openzfs / zfs

OpenZFS on Linux and FreeBSD
https://openzfs.github.io/openzfs-docs

KASAN: stack-out-of-bounds in arc_read+0x3643/0x3790 [zfs] #13142

Open szubersk opened 2 years ago

szubersk commented 2 years ago

System information

Type                  Version/Name
Distribution Name     Debian
Distribution Version  bookworm
Kernel Version        5.15.23-kasan
Architecture          amd64
OpenZFS Version       zfs-2.1.99-854_ga5b3fab34 zfs-kmod-2.1.99-854_ga5b3fab34

Describe the problem you're observing

[Tue Feb 22 14:41:26 2022] BUG: KASAN: stack-out-of-bounds in arc_read+0x3643/0x3790 [zfs]
[Tue Feb 22 14:41:26 2022] Read of size 32 at addr ffff888132e37640 by task txg_sync/17380

[Tue Feb 22 14:41:26 2022] CPU: 7 PID: 17380 Comm: txg_sync Tainted: P           O      5.15.23-kasan #1
[Tue Feb 22 14:41:26 2022] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[Tue Feb 22 14:41:26 2022] Call Trace:
[Tue Feb 22 14:41:26 2022]  <TASK>
[Tue Feb 22 14:41:26 2022]  dump_stack_lvl+0x46/0x5a
[Tue Feb 22 14:41:26 2022]  print_address_description.constprop.0+0x1f/0x140
[Tue Feb 22 14:41:26 2022]  ? arc_read+0x3643/0x3790 [zfs]
[Tue Feb 22 14:41:26 2022]  kasan_report.cold+0x83/0xdf
[Tue Feb 22 14:41:26 2022]  ? arc_read+0x3643/0x3790 [zfs]
[Tue Feb 22 14:41:26 2022]  arc_read+0x3643/0x3790 [zfs]
[Tue Feb 22 14:41:26 2022]  ? dbuf_read+0x9aa/0xf80 [zfs]
[Tue Feb 22 14:41:26 2022]  ? dbuf_rele_and_unlock+0xe00/0xe00 [zfs]
[Tue Feb 22 14:41:26 2022]  ? arc_loan_raw_buf+0x70/0x70 [zfs]
[Tue Feb 22 14:41:26 2022]  ? dbuf_write_children_ready+0x400/0x400 [zfs]
[Tue Feb 22 14:41:26 2022]  ? __raw_spin_unlock+0x5/0x10 [zfs]
[Tue Feb 22 14:41:26 2022]  ? dbuf_rele_and_unlock+0x449/0xe00 [zfs]
[Tue Feb 22 14:41:26 2022]  ? __cond_resched+0x16/0x40
[Tue Feb 22 14:41:26 2022]  ? queued_spin_unlock+0x5/0x10 [zfs]
[Tue Feb 22 14:41:26 2022]  ? __raw_spin_unlock+0x5/0x10 [zfs]
[Tue Feb 22 14:41:26 2022]  ? dnode_block_freed+0x17e/0x230 [zfs]
[Tue Feb 22 14:41:26 2022]  dbuf_read_impl.constprop.0+0x67e/0xb80 [zfs]
[Tue Feb 22 14:41:26 2022]  ? dbuf_write_override_ready+0x70/0x70 [zfs]
[Tue Feb 22 14:41:26 2022]  ? spl_kmem_cache_alloc+0xd3/0x480 [spl]
[Tue Feb 22 14:41:26 2022]  ? zio_null+0x2b/0x30 [zfs]
[Tue Feb 22 14:41:26 2022]  dbuf_read+0x289/0xf80 [zfs]
[Tue Feb 22 14:41:26 2022]  ? dbuf_read_impl.constprop.0+0xb80/0xb80 [zfs]
[Tue Feb 22 14:41:26 2022]  ? __raw_spin_unlock+0x5/0x10 [zfs]
[Tue Feb 22 14:41:26 2022]  ? dmu_buf_hold_noread+0x111/0x1d0 [zfs]
[Tue Feb 22 14:41:26 2022]  ? dmu_offset_next+0x250/0x250 [zfs]
[Tue Feb 22 14:41:26 2022]  ? zap_getflags+0x45/0x80 [zfs]
[Tue Feb 22 14:41:26 2022]  ? zap_leaf_array_read+0x315/0x650 [zfs]
[Tue Feb 22 14:41:26 2022]  ? zap_leaf_array_match+0x150/0x470 [zfs]
[Tue Feb 22 14:41:26 2022]  dmu_buf_hold+0x72/0xd0 [zfs]
[Tue Feb 22 14:41:26 2022]  zap_lockdir+0xa6/0x1c0 [zfs]
[Tue Feb 22 14:41:26 2022]  ? zap_byteswap+0x70/0x70 [zfs]
[Tue Feb 22 14:41:26 2022]  ? zfs_refcount_add_many+0x155/0x1f0 [zfs]
[Tue Feb 22 14:41:26 2022]  ? dbuf_rele_and_unlock+0x960/0xe00 [zfs]
[Tue Feb 22 14:41:26 2022]  ? dbuf_evict_notify+0x40/0x40 [zfs]
[Tue Feb 22 14:41:26 2022]  zap_lookup_norm+0xa1/0x130 [zfs]
[Tue Feb 22 14:41:26 2022]  ? zap_count+0x180/0x180 [zfs]
[Tue Feb 22 14:41:26 2022]  zap_lookup+0x12/0x20 [zfs]
[Tue Feb 22 14:41:26 2022]  zap_lookup_int_key+0xa1/0xd0 [zfs]
[Tue Feb 22 14:41:26 2022]  ? zap_update_int_key+0xf0/0xf0 [zfs]
[Tue Feb 22 14:41:26 2022]  ? zcp_user_props_iter+0xd9/0x170 [zfs]
[Tue Feb 22 14:41:26 2022]  ? spa_feature_decr+0x20/0x20 [zfs]
[Tue Feb 22 14:41:26 2022]  spa_generate_syncing_log_sm+0x132/0x340 [zfs]
[Tue Feb 22 14:41:26 2022]  ? spa_cleanup_old_sm_logs+0x350/0x350 [zfs]
[Tue Feb 22 14:41:26 2022]  ? __cond_resched+0x16/0x40
[Tue Feb 22 14:41:26 2022]  ? queued_spin_unlock+0x5/0x10 [zfs]
[Tue Feb 22 14:41:26 2022]  ? __raw_spin_unlock+0x5/0x10 [zfs]
[Tue Feb 22 14:41:26 2022]  ? multilist_is_empty+0x16f/0x210 [zfs]
[Tue Feb 22 14:41:26 2022]  ? spa_feature_decr+0x20/0x20 [zfs]
[Tue Feb 22 14:41:26 2022]  spa_flush_metaslabs+0xc8/0x3c0 [zfs]
[Tue Feb 22 14:41:26 2022]  ? __cv_broadcast+0xb8/0x140 [spl]
[Tue Feb 22 14:41:26 2022]  spa_sync_iterate_to_convergence+0x22c/0x450 [zfs]
[Tue Feb 22 14:41:26 2022]  spa_sync+0x6c9/0x12c0 [zfs]
[Tue Feb 22 14:41:26 2022]  ? __cond_resched+0x16/0x40
[Tue Feb 22 14:41:26 2022]  ? spa_async_dispatch+0x1b0/0x1b0 [zfs]
[Tue Feb 22 14:41:26 2022]  ? spa_txg_history_set+0x14e/0x1e0 [zfs]
[Tue Feb 22 14:41:26 2022]  txg_sync_thread+0x5ae/0x960 [zfs]
[Tue Feb 22 14:41:26 2022]  ? slab_free_freelist_hook+0x66/0x130
[Tue Feb 22 14:41:26 2022]  ? txg_dispatch_callbacks+0x1b0/0x1b0 [zfs]
[Tue Feb 22 14:41:26 2022]  ? kfree+0xc5/0x280
[Tue Feb 22 14:41:26 2022]  ? txg_dispatch_callbacks+0x1b0/0x1b0 [zfs]
[Tue Feb 22 14:41:26 2022]  thread_generic_wrapper+0x171/0x200 [spl]
[Tue Feb 22 14:41:26 2022]  ? _raw_spin_unlock_irqrestore+0xa/0x20
[Tue Feb 22 14:41:26 2022]  ? IS_ERR+0x10/0x10 [spl]
[Tue Feb 22 14:41:26 2022]  kthread+0x127/0x150
[Tue Feb 22 14:41:26 2022]  ? set_kthread_struct+0x40/0x40
[Tue Feb 22 14:41:26 2022]  ret_from_fork+0x22/0x30
[Tue Feb 22 14:41:26 2022]  </TASK>

[Tue Feb 22 14:41:26 2022] The buggy address belongs to the page:
[Tue Feb 22 14:41:26 2022] page:000000007bcd694e refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x132e37
[Tue Feb 22 14:41:26 2022] flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff)
[Tue Feb 22 14:41:26 2022] raw: 0017ffffc0000000 0000000000000000 ffffea0004cb8d88 0000000000000000
[Tue Feb 22 14:41:26 2022] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[Tue Feb 22 14:41:26 2022] page dumped because: kasan: bad access detected

[Tue Feb 22 14:41:26 2022] addr ffff888132e37640 is located in stack of task txg_sync/17380 at offset 64 in frame:
[Tue Feb 22 14:41:26 2022]  dbuf_read_impl.constprop.0+0x0/0xb80 [zfs]

[Tue Feb 22 14:41:26 2022] this frame has 3 objects:
[Tue Feb 22 14:41:26 2022]  [48, 52) 'aflags'
[Tue Feb 22 14:41:26 2022]  [64, 96) 'zb'
[Tue Feb 22 14:41:26 2022]  [128, 256) 'bp'

[Tue Feb 22 14:41:26 2022] Memory state around the buggy address:
[Tue Feb 22 14:41:26 2022]  ffff888132e37500: f1 f1 00 f2 f2 f2 00 f3 f3 f3 00 00 00 00 00 00
[Tue Feb 22 14:41:26 2022]  ffff888132e37580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[Tue Feb 22 14:41:26 2022] >ffff888132e37600: f1 f1 f1 f1 f1 f1 04 f2 00 00 f1 f1 f2 f2 f2 f2
[Tue Feb 22 14:41:26 2022]                                                  ^
[Tue Feb 22 14:41:26 2022]  ffff888132e37680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[Tue Feb 22 14:41:26 2022]  ffff888132e37700: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
[Tue Feb 22 14:41:26 2022] ==================================================================

Describe how to reproduce the problem

/usr/share/zfs/zfs-tests.sh -v -r common -T pyzfs
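The report above can be decoded mechanically rather than by counting shadow bytes by hand. The following Python script is an added example, not part of this issue or of OpenZFS: it parses the access line, the frame-object list and the "Memory state" dump, maps the faulting 32-byte read onto the frame layout, and reports which 8-byte granules of the access land on poisoned shadow bytes. The shadow encodings (0x00 addressable, 0x01..0x07 partially addressable, 0xf1/0xf2/0xf3 stack left/mid/right redzone) are the kernel's KASAN constants; the sample lines are copied from the report in this issue, and the function names are the example's own.

```python
"""Decode a KASAN stack-out-of-bounds report (added example, not OpenZFS code).

Each KASAN shadow byte describes one 8-byte granule: 0x00 means all 8 bytes are
addressable, 0x01..0x07 means only that many leading bytes are, and 0xf1/0xf2/
0xf3 mark the left/mid/right stack redzones (values from mm/kasan/kasan.h).
"""
import re

SHADOW_SCALE = 8               # bytes of memory covered by one shadow byte
ROW_BYTES = 16 * SHADOW_SCALE  # one dump row shows 16 shadow bytes

STACK_POISON = {0xF1: "stack left redzone",
                0xF2: "stack mid redzone",
                0xF3: "stack right redzone"}

ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)")
FRAME_RE = re.compile(r"at offset (\d+) in frame:")
OBJECT_RE = re.compile(r"\[(\d+), (\d+)\) '([^']+)'")
ROW_RE = re.compile(r"([0-9a-f]{16}):((?: [0-9a-f]{2}){16})\s*$")

# The lines of the report above that the decoder needs (copied from the issue).
SAMPLE_REPORT = """\
[Tue Feb 22 14:41:26 2022] Read of size 32 at addr ffff888132e37640 by task txg_sync/17380
[Tue Feb 22 14:41:26 2022] addr ffff888132e37640 is located in stack of task txg_sync/17380 at offset 64 in frame:
[Tue Feb 22 14:41:26 2022]  [48, 52) 'aflags'
[Tue Feb 22 14:41:26 2022]  [64, 96) 'zb'
[Tue Feb 22 14:41:26 2022]  [128, 256) 'bp'
[Tue Feb 22 14:41:26 2022]  ffff888132e37580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[Tue Feb 22 14:41:26 2022] >ffff888132e37600: f1 f1 f1 f1 f1 f1 04 f2 00 00 f1 f1 f2 f2 f2 f2
[Tue Feb 22 14:41:26 2022]                                                  ^
[Tue Feb 22 14:41:26 2022]  ffff888132e37680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
""".splitlines()


def describe_shadow(val):
    """Human-readable meaning of one shadow byte."""
    if val == 0:
        return "addressable"
    if 1 <= val <= 7:
        return f"only first {val} bytes addressable"
    return STACK_POISON.get(val, f"poisoned ({val:#04x})")


def granule_is_bad(g, val, addr, size):
    """True if the bytes of [addr, addr+size) inside granule g are poisoned."""
    if val == 0:
        return False
    if 1 <= val <= 7:
        # Partially addressable granule: bad only if the access runs past
        # its first `val` bytes.
        return min(addr + size, g + SHADOW_SCALE) - g > val
    return True


def parse_report(lines):
    """Extract the access, frame offset, frame objects and shadow rows."""
    info = {"objects": [], "rows": {}}
    for line in lines:
        if m := ACCESS_RE.search(line):
            info["access"] = (m.group(1), int(m.group(2)), int(m.group(3), 16))
        elif m := FRAME_RE.search(line):
            info["frame_offset"] = int(m.group(1))
        elif m := OBJECT_RE.search(line):
            info["objects"].append((int(m.group(1)), int(m.group(2)), m.group(3)))
        elif m := ROW_RE.search(line):
            info["rows"][int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return info


def analyze(lines):
    """Relate the faulting access to the frame layout and to the shadow bytes."""
    info = parse_report(lines)
    kind, size, addr = info["access"]
    frame_base = addr - info["frame_offset"]
    lo, hi = addr - frame_base, addr - frame_base + size
    # Frame objects whose [start, end) range overlaps the accessed offsets.
    objects = [name for s, e, name in info["objects"] if s < hi and lo < e]
    shadow = []
    g = addr - addr % SHADOW_SCALE
    while g < addr + size:
        row_base = g - g % ROW_BYTES
        if row_base not in info["rows"]:
            raise KeyError(f"shadow row {row_base:#x} missing from dump")
        val = info["rows"][row_base][(g - row_base) // SHADOW_SCALE]
        shadow.append((g, val, describe_shadow(val)))
        g += SHADOW_SCALE
    poisoned = [g for g, val, _ in shadow if granule_is_bad(g, val, addr, size)]
    return {"kind": kind, "size": size, "addr": addr, "frame_base": frame_base,
            "frame_range": (lo, hi), "objects": objects,
            "shadow": shadow, "poisoned": poisoned}


if __name__ == "__main__":
    r = analyze(SAMPLE_REPORT)
    print(f"{r['kind']} of {r['size']} bytes at {r['addr']:#x}: frame offsets "
          f"[{r['frame_range'][0]}, {r['frame_range'][1]}) in {r['objects']}")
    for g, val, meaning in r["shadow"]:
        print(f"  {g:#x}: shadow {val:#04x} {meaning}")
```

Run on these lines, the script places the read at frame offsets [64, 96), entirely inside the object 'zb' as the frame description lists it, yet the shadow bytes for the last two granules (0x...650 and 0x...658) are 0xf1, a stack left redzone, which is what trips the sanitizer. The frame description says 'zb' is 32 bytes while the shadow marks only the first 16 as addressable; that disagreement is the concrete thing to take to the disassembly of dbuf_read_impl.constprop.0 when chasing this report.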

stale[bot] commented 1 year ago

This issue has been automatically marked as "stale" because it has not had any activity for a while. It will be closed in 90 days if no further activity occurs. Thank you for your contributions.

szubersk commented 1 year ago

Prolly still relevant. I'll run ZTS with KASan on Linux 6.1 again when I have a spare minute.