From: bfields@fieldses.org (J. Bruce Fields)
To: trondmy@kernel.org
Cc: linux-nfs@vger.kernel.org
Subject: Re: [PATCH v2 0/9] Fix various issues in the SUNRPC xdr code
Date: Tue, 24 Nov 2020 11:12:50 -0500 [thread overview]
Message-ID: <20201124161250.GA1091@fieldses.org> (raw)
In-Reply-To: <20201124135025.1097571-1-trondmy@kernel.org>
On Tue, Nov 24, 2020 at 08:50:16AM -0500, trondmy@kernel.org wrote:
> From: Trond Myklebust <trond.myklebust@hammerspace.com>
>
> When looking at the issues raised by Tigran's testing of the NFS client
> updates, I noticed a couple of things in the generic SUNRPC xdr code
> that want to be fixed. This patch series replaces an earlier series that
> attempted to just fix the XDR padding in the NFS code.
>
> This series fixes up a number of issues w.r.t. bounds checking in the
> xdr_stream code. It corrects the behaviour of xdr_read_pages() for the
> case where the XDR object size is larger than the buffer page array
> length and simplifies the code.
I'm seeing this on the client with recent upstream + these patches.
--b.
[ 517.213581] ==================================================================
[ 517.214699] BUG: KASAN: slab-out-of-bounds in xdr_set_page+0x327/0x370 [sunrpc]
[ 517.215875] Read of size 8 at addr ffff888035929680 by task kworker/u4:7/1423
[ 517.216958] CPU: 0 PID: 1423 Comm: kworker/u4:7 Not tainted 5.10.0-rc5-16550-gf864315df3e6 #3058
[ 517.218027] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-3.fc33 04/01/2014
[ 517.219124] Workqueue: rpciod rpc_async_schedule [sunrpc]
[ 517.220079] Call Trace:
[ 517.220485] dump_stack+0x9a/0xcc
[ 517.221030] ? xdr_set_page+0x327/0x370 [sunrpc]
[ 517.221712] print_address_description.constprop.0+0x1c/0x1f0
[ 517.222492] ? xdr_set_page+0x327/0x370 [sunrpc]
[ 517.223088] ? xdr_set_page+0x327/0x370 [sunrpc]
[ 517.223677] kasan_report.cold+0x1f/0x37
[ 517.224270] ? xdr_set_page+0x327/0x370 [sunrpc]
[ 517.224872] xdr_set_page+0x327/0x370 [sunrpc]
[ 517.225476] xdr_align_data+0x1c9/0x8e0 [sunrpc]
[ 517.226073] ? lockdep_hardirqs_on_prepare+0x17b/0x400
[ 517.226730] ? kfree+0x118/0x220
[ 517.227172] ? lockdep_hardirqs_on+0x79/0x100
[ 517.227745] ? __decode_op_hdr+0x24/0x4d0 [nfsv4]
[ 517.228427] nfs4_xdr_dec_read_plus+0x360/0x5a0 [nfsv4]
[ 517.229117] ? nfs4_xdr_dec_offload_cancel+0x160/0x160 [nfsv4]
[ 517.229877] gss_unwrap_resp+0x145/0x220 [auth_rpcgss]
[ 517.230558] call_decode+0x5d2/0x830 [sunrpc]
[ 517.231127] ? rpc_decode_header+0x17c0/0x17c0 [sunrpc]
[ 517.231785] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 517.232563] ? rpc_decode_header+0x17c0/0x17c0 [sunrpc]
[ 517.233236] __rpc_execute+0x1b8/0xf10 [sunrpc]
[ 517.233831] ? rpc_exit+0x110/0x110 [sunrpc]
[ 517.234390] ? lock_downgrade+0x690/0x690
[ 517.234918] rpc_async_schedule+0x9f/0x140 [sunrpc]
[ 517.235539] process_one_work+0x7ac/0x12d0
[ 517.236106] ? lock_release+0x6c0/0x6c0
[ 517.236601] ? queue_delayed_work_on+0x90/0x90
[ 517.237170] ? rwlock_bug.part.0+0x90/0x90
[ 517.237694] worker_thread+0x590/0xf80
[ 517.238204] ? rescuer_thread+0xb80/0xb80
[ 517.238714] kthread+0x375/0x450
[ 517.239124] ? _raw_spin_unlock_irq+0x24/0x50
[ 517.239673] ? kthread_create_worker_on_cpu+0xb0/0xb0
[ 517.240392] ret_from_fork+0x22/0x30
[ 517.241072] Allocated by task 9053:
[ 517.241533] kasan_save_stack+0x1b/0x40
[ 517.242018] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 517.242667] __kmalloc+0x11e/0x210
[ 517.243111] nfs_generic_pgio+0x943/0xe10 [nfs]
[ 517.243691] nfs_generic_pg_pgios+0xea/0x3f0 [nfs]
[ 517.244375] nfs_pageio_doio+0xe3/0x240 [nfs]
[ 517.244929] nfs_pageio_complete+0x143/0x580 [nfs]
[ 517.245562] nfs_readpages+0x331/0x5b0 [nfs]
[ 517.246135] read_pages+0x4ab/0xa40
[ 517.246583] page_cache_ra_unbounded+0x361/0x620
[ 517.247165] generic_file_buffered_read+0x377/0x1e90
[ 517.247791] nfs_file_read+0x144/0x240 [nfs]
[ 517.248396] new_sync_read+0x352/0x5d0
[ 517.248870] vfs_read+0x202/0x3f0
[ 517.249290] ksys_read+0xe9/0x1b0
[ 517.249708] do_syscall_64+0x33/0x40
[ 517.251015] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 517.252201] The buggy address belongs to the object at ffff888035929600
which belongs to the cache kmalloc-128 of size 128
[ 517.253807] The buggy address is located 0 bytes to the right of
128-byte region [ffff888035929600, ffff888035929680)
[ 517.255217] The buggy address belongs to the page:
[ 517.255819] page:00000000ab6145f3 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x35929
[ 517.257070] flags: 0x4000000000000200(slab)
[ 517.257600] raw: 4000000000000200 ffffea00003970d8 ffffea00004582e8 ffff888007840400
[ 517.258582] raw: 0000000000000000 ffff888035929000 0000000100000010
[ 517.259362] page dumped because: kasan: bad access detected
[ 517.260315] Memory state around the buggy address:
[ 517.260912] ffff888035929580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 517.261833] ffff888035929600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 517.262755] >ffff888035929680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 517.263655] ^
[ 517.264133] ffff888035929700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 517.265066] ffff888035929780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 517.265967] ==================================================================
next prev parent reply other threads:[~2020-11-24 16:13 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-24 13:50 [PATCH v2 0/9] Fix various issues in the SUNRPC xdr code trondmy
2020-11-24 13:50 ` [PATCH v2 1/9] NFSv4: Fix the alignment of page data in the getdeviceinfo reply trondmy
2020-11-24 13:50 ` [PATCH v2 2/9] SUNRPC: Fix up typo in xdr_init_decode() trondmy
2020-11-24 13:50 ` [PATCH v2 3/9] SUNRPC: Clean up helpers xdr_set_iov() and xdr_set_page_base() trondmy
2020-11-24 13:50 ` [PATCH v2 4/9] SUNRPC: Fix up xdr_read_pages() to take arbitrary object lengths trondmy
2020-11-24 13:50 ` [PATCH v2 5/9] SUNRPC: Clean up the handling of page padding in rpc_prepare_reply_pages() trondmy
2020-11-24 13:50 ` [PATCH v2 6/9] SUNRPC: Fix up xdr_set_page() trondmy
2020-11-24 13:50 ` [PATCH v2 7/9] SUNRPC: Fix open coded xdr_stream_remaining() trondmy
2020-11-24 13:50 ` [PATCH v2 8/9] NFSv4: " trondmy
2020-11-24 13:50 ` [PATCH v2 9/9] NFSv4.2: Fix up read_plus() page alignment trondmy
2020-11-24 17:52 ` [PATCH v2 5/9] SUNRPC: Clean up the handling of page padding in rpc_prepare_reply_pages() Anna Schumaker
[not found] ` <MN2PR13MB39576255BD4CC8160E020B35B8FB0@MN2PR13MB3957.namprd13.prod.outlook.com>
2020-11-24 18:04 ` Anna Schumaker
2020-11-24 19:42 ` Anna Schumaker
2020-11-24 16:12 ` J. Bruce Fields [this message]
2020-11-24 16:18 ` [PATCH v2 0/9] Fix various issues in the SUNRPC xdr code J. Bruce Fields
2020-11-24 20:26 ` J. Bruce Fields
2020-11-25 0:36 ` Trond Myklebust
2020-11-25 12:47 ` Mkrtchyan, Tigran
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201124161250.GA1091@fieldses.org \
--to=bfields@fieldses.org \
--cc=linux-nfs@vger.kernel.org \
--cc=trondmy@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).