https://bugzilla.kernel.org/show_bug.cgi?id=216151 Bug ID: 216151 Summary: kernel panic after BUG: KASAN: use-after-free in _copy_to_iter+0x830/0x1030 Product: File System Version: 2.5 Kernel Version: v5.19-rc2+ Hardware: All OS: Linux Tree: Mainline Status: NEW Severity: normal Priority: P1 Component: XFS Assignee: filesystem_xfs@xxxxxxxxxxxxxxxxxxxxxx Reporter: zlang@xxxxxxxxxx Regression: No xfstests generic/465 hit below kernel panic and KASAN BUG on NFS through XFS(default mkfs options). Hit on linux v5.19-rc2+, which HEAD is: commit 05c6ca8512f2722f57743d653bb68cf2a273a55a Author: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> Date: Sun Jun 19 09:58:28 2022 -0500 Merge tag 'x86-urgent-2022-06-19' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip # cat local.config FSTYP=nfs TEST_DEV=$mynfs_server:/mnt/xfstests/test/nfs-server TEST_DIR=/mnt/xfstests/test/nfs-client SCRATCH_DEV=$mynfs_server:/mnt/xfstests/scratch/nfs-server SCRATCH_MNT=/mnt/xfstests/scratch/nfs-client MOUNT_OPTIONS="-o vers=4.2" TEST_FS_MOUNT_OPTS="-o vers=4.2" XFS info: meta-data=/dev/vda4 isize=512 agcount=4, agsize=983040 blks = sectsz=512 attr=2, projid32bit=1 = crc=1 finobt=1, sparse=1, rmapbt=0 = reflink=1 bigtime=1 inobtcount=1 data = bsize=4096 blocks=3932160, imaxpct=25 = sunit=0 swidth=0 blks naming =version 2 bsize=4096 ascii-ci=0, ftype=1 log =internal log bsize=4096 blocks=16384, version=2 = sectsz=512 sunit=0 blks, lazy-count=1 realtime =none extsz=4096 blocks=0, rtextents=0 console log: [26844.323108] run fstests generic/465 at 2022-06-20 00:24:32 [26847.872804] ================================================================== [26847.872854] BUG: KASAN: use-after-free in _copy_to_iter+0x694/0xd0c [26847.872992] Write of size 16 at addr ffff2fb1d4013000 by task nfsd/45920 [26847.872999] [26847.873083] CPU: 0 PID: 45920 Comm: nfsd Kdump: loaded Not tainted 5.19.0-rc2+ #1 [26847.873090] Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 [26847.873094] Call trace: [26847.873174] dump_backtrace+0x1e0/0x26c [26847.873198] show_stack+0x1c/0x70 [26847.873203] dump_stack_lvl+0x98/0xd0 [26847.873262] print_address_description.constprop.0+0x74/0x420 [26847.873285] print_report+0xc8/0x234 [26847.873290] kasan_report+0xb0/0xf0 [26847.873294] kasan_check_range+0xf4/0x1a0 [26847.873298] memcpy+0xdc/0x100 [26847.873303] _copy_to_iter+0x694/0xd0c [26847.873307] copy_page_to_iter+0x3f0/0xb30 [26847.873311] filemap_read+0x3e8/0x7e0 [26847.873319] generic_file_read_iter+0x2b0/0x404 [26847.873324] xfs_file_buffered_read+0x18c/0x4e0 [xfs] [26847.873854] xfs_file_read_iter+0x260/0x514 [xfs] [26847.874168] do_iter_readv_writev+0x338/0x4b0 [26847.874176] do_iter_read+0x120/0x374 [26847.874180] vfs_iter_read+0x5c/0xa0 [26847.874185] nfsd_readv+0x1a0/0x9ac [nfsd] [26847.874308] nfsd4_encode_read_plus_data+0x2f0/0x690 [nfsd] [26847.874387] nfsd4_encode_read_plus+0x344/0x924 [nfsd] [26847.874468] nfsd4_encode_operation+0x1fc/0x800 [nfsd] [26847.874544] nfsd4_proc_compound+0x9c4/0x2364 [nfsd] [26847.874620] nfsd_dispatch+0x3a4/0x67c [nfsd] [26847.874697] svc_process_common+0xd54/0x1be0 [sunrpc] [26847.874921] svc_process+0x298/0x484 [sunrpc] [26847.875063] nfsd+0x2b0/0x580 [nfsd] [26847.875143] kthread+0x230/0x294 [26847.875170] ret_from_fork+0x10/0x20 [26847.875178] [26847.875180] Allocated by task 602477: [26847.875185] kasan_save_stack+0x28/0x50 [26847.875191] __kasan_slab_alloc+0x68/0x90 [26847.875195] kmem_cache_alloc+0x180/0x394 [26847.875199] security_inode_alloc+0x30/0x120 [26847.875221] inode_init_always+0x49c/0xb1c [26847.875228] alloc_inode+0x70/0x1c0 [26847.875232] new_inode+0x20/0x230 [26847.875236] debugfs_create_dir+0x74/0x48c [26847.875243] rpc_clnt_debugfs_register+0xd0/0x174 [sunrpc] [26847.875384] rpc_client_register+0x90/0x4c4 [sunrpc] [26847.875526] rpc_new_client+0x6e0/0x1260 [sunrpc] [26847.875666] __rpc_clone_client+0x158/0x7d4 [sunrpc] [26847.875831] rpc_clone_client+0x168/0x1dc [sunrpc] [26847.875972] nfs4_proc_lookup_mountpoint+0x180/0x1f0 [nfsv4] [26847.876149] nfs4_submount+0xcc/0x6cc [nfsv4] [26847.876251] nfs_d_automount+0x4b4/0x7bc [nfs] [26847.876389] __traverse_mounts+0x180/0x4a0 [26847.876396] step_into+0x510/0x940 [26847.876400] walk_component+0xf0/0x510 [26847.876405] link_path_walk.part.0.constprop.0+0x4c0/0xa3c [26847.876410] path_lookupat+0x6c/0x57c [26847.876436] filename_lookup+0x13c/0x400 [26847.876440] vfs_path_lookup+0xa0/0xec [26847.876445] mount_subtree+0x1c4/0x380 [26847.876451] do_nfs4_mount+0x3c0/0x770 [nfsv4] [26847.876554] nfs4_try_get_tree+0xc0/0x24c [nfsv4] [26847.876653] nfs_get_tree+0xc0/0x110 [nfs] [26847.876742] vfs_get_tree+0x78/0x2a0 [26847.876748] do_new_mount+0x228/0x4fc [26847.876753] path_mount+0x268/0x16d4 [26847.876757] __arm64_sys_mount+0x1dc/0x240 [26847.876762] invoke_syscall.constprop.0+0xd8/0x1d0 [26847.876769] el0_svc_common.constprop.0+0x224/0x2bc [26847.876774] do_el0_svc+0x4c/0x90 [26847.876778] el0_svc+0x5c/0x140 [26847.876785] el0t_64_sync_handler+0xb4/0x130 [26847.876789] el0t_64_sync+0x174/0x178 [26847.876793] [26847.876794] Last potentially related work creation: [26847.876797] kasan_save_stack+0x28/0x50 [26847.876802] __kasan_record_aux_stack+0x9c/0xc0 [26847.876806] kasan_record_aux_stack_noalloc+0x10/0x20 [26847.876811] call_rcu+0xf8/0x6c0 [26847.876818] security_inode_free+0x94/0xc0 [26847.876823] __destroy_inode+0xb0/0x420 [26847.876828] destroy_inode+0x80/0x170 [26847.876832] evict+0x334/0x4c0 [26847.876836] iput_final+0x138/0x364 [26847.876841] iput.part.0+0x330/0x47c [26847.876845] iput+0x44/0x60 [26847.876849] dentry_unlink_inode+0x200/0x43c [26847.876853] __dentry_kill+0x29c/0x56c [26847.876857] dput+0x41c/0x870 [26847.876860] simple_recursive_removal+0x4ac/0x630 [26847.876865] debugfs_remove+0x5c/0x80 [26847.876870] rpc_clnt_debugfs_unregister+0x3c/0x7c [sunrpc] [26847.877011] rpc_free_client_work+0xdc/0x480 [sunrpc] [26847.877154] process_one_work+0x794/0x184c [26847.877161] worker_thread+0x3d4/0xc40 [26847.877165] kthread+0x230/0x294 [26847.877168] ret_from_fork+0x10/0x20 [26847.877172] [26847.877174] Second to last potentially related work creation: [26847.877177] kasan_save_stack+0x28/0x50 [26847.877181] __kasan_record_aux_stack+0x9c/0xc0 [26847.877185] kasan_record_aux_stack_noalloc+0x10/0x20 [26847.877190] call_rcu+0xf8/0x6c0 [26847.877195] security_inode_free+0x94/0xc0 [26847.877200] __destroy_inode+0xb0/0x420 [26847.877205] destroy_inode+0x80/0x170 [26847.877209] evict+0x334/0x4c0 [26847.877213] iput_final+0x138/0x364 [26847.877217] iput.part.0+0x330/0x47c [26847.877221] iput+0x44/0x60 [26847.877226] dentry_unlink_inode+0x200/0x43c [26847.877229] __dentry_kill+0x29c/0x56c [26847.877233] dput+0x44c/0x870 [26847.877237] __fput+0x244/0x730 [26847.877241] ____fput+0x14/0x20 [26847.877245] task_work_run+0xd0/0x240 [26847.877250] do_exit+0x3a0/0xaac [26847.877256] do_group_exit+0xac/0x244 [26847.877260] __arm64_sys_exit_group+0x40/0x4c [26847.877264] invoke_syscall.constprop.0+0xd8/0x1d0 [26847.877270] el0_svc_common.constprop.0+0x224/0x2bc [26847.877275] do_el0_svc+0x4c/0x90 [26847.877280] el0_svc+0x5c/0x140 [26847.877284] el0t_64_sync_handler+0xb4/0x130 [26847.877288] el0t_64_sync+0x174/0x178 [26847.877292] [26847.877293] The buggy address belongs to the object at ffff2fb1d4013000 [26847.877293] which belongs to the cache lsm_inode_cache of size 128 [26847.877298] The buggy address is located 0 bytes inside of [26847.877298] 128-byte region [ffff2fb1d4013000, ffff2fb1d4013080) [26847.877302] [26847.877304] The buggy address belongs to the physical page: [26847.877308] page:000000007bc4a504 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff2fb1d4013000 pfn:0x154013 [26847.877363] flags: 0x17ffff800000200(slab|node=0|zone=2|lastcpupid=0xfffff) [26847.877375] raw: 017ffff800000200 fffffcbec6646688 fffffcbec750d708 ffff2fb1808dfe00 [26847.877379] raw: ffff2fb1d4013000 0000000000150010 00000001ffffffff 0000000000000000 [26847.877382] page dumped because: kasan: bad access detected [26847.877384] [26847.877385] Memory state around the buggy address: [26847.877389] ffff2fb1d4012f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [26847.877392] ffff2fb1d4012f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [26847.877395] >ffff2fb1d4013000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [26847.877397] ^ [26847.877400] ffff2fb1d4013080: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb [26847.877402] ffff2fb1d4013100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [26847.877405] ================================================================== [26847.877570] Disabling lock debugging due to kernel taint [26848.391268] Unable to handle kernel write to read-only memory at virtual address ffff2fb197f76000 [26848.393628] KASAN: maybe wild-memory-access in range [0xfffd7d8cbfbb0000-0xfffd7d8cbfbb0007] [26848.395572] Mem abort info: [26848.396408] ESR = 0x000000009600004f [26848.397314] EC = 0x25: DABT (current EL), IL = 32 bits [26848.398520] SET = 0, FnV = 0 [26848.506889] EA = 0, S1PTW = 0 [26848.507633] FSC = 0x0f: level 3 permission fault [26848.508802] Data abort info: [26848.509480] ISV = 0, ISS = 0x0000004f [26848.510347] CM = 0, WnR = 1 [26848.511032] swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000b22dd000 [26848.512543] [ffff2fb197f76000] pgd=18000001bfff8003, p4d=18000001bfff8003, pud=18000001bfa08003, pmd=18000001bf948003, pte=0060000117f76f87 [26848.515600] Internal error: Oops: 9600004f [#1] SMP [26848.516870] Modules linked in: loop dm_mod tls rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache netfs rpcrdma rdma_cm iw_cm ib_cm ib_core nfsd auth_rpcgss nfs_acl lockd grace rfkill sunrpc vfat fat drm fuse xfs libcrc32c crct10dif_ce ghash_ce sha2_ce sha256_arm64 sha1_ce virtio_blk virtio_net virtio_console net_failover failover virtio_mmio ipmi_devintf ipmi_msghandler [26848.525472] CPU: 1 PID: 45919 Comm: nfsd Kdump: loaded Tainted: G B 5.19.0-rc2+ #1 [26848.527934] Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 [26848.529819] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [26848.531625] pc : __memcpy+0x2c/0x230 [26848.532583] lr : memcpy+0xa8/0x100 [26848.533497] sp : ffff80000bbb6f00 [26848.534444] x29: ffff80000bbb6f00 x28: 0000000000000000 x27: ffff2fb18a4bd5b8 [26848.536435] x26: 0000000000000000 x25: ffff80000bbb7740 x24: ffff2fb18a4bd5b0 [26848.538283] x23: ffff2fb1ee80bff0 x22: ffffa83e4692e000 x21: ffffa83e434ae3e8 [26848.540181] x20: ffff2fb197f76000 x19: 0000000000000010 x18: ffff2fb1d3c34530 [26848.542071] x17: 0000000000000000 x16: ffffa83e42d01a30 x15: 6161616161616161 [26848.543840] x14: 6161616161616161 x13: 6161616161616161 x12: 6161616161616161 [26848.545614] x11: 1fffe5f632feec01 x10: ffff65f632feec01 x9 : dfff800000000000 [26848.547387] x8 : ffff2fb197f7600f x7 : 6161616161616161 x6 : 6161616161616161 [26848.549156] x5 : ffff2fb197f76010 x4 : ffff2fb1ee80c000 x3 : ffffa83e434ae3e8 [26848.550924] x2 : 0000000000000010 x1 : ffff2fb1ee80bff0 x0 : ffff2fb197f76000 [26848.552694] Call trace: [26848.553314] __memcpy+0x2c/0x230 [26848.554123] _copy_to_iter+0x694/0xd0c [26848.555084] copy_page_to_iter+0x3f0/0xb30 [26848.556104] filemap_read+0x3e8/0x7e0 [26848.557020] generic_file_read_iter+0x2b0/0x404 [26848.558152] xfs_file_buffered_read+0x18c/0x4e0 [xfs] [26848.559795] xfs_file_read_iter+0x260/0x514 [xfs] [26848.561265] do_iter_readv_writev+0x338/0x4b0 [26848.562346] do_iter_read+0x120/0x374 [26848.563263] vfs_iter_read+0x5c/0xa0 [26848.564162] nfsd_readv+0x1a0/0x9ac [nfsd] [26848.565415] nfsd4_encode_read_plus_data+0x2f0/0x690 [nfsd] [26848.566869] nfsd4_encode_read_plus+0x344/0x924 [nfsd] [26848.568231] nfsd4_encode_operation+0x1fc/0x800 [nfsd] [26848.569596] nfsd4_proc_compound+0x9c4/0x2364 [nfsd] [26848.570908] nfsd_dispatch+0x3a4/0x67c [nfsd] [26848.572067] svc_process_common+0xd54/0x1be0 [sunrpc] [26848.573508] svc_process+0x298/0x484 [sunrpc] [26848.574743] nfsd+0x2b0/0x580 [nfsd] [26848.575718] kthread+0x230/0x294 [26848.576528] ret_from_fork+0x10/0x20 [26848.577421] Code: f100405f 540000c3 a9401c26 a97f348c (a9001c06) [26848.578934] SMP: stopping secondary CPUs [26848.582664] Starting crashdump kernel... [26848.583602] Bye! -- You may reply to this email to add a comment. You are receiving this mail because: You are watching the assignee of the bug.