From: Qian Cai <cai@redhat.com>
To: Vivek Goyal <vgoyal@redhat.com>,
	Stefan Hajnoczi <stefanha@redhat.com>,
	Miklos Szeredi <miklos@szeredi.hu>
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
	virtio-fs@redhat.com
Subject: virtiofs: WARN_ON(out_sgs + in_sgs != total_sgs)
Date: Fri, 02 Oct 2020 12:28:17 -0400
Message-ID: <5ea77e9f6cb8c2db43b09fbd4158ab2d8c066a0a.camel@redhat.com>

Running some fuzzing on virtiofs from a non-privileged user could trigger a
warning in virtio_fs_enqueue_req():

WARN_ON(out_sgs + in_sgs != total_sgs);

# /usr/libexec/virtiofsd --socket-path=/tmp/vhostqemu -o source=$TESTDIR -o cache=always -o no_posix_lock
...
# mount -t virtiofs myfs /tmp
$ cd /tmp
$ trinity -C 48 --arch 64

From the log, the final piece of the code from the process was:

ioctl(fd=343, cmd=0x5a004000, arg=0x40000000);

[ 4327.977314] WARNING: CPU: 2 PID: 12259 at fs/fuse/virtio_fs.c:1151 virtio_fs_enqueue_req+0xa86/0xdb0 [virtiofs]
[ 4327.983910] Modules linked in: cmtp kernelcapi hidp bnep bridge stp llc dlci pppoe rfcomm nfnetlink pptp gre can_bcm bluetooth ecdh_generic ecc l2tp_ppp l2tp_netlink l2tp_core ip6_udp_tunnel udp_tunnel pppoxw
[ 4327.984068]  sunrpc dm_mirror dm_region_hash dm_log dm_mod
[ 4328.046826] CPU: 2 PID: 12259 Comm: trinity-c20 Kdump: loaded Not tainted 5.9.0-rc7-next-20201002+ #5
[ 4328.053714] Hardware name: Red Hat KVM, BIOS 1.14.0-1.module+el8.3.0+7638+07cf13d2 04/01/2014
[ 4328.059513] RIP: 0010:virtio_fs_enqueue_req+0xa86/0xdb0 [virtiofs]
[ 4328.063812] Code: c1 e7 05 48 03 7c 24 10 6a 00 e8 85 a4 ff ff 8d 48 01 58 41 8d 54 0d 00 e9 d2 fb ff ff 48 89 ef e8 8f 33 5e f9 e9 42 fe ff ff <0f> 0b e9 c7 fb ff ff 48 8b 7c 24 08 e8 c9 49 cf f8 0f b6 45 19
[ 4328.076709] RSP: 0018:ffff8889fbb4f9c0 EFLAGS: 00010297
[ 4328.079112] RAX: 0000000000000000 RBX: ffff8889c9ad88a8 RCX: 0000000000000003
[ 4328.083725] RDX: 0000000000000007 RSI: 0000000000000000 RDI: ffff88810575c1cc
[ 4328.089156] RBP: ffff8889fbb4fe20 R08: ffffed1020aeb83c R09: 0000000000001000
[ 4328.095906] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000008
[ 4328.101870] R13: 0000000000000004 R14: 0000000000000003 R15: ffff8889c9ad88d8
[ 4328.106674] FS:  00007f1129d21740(0000) GS:ffff888a7e900000(0000) knlGS:0000000000000000
[ 4328.111642] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 4328.114333] CR2: 000000000000002f CR3: 000000090f4ea005 CR4: 0000000000770ee0
[ 4328.117623] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 4328.122782] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 4328.128516] PKRU: 55555550
[ 4328.130769] Call Trace:
[ 4328.131992]  ? virtio_fs_probe+0x14d0/0x14d0 [virtiofs]
[ 4328.134465]  ? trace_hardirqs_on+0x1c/0x110
[ 4328.136419]  ? make_kprojid+0x20/0x20
[ 4328.138936]  ? __is_kernel_percpu_address+0x63/0x1e0
[ 4328.141899]  ? __module_address+0x3f/0x370
[ 4328.143835]  ? lockdep_hardirqs_on_prepare+0x4d0/0x4d0
[ 4328.146248]  ? virtio_fs_wake_pending_and_unlock+0x18b/0x610 [virtiofs]
[ 4328.149323]  ? lock_downgrade+0x730/0x730
[ 4328.151217]  ? lock_acquire+0x17f/0x7e0
[ 4328.152998]  ? fuse_simple_request+0x233/0x9f0 [fuse]
[ 4328.155360]  ? rcu_read_unlock+0x40/0x40
[ 4328.157169]  virtio_fs_wake_pending_and_unlock+0x1f0/0x610 [virtiofs]
virtio_fs_wake_pending_and_unlock at fs/fuse/virtio_fs.c:1227 (discriminator 10)
[ 4328.160173]  ? queue_request_and_unlock+0x11e/0x290 [fuse]
[ 4328.162685]  fuse_simple_request+0x3b2/0x9f0 [fuse]
__fuse_request_send at fs/fuse/dev.c:421
(inlined by) fuse_simple_request at fs/fuse/dev.c:503
[ 4328.164933]  fuse_do_ioctl+0x6c6/0x1280 [fuse]
[ 4328.166992]  ? fuse_readahead+0x1410/0x1410 [fuse]
[ 4328.169213]  ? hrtimer_forward+0x1b0/0x1b0
[ 4328.171113]  ? hrtimer_cancel+0x20/0x20
[ 4328.172903]  ? ioctl_file_clone+0x120/0x120
[ 4328.174849]  ? _raw_spin_unlock_irq+0x24/0x30
[ 4328.176871]  ? fuse_allow_current_process+0x235/0x2a0 [fuse]
[ 4328.181615]  __x64_sys_ioctl+0x128/0x190
[ 4328.184832]  do_syscall_64+0x33/0x40
[ 4328.190405]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 4328.196680] RIP: 0033:0x7f112963478d
[ 4328.200415] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d cb 56 2c 00 f7 d8 64 89 08
[ 4328.214734] RSP: 002b:00007ffd75a76ea8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 4328.220222] RAX: ffffffffffffffda RBX: 0000000000000010 RCX: 00007f112963478d
[ 4328.224383] RDX: 0000000040000000 RSI: 000000005a004000 RDI: 0000000000000157
[ 4328.228838] RBP: 0000000000000010 R08: 00000000000000a6 R09: 000000002e2e2e2e
[ 4328.233241] R10: fffffffffffffffc R11: 0000000000000246 R12: 0000000000000002
[ 4328.237136] R13: 00007f1129c8e058 R14: 00007f1129d216c0 R15: 00007f1129c8e000
[ 4328.240635] CPU: 2 PID: 12259 Comm: trinity-c20 Kdump: loaded Not tainted 5.9.0-rc7-next-20201002+ #5
[ 4328.248370] Hardware name: Red Hat KVM, BIOS 1.14.0-1.module+el8.3.0+7638+07cf13d2 04/01/2014
[ 4328.254499] Call Trace:
[ 4328.256522]  dump_stack+0x99/0xcb
[ 4328.259336]  __warn.cold.11+0xe/0x55
[ 4328.261944]  ? virtio_fs_enqueue_req+0xa86/0xdb0 [virtiofs]
[ 4328.264929]  report_bug+0x1af/0x260
[ 4328.266673]  handle_bug+0x44/0x80
[ 4328.270439]  exc_invalid_op+0x13/0x40
[ 4328.273490]  asm_exc_invalid_op+0x12/0x20
[ 4328.276814] RIP: 0010:virtio_fs_enqueue_req+0xa86/0xdb0 [virtiofs]
[ 4328.281866] Code: c1 e7 05 48 03 7c 24 10 6a 00 e8 85 a4 ff ff 8d 48 01 58 41 8d 54 0d 00 e9 d2 fb ff ff 48 89 ef e8 8f 33 5e f9 e9 42 fe ff ff <0f> 0b e9 c7 fb ff ff 48 8b 7c 24 08 e8 c9 49 cf f8 0f b6 45 19
[ 4328.294322] RSP: 0018:ffff8889fbb4f9c0 EFLAGS: 00010297
[ 4328.299571] RAX: 0000000000000000 RBX: ffff8889c9ad88a8 RCX: 0000000000000003
[ 4328.305197] RDX: 0000000000000007 RSI: 0000000000000000 RDI: ffff88810575c1cc
[ 4328.308930] RBP: ffff8889fbb4fe20 R08: ffffed1020aeb83c R09: 0000000000001000
[ 4328.313548] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000008
[ 4328.318783] R13: 0000000000000004 R14: 0000000000000003 R15: ffff8889c9ad88d8
[ 4328.322338]  ? virtio_fs_probe+0x14d0/0x14d0 [virtiofs]
[ 4328.324902]  ? trace_hardirqs_on+0x1c/0x110
[ 4328.328759]  ? make_kprojid+0x20/0x20
[ 4328.331336]  ? __is_kernel_percpu_address+0x63/0x1e0
[ 4328.333882]  ? __module_address+0x3f/0x370
[ 4328.337281]  ? lockdep_hardirqs_on_prepare+0x4d0/0x4d0
[ 4328.341248]  ? virtio_fs_wake_pending_and_unlock+0x18b/0x610 [virtiofs]
[ 4328.345799]  ? lock_downgrade+0x730/0x730
[ 4328.348017]  ? lock_acquire+0x17f/0x7e0
[ 4328.350546]  ? fuse_simple_request+0x233/0x9f0 [fuse]
[ 4328.355082]  ? rcu_read_unlock+0x40/0x40
[ 4328.358741]  virtio_fs_wake_pending_and_unlock+0x1f0/0x610 [virtiofs]
[ 4328.362663]  ? queue_request_and_unlock+0x11e/0x290 [fuse]
[ 4328.366070]  fuse_simple_request+0x3b2/0x9f0 [fuse]
[ 4328.368684]  fuse_do_ioctl+0x6c6/0x1280 [fuse]
[ 4328.371398]  ? fuse_readahead+0x1410/0x1410 [fuse]
[ 4328.373750]  ? hrtimer_forward+0x1b0/0x1b0
[ 4328.375807]  ? hrtimer_cancel+0x20/0x20
[ 4328.378899]  ? ioctl_file_clone+0x120/0x120
[ 4328.380978]  ? _raw_spin_unlock_irq+0x24/0x30
[ 4328.383097]  ? fuse_allow_current_process+0x235/0x2a0 [fuse]
[ 4328.387317]  __x64_sys_ioctl+0x128/0x190
[ 4328.390560]  do_syscall_64+0x33/0x40
[ 4328.393175]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 4328.396953] RIP: 0033:0x7f112963478d
[ 4328.399000] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d cb 56 2c 00 f7 d8 64 89 08
[ 4328.411726] RSP: 002b:00007ffd75a76ea8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 4328.417652] RAX: ffffffffffffffda RBX: 0000000000000010 RCX: 00007f112963478d
[ 4328.422766] RDX: 0000000040000000 RSI: 000000005a004000 RDI: 0000000000000157
[ 4328.427831] RBP: 0000000000000010 R08: 00000000000000a6 R09: 000000002e2e2e2e
[ 4328.433501] R10: fffffffffffffffc R11: 0000000000000246 R12: 0000000000000002
[ 4328.438662] R13: 00007f1129c8e058 R14: 00007f1129d216c0 R15: 00007f1129c8e000
[ 4328.443667] irq event stamp: 0
[ 4328.446682] hardirqs last  enabled at (0): [<0000000000000000>] 0x0
[ 4328.451788] hardirqs last disabled at (0): [<ffffffffb8fa08d7>] copy_process+0x18a7/0x5f00
[ 4328.456792] softirqs last  enabled at (0): [<ffffffffb8fa0913>] copy_process+0x18e3/0x5f00
[ 4328.462852] softirqs last disabled at (0): [<0000000000000000>] 0x0
[ 4328.467521] ---[ end trace d6b440e9dac66d6a ]---
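Decoding the ioctl number from the report, as an added example that is not code from the report or from the kernel: the register dump shows RSI=0x5a004000 (the cmd) and RDX=0x40000000 (the arg), and the fields of a Linux ioctl number (nr, type, size, direction) tell a triager what the fuzzer actually asked for. The second pair of helpers mirrors, as my reading of fs/fuse/file.c and not the page's statement, how the restricted FUSE ioctl path derives its input and output lengths from the size and direction bits alone.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* Linux ioctl number layout (asm-generic/ioctl.h): nr[7:0] type[15:8] size[29:16] dir[31:30]. */
#define IOC_NRBITS    8u
#define IOC_TYPEBITS  8u
#define IOC_SIZEBITS  14u
#define IOC_TYPESHIFT (IOC_NRBITS)
#define IOC_SIZESHIFT (IOC_TYPESHIFT + IOC_TYPEBITS)
#define IOC_DIRSHIFT  (IOC_SIZESHIFT + IOC_SIZEBITS)
#define IOC_WRITE     1u   /* userspace writes data to the kernel */
#define IOC_READ      2u   /* kernel writes data back to userspace */

struct ioc_fields { unsigned dir, type, nr, size; };

/* Split a raw ioctl request number into its four encoded fields. */
static struct ioc_fields ioc_decode(uint32_t cmd)
{
    struct ioc_fields f;
    f.dir  = (cmd >> IOC_DIRSHIFT)  & 3u;
    f.type = (cmd >> IOC_TYPESHIFT) & 0xffu;
    f.nr   =  cmd                   & 0xffu;
    f.size = (cmd >> IOC_SIZESHIFT) & ((1u << IOC_SIZEBITS) - 1u);
    return f;
}

/* Restricted FUSE ioctls (the default for regular files, no FUSE_IOCTL_UNRESTRICTED)
 * take the argument buffer length from the size field: it counts as input when the
 * direction has WRITE and as output when it has READ.  This is a model, not kernel code. */
static unsigned fuse_restricted_in_size(uint32_t cmd)
{
    struct ioc_fields f = ioc_decode(cmd);
    return (f.dir & IOC_WRITE) ? f.size : 0u;
}

static unsigned fuse_restricted_out_size(uint32_t cmd)
{
    struct ioc_fields f = ioc_decode(cmd);
    return (f.dir & IOC_READ) ? f.size : 0u;
}

int main(void)
{
    uint32_t cmd = 0x5a004000u;  /* cmd from the report's ioctl() line / RSI in the dump */
    struct ioc_fields f = ioc_decode(cmd);
    printf("dir=%u type=0x%02x nr=%u size=%u -> in_size=%u out_size=%u\n",
           f.dir, f.type, f.nr, f.size,
           fuse_restricted_in_size(cmd), fuse_restricted_out_size(cmd));
    return 0;
}
```

For this cmd the direction is write-only with a 6656-byte argument, so the request carries input data but no output data; whether that zero-length output side is what makes the scatter-gather count disagree is for the thread to establish.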


Thread overview: 5+ messages
2020-10-02 16:28 Qian Cai [this message]
2020-10-03  2:44 ` virtiofs: WARN_ON(out_sgs + in_sgs != total_sgs) Qian Cai
2020-10-04 14:31   ` Vivek Goyal
2020-10-06  9:04     ` Stefan Hajnoczi
2020-10-06 13:06       ` Vivek Goyal
