Hello,

kernel test robot noticed "BUG:KASAN:slab-use-after-free_in_ifs_free" on:

commit: 5ade73f9dd3a66f007bc8ee76dcb9e1224e9bbfa ("iomap: check if folio size is equal to FS block size")
https://github.com/goldwynr/linux buffered-iomap

in testcase: xfstests
version: xfstests-x86_64-c46ca4d1-1_20240205
with following parameters:

	disk: 4HDD
	fs: xfs
	test: xfs-group-54

compiler: gcc-12
test machine: 4 threads Intel(R) Xeon(R) CPU E3-1225 v5 @ 3.30GHz (Skylake) with 16G memory

(please refer to attached dmesg/kmsg for entire log/backtrace)

If you fix the issue in a separate patch/commit (i.e. not just a new version of the
same patch/commit), kindly add following tags
| Reported-by: kernel test robot <oliver.sang@xxxxxxxxx>
| Closes: https://lore.kernel.org/oe-lkp/202402201521.1a5453d-oliver.sang@xxxxxxxxx

[ 187.766673][ T3992] BUG: KASAN: slab-use-after-free in ifs_free (fs/iomap/buffered-io.c:197)
[ 187.773657][ T3992] Read of size 4 at addr ffff8881901b0584 by task fsstress/3992
[ 187.781155][ T3992]
[ 187.783353][ T3992] CPU: 3 PID: 3992 Comm: fsstress Not tainted 6.8.0-rc3-00092-g5ade73f9dd3a #1
[ 187.792159][ T3992] Hardware name: HP HP Z238 Microtower Workstation/8183, BIOS N51 Ver. 01.63 10/05/2017
[ 187.801746][ T3992] Call Trace:
[ 187.804903][ T3992]  <TASK>
[ 187.807713][ T3992]  dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))
[ 187.812075][ T3992]  print_address_description+0x2c/0x3a0
[ 187.818524][ T3992]  ? ifs_free (fs/iomap/buffered-io.c:197)
[ 187.822716][ T3992]  print_report (mm/kasan/report.c:489)
[ 187.826995][ T3992]  ? kasan_addr_to_slab (mm/kasan/common.c:37)
[ 187.831799][ T3992]  ? ifs_free (fs/iomap/buffered-io.c:197)
[ 187.835995][ T3992]  kasan_report (mm/kasan/report.c:603)
[ 187.840282][ T3992]  ? ifs_free (fs/iomap/buffered-io.c:197)
[ 187.844480][ T3992]  ifs_free (fs/iomap/buffered-io.c:197)
[ 187.848499][ T3992]  truncate_cleanup_folio (mm/truncate.c:158 mm/truncate.c:178)
[ 187.853727][ T3992]  truncate_inode_partial_folio (mm/truncate.c:195 mm/truncate.c:227)
[ 187.859470][ T3992]  truncate_inode_pages_range (mm/truncate.c:370)
[ 187.865048][ T3992]  ? truncate_inode_partial_folio (mm/truncate.c:322)
[ 187.870969][ T3992]  xfs_flush_unmap_range (fs/xfs/xfs_bmap_util.c:820) xfs
[ 187.876706][ T3992]  xfs_file_fallocate (fs/xfs/xfs_file.c:994) xfs
[ 187.882304][ T3992]  ? xfs_break_layouts (fs/xfs/xfs_file.c:951) xfs
[ 187.887959][ T3992]  ? __do_sys_newfstat (fs/stat.c:481)
[ 187.892765][ T3992]  ? __ia32_sys_fstat (fs/stat.c:476)
[ 187.897487][ T3992]  ? preempt_notifier_dec (kernel/sched/core.c:10131)
[ 187.902556][ T3992]  vfs_fallocate (fs/open.c:328)
[ 187.907012][ T3992]  __x64_sys_fallocate (include/linux/file.h:45 fs/open.c:352 fs/open.c:359 fs/open.c:357 fs/open.c:357)
[ 187.911899][ T3992]  do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
[ 187.916263][ T3992]  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)
[ 187.922007][ T3992] RIP: 0033:0x7ff1a6311246
[ 187.926283][ T3992] Code: b8 ff ff ff ff eb bd 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 49 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 11 b8 1d 01 00 00 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 90 48 83 ec 28 48 89 54 24 10 89 74 24
All code
========
   0:   b8 ff ff ff ff          mov    $0xffffffff,%eax
   5:   eb bd                   jmp    0xffffffffffffffc4
   7:   66 2e 0f 1f 84 00 00    nopw   %cs:0x0(%rax,%rax,1)
   e:   00 00 00
  11:   0f 1f 00                nopl   (%rax)
  14:   49 89 ca                mov    %rcx,%r10
  17:   64 8b 04 25 18 00 00    mov    %fs:0x18,%eax
  1e:   00
  1f:   85 c0                   test   %eax,%eax
  21:   75 11                   jne    0x34
  23:   b8 1d 01 00 00          mov    $0x11d,%eax
  28:   0f 05                   syscall
  2a:*  48 3d 00 f0 ff ff       cmp    $0xfffffffffffff000,%rax        <-- trapping instruction
  30:   77 5a                   ja     0x8c
  32:   c3                      retq
  33:   90                      nop
  34:   48 83 ec 28             sub    $0x28,%rsp
  38:   48 89 54 24 10          mov    %rdx,0x10(%rsp)
  3d:   89                      .byte 0x89
  3e:   74 24                   je     0x64

Code starting with the faulting instruction
===========================================
   0:   48 3d 00 f0 ff ff       cmp    $0xfffffffffffff000,%rax
   6:   77 5a                   ja     0x62
   8:   c3                      retq
   9:   90                      nop
   a:   48 83 ec 28             sub    $0x28,%rsp
   e:   48 89 54 24 10          mov    %rdx,0x10(%rsp)
  13:   89                      .byte 0x89
  14:   74 24                   je     0x3a
[ 187.945763][ T3992] RSP: 002b:00007ffde302b2c8 EFLAGS: 00000246 ORIG_RAX: 000000000000011d
[ 187.954046][ T3992] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007ff1a6311246
[ 187.961897][ T3992] RDX: 00000000001e9d02 RSI: 0000000000000003 RDI: 0000000000000004
[ 187.969717][ T3992] RBP: 0000000000000004 R08: 0000000000000071 R09: 00007ffde302aef7
[ 187.977541][ T3992] R10: 00000000000ad212 R11: 0000000000000246 R12: 0000000000000029
[ 187.985363][ T3992] R13: 00000000000ad212 R14: 00000000001e9d02 R15: 0000000000000003
[ 187.993188][ T3992]  </TASK>
[ 187.996070][ T3992]
[ 187.998261][ T3992] Allocated by task 3992:
[ 188.002453][ T3992]  kasan_save_stack (mm/kasan/common.c:48)
[ 188.006996][ T3992]  kasan_save_track (arch/x86/include/asm/current.h:42 mm/kasan/common.c:60 mm/kasan/common.c:70)
[ 188.011527][ T3992]  __kasan_kmalloc (mm/kasan/common.c:372 mm/kasan/common.c:389)
[ 188.015970][ T3992]  __kmalloc (include/linux/kasan.h:211 mm/slub.c:3981 mm/slub.c:3994)
[ 188.020068][ T3992]  ifs_alloc (include/linux/slab.h:594 include/linux/slab.h:711 fs/iomap/buffered-io.c:176)
[ 188.024164][ T3992]  iomap_writepage_map (fs/iomap/buffered-io.c:1923)
[ 188.029213][ T3992]  write_cache_pages (include/linux/instrumented.h:68 include/asm-generic/bitops/instrumented-non-atomic.h:141 include/linux/page-flags.h:785 include/linux/page-flags.h:806 include/linux/mm.h:2059 mm/page-writeback.c:2475)
[ 188.034010][ T3992]  iomap_writepages (fs/iomap/buffered-io.c:2123)
[ 188.038559][ T3992]  xfs_vm_writepages (fs/xfs/xfs_aops.c:502) xfs
[ 188.044041][ T3992]  do_writepages (mm/page-writeback.c:2553)
[ 188.048499][ T3992]  filemap_fdatawrite_wbc (mm/filemap.c:389 mm/filemap.c:378)
[ 188.053740][ T3992]  __filemap_fdatawrite_range (mm/filemap.c:413)
[ 188.059156][ T3992]  filemap_write_and_wait_range (mm/filemap.c:676 mm/filemap.c:667)
[ 188.064732][ T3992]  xfs_setattr_size (fs/xfs/xfs_iops.c:900) xfs
[ 188.070155][ T3992]  xfs_vn_setattr (fs/xfs/xfs_iops.c:1021) xfs
[ 188.075275][ T3992]  notify_change (fs/attr.c:503)
[ 188.079718][ T3992]  do_truncate (fs/open.c:67)
[ 188.083990][ T3992]  vfs_truncate (fs/open.c:112)
[ 188.088356][ T3992]  __x64_sys_truncate (fs/open.c:136 fs/open.c:147 fs/open.c:145 fs/open.c:145)
[ 188.093250][ T3992]  do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
[ 188.097621][ T3992]  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)
[ 188.103385][ T3992]
[ 188.105581][ T3992] Freed by task 3992:
[ 188.109432][ T3992]  kasan_save_stack (mm/kasan/common.c:48)
[ 188.113979][ T3992]  kasan_save_track (arch/x86/include/asm/current.h:42 mm/kasan/common.c:60 mm/kasan/common.c:70)
[ 188.118520][ T3992]  kasan_save_free_info (mm/kasan/generic.c:643)
[ 188.123406][ T3992]  poison_slab_object (mm/kasan/common.c:243)
[ 188.128281][ T3992]  __kasan_slab_free (mm/kasan/common.c:257)
[ 188.132924][ T3992]  kfree (mm/slub.c:4299 mm/slub.c:4409)
[ 188.136598][ T3992]  iomap_release_folio (fs/iomap/buffered-io.c:675)
[ 188.141576][ T3992]  split_huge_page_to_list (mm/huge_memory.c:3032)
[ 188.146902][ T3992]  truncate_inode_partial_folio (mm/truncate.c:242)
[ 188.152666][ T3992]  truncate_inode_pages_range (mm/truncate.c:370)
[ 188.158255][ T3992]  xfs_flush_unmap_range (fs/xfs/xfs_bmap_util.c:820) xfs
[ 188.164000][ T3992]  xfs_file_fallocate (fs/xfs/xfs_file.c:994) xfs
[ 188.169566][ T3992]  vfs_fallocate (fs/open.c:328)
[ 188.174012][ T3992]  __x64_sys_fallocate (include/linux/file.h:45 fs/open.c:352 fs/open.c:359 fs/open.c:357 fs/open.c:357)
[ 188.178901][ T3992]  do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
[ 188.183274][ T3992]  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)
[ 188.189029][ T3992]
[ 188.191222][ T3992] The buggy address belongs to the object at ffff8881901b0580
[ 188.191222][ T3992]  which belongs to the cache kmalloc-32 of size 32
[ 188.204985][ T3992] The buggy address is located 4 bytes inside of
[ 188.204985][ T3992]  freed 32-byte region [ffff8881901b0580, ffff8881901b05a0)
[ 188.218401][ T3992]
[ 188.220588][ T3992] The buggy address belongs to the physical page:
[ 188.226868][ T3992] page:000000007b2fa282 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1901b0
[ 188.236992][ T3992] flags: 0x17ffffc0000800(slab|node=0|zone=2|lastcpupid=0x1fffff)
[ 188.244660][ T3992] page_type: 0xffffffff()
[ 188.248868][ T3992] raw: 0017ffffc0000800 ffff88810c842500 dead000000000100 dead000000000122
[ 188.257321][ T3992] raw: 0000000000000000 0000000080400040 00000001ffffffff 0000000000000000
[ 188.265749][ T3992] page dumped because: kasan: bad access detected
[ 188.272024][ T3992]
[ 188.274222][ T3992] Memory state around the buggy address:
[ 188.279724][ T3992]  ffff8881901b0480: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[ 188.287658][ T3992]  ffff8881901b0500: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc
[ 188.295593][ T3992] >ffff8881901b0580: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 188.303520][ T3992]                    ^
[ 188.307443][ T3992]  ffff8881901b0600: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
[ 188.315365][ T3992]  ffff8881901b0680: fb fb fb fb fc fc fc fc 00 00 03 fc fc fc fc fc
[ 188.323301][ T3992] ==================================================================
[ 188.331310][ T3992] Disabling lock debugging due to kernel taint


The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20240220/202402201521.1a5453d-oliver.sang@xxxxxxxxx

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
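As an added example that is not part of the robot's report nor of the iomap tree under test, the following Python script parses the KASAN report format shown above into the three facts a triager needs first: where the object was allocated, where it was freed, and where it was used afterwards, plus the object bounds and the shadow byte covering the faulting address. The sample input is a trimmed copy of the report lines in this message, embedded as a constant; the shadow-byte meanings are the generic-mode KASAN values from mm/kasan/kasan.h (0xfa/0xfb freed, 0xfc slab redzone, 0x00 addressable, 0x01-0x07 partially addressable), and the list of "plumbing" frame prefixes to skip is this example's own heuristic.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: a trimmed copy of the KASAN report quoted in this message.
SAMPLE_REPORT = """\
[  187.766673][ T3992] BUG: KASAN: slab-use-after-free in ifs_free (fs/iomap/buffered-io.c:197)
[  187.773657][ T3992] Read of size 4 at addr ffff8881901b0584 by task fsstress/3992
[  187.801746][ T3992] Call Trace:
[  187.804903][ T3992]  <TASK>
[  187.807713][ T3992]  dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))
[  187.835995][ T3992]  kasan_report (mm/kasan/report.c:603)
[  187.840282][ T3992]  ? ifs_free (fs/iomap/buffered-io.c:197)
[  187.844480][ T3992]  ifs_free (fs/iomap/buffered-io.c:197)
[  187.848499][ T3992]  truncate_cleanup_folio (mm/truncate.c:158 mm/truncate.c:178)
[  187.876706][ T3992]  xfs_file_fallocate (fs/xfs/xfs_file.c:994) xfs
[  187.996070][ T3992]
[  187.998261][ T3992] Allocated by task 3992:
[  188.002453][ T3992]  kasan_save_stack (mm/kasan/common.c:48)
[  188.020068][ T3992]  ifs_alloc (include/linux/slab.h:594 include/linux/slab.h:711 fs/iomap/buffered-io.c:176)
[  188.024164][ T3992]  iomap_writepage_map (fs/iomap/buffered-io.c:1923)
[  188.103385][ T3992]
[  188.105581][ T3992] Freed by task 3992:
[  188.132924][ T3992]  kfree (mm/slub.c:4299 mm/slub.c:4409)
[  188.136598][ T3992]  iomap_release_folio (fs/iomap/buffered-io.c:675)
[  188.141576][ T3992]  split_huge_page_to_list (mm/huge_memory.c:3032)
[  188.189029][ T3992]
[  188.204985][ T3992]  freed 32-byte region [ffff8881901b0580, ffff8881901b05a0)
[  188.295593][ T3992] >ffff8881901b0580: fa fb fb fb fc fc fc fc 00 00 00 fc fc fc fc fc
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]")  # dmesg timestamp + thread id
HEADER = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+) \(")
ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
FRAME = re.compile(r"^(?P<stale>\? )?(?P<func>[\w.]+) \(.*\)")  # "? foo" marks a stale stack slot
REGION = re.compile(r"(?P<size>\d+)-byte region \[(?P<lo>[0-9a-f]+), (?P<hi>[0-9a-f]+)\)")
SHADOW_ROW = re.compile(r"^>(?P<base>[0-9a-f]{16}): (?P<bytes>[0-9a-f ]+)$")
# Generic-mode KASAN shadow values from mm/kasan/kasan.h; one shadow byte covers 8 bytes.
SHADOW_POISON = {0xfa: "freed slab object (free-track granule)", 0xfb: "freed slab object",
                 0xfc: "slab redzone", 0xfe: "page redzone"}
# Heuristic (this example's own): frames that belong to KASAN/allocator plumbing, not the code under test.
PLUMBING = ("dump_stack", "print_", "kasan_", "__kasan", "poison_slab", "kfree", "__kmalloc", "kmalloc", "kmem_cache")

@dataclass
class KasanReport:
    kind: str = ""
    site: str = ""                 # function named on the BUG: line
    op: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    obj_lo: int = 0
    obj_hi: int = 0
    shadow: Optional[int] = None   # shadow byte covering addr, if the memory-state dump was seen
    stacks: dict = field(default_factory=lambda: {"access": [], "alloc": [], "free": []})

    def offset(self) -> int:
        return self.addr - self.obj_lo

    def first_real_frame(self, which: str) -> str:
        """First frame of a stack that is not KASAN/allocator plumbing."""
        return next((f for f in self.stacks[which] if not f.startswith(PLUMBING)), "")

def parse_kasan_report(text: str) -> KasanReport:
    r, section = KasanReport(), None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if m := HEADER.search(line):
            r.kind, r.site = m["kind"], m["func"]
        elif m := ACCESS.search(line):
            r.op, r.size, r.addr, r.task = m["op"], int(m["size"]), int(m["addr"], 16), m["task"]
        elif line.startswith("Call Trace:"):
            section = "access"
        elif line.startswith("Allocated by"):
            section = "alloc"
        elif line.startswith("Freed by"):
            section = "free"
        elif not line:
            section = None         # a blank line closes every stack section
        elif m := REGION.search(line):
            r.obj_lo, r.obj_hi = int(m["lo"], 16), int(m["hi"], 16)
        elif m := SHADOW_ROW.match(line):
            shadow = [int(b, 16) for b in m["bytes"].split()]
            granule = (r.addr - int(m["base"], 16)) // 8
            if 0 <= granule < len(shadow):
                r.shadow = shadow[granule]
        elif section and (m := FRAME.match(line)) and not m["stale"]:
            r.stacks[section].append(m["func"])
    return r

def describe_shadow(b: int) -> str:
    """Decode one generic-mode KASAN shadow byte."""
    if b == 0:
        return "addressable"
    if 1 <= b <= 7:
        return f"only the first {b} bytes addressable"
    return SHADOW_POISON.get(b, f"poisoned (0x{b:02x})")

def summarize(r: KasanReport) -> str:
    shadow = "unknown" if r.shadow is None else f"0x{r.shadow:02x} = {describe_shadow(r.shadow)}"
    return (f"{r.kind}: {r.op} of {r.size} at offset {r.offset()} in a {r.obj_hi - r.obj_lo}-byte object "
            f"by {r.task}\n  used in  : {r.first_real_frame('access')}\n  allocated: "
            f"{r.first_real_frame('alloc')}\n  freed    : {r.first_real_frame('free')}\n  shadow   : {shadow}")

if __name__ == "__main__":
    print(summarize(parse_kasan_report(SAMPLE_REPORT)))
```

Run against the sample it prints the access, allocation and free sites (ifs_free, ifs_alloc, iomap_release_folio) and decodes the shadow byte at the caret as 0xfa, i.e. the first granule of a freed kmalloc-32 object, which is the same conclusion the "freed 32-byte region" line states in words. Frames prefixed with "? " are skipped because the unwinder reports them as stale stack slots rather than real callers.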