[16703.628603] ==================================================================
[16703.629458] BUG: KASAN: use-after-free in xfs_log_item_in_current_chkpt+0x139/0x160 [xfs]
[16703.631009] Read of size 8 at addr ffff88804ea5f608 by task fsstress/527999
[16703.632263]
[16703.632498] CPU: 1 PID: 527999 Comm: fsstress Tainted: G D 5.16.0-rc4-xfsx #rc4 0a71ed7e61af687f84c452a434253ed2e13639c8
[16703.633764] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[16703.634840] Call Trace:
[16703.635130]  <TASK>
[16703.635392]  dump_stack_lvl+0x45/0x59
[16703.635837]  print_address_description.constprop.0+0x1f/0x140
[16703.636603]  ? xfs_log_item_in_current_chkpt+0x139/0x160 [xfs f3b81f428157db81fd2e66bf8dd3093926e8d20d]
[16703.637806]  kasan_report.cold+0x83/0xdf
[16703.638261]  ? xfs_log_item_in_current_chkpt+0x139/0x160 [xfs f3b81f428157db81fd2e66bf8dd3093926e8d20d]
[16703.639456]  xfs_log_item_in_current_chkpt+0x139/0x160 [xfs f3b81f428157db81fd2e66bf8dd3093926e8d20d]
[16703.641021]  xfs_defer_finish_noroll+0x3bb/0x1e30 [xfs f3b81f428157db81fd2e66bf8dd3093926e8d20d]
[16703.642140]  ? lock_acquire+0x425/0x4d0
[16703.642604]  ? xfs_defer_cancel+0x220/0x220 [xfs f3b81f428157db81fd2e66bf8dd3093926e8d20d]
[16703.643657]  ? srcu_notifier_call_chain+0x10a/0x160
[16703.644198]  __xfs_trans_commit+0x6c8/0xcf0 [xfs f3b81f428157db81fd2e66bf8dd3093926e8d20d]
[16703.645345]  ? xfs_trans_free_items+0x2f0/0x2f0 [xfs f3b81f428157db81fd2e66bf8dd3093926e8d20d]
[16703.646672]  ? rcu_read_lock_sched_held+0x12/0x70
[16703.647209]  ? xfs_defer_add+0x45d/0x870 [xfs f3b81f428157db81fd2e66bf8dd3093926e8d20d]
[16703.648245]  xfs_reflink_remap_extent+0x66f/0x10e0 [xfs f3b81f428157db81fd2e66bf8dd3093926e8d20d]
[16703.649423]  ? xfs_reflink_set_inode_flag+0x8a0/0x8a0 [xfs f3b81f428157db81fd2e66bf8dd3093926e8d20d]
[16703.650601]  ? __up_read+0x194/0x720
[16703.651015]  ? up_write+0x470/0x470
[16703.651422]  xfs_reflink_remap_blocks+0x2dd/0xa90 [xfs f3b81f428157db81fd2e66bf8dd3093926e8d20d]
[16703.652555]  ? xfs_reflink_update_dest+0x440/0x440 [xfs f3b81f428157db81fd2e66bf8dd3093926e8d20d]
[16703.653683]  ? xfs_flush_unmap_range+0xce/0x110 [xfs f3b81f428157db81fd2e66bf8dd3093926e8d20d]
[16703.654788]  xfs_file_remap_range+0x27b/0xc30 [xfs f3b81f428157db81fd2e66bf8dd3093926e8d20d]
[16703.656303]  ? lock_downgrade+0x6d0/0x6d0
[16703.656761]  ? xfs_file_xchg_range+0x5b0/0x5b0 [xfs f3b81f428157db81fd2e66bf8dd3093926e8d20d]
[16703.657854]  ? preempt_count_add+0x7f/0x150
[16703.658330]  vfs_dedupe_file_range_one+0x368/0x420
[16703.658877]  vfs_dedupe_file_range+0x37c/0x5d0
[16703.659375]  do_vfs_ioctl+0x308/0x1260
[16703.659806]  ? vfs_fileattr_set+0x9f0/0x9f0
[16703.660273]  ? make_kgid+0x13/0x20
[16703.660676]  ? xfs_vn_getattr+0x31f/0xdd0 [xfs f3b81f428157db81fd2e66bf8dd3093926e8d20d]
[16703.661731]  ? __do_sys_newfstat+0xf3/0x110
[16703.662199]  ? __ia32_sys_fstat+0x70/0x70
[16703.662651]  ? cp_new_stat+0x5a0/0x5a0
[16703.663081]  __x64_sys_ioctl+0xa1/0x170
[16703.663519]  do_syscall_64+0x35/0x80
[16703.663934]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[16703.664494] RIP: 0033:0x7f2c71a2950b
[16703.664897] Code: 0f 1e fa 48 8b 05 85 39 0d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 55 39 0d 00 f7 d8 64 89 01 48
[16703.666791] RSP: 002b:00007ffe8c0e03c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[16703.667588] RAX: ffffffffffffffda RBX: 00005600862a8740 RCX: 00007f2c71a2950b
[16703.668330] RDX: 00005600862a7be0 RSI: 00000000c0189436 RDI: 0000000000000004
[16703.669079] RBP: 000000000000000b R08: 0000000000000027 R09: 0000000000000003
[16703.670703] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000005a
[16703.672028] R13: 00005600862804a8 R14: 0000000000016000 R15: 00005600862a8a20
[16703.673376]  </TASK>
[16703.673832]
[16703.674165] Allocated by task 464064:
[16703.674967]  kasan_save_stack+0x1e/0x50
[16703.675866]  __kasan_kmalloc+0x81/0xa0
[16703.676625]  kmem_alloc+0xcd/0x2c0 [xfs]
[16703.677277]  xlog_cil_ctx_alloc+0x17/0x1e0 [xfs]
[16703.677999]  xlog_cil_push_work+0x141/0x13d0 [xfs]
[16703.678728]  process_one_work+0x7f6/0x1380
[16703.679188]  worker_thread+0x59d/0x1040
[16703.679620]  kthread+0x3b0/0x490
[16703.679985]  ret_from_fork+0x1f/0x30
[16703.680403]
[16703.680595] Freed by task 51:
[16703.680934]  kasan_save_stack+0x1e/0x50
[16703.681363]  kasan_set_track+0x21/0x30
[16703.681778]  kasan_set_free_info+0x20/0x30
[16703.682229]  __kasan_slab_free+0xed/0x130
[16703.682676]  slab_free_freelist_hook+0x7f/0x160
[16703.683167]  kfree+0xde/0x340
[16703.683513]  xlog_cil_committed+0xbfd/0xfe0 [xfs]
[16703.684234]  xlog_cil_process_committed+0x103/0x1c0 [xfs]
[16703.685025]  xlog_state_do_callback+0x45d/0xbd0 [xfs]
[16703.685783]  xlog_ioend_work+0x116/0x1c0 [xfs]
[16703.686476]  process_one_work+0x7f6/0x1380
[16703.686927]  worker_thread+0x59d/0x1040
[16703.687359]  kthread+0x3b0/0x490
[16703.687725]  ret_from_fork+0x1f/0x30
[16703.688126]
[16703.688319] Last potentially related work creation:
[16703.688849]  kasan_save_stack+0x1e/0x50
[16703.689274]  __kasan_record_aux_stack+0xb7/0xc0
[16703.689797]  insert_work+0x48/0x2e0
[16703.690192]  __queue_work+0x4e7/0xda0
[16703.690608]  queue_work_on+0x69/0x80
[16703.691009]  xlog_cil_push_now.isra.0+0x16b/0x210 [xfs]
[16703.691793]  xlog_cil_force_seq+0x1b7/0x850 [xfs]
[16703.692517]  xfs_log_force_seq+0x1c7/0x670 [xfs]
[16703.693222]  xfs_file_fsync+0x7c1/0xa60 [xfs]
[16703.693892]  __x64_sys_fsync+0x52/0x80
[16703.694312]  do_syscall_64+0x35/0x80
[16703.694705]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[16703.695250]
[16703.695448] The buggy address belongs to the object at ffff88804ea5f600
[16703.695448]  which belongs to the cache kmalloc-256 of size 256
[16703.696735] The buggy address is located 8 bytes inside of
[16703.696735]  256-byte region [ffff88804ea5f600, ffff88804ea5f700)
[16703.697923] The buggy address belongs to the page:
[16703.698450] page:ffffea00013a9780 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88804ea5ea00 pfn:0x4ea5e
[16703.699554] head:ffffea00013a9780 order:1 compound_mapcount:0
[16703.700169] flags: 0x4fff80000010200(slab|head|node=1|zone=1|lastcpupid=0xfff)
[16703.700948] raw: 04fff80000010200 ffffea0001245908 ffffea00011bd388 ffff888004c42b40
[16703.701763] raw: ffff88804ea5ea00 0000000000100009 00000001ffffffff 0000000000000000
[16703.702571] page dumped because: kasan: bad access detected
[16703.703164]
[16703.703363] Memory state around the buggy address:
[16703.703880]  ffff88804ea5f500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[16703.704647]  ffff88804ea5f580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[16703.705408] >ffff88804ea5f600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[16703.706180]                       ^
[16703.706581]  ffff88804ea5f680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[16703.707336]  ffff88804ea5f700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[16703.708093] ==================================================================
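The report above carries everything needed to classify the bug without symbols: the faulting address, the slab object it falls in, the allocation and free stacks, and the shadow bytes around the access. The following triage script is an added example, not part of the report or of the XFS/KASAN code; it parses the report text, locates the access inside the object, decodes the shadow byte with the generic-KASAN encoding from mm/kasan/kasan.h as of v5.16 (an assumption: tag-based KASAN modes and other kernel versions encode shadow differently), and picks the first non-allocator frame of each stack as the owner. Treating the XFS wrapper kmem_alloc as allocator plumbing is also an assumption. SAMPLE is a constructed, abbreviated copy of the report with dmesg timestamps left in so the parser has to strip them.

```python
"""Triage a generic-KASAN slab report (Linux v5.16-era text format).

Added example, not part of the original report. Shadow-byte values follow
mm/kasan/kasan.h as of v5.16 (generic KASAN only; tag-based modes differ).
SAMPLE is a constructed, abbreviated copy of the report, timestamps included.
"""
import re
from typing import Dict, List, Optional

GRANULE = 8  # bytes of memory described by one shadow byte
SHADOW_MEANING = {  # mm/kasan/kasan.h, v5.16 (assumed encoding)
    0x00: "addressable",
    0xFA: "freed object (granule holds free-track metadata)",  # KASAN_KMALLOC_FREETRACK
    0xFB: "freed object",                                      # KASAN_KMALLOC_FREE
    0xFC: "kmalloc redzone",                                   # KASAN_KMALLOC_REDZONE
    0xFE: "kmalloc_large page redzone",                        # KASAN_PAGE_REDZONE
    0xFF: "freed page",                                        # KASAN_FREE_PAGE
}
_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")
_FRAME = re.compile(r"^\s*(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
_SHADOW = re.compile(r"^>?\s*([0-9a-f]{16}):((?:\s[0-9a-f]{2}){16})$")
# Allocator/KASAN plumbing; the first frame not matching is the object's real owner.
# kmem_alloc is XFS's thin kmalloc wrapper, treated as plumbing too (assumption).
_PLUMBING = re.compile(r"^(kasan_|__kasan_|kfree|kmalloc|kmem_|slab_|__slab_)")


def parse_kasan_report(text: str) -> Dict:
    """Extract access, object, alloc/free stacks and shadow rows from report text."""
    rep: Dict = {"alloc_stack": [], "free_stack": [], "shadow": {}}
    section: Optional[str] = None
    for raw in text.splitlines():
        line = _TS.sub("", raw).rstrip()
        if not line.strip():  # a blank line closes a stack section
            section = None
        elif m := re.match(r"BUG: KASAN: (\S+) in (\S+)\+0x", line):
            rep["bug"], rep["func"] = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)", line):
            rep["access"], rep["size"] = m.group(1), int(m.group(2))
            rep["addr"], rep["task"] = int(m.group(3), 16), int(m.group(4))
        elif m := re.match(r"Allocated by task (\d+):", line):
            rep["alloc_task"], section = int(m.group(1)), "alloc_stack"
        elif m := re.match(r"Freed by task (\d+):", line):
            rep["free_task"], section = int(m.group(1)), "free_stack"
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            rep["object_start"] = int(m.group(1), 16)
        elif m := re.search(r"belongs to the cache (\S+) of size (\d+)", line):
            rep["cache"], rep["object_size"] = m.group(1), int(m.group(2))
        elif m := _SHADOW.match(line.strip()):
            rep["shadow"][int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
        elif section and (m := _FRAME.match(line)):
            rep[section].append(m.group(2))
    return rep


def shadow_byte(rep: Dict, addr: int) -> Optional[int]:
    """Shadow byte covering addr, taken from the dumped rows (None if not dumped)."""
    for row_addr, row in rep["shadow"].items():
        if row_addr <= addr < row_addr + GRANULE * len(row):
            return row[(addr - row_addr) // GRANULE]
    return None


def owner_frame(stack: List[str]) -> Optional[str]:
    """First frame that is not allocator/KASAN plumbing: the code that owns the object."""
    return next((f for f in stack if not _PLUMBING.match(f)), None)


def triage(rep: Dict) -> Dict:
    sb = shadow_byte(rep, rep["addr"])
    meaning = SHADOW_MEANING.get(sb, "partially addressable" if sb and sb < GRANULE else "unknown")
    start, size = rep["object_start"], rep["object_size"]
    return {
        "bug": rep["bug"],
        "faulting_func": rep["func"],
        "offset_in_object": rep["addr"] - start,
        "inside_object": start <= rep["addr"] < start + size,
        "shadow_byte": sb,
        "shadow_meaning": meaning,
        "allocated_by": owner_frame(rep["alloc_stack"]),
        "freed_by": owner_frame(rep["free_stack"]),
    }


SAMPLE = """\
[16703.629458] BUG: KASAN: use-after-free in xfs_log_item_in_current_chkpt+0x139/0x160 [xfs]
[16703.631009] Read of size 8 at addr ffff88804ea5f608 by task fsstress/527999
[16703.632263]
[16703.674165] Allocated by task 464064:
[16703.674967]  kasan_save_stack+0x1e/0x50
[16703.675866]  __kasan_kmalloc+0x81/0xa0
[16703.676625]  kmem_alloc+0xcd/0x2c0 [xfs]
[16703.677277]  xlog_cil_ctx_alloc+0x17/0x1e0 [xfs]
[16703.680403]
[16703.680595] Freed by task 51:
[16703.680934]  kasan_save_stack+0x1e/0x50
[16703.681363]  kasan_set_track+0x21/0x30
[16703.681778]  kasan_set_free_info+0x20/0x30
[16703.682229]  __kasan_slab_free+0xed/0x130
[16703.682676]  slab_free_freelist_hook+0x7f/0x160
[16703.683167]  kfree+0xde/0x340
[16703.683513]  xlog_cil_committed+0xbfd/0xfe0 [xfs]
[16703.695250]
[16703.695448] The buggy address belongs to the object at ffff88804ea5f600
[16703.695448]  which belongs to the cache kmalloc-256 of size 256
[16703.703363] Memory state around the buggy address:
[16703.704647]  ffff88804ea5f580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[16703.705408] >ffff88804ea5f600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[16703.706180]                       ^
[16703.706581]  ffff88804ea5f680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

if __name__ == "__main__":
    for key, val in triage(parse_kasan_report(SAMPLE)).items():
        print(f"{key:>17}: {val}")
```

Run against the sample, the script reports an 8-byte read at offset 8 of a kmalloc-256 object whose shadow byte is 0xfb (freed), allocated by xlog_cil_ctx_alloc and freed by xlog_cil_committed; the 0xfa in the first granule is where KASAN keeps the free-track metadata, which is why the report can print "Freed by task 51" at all. Feeding it a full report (the one above, with the Call Trace included) works the same way, since only blank lines and the section headers drive the parser.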