==================================================================
BUG: KASAN: use-after-free in iov_iter_revert+0x976/0x9d0 lib/iov_iter.c:890
Read of size 4 at addr ffff88006cf50488 by task loop6/15260

CPU: 0 PID: 15260 Comm: loop6 Not tainted 4.13.0-rc7-next-20170831+ #12
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:52
kvm_hv_get_msr: 384 callbacks suppressed
kvm [15652]: vcpu0, guest rIP: 0x9135 Hyper-V unhandled rdmsr: 0x4000008f
kvm [15652]: vcpu0, guest rIP: 0x9135 Hyper-V unhandled rdmsr: 0x4000008e
kvm [15652]: vcpu0, guest rIP: 0x9135 Hyper-V unhandled rdmsr: 0x4000008d
kvm [15652]: vcpu0, guest rIP: 0x9135 Hyper-V unhandled rdmsr: 0x4000008c
kvm [15652]: vcpu0, guest rIP: 0x9135 Hyper-V unhandled rdmsr: 0x4000008b
kvm [15652]: vcpu0, guest rIP: 0x9135 Hyper-V unhandled rdmsr: 0x4000008a
kvm [15652]: vcpu0, guest rIP: 0x9135 Hyper-V unhandled rdmsr: 0x40000089
kvm [15652]: vcpu0, guest rIP: 0x9135 Hyper-V unhandled rdmsr: 0x40000088
kvm [15652]: vcpu0, guest rIP: 0x9135 Hyper-V unhandled rdmsr: 0x40000087
kvm [15652]: vcpu0, guest rIP: 0x9135 Hyper-V unhandled rdmsr: 0x40000086
kvm_hv_set_msr: 135 callbacks suppressed
kvm [15652]: vcpu0, guest rIP: 0x9112 Hyper-V uhandled wrmsr: 0x40000023 data 0x66c900003b9a1043
kvm [15652]: vcpu0, guest rIP: 0x9112 Hyper-V uhandled wrmsr: 0x40000022 data 0x66c90000cb211043
kvm [15652]: vcpu0, guest rIP: 0x9112 Hyper-V uhandled wrmsr: 0x40000023 data 0x66c900003b9a1043
kvm [15652]: vcpu0, guest rIP: 0x9112 Hyper-V uhandled wrmsr: 0x40000022 data 0x66c90000cb211043
kvm [15652]: vcpu0, guest rIP: 0x9112 Hyper-V uhandled wrmsr: 0x40000020 data 0x66c9000000091043
 print_address_description+0x73/0x250 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report+0x24e/0x340 mm/kasan/report.c:409
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
 iov_iter_revert+0x976/0x9d0 lib/iov_iter.c:890
 generic_file_read_iter+0x1883/0x26c0 mm/filemap.c:2197
 blkdev_read_iter+0x105/0x170 fs/block_dev.c:1918
 call_read_iter include/linux/fs.h:1738 [inline]
 lo_rw_aio+0x9e9/0xc20 drivers/block/loop.c:501
 do_req_filebacked drivers/block/loop.c:539 [inline]
 loop_handle_cmd drivers/block/loop.c:1694 [inline]
 loop_queue_work+0x1f91/0x3900 drivers/block/loop.c:1708
*** Guest State ***
CR0: actual=0x0000000000000031, shadow=0x0000000060000011, gh_mask=fffffffffffffff7
CR4: actual=0x00000000002220d0, shadow=0x0000000000220080, gh_mask=ffffffffffffe871
CR3 = 0x00000000fffbc000
RSP = 0x0000000000000f80  RIP = 0x0000000000000000
RFLAGS=0x00000002         DR7 = 0x0000000000000400
Sysenter RSP=0000000000000f80 CS:RIP=0030:0000000000002810
CS:   sel=0x0030, attr=0x0409b, limit=0x000fffff, base=0x0000000000000000
DS:   sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000
SS:   sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000
ES:   sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000
FS:   sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000
GS:   sel=0x0038, attr=0x04093, limit=0x000fffff, base=0x0000000000000000
GDTR:                           limit=0x000007ff, base=0x0000000000001000
LDTR: sel=0x0008, attr=0x04082, limit=0x000007ff, base=0x0000000000001800
IDTR:                           limit=0x000001ff, base=0x0000000000003800
TR:   sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000
EFER =     0x0000000000000001  PAT = 0x0007040600070406
DebugCtl = 0x0000000000000000  DebugExceptions = 0x0000000000000000
BndCfgS = 0x0000000000000000
Interruptibility = 00000000  ActivityState = 00000000
*** Host State ***
RIP = 0xffffffff811b8e2f  RSP = 0xffff880038d3f4c8
CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040
FSBase=00007f79fd118700 GSBase=ffff88006df00000 TRBase=ffff88006df23100
GDTBase=ffffffffff574000 IDTBase=ffffffffff57b000
CR0=0000000080050033 CR3=000000006bc5f000 CR4=00000000000026e0
Sysenter RSP=0000000000000000 CS:RIP=0010:ffffffff84d3fc80
EFER = 0x0000000000000d01  PAT = 0x0007040600070406
*** Control State ***
PinBased=0000003f CPUBased=b699edfa SecondaryExec=000000e2
EntryControls=0001d1ff ExitControls=00afefff
ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000
VMEntry: intr_info=00000b0d errcode=00000000 ilen=00000000
VMExit: intr_info=00000000 errcode=00000000 ilen=00000000
        reason=80000021 qualification=0000000000000000
IDTVectoring: info=00000000 errcode=00000000
TSC Offset = 0xffffffc5a63df9d6
EPT pointer = 0x00000000698d701e
Virtual processor ID = 0x011c
 kthread_worker_fn+0x340/0x9b0 kernel/kthread.c:635
 loop_kthread_worker_fn+0x51/0x60 drivers/block/loop.c:850
 kthread+0x39c/0x470 kernel/kthread.c:231
 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431

Allocated by task 15657:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
 kmem_cache_alloc+0x12e/0x760 mm/slab.c:3561
 mempool_alloc_slab+0x44/0x60 mm/mempool.c:449
 mempool_alloc+0x16a/0x4b0 mm/mempool.c:329
 bio_alloc_bioset+0x3c7/0x750 block/bio.c:486
 bio_alloc include/linux/bio.h:417 [inline]
 submit_bh_wbc+0x104/0x680 fs/buffer.c:3110
 submit_bh fs/buffer.c:3142 [inline]
 block_read_full_page+0x6cf/0x950 fs/buffer.c:2355
 blkdev_readpage+0x1c/0x20 fs/block_dev.c:583
 do_generic_file_read mm/filemap.c:2082 [inline]
 generic_file_read_iter+0x1286/0x26c0 mm/filemap.c:2213
 blkdev_read_iter+0x105/0x170 fs/block_dev.c:1918
 call_read_iter include/linux/fs.h:1738 [inline]
 new_sync_read fs/read_write.c:400 [inline]
 __vfs_read+0x6ad/0xa00 fs/read_write.c:412
 vfs_read+0x124/0x360 fs/read_write.c:433
 SYSC_read fs/read_write.c:549 [inline]
 SyS_read+0xef/0x220 fs/read_write.c:542
 entry_SYSCALL_64_fastpath+0x1f/0xbe

Freed by task 0:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3503 [inline]
 kmem_cache_free+0x77/0x280 mm/slab.c:3763
 mempool_free_slab+0x1d/0x30 mm/mempool.c:456
 mempool_free+0xd4/0x1d0 mm/mempool.c:438
 bio_free+0x11c/0x190 block/bio.c:265
 bio_put+0x14f/0x180 block/bio.c:558
 end_bio_bh_io_sync+0xcd/0x110 fs/buffer.c:3038
 bio_endio+0x2f8/0x8d0 block/bio.c:1843
 req_bio_endio block/blk-core.c:204 [inline]
 blk_update_request+0x2a6/0xe20 block/blk-core.c:2738
 blk_mq_end_request+0x54/0x120 block/blk-mq.c:509
 lo_complete_rq+0xbe/0x1f0 drivers/block/loop.c:460
 __blk_mq_complete_request_remote+0x58/0x70 block/blk-mq.c:519
 flush_smp_call_function_queue+0x2d6/0x450 kernel/smp.c:247
 generic_smp_call_function_single_interrupt+0x13/0x30 kernel/smp.c:192
 smp_call_function_single_interrupt+0x10f/0x650 arch/x86/kernel/smp.c:295

The buggy address belongs to the object at ffff88006cf50400
 which belongs to the cache bio-0 of size 192
The buggy address is located 136 bytes inside of
 192-byte region [ffff88006cf50400, ffff88006cf504c0)
The buggy address belongs to the page:
page:ffffea0001b3d400 count:1 mapcount:0 mapping:ffff88006cf50000 index:0x0
flags: 0x500000000000100(slab)
raw: 0500000000000100 ffff88006cf50000 0000000000000000 0000000100000010
raw: ffffea0001a855a0 ffff88006c2b3550 ffff88006c01b840 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88006cf50380: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
 ffff88006cf50400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88006cf50480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                      ^
 ffff88006cf50500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88006cf50580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================