* BUG: KASAN: use-after-free in find_clp_in_name_tree.isra.0+0x13e/0x190 [nfsd]
@ 2021-06-02 18:13 David Wysochanski
  2021-06-02 20:04 ` J. Bruce Fields
  0 siblings, 1 reply; 2+ messages in thread
From: David Wysochanski @ 2021-06-02 18:13 UTC (permalink / raw)
  To: J. Bruce Fields; +Cc: linux-nfs

Bruce,

I was testing your nfsd-next branch (plus my modified v3 callback
address and state patch I just sent) and saw this on console after a
simple test of mount, umount, mount cycle of a NFSv4.1 mount.


==================================================================
[ 8523.413808] BUG: KASAN: use-after-free in find_clp_in_name_tree.isra.0+0x13e/0x190 [nfsd]
[ 8523.417537] Read of size 4 at addr ffff888117a6cee8 by task nfsd/1132
[ 8523.420320]
[ 8523.421012] CPU: 7 PID: 1132 Comm: nfsd Kdump: loaded Not tainted 5.13.0-rc2-bfields-nfsd+ #16
[ 8523.424499] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
[ 8523.426785] Call Trace:
[ 8523.427880]  dump_stack+0x9c/0xcf
[ 8523.429375]  print_address_description.constprop.0+0x18/0x130
[ 8523.431756]  ? find_clp_in_name_tree.isra.0+0x13e/0x190 [nfsd]
[ 8523.434160]  kasan_report.cold+0x7f/0x111
[ 8523.435795]  ? find_clp_in_name_tree.isra.0+0x13e/0x190 [nfsd]
[ 8523.438207]  find_clp_in_name_tree.isra.0+0x13e/0x190 [nfsd]
[ 8523.440519]  ? _raw_write_lock_bh+0xb0/0xb0
[ 8523.442284]  nfsd4_exchange_id+0x7f5/0x1730 [nfsd]
[ 8523.444290]  ? nfsd4_mach_creds_match+0x210/0x210 [nfsd]
[ 8523.446479]  ? svcauth_unix_set_client+0xab8/0x1370 [sunrpc]
[ 8523.449121]  nfsd4_proc_compound+0xc83/0x1f20 [nfsd]
[ 8523.451187]  nfsd_dispatch+0x4fd/0xa30 [nfsd]
[ 8523.453053]  ? svc_reserve+0x10c/0x220 [sunrpc]
[ 8523.454986]  svc_process_common+0xcca/0x2310 [sunrpc]
[ 8523.457119]  ? svc_set_num_threads+0x440/0x440 [sunrpc]
[ 8523.459318]  ? nfsd_svc+0x9a0/0x9a0 [nfsd]
[ 8523.461044]  ? svc_xprt_release+0x2fd/0x720 [sunrpc]
[ 8523.463135]  svc_process+0x353/0x4f0 [sunrpc]
[ 8523.464998]  nfsd+0x2a1/0x410 [nfsd]
[ 8523.466526]  ? __kthread_parkme+0x85/0x100
[ 8523.468251]  ? nfsd_shutdown_threads+0x1f0/0x1f0 [nfsd]
[ 8523.470409]  kthread+0x31c/0x3e0
[ 8523.471725]  ? __kthread_bind_mask+0x90/0x90
[ 8523.473440]  ret_from_fork+0x22/0x30
[ 8523.474924]
[ 8523.475571] Allocated by task 1132:
[ 8523.477010]  kasan_save_stack+0x1b/0x40
[ 8523.478564]  __kasan_slab_alloc+0x61/0x80
[ 8523.480185]  kmem_cache_alloc+0xec/0x250
[ 8523.481795]  create_client+0x1bf/0xe00 [nfsd]
[ 8523.483639]  nfsd4_exchange_id+0x2b8/0x1730 [nfsd]
[ 8523.485646]  nfsd4_proc_compound+0xc83/0x1f20 [nfsd]
[ 8523.487677]  nfsd_dispatch+0x4fd/0xa30 [nfsd]
[ 8523.489487]  svc_process_common+0xcca/0x2310 [sunrpc]
[ 8523.491608]  svc_process+0x353/0x4f0 [sunrpc]
[ 8523.493564]  nfsd+0x2a1/0x410 [nfsd]
[ 8523.507991]  kthread+0x31c/0x3e0
[ 8523.509297]  ret_from_fork+0x22/0x30
[ 8523.510734]
[ 8523.511358] Last potentially related work creation:
[ 8523.513263]  kasan_save_stack+0x1b/0x40
[ 8523.514771]  kasan_record_aux_stack+0xa5/0xb0
[ 8523.516476]  insert_work+0x4a/0x350
[ 8523.517852]  __queue_work+0x4db/0xc20
[ 8523.519288]  queue_work_on+0x59/0x80
[ 8523.520707]  nfsd4_run_cb+0x51/0x80 [nfsd]
[ 8523.522799]  nfsd4_shutdown_callback+0xbf/0x2a0 [nfsd]
[ 8523.524889]  __destroy_client+0x48a/0x6d0 [nfsd]
[ 8523.526738]  nfsd4_destroy_clientid+0x2da/0x4c0 [nfsd]
[ 8523.528823]  nfsd4_proc_compound+0xc83/0x1f20 [nfsd]
[ 8523.530826]  nfsd_dispatch+0x4fd/0xa30 [nfsd]
[ 8523.532594]  svc_process_common+0xcca/0x2310 [sunrpc]
[ 8523.534988]  svc_process+0x353/0x4f0 [sunrpc]
[ 8523.536774]  nfsd+0x2a1/0x410 [nfsd]
[ 8523.538258]  kthread+0x31c/0x3e0
[ 8523.539539]  ret_from_fork+0x22/0x30
[ 8523.540949]
[ 8523.541571] Second to last potentially related work creation:
[ 8523.543778]  kasan_save_stack+0x1b/0x40
[ 8523.545281]  kasan_record_aux_stack+0xa5/0xb0
[ 8523.546992]  insert_work+0x4a/0x350
[ 8523.548352]  __queue_work+0x4db/0xc20
[ 8523.549778]  queue_work_on+0x59/0x80
[ 8523.551178]  nfsd4_run_cb+0x51/0x80 [nfsd]
[ 8523.552830]  nfsd4_probe_callback_sync+0xa/0x20 [nfsd]
[ 8523.554900]  nfsd4_destroy_session+0x658/0x920 [nfsd]
[ 8523.556956]  nfsd4_proc_compound+0xc83/0x1f20 [nfsd]
[ 8523.558949]  nfsd_dispatch+0x4fd/0xa30 [nfsd]
[ 8523.560707]  svc_process_common+0xcca/0x2310 [sunrpc]
[ 8523.562777]  svc_process+0x353/0x4f0 [sunrpc]
[ 8523.564587]  nfsd+0x2a1/0x410 [nfsd]
[ 8523.566065]  kthread+0x31c/0x3e0
[ 8523.567338]  ret_from_fork+0x22/0x30
[ 8523.568747]
[ 8523.569405] The buggy address belongs to the object at ffff888117a6ce50
[ 8523.569405]  which belongs to the cache nfsd4_clients of size 1304
[ 8523.574309] The buggy address is located 152 bytes inside of
[ 8523.574309]  1304-byte region [ffff888117a6ce50, ffff888117a6d368)
[ 8523.578794] The buggy address belongs to the page:
[ 8523.580661] page:000000005a8edc90 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888117a6ce50 pfn:0x117a68
[ 8523.584734] head:000000005a8edc90 order:3 compound_mapcount:0 compound_pincount:0
[ 8523.587613] flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
[ 8523.590475] raw: 0017ffffc0010200 dead000000000100 dead000000000122 ffff88810ca21180
[ 8523.593442] raw: ffff888117a6ce50 0000000080160015 00000001ffffffff 0000000000000000
[ 8523.596406] page dumped because: kasan: bad access detected
[ 8523.598551]
[ 8523.599168] Memory state around the buggy address:
[ 8523.601043]  ffff888117a6cd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 8523.603798]  ffff888117a6ce00: fc fc fc fc fc fc fc fc fc fc fb fb fb fb fb fb
[ 8523.614732] >ffff888117a6ce80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 8523.617540]                                                           ^
[ 8523.620077]  ffff888117a6cf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 8523.622826]  ffff888117a6cf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 8523.625586] ==================================================================
[ 8523.628381] Disabling lock debugging due to kernel taint


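A splat like the one above is read the same way every time: what kind of bug, which symbol faulted, which slab object and at what offset, and the first frames of the access, allocation and work-creation stacks that are not KASAN or allocator plumbing. As an added example (not part of this thread and not nfsd code), here is a small Python parser that pulls exactly those pieces out of a KASAN report and recomputes the offset from the two addresses rather than trusting the "located N bytes inside" sentence. The sample text is a shortened copy of the console output in the message above; the section names and the list of "noise" frame prefixes are assumptions based on the KASAN report format and would need extending for other kernels.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a shortened copy of the console output in the message above.
SAMPLE = """\
[ 8523.413808] BUG: KASAN: use-after-free in find_clp_in_name_tree.isra.0+0x13e/0x190 [nfsd]
[ 8523.417537] Read of size 4 at addr ffff888117a6cee8 by task nfsd/1132
[ 8523.426785] Call Trace:
[ 8523.427880]  dump_stack+0x9c/0xcf
[ 8523.429375]  print_address_description.constprop.0+0x18/0x130
[ 8523.431756]  ? find_clp_in_name_tree.isra.0+0x13e/0x190 [nfsd]
[ 8523.434160]  kasan_report.cold+0x7f/0x111
[ 8523.438207]  find_clp_in_name_tree.isra.0+0x13e/0x190 [nfsd]
[ 8523.442284]  nfsd4_exchange_id+0x7f5/0x1730 [nfsd]
[ 8523.449121]  nfsd4_proc_compound+0xc83/0x1f20 [nfsd]
[ 8523.475571] Allocated by task 1132:
[ 8523.477010]  kasan_save_stack+0x1b/0x40
[ 8523.478564]  __kasan_slab_alloc+0x61/0x80
[ 8523.480185]  kmem_cache_alloc+0xec/0x250
[ 8523.481795]  create_client+0x1bf/0xe00 [nfsd]
[ 8523.483639]  nfsd4_exchange_id+0x2b8/0x1730 [nfsd]
[ 8523.511358] Last potentially related work creation:
[ 8523.513263]  kasan_save_stack+0x1b/0x40
[ 8523.516476]  insert_work+0x4a/0x350
[ 8523.519288]  queue_work_on+0x59/0x80
[ 8523.520707]  nfsd4_run_cb+0x51/0x80 [nfsd]
[ 8523.522799]  nfsd4_shutdown_callback+0xbf/0x2a0 [nfsd]
[ 8523.541571] Second to last potentially related work creation:
[ 8523.551178]  nfsd4_run_cb+0x51/0x80 [nfsd]
[ 8523.552830]  nfsd4_probe_callback_sync+0xa/0x20 [nfsd]
[ 8523.569405] The buggy address belongs to the object at ffff888117a6ce50
[ 8523.569405]  which belongs to the cache nfsd4_clients of size 1304
"""

_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")        # console timestamp prefix "[ 8523.413808] "
# One frame: optional "? " (unreliable frame), symbol+off/size, optional [module].
_FRAME = re.compile(r"^(\? )?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?$")
# Assumed list of reporting/allocator/workqueue plumbing frames to skip when summarising.
_NOISE = ("kasan_", "__kasan_", "kmem_cache_", "kfree", "dump_stack",
          "print_address_description", "insert_work", "__queue_work", "queue_work_on")
_SECTION_START = {"Call Trace:": "access",
                  "Last potentially related work creation:": "work1",
                  "Second to last potentially related work creation:": "work2"}


@dataclass
class KasanReport:
    bug: str = ""            # e.g. "use-after-free"
    site: str = ""           # faulting symbol+offset
    access: str = ""         # "Read" or "Write"
    size: int = 0
    addr: int = 0
    task: str = ""
    cache: str = ""          # slab cache the object came from
    obj_start: int = 0
    obj_size: int = 0
    stacks: dict = field(default_factory=dict)   # section name -> [frames]


def parse_kasan(text: str) -> KasanReport:
    r, section = KasanReport(), None
    for raw in text.splitlines():
        line = _TS.sub("", raw).strip()
        if not line or line.startswith("="):
            continue
        if line in _SECTION_START:
            section = _SECTION_START[line]
        elif m := re.match(r"BUG: KASAN: (.+?) in (\S+)", line):
            r.bug, r.site = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", line):
            r.access, r.size = m.group(1), int(m.group(2))
            r.addr, r.task = int(m.group(3), 16), m.group(4)
        elif m := re.match(r"(Allocated|Freed) by task \S+:", line):
            section = m.group(1).lower()
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r.obj_start = int(m.group(1), 16)
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line):
            r.cache, r.obj_size = m.group(1), int(m.group(2))
        elif (m := _FRAME.match(line)) and section and not m.group(1):
            mod = f" [{m.group(3)}]" if m.group(3) else ""
            r.stacks.setdefault(section, []).append(m.group(2) + mod)
    return r


def interesting(frames, n=3):
    # Drop plumbing frames and keep the first n that name the code under test.
    return [f for f in frames if not f.startswith(_NOISE)][:n]


def triage(text: str) -> dict:
    r = parse_kasan(text)
    offset = r.addr - r.obj_start     # recomputed from the addresses, not read from the text
    return {
        "bug": r.bug,
        "access": f"{r.access} of {r.size} bytes by {r.task}",
        "cache": r.cache,
        "offset": offset,
        "inside_object": 0 <= offset < r.obj_size,
        "access_path": interesting(r.stacks.get("access", [])),
        "allocated_at": interesting(r.stacks.get("allocated", [])),
        "freed_at": interesting(r.stacks.get("freed", [])),
        "work_creators": [interesting(r.stacks.get(k, []), 2) for k in ("work1", "work2")],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On the report above this yields offset 152 inside a 1304-byte nfsd4_clients object, an allocation under create_client() from nfsd4_exchange_id(), and two work items queued by nfsd4_run_cb() from the client-destroy and session-destroy paths, which is the shortlist a reviewer would check against the patch in the reply.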

* Re: BUG: KASAN: use-after-free in find_clp_in_name_tree.isra.0+0x13e/0x190 [nfsd]
  2021-06-02 18:13 BUG: KASAN: use-after-free in find_clp_in_name_tree.isra.0+0x13e/0x190 [nfsd] David Wysochanski
@ 2021-06-02 20:04 ` J. Bruce Fields
  0 siblings, 0 replies; 2+ messages in thread
From: J. Bruce Fields @ 2021-06-02 20:04 UTC (permalink / raw)
  To: David Wysochanski; +Cc: linux-nfs

On Wed, Jun 02, 2021 at 02:13:02PM -0400, David Wysochanski wrote:
> I was testing your nfsd-next branch (plus my modified v3 callback
> address and state patch I just sent) and saw this on console after a
> simple test of mount, umount, mount cycle of a NFSv4.1 mount.

Oops, thanks, it just needs this, I think; maybe I'd've caught that bug
earlier if I'd actually posted that patch.  Doing that now....

--b.

commit 70d6ebca5248
Author: J. Bruce Fields <bfields@redhat.com>
Date:   Wed Jun 2 15:50:45 2021 -0400

    foldme

diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
index 967912b4a7dd..6c64ce93510f 100644
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -2841,6 +2841,7 @@ move_to_confirmed(struct nfs4_client *clp)
 	list_move(&clp->cl_idhash, &nn->conf_id_hashtbl[idhashval]);
 	rb_erase(&clp->cl_namenode, &nn->unconf_name_tree);
 	add_clp_to_name_tree(clp, &nn->conf_name_tree);
+	set_bit(NFSD4_CLIENT_CONFIRMED, &clp->cl_flags);
 	trace_nfsd_clid_confirmed(&clp->cl_clientid);
 	renew_client_locked(clp);
 }
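Review bot: the new set_bit(NFSD4_CLIENT_CONFIRMED, &clp->cl_flags) sits after add_clp_to_name_tree(clp, &nn->conf_name_tree), so a lookup that finds clp in conf_name_tree between those two lines would see a confirmed-tree client without the flag; the renew_client_locked() call at the end of the function suggests move_to_confirmed() runs under nn->client_lock, in which case that window is closed, but placing the set_bit() before the rb_erase()/add_clp_to_name_tree() pair would make "in conf_name_tree implies CONFIRMED" hold without relying on the caller's locking. The commit message is a placeholder ("foldme"); when this is folded into the patch it belongs to, the resulting message should say which path needed the flag, since the KASAN report in the parent message only shows the symptom (a freed nfsd4_clients object reached through find_clp_in_name_tree() from nfsd4_exchange_id()), not why a missing CONFIRMED bit leads to it.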

