From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6F4B0316912 for ; Tue, 10 Feb 2026 10:44:11 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770720251; cv=none; b=CQy0BDcCqwz2ot5lEhnuzX09m9PfzN3h1tlZdF2lGFRS+zp4/hca7JcaATEiX6e1WxICvXLH/kyP56mCRpOvkblRhUb/rp15YW5dZT8cGOXBo6dARfD2ed60Mt7fHgm7VhrISNxttglqB/TXlQ/59bIgNOL6EPX8oLxVxOXRNao= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770720251; c=relaxed/simple; bh=0Nve/Oz5hS+k/lUI41SRanz17LEOLBwTG+UFX+E3ksk=; h=From:To:Cc:Subject:In-Reply-To:References:Date:Message-ID: MIME-Version:Content-Type; b=DOWd8TCfYLusVHsh7sQ3g5lbReRMyOKcXHDO8KYctKWZWqbQkJ918DBlMlZH8Yvhjq81bLKZrGXq8mdEiCQTwXfh2mneCPuO+jxtoh1pUuhvYgkv7c9z0n9vXONNVL2WJpgbulQzRWu9ZIwYcFUNwM2gj6sBaWIjJ8Pdk7GDSQ8= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=SLbSW3yd; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="SLbSW3yd" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 946C9C16AAE; Tue, 10 Feb 2026 10:44:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1770720251; bh=0Nve/Oz5hS+k/lUI41SRanz17LEOLBwTG+UFX+E3ksk=; h=From:To:Cc:Subject:In-Reply-To:References:Date:From; b=SLbSW3ydmpNvqY13x+4sA3hQSaLUqi8ZGISQQoUtApEYeLlPEQ1A5kmpdmXof5CuB M+L+bM5/4rg+tsKOMR9mGxKXx1ISV7ypHGhu2fuz154iDpKe63xCWXUJ0HYPF7+BuE Raj2odCrpjX3gyS5ko3VNj9qCc1It+CiEmqY0vVbEnaKzpTCl/CGMh6iJLWr+jNz7p 7caUWlO2eUIvSGCnsb8ZmVF1skLXkD4DhZ1IE40Npyp94pBC99VjQhB0LOI6yumudx hMPuh8cvyQa9kS1t1oQOC3qp5TZiLdbqcIGiNsafShprgSrg93VgME6HcvO8TwfFyu PGg2UCdCzql6g== From: Thomas Gleixner To: Shinichiro Kawasaki Cc: LKML , Ihor Solodrai , Shrikanth Hegde , Peter Zijlstra , Mathieu Desnoyers , Michael Jeanson , Andrey Ryabinin , Alexander Potapenko , kasan-dev@googlegroups.com Subject: Re: [patch V2 3/4] sched/mmcid: Drop per CPU CID immediately when switching to per task mode In-Reply-To: References: <20260201192234.380608594@kernel.org> <20260201192835.032221009@kernel.org> Date: Tue, 10 Feb 2026 11:44:07 +0100 Message-ID: <873438c1zc.ffs@tglx> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain On Tue, Feb 10 2026 at 07:33, Shinichiro Kawasaki wrote: > On Feb 02, 2026 / 10:39, Thomas Gleixner wrote: >> When a exiting task initiates the switch from per CPU back to per task >> mode, it has already dropped its CID and marked itself inactive. But a >> leftover from an earlier iteration of the rework then reassigns the per >> CPU CID to the exiting task with the transition bit set. >> >> That's wrong as the task is already marked CID inactive, which means it is >> inconsistent state. It's harmless because the CID is marked in transit and >> therefore dropped back into the pool when the exiting task schedules out >> either through preemption or the final schedule(). >> >> Simply drop the per CPU CID when the exiting task triggered the transition. >> >> Fixes: fbd0e71dc370 ("sched/mmcid: Provide CID ownership mode fixup functions") >> Signed-off-by: Thomas Gleixner >> Reviewed-by: Mathieu Desnoyers > > Hello all, > > While I evaluated v6.19 kernel, I observed a BUG KASAN. The KASAN is recreated > in stable manner by running the test case zbd/013 of blktests [1] on some of my > test systems. I bisected and found that this patch as the commit 007d84287c74 > triggered the KASAN. When I reverted this patch from v6.19 kernel, the KASAN > disappeared. Of note is that the KASAN symptom slightly varies for each run. I > observed KASAN slab-use-after-free [2], use-after-free [3] and slab-out-of- > bounds [4]. All those KASANs happened "in sched_mm_cid_exit". And none of them make any sense. The patch does: - mm_cid_transit_to_task(current, this_cpu_ptr(mm->mm_cid.pcpu)); + mm_drop_cid_on_cpu(mm, this_cpu_ptr(mm->mm_cid.pcpu)); Both access mm->mm_cid and mm->mm_cid.pcpu. mm is valid at that point as this is way before the task disconnects from the mm. The new code also accesses the CID bitmap which is at the end of mm_struct. But the subsequent mm_cid_fixup_cpus_to_tasks(mm) touches all of those too. So none of this makes any sense at all. > [ 65.768341] [ T1296] BUG: KASAN: slab-use-after-free in sched_mm_cid_exit+0x298/0x500 Can you please decode these symbols (file/line) so that we actually see which access is flagged by KASAN? Also .config and compiler version would be helpful. Keeping the splats below for the KASAN folks to digest. Thanks, tglx > Actions for fix will be appreciated. If I can help by trying trial some patches > on my test systems, please let me know. > > [1] https://github.com/linux-blktests/blktests > > [2] KASAN slab-use-after-free > > [ 64.540760] [ T1234] run blktests zbd/013 at 2026-02-10 11:06:48 > [ 64.638773] [ T1252] null_blk: disk nullb1 created > [ 64.749061] [ T1252] null_blk: nullb2: using native zone append > [ 64.764569] [ T1252] null_blk: disk nullb2 created > [ 65.767294] [ T1296] ================================================================== > [ 65.768341] [ T1296] BUG: KASAN: slab-use-after-free in sched_mm_cid_exit+0x298/0x500 > [ 65.769378] [ T1296] Write of size 8 at addr ffff888149792410 by task cryptsetup/1296 > > [ 65.770700] [ T1296] CPU: 1 UID: 0 PID: 1296 Comm: cryptsetup Not tainted 6.19.0 #571 PREEMPT(voluntary) > [ 65.770705] [ T1296] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-4.fc42 04/01/2014 > [ 65.770709] [ T1296] Call Trace: > [ 65.770711] [ T1296] > [ 65.770713] [ T1296] dump_stack_lvl+0x6a/0x90 > [ 65.770718] [ T1296] ? sched_mm_cid_exit+0x298/0x500 > [ 65.770721] [ T1296] print_report+0x170/0x4f3 > [ 65.770725] [ T1296] ? __virt_addr_valid+0x22e/0x4e0 > [ 65.770729] [ T1296] ? sched_mm_cid_exit+0x298/0x500 > [ 65.770732] [ T1296] kasan_report+0xad/0x150 > [ 65.770737] [ T1296] ? sched_mm_cid_exit+0x298/0x500 > [ 65.770742] [ T1296] kasan_check_range+0x115/0x1f0 > [ 65.770745] [ T1296] sched_mm_cid_exit+0x298/0x500 > [ 65.770750] [ T1296] do_exit+0x25e/0x24c0 > [ 65.770755] [ T1296] ? __pfx_do_exit+0x10/0x10 > [ 65.770758] [ T1296] ? lockdep_hardirqs_on+0x88/0x130 > [ 65.770761] [ T1296] ? entry_SYSCALL_64_after_hwframe+0x76/0x7e > [ 65.770764] [ T1296] ? do_syscall_64+0x1d7/0x540 > [ 65.770766] [ T1296] ? do_raw_spin_lock+0x124/0x260 > [ 65.770769] [ T1296] ? lock_acquire+0x180/0x300 > [ 65.770771] [ T1296] ? find_held_lock+0x2b/0x80 > [ 65.770775] [ T1296] __x64_sys_exit+0x3e/0x50 > [ 65.770780] [ T1296] x64_sys_call+0x14fe/0x1500 > [ 65.770784] [ T1296] do_syscall_64+0x95/0x540 > [ 65.770787] [ T1296] ? lockdep_hardirqs_on+0x88/0x130 > [ 65.770790] [ T1296] ? _raw_spin_unlock_irq+0x24/0x50 > [ 65.770792] [ T1296] ? _raw_spin_unlock_irq+0x34/0x50 > [ 65.770795] [ T1296] ? __x64_sys_rt_sigprocmask+0x23d/0x400 > [ 65.770798] [ T1296] ? __pfx___x64_sys_rt_sigprocmask+0x10/0x10 > [ 65.770800] [ T1296] ? rcu_nocb_unlock_irqrestore+0x87/0xb0 > [ 65.770804] [ T1296] ? rcu_do_batch+0x867/0xd90 > [ 65.770809] [ T1296] ? lockdep_hardirqs_on+0x88/0x130 > [ 65.770811] [ T1296] ? entry_SYSCALL_64_after_hwframe+0x76/0x7e > [ 65.770813] [ T1296] ? do_syscall_64+0x1d7/0x540 > [ 65.770816] [ T1296] ? __pfx_sched_clock_cpu+0x10/0x10 > [ 65.770819] [ T1296] ? lock_is_held_type+0xd5/0x140 > [ 65.770824] [ T1296] ? irqtime_account_irq+0xe4/0x330 > [ 65.770827] [ T1296] ? lockdep_softirqs_on+0xc3/0x140 > [ 65.770829] [ T1296] ? __irq_exit_rcu+0x126/0x240 > [ 65.770832] [ T1296] ? handle_softirqs+0x6c5/0x790 > [ 65.770836] [ T1296] ? __pfx_handle_softirqs+0x10/0x10 > [ 65.770839] [ T1296] ? irqtime_account_irq+0x1a2/0x330 > [ 65.770842] [ T1296] ? lockdep_hardirqs_on_prepare+0xce/0x1b0 > [ 65.770844] [ T1296] ? irqentry_exit+0xe2/0x6a0 > [ 65.770848] [ T1296] entry_SYSCALL_64_after_hwframe+0x76/0x7e > [ 65.770850] [ T1296] RIP: 0033:0x7f96978fef89 > [ 65.770854] [ T1296] Code: ff 31 c9 48 89 88 20 06 00 00 31 c0 87 07 83 e8 01 7f 19 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 31 ff b8 3c 00 00 00 0f 05 f5 89 95 74 ff ff ff e8 9a d0 ff ff 83 bd 74 ff ff ff 01 0f 85 > [ 65.770856] [ T1296] RSP: 002b:00007f9691de0d30 EFLAGS: 00000246 ORIG_RAX: 000000000000003c > [ 65.770861] [ T1296] RAX: ffffffffffffffda RBX: 00007f9691de16c0 RCX: 00007f96978fef89 > [ 65.770863] [ T1296] RDX: 0000000000000000 RSI: 0000000000800000 RDI: 0000000000000000 > [ 65.770865] [ T1296] RBP: 00007f9691de0df0 R08: 0000000015fc5864 R09: 0000000000000000 > [ 65.770866] [ T1296] R10: 0000000000000008 R11: 0000000000000246 R12: 00007f9691de16c0 > [ 65.770867] [ T1296] R13: 00007fff8d18af10 R14: 00007f9691de1cdc R15: 00007fff8d18b017 > [ 65.770875] [ T1296] > > [ 65.805902] [ T1296] Allocated by task 668: > [ 65.806662] [ T1296] kasan_save_stack+0x2c/0x50 > [ 65.807400] [ T1296] kasan_save_track+0x10/0x30 > [ 65.808130] [ T1296] __kasan_slab_alloc+0x7a/0x90 > [ 65.808842] [ T1296] kmem_cache_alloc_noprof+0x238/0x7a0 > [ 65.809569] [ T1296] getname_flags.part.0+0x48/0x4d0 > [ 65.810280] [ T1296] do_sys_openat2+0xa8/0x180 > [ 65.810972] [ T1296] __x64_sys_openat+0x10a/0x200 > [ 65.811637] [ T1296] do_syscall_64+0x95/0x540 > [ 65.812267] [ T1296] entry_SYSCALL_64_after_hwframe+0x76/0x7e > > [ 65.813538] [ T1296] Freed by task 668: > [ 65.814189] [ T1296] kasan_save_stack+0x2c/0x50 > [ 65.814884] [ T1296] kasan_save_track+0x10/0x30 > [ 65.815545] [ T1296] kasan_save_free_info+0x37/0x70 > [ 65.816318] [ T1296] __kasan_slab_free+0x67/0x80 > [ 65.817002] [ T1296] kmem_cache_free+0x1ae/0x6d0 > [ 65.817700] [ T1296] audit_reset_context+0x3c7/0xeb0 > [ 65.818401] [ T1296] syscall_exit_work+0x17f/0x1b0 > [ 65.819124] [ T1296] do_syscall_64+0x2fe/0x540 > [ 65.819812] [ T1296] entry_SYSCALL_64_after_hwframe+0x76/0x7e > > [ 65.821100] [ T1296] The buggy address belongs to the object at ffff888149792200 > which belongs to the cache names_cache of size 4096 > [ 65.822824] [ T1296] The buggy address is located 528 bytes inside of > freed 4096-byte region [ffff888149792200, ffff888149793200) > > [ 65.825027] [ T1296] The buggy address belongs to the physical page: > [ 65.825856] [ T1296] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x149790 > [ 65.826846] [ T1296] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 > [ 65.827840] [ T1296] flags: 0x17ffffc0000040(head|node=0|zone=2|lastcpupid=0x1fffff) > [ 65.828768] [ T1296] page_type: f5(slab) > [ 65.829405] [ T1296] raw: 0017ffffc0000040 ffff888100902b40 ffffea0005314600 dead000000000002 > [ 65.830402] [ T1296] raw: 0000000000000000 0000000000070007 00000000f5000000 0000000000000000 > [ 65.831493] [ T1296] head: 0017ffffc0000040 ffff888100902b40 ffffea0005314600 dead000000000002 > [ 65.832644] [ T1296] head: 0000000000000000 0000000000070007 00000000f5000000 0000000000000000 > [ 65.833723] [ T1296] head: 0017ffffc0000003 ffffea000525e401 00000000ffffffff 00000000ffffffff > [ 65.834798] [ T1296] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 > [ 65.835827] [ T1296] page dumped because: kasan: bad access detected > > [ 65.837253] [ T1296] Memory state around the buggy address: > [ 65.838039] [ T1296] ffff888149792300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > [ 65.838991] [ T1296] ffff888149792380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > [ 65.839939] [ T1296] >ffff888149792400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > [ 65.840894] [ T1296] ^ > [ 65.841569] [ T1296] ffff888149792480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > [ 65.842554] [ T1296] ffff888149792500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > [ 65.843504] [ T1296] ================================================================== > [ 65.844500] [ T1296] Disabling lock debugging due to kernel taint > [ 71.925834] [ T1650] device-mapper: zone: dm-0 using emulated zone append > [ 72.474170] [ C1] hrtimer: interrupt took 1119829 ns > > [3] KASAN use-after-free > > [ 145.885127] [ T1246] run blktests zbd/013 at 2026-02-10 10:57:04 > [ 145.985394] [ T1264] null_blk: disk nullb1 created > [ 146.091908] [ T1264] null_blk: nullb2: using native zone append > [ 146.106425] [ T1264] null_blk: disk nullb2 created > [ 147.822863] [ T1479] ================================================================== > [ 147.823592] [ T1479] BUG: KASAN: use-after-free in sched_mm_cid_exit+0x298/0x500 > [ 147.824479] [ T1479] Write of size 8 at addr ffff8881185cb050 by task cryptsetup/1479 > > [ 147.825468] [ T1479] CPU: 2 UID: 0 PID: 1479 Comm: cryptsetup Not tainted 6.19.0 #571 PREEMPT(voluntary) > [ 147.825472] [ T1479] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-4.fc42 04/01/2014 > [ 147.825476] [ T1479] Call Trace: > [ 147.825478] [ T1479] > [ 147.825480] [ T1479] dump_stack_lvl+0x6a/0x90 > [ 147.825484] [ T1479] ? sched_mm_cid_exit+0x298/0x500 > [ 147.825487] [ T1479] print_report+0x170/0x4f3 > [ 147.825490] [ T1479] ? __virt_addr_valid+0x22e/0x4e0 > [ 147.825494] [ T1479] ? sched_mm_cid_exit+0x298/0x500 > [ 147.825496] [ T1479] kasan_report+0xad/0x150 > [ 147.825500] [ T1479] ? sched_mm_cid_exit+0x298/0x500 > [ 147.825504] [ T1479] kasan_check_range+0x115/0x1f0 > [ 147.825507] [ T1479] sched_mm_cid_exit+0x298/0x500 > [ 147.825510] [ T1479] do_exit+0x25e/0x24c0 > [ 147.825514] [ T1479] ? lockdep_hardirqs_on+0x88/0x130 > [ 147.825517] [ T1479] ? __pfx_do_exit+0x10/0x10 > [ 147.825520] [ T1479] ? irqtime_account_irq+0xe4/0x330 > [ 147.825524] [ T1479] __x64_sys_exit+0x3e/0x50 > [ 147.825526] [ T1479] x64_sys_call+0x14fe/0x1500 > [ 147.825529] [ T1479] do_syscall_64+0x95/0x540 > [ 147.825531] [ T1479] ? __pfx_handle_softirqs+0x10/0x10 > [ 147.825534] [ T1479] ? irqtime_account_irq+0x1a2/0x330 > [ 147.825536] [ T1479] ? lockdep_hardirqs_on_prepare+0xce/0x1b0 > [ 147.825539] [ T1479] ? irqentry_exit+0xe2/0x6a0 > [ 147.825542] [ T1479] entry_SYSCALL_64_after_hwframe+0x76/0x7e > [ 147.825544] [ T1479] RIP: 0033:0x7f505e211f89 > [ 147.825547] [ T1479] Code: ff 31 c9 48 89 88 20 06 00 00 31 c0 87 07 83 e8 01 7f 19 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 31 ff b8 3c 00 00 00 0f 05 f5 89 95 74 ff ff ff e8 9a d0 ff ff 83 bd 74 ff ff ff 01 0f 85 > [ 147.825549] [ T1479] RSP: 002b:00007f50585fbd30 EFLAGS: 00000246 ORIG_RAX: 000000000000003c > [ 147.825553] [ T1479] RAX: ffffffffffffffda RBX: 00007f50585fc6c0 RCX: 00007f505e211f89 > [ 147.825555] [ T1479] RDX: 0000000000000000 RSI: 0000000000800000 RDI: 0000000000000000 > [ 147.825556] [ T1479] RBP: 00007f50585fbdf0 R08: 00005566eb14ea20 R09: 00005566eb14ea38 > [ 147.825558] [ T1479] R10: 0000000000000008 R11: 0000000000000246 R12: 00007f50585fc6c0 > [ 147.825559] [ T1479] R13: 00007fff4289e220 R14: 00007f50585fccdc R15: 00007fff4289e327 > [ 147.825564] [ T1479] > > [ 147.844213] [ T1479] The buggy address belongs to the physical page: > [ 147.845137] [ T1479] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x10 pfn:0x1185cb > [ 147.846323] [ T1479] flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff) > [ 147.847389] [ T1479] raw: 0017ffffc0000000 dead000000000100 dead000000000122 0000000000000000 > [ 147.848662] [ T1479] raw: 0000000000000010 0000000000000000 00000000ffffffff 0000000000000000 > [ 147.849887] [ T1479] page dumped because: kasan: bad access detected > > [ 147.851495] [ T1479] Memory state around the buggy address: > [ 147.852479] [ T1479] ffff8881185caf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff > [ 147.853600] [ T1479] ffff8881185caf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff > [ 147.854690] [ T1479] >ffff8881185cb000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff > [ 147.855852] [ T1479] ^ > [ 147.856798] [ T1479] ffff8881185cb080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff > [ 147.857855] [ T1479] ffff8881185cb100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff > [ 147.858857] [ T1479] ================================================================== > [ 147.859888] [ T1479] Disabling lock debugging due to kernel taint > [ 153.349607] [ T1982] device-mapper: zone: dm-0 using emulated zone append > [ 153.715923] [ C3] hrtimer: interrupt took 475570 ns > [ 282.408372] [ T3034] null_blk: disk nullb0 created > [ 282.409360] [ T3034] null_blk: module loaded > > [4] KASAN slab-out-of-bounds > > Feb 09 15:14:28 testnode2 unknown: run blktests zbd/013 at 2026-02-09 15:14:28 > Feb 09 15:14:28 testnode2 kernel: null_blk: disk nullb1 created > Feb 09 15:14:28 testnode2 kernel: null_blk: nullb2: using native zone append > Feb 09 15:14:28 testnode2 kernel: null_blk: disk nullb2 created > Feb 09 15:14:29 testnode2 kernel: ================================================================== > Feb 09 15:14:29 testnode2 kernel: BUG: KASAN: slab-out-of-bounds in sched_mm_cid_exit+0x298/0x500 > Feb 09 15:14:29 testnode2 kernel: Write of size 8 at addr ffff8881580db050 by task cryptsetup/136938 > Feb 09 15:14:29 testnode2 kernel: > Feb 09 15:14:29 testnode2 kernel: CPU: 3 UID: 0 PID: 136938 Comm: cryptsetup Not tainted 6.19.0 #571 PREEMPT(voluntary) > Feb 09 15:14:29 testnode2 kernel: Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-4.fc42 04/01/2014 > Feb 09 15:14:29 testnode2 kernel: Call Trace: > Feb 09 15:14:29 testnode2 kernel: > Feb 09 15:14:29 testnode2 kernel: dump_stack_lvl+0x6a/0x90 > Feb 09 15:14:29 testnode2 kernel: ? sched_mm_cid_exit+0x298/0x500 > Feb 09 15:14:29 testnode2 kernel: print_report+0x170/0x4f3 > Feb 09 15:14:29 testnode2 kernel: ? __virt_addr_valid+0x22e/0x4e0 > Feb 09 15:14:29 testnode2 kernel: ? sched_mm_cid_exit+0x298/0x500 > Feb 09 15:14:29 testnode2 kernel: kasan_report+0xad/0x150 > Feb 09 15:14:29 testnode2 kernel: ? sched_mm_cid_exit+0x298/0x500 > Feb 09 15:14:29 testnode2 kernel: kasan_check_range+0x115/0x1f0 > Feb 09 15:14:29 testnode2 kernel: sched_mm_cid_exit+0x298/0x500 > Feb 09 15:14:29 testnode2 kernel: do_exit+0x25e/0x24c0 > Feb 09 15:14:29 testnode2 kernel: ? __pfx_do_exit+0x10/0x10 > Feb 09 15:14:29 testnode2 kernel: ? rcu_is_watching+0x11/0xb0 > Feb 09 15:14:29 testnode2 kernel: __x64_sys_exit+0x3e/0x50 > Feb 09 15:14:29 testnode2 kernel: x64_sys_call+0x14fe/0x1500 > Feb 09 15:14:29 testnode2 kernel: do_syscall_64+0x95/0x540 > Feb 09 15:14:29 testnode2 kernel: ? sched_tick+0x330/0x960 > Feb 09 15:14:29 testnode2 kernel: ? rcu_is_watching+0x11/0xb0 > Feb 09 15:14:29 testnode2 kernel: ? trace_hardirqs_on_prepare+0xfd/0x130 > Feb 09 15:14:29 testnode2 kernel: ? do_syscall_64+0x1d7/0x540 > Feb 09 15:14:29 testnode2 kernel: ? do_futex+0x1bf/0x210 > Feb 09 15:14:29 testnode2 kernel: ? __pfx_do_futex+0x10/0x10 > Feb 09 15:14:29 testnode2 kernel: ? rcu_is_watching+0x11/0xb0 > Feb 09 15:14:29 testnode2 kernel: ? profile_tick+0x18/0x90 > Feb 09 15:14:29 testnode2 kernel: ? __x64_sys_futex+0x22f/0x4a0 > Feb 09 15:14:29 testnode2 kernel: ? __pfx_do_raw_spin_lock+0x10/0x10 > Feb 09 15:14:29 testnode2 kernel: ? lock_release+0x242/0x2f0 > Feb 09 15:14:29 testnode2 kernel: ? __pfx___x64_sys_futex+0x10/0x10 > Feb 09 15:14:29 testnode2 kernel: ? timerqueue_add+0x207/0x3c0 > Feb 09 15:14:29 testnode2 kernel: ? enqueue_hrtimer+0x1f0/0x290 > Feb 09 15:14:29 testnode2 kernel: ? sched_clock_cpu+0x65/0x5c0 > Feb 09 15:14:29 testnode2 kernel: ? rcu_is_watching+0x11/0xb0 > Feb 09 15:14:29 testnode2 kernel: ? trace_hardirqs_on_prepare+0xfd/0x130 > Feb 09 15:14:29 testnode2 kernel: ? do_syscall_64+0x1d7/0x540 > Feb 09 15:14:29 testnode2 kernel: ? lock_release+0x242/0x2f0 > Feb 09 15:14:29 testnode2 kernel: ? rcu_is_watching+0x11/0xb0 > Feb 09 15:14:29 testnode2 kernel: ? trace_hardirqs_on+0x14/0x140 > Feb 09 15:14:29 testnode2 kernel: ? kvm_sched_clock_read+0xd/0x20 > Feb 09 15:14:29 testnode2 kernel: ? sched_clock+0xc/0x30 > Feb 09 15:14:29 testnode2 kernel: ? sched_clock_cpu+0x65/0x5c0 > Feb 09 15:14:29 testnode2 kernel: ? irqtime_account_irq+0xe4/0x330 > Feb 09 15:14:29 testnode2 kernel: ? kvm_sched_clock_read+0xd/0x20 > Feb 09 15:14:29 testnode2 kernel: ? sched_clock+0xc/0x30 > Feb 09 15:14:29 testnode2 kernel: ? sched_clock_cpu+0x65/0x5c0 > Feb 09 15:14:29 testnode2 kernel: ? __pfx_sched_clock_cpu+0x10/0x10 > Feb 09 15:14:29 testnode2 kernel: ? flush_tlb_func+0xb5/0x760 > Feb 09 15:14:29 testnode2 kernel: ? irqtime_account_irq+0x1a2/0x330 > Feb 09 15:14:29 testnode2 kernel: ? rcu_is_watching+0x11/0xb0 > Feb 09 15:14:29 testnode2 kernel: ? trace_hardirqs_on_prepare+0xfd/0x130 > Feb 09 15:14:29 testnode2 kernel: ? irqentry_exit+0xe2/0x6a0 > Feb 09 15:14:29 testnode2 kernel: entry_SYSCALL_64_after_hwframe+0x76/0x7e > Feb 09 15:14:29 testnode2 kernel: RIP: 0033:0x7fca4fbf5f89 > Feb 09 15:14:29 testnode2 kernel: Code: ff 31 c9 48 89 88 20 06 00 00 31 c0 87 07 83 e8 01 7f 19 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 31 ff b8 3c 00 00 00 0f 05 f5 89 95 74 ff ff ff e8 9a d0 ff ff 83 bd 74 ff ff ff 01 0f 85 > Feb 09 15:14:29 testnode2 kernel: RSP: 002b:00007fca497fad30 EFLAGS: 00000246 ORIG_RAX: 000000000000003c > Feb 09 15:14:29 testnode2 kernel: RAX: ffffffffffffffda RBX: 00007fca497fb6c0 RCX: 00007fca4fbf5f89 > Feb 09 15:14:29 testnode2 kernel: RDX: 0000000000000000 RSI: 0000000000800000 RDI: 0000000000000000 > Feb 09 15:14:29 testnode2 kernel: RBP: 00007fca497fadf0 R08: 0000557abe711cb0 R09: 0000557abe711cc8 > Feb 09 15:14:29 testnode2 kernel: R10: 0000000000000008 R11: 0000000000000246 R12: 00007fca497fb6c0 > Feb 09 15:14:29 testnode2 kernel: R13: 00007ffc5119c9c0 R14: 00007fca497fbcdc R15: 00007ffc5119cac7 > Feb 09 15:14:29 testnode2 kernel: > Feb 09 15:14:29 testnode2 kernel: > Feb 09 15:14:29 testnode2 kernel: Allocated by task 136663: > Feb 09 15:14:29 testnode2 kernel: kasan_save_stack+0x2c/0x50 > Feb 09 15:14:29 testnode2 kernel: kasan_save_track+0x10/0x30 > Feb 09 15:14:29 testnode2 kernel: __kasan_slab_alloc+0x7a/0x90 > Feb 09 15:14:29 testnode2 kernel: kmem_cache_alloc_noprof+0x238/0x7a0 > Feb 09 15:14:29 testnode2 kernel: mempool_alloc_noprof+0x150/0x250 > Feb 09 15:14:29 testnode2 kernel: bio_alloc_bioset+0x1d7/0x720 > Feb 09 15:14:29 testnode2 kernel: blkdev_direct_IO+0x3a7/0x1f40 > Feb 09 15:14:29 testnode2 kernel: blkdev_write_iter+0x52b/0xba0 > Feb 09 15:14:29 testnode2 kernel: aio_write+0x33a/0x7c0 > Feb 09 15:14:29 testnode2 kernel: io_submit_one+0xd97/0x1a00 > Feb 09 15:14:29 testnode2 kernel: __x64_sys_io_submit+0x15d/0x2b0 > Feb 09 15:14:29 testnode2 kernel: do_syscall_64+0x95/0x540 > Feb 09 15:14:29 testnode2 kernel: entry_SYSCALL_64_after_hwframe+0x76/0x7e > Feb 09 15:14:29 testnode2 kernel: > Feb 09 15:14:29 testnode2 kernel: Freed by task 37: > Feb 09 15:14:29 testnode2 kernel: kasan_save_stack+0x2c/0x50 > Feb 09 15:14:29 testnode2 kernel: kasan_save_track+0x10/0x30 > Feb 09 15:14:29 testnode2 kernel: kasan_save_free_info+0x37/0x70 > Feb 09 15:14:29 testnode2 kernel: __kasan_slab_free+0x67/0x80 > Feb 09 15:14:29 testnode2 kernel: slab_free_after_rcu_debug+0xf5/0x200 > Feb 09 15:14:29 testnode2 kernel: rcu_do_batch+0x37a/0xd90 > Feb 09 15:14:29 testnode2 kernel: rcu_core+0x6f1/0xad0 > Feb 09 15:14:29 testnode2 kernel: handle_softirqs+0x1ee/0x790 > Feb 09 15:14:29 testnode2 kernel: run_ksoftirqd+0x3b/0x60 > Feb 09 15:14:29 testnode2 kernel: smpboot_thread_fn+0x2fd/0x9a0 > Feb 09 15:14:29 testnode2 kernel: kthread+0x3af/0x770 > Feb 09 15:14:29 testnode2 kernel: ret_from_fork+0x55c/0x810 > Feb 09 15:14:29 testnode2 kernel: ret_from_fork_asm+0x1a/0x30 > Feb 09 15:14:29 testnode2 kernel: > Feb 09 15:14:29 testnode2 kernel: Last potentially related work creation: > Feb 09 15:14:29 testnode2 kernel: kasan_save_stack+0x2c/0x50 > Feb 09 15:14:29 testnode2 kernel: kasan_record_aux_stack+0xac/0xc0 > Feb 09 15:14:29 testnode2 kernel: kmem_cache_free+0x4af/0x6d0 > Feb 09 15:14:29 testnode2 kernel: mempool_free+0xbe/0x110 > Feb 09 15:14:29 testnode2 kernel: blk_update_request+0x443/0x1190 > Feb 09 15:14:29 testnode2 kernel: scsi_end_request+0x70/0x7b0 > Feb 09 15:14:29 testnode2 kernel: scsi_io_completion+0xea/0x1440 > Feb 09 15:14:29 testnode2 kernel: blk_complete_reqs+0xa8/0x120 > Feb 09 15:14:29 testnode2 kernel: handle_softirqs+0x1ee/0x790 > Feb 09 15:14:29 testnode2 kernel: run_ksoftirqd+0x3b/0x60 > Feb 09 15:14:29 testnode2 kernel: smpboot_thread_fn+0x2fd/0x9a0 > Feb 09 15:14:29 testnode2 kernel: kthread+0x3af/0x770 > Feb 09 15:14:29 testnode2 kernel: ret_from_fork+0x55c/0x810 > Feb 09 15:14:29 testnode2 kernel: ret_from_fork_asm+0x1a/0x30 > Feb 09 15:14:29 testnode2 kernel: > Feb 09 15:14:29 testnode2 kernel: The buggy address belongs to the object at ffff8881580daf00 > which belongs to the cache bio-264 of size 264 > Feb 09 15:14:29 testnode2 kernel: The buggy address is located 72 bytes to the right of > allocated 264-byte region [ffff8881580daf00, ffff8881580db008) > Feb 09 15:14:29 testnode2 kernel: > Feb 09 15:14:29 testnode2 kernel: The buggy address belongs to the physical page: > Feb 09 15:14:29 testnode2 kernel: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1580da > Feb 09 15:14:29 testnode2 kernel: head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 > Feb 09 15:14:29 testnode2 kernel: flags: 0x17ffffc0000040(head|node=0|zone=2|lastcpupid=0x1fffff) > Feb 09 15:14:29 testnode2 kernel: page_type: f5(slab) > Feb 09 15:14:29 testnode2 kernel: raw: 0017ffffc0000040 ffff88810536c500 dead000000000122 0000000000000000 > Feb 09 15:14:29 testnode2 kernel: raw: 0000000000000000 0000000000150015 00000000f5000000 0000000000000000 > Feb 09 15:14:29 testnode2 kernel: head: 0017ffffc0000040 ffff88810536c500 dead000000000122 0000000000000000 > Feb 09 15:14:29 testnode2 kernel: head: 0000000000000000 0000000000150015 00000000f5000000 0000000000000000 > Feb 09 15:14:29 testnode2 kernel: head: 0017ffffc0000001 ffffea0005603681 00000000ffffffff 00000000ffffffff > Feb 09 15:14:29 testnode2 kernel: head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 > Feb 09 15:14:29 testnode2 kernel: page dumped because: kasan: bad access detected > Feb 09 15:14:29 testnode2 kernel: > Feb 09 15:14:29 testnode2 kernel: Memory state around the buggy address: > Feb 09 15:14:29 testnode2 kernel: ffff8881580daf00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > Feb 09 15:14:29 testnode2 kernel: ffff8881580daf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > Feb 09 15:14:29 testnode2 kernel: >ffff8881580db000: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc > Feb 09 15:14:29 testnode2 kernel: ^ > Feb 09 15:14:29 testnode2 kernel: ffff8881580db080: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > Feb 09 15:14:29 testnode2 kernel: ffff8881580db100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > Feb 09 15:14:29 testnode2 kernel: ================================================================== > Feb 09 15:14:34 testnode2 kernel: device-mapper: zone: dm-0 using emulated zone append > Feb 09 15:16:09 testnode2 kernel: null_blk: disk nullb0 created > Feb 09 15:16:09 testnode2 kernel: null_blk: module loaded