[block] BUG: KASAN: use-after-free in rb_erase+0x1431/0x1970

From: Mike Galbraith
Date: Thu Mar 09 2017 - 10:17:21 EST


Greetings,

Building master.today with kasan enabled (because I saw the same when
trying out kasan on rt), the below fell out.

Config is enterprise-based (tuned for maximum build time), plus PREEMPT.

[ 5.335444] ==================================================================
[ 5.337030] BUG: KASAN: use-after-free in rb_erase+0x1431/0x1970 at addr ffff88035e78abb0
[ 5.338642] Write of size 8 by task swapper/7/0
[ 5.340204] CPU: 7 PID: 0 Comm: swapper/7 Tainted: G E 4.11.0-kasan #160
[ 5.341774] Hardware name: MEDION MS-7848/MS-7848, BIOS M7848W08.20C 09/23/2013
[ 5.343374] Call Trace:
[ 5.344948] <IRQ>
[ 5.346522] ? dump_stack+0x5c/0x7b
[ 5.348098] ? kasan_object_err+0x1c/0x70
[ 5.349648] ? kasan_report.part.1+0x233/0x530
[ 5.351216] ? save_stack+0x33/0xa0
[ 5.352744] ? save_stack+0x33/0xa0
[ 5.354297] ? save_stack+0x33/0xa0
[ 5.355839] ? save_stack+0x33/0xa0
[ 5.357353] ? save_stack+0x33/0xa0
[ 5.358861] ? save_stack+0x33/0xa0
[ 5.360513] ? save_stack+0x33/0xa0
[ 5.362019] ? rb_erase+0x1431/0x1970
[ 5.363719] ? wb_congested_put+0x65/0xd0
[ 5.365833] ? __blkg_release_rcu+0x114/0x230
[ 5.367274] ? rcu_process_callbacks+0x8e2/0xff0
[ 5.368633] ? __do_softirq+0x1dd/0x581
[ 5.369988] ? irq_exit+0x166/0x190
[ 5.371323] ? smp_apic_timer_interrupt+0x76/0x90
[ 5.372627] ? apic_timer_interrupt+0x8c/0xa0
[ 5.374011] </IRQ>
[ 5.375329] ? cpuidle_enter_state+0x10d/0x760
[ 5.376616] ? do_idle+0x21e/0x2d0
[ 5.377895] ? cpu_startup_entry+0xbe/0xd0
[ 5.379209] ? cpu_in_idle+0x20/0x20
[ 5.380452] ? clockevents_register_device+0x141/0x400
[ 5.381771] ? clockevents_config.part.9+0xfc/0x170
[ 5.383054] ? start_secondary+0x307/0x3e0
[ 5.384273] ? set_cpu_sibling_map+0x1880/0x1880
[ 5.385488] ? start_cpu+0x14/0x14
[ 5.387012] Object at ffff88035e78a880, in cache kmalloc-1024 size: 1024
[ 5.388250] Allocated:
[ 5.389462] PID = 541
[ 5.390666] save_stack+0x33/0xa0
[ 5.391825] save_stack+0x33/0xa0
[ 5.392929] save_stack+0x33/0xa0
[ 5.394091] save_stack+0x33/0xa0
[ 5.395218] save_stack+0x33/0xa0
[ 5.396248] save_stack+0x33/0xa0
[ 5.397229] save_stack+0x33/0xa0
[ 5.398219] save_stack+0x33/0xa0
[ 5.399258] save_stack+0x33/0xa0
[ 5.400199] save_stack+0x33/0xa0
[ 5.401073] save_stack+0x33/0xa0
[ 5.401933] save_stack+0x33/0xa0
[ 5.402783] save_stack+0x33/0xa0
[ 5.403676] save_stack+0x33/0xa0
[ 5.404439] save_stack+0x33/0xa0
[ 5.405186] save_stack+0x33/0xa0
[ 5.405923] save_stack+0x33/0xa0
[ 5.406657] save_stack+0x33/0xa0
[ 5.407477] save_stack+0x33/0xa0
[ 5.408292] save_stack+0x33/0xa0
[ 5.408976] save_stack+0x33/0xa0
[ 5.409664] save_stack+0x33/0xa0
[ 5.410344] save_stack+0x33/0xa0
[ 5.411028] save_stack+0x33/0xa0
[ 5.411680] save_stack+0x33/0xa0
[ 5.412304] save_stack+0x33/0xa0
[ 5.412886] save_stack+0x33/0xa0
[ 5.413454] save_stack+0x33/0xa0
[ 5.414009] save_stack+0x33/0xa0
[ 5.414540] save_stack+0x33/0xa0
[ 5.415044] save_stack+0x33/0xa0
[ 5.415525] save_stack+0x33/0xa0
[ 5.416002] save_stack+0x33/0xa0
[ 5.416447] save_stack+0x33/0xa0
[ 5.416872] save_stack+0x33/0xa0
[ 5.417315] save_stack+0x33/0xa0
[ 5.417806] save_stack+0x33/0xa0
[ 5.418250] save_stack+0x33/0xa0
[ 5.418674] save_stack+0x33/0xa0
[ 5.419089] save_stack+0x33/0xa0
[ 5.419480] save_stack+0x33/0xa0
[ 5.419871] save_stack+0x33/0xa0
[ 5.420287] save_stack+0x33/0xa0
[ 5.420706] save_stack+0x33/0xa0
[ 5.421096] save_stack+0x33/0xa0
[ 5.421496] save_stack+0x33/0xa0
[ 5.421890] save_stack+0x33/0xa0
[ 5.422360] save_stack+0x33/0xa0
[ 5.422783] save_stack+0x33/0xa0
[ 5.423161] save_stack+0x33/0xa0
[ 5.423509] save_stack+0x33/0xa0
[ 5.423850] save_stack+0x33/0xa0
[ 5.424257] save_stack+0x33/0xa0
[ 5.424609] save_stack+0x33/0xa0
[ 5.424920] save_stack+0x33/0xa0
[ 5.425221] save_stack+0x33/0xa0
[ 5.425514] save_stack+0x33/0xa0
[ 5.425836] save_stack+0x33/0xa0
[ 5.426135] save_stack+0x33/0xa0
[ 5.426404] save_stack+0x33/0xa0
[ 5.426663] save_stack+0x33/0xa0
[ 5.426935] save_stack+0x33/0xa0
[ 5.427193] save_stack+0x33/0xa0
[ 5.427421] save_stack+0x33/0xa0
[ 5.427632] Freed:
[ 5.427880] PID = 541
[ 5.428122] save_stack+0x33/0xa0
[ 5.428326] save_stack+0x33/0xa0
[ 5.428529] save_stack+0x33/0xa0
[ 5.428731] save_stack+0x33/0xa0
[ 5.428934] save_stack+0x33/0xa0
[ 5.429157] save_stack+0x33/0xa0
[ 5.429360] save_stack+0x33/0xa0
[ 5.429570] save_stack+0x33/0xa0
[ 5.429769] save_stack+0x33/0xa0
[ 5.429976] save_stack+0x33/0xa0
[ 5.430194] save_stack+0x33/0xa0
[ 5.430401] save_stack+0x33/0xa0
[ 5.430622] save_stack+0x33/0xa0
[ 5.430832] save_stack+0x33/0xa0
[ 5.431030] save_stack+0x33/0xa0
[ 5.431247] save_stack+0x33/0xa0
[ 5.431444] save_stack+0x33/0xa0
[ 5.431651] save_stack+0x33/0xa0
[ 5.431858] save_stack+0x33/0xa0
[ 5.432078] save_stack+0x33/0xa0
[ 5.432275] save_stack+0x33/0xa0
[ 5.432471] save_stack+0x33/0xa0
[ 5.432686] save_stack+0x33/0xa0
[ 5.432882] save_stack+0x33/0xa0
[ 5.433077] save_stack+0x33/0xa0
[ 5.433272] save_stack+0x33/0xa0
[ 5.433476] save_stack+0x33/0xa0
[ 5.433681] save_stack+0x33/0xa0
[ 5.433875] save_stack+0x33/0xa0
[ 5.434069] save_stack+0x33/0xa0
[ 5.434266] save_stack+0x33/0xa0
[ 5.434461] save_stack+0x33/0xa0
[ 5.434655] save_stack+0x33/0xa0
[ 5.434848] save_stack+0x33/0xa0
[ 5.435043] save_stack+0x33/0xa0
[ 5.435271] save_stack+0x33/0xa0
[ 5.435494] save_stack+0x33/0xa0
[ 5.435707] save_stack+0x33/0xa0
[ 5.435935] save_stack+0x33/0xa0
[ 5.436142] save_stack+0x33/0xa0
[ 5.436335] save_stack+0x33/0xa0
[ 5.436528] save_stack+0x33/0xa0
[ 5.436722] save_stack+0x33/0xa0
[ 5.436925] save_stack+0x33/0xa0
[ 5.437122] save_stack+0x33/0xa0
[ 5.437318] save_stack+0x33/0xa0
[ 5.437536] save_stack+0x33/0xa0
[ 5.437733] save_stack+0x33/0xa0
[ 5.437958] save_stack+0x33/0xa0
[ 5.438151] save_stack+0x33/0xa0
[ 5.438348] save_stack+0x33/0xa0
[ 5.438561] save_stack+0x33/0xa0
[ 5.438775] save_stack+0x33/0xa0
[ 5.438968] save_stack+0x33/0xa0
[ 5.439161] save_stack+0x33/0xa0
[ 5.439354] save_stack+0x33/0xa0
[ 5.439548] save_stack+0x33/0xa0
[ 5.439741] save_stack+0x33/0xa0
[ 5.439937] save_stack+0x33/0xa0
[ 5.440133] save_stack+0x33/0xa0
[ 5.440326] save_stack+0x33/0xa0
[ 5.440520] save_stack+0x33/0xa0
[ 5.440714] save_stack+0x33/0xa0
[ 5.440906] save_stack+0x33/0xa0
[ 5.441099] Memory state around the buggy address:
[ 5.441327] ffff88035e78aa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 5.441572] ffff88035e78ab00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 5.441805] >ffff88035e78ab80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 5.442027] ^
[ 5.442262] ffff88035e78ac00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 5.442538] ffff88035e78ac80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 5.442822] ==================================================================