Comment # 7
on bug 1192714
from Fabian Vogt
Another one, with more info:
[ 1562.396848]
==================================================================
[ 1562.401006] BUG: KASAN: use-after-free in
__bfq_deactivate_entity+0x72b/0xa50
[ 1562.403329] Read of size 8 at addr ffff8880218f60c0 by task swapper/0/0
[ 1562.407362] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G E
5.15.2-0.g5fb85fd-default #1 openSUSE Tumbleweed (unreleased)
f1f3b891c72369aebecd2e43e4641a6358867c70
[ 1562.412042] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.14.0-0-g155821a-rebuilt.opensuse.org 04/01/2014
[ 1562.416385] Call Trace:
[ 1562.418285] <IRQ>
[ 1562.420087] dump_stack_lvl+0x46/0x5a
[ 1562.422053] print_address_description.constprop.0+0x1f/0x140
[ 1562.424227] ? __bfq_deactivate_entity+0x72b/0xa50
[ 1562.426309] kasan_report.cold+0x7f/0x11b
[ 1562.428310] ? update_curr+0x2b0/0x5d0
[ 1562.430273] ? __bfq_deactivate_entity+0x72b/0xa50
[ 1562.432335] __bfq_deactivate_entity+0x72b/0xa50
[ 1562.434377] bfq_deactivate_entity+0xa0/0x1d0
[ 1562.436402] bfq_del_bfqq_busy+0x28a/0x420
[ 1562.438366] ? bfq_requeue_bfqq+0x70/0x70
[ 1562.440295] ? update_curr+0x32f/0x5d0
[ 1562.442179] __bfq_bfqq_expire+0x1a2/0x270
[ 1562.444061] bfq_bfqq_expire+0xd16/0x2160
[ 1562.445896] ? enqueue_entity+0x466/0x2520
[ 1562.447704] ? bfq_end_wr_async_queues+0xe0/0xe0
[ 1562.449543] ? _raw_write_unlock_bh+0x60/0x60
[ 1562.451317] bfq_idle_slice_timer+0x109/0x280
[ 1562.453066] ? bfq_dispatch_request+0x4870/0x4870
[ 1562.454811] __hrtimer_run_queues+0x37d/0x700
[ 1562.456498] ? enqueue_hrtimer+0x1b0/0x1b0
[ 1562.458121] ? kvm_clock_get_cycles+0xd/0x10
[ 1562.459962] ? ktime_get_update_offsets_now+0x6f/0x280
[ 1562.461690] hrtimer_interrupt+0x2c8/0x740
[ 1562.463313] __sysvec_apic_timer_interrupt+0xcd/0x260
[ 1562.465044] sysvec_apic_timer_interrupt+0x6a/0x90
[ 1562.466712] </IRQ>
[ 1562.468103] asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 1562.469783] RIP: 0010:native_safe_halt+0xb/0x10
[ 1562.471397] Code: ff ff ff 4c 89 e7 e8 34 e2 91 fe e9 f0 fe ff ff 48 89 ef
e8 27 e2 91 fe eb a3 cc cc cc cc cc eb 07 0f 00 2d 27 37 52 00 fb f4 <c3> 0f 1f
40 00 eb 07 0f 00 2d 17 37 52 00 f4 c3 cc cc cc cc cc 0f
[ 1562.475550] RSP: 0018:ffffffffb7e07e40 EFLAGS: 00000202
[ 1562.477283] RAX: ffffffffb6b5ded0 RBX: ffffffffb7e24780 RCX:
ffffffffb6b36fb6
[ 1562.479197] RDX: 0000000000000000 RSI: 0000000000000004 RDI:
0000000000024b46
[ 1562.481117] RBP: 0000000000000000 R08: 0000000000000001 R09:
ffff8880218388a3
[ 1562.483018] R10: ffffed1004307114 R11: 0000000000000001 R12:
0000000000000000
[ 1562.484915] R13: ffffffffb874e6a0 R14: 0000000000000000 R15:
dffffc0000000000
[ 1562.486801] ? __cpuidle_text_start+0x8/0x8
[ 1562.488371] ? rcu_eqs_enter.constprop.0+0x86/0xb0
[ 1562.489967] default_idle+0xa/0x10
[ 1562.491412] default_idle_call+0x71/0x1f0
[ 1562.492896] do_idle+0x3e7/0x570
[ 1562.494287] ? arch_cpu_idle_exit+0x40/0x40
[ 1562.495749] cpu_startup_entry+0x19/0x20
[ 1562.497160] start_kernel+0x3bb/0x3d9
[ 1562.498503] secondary_startup_64_no_verify+0xc2/0xcb
[ 1562.501055] Allocated by task 463:
[ 1562.502353] kasan_save_stack+0x1b/0x40
[ 1562.502359] __kasan_kmalloc+0xa4/0xd0
[ 1562.502362] bfq_pd_alloc+0xa8/0x170
[ 1562.502365] blkg_alloc+0x397/0x540
[ 1562.502369] blkg_create+0x66b/0xcd0
[ 1562.502372] bio_associate_blkg_from_css+0x43c/0xb20
[ 1562.502375] bio_associate_blkg+0x66/0x100
[ 1562.502378] btrfs_map_bio+0x53e/0x10d0 [btrfs]
[ 1562.502447] btrfs_submit_metadata_bio+0x209/0x410 [btrfs]
[ 1562.502489] submit_one_bio+0x14f/0x1c0 [btrfs]
[ 1562.502536] read_extent_buffer_pages+0x557/0xfb0 [btrfs]
[ 1562.502585] btree_read_extent_buffer_pages+0x166/0x240 [btrfs]
[ 1562.502629] read_tree_block+0x39/0x60 [btrfs]
[ 1562.502670] read_block_for_search+0x420/0x710 [btrfs]
[ 1562.502710] btrfs_search_slot+0x74f/0x1fe0 [btrfs]
[ 1562.502752] btrfs_lookup_csum+0x108/0x350 [btrfs]
[ 1562.502797] btrfs_lookup_bio_sums+0x71b/0x13a0 [btrfs]
[ 1562.502838] btrfs_submit_data_bio+0x30f/0x7b0 [btrfs]
[ 1562.502880] submit_one_bio+0x108/0x1c0 [btrfs]
[ 1562.502926] extent_readahead+0x7fb/0xac0 [btrfs]
[ 1562.502975] read_pages+0x1bf/0xb00
[ 1562.502979] page_cache_ra_unbounded+0x329/0x720
[ 1562.502982] filemap_fault+0xf35/0x1c70
[ 1562.502984] __do_fault+0xf8/0x390
[ 1562.502988] __handle_mm_fault+0x1a26/0x3020
[ 1562.502990] handle_mm_fault+0x196/0x610
[ 1562.502992] do_user_addr_fault+0x323/0xd60
[ 1562.502995] exc_page_fault+0x5b/0xc0
[ 1562.502997] asm_exc_page_fault+0x1e/0x30
[ 1562.504110] Freed by task 6904:
[ 1562.505366] kasan_save_stack+0x1b/0x40
[ 1562.505370] kasan_set_track+0x1c/0x30
[ 1562.505373] kasan_set_free_info+0x20/0x30
[ 1562.505376] __kasan_slab_free+0x10b/0x140
[ 1562.505379] slab_free_freelist_hook+0x8e/0x180
[ 1562.505382] kfree+0xc7/0x400
[ 1562.505385] blkg_free.part.0+0x78/0xf0
[ 1562.505387] rcu_do_batch+0x365/0x1280
[ 1562.505391] rcu_core+0x493/0x8d0
[ 1562.505394] __do_softirq+0x18e/0x544
[ 1562.506477] Last potentially related work creation:
[ 1562.507892] kasan_save_stack+0x1b/0x40
[ 1562.507904] kasan_record_aux_stack+0xbe/0xd0
[ 1562.507907] call_rcu+0xe0/0x14e0
[ 1562.507909] netlink_release+0x7ce/0x1140
[ 1562.507912] __sock_release+0xc5/0x270
[ 1562.507916] sock_close+0x11/0x20
[ 1562.507919] __fput+0x1ec/0x8b0
[ 1562.507922] task_work_run+0xd3/0x160
[ 1562.507926] exit_to_user_mode_prepare+0x224/0x230
[ 1562.507930] syscall_exit_to_user_mode+0x18/0x40
[ 1562.507932] do_syscall_64+0x69/0x80
[ 1562.507936] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 1562.509029] Second to last potentially related work creation:
[ 1562.510539] kasan_save_stack+0x1b/0x40
[ 1562.510544] kasan_record_aux_stack+0xbe/0xd0
[ 1562.510546] call_rcu+0xe0/0x14e0
[ 1562.510549] netlink_release+0x7ce/0x1140
[ 1562.510551] __sock_release+0xc5/0x270
[ 1562.510554] sock_close+0x11/0x20
[ 1562.510556] __fput+0x1ec/0x8b0
[ 1562.510559] task_work_run+0xd3/0x160
[ 1562.510562] exit_to_user_mode_prepare+0x224/0x230
[ 1562.510564] syscall_exit_to_user_mode+0x18/0x40
[ 1562.510567] do_syscall_64+0x69/0x80
[ 1562.510570] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 1562.511666] The buggy address belongs to the object at ffff8880218f6000
which belongs to the cache kmalloc-2k of size 2048
[ 1562.514812] The buggy address is located 192 bytes inside of
2048-byte region [ffff8880218f6000, ffff8880218f6800)
[ 1562.517930] The buggy address belongs to the page:
[ 1562.519403] page:00000000d524ba6f refcount:1 mapcount:0
mapping:0000000000000000 index:0x0 pfn:0x218f0
[ 1562.519408] head:00000000d524ba6f order:3 compound_mapcount:0
compound_pincount:0
[ 1562.519410] flags:
0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
[ 1562.519416] raw: 000fffffc0010200 0000000000000000 0000000100000001
ffff888001042000
[ 1562.519421] raw: 0000000000000000 0000000000080008 00000001ffffffff
0000000000000000
[ 1562.519423] page dumped because: kasan: bad access detected
[ 1562.520576] Memory state around the buggy address:
[ 1562.522053] ffff8880218f5f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
fc
[ 1562.523785] ffff8880218f6000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb
fb
[ 1562.525529] >ffff8880218f6080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
fb
[ 1562.527247] ^
[ 1562.528790] ffff8880218f6100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
fb
[ 1562.530535] ffff8880218f6180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
fb
[ 1562.532267]
==================================================================
[ 1562.534011] Disabling lock debugging due to kernel taint