
KASAN reports invalid load access while flushing ext2 superblock on RISC-V #25547

Open
spholz opened this issue Dec 12, 2024 · 2 comments · May be fixed by #25640

Comments

@spholz (Member)

spholz commented Dec 12, 2024

This doesn't happen on x86-64 for some reason.

Kernel log:

21.697 [init_stage2(1:1)]: Ext2FS: super block magic: ef53 (super block size: 1024)
21.703 [init_stage2(1:1)]: Ext2FS: 149504 inodes, 517924 blocks
21.708 [init_stage2(1:1)]: Ext2FS: Block size: 4096
21.712 [init_stage2(1:1)]: Ext2FS: First data block: 0
21.716 [init_stage2(1:1)]: Ext2FS: Inodes per block: 16
21.721 [init_stage2(1:1)]: Ext2FS: Inodes per group: 9344
21.725 [init_stage2(1:1)]: Ext2FS: Free inodes: 130622
21.729 [init_stage2(1:1)]: Ext2FS: Descriptors per block: 128
21.734 [init_stage2(1:1)]: Ext2FS: Descriptor size: 32
22.372 [#0 init_stage2(1:1)]: BlockBasedFileSystem::read_block 1
22.381 [#0 init_stage2(1:1)]: Ext2FS: group[1] ( block_bitmap: 112, inode_bitmap: 113, inode_table: 114 )
22.385 [#0 init_stage2(1:1)]: Ext2FS: group[2] ( block_bitmap: 32880, inode_bitmap: 32881, inode_table: 32882 )
22.389 [#0 init_stage2(1:1)]: Ext2FS: group[3] ( block_bitmap: 65536, inode_bitmap: 65537, inode_table: 65538 )
22.393 [#0 init_stage2(1:1)]: Ext2FS: group[4] ( block_bitmap: 98416, inode_bitmap: 98417, inode_table: 98418 )
22.397 [#0 init_stage2(1:1)]: Ext2FS: group[5] ( block_bitmap: 131072, inode_bitmap: 131073, inode_table: 131074 )
22.401 [#0 init_stage2(1:1)]: Ext2FS: group[6] ( block_bitmap: 163952, inode_bitmap: 163953, inode_table: 163954 )
22.405 [#0 init_stage2(1:1)]: Ext2FS: group[7] ( block_bitmap: 196608, inode_bitmap: 196609, inode_table: 196610 )
22.409 [#0 init_stage2(1:1)]: Ext2FS: group[8] ( block_bitmap: 229488, inode_bitmap: 229489, inode_table: 229490 )
22.414 [#0 init_stage2(1:1)]: Ext2FS: group[9] ( block_bitmap: 262144, inode_bitmap: 262145, inode_table: 262146 )
22.418 [#0 init_stage2(1:1)]: Ext2FS: group[10] ( block_bitmap: 295024, inode_bitmap: 295025, inode_table: 295026 )
22.422 [#0 init_stage2(1:1)]: Ext2FS: group[11] ( block_bitmap: 327680, inode_bitmap: 327681, inode_table: 327682 )
22.426 [#0 init_stage2(1:1)]: Ext2FS: group[12] ( block_bitmap: 360448, inode_bitmap: 360449, inode_table: 360450 )
22.431 [#0 init_stage2(1:1)]: Ext2FS: group[13] ( block_bitmap: 393216, inode_bitmap: 393217, inode_table: 393218 )
22.435 [#0 init_stage2(1:1)]: Ext2FS: group[14] ( block_bitmap: 425984, inode_bitmap: 425985, inode_table: 425986 )
22.439 [#0 init_stage2(1:1)]: Ext2FS: group[15] ( block_bitmap: 458752, inode_bitmap: 458753, inode_table: 458754 )
22.444 [#0 init_stage2(1:1)]: Ext2FS: group[16] ( block_bitmap: 491520, inode_bitmap: 491521, inode_table: 491522 )
22.452 [#0 init_stage2(1:1)]: BlockBasedFileSystem::read_block 114
22.458 [init_stage2(1:1)]: Ext2FS: Mount successful, setting superblock to error state.
22.472 [#0 init_stage2(1:1)]: Writing superblock backup to block group 2 (block 32768)
22.476 [#0 init_stage2(1:1)]: BlockBasedFileSystem::write_blocks 32768, count=1
22.476 [#0 init_stage2(1:1)]: BlockBasedFileSystem::write_block 32768, size=4096
[init_stage2(1:1)]: KASAN: Invalid 1-byte Load access to V0x00000020021537d8, which is marked as 'Malloc Redzone' [at 0x0000002000679e92]
[init_stage2(1:1)]: Kernel + 0x000000000073e44e  Kernel::AddressSanitizer::print_violation(unsigned long, unsigned long, Kernel::AddressSanitizer::AccessType, Kernel::AddressSanitizer::ShadowType, void*) +0x94
[init_stage2(1:1)]: Kernel + 0x000000000073e5f0  Kernel::AddressSanitizer::shadow_va_check(unsigned long, unsigned long, Kernel::AddressSanitizer::AccessType, void*) +0x130
[init_stage2(1:1)]: Kernel + 0x000000000073e662  __asan_load1_noabort +0x12
[init_stage2(1:1)]: Kernel + 0x0000000000679e92  memcpy +0x78
[init_stage2(1:1)]: Kernel + 0x0000000000686b58  Kernel::UserOrKernelBuffer::read(void*, unsigned long, unsigned long) const +0x1b4
[init_stage2(1:1)]: Kernel + 0x00000000000f4d48  Kernel::UserOrKernelBuffer::read(void*, unsigned long) const +0x4e
[init_stage2(1:1)]: Kernel + 0x00000000003624a4  Kernel::UserOrKernelBuffer::read(AK::Span<unsigned char>) const +0x70
[init_stage2(1:1)]: Kernel + 0x00000000003619f2  Kernel::BlockBasedFileSystem::write_block(AK::DistinctNumeric<unsigned long, Kernel::__BlockIndex_tag, AK::DistinctNumericFeature::Comparison, AK::DistinctNumericFeature::CastToBool>, Kernel::UserOrKernelBuffer const&, unsigned long, unsigned long, bool) +0x1bc
[init_stage2(1:1)]: Kernel + 0x0000000000362090  Kernel::BlockBasedFileSystem::write_blocks(AK::DistinctNumeric<unsigned long, Kernel::__BlockIndex_tag, AK::DistinctNumericFeature::Comparison, AK::DistinctNumericFeature::CastToBool>, unsigned int, Kernel::UserOrKernelBuffer const&, bool) +0x322
[init_stage2(1:1)]: Kernel + 0x0000000000392454  Kernel::Ext2FS::flush_super_block() +0x560
[init_stage2(1:1)]: Kernel + 0x000000000039cbc8  Kernel::Ext2FS::initialize_while_locked() +0x1c06
[init_stage2(1:1)]: Kernel + 0x000000000041b438  Kernel::FileBackedFileSystem::initialize() +0x14e
[init_stage2(1:1)]: Kernel + 0x000000000057e73c  Kernel::create_and_initialize_filesystem_from_mount_file_and_description(AK::Detail::IntrusiveList<Kernel::FileBackedFileSystem, Kernel::FileBackedFileSystem*, &Kernel::FileBackedFileSystem::m_file_backed_file_system_node>&, Kernel::MountFile&, Kernel::OpenFileDescription&) +0x71e
[init_stage2(1:1)]: Kernel + 0x00000000005818d2  AK::ErrorOr<AK::NonnullRefPtr<Kernel::FileBackedFileSystem>, AK::Error> Kernel::FileBackedFileSystem::create_and_append_filesystems_list_from_mount_file_and_description(Kernel::MountFile&, Kernel::OpenFileDescription&)::{lambda(auto:1&)#1}::operator()<AK::Detail::IntrusiveList<Kernel::FileBackedFileSystem, Kernel::FileBackedFileSystem*, &Kernel::FileBackedFileSystem::m_file_backed_file_system_node> >(AK::Detail::IntrusiveList<Kernel::FileBackedFileSystem, Kernel::FileBackedFileSystem*, &Kernel::FileBackedFileSystem::m_file_backed_file_system_node>&) const +0xa8
[init_stage2(1:1)]: Kernel + 0x0000000000581d20  decltype(auto) Kernel::MutexProtected<AK::Detail::IntrusiveList<Kernel::FileBackedFileSystem, Kernel::FileBackedFileSystem*, &Kernel::FileBackedFileSystem::m_file_backed_file_system_node> >::with_exclusive<Kernel::FileBackedFileSystem::create_and_append_filesystems_list_from_mount_file_and_description(Kernel::MountFile&, Kernel::OpenFileDescription&)::{lambda(auto:1&)#1}>(Kernel::FileBackedFileSystem::create_and_append_filesystems_list_from_mount_file_and_description(Kernel::MountFile&, Kernel::OpenFileDescription&)::{lambda(auto:1&)#1}, Kernel::LockLocation const&) +0xbc
[init_stage2(1:1)]: Kernel + 0x0000000000581e40  Kernel::FileBackedFileSystem::create_and_append_filesystems_list_from_mount_file_and_description(Kernel::MountFile&, Kernel::OpenFileDescription&) +0x6c
[init_stage2(1:1)]: Kernel + 0x000000000033b288  Kernel::StorageManagement::create_first_vfs_root_context() const +0x32e
[init_stage2(1:1)]: Kernel + 0x000000000000151e  Kernel::init_stage2(void*) +0xce0
[init_stage2(1:1)]: Kernel + 0x00000000000176e8  exit_kernel_thread +0x0
[init_stage2(1:1)]: KASAN is configured to be deadly, halting the system.

GDB backtrace:

#0  Kernel::ProcessorBase<Kernel::Processor>::halt () at ./Kernel/Arch/riscv64/Processor.cpp:135
#1  0x000000200073e4bc in Kernel::AddressSanitizer::print_violation (address=address@entry=137473898456, size=<optimized out>, 
    size@entry=1, access_type=access_type@entry=Kernel::AddressSanitizer::AccessType::Load, shadow_type=Kernel::AddressSanitizer::ShadowType::Malloc, return_address=<optimized out>, return_address@entry=0x2000679e92 <memcpy(void*, void const*, size_t)+120>)
    at ./Kernel/Security/AddressSanitizer.cpp:90
#2  0x000000200073e5f0 in Kernel::AddressSanitizer::shadow_va_check (address=address@entry=137473898456, size=size@entry=1, access_type=access_type@entry=Kernel::AddressSanitizer::AccessType::Load, return_address=0x2000679e92 <memcpy(void*, void const*, size_t)+120>, 
    return_address@entry=0x200073e662 <__asan_load1_noabort(FlatPtr)+18>) at ./Kernel/Security/AddressSanitizer.cpp:244
#3  0x000000200073e662 in __asan_load1_noabort (address=address@entry=137473898456) at ./Kernel/Security/AddressSanitizer.cpp:299
#4  0x0000002000679e92 in memcpy (dest_ptr=0x2002159900 <initial_kmalloc_memory+755968>, src_ptr=<optimized out>, n=2999) at ./Kernel/Library/MiniStdLib.cpp:35
#5  0x0000002000686b58 in Kernel::UserOrKernelBuffer::read (this=this@entry=0x2003422a50, dest=dest@entry=0x2002159900 <initial_kmalloc_memory+755968>, offset=offset@entry=0, len=len@entry=4096) at ./Kernel/Library/UserOrKernelBuffer.cpp:52
#6  0x00000020000f4d48 in Kernel::UserOrKernelBuffer::read (this=0x2003422a50, dest=0x2002159900 <initial_kmalloc_memory+755968>, len=4096) at ././Kernel/Library/UserOrKernelBuffer.h:71
#7  0x00000020003624a4 in Kernel::UserOrKernelBuffer::read (this=this@entry=0x2003422a50, bytes=...) at ././Kernel/Library/UserOrKernelBuffer.h:76
#8  0x00000020003619f2 in Kernel::BlockBasedFileSystem::write_block (this=this@entry=0x2002153200 <initial_kmalloc_memory+729600>, index=..., data=..., count=<optimized out>, offset=<optimized out>, offset@entry=0, allow_cache=<optimized out>, allow_cache@entry=true)
    at ./Kernel/FileSystem/BlockBasedFileSystem.cpp:160
#9  0x0000002000362090 in Kernel::BlockBasedFileSystem::write_blocks (this=this@entry=0x2002153200 <initial_kmalloc_memory+729600>, index=..., count=<optimized out>, count@entry=1, data=..., allow_cache=allow_cache@entry=true) at ./Kernel/FileSystem/BlockBasedFileSystem.cpp:225
#10 0x0000002000392454 in Kernel::Ext2FS::flush_super_block (this=this@entry=0x2002153200 <initial_kmalloc_memory+729600>) at ./Kernel/FileSystem/Ext2FS/FileSystem.cpp:46
#11 0x000000200039cbc8 in Kernel::Ext2FS::initialize_while_locked (this=0x2002153200 <initial_kmalloc_memory+729600>) at ./Kernel/FileSystem/Ext2FS/FileSystem.cpp:134
#12 0x000000200041b438 in Kernel::FileBackedFileSystem::initialize (this=0x2002153200 <initial_kmalloc_memory+729600>) at ./Kernel/FileSystem/FileBackedFileSystem.cpp:23
#13 0x000000200057e73c in Kernel::create_and_initialize_filesystem_from_mount_file_and_description (file_backed_fs_list=..., mount_file=..., source_description=...) at ././AK/RefPtr.h:280
#14 0x00000020005818d2 in operator()<AK::Detail::IntrusiveList<Kernel::FileBackedFileSystem, Kernel::FileBackedFileSystem*, &Kernel::FileBackedFileSystem::m_file_backed_file_system_node> > (__closure=__closure@entry=0x2003422d70, list=...)
    at ./Kernel/FileSystem/VirtualFileSystem.cpp:152
#15 0x0000002000581d20 in Kernel::MutexProtected<AK::Detail::IntrusiveList<Kernel::FileBackedFileSystem, Kernel::FileBackedFileSystem*, &Kernel::FileBackedFileSystem::m_file_backed_file_system_node> >::with_exclusive<Kernel::FileBackedFileSystem::create_and_append_filesystems_list_from_mount_file_and_description(Kernel::MountFile&, Kernel::OpenFileDescription&)::<lambda(auto:193&)> >(struct {...}, const Kernel::LockLocation &) (this=this@entry=0x20021a5940 <initial_kmalloc_memory+1067328>, callback=..., location=...) at ././Kernel/Locking/MutexProtected.h:75
#16 0x0000002000581e40 in Kernel::FileBackedFileSystem::create_and_append_filesystems_list_from_mount_file_and_description (mount_file=..., source_description=...) at ./Kernel/FileSystem/VirtualFileSystem.cpp:155
#17 0x000000200033b288 in Kernel::StorageManagement::create_first_vfs_root_context (this=<optimized out>) at ./Kernel/Devices/Storage/StorageManagement.cpp:478
#18 0x000000200000151e in Kernel::init_stage2 () at ./Kernel/Arch/init.cpp:396

The fault always seems to happen while reading index 1096 of the superblock.

@spholz (Member, Author)

spholz commented Dec 12, 2024

The superblock struct seems to be only 1024 bytes big. So we probably should not try to write a whole logical block to disk (or zero pad it?)

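The mismatch described in the comment above (a 1024-byte superblock struct flushed as a 4096-byte logical block) modelled in C. This is an added example, not SerenityOS code: the struct layout is a hypothetical minimal ext2 superblock (only the magic offset and total size match the real format), the "disk" is a single in-memory block, and the fix shown is the zero-padded staging buffer the comment suggests.

```c
/* Added example (not SerenityOS code). sizeof(ext2_super_block) is 1024
 * bytes but the logical block is 4096, so memcpy(block, &sb, block_size)
 * would read 3072 bytes past the struct (KASAN's "Malloc Redzone").
 * flush_super_block_padded() instead copies only sizeof(sb) into a
 * zeroed block-sized buffer before writing the whole block. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define EXT2_SUPERBLOCK_SIZE 1024u  /* on-disk superblock is always 1 KiB */
#define EXT2_SUPER_MAGIC     0xEF53u /* magic seen in the kernel log */
#define BLOCK_SIZE           4096u  /* logical block size from the log */

/* Hypothetical minimal superblock: only the fields used here, padded to 1 KiB. */
struct ext2_super_block {
    uint32_t s_inodes_count;
    uint32_t s_blocks_count;
    uint8_t  pad0[56 - 8];  /* s_magic lives at offset 56 in real ext2 */
    uint16_t s_magic;
    uint8_t  pad1[EXT2_SUPERBLOCK_SIZE - 58];
};
_Static_assert(sizeof(struct ext2_super_block) == EXT2_SUPERBLOCK_SIZE, "sb must be 1 KiB");

static uint8_t g_disk_block[BLOCK_SIZE]; /* constructed stand-in for the disk */

/* Bytes a naive memcpy of block_size from the struct would read past its end. */
size_t superblock_overread_bytes(size_t struct_size, size_t block_size)
{
    return block_size > struct_size ? block_size - struct_size : 0;
}

/* Safe flush: stage the struct into a zeroed block, then write the whole block. */
int flush_super_block_padded(const struct ext2_super_block *sb)
{
    uint8_t block[BLOCK_SIZE];
    memset(block, 0, sizeof block);            /* zero pad bytes 1024..4095 */
    memcpy(block, sb, sizeof *sb);             /* never read beyond the struct */
    memcpy(g_disk_block, block, sizeof block); /* stand-in for write_block() */
    return 0;
}

/* Verify the written block: magic intact at offset 56, padded tail all zero. */
int disk_block_is_sane(void)
{
    uint16_t magic;
    memcpy(&magic, g_disk_block + 56, sizeof magic);
    if (magic != EXT2_SUPER_MAGIC)
        return 0;
    for (size_t i = EXT2_SUPERBLOCK_SIZE; i < BLOCK_SIZE; i++)
        if (g_disk_block[i] != 0)
            return 0;
    return 1;
}

/* Fill the struct with a non-zero pattern so a leaked tail would be visible. */
int demo_flush(void)
{
    struct ext2_super_block sb;
    memset(&sb, 0xAB, sizeof sb);
    sb.s_inodes_count = 149504; /* values from the issue's kernel log */
    sb.s_blocks_count = 517924;
    sb.s_magic = EXT2_SUPER_MAGIC;
    if (flush_super_block_padded(&sb) != 0)
        return 0;
    return disk_block_is_sane();
}
```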
@supercomputer7 (Member)

I found the bug (as I told you in our Discord conversation). I will try to put a patch to this, but this will not be an easy fix.
