[LU-13040] BUG: KASAN: slab-out-of-bounds in string_nocheck+0xd1/0x180 Created: 30/Nov/19  Updated: 01/Mar/20  Resolved: 01/Mar/20

Status: Resolved
Project: Lustre
Component/s: None
Affects Version/s: None
Fix Version/s: Lustre 2.14.0

Type: Bug Priority: Minor
Reporter: Shaun Tancheff Assignee: Shaun Tancheff
Resolution: Fixed Votes: 0
Labels: None

Severity: 3
Rank (Obsolete): 9223372036854775807

 Description   
Nov 27 00:46:15 lustre-client kernel: ==================================================================
Nov 27 00:46:15 lustre-client kernel: BUG: KASAN: slab-out-of-bounds in string_nocheck+0xd1/0x180
Nov 27 00:46:15 lustre-client kernel: Read of size 1 at addr ffff888217560921 by task parse_foreign_d/23741
Nov 27 00:46:15 lustre-client kernel: 
Nov 27 00:46:15 lustre-client kernel: CPU: 3 PID: 23741 Comm: parse_foreign_d Tainted: P O 5.4.0-1.ldiskfs.d.el7.x86_64 #1
Nov 27 00:46:15 lustre-client kernel: Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.12.0-1 04/01/2014
Nov 27 00:46:15 lustre-client kernel: Call Trace:
Nov 27 00:46:15 lustre-client kernel: dump_stack+0x7b/0xba
Nov 27 00:46:15 lustre-client kernel: ? string_nocheck+0xd1/0x180
Nov 27 00:46:15 lustre-client kernel: print_address_description.constprop.7.cold.9+0x9/0x350
Nov 27 00:46:15 lustre-client kernel: ? string_nocheck+0xd1/0x180
Nov 27 00:46:15 lustre-client kernel: ? string_nocheck+0xd1/0x180
Nov 27 00:46:15 lustre-client kernel: __kasan_report.cold.10+0x1b/0x3f
Nov 27 00:46:15 lustre-client kernel: ? string_nocheck+0xd1/0x180
Nov 27 00:46:15 lustre-client kernel: kasan_report+0x12/0x20
Nov 27 00:46:15 lustre-client kernel: __asan_load1+0x47/0x50
Nov 27 00:46:15 lustre-client kernel: string_nocheck+0xd1/0x180
Nov 27 00:46:15 lustre-client kernel: ? widen_string+0x190/0x190
Nov 27 00:46:15 lustre-client kernel: string+0xb6/0xc0
Nov 27 00:46:15 lustre-client kernel: ? hex_string+0x2e0/0x2e0
Nov 27 00:46:15 lustre-client kernel: vsnprintf+0x56c/0x8e0
Nov 27 00:46:15 lustre-client kernel: ? pointer+0x4e0/0x4e0
Nov 27 00:46:15 lustre-client kernel: ? vsnprintf+0x655/0x8e0
Nov 27 00:46:15 lustre-client kernel: libcfs_debug_msg+0x4f2/0xf30 [libcfs]
Nov 27 00:46:15 lustre-client kernel: ? put_pages_on_daemon_list+0xd0/0xd0 [libcfs]
Nov 27 00:46:15 lustre-client kernel: ? libcfs_debug_msg+0xd99/0xf30 [libcfs]
Nov 27 00:46:15 lustre-client kernel: lsm_md_dump+0x14a/0x270 [lustre]
Nov 27 00:46:15 lustre-client kernel: ll_update_inode+0xb6c/0x2010 [lustre]
Nov 27 00:46:15 lustre-client kernel: ? ll_test_inode_by_fid+0x30/0x30 [lustre]
Nov 27 00:46:15 lustre-client kernel: ? __kasan_check_read+0x11/0x20
Nov 27 00:46:15 lustre-client kernel: ll_iget+0x2bf/0x420 [lustre]
Nov 27 00:46:15 lustre-client kernel: ll_prep_inode+0x50e/0xca0 [lustre]
Nov 27 00:46:15 lustre-client kernel: ? ll_open_cleanup+0x6b0/0x6b0 [lustre]
Nov 27 00:46:15 lustre-client kernel: ? strcpy+0x30/0x50
Nov 27 00:46:15 lustre-client kernel: ? cfs_trace_unlock_tcd+0x20/0xb0 [libcfs]
Nov 27 00:46:15 lustre-client kernel: ? lustre_msg_buf_v2+0x8a/0x220 [ptlrpc]
Nov 27 00:46:15 lustre-client kernel: ? ptlrpc_buf_need_swab+0x5d/0xf0 [ptlrpc]
Nov 27 00:46:15 lustre-client kernel: ? __req_capsule_get+0x72a/0x8a0 [ptlrpc]
Nov 27 00:46:15 lustre-client kernel: ? lustre_swab_generic_32s+0x20/0x20 [ptlrpc]
Nov 27 00:46:15 lustre-client kernel: ll_lookup_it_finish+0x349/0x1500 [lustre]
Nov 27 00:46:15 lustre-client kernel: ? ll_splice_alias+0x410/0x410 [lustre]
Nov 27 00:46:15 lustre-client kernel: ? ll_md_need_convert+0x2c0/0x2c0 [lustre]
Nov 27 00:46:15 lustre-client kernel: ? ll_md_need_convert+0x2c0/0x2c0 [lustre]
Nov 27 00:46:15 lustre-client kernel: ? libcfs_log_return+0x22/0x30 [libcfs]
Nov 27 00:46:15 lustre-client kernel: ? lmv_intent_lock+0x2f0/0x560 [lmv]
Nov 27 00:46:15 lustre-client kernel: ? lmv_intent_lookup+0xaf0/0xaf0 [lmv]
Nov 27 00:46:15 lustre-client kernel: ? __kasan_check_write+0x14/0x20
Nov 27 00:46:15 lustre-client kernel: ll_lookup_it+0xeae/0x2000 [lustre]
Nov 27 00:46:15 lustre-client kernel: ? ll_lookup_it_finish+0x1500/0x1500 [lustre]
Nov 27 00:46:15 lustre-client kernel: ? strcpy+0x30/0x50
Nov 27 00:46:15 lustre-client kernel: ? cfs_trace_unlock_tcd+0x20/0xb0 [libcfs]
Nov 27 00:46:15 lustre-client kernel: ? libcfs_debug_msg+0xd99/0xf30 [libcfs]
Nov 27 00:46:15 lustre-client kernel: ? put_pages_on_daemon_list+0xd0/0xd0 [libcfs]
Nov 27 00:46:15 lustre-client kernel: ? __d_alloc+0x277/0x380
Nov 27 00:46:15 lustre-client kernel: ? __kasan_check_write+0x14/0x20
Nov 27 00:46:15 lustre-client kernel: ? d_alloc_parallel+0x435/0x950
Nov 27 00:46:15 lustre-client kernel: ? libcfs_debug_msg+0xd99/0xf30 [libcfs]
Nov 27 00:46:15 lustre-client kernel: ll_lookup_nd+0x1ee/0x2b0 [lustre]
Nov 27 00:46:15 lustre-client kernel: ? ll_atomic_open+0x2360/0x2360 [lustre]
Nov 27 00:46:15 lustre-client kernel: ? __d_lookup+0x49/0x230
Nov 27 00:46:15 lustre-client kernel: __lookup_slow+0x123/0x230
Nov 27 00:46:15 lustre-client kernel: ? vfs_readlink+0x220/0x220
Nov 27 00:46:15 lustre-client kernel: ? __nd_alloc_stack+0xa0/0xa0
Nov 27 00:46:15 lustre-client kernel: lookup_slow+0x44/0x60
Nov 27 00:46:15 lustre-client kernel: walk_component+0x3e3/0x680
Nov 27 00:46:15 lustre-client kernel: ? lookup_slow+0x60/0x60
Nov 27 00:46:15 lustre-client kernel: ? link_path_walk.part.41+0x292/0x830
Nov 27 00:46:15 lustre-client kernel: ? lookup_one_len+0x130/0x130
Nov 27 00:46:15 lustre-client kernel: ? path_init+0x451/0x5a0
Nov 27 00:46:15 lustre-client kernel: ? save_stack+0x21/0x90
Nov 27 00:46:15 lustre-client kernel: ? __kasan_kmalloc.constprop.14+0xc1/0xd0
Nov 27 00:46:15 lustre-client kernel: ? kasan_slab_alloc+0x11/0x20
Nov 27 00:46:15 lustre-client kernel: ? getname_flags+0x6f/0x2c0
Nov 27 00:46:15 lustre-client kernel: path_lookupat.isra.43+0x118/0x420
Nov 27 00:46:15 lustre-client kernel: ? path_parentat.isra.42+0xa0/0xa0
Nov 27 00:46:15 lustre-client kernel: ? deactivate_slab.isra.79+0x21b/0x5c0
Nov 27 00:46:15 lustre-client kernel: ? check_object+0xb5/0x290
Nov 27 00:46:15 lustre-client kernel: ? init_object+0x7e/0x90
Nov 27 00:46:15 lustre-client kernel: filename_lookup.part.59+0x116/0x240
Nov 27 00:46:15 lustre-client kernel: ? __ia32_sys_rename+0x50/0x50
Nov 27 00:46:15 lustre-client kernel: ? __check_object_size+0x1a7/0x216
Nov 27 00:46:15 lustre-client kernel: ? strncpy_from_user+0xdd/0x200
Nov 27 00:46:15 lustre-client kernel: ? getname_flags+0x112/0x2c0
Nov 27 00:46:15 lustre-client kernel: user_path_at_empty+0x3e/0x50
Nov 27 00:46:15 lustre-client kernel: path_getxattr+0xa8/0x130
Nov 27 00:46:15 lustre-client kernel: ? getxattr+0x230/0x230
Nov 27 00:46:15 lustre-client kernel: __x64_sys_getxattr+0x5b/0x70
Nov 27 00:46:15 lustre-client kernel: do_syscall_64+0x78/0x200
Nov 27 00:46:15 lustre-client kernel: entry_SYSCALL_64_after_hwframe+0x44/0xa9
Nov 27 00:46:15 lustre-client kernel: RIP: 0033:0x7fec4f3453ea
Nov 27 00:46:15 lustre-client kernel: Code: 73 01 c3 48 8b 0d 86 9a 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 bf 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 56 9a 2c 00 f7 d8 64 89 01 48
Nov 27 00:46:15 lustre-client kernel: RSP: 002b:00007ffd6b274628 EFLAGS: 00000206 ORIG_RAX: 00000000000000bf
Nov 27 00:46:15 lustre-client kernel: RAX: ffffffffffffffda RBX: 00007ffd6b274748 RCX: 00007fec4f3453ea
Nov 27 00:46:15 lustre-client kernel: RDX: 0000000000000000 RSI: 0000000000400cff RDI: 00007ffd6b276054
Nov 27 00:46:15 lustre-client kernel: RBP: 0000000000400cfc R08: 0000000000000000 R09: 0000000000000000
Nov 27 00:46:15 lustre-client kernel: R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000003
Nov 27 00:46:15 lustre-client kernel: R13: 00007ffd6b276054 R14: 0000000000000000 R15: 0000000000000000
Nov 27 00:46:15 lustre-client kernel: 
Nov 27 00:46:15 lustre-client kernel: Allocated by task 23741:
Nov 27 00:46:15 lustre-client kernel: save_stack+0x21/0x90
Nov 27 00:46:15 lustre-client kernel: __kasan_kmalloc.constprop.14+0xc1/0xd0
Nov 27 00:46:15 lustre-client kernel: kasan_kmalloc+0x9/0x10
Nov 27 00:46:15 lustre-client kernel: __kmalloc+0x139/0x300
Nov 27 00:46:15 lustre-client kernel: lmv_unpackmd+0x5d3/0x12a0 [lmv]
Nov 27 00:46:15 lustre-client kernel: mdc_get_lustre_md+0x81a/0x12a0 [mdc]
Nov 27 00:46:15 lustre-client kernel: lmv_get_lustre_md+0x1c9/0x1e0 [lmv]
Nov 27 00:46:15 lustre-client kernel: ll_prep_inode+0x1e7/0xca0 [lustre]
Nov 27 00:46:15 lustre-client kernel: ll_lookup_it_finish+0x349/0x1500 [lustre]
Nov 27 00:46:15 lustre-client kernel: ll_lookup_it+0xeae/0x2000 [lustre]
Nov 27 00:46:15 lustre-client kernel: ll_lookup_nd+0x1ee/0x2b0 [lustre]
Nov 27 00:46:15 lustre-client kernel: __lookup_slow+0x123/0x230
Nov 27 00:46:15 lustre-client kernel: lookup_slow+0x44/0x60
Nov 27 00:46:15 lustre-client kernel: walk_component+0x3e3/0x680
Nov 27 00:46:15 lustre-client kernel: path_lookupat.isra.43+0x118/0x420
Nov 27 00:46:15 lustre-client kernel: filename_lookup.part.59+0x116/0x240
Nov 27 00:46:15 lustre-client kernel: user_path_at_empty+0x3e/0x50
Nov 27 00:46:15 lustre-client kernel: path_getxattr+0xa8/0x130
Nov 27 00:46:15 lustre-client kernel: __x64_sys_getxattr+0x5b/0x70
Nov 27 00:46:15 lustre-client kernel: do_syscall_64+0x78/0x200
Nov 27 00:46:15 lustre-client kernel: entry_SYSCALL_64_after_hwframe+0x44/0xa9
Nov 27 00:46:15 lustre-client kernel: 
Nov 27 00:46:15 lustre-client kernel: Freed by task 0:
Nov 27 00:46:15 lustre-client kernel: save_stack+0x21/0x90
Nov 27 00:46:15 lustre-client kernel: __kasan_slab_free+0x128/0x170
Nov 27 00:46:15 lustre-client kernel: kasan_slab_free+0xe/0x10
Nov 27 00:46:15 lustre-client kernel: kfree+0xa4/0x290
Nov 27 00:46:15 lustre-client kernel: autogroup_free+0x25/0x30
Nov 27 00:46:15 lustre-client kernel: sched_free_group+0x22/0x40
Nov 27 00:46:15 lustre-client kernel: sched_free_group_rcu+0x15/0x20
Nov 27 00:46:15 lustre-client kernel: rcu_do_batch+0x27c/0x660
Nov 27 00:46:15 lustre-client kernel: rcu_core+0x2a8/0x460
Nov 27 00:46:15 lustre-client kernel: rcu_core_si+0xe/0x10
Nov 27 00:46:15 lustre-client kernel: __do_softirq+0x10d/0x3c9
Nov 27 00:46:15 lustre-client kernel: 
Nov 27 00:46:15 lustre-client kernel: The buggy address belongs to the object at ffff8882175608c8
Nov 27 00:46:15 lustre-client kernel:  which belongs to the cache kmalloc-96 of size 96
Nov 27 00:46:15 lustre-client kernel: The buggy address is located 89 bytes inside of
Nov 27 00:46:15 lustre-client kernel:  96-byte region [ffff8882175608c8, ffff888217560928)
Nov 27 00:46:15 lustre-client kernel: The buggy address belongs to the page:
Nov 27 00:46:15 lustre-client kernel: page:ffffea00085d5800 refcount:1 mapcount:0 mapping:ffff888227010a00 index:0xffff888217563488 compound_mapcount: 0
Nov 27 00:46:15 lustre-client kernel: flags: 0x17ffffc0010200(slab|head)
Nov 27 00:46:15 lustre-client kernel: raw: 0017ffffc0010200 ffffea0007cc0208 ffff888227003a50 ffff888227010a00
Nov 27 00:46:15 lustre-client kernel: raw: ffff888217563488 0000000000240011 00000001ffffffff 0000000000000000
Nov 27 00:46:15 lustre-client kernel: page dumped because: kasan: bad access detected
Nov 27 00:46:15 lustre-client kernel: 
Nov 27 00:46:15 lustre-client kernel: Memory state around the buggy address:
Nov 27 00:46:15 lustre-client kernel: ffff888217560800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Nov 27 00:46:15 lustre-client kernel: ffff888217560880: fc fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00
Nov 27 00:46:15 lustre-client kernel: >ffff888217560900: 00 00 00 00 01 fc fc fc fc fc fc fc fc fc fc fc
Nov 27 00:46:15 lustre-client kernel: ^
Nov 27 00:46:15 lustre-client kernel: ffff888217560980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Nov 27 00:46:15 lustre-client kernel: ffff888217560a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Nov 27 00:46:15 lustre-client kernel: ==================================================================


 Comments   
Comment by Shaun Tancheff [ 30/Nov/19 ]

This KASAN indicates two different issues:

The root cause is indicated by lsm_md_dump(), where the lsm_md_pool_name is not null-terminated. This case appears to be rooted in a strncpy(), attempting to read the pool_name when lsm_md_magic == LMV_MAGIC_FOREIGN.

The second issue is the theoretical buffer overflow in libcfs_debug_msg(), where the second pass of snprintf() reports the number of bytes needed, where the result is expected to be the actual number of bytes. There are a couple of additional uses of snprintf() that should also be changed to scnprintf() here.
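
The shadow row in the report above (`00 00 00 00 01 fc ...` at ffff888217560900) marks the 8-byte granule at ffff888217560920 as having a single addressable byte, so the object was allocated with 89 bytes in the 96-byte slab slot, and the faulting read at ffff888217560921 is offset 89: the first byte past the allocation, which is what a "%s" over a field with no terminator produces. The following userland C model of both defects from the comment is an added example, not Lustre code and not part of the original ticket. struct pool_layout, POOLNAME_LEN and every function name in it are assumptions chosen for illustration; the real LMV structures and libcfs_debug_msg() differ. It shows the strncpy() field with no NUL, a bounded "%.*s" dump that cannot over-read it, a terminated copy, and why advancing a cursor by snprintf()'s return value (bytes wanted) instead of scnprintf()'s (bytes stored) leaves the cursor past the buffer.

```c
/*
 * Added example, not Lustre code: a userland model of the two defects named in
 * the comment above. struct pool_layout, POOLNAME_LEN and every function below
 * are assumptions chosen for illustration; the Lustre structures differ.
 * Build: cc -Wall -fsanitize=address example.c
 */
#define _POSIX_C_SOURCE 200809L   /* strnlen() */
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define POOLNAME_LEN 16   /* assumed fixed width of the pool name field */

struct pool_layout {      /* hypothetical stand-in for the LMV stripe metadata */
    unsigned int magic;
    char pool_name[POOLNAME_LEN];
};

/* Issue 1, as written: strncpy() leaves no terminator when the source fills
 * the field, so a later "%s" walks off the end of the allocation. */
void set_pool_name_strncpy(struct pool_layout *pl, const char *src)
{
    strncpy(pl->pool_name, src, sizeof(pl->pool_name));
}

/* Returns 1 when a NUL exists inside the field, 0 when "%s" would read past it. */
int pool_name_is_terminated(const struct pool_layout *pl)
{
    return memchr(pl->pool_name, '\0', sizeof(pl->pool_name)) != NULL;
}

/* Issue 1, hardened: bounded source length, always terminated, and the
 * caller can detect truncation by comparing the return value with strlen(src). */
size_t set_pool_name_safe(struct pool_layout *pl, const char *src)
{
    size_t n = strnlen(src, sizeof(pl->pool_name) - 1);

    memcpy(pl->pool_name, src, n);
    pl->pool_name[n] = '\0';
    return n;
}

/* Defensive dump: "%.*s" bounds the read to the field even when it is not
 * terminated, so a log line cannot turn a missing NUL into an OOB read. */
int dump_pool_name(char *out, size_t outsz, const struct pool_layout *pl)
{
    return snprintf(out, outsz, "pool=%.*s",
                    (int)sizeof(pl->pool_name), pl->pool_name);
}

/* Issue 2: snprintf() returns the length the complete output would have had;
 * the kernel's scnprintf() returns what was actually stored. Userland has no
 * scnprintf(), so this is a local reimplementation of the kernel semantics. */
int local_scnprintf(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (size == 0)
        return 0;
    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    if (n < 0)
        return 0;
    return (size_t)n < size ? n : (int)(size - 1);
}

/* Two-pass assembly as in a debug-message path: each piece is appended at a
 * cursor and the cursor advances by the return value. The guard exists only
 * so this demo never writes out of bounds; the defect is the cursor value. */
size_t append_with_snprintf(char *buf, size_t size, size_t off, const char *s)
{
    if (off >= size)
        return off;
    return off + (size_t)snprintf(buf + off, size - off, "%s", s);
}

size_t append_with_scnprintf(char *buf, size_t size, size_t off, const char *s)
{
    if (off >= size)
        return off;
    return off + (size_t)local_scnprintf(buf + off, size - off, "%s", s);
}

/* Returns 1 when the cursor ends beyond the last writable byte, i.e. the state
 * in which an unguarded next pass computes size - off as a wrapped, huge
 * "remaining" length and overflows the buffer. Leaves the message in out. */
int cursor_overruns(size_t (*append)(char *, size_t, size_t, const char *),
                    char *out, size_t outsz)
{
    size_t off = 0;

    memset(out, 0, outsz);
    off = append(out, outsz, off, "0123456789");  /* longer than the buffer */
    off = append(out, outsz, off, "tail");
    return off > outsz - 1;
}

int main(void)
{
    struct pool_layout pl;
    char line[64], msg[8];

    set_pool_name_strncpy(&pl, "sixteen_chars_xx");   /* exactly POOLNAME_LEN */
    printf("strncpy terminated: %d\n", pool_name_is_terminated(&pl));
    dump_pool_name(line, sizeof(line), &pl);
    printf("bounded dump: %s\n", line);
    set_pool_name_safe(&pl, "sixteen_chars_xx");
    printf("safe copy (truncated, terminated): %s\n", pl.pool_name);
    printf("snprintf cursor overruns: %d\n",
           cursor_overruns(append_with_snprintf, msg, sizeof(msg)));
    printf("scnprintf cursor overruns: %d (%s)\n",
           cursor_overruns(append_with_scnprintf, msg, sizeof(msg)), msg);
    return 0;
}
```

Running it under ASan is the quickest way to see the difference between the two copies: only the strncpy() variant leaves pool_name_is_terminated() at 0, and only the snprintf() cursor ends at 10 in an 8-byte buffer, which is the precondition for the wrapped remaining length the comment calls a theoretical overflow.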

Comment by Gerrit Updater [ 03/Dec/19 ]

Shaun Tancheff (stancheff@cray.com) uploaded a new patch: https://review.whamcloud.com/36908
Subject: LU-13040 lmv: Pool name string handling
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: 645180347fdb5f7d4c4555e351260a74b96372ba

Comment by Gerrit Updater [ 01/Mar/20 ]

Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/36908/
Subject: LU-13040 lmv: Pool name string handling
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: 5a798e527b8e852363858bd568f297520a5325fd

Comment by Peter Jones [ 01/Mar/20 ]

Landed for 2.14

Generated at Sat Feb 10 02:57:50 UTC 2024 using Jira 9.4.14#940014-sha1:734e6822bbf0d45eff9af51f82432957f73aa32c.