* Use-after-free in ata_qc_issue
@ 2013-09-18 18:45 Dmitry Vyukov
2013-09-22 16:39 ` Tejun Heo
0 siblings, 1 reply; 7+ messages in thread
From: Dmitry Vyukov @ 2013-09-18 18:45 UTC (permalink / raw)
To: tj, linux-ide, Andrey Konovalov, Kostya Serebryany, marc.ceeeee,
aaron.lu
[-- Attachment #1: Type: text/plain, Size: 6902 bytes --]
Hi!
I am working on AddressSanitizer -- a tool that detects use-after-free
and out-of-bounds bugs
(https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel).
Below is one of the bug reports that I got while running trinity
syscall fuzzer. Kernel is built on revision
d8efd82eece89f8a5790b0febf17522affe9e1f1.
The report was followed by a bunch of similar use-after-free reports,
and later the kernel crashed somewhere in ata subsystem. I've attached
the full log.
ERROR: AddressSanitizer: heap-use-after-free on address ffff880034fce000
ffff880034fce000 is located 0 bytes inside of 256-byte region
[ffff880034fce000, ffff880034fce100)
READ of size 8 at ffff880034fce000 by thread T3645:
#0 inlined (asan_report_error+0x3e7/0x500)
asan_describe_heap_address ./arch/x86/mm/asan/report.c:191
#0 ffffffff810d9af7 (asan_report_error+0x3e7/0x500)
./arch/x86/mm/asan/report.c:309
#1 ffffffff810d8c12 (asan_check_region.part.1+0x1b2/0x230)
./arch/x86/mm/asan/asan.c:263
#2 inlined (__tsan_read8+0x28/0x30) asan_check_region
./arch/x86/mm/asan/asan.c:276
#2 ffffffff810d8d48 (__tsan_read8+0x28/0x30) ./arch/x86/mm/asan/asan.c:276
#3 ffffffff814cc0ef (sg_next+0xf/0x40) ??:0
#4 inlined (ata_qc_issue+0x2b4/0x740) dma_map_sg_attrs
./include/asm-generic/dma-mapping-common.h:50
#4 inlined (ata_qc_issue+0x2b4/0x740) ata_sg_setup
./drivers/ata/libata-core.c:4707
#4 ffffffff816574b4 (ata_qc_issue+0x2b4/0x740)
./drivers/ata/libata-core.c:5082
#5 inlined (ata_scsi_queuecmd+0x249/0x620)
ata_scsi_translate ./drivers/ata/libata-scsi.c:1838
#5 inlined (ata_scsi_queuecmd+0x249/0x620)
__ata_scsi_queuecmd ./drivers/ata/libata-scsi.c:3426
#5 ffffffff816663b9 (ata_scsi_queuecmd+0x249/0x620)
./drivers/ata/libata-scsi.c:3475
#6 ffffffff815f03d7 (scsi_dispatch_cmd+0x1d7/0x4d0) ./drivers/scsi/scsi.c:752
#7 ffffffff815fc2e0 (scsi_request_fn+0x690/0xa20)
./drivers/scsi/scsi_lib.c:1638
#8 ffffffff8148737e (__blk_run_queue+0x7e/0xb0) ./block/blk-core.c:312
#9 inlined (cfq_insert_request+0x60c/0xb60) cfq_rq_enqueued
./block/cfq-iosched.c:3908
#9 ffffffff814af94c (cfq_insert_request+0x60c/0xb60)
./block/cfq-iosched.c:3925
#10 ffffffff814805d5 (__elv_add_request+0x275/0x480) ./block/elevator.c:653
#11 ffffffff8148b65f (blk_queue_bio+0x3ef/0x520) ./block/blk-core.c:1215
#12 ffffffff81487087 (generic_make_request+0x187/0x210)
./block/blk-core.c:1831
#13 ffffffff814871b2 (submit_bio+0xa2/0x1f0) ./block/blk-core.c:1883
#14 ffffffff812e9619 (mpage_readpage+0xa9/0xc0) ??:0
#15 ffffffff8138f0fb (ext4_readpage+0x4b/0xd0) ./fs/ext4/inode.c:2938
#16 inlined (generic_file_aio_read+0x546/0xa70)
do_generic_file_read ./mm/filemap.c:1248
#16 ffffffff81208076 (generic_file_aio_read+0x546/0xa70) ./mm/filemap.c:1482
#17 ffffffff8128bea9 (do_sync_read+0xd9/0x120) ??:0
#18 ffffffff8128c7ea (vfs_read+0xfa/0x240) ??:0
#19 ffffffff8128da62 (SyS_read+0x72/0xd0) ??:0
#20 ffffffff818ecc75 (sysenter_dispatch+0x7/0x1a)
./arch/x86/ia32/ia32entry.S:163
freed by thread T1095 here:
#0 inlined (kmem_cache_free+0x55/0x2e0) __cache_free ./mm/slab.c:3590
#0 ffffffff812706b5 (kmem_cache_free+0x55/0x2e0) ./mm/slab.c:3799
#1 ffffffff81209867 (mempool_free_slab+0x17/0x20) ??:0
#2 ffffffff81209eff (mempool_free+0x8f/0xe0) ??:0
#3 ffffffff815fcc0d (scsi_sg_free+0x5d/0x70) ./drivers/scsi/scsi_lib.c:622
#4 ffffffff814cc28b (__sg_free_table+0x9b/0xe0) ??:0
#5 inlined (__scsi_release_buffers+0x164/0x170)
scsi_free_sgtable ./drivers/scsi/scsi_lib.c:651
#5 ffffffff815f9854 (__scsi_release_buffers+0x164/0x170)
./drivers/scsi/scsi_lib.c:658
#6 inlined (scsi_io_completion+0x827/0x8e0)
scsi_release_buffers ./drivers/scsi/scsi_lib.c:693
#6 ffffffff815fdb37 (scsi_io_completion+0x827/0x8e0)
./drivers/scsi/scsi_lib.c:995
#7 ffffffff815edda6 (scsi_finish_command+0x176/0x210)
./drivers/scsi/scsi.c:847
#8 ffffffff815f810f (scsi_eh_flush_done_q+0x1df/0x230) ??:0
#9 ffffffff81670842 (ata_scsi_port_error_handler+0x932/0xc50) ??:0
#10 ffffffff81670c9e (ata_scsi_error+0x13e/0x190) ??:0
#11 ffffffff815f893e (scsi_error_handler+0x1ae/0xb70) ??:0
#12 ffffffff81115a96 (kthread+0x126/0x130) kthread.c:0
#13 ffffffff818eb49c (ret_from_fork+0x7c/0xb0)
./arch/x86/kernel/entry_64.S:569
previously allocated by thread T3645 here:
#0 inlined (kmem_cache_alloc+0x9a/0x4c0) slab_alloc ./mm/slab.c:3471
#0 ffffffff8127292a (kmem_cache_alloc+0x9a/0x4c0) ./mm/slab.c:3629
#1 ffffffff81209845 (mempool_alloc_slab+0x15/0x20) ??:0
#2 ffffffff81209a1d (mempool_alloc+0x7d/0x1a0) ??:0
#3 ffffffff815fcc7d (scsi_sg_alloc+0x5d/0x70) ./drivers/scsi/scsi_lib.c:630
#4 ffffffff814cca3c (__sg_alloc_table+0x8c/0x1e0) ??:0
#5 inlined (scsi_init_sgtable+0x4c/0x100)
scsi_alloc_sgtable ./drivers/scsi/scsi_lib.c:640
#5 ffffffff815fc6bc (scsi_init_sgtable+0x4c/0x100)
./drivers/scsi/scsi_lib.c:1036
#6 ffffffff815fc7b1 (scsi_init_io+0x41/0x160) ./drivers/scsi/scsi_lib.c:1069
#7 ffffffff815fcb67 (scsi_setup_fs_cmnd+0x87/0xd0)
./drivers/scsi/scsi_lib.c:1219
#8 ffffffff8164912c (sd_prep_fn+0x5bc/0x1e00) ./drivers/scsi/sd.c:895
#9 ffffffff8148a9a1 (blk_peek_request+0x221/0x3f0) ./block/blk-core.c:2147
#10 ffffffff815fbce3 (scsi_request_fn+0x93/0xa20)
./drivers/scsi/scsi_lib.c:1568
#11 ffffffff8148737e (__blk_run_queue+0x7e/0xb0) ./block/blk-core.c:312
#12 inlined (cfq_insert_request+0x60c/0xb60)
cfq_rq_enqueued ./block/cfq-iosched.c:3908
#12 ffffffff814af94c (cfq_insert_request+0x60c/0xb60)
./block/cfq-iosched.c:3925
#13 ffffffff814805d5 (__elv_add_request+0x275/0x480) ./block/elevator.c:653
#14 ffffffff8148b65f (blk_queue_bio+0x3ef/0x520) ./block/blk-core.c:1215
#15 ffffffff81487087 (generic_make_request+0x187/0x210)
./block/blk-core.c:1831
Shadow bytes around the buggy address:
ffff880034fcdd80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcde00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcde80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcdf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcdf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>ffff880034fce000:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
ffff880034fce080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
ffff880034fce100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fce180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fce200: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
ffff880034fce280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap redzone: fa
Heap kmalloc redzone: fb
Freed heap region: fd
Shadow gap: fe
[-- Attachment #2: asan1-131-1379512967.log_symb --]
[-- Type: application/octet-stream, Size: 124250 bytes --]
[watchdog] child 1 wrapped! old=21762 now=0
[watchdog] child 3 wrapped! old=21762 now=0
[watchdog] child 17 wrapped! old=21761 now=0
[watchdog] child 22 wrapped! old=21762 now=0
[watchdog] child 23 wrapped! old=21762 now=0
[watchdog] child 39 wrapped! old=21762 now=0
[watchdog] child 52 wrapped! old=21762 now=0
[watchdog] 46686 iterations. [F:39006 S:7680]
ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x6 frozen
ata1.00: failed command: WRITE DMA
ata1.00: cmd ca/00:08:40:85:1c/00:00:00:00:00/e0 tag 0 dma 4096 out
res 40/00:01:00:4f:c2/00:00:00:00:00/a0 Emask 0x4 (timeout)
ata1.00: status: { DRDY }
[watchdog] 52706 iterations. [F:44111 S:8595]
ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x6 frozen
ata1.00: failed command: READ DMA
ata1.00: cmd c8/00:00:40:1e:16/00:00:00:00:00/e0 tag 0 dma 131072 in
res 40/00:01:00:4f:c2/00:00:00:00:00/a0 Emask 0x4 (timeout)
ata1.00: status: { DRDY }
end_request: I/O error, dev sda, sector 1588032
=========================================================================
end_request: I/O error, dev sda, sector 1588056
ERROR: AddressSanitizer: heap-use-after-free on address ffff880034fce000
ffff880034fce000 is located 0 bytes inside of 256-byte region [ffff880034fce000, ffff880034fce100)
READ of size 8 at ffff880034fce000 by thread T3645:
#0 inlined (asan_report_error+0x3e7/0x500) asan_describe_heap_address ./arch/x86/mm/asan/report.c:191
#0 ffffffff810d9af7 (asan_report_error+0x3e7/0x500) ./arch/x86/mm/asan/report.c:309
#1 ffffffff810d8c12 (asan_check_region.part.1+0x1b2/0x230) ./arch/x86/mm/asan/asan.c:263
#2 inlined (__tsan_read8+0x28/0x30) asan_check_region ./arch/x86/mm/asan/asan.c:276
#2 ffffffff810d8d48 (__tsan_read8+0x28/0x30) ./arch/x86/mm/asan/asan.c:276
#3 ffffffff814cc0ef (sg_next+0xf/0x40) ??:0
#4 inlined (ata_qc_issue+0x2b4/0x740) dma_map_sg_attrs ./include/asm-generic/dma-mapping-common.h:50
#4 inlined (ata_qc_issue+0x2b4/0x740) ata_sg_setup ./drivers/ata/libata-core.c:4707
#4 ffffffff816574b4 (ata_qc_issue+0x2b4/0x740) ./drivers/ata/libata-core.c:5082
#5 inlined (ata_scsi_queuecmd+0x249/0x620) ata_scsi_translate ./drivers/ata/libata-scsi.c:1838
#5 inlined (ata_scsi_queuecmd+0x249/0x620) __ata_scsi_queuecmd ./drivers/ata/libata-scsi.c:3426
#5 ffffffff816663b9 (ata_scsi_queuecmd+0x249/0x620) ./drivers/ata/libata-scsi.c:3475
#6 ffffffff815f03d7 (scsi_dispatch_cmd+0x1d7/0x4d0) ./drivers/scsi/scsi.c:752
#7 ffffffff815fc2e0 (scsi_request_fn+0x690/0xa20) ./drivers/scsi/scsi_lib.c:1638
#8 ffffffff8148737e (__blk_run_queue+0x7e/0xb0) ./block/blk-core.c:312
#9 inlined (cfq_insert_request+0x60c/0xb60) cfq_rq_enqueued ./block/cfq-iosched.c:3908
#9 ffffffff814af94c (cfq_insert_request+0x60c/0xb60) ./block/cfq-iosched.c:3925
#10 ffffffff814805d5 (__elv_add_request+0x275/0x480) ./block/elevator.c:653
#11 ffffffff8148b65f (blk_queue_bio+0x3ef/0x520) ./block/blk-core.c:1215
#12 ffffffff81487087 (generic_make_request+0x187/0x210) ./block/blk-core.c:1831
#13 ffffffff814871b2 (submit_bio+0xa2/0x1f0) ./block/blk-core.c:1883
#14 ffffffff812e9619 (mpage_readpage+0xa9/0xc0) ??:0
#15 ffffffff8138f0fb (ext4_readpage+0x4b/0xd0) ./fs/ext4/inode.c:2938
#16 inlined (generic_file_aio_read+0x546/0xa70) do_generic_file_read ./mm/filemap.c:1248
#16 ffffffff81208076 (generic_file_aio_read+0x546/0xa70) ./mm/filemap.c:1482
#17 ffffffff8128bea9 (do_sync_read+0xd9/0x120) ??:0
#18 ffffffff8128c7ea (vfs_read+0xfa/0x240) ??:0
#19 ffffffff8128da62 (SyS_read+0x72/0xd0) ??:0
#20 ffffffff818ecc75 (sysenter_dispatch+0x7/0x1a) ./arch/x86/ia32/ia32entry.S:163
freed by thread T1095 here:
#0 inlined (kmem_cache_free+0x55/0x2e0) __cache_free ./mm/slab.c:3590
#0 ffffffff812706b5 (kmem_cache_free+0x55/0x2e0) ./mm/slab.c:3799
#1 ffffffff81209867 (mempool_free_slab+0x17/0x20) ??:0
#2 ffffffff81209eff (mempool_free+0x8f/0xe0) ??:0
#3 ffffffff815fcc0d (scsi_sg_free+0x5d/0x70) ./drivers/scsi/scsi_lib.c:622
#4 ffffffff814cc28b (__sg_free_table+0x9b/0xe0) ??:0
#5 inlined (__scsi_release_buffers+0x164/0x170) scsi_free_sgtable ./drivers/scsi/scsi_lib.c:651
#5 ffffffff815f9854 (__scsi_release_buffers+0x164/0x170) ./drivers/scsi/scsi_lib.c:658
#6 inlined (scsi_io_completion+0x827/0x8e0) scsi_release_buffers ./drivers/scsi/scsi_lib.c:693
#6 ffffffff815fdb37 (scsi_io_completion+0x827/0x8e0) ./drivers/scsi/scsi_lib.c:995
#7 ffffffff815edda6 (scsi_finish_command+0x176/0x210) ./drivers/scsi/scsi.c:847
#8 ffffffff815f810f (scsi_eh_flush_done_q+0x1df/0x230) ??:0
#9 ffffffff81670842 (ata_scsi_port_error_handler+0x932/0xc50) ??:0
#10 ffffffff81670c9e (ata_scsi_error+0x13e/0x190) ??:0
#11 ffffffff815f893e (scsi_error_handler+0x1ae/0xb70) ??:0
#12 ffffffff81115a96 (kthread+0x126/0x130) kthread.c:0
#13 ffffffff818eb49c (ret_from_fork+0x7c/0xb0) ./arch/x86/kernel/entry_64.S:569
previously allocated by thread T3645 here:
#0 inlined (kmem_cache_alloc+0x9a/0x4c0) slab_alloc ./mm/slab.c:3471
#0 ffffffff8127292a (kmem_cache_alloc+0x9a/0x4c0) ./mm/slab.c:3629
#1 ffffffff81209845 (mempool_alloc_slab+0x15/0x20) ??:0
#2 ffffffff81209a1d (mempool_alloc+0x7d/0x1a0) ??:0
#3 ffffffff815fcc7d (scsi_sg_alloc+0x5d/0x70) ./drivers/scsi/scsi_lib.c:630
#4 ffffffff814cca3c (__sg_alloc_table+0x8c/0x1e0) ??:0
#5 inlined (scsi_init_sgtable+0x4c/0x100) scsi_alloc_sgtable ./drivers/scsi/scsi_lib.c:640
#5 ffffffff815fc6bc (scsi_init_sgtable+0x4c/0x100) ./drivers/scsi/scsi_lib.c:1036
#6 ffffffff815fc7b1 (scsi_init_io+0x41/0x160) ./drivers/scsi/scsi_lib.c:1069
#7 ffffffff815fcb67 (scsi_setup_fs_cmnd+0x87/0xd0) ./drivers/scsi/scsi_lib.c:1219
#8 ffffffff8164912c (sd_prep_fn+0x5bc/0x1e00) ./drivers/scsi/sd.c:895
#9 ffffffff8148a9a1 (blk_peek_request+0x221/0x3f0) ./block/blk-core.c:2147
#10 ffffffff815fbce3 (scsi_request_fn+0x93/0xa20) ./drivers/scsi/scsi_lib.c:1568
#11 ffffffff8148737e (__blk_run_queue+0x7e/0xb0) ./block/blk-core.c:312
#12 inlined (cfq_insert_request+0x60c/0xb60) cfq_rq_enqueued ./block/cfq-iosched.c:3908
#12 ffffffff814af94c (cfq_insert_request+0x60c/0xb60) ./block/cfq-iosched.c:3925
#13 ffffffff814805d5 (__elv_add_request+0x275/0x480) ./block/elevator.c:653
#14 ffffffff8148b65f (blk_queue_bio+0x3ef/0x520) ./block/blk-core.c:1215
#15 ffffffff81487087 (generic_make_request+0x187/0x210) ./block/blk-core.c:1831
Shadow bytes around the buggy address:
ffff880034fcdd80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcde00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcde80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcdf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcdf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>ffff880034fce000:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
ffff880034fce080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
ffff880034fce100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fce180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fce200: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
ffff880034fce280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap redzone: fa
Heap kmalloc redzone: fb
Freed heap region: fd
Shadow gap: fe
=========================================================================
=========================================================================
ERROR: AddressSanitizer: heap-use-after-free on address ffff880034fce00c
ffff880034fce00c is located 12 bytes inside of 256-byte region [ffff880034fce000, ffff880034fce100)
READ of size 4 at ffff880034fce00c by thread T3645:
#0 inlined (asan_report_error+0x3e7/0x500) asan_describe_heap_address ./arch/x86/mm/asan/report.c:191
#0 ffffffff810d9af7 (asan_report_error+0x3e7/0x500) ./arch/x86/mm/asan/report.c:309
#1 ffffffff810d8c12 (asan_check_region.part.1+0x1b2/0x230) ./arch/x86/mm/asan/asan.c:263
#2 inlined (__tsan_read4+0x20/0x30) asan_check_region ./arch/x86/mm/asan/asan.c:275
#2 ffffffff810d8d10 (__tsan_read4+0x20/0x30) ./arch/x86/mm/asan/asan.c:275
#3 ffffffff810879c1 (nommu_map_sg+0x31/0x160) pci-nommu.c:0
#4 inlined (ata_qc_issue+0x2e5/0x740) dma_map_sg_attrs ./include/asm-generic/dma-mapping-common.h:53
#4 inlined (ata_qc_issue+0x2e5/0x740) ata_sg_setup ./drivers/ata/libata-core.c:4707
#4 ffffffff816574e5 (ata_qc_issue+0x2e5/0x740) ./drivers/ata/libata-core.c:5082
#5 inlined (ata_scsi_queuecmd+0x249/0x620) ata_scsi_translate ./drivers/ata/libata-scsi.c:1838
#5 inlined (ata_scsi_queuecmd+0x249/0x620) __ata_scsi_queuecmd ./drivers/ata/libata-scsi.c:3426
#5 ffffffff816663b9 (ata_scsi_queuecmd+0x249/0x620) ./drivers/ata/libata-scsi.c:3475
#6 ffffffff815f03d7 (scsi_dispatch_cmd+0x1d7/0x4d0) ./drivers/scsi/scsi.c:752
#7 ffffffff815fc2e0 (scsi_request_fn+0x690/0xa20) ./drivers/scsi/scsi_lib.c:1638
#8 ffffffff8148737e (__blk_run_queue+0x7e/0xb0) ./block/blk-core.c:312
#9 inlined (cfq_insert_request+0x60c/0xb60) cfq_rq_enqueued ./block/cfq-iosched.c:3908
#9 ffffffff814af94c (cfq_insert_request+0x60c/0xb60) ./block/cfq-iosched.c:3925
#10 ffffffff814805d5 (__elv_add_request+0x275/0x480) ./block/elevator.c:653
#11 ffffffff8148b65f (blk_queue_bio+0x3ef/0x520) ./block/blk-core.c:1215
#12 ffffffff81487087 (generic_make_request+0x187/0x210) ./block/blk-core.c:1831
#13 ffffffff814871b2 (submit_bio+0xa2/0x1f0) ./block/blk-core.c:1883
#14 ffffffff812e9619 (mpage_readpage+0xa9/0xc0) ??:0
#15 ffffffff8138f0fb (ext4_readpage+0x4b/0xd0) ./fs/ext4/inode.c:2938
#16 inlined (generic_file_aio_read+0x546/0xa70) do_generic_file_read ./mm/filemap.c:1248
#16 ffffffff81208076 (generic_file_aio_read+0x546/0xa70) ./mm/filemap.c:1482
#17 ffffffff8128bea9 (do_sync_read+0xd9/0x120) ??:0
#18 ffffffff8128c7ea (vfs_read+0xfa/0x240) ??:0
#19 ffffffff8128da62 (SyS_read+0x72/0xd0) ??:0
#20 ffffffff818ecc75 (sysenter_dispatch+0x7/0x1a) ./arch/x86/ia32/ia32entry.S:163
freed by thread T1095 here:
#0 inlined (kmem_cache_free+0x55/0x2e0) __cache_free ./mm/slab.c:3590
#0 ffffffff812706b5 (kmem_cache_free+0x55/0x2e0) ./mm/slab.c:3799
#1 ffffffff81209867 (mempool_free_slab+0x17/0x20) ??:0
#2 ffffffff81209eff (mempool_free+0x8f/0xe0) ??:0
#3 ffffffff815fcc0d (scsi_sg_free+0x5d/0x70) ./drivers/scsi/scsi_lib.c:622
#4 ffffffff814cc28b (__sg_free_table+0x9b/0xe0) ??:0
#5 inlined (__scsi_release_buffers+0x164/0x170) scsi_free_sgtable ./drivers/scsi/scsi_lib.c:651
#5 ffffffff815f9854 (__scsi_release_buffers+0x164/0x170) ./drivers/scsi/scsi_lib.c:658
#6 inlined (scsi_io_completion+0x827/0x8e0) scsi_release_buffers ./drivers/scsi/scsi_lib.c:693
#6 ffffffff815fdb37 (scsi_io_completion+0x827/0x8e0) ./drivers/scsi/scsi_lib.c:995
#7 ffffffff815edda6 (scsi_finish_command+0x176/0x210) ./drivers/scsi/scsi.c:847
#8 ffffffff815f810f (scsi_eh_flush_done_q+0x1df/0x230) ??:0
#9 ffffffff81670842 (ata_scsi_port_error_handler+0x932/0xc50) ??:0
#10 ffffffff81670c9e (ata_scsi_error+0x13e/0x190) ??:0
#11 ffffffff815f893e (scsi_error_handler+0x1ae/0xb70) ??:0
#12 ffffffff81115a96 (kthread+0x126/0x130) kthread.c:0
#13 ffffffff818eb49c (ret_from_fork+0x7c/0xb0) ./arch/x86/kernel/entry_64.S:569
previously allocated by thread T3645 here:
#0 inlined (kmem_cache_alloc+0x9a/0x4c0) slab_alloc ./mm/slab.c:3471
#0 ffffffff8127292a (kmem_cache_alloc+0x9a/0x4c0) ./mm/slab.c:3629
#1 ffffffff81209845 (mempool_alloc_slab+0x15/0x20) ??:0
#2 ffffffff81209a1d (mempool_alloc+0x7d/0x1a0) ??:0
#3 ffffffff815fcc7d (scsi_sg_alloc+0x5d/0x70) ./drivers/scsi/scsi_lib.c:630
#4 ffffffff814cca3c (__sg_alloc_table+0x8c/0x1e0) ??:0
#5 inlined (scsi_init_sgtable+0x4c/0x100) scsi_alloc_sgtable ./drivers/scsi/scsi_lib.c:640
#5 ffffffff815fc6bc (scsi_init_sgtable+0x4c/0x100) ./drivers/scsi/scsi_lib.c:1036
#6 ffffffff815fc7b1 (scsi_init_io+0x41/0x160) ./drivers/scsi/scsi_lib.c:1069
#7 ffffffff815fcb67 (scsi_setup_fs_cmnd+0x87/0xd0) ./drivers/scsi/scsi_lib.c:1219
#8 ffffffff8164912c (sd_prep_fn+0x5bc/0x1e00) ./drivers/scsi/sd.c:895
#9 ffffffff8148a9a1 (blk_peek_request+0x221/0x3f0) ./block/blk-core.c:2147
#10 ffffffff815fbce3 (scsi_request_fn+0x93/0xa20) ./drivers/scsi/scsi_lib.c:1568
#11 ffffffff8148737e (__blk_run_queue+0x7e/0xb0) ./block/blk-core.c:312
#12 inlined (cfq_insert_request+0x60c/0xb60) cfq_rq_enqueued ./block/cfq-iosched.c:3908
#12 ffffffff814af94c (cfq_insert_request+0x60c/0xb60) ./block/cfq-iosched.c:3925
#13 ffffffff814805d5 (__elv_add_request+0x275/0x480) ./block/elevator.c:653
#14 ffffffff8148b65f (blk_queue_bio+0x3ef/0x520) ./block/blk-core.c:1215
#15 ffffffff81487087 (generic_make_request+0x187/0x210) ./block/blk-core.c:1831
Shadow bytes around the buggy address:
ffff880034fcdd80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcde00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcde80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcdf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcdf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>ffff880034fce000: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
ffff880034fce080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
ffff880034fce100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fce180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fce200: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
ffff880034fce280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap redzone: fa
Heap kmalloc redzone: fb
Freed heap region: fd
Shadow gap: fe
=========================================================================
=========================================================================
ERROR: AddressSanitizer: heap-use-after-free on address ffff880034fce000
ffff880034fce000 is located 0 bytes inside of 256-byte region [ffff880034fce000, ffff880034fce100)
READ of size 8 at ffff880034fce000 by thread T3645:
#0 inlined (asan_report_error+0x3e7/0x500) asan_describe_heap_address ./arch/x86/mm/asan/report.c:191
#0 ffffffff810d9af7 (asan_report_error+0x3e7/0x500) ./arch/x86/mm/asan/report.c:309
#1 ffffffff810d8c12 (asan_check_region.part.1+0x1b2/0x230) ./arch/x86/mm/asan/asan.c:263
#2 inlined (__tsan_read8+0x28/0x30) asan_check_region ./arch/x86/mm/asan/asan.c:276
#2 ffffffff810d8d48 (__tsan_read8+0x28/0x30) ./arch/x86/mm/asan/asan.c:276
#3 ffffffff810879dd (nommu_map_sg+0x4d/0x160) pci-nommu.c:0
#4 inlined (ata_qc_issue+0x2e5/0x740) dma_map_sg_attrs ./include/asm-generic/dma-mapping-common.h:53
#4 inlined (ata_qc_issue+0x2e5/0x740) ata_sg_setup ./drivers/ata/libata-core.c:4707
#4 ffffffff816574e5 (ata_qc_issue+0x2e5/0x740) ./drivers/ata/libata-core.c:5082
#5 inlined (ata_scsi_queuecmd+0x249/0x620) ata_scsi_translate ./drivers/ata/libata-scsi.c:1838
#5 inlined (ata_scsi_queuecmd+0x249/0x620) __ata_scsi_queuecmd ./drivers/ata/libata-scsi.c:3426
#5 ffffffff816663b9 (ata_scsi_queuecmd+0x249/0x620) ./drivers/ata/libata-scsi.c:3475
#6 ffffffff815f03d7 (scsi_dispatch_cmd+0x1d7/0x4d0) ./drivers/scsi/scsi.c:752
#7 ffffffff815fc2e0 (scsi_request_fn+0x690/0xa20) ./drivers/scsi/scsi_lib.c:1638
#8 ffffffff8148737e (__blk_run_queue+0x7e/0xb0) ./block/blk-core.c:312
#9 inlined (cfq_insert_request+0x60c/0xb60) cfq_rq_enqueued ./block/cfq-iosched.c:3908
#9 ffffffff814af94c (cfq_insert_request+0x60c/0xb60) ./block/cfq-iosched.c:3925
#10 ffffffff814805d5 (__elv_add_request+0x275/0x480) ./block/elevator.c:653
#11 ffffffff8148b65f (blk_queue_bio+0x3ef/0x520) ./block/blk-core.c:1215
#12 ffffffff81487087 (generic_make_request+0x187/0x210) ./block/blk-core.c:1831
#13 ffffffff814871b2 (submit_bio+0xa2/0x1f0) ./block/blk-core.c:1883
#14 ffffffff812e9619 (mpage_readpage+0xa9/0xc0) ??:0
#15 ffffffff8138f0fb (ext4_readpage+0x4b/0xd0) ./fs/ext4/inode.c:2938
#16 inlined (generic_file_aio_read+0x546/0xa70) do_generic_file_read ./mm/filemap.c:1248
#16 ffffffff81208076 (generic_file_aio_read+0x546/0xa70) ./mm/filemap.c:1482
#17 ffffffff8128bea9 (do_sync_read+0xd9/0x120) ??:0
#18 ffffffff8128c7ea (vfs_read+0xfa/0x240) ??:0
#19 ffffffff8128da62 (SyS_read+0x72/0xd0) ??:0
#20 ffffffff818ecc75 (sysenter_dispatch+0x7/0x1a) ./arch/x86/ia32/ia32entry.S:163
freed by thread T1095 here:
#0 inlined (kmem_cache_free+0x55/0x2e0) __cache_free ./mm/slab.c:3590
#0 ffffffff812706b5 (kmem_cache_free+0x55/0x2e0) ./mm/slab.c:3799
#1 ffffffff81209867 (mempool_free_slab+0x17/0x20) ??:0
#2 ffffffff81209eff (mempool_free+0x8f/0xe0) ??:0
#3 ffffffff815fcc0d (scsi_sg_free+0x5d/0x70) ./drivers/scsi/scsi_lib.c:622
#4 ffffffff814cc28b (__sg_free_table+0x9b/0xe0) ??:0
#5 inlined (__scsi_release_buffers+0x164/0x170) scsi_free_sgtable ./drivers/scsi/scsi_lib.c:651
#5 ffffffff815f9854 (__scsi_release_buffers+0x164/0x170) ./drivers/scsi/scsi_lib.c:658
#6 inlined (scsi_io_completion+0x827/0x8e0) scsi_release_buffers ./drivers/scsi/scsi_lib.c:693
#6 ffffffff815fdb37 (scsi_io_completion+0x827/0x8e0) ./drivers/scsi/scsi_lib.c:995
#7 ffffffff815edda6 (scsi_finish_command+0x176/0x210) ./drivers/scsi/scsi.c:847
#8 ffffffff815f810f (scsi_eh_flush_done_q+0x1df/0x230) ??:0
#9 ffffffff81670842 (ata_scsi_port_error_handler+0x932/0xc50) ??:0
#10 ffffffff81670c9e (ata_scsi_error+0x13e/0x190) ??:0
#11 ffffffff815f893e (scsi_error_handler+0x1ae/0xb70) ??:0
#12 ffffffff81115a96 (kthread+0x126/0x130) kthread.c:0
#13 ffffffff818eb49c (ret_from_fork+0x7c/0xb0) ./arch/x86/kernel/entry_64.S:569
previously allocated by thread T3645 here:
#0 inlined (kmem_cache_alloc+0x9a/0x4c0) slab_alloc ./mm/slab.c:3471
#0 ffffffff8127292a (kmem_cache_alloc+0x9a/0x4c0) ./mm/slab.c:3629
#1 ffffffff81209845 (mempool_alloc_slab+0x15/0x20) ??:0
#2 ffffffff81209a1d (mempool_alloc+0x7d/0x1a0) ??:0
#3 ffffffff815fcc7d (scsi_sg_alloc+0x5d/0x70) ./drivers/scsi/scsi_lib.c:630
#4 ffffffff814cca3c (__sg_alloc_table+0x8c/0x1e0) ??:0
#5 inlined (scsi_init_sgtable+0x4c/0x100) scsi_alloc_sgtable ./drivers/scsi/scsi_lib.c:640
#5 ffffffff815fc6bc (scsi_init_sgtable+0x4c/0x100) ./drivers/scsi/scsi_lib.c:1036
#6 ffffffff815fc7b1 (scsi_init_io+0x41/0x160) ./drivers/scsi/scsi_lib.c:1069
#7 ffffffff815fcb67 (scsi_setup_fs_cmnd+0x87/0xd0) ./drivers/scsi/scsi_lib.c:1219
#8 ffffffff8164912c (sd_prep_fn+0x5bc/0x1e00) ./drivers/scsi/sd.c:895
#9 ffffffff8148a9a1 (blk_peek_request+0x221/0x3f0) ./block/blk-core.c:2147
#10 ffffffff815fbce3 (scsi_request_fn+0x93/0xa20) ./drivers/scsi/scsi_lib.c:1568
#11 ffffffff8148737e (__blk_run_queue+0x7e/0xb0) ./block/blk-core.c:312
#12 inlined (cfq_insert_request+0x60c/0xb60) cfq_rq_enqueued ./block/cfq-iosched.c:3908
#12 ffffffff814af94c (cfq_insert_request+0x60c/0xb60) ./block/cfq-iosched.c:3925
#13 ffffffff814805d5 (__elv_add_request+0x275/0x480) ./block/elevator.c:653
#14 ffffffff8148b65f (blk_queue_bio+0x3ef/0x520) ./block/blk-core.c:1215
#15 ffffffff81487087 (generic_make_request+0x187/0x210) ./block/blk-core.c:1831
Shadow bytes around the buggy address:
ffff880034fcdd80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcde00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcde80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcdf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcdf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>ffff880034fce000:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
ffff880034fce080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
ffff880034fce100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fce180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fce200: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
ffff880034fce280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap redzone: fa
Heap kmalloc redzone: fb
Freed heap region: fd
Shadow gap: fe
=========================================================================
=========================================================================
ERROR: AddressSanitizer: heap-use-after-free on address ffff880034fce008
ffff880034fce008 is located 8 bytes inside of 256-byte region [ffff880034fce000, ffff880034fce100)
READ of size 4 at ffff880034fce008 by thread T3645:
#0 inlined (asan_report_error+0x3e7/0x500) asan_describe_heap_address ./arch/x86/mm/asan/report.c:191
#0 ffffffff810d9af7 (asan_report_error+0x3e7/0x500) ./arch/x86/mm/asan/report.c:309
#1 ffffffff810d8c12 (asan_check_region.part.1+0x1b2/0x230) ./arch/x86/mm/asan/asan.c:263
#2 inlined (__tsan_read4+0x20/0x30) asan_check_region ./arch/x86/mm/asan/asan.c:275
#2 ffffffff810d8d10 (__tsan_read4+0x20/0x30) ./arch/x86/mm/asan/asan.c:275
#3 ffffffff81087a43 (nommu_map_sg+0xb3/0x160) pci-nommu.c:0
#4 inlined (ata_qc_issue+0x2e5/0x740) dma_map_sg_attrs ./include/asm-generic/dma-mapping-common.h:53
#4 inlined (ata_qc_issue+0x2e5/0x740) ata_sg_setup ./drivers/ata/libata-core.c:4707
#4 ffffffff816574e5 (ata_qc_issue+0x2e5/0x740) ./drivers/ata/libata-core.c:5082
#5 inlined (ata_scsi_queuecmd+0x249/0x620) ata_scsi_translate ./drivers/ata/libata-scsi.c:1838
#5 inlined (ata_scsi_queuecmd+0x249/0x620) __ata_scsi_queuecmd ./drivers/ata/libata-scsi.c:3426
#5 ffffffff816663b9 (ata_scsi_queuecmd+0x249/0x620) ./drivers/ata/libata-scsi.c:3475
#6 ffffffff815f03d7 (scsi_dispatch_cmd+0x1d7/0x4d0) ./drivers/scsi/scsi.c:752
#7 ffffffff815fc2e0 (scsi_request_fn+0x690/0xa20) ./drivers/scsi/scsi_lib.c:1638
#8 ffffffff8148737e (__blk_run_queue+0x7e/0xb0) ./block/blk-core.c:312
#9 inlined (cfq_insert_request+0x60c/0xb60) cfq_rq_enqueued ./block/cfq-iosched.c:3908
#9 ffffffff814af94c (cfq_insert_request+0x60c/0xb60) ./block/cfq-iosched.c:3925
#10 ffffffff814805d5 (__elv_add_request+0x275/0x480) ./block/elevator.c:653
#11 ffffffff8148b65f (blk_queue_bio+0x3ef/0x520) ./block/blk-core.c:1215
#12 ffffffff81487087 (generic_make_request+0x187/0x210) ./block/blk-core.c:1831
#13 ffffffff814871b2 (submit_bio+0xa2/0x1f0) ./block/blk-core.c:1883
#14 ffffffff812e9619 (mpage_readpage+0xa9/0xc0) ??:0
#15 ffffffff8138f0fb (ext4_readpage+0x4b/0xd0) ./fs/ext4/inode.c:2938
#16 inlined (generic_file_aio_read+0x546/0xa70) do_generic_file_read ./mm/filemap.c:1248
#16 ffffffff81208076 (generic_file_aio_read+0x546/0xa70) ./mm/filemap.c:1482
#17 ffffffff8128bea9 (do_sync_read+0xd9/0x120) ??:0
#18 ffffffff8128c7ea (vfs_read+0xfa/0x240) ??:0
#19 ffffffff8128da62 (SyS_read+0x72/0xd0) ??:0
#20 ffffffff818ecc75 (sysenter_dispatch+0x7/0x1a) ./arch/x86/ia32/ia32entry.S:163
freed by thread T1095 here:
#0 inlined (kmem_cache_free+0x55/0x2e0) __cache_free ./mm/slab.c:3590
#0 ffffffff812706b5 (kmem_cache_free+0x55/0x2e0) ./mm/slab.c:3799
#1 ffffffff81209867 (mempool_free_slab+0x17/0x20) ??:0
#2 ffffffff81209eff (mempool_free+0x8f/0xe0) ??:0
#3 ffffffff815fcc0d (scsi_sg_free+0x5d/0x70) ./drivers/scsi/scsi_lib.c:622
#4 ffffffff814cc28b (__sg_free_table+0x9b/0xe0) ??:0
#5 inlined (__scsi_release_buffers+0x164/0x170) scsi_free_sgtable ./drivers/scsi/scsi_lib.c:651
#5 ffffffff815f9854 (__scsi_release_buffers+0x164/0x170) ./drivers/scsi/scsi_lib.c:658
#6 inlined (scsi_io_completion+0x827/0x8e0) scsi_release_buffers ./drivers/scsi/scsi_lib.c:693
#6 ffffffff815fdb37 (scsi_io_completion+0x827/0x8e0) ./drivers/scsi/scsi_lib.c:995
#7 ffffffff815edda6 (scsi_finish_command+0x176/0x210) ./drivers/scsi/scsi.c:847
#8 ffffffff815f810f (scsi_eh_flush_done_q+0x1df/0x230) ??:0
#9 ffffffff81670842 (ata_scsi_port_error_handler+0x932/0xc50) ??:0
#10 ffffffff81670c9e (ata_scsi_error+0x13e/0x190) ??:0
#11 ffffffff815f893e (scsi_error_handler+0x1ae/0xb70) ??:0
#12 ffffffff81115a96 (kthread+0x126/0x130) kthread.c:0
#13 ffffffff818eb49c (ret_from_fork+0x7c/0xb0) ./arch/x86/kernel/entry_64.S:569
previously allocated by thread T3645 here:
#0 inlined (kmem_cache_alloc+0x9a/0x4c0) slab_alloc ./mm/slab.c:3471
#0 ffffffff8127292a (kmem_cache_alloc+0x9a/0x4c0) ./mm/slab.c:3629
#1 ffffffff81209845 (mempool_alloc_slab+0x15/0x20) ??:0
#2 ffffffff81209a1d (mempool_alloc+0x7d/0x1a0) ??:0
#3 ffffffff815fcc7d (scsi_sg_alloc+0x5d/0x70) ./drivers/scsi/scsi_lib.c:630
#4 ffffffff814cca3c (__sg_alloc_table+0x8c/0x1e0) ??:0
#5 inlined (scsi_init_sgtable+0x4c/0x100) scsi_alloc_sgtable ./drivers/scsi/scsi_lib.c:640
#5 ffffffff815fc6bc (scsi_init_sgtable+0x4c/0x100) ./drivers/scsi/scsi_lib.c:1036
#6 ffffffff815fc7b1 (scsi_init_io+0x41/0x160) ./drivers/scsi/scsi_lib.c:1069
#7 ffffffff815fcb67 (scsi_setup_fs_cmnd+0x87/0xd0) ./drivers/scsi/scsi_lib.c:1219
#8 ffffffff8164912c (sd_prep_fn+0x5bc/0x1e00) ./drivers/scsi/sd.c:895
#9 ffffffff8148a9a1 (blk_peek_request+0x221/0x3f0) ./block/blk-core.c:2147
#10 ffffffff815fbce3 (scsi_request_fn+0x93/0xa20) ./drivers/scsi/scsi_lib.c:1568
#11 ffffffff8148737e (__blk_run_queue+0x7e/0xb0) ./block/blk-core.c:312
#12 inlined (cfq_insert_request+0x60c/0xb60) cfq_rq_enqueued ./block/cfq-iosched.c:3908
#12 ffffffff814af94c (cfq_insert_request+0x60c/0xb60) ./block/cfq-iosched.c:3925
#13 ffffffff814805d5 (__elv_add_request+0x275/0x480) ./block/elevator.c:653
#14 ffffffff8148b65f (blk_queue_bio+0x3ef/0x520) ./block/blk-core.c:1215
#15 ffffffff81487087 (generic_make_request+0x187/0x210) ./block/blk-core.c:1831
Shadow bytes around the buggy address:
ffff880034fcdd80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcde00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcde80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcdf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcdf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>ffff880034fce000: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
ffff880034fce080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
ffff880034fce100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fce180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fce200: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
ffff880034fce280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap redzone: fa
Heap kmalloc redzone: fb
Freed heap region: fd
Shadow gap: fe
=========================================================================
=========================================================================
ERROR: AddressSanitizer: heap-use-after-free on address ffff880034fce010
ffff880034fce010 is located 16 bytes inside of 256-byte region [ffff880034fce000, ffff880034fce100)
WRITE of size 8 at ffff880034fce010 by thread T3645:
#0 inlined (asan_report_error+0x3e7/0x500) asan_describe_heap_address ./arch/x86/mm/asan/report.c:191
#0 ffffffff810d9af7 (asan_report_error+0x3e7/0x500) ./arch/x86/mm/asan/report.c:309
#1 ffffffff810d8c12 (asan_check_region.part.1+0x1b2/0x230) ./arch/x86/mm/asan/asan.c:263
#2 inlined (__tsan_write8+0x23/0x30) asan_check_region ./arch/x86/mm/asan/asan.c:282
#2 ffffffff810d8e33 (__tsan_write8+0x23/0x30) ./arch/x86/mm/asan/asan.c:282
#3 ffffffff81087a75 (nommu_map_sg+0xe5/0x160) pci-nommu.c:0
#4 inlined (ata_qc_issue+0x2e5/0x740) dma_map_sg_attrs ./include/asm-generic/dma-mapping-common.h:53
#4 inlined (ata_qc_issue+0x2e5/0x740) ata_sg_setup ./drivers/ata/libata-core.c:4707
#4 ffffffff816574e5 (ata_qc_issue+0x2e5/0x740) ./drivers/ata/libata-core.c:5082
#5 inlined (ata_scsi_queuecmd+0x249/0x620) ata_scsi_translate ./drivers/ata/libata-scsi.c:1838
#5 inlined (ata_scsi_queuecmd+0x249/0x620) __ata_scsi_queuecmd ./drivers/ata/libata-scsi.c:3426
#5 ffffffff816663b9 (ata_scsi_queuecmd+0x249/0x620) ./drivers/ata/libata-scsi.c:3475
#6 ffffffff815f03d7 (scsi_dispatch_cmd+0x1d7/0x4d0) ./drivers/scsi/scsi.c:752
#7 ffffffff815fc2e0 (scsi_request_fn+0x690/0xa20) ./drivers/scsi/scsi_lib.c:1638
#8 ffffffff8148737e (__blk_run_queue+0x7e/0xb0) ./block/blk-core.c:312
#9 inlined (cfq_insert_request+0x60c/0xb60) cfq_rq_enqueued ./block/cfq-iosched.c:3908
#9 ffffffff814af94c (cfq_insert_request+0x60c/0xb60) ./block/cfq-iosched.c:3925
#10 ffffffff814805d5 (__elv_add_request+0x275/0x480) ./block/elevator.c:653
#11 ffffffff8148b65f (blk_queue_bio+0x3ef/0x520) ./block/blk-core.c:1215
#12 ffffffff81487087 (generic_make_request+0x187/0x210) ./block/blk-core.c:1831
#13 ffffffff814871b2 (submit_bio+0xa2/0x1f0) ./block/blk-core.c:1883
#14 ffffffff812e9619 (mpage_readpage+0xa9/0xc0) ??:0
#15 ffffffff8138f0fb (ext4_readpage+0x4b/0xd0) ./fs/ext4/inode.c:2938
#16 inlined (generic_file_aio_read+0x546/0xa70) do_generic_file_read ./mm/filemap.c:1248
#16 ffffffff81208076 (generic_file_aio_read+0x546/0xa70) ./mm/filemap.c:1482
#17 ffffffff8128bea9 (do_sync_read+0xd9/0x120) ??:0
#18 ffffffff8128c7ea (vfs_read+0xfa/0x240) ??:0
#19 ffffffff8128da62 (SyS_read+0x72/0xd0) ??:0
#20 ffffffff818ecc75 (sysenter_dispatch+0x7/0x1a) ./arch/x86/ia32/ia32entry.S:163
freed by thread T1095 here:
#0 inlined (kmem_cache_free+0x55/0x2e0) __cache_free ./mm/slab.c:3590
#0 ffffffff812706b5 (kmem_cache_free+0x55/0x2e0) ./mm/slab.c:3799
#1 ffffffff81209867 (mempool_free_slab+0x17/0x20) ??:0
#2 ffffffff81209eff (mempool_free+0x8f/0xe0) ??:0
#3 ffffffff815fcc0d (scsi_sg_free+0x5d/0x70) ./drivers/scsi/scsi_lib.c:622
#4 ffffffff814cc28b (__sg_free_table+0x9b/0xe0) ??:0
#5 inlined (__scsi_release_buffers+0x164/0x170) scsi_free_sgtable ./drivers/scsi/scsi_lib.c:651
#5 ffffffff815f9854 (__scsi_release_buffers+0x164/0x170) ./drivers/scsi/scsi_lib.c:658
#6 inlined (scsi_io_completion+0x827/0x8e0) scsi_release_buffers ./drivers/scsi/scsi_lib.c:693
#6 ffffffff815fdb37 (scsi_io_completion+0x827/0x8e0) ./drivers/scsi/scsi_lib.c:995
#7 ffffffff815edda6 (scsi_finish_command+0x176/0x210) ./drivers/scsi/scsi.c:847
#8 ffffffff815f810f (scsi_eh_flush_done_q+0x1df/0x230) ??:0
#9 ffffffff81670842 (ata_scsi_port_error_handler+0x932/0xc50) ??:0
#10 ffffffff81670c9e (ata_scsi_error+0x13e/0x190) ??:0
#11 ffffffff815f893e (scsi_error_handler+0x1ae/0xb70) ??:0
#12 ffffffff81115a96 (kthread+0x126/0x130) kthread.c:0
#13 ffffffff818eb49c (ret_from_fork+0x7c/0xb0) ./arch/x86/kernel/entry_64.S:569
previously allocated by thread T3645 here:
#0 inlined (kmem_cache_alloc+0x9a/0x4c0) slab_alloc ./mm/slab.c:3471
#0 ffffffff8127292a (kmem_cache_alloc+0x9a/0x4c0) ./mm/slab.c:3629
#1 ffffffff81209845 (mempool_alloc_slab+0x15/0x20) ??:0
#2 ffffffff81209a1d (mempool_alloc+0x7d/0x1a0) ??:0
#3 ffffffff815fcc7d (scsi_sg_alloc+0x5d/0x70) ./drivers/scsi/scsi_lib.c:630
#4 ffffffff814cca3c (__sg_alloc_table+0x8c/0x1e0) ??:0
#5 inlined (scsi_init_sgtable+0x4c/0x100) scsi_alloc_sgtable ./drivers/scsi/scsi_lib.c:640
#5 ffffffff815fc6bc (scsi_init_sgtable+0x4c/0x100) ./drivers/scsi/scsi_lib.c:1036
#6 ffffffff815fc7b1 (scsi_init_io+0x41/0x160) ./drivers/scsi/scsi_lib.c:1069
#7 ffffffff815fcb67 (scsi_setup_fs_cmnd+0x87/0xd0) ./drivers/scsi/scsi_lib.c:1219
#8 ffffffff8164912c (sd_prep_fn+0x5bc/0x1e00) ./drivers/scsi/sd.c:895
#9 ffffffff8148a9a1 (blk_peek_request+0x221/0x3f0) ./block/blk-core.c:2147
#10 ffffffff815fbce3 (scsi_request_fn+0x93/0xa20) ./drivers/scsi/scsi_lib.c:1568
#11 ffffffff8148737e (__blk_run_queue+0x7e/0xb0) ./block/blk-core.c:312
#12 inlined (cfq_insert_request+0x60c/0xb60) cfq_rq_enqueued ./block/cfq-iosched.c:3908
#12 ffffffff814af94c (cfq_insert_request+0x60c/0xb60) ./block/cfq-iosched.c:3925
#13 ffffffff814805d5 (__elv_add_request+0x275/0x480) ./block/elevator.c:653
#14 ffffffff8148b65f (blk_queue_bio+0x3ef/0x520) ./block/blk-core.c:1215
#15 ffffffff81487087 (generic_make_request+0x187/0x210) ./block/blk-core.c:1831
Shadow bytes around the buggy address:
ffff880034fcdd80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcde00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcde80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcdf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcdf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>ffff880034fce000: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
ffff880034fce080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
ffff880034fce100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fce180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fce200: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
ffff880034fce280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap redzone: fa
Heap kmalloc redzone: fb
Freed heap region: fd
Shadow gap: fe
=========================================================================
=========================================================================
ERROR: AddressSanitizer: heap-use-after-free on address ffff880034fce00c
ffff880034fce00c is located 12 bytes inside of 256-byte region [ffff880034fce000, ffff880034fce100)
READ of size 4 at ffff880034fce00c by thread T3645:
#0 inlined (asan_report_error+0x3e7/0x500) asan_describe_heap_address ./arch/x86/mm/asan/report.c:191
#0 ffffffff810d9af7 (asan_report_error+0x3e7/0x500) ./arch/x86/mm/asan/report.c:309
#1 ffffffff810d8c12 (asan_check_region.part.1+0x1b2/0x230) ./arch/x86/mm/asan/asan.c:263
#2 inlined (__tsan_read4+0x20/0x30) asan_check_region ./arch/x86/mm/asan/asan.c:275
#2 ffffffff810d8d10 (__tsan_read4+0x20/0x30) ./arch/x86/mm/asan/asan.c:275
#3 ffffffff81087a81 (nommu_map_sg+0xf1/0x160) pci-nommu.c:0
#4 inlined (ata_qc_issue+0x2e5/0x740) dma_map_sg_attrs ./include/asm-generic/dma-mapping-common.h:53
#4 inlined (ata_qc_issue+0x2e5/0x740) ata_sg_setup ./drivers/ata/libata-core.c:4707
#4 ffffffff816574e5 (ata_qc_issue+0x2e5/0x740) ./drivers/ata/libata-core.c:5082
#5 inlined (ata_scsi_queuecmd+0x249/0x620) ata_scsi_translate ./drivers/ata/libata-scsi.c:1838
#5 inlined (ata_scsi_queuecmd+0x249/0x620) __ata_scsi_queuecmd ./drivers/ata/libata-scsi.c:3426
#5 ffffffff816663b9 (ata_scsi_queuecmd+0x249/0x620) ./drivers/ata/libata-scsi.c:3475
#6 ffffffff815f03d7 (scsi_dispatch_cmd+0x1d7/0x4d0) ./drivers/scsi/scsi.c:752
#7 ffffffff815fc2e0 (scsi_request_fn+0x690/0xa20) ./drivers/scsi/scsi_lib.c:1638
#8 ffffffff8148737e (__blk_run_queue+0x7e/0xb0) ./block/blk-core.c:312
#9 inlined (cfq_insert_request+0x60c/0xb60) cfq_rq_enqueued ./block/cfq-iosched.c:3908
#9 ffffffff814af94c (cfq_insert_request+0x60c/0xb60) ./block/cfq-iosched.c:3925
#10 ffffffff814805d5 (__elv_add_request+0x275/0x480) ./block/elevator.c:653
#11 ffffffff8148b65f (blk_queue_bio+0x3ef/0x520) ./block/blk-core.c:1215
#12 ffffffff81487087 (generic_make_request+0x187/0x210) ./block/blk-core.c:1831
#13 ffffffff814871b2 (submit_bio+0xa2/0x1f0) ./block/blk-core.c:1883
#14 ffffffff812e9619 (mpage_readpage+0xa9/0xc0) ??:0
#15 ffffffff8138f0fb (ext4_readpage+0x4b/0xd0) ./fs/ext4/inode.c:2938
#16 inlined (generic_file_aio_read+0x546/0xa70) do_generic_file_read ./mm/filemap.c:1248
#16 ffffffff81208076 (generic_file_aio_read+0x546/0xa70) ./mm/filemap.c:1482
#17 ffffffff8128bea9 (do_sync_read+0xd9/0x120) ??:0
#18 ffffffff8128c7ea (vfs_read+0xfa/0x240) ??:0
#19 ffffffff8128da62 (SyS_read+0x72/0xd0) ??:0
#20 ffffffff818ecc75 (sysenter_dispatch+0x7/0x1a) ./arch/x86/ia32/ia32entry.S:163
freed by thread T1095 here:
#0 inlined (kmem_cache_free+0x55/0x2e0) __cache_free ./mm/slab.c:3590
#0 ffffffff812706b5 (kmem_cache_free+0x55/0x2e0) ./mm/slab.c:3799
#1 ffffffff81209867 (mempool_free_slab+0x17/0x20) ??:0
#2 ffffffff81209eff (mempool_free+0x8f/0xe0) ??:0
#3 ffffffff815fcc0d (scsi_sg_free+0x5d/0x70) ./drivers/scsi/scsi_lib.c:622
#4 ffffffff814cc28b (__sg_free_table+0x9b/0xe0) ??:0
#5 inlined (__scsi_release_buffers+0x164/0x170) scsi_free_sgtable ./drivers/scsi/scsi_lib.c:651
#5 ffffffff815f9854 (__scsi_release_buffers+0x164/0x170) ./drivers/scsi/scsi_lib.c:658
#6 inlined (scsi_io_completion+0x827/0x8e0) scsi_release_buffers ./drivers/scsi/scsi_lib.c:693
#6 ffffffff815fdb37 (scsi_io_completion+0x827/0x8e0) ./drivers/scsi/scsi_lib.c:995
#7 ffffffff815edda6 (scsi_finish_command+0x176/0x210) ./drivers/scsi/scsi.c:847
#8 ffffffff815f810f (scsi_eh_flush_done_q+0x1df/0x230) ??:0
#9 ffffffff81670842 (ata_scsi_port_error_handler+0x932/0xc50) ??:0
#10 ffffffff81670c9e (ata_scsi_error+0x13e/0x190) ??:0
#11 ffffffff815f893e (scsi_error_handler+0x1ae/0xb70) ??:0
#12 ffffffff81115a96 (kthread+0x126/0x130) kthread.c:0
#13 ffffffff818eb49c (ret_from_fork+0x7c/0xb0) ./arch/x86/kernel/entry_64.S:569
previously allocated by thread T3645 here:
#0 inlined (kmem_cache_alloc+0x9a/0x4c0) slab_alloc ./mm/slab.c:3471
#0 ffffffff8127292a (kmem_cache_alloc+0x9a/0x4c0) ./mm/slab.c:3629
#1 ffffffff81209845 (mempool_alloc_slab+0x15/0x20) ??:0
#2 ffffffff81209a1d (mempool_alloc+0x7d/0x1a0) ??:0
#3 ffffffff815fcc7d (scsi_sg_alloc+0x5d/0x70) ./drivers/scsi/scsi_lib.c:630
#4 ffffffff814cca3c (__sg_alloc_table+0x8c/0x1e0) ??:0
#5 inlined (scsi_init_sgtable+0x4c/0x100) scsi_alloc_sgtable ./drivers/scsi/scsi_lib.c:640
#5 ffffffff815fc6bc (scsi_init_sgtable+0x4c/0x100) ./drivers/scsi/scsi_lib.c:1036
#6 ffffffff815fc7b1 (scsi_init_io+0x41/0x160) ./drivers/scsi/scsi_lib.c:1069
#7 ffffffff815fcb67 (scsi_setup_fs_cmnd+0x87/0xd0) ./drivers/scsi/scsi_lib.c:1219
#8 ffffffff8164912c (sd_prep_fn+0x5bc/0x1e00) ./drivers/scsi/sd.c:895
#9 ffffffff8148a9a1 (blk_peek_request+0x221/0x3f0) ./block/blk-core.c:2147
#10 ffffffff815fbce3 (scsi_request_fn+0x93/0xa20) ./drivers/scsi/scsi_lib.c:1568
#11 ffffffff8148737e (__blk_run_queue+0x7e/0xb0) ./block/blk-core.c:312
#12 inlined (cfq_insert_request+0x60c/0xb60) cfq_rq_enqueued ./block/cfq-iosched.c:3908
#12 ffffffff814af94c (cfq_insert_request+0x60c/0xb60) ./block/cfq-iosched.c:3925
#13 ffffffff814805d5 (__elv_add_request+0x275/0x480) ./block/elevator.c:653
#14 ffffffff8148b65f (blk_queue_bio+0x3ef/0x520) ./block/blk-core.c:1215
#15 ffffffff81487087 (generic_make_request+0x187/0x210) ./block/blk-core.c:1831
Shadow bytes around the buggy address:
ffff880034fcdd80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcde00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcde80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcdf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcdf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>ffff880034fce000: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
ffff880034fce080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
ffff880034fce100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fce180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fce200: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
ffff880034fce280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap redzone: fa
Heap kmalloc redzone: fb
Freed heap region: fd
Shadow gap: fe
=========================================================================
=========================================================================
ERROR: AddressSanitizer: heap-use-after-free on address ffff880034fce00c
ffff880034fce00c is located 12 bytes inside of 256-byte region [ffff880034fce000, ffff880034fce100)
READ of size 4 at ffff880034fce00c by thread T3645:
#0 inlined (asan_report_error+0x3e7/0x500) asan_describe_heap_address ./arch/x86/mm/asan/report.c:191
#0 ffffffff810d9af7 (asan_report_error+0x3e7/0x500) ./arch/x86/mm/asan/report.c:309
#1 ffffffff810d8c12 (asan_check_region.part.1+0x1b2/0x230) ./arch/x86/mm/asan/asan.c:263
#2 inlined (__tsan_read4+0x20/0x30) asan_check_region ./arch/x86/mm/asan/asan.c:275
#2 ffffffff810d8d10 (__tsan_read4+0x20/0x30) ./arch/x86/mm/asan/asan.c:275
#3 ffffffff810879fc (nommu_map_sg+0x6c/0x160) pci-nommu.c:0
#4 inlined (ata_qc_issue+0x2e5/0x740) dma_map_sg_attrs ./include/asm-generic/dma-mapping-common.h:53
#4 inlined (ata_qc_issue+0x2e5/0x740) ata_sg_setup ./drivers/ata/libata-core.c:4707
#4 ffffffff816574e5 (ata_qc_issue+0x2e5/0x740) ./drivers/ata/libata-core.c:5082
#5 inlined (ata_scsi_queuecmd+0x249/0x620) ata_scsi_translate ./drivers/ata/libata-scsi.c:1838
#5 inlined (ata_scsi_queuecmd+0x249/0x620) __ata_scsi_queuecmd ./drivers/ata/libata-scsi.c:3426
#5 ffffffff816663b9 (ata_scsi_queuecmd+0x249/0x620) ./drivers/ata/libata-scsi.c:3475
#6 ffffffff815f03d7 (scsi_dispatch_cmd+0x1d7/0x4d0) ./drivers/scsi/scsi.c:752
#7 ffffffff815fc2e0 (scsi_request_fn+0x690/0xa20) ./drivers/scsi/scsi_lib.c:1638
#8 ffffffff8148737e (__blk_run_queue+0x7e/0xb0) ./block/blk-core.c:312
#9 inlined (cfq_insert_request+0x60c/0xb60) cfq_rq_enqueued ./block/cfq-iosched.c:3908
#9 ffffffff814af94c (cfq_insert_request+0x60c/0xb60) ./block/cfq-iosched.c:3925
#10 ffffffff814805d5 (__elv_add_request+0x275/0x480) ./block/elevator.c:653
#11 ffffffff8148b65f (blk_queue_bio+0x3ef/0x520) ./block/blk-core.c:1215
#12 ffffffff81487087 (generic_make_request+0x187/0x210) ./block/blk-core.c:1831
#13 ffffffff814871b2 (submit_bio+0xa2/0x1f0) ./block/blk-core.c:1883
#14 ffffffff812e9619 (mpage_readpage+0xa9/0xc0) ??:0
#15 ffffffff8138f0fb (ext4_readpage+0x4b/0xd0) ./fs/ext4/inode.c:2938
#16 inlined (generic_file_aio_read+0x546/0xa70) do_generic_file_read ./mm/filemap.c:1248
#16 ffffffff81208076 (generic_file_aio_read+0x546/0xa70) ./mm/filemap.c:1482
#17 ffffffff8128bea9 (do_sync_read+0xd9/0x120) ??:0
#18 ffffffff8128c7ea (vfs_read+0xfa/0x240) ??:0
#19 ffffffff8128da62 (SyS_read+0x72/0xd0) ??:0
#20 ffffffff818ecc75 (sysenter_dispatch+0x7/0x1a) ./arch/x86/ia32/ia32entry.S:163
freed by thread T1095 here:
#0 inlined (kmem_cache_free+0x55/0x2e0) __cache_free ./mm/slab.c:3590
#0 ffffffff812706b5 (kmem_cache_free+0x55/0x2e0) ./mm/slab.c:3799
#1 ffffffff81209867 (mempool_free_slab+0x17/0x20) ??:0
#2 ffffffff81209eff (mempool_free+0x8f/0xe0) ??:0
#3 ffffffff815fcc0d (scsi_sg_free+0x5d/0x70) ./drivers/scsi/scsi_lib.c:622
#4 ffffffff814cc28b (__sg_free_table+0x9b/0xe0) ??:0
#5 inlined (__scsi_release_buffers+0x164/0x170) scsi_free_sgtable ./drivers/scsi/scsi_lib.c:651
#5 ffffffff815f9854 (__scsi_release_buffers+0x164/0x170) ./drivers/scsi/scsi_lib.c:658
#6 inlined (scsi_io_completion+0x827/0x8e0) scsi_release_buffers ./drivers/scsi/scsi_lib.c:693
#6 ffffffff815fdb37 (scsi_io_completion+0x827/0x8e0) ./drivers/scsi/scsi_lib.c:995
#7 ffffffff815edda6 (scsi_finish_command+0x176/0x210) ./drivers/scsi/scsi.c:847
#8 ffffffff815f810f (scsi_eh_flush_done_q+0x1df/0x230) ??:0
#9 ffffffff81670842 (ata_scsi_port_error_handler+0x932/0xc50) ??:0
#10 ffffffff81670c9e (ata_scsi_error+0x13e/0x190) ??:0
#11 ffffffff815f893e (scsi_error_handler+0x1ae/0xb70) ??:0
#12 ffffffff81115a96 (kthread+0x126/0x130) kthread.c:0
#13 ffffffff818eb49c (ret_from_fork+0x7c/0xb0) ./arch/x86/kernel/entry_64.S:569
previously allocated by thread T3645 here:
#0 inlined (kmem_cache_alloc+0x9a/0x4c0) slab_alloc ./mm/slab.c:3471
#0 ffffffff8127292a (kmem_cache_alloc+0x9a/0x4c0) ./mm/slab.c:3629
#1 ffffffff81209845 (mempool_alloc_slab+0x15/0x20) ??:0
#2 ffffffff81209a1d (mempool_alloc+0x7d/0x1a0) ??:0
#3 ffffffff815fcc7d (scsi_sg_alloc+0x5d/0x70) ./drivers/scsi/scsi_lib.c:630
#4 ffffffff814cca3c (__sg_alloc_table+0x8c/0x1e0) ??:0
#5 inlined (scsi_init_sgtable+0x4c/0x100) scsi_alloc_sgtable ./drivers/scsi/scsi_lib.c:640
#5 ffffffff815fc6bc (scsi_init_sgtable+0x4c/0x100) ./drivers/scsi/scsi_lib.c:1036
#6 ffffffff815fc7b1 (scsi_init_io+0x41/0x160) ./drivers/scsi/scsi_lib.c:1069
#7 ffffffff815fcb67 (scsi_setup_fs_cmnd+0x87/0xd0) ./drivers/scsi/scsi_lib.c:1219
#8 ffffffff8164912c (sd_prep_fn+0x5bc/0x1e00) ./drivers/scsi/sd.c:895
#9 ffffffff8148a9a1 (blk_peek_request+0x221/0x3f0) ./block/blk-core.c:2147
#10 ffffffff815fbce3 (scsi_request_fn+0x93/0xa20) ./drivers/scsi/scsi_lib.c:1568
#11 ffffffff8148737e (__blk_run_queue+0x7e/0xb0) ./block/blk-core.c:312
#12 inlined (cfq_insert_request+0x60c/0xb60) cfq_rq_enqueued ./block/cfq-iosched.c:3908
#12 ffffffff814af94c (cfq_insert_request+0x60c/0xb60) ./block/cfq-iosched.c:3925
#13 ffffffff814805d5 (__elv_add_request+0x275/0x480) ./block/elevator.c:653
#14 ffffffff8148b65f (blk_queue_bio+0x3ef/0x520) ./block/blk-core.c:1215
#15 ffffffff81487087 (generic_make_request+0x187/0x210) ./block/blk-core.c:1831
Shadow bytes around the buggy address:
ffff880034fcdd80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcde00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcde80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcdf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcdf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>ffff880034fce000: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
ffff880034fce080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
ffff880034fce100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fce180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fce200: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
ffff880034fce280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap redzone: fa
Heap kmalloc redzone: fb
Freed heap region: fd
Shadow gap: fe
=========================================================================
=========================================================================
ERROR: AddressSanitizer: heap-use-after-free on address ffff880034fce018
ffff880034fce018 is located 24 bytes inside of 256-byte region [ffff880034fce000, ffff880034fce100)
WRITE of size 4 at ffff880034fce018 by thread T3645:
#0 inlined (asan_report_error+0x3e7/0x500) asan_describe_heap_address ./arch/x86/mm/asan/report.c:191
#0 ffffffff810d9af7 (asan_report_error+0x3e7/0x500) ./arch/x86/mm/asan/report.c:309
#1 ffffffff810d8c12 (asan_check_region.part.1+0x1b2/0x230) ./arch/x86/mm/asan/asan.c:263
#2 inlined (__tsan_write4+0x23/0x30) asan_check_region ./arch/x86/mm/asan/asan.c:281
#2 ffffffff810d8e03 (__tsan_write4+0x23/0x30) ./arch/x86/mm/asan/asan.c:281
#3 ffffffff81087a09 (nommu_map_sg+0x79/0x160) pci-nommu.c:0
#4 inlined (ata_qc_issue+0x2e5/0x740) dma_map_sg_attrs ./include/asm-generic/dma-mapping-common.h:53
#4 inlined (ata_qc_issue+0x2e5/0x740) ata_sg_setup ./drivers/ata/libata-core.c:4707
#4 ffffffff816574e5 (ata_qc_issue+0x2e5/0x740) ./drivers/ata/libata-core.c:5082
#5 inlined (ata_scsi_queuecmd+0x249/0x620) ata_scsi_translate ./drivers/ata/libata-scsi.c:1838
#5 inlined (ata_scsi_queuecmd+0x249/0x620) __ata_scsi_queuecmd ./drivers/ata/libata-scsi.c:3426
#5 ffffffff816663b9 (ata_scsi_queuecmd+0x249/0x620) ./drivers/ata/libata-scsi.c:3475
#6 ffffffff815f03d7 (scsi_dispatch_cmd+0x1d7/0x4d0) ./drivers/scsi/scsi.c:752
#7 ffffffff815fc2e0 (scsi_request_fn+0x690/0xa20) ./drivers/scsi/scsi_lib.c:1638
#8 ffffffff8148737e (__blk_run_queue+0x7e/0xb0) ./block/blk-core.c:312
#9 inlined (cfq_insert_request+0x60c/0xb60) cfq_rq_enqueued ./block/cfq-iosched.c:3908
#9 ffffffff814af94c (cfq_insert_request+0x60c/0xb60) ./block/cfq-iosched.c:3925
#10 ffffffff814805d5 (__elv_add_request+0x275/0x480) ./block/elevator.c:653
#11 ffffffff8148b65f (blk_queue_bio+0x3ef/0x520) ./block/blk-core.c:1215
#12 ffffffff81487087 (generic_make_request+0x187/0x210) ./block/blk-core.c:1831
#13 ffffffff814871b2 (submit_bio+0xa2/0x1f0) ./block/blk-core.c:1883
#14 ffffffff812e9619 (mpage_readpage+0xa9/0xc0) ??:0
#15 ffffffff8138f0fb (ext4_readpage+0x4b/0xd0) ./fs/ext4/inode.c:2938
#16 inlined (generic_file_aio_read+0x546/0xa70) do_generic_file_read ./mm/filemap.c:1248
#16 ffffffff81208076 (generic_file_aio_read+0x546/0xa70) ./mm/filemap.c:1482
#17 ffffffff8128bea9 (do_sync_read+0xd9/0x120) ??:0
#18 ffffffff8128c7ea (vfs_read+0xfa/0x240) ??:0
#19 ffffffff8128da62 (SyS_read+0x72/0xd0) ??:0
#20 ffffffff818ecc75 (sysenter_dispatch+0x7/0x1a) ./arch/x86/ia32/ia32entry.S:163
freed by thread T1095 here:
#0 inlined (kmem_cache_free+0x55/0x2e0) __cache_free ./mm/slab.c:3590
#0 ffffffff812706b5 (kmem_cache_free+0x55/0x2e0) ./mm/slab.c:3799
#1 ffffffff81209867 (mempool_free_slab+0x17/0x20) ??:0
#2 ffffffff81209eff (mempool_free+0x8f/0xe0) ??:0
#3 ffffffff815fcc0d (scsi_sg_free+0x5d/0x70) ./drivers/scsi/scsi_lib.c:622
#4 ffffffff814cc28b (__sg_free_table+0x9b/0xe0) ??:0
#5 inlined (__scsi_release_buffers+0x164/0x170) scsi_free_sgtable ./drivers/scsi/scsi_lib.c:651
#5 ffffffff815f9854 (__scsi_release_buffers+0x164/0x170) ./drivers/scsi/scsi_lib.c:658
#6 inlined (scsi_io_completion+0x827/0x8e0) scsi_release_buffers ./drivers/scsi/scsi_lib.c:693
#6 ffffffff815fdb37 (scsi_io_completion+0x827/0x8e0) ./drivers/scsi/scsi_lib.c:995
#7 ffffffff815edda6 (scsi_finish_command+0x176/0x210) ./drivers/scsi/scsi.c:847
#8 ffffffff815f810f (scsi_eh_flush_done_q+0x1df/0x230) ??:0
#9 ffffffff81670842 (ata_scsi_port_error_handler+0x932/0xc50) ??:0
#10 ffffffff81670c9e (ata_scsi_error+0x13e/0x190) ??:0
#11 ffffffff815f893e (scsi_error_handler+0x1ae/0xb70) ??:0
#12 ffffffff81115a96 (kthread+0x126/0x130) kthread.c:0
#13 ffffffff818eb49c (ret_from_fork+0x7c/0xb0) ./arch/x86/kernel/entry_64.S:569
previously allocated by thread T3645 here:
#0 inlined (kmem_cache_alloc+0x9a/0x4c0) slab_alloc ./mm/slab.c:3471
#0 ffffffff8127292a (kmem_cache_alloc+0x9a/0x4c0) ./mm/slab.c:3629
#1 ffffffff81209845 (mempool_alloc_slab+0x15/0x20) ??:0
#2 ffffffff81209a1d (mempool_alloc+0x7d/0x1a0) ??:0
#3 ffffffff815fcc7d (scsi_sg_alloc+0x5d/0x70) ./drivers/scsi/scsi_lib.c:630
#4 ffffffff814cca3c (__sg_alloc_table+0x8c/0x1e0) ??:0
#5 inlined (scsi_init_sgtable+0x4c/0x100) scsi_alloc_sgtable ./drivers/scsi/scsi_lib.c:640
#5 ffffffff815fc6bc (scsi_init_sgtable+0x4c/0x100) ./drivers/scsi/scsi_lib.c:1036
#6 ffffffff815fc7b1 (scsi_init_io+0x41/0x160) ./drivers/scsi/scsi_lib.c:1069
#7 ffffffff815fcb67 (scsi_setup_fs_cmnd+0x87/0xd0) ./drivers/scsi/scsi_lib.c:1219
#8 ffffffff8164912c (sd_prep_fn+0x5bc/0x1e00) ./drivers/scsi/sd.c:895
#9 ffffffff8148a9a1 (blk_peek_request+0x221/0x3f0) ./block/blk-core.c:2147
#10 ffffffff815fbce3 (scsi_request_fn+0x93/0xa20) ./drivers/scsi/scsi_lib.c:1568
#11 ffffffff8148737e (__blk_run_queue+0x7e/0xb0) ./block/blk-core.c:312
#12 inlined (cfq_insert_request+0x60c/0xb60) cfq_rq_enqueued ./block/cfq-iosched.c:3908
#12 ffffffff814af94c (cfq_insert_request+0x60c/0xb60) ./block/cfq-iosched.c:3925
#13 ffffffff814805d5 (__elv_add_request+0x275/0x480) ./block/elevator.c:653
#14 ffffffff8148b65f (blk_queue_bio+0x3ef/0x520) ./block/blk-core.c:1215
#15 ffffffff81487087 (generic_make_request+0x187/0x210) ./block/blk-core.c:1831
Shadow bytes around the buggy address:
ffff880034fcdd80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcde00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcde80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcdf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcdf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>ffff880034fce000: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd
ffff880034fce080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
ffff880034fce100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fce180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fce200: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
ffff880034fce280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap redzone: fa
Heap kmalloc redzone: fb
Freed heap region: fd
Shadow gap: fe
=========================================================================
=========================================================================
ERROR: AddressSanitizer: heap-use-after-free on address ffff880034fce000
ffff880034fce000 is located 0 bytes inside of 256-byte region [ffff880034fce000, ffff880034fce100)
READ of size 8 at ffff880034fce000 by thread T3645:
#0 inlined (asan_report_error+0x3e7/0x500) asan_describe_heap_address ./arch/x86/mm/asan/report.c:191
#0 ffffffff810d9af7 (asan_report_error+0x3e7/0x500) ./arch/x86/mm/asan/report.c:309
#1 ffffffff810d8c12 (asan_check_region.part.1+0x1b2/0x230) ./arch/x86/mm/asan/asan.c:263
#2 inlined (__tsan_read8+0x28/0x30) asan_check_region ./arch/x86/mm/asan/asan.c:276
#2 ffffffff810d8d48 (__tsan_read8+0x28/0x30) ./arch/x86/mm/asan/asan.c:276
#3 ffffffff814cc0ef (sg_next+0xf/0x40) ??:0
#4 ffffffff81087a15 (nommu_map_sg+0x85/0x160) pci-nommu.c:0
#5 inlined (ata_qc_issue+0x2e5/0x740) dma_map_sg_attrs ./include/asm-generic/dma-mapping-common.h:53
#5 inlined (ata_qc_issue+0x2e5/0x740) ata_sg_setup ./drivers/ata/libata-core.c:4707
#5 ffffffff816574e5 (ata_qc_issue+0x2e5/0x740) ./drivers/ata/libata-core.c:5082
#6 inlined (ata_scsi_queuecmd+0x249/0x620) ata_scsi_translate ./drivers/ata/libata-scsi.c:1838
#6 inlined (ata_scsi_queuecmd+0x249/0x620) __ata_scsi_queuecmd ./drivers/ata/libata-scsi.c:3426
#6 ffffffff816663b9 (ata_scsi_queuecmd+0x249/0x620) ./drivers/ata/libata-scsi.c:3475
#7 ffffffff815f03d7 (scsi_dispatch_cmd+0x1d7/0x4d0) ./drivers/scsi/scsi.c:752
#8 ffffffff815fc2e0 (scsi_request_fn+0x690/0xa20) ./drivers/scsi/scsi_lib.c:1638
#9 ffffffff8148737e (__blk_run_queue+0x7e/0xb0) ./block/blk-core.c:312
#10 inlined (cfq_insert_request+0x60c/0xb60) cfq_rq_enqueued ./block/cfq-iosched.c:3908
#10 ffffffff814af94c (cfq_insert_request+0x60c/0xb60) ./block/cfq-iosched.c:3925
#11 ffffffff814805d5 (__elv_add_request+0x275/0x480) ./block/elevator.c:653
#12 ffffffff8148b65f (blk_queue_bio+0x3ef/0x520) ./block/blk-core.c:1215
#13 ffffffff81487087 (generic_make_request+0x187/0x210) ./block/blk-core.c:1831
#14 ffffffff814871b2 (submit_bio+0xa2/0x1f0) ./block/blk-core.c:1883
#15 ffffffff812e9619 (mpage_readpage+0xa9/0xc0) ??:0
#16 ffffffff8138f0fb (ext4_readpage+0x4b/0xd0) ./fs/ext4/inode.c:2938
#17 inlined (generic_file_aio_read+0x546/0xa70) do_generic_file_read ./mm/filemap.c:1248
#17 ffffffff81208076 (generic_file_aio_read+0x546/0xa70) ./mm/filemap.c:1482
#18 ffffffff8128bea9 (do_sync_read+0xd9/0x120) ??:0
#19 ffffffff8128c7ea (vfs_read+0xfa/0x240) ??:0
#20 ffffffff8128da62 (SyS_read+0x72/0xd0) ??:0
#21 ffffffff818ecc75 (sysenter_dispatch+0x7/0x1a) ./arch/x86/ia32/ia32entry.S:163
freed by thread T1095 here:
#0 inlined (kmem_cache_free+0x55/0x2e0) __cache_free ./mm/slab.c:3590
#0 ffffffff812706b5 (kmem_cache_free+0x55/0x2e0) ./mm/slab.c:3799
#1 ffffffff81209867 (mempool_free_slab+0x17/0x20) ??:0
#2 ffffffff81209eff (mempool_free+0x8f/0xe0) ??:0
#3 ffffffff815fcc0d (scsi_sg_free+0x5d/0x70) ./drivers/scsi/scsi_lib.c:622
#4 ffffffff814cc28b (__sg_free_table+0x9b/0xe0) ??:0
#5 inlined (__scsi_release_buffers+0x164/0x170) scsi_free_sgtable ./drivers/scsi/scsi_lib.c:651
#5 ffffffff815f9854 (__scsi_release_buffers+0x164/0x170) ./drivers/scsi/scsi_lib.c:658
#6 inlined (scsi_io_completion+0x827/0x8e0) scsi_release_buffers ./drivers/scsi/scsi_lib.c:693
#6 ffffffff815fdb37 (scsi_io_completion+0x827/0x8e0) ./drivers/scsi/scsi_lib.c:995
#7 ffffffff815edda6 (scsi_finish_command+0x176/0x210) ./drivers/scsi/scsi.c:847
#8 ffffffff815f810f (scsi_eh_flush_done_q+0x1df/0x230) ??:0
#9 ffffffff81670842 (ata_scsi_port_error_handler+0x932/0xc50) ??:0
#10 ffffffff81670c9e (ata_scsi_error+0x13e/0x190) ??:0
#11 ffffffff815f893e (scsi_error_handler+0x1ae/0xb70) ??:0
#12 ffffffff81115a96 (kthread+0x126/0x130) kthread.c:0
#13 ffffffff818eb49c (ret_from_fork+0x7c/0xb0) ./arch/x86/kernel/entry_64.S:569
previously allocated by thread T3645 here:
#0 inlined (kmem_cache_alloc+0x9a/0x4c0) slab_alloc ./mm/slab.c:3471
#0 ffffffff8127292a (kmem_cache_alloc+0x9a/0x4c0) ./mm/slab.c:3629
#1 ffffffff81209845 (mempool_alloc_slab+0x15/0x20) ??:0
#2 ffffffff81209a1d (mempool_alloc+0x7d/0x1a0) ??:0
#3 ffffffff815fcc7d (scsi_sg_alloc+0x5d/0x70) ./drivers/scsi/scsi_lib.c:630
#4 ffffffff814cca3c (__sg_alloc_table+0x8c/0x1e0) ??:0
#5 inlined (scsi_init_sgtable+0x4c/0x100) scsi_alloc_sgtable ./drivers/scsi/scsi_lib.c:640
#5 ffffffff815fc6bc (scsi_init_sgtable+0x4c/0x100) ./drivers/scsi/scsi_lib.c:1036
#6 ffffffff815fc7b1 (scsi_init_io+0x41/0x160) ./drivers/scsi/scsi_lib.c:1069
#7 ffffffff815fcb67 (scsi_setup_fs_cmnd+0x87/0xd0) ./drivers/scsi/scsi_lib.c:1219
#8 ffffffff8164912c (sd_prep_fn+0x5bc/0x1e00) ./drivers/scsi/sd.c:895
#9 ffffffff8148a9a1 (blk_peek_request+0x221/0x3f0) ./block/blk-core.c:2147
#10 ffffffff815fbce3 (scsi_request_fn+0x93/0xa20) ./drivers/scsi/scsi_lib.c:1568
#11 ffffffff8148737e (__blk_run_queue+0x7e/0xb0) ./block/blk-core.c:312
#12 inlined (cfq_insert_request+0x60c/0xb60) cfq_rq_enqueued ./block/cfq-iosched.c:3908
#12 ffffffff814af94c (cfq_insert_request+0x60c/0xb60) ./block/cfq-iosched.c:3925
#13 ffffffff814805d5 (__elv_add_request+0x275/0x480) ./block/elevator.c:653
#14 ffffffff8148b65f (blk_queue_bio+0x3ef/0x520) ./block/blk-core.c:1215
#15 ffffffff81487087 (generic_make_request+0x187/0x210) ./block/blk-core.c:1831
Shadow bytes around the buggy address:
ffff880034fcdd80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcde00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcde80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcdf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcdf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>ffff880034fce000:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
ffff880034fce080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
ffff880034fce100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fce180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fce200: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
ffff880034fce280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap redzone: fa
Heap kmalloc redzone: fb
Freed heap region: fd
Shadow gap: fe
=========================================================================
=========================================================================
ERROR: AddressSanitizer: heap-use-after-free on address ffff880034fce010
ffff880034fce010 is located 16 bytes inside of 256-byte region [ffff880034fce000, ffff880034fce100)
READ of size 8 at ffff880034fce010 by thread T3645:
#0 inlined (asan_report_error+0x3e7/0x500) asan_describe_heap_address ./arch/x86/mm/asan/report.c:191
#0 ffffffff810d9af7 (asan_report_error+0x3e7/0x500) ./arch/x86/mm/asan/report.c:309
#1 ffffffff810d8c12 (asan_check_region.part.1+0x1b2/0x230) ./arch/x86/mm/asan/asan.c:263
#2 inlined (__tsan_read8+0x28/0x30) asan_check_region ./arch/x86/mm/asan/asan.c:276
#2 ffffffff810d8d48 (__tsan_read8+0x28/0x30) ./arch/x86/mm/asan/asan.c:276
#3 inlined (ata_bmdma_qc_prep+0xbd/0x1e0) ata_bmdma_fill_sg ./drivers/ata/libata-sff.c:2657
#3 ffffffff8167337d (ata_bmdma_qc_prep+0xbd/0x1e0) ./drivers/ata/libata-sff.c:2753
#4 ffffffff81657682 (ata_qc_issue+0x482/0x740) ./drivers/ata/libata-core.c:5093
#5 inlined (ata_scsi_queuecmd+0x249/0x620) ata_scsi_translate ./drivers/ata/libata-scsi.c:1838
#5 inlined (ata_scsi_queuecmd+0x249/0x620) __ata_scsi_queuecmd ./drivers/ata/libata-scsi.c:3426
#5 ffffffff816663b9 (ata_scsi_queuecmd+0x249/0x620) ./drivers/ata/libata-scsi.c:3475
#6 ffffffff815f03d7 (scsi_dispatch_cmd+0x1d7/0x4d0) ./drivers/scsi/scsi.c:752
#7 ffffffff815fc2e0 (scsi_request_fn+0x690/0xa20) ./drivers/scsi/scsi_lib.c:1638
#8 ffffffff8148737e (__blk_run_queue+0x7e/0xb0) ./block/blk-core.c:312
#9 inlined (cfq_insert_request+0x60c/0xb60) cfq_rq_enqueued ./block/cfq-iosched.c:3908
#9 ffffffff814af94c (cfq_insert_request+0x60c/0xb60) ./block/cfq-iosched.c:3925
#10 ffffffff814805d5 (__elv_add_request+0x275/0x480) ./block/elevator.c:653
#11 ffffffff8148b65f (blk_queue_bio+0x3ef/0x520) ./block/blk-core.c:1215
#12 ffffffff81487087 (generic_make_request+0x187/0x210) ./block/blk-core.c:1831
#13 ffffffff814871b2 (submit_bio+0xa2/0x1f0) ./block/blk-core.c:1883
#14 ffffffff812e9619 (mpage_readpage+0xa9/0xc0) ??:0
#15 ffffffff8138f0fb (ext4_readpage+0x4b/0xd0) ./fs/ext4/inode.c:2938
#16 inlined (generic_file_aio_read+0x546/0xa70) do_generic_file_read ./mm/filemap.c:1248
#16 ffffffff81208076 (generic_file_aio_read+0x546/0xa70) ./mm/filemap.c:1482
#17 ffffffff8128bea9 (do_sync_read+0xd9/0x120) ??:0
#18 ffffffff8128c7ea (vfs_read+0xfa/0x240) ??:0
#19 ffffffff8128da62 (SyS_read+0x72/0xd0) ??:0
#20 ffffffff818ecc75 (sysenter_dispatch+0x7/0x1a) ./arch/x86/ia32/ia32entry.S:163
freed by thread T1095 here:
#0 inlined (kmem_cache_free+0x55/0x2e0) __cache_free ./mm/slab.c:3590
#0 ffffffff812706b5 (kmem_cache_free+0x55/0x2e0) ./mm/slab.c:3799
#1 ffffffff81209867 (mempool_free_slab+0x17/0x20) ??:0
#2 ffffffff81209eff (mempool_free+0x8f/0xe0) ??:0
#3 ffffffff815fcc0d (scsi_sg_free+0x5d/0x70) ./drivers/scsi/scsi_lib.c:622
#4 ffffffff814cc28b (__sg_free_table+0x9b/0xe0) ??:0
#5 inlined (__scsi_release_buffers+0x164/0x170) scsi_free_sgtable ./drivers/scsi/scsi_lib.c:651
#5 ffffffff815f9854 (__scsi_release_buffers+0x164/0x170) ./drivers/scsi/scsi_lib.c:658
#6 inlined (scsi_io_completion+0x827/0x8e0) scsi_release_buffers ./drivers/scsi/scsi_lib.c:693
#6 ffffffff815fdb37 (scsi_io_completion+0x827/0x8e0) ./drivers/scsi/scsi_lib.c:995
#7 ffffffff815edda6 (scsi_finish_command+0x176/0x210) ./drivers/scsi/scsi.c:847
#8 ffffffff815f810f (scsi_eh_flush_done_q+0x1df/0x230) ??:0
#9 ffffffff81670842 (ata_scsi_port_error_handler+0x932/0xc50) ??:0
#10 ffffffff81670c9e (ata_scsi_error+0x13e/0x190) ??:0
#11 ffffffff815f893e (scsi_error_handler+0x1ae/0xb70) ??:0
#12 ffffffff81115a96 (kthread+0x126/0x130) kthread.c:0
#13 ffffffff818eb49c (ret_from_fork+0x7c/0xb0) ./arch/x86/kernel/entry_64.S:569
previously allocated by thread T3645 here:
#0 inlined (kmem_cache_alloc+0x9a/0x4c0) slab_alloc ./mm/slab.c:3471
#0 ffffffff8127292a (kmem_cache_alloc+0x9a/0x4c0) ./mm/slab.c:3629
#1 ffffffff81209845 (mempool_alloc_slab+0x15/0x20) ??:0
#2 ffffffff81209a1d (mempool_alloc+0x7d/0x1a0) ??:0
#3 ffffffff815fcc7d (scsi_sg_alloc+0x5d/0x70) ./drivers/scsi/scsi_lib.c:630
#4 ffffffff814cca3c (__sg_alloc_table+0x8c/0x1e0) ??:0
#5 inlined (scsi_init_sgtable+0x4c/0x100) scsi_alloc_sgtable ./drivers/scsi/scsi_lib.c:640
#5 ffffffff815fc6bc (scsi_init_sgtable+0x4c/0x100) ./drivers/scsi/scsi_lib.c:1036
#6 ffffffff815fc7b1 (scsi_init_io+0x41/0x160) ./drivers/scsi/scsi_lib.c:1069
#7 ffffffff815fcb67 (scsi_setup_fs_cmnd+0x87/0xd0) ./drivers/scsi/scsi_lib.c:1219
#8 ffffffff8164912c (sd_prep_fn+0x5bc/0x1e00) ./drivers/scsi/sd.c:895
#9 ffffffff8148a9a1 (blk_peek_request+0x221/0x3f0) ./block/blk-core.c:2147
#10 ffffffff815fbce3 (scsi_request_fn+0x93/0xa20) ./drivers/scsi/scsi_lib.c:1568
#11 ffffffff8148737e (__blk_run_queue+0x7e/0xb0) ./block/blk-core.c:312
#12 inlined (cfq_insert_request+0x60c/0xb60) cfq_rq_enqueued ./block/cfq-iosched.c:3908
#12 ffffffff814af94c (cfq_insert_request+0x60c/0xb60) ./block/cfq-iosched.c:3925
#13 ffffffff814805d5 (__elv_add_request+0x275/0x480) ./block/elevator.c:653
#14 ffffffff8148b65f (blk_queue_bio+0x3ef/0x520) ./block/blk-core.c:1215
#15 ffffffff81487087 (generic_make_request+0x187/0x210) ./block/blk-core.c:1831
Shadow bytes around the buggy address:
ffff880034fcdd80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcde00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcde80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcdf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcdf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>ffff880034fce000: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
ffff880034fce080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
ffff880034fce100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fce180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fce200: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
ffff880034fce280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap redzone: fa
Heap kmalloc redzone: fb
Freed heap region: fd
Shadow gap: fe
=========================================================================
=========================================================================
ERROR: AddressSanitizer: heap-use-after-free on address ffff880034fce018
ffff880034fce018 is located 24 bytes inside of 256-byte region [ffff880034fce000, ffff880034fce100)
READ of size 4 at ffff880034fce018 by thread T3645:
#0 inlined (asan_report_error+0x3e7/0x500) asan_describe_heap_address ./arch/x86/mm/asan/report.c:191
#0 ffffffff810d9af7 (asan_report_error+0x3e7/0x500) ./arch/x86/mm/asan/report.c:309
#1 ffffffff810d8c12 (asan_check_region.part.1+0x1b2/0x230) ./arch/x86/mm/asan/asan.c:263
#2 inlined (__tsan_read4+0x20/0x30) asan_check_region ./arch/x86/mm/asan/asan.c:275
#2 ffffffff810d8d10 (__tsan_read4+0x20/0x30) ./arch/x86/mm/asan/asan.c:275
#3 inlined (ata_bmdma_qc_prep+0xca/0x1e0) ata_bmdma_fill_sg ./drivers/ata/libata-sff.c:2658
#3 ffffffff8167338a (ata_bmdma_qc_prep+0xca/0x1e0) ./drivers/ata/libata-sff.c:2753
#4 ffffffff81657682 (ata_qc_issue+0x482/0x740) ./drivers/ata/libata-core.c:5093
#5 inlined (ata_scsi_queuecmd+0x249/0x620) ata_scsi_translate ./drivers/ata/libata-scsi.c:1838
#5 inlined (ata_scsi_queuecmd+0x249/0x620) __ata_scsi_queuecmd ./drivers/ata/libata-scsi.c:3426
#5 ffffffff816663b9 (ata_scsi_queuecmd+0x249/0x620) ./drivers/ata/libata-scsi.c:3475
#6 ffffffff815f03d7 (scsi_dispatch_cmd+0x1d7/0x4d0) ./drivers/scsi/scsi.c:752
#7 ffffffff815fc2e0 (scsi_request_fn+0x690/0xa20) ./drivers/scsi/scsi_lib.c:1638
#8 ffffffff8148737e (__blk_run_queue+0x7e/0xb0) ./block/blk-core.c:312
#9 inlined (cfq_insert_request+0x60c/0xb60) cfq_rq_enqueued ./block/cfq-iosched.c:3908
#9 ffffffff814af94c (cfq_insert_request+0x60c/0xb60) ./block/cfq-iosched.c:3925
#10 ffffffff814805d5 (__elv_add_request+0x275/0x480) ./block/elevator.c:653
#11 ffffffff8148b65f (blk_queue_bio+0x3ef/0x520) ./block/blk-core.c:1215
#12 ffffffff81487087 (generic_make_request+0x187/0x210) ./block/blk-core.c:1831
#13 ffffffff814871b2 (submit_bio+0xa2/0x1f0) ./block/blk-core.c:1883
#14 ffffffff812e9619 (mpage_readpage+0xa9/0xc0) ??:0
#15 ffffffff8138f0fb (ext4_readpage+0x4b/0xd0) ./fs/ext4/inode.c:2938
#16 inlined (generic_file_aio_read+0x546/0xa70) do_generic_file_read ./mm/filemap.c:1248
#16 ffffffff81208076 (generic_file_aio_read+0x546/0xa70) ./mm/filemap.c:1482
#17 ffffffff8128bea9 (do_sync_read+0xd9/0x120) ??:0
#18 ffffffff8128c7ea (vfs_read+0xfa/0x240) ??:0
#19 ffffffff8128da62 (SyS_read+0x72/0xd0) ??:0
#20 ffffffff818ecc75 (sysenter_dispatch+0x7/0x1a) ./arch/x86/ia32/ia32entry.S:163
freed by thread T1095 here:
#0 inlined (kmem_cache_free+0x55/0x2e0) __cache_free ./mm/slab.c:3590
#0 ffffffff812706b5 (kmem_cache_free+0x55/0x2e0) ./mm/slab.c:3799
#1 ffffffff81209867 (mempool_free_slab+0x17/0x20) ??:0
#2 ffffffff81209eff (mempool_free+0x8f/0xe0) ??:0
#3 ffffffff815fcc0d (scsi_sg_free+0x5d/0x70) ./drivers/scsi/scsi_lib.c:622
#4 ffffffff814cc28b (__sg_free_table+0x9b/0xe0) ??:0
#5 inlined (__scsi_release_buffers+0x164/0x170) scsi_free_sgtable ./drivers/scsi/scsi_lib.c:651
#5 ffffffff815f9854 (__scsi_release_buffers+0x164/0x170) ./drivers/scsi/scsi_lib.c:658
#6 inlined (scsi_io_completion+0x827/0x8e0) scsi_release_buffers ./drivers/scsi/scsi_lib.c:693
#6 ffffffff815fdb37 (scsi_io_completion+0x827/0x8e0) ./drivers/scsi/scsi_lib.c:995
#7 ffffffff815edda6 (scsi_finish_command+0x176/0x210) ./drivers/scsi/scsi.c:847
#8 ffffffff815f810f (scsi_eh_flush_done_q+0x1df/0x230) ??:0
#9 ffffffff81670842 (ata_scsi_port_error_handler+0x932/0xc50) ??:0
#10 ffffffff81670c9e (ata_scsi_error+0x13e/0x190) ??:0
#11 ffffffff815f893e (scsi_error_handler+0x1ae/0xb70) ??:0
#12 ffffffff81115a96 (kthread+0x126/0x130) kthread.c:0
#13 ffffffff818eb49c (ret_from_fork+0x7c/0xb0) ./arch/x86/kernel/entry_64.S:569
previously allocated by thread T3645 here:
#0 inlined (kmem_cache_alloc+0x9a/0x4c0) slab_alloc ./mm/slab.c:3471
#0 ffffffff8127292a (kmem_cache_alloc+0x9a/0x4c0) ./mm/slab.c:3629
#1 ffffffff81209845 (mempool_alloc_slab+0x15/0x20) ??:0
#2 ffffffff81209a1d (mempool_alloc+0x7d/0x1a0) ??:0
#3 ffffffff815fcc7d (scsi_sg_alloc+0x5d/0x70) ./drivers/scsi/scsi_lib.c:630
#4 ffffffff814cca3c (__sg_alloc_table+0x8c/0x1e0) ??:0
#5 inlined (scsi_init_sgtable+0x4c/0x100) scsi_alloc_sgtable ./drivers/scsi/scsi_lib.c:640
#5 ffffffff815fc6bc (scsi_init_sgtable+0x4c/0x100) ./drivers/scsi/scsi_lib.c:1036
#6 ffffffff815fc7b1 (scsi_init_io+0x41/0x160) ./drivers/scsi/scsi_lib.c:1069
#7 ffffffff815fcb67 (scsi_setup_fs_cmnd+0x87/0xd0) ./drivers/scsi/scsi_lib.c:1219
#8 ffffffff8164912c (sd_prep_fn+0x5bc/0x1e00) ./drivers/scsi/sd.c:895
#9 ffffffff8148a9a1 (blk_peek_request+0x221/0x3f0) ./block/blk-core.c:2147
#10 ffffffff815fbce3 (scsi_request_fn+0x93/0xa20) ./drivers/scsi/scsi_lib.c:1568
#11 ffffffff8148737e (__blk_run_queue+0x7e/0xb0) ./block/blk-core.c:312
#12 inlined (cfq_insert_request+0x60c/0xb60) cfq_rq_enqueued ./block/cfq-iosched.c:3908
#12 ffffffff814af94c (cfq_insert_request+0x60c/0xb60) ./block/cfq-iosched.c:3925
#13 ffffffff814805d5 (__elv_add_request+0x275/0x480) ./block/elevator.c:653
#14 ffffffff8148b65f (blk_queue_bio+0x3ef/0x520) ./block/blk-core.c:1215
#15 ffffffff81487087 (generic_make_request+0x187/0x210) ./block/blk-core.c:1831
Shadow bytes around the buggy address:
ffff880034fcdd80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcde00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcde80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcdf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcdf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>ffff880034fce000: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd
ffff880034fce080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
ffff880034fce100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fce180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fce200: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
ffff880034fce280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap redzone: fa
Heap kmalloc redzone: fb
Freed heap region: fd
Shadow gap: fe
=========================================================================
=========================================================================
ERROR: AddressSanitizer: heap-use-after-free on address ffff880034fce000
ffff880034fce000 is located 0 bytes inside of 256-byte region [ffff880034fce000, ffff880034fce100)
READ of size 8 at ffff880034fce000 by thread T3645:
#0 inlined (asan_report_error+0x3e7/0x500) asan_describe_heap_address ./arch/x86/mm/asan/report.c:191
#0 ffffffff810d9af7 (asan_report_error+0x3e7/0x500) ./arch/x86/mm/asan/report.c:309
#1 ffffffff810d8c12 (asan_check_region.part.1+0x1b2/0x230) ./arch/x86/mm/asan/asan.c:263
#2 inlined (__tsan_read8+0x28/0x30) asan_check_region ./arch/x86/mm/asan/asan.c:276
#2 ffffffff810d8d48 (__tsan_read8+0x28/0x30) ./arch/x86/mm/asan/asan.c:276
#3 ffffffff814cc0ef (sg_next+0xf/0x40) ??:0
#4 inlined (ata_bmdma_qc_prep+0x16d/0x1e0) ata_bmdma_fill_sg ./drivers/ata/libata-sff.c:2649
#4 ffffffff8167342d (ata_bmdma_qc_prep+0x16d/0x1e0) ./drivers/ata/libata-sff.c:2753
#5 ffffffff81657682 (ata_qc_issue+0x482/0x740) ./drivers/ata/libata-core.c:5093
#6 inlined (ata_scsi_queuecmd+0x249/0x620) ata_scsi_translate ./drivers/ata/libata-scsi.c:1838
#6 inlined (ata_scsi_queuecmd+0x249/0x620) __ata_scsi_queuecmd ./drivers/ata/libata-scsi.c:3426
#6 ffffffff816663b9 (ata_scsi_queuecmd+0x249/0x620) ./drivers/ata/libata-scsi.c:3475
#7 ffffffff815f03d7 (scsi_dispatch_cmd+0x1d7/0x4d0) ./drivers/scsi/scsi.c:752
#8 ffffffff815fc2e0 (scsi_request_fn+0x690/0xa20) ./drivers/scsi/scsi_lib.c:1638
#9 ffffffff8148737e (__blk_run_queue+0x7e/0xb0) ./block/blk-core.c:312
#10 inlined (cfq_insert_request+0x60c/0xb60) cfq_rq_enqueued ./block/cfq-iosched.c:3908
#10 ffffffff814af94c (cfq_insert_request+0x60c/0xb60) ./block/cfq-iosched.c:3925
#11 ffffffff814805d5 (__elv_add_request+0x275/0x480) ./block/elevator.c:653
#12 ffffffff8148b65f (blk_queue_bio+0x3ef/0x520) ./block/blk-core.c:1215
#13 ffffffff81487087 (generic_make_request+0x187/0x210) ./block/blk-core.c:1831
#14 ffffffff814871b2 (submit_bio+0xa2/0x1f0) ./block/blk-core.c:1883
#15 ffffffff812e9619 (mpage_readpage+0xa9/0xc0) ??:0
#16 ffffffff8138f0fb (ext4_readpage+0x4b/0xd0) ./fs/ext4/inode.c:2938
#17 inlined (generic_file_aio_read+0x546/0xa70) do_generic_file_read ./mm/filemap.c:1248
#17 ffffffff81208076 (generic_file_aio_read+0x546/0xa70) ./mm/filemap.c:1482
#18 ffffffff8128bea9 (do_sync_read+0xd9/0x120) ??:0
#19 ffffffff8128c7ea (vfs_read+0xfa/0x240) ??:0
#20 ffffffff8128da62 (SyS_read+0x72/0xd0) ??:0
#21 ffffffff818ecc75 (sysenter_dispatch+0x7/0x1a) ./arch/x86/ia32/ia32entry.S:163
freed by thread T1095 here:
#0 inlined (kmem_cache_free+0x55/0x2e0) __cache_free ./mm/slab.c:3590
#0 ffffffff812706b5 (kmem_cache_free+0x55/0x2e0) ./mm/slab.c:3799
#1 ffffffff81209867 (mempool_free_slab+0x17/0x20) ??:0
#2 ffffffff81209eff (mempool_free+0x8f/0xe0) ??:0
#3 ffffffff815fcc0d (scsi_sg_free+0x5d/0x70) ./drivers/scsi/scsi_lib.c:622
#4 ffffffff814cc28b (__sg_free_table+0x9b/0xe0) ??:0
#5 inlined (__scsi_release_buffers+0x164/0x170) scsi_free_sgtable ./drivers/scsi/scsi_lib.c:651
#5 ffffffff815f9854 (__scsi_release_buffers+0x164/0x170) ./drivers/scsi/scsi_lib.c:658
#6 inlined (scsi_io_completion+0x827/0x8e0) scsi_release_buffers ./drivers/scsi/scsi_lib.c:693
#6 ffffffff815fdb37 (scsi_io_completion+0x827/0x8e0) ./drivers/scsi/scsi_lib.c:995
#7 ffffffff815edda6 (scsi_finish_command+0x176/0x210) ./drivers/scsi/scsi.c:847
#8 ffffffff815f810f (scsi_eh_flush_done_q+0x1df/0x230) ??:0
#9 ffffffff81670842 (ata_scsi_port_error_handler+0x932/0xc50) ??:0
#10 ffffffff81670c9e (ata_scsi_error+0x13e/0x190) ??:0
#11 ffffffff815f893e (scsi_error_handler+0x1ae/0xb70) ??:0
#12 ffffffff81115a96 (kthread+0x126/0x130) kthread.c:0
#13 ffffffff818eb49c (ret_from_fork+0x7c/0xb0) ./arch/x86/kernel/entry_64.S:569
previously allocated by thread T3645 here:
#0 inlined (kmem_cache_alloc+0x9a/0x4c0) slab_alloc ./mm/slab.c:3471
#0 ffffffff8127292a (kmem_cache_alloc+0x9a/0x4c0) ./mm/slab.c:3629
#1 ffffffff81209845 (mempool_alloc_slab+0x15/0x20) ??:0
#2 ffffffff81209a1d (mempool_alloc+0x7d/0x1a0) ??:0
#3 ffffffff815fcc7d (scsi_sg_alloc+0x5d/0x70) ./drivers/scsi/scsi_lib.c:630
#4 ffffffff814cca3c (__sg_alloc_table+0x8c/0x1e0) ??:0
#5 inlined (scsi_init_sgtable+0x4c/0x100) scsi_alloc_sgtable ./drivers/scsi/scsi_lib.c:640
#5 ffffffff815fc6bc (scsi_init_sgtable+0x4c/0x100) ./drivers/scsi/scsi_lib.c:1036
#6 ffffffff815fc7b1 (scsi_init_io+0x41/0x160) ./drivers/scsi/scsi_lib.c:1069
#7 ffffffff815fcb67 (scsi_setup_fs_cmnd+0x87/0xd0) ./drivers/scsi/scsi_lib.c:1219
#8 ffffffff8164912c (sd_prep_fn+0x5bc/0x1e00) ./drivers/scsi/sd.c:895
#9 ffffffff8148a9a1 (blk_peek_request+0x221/0x3f0) ./block/blk-core.c:2147
#10 ffffffff815fbce3 (scsi_request_fn+0x93/0xa20) ./drivers/scsi/scsi_lib.c:1568
#11 ffffffff8148737e (__blk_run_queue+0x7e/0xb0) ./block/blk-core.c:312
#12 inlined (cfq_insert_request+0x60c/0xb60) cfq_rq_enqueued ./block/cfq-iosched.c:3908
#12 ffffffff814af94c (cfq_insert_request+0x60c/0xb60) ./block/cfq-iosched.c:3925
#13 ffffffff814805d5 (__elv_add_request+0x275/0x480) ./block/elevator.c:653
#14 ffffffff8148b65f (blk_queue_bio+0x3ef/0x520) ./block/blk-core.c:1215
#15 ffffffff81487087 (generic_make_request+0x187/0x210) ./block/blk-core.c:1831
Shadow bytes around the buggy address:
ffff880034fcdd80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcde00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcde80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcdf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fcdf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>ffff880034fce000:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
ffff880034fce080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
ffff880034fce100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fce180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880034fce200: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
ffff880034fce280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap redzone: fa
Heap kmalloc redzone: fb
Freed heap region: fd
Shadow gap: fe
=========================================================================
=========================================================================
ERROR: AddressSanitizer: heap-use-after-free on address ffff88001cfd4b90
ffff88001cfd4b90 is located 80 bytes inside of 232-byte region [ffff88001cfd4b40, ffff88001cfd4c28)
READ of size 8 at ffff88001cfd4b90 by thread T3645:
#0 inlined (asan_report_error+0x3e7/0x500) asan_describe_heap_address ./arch/x86/mm/asan/report.c:191
#0 ffffffff810d9af7 (asan_report_error+0x3e7/0x500) ./arch/x86/mm/asan/report.c:309
#1 ffffffff810d8c12 (asan_check_region.part.1+0x1b2/0x230) ./arch/x86/mm/asan/asan.c:263
#2 inlined (__tsan_read8+0x28/0x30) asan_check_region ./arch/x86/mm/asan/asan.c:276
#2 ffffffff810d8d48 (__tsan_read8+0x28/0x30) ./arch/x86/mm/asan/asan.c:276
#3 ffffffff8166288f (ata_scsi_qc_complete+0x3f/0x570) ./drivers/ata/libata-scsi.c:1738
#4 ffffffff81656aae (__ata_qc_complete+0x14e/0x2d0) ./drivers/ata/libata-core.c:4858
#5 ffffffff81656d9b (ata_qc_complete+0x16b/0x490) ./drivers/ata/libata-core.c:4971
#6 ffffffff816759f5 (ata_hsm_qc_complete+0x75/0x1e0) ./drivers/ata/libata-sff.c:1021
#7 ffffffff81675c75 (ata_sff_hsm_move+0x115/0xd30) ./drivers/ata/libata-sff.c:1293
#8 ffffffff81676995 (__ata_sff_port_intr+0x105/0x230) ./drivers/ata/libata-sff.c:1569
#9 ffffffff81676f3d (ata_bmdma_port_intr+0x4d/0x1e0) ./drivers/ata/libata-sff.c:2873
#10 inlined (ata_bmdma_interrupt+0x163/0x320) __ata_sff_interrupt ./drivers/ata/libata-sff.c:1614
#10 ffffffff81677603 (ata_bmdma_interrupt+0x163/0x320) ./drivers/ata/libata-sff.c:2898
#11 ffffffff81155eb3 (handle_irq_event_percpu+0x73/0x300) ??:0
#12 ffffffff811561bf (handle_irq_event+0x7f/0xc0) ??:0
#13 ffffffff81159e83 (handle_edge_irq+0xf3/0x270) ??:0
#14 ffffffff8108018e (handle_irq+0x2e/0x40) ??:0
#15 ffffffff818ed256 (do_IRQ+0x56/0xf0) ./arch/x86/kernel/irq.c:193
#16 ffffffff818deeea (ret_from_intr+0x0/0xe) ./arch/x86/kernel/entry_64.S:1006
#17 inlined (irq_exit+0x10d/0x120) invoke_softirq ./kernel/softirq.c:332
#17 ffffffff810eae0d (irq_exit+0x10d/0x120) ./kernel/softirq.c:365
#18 ffffffff818ed34e (smp_apic_timer_interrupt+0x5e/0x70) ././arch/x86/include/asm/apic.h:708
#19 ffffffff818ec10a (apic_timer_interrupt+0x6a/0x70) ./arch/x86/kernel/entry_64.S:1181
#20 ffffffff816663ce (ata_scsi_queuecmd+0x25e/0x620) ./include/linux/spinlock.h:348
#21 ffffffff815f03d7 (scsi_dispatch_cmd+0x1d7/0x4d0) ./drivers/scsi/scsi.c:752
#22 ffffffff815fc2e0 (scsi_request_fn+0x690/0xa20) ./drivers/scsi/scsi_lib.c:1638
#23 ffffffff8148737e (__blk_run_queue+0x7e/0xb0) ./block/blk-core.c:312
#24 inlined (cfq_insert_request+0x60c/0xb60) cfq_rq_enqueued ./block/cfq-iosched.c:3908
#24 ffffffff814af94c (cfq_insert_request+0x60c/0xb60) ./block/cfq-iosched.c:3925
#25 ffffffff814805d5 (__elv_add_request+0x275/0x480) ./block/elevator.c:653
#26 ffffffff8148b65f (blk_queue_bio+0x3ef/0x520) ./block/blk-core.c:1215
#27 ffffffff81487087 (generic_make_request+0x187/0x210) ./block/blk-core.c:1831
#28 ffffffff814871b2 (submit_bio+0xa2/0x1f0) ./block/blk-core.c:1883
#29 ffffffff812e9619 (mpage_readpage+0xa9/0xc0) ??:0
#30 ffffffff8138f0fb (ext4_readpage+0x4b/0xd0) ./fs/ext4/inode.c:2938
#31 inlined (generic_file_aio_read+0x546/0xa70) do_generic_file_read ./mm/filemap.c:1248
#31 ffffffff81208076 (generic_file_aio_read+0x546/0xa70) ./mm/filemap.c:1482
#32 ffffffff8128bea9 (do_sync_read+0xd9/0x120) ??:0
#33 ffffffff8128c7ea (vfs_read+0xfa/0x240) ??:0
#34 ffffffff8128da62 (SyS_read+0x72/0xd0) ??:0
#35 ffffffff818ecc75 (sysenter_dispatch+0x7/0x1a) ./arch/x86/ia32/ia32entry.S:163
freed by thread T1095 here:
#0 inlined (kmem_cache_free+0x55/0x2e0) __cache_free ./mm/slab.c:3590
#0 ffffffff812706b5 (kmem_cache_free+0x55/0x2e0) ./mm/slab.c:3799
#1 ffffffff815ee871 (scsi_pool_free_command.isra.8+0x81/0x90) ./drivers/scsi/scsi.c:211
#2 ffffffff815eec41 (__scsi_put_command+0x71/0xf0) ./drivers/scsi/scsi.c:336
#3 ffffffff815eed8d (scsi_put_command+0xcd/0xe0) ./drivers/scsi/scsi.c:361
#4 ffffffff815fd282 (scsi_next_command+0x42/0x60) ./drivers/scsi/scsi_lib.c:526
#5 ffffffff815fd688 (scsi_io_completion+0x378/0x8e0) ./drivers/scsi/scsi_lib.c:831
#6 ffffffff815edda6 (scsi_finish_command+0x176/0x210) ./drivers/scsi/scsi.c:847
#7 ffffffff815f810f (scsi_eh_flush_done_q+0x1df/0x230) ??:0
#8 ffffffff81670842 (ata_scsi_port_error_handler+0x932/0xc50) ??:0
#9 ffffffff81670c9e (ata_scsi_error+0x13e/0x190) ??:0
#10 ffffffff815f893e (scsi_error_handler+0x1ae/0xb70) ??:0
#11 ffffffff81115a96 (kthread+0x126/0x130) kthread.c:0
#12 ffffffff818eb49c (ret_from_fork+0x7c/0xb0) ./arch/x86/kernel/entry_64.S:569
previously allocated by thread T3645 here:
#0 inlined (kmem_cache_alloc+0x9a/0x4c0) slab_alloc ./mm/slab.c:3471
#0 ffffffff8127292a (kmem_cache_alloc+0x9a/0x4c0) ./mm/slab.c:3629
#1 inlined (scsi_pool_alloc_command+0x43/0xc0) kmem_cache_zalloc ./include/linux/slab.h:635
#1 ffffffff815eda53 (scsi_pool_alloc_command+0x43/0xc0) ./drivers/scsi/scsi.c:181
#2 ffffffff815ee8ae (scsi_host_alloc_command+0x2e/0xc0) ./drivers/scsi/scsi.c:227
#3 ffffffff815ee95e (__scsi_get_command+0x1e/0x150) ./drivers/scsi/scsi.c:253
#4 ffffffff815eead6 (scsi_get_command+0x46/0x140) ./drivers/scsi/scsi.c:298
#5 ffffffff815f993d (scsi_get_cmd_from_req+0xbd/0xe0) ./drivers/scsi/scsi_lib.c:1124
#6 ffffffff815fcb39 (scsi_setup_fs_cmnd+0x59/0xd0) ./drivers/scsi/scsi_lib.c:1214
#7 ffffffff8164912c (sd_prep_fn+0x5bc/0x1e00) ./drivers/scsi/sd.c:895
#8 ffffffff8148a9a1 (blk_peek_request+0x221/0x3f0) ./block/blk-core.c:2147
#9 ffffffff815fbce3 (scsi_request_fn+0x93/0xa20) ./drivers/scsi/scsi_lib.c:1568
#10 ffffffff8148737e (__blk_run_queue+0x7e/0xb0) ./block/blk-core.c:312
#11 inlined (cfq_insert_request+0x60c/0xb60) cfq_rq_enqueued ./block/cfq-iosched.c:3908
#11 ffffffff814af94c (cfq_insert_request+0x60c/0xb60) ./block/cfq-iosched.c:3925
#12 ffffffff814805d5 (__elv_add_request+0x275/0x480) ./block/elevator.c:653
#13 ffffffff8148b65f (blk_queue_bio+0x3ef/0x520) ./block/blk-core.c:1215
#14 ffffffff81487087 (generic_make_request+0x187/0x210) ./block/blk-core.c:1831
#15 ffffffff814871b2 (submit_bio+0xa2/0x1f0) ./block/blk-core.c:1883
Shadow bytes around the buggy address:
ffff88001cfd4900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
ffff88001cfd4980: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
ffff88001cfd4a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff88001cfd4a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff88001cfd4b00: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>ffff88001cfd4b80: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
ffff88001cfd4c00: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa
ffff88001cfd4c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff88001cfd4d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff88001cfd4d80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
ffff88001cfd4e00: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap redzone: fa
Heap kmalloc redzone: fb
Freed heap region: fd
Shadow gap: fe
=========================================================================
=========================================================================
ERROR: AddressSanitizer: heap-use-after-free on address ffff880024df8658
ffff880024df8658 is located 264 bytes inside of 368-byte region [ffff880024df8550, ffff880024df86c0)
READ of size 1 at ffff880024df8658 by thread T3645:
#0 inlined (asan_report_error+0x3e7/0x500) asan_describe_heap_address ./arch/x86/mm/asan/report.c:191
#0 ffffffff810d9af7 (asan_report_error+0x3e7/0x500) ./arch/x86/mm/asan/report.c:309
#1 ffffffff810d8c12 (asan_check_region.part.1+0x1b2/0x230) ./arch/x86/mm/asan/asan.c:263
#2 inlined (__tsan_read1+0x20/0x30) asan_check_region ./arch/x86/mm/asan/asan.c:273
#2 ffffffff810d8cb0 (__tsan_read1+0x20/0x30) ./arch/x86/mm/asan/asan.c:273
#3 ffffffff816628b0 (ata_scsi_qc_complete+0x60/0x570) ./drivers/ata/libata-scsi.c:1750
#4 ffffffff81656aae (__ata_qc_complete+0x14e/0x2d0) ./drivers/ata/libata-core.c:4858
#5 ffffffff81656d9b (ata_qc_complete+0x16b/0x490) ./drivers/ata/libata-core.c:4971
#6 ffffffff816759f5 (ata_hsm_qc_complete+0x75/0x1e0) ./drivers/ata/libata-sff.c:1021
#7 ffffffff81675c75 (ata_sff_hsm_move+0x115/0xd30) ./drivers/ata/libata-sff.c:1293
#8 ffffffff81676995 (__ata_sff_port_intr+0x105/0x230) ./drivers/ata/libata-sff.c:1569
#9 ffffffff81676f3d (ata_bmdma_port_intr+0x4d/0x1e0) ./drivers/ata/libata-sff.c:2873
#10 inlined (ata_bmdma_interrupt+0x163/0x320) __ata_sff_interrupt ./drivers/ata/libata-sff.c:1614
#10 ffffffff81677603 (ata_bmdma_interrupt+0x163/0x320) ./drivers/ata/libata-sff.c:2898
#11 ffffffff81155eb3 (handle_irq_event_percpu+0x73/0x300) ??:0
#12 ffffffff811561bf (handle_irq_event+0x7f/0xc0) ??:0
#13 ffffffff81159e83 (handle_edge_irq+0xf3/0x270) ??:0
#14 ffffffff8108018e (handle_irq+0x2e/0x40) ??:0
#15 ffffffff818ed256 (do_IRQ+0x56/0xf0) ./arch/x86/kernel/irq.c:193
#16 ffffffff818deeea (ret_from_intr+0x0/0xe) ./arch/x86/kernel/entry_64.S:1006
#17 inlined (irq_exit+0x10d/0x120) invoke_softirq ./kernel/softirq.c:332
#17 ffffffff810eae0d (irq_exit+0x10d/0x120) ./kernel/softirq.c:365
#18 ffffffff818ed34e (smp_apic_timer_interrupt+0x5e/0x70) ././arch/x86/include/asm/apic.h:708
#19 ffffffff818ec10a (apic_timer_interrupt+0x6a/0x70) ./arch/x86/kernel/entry_64.S:1181
#20 ffffffff816663ce (ata_scsi_queuecmd+0x25e/0x620) ./include/linux/spinlock.h:348
#21 ffffffff815f03d7 (scsi_dispatch_cmd+0x1d7/0x4d0) ./drivers/scsi/scsi.c:752
#22 ffffffff815fc2e0 (scsi_request_fn+0x690/0xa20) ./drivers/scsi/scsi_lib.c:1638
#23 ffffffff8148737e (__blk_run_queue+0x7e/0xb0) ./block/blk-core.c:312
#24 inlined (cfq_insert_request+0x60c/0xb60) cfq_rq_enqueued ./block/cfq-iosched.c:3908
#24 ffffffff814af94c (cfq_insert_request+0x60c/0xb60) ./block/cfq-iosched.c:3925
#25 ffffffff814805d5 (__elv_add_request+0x275/0x480) ./block/elevator.c:653
#26 ffffffff8148b65f (blk_queue_bio+0x3ef/0x520) ./block/blk-core.c:1215
#27 ffffffff81487087 (generic_make_request+0x187/0x210) ./block/blk-core.c:1831
#28 ffffffff814871b2 (submit_bio+0xa2/0x1f0) ./block/blk-core.c:1883
#29 ffffffff812e9619 (mpage_readpage+0xa9/0xc0) ??:0
#30 ffffffff8138f0fb (ext4_readpage+0x4b/0xd0) ./fs/ext4/inode.c:2938
#31 inlined (generic_file_aio_read+0x546/0xa70) do_generic_file_read ./mm/filemap.c:1248
#31 ffffffff81208076 (generic_file_aio_read+0x546/0xa70) ./mm/filemap.c:1482
#32 ffffffff8128bea9 (do_sync_read+0xd9/0x120) ??:0
#33 ffffffff8128c7ea (vfs_read+0xfa/0x240) ??:0
#34 ffffffff8128da62 (SyS_read+0x72/0xd0) ??:0
#35 ffffffff818ecc75 (sysenter_dispatch+0x7/0x1a) ./arch/x86/ia32/ia32entry.S:163
freed by thread T1095 here:
#0 inlined (kmem_cache_free+0x55/0x2e0) __cache_free ./mm/slab.c:3590
#0 ffffffff812706b5 (kmem_cache_free+0x55/0x2e0) ./mm/slab.c:3799
#1 ffffffff81209867 (mempool_free_slab+0x17/0x20) ??:0
#2 ffffffff81209eff (mempool_free+0x8f/0xe0) ??:0
#3 inlined (__blk_put_request+0xf1/0x230) blk_free_request ./block/blk-core.c:768
#3 ffffffff81487cd1 (__blk_put_request+0xf1/0x230) ./block/blk-core.c:1296
#4 ffffffff814880a4 (blk_finish_request+0x184/0x560) ./block/blk-core.c:2465
#5 ffffffff814884f1 (blk_end_bidi_request+0x71/0xa0) ./block/blk-core.c:2496
#6 ffffffff8148860d (blk_end_request_err+0x2d/0x50) ./block/blk-core.c:2544
#7 ffffffff815fd837 (scsi_io_completion+0x527/0x8e0) ./drivers/scsi/scsi_lib.c:1005
#8 ffffffff815edda6 (scsi_finish_command+0x176/0x210) ./drivers/scsi/scsi.c:847
#9 ffffffff815f810f (scsi_eh_flush_done_q+0x1df/0x230) ??:0
#10 ffffffff81670842 (ata_scsi_port_error_handler+0x932/0xc50) ??:0
#11 ffffffff81670c9e (ata_scsi_error+0x13e/0x190) ??:0
#12 ffffffff815f893e (scsi_error_handler+0x1ae/0xb70) ??:0
#13 ffffffff81115a96 (kthread+0x126/0x130) kthread.c:0
#14 ffffffff818eb49c (ret_from_fork+0x7c/0xb0) ./arch/x86/kernel/entry_64.S:569
previously allocated by thread T3645 here:
#0 inlined (kmem_cache_alloc+0x9a/0x4c0) slab_alloc ./mm/slab.c:3471
#0 ffffffff8127292a (kmem_cache_alloc+0x9a/0x4c0) ./mm/slab.c:3629
#1 ffffffff81209845 (mempool_alloc_slab+0x15/0x20) ??:0
#2 ffffffff81209a1d (mempool_alloc+0x7d/0x1a0) ??:0
#3 inlined (get_request+0x409/0xc00) __get_request ./block/blk-core.c:977
#3 ffffffff814851c9 (get_request+0x409/0xc00) ./block/blk-core.c:1081
#4 ffffffff8148b306 (blk_queue_bio+0x96/0x520) ./block/blk-core.c:1531
#5 ffffffff81487087 (generic_make_request+0x187/0x210) ./block/blk-core.c:1831
#6 ffffffff814871b2 (submit_bio+0xa2/0x1f0) ./block/blk-core.c:1883
#7 ffffffff812e9619 (mpage_readpage+0xa9/0xc0) ??:0
#8 ffffffff8138f0fb (ext4_readpage+0x4b/0xd0) ./fs/ext4/inode.c:2938
#9 inlined (generic_file_aio_read+0x546/0xa70) do_generic_file_read ./mm/filemap.c:1248
#9 ffffffff81208076 (generic_file_aio_read+0x546/0xa70) ./mm/filemap.c:1482
#10 ffffffff8128bea9 (do_sync_read+0xd9/0x120) ??:0
#11 ffffffff8128c7ea (vfs_read+0xfa/0x240) ??:0
#12 ffffffff8128da62 (SyS_read+0x72/0xd0) ??:0
#13 ffffffff818ecc75 (sysenter_dispatch+0x7/0x1a) ./arch/x86/ia32/ia32entry.S:163
Shadow bytes around the buggy address:
ffff880024df8380: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
ffff880024df8400: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880024df8480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880024df8500: fa fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
ffff880024df8580: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>ffff880024df8600: fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd
ffff880024df8680: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
ffff880024df8700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff880024df8780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fd
ffff880024df8800: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
ffff880024df8880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap redzone: fa
Heap kmalloc redzone: fb
Freed heap region: fd
Shadow gap: fe
=========================================================================
=========================================================================
ERROR: AddressSanitizer: heap-use-after-free on address ffff88001cfd4c20
ffff88001cfd4c20 is located 224 bytes inside of 232-byte region [ffff88001cfd4b40, ffff88001cfd4c28)
WRITE of size 4 at ffff88001cfd4c20 by thread T3645:
#0 inlined (asan_report_error+0x3e7/0x500) asan_describe_heap_address ./arch/x86/mm/asan/report.c:191
#0 ffffffff810d9af7 (asan_report_error+0x3e7/0x500) ./arch/x86/mm/asan/report.c:309
#1 ffffffff810d8c12 (asan_check_region.part.1+0x1b2/0x230) ./arch/x86/mm/asan/asan.c:263
#2 inlined (__tsan_write4+0x23/0x30) asan_check_region ./arch/x86/mm/asan/asan.c:281
#2 ffffffff810d8e03 (__tsan_write4+0x23/0x30) ./arch/x86/mm/asan/asan.c:281
#3 ffffffff816628d0 (ata_scsi_qc_complete+0x80/0x570) ./drivers/ata/libata-scsi.c:1755
#4 ffffffff81656aae (__ata_qc_complete+0x14e/0x2d0) ./drivers/ata/libata-core.c:4858
#5 ffffffff81656d9b (ata_qc_complete+0x16b/0x490) ./drivers/ata/libata-core.c:4971
#6 ffffffff816759f5 (ata_hsm_qc_complete+0x75/0x1e0) ./drivers/ata/libata-sff.c:1021
#7 ffffffff81675c75 (ata_sff_hsm_move+0x115/0xd30) ./drivers/ata/libata-sff.c:1293
#8 ffffffff81676995 (__ata_sff_port_intr+0x105/0x230) ./drivers/ata/libata-sff.c:1569
#9 ffffffff81676f3d (ata_bmdma_port_intr+0x4d/0x1e0) ./drivers/ata/libata-sff.c:2873
#10 inlined (ata_bmdma_interrupt+0x163/0x320) __ata_sff_interrupt ./drivers/ata/libata-sff.c:1614
#10 ffffffff81677603 (ata_bmdma_interrupt+0x163/0x320) ./drivers/ata/libata-sff.c:2898
#11 ffffffff81155eb3 (handle_irq_event_percpu+0x73/0x300) ??:0
#12 ffffffff811561bf (handle_irq_event+0x7f/0xc0) ??:0
#13 ffffffff81159e83 (handle_edge_irq+0xf3/0x270) ??:0
#14 ffffffff8108018e (handle_irq+0x2e/0x40) ??:0
#15 ffffffff818ed256 (do_IRQ+0x56/0xf0) ./arch/x86/kernel/irq.c:193
#16 ffffffff818deeea (ret_from_intr+0x0/0xe) ./arch/x86/kernel/entry_64.S:1006
#17 inlined (irq_exit+0x10d/0x120) invoke_softirq ./kernel/softirq.c:332
#17 ffffffff810eae0d (irq_exit+0x10d/0x120) ./kernel/softirq.c:365
#18 ffffffff818ed34e (smp_apic_timer_interrupt+0x5e/0x70) ././arch/x86/include/asm/apic.h:708
#19 ffffffff818ec10a (apic_timer_interrupt+0x6a/0x70) ./arch/x86/kernel/entry_64.S:1181
#20 ffffffff816663ce (ata_scsi_queuecmd+0x25e/0x620) ./include/linux/spinlock.h:348
#21 ffffffff815f03d7 (scsi_dispatch_cmd+0x1d7/0x4d0) ./drivers/scsi/scsi.c:752
#22 ffffffff815fc2e0 (scsi_request_fn+0x690/0xa20) ./drivers/scsi/scsi_lib.c:1638
#23 ffffffff8148737e (__blk_run_queue+0x7e/0xb0) ./block/blk-core.c:312
#24 inlined (cfq_insert_request+0x60c/0xb60) cfq_rq_enqueued ./block/cfq-iosched.c:3908
#24 ffffffff814af94c (cfq_insert_request+0x60c/0xb60) ./block/cfq-iosched.c:3925
#25 ffffffff814805d5 (__elv_add_request+0x275/0x480) ./block/elevator.c:653
#26 ffffffff8148b65f (blk_queue_bio+0x3ef/0x520) ./block/blk-core.c:1215
#27 ffffffff81487087 (generic_make_request+0x187/0x210) ./block/blk-core.c:1831
#28 ffffffff814871b2 (submit_bio+0xa2/0x1f0) ./block/blk-core.c:1883
#29 ffffffff812e9619 (mpage_readpage+0xa9/0xc0) ??:0
#30 ffffffff8138f0fb (ext4_readpage+0x4b/0xd0) ./fs/ext4/inode.c:2938
#31 inlined (generic_file_aio_read+0x546/0xa70) do_generic_file_read ./mm/filemap.c:1248
#31 ffffffff81208076 (generic_file_aio_read+0x546/0xa70) ./mm/filemap.c:1482
#32 ffffffff8128bea9 (do_sync_read+0xd9/0x120) ??:0
#33 ffffffff8128c7ea (vfs_read+0xfa/0x240) ??:0
#34 ffffffff8128da62 (SyS_read+0x72/0xd0) ??:0
#35 ffffffff818ecc75 (sysenter_dispatch+0x7/0x1a) ./arch/x86/ia32/ia32entry.S:163
freed by thread T1095 here:
#0 inlined (kmem_cache_free+0x55/0x2e0) __cache_free ./mm/slab.c:3590
#0 ffffffff812706b5 (kmem_cache_free+0x55/0x2e0) ./mm/slab.c:3799
#1 ffffffff815ee871 (scsi_pool_free_command.isra.8+0x81/0x90) ./drivers/scsi/scsi.c:211
#2 ffffffff815eec41 (__scsi_put_command+0x71/0xf0) ./drivers/scsi/scsi.c:336
#3 ffffffff815eed8d (scsi_put_command+0xcd/0xe0) ./drivers/scsi/scsi.c:361
#4 ffffffff815fd282 (scsi_next_command+0x42/0x60) ./drivers/scsi/scsi_lib.c:526
#5 ffffffff815fd688 (scsi_io_completion+0x378/0x8e0) ./drivers/scsi/scsi_lib.c:831
#6 ffffffff815edda6 (scsi_finish_command+0x176/0x210) ./drivers/scsi/scsi.c:847
#7 ffffffff815f810f (scsi_eh_flush_done_q+0x1df/0x230) ??:0
#8 ffffffff81670842 (ata_scsi_port_error_handler+0x932/0xc50) ??:0
#9 ffffffff81670c9e (ata_scsi_error+0x13e/0x190) ??:0
#10 ffffffff815f893e (scsi_error_handler+0x1ae/0xb70) ??:0
#11 ffffffff81115a96 (kthread+0x126/0x130) kthread.c:0
#12 ffffffff818eb49c (ret_from_fork+0x7c/0xb0) ./arch/x86/kernel/entry_64.S:569
previously allocated by thread T3645 here:
#0 inlined (kmem_cache_alloc+0x9a/0x4c0) slab_alloc ./mm/slab.c:3471
#0 ffffffff8127292a (kmem_cache_alloc+0x9a/0x4c0) ./mm/slab.c:3629
#1 inlined (scsi_pool_alloc_command+0x43/0xc0) kmem_cache_zalloc ./include/linux/slab.h:635
#1 ffffffff815eda53 (scsi_pool_alloc_command+0x43/0xc0) ./drivers/scsi/scsi.c:181
#2 ffffffff815ee8ae (scsi_host_alloc_command+0x2e/0xc0) ./drivers/scsi/scsi.c:227
#3 ffffffff815ee95e (__scsi_get_command+0x1e/0x150) ./drivers/scsi/scsi.c:253
#4 ffffffff815eead6 (scsi_get_command+0x46/0x140) ./drivers/scsi/scsi.c:298
#5 ffffffff815f993d (scsi_get_cmd_from_req+0xbd/0xe0) ./drivers/scsi/scsi_lib.c:1124
#6 ffffffff815fcb39 (scsi_setup_fs_cmnd+0x59/0xd0) ./drivers/scsi/scsi_lib.c:1214
#7 ffffffff8164912c (sd_prep_fn+0x5bc/0x1e00) ./drivers/scsi/sd.c:895
#8 ffffffff8148a9a1 (blk_peek_request+0x221/0x3f0) ./block/blk-core.c:2147
#9 ffffffff815fbce3 (scsi_request_fn+0x93/0xa20) ./drivers/scsi/scsi_lib.c:1568
#10 ffffffff8148737e (__blk_run_queue+0x7e/0xb0) ./block/blk-core.c:312
#11 inlined (cfq_insert_request+0x60c/0xb60) cfq_rq_enqueued ./block/cfq-iosched.c:3908
#11 ffffffff814af94c (cfq_insert_request+0x60c/0xb60) ./block/cfq-iosched.c:3925
#12 ffffffff814805d5 (__elv_add_request+0x275/0x480) ./block/elevator.c:653
#13 ffffffff8148b65f (blk_queue_bio+0x3ef/0x520) ./block/blk-core.c:1215
#14 ffffffff81487087 (generic_make_request+0x187/0x210) ./block/blk-core.c:1831
#15 ffffffff814871b2 (submit_bio+0xa2/0x1f0) ./block/blk-core.c:1883
Shadow bytes around the buggy address:
ffff88001cfd4980: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
ffff88001cfd4a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff88001cfd4a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff88001cfd4b00: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
ffff88001cfd4b80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>ffff88001cfd4c00: fd fd fd fd[fd]fa fa fa fa fa fa fa fa fa fa fa
ffff88001cfd4c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff88001cfd4d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff88001cfd4d80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
ffff88001cfd4e00: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
ffff88001cfd4e80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap redzone: fa
Heap kmalloc redzone: fb
Freed heap region: fd
Shadow gap: fe
=========================================================================
=========================================================================
ERROR: AddressSanitizer: heap-use-after-free on address ffff88001cfd4bc0
ffff88001cfd4bc0 is located 128 bytes inside of 232-byte region [ffff88001cfd4b40, ffff88001cfd4c28)
READ of size 8 at ffff88001cfd4bc0 by thread T3645:
#0 inlined (asan_report_error+0x3e7/0x500) asan_describe_heap_address ./arch/x86/mm/asan/report.c:191
#0 ffffffff810d9af7 (asan_report_error+0x3e7/0x500) ./arch/x86/mm/asan/report.c:309
#1 ffffffff810d8c12 (asan_check_region.part.1+0x1b2/0x230) ./arch/x86/mm/asan/asan.c:263
#2 inlined (__tsan_read8+0x28/0x30) asan_check_region ./arch/x86/mm/asan/asan.c:276
#2 ffffffff810d8d48 (__tsan_read8+0x28/0x30) ./arch/x86/mm/asan/asan.c:276
#3 ffffffff815efac2 (scsi_done+0x22/0x90) ./drivers/scsi/scsi.c:788
#4 ffffffff816628eb (ata_scsi_qc_complete+0x9b/0x570) ./drivers/ata/libata-scsi.c:1770
#5 ffffffff81656aae (__ata_qc_complete+0x14e/0x2d0) ./drivers/ata/libata-core.c:4858
#6 ffffffff81656d9b (ata_qc_complete+0x16b/0x490) ./drivers/ata/libata-core.c:4971
#7 ffffffff816759f5 (ata_hsm_qc_complete+0x75/0x1e0) ./drivers/ata/libata-sff.c:1021
#8 ffffffff81675c75 (ata_sff_hsm_move+0x115/0xd30) ./drivers/ata/libata-sff.c:1293
#9 ffffffff81676995 (__ata_sff_port_intr+0x105/0x230) ./drivers/ata/libata-sff.c:1569
#10 ffffffff81676f3d (ata_bmdma_port_intr+0x4d/0x1e0) ./drivers/ata/libata-sff.c:2873
#11 inlined (ata_bmdma_interrupt+0x163/0x320) __ata_sff_interrupt ./drivers/ata/libata-sff.c:1614
#11 ffffffff81677603 (ata_bmdma_interrupt+0x163/0x320) ./drivers/ata/libata-sff.c:2898
#12 ffffffff81155eb3 (handle_irq_event_percpu+0x73/0x300) ??:0
#13 ffffffff811561bf (handle_irq_event+0x7f/0xc0) ??:0
#14 ffffffff81159e83 (handle_edge_irq+0xf3/0x270) ??:0
#15 ffffffff8108018e (handle_irq+0x2e/0x40) ??:0
#16 ffffffff818ed256 (do_IRQ+0x56/0xf0) ./arch/x86/kernel/irq.c:193
#17 ffffffff818deeea (ret_from_intr+0x0/0xe) ./arch/x86/kernel/entry_64.S:1006
#18 inlined (irq_exit+0x10d/0x120) invoke_softirq ./kernel/softirq.c:332
#18 ffffffff810eae0d (irq_exit+0x10d/0x120) ./kernel/softirq.c:365
#19 ffffffff818ed34e (smp_apic_timer_interrupt+0x5e/0x70) ././arch/x86/include/asm/apic.h:708
#20 ffffffff818ec10a (apic_timer_interrupt+0x6a/0x70) ./arch/x86/kernel/entry_64.S:1181
#21 ffffffff816663ce (ata_scsi_queuecmd+0x25e/0x620) ./include/linux/spinlock.h:348
#22 ffffffff815f03d7 (scsi_dispatch_cmd+0x1d7/0x4d0) ./drivers/scsi/scsi.c:752
#23 ffffffff815fc2e0 (scsi_request_fn+0x690/0xa20) ./drivers/scsi/scsi_lib.c:1638
#24 ffffffff8148737e (__blk_run_queue+0x7e/0xb0) ./block/blk-core.c:312
#25 inlined (cfq_insert_request+0x60c/0xb60) cfq_rq_enqueued ./block/cfq-iosched.c:3908
#25 ffffffff814af94c (cfq_insert_request+0x60c/0xb60) ./block/cfq-iosched.c:3925
#26 ffffffff814805d5 (__elv_add_request+0x275/0x480) ./block/elevator.c:653
#27 ffffffff8148b65f (blk_queue_bio+0x3ef/0x520) ./block/blk-core.c:1215
#28 ffffffff81487087 (generic_make_request+0x187/0x210) ./block/blk-core.c:1831
#29 ffffffff814871b2 (submit_bio+0xa2/0x1f0) ./block/blk-core.c:1883
#30 ffffffff812e9619 (mpage_readpage+0xa9/0xc0) ??:0
#31 ffffffff8138f0fb (ext4_readpage+0x4b/0xd0) ./fs/ext4/inode.c:2938
#32 inlined (generic_file_aio_read+0x546/0xa70) do_generic_file_read ./mm/filemap.c:1248
#32 ffffffff81208076 (generic_file_aio_read+0x546/0xa70) ./mm/filemap.c:1482
#33 ffffffff8128bea9 (do_sync_read+0xd9/0x120) ??:0
#34 ffffffff8128c7ea (vfs_read+0xfa/0x240) ??:0
#35 ffffffff8128da62 (SyS_read+0x72/0xd0) ??:0
#36 ffffffff818ecc75 (sysenter_dispatch+0x7/0x1a) ./arch/x86/ia32/ia32entry.S:163
freed by thread T1095 here:
#0 inlined (kmem_cache_free+0x55/0x2e0) __cache_free ./mm/slab.c:3590
#0 ffffffff812706b5 (kmem_cache_free+0x55/0x2e0) ./mm/slab.c:3799
#1 ffffffff815ee871 (scsi_pool_free_command.isra.8+0x81/0x90) ./drivers/scsi/scsi.c:211
#2 ffffffff815eec41 (__scsi_put_command+0x71/0xf0) ./drivers/scsi/scsi.c:336
#3 ffffffff815eed8d (scsi_put_command+0xcd/0xe0) ./drivers/scsi/scsi.c:361
#4 ffffffff815fd282 (scsi_next_command+0x42/0x60) ./drivers/scsi/scsi_lib.c:526
#5 ffffffff815fd688 (scsi_io_completion+0x378/0x8e0) ./drivers/scsi/scsi_lib.c:831
#6 ffffffff815edda6 (scsi_finish_command+0x176/0x210) ./drivers/scsi/scsi.c:847
#7 ffffffff815f810f (scsi_eh_flush_done_q+0x1df/0x230) ??:0
#8 ffffffff81670842 (ata_scsi_port_error_handler+0x932/0xc50) ??:0
#9 ffffffff81670c9e (ata_scsi_error+0x13e/0x190) ??:0
#10 ffffffff815f893e (scsi_error_handler+0x1ae/0xb70) ??:0
#11 ffffffff81115a96 (kthread+0x126/0x130) kthread.c:0
#12 ffffffff818eb49c (ret_from_fork+0x7c/0xb0) ./arch/x86/kernel/entry_64.S:569
previously allocated by thread T3645 here:
#0 inlined (kmem_cache_alloc+0x9a/0x4c0) slab_alloc ./mm/slab.c:3471
#0 ffffffff8127292a (kmem_cache_alloc+0x9a/0x4c0) ./mm/slab.c:3629
#1 inlined (scsi_pool_alloc_command+0x43/0xc0) kmem_cache_zalloc ./include/linux/slab.h:635
#1 ffffffff815eda53 (scsi_pool_alloc_command+0x43/0xc0) ./drivers/scsi/scsi.c:181
#2 ffffffff815ee8ae (scsi_host_alloc_command+0x2e/0xc0) ./drivers/scsi/scsi.c:227
#3 ffffffff815ee95e (__scsi_get_command+0x1e/0x150) ./drivers/scsi/scsi.c:253
#4 ffffffff815eead6 (scsi_get_command+0x46/0x140) ./drivers/scsi/scsi.c:298
#5 ffffffff815f993d (scsi_get_cmd_from_req+0xbd/0xe0) ./drivers/scsi/scsi_lib.c:1124
#6 ffffffff815fcb39 (scsi_setup_fs_cmnd+0x59/0xd0) ./drivers/scsi/scsi_lib.c:1214
#7 ffffffff8164912c (sd_prep_fn+0x5bc/0x1e00) ./drivers/scsi/sd.c:895
#8 ffffffff8148a9a1 (blk_peek_request+0x221/0x3f0) ./block/blk-core.c:2147
#9 ffffffff815fbce3 (scsi_request_fn+0x93/0xa20) ./drivers/scsi/scsi_lib.c:1568
#10 ffffffff8148737e (__blk_run_queue+0x7e/0xb0) ./block/blk-core.c:312
#11 inlined (cfq_insert_request+0x60c/0xb60) cfq_rq_enqueued ./block/cfq-iosched.c:3908
#11 ffffffff814af94c (cfq_insert_request+0x60c/0xb60) ./block/cfq-iosched.c:3925
#12 ffffffff814805d5 (__elv_add_request+0x275/0x480) ./block/elevator.c:653
#13 ffffffff8148b65f (blk_queue_bio+0x3ef/0x520) ./block/blk-core.c:1215
#14 ffffffff81487087 (generic_make_request+0x187/0x210) ./block/blk-core.c:1831
#15 ffffffff814871b2 (submit_bio+0xa2/0x1f0) ./block/blk-core.c:1883
Shadow bytes around the buggy address:
ffff88001cfd4900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
ffff88001cfd4980: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
ffff88001cfd4a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff88001cfd4a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff88001cfd4b00: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>ffff88001cfd4b80: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
ffff88001cfd4c00: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa
ffff88001cfd4c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff88001cfd4d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
ffff88001cfd4d80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
ffff88001cfd4e00: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap redzone: fa
Heap kmalloc redzone: fb
Freed heap region: fd
Shadow gap: fe
=========================================================================
ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x6 frozen
ata1.00: failed command: WRITE DMA
ata1.00: cmd ca/00:08:00:05:00/00:00:00:00:00/e0 tag 0 dma 4096 out
res 40/00:01:00:4f:c2/00:00:00:00:00/a0 Emask 0x4 (timeout)
ata1.00: status: { DRDY }
ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x6 frozen
ata1.00: failed command: WRITE DMA
ata1.00: cmd ca/00:10:e0:0c:00/00:00:00:00:00/e0 tag 0 dma 8192 out
res 40/00:01:00:4f:c2/00:00:00:00:00/a0 Emask 0x4 (timeout)
ata1.00: status: { DRDY }
[watchdog] 52707 iterations. [F:44111 S:8596]
end_request: I/O error, dev sda, sector 1745024
ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x6 frozen
ata1.00: failed command: WRITE DMA
ata1.00: cmd ca/00:08:f0:1f:08/00:00:00:00:00/e0 tag 0 dma 4096 out
res 40/00:01:00:4f:c2/00:00:00:00:00/a0 Emask 0x4 (timeout)
ata1.00: status: { DRDY }
[watchdog] 55561 iterations. [F:46565 S:8996]
kasaner_binary: malloc.c:3801: _int_malloc: Assertion `(unsigned long)(size) >= (unsigned long)(nb)' failed.
Random reseed: 722711287
workqueue: uevent: unknown action-string
[watchdog] 64054 iterations. [F:53852 S:10203]
ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x6 frozen
ata1.00: failed command: WRITE DMA
ata1.00: cmd ca/00:60:c0:89:1c/00:00:00:00:00/e0 tag 0 dma 49152 out
res 40/00:01:00:4f:c2/00:00:00:00:00/a0 Emask 0x4 (timeout)
ata1.00: status: { DRDY }
[watchdog] child 2 wrapped! old=10 now=0
[watchdog] child 15 wrapped! old=10 now=0
[watchdog] child 18 wrapped! old=9 now=0
[watchdog] child 35 wrapped! old=10 now=0
[watchdog] child 41 wrapped! old=9 now=0
[watchdog] child 49 wrapped! old=10 now=0
[watchdog] child 53 wrapped! old=10 now=0
[watchdog] child 54 wrapped! old=9 now=0
[watchdog] child 60 wrapped! old=9 now=0
[watchdog] child 61 wrapped! old=9 now=0
[watchdog] child 62 wrapped! old=10 now=0
[watchdog] child 63 wrapped! old=10 now=0
[watchdog] 71572 iterations. [F:60240 S:11333]
ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x6 frozen
ata1.00: failed command: WRITE DMA
ata1.00: cmd ca/00:28:40:8d:1c/00:00:00:00:00/e0 tag 0 dma 20480 out
res 40/00:01:00:4f:c2/00:00:00:00:00/a0 Emask 0x4 (timeout)
ata1.00: status: { DRDY }
[watchdog] 77398 iterations. [F:65205 S:12194]
end_request: I/O error, dev sda, sector 535048
kasaner_binary: malloc.c:3801: _int_malloc: Assertion `(unsigned long)(size) >= (unsigned long)(nb)' failed.
Aborting journal on device sda1-8.
journal commit I/O error
EXT4-fs error (device sda1): ext4_journal_check_start:56: Detected aborted journal
EXT4-fs (sda1): Remounting filesystem read-only
EXT4-fs error (device sda1): ext4_journal_check_start:56: Detected aborted journal
EXT4-fs error (device sda1): ext4_journal_check_start:56: Detected aborted journal
EXT4-fs error (device sda1): ext4_journal_check_start:56: Detected aborted journal
EXT4-fs error (device sda1): ext4_journal_check_start:56: Detected aborted journal
EXT4-fs error (device sda1): ext4_journal_check_start:56: Detected aborted journal[5332] Random re
seed: 331866887
EXT4-fs error (device sda1): ext4_journal_check_start:56: Detected aborted journal
EXT4-fs error (device sda1): ext4_journal_check_start:56: Detected aborted journal
EXT4-fs error (device sda1): ext4_journal_check_start:56: Detected aborted journal
EXT4-fs error (device sda1): ext4_journal_check_start:56: Detected aborted journal
EXT4-fs error (device sda1): ext4_journal_check_start:56: Detected aborted journal
EXT4-fs error (device sda1): ext4_journal_check_start:56: Detected aborted journal
EXT4-fs error (device sda1): ext4_journal_check_start:56: Detected aborted journal
EXT4-fs error (device sda1): ext4_journal_check_start:56: Detected aborted journal
EXT4-fs error (device sda1): ext4_journal_check_start:56: Detected aborted journal
EXT4-fs error (device sda1): ext4_journal_check_start:56: Detected aborted journal
EXT4-fs error (device sda1): ext4_journal_check_start:56: Detected aborted journal
EXT4-fs error (device sda1): ext4_journal_check_start:56: Detected aborted journal
EXT4-fs error (device sda1): ext4_journal_check_start:56: Detected aborted journal
EXT4-fs error (device sda1): ext4_journal_check_start:56:
EXT4-fs error (device sda1): ext4_journal_check_start:56: Dec 31 16:00:01 asan1 kernel: [ 86.841633] journal commit I/O error
EXT4-fs error (device sda1): ext4_journal_check_start:56: Detected aborted journal
EXT4-fs error (device sda1): ext4_journal_check_start:56: Detected aborted journal
EXT4-fs error (device sda1): ext4_journal_check_start:56: Detected aborted journal
EXT4-fs error (device sda1): ext4_journal_check_start:56: Detected aborted journal
EXT4-fs error (device sda1): ext4_journal_check_start:56: Detected aborted journal
EXT4-fs error (device sda1): ext4_journal_check_start:56: Detected aborted journal
EXT4-fs error (device sda1): ext4_journal_check_start:56: Detected aborted journal
EXT4-fs error (device sda1): ext4_journal_check_start:56: Detected aborted journal
EXT4-fs error (device sda1): ext4_journal_check_start:56: Detected aborted journal
EXT4-fs error (device sda1): ext4_journal_check_start:56: Detected aborted journal
EXT4-fs error (device sda1): ext4_journal_check_start:56: Detected aborted journal
EXT4-fs error (device sda1): ext4_journal_check_start:56: Detected aborted journal
EXT4-fs error (device sda1): ext4_journal_check_start:56: [ 86.947941] EXT4-fs error (device sda1): ext4_journal_check_start:56: [ 86.948310] EXT4-fs error (device sda1): ext4_journal_check_start:56:
EXT4-fs (sda1): ext4_writepages: jbd2_start: 9223372036854775807 pages, ino 18874; err -30
EXT4-fs error (device sda1): ext4_journal_check_start:56: Detected aborted journal
EXT4-fs error (device sda1): ext4_journal_check_start:56: Detected aborted journal
EXT4-fs error (device sda1): ext4_journal_check_start:56: [ 86.959611] EXT4-fs error (device sda1): ext4_journal_check_start:56: [ 86.961172] EXT4-fs error (device sda1): ext4_journal_check_start:56: [ 86.961714] EXT4-fs error (device sda1): ext4_journal_check_start:56:
EXT4-fs error (device sda1): ext4_journal_check_start:56: Detected aborted journal
[watchdog] 81398 iterations. [F:68573 S:12826]
ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x6 frozen
ata1.00: failed command: WRITE MULTIPLE
ata1.00: cmd c5/00:08:90:85:00/00:00:00:00:00/e0 tag 0 pio 4096 out
res 40/00:01:00:4f:c2/00:00:00:00:00/a0 Emask 0x4 (timeout)
ata1.00: status: { DRDY }
[watchdog] huge delta! pid slot 28 [6430]: old:1 now:1443523892 diff:1443523891. Setting to now.
[watchdog] 93910 iterations. [F:79161 S:14751]
workqueue: uevent: unknown action-string
ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x6 frozen
ata1.00: failed command: WRITE MULTIPLE EXT
ata1.00: cmd 39/00:10:b8:c0:24/00:01:00:00:00/e0 tag 0 pio 139264 out
res 40/00:01:00:4f:c2/00:00:00:00:00/a0 Emask 0x4 (timeout)
ata1.00: status: { DRDY }
[watchdog] 103728 iterations. [F:87510 S:16218]
kasaner_binary: malloc.c:3801: _int_malloc: Assertion `(unsigned long)(size) >= (unsigned long)(nb)' failed.
Random reseed: 788490512
Regenerating random pages, fd's etc.
[watchdog] 120439 iterations. [F:101770 S:18669]
Random reseed: 39752021
[watchdog] 133050 iterations. [F:112497 S:20553]
kasaner_binary: malloc.c:3801: _int_malloc: Assertion `(unsigned long)(size) >= (unsigned long)(nb)' failed.
kasaner_binary: malloc.c:3801: _int_malloc: Assertion `(unsigned long)(size) >= (unsigned long)(nb)' failed.
ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x6 frozen
ata1.00: failed command: WRITE MULTIPLE
ata1.00: cmd c5/00:08:80:18:48/00:00:00:00:00/e0 tag 0 pio 4096 out
res 40/00:01:00:4f:c2/00:00:00:00:00/a0 Emask 0x4 (timeout)
ata1.00: status: { DRDY }
Random reseed: 1378168394
[watchdog] 143999 iterations. [F:121803 S:22195]
Random reseed: 1041602727
workqueue: uevent: unknown action-string
[watchdog] 154210 iterations. [F:130579 S:23632]
Random reseed: 2144220039
[watchdog] 160404 iterations. [F:135848 S:24556]
ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x6 frozen
ata1.00: failed command: WRITE MULTIPLE
ata1.00: cmd c5/00:10:e0:40:24/00:00:00:00:00/e0 tag 0 pio 8192 out
res 40/00:01:00:4f:c2/00:00:00:00:00/a0 Emask 0x4 (timeout)
ata1.00: status: { DRDY }
[watchdog] 166576 iterations. [F:141185 S:25392]
[watchdog] 172524 iterations. [F:146267 S:26258]
Random reseed: 1091373698
ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x6 frozen
ata1.00: failed command: WRITE MULTIPLE
ata1.00: cmd c5/00:10:38:17:20/00:00:00:00:00/e0 tag 0 pio 8192 out
res 40/00:01:00:4f:c2/00:00:00:00:00/a0 Emask 0x4 (timeout)
ata1.00: status: { DRDY }
[watchdog] 179675 iterations. [F:152383 S:27292]
Random reseed: 1762103512
ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x6 frozen
ata1.00: failed command: WRITE MULTIPLE
ata1.00: cmd c5/00:10:50:17:20/00:00:00:00:00/e0 tag 0 pio 8192 out
res 40/00:01:00:4f:c2/00:00:00:00:00/a0 Emask 0x4 (timeout)
ata1.00: status: { DRDY }
[watchdog] 187834 iterations. [F:159349 S:28485]
ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x6 frozen
ata1.00: failed command: WRITE MULTIPLE
ata1.00: cmd c5/00:08:20:18:21/00:00:00:00:00/e0 tag 0 pio 4096 out
res 40/00:01:00:4f:c2/00:00:00:00:00/a0 Emask 0x4 (timeout)
ata1.00: status: { DRDY }
ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x6 frozen
ata1.00: failed command: WRITE MULTIPLE
ata1.00: cmd c5/00:08:00:41:24/00:00:00:00:00/e0 tag 0 pio 4096 out
res 40/00:01:00:4f:c2/00:00:00:00:00/a0 Emask 0x4 (timeout)
ata1.00: status: { DRDY }
acpi PNP0C0F:00: uevent: unknown action-string
[watchdog] 201026 iterations. [F:170684 S:30344]
[watchdog] 212233 iterations. [F:180303 S:31931]
ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x6 frozen
ata1.00: failed command: READ MULTIPLE
ata1.00: cmd c4/00:00:e8:d7:09/00:00:00:00:00/e0 tag 0 pio 131072 in
res 40/00:01:00:4f:c2/00:00:00:00:00/a0 Emask 0x4 (timeout)
ata1.00: status: { DRDY }
[watchdog] 217687 iterations. [F:184963 S:32725]
ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x6 frozen
ata1.00: failed command: WRITE MULTIPLE
ata1.00: cmd c5/00:08:e0:41:24/00:00:00:00:00/e0 tag 0 pio 4096 out
res 40/00:01:00:4f:c2/00:00:00:00:00/a0 Emask 0x4 (timeout)
ata1.00: status: { DRDY }
end_request: I/O error, dev sda, sector 4725064
Aborting journal on device sda3-8.
EXT4-fs error (device sda3): ext4_journal_check_start:56: Detected aborted journal
EXT4-fs (sda3): Remounting filesystem read-only
[watchdog] 218451 iterations. [F:185612 S:32840]
[watchdog] 218525 iterations. [F:185671 S:32854]
[watchdog] 220392 iterations. [F:187269 S:33124]
[watchdog] 226849 iterations. [F:192799 S:34051]
bdi 1:3: uevent: unknown action-string
[watchdog] 231280 iterations. [F:196597 S:34684]
bdi 1:3: uevent: unknown action-string
[watchdog] 234300 iterations. [F:199164 S:35137]
Random reseed: 677274216
ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x6 frozen
ata1.00: failed command: READ MULTIPLE
ata1.00: cmd c4/00:00:a0:07:07/00:00:00:00:00/e0 tag 0 pio 131072 in
res 40/00:01:00:4f:c2/00:00:00:00:00/a0 Emask 0x4 (timeout)
ata1.00: status: { DRDY }
Regenerating random pages, fd's etc.
------------[ cut here ]------------
kernel BUG at drivers/ata/libata-sff.c:1299!
invalid opcode: 0000 [#1] SMP
Modules linked in: snd_pcm_oss snd_pcm snd_page_alloc snd_timer snd_mixer_oss snd bridge stp llc 8021q sr_mod cdrom loop st ipt_ULOG nfnetlink iptable_mangle tg3 ptp pps_core i2c_piix4 i2c_core msr cpuid e1000 ipv6
CPU: 1 PID: 13 Comm: ksoftirqd/1 Not tainted 3.11.0-smp-DEV #7
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
task: ffff880035ae4a90 ti: ffff880035ae8000 task.ti: ffff880035ae8000
RIP: 0010:[<ffffffff81675e90>] [<ffffffff81675e90>] ata_sff_hsm_move+0x330/0xd30
RSP: 0018:ffff88003fd03cf0 EFLAGS: 00010097
RAX: 0000000000000000 RBX: 0000000000000050 RCX: ffff880000000000
RDX: 0000000000000000 RSI: 000000000657064c RDI: ffff880032b83263
RBP: ffff88003fd03d98 R08: 0000000000000001 R09: ffff880032b83260
R10: 0000000000000000 R11: 0000000000000001 R12: 00000000000003e8
R13: ffff880032b80108 R14: ffff880032b80258 R15: ffff880032b80100
FS: 0000000000000000(0000) GS:ffff88003fd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00000000082e6004 CR3: 000000000968a000 CR4: 00000000000006e0
Stack:
0000000000000009 ffff880023000af8 ffff880035ae4af8 ffff880035ae4a90
ffff880024fbc000 ffff880023000a90 ffff88003fd03d68 ffff880032b80304
ffffffff810d8b32 ffff880032b82158 ffff880032b80308 ffff880032b80280
Call Trace:
<IRQ>
[<ffffffff810d8b32>] ? asan_check_region.part.1+0xd2/0x230
[<ffffffff81676995>] __ata_sff_port_intr+0x105/0x230
[<ffffffff81676f3d>] ata_bmdma_port_intr+0x4d/0x1e0
[<ffffffff81677603>] ata_bmdma_interrupt+0x163/0x320
[<ffffffff816774a0>] ? ata_sff_tf_load+0x3d0/0x3d0
[<ffffffff81155eb3>] handle_irq_event_percpu+0x73/0x300
[<ffffffff810d8b32>] ? asan_check_region.part.1+0xd2/0x230
[<ffffffff811561bf>] handle_irq_event+0x7f/0xc0
[<ffffffff81159e83>] handle_edge_irq+0xf3/0x270
[<ffffffff8108018e>] handle_irq+0x2e/0x40
[<ffffffff818ed256>] do_IRQ+0x56/0xf0
[<ffffffff818deeea>] common_interrupt+0x6a/0x6a
<EOI>
[<ffffffff818de69e>] ? _raw_spin_unlock_irqrestore+0xe/0x10
[<ffffffff816663ce>] ata_scsi_queuecmd+0x25e/0x620
[<ffffffff81660f20>] ? ata_scsi_invalid_field+0x70/0x70
[<ffffffff815f03d7>] scsi_dispatch_cmd+0x1d7/0x4d0
[<ffffffff810d8ddb>] ? __tsan_write2+0x2b/0x30
[<ffffffff815fc2e0>] scsi_request_fn+0x690/0xa20
[<ffffffff8148737e>] __blk_run_queue+0x7e/0xb0
[<ffffffff81487427>] blk_run_queue+0x37/0x60
[<ffffffff815fb7fd>] scsi_run_queue+0x34d/0x540
[<ffffffff815fd28a>] scsi_next_command+0x4a/0x60
[<ffffffff815fd77d>] scsi_io_completion+0x46d/0x8e0
[<ffffffff815edda6>] scsi_finish_command+0x176/0x210
[<ffffffff815fd1df>] scsi_softirq_done+0x19f/0x1d0
[<ffffffff81493759>] blk_done_softirq+0x109/0x140
[<ffffffff810ea9bf>] __do_softirq+0x16f/0x380
[<ffffffff810eabd0>] ? __do_softirq+0x380/0x380
[<ffffffff810eabf8>] run_ksoftirqd+0x28/0x40
[<ffffffff811222a7>] smpboot_thread_fn+0x187/0x260
[<ffffffff81122120>] ? lg_local_lock+0x70/0x70
[<ffffffff81115a96>] kthread+0x126/0x130
[<ffffffff81115970>] ? kthread_create_on_node+0x1c0/0x1c0
[<ffffffff818eb49c>] ret_from_fork+0x7c/0xb0
[<ffffffff81115970>] ? kthread_create_on_node+0x1c0/0x1c0
Code: 41 0f b6 46 28 44 8b 45 b0 3c 06 0f 84 3a 05 00 00 3c 07 0f 84 ea 04 00 00 3c 05 0f 84 ba 04 00 00 0f 0b 0f 1f 84 00 00 00 00 00 <0f> 0b 66 0f 1f 44 00 00 f6 c3 08 0f 84 e1 08 00 00 f6 c3 21 0f
RIP [<ffffffff81675e90>] ata_sff_hsm_move+0x330/0xd30
RSP <ffff88003fd03cf0>
---[ end trace a9f787cd166583fd ]---
Kernel panic - not syncing: Fatal exception in interrupt
Shutting down cpus with NMI
Rebooting in 10 seconds..
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: Use-after-free in ata_qc_issue
2013-09-18 18:45 Use-after-free in ata_qc_issue Dmitry Vyukov
@ 2013-09-22 16:39 ` Tejun Heo
2013-09-22 18:24 ` Dmitry Vyukov
0 siblings, 1 reply; 7+ messages in thread
From: Tejun Heo @ 2013-09-22 16:39 UTC (permalink / raw)
To: Dmitry Vyukov
Cc: linux-ide, Andrey Konovalov, Kostya Serebryany, marc.ceeeee,
aaron.lu, linux-scsi, James E.J. Bottomley
(cc'ing SCSI people)
On Wed, Sep 18, 2013 at 11:45:22AM -0700, Dmitry Vyukov wrote:
> Hi!
>
> I am working on AddressSanitizer -- a tool that detects use-after-free
> and out-of-bounds bugs
> (https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel).
> Below is one of the bug reports that I got while running trinity
> syscall fuzzer. Kernel is built on revision
> d8efd82eece89f8a5790b0febf17522affe9e1f1.
> The report was followed by a bunch of similar use-after-free reports,
> and later the kernel crashed somewhere in ata subsystem. I've attached
> the full log.
>
>
> ERROR: AddressSanitizer: heap-use-after-free on address ffff880034fce000
> ffff880034fce000 is located 0 bytes inside of 256-byte region
> [ffff880034fce000, ffff880034fce100)
> READ of size 8 at ffff880034fce000 by thread T3645:
> #0 inlined (asan_report_error+0x3e7/0x500)
> asan_describe_heap_address ./arch/x86/mm/asan/report.c:191
> #0 ffffffff810d9af7 (asan_report_error+0x3e7/0x500)
> ./arch/x86/mm/asan/report.c:309
> #1 ffffffff810d8c12 (asan_check_region.part.1+0x1b2/0x230)
> ./arch/x86/mm/asan/asan.c:263
> #2 inlined (__tsan_read8+0x28/0x30) asan_check_region
> ./arch/x86/mm/asan/asan.c:276
> #2 ffffffff810d8d48 (__tsan_read8+0x28/0x30) ./arch/x86/mm/asan/asan.c:276
> #3 ffffffff814cc0ef (sg_next+0xf/0x40) ??:0
> #4 inlined (ata_qc_issue+0x2b4/0x740) dma_map_sg_attrs
> ./include/asm-generic/dma-mapping-common.h:50
> #4 inlined (ata_qc_issue+0x2b4/0x740) ata_sg_setup
> ./drivers/ata/libata-core.c:4707
> #4 ffffffff816574b4 (ata_qc_issue+0x2b4/0x740)
> ./drivers/ata/libata-core.c:5082
So, if I'm reading this right, it means that the sg list is used after
being freed? The sglist is directly from scsi_cmnd and use-after-free
there is likely to be quite noticeable. Any chance you guys aren't
following mempool based allocations correctly?
Thanks.
--
tejun
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Use-after-free in ata_qc_issue
2013-09-22 16:39 ` Tejun Heo
@ 2013-09-22 18:24 ` Dmitry Vyukov
2013-09-22 18:59 ` Dmitry Vyukov
0 siblings, 1 reply; 7+ messages in thread
From: Dmitry Vyukov @ 2013-09-22 18:24 UTC (permalink / raw)
To: Tejun Heo
Cc: linux-ide, Andrey Konovalov, Kostya Serebryany, Marc C, aaron.lu,
linux-scsi, James E.J. Bottomley
On Sun, Sep 22, 2013 at 9:39 AM, Tejun Heo <tj@kernel.org> wrote:
>
> (cc'ing SCSI people)
>
> On Wed, Sep 18, 2013 at 11:45:22AM -0700, Dmitry Vyukov wrote:
> > Hi!
> >
> > I am working on AddressSanitizer -- a tool that detects use-after-free
> > and out-of-bounds bugs
> > (https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel).
> > Below is one of the bug reports that I got while running trinity
> > syscall fuzzer. Kernel is built on revision
> > d8efd82eece89f8a5790b0febf17522affe9e1f1.
> > The report was followed by a bunch of similar use-after-free reports,
> > and later the kernel crashed somewhere in ata subsystem. I've attached
> > the full log.
> >
> >
> > ERROR: AddressSanitizer: heap-use-after-free on address ffff880034fce000
> > ffff880034fce000 is located 0 bytes inside of 256-byte region
> > [ffff880034fce000, ffff880034fce100)
> > READ of size 8 at ffff880034fce000 by thread T3645:
> > #0 inlined (asan_report_error+0x3e7/0x500)
> > asan_describe_heap_address ./arch/x86/mm/asan/report.c:191
> > #0 ffffffff810d9af7 (asan_report_error+0x3e7/0x500)
> > ./arch/x86/mm/asan/report.c:309
> > #1 ffffffff810d8c12 (asan_check_region.part.1+0x1b2/0x230)
> > ./arch/x86/mm/asan/asan.c:263
> > #2 inlined (__tsan_read8+0x28/0x30) asan_check_region
> > ./arch/x86/mm/asan/asan.c:276
> > #2 ffffffff810d8d48 (__tsan_read8+0x28/0x30) ./arch/x86/mm/asan/asan.c:276
> > #3 ffffffff814cc0ef (sg_next+0xf/0x40) ??:0
> > #4 inlined (ata_qc_issue+0x2b4/0x740) dma_map_sg_attrs
> > ./include/asm-generic/dma-mapping-common.h:50
> > #4 inlined (ata_qc_issue+0x2b4/0x740) ata_sg_setup
> > ./drivers/ata/libata-core.c:4707
> > #4 ffffffff816574b4 (ata_qc_issue+0x2b4/0x740)
> > ./drivers/ata/libata-core.c:5082
>
> So, if I'm reading this right, it means that the sg list is used after
> being freed?
Yes, that's correct.
First thread 3645 allocated the list in scsi_setup_fs_cmnd().
Then thread 1095 freed it in scsi_io_completion().
Then thread 3645 accessed the list in ata_scsi_queuecmd().
> The sglist is directly from scsi_cmnd and use-after-free
> there is likely to be quite noticeable.
Note that we've seen this only once during several weeks of running
trinity syscall fuzzer. So it's not something that happens all that
frequently. This may explain why it was not noticed before. Also a
use-after-free bug has some chances to silently corrupt heap and/or
read garbage, but still survive.
> Any chance you guys aren't
> following mempool based allocations correctly?
This is quite unlikely, I've looked at mempool code and I do not think
it can affect tool operation. We intercept kmalloc/kmem_cache_free,
poison the memory block and put it into a delay reuse queue. Then
watch for memory accesses that access poisoned memory ranges.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Use-after-free in ata_qc_issue
2013-09-22 18:24 ` Dmitry Vyukov
@ 2013-09-22 18:59 ` Dmitry Vyukov
2013-09-22 21:47 ` Tejun Heo
0 siblings, 1 reply; 7+ messages in thread
From: Dmitry Vyukov @ 2013-09-22 18:59 UTC (permalink / raw)
To: Tejun Heo
Cc: linux-ide, Andrey Konovalov, Kostya Serebryany, Marc C, aaron.lu,
linux-scsi, James E.J. Bottomley
On Sun, Sep 22, 2013 at 11:24 AM, Dmitry Vyukov <dvyukov@google.com> wrote:
> On Sun, Sep 22, 2013 at 9:39 AM, Tejun Heo <tj@kernel.org> wrote:
>>
>> (cc'ing SCSI people)
>>
>> On Wed, Sep 18, 2013 at 11:45:22AM -0700, Dmitry Vyukov wrote:
>> > Hi!
>> >
>> > I am working on AddressSanitizer -- a tool that detects use-after-free
>> > and out-of-bounds bugs
>> > (https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel).
>> > Below is one of the bug reports that I got while running trinity
>> > syscall fuzzer. Kernel is built on revision
>> > d8efd82eece89f8a5790b0febf17522affe9e1f1.
>> > The report was followed by a bunch of similar use-after-free reports,
>> > and later the kernel crashed somewhere in ata subsystem. I've attached
>> > the full log.
>> >
>> >
>> > ERROR: AddressSanitizer: heap-use-after-free on address ffff880034fce000
>> > ffff880034fce000 is located 0 bytes inside of 256-byte region
>> > [ffff880034fce000, ffff880034fce100)
>> > READ of size 8 at ffff880034fce000 by thread T3645:
>> > #0 inlined (asan_report_error+0x3e7/0x500)
>> > asan_describe_heap_address ./arch/x86/mm/asan/report.c:191
>> > #0 ffffffff810d9af7 (asan_report_error+0x3e7/0x500)
>> > ./arch/x86/mm/asan/report.c:309
>> > #1 ffffffff810d8c12 (asan_check_region.part.1+0x1b2/0x230)
>> > ./arch/x86/mm/asan/asan.c:263
>> > #2 inlined (__tsan_read8+0x28/0x30) asan_check_region
>> > ./arch/x86/mm/asan/asan.c:276
>> > #2 ffffffff810d8d48 (__tsan_read8+0x28/0x30) ./arch/x86/mm/asan/asan.c:276
>> > #3 ffffffff814cc0ef (sg_next+0xf/0x40) ??:0
>> > #4 inlined (ata_qc_issue+0x2b4/0x740) dma_map_sg_attrs
>> > ./include/asm-generic/dma-mapping-common.h:50
>> > #4 inlined (ata_qc_issue+0x2b4/0x740) ata_sg_setup
>> > ./drivers/ata/libata-core.c:4707
>> > #4 ffffffff816574b4 (ata_qc_issue+0x2b4/0x740)
>> > ./drivers/ata/libata-core.c:5082
>>
>> So, if I'm reading this right, it means that the sg list is used after
>> being freed?
>
> Yes, that's correct.
> First thread 3645 allocated the list in scsi_setup_fs_cmnd().
> Then thread 1095 freed it in scsi_io_completion().
> Then thread 3645 accessed the list in ata_scsi_queuecmd().
>
>
>> The sglist is directly from scsi_cmnd and use-after-free
>> there is likely to be quite noticeable.
>
> Note that we've seen this only once during several weeks of running
> trinity syscall fuzzer. So it's not something that happens all that
> frequently. This may explain why it was not noticed before. Also a
> use-after-free bug has some chances to silently corrupt heap and/or
> read garbage, but still survive.
>
>
>> Any chance you guys aren't
>> following mempool based allocations correctly?
>
> This is quite unlikely, I've looked at mempool code and I do not think
> it can affect tool operation. We intercept kmalloc/kmem_cache_free,
> poison the memory block and put it into a delay reuse queue. Then
> watch for memory accesses that access poisoned memory ranges.
I've noticed that free happens in scsi_error_handler thread, so maybe
a timeout or some other error condition is involved here.
It is possible that timeout happens while the request is still being
in process of submitting (in ata_scsi_queuecmd)?
Also the use-after-free access happens in:
for_each_sg(sg, s, nents, i)
kmemcheck_mark_initialized(sg_virt(s), s->length);
Is it possible that the special code added for kmemcheck touches
memory that it is not supposed to touch?
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Use-after-free in ata_qc_issue
2013-09-22 18:59 ` Dmitry Vyukov
@ 2013-09-22 21:47 ` Tejun Heo
2013-09-22 21:51 ` Dmitry Vyukov
0 siblings, 1 reply; 7+ messages in thread
From: Tejun Heo @ 2013-09-22 21:47 UTC (permalink / raw)
To: Dmitry Vyukov
Cc: linux-ide, Andrey Konovalov, Kostya Serebryany, Marc C, aaron.lu,
linux-scsi, James E.J. Bottomley
Hello,
On Sun, Sep 22, 2013 at 11:59:53AM -0700, Dmitry Vyukov wrote:
> I've noticed that free happens in scsi_error_handler thread, so maybe
> a timeout or some other error condition is involved here.
> It is possible that timeout happens while the request is still being
> in process of submitting (in ata_scsi_queuecmd)?
Yeah, could be. IIRC, there's still race condition in block / scsi
timeout handling. Hmmm...
--
tejun
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Use-after-free in ata_qc_issue
2013-09-22 21:47 ` Tejun Heo
@ 2013-09-22 21:51 ` Dmitry Vyukov
2013-09-23 13:43 ` Tejun Heo
0 siblings, 1 reply; 7+ messages in thread
From: Dmitry Vyukov @ 2013-09-22 21:51 UTC (permalink / raw)
To: Tejun Heo
Cc: linux-ide, Andrey Konovalov, Kostya Serebryany, Marc C, aaron.lu,
linux-scsi, James E.J. Bottomley
On Sun, Sep 22, 2013 at 2:47 PM, Tejun Heo <tj@kernel.org> wrote:
> Hello,
>
> On Sun, Sep 22, 2013 at 11:59:53AM -0700, Dmitry Vyukov wrote:
>> I've noticed that free happens in scsi_error_handler thread, so maybe
>> a timeout or some other error condition is involved here.
>> It is possible that timeout happens while the request is still being
>> in process of submitting (in ata_scsi_queuecmd)?
>
> Yeah, could be. IIRC, there's still race condition in block / scsi
> timeout handling. Hmmm...
Is there an open bug for this?
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Use-after-free in ata_qc_issue
2013-09-22 21:51 ` Dmitry Vyukov
@ 2013-09-23 13:43 ` Tejun Heo
0 siblings, 0 replies; 7+ messages in thread
From: Tejun Heo @ 2013-09-23 13:43 UTC (permalink / raw)
To: Dmitry Vyukov
Cc: linux-ide, Andrey Konovalov, Kostya Serebryany, Marc C, aaron.lu,
linux-scsi, James E.J. Bottomley
Hello,
On Sun, Sep 22, 2013 at 02:51:51PM -0700, Dmitry Vyukov wrote:
> > Yeah, could be. IIRC, there's still race condition in block / scsi
> > timeout handling. Hmmm...
>
> Is there an open bug for this?
Not that I know of. ISTR a couple threads about it. My memory is
quite hazy as usual but IIRC there's a race window between arming the
timer and the command issue path actually becoming ready for timer
going off and I wouldn't be suprised if there are other race
conditions around timeout / exception handling path. It kinda has
grown over time and I don't think anybody audited how the whole thing
fits and works together. :(
Thanks.
--
tejun
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2013-09-23 13:43 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-09-18 18:45 Use-after-free in ata_qc_issue Dmitry Vyukov
2013-09-22 16:39 ` Tejun Heo
2013-09-22 18:24 ` Dmitry Vyukov
2013-09-22 18:59 ` Dmitry Vyukov
2013-09-22 21:47 ` Tejun Heo
2013-09-22 21:51 ` Dmitry Vyukov
2013-09-23 13:43 ` Tejun Heo
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).