linux-xfs.vger.kernel.org archive mirror
* [Bug 206399] New: [xfstests xfs/433] BUG: KASAN: use-after-free in xfs_attr3_node_inactive+0x6c8/0x7b0 [xfs]
@ 2020-02-04  6:13 bugzilla-daemon
From: bugzilla-daemon @ 2020-02-04  6:13 UTC
  To: linux-xfs

https://bugzilla.kernel.org/show_bug.cgi?id=206399

            Bug ID: 206399
           Summary: [xfstests xfs/433] BUG: KASAN: use-after-free in
                    xfs_attr3_node_inactive+0x6c8/0x7b0 [xfs]
           Product: File System
           Version: 2.5
    Kernel Version: linux 5.5+ with xfs-linux xfs-5.6-merge-7
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: XFS
          Assignee: filesystem_xfs@kernel-bugs.kernel.org
          Reporter: zlang@redhat.com
        Regression: No

xfs/433 always hits the KASAN BUG below:
FSTYP         -- xfs (debug)
PLATFORM      -- Linux/x86_64 hpe-tm200-01 5.5.0+ #1 SMP Wed Jan 29 06:10:18 EST 2020
MKFS_OPTIONS  -- -f -m crc=1,finobt=1,rmapbt=1,reflink=1 -i sparse=1 /dev/sda4
MOUNT_OPTIONS -- -o context=system_u:object_r:nfs_t:s0 /dev/sda4 /mnt/xfstests/mnt2

xfs/433 _check_dmesg: something found in dmesg (see /var/lib/xfstests/results//xfs/433.dmesg)

Ran: xfs/433
Failures: xfs/433
Failed 1 of 1 tests



[75618.288080] run fstests xfs/433 at 2020-01-30 04:00:53
[75620.394755] XFS (sda5): Mounting V5 Filesystem
[75620.488847] XFS (sda5): Ending clean mount
[75620.522825] xfs filesystem being mounted at /mnt/xfstests/mnt2 supports timestamps until 2038 (0x7fffffff)
[75625.506275] XFS (sda5): Unmounting Filesystem
[75625.680838] XFS (sda5): Mounting V5 Filesystem
[75625.834275] XFS (sda5): Ending clean mount
[75625.885694] xfs filesystem being mounted at /mnt/xfstests/mnt2 supports timestamps until 2038 (0x7fffffff)
[75625.985258] XFS (sda5): Injecting error (false) at file fs/xfs/xfs_buf.c, line 2119, on filesystem "sda5"
[75626.029242] XFS (sda5): Injecting error (false) at file fs/xfs/xfs_buf.c, line 2119, on filesystem "sda5"
[75626.078339] XFS (sda5): Injecting error (false) at file fs/xfs/xfs_buf.c, line 2119, on filesystem "sda5"
[75626.124795] XFS (sda5): Injecting error (false) at file fs/xfs/xfs_buf.c, line 2119, on filesystem "sda5"
[75626.169098] XFS (sda5): Injecting error (false) at file fs/xfs/xfs_buf.c, line 2119, on filesystem "sda5"
[75626.212549]
==================================================================
[75626.245606] BUG: KASAN: use-after-free in xfs_attr3_node_inactive+0x61e/0x8a0 [xfs]
[75626.280164] Read of size 4 at addr ffff88881ffab004 by task rm/30390

[75626.315595] CPU: 13 PID: 30390 Comm: rm Tainted: G        W         5.5.0+ #1
[75626.347856] Hardware name: HP ProLiant DL380p Gen8, BIOS P70 08/02/2014
[75626.377864] Call Trace:
[75626.388868]  dump_stack+0x96/0xe0
[75626.403778]  print_address_description.constprop.4+0x1f/0x300
[75626.429656]  __kasan_report.cold.8+0x76/0xb0
[75626.448950]  ? xfs_trans_ordered_buf+0x410/0x440 [xfs]
[75626.472393]  ? xfs_attr3_node_inactive+0x61e/0x8a0 [xfs]
[75626.496705]  kasan_report+0xe/0x20
[75626.512134]  xfs_attr3_node_inactive+0x61e/0x8a0 [xfs]
[75626.535328]  ? xfs_da_read_buf+0x235/0x2c0 [xfs]
[75626.557270]  ? xfs_attr3_leaf_inactive+0x470/0x470 [xfs]
[75626.583199]  ? xfs_da3_root_split+0x1050/0x1050 [xfs]
[75626.607952]  ? lock_contended+0xd20/0xd20
[75626.626615]  ? xfs_ilock+0x149/0x4c0 [xfs]
[75626.644661]  ? down_write_nested+0x187/0x3c0
[75626.663892]  ? down_write_trylock+0x2f0/0x2f0
[75626.683496]  ? __sb_start_write+0x1c4/0x310
[75626.702389]  ? down_read_trylock+0x360/0x360
[75626.721669]  ? xfs_trans_buf_set_type+0x90/0x1e0 [xfs]
[75626.745171]  xfs_attr_inactive+0x3e5/0x7b0 [xfs]
[75626.766097]  ? xfs_attr3_node_inactive+0x8a0/0x8a0 [xfs]
[75626.790101]  ? lock_downgrade+0x6d0/0x6d0
[75626.808122]  ? do_raw_spin_trylock+0xb2/0x180
[75626.827859]  ? lock_contended+0xd20/0xd20
[75626.846154]  xfs_inactive+0x4b8/0x5b0 [xfs]
[75626.865504]  xfs_fs_destroy_inode+0x3dc/0xb80 [xfs]
[75626.887615]  destroy_inode+0xbc/0x1a0
[75626.904172]  do_unlinkat+0x451/0x5d0
[75626.920325]  ? __ia32_sys_rmdir+0x40/0x40
[75626.938485]  ? __check_object_size+0x275/0x324
[75626.958819]  ? strncpy_from_user+0x7d/0x350
[75626.977848]  do_syscall_64+0x9f/0x4f0
[75626.994333]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[75627.017173] RIP: 0033:0x7f968239567b
[75627.033260] Code: 73 01 c3 48 8b 0d 0d d8 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 07 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d dd d7 2c 00 f7 d8 64 89 01 48
[75627.123796] RSP: 002b:00007ffcdf66ad38 EFLAGS: 00000246 ORIG_RAX: 0000000000000107
[75627.158521] RAX: ffffffffffffffda RBX: 0000562cd8b5d5b0 RCX: 00007f968239567b
[75627.190764] RDX: 0000000000000000 RSI: 0000562cd8b5c380 RDI: 00000000ffffff9c
[75627.222921] RBP: 0000562cd8b5c2f0 R08: 0000000000000003 R09: 0000000000000000
[75627.255236] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffcdf66af20
[75627.287435] R13: 0000000000000000 R14: 0000562cd8b5d5b0 R15: 0000000000000000

[75627.326616] Allocated by task 30390:
[75627.342780]  save_stack+0x19/0x80
[75627.357980]  __kasan_kmalloc.constprop.7+0xc1/0xd0
[75627.379553]  kmem_cache_alloc+0xc8/0x300
[75627.397288]  kmem_zone_alloc+0x10a/0x3f0 [xfs]
[75627.417376]  _xfs_buf_alloc+0x56/0x1140 [xfs]
[75627.437051]  xfs_buf_get_map+0x126/0x7c0 [xfs]
[75627.457103]  xfs_buf_read_map+0xb2/0xaa0 [xfs]
[75627.477180]  xfs_trans_read_buf_map+0x6c8/0x12d0 [xfs]
[75627.500420]  xfs_da_read_buf+0x1d9/0x2c0 [xfs]
[75627.520579]  xfs_da3_node_read+0x23/0x80 [xfs]
[75627.540620]  xfs_attr_inactive+0x5c5/0x7b0 [xfs]
[75627.561609]  xfs_inactive+0x4b8/0x5b0 [xfs]
[75627.581541]  xfs_fs_destroy_inode+0x3dc/0xb80 [xfs]
[75627.605628]  destroy_inode+0xbc/0x1a0
[75627.624025]  do_unlinkat+0x451/0x5d0
[75627.641629]  do_syscall_64+0x9f/0x4f0
[75627.658156]  entry_SYSCALL_64_after_hwframe+0x49/0xbe

[75627.687232] Freed by task 30390:
[75627.701882]  save_stack+0x19/0x80
[75627.716821]  __kasan_slab_free+0x125/0x170
[75627.735329]  kmem_cache_free+0xcd/0x400
[75627.752745]  xfs_buf_rele+0x30a/0xcb0 [xfs]
[75627.772731]  xfs_attr3_node_inactive+0x1c7/0x8a0 [xfs]
[75627.797384]  xfs_attr_inactive+0x3e5/0x7b0 [xfs]
[75627.818450]  xfs_inactive+0x4b8/0x5b0 [xfs]
[75627.837455]  xfs_fs_destroy_inode+0x3dc/0xb80 [xfs]
[75627.859765]  destroy_inode+0xbc/0x1a0
[75627.876296]  do_unlinkat+0x451/0x5d0
[75627.892466]  do_syscall_64+0x9f/0x4f0
[75627.909015]  entry_SYSCALL_64_after_hwframe+0x49/0xbe

[75627.938572] The buggy address belongs to the object at ffff88881ffaad80
                which belongs to the cache xfs_buf of size 680
[75627.994075] The buggy address is located 644 bytes inside of
                680-byte region [ffff88881ffaad80, ffff88881ffab028)
[75628.047015] The buggy address belongs to the page:
[75628.069056] page:ffffea00207fea00 refcount:1 mapcount:0 mapping:ffff888098515400 index:0xffff88881ffa9d40 compound_mapcount: 0
[75628.124539] raw: 0057ffffc0010200 dead000000000100 dead000000000122 ffff888098515400
[75628.162598] raw: ffff88881ffa9d40 0000000080270025 00000001ffffffff 0000000000000000
[75628.197491] page dumped because: kasan: bad access detected

[75628.230389] Memory state around the buggy address:
[75628.252072]  ffff88881ffaaf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[75628.284801]  ffff88881ffaaf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[75628.317587] >ffff88881ffab000: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[75628.350592]                    ^
[75628.364746]  ffff88881ffab080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[75628.397289]  ffff88881ffab100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[75628.429955]
==================================================================
[75628.463111] XFS (sda5): Injecting error (false) at file fs/xfs/xfs_buf.c, line 2119, on filesystem "sda5"
[75628.507525] XFS (sda5): Injecting error (false) at file fs/xfs/xfs_buf.c, line 2119, on filesystem "sda5"
[75628.551292] XFS (sda5): Injecting error (false) at file fs/xfs/xfs_buf.c, line 2119, on filesystem "sda5"
[75628.595229] XFS (sda5): Injecting error (false) at file fs/xfs/xfs_buf.c, line 2119, on filesystem "sda5"
[75628.642924] XFS (sda5): Injecting error (false) at file fs/xfs/xfs_buf.c, line 2119, on filesystem "sda5"
[75628.814284] XFS (sda3): Unmounting Filesystem
[75629.252213] XFS (sda5): Unmounting Filesystem
[75630.354563] XFS (sda5): Mounting V5 Filesystem
[75630.502015] XFS (sda5): Ending clean mount
[75630.551753] xfs filesystem being mounted at /mnt/xfstests/mnt2 supports timestamps until 2038 (0x7fffffff)
[75630.629204] XFS (sda5): Unmounting Filesystem

-- 
You are receiving this mail because:
You are watching the assignee of the bug.


* [Bug 206399] [xfstests xfs/433] BUG: KASAN: use-after-free in xfs_attr3_node_inactive+0x6c8/0x7b0 [xfs]
From: bugzilla-daemon @ 2020-02-04  6:15 UTC
  To: linux-xfs

https://bugzilla.kernel.org/show_bug.cgi?id=206399

--- Comment #1 from Zorro Lang (zlang@redhat.com) ---
# ./scripts/faddr2line fs/xfs/xfs.ko xfs_attr3_node_inactive+0x61e
xfs_attr3_node_inactive+0x61e/0x8a0:
xfs_attr3_node_inactive at /mnt/tests/kernel/distribution/upstream-kernel/install/kernel/fs/xfs/xfs_attr_inactive.c:214

# cat fs/xfs/xfs_attr_inactive.c
...
    129 STATIC int
    130 xfs_attr3_node_inactive(
    131         struct xfs_trans        **trans,
    132         struct xfs_inode        *dp,
    133         struct xfs_buf          *bp,
    134         int                     level)
    135 {
    136         struct xfs_mount        *mp = dp->i_mount;
    137         struct xfs_da_blkinfo   *info;
    138         xfs_dablk_t             child_fsb;
    139         xfs_daddr_t             parent_blkno, child_blkno;
    140         struct xfs_buf          *child_bp;
    141         struct xfs_da3_icnode_hdr ichdr;
    142         int                     error, i;
    143 
    144         /*
    145          * Since this code is recursive (gasp!) we must protect ourselves.
    146          */
    147         if (level > XFS_DA_NODE_MAXDEPTH) {
    148                 xfs_trans_brelse(*trans, bp);   /* no locks for later trans */
    149                 xfs_buf_corruption_error(bp);
    150                 return -EFSCORRUPTED;
    151         }
    152 
    153         xfs_da3_node_hdr_from_disk(dp->i_mount, &ichdr, bp->b_addr);
    154         parent_blkno = bp->b_bn;
    155         if (!ichdr.count) {
    156                 xfs_trans_brelse(*trans, bp);
    157                 return 0;
    158         }
    159         child_fsb = be32_to_cpu(ichdr.btree[0].before);
    160         xfs_trans_brelse(*trans, bp);   /* no locks for later trans */
    161 
    162         /*
    163          * If this is the node level just above the leaves, simply loop
    164          * over the leaves removing all of them.  If this is higher up
    165          * in the tree, recurse downward.
    166          */
    167         for (i = 0; i < ichdr.count; i++) {
    168                 /*
    169                  * Read the subsidiary block to see what we have to work with.
    170                  * Don't do this in a transaction.  This is a depth-first
    171                  * traversal of the tree so we may deal with many blocks
    172                  * before we come back to this one.
    173                  */
    174                 error = xfs_da3_node_read(*trans, dp, child_fsb, &child_bp,
    175                                           XFS_ATTR_FORK);
    176                 if (error)
    177                         return error;
    178 
    179                 /* save for re-read later */
    180                 child_blkno = XFS_BUF_ADDR(child_bp);
    181 
    182                 /*
    183                  * Invalidate the subtree, however we have to.
    184                  */
    185                 info = child_bp->b_addr;
    186                 switch (info->magic) {
    187                 case cpu_to_be16(XFS_DA_NODE_MAGIC):
    188                 case cpu_to_be16(XFS_DA3_NODE_MAGIC):
    189                         error = xfs_attr3_node_inactive(trans, dp, child_bp,
    190                                                         level + 1);
    191                         break;
    192                 case cpu_to_be16(XFS_ATTR_LEAF_MAGIC):
    193                 case cpu_to_be16(XFS_ATTR3_LEAF_MAGIC):
    194                         error = xfs_attr3_leaf_inactive(trans, dp, child_bp);
    195                         break;
    196                 default:
    197                         xfs_buf_corruption_error(child_bp);
    198                         xfs_trans_brelse(*trans, child_bp);
    199                         error = -EFSCORRUPTED;
    200                         break;
    201                 }
    202                 if (error)
    203                         return error;
    204 
    205                 /*
    206                  * Remove the subsidiary block from the cache and from the log.
    207                  */
    208                 error = xfs_trans_get_buf(*trans, mp->m_ddev_targp,
    209                                 child_blkno,
    210                                 XFS_FSB_TO_BB(mp, mp->m_attr_geo->fsbcount), 0,
    211                                 &child_bp);
    212                 if (error)
    213                         return error;
--> 214                 error = bp->b_error;
    215                 if (error) {
    216                         xfs_trans_brelse(*trans, child_bp);
    217                         return error;
    218                 }
    219                 xfs_trans_binval(*trans, child_bp);
    220 
    221                 /*
    222                  * If we're not done, re-read the parent to get the next
    223                  * child block number.
    224                  */
    225                 if (i + 1 < ichdr.count) {
    226                         struct xfs_da3_icnode_hdr phdr;
    227 
    228                         error = xfs_da3_node_read_mapped(*trans, dp,
    229                                         parent_blkno, &bp, XFS_ATTR_FORK);
    230                         if (error)
    231                                 return error;
    232                         xfs_da3_node_hdr_from_disk(dp->i_mount, &phdr,
    233                                                   bp->b_addr);
    234                         child_fsb = be32_to_cpu(phdr.btree[i + 1].before);
    235                         xfs_trans_brelse(*trans, bp);
    236                 }
    237                 /*
    238                  * Atomically commit the whole invalidate stuff.
    239                  */
    240                 error = xfs_trans_roll_inode(trans, dp);
    241                 if (error)
    242                         return  error;
    243         }
    244 
    245         return 0;
    246 }


* [Bug 206399] [xfstests xfs/433] BUG: KASAN: use-after-free in xfs_attr3_node_inactive+0x6c8/0x7b0 [xfs]
From: bugzilla-daemon @ 2020-02-04  6:38 UTC
  To: linux-xfs

https://bugzilla.kernel.org/show_bug.cgi?id=206399

--- Comment #2 from Zorro Lang (zlang@redhat.com) ---
    208                 error = xfs_trans_get_buf(*trans, mp->m_ddev_targp,
    209                                 child_blkno,
    210                                 XFS_FSB_TO_BB(mp, mp->m_attr_geo->fsbcount), 0,
    211                                 &child_bp);
    212                 if (error)
    213                         return error;
--> 214                 error = bp->b_error;

I think this place is wrong; why not use child_bp->b_error? The 'bp' has been
freed by:

    160         xfs_trans_brelse(*trans, bp);   /* no locks for later trans */

right?

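The pattern the thread is pointing at, reduced to a userspace model (an added illustration, not code from the bug report, from XFS or from the kernel): a buffer is released back to its cache at line 160, and the parent pointer is then dereferenced at line 214 to read b_error, after the slab object it points to has been freed and poisoned. In the model, a fixed pool stands in for the xfs_buf slab cache, a live[] array for the shadow memory KASAN consults, and a round-robin allocation cursor for the quarantine that delays reuse of freed slots. buf_get(), buf_rele(), checked_error(), node_inactive(), the pool size and the poison byte are all assumptions of the model, not XFS's API. The walk is run once reading the released parent's field, as the reported code does, and once reading the freshly acquired child's field, as Comment #2 proposes.

```c
/*
 * Model of the stale-pointer read in bug 206399 (an added illustration, not
 * XFS code).  pool[] stands in for the xfs_buf slab cache, live[] for KASAN's
 * shadow memory and next_slot for the quarantine that delays reuse of a freed
 * slot.  Names, pool size and poison byte are assumptions of the model.
 */
#include <errno.h>
#include <stdbool.h>
#include <string.h>

#define NBUFS  8
#define POISON 0x6b             /* byte SLUB writes over freed objects */

/* Stand-in for struct xfs_buf, reduced to the fields the walk touches. */
struct buf {
	long blkno;
	int  error;             /* b_error */
	int  refcnt;            /* b_hold */
};

static struct buf pool[NBUFS];
static bool live[NBUFS];        /* shadow: slot currently holds an object */
static int  next_slot;          /* allocation cursor (quarantine stand-in) */
static int  uaf_reports;        /* reads through a dead slot, KASAN-style */

static void model_reset(void)
{
	memset(pool, 0, sizeof(pool));
	memset(live, 0, sizeof(live));
	next_slot = uaf_reports = 0;
}

/* Cached lookup with a reference taken, else a fresh slot (xfs_buf_get_map). */
static struct buf *buf_get(long blkno)
{
	for (int i = 0; i < NBUFS; i++)
		if (live[i] && pool[i].blkno == blkno) {
			pool[i].refcnt++;
			return &pool[i];
		}
	for (int n = 0; n < NBUFS; n++) {
		int i = (next_slot + n) % NBUFS;
		if (!live[i]) {
			live[i] = true;
			pool[i] = (struct buf){ .blkno = blkno, .refcnt = 1 };
			next_slot = (i + 1) % NBUFS;
			return &pool[i];
		}
	}
	return NULL;
}

/* Drop a reference; the last one poisons the object and kills its slot. */
static void buf_rele(struct buf *bp)
{
	int i = (int)(bp - pool);

	if (--bp->refcnt == 0) {
		memset(bp, POISON, sizeof(*bp));
		live[i] = false;
	}
}

/* Only reader of b_error; a read through a dead slot is what KASAN flagged. */
static int checked_error(const struct buf *bp)
{
	if (!live[bp - pool])
		uaf_reports++;
	return bp->error;       /* poison, not a clean 0, once the slot is dead */
}

/*
 * One level of the xfs_attr3_node_inactive() walk: release the parent, then
 * re-acquire each child for invalidation and check an error field.
 * use_parent=true reproduces the stale bp->b_error read at line 214;
 * false checks the freshly acquired child_bp instead.
 */
static int node_inactive(long parent_blkno, const long *child_blknos,
			 int nchild, bool use_parent)
{
	struct buf *bp = buf_get(parent_blkno);
	if (!bp)
		return -ENOMEM;
	buf_rele(bp);                 /* parent released, as at line 160 */

	for (int i = 0; i < nchild; i++) {
		struct buf *child_bp = buf_get(child_blknos[i]);
		int error;
		if (!child_bp)
			return -ENOMEM;
		error = use_parent ? checked_error(bp) : checked_error(child_bp);
		buf_rele(child_bp);
		if (error)
			return error;
	}
	return 0;
}
```

Calling node_inactive(5, children, 3, true) returns the poison value 0x6b6b6b6b and leaves uaf_reports at 1, while node_inactive(5, children, 3, false) returns 0 with no report. The quarantine-style cursor matters: if the allocator handed the parent's slot straight back to the first child, the stale read would quietly return the child's field and nothing would flag it, which is why KASAN delays slab reuse and why the real report names the parent node buffer in its "Freed by" stack.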
