Fixes according to kmemleak and kasan #4708

Closed
wants to merge 3 commits into
base: master
from
+1 −2

Fix out-of-bound access in zfs_fillpage

The original code will do an out-of-bound access on pl[] during the last
iteration.

[ 1841.677147] ==================================================================
[ 1841.677688] BUG: KASAN: stack-out-of-bounds in zfs_getpage+0x14c/0x2d0 [zfs] at addr ffff88005f1b7678
[ 1841.678229] Read of size 8 by task tmpfile/7850
[ 1841.678478] page:ffffea00017c6dc0 count:0 mapcount:0 mapping:          (null) index:0x0
[ 1841.678915] flags: 0xffff8000000000()
[ 1841.679115] page dumped because: kasan: bad access detected
[ 1841.679422] CPU: 3 PID: 7850 Comm: tmpfile Tainted: G           OE   4.6.0+ #3
[ 1841.679811] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 1841.680316]  ffff88005f1b7678 0000000006dbe035 ffff88005f1b7508 ffffffff81635618
[ 1841.680741]  ffff88005f1b7678 ffff88005f1b75a0 ffff88005f1b7590 ffffffff81313ee8
[ 1841.681165]  ffffea0001ae8dd0 ffff88005f1b7670 0000000000000246 0000000041b58ab3
[ 1841.681594] Call Trace:
[ 1841.681734]  [<ffffffff81635618>] dump_stack+0x63/0x8b
[ 1841.682035]  [<ffffffff81313ee8>] kasan_report_error+0x528/0x560
[ 1841.682360]  [<ffffffff81278f20>] ? filemap_map_pages+0x5f0/0x5f0
[ 1841.682691]  [<ffffffff813144b8>] kasan_report+0x58/0x60
[ 1841.683050]  [<ffffffffc12250dc>] ? zfs_getpage+0x14c/0x2d0 [zfs]
[ 1841.683384]  [<ffffffff81312e4e>] __asan_load8+0x5e/0x70
[ 1841.683741]  [<ffffffffc12250dc>] zfs_getpage+0x14c/0x2d0 [zfs]
[ 1841.684132]  [<ffffffffc1252131>] zpl_readpage+0xd1/0x180 [zfs]
...
[ 1841.694430]  [<ffffffff81353c3a>] SyS_execve+0x3a/0x50
[ 1841.694710]  [<ffffffff810058ef>] do_syscall_64+0xef/0x180
[ 1841.695007]  [<ffffffff81d0ee25>] entry_SYSCALL64_slow_path+0x25/0x25
[ 1841.695349] Memory state around the buggy address:
[ 1841.695610]  ffff88005f1b7500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1841.695994]  ffff88005f1b7580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1841.696380] >ffff88005f1b7600: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f4
[ 1841.696767]                                                                 ^
[ 1841.697146]  ffff88005f1b7680: f4 f4 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
[ 1841.697533]  ffff88005f1b7700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1841.697943] ==================================================================

Signed-off-by: Chunwei Chen <david.chen@osnexus.com>
tuxoko committed May 27, 2016
commit 01709937be3c28a89eff83e0e657a72826947506
@@ -4271,10 +4271,10 @@ zfs_fillpage(struct inode *ip, struct page *pl[], int nr_pages)
* Iterate over list of pages and read each page individually.
*/
page_idx = 0;
cur_pp = pl[0];
for (total = io_off + io_len; io_off < total; io_off += PAGESIZE) {
caddr_t va;
cur_pp = pl[page_idx++];
va = kmap(cur_pp);
err = dmu_read(os, zp->z_id, io_off, PAGESIZE, va,
DMU_READ_PREFETCH);
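Review bot: the loop in this hunk is bounded by `io_off < total` (computed from `io_off + io_len`), not by `nr_pages`, so the safety of `cur_pp = pl[page_idx++];` still depends on the caller sizing `pl[]` to cover `io_len`; consider an `ASSERT(page_idx < nr_pages)` immediately before that line so a mismatch is caught in debug builds instead of surfacing as another KASAN report. Moving the fetch to the loop head with a post-increment is the right shape: `page_idx` now counts pages actually read, and `pl[nr_pages - 1]` is the highest index the body can touch.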
@@ -4285,7 +4285,6 @@ zfs_fillpage(struct inode *ip, struct page *pl[], int nr_pages)
err = SET_ERROR(EIO);
return (err);
}
cur_pp = pl[++page_idx];
}
return (0);
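Review bot: dropping `cur_pp = pl[++page_idx];` at the loop tail is the substantive fix for the report in the commit message: on the final iteration the pre-increment advanced `page_idx` to `nr_pages` and read `pl[nr_pages]`, one element past the array, which matches KASAN's stack-out-of-bounds read in the caller `zfs_getpage`. Nothing between the end of the loop and `return (0);` uses `cur_pp`, so removing the tail update leaves no stale-pointer use; a one-line comment at the loop head stating that `page_idx` is advanced only after a successful fetch would make the invariant explicit for the next reader.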