viro, linux-fsdevel, syzkaller

On Fri, Nov 18, 2016 at 11:09:54AM +0100, Dmitry Vyukov wrote:
> Hello,
> 
> The following program triggers GPF in logfs_alloc_inode:
> https://gist.githubusercontent.com/dvyukov/64a2113e4cb484d9b7e0ef4ff8a522d0/raw/fffdfb8b781ec758563e08765a258da71e6ff2a1/gistfile1.txt

That should be fixed by this patch:
http://marc.info/?l=linux-kernel&m=147359909329298&w=2 ;)

-- 
Omar

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: logfs: GPF in logfs_alloc_inode
  2016-11-18 18:45 ` Omar Sandoval
@ 2016-11-18 18:54   ` Dmitry Vyukov
  2016-11-20  9:57     ` Dmitry Vyukov
  0 siblings, 1 reply; 6+ messages in thread
From: Dmitry Vyukov @ 2016-11-18 18:54 UTC (permalink / raw)
  To: syzkaller
  Cc: Christoph Hellwig, joern, Prasad Joshi, logfs, LKML, Al Viro,
	linux-fsdevel

On Fri, Nov 18, 2016 at 7:45 PM, Omar Sandoval <osandov@osandov.com> wrote:
> On Fri, Nov 18, 2016 at 11:09:54AM +0100, Dmitry Vyukov wrote:
>> Hello,
>>
>> The following program triggers GPF in logfs_alloc_inode:
>> https://gist.githubusercontent.com/dvyukov/64a2113e4cb484d9b7e0ef4ff8a522d0/raw/fffdfb8b781ec758563e08765a258da71e6ff2a1/gistfile1.txt
>
> That should be fixed by this patch:
> http://marc.info/?l=linux-kernel&m=147359909329298&w=2 ;)


Nice!

When will it merged into mainline?

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: logfs: GPF in logfs_alloc_inode
  2016-11-18 18:54   ` Dmitry Vyukov
@ 2016-11-20  9:57     ` Dmitry Vyukov
  2016-11-20 21:05       ` Richard Weinberger
  0 siblings, 1 reply; 6+ messages in thread
From: Dmitry Vyukov @ 2016-11-20  9:57 UTC (permalink / raw)
  To: syzkaller
  Cc: Christoph Hellwig, joern, Prasad Joshi, logfs, LKML, Al Viro,
	linux-fsdevel

On Fri, Nov 18, 2016 at 7:54 PM, Dmitry Vyukov <dvyukov@google.com> wrote:
> On Fri, Nov 18, 2016 at 7:45 PM, Omar Sandoval <osandov@osandov.com> wrote:
>> On Fri, Nov 18, 2016 at 11:09:54AM +0100, Dmitry Vyukov wrote:
>>> Hello,
>>>
>>> The following program triggers GPF in logfs_alloc_inode:
>>> https://gist.githubusercontent.com/dvyukov/64a2113e4cb484d9b7e0ef4ff8a522d0/raw/fffdfb8b781ec758563e08765a258da71e6ff2a1/gistfile1.txt
>>
>> That should be fixed by this patch:
>> http://marc.info/?l=linux-kernel&m=147359909329298&w=2 ;)
>
>
> Nice!
>
> When will it merged into mainline?


Yes, delivery to joern@logfs.org and logfs@logfs.org fails.

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: logfs: GPF in logfs_alloc_inode
  2016-11-20  9:57     ` Dmitry Vyukov
@ 2016-11-20 21:05       ` Richard Weinberger
  2016-11-20 23:48         ` Omar Sandoval
  0 siblings, 1 reply; 6+ messages in thread
From: Richard Weinberger @ 2016-11-20 21:05 UTC (permalink / raw)
  To: Dmitry Vyukov
  Cc: syzkaller, Christoph Hellwig, Jörn Engel, Prasad Joshi,
	logfs, LKML, Al Viro, linux-fsdevel

On Sun, Nov 20, 2016 at 10:57 AM, Dmitry Vyukov <dvyukov@google.com> wrote:
> On Fri, Nov 18, 2016 at 7:54 PM, Dmitry Vyukov <dvyukov@google.com> wrote:
>> On Fri, Nov 18, 2016 at 7:45 PM, Omar Sandoval <osandov@osandov.com> wrote:
>>> On Fri, Nov 18, 2016 at 11:09:54AM +0100, Dmitry Vyukov wrote:
>>>> Hello,
>>>>
>>>> The following program triggers GPF in logfs_alloc_inode:
>>>> https://gist.githubusercontent.com/dvyukov/64a2113e4cb484d9b7e0ef4ff8a522d0/raw/fffdfb8b781ec758563e08765a258da71e6ff2a1/gistfile1.txt
>>>
>>> That should be fixed by this patch:
>>> http://marc.info/?l=linux-kernel&m=147359909329298&w=2 ;)
>>
>>
>> Nice!
>>
>> When will it merged into mainline?
>
>
> Yes, delivery to joern@logfs.org and logfs@logfs.org fails.

Wasn't the plan to remove logfs?

-- 
Thanks,
//richard

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: logfs: GPF in logfs_alloc_inode
  2016-11-20 21:05       ` Richard Weinberger
@ 2016-11-20 23:48         ` Omar Sandoval
  0 siblings, 0 replies; 6+ messages in thread
From: Omar Sandoval @ 2016-11-20 23:48 UTC (permalink / raw)
  To: Richard Weinberger
  Cc: Dmitry Vyukov, syzkaller, Christoph Hellwig, Prasad Joshi, LKML,
	Al Viro, linux-fsdevel

On Sun, Nov 20, 2016 at 10:05:16PM +0100, Richard Weinberger wrote:
> On Sun, Nov 20, 2016 at 10:57 AM, Dmitry Vyukov <dvyukov@google.com> wrote:
> > On Fri, Nov 18, 2016 at 7:54 PM, Dmitry Vyukov <dvyukov@google.com> wrote:
> >> On Fri, Nov 18, 2016 at 7:45 PM, Omar Sandoval <osandov@osandov.com> wrote:
> >>> On Fri, Nov 18, 2016 at 11:09:54AM +0100, Dmitry Vyukov wrote:
> >>>> Hello,
> >>>>
> >>>> The following program triggers GPF in logfs_alloc_inode:
> >>>> https://gist.githubusercontent.com/dvyukov/64a2113e4cb484d9b7e0ef4ff8a522d0/raw/fffdfb8b781ec758563e08765a258da71e6ff2a1/gistfile1.txt
> >>>
> >>> That should be fixed by this patch:
> >>> http://marc.info/?l=linux-kernel&m=147359909329298&w=2 ;)
> >>
> >>
> >> Nice!
> >>
> >> When will it merged into mainline?
> >
> >
> > Yes, delivery to joern@logfs.org and logfs@logfs.org fails.
> 
> Wasn't the plan to remove logfs?

Yes, that's the patch I linked to.

-- 
Omar

^ permalink raw reply	[flat|nested] 6+ messages in thread
end of thread, other threads:[~2016-11-20 23:48 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-11-18 10:09 logfs: GPF in logfs_alloc_inode Dmitry Vyukov
2016-11-18 18:45 ` Omar Sandoval
2016-11-18 18:54   ` Dmitry Vyukov
2016-11-20  9:57     ` Dmitry Vyukov
2016-11-20 21:05       ` Richard Weinberger
2016-11-20 23:48         ` Omar Sandoval

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.