Hello,

kernel test robot noticed "BUG:KASAN:slab-use-after-free_in_copy_from_iter" on:

commit: 6afe9feeb377343e805b41bf08504bba6fcbaa7b ("netfs: Use new folio_queue data type and iterator instead of xarray iter")
https://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git netfs-writeback

in testcase: xfstests
version: xfstests-x86_64-b3b32377-1_20240729
with following parameters:

	disk: 4HDD
	fs: ext4
	fs2: smbv2
	test: generic-group-13

compiler: gcc-13
test machine: 4 threads Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz (Skylake) with 32G memory

(please refer to attached dmesg/kmsg for entire log/backtrace)

If you fix the issue in a separate patch/commit (i.e. not just a new version of the
same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <oliver.sang@xxxxxxxxx>
| Closes: https://lore.kernel.org/oe-lkp/202408081649.796e7bd-oliver.sang@xxxxxxxxx

[ 388.136673][ T2650] BUG: KASAN: slab-use-after-free in _copy_from_iter (include/linux/iov_iter.h:157 include/linux/iov_iter.h:308 include/linux/iov_iter.h:328 lib/iov_iter.c:249 lib/iov_iter.c:260)
[ 388.144431][ T2650] Read of size 8 at addr ffff88813dc6b520 by task xfs_io/2650
[ 388.151751][ T2650]
[ 388.153947][ T2650] CPU: 0 UID: 0 PID: 2650 Comm: xfs_io Not tainted 6.11.0-rc1-00018-g6afe9feeb377 #1
[ 388.163269][ T2650] Hardware name: Dell Inc. OptiPlex 7040/0Y7WYT, BIOS 1.8.1 12/05/2017
[ 388.171372][ T2650] Call Trace:
[ 388.174524][ T2650] <TASK>
[ 388.177328][ T2650] dump_stack_lvl (lib/dump_stack.c:122)
[ 388.181698][ T2650] print_address_description+0x30/0x410
[ 388.188158][ T2650] ? _copy_from_iter (include/linux/iov_iter.h:157 include/linux/iov_iter.h:308 include/linux/iov_iter.h:328 lib/iov_iter.c:249 lib/iov_iter.c:260)
[ 388.193126][ T2650] print_report (mm/kasan/report.c:489)
[ 388.197400][ T2650] ? kasan_addr_to_slab (mm/kasan/common.c:37)
[ 388.202195][ T2650] ? _copy_from_iter (include/linux/iov_iter.h:157 include/linux/iov_iter.h:308 include/linux/iov_iter.h:328 lib/iov_iter.c:249 lib/iov_iter.c:260)
[ 388.207164][ T2650] kasan_report (mm/kasan/report.c:603)
[ 388.211436][ T2650] ? _copy_from_iter (include/linux/iov_iter.h:157 include/linux/iov_iter.h:308 include/linux/iov_iter.h:328 lib/iov_iter.c:249 lib/iov_iter.c:260)
[ 388.216409][ T2650] _copy_from_iter (include/linux/iov_iter.h:157 include/linux/iov_iter.h:308 include/linux/iov_iter.h:328 lib/iov_iter.c:249 lib/iov_iter.c:260)
[ 388.221204][ T2650] ? __pfx_try_charge_memcg (mm/memcontrol.c:2158)
[ 388.226434][ T2650] ? __pfx__copy_from_iter (lib/iov_iter.c:254)
[ 388.231593][ T2650] ? __mod_memcg_state (mm/memcontrol.c:555 (discriminator 1) mm/memcontrol.c:669 (discriminator 1))
[ 388.236566][ T2650] ? check_heap_object (arch/x86/include/asm/bitops.h:206 (discriminator 1) arch/x86/include/asm/bitops.h:238 (discriminator 1) include/asm-generic/bitops/instrumented-non-atomic.h:142 (discriminator 1) include/linux/page-flags.h:827 (discriminator 1) include/linux/page-flags.h:848 (discriminator 1) include/linux/mm.h:1122 (discriminator 1) include/linux/mm.h:2138 (discriminator 1) mm/usercopy.c:199 (discriminator 1))
[ 388.241552][ T2650] ? 0xffffffff81000000
[ 388.245567][ T2650] ? __check_object_size (mm/memremap.c:167)
[ 388.251246][ T2650] skb_do_copy_data_nocache (include/linux/uio.h:213 include/linux/uio.h:230 include/net/sock.h:2167)
[ 388.256655][ T2650] ? __pfx_skb_do_copy_data_nocache (include/net/sock.h:2158)
[ 388.262594][ T2650] ? __sk_mem_schedule (net/core/sock.c:3194)
[ 388.267406][ T2650] tcp_sendmsg_locked (include/net/sock.h:2195 net/ipv4/tcp.c:1218)
[ 388.272463][ T2650] ? cifs_flush (fs/smb/client/file.c:2726) cifs
[ 388.277444][ T2650] ? filp_flush (fs/open.c:1526)
[ 388.281720][ T2650] ? __pfx_tcp_sendmsg_locked (net/ipv4/tcp.c:1049)
[ 388.287126][ T2650] ? filp_close (fs/open.c:1540)
[ 388.291315][ T2650] ? _raw_spin_lock_bh (arch/x86/include/asm/atomic.h:107 (discriminator 4) include/linux/atomic/atomic-arch-fallback.h:2170 (discriminator 4) include/linux/atomic/atomic-instrumented.h:1302 (discriminator 4) include/asm-generic/qspinlock.h:111 (discriminator 4) include/linux/spinlock.h:187 (discriminator 4) include/linux/spinlock_api_smp.h:127 (discriminator 4) kernel/locking/spinlock.c:178 (discriminator 4))
[ 388.296113][ T2650] ? __pfx__raw_spin_lock_bh (kernel/locking/spinlock.c:177)
[ 388.301431][ T2650] tcp_sendmsg (net/ipv4/tcp.c:1355)
[ 388.305533][ T2650] sock_sendmsg (net/socket.c:730 (discriminator 1) net/socket.c:745 (discriminator 1) net/socket.c:768 (discriminator 1))
[ 388.309897][ T2650] ? stack_trace_save (kernel/stacktrace.c:123)
[ 388.314623][ T2650] ? __pfx_sock_sendmsg (net/socket.c:757)
[ 388.319529][ T2650] ? recalc_sigpending (arch/x86/include/asm/bitops.h:75 include/asm-generic/bitops/instrumented-atomic.h:42 include/linux/thread_info.h:94 kernel/signal.c:178 kernel/signal.c:175)
[ 388.324509][ T2650] smb_send_kvec (fs/smb/client/transport.c:215) cifs
[ 388.329725][ T2650] __smb_send_rqst (fs/smb/client/transport.c:361) cifs
[ 388.335056][ T2650] ? __pfx___smb_send_rqst (fs/smb/client/transport.c:274) cifs
[ 388.340915][ T2650] ? __pfx_mempool_alloc_noprof (mm/mempool.c:385)
[ 388.346499][ T2650] ? __asan_memset (mm/kasan/shadow.c:84 (discriminator 2))
[ 388.350949][ T2650] ? _raw_spin_lock (arch/x86/include/asm/atomic.h:107 (discriminator 4) include/linux/atomic/atomic-arch-fallback.h:2170 (discriminator 4) include/linux/atomic/atomic-instrumented.h:1302 (discriminator 4) include/asm-generic/qspinlock.h:111 (discriminator 4) include/linux/spinlock.h:187 (discriminator 4) include/linux/spinlock_api_smp.h:134 (discriminator 4) kernel/locking/spinlock.c:154 (discriminator 4))
[ 388.355488][ T2650] ? __pfx__raw_spin_lock (kernel/locking/spinlock.c:153)
[ 388.360546][ T2650] ? smb2_setup_async_request (fs/smb/client/smb2transport.c:903) cifs
[ 388.366873][ T2650] cifs_call_async (fs/smb/client/transport.c:841) cifs
[ 388.372196][ T2650] ? __pfx_cifs_call_async (fs/smb/client/transport.c:787) cifs
[ 388.378041][ T2650] ? _raw_spin_lock (arch/x86/include/asm/atomic.h:107 (discriminator 4) include/linux/atomic/atomic-arch-fallback.h:2170 (discriminator 4) include/linux/atomic/atomic-instrumented.h:1302 (discriminator 4) include/asm-generic/qspinlock.h:111 (discriminator 4) include/linux/spinlock.h:187 (discriminator 4) include/linux/spinlock_api_smp.h:134 (discriminator 4) kernel/locking/spinlock.c:154 (discriminator 4))
[ 388.382596][ T2650] ? __asan_memset (mm/kasan/shadow.c:84 (discriminator 2))
[ 388.387047][ T2650] ? __smb2_plain_req_init (arch/x86/include/asm/atomic.h:53 include/linux/atomic/atomic-arch-fallback.h:992 include/linux/atomic/atomic-instrumented.h:436 fs/smb/client/smb2pdu.c:552) cifs
[ 388.393155][ T2650] smb2_async_writev (fs/smb/client/smb2pdu.c:5014) cifs
[ 388.398744][ T2650] ? __pfx_smb2_async_writev (fs/smb/client/smb2pdu.c:4881) cifs
[ 388.404765][ T2650] ? _raw_spin_lock (arch/x86/include/asm/atomic.h:107 (discriminator 4) include/linux/atomic/atomic-arch-fallback.h:2170 (discriminator 4) include/linux/atomic/atomic-instrumented.h:1302 (discriminator 4) include/asm-generic/qspinlock.h:111 (discriminator 4) include/linux/spinlock.h:187 (discriminator 4) include/linux/spinlock_api_smp.h:134 (discriminator 4) kernel/locking/spinlock.c:154 (discriminator 4))
[ 388.409306][ T2650] ? cifs_prepare_write (fs/smb/client/file.c:77) cifs
[ 388.415061][ T2650] ? netfs_advance_write (fs/netfs/write_issue.c:298)
[ 388.420208][ T2650] netfs_advance_write (fs/netfs/write_issue.c:298)
[ 388.425181][ T2650] ? netfs_buffer_append_folio (arch/x86/include/asm/bitops.h:206 (discriminator 1) arch/x86/include/asm/bitops.h:238 (discriminator 1) include/asm-generic/bitops/instrumented-non-atomic.h:142 (discriminator 1) include/linux/page-flags.h:827 (discriminator 1) include/linux/page-flags.h:848 (discriminator 1) include/linux/mm.h:1122 (discriminator 1) include/linux/folio_queue.h:102 (discriminator 1) fs/netfs/misc.c:43 (discriminator 1))
[ 388.430848][ T2650] netfs_write_folio (fs/netfs/write_issue.c:466)
[ 388.435733][ T2650] ? writeback_get_folio (mm/page-writeback.c:2502)
[ 388.440882][ T2650] netfs_writepages (fs/netfs/write_issue.c:538 (discriminator 1))
[ 388.445598][ T2650] ? __kernel_text_address (kernel/extable.c:79 (discriminator 1))
[ 388.450759][ T2650] ? __pfx_netfs_writepages (fs/netfs/write_issue.c:497)
[ 388.455994][ T2650] ? arch_stack_walk (arch/x86/kernel/stacktrace.c:26)
[ 388.460707][ T2650] do_writepages (mm/page-writeback.c:2683)
[ 388.465157][ T2650] ? stack_trace_save (kernel/stacktrace.c:123)
[ 388.469868][ T2650] ? __pfx_do_writepages (mm/page-writeback.c:2673)
[ 388.474839][ T2650] ? stack_depot_save_flags (lib/stackdepot.c:609)
[ 388.480158][ T2650] ? kasan_save_track (arch/x86/include/asm/current.h:49 (discriminator 1) mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1))
[ 388.484867][ T2650] ? kasan_save_free_info (mm/kasan/generic.c:582 (discriminator 1))
[ 388.489928][ T2650] ? _raw_spin_lock (arch/x86/include/asm/atomic.h:107 (discriminator 4) include/linux/atomic/atomic-arch-fallback.h:2170 (discriminator 4) include/linux/atomic/atomic-instrumented.h:1302 (discriminator 4) include/asm-generic/qspinlock.h:111 (discriminator 4) include/linux/spinlock.h:187 (discriminator 4) include/linux/spinlock_api_smp.h:134 (discriminator 4) kernel/locking/spinlock.c:154 (discriminator 4))
[ 388.494465][ T2650] ? __pfx__raw_spin_lock (kernel/locking/spinlock.c:153)
[ 388.499522][ T2650] ? __kasan_record_aux_stack (mm/kasan/generic.c:541 (discriminator 1))
[ 388.504926][ T2650] ? wbc_attach_and_unlock_inode (arch/x86/include/asm/jump_label.h:27 include/linux/backing-dev.h:176 fs/fs-writeback.c:737)
[ 388.510679][ T2650] filemap_fdatawrite_wbc (mm/filemap.c:398 mm/filemap.c:387)
[ 388.515912][ T2650] __filemap_fdatawrite_range (mm/filemap.c:422)
[ 388.521317][ T2650] ? __pfx___filemap_fdatawrite_range (mm/filemap.c:422)
[ 388.527424][ T2650] ? __pfx_task_work_add (kernel/task_work.c:54)
[ 388.532395][ T2650] filemap_write_and_wait_range (mm/filemap.c:685 mm/filemap.c:676)
[ 388.537977][ T2650] cifs_flush (fs/smb/client/file.c:2729 (discriminator 2)) cifs
[ 388.542863][ T2650] filp_flush (fs/open.c:1526)
[ 388.546967][ T2650] filp_close (fs/open.c:1540)
[ 388.550983][ T2650] put_files_struct (fs/file.c:438 fs/file.c:452 fs/file.c:449)
[ 388.555700][ T2650] do_exit (kernel/exit.c:878)
[ 388.559651][ T2650] ? __pfx_do_exit (kernel/exit.c:821)
[ 388.564106][ T2650] ? update_load_avg (kernel/sched/fair.c:4410 kernel/sched/fair.c:4747)
[ 388.569001][ T2650] ? _raw_spin_lock_irq (arch/x86/include/asm/atomic.h:107 (discriminator 4) include/linux/atomic/atomic-arch-fallback.h:2170 (discriminator 4) include/linux/atomic/atomic-instrumented.h:1302 (discriminator 4) include/asm-generic/qspinlock.h:111 (discriminator 4) include/linux/spinlock.h:187 (discriminator 4) include/linux/spinlock_api_smp.h:120 (discriminator 4) kernel/locking/spinlock.c:170 (discriminator 4))
[ 388.573892][ T2650] do_group_exit (kernel/exit.c:1012)
[ 388.578264][ T2650] get_signal (kernel/signal.c:746 kernel/signal.c:2794)
[ 388.582648][ T2650] ? finish_task_switch+0x1b3/0x750
[ 388.588319][ T2650] ? __pfx_get_signal (kernel/signal.c:2682)
[ 388.593031][ T2650] ? __schedule (kernel/sched/core.c:6399)
[ 388.597485][ T2650] arch_do_signal_or_restart (arch/x86/kernel/signal.c:310 (discriminator 1))
[ 388.602893][ T2650] ? __pfx_arch_do_signal_or_restart (arch/x86/kernel/signal.c:307)
[ 388.608910][ T2650] syscall_exit_to_user_mode (kernel/entry/common.c:111 include/linux/entry-common.h:328 kernel/entry/common.c:207 kernel/entry/common.c:218)
[ 388.614407][ T2650] do_syscall_64 (arch/x86/entry/common.c:102)
[ 388.618771][ T2650] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[ 388.624527][ T2650] RIP: 0033:0x7f877d125d32
[ 388.628802][ T2650] Code: Unable to access opcode bytes at 0x7f877d125d08.
Code starting with the faulting instruction
===========================================
[ 388.635684][ T2650] RSP: 002b:00007f877cdffdb0 EFLAGS: 00000293 ORIG_RAX: 0000000000000022
[ 388.643958][ T2650] RAX: fffffffffffffdfe RBX: 00007f877ce006c0 RCX: 00007f877d125d32
[ 388.651794][ T2650] RDX: 0000000000000002 RSI: 0000000000000000 RDI: 0000000000000000
[ 388.659642][ T2650] RBP: 0000000000000000 R08: 0000000000000000 R09: 00007ffe43b01d37
[ 388.667478][ T2650] R10: 00007f877d06bf80 R11: 0000000000000293 R12: ffffffffffffff80
[ 388.675314][ T2650] R13: 0000000000000002 R14: 00007ffe43b01c40 R15: 00007f877c600000
[ 388.683154][ T2650] </TASK>
[ 388.686037][ T2650]
[ 388.688226][ T2650] Allocated by task 2650:
[ 388.692414][ T2650] kasan_save_stack (mm/kasan/common.c:48)
[ 388.696948][ T2650] kasan_save_track (arch/x86/include/asm/current.h:49 (discriminator 1) mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1))
[ 388.701485][ T2650] __kasan_kmalloc (mm/kasan/common.c:370 mm/kasan/common.c:387)
[ 388.705934][ T2650] netfs_buffer_append_folio (include/linux/slab.h:681 fs/netfs/misc.c:25)
[ 388.711424][ T2650] netfs_write_folio (fs/netfs/write_issue.c:432)
[ 388.716307][ T2650] netfs_writepages (fs/netfs/write_issue.c:538 (discriminator 1))
[ 388.721017][ T2650] do_writepages (mm/page-writeback.c:2683)
[ 388.725468][ T2650] filemap_fdatawrite_wbc (mm/filemap.c:398 mm/filemap.c:387)
[ 388.730699][ T2650] __filemap_fdatawrite_range (mm/filemap.c:422)
[ 388.736107][ T2650] filemap_write_and_wait_range (mm/filemap.c:685 mm/filemap.c:676)
[ 388.741687][ T2650] cifs_flush (fs/smb/client/file.c:2729 (discriminator 2)) cifs
[ 388.746589][ T2650] filp_flush (fs/open.c:1526)
[ 388.750690][ T2650] filp_close (fs/open.c:1540)
[ 388.754704][ T2650] put_files_struct (fs/file.c:438 fs/file.c:452 fs/file.c:449)
[ 388.759411][ T2650] do_exit (kernel/exit.c:878)
[ 388.763339][ T2650] do_group_exit (kernel/exit.c:1012)
[ 388.767702][ T2650] get_signal (kernel/signal.c:746 kernel/signal.c:2794)
[ 388.772066][ T2650] arch_do_signal_or_restart (arch/x86/kernel/signal.c:310 (discriminator 1))
[ 388.777478][ T2650] syscall_exit_to_user_mode (kernel/entry/common.c:111 include/linux/entry-common.h:328 kernel/entry/common.c:207 kernel/entry/common.c:218)
[ 388.782973][ T2650] do_syscall_64 (arch/x86/entry/common.c:102)
[ 388.787338][ T2650] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[ 388.793091][ T2650]
[ 388.795282][ T2650] Freed by task 2622:
[ 388.799128][ T2650] kasan_save_stack (mm/kasan/common.c:48)
[ 388.803669][ T2650] kasan_save_track (arch/x86/include/asm/current.h:49 (discriminator 1) mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1))
[ 388.808211][ T2650] kasan_save_free_info (mm/kasan/generic.c:582 (discriminator 1))
[ 388.813103][ T2650] poison_slab_object (mm/kasan/common.c:242)
[ 388.817993][ T2650] __kasan_slab_free (mm/kasan/common.c:256 (discriminator 1))
[ 388.822642][ T2650] kfree (mm/slub.c:4474 mm/slub.c:4594)
[ 388.826311][ T2650] netfs_delete_buffer_head (fs/netfs/misc.c:60)
[ 388.831650][ T2650] netfs_writeback_unlock_folios (fs/netfs/write_collect.c:137)
[ 388.837489][ T2650] netfs_collect_write_results (fs/netfs/write_collect.c:551)
[ 388.843241][ T2650] netfs_write_collection_worker (include/linux/instrumented.h:68 include/asm-generic/bitops/instrumented-non-atomic.h:141 fs/netfs/write_collect.c:641)
[ 388.849080][ T2650] process_one_work (kernel/workqueue.c:3231)
[ 388.853878][ T2650] worker_thread (kernel/workqueue.c:3306 (discriminator 2) kernel/workqueue.c:3390 (discriminator 2))
[ 388.858415][ T2650] kthread (kernel/kthread.c:389)
[ 388.862343][ T2650] ret_from_fork (arch/x86/kernel/process.c:147)
[ 388.866627][ T2650] ret_from_fork_asm (arch/x86/entry/entry_64.S:257)
[ 388.871249][ T2650]
[ 388.873436][ T2650] The buggy address belongs to the object at ffff88813dc6b400
[ 388.873436][ T2650]  which belongs to the cache kmalloc-512 of size 512


The kernel config and materials to reproduce
are available at:
https://download.01.org/0day-ci/archive/20240808/202408081649.796e7bd-oliver.sang@xxxxxxxxx

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
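To show how a report like the one above is read during triage, here is an added helper script; it is example code written for this page, not part of the kernel test robot's tooling or of the netfs code. It parses a constructed excerpt of the report above and pulls out the three facts that matter: what was accessed (an 8-byte read at offset 0x120 of a 512-byte kmalloc-512 object), which code allocated and freed that object once the KASAN and allocator frames are skipped (netfs_buffer_append_folio on the issuing task, netfs_delete_buffer_head on the write-collection worker), and whether the free happened on a different task from the access. Here it did: task 2622 freed the buffer segment while task 2650 was still copying from it in _copy_from_iter, which is the ownership race between the issuer and the asynchronous collector that the trace documents. The regular expressions and the INFRA prefix list are assumptions about the report format made for this example, not anything the report itself defines.

```python
"""Triage helper for KASAN slab-use-after-free reports (added example, not kernel code).
Regexes match the printk prefix "[ 388.136673][ T2650] " and the key report lines."""
import re
from collections import namedtuple

PREFIX_RE = re.compile(r"^\[\s*[\d.]+\]\[\s*T\d+\]\s?")
BUG_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\S+)")
ACCESS_RE = re.compile(r"^(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task \S+/(?P<pid>\d+)")
ALLOC_RE = re.compile(r"^Allocated by task (?P<pid>\d+):")
FREE_RE = re.compile(r"^Freed by task (?P<pid>\d+):")
OBJ_RE = re.compile(r"^The buggy address belongs to the object at (?P<base>[0-9a-f]+)")
CACHE_RE = re.compile(r"^which belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
# A frame: optional "? " (stale value found on the stack), a symbol or raw address,
# optional +off/len for undecoded frames, then optional "(file:line ...)" and module.
FRAME_RE = re.compile(r"^(?:\? )?(?:[A-Za-z_][\w.]*|0x[0-9a-f]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?(?:\s|$)")
# KASAN/allocator frames say nothing about which subsystem owned the object (assumed list).
INFRA = ("kasan_", "__kasan_", "poison_slab_object", "kfree", "kmalloc", "dump_stack", "print_", "__pfx_")
Frame = namedtuple("Frame", "symbol location module uncertain")


def parse_frame(body: str) -> Frame:
    uncertain = body.startswith("? ")
    text = body[2:] if uncertain else body
    location = module = ""
    if " (" in text:
        symbol, rest = text.split(" (", 1)
        end = rest.rfind(")")                  # locations may nest "(discriminator N)"
        location, module = rest[:end], rest[end + 1:].strip()
    else:
        symbol, _, module = text.partition(" ")
    return Frame(symbol.split("+0x", 1)[0], location, module, uncertain)


def parse_kasan_report(text: str) -> dict:
    rep, section = {"trace": [], "alloc": [], "free": []}, None
    for raw in text.splitlines():
        m = PREFIX_RE.match(raw)
        if not m:
            continue                           # e.g. the "Code starting with ..." banner
        body = raw[m.end():].strip()
        if x := BUG_RE.match(body):
            rep.update(kind=x["kind"], func=x["func"])
        elif x := ACCESS_RE.match(body):
            rep.update(op=x["op"], size=int(x["size"]), addr=int(x["addr"], 16), pid=int(x["pid"]))
        elif x := ALLOC_RE.match(body):
            rep["alloc_pid"], section = int(x["pid"]), "alloc"
        elif x := FREE_RE.match(body):
            rep["free_pid"], section = int(x["pid"]), "free"
        elif x := OBJ_RE.match(body):
            rep["obj_base"], section = int(x["base"], 16), None
        elif x := CACHE_RE.match(body):
            rep.update(cache=x["cache"], obj_size=int(x["size"]))
        elif body == "<TASK>":
            section = "trace"
        elif body in ("</TASK>", ""):          # a blank log line ends a stack section
            section = None
        elif section and FRAME_RE.match(body):
            rep[section].append(parse_frame(body))
    return rep


def first_owner(frames):
    """Symbol of the first certain frame outside KASAN/allocator code: the real user."""
    return next((f.symbol for f in frames if not f.uncertain and not f.symbol.startswith(INFRA)), None)


def summarize(rep: dict) -> dict:
    offset = rep["addr"] - rep["obj_base"]
    return {
        "kind": rep["kind"],
        "access": f"{rep['op']} of {rep['size']} bytes at offset {offset:#x} in a "
                  f"{rep['obj_size']}-byte {rep['cache']} object",
        "accessed_in": first_owner(rep["trace"]),
        "allocated_in": first_owner(rep["alloc"]),
        "freed_in": first_owner(rep["free"]),
        # Free on another task than the accessor: issuer vs. async completion race.
        "cross_task": rep["pid"] != rep["free_pid"],
    }


# Constructed excerpt of the report above (frames trimmed, locations shortened).
SAMPLE_REPORT = """\
[ 388.136673][ T2650] BUG: KASAN: slab-use-after-free in _copy_from_iter (lib/iov_iter.c:249 lib/iov_iter.c:260)
[ 388.144431][ T2650] Read of size 8 at addr ffff88813dc6b520 by task xfs_io/2650
[ 388.174524][ T2650] <TASK>
[ 388.181698][ T2650] print_address_description+0x30/0x410
[ 388.188158][ T2650] ? _copy_from_iter (lib/iov_iter.c:249 lib/iov_iter.c:260)
[ 388.207164][ T2650] kasan_report (mm/kasan/report.c:603)
[ 388.216409][ T2650] _copy_from_iter (lib/iov_iter.c:249 lib/iov_iter.c:260)
[ 388.324509][ T2650] smb_send_kvec (fs/smb/client/transport.c:215) cifs
[ 388.624527][ T2650] RIP: 0033:0x7f877d125d32
Code starting with the faulting instruction
[ 388.683154][ T2650] </TASK>
[ 388.688226][ T2650] Allocated by task 2650:
[ 388.701485][ T2650] __kasan_kmalloc (mm/kasan/common.c:370 mm/kasan/common.c:387)
[ 388.705934][ T2650] netfs_buffer_append_folio (include/linux/slab.h:681 fs/netfs/misc.c:25)
[ 388.793091][ T2650]
[ 388.795282][ T2650] Freed by task 2622:
[ 388.822642][ T2650] kfree (mm/slub.c:4474 mm/slub.c:4594)
[ 388.826311][ T2650] netfs_delete_buffer_head (fs/netfs/misc.c:60)
[ 388.873436][ T2650] The buggy address belongs to the object at ffff88813dc6b400
[ 388.873436][ T2650]  which belongs to the cache kmalloc-512 of size 512
"""

if __name__ == "__main__":
    print(summarize(parse_kasan_report(SAMPLE_REPORT)))
```

Frames prefixed with "?" are values the unwinder found on the stack that may be stale, so they are excluded when looking for the owning code; the first certain non-KASAN frame of each stack is what to read. The cross_task flag is the quick tell for this class of bug: the object was released by the write-collection worker, not by the task that was still using it.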