  1. Lustre
  2. LU-19757

Use after free seen on: sanity/17n


Details

    • Bug
    • Resolution: Unresolved
    • Medium

    Description

      With KASAN and memory debugging enabled this appears to be a use-after-free where
      tgt_ses_info() returns an overwritten lc_value[<index>] after keys_fini() and before keys_init() has been completed.

      [ 1427.858040] Oops: general protection fault, probably for non-canonical address 0xe82ba42b882bbc13: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN NOPTI
      [ 1427.859002] KASAN: maybe wild-memory-access in range [0x415d415c415de098-0x415d415c415de09f]
      [ 1427.859852] CPU: 1 UID: 0 PID: 12602 Comm: tgt_recover_0 Kdump: loaded Tainted: G        W  OE      6.12.6-1.ldiskfs.gcov.el9.x86_64 #1
      

      By adding a sanity check on lc_tags this race appears to be preventable (a valid lc_value will always have at least one bit set in lc_tags).
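
The lc_tags check described above, as a single-threaded C model added here for illustration; it is not Lustre code and not the patch for this ticket. All model_* names, the slot count, the tag bit and the poison marker are assumptions, and the model shows only the validity check, not the locking or memory ordering a real race involves.

```c
#include <stdlib.h>
#define MODEL_KEY_NR 4      /* hypothetical slot count */
#define MODEL_TAG    0x1u   /* hypothetical tag bit */
static char model_poison;   /* constructed marker for a stale slot */
#define MODEL_POISON ((void *)&model_poison)

struct model_ctx {
    unsigned int lc_tags;          /* non-zero only while the slots are valid */
    void *lc_value[MODEL_KEY_NR];  /* per-key values */
};

/* Teardown: clear lc_tags first, then release and poison every slot. */
static void model_keys_fini(struct model_ctx *ctx)
{
    ctx->lc_tags = 0;
    for (int i = 0; i < MODEL_KEY_NR; i++) {
        if (ctx->lc_value[i] != MODEL_POISON)
            free(ctx->lc_value[i]);
        ctx->lc_value[i] = MODEL_POISON;
    }
}

/* Setup: fill every slot, and only then set a bit in lc_tags. */
static int model_keys_init(struct model_ctx *ctx)
{
    for (int i = 0; i < MODEL_KEY_NR; i++) {
        ctx->lc_value[i] = calloc(1, 64);
        if (ctx->lc_value[i] == NULL)
            return -1;  /* lc_tags stays 0; caller runs model_keys_fini() */
    }
    ctx->lc_tags = MODEL_TAG;
    return 0;
}

/* Guarded lookup: with no bit set in lc_tags, no slot can be trusted. */
static void *model_lookup_checked(struct model_ctx *ctx, int idx)
{
    if (ctx->lc_tags == 0 || idx < 0 || idx >= MODEL_KEY_NR)
        return NULL;
    return ctx->lc_value[idx];
}

int main(void)
{
    struct model_ctx ctx = {0};
    int rc = model_keys_init(&ctx);
    model_keys_fini(&ctx);  /* now in the window before the next init */
    return (rc == 0 && model_lookup_checked(&ctx, 0) == NULL) ? 0 : 1;
}
```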

          People

            stancheff Shaun Tancheff
            stancheff Shaun Tancheff