[Bug 283448] [fusefs] use after free on NFS-exported file fuse systems

In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 283448] [fusefs] use after free on NFS-exported file fuse systems"
Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: <bugzilla-noreply_at_freebsd.org>
Date: Mon, 23 Dec 2024 21:09:39 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=283448

--- Comment #2 from Alan Somers <asomers@FreeBSD.org> ---
Update: the bug can be triggered more rapidly by this FSX command.  Note the
seed value:

$ sudo fsx -vN 1000 -f ~/tmp/bfffs-on-nfs.toml -S10 /mnt/fsx.bin
[INFO  fsx]   1 write     0xc6f9f ..  0xcc74e ( 0x57b0 bytes)
[INFO  fsx]   2 read      0xa5598 ..  0xcbb69 (0x265d2 bytes)
[INFO  fsx]   3 mapwrite  0xebbdb ..  0xf4525 ( 0x894b bytes)
[INFO  fsx]   4 read      0x53286 ..  0x7b44b (0x281c6 bytes)
[INFO  fsx]   5 mapread   0x5c735 ..  0x62c37 ( 0x6503 bytes)
[INFO  fsx]   6 mapread   0x17e3a ..  0x3d8a0 (0x25a67 bytes)
[INFO  fsx]   7 sendfile  0x1d474 ..  0x43280 (0x25e0d bytes)
[INFO  fsx]   8 mapread   0x4f1cc ..  0x71bf7 (0x22a2c bytes)
[INFO  fsx]   9 write     0xed498 ..  0xfffff (0x12b68 bytes)
[INFO  fsx]  10 write      0x67df ..  0x34977 (0x2e199 bytes)
[INFO  fsx]  11 mapread   0xb1ccb ..  0xb4bd8 ( 0x2f0e bytes)
[INFO  fsx]  12 mapwrite  0x44c11 ..  0x591f9 (0x145e9 bytes)
[INFO  fsx]  13 mapwrite  0x5e0c4 ..  0x62b56 ( 0x4a93 bytes)
[INFO  fsx]  14 mapwrite  0xb45ef ..  0xb8ab8 ( 0x44ca bytes)
[INFO  fsx]  15 mapwrite  0x59ad9 ..  0x5ab70 ( 0x1098 bytes)
[INFO  fsx]  16 mapwrite  0xfd919 ..  0xfffff ( 0x26e7 bytes)
[INFO  fsx]  17 msync(MS_INVALIDATE)
[INFO  fsx]  18 write     0x7de52 ..  0xbc74c (0x3e8fb bytes)
[INFO  fsx]  19 msync(MS_INVALIDATE)
[INFO  fsx]  20 mapread   0x3bdbe ..  0x53ce9 (0x17f2c bytes)
[INFO  fsx]  21 write     0x68cd0 ..  0x71f65 ( 0x9296 bytes)
[INFO  fsx]  22 read      0x6cdef ..  0x78f1d ( 0xc12f bytes)
[INFO  fsx]  23 fdatasync
[INFO  fsx]  24 read      0x7ca3b ..  0xa31db (0x267a1 bytes)
[INFO  fsx]  25 write     0x75bd5 ..  0xb29b3 (0x3cddf bytes)
[INFO  fsx]  26 mapwrite   0x6ea9 ..  0x20edd (0x1a035 bytes)
[INFO  fsx]  27 fdatasync
[INFO  fsx]  28 mapread   0xe04ad ..  0xfdbc0 (0x1d714 bytes)
[INFO  fsx]  29 mapwrite  0x68500 ..  0x6b642 ( 0x3143 bytes)
[INFO  fsx]  30 mapread   0x669ab ..  0x871b6 (0x2080c bytes)
[INFO  fsx]  31 mapwrite  0x6104d ..  0x95e94 (0x34e48 bytes)
[INFO  fsx]  32 mapread   0x5b305 ..  0x99dae (0x3eaaa bytes)
[INFO  fsx]  33 read      0x33265 ..  0x6b9ab (0x38747 bytes)
[INFO  fsx]  34 mapread   0xbb090 ..  0xd23d3 (0x17344 bytes)
[INFO  fsx]  35 mapwrite  0x24b22 ..  0x410ca (0x1c5a9 bytes)
[INFO  fsx]  36 mapread   0xe85c7 ..  0xfffff (0x17a39 bytes)
[INFO  fsx]  37 read      0x8c166 ..  0xbc560 (0x303fb bytes)
[INFO  fsx]  38 copy_file_range [ 0xc5749: 0xef004] => [ 0x677cd: 0x91088]
(0x298bc bytes)
[INFO  fsx]  39 mapwrite  0xd7d7d ..  0xfffff (0x28283 bytes)
[INFO  fsx]  40 write     0x230e5 ..  0x2ef54 ( 0xbe70 bytes)
[INFO  fsx]  41 mapwrite  0x5ff68 ..  0x9eae7 (0x3eb80 bytes)
[INFO  fsx]  42 mapread   0x4ff3d ..  0x7e823 (0x2e8e7 bytes)
[INFO  fsx]  43 write     0x517dd ..  0x730ac (0x218d0 bytes)
[INFO  fsx]  44 mapwrite  0x1ddd4 ..  0x249d1 ( 0x6bfe bytes)
[INFO  fsx]  45 mapread   0xfe1a5 ..  0xfffff ( 0x1e5b bytes)
[INFO  fsx]  46 sendfile   0x2f50 ..  0x2913a (0x261eb bytes)
[INFO  fsx]  47 write     0x6406a ..  0x9cba6 (0x38b3d bytes)
[INFO  fsx]  48 sendfile  0xa4784 ..  0xc4017 (0x1f894 bytes)
[INFO  fsx]  49 mapwrite  0x26aab ..  0x585d5 (0x31b2b bytes)
[INFO  fsx]  50 mapread   0xc9147 ..  0xd7cce ( 0xeb88 bytes)
[INFO  fsx]  51 mapwrite  0x61dd9 ..  0x95092 (0x332ba bytes)
[INFO  fsx]  52 write     0x86016 ..  0xa049f (0x1a48a bytes)
[INFO  fsx]  53 copy_file_range [ 0x6d29d: 0x8849f] => [ 0x5209a: 0x6d29c]
(0x1b203 bytes)
[INFO  fsx]  54 mapwrite  0x6db1f ..  0x9483c (0x26d1e bytes)
[INFO  fsx]  55 read      0xf4d4d ..  0xfffff ( 0xb2b3 bytes)
[INFO  fsx]  56 punch_hole  0x31c73 ..  0x4dcfc (0x1c08a bytes)
[INFO  fsx]  57 fsync
[INFO  fsx]  58 write     0x5352b ..  0x55040 ( 0x1b16 bytes)
[INFO  fsx]  59 read      0x806b9 ..  0x8d8c1 ( 0xd209 bytes)
[INFO  fsx]  60 write     0x5cae5 ..  0x60046 ( 0x3562 bytes)
[INFO  fsx]  61 mapwrite  0xb13bd ..  0xb3fac ( 0x2bf0 bytes)
[INFO  fsx]  62 write     0x94e91 ..  0xab06f (0x161df bytes)
[INFO  fsx]  63 mapwrite  0xd3dfe ..  0xf37ba (0x1f9bd bytes)
[INFO  fsx]  64 punch_hole  0xefe22 ..  0xf2211 ( 0x23f0 bytes)
[INFO  fsx]  65 sendfile  0x41a73 ..  0x5cdf8 (0x1b386 bytes)
[INFO  fsx]  66 fsync
[INFO  fsx]  67 write     0x9d297 ..  0x9d4e4 (  0x24e bytes)
[INFO  fsx]  68 read      0xd49ed ..  0xfffff (0x2b613 bytes)
[INFO  fsx]  69 mapread   0xc18c1 ..  0xcb4bc ( 0x9bfc bytes)
[INFO  fsx]  70 copy_file_range [ 0x625e8: 0x8bad1] => [ 0xa6008: 0xcf4f1]
(0x294ea bytes)
[INFO  fsx]  71 write     0xe8aaf ..  0xe978a (  0xcdc bytes)
[INFO  fsx]  72 fsync
[INFO  fsx]  73 write     0x599c8 ..  0x7a5fa (0x20c33 bytes)
[INFO  fsx]  74 write     0x85871 ..  0x8c344 ( 0x6ad4 bytes)
[INFO  fsx]  75 mapwrite  0x2b178 ..  0x52ed3 (0x27d5c bytes)
[INFO  fsx]  76 mapread    0xf82e ..  0x2ef11 (0x1f6e4 bytes)
[INFO  fsx]  77 write     0xb02b8 ..  0xc32fa (0x13043 bytes)
[INFO  fsx]  78 read      0xbbf46 ..  0xfb25f (0x3f31a bytes)
[INFO  fsx]  79 write     0x6392c ..  0xa13ae (0x3da83 bytes)
[INFO  fsx]  80 mapwrite  0x63d1f ..  0x9c1e4 (0x384c6 bytes)
[INFO  fsx]  81 mapread   0xd81dd ..  0xfffff (0x27e23 bytes)
[INFO  fsx]  82 read      0xe4205 ..  0xfffff (0x1bdfb bytes)
[INFO  fsx]  83 write     0xb01e4 ..  0xc491c (0x14739 bytes)
[INFO  fsx]  84 mapread   0xfb500 ..  0xfffff ( 0x4b00 bytes)
[INFO  fsx]  85 fdatasync
[INFO  fsx]  86 mapwrite  0x533bc ..  0x9235f (0x3efa4 bytes)
[INFO  fsx]  87 mapread   0x53b0a ..  0x570b3 ( 0x35aa bytes)
[INFO  fsx]  88 mapwrite  0xc4c76 ..  0xe1d4c (0x1d0d7 bytes)
[INFO  fsx]  89 mapread   0xccef2 ..  0xcec0e ( 0x1d1d bytes)
[INFO  fsx]  90 read      0x4b520 ..  0x52f97 ( 0x7a78 bytes)
[INFO  fsx]  91 read      0xfd8c4 ..  0xfffff ( 0x273c bytes)
[INFO  fsx]  92 mapwrite  0x653f7 ..  0x7c4ed (0x170f7 bytes)
[INFO  fsx]  93 copy_file_range [ 0x82985: 0x9fd64] => [ 0x184b5: 0x35894]
(0x1d3e0 bytes)
[INFO  fsx]  94 write     0xb9c4e ..  0xc6aef ( 0xcea2 bytes)
[INFO  fsx]  95 mapread   0x645e6 ..  0x6ac66 ( 0x6681 bytes)
[INFO  fsx]  96 write     0xf237a ..  0xfffff ( 0xdc86 bytes)
[INFO  fsx]  97 mapread   0xfc3ef ..  0xfffff ( 0x3c11 bytes)
[INFO  fsx]  98 write     0xab87e ..  0xd330c (0x27a8f bytes)
[INFO  fsx]  99 write     0x1d160 ..  0x1ea6f ( 0x1910 bytes)
[INFO  fsx] 100 read      0xa08ee ..  0xbc56b (0x1bc7e bytes)
[INFO  fsx] 101 sendfile  0xb7ff4 ..  0xea6b1 (0x326be bytes)
[INFO  fsx] 102 read      0x3bb38 ..  0x60f45 (0x2540e bytes)
[INFO  fsx] 103 mapwrite  0xd108a ..  0xfffff (0x2ef76 bytes)
[INFO  fsx] 104 sendfile  0x60799 ..  0x76aa1 (0x16309 bytes)
[INFO  fsx] 105 mapwrite  0x13633 ..  0x2e123 (0x1aaf1 bytes)
[INFO  fsx] 106 mapwrite  0x7d427 ..  0xa6a1b (0x295f5 bytes)
[INFO  fsx] 107 mapread   0x765a6 ..  0x9d6ad (0x27108 bytes)
[INFO  fsx] 108 mapwrite  0x930fe ..  0xcab54 (0x37a57 bytes)
[INFO  fsx] 109 read      0xe04f1 ..  0xe926f ( 0x8d7f bytes)
[INFO  fsx] 110 write     0x7c39f ..  0xb7d9f (0x3ba01 bytes)
[INFO  fsx] 111 mapwrite  0x23786 ..  0x36b6a (0x133e5 bytes)
[INFO  fsx] 112 write     0xb7524 ..  0xd2438 (0x1af15 bytes)
[INFO  fsx] 113 read      0x8d347 ..  0xcc5ea (0x3f2a4 bytes)
[INFO  fsx] 114 mapread   0x8ea59 ..  0xafdf4 (0x2139c bytes)
[INFO  fsx] 115 write     0x3d48c ..  0x617bc (0x24331 bytes)
[INFO  fsx] 116 fsync
[INFO  fsx] 117 mapwrite  0xd861e ..  0xe7249 ( 0xec2c bytes)
[INFO  fsx] 118 read      0x37424 ..  0x4bb50 (0x1472d bytes)
[INFO  fsx] 119 mapwrite  0x94c16 ..  0xa99fa (0x14de5 bytes)
[INFO  fsx] 120 write     0x2498f ..  0x57693 (0x32d05 bytes)
[INFO  fsx] 121 mapwrite  0xd4a50 ..  0xee3f4 (0x199a5 bytes)
[INFO  fsx] 122 read      0xeb390 ..  0xf6915 ( 0xb586 bytes)
[INFO  fsx] 123 mapwrite  0x6315d ..  0x6e6ed ( 0xb591 bytes)
[INFO  fsx] 124 mapwrite  0xfadb0 ..  0xfffff ( 0x5250 bytes)
[INFO  fsx] 125 read      0xc28cc ..  0xe7676 (0x24dab bytes)
[INFO  fsx] 126 read      0xb3827 ..  0xd5738 (0x21f12 bytes)
[INFO  fsx] 127 punch_hole  0x3eea5 ..  0x55556 (0x166b2 bytes)
[INFO  fsx] 128 read      0x6077b ..  0x82730 (0x21fb6 bytes)
[INFO  fsx] 129 mapwrite  0x3daf4 ..  0x72b3c (0x35049 bytes)
[INFO  fsx] 130 read      0x7907d ..  0xaf490 (0x36414 bytes)
[INFO  fsx] 131 read      0xf2053 ..  0xfffff ( 0xdfad bytes)
[INFO  fsx] 132 mapread   0xc67e5 ..  0xe5944 (0x1f160 bytes)
[INFO  fsx] 133 mapwrite  0x56051 ..  0x5a2c7 ( 0x4277 bytes)
[INFO  fsx] 134 write     0x6553e ..  0x86087 (0x20b4a bytes)
[INFO  fsx] 135 msync(MS_INVALIDATE)
[INFO  fsx] 136 mapread   0xe8909 ..  0xfffff (0x176f7 bytes)
[INFO  fsx] 137 read      0xf4630 ..  0xfffff ( 0xb9d0 bytes)
[INFO  fsx] 138 read      0x70dc1 ..  0x9d9fc (0x2cc3c bytes)
[INFO  fsx] 139 read      0x6365b ..  0x6a34f ( 0x6cf5 bytes)
[INFO  fsx] 140 mapwrite  0xa8ac9 ..  0xbb2c4 (0x127fc bytes)
[INFO  fsx] 141 mapread   0x2dfce ..  0x45845 (0x17878 bytes)
[INFO  fsx] 142 write     0xf93fe ..  0xfffff ( 0x6c02 bytes)
[INFO  fsx] 143 read      0x793b5 ..  0xa433b (0x2af87 bytes)
[INFO  fsx] 144 close/open
[INFO  fsx] 145 fdatasync
[INFO  fsx] 146 mapread   0xafa96 ..  0xb1d78 ( 0x22e3 bytes)
[INFO  fsx] 147 write     0xb4ac3 ..  0xf00d9 (0x3b617 bytes)
[INFO  fsx] 148 sendfile  0x736ca ..  0x83573 ( 0xfeaa bytes)
[INFO  fsx] 149 write     0xdb596 ..  0xe06c5 ( 0x5130 bytes)
[INFO  fsx] 150 mapread   0x77141 ..  0xb0140 (0x39000 bytes)
[INFO  fsx] 151 mapwrite  0xaa266 ..  0xb771a ( 0xd4b5 bytes)
[INFO  fsx] 152 msync(MS_INVALIDATE)
[INFO  fsx] 153 mapwrite  0x56ccd ..  0x68e8e (0x121c2 bytes)
[INFO  fsx] 154 write      0xfcdc ..  0x2411b (0x14440 bytes)
[INFO  fsx] 155 truncate 0x100000 =>   0x72b1
<crash>

-- 
You are receiving this mail because:
You are the assignee for the bug.