Re: v4.20-rc6: Sporadic use-after-free in bt_iter()

On Wed, 2018-12-19 at 16:27 -0700, Jens Axboe wrote:
> On 12/19/18 4:24 PM, Bart Van Assche wrote:
> > Hello,
> > 
> > If I run the srp blktests in a loop then I see the below call stack appearing
> > sporadically. I have not yet had the time to analyze this but I'm reporting
> > this here in case someone else would already have had a look at this.
> > 
> > Bart.
> > 
> > ==================================================================
> > BUG: KASAN: use-after-free in bt_iter+0x86/0xf0
> > Read of size 8 at addr ffff88803b335240 by task fio/21412
> > 
> > CPU: 0 PID: 21412 Comm: fio Tainted: G        W         4.20.0-rc6-dbg+ #3
> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
> > Call Trace:
> >  dump_stack+0x86/0xca
> >  print_address_description+0x71/0x239
> >  kasan_report.cold.5+0x242/0x301
> >  __asan_load8+0x54/0x90
> >  bt_iter+0x86/0xf0
> >  blk_mq_queue_tag_busy_iter+0x373/0x5e0
> >  blk_mq_in_flight+0x96/0xb0
> >  part_in_flight+0x40/0x140
> >  part_round_stats+0x18e/0x370
> >  blk_account_io_start+0x3d7/0x670
> >  blk_mq_bio_to_request+0x19c/0x3a0
> >  blk_mq_make_request+0x7a9/0xcb0
> >  generic_make_request+0x41d/0x960
> >  submit_bio+0x9b/0x250
> >  do_blockdev_direct_IO+0x435c/0x4c70
> >  __blockdev_direct_IO+0x79/0x88
> >  ext4_direct_IO+0x46c/0xc00
> >  generic_file_direct_write+0x119/0x210
> >  __generic_file_write_iter+0x11c/0x280
> >  ext4_file_write_iter+0x1b8/0x6f0
> >  aio_write+0x204/0x310
> >  io_submit_one+0x9d3/0xe80
> >  __x64_sys_io_submit+0x115/0x340
> >  do_syscall_64+0x71/0x210
> >  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > RIP: 0033:0x7f02cf043219
> 
> I've seen this one before as well, it's not a new thing. As far as I can
> tell, it's a false positive. There should be no possibility for a
> use-after-free iterating the static tags/requests.

Are you sure this is a false positive? I have not yet encountered any false
positive KASAN complaints. According to the following gdb output this complaint
refers to reading rq->q:

(gdb) list *(bt_iter+0x86)
0xffffffff816b9346 is in bt_iter (block/blk-mq-tag.c:237).
232
233             /*
234              * We can hit rq == NULL here, because the tagging functions
235              * test and set the bit before assigning ->rqs[].
236              */
237             if (rq && rq->q == hctx->queue)
238                     iter_data->fn(hctx, rq, iter_data->data, reserved);
239             return true;
240     }
241

From the disassembly output:

232
233             /*
234              * We can hit rq == NULL here, because the tagging functions
235              * test and set the bit before assigning ->rqs[].
236              */
237             if (rq && rq->q == hctx->queue)
   0xffffffff816b9339 <+121>:   test   %r12,%r12
   0xffffffff816b933c <+124>:   je     0xffffffff816b935f <bt_iter+159>
   0xffffffff816b933e <+126>:   mov    %r12,%rdi
   0xffffffff816b9341 <+129>:   callq  0xffffffff813bd3e0 <__asan_load8>
   0xffffffff816b9346 <+134>:   lea    0x138(%r13),%rdi
   0xffffffff816b934d <+141>:   mov    (%r12),%r14
   0xffffffff816b9351 <+145>:   callq  0xffffffff813bd3e0 <__asan_load8>
   0xffffffff816b9356 <+150>:   cmp    0x138(%r13),%r14
   0xffffffff816b935d <+157>:   je     0xffffffff816b936f <bt_iter+175>

BTW, rq may but does not have to refer to tags->static_rqs[...]. It may also
refer to hctx->fq.flush_rq.

Bart.
