Date: Fri, 18 May 2018 05:06:36 -0400
From: Kent Overstreet
To: Bart Van Assche
Cc: "mingo@kernel.org", "linux-kernel@vger.kernel.org", "linux-mm@kvack.org", "linux-block@vger.kernel.org", "axboe@kernel.dk"
Subject: Re: [PATCH 00/10] Misc block layer patches for bcachefs
Message-ID: <20180518090636.GA14738@kmo-pixel>
References: <20180509013358.16399-1-kent.overstreet@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, May 17, 2018 at 08:54:57PM +0000, Bart Van Assche wrote:
> On Tue, 2018-05-08 at 21:33 -0400, Kent Overstreet wrote:
> > [ ... ]
>
> Hello Kent,
>
> With Jens' latest for-next branch I hit the kernel warning shown below. Can
> you have a look?

Any hints on how to reproduce it?

> Thanks,
>
> Bart.
>
>
> ==================================================================
> BUG: KASAN: use-after-free in bio_advance+0x110/0x1b0
> Read of size 4 at addr ffff880156c5e6d0 by task ksoftirqd/10/72
>
> CPU: 10 PID: 72 Comm: ksoftirqd/10 Tainted: G W 4.17.0-rc4-dbg+ #5
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
> Call Trace:
>  dump_stack+0x9a/0xeb
>  print_address_description+0x65/0x270
>  kasan_report+0x232/0x350
>  bio_advance+0x110/0x1b0
>  blk_update_request+0x9d/0x5a0
>  scsi_end_request+0x4c/0x300 [scsi_mod]
>  scsi_io_completion+0x71e/0xa40 [scsi_mod]
>  __blk_mq_complete_request+0x143/0x220
>  srp_recv_done+0x454/0x1100 [ib_srp]
>  __ib_process_cq+0x9a/0xf0 [ib_core]
>  ib_poll_handler+0x2d/0x90 [ib_core]
>  irq_poll_softirq+0xe5/0x1e0
>  __do_softirq+0x112/0x5f0
>  run_ksoftirqd+0x29/0x50
>  smpboot_thread_fn+0x30f/0x410
>  kthread+0x1b2/0x1d0
>  ret_from_fork+0x24/0x30
>
> Allocated by task 1356:
>  kasan_kmalloc+0xa0/0xd0
>  kmem_cache_alloc+0xed/0x320
>  mempool_alloc+0xc6/0x210
>  bio_alloc_bioset+0x128/0x2d0
>  submit_bh_wbc+0x95/0x2d0
>  __block_write_full_page+0x2a6/0x5c0
>  __writepage+0x37/0x80
>  write_cache_pages+0x305/0x7c0
>  generic_writepages+0xb9/0x110
>  do_writepages+0x96/0x180
>  __filemap_fdatawrite_range+0x162/0x1b0
>  file_write_and_wait_range+0x4d/0xb0
>  blkdev_fsync+0x3c/0x70
>  do_fsync+0x33/0x60
>  __x64_sys_fsync+0x18/0x20
>  do_syscall_64+0x6d/0x220
>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> Freed by task 72:
>  __kasan_slab_free+0x130/0x180
>  kmem_cache_free+0xcd/0x380
>  blk_update_request+0xc4/0x5a0
>  blk_update_request+0xc4/0x5a0
>  scsi_end_request+0x4c/0x300 [scsi_mod]
>  scsi_io_completion+0x71e/0xa40 [scsi_mod]
>  __blk_mq_complete_request+0x143/0x220
>  srp_recv_done+0x454/0x1100 [ib_srp]
>  __ib_process_cq+0x9a/0xf0 [ib_core]
>  ib_poll_handler+0x2d/0x90 [ib_core]
>  irq_poll_softirq+0xe5/0x1e0
>  __do_softirq+0x112/0x5f0
>
> The buggy address belongs to the object at ffff880156c5e640
>  which belongs to the cache bio-0 of size 200
> The buggy address is located 144 bytes inside of
>  200-byte region [ffff880156c5e640, ffff880156c5e708)
> The buggy address belongs to the page:
> page:ffffea00055b1780 count:1 mapcount:0 mapping:0000000000000000 index:0x0 compound_mapcount: 0
> ib_srpt:srpt_zerolength_write: ib_srpt 10.196.159.179-24: queued zerolength write
> flags: 0x8000000000008100(slab|head)
> raw: 8000000000008100 0000000000000000 0000000000000000 0000000100190019
> raw: ffffea000543a800 0000000200000002 ffff88015a8f3a00 0000000000000000
> ib_srpt:srpt_zerolength_write: ib_srpt 10.196.159.179-22: queued zerolength write
> page dumped because: kasan: bad access detected
> ib_srpt:srpt_zerolength_write: ib_srpt 10.196.159.179-20: queued zerolength write
>
> Memory state around the buggy address:
> ib_srpt:srpt_zerolength_write: ib_srpt 10.196.159.179-18: queued zerolength write
>  ffff880156c5e580: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
> ib_srpt:srpt_zerolength_write_done: ib_srpt 10.196.159.179-24 wc->status 5
>  ffff880156c5e600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
> ib_srpt:srpt_zerolength_write_done: ib_srpt 10.196.159.179-22 wc->status 5
> >ffff880156c5e680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ib_srpt:srpt_zerolength_write_done: ib_srpt 10.196.159.179-20 wc->status 5
>                                                  ^
>  ffff880156c5e700: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ib_srpt:srpt_zerolength_write_done: ib_srpt 10.196.159.179-18 wc->status 5
>  ffff880156c5e780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ib_srpt:srpt_release_channel_work: ib_srpt 10.196.159.179-24
> ==================================================================
>
> (gdb) list *(bio_advance+0x110)
> 0xffffffff81450090 is in bio_advance (./include/linux/bvec.h:82).
> 77			iter->bi_size = 0;
> 78			return false;
> 79		}
> 80
> 81		while (bytes) {
> 82			unsigned iter_len = bvec_iter_len(bv, *iter);
> 83			unsigned len = min(bytes, iter_len);
> 84
> 85			bytes -= len;
> 86			iter->bi_size -= len;