NetBSD Problem Report #55251
From clare@csel.org Sun May 10 05:15:14 2020
Return-Path: <clare@csel.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 8AF8A1A9213
for <gnats-bugs@gnats.NetBSD.org>; Sun, 10 May 2020 05:15:14 +0000 (UTC)
Message-Id: <20200510051506.9033038844@mail.csel.org>
Date: Sun, 10 May 2020 14:15:06 +0900 (JST)
From: clare@csel.org
Reply-To: clare@csel.org
To: gnats-bugs@NetBSD.org
Subject: use of ZFS may trigger kernel memory corruption (KASAN error)
X-Send-Pr-Version: 3.95
>Number: 55251
>Category: kern
>Synopsis: use of ZFS may trigger kernel memory corruption (KASAN error)
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun May 10 05:20:01 +0000 2020
>Closed-Date: Tue May 12 21:26:04 +0000 2020
>Last-Modified: Tue May 12 22:00:02 +0000 2020
>Originator: Shinichi Doyashiki
>Release: NetBSD 9.99.59
>Organization:
at home
>Environment:
System: NetBSD yuzuki.nas.csel.org 9.99.59 NetBSD 9.99.59 (YUZUKI2_KASAN) #0: Tue May 5 19:13:50 JST 2020 clare@yuzuki.nas.csel.org:/export/netbsd/stage/hack/src/sys/arch/amd64/compile/YUZUKI2_KASAN amd64
Architecture: x86_64
Machine: amd64
>Description:
I got an error report from KASAN while ZFS load testing.
(The ZFS module itself was not compiled with the KASAN option
at the time; how do I enable it?)
[ 403635.376449] panic: ASan: Unauthorized Access In 0xffffffff80fbb04f: Addr 0xffffc90012f16a18 [8 bytes, read, PoolUseAfterFree]
[ 403635.376449] cpu0: Begin traceback...
[ 403635.386461] vpanic() at netbsd:vpanic+0x1f3
[ 403635.396466] snprintf() at netbsd:snprintf
[ 403635.416470] kasan_report() at netbsd:kasan_report+0x9c
[ 403635.426476] __asan_load8() at netbsd:__asan_load8+0x294
[ 403635.446481] mutex_oncpu() at netbsd:mutex_oncpu+0x25
[ 403635.456491] mutex_vector_enter() at netbsd:mutex_vector_enter+0xeb
[ 403635.466491] pool_put() at netbsd:pool_put+0x81
[ 403635.486499] pathbuf_destroy() at netbsd:pathbuf_destroy+0x57
[ 403635.496505] do_sys_openat() at netbsd:do_sys_openat+0x191
[ 403635.516516] sys_open() at netbsd:sys_open+0xaf
[ 403635.526518] syscall() at netbsd:syscall+0x4e8
[ 403635.536522] --- syscall (number 5) ---
[ 403635.536522] 6f8748a42cca:
[ 403635.536522] cpu0: End traceback...
>How-To-Repeat:
Create a zpool. (I chose a RAIDZ configuration and added a slog
device; not yet narrowed down.)
# zpool create zpool raidz wd2 wd3 wd4 wd5
# zpool add zpool log dk1
Run a load test like "build.sh -j4" for a few days on the pool created.
>Fix:
unknown.
>Release-Note:
>Audit-Trail:
From: "Andrew Doran" <ad@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/55251 CVS commit: src/sys/kern
Date: Tue, 12 May 2020 21:24:30 +0000
Module Name: src
Committed By: ad
Date: Tue May 12 21:24:30 UTC 2020
Modified Files:
src/sys/kern: kern_mutex.c
Log Message:
PR kern/55251: use of ZFS may trigger kernel memory corruption
mutex_vector_enter(): reload mtx_owner with preemption disabled before
calling mutex_oncpu(), otherwise lwp_dtor() can intervene.
To generate a diff of this commit:
cvs rdiff -u -r1.90 -r1.91 src/sys/kern/kern_mutex.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->closed
State-Changed-By: ad@NetBSD.org
State-Changed-When: Tue, 12 May 2020 21:26:04 +0000
State-Changed-Why:
Fixed with revision 1.91 of src/sys/kern/kern_mutex.c.
Thanks for the problem report.
From: "Andrew Doran" <ad@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/55251 CVS commit: src/sys/kern
Date: Tue, 12 May 2020 21:56:17 +0000
Module Name: src
Committed By: ad
Date: Tue May 12 21:56:17 UTC 2020
Modified Files:
src/sys/kern: kern_mutex.c
Log Message:
PR kern/55251 (use of ZFS may trigger kernel memory corruption (KASAN error))
Previous wasn't quite right. Redo it differently - disable preemption
earlier instead.
To generate a diff of this commit:
cvs rdiff -u -r1.91 -r1.92 src/sys/kern/kern_mutex.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
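The race the two commits above describe, as an added example that is not NetBSD kernel code: a toy C model of one pass of the spin-wait check in mutex_vector_enter(), with the owner LWP exiting between the load of mtx_owner and the dereference inside mutex_oncpu(). The names mtx_owner, mutex_oncpu, lwp_dtor and kpreempt_disable/kpreempt_enable follow the PR and the kernel API, but every body here is the model's own. Two things are assumptions of the model rather than statements on this page: the l_freed flag stands in for KASAN's PoolUseAfterFree check, and lwp_dtor() is modelled as waiting for any CPU that has preemption disabled before it releases the record, which is what makes "disable preemption earlier" a fix. owner_exits() is a constructed event standing in for the owner unlocking, exiting and being destroyed on another CPU.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy LWP record. l_cpu is what mutex_oncpu() inspects. */
struct lwp {
    int  l_cpu;     /* CPU the LWP runs on, -1 once it has exited */
    bool l_freed;   /* set when the toy pool has released the record */
};

/* Toy adaptive mutex: only the owner pointer matters for this race. */
struct mutex {
    struct lwp *mtx_owner;
};

/* Simulated preemption state of the CPU running the waiting LWP. */
static int preempt_count;           /* >0 means preemption disabled */
static struct lwp *deferred_free;   /* lwp_dtor() held back by the barrier */

static void kpreempt_disable(void) { preempt_count++; }

static void kpreempt_enable(void)
{
    if (--preempt_count == 0 && deferred_free != NULL) {
        /* Barrier released: the record goes away only now. */
        deferred_free->l_freed = true;
        deferred_free = NULL;
    }
}

/* Toy lwp_dtor(). Model assumption (not stated on the PR page): the
 * destructor waits for every CPU that has preemption disabled before it
 * releases the record. A reader that loaded the owner pointer *before*
 * disabling preemption is outside that protection. */
static void lwp_dtor(struct lwp *l)
{
    if (preempt_count > 0) {
        deferred_free = l;
        return;
    }
    l->l_freed = true;
}

/* Constructed event: the owner drops the mutex, exits, and is destroyed. */
static void owner_exits(struct mutex *mtx)
{
    struct lwp *l = mtx->mtx_owner;
    mtx->mtx_owner = NULL;
    l->l_cpu = -1;
    lwp_dtor(l);
}

/* mutex_oncpu(): dereferences the owner to see whether it still runs.
 * The KASAN stand-in flags the load if the record was already released. */
static bool mutex_oncpu(const struct lwp *owner, bool *uaf)
{
    if (owner->l_freed) {
        *uaf = true;            /* PoolUseAfterFree on this read */
        return false;
    }
    return owner->l_cpu >= 0;
}

struct outcome {
    bool uaf;           /* KASAN stand-in fired */
    bool oncpu;         /* what the spin check concluded */
    bool freed_at_end;  /* record released once preemption was re-enabled */
};

/* One pass of the spin-wait check, with the owner exiting in the middle.
 * `fixed` selects the ordering from the commit: disable preemption before
 * loading mtx_owner, instead of after. */
static struct outcome spin_check(bool fixed)
{
    struct lwp owner = { .l_cpu = 1, .l_freed = false };
    struct mutex mtx = { .mtx_owner = &owner };
    struct outcome r = { false, false, false };
    struct lwp *o;

    preempt_count = 0;
    deferred_free = NULL;

    if (fixed) {
        kpreempt_disable();
        o = mtx.mtx_owner;      /* load inside the protected window */
        owner_exits(&mtx);      /* owner leaves elsewhere; dtor must wait */
    } else {
        o = mtx.mtx_owner;      /* load with preemption still enabled ... */
        owner_exits(&mtx);      /* ... waiter preempted, owner torn down */
        kpreempt_disable();     /* too late: `o` is already stale */
    }
    r.oncpu = mutex_oncpu(o, &r.uaf);
    kpreempt_enable();
    r.freed_at_end = owner.l_freed;
    return r;
}

int main(void)
{
    struct outcome b = spin_check(false), f = spin_check(true);
    printf("buggy: uaf=%d oncpu=%d\n", b.uaf, b.oncpu);
    printf("fixed: uaf=%d oncpu=%d freed_after_enable=%d\n",
           f.uaf, f.oncpu, f.freed_at_end);
    return (b.uaf && !f.uaf) ? 0 : 1;
}
```

In the fixed ordering the waiter still reads a stale owner pointer (the owner has already exited), but the record is intact, mutex_oncpu() reports "not on CPU", and the free completes only after kpreempt_enable(); the waiter then falls through to the blocking path, which re-reads mtx_owner. In the buggy ordering the same dereference hits released memory, which is the PoolUseAfterFree read KASAN reported from mutex_oncpu() in the traceback above.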
>Unformatted:
Copyright © 1994-2020
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.