* [BUG] KASAN: global-out-of-bounds in __fuse_write_file_get.isra.0+0x81/0xe0
From: Marios Makassikis @ 2021-02-21 1:26 UTC (permalink / raw)
To: linux-fsdevel; +Cc: Marios Makassikis
Hello,
I hope this is the correct list to report this bug I've been seeing.
Background: I am testing a kernel SMB server implementation
("ksmbd": https://github.com/cifsd-team/cifsd).
As part of my tests, I tried having a Windows client store a backup on a SMB
share that is backed by an NTFS formatted disk. In doing so, the kernel
reports a BUG and locks up (either immediately, or after a few minutes).
I can reliably reproduce the crash by rsync'ing a large directory (kernel git
tree for example) over ksmbd.
If I replace ksmbd with samba (which handles everything in userland), I can't
trigger the crash.
If I format the disk using ext4 or xfs I don't see any crashes either (whether
I use ksmbd or samba). This suggests there may be an issue in FUSE, or in
the in-kernel interaction between FUSE and KSMBD.
I have tried the latest stable kernel (5.10) as well as the LTS release (v5.4).
On the userland side, I am using:
* libntfs-3g883 1:2017.3.23AR.3-3
* ntfs-3g 1:2017.3.23AR.3-3
* fuse 2.9.9-1+deb10u1
* libfuse2 2.9.9-1+deb10u1
I have included two dmesg logs below from a KASAN enabled kernel, as
well as the addr2line output from a couple of symbols that appear in the
stacktrace.
I tried looking at what might be wrong in fuse_write_inode() but I came
up empty-handed. If anyone has a clue at what I might try to fix this,
let me know.
Regards,
Marios
$ ./scripts/faddr2line vmlinux __fuse_write_file_get.isra.0+0x81/0xe0
__fuse_write_file_get.isra.0+0x81/0xe0:
arch_atomic_fetch_add at arch/x86/include/asm/atomic.h:184
(inlined by) atomic_fetch_add_relaxed at include/asm-generic/atomic-instrumented.h:143
(inlined by) __refcount_add at include/linux/refcount.h:193
(inlined by) __refcount_inc at include/linux/refcount.h:250
(inlined by) refcount_inc at include/linux/refcount.h:267
(inlined by) fuse_file_get at fs/fuse/file.c:99
(inlined by) __fuse_write_file_get at fs/fuse/file.c:1798
$ ./scripts/faddr2line vmlinux fuse_write_inode+0x10/0x40
fuse_write_inode+0x10/0x40:
fuse_write_inode at fs/fuse/file.c:1821
[ 652.650120] ==================================================================
[ 652.651166] BUG: KASAN: global-out-of-bounds in __fuse_write_file_get.isra.0+0x81/0xe0
[ 652.652157] Write of size 4 at addr ffffffffaab233f8 by task kworker/u2:0/7
[ 652.653003]
[ 652.653221] CPU: 0 PID: 7 Comm: kworker/u2:0 Not tainted 5.10.0+ #57
[ 652.654014] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[ 652.655120] Workqueue: writeback wb_workfn (flush-8:17-fuseblk)
[ 652.655874] Call Trace:
[ 652.656206] dump_stack+0x9a/0xcc
[ 652.656634] ? __fuse_write_file_get.isra.0+0x81/0xe0
[ 652.657261] print_address_description.constprop.0+0x1e/0x220
[ 652.658079] ? __fuse_write_file_get.isra.0+0x81/0xe0
[ 652.658705] ? __fuse_write_file_get.isra.0+0x81/0xe0
[ 652.659347] kasan_report.cold+0x37/0x7c
[ 652.659869] ? __fuse_write_file_get.isra.0+0x81/0xe0
[ 652.660513] check_memory_region+0x17c/0x1e0
[ 652.661055] __fuse_write_file_get.isra.0+0x81/0xe0
[ 652.661670] fuse_write_inode+0x10/0x40
[ 652.662165] __writeback_single_inode+0x7e0/0xbc0
[ 652.662858] writeback_sb_inodes+0x49c/0xb20
[ 652.663504] ? __writeback_single_inode+0xbc0/0xbc0
[ 652.664120] ? down_read_trylock+0x19a/0x370
[ 652.664650] ? trylock_super+0x16/0xc0
[ 652.665139] ? rcu_read_lock_sched_held+0xaf/0xe0
[ 652.665751] __writeback_inodes_wb+0xb7/0x200
[ 652.666372] wb_writeback+0x585/0x870
[ 652.666911] ? __writeback_inodes_wb+0x200/0x200
[ 652.667481] ? cpumask_next+0x16/0x20
[ 652.667933] ? get_nr_dirty_inodes+0xc1/0x160
[ 652.668445] wb_workfn+0x776/0xcd0
[ 652.668873] ? inode_wait_for_writeback+0x30/0x30
[ 652.669434] ? lock_acquire+0x1e3/0x9e0
[ 652.669901] ? process_one_work+0x6f2/0x1410
[ 652.670561] ? rcu_read_lock_sched_held+0xaf/0xe0
[ 652.671237] ? rcu_read_lock_bh_held+0xc0/0xc0
[ 652.671787] ? lockdep_hardirqs_on_prepare+0x286/0x400
[ 652.672415] process_one_work+0x79c/0x1410
[ 652.672930] ? check_flags+0x60/0x60
[ 652.673368] ? pwq_dec_nr_in_flight+0x320/0x320
[ 652.673926] ? rwlock_bug.part.0+0x90/0x90
[ 652.674553] worker_thread+0x8f/0xc70
[ 652.675019] ? trace_hardirqs_off+0x93/0x100
[ 652.675539] ? process_one_work+0x1410/0x1410
[ 652.676077] kthread+0x32b/0x3f0
[ 652.676478] ? _raw_spin_unlock_irq+0x24/0x30
[ 652.677004] ? kthread_mod_delayed_work+0x180/0x180
[ 652.677607] ret_from_fork+0x1f/0x30
[ 652.678079]
[ 652.678281] The buggy address belongs to the variable:
[ 652.678825] fscontext_fops+0x358/0x9c0
[ 652.679236]
[ 652.679487] Memory state around the buggy address:
[ 652.680093]  ffffffffaab23280: f9 f9 f9 f9 00 00 00 03 f9 f9 f9 f9 00 00 05 f9
[ 652.680846]  ffffffffaab23300: f9 f9 f9 f9 00 04 f9 f9 f9 f9 f9 f9 00 00 00 00
[ 652.681728] >ffffffffaab23380: 00 00 00 07 f9 f9 f9 f9 00 00 00 01 f9 f9 f9 f9
[ 652.682924]                                                                 ^
[ 652.684149]  ffffffffaab23400: 00 00 00 00 00 00 05 f9 f9 f9 f9 f9 00 00 06 f9
[ 652.685336]  ffffffffaab23480: f9 f9 f9 f9 00 00 00 00 00 03 f9 f9 f9 f9 f9 f9
[ 652.686530] ==================================================================
[ 652.687710] Disabling lock debugging due to kernel taint
[ 652.688625] BUG: unable to handle page fault for address: ffffffffaab233f8
[ 652.689787] #PF: supervisor write access in kernel mode
[ 652.690667] #PF: error_code(0x0003) - permissions violation
[ 652.691626] PGD 59a29067 P4D 59a29067 PUD 59a2a063 PMD 8000000058e001e1
[ 652.692773] Oops: 0003 [#1] SMP KASAN NOPTI
[ 652.693461] CPU: 0 PID: 7 Comm: kworker/u2:0 Tainted: G B 5.10.0+ #57
[ 652.694722] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[ 652.696187] Workqueue: writeback wb_workfn (flush-8:17-fuseblk)
[ 652.697102] RIP: 0010:__fuse_write_file_get.isra.0+0x86/0xe0
[ 652.698014] Code: c1 ea 03 80 3c 02 00 75 6e 48 8b 9b 10 04 00 00 be 04 00 00 00 4c 8d 6b f8 4c 8d 63 d0 4c 89 ef 8
[ 652.700983] RSP: 0018:ffffc9000007f820 EFLAGS: 00010246
[ 652.701799] RAX: 0000000000000001 RBX: ffffffffaab23400 RCX: 1ffffffff5868337
[ 652.702957] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffaa484559
[ 652.704131] RBP: ffff888021cb8ba8 R08: 0000000000000000 R09: 0000000000000000
[ 652.705271] R10: ffffffffaba89aa3 R11: fffffbfff5751354 R12: ffffffffaab233d0
[ 652.706360] R13: ffffffffaab233f8 R14: ffff888021cb86a8 R15: ffff888021cb8708
[ 652.707507] FS: 0000000000000000(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000
[ 652.708826] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 652.709754] CR2: ffffffffaab233f8 CR3: 0000000007610000 CR4: 00000000000006f0
[ 652.710845] Call Trace:
[ 652.711259] fuse_write_inode+0x10/0x40
[ 652.711921] __writeback_single_inode+0x7e0/0xbc0
[ 652.712708] writeback_sb_inodes+0x49c/0xb20
[ 652.713429] ? __writeback_single_inode+0xbc0/0xbc0
[ 652.714215] ? down_read_trylock+0x19a/0x370
[ 652.714865] ? trylock_super+0x16/0xc0
[ 652.715471] ? rcu_read_lock_sched_held+0xaf/0xe0
[ 652.716257] __writeback_inodes_wb+0xb7/0x200
[ 652.716990] wb_writeback+0x585/0x870
[ 652.717611] ? __writeback_inodes_wb+0x200/0x200
[ 652.718384] ? cpumask_next+0x16/0x20
[ 652.718967] ? get_nr_dirty_inodes+0xc1/0x160
[ 652.719653] wb_workfn+0x776/0xcd0
[ 652.720229] ? inode_wait_for_writeback+0x30/0x30
[ 652.720991] ? lock_acquire+0x1e3/0x9e0
[ 652.721639] ? process_one_work+0x6f2/0x1410
[ 652.722359] ? rcu_read_lock_sched_held+0xaf/0xe0
[ 652.723130] ? rcu_read_lock_bh_held+0xc0/0xc0
[ 652.723844] ? lockdep_hardirqs_on_prepare+0x286/0x400
[ 652.724647] process_one_work+0x79c/0x1410
[ 652.725319] ? check_flags+0x60/0x60
[ 652.725924] ? pwq_dec_nr_in_flight+0x320/0x320
[ 652.726682] ? rwlock_bug.part.0+0x90/0x90
[ 652.727373] worker_thread+0x8f/0xc70
[ 652.727981] ? trace_hardirqs_off+0x93/0x100
[ 652.728634] ? process_one_work+0x1410/0x1410
[ 652.729326] kthread+0x32b/0x3f0
[ 652.729870] ? _raw_spin_unlock_irq+0x24/0x30
[ 652.730597] ? kthread_mod_delayed_work+0x180/0x180
[ 652.731411] ret_from_fork+0x1f/0x30
[ 652.732034] Modules linked in:
[ 652.732551] CR2: ffffffffaab233f8
[ 652.733066] ---[ end trace 79aef9476ece9373 ]---
[ 652.733808] RIP: 0010:__fuse_write_file_get.isra.0+0x86/0xe0
[ 652.734733] Code: c1 ea 03 80 3c 02 00 75 6e 48 8b 9b 10 04 00 00 be 04 00 00 00 4c 8d 6b f8 4c 8d 63 d0 4c 89 ef 8
[ 652.737745] RSP: 0018:ffffc9000007f820 EFLAGS: 00010246
[ 652.738583] RAX: 0000000000000001 RBX: ffffffffaab23400 RCX: 1ffffffff5868337
[ 652.739699] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffaa484559
[ 652.740515] RBP: ffff888021cb8ba8 R08: 0000000000000000 R09: 0000000000000000
[ 652.741330] R10: ffffffffaba89aa3 R11: fffffbfff5751354 R12: ffffffffaab233d0
[ 652.742146] R13: ffffffffaab233f8 R14: ffff888021cb86a8 R15: ffff888021cb8708
[ 652.742962] FS: 0000000000000000(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000
[ 652.743900] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 652.744564] CR2: ffffffffaab233f8 CR3: 0000000007610000 CR4: 00000000000006f0
[ 652.745385] note: kworker/u2:0[7] exited with preempt_count 1
[ 679.621562] rcu: INFO: rcu_sched detected stalls on CPUs/tasks:
[ 679.622369] (detected by 0, t=26002 jiffies, g=539609, q=13)
[ 679.623070] rcu: All QSes seen, last rcu_sched kthread activity 26002 (4295346524-4295320522), jiffies_till_next_f0
[ 679.624560] rcu: rcu_sched kthread starved for 26002 jiffies! g539609 f0x2 RCU_GP_WAIT_FQS(5) ->state=0x0 ->cpu=0
[ 679.625819] rcu: Unless rcu_sched kthread gets sufficient CPU time, OOM is now expected behavior.
[ 679.626931] rcu: RCU grace-period kthread stack dump:
[ 679.627616] task:rcu_sched state:R running task stack:29664 pid: 10 ppid: 2 flags:0x00004000
[ 679.628885] Call Trace:
[ 679.629204] __schedule+0x863/0x1df0
[ 679.629782] ? pci_mmcfg_check_reserved+0x150/0x150
[ 679.630390] ? internal_add_timer+0xb4/0x100
[ 679.630930] ? calc_wheel_index+0x420/0x420
[ 679.631446] schedule+0xd0/0x270
[ 679.631859] schedule_timeout+0x352/0x7d0
[ 679.632334] ? usleep_range+0x110/0x110
[ 679.632791] ? _raw_spin_unlock_irqrestore+0x39/0x40
[ 679.633443] ? trace_hardirqs_on+0x1c/0x110
[ 679.634057] ? __next_timer_interrupt+0x160/0x160
[ 679.634716] ? __note_gp_changes+0x2e9/0xc20
[ 679.635362] rcu_gp_kthread+0xc05/0x2ac0
[ 679.635898] ? lock_downgrade+0x6c0/0x6c0
[ 679.636531] ? note_gp_changes+0x150/0x150
[ 679.637136] ? _raw_spin_unlock_irqrestore+0x39/0x40
[ 679.637729] ? trace_hardirqs_on+0x1c/0x110
[ 679.638227] ? note_gp_changes+0x150/0x150
[ 679.638711] kthread+0x32b/0x3f0
[ 679.639103] ? _raw_spin_unlock_irq+0x24/0x30
[ 679.639754] ? kthread_mod_delayed_work+0x180/0x180
[ 679.640370] ret_from_fork+0x1f/0x30
[ 704.526547] watchdog: BUG: soft lockup - CPU#0 stuck for 23s! [kworker/0:74:413]
[ 704.527470] Modules linked in:
[ 704.527872] irq event stamp: 3870620
[ 704.528343] hardirqs last enabled at (3870619): [<ffffffffaa600b9e>] asm_common_interrupt+0x1e/0x40
[ 704.529440] hardirqs last disabled at (3870620): [<ffffffffaa473fe7>] __schedule+0xea7/0x1df0
[ 704.530468] softirqs last enabled at (3870618): [<ffffffffaa80055c>] __do_softirq+0x55c/0x902
[ 704.531505] softirqs last disabled at (3870573): [<ffffffffaa600f6f>] asm_call_irq_on_stack+0xf/0x20
[ 704.532637] CPU: 0 PID: 413 Comm: kworker/0:74 Tainted: G B D 5.10.0+ #57
[ 704.533567] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[ 704.534645] Workqueue: ksmbd-io handle_ksmbd_work
[ 704.535217] RIP: 0010:queued_spin_lock_slowpath+0x28a/0x8e0
[ 704.535983] Code: 00 85 c0 74 3d 8b 03 84 c0 74 37 48 b8 00 00 00 00 00 fc ff df 49 89 dd 48 89 dd 49 c1 ed 03 83 0
[ 704.538130] RSP: 0018:ffffc90000967328 EFLAGS: 00000202
[ 704.538744] RAX: 0000000000000101 RBX: ffff888021cb8ba8 RCX: ffffffffa8288b52
[ 704.539580] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff888021cb8ba8
[ 704.540423] RBP: 0000000000000003 R08: 0000000000000001 R09: ffffed1004397176
[ 704.541239] R10: ffff888021cb8bab R11: ffffed1004397175 R12: 1ffff9200012ce67
[ 704.542205] R13: ffffed1004397175 R14: ffffc900009674d8 R15: ffff888021cb8680
[ 704.543046] FS: 0000000000000000(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000
[ 704.543999] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 704.544671] CR2: 000055b7ab2b0028 CR3: 0000000007610000 CR4: 00000000000006f0
[ 704.545507] Call Trace:
[ 704.545825] ? lock_acquire+0x6a1/0x9e0
[ 704.546293] ? osq_unlock+0x1a0/0x1a0
[ 704.546732] ? lock_release+0x511/0x720
[ 704.547192] ? lock_acquire+0x6a1/0x9e0
[ 704.547662] ? check_flags+0x60/0x60
[ 704.548095] do_raw_spin_lock+0x1dd/0x290
[ 704.548567] ? rwlock_bug.part.0+0x90/0x90
[ 704.549056] ? _raw_spin_unlock+0x1f/0x30
[ 704.549537] fuse_dentry_revalidate+0x5b6/0x7c0
[ 704.550117] ? fuse_invalid_attr+0xc0/0xc0
[ 704.550702] ? lock_release+0x511/0x720
[ 704.551228] ? rwlock_bug.part.0+0x90/0x90
[ 704.551796] ? lockref_get_not_dead+0x4a/0x60
[ 704.552394] lookup_fast+0x47b/0x5d0
[ 704.552892] ? unlazy_child+0x370/0x370
[ 704.553410] ? lock_downgrade+0x6c0/0x6c0
[ 704.553963] walk_component+0xb6/0x5e0
[ 704.554472] ? handle_dots.part.0+0x1480/0x1480
[ 704.555082] ? set_root+0x29e/0x4f0
[ 704.555497] ? generic_permission+0x40/0x390
[ 704.556008] link_path_walk+0x4ed/0xa40
[ 704.556472] ? orc_find.part.0+0x330/0x330
[ 704.556954] ? walk_component+0x5e0/0x5e0
[ 704.557429] path_lookupat+0x119/0x3b0
[ 704.557878] filename_lookup+0x176/0x3a0
[ 704.558344] ? ret_from_fork+0x1f/0x30
[ 704.558795] ? may_linkat+0x180/0x180
[ 704.559224] ? _raw_spin_unlock_irqrestore+0x39/0x40
[ 704.559820] ? trace_hardirqs_on+0x1c/0x110
[ 704.560316] ? create_object+0x677/0xb30
[ 704.560783] ? __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 704.561365] ? memcpy+0x39/0x60
[ 704.561745] ? getname_kernel+0xe2/0x330
[ 704.562250] ksmbd_vfs_fp_rename+0x131/0x270
[ 704.562899] ? ksmbd_vfs_link+0x1d0/0x1d0
[ 704.563400] ? dput+0x30/0x8c0
[ 704.563840] ? dput+0x1f0/0x8c0
[ 704.564262] ? do_raw_spin_unlock+0x54/0x250
[ 704.564799] smb2_set_info+0x1fac/0x31f0
[ 704.565343] ? smb2_echo+0x150/0x150
[ 704.565799] ? lock_release+0x511/0x720
[ 704.566303] ? memset+0x20/0x40
[ 704.566765] ? is_chained_smb2_message+0x617/0x1540
[ 704.567435] ? rwlock_bug.part.0+0x90/0x90
[ 704.568013] handle_ksmbd_work+0x316/0xfa0
[ 704.568561] process_one_work+0x79c/0x1410
[ 704.569109] ? check_flags+0x60/0x60
[ 704.569538] ? pwq_dec_nr_in_flight+0x320/0x320
[ 704.570189] ? rwlock_bug.part.0+0x90/0x90
[ 704.571032] worker_thread+0x8f/0xc70
[ 704.571658] ? trace_hardirqs_off+0x93/0x100
[ 704.572308] ? process_one_work+0x1410/0x1410
[ 704.572907] kthread+0x32b/0x3f0
[ 704.573318] ? _raw_spin_unlock_irq+0x24/0x30
[ 704.573868] ? kthread_mod_delayed_work+0x180/0x180
[ 704.574448] ret_from_fork+0x1f/0x30
[ 732.526532] watchdog: BUG: soft lockup - CPU#0 stuck for 23s! [kworker/0:74:413]
[ 732.527626] Modules linked in:
[ 732.528103] irq event stamp: 3870620
[ 732.528599] hardirqs last enabled at (3870619): [<ffffffffaa600b9e>] asm_common_interrupt+0x1e/0x40
[ 732.529728] hardirqs last disabled at (3870620): [<ffffffffaa473fe7>] __schedule+0xea7/0x1df0
[ 732.530866] softirqs last enabled at (3870618): [<ffffffffaa80055c>] __do_softirq+0x55c/0x902
[ 732.532019] softirqs last disabled at (3870573): [<ffffffffaa600f6f>] asm_call_irq_on_stack+0xf/0x20
[ 732.533266] CPU: 0 PID: 413 Comm: kworker/0:74 Tainted: G B D L 5.10.0+ #57
[ 732.534360] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[ 732.535708] Workqueue: ksmbd-io handle_ksmbd_work
[ 732.536404] RIP: 0010:queued_spin_lock_slowpath+0x28a/0x8e0
[ 732.537154] Code: 00 85 c0 74 3d 8b 03 84 c0 74 37 48 b8 00 00 00 00 00 fc ff df 49 89 dd 48 89 dd 49 c1 ed 03 83 0
[ 732.539708] RSP: 0018:ffffc90000967328 EFLAGS: 00000202
[ 732.540451] RAX: 0000000000000101 RBX: ffff888021cb8ba8 RCX: ffffffffa8288b52
[ 732.541431] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff888021cb8ba8
[ 732.542456] RBP: 0000000000000003 R08: 0000000000000001 R09: ffffed1004397176
[ 732.543346] R10: ffff888021cb8bab R11: ffffed1004397175 R12: 1ffff9200012ce67
[ 732.544618] R13: ffffed1004397175 R14: ffffc900009674d8 R15: ffff888021cb8680
[ 732.545784] FS: 0000000000000000(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000
[ 732.546906] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 732.547706] CR2: 000055b7ab2b0028 CR3: 0000000007610000 CR4: 00000000000006f0
[ 732.548686] Call Trace:
[ 732.549054] ? lock_acquire+0x6a1/0x9e0
[ 732.549552] ? osq_unlock+0x1a0/0x1a0
[ 732.550062] ? lock_release+0x511/0x720
[ 732.550596] ? lock_acquire+0x6a1/0x9e0
[ 732.551121] ? check_flags+0x60/0x60
[ 732.551591] do_raw_spin_lock+0x1dd/0x290
[ 732.552143] ? rwlock_bug.part.0+0x90/0x90
[ 732.552719] ? _raw_spin_unlock+0x1f/0x30
[ 732.553306] fuse_dentry_revalidate+0x5b6/0x7c0
[ 732.553939] ? fuse_invalid_attr+0xc0/0xc0
[ 732.554513] ? lock_release+0x511/0x720
[ 732.555028] ? rwlock_bug.part.0+0x90/0x90
[ 732.555599] ? lockref_get_not_dead+0x4a/0x60
[ 732.556216] lookup_fast+0x47b/0x5d0
[ 732.556736] ? unlazy_child+0x370/0x370
[ 732.557258] ? lock_downgrade+0x6c0/0x6c0
[ 732.557797] walk_component+0xb6/0x5e0
[ 732.558275] ? handle_dots.part.0+0x1480/0x1480
[ 732.558874] ? set_root+0x29e/0x4f0
[ 732.559362] ? generic_permission+0x40/0x390
[ 732.559924] link_path_walk+0x4ed/0xa40
[ 732.560440] ? orc_find.part.0+0x330/0x330
[ 732.561113] ? walk_component+0x5e0/0x5e0
[ 732.561854] path_lookupat+0x119/0x3b0
[ 732.562424] filename_lookup+0x176/0x3a0
[ 732.562923] ? ret_from_fork+0x1f/0x30
[ 732.563379] ? may_linkat+0x180/0x180
[ 732.563830] ? _raw_spin_unlock_irqrestore+0x39/0x40
[ 732.564431] ? trace_hardirqs_on+0x1c/0x110
[ 732.564933] ? create_object+0x677/0xb30
[ 732.565400] ? __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 732.565988] ? memcpy+0x39/0x60
[ 732.566369] ? getname_kernel+0xe2/0x330
[ 732.566849] ksmbd_vfs_fp_rename+0x131/0x270
[ 732.567383] ? ksmbd_vfs_link+0x1d0/0x1d0
[ 732.567867] ? dput+0x30/0x8c0
[ 732.568231] ? dput+0x1f0/0x8c0
[ 732.568608] ? do_raw_spin_unlock+0x54/0x250
[ 732.569138] smb2_set_info+0x1fac/0x31f0
[ 732.569616] ? smb2_echo+0x150/0x150
[ 732.570045] ? lock_release+0x511/0x720
[ 732.570498] ? memset+0x20/0x40
[ 732.570875] ? is_chained_smb2_message+0x617/0x1540
[ 732.571449] ? rwlock_bug.part.0+0x90/0x90
[ 732.571936] handle_ksmbd_work+0x316/0xfa0
[ 732.572425] process_one_work+0x79c/0x1410
[ 732.572932] ? check_flags+0x60/0x60
[ 732.573346] ? pwq_dec_nr_in_flight+0x320/0x320
[ 732.573855] ? rwlock_bug.part.0+0x90/0x90
[ 732.574325] worker_thread+0x8f/0xc70
[ 732.574794] ? trace_hardirqs_off+0x93/0x100
[ 732.575545] ? process_one_work+0x1410/0x1410
[ 732.576246] kthread+0x32b/0x3f0
[ 732.576781] ? _raw_spin_unlock_irq+0x24/0x30
[ 732.577307] ? kthread_mod_delayed_work+0x180/0x180
[ 732.577851] ret_from_fork+0x1f/0x30
In a different run, KASAN reported a 'user-memory-access' rather than a
'global out-of-bounds' error, as seen below:
[ 9226.447921] ==================================================================
[ 9226.448560] BUG: KASAN: user-memory-access in __fuse_write_file_get.isra.0+0x81/0xe0
[ 9226.448560] Write of size 4 at addr 0000000001e12cf8 by task kworker/u2:0/1308
[ 9226.448560]
[ 9226.448560] CPU: 0 PID: 1308 Comm: kworker/u2:0 Not tainted 5.10.0+ #57
[ 9226.448560] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[ 9226.448560] Workqueue: writeback wb_workfn (flush-0:33)
[ 9226.448560] Call Trace:
[ 9226.448560] dump_stack+0x9a/0xcc
[ 9226.448560] ? __fuse_write_file_get.isra.0+0x81/0xe0
[ 9226.448560] kasan_report.cold+0x6a/0x7c
[ 9226.448560] ? __fuse_write_file_get.isra.0+0x81/0xe0
[ 9226.448560] check_memory_region+0x17c/0x1e0
[ 9226.448560] __fuse_write_file_get.isra.0+0x81/0xe0
[ 9226.448560] fuse_write_inode+0x10/0x40
[ 9226.448560] __writeback_single_inode+0x7e0/0xbc0
[ 9226.448560] writeback_sb_inodes+0x49c/0xb20
[ 9226.448560] ? __writeback_single_inode+0xbc0/0xbc0
[ 9226.448560] ? down_read_trylock+0x19a/0x370
[ 9226.448560] ? trylock_super+0x16/0xc0
[ 9226.448560] ? rcu_read_lock_sched_held+0xaf/0xe0
[ 9226.448560] __writeback_inodes_wb+0xb7/0x200
[ 9226.448560] wb_writeback+0x585/0x870
[ 9226.448560] ? __writeback_inodes_wb+0x200/0x200
[ 9226.448560] ? cpumask_next+0x16/0x20
[ 9226.448560] ? get_nr_dirty_inodes+0xc1/0x160
[ 9226.448560] wb_workfn+0x776/0xcd0
[ 9226.448560] ? inode_wait_for_writeback+0x30/0x30
[ 9226.448560] ? lock_acquire+0x1e3/0x9e0
[ 9226.448560] ? process_one_work+0x6f2/0x1410
[ 9226.448560] ? rcu_read_lock_sched_held+0xaf/0xe0
[ 9226.448560] ? rcu_read_lock_bh_held+0xc0/0xc0
[ 9226.448560] ? lockdep_hardirqs_on_prepare+0x286/0x400
[ 9226.448560] process_one_work+0x79c/0x1410
[ 9226.448560] ? check_flags+0x60/0x60
[ 9226.448560] ? pwq_dec_nr_in_flight+0x320/0x320
[ 9226.448560] ? rwlock_bug.part.0+0x90/0x90
[ 9226.448560] worker_thread+0x8f/0xc70
[ 9226.448560] ? process_one_work+0x1410/0x1410
[ 9226.448560] kthread+0x32b/0x3f0
[ 9226.448560] ? _raw_spin_unlock_irq+0x24/0x30
[ 9226.448560] ? kthread_mod_delayed_work+0x180/0x180
[ 9226.448560] ret_from_fork+0x1f/0x30
[ 9226.448560] ==================================================================
[ 9226.448560] Disabling lock debugging due to kernel taint
[ 9226.475717] BUG: unable to handle page fault for address: 0000000001e12cf8
[ 9226.476540] #PF: supervisor write access in kernel mode
[ 9226.476665] #PF: error_code(0x0002) - not-present page
[ 9226.476665] PGD 0 P4D 0
[ 9226.476665] Oops: 0002 [#1] SMP KASAN NOPTI
[ 9226.476665] CPU: 0 PID: 1308 Comm: kworker/u2:0 Tainted: G B 5.10.0+ #57
[ 9226.476665] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[ 9226.476665] Workqueue: writeback wb_workfn (flush-0:33)
[ 9226.476665] RIP: 0010:__fuse_write_file_get.isra.0+0x86/0xe0
[ 9226.476665] Code: c1 ea 03 80 3c 02 00 75 6e 48 8b 9b 10 04 00 00 be 04 00 00 00 4c 8d 6b f8 4c 8d 63 d0 4c 89 ef 8
[ 9226.476665] RSP: 0018:ffffc90000457820 EFLAGS: 00010246
[ 9226.476665] RAX: 0000000000000001 RBX: 0000000001e12d00 RCX: 1ffffffff7b28337
[ 9226.476665] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffbba84559
[ 9226.476665] RBP: ffff88806418a5a8 R08: 0000000000000000 R09: 0000000000000000
[ 9226.476665] R10: ffffffffbd089aa3 R11: fffffbfff7a11354 R12: 0000000001e12cd0
[ 9226.476665] R13: 0000000001e12cf8 R14: ffff88806418a0a8 R15: ffff88806418a108
[ 9226.476665] FS: 0000000000000000(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000
[ 9226.476665] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 9226.476665] CR2: 0000000001e12cf8 CR3: 000000000285a000 CR4: 00000000000006f0
[ 9226.476665] Call Trace:
[ 9226.476665] fuse_write_inode+0x10/0x40
[ 9226.476665] __writeback_single_inode+0x7e0/0xbc0
[ 9226.476665] writeback_sb_inodes+0x49c/0xb20
[ 9226.476665] ? __writeback_single_inode+0xbc0/0xbc0
[ 9226.476665] ? down_read_trylock+0x19a/0x370
[ 9226.476665] ? trylock_super+0x16/0xc0
[ 9226.476665] ? rcu_read_lock_sched_held+0xaf/0xe0
[ 9226.476665] __writeback_inodes_wb+0xb7/0x200
[ 9226.476665] wb_writeback+0x585/0x870
[ 9226.476665] ? __writeback_inodes_wb+0x200/0x200
[ 9226.476665] ? cpumask_next+0x16/0x20
[ 9226.476665] ? get_nr_dirty_inodes+0xc1/0x160
[ 9226.476665] wb_workfn+0x776/0xcd0
[ 9226.476665] ? inode_wait_for_writeback+0x30/0x30
[ 9226.476665] ? lock_acquire+0x1e3/0x9e0
[ 9226.476665] ? process_one_work+0x6f2/0x1410
[ 9226.476665] ? rcu_read_lock_sched_held+0xaf/0xe0
[ 9226.476665] ? rcu_read_lock_bh_held+0xc0/0xc0
[ 9226.476665] ? lockdep_hardirqs_on_prepare+0x286/0x400
[ 9226.476665] process_one_work+0x79c/0x1410
[ 9226.476665] ? check_flags+0x60/0x60
[ 9226.476665] ? pwq_dec_nr_in_flight+0x320/0x320
[ 9226.476665] ? rwlock_bug.part.0+0x90/0x90
[ 9226.476665] worker_thread+0x8f/0xc70
[ 9226.476665] ? process_one_work+0x1410/0x1410
[ 9226.476665] kthread+0x32b/0x3f0
[ 9226.476665] ? _raw_spin_unlock_irq+0x24/0x30
[ 9226.476665] ? kthread_mod_delayed_work+0x180/0x180
[ 9226.476665] ret_from_fork+0x1f/0x30
[ 9226.476665] Modules linked in:
[ 9226.476665] CR2: 0000000001e12cf8
[ 9226.476665] ---[ end trace 8f64996c5041af07 ]---
[ 9226.476665] RIP: 0010:__fuse_write_file_get.isra.0+0x86/0xe0
[ 9226.476665] Code: c1 ea 03 80 3c 02 00 75 6e 48 8b 9b 10 04 00 00 be 04 00 00 00 4c 8d 6b f8 4c 8d 63 d0 4c 89 ef 8
[ 9226.476665] RSP: 0018:ffffc90000457820 EFLAGS: 00010246
[ 9226.476665] RAX: 0000000000000001 RBX: 0000000001e12d00 RCX: 1ffffffff7b28337
[ 9226.476665] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffbba84559
[ 9226.476665] RBP: ffff88806418a5a8 R08: 0000000000000000 R09: 0000000000000000
[ 9226.476665] R10: ffffffffbd089aa3 R11: fffffbfff7a11354 R12: 0000000001e12cd0
[ 9226.476665] R13: 0000000001e12cf8 R14: ffff88806418a0a8 R15: ffff88806418a108
[ 9226.476665] FS: 0000000000000000(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000
[ 9226.476665] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 9226.476665] CR2: 0000000001e12cf8 CR3: 000000000285a000 CR4: 00000000000006f0
[ 9226.476665] note: kworker/u2:0[1308] exited with preempt_count 1
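The KASAN report in the first message can be checked by hand from the "Memory state around the buggy address" rows alone. The program below is an added example, not code from the thread or from the kernel: it parses the five shadow rows printed in the first report (copied verbatim, with the ">" marker and caret dropped and the mail-wrapped continuations re-joined), looks up the shadow byte covering the faulting address ffffffffaab233f8, and applies the generic KASAN shadow encoding (one shadow byte per 8-byte granule: 0x00 fully addressable, 1..7 only the first N bytes addressable, 0xf9 the redzone placed around globals, the other poison values as defined in mm/kasan/kasan.h). The granule for ...3f8 is the 16th byte of the row marked ">", which is 0xf9: the 4-byte refcount write lands in the redzone between two global variables, which is exactly what "global-out-of-bounds" means. The row/granule constants and the per-granule access check are my model of generic KASAN, not the kernel's code.

```c
/* Added example (not from the thread or the kernel): decode the KASAN
 * "Memory state around the buggy address" rows for the faulting address.
 * Rows are copied from the first report above, with the ">" marker and
 * the caret line dropped and the mail-wrapped continuations re-joined. */
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define KASAN_SHADOW_SCALE_SHIFT 3                                   /* 1 shadow byte per 8 bytes */
#define KASAN_GRANULE_SIZE       ((uint64_t)1 << KASAN_SHADOW_SCALE_SHIFT)
#define SHADOW_BYTES_PER_ROW     16
#define SHADOW_ROW_SIZE          (SHADOW_BYTES_PER_ROW * KASAN_GRANULE_SIZE) /* 128 bytes of memory */

const char *shadow_rows[] = {
    "ffffffffaab23280: f9 f9 f9 f9 00 00 00 03 f9 f9 f9 f9 00 00 05 f9",
    "ffffffffaab23300: f9 f9 f9 f9 00 04 f9 f9 f9 f9 f9 f9 00 00 00 00",
    "ffffffffaab23380: 00 00 00 07 f9 f9 f9 f9 00 00 00 01 f9 f9 f9 f9",
    "ffffffffaab23400: 00 00 00 00 00 00 05 f9 f9 f9 f9 f9 00 00 06 f9",
    "ffffffffaab23480: f9 f9 f9 f9 00 00 00 00 00 03 f9 f9 f9 f9 f9 f9",
};
#define N_ROWS (sizeof(shadow_rows) / sizeof(shadow_rows[0]))

/* Generic-KASAN meaning of a shadow byte (values from mm/kasan/kasan.h). */
const char *kasan_shadow_name(int s)
{
    if (s == 0x00) return "addressable";
    if (s > 0 && s < (int)KASAN_GRANULE_SIZE) return "partially addressable";
    switch (s) {
    case 0xf9: return "global redzone";
    case 0xfc: return "kmalloc redzone";
    case 0xfb: return "kmalloc freed";
    case 0xfe: return "page redzone";
    case 0xff: return "free page";
    case 0xf1: case 0xf2: case 0xf3: case 0xf4: return "stack redzone";
    default:   return "other poison";
    }
}

/* Parse "ADDR: b0 b1 ... b15" into the row base address and 16 shadow bytes. */
int parse_shadow_row(const char *row, uint64_t *base, uint8_t out[SHADOW_BYTES_PER_ROW])
{
    char *end;
    *base = strtoull(row, &end, 16);
    if (*end != ':') return -1;
    end++;
    for (int i = 0; i < SHADOW_BYTES_PER_ROW; i++) {
        char *next;
        unsigned long v = strtoul(end, &next, 16);
        if (next == end || v > 0xff) return -1;
        out[i] = (uint8_t)v;
        end = next;
    }
    return 0;
}

/* Shadow byte covering addr, or -1 if no printed row covers it. */
int kasan_shadow_at(const char *const *rows, size_t nrows, uint64_t addr)
{
    for (size_t r = 0; r < nrows; r++) {
        uint64_t base;
        uint8_t bytes[SHADOW_BYTES_PER_ROW];
        if (parse_shadow_row(rows[r], &base, bytes)) return -1;
        if (addr >= base && addr < base + SHADOW_ROW_SIZE)
            return bytes[(addr - base) >> KASAN_SHADOW_SCALE_SHIFT];
    }
    return -1;
}

/* 1 if an access of size bytes at addr touches poisoned memory, 0 if it is
 * clean, -1 if the rows do not cover it. A granule whose shadow is 1..7 is
 * addressable only for its first N bytes, so the check is per granule. */
int kasan_access_is_bad(const char *const *rows, size_t nrows, uint64_t addr, size_t size)
{
    uint64_t last = addr + size - 1;
    for (uint64_t a = addr & ~(KASAN_GRANULE_SIZE - 1); a <= last; a += KASAN_GRANULE_SIZE) {
        int s = kasan_shadow_at(rows, nrows, a);
        if (s < 0) return -1;
        if (s == 0) continue;
        if (s >= (int)KASAN_GRANULE_SIZE) return 1;            /* poison value */
        uint64_t gend = a + KASAN_GRANULE_SIZE - 1;
        uint64_t e = (last < gend ? last : gend) & (KASAN_GRANULE_SIZE - 1);
        if (e >= (uint64_t)s) return 1;                        /* runs past the N valid bytes */
    }
    return 0;
}

int main(void)
{
    uint64_t addr = 0xffffffffaab233f8ULL;  /* "Write of size 4 at addr ..." */
    int s = kasan_shadow_at(shadow_rows, N_ROWS, addr);
    printf("shadow byte for %#llx: 0x%02x (%s); 4-byte write bad=%d\n",
           (unsigned long long)addr, s, kasan_shadow_name(s),
           kasan_access_is_bad(shadow_rows, N_ROWS, addr, 4));
    return 0;
}
```

The same decode cannot be done for the second run: the address there (0000000001e12cf8) is a user-space address, which has no kernel shadow, and KASAN classifies any faulting address below TASK_SIZE as "user-memory-access". Both reports come from the same instruction with a different garbage pointer, so the change of category does not indicate a second bug.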
* Re: [BUG] KASAN: global-out-of-bounds in __fuse_write_file_get.isra.0+0x81/0xe0
From: Miklos Szeredi @ 2021-02-22 10:43 UTC (permalink / raw)
To: Marios Makassikis; +Cc: linux-fsdevel
On Sun, Feb 21, 2021 at 2:30 AM Marios Makassikis
<mmakassikis@freebox.fr> wrote:
>
> Hello,
>
> I hope this is the correct list to report this bug I've been seeing.
>
> Background: I am testing a kernel SMB server implementation
> ("ksmbd": https://github.com/cifsd-team/cifsd).
>
> As part of my tests, I tried having a Windows client store a backup on a SMB
> share that is backed by an NTFS formatted disk. In doing so, the kernel
> reports a BUG and locks up (either immediately, or after a few minutes).
Seems like fi->write_files list gets corrupted.
Is list debugging turned on?
Can you get a crashdump, and see if the rest of the fi structure is okay?
Thanks,
Miklos
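The list debugging Miklos asks about is CONFIG_DEBUG_LIST, which validates the neighbours of a list_head on every list_add()/list_del() so that corruption is reported where it happens rather than at a later traversal such as the writeback path in the trace. The program below is an added example, not code from the thread or from fs/fuse: a user-space model of those checks, plus the pointer arithmetic that turns a corrupted fi->write_files head into the wild refcount write in the oops. The cut-down struct fuse_file is an assumption that keeps only the two fields the trace touches, laid out so that the refcount sits 8 bytes before the list node; the real struct is larger and its offsets are not shown in the thread. That choice mirrors the register dump: the Code: bytes decode to mov rbx,[rbx+0x410]; lea r13,[rbx-0x8]; lea r12,[rbx-0x30], so the pointer loaded into RBX (ffffffffaab23400) minus 8 is the address that faulted (R13 = CR2 = ffffffffaab233f8).

```c
/* Added example, not from the thread or from fs/fuse: a user-space model of
 * the CONFIG_DEBUG_LIST checks and of the pointer arithmetic that turns a
 * corrupted fi->write_files head into a wild refcount write. */
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))
#define list_entry(ptr, type, member) container_of(ptr, type, member)
#define list_first_entry(head, type, member) list_entry((head)->next, type, member)
#define list_empty(head) ((head)->next == (head))

/* Cut-down model (assumption): only the two fields the oops touches, laid
 * out so that &ff->count == (char *)&ff->write_entry - 8, matching
 * R13 == RBX - 8 in the register dump. The real struct has more fields. */
struct fuse_file {
    uint64_t fh;                  /* stands in for the leading fields */
    int count;                    /* refcount_t count in the kernel */
    struct list_head write_entry; /* linked into fi->write_files */
};

struct fuse_inode {
    struct list_head write_files; /* fi->write_files */
};

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }

/* Model of __list_add_valid() (lib/list_debug.c): the two neighbours must
 * already point at each other and the node must not be one of them. */
bool list_add_valid(struct list_head *node, struct list_head *prev, struct list_head *next)
{
    if (next->prev != prev) return false;           /* "next->prev should be prev" */
    if (prev->next != next) return false;           /* "prev->next should be next" */
    if (node == prev || node == next) return false; /* double add */
    return true;
}

/* Model of __list_del_entry_valid(): both neighbours must point back at us. */
bool list_del_entry_valid(struct list_head *entry)
{
    struct list_head *prev = entry->prev, *next = entry->next;
    if (prev == NULL || next == NULL) return false; /* already deleted (poisoned) */
    if (prev->next != entry) return false;          /* "prev->next should be entry" */
    if (next->prev != entry) return false;          /* "next->prev should be entry" */
    return true;
}

/* list_add() at the head, refusing to touch a list that is already broken. */
bool list_add_checked(struct list_head *node, struct list_head *head)
{
    if (!list_add_valid(node, head, head->next)) return false;
    node->next = head->next;
    node->prev = head;
    head->next->prev = node;
    head->next = node;
    return true;
}

/* list_del() with the same check; poisons the node like the kernel does. */
bool list_del_checked(struct list_head *entry)
{
    if (!list_del_entry_valid(entry)) return false;
    entry->prev->next = entry->next;
    entry->next->prev = entry->prev;
    entry->next = entry->prev = NULL;
    return true;
}

/* What __fuse_write_file_get() does before fuse_file_get(): take the first
 * entry of fi->write_files and derive the fuse_file from the list node.
 * Nothing here validates the pointer, so a corrupted head yields an
 * arbitrary address for ff->count, and refcount_inc() then writes there. */
uintptr_t write_file_refcount_addr(struct fuse_inode *fi)
{
    if (list_empty(&fi->write_files)) return 0;
    struct fuse_file *ff = list_first_entry(&fi->write_files, struct fuse_file, write_entry);
    return (uintptr_t)&ff->count;
}

int main(void)
{
    struct fuse_inode fi;
    struct fuse_file ff = { .fh = 42, .count = 1 };
    INIT_LIST_HEAD(&fi.write_files);

    printf("add: %s\n", list_add_checked(&ff.write_entry, &fi.write_files) ? "ok" : "rejected");
    printf("refcount addr %p (expected %p)\n",
           (void *)write_file_refcount_addr(&fi), (void *)&ff.count);
    printf("double add: %s\n", list_add_checked(&ff.write_entry, &fi.write_files) ? "ok" : "rejected");

    /* Corrupt the head the way the oops shows it: RBX held a pointer into
     * kernel global data. The derived refcount address is RBX - 8 == CR2. */
    fi.write_files.next = (struct list_head *)0xffffffffaab23400ULL;
    printf("corrupted: refcount addr %#llx\n", (unsigned long long)write_file_refcount_addr(&fi));
    printf("del valid after corruption: %s\n", list_del_entry_valid(&ff.write_entry) ? "yes" : "no");
    return 0;
}
```

On the real system the equivalent question is whether CONFIG_DEBUG_LIST=y in the kernel config: with it, the corrupting list_add()/list_del() call site is the one that reports, which is far more useful than the writeback worker that merely trips over the damage later. Note that the model's list_add_valid() dereferences next->prev just as the kernel's does, so it must not be called once the head already holds a wild pointer; the del-side check in main() is safe because the node's own neighbours are still valid memory.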
* Re: [BUG] KASAN: global-out-of-bounds in __fuse_write_file_get.isra.0+0x81/0xe0
From: Marios Makassikis @ 2021-02-26 11:14 UTC (permalink / raw)
To: Miklos Szeredi; +Cc: linux-fsdevel
On Mon, 2021-02-22 at 11:43 +0100, Miklos Szeredi wrote:
> On Sun, Feb 21, 2021 at 2:30 AM Marios Makassikis
> <mmakassikis@freebox.fr> wrote:
> > Hello,
> >
> > I hope this is the correct list to report this bug I've been
> > seeing.
> >
> > Background: I am testing a kernel SMB server implementation
> > ("ksmbd": https://github.com/cifsd-team/cifsd).
> >
> > As part of my tests, I tried having a Windows client store a backup
> > on a SMB
> > share that is backed by an NTFS formatted disk. In doing so, the
> > kernel
> > reports a BUG and locks up (either immediately, or after a few
> > minutes).
>
> Seems like fi->write_files list gets corrupted.
>
> Is list debugging turned on?
>
> Can you get a crashdump, and see if the rest of the fi structure is
> okay?
>
> Thanks,
> Miklos
Hello Miklos,
I managed to get a crashdump, but couldn't get the crash utility to
work (I fed it the kernel and the crashdump but it exited without any
error message and I didn't get a chance to figure out what was wrong).
Meanwhile, a fix was committed on ksmbd with which I cannot reproduce
the issue [1]. Previously, the i_mutex lock was not held in
set_file_basic_info(): I'm guessing this is what caused the list
corruption.
Marios
[1]
https://github.com/cifsd-team/cifsd/commit/5e929125e519acaf48abc4c42f8389caa26c4d5a