Re: kern/55169 (KASAN reported use after free by ahcicore.c)

[Nick Hudson <nick.hudson%gmx.co.uk@localhost>]

Send the report to the ML...

>Environment:
System: NetBSD tx1 (GENERIC64_TX1) #0: Sun Apr 12 10:00:26 BST 2020
nick@zoom:/home/nick/netbsd/trunk/obj.evbarm64-el/sys/arch/evbarm/compile/GENERIC64_TX1
Architecture: aarch64
Machine: evbarm
>Description:

ahci_ata_bio+0xe0 is sys/dev/ic/ahcisata_core.c#1394

panic: ASan: Unauthorized Access In 0xffffc00000290014: Addr
0xffffc0000b4d6898 [2 bytes, read, PoolUseAfterFree]

[ 505.7560156] cpu0: Begin traceback...
[ 505.7560156] trace fp ffffc000c9e95d80
[ 505.7647943] fp ffffc000c9e95db0 vpanic() at ffffc000007851d8
netbsd:vpanic+0x210
[ 505.7747959] fp ffffc000c9e95e30 panic() at ffffc0000078530c
netbsd:panic+0xa4
[ 505.7847958] fp ffffc000c9e95f10 kasan_report() at ffffc00000749b0c
netbsd:kasan_report+0x94
[ 505.7948010] fp ffffc000c9e95f20 __asan_load2() at ffffc000007549e8
netbsd:__asan_load2+0xc8
[ 505.8047986] fp ffffc000c9e95f30 ahci_ata_bio() at ffffc00000290010
netbsd:ahci_ata_bio+0xe0
[ 505.8155968] fp ffffc000c9e95f80 wdstart1() at ffffc000000ec038
netbsd:wdstart1+0x2e0
[ 505.8356017] fp ffffc000c9e95ff0 wd_diskstart() at ffffc000000ed0f4
netbsd:wd_diskstart+0xbc
[ 505.8456013] fp ffffc000c9e96040 dk_start() at ffffc00000839f3c
netbsd:dk_start+0x14c
[ 505.8556029] fp ffffc000c9e960b0 bdev_strategy() at ffffc00000765704
netbsd:bdev_strategy+0xec
[ 505.8656035] fp ffffc000c9e960e0 spec_strategy() at ffffc000008343d4
netbsd:spec_strategy+0x15c
[ 505.8757272] fp ffffc000c9e96130 VOP_STRATEGY() at ffffc000008238a0
netbsd:VOP_STRATEGY+0xf0
[ 505.8856061] fp ffffc000c9e961d0 genfs_getpages() at ffffc000008286ac
netbsd:genfs_getpages+0x18a4
[ 505.8956079] fp ffffc000c9e96620 VOP_GETPAGES() at ffffc00000824058
netbsd:VOP_GETPAGES+0x128
[ 505.9056072] fp ffffc000c9e96780 ubc_fault() at ffffc0000069a7f4
netbsd:ubc_fault+0x28c
[ 505.9167081] fp ffffc000c9e968e0 uvm_fault_internal() at
ffffc0000069e5fc netbsd:uvm_fault_internal+0x864
[ 505.9286916] fp ffffc000c9e96d80 data_abort_handler() at
ffffc000000e0e40 netbsd:data_abort_handler+0x228
[ 505.9402960] tf ffffc000c9e96e00 el1_trap() at ffffc000000dc5c0
netbsd:el1_trap
[ 505.9510246] ---- trapframe 0xffffc000c9e96e00 (304 bytes) ----
[ 505.9510246]     pc=ffffc00000af5778,   spsr=0000000020000005
[ 505.9640311]    esr=0000000096000007,    far=ffffc000bacdd000
[ 505.9640311]     x0=ffffc0000bf84100,     x1=ffffc000bacdd000
[ 505.9752974]     x2=0000000000000004,     x3=ffffc000bacdd000
[ 505.9752974]     x4=0000000000000004,     x5=0000c0000bf84504
[ 505.9865663]     x6=ffffc0000bf84100,     x7=ffffc0000bf84100
[ 505.9865663]     x8=0000000000000000,     x9=0000c0000bf84504
[ 505.9978306]    x10=0000000000000404,    x11=0000000000000001
[ 505.9978306]    x12=00000000f2f2f2f2,    x13=00000000f1f1f1f1
[ 506.0090974]    x14=00000000000000a5,    x15=ffffc0000b579a20
[ 506.0090974]    x16=000000020013f1f8,    x17=0000fa48bedc85a4
[ 506.0203643]    x18=0000000000000000,    x19=ffffc000bacdd000
[ 506.0203643]    x20=ffffc0000bf84100,    x21=ffffc00001a39ca0
[ 506.0316303]    x22=ffffc00000cae000,    x23=ffffc000bacdd000
[ 506.0316303]    x24=ffffc0000bf84100,    x25=ffffc000019a9d00
[ 506.0428970]    x26=ffffc000c9e97658,    x27=ffffc00000cae820
[ 506.0428970]    x28=0000000000000000, fp=x29=ffffc000c9e971b0
[ 506.0541686] lr=x30=ffffc000000dbabc,     sp=ffffc000c9e97130
[ 506.0541686] ------------------------------------------------
[ 506.0654304] fp ffffc000c9e971b0 memcpy() at ffffc00000af5778
netbsd:memcpy+0x118
[ 506.0741663] fp ffffc000c9e971c0 copyout_vmspace() at ffffc00000762afc
netbsd:copyout_vmspace+0x124
[ 506.0841691] fp ffffc000c9e972d0 uiomove() at ffffc00000762cb0
netbsd:uiomove+0x100
[ 506.0941684] fp ffffc000c9e97350 ubc_uiomove() at ffffc0000069b194
netbsd:ubc_uiomove+0x1ec
[ 506.1041705] fp ffffc000c9e97440 ffs_read() at ffffc0000068072c
netbsd:ffs_read+0x174
[ 506.1141718] fp ffffc000c9e974b0 VOP_READ() at ffffc000008214c4
netbsd:VOP_READ+0xe4
[ 506.1241725] fp ffffc000c9e97570 vn_rdwr() at ffffc00000814be0
netbsd:vn_rdwr+0x1d8
[ 506.1341724] fp ffffc000c9e976b0 check_exec() at ffffc000006eb1b4
netbsd:check_exec+0x3f4
[ 506.1441746] fp ffffc000c9e978b0 execve_loadvm() at ffffc000006ebc50
netbsd:execve_loadvm+0x430
[ 506.1549577] fp ffffc000c9e97b10 execve1() at ffffc000006f0040
netbsd:execve1+0x60
[ 506.1657748] fp ffffc000c9e97d90 syscall() at ffffc000000de7e4
netbsd:syscall+0x2a4
[ 506.1766755] tf ffffc000c9e97ed0 el0_trap() at ffffc000000dc62c
netbsd:el0_trap
[ 506.1876397] ---- trapframe 0xffffc000c9e97ed0 (304 bytes) ----
[ 506.1876397]     pc=0000fa48bedc85a8,   spsr=0000000080000000
[ 506.2006471]    esr=000000005600003b,    far=000000020011a4e0
[ 506.2006471]     x0=0000000200140910,     x1=0000000200140938
[ 506.2119136]     x2=0000000200140948,     x3=0000000000000000
[ 506.2119136]     x4=0000000000000000,     x5=0000000200140938
[ 506.2231797]     x6=0000000200140000,     x7=0000000000000198
[ 506.2231797]     x8=0000000200140910,     x9=0000000000000011
[ 506.2344467]    x10=0000000000000004,    x11=0000000000000001
[ 506.2344467]    x12=0000fa48bf17b458,    x13=0000000000000005
[ 506.2457148]    x14=00000000000000a5,    x15=0000fa48be800ea8
[ 506.2457148]    x16=000000020013f1f8,    x17=0000fa48bedc85a4
[ 506.2569798]    x18=0000000000000000,    x19=0000000000000000
[ 506.2569798]    x20=0000000200140938,    x21=0000000000000000
[ 506.2682485]    x22=0000000200140910,    x23=0000000200140948
[ 506.2682485]    x24=0000000000000000,    x25=0000000200140120
[ 506.2795127]    x26=0000000000000000,    x27=0000000000000000
[ 506.2795127]    x28=0000000000000000, fp=x29=0000ffffffe37b40
[ 506.2907791] lr=x30=0000000200108de0,     sp=0000ffffffe37b40
[ 506.2907791] ------------------------------------------------
[ 506.3020457] cpu0: End traceback...
Stopped in pid 611.1 (sh) at    netbsd:cpu_Debugger+0x4:        ret
db{0}>