==================================================================
BUG: KASAN: use-after-free in d_inode include/linux/dcache.h:522 [inline]
BUG: KASAN: use-after-free in relay_switch_subbuf+0x8d1/0x940 kernel/relay.c:761
Read of size 8 at addr ffff88803a3ce938 by task kworker/0:1H/69

CPU: 0 PID: 69 Comm: kworker/0:1H Not tainted 5.10.105 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Workqueue: kblockd blk_mq_run_work_fn
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:118
 print_address_description.constprop.0+0x1c/0x210 mm/kasan/report.c:385
 __kasan_report mm/kasan/report.c:545 [inline]
 kasan_report.cold+0x37/0x7c mm/kasan/report.c:562
 d_inode include/linux/dcache.h:522 [inline]
 relay_switch_subbuf+0x8d1/0x940 kernel/relay.c:761
 relay_reserve include/linux/relay.h:261 [inline]
 trace_note.constprop.0+0x42f/0x550 kernel/trace/blktrace.c:95
 trace_note_tsk kernel/trace/blktrace.c:126 [inline]
 __blk_add_trace.constprop.0+0xa7a/0xbd0 kernel/trace/blktrace.c:266
 blk_add_trace_rq.constprop.0+0x362/0x470 kernel/trace/blktrace.c:844
 trace_block_rq_issue include/trace/events/block.h:207 [inline]
 blk_mq_start_request+0x20d/0x480 block/blk-mq.c:734
 scsi_queue_rq+0x1059/0x2920 drivers/scsi/scsi_lib.c:1686
 blk_mq_dispatch_rq_list+0x36d/0x1be0 block/blk-mq.c:1369
 __blk_mq_do_dispatch_sched+0x3bf/0x8e0 block/blk-mq-sched.c:187
 blk_mq_do_dispatch_sched block/blk-mq-sched.c:200 [inline]
 __blk_mq_sched_dispatch_requests+0x361/0x490 block/blk-mq-sched.c:316
 blk_mq_sched_dispatch_requests+0xfb/0x180 block/blk-mq-sched.c:342
 __blk_mq_run_hw_queue+0x12c/0x290 block/blk-mq.c:1517
 blk_mq_run_work_fn+0x55/0x70 block/blk-mq.c:1795
 process_one_work+0x9a9/0x1590 kernel/workqueue.c:2279
 worker_thread+0x61d/0x1310 kernel/workqueue.c:2425
 kthread+0x38f/0x470 kernel/kthread.c:313
 ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:296

Allocated by task 496940:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:461
 slab_post_alloc_hook mm/slab.h:532 [inline]
 slab_alloc_node mm/slub.c:2896 [inline]
 slab_alloc mm/slub.c:2904 [inline]
 kmem_cache_alloc+0x13b/0x350 mm/slub.c:2909
 __d_alloc+0x2a/0x990 fs/dcache.c:1709
 d_alloc fs/dcache.c:1788 [inline]
 d_alloc_parallel+0x111/0x1aa0 fs/dcache.c:2540
 lookup_open.isra.0+0x922/0x1230 fs/namei.c:3026
 open_last_lookups fs/namei.c:3169 [inline]
 path_openat+0x961/0x26c0 fs/namei.c:3357
 do_filp_open+0x17e/0x3c0 fs/namei.c:3387
 do_sys_openat2+0x16d/0x420 fs/open.c:1180
 do_sys_open fs/open.c:1196 [inline]
 __do_sys_openat fs/open.c:1212 [inline]
 __se_sys_openat fs/open.c:1207 [inline]
 __x64_sys_openat+0x13f/0x1f0 fs/open.c:1207
 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Last call_rcu():
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_record_aux_stack+0x9e/0xb0 mm/kasan/generic.c:346
 __call_rcu kernel/rcu/tree.c:2963 [inline]
 call_rcu+0x8a/0xa00 kernel/rcu/tree.c:3037
 dentry_free+0xc3/0x160 fs/dcache.c:350
 __dentry_kill+0x47d/0x5c0 fs/dcache.c:593
 dentry_kill fs/dcache.c:717 [inline]
 dput+0x676/0xc40 fs/dcache.c:878
 do_renameat2+0x75f/0xba0 fs/namei.c:4452
 __do_sys_rename fs/namei.c:4494 [inline]
 __se_sys_rename fs/namei.c:4492 [inline]
 __x64_sys_rename+0x5d/0x80 fs/namei.c:4492
 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Second to last call_rcu():
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_record_aux_stack+0x9e/0xb0 mm/kasan/generic.c:346
 __call_rcu kernel/rcu/tree.c:2963 [inline]
 call_rcu+0x8a/0xa00 kernel/rcu/tree.c:3037
 dentry_free+0xc3/0x160 fs/dcache.c:350
 __dentry_kill+0x47d/0x5c0 fs/dcache.c:593
 dentry_kill fs/dcache.c:705 [inline]
 dput+0x76a/0xc40 fs/dcache.c:878
 path_put+0x2d/0x60 fs/namei.c:496
 perf_fill_ns_link_info+0x1ab/0x1f0 kernel/events/core.c:7885
 perf_event_namespaces.part.0+0xef/0x180 kernel/events/core.c:7926
 perf_event_namespaces+0x3b/0x50 kernel/events/core.c:7894
 __do_sys_setns+0xceb/0x16d0 kernel/nsproxy.c:566
 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff88803a3ce8d0
 which belongs to the cache dentry of size 312
The buggy address is located 104 bytes inside of
 312-byte region [ffff88803a3ce8d0, ffff88803a3cea08)
The buggy address belongs to the page:
page:0000000093b184d9 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88803a3ce8d0 pfn:0x3a3ce
head:0000000093b184d9 order:1 compound_mapcount:0
flags: 0x100000000010200(slab|head)
raw: 0100000000010200 ffffea00005d9200 0000000500000005 ffff888007fed000
raw: ffff88803a3ce8d0 0000000080150013 00000001ffffffff ffff888038011f01
page dumped because: kasan: bad access detected
page->mem_cgroup:ffff888038011f01

Memory state around the buggy address:
 ffff88803a3ce800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88803a3ce880: 00 00 fc fc fc fc fc fc fc fc 00 00 00 00 00 00
>ffff88803a3ce900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                        ^
 ffff88803a3ce980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88803a3cea00: 00 fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00
==================================================================
general protection fault, probably for non-canonical address 0xdffffc000000000a: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000050-0x0000000000000057]
CPU: 0 PID: 69 Comm: kworker/0:1H Tainted: G B 5.10.105 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Workqueue: kblockd blk_mq_run_work_fn
RIP: 0010:relay_switch_subbuf+0x216/0x940 kernel/relay.c:761
Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 cf 06 00 00 48 ba 00 00 00 00 00 fc ff df 4c 8b 73 68 49 8d 7e 50 48 89 f9 48 c1 e9 03 <80> 3c 11 00 0f 85 8e 06 00 00 49 8b 55 28 49 8b 5e 50 48 b9 00 00
RSP: 0018:ffff88800f42f700 EFLAGS: 00010016
RAX: 0000000000000001 RBX: ffff88803a3ce8d0 RCX: 000000000000000a
RDX: dffffc0000000000 RSI: 0000000000000004 RDI: 0000000000000050
RBP: 0000000000000708 R08: 0000000000000000 R09: ffffffff84e9be83
R10: fffffbfff09d37d0 R11: 0000000000000001 R12: 0000000000000040
R13: ffff88803aae4000 R14: 0000000000000000 R15: 00000000000000f0
FS:  0000000000000000(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f770d8e3000 CR3: 0000000061592000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Call Trace:
 relay_reserve include/linux/relay.h:261 [inline]
 trace_note.constprop.0+0x42f/0x550 kernel/trace/blktrace.c:95
 trace_note_tsk kernel/trace/blktrace.c:126 [inline]
 __blk_add_trace.constprop.0+0xa7a/0xbd0 kernel/trace/blktrace.c:266
 blk_add_trace_rq.constprop.0+0x362/0x470 kernel/trace/blktrace.c:844
 trace_block_rq_issue include/trace/events/block.h:207 [inline]
 blk_mq_start_request+0x20d/0x480 block/blk-mq.c:734
 scsi_queue_rq+0x1059/0x2920 drivers/scsi/scsi_lib.c:1686
EXT4-fs (loop3): VFS: Found ext4 filesystem with invalid superblock checksum. Run e2fsck?
 blk_mq_dispatch_rq_list+0x36d/0x1be0 block/blk-mq.c:1369
 __blk_mq_do_dispatch_sched+0x3bf/0x8e0 block/blk-mq-sched.c:187
 blk_mq_do_dispatch_sched block/blk-mq-sched.c:200 [inline]
 __blk_mq_sched_dispatch_requests+0x361/0x490 block/blk-mq-sched.c:316
 blk_mq_sched_dispatch_requests+0xfb/0x180 block/blk-mq-sched.c:342
 __blk_mq_run_hw_queue+0x12c/0x290 block/blk-mq.c:1517
 blk_mq_run_work_fn+0x55/0x70 block/blk-mq.c:1795
 process_one_work+0x9a9/0x1590 kernel/workqueue.c:2279
 worker_thread+0x61d/0x1310 kernel/workqueue.c:2425
 kthread+0x38f/0x470 kernel/kthread.c:313
 ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:296
Modules linked in:
---[ end trace 19f8377f45fcd67c ]---
RIP: 0010:relay_switch_subbuf+0x216/0x940 kernel/relay.c:761
Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 cf 06 00 00 48 ba 00 00 00 00 00 fc ff df 4c 8b 73 68 49 8d 7e 50 48 89 f9 48 c1 e9 03 <80> 3c 11 00 0f 85 8e 06 00 00 49 8b 55 28 49 8b 5e 50 48 b9 00 00
RSP: 0018:ffff88800f42f700 EFLAGS: 00010016
RAX: 0000000000000001 RBX: ffff88803a3ce8d0 RCX: 000000000000000a
RDX: dffffc0000000000 RSI: 0000000000000004 RDI: 0000000000000050
RBP: 0000000000000708 R08: 0000000000000000 R09: ffffffff84e9be83
R10: fffffbfff09d37d0 R11: 0000000000000001 R12: 0000000000000040
R13: ffff88803aae4000 R14: 0000000000000000 R15: 00000000000000f0
FS:  0000000000000000(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f770d8e3000 CR3: 0000000061592000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
note: kworker/0:1H[69] exited with preempt_count 5
BUG: sleeping function called from invalid context at include/linux/percpu-rwsem.h:49
in_atomic(): 0, irqs_disabled(): 1, non_block: 0, pid: 69, name: kworker/0:1H
INFO: lockdep is turned off.
irq event stamp: 3866494
hardirqs last enabled at (3866493): [] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
hardirqs last enabled at (3866493): [] _raw_spin_unlock_irqrestore+0x34/0x40 kernel/locking/spinlock.c:191
hardirqs last disabled at (3866494): [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (3866494): [] _raw_spin_lock_irqsave+0x4b/0x50 kernel/locking/spinlock.c:159
softirqs last enabled at (3866444): [] asm_call_irq_on_stack+0x12/0x20
softirqs last disabled at (3866395): [] asm_call_irq_on_stack+0x12/0x20
CPU: 0 PID: 69 Comm: kworker/0:1H Tainted: G B D 5.10.105 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Workqueue: kblockd blk_mq_run_work_fn
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:118
 ___might_sleep.cold+0x141/0x16f kernel/sched/core.c:7291
 percpu_down_read include/linux/percpu-rwsem.h:49 [inline]
 cgroup_threadgroup_change_begin include/linux/cgroup-defs.h:733 [inline]
 exit_signals+0x23/0x850 kernel/signal.c:2833
 do_exit+0x30a/0x2770 kernel/exit.c:767
 rewind_stack_do_exit+0x17/0x20 arch/x86/entry/entry_64.S:1482
RIP: 0000:0x0
Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
RSP: 0000:0000000000000000 EFLAGS: 00000000 ORIG_RAX: 0000000000000000
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
----------------
Code disassembly (best guess):
   0:   48 89 fa                mov    %rdi,%rdx
   3:   48 c1 ea 03             shr    $0x3,%rdx
   7:   80 3c 02 00             cmpb   $0x0,(%rdx,%rax,1)
   b:   0f 85 cf 06 00 00       jne    0x6e0
  11:   48 ba 00 00 00 00 00    movabs $0xdffffc0000000000,%rdx
  18:   fc ff df
  1b:   4c 8b 73 68             mov    0x68(%rbx),%r14
  1f:   49 8d 7e 50             lea    0x50(%r14),%rdi
  23:   48 89 f9                mov    %rdi,%rcx
  26:   48 c1 e9 03             shr    $0x3,%rcx
* 2a:   80 3c 11 00             cmpb   $0x0,(%rcx,%rdx,1)       <-- trapping instruction
  2e:   0f 85 8e 06 00 00       jne    0x6c2
  34:   49 8b 55 28             mov    0x28(%r13),%rdx
  38:   49 8b 5e 50             mov    0x50(%r14),%rbx
  3c:   48                      rex.W
  3d:   b9                      .byte 0xb9