[Bug 1192714] [Build 20211114] podman tests triggering gpf in kernel 5.15.1
https://bugzilla.suse.com/show_bug.cgi?id=1192714 https://bugzilla.suse.com/show_bug.cgi?id=1192714#c7 --- Comment #7 from Fabian Vogt <fvogt@suse.com> --- Another one, with more info: [ 1562.396848] ================================================================== [ 1562.401006] BUG: KASAN: use-after-free in __bfq_deactivate_entity+0x72b/0xa50 [ 1562.403329] Read of size 8 at addr ffff8880218f60c0 by task swapper/0/0 [ 1562.407362] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G E 5.15.2-0.g5fb85fd-default #1 openSUSE Tumbleweed (unreleased) f1f3b891c72369aebecd2e43e4641a6358867c70 [ 1562.412042] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a-rebuilt.opensuse.org 04/01/2014 [ 1562.416385] Call Trace: [ 1562.418285] <IRQ> [ 1562.420087] dump_stack_lvl+0x46/0x5a [ 1562.422053] print_address_description.constprop.0+0x1f/0x140 [ 1562.424227] ? __bfq_deactivate_entity+0x72b/0xa50 [ 1562.426309] kasan_report.cold+0x7f/0x11b [ 1562.428310] ? update_curr+0x2b0/0x5d0 [ 1562.430273] ? __bfq_deactivate_entity+0x72b/0xa50 [ 1562.432335] __bfq_deactivate_entity+0x72b/0xa50 [ 1562.434377] bfq_deactivate_entity+0xa0/0x1d0 [ 1562.436402] bfq_del_bfqq_busy+0x28a/0x420 [ 1562.438366] ? bfq_requeue_bfqq+0x70/0x70 [ 1562.440295] ? update_curr+0x32f/0x5d0 [ 1562.442179] __bfq_bfqq_expire+0x1a2/0x270 [ 1562.444061] bfq_bfqq_expire+0xd16/0x2160 [ 1562.445896] ? enqueue_entity+0x466/0x2520 [ 1562.447704] ? bfq_end_wr_async_queues+0xe0/0xe0 [ 1562.449543] ? _raw_write_unlock_bh+0x60/0x60 [ 1562.451317] bfq_idle_slice_timer+0x109/0x280 [ 1562.453066] ? bfq_dispatch_request+0x4870/0x4870 [ 1562.454811] __hrtimer_run_queues+0x37d/0x700 [ 1562.456498] ? enqueue_hrtimer+0x1b0/0x1b0 [ 1562.458121] ? kvm_clock_get_cycles+0xd/0x10 [ 1562.459962] ? 
ktime_get_update_offsets_now+0x6f/0x280 [ 1562.461690] hrtimer_interrupt+0x2c8/0x740 [ 1562.463313] __sysvec_apic_timer_interrupt+0xcd/0x260 [ 1562.465044] sysvec_apic_timer_interrupt+0x6a/0x90 [ 1562.466712] </IRQ> [ 1562.468103] asm_sysvec_apic_timer_interrupt+0x12/0x20 [ 1562.469783] RIP: 0010:native_safe_halt+0xb/0x10 [ 1562.471397] Code: ff ff ff 4c 89 e7 e8 34 e2 91 fe e9 f0 fe ff ff 48 89 ef e8 27 e2 91 fe eb a3 cc cc cc cc cc eb 07 0f 00 2d 27 37 52 00 fb f4 <c3> 0f 1f 40 00 eb 07 0f 00 2d 17 37 52 00 f4 c3 cc cc cc cc cc 0f [ 1562.475550] RSP: 0018:ffffffffb7e07e40 EFLAGS: 00000202 [ 1562.477283] RAX: ffffffffb6b5ded0 RBX: ffffffffb7e24780 RCX: ffffffffb6b36fb6 [ 1562.479197] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000024b46 [ 1562.481117] RBP: 0000000000000000 R08: 0000000000000001 R09: ffff8880218388a3 [ 1562.483018] R10: ffffed1004307114 R11: 0000000000000001 R12: 0000000000000000 [ 1562.484915] R13: ffffffffb874e6a0 R14: 0000000000000000 R15: dffffc0000000000 [ 1562.486801] ? __cpuidle_text_start+0x8/0x8 [ 1562.488371] ? rcu_eqs_enter.constprop.0+0x86/0xb0 [ 1562.489967] default_idle+0xa/0x10 [ 1562.491412] default_idle_call+0x71/0x1f0 [ 1562.492896] do_idle+0x3e7/0x570 [ 1562.494287] ? 
arch_cpu_idle_exit+0x40/0x40 [ 1562.495749] cpu_startup_entry+0x19/0x20 [ 1562.497160] start_kernel+0x3bb/0x3d9 [ 1562.498503] secondary_startup_64_no_verify+0xc2/0xcb [ 1562.501055] Allocated by task 463: [ 1562.502353] kasan_save_stack+0x1b/0x40 [ 1562.502359] __kasan_kmalloc+0xa4/0xd0 [ 1562.502362] bfq_pd_alloc+0xa8/0x170 [ 1562.502365] blkg_alloc+0x397/0x540 [ 1562.502369] blkg_create+0x66b/0xcd0 [ 1562.502372] bio_associate_blkg_from_css+0x43c/0xb20 [ 1562.502375] bio_associate_blkg+0x66/0x100 [ 1562.502378] btrfs_map_bio+0x53e/0x10d0 [btrfs] [ 1562.502447] btrfs_submit_metadata_bio+0x209/0x410 [btrfs] [ 1562.502489] submit_one_bio+0x14f/0x1c0 [btrfs] [ 1562.502536] read_extent_buffer_pages+0x557/0xfb0 [btrfs] [ 1562.502585] btree_read_extent_buffer_pages+0x166/0x240 [btrfs] [ 1562.502629] read_tree_block+0x39/0x60 [btrfs] [ 1562.502670] read_block_for_search+0x420/0x710 [btrfs] [ 1562.502710] btrfs_search_slot+0x74f/0x1fe0 [btrfs] [ 1562.502752] btrfs_lookup_csum+0x108/0x350 [btrfs] [ 1562.502797] btrfs_lookup_bio_sums+0x71b/0x13a0 [btrfs] [ 1562.502838] btrfs_submit_data_bio+0x30f/0x7b0 [btrfs] [ 1562.502880] submit_one_bio+0x108/0x1c0 [btrfs] [ 1562.502926] extent_readahead+0x7fb/0xac0 [btrfs] [ 1562.502975] read_pages+0x1bf/0xb00 [ 1562.502979] page_cache_ra_unbounded+0x329/0x720 [ 1562.502982] filemap_fault+0xf35/0x1c70 [ 1562.502984] __do_fault+0xf8/0x390 [ 1562.502988] __handle_mm_fault+0x1a26/0x3020 [ 1562.502990] handle_mm_fault+0x196/0x610 [ 1562.502992] do_user_addr_fault+0x323/0xd60 [ 1562.502995] exc_page_fault+0x5b/0xc0 [ 1562.502997] asm_exc_page_fault+0x1e/0x30 [ 1562.504110] Freed by task 6904: [ 1562.505366] kasan_save_stack+0x1b/0x40 [ 1562.505370] kasan_set_track+0x1c/0x30 [ 1562.505373] kasan_set_free_info+0x20/0x30 [ 1562.505376] __kasan_slab_free+0x10b/0x140 [ 1562.505379] slab_free_freelist_hook+0x8e/0x180 [ 1562.505382] kfree+0xc7/0x400 [ 1562.505385] blkg_free.part.0+0x78/0xf0 [ 1562.505387] rcu_do_batch+0x365/0x1280 [ 1562.505391] 
rcu_core+0x493/0x8d0 [ 1562.505394] __do_softirq+0x18e/0x544 [ 1562.506477] Last potentially related work creation: [ 1562.507892] kasan_save_stack+0x1b/0x40 [ 1562.507904] kasan_record_aux_stack+0xbe/0xd0 [ 1562.507907] call_rcu+0xe0/0x14e0 [ 1562.507909] netlink_release+0x7ce/0x1140 [ 1562.507912] __sock_release+0xc5/0x270 [ 1562.507916] sock_close+0x11/0x20 [ 1562.507919] __fput+0x1ec/0x8b0 [ 1562.507922] task_work_run+0xd3/0x160 [ 1562.507926] exit_to_user_mode_prepare+0x224/0x230 [ 1562.507930] syscall_exit_to_user_mode+0x18/0x40 [ 1562.507932] do_syscall_64+0x69/0x80 [ 1562.507936] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 1562.509029] Second to last potentially related work creation: [ 1562.510539] kasan_save_stack+0x1b/0x40 [ 1562.510544] kasan_record_aux_stack+0xbe/0xd0 [ 1562.510546] call_rcu+0xe0/0x14e0 [ 1562.510549] netlink_release+0x7ce/0x1140 [ 1562.510551] __sock_release+0xc5/0x270 [ 1562.510554] sock_close+0x11/0x20 [ 1562.510556] __fput+0x1ec/0x8b0 [ 1562.510559] task_work_run+0xd3/0x160 [ 1562.510562] exit_to_user_mode_prepare+0x224/0x230 [ 1562.510564] syscall_exit_to_user_mode+0x18/0x40 [ 1562.510567] do_syscall_64+0x69/0x80 [ 1562.510570] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 1562.511666] The buggy address belongs to the object at ffff8880218f6000 which belongs to the cache kmalloc-2k of size 2048 [ 1562.514812] The buggy address is located 192 bytes inside of 2048-byte region [ffff8880218f6000, ffff8880218f6800) [ 1562.517930] The buggy address belongs to the page: [ 1562.519403] page:00000000d524ba6f refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x218f0 [ 1562.519408] head:00000000d524ba6f order:3 compound_mapcount:0 compound_pincount:0 [ 1562.519410] flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff) [ 1562.519416] raw: 000fffffc0010200 0000000000000000 0000000100000001 ffff888001042000 [ 1562.519421] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000 [ 1562.519423] page dumped 
because: kasan: bad access detected [ 1562.520576] Memory state around the buggy address: [ 1562.522053] ffff8880218f5f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 1562.523785] ffff8880218f6000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 1562.525529] >ffff8880218f6080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 1562.527247] ^ [ 1562.528790] ffff8880218f6100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 1562.530535] ffff8880218f6180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 1562.532267] ================================================================== [ 1562.534011] Disabling lock debugging due to kernel taint -- You are receiving this mail because: You are the assignee for the bug.