From: Mike Galbraith
To: LKML
Cc: Jens Axboe
Subject: [block] BUG: KASAN: use-after-free in rb_erase+0x1431/0x1970
Date: Thu, 09 Mar 2017 16:16:59 +0100
Message-ID: <1489072619.3839.9.camel@gmx.de>

Greetings,

Building master.today with kasan enabled (because I saw the same
when trying out kasan on rt), the below fell out.  Config is
enterprise based (tune for maximum build time), plus PREEMPT.

[ 5.335444] ==================================================================
[ 5.337030] BUG: KASAN: use-after-free in rb_erase+0x1431/0x1970 at addr ffff88035e78abb0
[ 5.338642] Write of size 8 by task swapper/7/0
[ 5.340204] CPU: 7 PID: 0 Comm: swapper/7 Tainted: G E 4.11.0-kasan #160
[ 5.341774] Hardware name: MEDION MS-7848/MS-7848, BIOS M7848W08.20C 09/23/2013
[ 5.343374] Call Trace:
[ 5.344948]
[ 5.346522] ? dump_stack+0x5c/0x7b
[ 5.348098] ? kasan_object_err+0x1c/0x70
[ 5.349648] ? kasan_report.part.1+0x233/0x530
[ 5.351216] ? save_stack+0x33/0xa0
[ 5.352744] ? save_stack+0x33/0xa0
[ 5.354297] ? save_stack+0x33/0xa0
[ 5.355839] ? save_stack+0x33/0xa0
[ 5.357353] ? save_stack+0x33/0xa0
[ 5.358861] ? save_stack+0x33/0xa0
[ 5.360513] ? save_stack+0x33/0xa0
[ 5.362019] ? rb_erase+0x1431/0x1970
[ 5.363719] ? wb_congested_put+0x65/0xd0
[ 5.365833] ? __blkg_release_rcu+0x114/0x230
[ 5.367274] ? rcu_process_callbacks+0x8e2/0xff0
[ 5.368633] ? __do_softirq+0x1dd/0x581
[ 5.369988] ? irq_exit+0x166/0x190
[ 5.371323] ? smp_apic_timer_interrupt+0x76/0x90
[ 5.372627] ? apic_timer_interrupt+0x8c/0xa0
[ 5.374011]
[ 5.375329] ? cpuidle_enter_state+0x10d/0x760
[ 5.376616] ? do_idle+0x21e/0x2d0
[ 5.377895] ? cpu_startup_entry+0xbe/0xd0
[ 5.379209] ? cpu_in_idle+0x20/0x20
[ 5.380452] ? clockevents_register_device+0x141/0x400
[ 5.381771] ? clockevents_config.part.9+0xfc/0x170
[ 5.383054] ? start_secondary+0x307/0x3e0
[ 5.384273] ? set_cpu_sibling_map+0x1880/0x1880
[ 5.385488] ? start_cpu+0x14/0x14
[ 5.387012] Object at ffff88035e78a880, in cache kmalloc-1024 size: 1024
[ 5.388250] Allocated:
[ 5.389462] PID = 541
[ 5.390666] save_stack+0x33/0xa0
[ 5.391825] save_stack+0x33/0xa0
[ 5.392929] save_stack+0x33/0xa0
[ 5.394091] save_stack+0x33/0xa0
[ 5.395218] save_stack+0x33/0xa0
[ 5.396248] save_stack+0x33/0xa0
[ 5.397229] save_stack+0x33/0xa0
[ 5.398219] save_stack+0x33/0xa0
[ 5.399258] save_stack+0x33/0xa0
[ 5.400199] save_stack+0x33/0xa0
[ 5.401073] save_stack+0x33/0xa0
[ 5.401933] save_stack+0x33/0xa0
[ 5.402783] save_stack+0x33/0xa0
[ 5.403676] save_stack+0x33/0xa0
[ 5.404439] save_stack+0x33/0xa0
[ 5.405186] save_stack+0x33/0xa0
[ 5.405923] save_stack+0x33/0xa0
[ 5.406657] save_stack+0x33/0xa0
[ 5.407477] save_stack+0x33/0xa0
[ 5.408292] save_stack+0x33/0xa0
[ 5.408976] save_stack+0x33/0xa0
[ 5.409664] save_stack+0x33/0xa0
[ 5.410344] save_stack+0x33/0xa0
[ 5.411028] save_stack+0x33/0xa0
[ 5.411680] save_stack+0x33/0xa0
[ 5.412304] save_stack+0x33/0xa0
[ 5.412886] save_stack+0x33/0xa0
[ 5.413454] save_stack+0x33/0xa0
[ 5.414009] save_stack+0x33/0xa0
[ 5.414540] save_stack+0x33/0xa0
[ 5.415044] save_stack+0x33/0xa0
[ 5.415525] save_stack+0x33/0xa0
[ 5.416002] save_stack+0x33/0xa0
[ 5.416447] save_stack+0x33/0xa0
[ 5.416872] save_stack+0x33/0xa0
[ 5.417315] save_stack+0x33/0xa0
[ 5.417806] save_stack+0x33/0xa0
[ 5.418250] save_stack+0x33/0xa0
[ 5.418674] save_stack+0x33/0xa0
[ 5.419089] save_stack+0x33/0xa0
[ 5.419480] save_stack+0x33/0xa0
[ 5.419871] save_stack+0x33/0xa0
[ 5.420287] save_stack+0x33/0xa0
[ 5.420706] save_stack+0x33/0xa0
[ 5.421096] save_stack+0x33/0xa0
[ 5.421496] save_stack+0x33/0xa0
[ 5.421890] save_stack+0x33/0xa0
[ 5.422360] save_stack+0x33/0xa0
[ 5.422783] save_stack+0x33/0xa0
[ 5.423161] save_stack+0x33/0xa0
[ 5.423509] save_stack+0x33/0xa0
[ 5.423850] save_stack+0x33/0xa0
[ 5.424257] save_stack+0x33/0xa0
[ 5.424609] save_stack+0x33/0xa0
[ 5.424920] save_stack+0x33/0xa0
[ 5.425221] save_stack+0x33/0xa0
[ 5.425514] save_stack+0x33/0xa0
[ 5.425836] save_stack+0x33/0xa0
[ 5.426135] save_stack+0x33/0xa0
[ 5.426404] save_stack+0x33/0xa0
[ 5.426663] save_stack+0x33/0xa0
[ 5.426935] save_stack+0x33/0xa0
[ 5.427193] save_stack+0x33/0xa0
[ 5.427421] save_stack+0x33/0xa0
[ 5.427632] Freed:
[ 5.427880] PID = 541
[ 5.428122] save_stack+0x33/0xa0
[ 5.428326] save_stack+0x33/0xa0
[ 5.428529] save_stack+0x33/0xa0
[ 5.428731] save_stack+0x33/0xa0
[ 5.428934] save_stack+0x33/0xa0
[ 5.429157] save_stack+0x33/0xa0
[ 5.429360] save_stack+0x33/0xa0
[ 5.429570] save_stack+0x33/0xa0
[ 5.429769] save_stack+0x33/0xa0
[ 5.429976] save_stack+0x33/0xa0
[ 5.430194] save_stack+0x33/0xa0
[ 5.430401] save_stack+0x33/0xa0
[ 5.430622] save_stack+0x33/0xa0
[ 5.430832] save_stack+0x33/0xa0
[ 5.431030] save_stack+0x33/0xa0
[ 5.431247] save_stack+0x33/0xa0
[ 5.431444] save_stack+0x33/0xa0
[ 5.431651] save_stack+0x33/0xa0
[ 5.431858] save_stack+0x33/0xa0
[ 5.432078] save_stack+0x33/0xa0
[ 5.432275] save_stack+0x33/0xa0
[ 5.432471] save_stack+0x33/0xa0
[ 5.432686] save_stack+0x33/0xa0
[ 5.432882] save_stack+0x33/0xa0
[ 5.433077] save_stack+0x33/0xa0
[ 5.433272] save_stack+0x33/0xa0
[ 5.433476] save_stack+0x33/0xa0
[ 5.433681] save_stack+0x33/0xa0
[ 5.433875] save_stack+0x33/0xa0
[ 5.434069] save_stack+0x33/0xa0
[ 5.434266] save_stack+0x33/0xa0
[ 5.434461] save_stack+0x33/0xa0
[ 5.434655] save_stack+0x33/0xa0
[ 5.434848] save_stack+0x33/0xa0
[ 5.435043] save_stack+0x33/0xa0
[ 5.435271] save_stack+0x33/0xa0
[ 5.435494] save_stack+0x33/0xa0
[ 5.435707] save_stack+0x33/0xa0
[ 5.435935] save_stack+0x33/0xa0
[ 5.436142] save_stack+0x33/0xa0
[ 5.436335] save_stack+0x33/0xa0
[ 5.436528] save_stack+0x33/0xa0
[ 5.436722] save_stack+0x33/0xa0
[ 5.436925] save_stack+0x33/0xa0
[ 5.437122] save_stack+0x33/0xa0
[ 5.437318] save_stack+0x33/0xa0
[ 5.437536] save_stack+0x33/0xa0
[ 5.437733] save_stack+0x33/0xa0
[ 5.437958] save_stack+0x33/0xa0
[ 5.438151] save_stack+0x33/0xa0
[ 5.438348] save_stack+0x33/0xa0
[ 5.438561] save_stack+0x33/0xa0
[ 5.438775] save_stack+0x33/0xa0
[ 5.438968] save_stack+0x33/0xa0
[ 5.439161] save_stack+0x33/0xa0
[ 5.439354] save_stack+0x33/0xa0
[ 5.439548] save_stack+0x33/0xa0
[ 5.439741] save_stack+0x33/0xa0
[ 5.439937] save_stack+0x33/0xa0
[ 5.440133] save_stack+0x33/0xa0
[ 5.440326] save_stack+0x33/0xa0
[ 5.440520] save_stack+0x33/0xa0
[ 5.440714] save_stack+0x33/0xa0
[ 5.440906] save_stack+0x33/0xa0
[ 5.441099] Memory state around the buggy address:
[ 5.441327]  ffff88035e78aa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 5.441572]  ffff88035e78ab00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 5.441805] >ffff88035e78ab80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 5.442027] ^
[ 5.442262]  ffff88035e78ac00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 5.442538]  ffff88035e78ac80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 5.442822] ==================================================================
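The report above has everything needed for a first triage pass: the faulting address, the object it lives in, and the shadow bytes around it. The following is an added example, not code from the mail or from the kernel tree, that parses those fields out of a classic-KASAN report and decodes the shadow byte at the faulting address; the shadow encodings are assumed from mm/kasan/kasan.h of 4.x kernels, and the embedded excerpt is constructed from the report above with the dmesg timestamps removed.

```python
import re

# Classic-KASAN shadow byte encodings (assumed from mm/kasan/kasan.h, 4.x
# kernels); 00..07 mean the first N bytes of the 8-byte granule are addressable.
SHADOW_STATES = {
    0xfb: "kmalloc freed", 0xfc: "kmalloc redzone", 0xfa: "global redzone",
    0xfe: "page redzone", 0xff: "free page", 0xf8: "use after scope",
    0xf1: "stack left redzone", 0xf2: "stack mid redzone", 0xf3: "stack right redzone",
}

# Constructed excerpt of the report in the mail above, dmesg timestamps removed.
SAMPLE = """\
BUG: KASAN: use-after-free in rb_erase+0x1431/0x1970 at addr ffff88035e78abb0
Write of size 8 by task swapper/7/0
Object at ffff88035e78a880, in cache kmalloc-1024 size: 1024
Allocated:
PID = 541
Freed:
PID = 541
Memory state around the buggy address:
>ffff88035e78ab80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88035e78ac80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

def parse_kasan_report(text):
    """Extract the triage-relevant fields of a classic-KASAN report."""
    r = {}
    m = re.search(r"BUG: KASAN: (\S+) in (\S+) at addr ([0-9a-f]+)", text)
    r["bug"], r["func"], r["addr"] = m[1], m[2], int(m[3], 16)
    m = re.search(r"(Read|Write) of size (\d+) by task (\S+)", text)
    r["access"], r["size"], r["task"] = m[1], int(m[2]), m[3]
    m = re.search(r"Object at ([0-9a-f]+), in cache (\S+) size: (\d+)", text)
    r["obj"], r["cache"], r["obj_size"] = int(m[1], 16), m[2], int(m[3])
    for which, pid in re.findall(r"(Allocated|Freed):\nPID = (\d+)", text):
        r[which.lower() + "_pid"] = int(pid)
    r["shadow"] = {}  # shadow dump row base address -> its 16 shadow bytes
    for base, row in re.findall(r"^[> ]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", text, re.M):
        r["shadow"][int(base, 16)] = [int(b, 16) for b in row.split()]
    return r

def triage(r):
    """Locate the access inside the object and decode its shadow byte."""
    off = r["addr"] - r["obj"]
    # One shadow byte covers an 8-byte granule, so a 16-byte dump row covers 128 bytes.
    row_base = r["addr"] & ~0x7f
    shadow = r["shadow"][row_base][(r["addr"] - row_base) >> 3]
    state = SHADOW_STATES.get(shadow, "addressable" if shadow <= 7 else "unknown")
    return {"offset": off, "inside_object": 0 <= off < r["obj_size"], "shadow": shadow,
            "state": state, "alloc_free_same_pid": r.get("allocated_pid") == r.get("freed_pid")}
```

For this report the write lands 816 bytes into the 1024-byte kmalloc-1024 object and the shadow byte there is 0xfb, i.e. the object was already freed (by the same PID that allocated it) when rb_erase touched it.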