From: NeilBrown
To: kernel test robot
Date: Tue, 20 Feb 2018 11:09:25 +1100
Cc: Trond Myklebust, Anna Schumaker, linux-nfs@vger.kernel.org, lkp@01.org
Subject: Re: [SUNRPC] e22c8d3cf4: BUG:KASAN:use-after-free_in_r
In-Reply-To: <20180219163912.25h6tn5l2gwcx5nv@inn>
References: <20180219163912.25h6tn5l2gwcx5nv@inn>
Message-ID: <87371wldxm.fsf@notabene.neil.brown.name>

On Tue, Feb 20 2018, kernel test robot wrote:

> FYI, we noticed the following commit (built with gcc-7):
>
> commit: e22c8d3cf4cd6307228c9946a670fa548c359611 ("SUNRPC: add side channel to use non-generic cred for rpc call.")
> url: https://github.com/0day-ci/linux/commits/NeilBrown/Remove-generic-rpc-credentials-and-associated-changed-V3/20180219-190836
> base: git://git.linux-nfs.org/projects/trondmy/linux-nfs.git linux-next
>
> in testcase: boot
>
> on test machine: qemu-system-x86_64 -enable-kvm -cpu host -smp 2 -m 1G
>
> caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
>
>
> +-------------------------------+------------+------------+
> |                               | a79c51c9c3 | e22c8d3cf4 |
> +-------------------------------+------------+------------+
> | boot_successes                | 6          | 4          |
> | boot_failures                 | 0          | 4          |
> | BUG:KASAN:use-after-free_in_r | 0          | 4          |
> +-------------------------------+------------+------------+
>
>
>
> [ 66.551598] BUG: KASAN: use-after-free in rpc_free_task+0x5e/0x86
> [ 66.552963] Read of size 8 at addr ffff8800093e93a8 by task kworker/0:3/201

Thanks.
The patch had

  rpc_release_calldata(task->tk_ops, task->tk_calldata);
+ put_rpccred(task->tk_op_cred);

It should have had

+ put_rpccred(task->tk_op_cred);
  rpc_release_calldata(task->tk_ops, task->tk_calldata);

as the rpc_release_calldata might free the task.

I'll send a revised patch.

Thanks,
NeilBrown
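
Review bot: the corrected hunk should carry a short comment directly above rpc_release_calldata(task->tk_ops, task->tk_calldata) stating that task must not be dereferenced after that call, because the ordering is the only thing keeping put_rpccred(task->tk_op_cred) safe. In the first version the put_rpccred() line reads task->tk_op_cred after the release call that "might free the task", which is consistent with the KASAN read of size 8 reported in rpc_free_task. Without the comment, a later cleanup appended at the end of the function could reintroduce the same use-after-free.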