v6.9-rc1 bug?
Itaru Kitayama
itaru.kitayama at linux.dev
Fri Mar 15 21:23:30 PDT 2024
On FVP with the latest v6.9-rc1 kernel, when mounting a host directory
via the 9p virtual filesystem it splats buggy addresses:
[ 101.148388] ==================================================================
[ 101.148706] BUG: KASAN: slab-use-after-free in v9fs_stat2inode_dotl+0x804/0x984
[ 101.149185] Read of size 8 at addr ffff000805f06788 by task mount/158
[ 101.149548]
[ 101.149742] CPU: 2 PID: 158 Comm: mount Not tainted 6.8.0-11409-gf6cef5f8c37f #85
[ 101.150163] Hardware name: FVP Base RevC (DT)
[ 101.150436] Call trace:
[ 101.150658] dump_backtrace+0x94/0xf0
[ 101.150999] show_stack+0x1c/0x2c
[ 101.151327] dump_stack_lvl+0xf0/0x178
[ 101.151740] print_report+0xdc/0x57c
[ 101.152117] kasan_report+0xb4/0x100
[ 101.152498] __asan_report_load8_noabort+0x24/0x34
[ 101.152931] v9fs_stat2inode_dotl+0x804/0x984
[ 101.153355] v9fs_fid_iget_dotl+0x174/0x208
[ 101.153767] v9fs_mount+0x37c/0x740
[ 101.154143] legacy_get_tree+0xd4/0x198
[ 101.154545] vfs_get_tree+0x78/0x284
[ 101.154890] path_mount+0x738/0x1500
[ 101.155226] __arm64_sys_mount+0x48c/0x5c4
[ 101.155579] invoke_syscall+0xd4/0x24c
[ 101.156002] el0_svc_common.constprop.0+0xb0/0x23c
[ 101.156458] do_el0_svc+0x44/0x60
[ 101.156869] el0_svc+0x3c/0x84
[ 101.157189] el0t_64_sync_handler+0x128/0x134
[ 101.157556] el0t_64_sync+0x1b0/0x1b4
[ 101.157897]
[ 101.158089] Allocated by task 158 on cpu 2 at 101.140412s:
[ 101.158429] kasan_save_stack+0x40/0x6c
[ 101.158797] kasan_save_track+0x24/0x44
[ 101.159167] kasan_save_alloc_info+0x44/0x5c
[ 101.159581] __kasan_kmalloc+0xe0/0xe4
[ 101.159946] kmalloc_trace+0x164/0x300
[ 101.160310] p9_client_getattr_dotl+0x50/0x19c
[ 101.160739] v9fs_fid_iget_dotl+0xb4/0x208
[ 101.161140] v9fs_mount+0x37c/0x740
[ 101.161508] legacy_get_tree+0xd4/0x198
[ 101.161902] vfs_get_tree+0x78/0x284
[ 101.162239] path_mount+0x738/0x1500
[ 101.162567] __arm64_sys_mount+0x48c/0x5c4
[ 101.162912] invoke_syscall+0xd4/0x24c
[ 101.163327] el0_svc_common.constprop.0+0xb0/0x23c
[ 101.163775] do_el0_svc+0x44/0x60
[ 101.164171] el0_svc+0x3c/0x84
[ 101.164490] el0t_64_sync_handler+0x128/0x134
[ 101.164848] el0t_64_sync+0x1b0/0x1b4
[ 101.165180]
[ 101.165372] Freed by task 158 on cpu 2 at 101.148373s:
[ 101.165705] kasan_save_stack+0x40/0x6c
[ 101.166074] kasan_save_track+0x24/0x44
[ 101.166443] kasan_save_free_info+0x50/0x7c
[ 101.166855] poison_slab_object+0x11c/0x170
[ 101.167235] __kasan_slab_free+0x40/0x7c
[ 101.167611] kfree+0xf0/0x298
[ 101.167945] v9fs_fid_iget_dotl+0x138/0x208
[ 101.168349] v9fs_mount+0x37c/0x740
[ 101.168717] legacy_get_tree+0xd4/0x198
[ 101.169111] vfs_get_tree+0x78/0x284
[ 101.169448] path_mount+0x738/0x1500
[ 101.169775] __arm64_sys_mount+0x48c/0x5c4
[ 101.170119] invoke_syscall+0xd4/0x24c
[ 101.170536] el0_svc_common.constprop.0+0xb0/0x23c
[ 101.170984] do_el0_svc+0x44/0x60
[ 101.171387] el0_svc+0x3c/0x84
[ 101.171699] el0t_64_sync_handler+0x128/0x134
[ 101.172058] el0t_64_sync+0x1b0/0x1b4
[ 101.172389]
[ 101.172581] The buggy address belongs to the object at ffff000805f06788
[ 101.172581] which belongs to the cache kmalloc-192 of size 192
[ 101.173042] The buggy address is located 0 bytes inside of
[ 101.173042] freed 192-byte region [ffff000805f06788, ffff000805f06848)
[ 101.173528]
[ 101.173714] The buggy address belongs to the physical page:
[ 101.174005] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff000805f068c8 pfn:0x885f06
[ 101.174426] head: order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 101.174770] flags: 0x5ffff0000000a40(workingset|slab|head|node=0|zone=2|lastcpupid=0x1ffff)
[ 101.175187] page_type: 0xffffffff()
[ 101.175519] raw: 05ffff0000000a40 ffff000800002c40 ffff000800000850 ffff000800000850
[ 101.175933] raw: ffff000805f068c8 0000000000190007 00000001ffffffff 0000000000000000
[ 101.176359] head: 05ffff0000000a40 ffff000800002c40 ffff000800000850 ffff000800000850
[ 101.176775] head: ffff000805f068c8 0000000000190007 00000001ffffffff 0000000000000000
[ 101.177199] head: 05ffff0000000001 fffffdffe017c181 dead000000000122 00000000ffffffff
[ 101.177611] head: 0000000200000000 0000000000000000 00000000ffffffff 0000000000000000
[ 101.177960] page dumped because: kasan: bad access detected
[ 101.178248]
[ 101.178440] Memory state around the buggy address:
[ 101.178731] ffff000805f06680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc
[ 101.179100] ffff000805f06700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 101.179469] >ffff000805f06780: fc fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 101.179806] ^
[ 101.180081] ffff000805f06800: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 101.180450] ffff000805f06880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 101.180787] ==================================================================
[ 101.181384] Disabling lock debugging due to kernel taint
[80713.750745] 9pnet_virtio: no channels available for device FM
After this I can see the directory contents but not execute shell
scripts.
Thanks,
Itaru.
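A KASAN splat like the one above carries three stacks (the access, the allocation and the free), and triage means lining them up. The parser below is an added helper, not part of the post or the 9p code; it runs over a constructed, trimmed excerpt of the report above and returns the first non-instrumentation frame of each stack, which here places the object's kmalloc in p9_client_getattr_dotl, its kfree in v9fs_fid_iget_dotl, and the stale read in v9fs_stat2inode_dotl.

```python
import re

# Constructed excerpt of the report in the post; frames trimmed to what triage needs.
SAMPLE_REPORT = """\
[ 101.148706] BUG: KASAN: slab-use-after-free in v9fs_stat2inode_dotl+0x804/0x984
[ 101.149185] Read of size 8 at addr ffff000805f06788 by task mount/158
[ 101.150436] Call trace:
[ 101.150658] dump_backtrace+0x94/0xf0
[ 101.152498] __asan_report_load8_noabort+0x24/0x34
[ 101.152931] v9fs_stat2inode_dotl+0x804/0x984
[ 101.153355] v9fs_fid_iget_dotl+0x174/0x208
[ 101.158089] Allocated by task 158 on cpu 2 at 101.140412s:
[ 101.158429] kasan_save_stack+0x40/0x6c
[ 101.159946] kmalloc_trace+0x164/0x300
[ 101.160310] p9_client_getattr_dotl+0x50/0x19c
[ 101.160739] v9fs_fid_iget_dotl+0xb4/0x208
[ 101.165372] Freed by task 158 on cpu 2 at 101.148373s:
[ 101.165705] kasan_save_stack+0x40/0x6c
[ 101.167611] kfree+0xf0/0x298
[ 101.167945] v9fs_fid_iget_dotl+0x138/0x208
[ 101.168349] v9fs_mount+0x37c/0x740
"""

# Instrumentation, allocator and backtrace-printing frames never name the responsible code.
NOISE = re.compile(r"^(kasan_|__kasan_|__asan_|kmalloc|kfree|poison_slab|dump_|show_stack|print_report)")
TIMESTAMP = re.compile(r"^\[\s*[\d.]+\]\s*")
FRAME = re.compile(r"^(\S+)\+0x[0-9a-f]+/0x[0-9a-f]+$")

def parse_kasan(report):
    """Return the bug kind, faulting function, access details, and the first
    non-noise frame of the use, alloc and free stacks."""
    result = {"sections": {}}
    section = None
    for line in report.splitlines():
        body = TIMESTAMP.sub("", line).strip()
        m = re.match(r"BUG: KASAN: (\S+) in (\S+)\+0x", body)
        if m:
            result["kind"], result["site"] = m.group(1), m.group(2)
            continue
        m = re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", body)
        if m:
            result["access"] = {"op": m.group(1), "size": int(m.group(2)),
                                "addr": m.group(3), "task": m.group(4)}
            continue
        if body.startswith("Call trace:"):
            section = "use"
        elif body.startswith("Allocated by"):
            section = "alloc"
        elif body.startswith("Freed by"):
            section = "free"
        m = FRAME.match(body)
        # Keep only the first frame per section that is not instrumentation noise.
        if m and section and section not in result["sections"] and not NOISE.match(m.group(1)):
            result["sections"][section] = m.group(1)
    return result

def summarize(r):
    """One-line triage verdict: where the object was allocated, freed, and then touched."""
    s, a = r["sections"], r["access"]
    return (f"{r['kind']} in {r['site']}: {a['op'].lower()} of {a['size']} bytes by {a['task']} "
            f"on memory allocated by {s.get('alloc', '?')} and freed by {s.get('free', '?')}")
```

The shadow bytes in the original report agree with this reading: `fa` at the accessed address marks the start of a freed slab object and the `fb` run after it the rest of the freed 192-byte region.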