NetBSD Problem Report #55251

From clare@csel.org  Sun May 10 05:15:14 2020
Return-Path: <clare@csel.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 8AF8A1A9213
	for <gnats-bugs@gnats.NetBSD.org>; Sun, 10 May 2020 05:15:14 +0000 (UTC)
Message-Id: <20200510051506.9033038844@mail.csel.org>
Date: Sun, 10 May 2020 14:15:06 +0900 (JST)
From: clare@csel.org
Reply-To: clare@csel.org
To: gnats-bugs@NetBSD.org
Subject: use of ZFS may trigger kernel memory corruption (KASAN error)
X-Send-Pr-Version: 3.95

>Number:         55251
>Category:       kern
>Synopsis:       use of ZFS may trigger kernel memory corruption (KASAN error)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun May 10 05:20:01 +0000 2020
>Closed-Date:    Tue May 12 21:26:04 +0000 2020
>Last-Modified:  Tue May 12 22:00:02 +0000 2020
>Originator:     Shinichi Doyashiki
>Release:        NetBSD 9.99.59
>Organization:
	at home
>Environment:
System: NetBSD yuzuki.nas.csel.org 9.99.59 NetBSD 9.99.59 (YUZUKI2_KASAN) #0: Tue May 5 19:13:50 JST 2020 clare@yuzuki.nas.csel.org:/export/netbsd/stage/hack/src/sys/arch/amd64/compile/YUZUKI2_KASAN amd64
Architecture: x86_64
Machine: amd64
>Description:
	I got an error report from the KASAN while ZFS load testing.
	(the ZFS module itself was not compiled with the KASAN option
	at the time, how to enable it?)

[ 403635.376449] panic: ASan: Unauthorized Access In 0xffffffff80fbb04f: Addr 0xffffc90012f16a18 [8 bytes, read, PoolUseAfterFree]

[ 403635.376449] cpu0: Begin traceback...
[ 403635.386461] vpanic() at netbsd:vpanic+0x1f3
[ 403635.396466] snprintf() at netbsd:snprintf
[ 403635.416470] kasan_report() at netbsd:kasan_report+0x9c
[ 403635.426476] __asan_load8() at netbsd:__asan_load8+0x294
[ 403635.446481] mutex_oncpu() at netbsd:mutex_oncpu+0x25
[ 403635.456491] mutex_vector_enter() at netbsd:mutex_vector_enter+0xeb
[ 403635.466491] pool_put() at netbsd:pool_put+0x81
[ 403635.486499] pathbuf_destroy() at netbsd:pathbuf_destroy+0x57
[ 403635.496505] do_sys_openat() at netbsd:do_sys_openat+0x191
[ 403635.516516] sys_open() at netbsd:sys_open+0xaf
[ 403635.526518] syscall() at netbsd:syscall+0x4e8
[ 403635.536522] --- syscall (number 5) ---
[ 403635.536522] 6f8748a42cca:
[ 403635.536522] cpu0: End traceback...


>How-To-Repeat:
	create a zpool. (I chose a RAIDZ configuration and added a slog
	device; not yet narrowed down)
	# zpool create zpool raidz wd2 wd3 wd4 wd5
	# zpool add zpool log dk1

	run a load test like "build.sh -j4" for a few days on the pool created.


>Fix:
	unknown.

>Release-Note:

>Audit-Trail:
From: "Andrew Doran" <ad@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/55251 CVS commit: src/sys/kern
Date: Tue, 12 May 2020 21:24:30 +0000

 Module Name:	src
 Committed By:	ad
 Date:		Tue May 12 21:24:30 UTC 2020

 Modified Files:
 	src/sys/kern: kern_mutex.c

 Log Message:
 PR kern/55251: use of ZFS may trigger kernel memory corruption

 mutex_vector_enter(): reload mtx_owner with preemption disabled before
 calling mutex_oncpu(), otherwise lwp_dtor() can intervene.


 To generate a diff of this commit:
 cvs rdiff -u -r1.90 -r1.91 src/sys/kern/kern_mutex.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->closed
State-Changed-By: ad@NetBSD.org
State-Changed-When: Tue, 12 May 2020 21:26:04 +0000
State-Changed-Why:
Fixed with revision 1.91 of src/sys/kern/kern_mutex.c.
Thanks for the problem report.


From: "Andrew Doran" <ad@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/55251 CVS commit: src/sys/kern
Date: Tue, 12 May 2020 21:56:17 +0000

 Module Name:	src
 Committed By:	ad
 Date:		Tue May 12 21:56:17 UTC 2020

 Modified Files:
 	src/sys/kern: kern_mutex.c

 Log Message:
 PR kern/55251 (use of ZFS may trigger kernel memory corruption (KASAN error))

 Previous wasn't quite right.  Redo it differently - disable preemption
 earlier instead.


 To generate a diff of this commit:
 cvs rdiff -u -r1.91 -r1.92 src/sys/kern/kern_mutex.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.
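The two commits above describe the bug as an ordering problem: mutex_vector_enter() took its snapshot of mtx_owner while preemption was still enabled, so an exiting owner could be torn down by lwp_dtor() before mutex_oncpu() dereferenced that snapshot, which is the PoolUseAfterFree read in the KASAN trace. The following is an added toy model of that race, not NetBSD's kern_mutex.c: the names maybe_preempt(), run_race(), dtor_pending and the `freed` poison flag are invented for the model, mutex_oncpu() is reduced to "dereference the owner and look at its CPU", and lwp_dtor() is simplified to "cannot complete while this CPU has preemption disabled" (an assumption that stands in for the kernel's deferred lwp destruction).

```c
/*
 * Toy model of the race fixed in kern_mutex.c r1.91/r1.92 (PR kern/55251).
 * Added illustration only, NOT NetBSD's mutex code: maybe_preempt(),
 * run_race(), dtor_pending and the `freed` flag are invented for the model,
 * and lwp_dtor() is simplified to "cannot complete while this CPU has
 * preemption disabled".
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct lwp {
    int  l_cpu;   /* CPU the lwp is running on, or -1 if it is not running */
    bool freed;   /* stands in for the pool/KASAN quarantine: true = freed memory */
};

struct kmutex {
    struct lwp *mtx_owner;  /* owning lwp, or NULL if the mutex is unowned */
};

static int  preempt_depth;   /* >0: preemption disabled on this CPU (model) */
static bool dtor_pending;    /* model: the owner is exiting, lwp_dtor() waits to run */

static void kpreempt_disable(void) { preempt_depth++; }
static void kpreempt_enable(void)  { preempt_depth--; }

/*
 * A point where other CPUs or the scheduler can make progress. If this CPU
 * has preemption enabled and the owner is exiting, the owner releases the
 * mutex and lwp_dtor() returns its struct lwp to the pool.
 */
static void maybe_preempt(struct kmutex *mtx)
{
    if (preempt_depth == 0 && dtor_pending) {
        struct lwp *l = mtx->mtx_owner;
        mtx->mtx_owner = NULL;   /* mutex_exit() by the exiting owner */
        l->freed = true;         /* lwp_dtor(): memory goes back to the pool */
        dtor_pending = false;
    }
}

/*
 * Model of mutex_oncpu(): decide whether the owner is still running, which
 * requires dereferencing the owner pointer. Returns 1 (owner on a CPU, spin),
 * 0 (no owner or owner sleeping), or -1 if the dereference touched freed
 * memory, i.e. what KASAN reported as PoolUseAfterFree in the trace above.
 */
static int mutex_oncpu(const struct lwp *owner)
{
    if (owner == NULL)
        return 0;
    if (owner->freed)
        return -1;
    return owner->l_cpu >= 0 ? 1 : 0;
}

/* Ordering before the fix: mtx_owner is read while preemption is still enabled. */
static int spin_decision_old(struct kmutex *mtx)
{
    struct lwp *owner = mtx->mtx_owner;   /* snapshot taken too early */
    maybe_preempt(mtx);                   /* owner exits; its lwp is freed */
    kpreempt_disable();
    int r = mutex_oncpu(owner);           /* dereferences the stale pointer */
    kpreempt_enable();
    return r;
}

/* Ordering after the fix: preemption is disabled first, then mtx_owner is read. */
static int spin_decision_fixed(struct kmutex *mtx)
{
    kpreempt_disable();
    maybe_preempt(mtx);                   /* lwp_dtor() cannot intervene here */
    struct lwp *owner = mtx->mtx_owner;   /* fresh read under the guard */
    int r = mutex_oncpu(owner);
    kpreempt_enable();
    return r;
}

/* Drive one lock attempt against a mutex whose owner is about to exit. */
static int run_race(int (*enter)(struct kmutex *))
{
    struct lwp owner = { .l_cpu = 0, .freed = false };   /* constructed sample lwp */
    struct kmutex mtx = { .mtx_owner = &owner };
    preempt_depth = 0;
    dtor_pending = true;
    return enter(&mtx);
}

int main(void)
{
    printf("old ordering:   %d (-1 = use-after-free)\n", run_race(spin_decision_old));
    printf("fixed ordering: %d (1 = owner on cpu, spin)\n", run_race(spin_decision_fixed));
    return 0;
}
```

In the model the old ordering returns -1 (the owner's lwp was freed between the snapshot and the dereference), while the fixed ordering returns 1 because the owner cannot be destroyed while the reader holds preemption off. If the owner had already exited before kpreempt_disable(), the fixed path would simply read NULL and return 0, which is the safe outcome; the point of the fix is that the pointer is only ever dereferenced under the same guard that keeps it alive.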

>Unformatted:

Copyright © 1994-2020 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.