2022-02-28 10:50:56

by kernel test robot

Subject: [block] 950a69daae: BUG:KASAN:use-after-free_in_throtl_pending_timer_fn


Greeting,

FYI, we noticed the following commit (built with gcc-9):

commit: 950a69daaecf6a7149cb245ca9291c0b68957e83 ("block: cancel all throttled bios in del_gendisk()")
linux-devel devel-catchup-20220228-041508

in testcase: xfstests
version: xfstests-x86_64-1de1db8-1_20220217
with following parameters:

disk: 4HDD
fs: xfs
test: xfs-group-05
ucode: 0x21

test-description: xfstests is a regression test suite for xfs and other file systems.
test-url: git://git.kernel.org/pub/scm/fs/xfs/xfstests-dev.git


on test machine: 4 threads 1 sockets Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz with 8G memory

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):



If you fix the issue, kindly add the following tag
Reported-by: kernel test robot <[email protected]>


[ 114.399742][ C3] BUG: KASAN: use-after-free in throtl_pending_timer_fn (block/blk-throttle.c:1141)
[ 114.407689][ C3] Read of size 8 at addr ffff8881014a6078 by task systemd-udevd/176
[ 114.415638][ C3]
[ 114.417871][ C3] CPU: 3 PID: 176 Comm: systemd-udevd Not tainted 5.17.0-rc2-00081-g950a69daaecf #1
[ 114.427224][ C3] Hardware name: Hewlett-Packard HP Pro 3340 MT/17A1, BIOS 8.07 01/24/2013
[ 114.435764][ C3] Call Trace:
[ 114.438922][ C3] <IRQ>
[ 114.441683][ C3] dump_stack_lvl (lib/dump_stack.c:107)
[ 114.446097][ C3] print_address_description+0x21/0x180
[ 114.452599][ C3] ? throtl_pending_timer_fn (block/blk-throttle.c:1141)
[ 114.458144][ C3] kasan_report.cold (mm/kasan/report.c:443 mm/kasan/report.c:459)
[ 114.462890][ C3] ? update_rq_clock (kernel/sched/core.c:691 kernel/sched/core.c:679)
[ 114.467643][ C3] ? throtl_pending_timer_fn (block/blk-throttle.c:1141)
[ 114.473193][ C3] throtl_pending_timer_fn (block/blk-throttle.c:1141)
[ 114.478563][ C3] ? throtl_pd_offline (block/blk-throttle.c:1137)
[ 114.483573][ C3] call_timer_fn (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:212 include/trace/events/timer.h:125 kernel/time/timer.c:1422)
[ 114.487992][ C3] run_timer_softirq (kernel/time/timer.c:1467 kernel/time/timer.c:1734 kernel/time/timer.c:1710 kernel/time/timer.c:1747)
[ 114.492940][ C3] ? trace_event_raw_event_hrtimer_start (kernel/time/timer.c:1744)
[ 114.499537][ C3] ? __next_base (kernel/time/hrtimer.c:506)
[ 114.504054][ C3] ? sched_clock_cpu (kernel/sched/clock.c:371)
[ 114.508814][ C3] ? setup_local_APIC (arch/x86/kernel/apic/apic.c:475)
[ 114.513749][ C3] __do_softirq (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:212 include/trace/events/irq.h:142 kernel/softirq.c:559)
[ 114.518205][ C3] irq_exit_rcu (kernel/softirq.c:432 kernel/softirq.c:637 kernel/softirq.c:649)
[ 114.522609][ C3] sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1097 (discriminator 14))
[ 114.528171][ C3] </IRQ>
[ 114.531013][ C3] <TASK>
[ 114.533856][ C3] asm_sysvec_apic_timer_interrupt (arch/x86/include/asm/idtentry.h:638)
[ 114.539722][ C3] RIP: 0010:call_rcu (kernel/rcu/tree.c:3105)
[ 114.544680][ C3] Code: 02 00 0f 85 47 0b 00 00 48 8b 05 d8 2b 5b 03 49 03 87 f0 00 00 00 49 39 c5 0f 8f ea 04 00 00 fb 48 b8 00 00 00 00 00 fc ff df <48> c7 04 03 00 00 00 00 48 8b 84 24 88 00 00 00 65 48 33 04 25 28
[ 114.564349][ C3] RSP: 0018:ffffc90000637cd0 EFLAGS: 00000287
[ 114.570370][ C3] RAX: dffffc0000000000 RBX: 1ffff920000c6fa0 RCX: ffffffff81350c19
[ 114.578304][ C3] RDX: 1ffff11035037166 RSI: 0000000000000008 RDI: ffff8881a81b8b00
[ 114.586259][ C3] RBP: ffff888211d1d9b0 R08: 0000000000000001 R09: ffff8881a81b8b00
[ 114.594210][ C3] R10: ffff8881a81b8b07 R11: ffffed1035037160 R12: ffff8881a81b8b30
[ 114.602148][ C3] R13: 000000000000001f R14: ffff8881a81b8ab8 R15: ffff8881a81b8a40
[ 114.610093][ C3] ? call_rcu (arch/x86/include/asm/atomic64_64.h:22 include/linux/atomic/atomic-long.h:29 include/linux/atomic/atomic-instrumented.h:1266 kernel/rcu/rcu_segcblist.h:50 kernel/rcu/tree.c:2928 kernel/rcu/tree.c:3059 kernel/rcu/tree.c:3106)
[ 114.614422][ C3] ? rcu_implicit_dynticks_qs (kernel/rcu/tree.c:3105)
[ 114.620054][ C3] ? _raw_spin_lock (arch/x86/include/asm/atomic.h:202 include/linux/atomic/atomic-instrumented.h:543 include/asm-generic/qspinlock.h:82 include/linux/spinlock.h:185 include/linux/spinlock_api_smp.h:134 kernel/locking/spinlock.c:154)
[ 114.624715][ C3] ? _raw_spin_lock_bh (kernel/locking/spinlock.c:153)
[ 114.629760][ C3] ? ___d_drop (arch/x86/include/asm/bitops.h:94 arch/x86/include/asm/bitops.h:113 include/asm-generic/bitops/instrumented-lock.h:43 include/linux/bit_spinlock.h:80 include/linux/list_bl.h:153 fs/dcache.c:501)
[ 114.634069][ C3] __dentry_kill (fs/dcache.c:622)
[ 114.638556][ C3] dput (fs/dcache.c:746 fs/dcache.c:913)
[ 114.642283][ C3] do_unlinkat (fs/namei.c:4223)
[ 114.646604][ C3] ? __x64_sys_rmdir (fs/namei.c:4179)
[ 114.651317][ C3] ? __check_object_size (mm/usercopy.c:241 mm/usercopy.c:287 mm/usercopy.c:257)
[ 114.656558][ C3] ? getname_flags (fs/namei.c:149 fs/namei.c:128)
[ 114.661179][ C3] __x64_sys_unlink (fs/namei.c:4264)
[ 114.665778][ C3] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
[ 114.670129][ C3] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:113)
[ 114.675918][ C3] RIP: 0033:0x7f3ccc633fc7
[ 114.680227][ C3] Code: f0 ff ff 73 01 c3 48 8b 0d c6 ee 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 57 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 99 ee 0c 00 f7 d8 64 89 01 48


To reproduce:

git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
sudo bin/lkp install job.yaml # job file is attached in this email
bin/lkp split-job --compatible job.yaml # generate the yaml file for lkp run
sudo bin/lkp run generated-yaml-file

# if you come across any failure that blocks the test,
# please remove the ~/.lkp and /lkp directories to run from a clean state.



---
0DAY/LKP+ Test Infrastructure Open Source Technology Center
https://lists.01.org/hyperkitty/list/[email protected] Intel Corporation

Thanks,
Oliver Sang


Attachments:
(No filename) (8.63 kB)
config-5.17.0-rc2-00081-g950a69daaecf (168.88 kB)
job-script (5.86 kB)
dmesg.xz (8.64 kB)
xfstests (1.25 kB)
job.yaml (4.91 kB)
reproduce (953.00 B)