Message-ID: <aYrewLd7QNiPUJT1@shinmob>
Date: Tue, 10 Feb 2026 07:33:33 +0000
From: Shinichiro Kawasaki <shinichiro.kawasaki@....com>
To: Thomas Gleixner <tglx@...nel.org>
CC: LKML <linux-kernel@...r.kernel.org>, Ihor Solodrai
<ihor.solodrai@...ux.dev>, Shrikanth Hegde <sshegde@...ux.ibm.com>, Peter
Zijlstra <peterz@...radead.org>, Mathieu Desnoyers
<mathieu.desnoyers@...icios.com>, Michael Jeanson <mjeanson@...icios.com>
Subject: Re: [patch V2 3/4] sched/mmcid: Drop per CPU CID immediately when
switching to per task mode
On Feb 02, 2026 / 10:39, Thomas Gleixner wrote:
> When an exiting task initiates the switch from per CPU back to per task
> mode, it has already dropped its CID and marked itself inactive. But a
> leftover from an earlier iteration of the rework then reassigns the per
> CPU CID to the exiting task with the transition bit set.
>
> That's wrong as the task is already marked CID inactive, which means it is in an
> inconsistent state. It's harmless because the CID is marked in transit and
> therefore dropped back into the pool when the exiting task schedules out
> either through preemption or the final schedule().
>
> Simply drop the per CPU CID when the exiting task triggered the transition.
>
> Fixes: fbd0e71dc370 ("sched/mmcid: Provide CID ownership mode fixup functions")
> Signed-off-by: Thomas Gleixner <tglx@...nel.org>
> Reviewed-by: Mathieu Desnoyers <mathieu.desnoyers@...icios.com>
Hello all,
While I evaluated the v6.19 kernel, I observed a KASAN BUG. The KASAN is recreated
in a stable manner by running the test case zbd/013 of blktests [1] on some of my
test systems. I bisected and found that this patch, as the commit 007d84287c74,
triggered the KASAN. When I reverted this patch from the v6.19 kernel, the KASAN
disappeared. Of note is that the KASAN symptom slightly varies for each run. I
observed KASAN slab-use-after-free [2], use-after-free [3] and slab-out-of-bounds [4].
All those KASANs happened "in sched_mm_cid_exit".
Actions for a fix will be appreciated. If I can help by trying some trial patches
on my test systems, please let me know.
[1] https://github.com/linux-blktests/blktests
[2] KASAN slab-use-after-free
[ 64.540760] [ T1234] run blktests zbd/013 at 2026-02-10 11:06:48
[ 64.638773] [ T1252] null_blk: disk nullb1 created
[ 64.749061] [ T1252] null_blk: nullb2: using native zone append
[ 64.764569] [ T1252] null_blk: disk nullb2 created
[ 65.767294] [ T1296] ==================================================================
[ 65.768341] [ T1296] BUG: KASAN: slab-use-after-free in sched_mm_cid_exit+0x298/0x500
[ 65.769378] [ T1296] Write of size 8 at addr ffff888149792410 by task cryptsetup/1296
[ 65.770700] [ T1296] CPU: 1 UID: 0 PID: 1296 Comm: cryptsetup Not tainted 6.19.0 #571 PREEMPT(voluntary)
[ 65.770705] [ T1296] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-4.fc42 04/01/2014
[ 65.770709] [ T1296] Call Trace:
[ 65.770711] [ T1296] <TASK>
[ 65.770713] [ T1296] dump_stack_lvl+0x6a/0x90
[ 65.770718] [ T1296] ? sched_mm_cid_exit+0x298/0x500
[ 65.770721] [ T1296] print_report+0x170/0x4f3
[ 65.770725] [ T1296] ? __virt_addr_valid+0x22e/0x4e0
[ 65.770729] [ T1296] ? sched_mm_cid_exit+0x298/0x500
[ 65.770732] [ T1296] kasan_report+0xad/0x150
[ 65.770737] [ T1296] ? sched_mm_cid_exit+0x298/0x500
[ 65.770742] [ T1296] kasan_check_range+0x115/0x1f0
[ 65.770745] [ T1296] sched_mm_cid_exit+0x298/0x500
[ 65.770750] [ T1296] do_exit+0x25e/0x24c0
[ 65.770755] [ T1296] ? __pfx_do_exit+0x10/0x10
[ 65.770758] [ T1296] ? lockdep_hardirqs_on+0x88/0x130
[ 65.770761] [ T1296] ? entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 65.770764] [ T1296] ? do_syscall_64+0x1d7/0x540
[ 65.770766] [ T1296] ? do_raw_spin_lock+0x124/0x260
[ 65.770769] [ T1296] ? lock_acquire+0x180/0x300
[ 65.770771] [ T1296] ? find_held_lock+0x2b/0x80
[ 65.770775] [ T1296] __x64_sys_exit+0x3e/0x50
[ 65.770780] [ T1296] x64_sys_call+0x14fe/0x1500
[ 65.770784] [ T1296] do_syscall_64+0x95/0x540
[ 65.770787] [ T1296] ? lockdep_hardirqs_on+0x88/0x130
[ 65.770790] [ T1296] ? _raw_spin_unlock_irq+0x24/0x50
[ 65.770792] [ T1296] ? _raw_spin_unlock_irq+0x34/0x50
[ 65.770795] [ T1296] ? __x64_sys_rt_sigprocmask+0x23d/0x400
[ 65.770798] [ T1296] ? __pfx___x64_sys_rt_sigprocmask+0x10/0x10
[ 65.770800] [ T1296] ? rcu_nocb_unlock_irqrestore+0x87/0xb0
[ 65.770804] [ T1296] ? rcu_do_batch+0x867/0xd90
[ 65.770809] [ T1296] ? lockdep_hardirqs_on+0x88/0x130
[ 65.770811] [ T1296] ? entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 65.770813] [ T1296] ? do_syscall_64+0x1d7/0x540
[ 65.770816] [ T1296] ? __pfx_sched_clock_cpu+0x10/0x10
[ 65.770819] [ T1296] ? lock_is_held_type+0xd5/0x140
[ 65.770824] [ T1296] ? irqtime_account_irq+0xe4/0x330
[ 65.770827] [ T1296] ? lockdep_softirqs_on+0xc3/0x140
[ 65.770829] [ T1296] ? __irq_exit_rcu+0x126/0x240
[ 65.770832] [ T1296] ? handle_softirqs+0x6c5/0x790
[ 65.770836] [ T1296] ? __pfx_handle_softirqs+0x10/0x10
[ 65.770839] [ T1296] ? irqtime_account_irq+0x1a2/0x330
[ 65.770842] [ T1296] ? lockdep_hardirqs_on_prepare+0xce/0x1b0
[ 65.770844] [ T1296] ? irqentry_exit+0xe2/0x6a0
[ 65.770848] [ T1296] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 65.770850] [ T1296] RIP: 0033:0x7f96978fef89
[ 65.770854] [ T1296] Code: ff 31 c9 48 89 88 20 06 00 00 31 c0 87 07 83 e8 01 7f 19 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 31 ff b8 3c 00 00 00 0f 05 <eb> f5 89 95 74 ff ff ff e8 9a d0 ff ff 83 bd 74 ff ff ff 01 0f 85
[ 65.770856] [ T1296] RSP: 002b:00007f9691de0d30 EFLAGS: 00000246 ORIG_RAX: 000000000000003c
[ 65.770861] [ T1296] RAX: ffffffffffffffda RBX: 00007f9691de16c0 RCX: 00007f96978fef89
[ 65.770863] [ T1296] RDX: 0000000000000000 RSI: 0000000000800000 RDI: 0000000000000000
[ 65.770865] [ T1296] RBP: 00007f9691de0df0 R08: 0000000015fc5864 R09: 0000000000000000
[ 65.770866] [ T1296] R10: 0000000000000008 R11: 0000000000000246 R12: 00007f9691de16c0
[ 65.770867] [ T1296] R13: 00007fff8d18af10 R14: 00007f9691de1cdc R15: 00007fff8d18b017
[ 65.770875] [ T1296] </TASK>
[ 65.805902] [ T1296] Allocated by task 668:
[ 65.806662] [ T1296] kasan_save_stack+0x2c/0x50
[ 65.807400] [ T1296] kasan_save_track+0x10/0x30
[ 65.808130] [ T1296] __kasan_slab_alloc+0x7a/0x90
[ 65.808842] [ T1296] kmem_cache_alloc_noprof+0x238/0x7a0
[ 65.809569] [ T1296] getname_flags.part.0+0x48/0x4d0
[ 65.810280] [ T1296] do_sys_openat2+0xa8/0x180
[ 65.810972] [ T1296] __x64_sys_openat+0x10a/0x200
[ 65.811637] [ T1296] do_syscall_64+0x95/0x540
[ 65.812267] [ T1296] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 65.813538] [ T1296] Freed by task 668:
[ 65.814189] [ T1296] kasan_save_stack+0x2c/0x50
[ 65.814884] [ T1296] kasan_save_track+0x10/0x30
[ 65.815545] [ T1296] kasan_save_free_info+0x37/0x70
[ 65.816318] [ T1296] __kasan_slab_free+0x67/0x80
[ 65.817002] [ T1296] kmem_cache_free+0x1ae/0x6d0
[ 65.817700] [ T1296] audit_reset_context+0x3c7/0xeb0
[ 65.818401] [ T1296] syscall_exit_work+0x17f/0x1b0
[ 65.819124] [ T1296] do_syscall_64+0x2fe/0x540
[ 65.819812] [ T1296] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 65.821100] [ T1296] The buggy address belongs to the object at ffff888149792200
which belongs to the cache names_cache of size 4096
[ 65.822824] [ T1296] The buggy address is located 528 bytes inside of
freed 4096-byte region [ffff888149792200, ffff888149793200)
[ 65.825027] [ T1296] The buggy address belongs to the physical page:
[ 65.825856] [ T1296] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x149790
[ 65.826846] [ T1296] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 65.827840] [ T1296] flags: 0x17ffffc0000040(head|node=0|zone=2|lastcpupid=0x1fffff)
[ 65.828768] [ T1296] page_type: f5(slab)
[ 65.829405] [ T1296] raw: 0017ffffc0000040 ffff888100902b40 ffffea0005314600 dead000000000002
[ 65.830402] [ T1296] raw: 0000000000000000 0000000000070007 00000000f5000000 0000000000000000
[ 65.831493] [ T1296] head: 0017ffffc0000040 ffff888100902b40 ffffea0005314600 dead000000000002
[ 65.832644] [ T1296] head: 0000000000000000 0000000000070007 00000000f5000000 0000000000000000
[ 65.833723] [ T1296] head: 0017ffffc0000003 ffffea000525e401 00000000ffffffff 00000000ffffffff
[ 65.834798] [ T1296] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[ 65.835827] [ T1296] page dumped because: kasan: bad access detected
[ 65.837253] [ T1296] Memory state around the buggy address:
[ 65.838039] [ T1296] ffff888149792300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.838991] [ T1296] ffff888149792380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.839939] [ T1296] >ffff888149792400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.840894] [ T1296] ^
[ 65.841569] [ T1296] ffff888149792480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.842554] [ T1296] ffff888149792500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.843504] [ T1296] ==================================================================
[ 65.844500] [ T1296] Disabling lock debugging due to kernel taint
[ 71.925834] [ T1650] device-mapper: zone: dm-0 using emulated zone append
[ 72.474170] [ C1] hrtimer: interrupt took 1119829 ns
[3] KASAN use-after-free
[ 145.885127] [ T1246] run blktests zbd/013 at 2026-02-10 10:57:04
[ 145.985394] [ T1264] null_blk: disk nullb1 created
[ 146.091908] [ T1264] null_blk: nullb2: using native zone append
[ 146.106425] [ T1264] null_blk: disk nullb2 created
[ 147.822863] [ T1479] ==================================================================
[ 147.823592] [ T1479] BUG: KASAN: use-after-free in sched_mm_cid_exit+0x298/0x500
[ 147.824479] [ T1479] Write of size 8 at addr ffff8881185cb050 by task cryptsetup/1479
[ 147.825468] [ T1479] CPU: 2 UID: 0 PID: 1479 Comm: cryptsetup Not tainted 6.19.0 #571 PREEMPT(voluntary)
[ 147.825472] [ T1479] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-4.fc42 04/01/2014
[ 147.825476] [ T1479] Call Trace:
[ 147.825478] [ T1479] <TASK>
[ 147.825480] [ T1479] dump_stack_lvl+0x6a/0x90
[ 147.825484] [ T1479] ? sched_mm_cid_exit+0x298/0x500
[ 147.825487] [ T1479] print_report+0x170/0x4f3
[ 147.825490] [ T1479] ? __virt_addr_valid+0x22e/0x4e0
[ 147.825494] [ T1479] ? sched_mm_cid_exit+0x298/0x500
[ 147.825496] [ T1479] kasan_report+0xad/0x150
[ 147.825500] [ T1479] ? sched_mm_cid_exit+0x298/0x500
[ 147.825504] [ T1479] kasan_check_range+0x115/0x1f0
[ 147.825507] [ T1479] sched_mm_cid_exit+0x298/0x500
[ 147.825510] [ T1479] do_exit+0x25e/0x24c0
[ 147.825514] [ T1479] ? lockdep_hardirqs_on+0x88/0x130
[ 147.825517] [ T1479] ? __pfx_do_exit+0x10/0x10
[ 147.825520] [ T1479] ? irqtime_account_irq+0xe4/0x330
[ 147.825524] [ T1479] __x64_sys_exit+0x3e/0x50
[ 147.825526] [ T1479] x64_sys_call+0x14fe/0x1500
[ 147.825529] [ T1479] do_syscall_64+0x95/0x540
[ 147.825531] [ T1479] ? __pfx_handle_softirqs+0x10/0x10
[ 147.825534] [ T1479] ? irqtime_account_irq+0x1a2/0x330
[ 147.825536] [ T1479] ? lockdep_hardirqs_on_prepare+0xce/0x1b0
[ 147.825539] [ T1479] ? irqentry_exit+0xe2/0x6a0
[ 147.825542] [ T1479] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 147.825544] [ T1479] RIP: 0033:0x7f505e211f89
[ 147.825547] [ T1479] Code: ff 31 c9 48 89 88 20 06 00 00 31 c0 87 07 83 e8 01 7f 19 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 31 ff b8 3c 00 00 00 0f 05 <eb> f5 89 95 74 ff ff ff e8 9a d0 ff ff 83 bd 74 ff ff ff 01 0f 85
[ 147.825549] [ T1479] RSP: 002b:00007f50585fbd30 EFLAGS: 00000246 ORIG_RAX: 000000000000003c
[ 147.825553] [ T1479] RAX: ffffffffffffffda RBX: 00007f50585fc6c0 RCX: 00007f505e211f89
[ 147.825555] [ T1479] RDX: 0000000000000000 RSI: 0000000000800000 RDI: 0000000000000000
[ 147.825556] [ T1479] RBP: 00007f50585fbdf0 R08: 00005566eb14ea20 R09: 00005566eb14ea38
[ 147.825558] [ T1479] R10: 0000000000000008 R11: 0000000000000246 R12: 00007f50585fc6c0
[ 147.825559] [ T1479] R13: 00007fff4289e220 R14: 00007f50585fccdc R15: 00007fff4289e327
[ 147.825564] [ T1479] </TASK>
[ 147.844213] [ T1479] The buggy address belongs to the physical page:
[ 147.845137] [ T1479] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x10 pfn:0x1185cb
[ 147.846323] [ T1479] flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff)
[ 147.847389] [ T1479] raw: 0017ffffc0000000 dead000000000100 dead000000000122 0000000000000000
[ 147.848662] [ T1479] raw: 0000000000000010 0000000000000000 00000000ffffffff 0000000000000000
[ 147.849887] [ T1479] page dumped because: kasan: bad access detected
[ 147.851495] [ T1479] Memory state around the buggy address:
[ 147.852479] [ T1479] ffff8881185caf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 147.853600] [ T1479] ffff8881185caf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 147.854690] [ T1479] >ffff8881185cb000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 147.855852] [ T1479] ^
[ 147.856798] [ T1479] ffff8881185cb080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 147.857855] [ T1479] ffff8881185cb100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 147.858857] [ T1479] ==================================================================
[ 147.859888] [ T1479] Disabling lock debugging due to kernel taint
[ 153.349607] [ T1982] device-mapper: zone: dm-0 using emulated zone append
[ 153.715923] [ C3] hrtimer: interrupt took 475570 ns
[ 282.408372] [ T3034] null_blk: disk nullb0 created
[ 282.409360] [ T3034] null_blk: module loaded
[4] KASAN slab-out-of-bounds
Feb 09 15:14:28 testnode2 unknown: run blktests zbd/013 at 2026-02-09 15:14:28
Feb 09 15:14:28 testnode2 kernel: null_blk: disk nullb1 created
Feb 09 15:14:28 testnode2 kernel: null_blk: nullb2: using native zone append
Feb 09 15:14:28 testnode2 kernel: null_blk: disk nullb2 created
Feb 09 15:14:29 testnode2 kernel: ==================================================================
Feb 09 15:14:29 testnode2 kernel: BUG: KASAN: slab-out-of-bounds in sched_mm_cid_exit+0x298/0x500
Feb 09 15:14:29 testnode2 kernel: Write of size 8 at addr ffff8881580db050 by task cryptsetup/136938
Feb 09 15:14:29 testnode2 kernel:
Feb 09 15:14:29 testnode2 kernel: CPU: 3 UID: 0 PID: 136938 Comm: cryptsetup Not tainted 6.19.0 #571 PREEMPT(voluntary)
Feb 09 15:14:29 testnode2 kernel: Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-4.fc42 04/01/2014
Feb 09 15:14:29 testnode2 kernel: Call Trace:
Feb 09 15:14:29 testnode2 kernel: <TASK>
Feb 09 15:14:29 testnode2 kernel: dump_stack_lvl+0x6a/0x90
Feb 09 15:14:29 testnode2 kernel: ? sched_mm_cid_exit+0x298/0x500
Feb 09 15:14:29 testnode2 kernel: print_report+0x170/0x4f3
Feb 09 15:14:29 testnode2 kernel: ? __virt_addr_valid+0x22e/0x4e0
Feb 09 15:14:29 testnode2 kernel: ? sched_mm_cid_exit+0x298/0x500
Feb 09 15:14:29 testnode2 kernel: kasan_report+0xad/0x150
Feb 09 15:14:29 testnode2 kernel: ? sched_mm_cid_exit+0x298/0x500
Feb 09 15:14:29 testnode2 kernel: kasan_check_range+0x115/0x1f0
Feb 09 15:14:29 testnode2 kernel: sched_mm_cid_exit+0x298/0x500
Feb 09 15:14:29 testnode2 kernel: do_exit+0x25e/0x24c0
Feb 09 15:14:29 testnode2 kernel: ? __pfx_do_exit+0x10/0x10
Feb 09 15:14:29 testnode2 kernel: ? rcu_is_watching+0x11/0xb0
Feb 09 15:14:29 testnode2 kernel: __x64_sys_exit+0x3e/0x50
Feb 09 15:14:29 testnode2 kernel: x64_sys_call+0x14fe/0x1500
Feb 09 15:14:29 testnode2 kernel: do_syscall_64+0x95/0x540
Feb 09 15:14:29 testnode2 kernel: ? sched_tick+0x330/0x960
Feb 09 15:14:29 testnode2 kernel: ? rcu_is_watching+0x11/0xb0
Feb 09 15:14:29 testnode2 kernel: ? trace_hardirqs_on_prepare+0xfd/0x130
Feb 09 15:14:29 testnode2 kernel: ? do_syscall_64+0x1d7/0x540
Feb 09 15:14:29 testnode2 kernel: ? do_futex+0x1bf/0x210
Feb 09 15:14:29 testnode2 kernel: ? __pfx_do_futex+0x10/0x10
Feb 09 15:14:29 testnode2 kernel: ? rcu_is_watching+0x11/0xb0
Feb 09 15:14:29 testnode2 kernel: ? profile_tick+0x18/0x90
Feb 09 15:14:29 testnode2 kernel: ? __x64_sys_futex+0x22f/0x4a0
Feb 09 15:14:29 testnode2 kernel: ? __pfx_do_raw_spin_lock+0x10/0x10
Feb 09 15:14:29 testnode2 kernel: ? lock_release+0x242/0x2f0
Feb 09 15:14:29 testnode2 kernel: ? __pfx___x64_sys_futex+0x10/0x10
Feb 09 15:14:29 testnode2 kernel: ? timerqueue_add+0x207/0x3c0
Feb 09 15:14:29 testnode2 kernel: ? enqueue_hrtimer+0x1f0/0x290
Feb 09 15:14:29 testnode2 kernel: ? sched_clock_cpu+0x65/0x5c0
Feb 09 15:14:29 testnode2 kernel: ? rcu_is_watching+0x11/0xb0
Feb 09 15:14:29 testnode2 kernel: ? trace_hardirqs_on_prepare+0xfd/0x130
Feb 09 15:14:29 testnode2 kernel: ? do_syscall_64+0x1d7/0x540
Feb 09 15:14:29 testnode2 kernel: ? lock_release+0x242/0x2f0
Feb 09 15:14:29 testnode2 kernel: ? rcu_is_watching+0x11/0xb0
Feb 09 15:14:29 testnode2 kernel: ? trace_hardirqs_on+0x14/0x140
Feb 09 15:14:29 testnode2 kernel: ? kvm_sched_clock_read+0xd/0x20
Feb 09 15:14:29 testnode2 kernel: ? sched_clock+0xc/0x30
Feb 09 15:14:29 testnode2 kernel: ? sched_clock_cpu+0x65/0x5c0
Feb 09 15:14:29 testnode2 kernel: ? irqtime_account_irq+0xe4/0x330
Feb 09 15:14:29 testnode2 kernel: ? kvm_sched_clock_read+0xd/0x20
Feb 09 15:14:29 testnode2 kernel: ? sched_clock+0xc/0x30
Feb 09 15:14:29 testnode2 kernel: ? sched_clock_cpu+0x65/0x5c0
Feb 09 15:14:29 testnode2 kernel: ? __pfx_sched_clock_cpu+0x10/0x10
Feb 09 15:14:29 testnode2 kernel: ? flush_tlb_func+0xb5/0x760
Feb 09 15:14:29 testnode2 kernel: ? irqtime_account_irq+0x1a2/0x330
Feb 09 15:14:29 testnode2 kernel: ? rcu_is_watching+0x11/0xb0
Feb 09 15:14:29 testnode2 kernel: ? trace_hardirqs_on_prepare+0xfd/0x130
Feb 09 15:14:29 testnode2 kernel: ? irqentry_exit+0xe2/0x6a0
Feb 09 15:14:29 testnode2 kernel: entry_SYSCALL_64_after_hwframe+0x76/0x7e
Feb 09 15:14:29 testnode2 kernel: RIP: 0033:0x7fca4fbf5f89
Feb 09 15:14:29 testnode2 kernel: Code: ff 31 c9 48 89 88 20 06 00 00 31 c0 87 07 83 e8 01 7f 19 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 31 ff b8 3c 00 00 00 0f 05 <eb> f5 89 95 74 ff ff ff e8 9a d0 ff ff 83 bd 74 ff ff ff 01 0f 85
Feb 09 15:14:29 testnode2 kernel: RSP: 002b:00007fca497fad30 EFLAGS: 00000246 ORIG_RAX: 000000000000003c
Feb 09 15:14:29 testnode2 kernel: RAX: ffffffffffffffda RBX: 00007fca497fb6c0 RCX: 00007fca4fbf5f89
Feb 09 15:14:29 testnode2 kernel: RDX: 0000000000000000 RSI: 0000000000800000 RDI: 0000000000000000
Feb 09 15:14:29 testnode2 kernel: RBP: 00007fca497fadf0 R08: 0000557abe711cb0 R09: 0000557abe711cc8
Feb 09 15:14:29 testnode2 kernel: R10: 0000000000000008 R11: 0000000000000246 R12: 00007fca497fb6c0
Feb 09 15:14:29 testnode2 kernel: R13: 00007ffc5119c9c0 R14: 00007fca497fbcdc R15: 00007ffc5119cac7
Feb 09 15:14:29 testnode2 kernel: </TASK>
Feb 09 15:14:29 testnode2 kernel:
Feb 09 15:14:29 testnode2 kernel: Allocated by task 136663:
Feb 09 15:14:29 testnode2 kernel: kasan_save_stack+0x2c/0x50
Feb 09 15:14:29 testnode2 kernel: kasan_save_track+0x10/0x30
Feb 09 15:14:29 testnode2 kernel: __kasan_slab_alloc+0x7a/0x90
Feb 09 15:14:29 testnode2 kernel: kmem_cache_alloc_noprof+0x238/0x7a0
Feb 09 15:14:29 testnode2 kernel: mempool_alloc_noprof+0x150/0x250
Feb 09 15:14:29 testnode2 kernel: bio_alloc_bioset+0x1d7/0x720
Feb 09 15:14:29 testnode2 kernel: blkdev_direct_IO+0x3a7/0x1f40
Feb 09 15:14:29 testnode2 kernel: blkdev_write_iter+0x52b/0xba0
Feb 09 15:14:29 testnode2 kernel: aio_write+0x33a/0x7c0
Feb 09 15:14:29 testnode2 kernel: io_submit_one+0xd97/0x1a00
Feb 09 15:14:29 testnode2 kernel: __x64_sys_io_submit+0x15d/0x2b0
Feb 09 15:14:29 testnode2 kernel: do_syscall_64+0x95/0x540
Feb 09 15:14:29 testnode2 kernel: entry_SYSCALL_64_after_hwframe+0x76/0x7e
Feb 09 15:14:29 testnode2 kernel:
Feb 09 15:14:29 testnode2 kernel: Freed by task 37:
Feb 09 15:14:29 testnode2 kernel: kasan_save_stack+0x2c/0x50
Feb 09 15:14:29 testnode2 kernel: kasan_save_track+0x10/0x30
Feb 09 15:14:29 testnode2 kernel: kasan_save_free_info+0x37/0x70
Feb 09 15:14:29 testnode2 kernel: __kasan_slab_free+0x67/0x80
Feb 09 15:14:29 testnode2 kernel: slab_free_after_rcu_debug+0xf5/0x200
Feb 09 15:14:29 testnode2 kernel: rcu_do_batch+0x37a/0xd90
Feb 09 15:14:29 testnode2 kernel: rcu_core+0x6f1/0xad0
Feb 09 15:14:29 testnode2 kernel: handle_softirqs+0x1ee/0x790
Feb 09 15:14:29 testnode2 kernel: run_ksoftirqd+0x3b/0x60
Feb 09 15:14:29 testnode2 kernel: smpboot_thread_fn+0x2fd/0x9a0
Feb 09 15:14:29 testnode2 kernel: kthread+0x3af/0x770
Feb 09 15:14:29 testnode2 kernel: ret_from_fork+0x55c/0x810
Feb 09 15:14:29 testnode2 kernel: ret_from_fork_asm+0x1a/0x30
Feb 09 15:14:29 testnode2 kernel:
Feb 09 15:14:29 testnode2 kernel: Last potentially related work creation:
Feb 09 15:14:29 testnode2 kernel: kasan_save_stack+0x2c/0x50
Feb 09 15:14:29 testnode2 kernel: kasan_record_aux_stack+0xac/0xc0
Feb 09 15:14:29 testnode2 kernel: kmem_cache_free+0x4af/0x6d0
Feb 09 15:14:29 testnode2 kernel: mempool_free+0xbe/0x110
Feb 09 15:14:29 testnode2 kernel: blk_update_request+0x443/0x1190
Feb 09 15:14:29 testnode2 kernel: scsi_end_request+0x70/0x7b0
Feb 09 15:14:29 testnode2 kernel: scsi_io_completion+0xea/0x1440
Feb 09 15:14:29 testnode2 kernel: blk_complete_reqs+0xa8/0x120
Feb 09 15:14:29 testnode2 kernel: handle_softirqs+0x1ee/0x790
Feb 09 15:14:29 testnode2 kernel: run_ksoftirqd+0x3b/0x60
Feb 09 15:14:29 testnode2 kernel: smpboot_thread_fn+0x2fd/0x9a0
Feb 09 15:14:29 testnode2 kernel: kthread+0x3af/0x770
Feb 09 15:14:29 testnode2 kernel: ret_from_fork+0x55c/0x810
Feb 09 15:14:29 testnode2 kernel: ret_from_fork_asm+0x1a/0x30
Feb 09 15:14:29 testnode2 kernel:
Feb 09 15:14:29 testnode2 kernel: The buggy address belongs to the object at ffff8881580daf00
which belongs to the cache bio-264 of size 264
Feb 09 15:14:29 testnode2 kernel: The buggy address is located 72 bytes to the right of
allocated 264-byte region [ffff8881580daf00, ffff8881580db008)
Feb 09 15:14:29 testnode2 kernel:
Feb 09 15:14:29 testnode2 kernel: The buggy address belongs to the physical page:
Feb 09 15:14:29 testnode2 kernel: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1580da
Feb 09 15:14:29 testnode2 kernel: head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
Feb 09 15:14:29 testnode2 kernel: flags: 0x17ffffc0000040(head|node=0|zone=2|lastcpupid=0x1fffff)
Feb 09 15:14:29 testnode2 kernel: page_type: f5(slab)
Feb 09 15:14:29 testnode2 kernel: raw: 0017ffffc0000040 ffff88810536c500 dead000000000122 0000000000000000
Feb 09 15:14:29 testnode2 kernel: raw: 0000000000000000 0000000000150015 00000000f5000000 0000000000000000
Feb 09 15:14:29 testnode2 kernel: head: 0017ffffc0000040 ffff88810536c500 dead000000000122 0000000000000000
Feb 09 15:14:29 testnode2 kernel: head: 0000000000000000 0000000000150015 00000000f5000000 0000000000000000
Feb 09 15:14:29 testnode2 kernel: head: 0017ffffc0000001 ffffea0005603681 00000000ffffffff 00000000ffffffff
Feb 09 15:14:29 testnode2 kernel: head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
Feb 09 15:14:29 testnode2 kernel: page dumped because: kasan: bad access detected
Feb 09 15:14:29 testnode2 kernel:
Feb 09 15:14:29 testnode2 kernel: Memory state around the buggy address:
Feb 09 15:14:29 testnode2 kernel: ffff8881580daf00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Feb 09 15:14:29 testnode2 kernel: ffff8881580daf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Feb 09 15:14:29 testnode2 kernel: >ffff8881580db000: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Feb 09 15:14:29 testnode2 kernel: ^
Feb 09 15:14:29 testnode2 kernel: ffff8881580db080: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Feb 09 15:14:29 testnode2 kernel: ffff8881580db100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Feb 09 15:14:29 testnode2 kernel: ==================================================================
Feb 09 15:14:34 testnode2 kernel: device-mapper: zone: dm-0 using emulated zone append
Feb 09 15:16:09 testnode2 kernel: null_blk: disk nullb0 created
Feb 09 15:16:09 testnode2 kernel: null_blk: module loaded
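Reports like [2], [3] and [4] above are easiest to compare once reduced to a few fields: the KASAN bug kind, the faulting function, the access, the allocating and freeing tasks, the slab cache of the touched object, and the shadow byte that covers the faulting address. The following is an added example, not code from this message or from the kernel tree: a small Python parser that strips both dmesg-style and journalctl-style line prefixes, extracts those fields from each report, recomputes the shadow byte from the fault address and the ">" row of the memory-state dump (rather than from the "^" caret, whose column is lost when logs are pasted or extracted), and groups reports by faulting function. The embedded sample log is constructed, condensed from the three reports above; the shadow-byte meanings follow the generic KASAN encoding in mm/kasan/kasan.h, which uses 8-byte granules.

```python
# Added example, not code from the message or the kernel tree: parse KASAN reports from dmesg/journalctl text.
import re
from dataclasses import dataclass
from typing import Optional

# Line prefixes: dmesg "[   65.76] [ T1296] " and journalctl "Feb 09 15:14:29 host kernel: " (or "unknown:").
_PREFIX = re.compile(r"^(?:\[\s*\d+\.\d+\]\s+\[\s*[TC]\d+\]\s*"
                     r"|\w{3} \d{2} \d{2}:\d{2}:\d{2} \S+ (?:kernel|unknown):\s*)")
_BUG = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
_ACCESS = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                     r" by task (?P<task>\S+)/(?P<pid>\d+)")
_OWNER = re.compile(r"(?P<what>Allocated|Freed) by task (?P<pid>\d+):")
_CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size \d+")
_SHADOW = re.compile(r"^>(?P<base>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})$")

# Generic KASAN shadow encoding (mm/kasan/kasan.h); one shadow byte covers an 8-byte granule.
GRANULE = 8
SHADOW_MEANING = {0x00: "addressable", 0xfa: "freed object (free meta)", 0xfb: "freed slab object",
                  0xfc: "slab redzone", 0xfe: "page redzone", 0xff: "freed page"}

@dataclass
class KasanReport:
    kind: str
    func: str
    rw: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    pid: int = 0
    cache: str = ""                       # slab cache of the touched object, if the report names one
    alloc_pid: Optional[int] = None
    free_pid: Optional[int] = None
    shadow_byte: Optional[int] = None     # shadow value covering the faulting address

def parse_kasan(text: str) -> list:
    reports, cur = [], None
    for raw in text.splitlines():
        line = _PREFIX.sub("", raw.rstrip())
        if (m := _BUG.search(line)):               # header opens a new report
            cur = KasanReport(kind=m["kind"], func=m["func"])
            reports.append(cur)
        elif cur is None:
            continue
        elif line.startswith("===="):              # closing rule ends the report
            cur = None
        elif (m := _ACCESS.search(line)):
            cur.rw, cur.size, cur.addr = m["rw"], int(m["size"]), int(m["addr"], 16)
            cur.task, cur.pid = m["task"], int(m["pid"])
        elif (m := _OWNER.search(line)):           # "Allocated by task N:" / "Freed by task N:"
            if m["what"] == "Allocated":
                cur.alloc_pid = int(m["pid"])
            else:
                cur.free_pid = int(m["pid"])
        elif (m := _CACHE.search(line)):
            cur.cache = m["cache"]
        elif (m := _SHADOW.match(line)):           # the ">" row under "Memory state around the buggy address"
            row = [int(b, 16) for b in m["bytes"].split()]
            idx = (cur.addr - int(m["base"], 16)) // GRANULE
            if 0 <= idx < len(row):                # indexed by address, not by the "^" caret column
                cur.shadow_byte = row[idx]
    return reports

def by_function(reports) -> dict:
    """Faulting function -> set of KASAN bug kinds reported there."""
    out = {}
    for r in reports:
        out.setdefault(r.func, set()).add(r.kind)
    return out

# Constructed sample: the three reports from the message above, condensed, in both prefix styles.
SAMPLE_LOG = """\
[   65.768341] [ T1296] BUG: KASAN: slab-use-after-free in sched_mm_cid_exit+0x298/0x500
[   65.769378] [ T1296] Write of size 8 at addr ffff888149792410 by task cryptsetup/1296
[   65.805902] [ T1296] Allocated by task 668:
[   65.813538] [ T1296] Freed by task 668:
[   65.821100] [ T1296] The buggy address belongs to the object at ffff888149792200
               which belongs to the cache names_cache of size 4096
[   65.839939] [ T1296] >ffff888149792400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   65.843504] [ T1296] ==================================================================
[  147.823592] [ T1479] BUG: KASAN: use-after-free in sched_mm_cid_exit+0x298/0x500
[  147.824479] [ T1479] Write of size 8 at addr ffff8881185cb050 by task cryptsetup/1479
[  147.854690] [ T1479] >ffff8881185cb000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[  147.858857] [ T1479] ==================================================================
Feb 09 15:14:29 testnode2 kernel: BUG: KASAN: slab-out-of-bounds in sched_mm_cid_exit+0x298/0x500
Feb 09 15:14:29 testnode2 kernel: Write of size 8 at addr ffff8881580db050 by task cryptsetup/136938
Feb 09 15:14:29 testnode2 kernel: Allocated by task 136663:
Feb 09 15:14:29 testnode2 kernel: Freed by task 37:
Feb 09 15:14:29 testnode2 kernel: The buggy address belongs to the object at ffff8881580daf00
                                   which belongs to the cache bio-264 of size 264
Feb 09 15:14:29 testnode2 kernel: >ffff8881580db000: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Feb 09 15:14:29 testnode2 kernel: ==================================================================
"""

if __name__ == "__main__":
    for r in parse_kasan(SAMPLE_LOG):
        shadow = "n/a" if r.shadow_byte is None else SHADOW_MEANING.get(r.shadow_byte, hex(r.shadow_byte))
        print(f"{r.kind} in {r.func}: {r.rw} of {r.size} at 0x{r.addr:x} by {r.task}/{r.pid}; "
              f"shadow={shadow}; cache={r.cache or 'n/a'}; alloc/free pid={r.alloc_pid}/{r.free_pid}")
    print(by_function(parse_kasan(SAMPLE_LOG)))
```

Run as a script it prints one summary line per report and the grouping. On the constructed sample all three reports land on sched_mm_cid_exit, the shadow byte under the fault address decodes to a freed slab object (fb), a freed page (ff) and a slab redzone (fc), and the two objects that are named come from caches unrelated to the scheduler (names_cache and bio-264). One writer hitting three differently-owned victims with three different KASAN labels suggests the faulting function is writing through a stale or wrong pointer rather than the victims' owners mismanaging their lifetimes, which is the kind of check worth making before starting a bisect.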