2022-12-26 07:49:33

by kernel test robot

Subject: [linus:master] [block, bfq] 64dc8c732f: BUG:KASAN:use-after-free_in_bfq_exit_icq_bfqq



Greetings,

FYI, we noticed BUG:KASAN:use-after-free_in_bfq_exit_icq_bfqq due to commit (built with gcc-11):

commit: 64dc8c732f5c2b406cc752e6aaa1bd5471159cab ("block, bfq: fix possible uaf for 'bfqq->bic'")
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git master

[test failed on linux-next/master e45fb347b630ee76482fe938ba76cf8eab811290]

in testcase: blktests
version: blktests-x86_64-b35866f-1_20221206
with following parameters:

disk: 1SSD
test: block-027



on test machine: 4 threads Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz (Skylake) with 32G memory

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):


If you fix the issue, kindly add the following tag
| Reported-by: kernel test robot <[email protected]>
| Link: https://lore.kernel.org/oe-lkp/[email protected]


[ 68.195492][ T862] BUG: KASAN: use-after-free in bfq_exit_icq_bfqq (block/bfq-iosched.c:392 block/bfq-iosched.c:5321)
[ 68.203861][ T862] Read of size 8 at addr ffff8888019ded20 by task check/862
[ 68.212059][ T862]
[ 68.215294][ T862] CPU: 2 PID: 862 Comm: check Not tainted 6.1.0-09942-g64dc8c732f5c #1
[ 68.224446][ T862] Hardware name: Dell Inc. OptiPlex 7040/0Y7WYT, BIOS 1.8.1 12/05/2017
[ 68.233607][ T862] Call Trace:
[ 68.237830][ T862] <TASK>
[ 68.241700][ T862] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))
[ 68.247130][ T862] print_address_description+0x87/0x2a1
[ 68.254648][ T862] print_report (mm/kasan/report.c:418)
[ 68.260075][ T862] ? kasan_addr_to_slab (mm/kasan/common.c:35)
[ 68.265933][ T862] ? bfq_exit_icq_bfqq (block/bfq-iosched.c:392 block/bfq-iosched.c:5321)
[ 68.271970][ T862] kasan_report (mm/kasan/report.c:519)
[ 68.277213][ T862] ? bfq_exit_icq_bfqq (block/bfq-iosched.c:392 block/bfq-iosched.c:5321)
[ 68.283232][ T862] bfq_exit_icq_bfqq (block/bfq-iosched.c:392 block/bfq-iosched.c:5321)
[ 68.289077][ T862] bfq_exit_icq (block/bfq-iosched.c:5349)
[ 68.294394][ T862] ioc_destroy_icq (block/blk-ioc.c:56 block/blk-ioc.c:93)
[ 68.300055][ T862] ioc_clear_queue (block/blk-ioc.c:187)
[ 68.305717][ T862] ? ioc_find_get_icq (block/blk-ioc.c:173)
[ 68.311633][ T862] ? mutex_lock (arch/x86/include/asm/atomic64_64.h:190 include/linux/atomic/atomic-long.h:443 include/linux/atomic/atomic-instrumented.h:1781 kernel/locking/mutex.c:171 kernel/locking/mutex.c:285)
[ 68.316855][ T862] ? __mutex_lock_slowpath (kernel/locking/mutex.c:282)
[ 68.323034][ T862] elevator_exit (block/elevator.c:164)
[ 68.328355][ T862] del_gendisk (block/genhd.c:660)
[ 68.333667][ T862] ? __pm_runtime_resume (drivers/base/power/runtime.c:1174)
[ 68.339759][ T862] sd_remove (drivers/scsi/sd.c:3577) sd_mod
[ 68.345507][ T862] device_release_driver_internal (drivers/base/dd.c:1251 drivers/base/dd.c:1275)
[ 68.352473][ T862] ? klist_put (include/linux/kref.h:66 lib/klist.c:206 lib/klist.c:217)
[ 68.357778][ T862] bus_remove_device (drivers/base/bus.c:530)
[ 68.363592][ T862] device_del (drivers/base/core.c:3705)
[ 68.368811][ T862] ? __device_link_del (drivers/base/core.c:3660)
[ 68.374815][ T862] ? __kmem_cache_free (mm/slub.c:1807 mm/slub.c:3787 mm/slub.c:3800)
[ 68.380815][ T862] ? kobject_put (arch/x86/include/asm/atomic.h:190 include/linux/atomic/atomic-instrumented.h:177 include/linux/refcount.h:272 include/linux/refcount.h:315 include/linux/refcount.h:333 include/linux/kref.h:64 lib/kobject.c:721)
[ 68.386114][ T862] ? sysfs_kf_bin_read (fs/sysfs/file.c:129)
[ 68.392104][ T862] __scsi_remove_device (drivers/scsi/scsi_sysfs.c:1475)
[ 68.398182][ T862] sdev_store_delete (drivers/scsi/scsi_sysfs.c:1516 drivers/scsi/scsi_sysfs.c:797)
[ 68.403917][ T862] kernfs_fop_write_iter (fs/kernfs/file.c:334)
[ 68.410059][ T862] vfs_write (include/linux/fs.h:2186 fs/read_write.c:491 fs/read_write.c:584)
[ 68.415130][ T862] ? kernel_write (fs/read_write.c:565)
[ 68.420608][ T862] ? __fget_light (include/linux/atomic/atomic-arch-fallback.h:227 include/linux/atomic/atomic-instrumented.h:35 fs/file.c:1015)
[ 68.425971][ T862] ksys_write (fs/read_write.c:637)
[ 68.430950][ T862] ? __ia32_sys_read (fs/read_write.c:627)
[ 68.436450][ T862] ? fput (arch/x86/include/asm/atomic64_64.h:118 include/linux/atomic/atomic-long.h:467 include/linux/atomic/atomic-instrumented.h:1814 fs/file_table.c:371)
[ 68.441057][ T862] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
[ 68.446152][ T862] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
[ 68.452696][ T862] RIP: 0033:0x7f746cf6a8f3
[ 68.457767][ T862] Code: 8b 15 a1 25 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 55 c3 0f 1f 40 00 48 83 ec 28 48 89 54 24 18
All code
========
0: 8b 15 a1 25 0e 00 mov 0xe25a1(%rip),%edx # 0xe25a7
6: f7 d8 neg %eax
8: 64 89 02 mov %eax,%fs:(%rdx)
b: 48 c7 c0 ff ff ff ff mov $0xffffffffffffffff,%rax
12: eb b7 jmp 0xffffffffffffffcb
14: 0f 1f 00 nopl (%rax)
17: 64 8b 04 25 18 00 00 mov %fs:0x18,%eax
1e: 00
1f: 85 c0 test %eax,%eax
21: 75 14 jne 0x37
23: b8 01 00 00 00 mov $0x1,%eax
28: 0f 05 syscall
2a:* 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax <-- trapping instruction
30: 77 55 ja 0x87
32: c3 retq
33: 0f 1f 40 00 nopl 0x0(%rax)
37: 48 83 ec 28 sub $0x28,%rsp
3b: 48 89 54 24 18 mov %rdx,0x18(%rsp)

Code starting with the faulting instruction
===========================================
0: 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax
6: 77 55 ja 0x5d
8: c3 retq
9: 0f 1f 40 00 nopl 0x0(%rax)
d: 48 83 ec 28 sub $0x28,%rsp
11: 48 89 54 24 18 mov %rdx,0x18(%rsp)
[ 68.478908][ T862] RSP: 002b:00007ffcb26ee558 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 68.488041][ T862] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f746cf6a8f3
[ 68.496744][ T862] RDX: 0000000000000002 RSI: 000055dcfd0b7750 RDI: 0000000000000001
[ 68.505450][ T862] RBP: 000055dcfd0b7750 R08: 000000000000000a R09: 0000000000000001
[ 68.514154][ T862] R10: 000055dcfd122a00 R11: 0000000000000246 R12: 0000000000000002
[ 68.522852][ T862] R13: 00007f746d04e6a0 R14: 0000000000000002 R15: 00007f746d049880
[ 68.531556][ T862] </TASK>
[ 68.535303][ T862]
[ 68.538338][ T862] Allocated by task 1400:
[ 68.543367][ T862] kasan_save_stack (mm/kasan/common.c:46)
[ 68.548731][ T862] kasan_set_track (mm/kasan/common.c:52)
[ 68.554011][ T862] __kasan_slab_alloc (mm/kasan/common.c:328)
[ 68.559529][ T862] kmem_cache_alloc_node (mm/slab.h:761 mm/slub.c:3452 mm/slub.c:3497)
[ 68.565469][ T862] bfq_get_queue (block/bfq-iosched.c:5689)
[ 68.570714][ T862] bfq_get_bfqq_handle_split (block/bfq-iosched.c:6591)
[ 68.576912][ T862] bfq_init_rq (block/bfq-iosched.c:6710)
[ 68.582053][ T862] bfq_insert_request+0xdd/0x700
[ 68.588230][ T862] bfq_insert_requests (include/linux/list.h:292 block/bfq-iosched.c:6134)
[ 68.593961][ T862] blk_mq_sched_insert_request (block/blk-mq-sched.c:457)
[ 68.600379][ T862] blk_mq_submit_bio (block/blk-mq.c:2995)
[ 68.606010][ T862] submit_bio_noacct_nocheck (include/linux/bio.h:609 block/blk-core.c:682 block/blk-core.c:698 block/blk-core.c:687)
[ 68.612243][ T862] __blkdev_direct_IO_async (block/fops.c:355)
[ 68.618382][ T862] blkdev_read_iter (block/fops.c:362 block/fops.c:581)
[ 68.623828][ T862] aio_read (fs/aio.c:1520 fs/aio.c:1560)
[ 68.628583][ T862] io_submit_one (include/linux/instrumented.h:102 include/linux/atomic/atomic-instrumented.h:176 include/linux/refcount.h:272 include/linux/refcount.h:315 include/linux/refcount.h:333 fs/aio.c:1186 fs/aio.c:2022)
[ 68.633764][ T862] __x64_sys_io_submit (fs/aio.c:2078 fs/aio.c:2048 fs/aio.c:2048)
[ 68.639467][ T862] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
[ 68.644473][ T862] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
[ 68.650960][ T862]
[ 68.653882][ T862] Freed by task 862:
[ 68.658366][ T862] kasan_save_stack (mm/kasan/common.c:46)
[ 68.663632][ T862] kasan_set_track (mm/kasan/common.c:52)
[ 68.668810][ T862] kasan_save_free_info (mm/kasan/generic.c:520)
[ 68.674425][ T862] __kasan_slab_free (mm/kasan/common.c:238 mm/kasan/common.c:200 mm/kasan/common.c:244)
[ 68.679954][ T862] kmem_cache_free (mm/slub.c:1807 mm/slub.c:3787 mm/slub.c:3809)
[ 68.685313][ T862] bfq_put_queue (block/bfq-iosched.c:5266)
[ 68.690504][ T862] bfq_exit_icq_bfqq (block/bfq-iosched.c:389 block/bfq-iosched.c:5321)
[ 68.696030][ T862] bfq_exit_icq (block/bfq-iosched.c:5349)
[ 68.701037][ T862] ioc_destroy_icq (block/blk-ioc.c:56 block/blk-ioc.c:93)
[ 68.706388][ T862] ioc_clear_queue (block/blk-ioc.c:187)
[ 68.711737][ T862] elevator_exit (block/elevator.c:164)
[ 68.716734][ T862] del_gendisk (block/genhd.c:660)
[ 68.721731][ T862] sd_remove (drivers/scsi/sd.c:3577) sd_mod
[ 68.727158][ T862] device_release_driver_internal (drivers/base/dd.c:1251 drivers/base/dd.c:1275)
[ 68.733799][ T862] bus_remove_device (drivers/base/bus.c:530)
[ 68.739318][ T862] device_del (drivers/base/core.c:3705)
[ 68.744228][ T862] __scsi_remove_device (drivers/scsi/scsi_sysfs.c:1475)
[ 68.750005][ T862] sdev_store_delete (drivers/scsi/scsi_sysfs.c:1516 drivers/scsi/scsi_sysfs.c:797)
[ 68.755442][ T862] kernfs_fop_write_iter (fs/kernfs/file.c:334)
[ 68.761313][ T862] vfs_write (include/linux/fs.h:2186 fs/read_write.c:491 fs/read_write.c:584)
[ 68.766145][ T862] ksys_write (fs/read_write.c:637)
[ 68.770971][ T862] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
[ 68.775963][ T862] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
[ 68.782442][ T862]
[ 68.785361][ T862] The buggy address belongs to the object at ffff8888019deb80
[ 68.785361][ T862] which belongs to the cache bfq_queue of size 568
[ 68.800590][ T862] The buggy address is located 416 bytes inside of
[ 68.800590][ T862] 568-byte region [ffff8888019deb80, ffff8888019dedb8)
[ 68.815221][ T862]
[ 68.818171][ T862] The buggy address belongs to the physical page:
[ 68.825204][ T862] page:0000000059db31a7 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8019dc
[ 68.836068][ T862] head:0000000059db31a7 order:2 compound_mapcount:0 subpages_mapcount:0 compound_pincount:0
[ 68.846747][ T862] flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
[ 68.855593][ T862] raw: 0017ffffc0010200 ffff8881103ea500 dead000000000122 0000000000000000
[ 68.864771][ T862] raw: 0000000000000000 0000000080170017 00000001ffffffff 0000000000000000
[ 68.873944][ T862] page dumped because: kasan: bad access detected
[ 68.880954][ T862]
[ 68.883885][ T862] Memory state around the buggy address:
[ 68.890120][ T862] ffff8888019dec00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.898794][ T862] ffff8888019dec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.907453][ T862] >ffff8888019ded00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.916109][ T862] ^
[ 68.921828][ T862] ffff8888019ded80: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[ 68.930509][ T862] ffff8888019dee00: fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb fb
[ 68.939190][ T862] ==================================================================
[ 68.947879][ T862] Disabling lock debugging due to kernel taint


To reproduce:

git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
sudo bin/lkp install job.yaml # job file is attached in this email
bin/lkp split-job --compatible job.yaml # generate the yaml file for lkp run
sudo bin/lkp run generated-yaml-file

# if you come across any failure that blocks the test,
# please remove the ~/.lkp and /lkp dirs to run from a clean state.



--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests



Attachments:
(No filename) (12.17 kB)
config-6.1.0-09942-g64dc8c732f5c (174.19 kB)
job-script (5.54 kB)
dmesg.xz (40.80 kB)
blktests (1.27 kB)
job.yaml (4.63 kB)
reproduce (35.00 B)