[LU-12812] use-after-free in ll_update_inode
Created: 27/Sep/19 Updated: 05/Aug/20

| Status: | Open |
| Project: | Lustre |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Bug |
| Priority: | Minor |
| Reporter: | CEA |
| Assignee: | Oleg Drokin |
| Resolution: | Unresolved |
| Votes: | 0 |
| Labels: | None |
| Severity: | 3 |
| Rank (Obsolete): | 9223372036854775807 |

| Description |
I discussed KASAN (kernel address sanitizer) with Oleg at LAD, and CentOS 8 just went out with their -debug kernel having KASAN enabled; so I just compiled a fresh lustre master with that and ran sanity.sh to show what kind of reports would come up. On v2_12_58-81-g95f8ae5677 I got this trace twice on the same test, but not if I try to run the test individually; not sure if cleanup from previous tests happens at the same time or what happens...
1st
[ 1523.737579] Lustre: DEBUG MARKER: == sanity test 27K: basic ops on dir with foreign LMV ================================================ 10:42:27 (1569573747)
[ 1524.109788] ==================================================================
[ 1524.113090] BUG: KASAN: slab-out-of-bounds in strcmp+0x97/0xa0
[ 1524.113983] Read of size 1 at addr ffff880301be4759 by task lt-lfs/27933
[ 1524.115222] CPU: 26 PID: 27933 Comm: lt-lfs Kdump: loaded Tainted: G W OE --------- -t - 4.18.0-80.7.1.el8.x86_64+debug #1
[ 1524.117042] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.2-0-gf9626ccb91-prebuilt.qemu-project.org 04/01/2014
[ 1524.118861] Call Trace:
[ 1524.119242] dump_stack+0x9a/0xe9
[ 1524.119777] print_address_description+0x65/0x22e
[ 1524.120512] ? strcmp+0x97/0xa0
[ 1524.120995] kasan_report.cold.6+0x92/0x1a6
[ 1524.121651] strcmp+0x97/0xa0
[ 1524.122145] ll_update_inode+0x1375/0x3e60 [lustre]
[ 1524.122900] ? _raw_spin_unlock+0x24/0x30
[ 1524.123563] ? ll_set_inode+0x430/0x430 [lustre]
[ 1524.124269] ? do_raw_spin_unlock+0x13e/0x1e0
[ 1524.124968] ? ll_set_inode+0x430/0x430 [lustre]
[ 1524.125742] ll_iget+0x40a/0x7a0 [lustre]
[ 1524.126386] ll_prep_inode+0x852/0x1900 [lustre]
[ 1524.127131] ? mdc_intent_lock+0x7a7/0xf40 [mdc]
[ 1524.127870] ? ll_open_cleanup+0xcb0/0xcb0 [lustre]
[ 1524.128675] ? ll_atomic_open+0x867/0x4880 [lustre]
[ 1524.129406] ? lookup_open+0xab3/0x1980
[ 1524.129987] ? mdc_revalidate_lock+0x530/0x530 [mdc]
[ 1524.130870] ? __req_capsule_get+0xb20/0xf40 [ptlrpc]
[ 1524.131705] ? lustre_swab_generic_32s+0x40/0x40 [ptlrpc]
[ 1524.132584] ll_lookup_it_finish+0x5f7/0x2f80 [lustre]
[ 1524.133363] ? trace_hardirqs_on+0x10/0x10
[ 1524.133992] ? ll_splice_alias+0x7b0/0x7b0 [lustre]
[ 1524.134776] ? lmv_intent_remote.isra.10+0x1e60/0x1e60 [lmv]
[ 1524.135653] ? from_kgid+0x83/0xc0
[ 1524.136186] ? ll_md_need_convert+0x440/0x440 [lustre]
[ 1524.136988] ? lmv_intent_lock+0x47c/0xaf0 [lmv]
[ 1524.137739] ? cfs_curproc_cap_pack+0x14/0x80 [libcfs]
[ 1524.138522] ? lock_downgrade+0x5e0/0x5e0
[ 1524.139181] ? lprocfs_counter_add+0x275/0x410 [obdclass]
[ 1524.140008] ? lmv_intent_lookup+0x1840/0x1840 [lmv]
[ 1524.140835] ll_lookup_it+0x16b3/0x3fc0 [lustre]
[ 1524.141571] ? kasan_kmalloc+0xbf/0xe0
[ 1524.142152] ? ll_lookup_it_finish+0x2f80/0x2f80 [lustre]
[ 1524.142975] ? path_openat+0x14ce/0x2e30
[ 1524.143604] ? do_sys_open+0x1db/0x310
[ 1524.144183] ? do_syscall_64+0xa5/0x4a0
[ 1524.144794] ? entry_SYSCALL_64_after_hwframe+0x6a/0xdf
[ 1524.145610] ? libcfs_debug_msg+0x1523/0x1f30 [libcfs]
[ 1524.146398] ? lookup_open+0x472/0x1980
[ 1524.147000] ? do_filp_open+0x17c/0x250
[ 1524.147661] ? do_syscall_64+0xa5/0x4a0
[ 1524.148252] ? put_pages_on_daemon_list+0x120/0x120 [libcfs]
[ 1524.149177] ? lprocfs_counter_add+0x275/0x410 [obdclass]
[ 1524.150047] ? lprocfs_alloc_md_stats+0x3b0/0x3b0 [obdclass]
[ 1524.150934] ? ll_atomic_open+0x2a1/0x4880 [lustre]
[ 1524.151699] ? kmem_cache_alloc_trace+0x15b/0x3a0
[ 1524.152448] ? ll_atomic_open+0x2a1/0x4880 [lustre]
[ 1524.153221] ll_atomic_open+0x867/0x4880 [lustre]
[ 1524.153954] ? lock_downgrade+0x5e0/0x5e0
[ 1524.154604] ? lookup_open+0x472/0x1980
[ 1524.155179] ? _raw_spin_unlock+0x24/0x30
[ 1524.155824] ? ll_lookup_it+0x3fc0/0x3fc0 [lustre]
[ 1524.156615] ? d_alloc_parallel+0x51e/0x14b0
[ 1524.157255] ? __d_lookup_rcu+0x800/0x800
[ 1524.157889] ? __d_lookup+0x3e/0x580
[ 1524.158456] ? lookup_open+0x289/0x1980
[ 1524.159058] lookup_open+0xab3/0x1980
[ 1524.159652] ? trailing_symlink+0x8b0/0x8b0
[ 1524.160293] ? trace_hardirqs_on+0x10/0x10
[ 1524.160934] path_openat+0x14ce/0x2e30
[ 1524.161527] ? kasan_kmalloc+0xbf/0xe0
[ 1524.162107] ? kmem_cache_alloc+0x112/0x370
[ 1524.162766] ? getname_flags+0xba/0x510
[ 1524.163352] ? path_lookupat.isra.47+0x830/0x830
[ 1524.164070] ? _raw_spin_unlock+0x24/0x30
[ 1524.164713] ? get_partial_node.isra.59.part.60+0x1eb/0x290
[ 1524.165576] ? lock_acquire+0x14c/0x400
[ 1524.166145] ? __audit_syscall_entry+0x33d/0x790
[ 1524.166863] ? trace_hardirqs_on+0x10/0x10
[ 1524.167494] do_filp_open+0x17c/0x250
[ 1524.168063] ? may_open_dev+0xc0/0xc0
[ 1524.168668] ? do_raw_spin_unlock+0x13e/0x1e0
[ 1524.169329] ? _raw_spin_unlock+0x24/0x30
[ 1524.169948] do_sys_open+0x1db/0x310
[ 1524.170520] ? spurious_fault+0x710/0x710
[ 1524.171135] ? filp_open+0x50/0x50
[ 1524.171685] do_syscall_64+0xa5/0x4a0
[ 1524.172247] entry_SYSCALL_64_after_hwframe+0x6a/0xdf
[ 1524.173034] RIP: 0033:0x7fefeb5b5675
[ 1524.173615] Code: 44 24 18 31 c0 41 83 e2 40 75 42 89 f0 25 00 00 41 00 3d 00 00 41 00 74 34 89 f2 b8 01 01 00 00 48 89 fe bf 9c ff ff ff 0f 05 <48> 3d 00 f0 ff ff 77 43 48 8b 4c 24 18 64 48 33 0c 25 28 00 00 00
[ 1524.176444] RSP: 002b:00007ffe87f814a0 EFLAGS: 00000287 ORIG_RAX: 0000000000000101
[ 1524.177624] RAX: ffffffffffffffda RBX: 00000000022e72a4 RCX: 00007fefeb5b5675
[ 1524.178703] RDX: 0000000000090800 RSI: 00000000022e7280 RDI: 00000000ffffff9c
[ 1524.179789] RBP: 00000000022e7280 R08: 00007ffe87f81730 R09: 0000000000000000
[ 1524.180896] R10: 0000000000000000 R11: 0000000000000287 R12: 00000000022e7280
[ 1524.181976] R13: 00007fefec4781f0 R14: 00007fefec46e7b0 R15: 0000000000000000
[ 1524.183324] Allocated by task 27933:
[ 1524.183877] kasan_kmalloc+0xbf/0xe0
[ 1524.184447] __kmalloc+0x149/0x350
[ 1524.184974] lmv_unpackmd+0xca2/0x23e0 [lmv]
[ 1524.185666] mdc_get_lustre_md+0xd03/0x2460 [mdc]
[ 1524.186422] ll_prep_inode+0x402/0x1900 [lustre]
[ 1524.187151] ll_lookup_it_finish+0x5f7/0x2f80 [lustre]
[ 1524.187944] ll_lookup_it+0x16b3/0x3fc0 [lustre]
[ 1524.188712] ll_atomic_open+0x867/0x4880 [lustre]
[ 1524.189428] lookup_open+0xab3/0x1980
[ 1524.189986] path_openat+0x14ce/0x2e30
[ 1524.190600] do_filp_open+0x17c/0x250
[ 1524.191168] do_sys_open+0x1db/0x310
[ 1524.191745] do_syscall_64+0xa5/0x4a0
[ 1524.192318] entry_SYSCALL_64_after_hwframe+0x6a/0xdf
[ 1524.193344] Freed by task 11472:
[ 1524.193854] __kasan_slab_free+0x125/0x170
[ 1524.194488] slab_free_freelist_hook+0x5a/0x120
[ 1524.195184] kfree+0xd6/0x2e0
[ 1524.195717] tgt_release_reply_data+0x29a/0x4d0 [ptlrpc]
[ 1524.196672] tgt_handle_received_xid+0x18f/0x280 [ptlrpc]
[ 1524.197587] tgt_request_handle+0x28f5/0x4040 [ptlrpc]
[ 1524.198411] ptlrpc_server_handle_request+0xa65/0x1ff0 [ptlrpc]
[ 1524.199359] ptlrpc_main+0x1f6c/0x3d10 [ptlrpc]
[ 1524.200046] kthread+0x30c/0x3d0
[ 1524.200595] ret_from_fork+0x3a/0x50
[ 1524.201372] The buggy address belongs to the object at ffff880301be4700
which belongs to the cache kmalloc-96 of size 96
[ 1524.203242] The buggy address is located 89 bytes inside of
96-byte region [ffff880301be4700, ffff880301be4760)
[ 1524.204977] The buggy address belongs to the page:
[ 1524.205743] page:ffffea000c06f900 count:1 mapcount:0 mapping:ffff880107c16e00 index:0xffff880301be4180
[ 1524.207137] flags: 0x17ffffc0000100(slab)
[ 1524.207772] raw: 0017ffffc0000100 ffffea0064ae12c0 0000000b0000000b ffff880107c16e00
[ 1524.208985] raw: ffff880301be4180 000000008020000b 00000001ffffffff 0000000000000000
[ 1524.210176] page dumped because: kasan: bad access detected
[ 1524.211261] Memory state around the buggy address:
[ 1524.211993] ffff880301be4600: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 1524.213159] ffff880301be4680: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 1524.214268] >ffff880301be4700: 00 00 00 00 00 00 00 00 00 00 00 01 fc fc fc fc
[ 1524.215370] ^
[ 1524.216317] ffff880301be4780: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 1524.217454] ffff880301be4800: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 1524.218578] ==================================================================
2nd
[ 2628.507920] Lustre: DEBUG MARKER: == sanity test 27K: basic ops on dir with foreign LMV ================================================ 15:22:19 (1569504139)
[ 2628.940393] ==================================================================
[ 2628.943833] BUG: KASAN: slab-out-of-bounds in strcmp+0x97/0xa0
[ 2628.944738] Read of size 1 at addr ffff88031e652659 by task lt-lfs/10986
[ 2628.946028] CPU: 26 PID: 10986 Comm: lt-lfs Kdump: loaded Tainted: G W OE --------- -t - 4.18.0-80.7.1.el8.x86_64+debug #1
[ 2628.947829] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.2-0-gf9626ccb91-prebuilt.qemu-project.org 04/01/2014
[ 2628.949646] Call Trace:
[ 2628.950046] dump_stack+0x9a/0xe9
[ 2628.950557] print_address_description+0x65/0x22e
[ 2628.951293] ? strcmp+0x97/0xa0
[ 2628.951788] kasan_report.cold.6+0x92/0x1a6
[ 2628.952447] strcmp+0x97/0xa0
[ 2628.952957] ll_update_inode+0x1375/0x3e60 [lustre]
[ 2628.953719] ? _raw_spin_unlock+0x24/0x30
[ 2628.954364] ? ll_set_inode+0x430/0x430 [lustre]
[ 2628.955087] ? do_raw_spin_unlock+0x13e/0x1e0
[ 2628.955770] ? ll_set_inode+0x430/0x430 [lustre]
[ 2628.956503] ll_iget+0x40a/0x7a0 [lustre]
[ 2628.957160] ll_prep_inode+0x852/0x1900 [lustre]
[ 2628.957899] ? mdc_intent_lock+0x7a7/0xf40 [mdc]
[ 2628.958642] ? ll_open_cleanup+0xcb0/0xcb0 [lustre]
[ 2628.959413] ? ll_atomic_open+0x867/0x4880 [lustre]
[ 2628.960173] ? lookup_open+0xab3/0x1980
[ 2628.960796] ? mdc_revalidate_lock+0x530/0x530 [mdc]
[ 2628.961699] ? __req_capsule_get+0xb20/0xf40 [ptlrpc]
[ 2628.962534] ? lustre_swab_generic_32s+0x40/0x40 [ptlrpc]
[ 2628.963407] ll_lookup_it_finish+0x5f7/0x2f80 [lustre]
[ 2628.964214] ? trace_hardirqs_on+0x10/0x10
[ 2628.964869] ? ll_splice_alias+0x7b0/0x7b0 [lustre]
[ 2628.965643] ? lmv_intent_remote.isra.10+0x1e60/0x1e60 [lmv]
[ 2628.966507] ? from_kgid+0x83/0xc0
[ 2628.967078] ? ll_md_need_convert+0x440/0x440 [lustre]
[ 2628.967884] ? lmv_intent_lock+0x47c/0xaf0 [lmv]
[ 2628.968632] ? cfs_curproc_cap_pack+0x14/0x80 [libcfs]
[ 2628.969422] ? lock_downgrade+0x5e0/0x5e0
[ 2628.970119] ? lprocfs_counter_add+0x275/0x410 [obdclass]
[ 2628.970954] ? lmv_intent_lookup+0x1840/0x1840 [lmv]
[ 2628.971771] ll_lookup_it+0x16b3/0x3fc0 [lustre]
[ 2628.972507] ? kasan_kmalloc+0xbf/0xe0
[ 2628.973145] ? ll_lookup_it_finish+0x2f80/0x2f80 [lustre]
[ 2628.973998] ? path_openat+0x14ce/0x2e30
[ 2628.974641] ? do_sys_open+0x1db/0x310
[ 2628.975249] ? do_syscall_64+0xa5/0x4a0
[ 2628.975878] ? entry_SYSCALL_64_after_hwframe+0x6a/0xdf
[ 2628.976736] ? libcfs_debug_msg+0x1523/0x1f30 [libcfs]
[ 2628.977577] ? lookup_open+0x472/0x1980
[ 2628.978219] ? do_filp_open+0x17c/0x250
[ 2628.978835] ? do_syscall_64+0xa5/0x4a0
[ 2628.979478] ? put_pages_on_daemon_list+0x120/0x120 [libcfs]
[ 2628.980446] ? lprocfs_counter_add+0x275/0x410 [obdclass]
[ 2628.981359] ? lprocfs_alloc_md_stats+0x3b0/0x3b0 [obdclass]
[ 2628.982286] ? ll_atomic_open+0x2a1/0x4880 [lustre]
[ 2628.983089] ? kmem_cache_alloc_trace+0x15b/0x3a0
[ 2628.983856] ? ll_atomic_open+0x2a1/0x4880 [lustre]
[ 2628.984678] ll_atomic_open+0x867/0x4880 [lustre]
[ 2628.985419] ? lock_downgrade+0x5e0/0x5e0
[ 2628.986072] ? lookup_open+0x472/0x1980
[ 2628.986689] ? _raw_spin_unlock+0x24/0x30
[ 2628.987360] ? ll_lookup_it+0x3fc0/0x3fc0 [lustre]
[ 2628.988124] ? d_alloc_parallel+0x51e/0x14b0
[ 2628.988809] ? __d_lookup_rcu+0x800/0x800
[ 2628.989465] ? __d_lookup+0x3e/0x580
[ 2628.990057] ? lookup_open+0x289/0x1980
[ 2628.990679] ? iam_lvar_create+0x720/0xa60 [osd_ldiskfs]
[ 2628.991522] lookup_open+0xab3/0x1980
[ 2628.992117] ? trailing_symlink+0x8b0/0x8b0
[ 2628.992783] ? trace_hardirqs_on+0x10/0x10
[ 2628.993464] path_openat+0x14ce/0x2e30
[ 2628.994080] ? kasan_kmalloc+0xbf/0xe0
[ 2628.994688] ? kmem_cache_alloc+0x112/0x370
[ 2628.995363] ? getname_flags+0xba/0x510
[ 2628.995963] ? path_lookupat.isra.47+0x830/0x830
[ 2628.996691] ? trace_hardirqs_on+0x10/0x10
[ 2628.997372] ? handle_pte_fault+0x837/0x2b80
[ 2628.998049] ? lock_downgrade+0x5e0/0x5e0
[ 2628.998677] ? lock_acquire+0x14c/0x400
[ 2628.999281] ? __audit_syscall_entry+0x33d/0x790
[ 2629.000024] ? trace_hardirqs_on+0x10/0x10
[ 2629.000680] do_filp_open+0x17c/0x250
[ 2629.001274] ? may_open_dev+0xc0/0xc0
[ 2629.001852] ? do_raw_spin_unlock+0x13e/0x1e0
[ 2629.002559] ? _raw_spin_unlock+0x24/0x30
[ 2629.003220] do_sys_open+0x1db/0x310
[ 2629.003784] ? spurious_fault+0x710/0x710
[ 2629.004448] ? filp_open+0x50/0x50
[ 2629.005000] do_syscall_64+0xa5/0x4a0
[ 2629.005586] entry_SYSCALL_64_after_hwframe+0x6a/0xdf
[ 2629.006411] RIP: 0033:0x7fbf58904675
[ 2629.006973] Code: 44 24 18 31 c0 41 83 e2 40 75 42 89 f0 25 00 00 41 00 3d 00 00 41 00 74 34 89 f2 b8 01 01 00 00 48 89 fe bf 9c ff ff ff 0f 05 <48> 3d 00 f0 ff ff 77 43 48 8b 4c 24 18 64 48 33 0c 25 28 00 00 00
[ 2629.009919] RSP: 002b:00007ffc0271b250 EFLAGS: 00000287 ORIG_RAX: 0000000000000101
[ 2629.011130] RAX: ffffffffffffffda RBX: 00000000022082a4 RCX: 00007fbf58904675
[ 2629.012270] RDX: 0000000000090800 RSI: 0000000002208280 RDI: 00000000ffffff9c
[ 2629.013386] RBP: 0000000002208280 R08: 00007ffc0271b4e0 R09: 0000000000000000
[ 2629.014482] R10: 0000000000000000 R11: 0000000000000287 R12: 0000000002208280
[ 2629.015629] R13: 00007fbf597c71f0 R14: 00007fbf597bd7b0 R15: 0000000000000000
[ 2629.016993] Allocated by task 10986:
[ 2629.017563] kasan_kmalloc+0xbf/0xe0
[ 2629.018144] __kmalloc+0x149/0x350
[ 2629.018685] lmv_unpackmd+0xca2/0x23e0 [lmv]
[ 2629.019391] mdc_get_lustre_md+0xd03/0x2460 [mdc]
[ 2629.020148] ll_prep_inode+0x402/0x1900 [lustre]
[ 2629.020918] ll_lookup_it_finish+0x5f7/0x2f80 [lustre]
[ 2629.021753] ll_lookup_it+0x16b3/0x3fc0 [lustre]
[ 2629.022519] ll_atomic_open+0x867/0x4880 [lustre]
[ 2629.023315] lookup_open+0xab3/0x1980
[ 2629.023952] path_openat+0x14ce/0x2e30
[ 2629.024537] do_filp_open+0x17c/0x250
[ 2629.025142] do_sys_open+0x1db/0x310
[ 2629.025703] do_syscall_64+0xa5/0x4a0
[ 2629.026283] entry_SYSCALL_64_after_hwframe+0x6a/0xdf
[ 2629.027330] Freed by task 0:
[ 2629.027782] __kasan_slab_free+0x125/0x170
[ 2629.028442] slab_free_freelist_hook+0x5a/0x120
[ 2629.029158] kfree+0xd6/0x2e0
[ 2629.029653] rcu_process_callbacks+0xb43/0x1320
[ 2629.030380] __do_softirq+0x23c/0xaa0
[ 2629.031201] The buggy address belongs to the object at ffff88031e652600
which belongs to the cache kmalloc-96 of size 96
[ 2629.033125] The buggy address is located 89 bytes inside of
96-byte region [ffff88031e652600, ffff88031e652660)
[ 2629.034924] The buggy address belongs to the page:
[ 2629.035685] page:ffffea000c799480 count:1 mapcount:0 mapping:ffff880107c16e00 index:0x0
[ 2629.036942] flags: 0x17ffffc0000100(slab)
[ 2629.037574] raw: 0017ffffc0000100 ffffea000c9c7700 0000001000000010 ffff880107c16e00
[ 2629.038796] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
[ 2629.040039] page dumped because: kasan: bad access detected
[ 2629.041163] Memory state around the buggy address:
[ 2629.041929] ffff88031e652500: 00 00 00 00 00 00 00 00 00 00 00 01 fc fc fc fc
[ 2629.043075] ffff88031e652580: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 2629.044187] >ffff88031e652600: 00 00 00 00 00 00 00 00 00 00 00 01 fc fc fc fc
[ 2629.045311] ^
[ 2629.046275] ffff88031e652680: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 2629.047417] ffff88031e652700: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 2629.048552] ==================================================================
lmv_unpackmd allocates a lmv_stripe_md struct, so assuming that's what it is we have:
crash> struct lmv_stripe_md
struct lmv_stripe_md {
__u32 lsm_md_magic;
__u32 lsm_md_stripe_count;
__u32 lsm_md_master_mdt_index;
__u32 lsm_md_hash_type;
__u32 lsm_md_layout_version;
__u32 lsm_md_migrate_offset;
__u32 lsm_md_migrate_hash;
__u32 lsm_md_default_count;
__u32 lsm_md_default_index;
char lsm_md_pool_name[16];
struct lmv_oinfo lsm_md_oinfo[];
}
SIZE: 56
crash> struct lmv_oinfo
struct lmv_oinfo {
struct lu_fid lmo_fid;
u32 lmo_mds;
struct inode *lmo_root;
}
SIZE: 32
crash> p 56+32
$1 = 88
crash> p 56+32+32
$2 = 120
So offset 89 would be the start of x.lsm_md_oinfo[1].lmo_fid, but the allocation size hints that only one element was allocated in the first place; a bit weird that this comes out as a use-after-free from KASAN?... I actually looked a bit and couldn't find where the strcmp comes from in ll_update_inode; it looks like it might actually be a memcmp that got incorrectly logged for some reason. Unfortunately I cannot tell what lsm1->lsm_md_stripe_count was at the time; I would need to configure kdump on this machine and set kernel.panic_on_warn maybe, but I'm afraid I'd crash on the earlier lockdep / "block when !TASK_RUNNING" warnings I get if I were to do that... Anyway, I'm not too serious about this particular issue, I just wanted to show Oleg what a KASAN trace looks like.
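To make the offset arithmetic in the description checkable, and to read the shadow row that the KASAN report prints, here is a small C program added as an editor's example; it is not part of the ticket or of the Lustre tree. It mirrors the two struct layouts from the crash output, assumes a 16-byte lu_fid (u64 sequence, u32 oid, u32 version; the report does not print that struct), decodes the quoted shadow row to find how many bytes of the kmalloc-96 object were actually allocated, and maps the faulting offset 89 (ffff880301be4759 minus the object start ffff880301be4700) to a member. The shadow values are the generic-mode KASAN encoding: 0x00 is a fully accessible 8-byte granule, 1..7 is a granule with only that many leading bytes accessible, 0xfc is kmalloc redzone and 0xfb is freed memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layouts reconstructed from the crash> struct output in the ticket.
 * lu_fid's own members are an assumption for this example (16 bytes). */
struct lu_fid {
	uint64_t f_seq;
	uint32_t f_oid;
	uint32_t f_ver;
};

struct lmv_oinfo {
	struct lu_fid lmo_fid;
	uint32_t lmo_mds;	/* 4 bytes of padding follow before the pointer */
	void *lmo_root;		/* struct inode * in the kernel */
};

struct lmv_stripe_md {
	uint32_t lsm_md_magic;
	uint32_t lsm_md_stripe_count;
	uint32_t lsm_md_master_mdt_index;
	uint32_t lsm_md_hash_type;
	uint32_t lsm_md_layout_version;
	uint32_t lsm_md_migrate_offset;
	uint32_t lsm_md_migrate_hash;
	uint32_t lsm_md_default_count;
	uint32_t lsm_md_default_index;
	char lsm_md_pool_name[16];
	struct lmv_oinfo lsm_md_oinfo[];
};

#define KASAN_GRANULE 8	/* one shadow byte covers 8 bytes of memory */

/* Walk shadow bytes starting at the object's first granule and return how
 * many leading bytes of the object are accessible. 0x00 = whole granule,
 * 1..7 = that many leading bytes, anything else (0xfc redzone, 0xfb freed)
 * ends the object. */
size_t kasan_accessible_bytes(const uint8_t *shadow, size_t nshadow)
{
	size_t total = 0;

	for (size_t i = 0; i < nshadow; i++) {
		uint8_t s = shadow[i];

		if (s == 0x00) {
			total += KASAN_GRANULE;
			continue;
		}
		if (s >= 1 && s < KASAN_GRANULE)
			total += s;
		break;
	}
	return total;
}

/* 1 when byte `off` of the object lies past its accessible bytes. */
int access_is_out_of_bounds(const uint8_t *shadow, size_t nshadow, size_t off)
{
	return off >= kasan_accessible_bytes(shadow, nshadow);
}

/* Index of the lsm_md_oinfo element containing byte `off`, -1 for the
 * fixed header that precedes the flexible array. */
int lmv_oinfo_index_at(size_t off)
{
	size_t base = offsetof(struct lmv_stripe_md, lsm_md_oinfo);

	if (off < base)
		return -1;
	return (int)((off - base) / sizeof(struct lmv_oinfo));
}

/* Name of the member of lmv_stripe_md / lmv_oinfo that byte `off` falls in. */
const char *lmv_member_at(size_t off)
{
	size_t base = offsetof(struct lmv_stripe_md, lsm_md_oinfo);
	size_t in;

	if (off < base)
		return "fixed header";
	in = (off - base) % sizeof(struct lmv_oinfo);
	if (in < offsetof(struct lmv_oinfo, lmo_mds))
		return "lmo_fid";
	if (in < offsetof(struct lmv_oinfo, lmo_mds) + sizeof(uint32_t))
		return "lmo_mds";
	if (in < offsetof(struct lmv_oinfo, lmo_root))
		return "padding";
	return "lmo_root";
}

/* Shadow row quoted in the first report, starting at ffff880301be4700. */
static const uint8_t report_shadow_row[16] = {
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x00, 0x00, 0x00, 0x01, 0xfc, 0xfc, 0xfc, 0xfc,
};
#define REPORT_ACCESS_OFFSET 89	/* ffff880301be4759 - ffff880301be4700 */

int main(void)
{
	size_t live = kasan_accessible_bytes(report_shadow_row, 16);

	printf("sizeof(lmv_stripe_md)=%zu sizeof(lmv_oinfo)=%zu\n",
	       sizeof(struct lmv_stripe_md), sizeof(struct lmv_oinfo));
	printf("object has %zu accessible bytes; read at offset %d is %s\n",
	       live, REPORT_ACCESS_OFFSET,
	       access_is_out_of_bounds(report_shadow_row, 16, REPORT_ACCESS_OFFSET)
	       ? "out of bounds" : "in bounds");
	printf("offset %d -> lsm_md_oinfo[%d].%s\n", REPORT_ACCESS_OFFSET,
	       lmv_oinfo_index_at(REPORT_ACCESS_OFFSET),
	       lmv_member_at(REPORT_ACCESS_OFFSET));
	return 0;
}
```

On x86_64 the program reproduces the 56/32 sizes that crash printed. The quoted shadow row (eleven 00 bytes, one 01, then fc) decodes to 89 accessible bytes, eleven full granules plus one byte of the twelfth, so the one-byte read at ffff880301be4759 touches the first byte past the end of the allocation inside the 96-byte slab object; that is why the report header says slab-out-of-bounds rather than use-after-free (the second report's shadow row decodes identically). Under the lmv_stripe_md layout, offset 89 lands at the start of lsm_md_oinfo[1].lmo_fid, which is the element the description's 56+32 arithmetic points at.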
| Comments |
| Comment by Peter Jones [ 27/Sep/19 ] |

FAO green