* v6.9-rc1 bug?
@ 2024-03-16  4:23 Itaru Kitayama
From: Itaru Kitayama @ 2024-03-16  4:23 UTC (permalink / raw)
  To: linux-arm-kernel

On FVP with the latest v6.9-rc1 kernel, when mounting a host directory
via the 9p virtual filesystem it splats buggy addresses:

[  101.148388] ==================================================================
[  101.148706] BUG: KASAN: slab-use-after-free in v9fs_stat2inode_dotl+0x804/0x984
[  101.149185] Read of size 8 at addr ffff000805f06788 by task mount/158
[  101.149548]
[  101.149742] CPU: 2 PID: 158 Comm: mount Not tainted 6.8.0-11409-gf6cef5f8c37f #85
[  101.150163] Hardware name: FVP Base RevC (DT)
[  101.150436] Call trace:
[  101.150658]  dump_backtrace+0x94/0xf0
[  101.150999]  show_stack+0x1c/0x2c
[  101.151327]  dump_stack_lvl+0xf0/0x178
[  101.151740]  print_report+0xdc/0x57c
[  101.152117]  kasan_report+0xb4/0x100
[  101.152498]  __asan_report_load8_noabort+0x24/0x34
[  101.152931]  v9fs_stat2inode_dotl+0x804/0x984
[  101.153355]  v9fs_fid_iget_dotl+0x174/0x208
[  101.153767]  v9fs_mount+0x37c/0x740
[  101.154143]  legacy_get_tree+0xd4/0x198
[  101.154545]  vfs_get_tree+0x78/0x284
[  101.154890]  path_mount+0x738/0x1500
[  101.155226]  __arm64_sys_mount+0x48c/0x5c4
[  101.155579]  invoke_syscall+0xd4/0x24c
[  101.156002]  el0_svc_common.constprop.0+0xb0/0x23c
[  101.156458]  do_el0_svc+0x44/0x60
[  101.156869]  el0_svc+0x3c/0x84
[  101.157189]  el0t_64_sync_handler+0x128/0x134
[  101.157556]  el0t_64_sync+0x1b0/0x1b4
[  101.157897]
[  101.158089] Allocated by task 158 on cpu 2 at 101.140412s:
[  101.158429]  kasan_save_stack+0x40/0x6c
[  101.158797]  kasan_save_track+0x24/0x44
[  101.159167]  kasan_save_alloc_info+0x44/0x5c
[  101.159581]  __kasan_kmalloc+0xe0/0xe4
[  101.159946]  kmalloc_trace+0x164/0x300
[  101.160310]  p9_client_getattr_dotl+0x50/0x19c
[  101.160739]  v9fs_fid_iget_dotl+0xb4/0x208
[  101.161140]  v9fs_mount+0x37c/0x740
[  101.161508]  legacy_get_tree+0xd4/0x198
[  101.161902]  vfs_get_tree+0x78/0x284
[  101.162239]  path_mount+0x738/0x1500
[  101.162567]  __arm64_sys_mount+0x48c/0x5c4
[  101.162912]  invoke_syscall+0xd4/0x24c
[  101.163327]  el0_svc_common.constprop.0+0xb0/0x23c
[  101.163775]  do_el0_svc+0x44/0x60
[  101.164171]  el0_svc+0x3c/0x84
[  101.164490]  el0t_64_sync_handler+0x128/0x134
[  101.164848]  el0t_64_sync+0x1b0/0x1b4
[  101.165180]
[  101.165372] Freed by task 158 on cpu 2 at 101.148373s:
[  101.165705]  kasan_save_stack+0x40/0x6c
[  101.166074]  kasan_save_track+0x24/0x44
[  101.166443]  kasan_save_free_info+0x50/0x7c
[  101.166855]  poison_slab_object+0x11c/0x170
[  101.167235]  __kasan_slab_free+0x40/0x7c
[  101.167611]  kfree+0xf0/0x298
[  101.167945]  v9fs_fid_iget_dotl+0x138/0x208
[  101.168349]  v9fs_mount+0x37c/0x740
[  101.168717]  legacy_get_tree+0xd4/0x198
[  101.169111]  vfs_get_tree+0x78/0x284
[  101.169448]  path_mount+0x738/0x1500
[  101.169775]  __arm64_sys_mount+0x48c/0x5c4
[  101.170119]  invoke_syscall+0xd4/0x24c
[  101.170536]  el0_svc_common.constprop.0+0xb0/0x23c
[  101.170984]  do_el0_svc+0x44/0x60
[  101.171387]  el0_svc+0x3c/0x84
[  101.171699]  el0t_64_sync_handler+0x128/0x134
[  101.172058]  el0t_64_sync+0x1b0/0x1b4
[  101.172389]
[  101.172581] The buggy address belongs to the object at ffff000805f06788
[  101.172581]  which belongs to the cache kmalloc-192 of size 192
[  101.173042] The buggy address is located 0 bytes inside of
[  101.173042]  freed 192-byte region [ffff000805f06788, ffff000805f06848)
[  101.173528]
[  101.173714] The buggy address belongs to the physical page:
[  101.174005] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff000805f068c8 pfn:0x885f06
[  101.174426] head: order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[  101.174770] flags: 0x5ffff0000000a40(workingset|slab|head|node=0|zone=2|lastcpupid=0x1ffff)
[  101.175187] page_type: 0xffffffff()
[  101.175519] raw: 05ffff0000000a40 ffff000800002c40 ffff000800000850 ffff000800000850
[  101.175933] raw: ffff000805f068c8 0000000000190007 00000001ffffffff 0000000000000000
[  101.176359] head: 05ffff0000000a40 ffff000800002c40 ffff000800000850 ffff000800000850
[  101.176775] head: ffff000805f068c8 0000000000190007 00000001ffffffff 0000000000000000
[  101.177199] head: 05ffff0000000001 fffffdffe017c181 dead000000000122 00000000ffffffff
[  101.177611] head: 0000000200000000 0000000000000000 00000000ffffffff 0000000000000000
[  101.177960] page dumped because: kasan: bad access detected
[  101.178248]
[  101.178440] Memory state around the buggy address:
[  101.178731]  ffff000805f06680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc
[  101.179100]  ffff000805f06700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  101.179469] >ffff000805f06780: fc fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  101.179806]                       ^
[  101.180081]  ffff000805f06800: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[  101.180450]  ffff000805f06880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  101.180787] ==================================================================
[  101.181384] Disabling lock debugging due to kernel taint
[80713.750745] 9pnet_virtio: no channels available for device FM

After this I can see the directory contents but not execute shell
scripts.

Thanks,
Itaru.
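A triage helper for splats like the one above, added here as an example and not part of the original message or of the kernel tree: it parses the abridged KASAN lines, skips allocator/KASAN-internal frames to find the real allocation and free sites, and decodes the shadow byte covering the faulting address. The sample input is copied from the report above; the shadow-byte meanings are those of the kernel's generic slab KASAN mode (0xfa/0xfb freed, 0xfc redzone).

```python
import re
# Abridged lines of the KASAN report quoted above (copied from the report, not constructed).
SAMPLE_REPORT = """\
[  101.148706] BUG: KASAN: slab-use-after-free in v9fs_stat2inode_dotl+0x804/0x984
[  101.149185] Read of size 8 at addr ffff000805f06788 by task mount/158
[  101.158089] Allocated by task 158 on cpu 2 at 101.140412s:
[  101.158429]  kasan_save_stack+0x40/0x6c
[  101.159946]  kmalloc_trace+0x164/0x300
[  101.160310]  p9_client_getattr_dotl+0x50/0x19c
[  101.165372] Freed by task 158 on cpu 2 at 101.148373s:
[  101.167611]  kfree+0xf0/0x298
[  101.167945]  v9fs_fid_iget_dotl+0x138/0x208
[  101.178440] Memory state around the buggy address:
[  101.179469] >ffff000805f06780: fc fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""
# Slab shadow-byte meanings; one shadow byte covers an 8-byte granule of the object.
SHADOW = {"00": "addressable", "fa": "freed (free-track metadata)",
          "fb": "freed", "fc": "slab redzone"}
# Allocator/KASAN frames skipped when looking for the real call site.
INTERNAL = ("kasan_", "__kasan_", "__asan_", "kmalloc", "kfree", "poison_slab")

def first_site(frames):
    """First frame outside allocator/KASAN internals, with +offset/length stripped."""
    return next((f.split("+", 1)[0] for f in frames if not f.startswith(INTERNAL)), None)

def parse_kasan_report(text):
    r, section = {"alloc": [], "free": [], "rows": {}}, None
    for raw in text.splitlines():
        line = re.sub(r"^\[\s*[\d.]+\]\s?", "", raw)          # drop printk timestamp
        if m := re.match(r"BUG: KASAN: (\S+) in (\w+)", line):
            r["bug"], r["use_site"] = m.groups()
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", line):
            r["access"], r["size"], r["addr"], r["task"] = m[1].lower(), int(m[2]), int(m[3], 16), m[4]
        elif line.startswith(("Allocated by", "Freed by", "Memory state")):
            section = {"Allocated": "alloc", "Freed": "free"}.get(line.split()[0])
        elif m := re.match(r">?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", line.strip()):
            r["rows"][int(m[1], 16)] = m[2].split()        # shadow row: base -> 16 bytes
        elif section and line.startswith(" "):
            r[section].append(line.strip())                 # stack frame in alloc/free trace
    r["alloc_site"], r["free_site"] = first_site(r["alloc"]), first_site(r["free"])
    base = r["addr"] & ~0x7f                                # a row spans 16 granules = 128 bytes
    byte = r["rows"][base][(r["addr"] - base) // 8]
    r["shadow"] = (byte, SHADOW.get(byte, "unknown"))
    return r

def triage(text):
    """One-line summary: what was accessed, where it was allocated and freed, shadow state."""
    r = parse_kasan_report(text)
    return (f"{r['bug']}: {r['access']} of {r['size']} bytes in {r['use_site']} by {r['task']}; "
            f"allocated in {r['alloc_site']}, freed in {r['free_site']}; shadow {r['shadow'][0]} = {r['shadow'][1]}")
```

For this report the summary places the allocation in p9_client_getattr_dotl and the free in v9fs_fid_iget_dotl, with the first granule of the freed object marked 0xfa, which is the pattern of a stale pointer being dereferenced after kfree rather than an out-of-bounds read.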
