Subject: Re: [PATCH 1/1] NFSD: fix WARN_ON_ONCE in __queue_delayed_work
From: Jeff Layton
To: Mike Galbraith, dai.ngo@oracle.com, Chuck Lever III
Cc: Linux NFS Mailing List
Date: Wed, 11 Jan 2023 07:00:18 -0500
References: <1673333310-24837-1-git-send-email-dai.ngo@oracle.com> <57dc06d57b4b643b4bf04daf28acca202c9f7a85.camel@kernel.org> <71672c07-5e53-31e6-14b1-e067fd56df57@oracle.com> <8C3345FB-6EDF-411A-B942-5AFA03A89BA2@oracle.com> <5e34288720627d2a09ae53986780b2d293a54eea.camel@kernel.org> <42876697-ba42-c38f-219d-f760b94e5fed@oracle.com> <8e0cb925-9f73-720d-b402-a7204659ff7f@oracle.com> <37c80eaf2f6d8a5d318e2b10e737a1c351b27427.camel@gmx.de> <2067b4b4ce029ab5be982820b81241cd457ff475.camel@kernel.org>
X-Mailing-List: linux-nfs@vger.kernel.org

On Wed, 2023-01-11 at 12:19 +0100, Mike Galbraith wrote:
> On Wed, 2023-01-11 at 05:55 -0500, Jeff Layton wrote:
> > 
> > > > crash> delayed_work ffff8881601fab48
> > > > struct delayed_work {
> > > >   work = {
> > > >     data = {
> > > >       counter = 1
> > > >     },
> > > >     entry = {
> > > >       next = 0x0,
> > > >       prev = 0x0
> > > >     },
> > > >     func = 0x0
> > > >   },
> > > >   timer = {
> > > >     entry = {
> > > >       next = 0x0,
> > > >       pprev = 0x0
> > > >     },
> > > >     expires = 0,
> > > >     function = 0x0,
> > > >     flags = 0
> > > >   },
> > > >   wq = 0x0,
> > > >   cpu = 0
> > > > }
> > > 
> > > That looks more like a memory scribble or UAF. Merely having multiple
> > > tasks calling queue_work at the same time wouldn't be enough to trigger
> > > this, IMO. It's more likely that the extra locking is changing the
> > > timing of your reproducer somehow.
> > > 
> > > It might be interesting to turn up KASAN if you're able.
> 
> I can try that.
> 
> > If you still have this vmcore, it might be interesting to do the pointer
> > math and find the nfsd_net structure that contains the above
> > delayed_work. Does the rest of it also seem to be corrupt? My guess is
> > that the corrupted structure extends beyond just the delayed_work above.
> > 
> > Also, it might be helpful to do this:
> > 
> >      kmem -s ffff8881601fab48
> > 
> > ...which should tell us whether and what part of the slab this object is
> > now a part of. That said, net-namespace object allocations are somewhat
> > weird, and I'm not 100% sure they come out of the slab.
> 
> I tossed the vmcore, but can generate another. I had done kmem sans -s
> previously, still have that.
> 
> crash> kmem ffff8881601fab48
> CACHE             OBJSIZE  ALLOCATED  TOTAL  SLABS  SSIZE  NAME
> kmem: kmalloc-1k: partial list slab: ffffea0005b20c08 invalid page.inuse: -1
> ffff888100041840     1024       2329   2432     76    32k  kmalloc-1k
>   SLAB              MEMORY            NODE  TOTAL  ALLOCATED  FREE
>   ffffea0005807e00  ffff8881601f8000     0     32         32     0
>   FREE / [ALLOCATED]
>   [ffff8881601fa800]
> 
>       PAGE           PHYSICAL   MAPPING           INDEX  CNT  FLAGS
> ffffea0005807e80  1601fa000  dead000000000400      0    0  200000000000000
> crash>
> 

Thanks. The pernet allocations do come out of the slab. The allocation is
done in ops_init in net/core/namespace.c. This one is a 1k allocation,
which jives with the size of nfsd_net (which is 976 bytes). So, this
seems to be consistent with where an nfsd_net would have come from.

Maybe not a UAF, but I do think we have some sort of mem corruption
going on.

-- 
Jeff Layton
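The "pointer math" suggested in the thread, worked through as an added example (this is not code from the thread or from the kernel). It takes the two addresses quoted from the crash session (the delayed_work at ffff8881601fab48 and the allocated kmalloc-1k object at ffff8881601fa800) together with the sizes the thread states (976-byte nfsd_net, 1024-byte object) and checks that the delayed_work lies inside that object, then applies the same sanity test to the dumped field values that the thread applies by eye: an initialised delayed_work cannot have NULL list pointers and NULL function pointers. The field layout of `struct dw_mirror` is an assumed mirror of the x86_64 `struct delayed_work` (88 bytes) and is not taken from the page; `dump_from_thread` and `plausible_initialised` are constructed sample inputs.

```c
/*
 * Added example: slab-object pointer math and a plausibility check for a
 * delayed_work pulled out of a vmcore. Addresses and sizes below are the
 * ones quoted in the thread; the struct layout is an assumed x86_64 mirror.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values quoted from the crash session in the thread. */
#define DELAYED_WORK_ADDR   0xffff8881601fab48ULL
#define SLAB_OBJECT_ADDR    0xffff8881601fa800ULL
#define KMALLOC_1K_OBJSIZE  1024u
#define NFSD_NET_SIZE       976u   /* stated in the thread */

/* Assumed mirror of struct delayed_work on x86_64 (88 bytes). */
struct dw_mirror {
    uint64_t data;            /* work.data.counter; bit 0 is the PENDING bit */
    uint64_t entry_next;      /* work.entry.next */
    uint64_t entry_prev;      /* work.entry.prev */
    uint64_t func;            /* work.func */
    uint64_t timer_next;      /* timer.entry.next */
    uint64_t timer_pprev;     /* timer.entry.pprev */
    uint64_t expires;         /* timer.expires */
    uint64_t timer_function;  /* timer.function */
    uint32_t flags;           /* timer.flags */
    uint64_t wq;
    int32_t  cpu;
};

/* Offset of the embedded delayed_work from the start of the slab object. */
uint64_t member_offset_in_object(uint64_t member_addr, uint64_t object_addr)
{
    return member_addr - object_addr;
}

/* True when a delayed_work at this offset fits inside an nfsd_net that
 * itself fits inside a kmalloc-1k object, i.e. the addresses are consistent
 * with the delayed_work being embedded in the nfsd_net at SLAB_OBJECT_ADDR. */
bool member_fits_in_object(uint64_t member_addr, uint64_t object_addr)
{
    uint64_t off = member_offset_in_object(member_addr, object_addr);
    return NFSD_NET_SIZE <= KMALLOC_1K_OBJSIZE &&
           off + sizeof(struct dw_mirror) <= NFSD_NET_SIZE;
}

/* INIT_DELAYED_WORK sets work.func, sets timer.function, and initialises
 * work.entry as a self-linked list head, so NULL in any of those fields
 * means the object was never initialised or has since been overwritten.
 * A set PENDING bit together with a NULL func is likewise inconsistent. */
bool delayed_work_looks_clobbered(const struct dw_mirror *dw)
{
    if (dw->func == 0 || dw->timer_function == 0)
        return true;
    if (dw->entry_next == 0 || dw->entry_prev == 0)
        return true;
    if ((dw->data & 1u) && dw->func == 0)
        return true;
    return false;
}

/* Constructed sample: the field values dumped in the thread. */
struct dw_mirror dump_from_thread(void)
{
    struct dw_mirror dw = {0};
    dw.data = 1;   /* everything else was 0x0 / 0 in the dump */
    return dw;
}

/* Constructed sample: what an idle, initialised delayed_work at dw_addr
 * would plausibly look like (self-linked entry, non-NULL callbacks). */
struct dw_mirror plausible_initialised(uint64_t dw_addr)
{
    struct dw_mirror dw = {0};
    uint64_t entry_addr = dw_addr + offsetof(struct dw_mirror, entry_next);
    dw.entry_next = entry_addr;
    dw.entry_prev = entry_addr;
    dw.func = 0xffffffffc0000000ULL;             /* placeholder callback address */
    dw.timer_function = 0xffffffff81000000ULL;   /* placeholder timer callback */
    return dw;
}

int main(void)
{
    uint64_t off = member_offset_in_object(DELAYED_WORK_ADDR, SLAB_OBJECT_ADDR);
    printf("delayed_work sits at offset 0x%llx (%llu) in the 1k object; fits: %s\n",
           (unsigned long long)off, (unsigned long long)off,
           member_fits_in_object(DELAYED_WORK_ADDR, SLAB_OBJECT_ADDR) ? "yes" : "no");
    struct dw_mirror bad = dump_from_thread();
    printf("dumped delayed_work looks clobbered: %s\n",
           delayed_work_looks_clobbered(&bad) ? "yes" : "no");
    return 0;
}
```

Run stand-alone it reports the delayed_work at offset 0x348 of the object, well within a 976-byte nfsd_net, which is the consistency argument made in the reply above; the clobbered check flags the dumped values because PENDING is set while every pointer, including the list links that INIT_WORK self-links, is NULL.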