Lustre: LU-12954

BUG: KASAN: use-after-free in tgt_brw_read+0x1ed2/0x2bf0 [ptlrpc]

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Labels:
      None
    • Severity:
      3

      Description

      Backend ZFS 0.8.0+

      [ 2820.531920] BUG: KASAN: use-after-free in tgt_brw_read+0x1ed2/0x2bf0 [ptlrpc]
      [ 2820.532066] Read of size 8 at addr ffff88832b1fffc0 by task ll_ost_io01_015/6408
      [ 2820.532215]
      [ 2820.532258] CPU: 2 PID: 6408 Comm: ll_ost_io01_015 Tainted: P O 5.4.0-1.ldiskfs.d.el7.x86_64 #1
      [ 2820.532261] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
      [ 2820.532277] Call Trace:
      [ 2820.532288] dump_stack+0x7b/0xba
      [ 2820.532551] ? tgt_brw_read+0x1ed2/0x2bf0 [ptlrpc]
      [ 2820.532558] print_address_description.constprop.7.cold.9+0x9/0x350
      [ 2820.532807] ? tgt_brw_read+0x1ed2/0x2bf0 [ptlrpc]
      [ 2820.533066] ? tgt_brw_read+0x1ed2/0x2bf0 [ptlrpc]
      [ 2820.533072] __kasan_report.cold.10+0x1b/0x3f
      [ 2820.533211] ? obd_t10_performance_test+0x860/0x870 [obdclass]
      [ 2820.533466] ? tgt_brw_read+0x1ed2/0x2bf0 [ptlrpc]
      [ 2820.533471] kasan_report+0x12/0x20
      [ 2820.533476] __asan_load8+0x54/0x90
      [ 2820.533735] tgt_brw_read+0x1ed2/0x2bf0 [ptlrpc]
      [ 2820.533978] ? tgt_obd_idx_read+0xcf0/0xcf0 [ptlrpc]
      [ 2820.533984] ? kasan_kmalloc+0x9/0x10
      [ 2820.533989] ? __kmalloc+0x139/0x300
      [ 2820.533992] ? __asan_loadN+0xf/0x20
      [ 2820.534241] ? null_alloc_rs+0x11b/0x440 [ptlrpc]
      [ 2820.534248] ? __kasan_check_write+0x14/0x20
      [ 2820.534499] ? null_alloc_rs+0xe1/0x440 [ptlrpc]
      [ 2820.534763] ? lustre_msg_buf_v2+0x53/0x220 [ptlrpc]
      [ 2820.535010] ? lustre_init_msg_v2+0x90/0x150 [ptlrpc]
      [ 2820.535260] ? lustre_msg_add_version+0x48/0xd0 [ptlrpc]
      [ 2820.535515] ? lustre_pack_reply_v2+0x2fb/0x3e0 [ptlrpc]
      [ 2820.535815] ? lustre_pack_reply_flags+0x108/0x2c0 [ptlrpc]
      [ 2820.536057] ? lustre_pack_reply_v2+0x3e0/0x3e0 [ptlrpc]
      [ 2820.536320] ? __req_capsule_get+0x3bd/0x8a0 [ptlrpc]
      [ 2820.536560] ? lustre_pack_reply+0x11/0x20 [ptlrpc]
      [ 2820.536810] tgt_request_handle+0xfd1/0x2290 [ptlrpc]
      [ 2820.537062] ? tgt_hpreq_handler+0x440/0x440 [ptlrpc]
      [ 2820.537308] ? lustre_msg_buf_v2+0x53/0x220 [ptlrpc]
      [ 2820.537560] ptlrpc_server_handle_request+0x582/0x1100 [ptlrpc]
      [ 2820.537812] ptlrpc_main+0x133f/0x20b0 [ptlrpc]
      [ 2820.537821] ? __switch_to_asm+0x34/0x70
      [ 2820.537825] ? __switch_to_asm+0x40/0x70
      [ 2820.537829] ? __switch_to_asm+0x34/0x70
      [ 2820.537834] ? __switch_to_asm+0x40/0x70
      [ 2820.537838] ? __switch_to_asm+0x34/0x70
      [ 2820.537842] ? __switch_to_asm+0x40/0x70
      [ 2820.537845] ? __switch_to_asm+0x34/0x70
      [ 2820.537849] ? __switch_to_asm+0x40/0x70
      [ 2820.537854] ? finish_task_switch+0x99/0x3c0
      [ 2820.537858] ? __switch_to_asm+0x34/0x70
      [ 2820.538108] ? ptlrpc_register_service+0x1730/0x1730 [ptlrpc]
      [ 2820.538114] ? _raw_write_lock_irqsave+0xe0/0xe0
      [ 2820.538121] ? __kasan_check_read+0x11/0x20
      [ 2820.538125] ? __kthread_parkme+0x90/0xb0
      [ 2820.538129] kthread+0x1c8/0x1f0
      [ 2820.538383] ? ptlrpc_register_service+0x1730/0x1730 [ptlrpc]
      [ 2820.538387] ? kthread_parkme+0x50/0x50
      [ 2820.538392] ret_from_fork+0x35/0x40
      [ 2820.538395]
      [ 2820.538446] The buggy address belongs to the page:
      [ 2820.538551] page:ffffea000cac7fc0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
      [ 2820.538567] flags: 0x17ffffc0000000()
      [ 2820.538574] raw: 0017ffffc0000000 0000000000000000 ffffea000cac7fc8 0000000000000000
      [ 2820.538578] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
      [ 2820.538580] page dumped because: kasan: bad access detected
      [ 2820.538581]
      [ 2820.538620] Memory state around the buggy address:
      [ 2820.538720] ffff88832b1ffe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      [ 2820.538858] ffff88832b1fff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      [ 2820.539007] >ffff88832b1fff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      [ 2820.545900] ^
      [ 2820.553207] ffff88832b200000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [ 2820.560810] ffff88832b200080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [ 2820.567664] ==================================================================
      [ 2820.572515] BUG: unable to handle page fault for address: ffff88832b1fffc0
      [ 2820.578907] #PF: supervisor read access in kernel mode
      [ 2820.584983] #PF: error_code(0x0000) - not-present page
      [ 2820.591295] PGD 4201067 P4D 4201067 PUD 43e8f8067 PMD 43e79f067 PTE 800ffffcd4e00060
      [ 2820.598229] Oops: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
      [ 2820.603718] CPU: 2 PID: 6408 Comm: ll_ost_io01_015 Tainted: P B O 5.4.0-1.ldiskfs.d.el7.x86_64 #1
      [ 2820.610259] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
      [ 2820.616724] RIP: 0010:tgt_brw_read+0x1ed9/0x2bf0 [ptlrpc]
      [ 2820.623412] Code: d8 fc ff ff 48 63 85 04 fd ff ff 48 c1 e0 06 48 8d 44 01 c0 48 89 c7 48 89 85 20 fd ff ff e8 ce 3e 80 df 48 8b 85 20 fd ff ff <48> 8b 10 48 8d 78 0c 48 89 95 e8 fc ff ff e8 b4 3d 80 df 48 8b 85
      [ 2820.637179] RSP: 0018:ffff888370b47798 EFLAGS: 00010246
      [ 2820.642660] RAX: ffff88832b1fffc0 RBX: ffff88837ec86640 RCX: ffffffff810de10a
      [ 2820.648239] RDX: 0000000000000001 RSI: 0000000000000246 RDI: 0000000000000246
      [ 2820.654496] RBP: ffff888370b47ae8 R08: fffffbfff06b5d31 R09: fffffbfff06b5d31
      [ 2820.660961] R10: fffffbfff06b5d30 R11: ffffffff835ae987 R12: ffff88832b16d008
      [ 2820.669786] R13: ffff88838fffa8f8 R14: 0000000000000000 R15: 0000000000000020
      [ 2820.676400] FS: 0000000000000000(0000) GS:ffff88839ef00000(0000) knlGS:0000000000000000
      [ 2820.683139] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 2820.695062] CR2: ffff88832b1fffc0 CR3: 0000000388b2a002 CR4: 00000000003606e0
      [ 2820.700826] Call Trace:
      [ 2820.705421] ? tgt_obd_idx_read+0xcf0/0xcf0 [ptlrpc]
      [ 2820.710537] ? kasan_kmalloc+0x9/0x10
      [ 2820.715159] ? __kmalloc+0x139/0x300
      [ 2820.719437] ? __asan_loadN+0xf/0x20
      [ 2820.723796] ? null_alloc_rs+0x11b/0x440 [ptlrpc]
      [ 2820.727784] ? __kasan_check_write+0x14/0x20
      [ 2820.732379] ? null_alloc_rs+0xe1/0x440 [ptlrpc]
      [ 2820.737131] ? lustre_msg_buf_v2+0x53/0x220 [ptlrpc]
      [ 2820.742587] ? lustre_init_msg_v2+0x90/0x150 [ptlrpc]
      [ 2820.747785] ? lustre_msg_add_version+0x48/0xd0 [ptlrpc]
      [ 2820.752796] ? lustre_pack_reply_v2+0x2fb/0x3e0 [ptlrpc]
      [ 2820.757775] ? lustre_pack_reply_flags+0x108/0x2c0 [ptlrpc]
      [ 2820.762698] ? lustre_pack_reply_v2+0x3e0/0x3e0 [ptlrpc]
      [ 2820.767725] ? __req_capsule_get+0x3bd/0x8a0 [ptlrpc]
      [ 2820.772502] ? lustre_pack_reply+0x11/0x20 [ptlrpc]
      [ 2820.776848] tgt_request_handle+0xfd1/0x2290 [ptlrpc]
      [ 2820.781531] ? tgt_hpreq_handler+0x440/0x440 [ptlrpc]
      [ 2820.786211] ? lustre_msg_buf_v2+0x53/0x220 [ptlrpc]
      [ 2820.790904] ptlrpc_server_handle_request+0x582/0x1100 [ptlrpc]
      [ 2820.795780] ptlrpc_main+0x133f/0x20b0 [ptlrpc]
      [ 2820.800452] ? __switch_to_asm+0x34/0x70
      [ 2820.804965] ? __switch_to_asm+0x40/0x70
      [ 2820.809552] ? __switch_to_asm+0x34/0x70
      [ 2820.814274] ? __switch_to_asm+0x40/0x70
      [ 2820.818650] ? __switch_to_asm+0x34/0x70
      [ 2820.822765] ? __switch_to_asm+0x40/0x70
      [ 2820.826468] ? __switch_to_asm+0x34/0x70
      [ 2820.830243] ? __switch_to_asm+0x40/0x70
      [ 2820.833132] ? finish_task_switch+0x99/0x3c0
      [ 2820.836913] ? __switch_to_asm+0x34/0x70
      [ 2820.841261] ? ptlrpc_register_service+0x1730/0x1730 [ptlrpc]
      [ 2820.844791] ? _raw_write_lock_irqsave+0xe0/0xe0
      [ 2820.848628] ? __kasan_check_read+0x11/0x20
      [ 2820.851419] ? __kthread_parkme+0x90/0xb0
      [ 2820.854505] kthread+0x1c8/0x1f0
      [ 2820.857877] ? ptlrpc_register_service+0x1730/0x1730 [ptlrpc]
      [ 2820.861449] ? kthread_parkme+0x50/0x50
      [ 2820.864577] ret_from_fork+0x35/0x40
      [ 2820.867718] Modules linked in: osp(O) ofd(O) lfsck(O) ost(O) mgc(O) osd_zfs(O) lquota(O) fid(O) fld(O) ksocklnd(O) ptlrpc(O) obdclass(O) lnet(O) libcfs(O) fuse snd_hda_codec_generic ledtrig_audio crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_hda_intel zfs(PO) snd_intel_nhlt aesni_intel crypto_simd snd_hda_codec zunicode(PO) cryptd zlua(PO) snd_hda_core zavl(PO) glue_helper snd_hwdep icp(PO) snd_seq zcommon(PO) snd_seq_device znvpair(PO) spl(O) joydev snd_pcm sg input_leds i2c_piix4 snd_timer pcspkr snd virtio_balloon soundcore qemu_fw_cfg ip_tables xfs libcrc32c sd_mod virtio_scsi virtio_net virtio_console net_failover failover virtio_blk sr_mod cdrom crc32c_intel ata_generic pata_acpi qxl drm_kms_helper syscopyarea sysfillrect sysimgblt virtio_pci fb_sys_fops virtio_ring virtio ata_piix ttm drm libata floppy serio_raw dm_mirror dm_region_hash dm_log dm_mod
      [ 2820.894323] CR2: ffff88832b1fffc0
      [ 2820.898218] --[ end trace dcf3e4d370f3e55f ]--
      [ 2820.902441] RIP: 0010:tgt_brw_read+0x1ed9/0x2bf0 [ptlrpc]
      [ 2820.905567] Code: d8 fc ff ff 48 63 85 04 fd ff ff 48 c1 e0 06 48 8d 44 01 c0 48 89 c7 48 89 85 20 fd ff ff e8 ce 3e 80 df 48 8b 85 20 fd ff ff <48> 8b 10 48 8d 78 0c 48 89 95 e8 fc ff ff e8 b4 3d 80 df 48 8b 85
      [ 2820.910985] RSP: 0018:ffff888370b47798 EFLAGS: 00010246
      [ 2820.914597] RAX: ffff88832b1fffc0 RBX: ffff88837ec86640 RCX: ffffffff810de10a
      [ 2820.919145] RDX: 0000000000000001 RSI: 0000000000000246 RDI: 0000000000000246
      [ 2820.923091] RBP: ffff888370b47ae8 R08: fffffbfff06b5d31 R09: fffffbfff06b5d31
      [ 2820.927011] R10: fffffbfff06b5d30 R11: ffffffff835ae987 R12: ffff88832b16d008
      [ 2820.931135] R13: ffff88838fffa8f8 R14: 0000000000000000 R15: 0000000000000020
      [ 2820.935620] FS: 0000000000000000(0000) GS:ffff88839ef00000(0000) knlGS:0000000000000000
      [ 2820.940331] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 2820.944959] CR2: ffff88832b1fffc0 CR3: 0000000388b2a002 CR4: 00000000003606e0
      [ 2820.949365] Kernel panic - not syncing: Fatal exception
      [ 2820.955794] Kernel Offset: disabled
      [ 2820.960023] --[ end Kernel panic - not syncing: Fatal exception ]--
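
Added triage script for this report (not code from the Lustre project, the kernel, or the reporter): it parses the dmesg lines above, which are embedded as its input, and decodes what the shadow bytes, the struct page line and the follow-on page fault say about the access. The poison-value table is taken from mm/kasan/kasan.h for the 5.4 kernel in the report; a 4 KiB page size is assumed.

```python
"""Triage helper for a KASAN use-after-free report (added example, not Lustre or kernel code).

Parses the dmesg excerpt embedded below (copied from the report above) and decodes
what the shadow bytes, the struct page line and the follow-on page fault say.
"""
import re

# Shadow poison values from mm/kasan/kasan.h in Linux 5.4 (the kernel in the report).
SHADOW_MEANING = {
    0x00: "accessible",
    0xFA: "global redzone",
    0xFB: "freed slab object (KASAN_KMALLOC_FREE)",
    0xFC: "kmalloc redzone",
    0xFE: "page redzone",
    0xFF: "freed page (KASAN_FREE_PAGE)",
}
PAGE_SIZE = 4096                 # assumed: 4 KiB pages on this x86_64 VM
SHADOW_GRANULE = 8               # one shadow byte describes 8 bytes of memory
ROW_BYTES = 16 * SHADOW_GRANULE  # one "Memory state" row covers 128 bytes

# Lines of the report above that the parser needs (Oops line with its [#1] restored).
REPORT = """
[ 2820.531920] BUG: KASAN: use-after-free in tgt_brw_read+0x1ed2/0x2bf0 [ptlrpc]
[ 2820.532066] Read of size 8 at addr ffff88832b1fffc0 by task ll_ost_io01_015/6408
[ 2820.538551] page:ffffea000cac7fc0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
[ 2820.538858] ffff88832b1fff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 2820.539007] >ffff88832b1fff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 2820.553207] ffff88832b200000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 2820.572515] BUG: unable to handle page fault for address: ffff88832b1fffc0
[ 2820.598229] Oops: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
[ 2820.616724] RIP: 0010:tgt_brw_read+0x1ed9/0x2bf0 [ptlrpc]
"""

TS_RE = re.compile(r"^\s*\[\s*[\d.]+\]\s*")
BUG_RE = re.compile(r"BUG: KASAN: (\S+) in (\S+)\+0x([0-9a-f]+)/0x[0-9a-f]+")
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)")
ROW_RE = re.compile(r"^>?([0-9a-f]{16}): ((?:[0-9a-f]{2}\s?){16})$")
PAGE_RE = re.compile(r"page:[0-9a-f]+ refcount:(\d+)")
PF_RE = re.compile(r"unable to handle page fault for address: ([0-9a-f]+)")
RIP_RE = re.compile(r"RIP: 0010:(\S+)\+0x([0-9a-f]+)/")


def parse_report(text):
    """Pull the fields we need out of the dmesg text, keyed by name."""
    info = {"rows": {}}
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).strip()
        if m := BUG_RE.search(line):
            info["bug"], info["func"], info["func_off"] = m.group(1), m.group(2), int(m.group(3), 16)
        elif m := ACCESS_RE.search(line):
            info["access"], info["size"] = m.group(1).lower(), int(m.group(2))
            info["addr"], info["task"] = int(m.group(3), 16), m.group(4)
        elif m := ROW_RE.match(line):
            info["rows"][int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
        elif m := PAGE_RE.search(line):
            info["page_refcount"] = int(m.group(1))
        elif m := PF_RE.search(line):
            info["pf_addr"] = int(m.group(1), 16)
        elif m := RIP_RE.search(line):
            info["rip_func"], info["rip_off"] = m.group(1), int(m.group(2), 16)
        elif line.startswith("Oops:"):
            info["debug_pagealloc"] = "DEBUG_PAGEALLOC" in line
    return info


def shadow_byte(info, addr):
    """Shadow byte KASAN printed for `addr` (rows are labelled with memory, not shadow, addresses)."""
    row = info["rows"].get(addr & ~(ROW_BYTES - 1))
    if row is None:
        return None
    return row[(addr & (ROW_BYTES - 1)) // SHADOW_GRANULE]


def triage(info):
    """Answer the questions a reviewer asks first about a UAF report."""
    addr, size = info["addr"], info["size"]
    first, last = shadow_byte(info, addr), shadow_byte(info, addr + size - 1)
    page_off = addr & (PAGE_SIZE - 1)
    next_page = shadow_byte(info, (addr | (PAGE_SIZE - 1)) + 1)
    return {
        "report_site": "%s+0x%x" % (info["func"], info["func_off"]),
        "poison": "no shadow row" if first is None else SHADOW_MEANING.get(first, "0x%02x" % first),
        "whole_access_poisoned": first == last == 0xFF,
        "bytes_to_page_end": PAGE_SIZE - page_off,
        "crosses_page": page_off + size > PAGE_SIZE,
        "next_page_accessible": next_page == 0x00,
        "page_is_free": info.get("page_refcount") == 0,
        # DEBUG_PAGEALLOC unmaps freed pages, so the access KASAN flagged also
        # takes a hard fault at the same address; the Oops RIP is then the real load.
        "fault_is_same_access": info.get("debug_pagealloc", False) and info.get("pf_addr") == addr,
        "fault_rip": "%s+0x%x" % (info["rip_func"], info["rip_off"]),
    }


if __name__ == "__main__":
    for key, value in triage(parse_report(REPORT)).items():
        print("%-22s %s" % (key, value))
```

Run as a script it prints the decoded fields. For this report: the 8-byte read lands 64 bytes before the end of a page whose shadow is 0xff (KASAN_FREE_PAGE) and whose struct page shows refcount:0, and there is no "belongs to the object at" line, which is consistent with a whole page having gone back to the page allocator rather than a freed slab object; the following page is accessible, so this is not an overrun past a buffer end. Because the kernel was built with DEBUG_PAGEALLOC the freed page was also unmapped, which is why the same address then takes a hard page fault: the KASAN site tgt_brw_read+0x1ed2 is the instrumentation call, while the Oops RIP at +0x1ed9 is the real load, the `<48> 8b 10` (mov (%rax),%rdx) in the Code: line, with RAX equal to CR2.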

People

• Assignee: Shaun Tancheff (stancheff)
• Reporter: Shaun Tancheff (stancheff)
• Votes: 0
• Watchers: 3