[kasan bug] slab-use-after-free in nvmet_find_get_subsys
John Garry
john.g.garry at oracle.com
Wed Apr 29 07:50:27 PDT 2026
JFYI, while hacking away at the rework of
https://lore.kernel.org/linux-nvme/328010ad-0d56-4f5e-a37a-e25914da08b5@flourine.local/T/#m926929b41d49f6d851c3cbb680f24115174bf737,
I noticed this kasan bug report:
[ 2440.008916] block nvme2n1: no usable path - requeuing I/O
[ 2444.991612] block nvme2n1: no available path - failing I/O
[ 2445.036229] nvmet: Created nvm controller 1 for subsystem blktests-subsystem-1 for NQN nqn.2014-08.org.nvmexpress:uuid:0f01fb42-9f7f-4856-b0b3-51e60b8de349.
[ 2445.037497] nvme nvme2: creating 12 I/O queues.
[ 2445.040938] ==================================================================
[ 2445.041235] BUG: KASAN: slab-use-after-free in nvmet_find_get_subsys+0x541/0x5b0 [nvmet]
[ 2445.041556] Read of size 8 at addr ffff888102ece520 by task kworker/u49:5/7677
[ 2445.041976] CPU: 5 UID: 0 PID: 7677 Comm: kworker/u49:5 Not tainted 7.0.0-rc3-00140-ge72100575e13 #50 PREEMPT(full)
[ 2445.041979] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 2445.041981] Workqueue: nvmet-wq nvme_loop_execute_work [nvme_loop]
[ 2445.041990] Call Trace:
[ 2445.041998] <TASK>
[ 2445.042000] dump_stack_lvl+0x91/0xf0
[ 2445.042035] print_report+0xd1/0x660
[ 2445.042060] ? __virt_addr_valid+0x23a/0x440
[ 2445.042077] ? kasan_complete_mode_report_info+0x6a/0x210
[ 2445.042081] kasan_report+0xf3/0x130
[ 2445.042083] ? nvmet_find_get_subsys+0x541/0x5b0 [nvmet]
[ 2445.042095] ? nvmet_find_get_subsys+0x541/0x5b0 [nvmet]
[ 2445.042106] __asan_report_load8_noabort+0x14/0x30
[ 2445.042108] nvmet_find_get_subsys+0x541/0x5b0 [nvmet]
[ 2445.042120] ? __pfx_nvmet_find_get_subsys+0x10/0x10 [nvmet]
[ 2445.042131] ? __pfx_sg_copy_buffer+0x10/0x10
[ 2445.042151] nvmet_ctrl_find_get+0xb0/0x510 [nvmet]
[ 2445.042162] ? kasan_save_track+0x14/0x40
[ 2445.042164] ? collect_procs_ksm+0x3a1/0x4d0
[ 2445.042167] ? __pfx_nvmet_ctrl_find_get+0x10/0x10 [nvmet]
[ 2445.042178] ? sg_pcopy_to_buffer+0xf/0x30
[ 2445.042181] nvmet_execute_io_connect+0x238/0x510 [nvmet]
[ 2445.042193] nvme_loop_execute_work+0x38/0x50 [nvme_loop]
[ 2445.042195] process_one_work+0x84b/0x1a20
[ 2445.042207] ? __pfx_process_one_work+0x10/0x10
[ 2445.042209] ? do_raw_spin_lock+0x136/0x290
[ 2445.042220] ? assign_work+0x170/0x390
[ 2445.042223] worker_thread+0x6f0/0x11f0
[ 2445.042226] ? _raw_spin_unlock_irqrestore+0x51/0x80
[ 2445.042234] ? trace_hardirqs_on+0x24/0x190
[ 2445.042249] ? __pfx_worker_thread+0x10/0x10
[ 2445.042270] kthread+0x391/0x4c0
[ 2445.042275] ? calculate_sigpending+0x84/0xb0
[ 2445.042282] ? __pfx_kthread+0x10/0x10
[ 2445.042285] ret_from_fork+0x79f/0xa50
[ 2445.042302] ? __pfx_ret_from_fork+0x10/0x10
[ 2445.042304] ? __switch_to+0x381/0xe50
[ 2445.042312] ? __pfx_kthread+0x10/0x10
[ 2445.042314] ret_from_fork_asm+0x1a/0x30
[ 2445.042325] </TASK>
[ 2445.052641] Allocated by task 8141:
[ 2445.052887] kasan_save_stack+0x39/0x70
[ 2445.052895] kasan_save_track+0x14/0x40
[ 2445.052898] kasan_save_alloc_info+0x37/0x60
[ 2445.052900] __kasan_kmalloc+0xc3/0xd0
[ 2445.052902] __kmalloc_cache_noprof+0x25c/0x700
[ 2445.052922] nvmet_ports_make+0x163/0xc80 [nvmet]
[ 2445.052939] configfs_mkdir+0x484/0xe60
[ 2445.052950] vfs_mkdir+0x2a0/0x6e0
[ 2445.052958] filename_mkdirat+0x413/0x560
[ 2445.052963] __x64_sys_mkdir+0x6c/0xa0
[ 2445.052965] x64_sys_call+0x955/0x26e0
[ 2445.052968] do_syscall_64+0xe2/0x1520
[ 2445.052974] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 2445.053218] Freed by task 8375:
[ 2445.053458] kasan_save_stack+0x39/0x70
[ 2445.053461] kasan_save_track+0x14/0x40
[ 2445.053463] kasan_save_free_info+0x3b/0x60
[ 2445.053465] __kasan_slab_free+0x6f/0xa0
[ 2445.053468] kfree+0x1fb/0x5e0
[ 2445.053470] nvmet_port_release+0x151/0x1b0 [nvmet]
[ 2445.053482] config_item_cleanup+0x12a/0x200
[ 2445.053491] config_item_put+0x5a/0x80
[ 2445.053493] configfs_rmdir+0x797/0xfd0
[ 2445.053496] vfs_rmdir+0x2ac/0x840
[ 2445.053498] filename_rmdir+0x391/0x5a0
[ 2445.053500] __x64_sys_rmdir+0x47/0x70
[ 2445.053504] x64_sys_call+0x1fff/0x26e0
[ 2445.053506] do_syscall_64+0xe2/0x1520
[ 2445.053508] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 2445.053738] The buggy address belongs to the object at ffff888102ece000 which belongs to the cache kmalloc-rnd-11-2k of size 2048
[ 2445.054206] The buggy address is located 1312 bytes inside of freed 2048-byte region [ffff888102ece000, ffff888102ece800)
[ 2445.054901] The buggy address belongs to the physical page:
[ 2445.055125] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888102ecd000 pfn:0x102ec8
[ 2445.055131] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 2445.055133] flags: 0x17ffffc0000240(workingset|head|node=0|zone=2|lastcpupid=0x1fffff)
[ 2445.055143] page_type: f5(slab)
[ 2445.055146] raw: 0017ffffc0000240 ffff888100058640 ffff888100057648 ffffea00040bb810
[ 2445.055148] raw: ffff888102ecd000 0000000800080007 00000000f5000000 0000000000000000
[ 2445.055150] head: 0017ffffc0000240 ffff888100058640 ffff888100057648 ffffea00040bb810
[ 2445.055152] head: ffff888102ecd000 0000000800080007 00000000f5000000 0000000000000000
[ 2445.055154] head: 0017ffffc0000003 ffffea00040bb201 00000000ffffffff 00000000ffffffff
[ 2445.055156] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[ 2445.055157] page dumped because: kasan: bad access detected
[ 2445.055371] Memory state around the buggy address:
[ 2445.055597] ffff888102ece400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 2445.055824] ffff888102ece480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 2445.056049] >ffff888102ece500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 2445.056271] ^
[ 2445.056504] ffff888102ece580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 2445.056736] ffff888102ece600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 2445.056967] ==================================================================
[ 2445.057266] Disabling lock debugging due to kernel taint
[ 2445.057282] nvmet: connect request for invalid subsystem blktests-subsystem-1!
[ 2445.057361] nvme nvme2: Connect Invalid Data Parameter, subsysnqn "blktests-subsystem-1"
The kernel baseline is 8658b6054439 nvme-auth: Include SC_C in RVAL controller hash
I do not have a reproducer. I will analyze when I get a chance.
John
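Triaging a report like the one above starts with pulling out the three lifetime events it records: who allocated the object, who freed it, and who touched it afterwards. The parser below is an added example, not part of John's mail or the nvmet code; it runs on a constructed, re-wrapped excerpt of the report, skips the KASAN and allocator frames to find the owning code on each stack, and computes the access offset so it can be checked against the "1312 bytes inside" line the report prints.

```python
import re

# Constructed excerpt of the report above, re-joined to one printk record per line (only the lines the parser uses).
SAMPLE = """\
[ 2445.041235] BUG: KASAN: slab-use-after-free in nvmet_find_get_subsys+0x541/0x5b0 [nvmet]
[ 2445.041556] Read of size 8 at addr ffff888102ece520 by task kworker/u49:5/7677
[ 2445.052641] Allocated by task 8141:
[ 2445.052887]  kasan_save_stack+0x39/0x70
[ 2445.052902]  __kmalloc_cache_noprof+0x25c/0x700
[ 2445.052922]  nvmet_ports_make+0x163/0xc80 [nvmet]
[ 2445.052939]  configfs_mkdir+0x484/0xe60
[ 2445.053218] Freed by task 8375:
[ 2445.053465]  __kasan_slab_free+0x6f/0xa0
[ 2445.053468]  kfree+0x1fb/0x5e0
[ 2445.053470]  nvmet_port_release+0x151/0x1b0 [nvmet]
[ 2445.053493]  configfs_rmdir+0x797/0xfd0
[ 2445.053738] The buggy address belongs to the object at ffff888102ece000 which belongs to the cache kmalloc-rnd-11-2k of size 2048
"""

# Frames that belong to KASAN or the slab allocator, not to the code that owns the object's lifetime.
INSTRUMENTATION = ("kasan_", "__kasan_", "kfree", "__kmalloc", "kmalloc", "kmem_cache")

def owner(frames):
    """First frame outside the allocator/KASAN: the subsystem code that allocated or freed the object."""
    for frame in frames:
        if not frame.startswith(INSTRUMENTATION):
            return frame.split("+")[0]
    return None

def parse_kasan(text):
    rep, section = {"alloc": [], "free": []}, None
    for raw in text.splitlines():
        line = re.sub(r"^\[\s*[\d.]+\]\s*", "", raw).strip()  # drop the printk timestamp
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)", line):
            rep["bug"], rep["func"] = m[1], m[2].split("+")[0]
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", line):
            rep.update(op=m[1], size=int(m[2]), addr=int(m[3], 16), task=m[4])
        elif m := re.match(r"(Allocated|Freed) by task (\d+):", line):
            section = "alloc" if m[1] == "Allocated" else "free"
            rep[section + "_pid"] = int(m[2])
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+).*cache (\S+) of size (\d+)", line):
            rep.update(obj=int(m[1], 16), cache=m[2], obj_size=int(m[3]))
            section = None
        elif section and re.match(r"\S+\+0x[0-9a-f]+/0x[0-9a-f]+", line):
            rep[section].append(line)
    rep["alloc_owner"], rep["free_owner"] = owner(rep["alloc"]), owner(rep["free"])
    rep["offset"] = rep["addr"] - rep["obj"]  # should match the "located N bytes inside" line
    return rep
```

For this excerpt `parse_kasan(SAMPLE)` reports the read by nvmet_find_get_subsys at offset 1312 of an object allocated by nvmet_ports_make (pid 8141) and freed by nvmet_port_release (pid 8375), which is the configfs rmdir racing the connect path.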