Subject: [axboe:for-7.0/block] [block] ee623c892a: BUG:KASAN:slab-use-after-free_in__blk_rq_map_sg
From: kernel test robot
Date: 2026-01-10 13:24 UTC
To: Ming Lei
Cc: oe-lkp, lkp, Jens Axboe, Nitesh Shetty, linux-block, oliver.sang
Hello,
kernel test robot noticed "BUG:KASAN:slab-use-after-free_in__blk_rq_map_sg" on:
commit: ee623c892aa59003fca173de0041abc2ccc2c72d ("block: use bvec iterator helper for bio_may_need_split()")
https://git.kernel.org/cgit/linux/kernel/git/axboe/linux.git for-7.0/block
in testcase: xfstests
version: xfstests-x86_64-df16c93a-1_20260105
with the following parameters:
disk: 4HDD
fs: xfs
test: generic-group-76
config: x86_64-rhel-9.4-func
compiler: gcc-14
test machine: 4 threads Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz (Skylake) with 32G memory
(please refer to attached dmesg/kmsg for entire log/backtrace)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags:
| Reported-by: kernel test robot <oliver.sang@intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202601102120.cf5782cf-lkp@intel.com
[ 94.845194][ T5251] BUG: KASAN: slab-use-after-free in __blk_rq_map_sg (include/linux/scatterlist.h:131 include/linux/scatterlist.h:162 block/blk-mq-dma.c:300)
[ 94.852772][ T5251] Read of size 8 at addr ffff88816bc71180 by task fsx/5251
[ 94.859809][ T5251]
[ 94.861988][ T5251] CPU: 3 UID: 0 PID: 5251 Comm: fsx Tainted: G S I 6.19.0-rc3-00010-gee623c892aa5 #1 PREEMPT(voluntary)
[ 94.861994][ T5251] Tainted: [S]=CPU_OUT_OF_SPEC, [I]=FIRMWARE_WORKAROUND
[ 94.861995][ T5251] Hardware name: Dell Inc. OptiPlex 7040/0Y7WYT, BIOS 1.1.1 10/07/2015
[ 94.861997][ T5251] Call Trace:
[ 94.861999][ T5251] <TASK>
[ 94.862000][ T5251] dump_stack_lvl (lib/dump_stack.c:122)
[ 94.862005][ T5251] print_address_description+0x88/0x320
[ 94.862009][ T5251] ? __blk_rq_map_sg (include/linux/scatterlist.h:131 include/linux/scatterlist.h:162 block/blk-mq-dma.c:300)
[ 94.862013][ T5251] print_report (mm/kasan/report.c:483)
[ 94.862016][ T5251] ? __virt_addr_valid (include/linux/mmzone.h:2100 (discriminator 1) include/linux/mmzone.h:2182 (discriminator 1) arch/x86/mm/physaddr.c:54 (discriminator 1))
[ 94.862019][ T5251] ? __blk_rq_map_sg (include/linux/scatterlist.h:131 include/linux/scatterlist.h:162 block/blk-mq-dma.c:300)
[ 94.862022][ T5251] kasan_report (mm/kasan/report.c:597)
[ 94.862025][ T5251] ? __blk_rq_map_sg (include/linux/scatterlist.h:131 include/linux/scatterlist.h:162 block/blk-mq-dma.c:300)
[ 94.862029][ T5251] __blk_rq_map_sg (include/linux/scatterlist.h:131 include/linux/scatterlist.h:162 block/blk-mq-dma.c:300)
[ 94.862032][ T5251] ? __pfx___blk_rq_map_sg (block/blk-mq-dma.c:292)
[ 94.862036][ T5251] ? __asan_memset (mm/kasan/shadow.c:84 (discriminator 2))
[ 94.862040][ T5251] scsi_alloc_sgtables (include/linux/blk-mq.h:1117 drivers/scsi/scsi_lib.c:1154)
[ 94.862043][ T5251] ? __pfx_scsi_alloc_sgtables (drivers/scsi/scsi_lib.c:1122)
[ 94.862046][ T5251] ? __pfx_stack_trace_consume_entry (kernel/stacktrace.c:83)
[ 94.862050][ T5251] ? __pfx_stack_trace_consume_entry (kernel/stacktrace.c:83)
[ 94.862054][ T5251] sd_setup_read_write_cmnd (drivers/scsi/sd.c:1366) sd_mod
[ 94.862062][ T5251] scsi_queue_rq (drivers/scsi/scsi_lib.c:1868)
[ 94.862065][ T5251] ? sbitmap_find_bit (arch/x86/include/asm/bitops.h:136 arch/x86/include/asm/bitops.h:142 include/asm-generic/bitops/instrumented-lock.h:58 lib/sbitmap.c:181 lib/sbitmap.c:200 lib/sbitmap.c:245)
[ 94.862069][ T5251] blk_mq_dispatch_rq_list (block/blk-mq.c:2139)
[ 94.862072][ T5251] ? __pfx_blk_mq_dispatch_rq_list (block/blk-mq.c:2108)
[ 94.862075][ T5251] ? __blk_mq_alloc_driver_tag (block/blk-mq.c:1874)
[ 94.862078][ T5251] __blk_mq_do_dispatch_sched (block/blk-mq-sched.c:168)
[ 94.862081][ T5251] ? __pfx___blk_mq_do_dispatch_sched (block/blk-mq-sched.c:86)
[ 94.862083][ T5251] ? elv_attempt_insert_merge (block/elevator.c:349 (discriminator 1))
[ 94.862088][ T5251] __blk_mq_sched_dispatch_requests (block/blk-mq-sched.c:183 block/blk-mq-sched.c:307)
[ 94.862090][ T5251] ? __pfx___blk_mq_sched_dispatch_requests (block/blk-mq-sched.c:269)
[ 94.862093][ T5251] blk_mq_sched_dispatch_requests (block/blk-mq-sched.c:329 (discriminator 1))
[ 94.862096][ T5251] blk_mq_run_hw_queue (block/blk-mq.c:2378)
[ 94.862100][ T5251] blk_mq_dispatch_list (block/blk-mq.c:2943)
[ 94.862103][ T5251] ? __pfx_blk_mq_dispatch_list (block/blk-mq.c:2902)
[ 94.862106][ T5251] blk_mq_flush_plug_list (include/linux/blk-mq.h:251 block/blk-mq.c:2988 block/blk-mq.c:2959)
[ 94.862109][ T5251] ? __pfx_submit_bio_noacct_nocheck (block/blk-core.c:731)
[ 94.862112][ T5251] ? __pfx_blk_mq_flush_plug_list (block/blk-mq.c:2960)
[ 94.862115][ T5251] __blk_flush_plug (include/linux/blk-mq.h:251 block/blk-core.c:1232)
[ 94.862118][ T5251] ? iomap_dio_bio_iter (fs/iomap/direct-io.c:516)
[ 94.862122][ T5251] ? __pfx___blk_flush_plug (block/blk-core.c:1222)
[ 94.862124][ T5251] ? __asan_memset (mm/kasan/shadow.c:84 (discriminator 2))
[ 94.862128][ T5251] ? iomap_iter (fs/iomap/iter.c:106)
[ 94.862131][ T5251] blk_finish_plug (block/blk-core.c:1253 (discriminator 1))
[ 94.862134][ T5251] __iomap_dio_rw (include/linux/uio.h:160 fs/iomap/direct-io.c:768)
[ 94.862137][ T5251] ? __pfx___xfs_trans_commit (fs/xfs/xfs_trans.c:826) xfs
[ 94.862542][ T5251] ? __pfx___iomap_dio_rw (fs/iomap/direct-io.c:627)
[ 94.862547][ T5251] ? xfs_vn_update_time (fs/xfs/xfs_iops.c:1226) xfs
[ 94.862926][ T5251] ? xfs_file_write_checks (fs/xfs/xfs_file.c:491) xfs
[ 94.863321][ T5251] iomap_dio_rw (fs/iomap/direct-io.c:847)
[ 94.863324][ T5251] xfs_file_dio_write_unaligned (fs/xfs/xfs_file.c:879) xfs
[ 94.863667][ T5251] ? __pfx_xfs_file_dio_write_unaligned (fs/xfs/xfs_file.c:823) xfs
[ 94.864153][ T5251] ? kasan_save_track (mm/kasan/common.c:69 (discriminator 1) mm/kasan/common.c:78 (discriminator 1))
[ 94.864169][ T5251] ? __kasan_kmalloc (mm/kasan/common.c:397 mm/kasan/common.c:414)
[ 94.864171][ T5251] xfs_file_write_iter (fs/xfs/xfs_file.c:905 fs/xfs/xfs_file.c:1122) xfs
[ 94.864565][ T5251] iter_file_splice_write (fs/splice.c:739)
[ 94.864570][ T5251] ? __pfx_iter_file_splice_write (fs/splice.c:665)
[ 94.864573][ T5251] ? copy_splice_read (fs/splice.c:322)
[ 94.864576][ T5251] ? __pfx_copy_splice_read (fs/splice.c:322)
[ 94.864579][ T5251] ? __kmalloc_noprof (include/linux/kasan.h:262 mm/slub.c:5657 mm/slub.c:5669)
[ 94.864583][ T5251] direct_splice_actor (fs/splice.c:1163)
[ 94.864587][ T5251] splice_direct_to_actor (fs/splice.c:1105 (discriminator 1))
[ 94.864589][ T5251] ? __pfx_direct_splice_actor (fs/splice.c:1156)
[ 94.864592][ T5251] ? up_write (include/linux/instrumented.h:96 include/linux/atomic/atomic-instrumented.h:3390 kernel/locking/rwsem.c:1385 kernel/locking/rwsem.c:1643)
[ 94.864596][ T5251] ? xfs_reflink_remap_prep (fs/xfs/xfs_reflink.c:1728) xfs
[ 94.864982][ T5251] ? __pfx_splice_direct_to_actor (fs/splice.c:1029)
[ 94.864985][ T5251] do_splice_direct (fs/splice.c:1205 fs/splice.c:1230)
[ 94.864988][ T5251] ? __pfx_do_splice_direct (fs/splice.c:1229)
[ 94.864991][ T5251] ? __pfx_direct_file_splice_eof (fs/splice.c:1175)
[ 94.864994][ T5251] ? rw_verify_area (fs/read_write.c:473)
[ 94.864998][ T5251] vfs_copy_file_range (fs/read_write.c:1632)
[ 94.865001][ T5251] ? vfs_write (fs/read_write.c:594 (discriminator 1) fs/read_write.c:686 (discriminator 1))
[ 94.865003][ T5251] ? __pfx_vfs_copy_file_range (fs/read_write.c:1555)
[ 94.865005][ T5251] ? __pfx___do_sys_newfstat (fs/stat.c:551)
[ 94.865008][ T5251] ? __pfx_vfs_write (fs/read_write.c:667)
[ 94.865011][ T5251] __do_sys_copy_file_range (fs/read_write.c:1681)
[ 94.865013][ T5251] ? __pfx___do_sys_copy_file_range (fs/read_write.c:1651)
[ 94.865016][ T5251] ? ksys_write (fs/read_write.c:738)
[ 94.865018][ T5251] ? __pfx_ksys_write (fs/read_write.c:728)
[ 94.865020][ T5251] ? __pfx_cp_new_stat (fs/stat.c:471)
[ 94.865023][ T5251] do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
[ 94.865026][ T5251] ? do_syscall_64 (arch/x86/include/asm/atomic64_64.h:15 include/linux/atomic/atomic-arch-fallback.h:2583 include/linux/atomic/atomic-long.h:38 include/linux/atomic/atomic-instrumented.h:3189 include/linux/unwind_deferred.h:37 include/linux/irq-entry-common.h:296 include/linux/entry-common.h:196 arch/x86/entry/syscall_64.c:100)
[ 94.865029][ T5251] ? vfs_getattr_nosec (fs/stat.c:215)
[ 94.865032][ T5251] ? __do_sys_newfstat (fs/stat.c:551)
[ 94.865034][ T5251] ? __pfx___do_sys_newfstat (fs/stat.c:551)
[ 94.865038][ T5251] ? xfs_file_llseek (arch/x86/include/asm/bitops.h:202 (discriminator 1) arch/x86/include/asm/bitops.h:232 (discriminator 1) include/asm-generic/bitops/instrumented-non-atomic.h:142 (discriminator 1) fs/xfs/xfs_mount.h:597 (discriminator 1) fs/xfs/xfs_file.c:1756 (discriminator 1)) xfs
[ 94.865369][ T5251] ? __x64_sys_lseek (fs/read_write.c:389 fs/read_write.c:402 fs/read_write.c:412 fs/read_write.c:410 fs/read_write.c:410)
[ 94.865372][ T5251] ? do_syscall_64 (arch/x86/include/asm/atomic64_64.h:15 include/linux/atomic/atomic-arch-fallback.h:2583 include/linux/atomic/atomic-long.h:38 include/linux/atomic/atomic-instrumented.h:3189 include/linux/unwind_deferred.h:37 include/linux/irq-entry-common.h:296 include/linux/entry-common.h:196 arch/x86/entry/syscall_64.c:100)
[ 94.865375][ T5251] ? do_syscall_64 (arch/x86/include/asm/atomic64_64.h:15 include/linux/atomic/atomic-arch-fallback.h:2583 include/linux/atomic/atomic-long.h:38 include/linux/atomic/atomic-instrumented.h:3189 include/linux/unwind_deferred.h:37 include/linux/irq-entry-common.h:296 include/linux/entry-common.h:196 arch/x86/entry/syscall_64.c:100)
[ 94.865377][ T5251] ? do_syscall_64 (arch/x86/include/asm/atomic64_64.h:15 include/linux/atomic/atomic-arch-fallback.h:2583 include/linux/atomic/atomic-long.h:38 include/linux/atomic/atomic-instrumented.h:3189 include/linux/unwind_deferred.h:37 include/linux/irq-entry-common.h:296 include/linux/entry-common.h:196 arch/x86/entry/syscall_64.c:100)
[ 94.865380][ T5251] ? irqentry_exit (arch/x86/include/asm/atomic64_64.h:15 include/linux/atomic/atomic-arch-fallback.h:2583 include/linux/atomic/atomic-long.h:38 include/linux/atomic/atomic-instrumented.h:3189 include/linux/unwind_deferred.h:37 include/linux/irq-entry-common.h:296 include/linux/irq-entry-common.h:341 kernel/entry/common.c:196)
[ 94.865383][ T5251] ? __irq_exit_rcu (kernel/softirq.c:688 (discriminator 1) kernel/softirq.c:729 (discriminator 1))
[ 94.865386][ T5251] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131)
[ 94.865389][ T5251] RIP: 0033:0x7ffb11506779
[ 94.865392][ T5251] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 4f 86 0d 00 f7 d8 64 89 01 48
All code
========
   0:   ff c3                   inc    %ebx
   2:   66 2e 0f 1f 84 00 00    cs nopw 0x0(%rax,%rax,1)
   9:   00 00 00
   c:   0f 1f 44 00 00          nopl   0x0(%rax,%rax,1)
  11:   48 89 f8                mov    %rdi,%rax
  14:   48 89 f7                mov    %rsi,%rdi
  17:   48 89 d6                mov    %rdx,%rsi
  1a:   48 89 ca                mov    %rcx,%rdx
  1d:   4d 89 c2                mov    %r8,%r10
  20:   4d 89 c8                mov    %r9,%r8
  23:   4c 8b 4c 24 08          mov    0x8(%rsp),%r9
  28:   0f 05                   syscall
  2a:*  48 3d 01 f0 ff ff       cmp    $0xfffffffffffff001,%rax    <-- trapping instruction
  30:   73 01                   jae    0x33
  32:   c3                      ret
  33:   48 8b 0d 4f 86 0d 00    mov    0xd864f(%rip),%rcx        # 0xd8689
  3a:   f7 d8                   neg    %eax
  3c:   64 89 01                mov    %eax,%fs:(%rcx)
  3f:   48                      rex.W

Code starting with the faulting instruction
===========================================
   0:   48 3d 01 f0 ff ff       cmp    $0xfffffffffffff001,%rax
   6:   73 01                   jae    0x9
   8:   c3                      ret
   9:   48 8b 0d 4f 86 0d 00    mov    0xd864f(%rip),%rcx        # 0xd865f
  10:   f7 d8                   neg    %eax
  12:   64 89 01                mov    %eax,%fs:(%rcx)
  15:   48                      rex.W
The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20260110/202601102120.cf5782cf-lkp@intel.com
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki