From: "Eric Van Hensbergen" <eric.vanhensbergen@linux.dev>
To: "Kent Overstreet" <kent.overstreet@linux.dev>, v9fs@lists.linux.dev
Subject: Re: new 9p kasan splat in 6.9
Date: Tue, 02 Apr 2024 00:02:43 +0000
Message-ID: <0ac82d20c88c8d227064737fdc62b3195548c5ea@linux.dev>
In-Reply-To: <f6upxoxa6d2c6cbh4ka775msggvuduigiu7xgvfx7qsufg2lo6@2ellaad6b2on>

This should be fixed in -rc2.

March 31, 2024 at 12:33 AM, "Kent Overstreet" <kent.overstreet@linux.dev> wrote:
> 00000 Running test kasan-ec.ktest on farm2 at /home/testdashboard/linux-5
> 00164 building kernel... done
> 00169 systemd[1]: Failed to find module 'autofs4'
> 00170 ==================================================================
> 00170 BUG: KASAN: slab-use-after-free in v9fs_stat2inode_dotl+0x7f8/0x988
> 00170 Read of size 8 at addr ffff0000c12f9000 by task mount/217
> 00170 
> 00170 CPU: 3 PID: 217 Comm: mount Not tainted 6.9.0-rc1-ktest-ga097468ffe82 #10998
> 00170 Hardware name: linux,dummy-virt (DT)
> 00170 Call trace:
> 00170 dump_backtrace+0xa4/0xe0
> 00170 show_stack+0x1c/0x30
> 00170 dump_stack_lvl+0x70/0x88
> 00170 print_report+0x110/0x5b8
> 00170 kasan_report+0x80/0xc0
> 00170 __asan_report_load8_noabort+0x1c/0x28
> 00170 v9fs_stat2inode_dotl+0x7f8/0x988
> 00170 v9fs_fid_iget_dotl+0x164/0x1f0
> 00170 v9fs_mount+0x380/0x718
> 00170 legacy_get_tree+0xd4/0x198
> 00170 vfs_get_tree+0x78/0x240
> 00170 path_mount+0xc6c/0x15f0
> 00170 do_mount+0xc4/0x100
> 00170 __arm64_sys_mount+0x228/0x330
> 00170 invoke_syscall.constprop.0+0x74/0x1e8
> 00170 do_el0_svc+0xc8/0x200
> 00170 el0_svc+0x20/0x60
> 00170 el0t_64_sync_handler+0xb8/0xc0
> 00170 el0t_64_sync+0x14c/0x150
> 00170 
> 00170 Allocated by task 217:
> 00170 
> 00170 Freed by task 217:
> 00170 
> 00170 The buggy address belongs to the object at ffff0000c12f9000
> 00170 which belongs to the cache kmalloc-192 of size 192
> 00170 The buggy address is located 0 bytes inside of
> 00170 freed 192-byte region [ffff0000c12f9000, ffff0000c12f90c0)
> 00170 
> 00170 The buggy address belongs to the physical page:
> 00170 
> 00170 Memory state around the buggy address:
> 00170 ffff0000c12f8f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00170 ffff0000c12f8f80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
> 00170 >ffff0000c12f9000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> 00170 ^
> 00170 ffff0000c12f9080: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
> 00170 ffff0000c12f9100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> 00170 ==================================================================
> 00170 Kernel panic - not syncing: kasan.fault=panic set ...
> 00170 CPU: 3 PID: 217 Comm: mount Not tainted 6.9.0-rc1-ktest-ga097468ffe82 #10998
> 00170 Hardware name: linux,dummy-virt (DT)
> 00170 Call trace:
> 00170 dump_backtrace+0xa4/0xe0
> 00170 show_stack+0x1c/0x30
> 00170 dump_stack_lvl+0x34/0x88
> 00170 dump_stack+0x18/0x20
> 00170 panic+0x4dc/0x520
> 00170 end_report+0xec/0xf0
> 00170 kasan_report+0x90/0xc0
> 00170 __asan_report_load8_noabort+0x1c/0x28
> 00170 v9fs_stat2inode_dotl+0x7f8/0x988
> 00170 v9fs_fid_iget_dotl+0x164/0x1f0
> 00170 v9fs_mount+0x380/0x718
> 00170 legacy_get_tree+0xd4/0x198
> 00170 vfs_get_tree+0x78/0x240
> 00170 path_mount+0xc6c/0x15f0
> 00170 do_mount+0xc4/0x100
> 00170 __arm64_sys_mount+0x228/0x330
> 00170 invoke_syscall.constprop.0+0x74/0x1e8
> 00170 do_el0_svc+0xc8/0x200
> 00170 el0_svc+0x20/0x60
> 00170 el0t_64_sync_handler+0xb8/0xc0
> 00170 el0t_64_sync+0x14c/0x150
> 00170 SMP: stopping secondary CPUs
> 00170 Kernel Offset: disabled
> 00170 CPU features: 0x0,00000003,80000008,4240500b
> 00170 Memory Limit: none
> 00170 ---[ end Kernel panic - not syncing: kasan.fault=panic set ... ]---
> 00175 ========= FAILED TIMEOUT (no test) in 1200s
