From: kernel test robot <oliver.sang@intel.com>
To: Christoph Hellwig <hch@lst.de>
Cc: <oe-lkp@lists.linux.dev>, <lkp@intel.com>,
	Linux Memory Management List <linux-mm@kvack.org>,
	Chandan Babu R <chandanbabu@kernel.org>,
	"Darrick J. Wong" <djwong@kernel.org>,
	<linux-xfs@vger.kernel.org>, <oliver.sang@intel.com>
Subject: [linux-next:master] [xfs]  7f2f7531e0: BUG:KASAN:slab-use-after-free_in_xfs_defer_finish_recovery
Date: Wed, 27 Dec 2023 15:08:57 +0800
Message-ID: <202312271458.851834a0-oliver.sang@intel.com>



Hello,

kernel test robot noticed "BUG:KASAN:slab-use-after-free_in_xfs_defer_finish_recovery" on:

commit: 7f2f7531e0d455f1abb9f48fbbe17c37e8742590 ("xfs: store an ops pointer in struct xfs_defer_pending")
https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master

[test failed on linux-next/master 39676dfe52331dba909c617f213fdb21015c8d10]

in testcase: xfstests
version: xfstests-x86_64-f814a0d8-1_20231225
with following parameters:

	disk: 4HDD
	fs: xfs
	test: xfs-rmapbt



compiler: gcc-12
test machine: 4 threads Intel(R) Xeon(R) CPU E3-1225 v5 @ 3.30GHz (Skylake) with 16G memory

(please refer to attached dmesg/kmsg for entire log/backtrace)



If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <oliver.sang@intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202312271458.851834a0-oliver.sang@intel.com



The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20231227/202312271458.851834a0-oliver.sang@intel.com


[  172.112523][ T4713] XFS (sda4): Corruption detected. Unmount and run xfs_repair
[  172.119897][ T4713] ==================================================================
[  172.127821][ T4713] BUG: KASAN: slab-use-after-free in xfs_defer_finish_recovery+0x19c/0x1d0 [xfs]
[  172.136916][ T4713] Read of size 8 at addr ffff8881257529f0 by task mount/4713
[  172.144139][ T4713] 
[  172.146328][ T4713] CPU: 1 PID: 4713 Comm: mount Not tainted 6.7.0-rc4-00053-g7f2f7531e0d4 #1
[  172.154856][ T4713] Hardware name: HP HP Z238 Microtower Workstation/8183, BIOS N51 Ver. 01.63 10/05/2017
[  172.164424][ T4713] Call Trace:
[  172.167570][ T4713]  <TASK>
[  172.170368][ T4713]  dump_stack_lvl+0x36/0x50
[  172.174730][ T4713]  print_address_description+0x2c/0x3a0
[  172.181173][ T4713]  ? xfs_defer_finish_recovery+0x19c/0x1d0 [xfs]
[  172.187555][ T4713]  print_report+0xba/0x2b0
[  172.191830][ T4713]  ? kasan_addr_to_slab+0xd/0x90
[  172.196623][ T4713]  ? xfs_defer_finish_recovery+0x19c/0x1d0 [xfs]
[  172.202954][ T4713]  kasan_report+0xc7/0x100
[  172.207228][ T4713]  ? xfs_defer_finish_recovery+0x19c/0x1d0 [xfs]
[  172.213601][ T4713]  xfs_defer_finish_recovery+0x19c/0x1d0 [xfs]
[  172.219747][ T4713]  xlog_recover_process_intents+0x26d/0xb10 [xfs]
[  172.226169][ T4713]  ? _raw_read_unlock_irqrestore+0x50/0x50
[  172.231823][ T4713]  ? xlog_recover_free_trans+0x3d0/0x3d0 [xfs]
[  172.237987][ T4713]  ? xfs_buf_rele+0x31d/0x8f0 [xfs]
[  172.243185][ T4713]  ? __mod_timer+0x666/0xb30
[  172.247628][ T4713]  ? round_jiffies_up_relative+0x110/0x110
[  172.253283][ T4713]  xlog_recover_finish+0x72/0x430 [xfs]
[  172.258858][ T4713]  ? xfs_ag_resv_free+0x40/0x40 [xfs]
[  172.264221][ T4713]  ? xlog_recover+0x470/0x470 [xfs]
[  172.269476][ T4713]  ? xfs_check_summary_counts+0x23f/0x3c0 [xfs]
[  172.275720][ T4713]  xfs_log_mount_finish+0x2a6/0x590 [xfs]
[  172.281452][ T4713]  xfs_mountfs+0x117d/0x1c60 [xfs]
[  172.286569][ T4713]  ? xfs_mount_reset_sbqflags+0x100/0x100 [xfs]
[  172.292820][ T4713]  ? xfs_filestream_pick_ag+0x760/0x760 [xfs]
[  172.298890][ T4713]  ? xfs_mru_cache_create+0x38a/0x580 [xfs]
[  172.304789][ T4713]  xfs_fs_fill_super+0xf13/0x1740 [xfs]
[  172.310345][ T4713]  ? setup_bdev_super+0x2fe/0x640
[  172.315221][ T4713]  get_tree_bdev+0x32b/0x580
[  172.319666][ T4713]  ? xfs_finish_flags+0x290/0x290 [xfs]
[  172.325216][ T4713]  ? sget_dev+0xd0/0xd0
[  172.329227][ T4713]  ? vfs_parse_fs_string+0xd8/0x120
[  172.334284][ T4713]  vfs_get_tree+0x81/0x320
[  172.338574][ T4713]  do_new_mount+0x218/0x540
[  172.342934][ T4713]  ? do_add_mount+0x370/0x370
[  172.347466][ T4713]  ? security_capable+0x6e/0xa0
[  172.352171][ T4713]  path_mount+0x2af/0x1350
[  172.356440][ T4713]  ? kasan_save_free_info+0x2b/0x40
[  172.361496][ T4713]  ? finish_automount+0x6e0/0x6e0
[  172.366375][ T4713]  ? user_path_at_empty+0x44/0x50
[  172.371279][ T4713]  ? kmem_cache_free+0x18b/0x490
[  172.376078][ T4713]  ? getname_flags+0xb7/0x440
[  172.381224][ T4713]  __x64_sys_mount+0x210/0x280
[  172.385846][ T4713]  ? path_mount+0x1350/0x1350
[  172.390375][ T4713]  ? from_kgid+0xc0/0xc0
[  172.394480][ T4713]  ? getname_flags+0xb7/0x440
[  172.399622][ T4713]  do_syscall_64+0x3f/0xe0
[  172.403899][ T4713]  entry_SYSCALL_64_after_hwframe+0x63/0x6b
[  172.409649][ T4713] RIP: 0033:0x7f977d8cc62a
[  172.413922][ T4713] Code: 48 8b 0d 69 18 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 36 18 0d 00 f7 d8 64 89 01 48
[  172.433374][ T4713] RSP: 002b:00007fffc4e3ea38 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[  172.441637][ T4713] RAX: ffffffffffffffda RBX: 00007f977da00264 RCX: 00007f977d8cc62a
[  172.449466][ T4713] RDX: 000055a677172b90 RSI: 000055a677172bd0 RDI: 000055a677172bb0
[  172.457305][ T4713] RBP: 000055a677172960 R08: 0000000000000000 R09: 00007f977d99ebe0
[  172.465150][ T4713] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[  172.472981][ T4713] R13: 000055a677172bb0 R14: 000055a677172b90 R15: 000055a677172960
[  172.480810][ T4713]m_cache_alloc+0x158/0x340
[  172.508483][ T4713]  xfs_defer_start_recovery+0x2b/0x230 [xfs]
[  172.514503][ T4713]  xlog_recover_intent_item+0x7f/0x150 [xfs]
[  172.520494][ T4713]  xlog_recover_rui_commit_pass2+0x18e/0x240 [xfs]
[  172.527009][ T4713]  xlog_recover_items_pass2+0xe7/0x220 [xfs]
[  172.533000][ T4713]  xlog_recover_commit_trans+0x70f/0xa10 [xfs]
[  172.539160][ T4713]  xlog_recovery_process_trans+0x10f/0x140 [xfs]
[  172.545546][ T4713]  xlog_recover_process_data+0x11b/0x2a0 [xfs]
[  172.551710][ T4713]  xlog_do_recovery_pass+0x57f/0xc90 [xfs]
[  172.557531][ T4713]  xlog_do_log_recovery+0x62/0xb0 [xfs]
[  172.563088][ T4713]  xlog_do_recover+0x74/0x420 [xfs]
[  172.568307][ T4713]  xlog_recover+0x23f/0x470 [xfs]
[  172.573357][ T4713]  xfs_log_mount+0x1c1/0x490 [xfs]
[  172.578477][ T4713]  xfs_mountfs+0xf66/0x1c60 [xfs]
[  172.583503][ T4713]  xfs_fs_fill_super+0xf13/0x1740 [xfs]
[  172.589050][ T4713]  get_tree_bdev+0x32b/0x580
[  172.593493][ T4713]  vfs_get_tree+0x81/0x320
[  172.597766][ T4713]  do_new_mount+0x218/0x540
[  172.602127][ T4713]  path_mount+0x2af/0x1350
[  172.606400][ T4713]  __x64_sys_mount+0x210/0x280
[  172.611021][ T4713]  do_syscall_64+0x3f/0xe0
[  172.615298][ T4713]  entry_SYSCALL_64_after_hwframe+0x63/0x6b
[  172.621065][ T4713] 
[  172.623275][ T4713] Freed by task 4713:
[  172.627115][ T4713]  kasan_save_stack+0x33/0x50
[  172.631651][ T4713]  kasan_set_track+0x25/0x30
[  172.636099][ T4713]  kasan_save_free_info+0x2b/0x40
[  172.640977][ T4713]  __kasan_slab_free+0x10a/0x180
[  172.645769][ T4713]  kmem_cache_free+0x18b/0x490
[  172.650391][ T4713]  xfs_defer_cancel+0xb1/0x1d0 [xfs]
[  172.655683][ T4713]  xfs_trans_cancel+0x117/0x540 [xfs]
[  172.661064][ T4713]  xfs_rmap_recover_work+0x94c/0xd20 [xfs]
[  172.666883][ T4713]  xfs_defer_finish_recovery+0x64/0x1d0 [xfs]
[  172.672950][ T4713]  xlog_recover_process_intents+0x26d/0xb10 [xfs]
[  172.679374][ T4713]  xlog_recover_finish+0x72/0x430 [xfs]
[  172.684933][ T4713]  xfs_log_mount_finish+0x2a6/0x590 [xfs]
[  172.690665][ T4713]  xfs_mountfs+0x117d/0x1c60 [xfs]
[  172.695780][ T4713]  xfs_fs_fill_super+0xf13/0x1740 [xfs]
[  172.701329][ T4713]  get_tree_bdev+0x32b/0x580
[  172.705771][ T4713]  vfs_get_tree+0x81/0x320
[  172.710046][ T4713]  do_new_mount+0x218/0x540
[  172.714407][ T4713]  path_mount+0x2af/0x1350
[  172.718678][ T4713]  __x64_sys_mount+0x210/0x280
[  172.723308][ T4713]  do_syscall_64+0x3f/0xe0
[  172.727595][ T4713]  entry_SYSCALL_64_after_hwframe+0x63/0x6b
[  172.733347][ T4713] 
[  172.735541][ T4713] The buggy address belongs to the object at ffff8881257529c0
[  172.735541][ T4713]  which belongs to the cache xfs_defer_pending of size 64
[  172.749877][ T4713] The buggy address is located 48 bytes inside of
[  172.749877][ T4713]  freed 64-byte region [ffff8881257529c0, ffff888125752a00)
[  172.763358][ T4713] 
[  172.765549][ T4713] The buggy address belongs to the physical page:
[  172.771821][ T4713] page:00000000bdec89a5 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888125752b40 pfn:0x125752
[  172.783203][ T4713] anon flags: 0x17ffffc0000800(slab|node=0|zone=2|lastcpupid=0x1fffff)
[  172.791303][ T4713] page_type: 0xffffffff()
[  172.795508][ T4713] raw: 0017ffffc0000800 ffff88811417db80 0000000000000000 0000000000000001
[  172.803937][ T4713] raw: ffff888125752b40 00000000802a001c 00000001ffffffff 0000000000000000
[  172.812378][ T4713] page dumped because: kasan: bad access detected
[  172.818643][ T4713] 
[  172.820839][ T4713] Memory state around the buggy address:
[  172.826331][ T4713]  ffff888125752880: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
[  172.834241][ T4713]  ffff888125752900: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
[  172.842159][ T4713] >ffff888125752980: fb fb fb fb fc fc fc fc fa fb fb fb fb fb fb fb
[  172.850076][ T4713]                                                              ^
[  172.857645][ T4713]  ffff888125752a00: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
[  172.865564][ T4713]  ffff888125752a80: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
[  172.873482][ T4713] ==================================================================

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki


Thread overview: 2+ messages
2023-12-27  7:08 kernel test robot [this message]
2023-12-27  7:26 ` [linux-next:master] [xfs] 7f2f7531e0: BUG:KASAN:slab-use-after-free_in_xfs_defer_finish_recovery Christoph Hellwig
