From: bugzilla-daemon@kernel.org
To: linux-xfs@vger.kernel.org
Subject: [Bug 216151] kernel panic after BUG: KASAN: use-after-free in _copy_to_iter+0x830/0x1030
Date: Mon, 20 Jun 2022 06:10:40 +0000
Message-ID: <bug-216151-201763-MqAyMME6Zw@https.bugzilla.kernel.org/>
In-Reply-To: <bug-216151-201763@https.bugzilla.kernel.org/>
https://bugzilla.kernel.org/show_bug.cgi?id=216151
--- Comment #2 from Zorro Lang (zlang@redhat.com) ---
Same panic on another machine (s390x):
[10054.497558] run fstests generic/465 at 2022-06-19 16:09:21
[10055.731299] ==================================================================
[10055.731308] BUG: KASAN: use-after-free in _copy_to_iter+0x830/0x1030
[10055.731324] Write of size 16 at addr 0000000090ebd000 by task nfsd/45999
[10055.731328]
[10055.731331] CPU: 1 PID: 45999 Comm: nfsd Kdump: loaded Not tainted 5.19.0-rc2+ #1
[10055.731335] Hardware name: IBM 8561 LT1 400 (z/VM 7.2.0)
[10055.731338] Call Trace:
[10055.731339] [<000000007bc24fda>] dump_stack_lvl+0xfa/0x150
[10055.731345] [<000000007bc173bc>] print_address_description.constprop.0+0x64/0x3a8
[10055.731351] [<000000007a98757e>] print_report+0xbe/0x230
[10055.731356] [<000000007a987ba6>] kasan_report+0xa6/0x1e0
[10055.731359] [<000000007a988fa4>] kasan_check_range+0x174/0x1c0
[10055.731362] [<000000007a989a38>] memcpy+0x58/0x90
[10055.731365] [<000000007affd0c0>] _copy_to_iter+0x830/0x1030
[10055.731369] [<000000007affddd0>] copy_page_to_iter+0x510/0xcb0
[10055.731372] [<000000007a7e986c>] filemap_read+0x52c/0x950
[10055.731378] [<001bffff80599042>] xfs_file_buffered_read+0x1c2/0x410 [xfs]
[10055.731751] [<001bffff80599eba>] xfs_file_read_iter+0x28a/0x4c0 [xfs]
[10055.731975] [<000000007aa1084a>] do_iter_readv_writev+0x2ca/0x4c0
[10055.731981] [<000000007aa1102a>] do_iter_read+0x23a/0x3a0
[10055.731984] [<001bffff80f58d30>] nfsd_readv+0x1e0/0x710 [nfsd]
[10055.732070] [<001bffff80fa2f88>] nfsd4_encode_read_plus_data+0x3a8/0x770 [nfsd]
[10055.732129] [<001bffff80fa5010>] nfsd4_encode_read_plus+0x3e0/0xaa0 [nfsd]
[10055.732188] [<001bffff80fbc0ac>] nfsd4_encode_operation+0x21c/0xab0 [nfsd]
[10055.732249] [<001bffff80f9ca7e>] nfsd4_proc_compound+0x125e/0x21a0 [nfsd]
[10055.732307] [<001bffff80f441aa>] nfsd_dispatch+0x44a/0xc40 [nfsd]
[10055.732362] [<001bffff80b8d00c>] svc_process_common+0x92c/0x1cd0 [sunrpc]
[10055.732500] [<001bffff80b8e6ac>] svc_process+0x2fc/0x4c0 [sunrpc]
[10055.732579] [<001bffff80f42f4e>] nfsd+0x31e/0x600 [nfsd]
[10055.732634] [<000000007a2cc514>] kthread+0x2a4/0x360
[10055.732640] [<000000007a186a5a>] __ret_from_fork+0x8a/0xf0
[10055.732645] [<000000007bc5575a>] ret_from_fork+0xa/0x40
[10055.732650] 1 lock held by nfsd/45999:
[10055.732653] #0: 000000009cc7fb38 (&sb->s_type->i_mutex_key#13){++++}-{3:3}, at: xfs_ilock+0x2fa/0x4e0 [xfs]
[10055.732887]
[10055.732888] Allocated by task 601543:
[10055.732890] kasan_save_stack+0x34/0x60
[10055.732893] __kasan_slab_alloc+0x84/0xb0
[10055.732896] kmem_cache_alloc+0x1e2/0x3d0
[10055.732900] security_file_alloc+0x3a/0x150
[10055.732906] __alloc_file+0xc0/0x210
[10055.732908] alloc_empty_file+0x5c/0x140
[10055.732911] path_openat+0xf8/0x700
[10055.732914] do_filp_open+0x1b0/0x390
[10055.732917] do_sys_openat2+0x134/0x3c0
[10055.732920] do_sys_open+0xdc/0x120
[10055.732922] do_syscall+0x22c/0x330
[10055.732925] __do_syscall+0xce/0xf0
[10055.732928] system_call+0x82/0xb0
[10055.732931]
[10055.732932] Freed by task 601543:
[10055.732933] kasan_save_stack+0x34/0x60
[10055.732935] kasan_set_track+0x36/0x50
[10055.732937] kasan_set_free_info+0x34/0x60
[10055.732940] __kasan_slab_free+0x106/0x150
[10055.732942] slab_free_freelist_hook+0x148/0x230
[10055.732946] kmem_cache_free+0x132/0x370
[10055.732948] __fput+0x2b2/0x700
[10055.732950] task_work_run+0xf4/0x1b0
[10055.732952] exit_to_user_mode_prepare+0x286/0x290
[10055.732957] __do_syscall+0xce/0xf0
[10055.732959] system_call+0x82/0xb0
[10055.732962]
[10055.732962] The buggy address belongs to the object at 0000000090ebd000
[10055.732962] which belongs to the cache lsm_file_cache of size 16
[10055.732965] The buggy address is located 0 bytes inside of
[10055.732965] 16-byte region [0000000090ebd000, 0000000090ebd010)
[10055.732968]
[10055.732969] The buggy address belongs to the physical page:
[10055.732970] page:00000000b4bd66d5 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x90ebd
[10055.732975] flags: 0x2000000000000200(slab|node=0|zone=1)
[10055.732982] raw: 2000000000000200 0000000000000100 0000000000000122 000000008024a200
[10055.732985] raw: 0000000000000000 0080010000000000 ffffffff00000001 0000000000000000
[10055.732986] page dumped because: kasan: bad access detected
[10055.732988]
[10055.732989] Memory state around the buggy address:
[10055.732990] 0000000090ebcf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[10055.732992] 0000000090ebcf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
[10055.732994] >0000000090ebd000: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[10055.732995] ^
[10055.732997] 0000000090ebd080: fa fb fc fc 00 00 fc fc fa fb fc fc 00 00 fc fc
[10055.732999] 0000000090ebd100: 00 00 fc fc 00 00 fc fc fa fb fc fc fa fb fc fc
[10055.733001] ==================================================================
[10055.733031] Disabling lock debugging due to kernel taint
[10058.081326] systemd-udevd (601251) used greatest stack depth: 45056 bytes left
[10058.575324] Unable to handle kernel pointer dereference in virtual kernel address space
[10058.575333] Failing address: 0185c58585858000 TEID: 0185c58585858803
[10058.575337] Fault in home space mode while using kernel ASCE.
[10058.575342] AS:000000007d39400b R2:0000000000000028
[10058.575389] Oops: 0038 ilc:3 [#1] SMP
[10058.575423] Modules linked in: tls rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache netfs rpcrdma rdma_cm iw_cm ib_cm ib_core nfsd auth_rpcgss nfs_acl lockd grace loop lcs ctcm fsm zfcp scsi_transport_fc dasd_fba_mod rfkill vfio_ccw mdev vfio_iommu_type1 zcrypt_cex4 sunrpc vfio drm i2c_core fb fuse font drm_panel_orientation_quirks xfs libcrc32c ghash_s390 prng aes_s390 des_s390 sha3_512_s390 sha3_256_s390 qeth_l2 bridge stp llc dasd_eckd_mod dasd_mod qeth qdio ccwgroup dm_mirror dm_region_hash dm_log dm_mod pkey zcrypt
[10058.575531] CPU: 1 PID: 754 Comm: systemd-journal Kdump: loaded Tainted: G B 5.19.0-rc2+ #1
[10058.575540] Hardware name: IBM 8561 LT1 400 (z/VM 7.2.0)
[10058.575547] Krnl PSW : 0704e00180000000 000000007a989e3c (qlist_free_all+0x9c/0x130)
[10058.575572] R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3
[10058.575579] Krnl GPRS: 000000000098b130 0005002100000001 0185c58585858580 000000007c9111a8
[10058.575584] 0000000091a8b000 0005002100000000 0000000091a8b000 001bff80018df5e8
[10058.575588] 0000000000000000 0000000091a8b000 0000000080082e00 6161616161616161
[10058.575592] 000000007c3cd090 000000007ab19aa6 000000007a989e1e 001bff80018df4e0
[10058.575602] Krnl Code: 000000007a989e2a: c43800d22e97 lgrl %r3,000000007c3cfb58
[10058.575602] 000000007a989e30: ec2b06b93a59 risbgn %r2,%r11,6,185,58
[10058.575602] #000000007a989e36: e32030000008 ag %r2,0(%r3)
[10058.575602] >000000007a989e3c: e33020080004 lg %r3,8(%r2)
[10058.575602] 000000007a989e42: a7310001 tmll %r3,1
[10058.575602] 000000007a989e46: a774003a brc 7,000000007a989eba
[10058.575602] 000000007a989e4a: e33020000004 lg %r3,0(%r2)
[10058.575602] 000000007a989e50: a7310200 tmll %r3,512
[10058.575635] Call Trace:
[10058.575638] [<000000007a989e3c>] qlist_free_all+0x9c/0x130
[10058.575643] ([<000000007a989e1e>] qlist_free_all+0x7e/0x130)
[10058.575647] [<000000007a98a45a>] kasan_quarantine_reduce+0x16a/0x1c0
[10058.575652] [<000000007a98720e>] __kasan_slab_alloc+0x9e/0xb0
[10058.575657] [<000000007a9810a4>] __kmalloc+0x214/0x440
[10058.575663] [<000000007ab19aa6>] inotify_handle_inode_event+0x1b6/0x7d0
[10058.575669] [<000000007ab0ee74>] fsnotify_handle_inode_event.isra.0+0x1c4/0x2f0
[10058.575674] [<000000007ab0f490>] send_to_group+0x4f0/0x6c0
[10058.575678] [<000000007ab0fe14>] fsnotify+0x654/0xb30
[10058.575682] [<000000007ab10ca2>] __fsnotify_parent+0x372/0x780
[10058.575687] [<000000007aa7eb9e>] notify_change+0x96e/0xcf0
[10058.575693] [<000000007aa0a0c8>] do_truncate+0x108/0x190
[10058.575699] [<000000007aa0aafc>] do_sys_ftruncate+0x31c/0x600
[10058.575703] [<000000007a18da8c>] do_syscall+0x22c/0x330
[10058.575709] [<000000007bc2cb6e>] __do_syscall+0xce/0xf0
[10058.575716] [<000000007bc55722>] system_call+0x82/0xb0
[10058.575722] INFO: lockdep is turned off.
[10058.575725] Last Breaking-Event-Address:
[10058.575727] [<000000007a985860>] ___cache_free+0x150/0x2a0
[10058.575733] ---[ end trace 0000000000000000 ]---
[10058.590086] systemd[1]: systemd-journald.service: Scheduled restart job, restart counter is at 2.
[10058.590588] systemd[1]: Stopped Journal Service.
[10058.590758] systemd[1]: systemd-journald.service: Consumed 4.770s CPU time.
[10058.596950] systemd[1]: Starting Journal Service...
[10058.634628] systemd-journald[601774]: File /run/log/journal/23dc967c665d48678d6de8983973d399/system.journal corrupted or uncleanly shut down, renaming and replacing.
[-- MARK -- Sun Jun 19 20:10:00 2022]
[10148.825091] systemd[1]: systemd-journald.service: start operation timed out. Terminating.
[10180.285606] Unable to handle kernel pointer dereference in virtual kernel address space
[10180.285615] Failing address: 0185c58585858000 TEID: 0185c58585858803
[10180.285618] Fault in home space mode while using kernel ASCE.
[10180.285624] AS:000000007d39400b R2:0000000000000028
[10180.285671] Oops: 0038 ilc:3 [#2] SMP
[10180.285707] Modules linked in: tls rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache netfs rpcrdma rdma_cm iw_cm ib_cm ib_core nfsd auth_rpcgss nfs_acl lockd grace loop lcs ctcm fsm zfcp scsi_transport_fc dasd_fba_mod rfkill vfio_ccw mdev vfio_iommu_type1 zcrypt_cex4 sunrpc vfio drm i2c_core fb fuse font drm_panel_orientation_quirks xfs libcrc32c ghash_s390 prng aes_s390 des_s390 sha3_512_s390 sha3_256_s390 qeth_l2 bridge stp llc dasd_eckd_mod dasd_mod qeth qdio ccwgroup dm_mirror dm_region_hash dm_log dm_mod pkey zcrypt
[10180.285815] CPU: 1 PID: 908 Comm: gmain Kdump: loaded Tainted: G B D 5.19.0-rc2+ #1
[10180.285825] Hardware name: IBM 8561 LT1 400 (z/VM 7.2.0)
[10180.285833] Krnl PSW : 0704e00180000000 000000007a989e3c (qlist_free_all+0x9c/0x130)
[10180.285858] R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3
[10180.285864] Krnl GPRS: 0000000000000001 001c000000000000 0185c58585858580 000000007c9111a8
[10180.285869] 0000000000000000 000000007a3bf8a2 000000009315c000 001bff8001f0fab8
[10180.285873] 0000000000000000 000000009315c000 000000008026f200 6161616161616161
[10180.285877] 000000007c3cd090 000000007c2f9f98 000000007a989e1e 001bff8001f0f9b0
[10180.285888] Krnl Code: 000000007a989e2a: c43800d22e97 lgrl %r3,000000007c3cfb58
[10180.285888] 000000007a989e30: ec2b06b93a59 risbgn %r2,%r11,6,185,58
[10180.285888] #000000007a989e36: e32030000008 ag %r2,0(%r3)
[10180.285888] >000000007a989e3c: e33020080004 lg %r3,8(%r2)
[10180.285888] 000000007a989e42: a7310001 tmll %r3,1
[10180.285888] 000000007a989e46: a774003a brc 7,000000007a989eba
[10180.285888] 000000007a989e4a: e33020000004 lg %r3,0(%r2)
[10180.285888] 000000007a989e50: a7310200 tmll %r3,512
[10180.285921] Call Trace:
[10180.285924] [<000000007a989e3c>] qlist_free_all+0x9c/0x130
[10180.285929] ([<000000007a989e1e>] qlist_free_all+0x7e/0x130)
[10180.285933] [<000000007a98a45a>] kasan_quarantine_reduce+0x16a/0x1c0
[10180.285938] [<000000007a98720e>] __kasan_slab_alloc+0x9e/0xb0
[10180.285943] [<000000007a982102>] kmem_cache_alloc+0x1e2/0x3d0
[10180.285949] [<000000007aa4e9d6>] getname_flags.part.0+0x56/0x430
[10180.285955] [<000000007aa5073a>] user_path_at_empty+0x3a/0x80
[10180.285959] [<000000007ab1b59a>] inotify_find_inode+0x3a/0x150
[10180.285966] [<000000007ab1c9de>] __s390x_sys_inotify_add_watch+0x17e/0x2c0
[10180.285971] [<000000007a18da8c>] do_syscall+0x22c/0x330
[10180.285978] [<000000007bc2cb6e>] __do_syscall+0xce/0xf0
[10180.285984] [<000000007bc55722>] system_call+0x82/0xb0
[10180.285990] INFO: lockdep is turned off.
[10180.285993] Last Breaking-Event-Address:
[10180.285995] [<000000007a985860>] ___cache_free+0x150/0x2a0
[10180.286001] ---[ end trace 0000000000000000 ]---
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are watching the assignee of the bug.