Date: Sat, 16 Mar 2024 13:23:30 +0900
From: Itaru Kitayama
To: linux-arm-kernel@lists.infradead.org
Subject: v6.9-rc1 bug?

On FVP with the latest v6.9-rc1 kernel, when mounting a host directory via the
9p virtual filesystem it splats buggy addresses:

[ 101.148388] ==================================================================
[ 101.148706] BUG: KASAN: slab-use-after-free in v9fs_stat2inode_dotl+0x804/0x984
[ 101.149185] Read of size 8 at addr ffff000805f06788 by task mount/158
[ 101.149548]
[ 101.149742] CPU: 2 PID: 158 Comm: mount Not tainted 6.8.0-11409-gf6cef5f8c37f #85
[ 101.150163] Hardware name: FVP Base RevC (DT)
[ 101.150436] Call trace:
[ 101.150658] dump_backtrace+0x94/0xf0
[ 101.150999] show_stack+0x1c/0x2c
[ 101.151327] dump_stack_lvl+0xf0/0x178
[ 101.151740] print_report+0xdc/0x57c
[ 101.152117] kasan_report+0xb4/0x100
[ 101.152498] __asan_report_load8_noabort+0x24/0x34
[ 101.152931] v9fs_stat2inode_dotl+0x804/0x984
[ 101.153355] v9fs_fid_iget_dotl+0x174/0x208
[ 101.153767] v9fs_mount+0x37c/0x740
[ 101.154143] legacy_get_tree+0xd4/0x198
[ 101.154545] vfs_get_tree+0x78/0x284
[ 101.154890] path_mount+0x738/0x1500
[ 101.155226] __arm64_sys_mount+0x48c/0x5c4
[ 101.155579] invoke_syscall+0xd4/0x24c
[ 101.156002] el0_svc_common.constprop.0+0xb0/0x23c
[ 101.156458] do_el0_svc+0x44/0x60
[ 101.156869] el0_svc+0x3c/0x84
[ 101.157189] el0t_64_sync_handler+0x128/0x134
[ 101.157556] el0t_64_sync+0x1b0/0x1b4
[ 101.157897]
[ 101.158089] Allocated by task 158 on cpu 2 at 101.140412s:
[ 101.158429] kasan_save_stack+0x40/0x6c
[ 101.158797] kasan_save_track+0x24/0x44
[ 101.159167] kasan_save_alloc_info+0x44/0x5c
[ 101.159581] __kasan_kmalloc+0xe0/0xe4
[ 101.159946] kmalloc_trace+0x164/0x300
[ 101.160310] p9_client_getattr_dotl+0x50/0x19c
[ 101.160739] v9fs_fid_iget_dotl+0xb4/0x208
[ 101.161140] v9fs_mount+0x37c/0x740
[ 101.161508] legacy_get_tree+0xd4/0x198
[ 101.161902] vfs_get_tree+0x78/0x284
[ 101.162239] path_mount+0x738/0x1500
[ 101.162567] __arm64_sys_mount+0x48c/0x5c4
[ 101.162912] invoke_syscall+0xd4/0x24c
[ 101.163327] el0_svc_common.constprop.0+0xb0/0x23c
[ 101.163775] do_el0_svc+0x44/0x60
[ 101.164171] el0_svc+0x3c/0x84
[ 101.164490] el0t_64_sync_handler+0x128/0x134
[ 101.164848] el0t_64_sync+0x1b0/0x1b4
[ 101.165180]
[ 101.165372] Freed by task 158 on cpu 2 at 101.148373s:
[ 101.165705] kasan_save_stack+0x40/0x6c
[ 101.166074] kasan_save_track+0x24/0x44
[ 101.166443] kasan_save_free_info+0x50/0x7c
[ 101.166855] poison_slab_object+0x11c/0x170
[ 101.167235] __kasan_slab_free+0x40/0x7c
[ 101.167611] kfree+0xf0/0x298
[ 101.167945] v9fs_fid_iget_dotl+0x138/0x208
[ 101.168349] v9fs_mount+0x37c/0x740
[ 101.168717] legacy_get_tree+0xd4/0x198
[ 101.169111] vfs_get_tree+0x78/0x284
[ 101.169448] path_mount+0x738/0x1500
[ 101.169775] __arm64_sys_mount+0x48c/0x5c4
[ 101.170119] invoke_syscall+0xd4/0x24c
[ 101.170536] el0_svc_common.constprop.0+0xb0/0x23c
[ 101.170984] do_el0_svc+0x44/0x60
[ 101.171387] el0_svc+0x3c/0x84
[ 101.171699] el0t_64_sync_handler+0x128/0x134
[ 101.172058] el0t_64_sync+0x1b0/0x1b4
[ 101.172389]
[ 101.172581] The buggy address belongs to the object at ffff000805f06788
[ 101.172581] which belongs to the cache kmalloc-192 of size 192
[ 101.173042] The buggy address is located 0 bytes inside of
[ 101.173042] freed 192-byte region [ffff000805f06788, ffff000805f06848)
[ 101.173528]
[ 101.173714] The buggy address belongs to the physical page:
[ 101.174005] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff000805f068c8 pfn:0x885f06
[ 101.174426] head: order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 101.174770] flags: 0x5ffff0000000a40(workingset|slab|head|node=0|zone=2|lastcpupid=0x1ffff)
[ 101.175187] page_type: 0xffffffff()
[ 101.175519] raw: 05ffff0000000a40 ffff000800002c40 ffff000800000850 ffff000800000850
[ 101.175933] raw: ffff000805f068c8 0000000000190007 00000001ffffffff 0000000000000000
[ 101.176359] head: 05ffff0000000a40 ffff000800002c40 ffff000800000850 ffff000800000850
[ 101.176775] head: ffff000805f068c8 0000000000190007 00000001ffffffff 0000000000000000
[ 101.177199] head: 05ffff0000000001 fffffdffe017c181 dead000000000122 00000000ffffffff
[ 101.177611] head: 0000000200000000 0000000000000000 00000000ffffffff 0000000000000000
[ 101.177960] page dumped because: kasan: bad access detected
[ 101.178248]
[ 101.178440] Memory state around the buggy address:
[ 101.178731]  ffff000805f06680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc
[ 101.179100]  ffff000805f06700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 101.179469] >ffff000805f06780: fc fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 101.179806]                       ^
[ 101.180081]  ffff000805f06800: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 101.180450]  ffff000805f06880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 101.180787] ==================================================================
[ 101.181384] Disabling lock debugging due to kernel taint
[80713.750745] 9pnet_virtio: no channels available for device FM

After this I can see the directory contents but not execute shell scripts.

Thanks,
Itaru.
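
A triage aid for the report above, added here as an example (not part of the original message and not kernel tooling): it splits a KASAN report into its access, allocation and free stacks and finds the innermost function present on all three, with the offset recorded for it in each. The names split_stacks and shared_caller are assumptions of this example, and REPORT is an abridged copy of frames from the report above.

```python
import re

# Abridged from the KASAN report in the message above (frames trimmed).
REPORT = """\
[ 101.148706] BUG: KASAN: slab-use-after-free in v9fs_stat2inode_dotl+0x804/0x984
[ 101.150436] Call trace:
[ 101.152931] v9fs_stat2inode_dotl+0x804/0x984
[ 101.153355] v9fs_fid_iget_dotl+0x174/0x208
[ 101.153767] v9fs_mount+0x37c/0x740
[ 101.158089] Allocated by task 158 on cpu 2 at 101.140412s:
[ 101.160310] p9_client_getattr_dotl+0x50/0x19c
[ 101.160739] v9fs_fid_iget_dotl+0xb4/0x208
[ 101.161140] v9fs_mount+0x37c/0x740
[ 101.165372] Freed by task 158 on cpu 2 at 101.148373s:
[ 101.167611] kfree+0xf0/0x298
[ 101.167945] v9fs_fid_iget_dotl+0x138/0x208
[ 101.168349] v9fs_mount+0x37c/0x740
"""

HEADERS = (("Call trace:", "access"), ("Allocated by", "alloc"), ("Freed by", "free"))
FRAME = re.compile(r"^([\w.]+)\+0x([0-9a-f]+)/0x[0-9a-f]+$")

def split_stacks(report):
    """Return {'access'|'alloc'|'free': [(symbol, offset), ...]}, innermost first."""
    stacks, current = {}, None
    for line in report.splitlines():
        text = re.sub(r"^\[\s*\d+\.\d+\]\s*", "", line).strip()
        label = next((name for prefix, name in HEADERS if text.startswith(prefix)), None)
        if label:
            current = stacks.setdefault(label, [])
        elif current is not None and (m := FRAME.match(text)):
            current.append((m.group(1), int(m.group(2), 16)))
        elif not text:
            current = None  # an empty timestamped line ends the current stack
    return stacks

def shared_caller(stacks):
    """Innermost function on all three stacks, with its offset in each stack."""
    for sym, _ in stacks["access"]:
        offs = {kind: dict(frames).get(sym) for kind, frames in stacks.items()}
        if None not in offs.values():
            return sym, offs
    return None, {}

if __name__ == "__main__":
    sym, offs = shared_caller(split_stacks(REPORT))
    print(sym, {kind: hex(off) for kind, off in offs.items()})
```

For this report the shared caller is v9fs_fid_iget_dotl, with the allocation at +0xb4, the kfree at +0x138 and the faulting read reached from +0x174, all in task 158. Offset order within a function is only a hint about code order; the "Allocated ... at" and "Freed ... at" timestamps in the report are what establish the sequence.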