NetBSD-Bugs archive
kern/55282: Race around UVM swapdrum_getsdp() reported by KASAN
>Number: 55282
>Category: kern
>Synopsis: Race around UVM swapdrum_getsdp() reported by KASAN
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu May 21 14:50:00 +0000 2020
>Originator: Jaromir Dolecek
>Release: NetBSD 9.99.60
>Organization:
>Environment:
Architecture: x86_64
Machine: amd64
>Description:
Kernel compiled with DIAGNOSTIC, DEBUG, LOCKDEBUG, KASAN, run under
QEMU.
KASAN reports:
[ 459.8858950] ASan: Unauthorized Access In 0xffffffff8065df50: Addr 0xffff940000b8f4c0 [4 bytes, read, PoolUseAfterFree]
[ 459.9059859] #0 0xffffffff8065df50 in uvm_swap_io <netbsd>
[ 459.9157787] #1 0xffffffff8065498f in swapcluster_flush.part.2 <netbsd>
[ 459.9157787] #2 0xffffffff80655726 in uvm_pageout <netbsd>
[ 459.9157787] #3 0xffffffff80208747 in lwp_trampoline <netbsd>
gdb claims this is on line uvm_swap.c:1181, which is this code:
KDASSERT(swapdrum_getsdp(s) == sdp);
Reading code, it seems that swapdrum_getsdp() should always be called with
uvm_swap_data_lock held, as is done e.g. in swstrategy().
>How-To-Repeat:
Not clear; happens under QEMU with 'slow' devices. No idea
if a slow disk device is required to trigger this.
>Fix:
Lock uvm_swap_data_lock around calls to swapdrum_getsdp()?
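As an added illustration of the locking discipline the PR asks for (constructed model, not NetBSD's uvm_swap.c and not the submitter's code): the slot-to-device lookup asserts the lock is held, device removal frees under the same lock, and the I/O path keeps the lock across both lookup and use. Struct, function and lock names are assumptions.

```c
#include <assert.h>
#include <pthread.h>
#include <stdlib.h>

/* Constructed model; names are assumptions, not NetBSD's uvm_swap.c. */
struct swapdev { int swd_drumoffset, swd_drumsize; struct swapdev *swd_next; };  /* slot range + link */

static pthread_mutex_t swap_data_lock = PTHREAD_MUTEX_INITIALIZER;
static int swap_data_locked;            /* stands in for mutex_owned() */
static struct swapdev *swap_list;
static void swap_lock(void)   { pthread_mutex_lock(&swap_data_lock); swap_data_locked = 1; }
static void swap_unlock(void) { swap_data_locked = 0; pthread_mutex_unlock(&swap_data_lock); }

/* Slot -> device lookup.  The pointer is only valid while the lock is held, because
 * swap_remove() frees devices under the same lock; an unlocked call is the UAF pattern. */
static struct swapdev *swapdrum_getsdp_model(int slot) {
	assert(swap_data_locked);           /* the KDASSERT-style check the PR asks for */
	for (struct swapdev *sdp = swap_list; sdp != NULL; sdp = sdp->swd_next)
		if (slot >= sdp->swd_drumoffset &&
		    slot < sdp->swd_drumoffset + sdp->swd_drumsize)
			return sdp;
	return NULL;
}

static void swap_add(int off, int size) {
	struct swapdev *sdp = malloc(sizeof(*sdp));
	sdp->swd_drumoffset = off; sdp->swd_drumsize = size;
	swap_lock(); sdp->swd_next = swap_list; swap_list = sdp; swap_unlock();
}

static void swap_remove(int off) {      /* swapoff-style: unlink and free under the lock */
	swap_lock();
	for (struct swapdev **pp = &swap_list; *pp != NULL; pp = &(*pp)->swd_next)
		if ((*pp)->swd_drumoffset == off) {
			struct swapdev *dead = *pp;
			*pp = dead->swd_next;
			free(dead);                 /* any sdp pointer taken earlier now dangles */
			break;
		}
	swap_unlock();
}

/* Safe I/O path: hold the lock across the lookup *and* every use of sdp. */
static int swap_io_model(int slot, int *devoff) {
	swap_lock();
	struct swapdev *sdp = swapdrum_getsdp_model(slot);
	if (sdp != NULL)
		*devoff = slot - sdp->swd_drumoffset;   /* offset within that device */
	swap_unlock();
	return sdp != NULL;
}
```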