Greetings,
FYI, we noticed the following commit (built with gcc-9):
commit: d8d59b4758bcd1064cef503614702af402725bf1 ("mm/page_alloc: Protect PCP lists with a spinlock")
https://git.kernel.org/cgit/linux/kernel/git/mel/linux.git mm-pcpllist-v1r1
in testcase: boot
on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
caused the changes below (please refer to the attached dmesg/kmsg for the full log and backtrace). The three reports in the excerpt look like a single failure: KASAN flags an 8-byte read at offset 56 of release_pages()'s frame, just below the `pages_to_free` list head at [64, 80); UBSAN then reports zone index 7 against a 5-entry zone array; and the final #GP is on the KASAN shadow of 0x2fa0 with R12 == 0, i.e. a zone lookup computed from a bogus page pointer. That is consistent with the list walk in free_unref_page_list() running onto the list head itself, but the attached dmesg is the authority; the table summarises it:
+-------------------------------------------------------+------------+------------+
| | 22ddc6d47e | d8d59b4758 |
+-------------------------------------------------------+------------+------------+
| boot_successes | 10 | 0 |
| boot_failures | 0 | 10 |
| BUG:KASAN:stack-out-of-bounds_in_free_unref_page_list | 0 | 10 |
| UBSAN:array-index-out-of-bounds_in_include/linux/mm.h | 0 | 10 |
| canonical_address#:#[##] | 0 | 10 |
| RIP:free_unref_page_list | 0 | 10 |
| Kernel_panic-not_syncing:Fatal_exception | 0 | 10 |
+-------------------------------------------------------+------------+------------+
If you fix the issue, kindly add the following tag:
Reported-by: kernel test robot <[email protected]>
[ 3.816780][ T7] BUG: KASAN: stack-out-of-bounds in free_unref_page_list (include/linux/mm.h:1543 mm/page_alloc.c:3465)
[ 3.816780][ T7] Read of size 8 at addr ffffc9000007f460 by task kworker/u4:0/7
[ 3.816780][ T7]
[ 3.816780][ T7] CPU: 0 PID: 7 Comm: kworker/u4:0 Not tainted 5.17.0-rc5-00013-gd8d59b4758bc #1
[ 3.816780][ T7] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 3.816780][ T7] Workqueue: events_unbound async_run_entry_fn
[ 3.816780][ T7] Call Trace:
[ 3.816780][ T7] <TASK>
[ 3.816780][ T7] dump_stack_lvl (lib/dump_stack.c:107)
[ 3.816780][ T7] print_address_description+0x21/0x180
[ 3.816780][ T7] ? free_unref_page_list (include/linux/mm.h:1543 mm/page_alloc.c:3465)
[ 3.816780][ T7] kasan_report.cold (mm/kasan/report.c:443 mm/kasan/report.c:459)
[ 3.816780][ T7] ? free_unref_page_list (include/linux/mm.h:1543 mm/page_alloc.c:3465)
[ 3.816780][ T7] free_unref_page_list (include/linux/mm.h:1543 mm/page_alloc.c:3465)
[ 3.816780][ T7] ? memory_failure_queue_kick (mm/page_owner.c:104)
[ 3.816780][ T7] release_pages (mm/swap.c:903)
[ 3.816780][ T7] ? xa_get_order (lib/xarray.c:1763)
[ 3.816780][ T7] ? pagevec_move_tail_fn (mm/swap.c:903)
[ 3.816780][ T7] ? _raw_read_unlock_irqrestore (kernel/locking/spinlock.c:161)
[ 3.816780][ T7] ? __mod_memcg_lruvec_state (mm/memcontrol.c:638 mm/memcontrol.c:714)
[ 3.816780][ T7] __pagevec_lru_add (include/linux/pagevec.h:57 mm/swap.c:1076)
[ 3.816780][ T7] ? lru_cache_disable (mm/swap.c:1062)
[ 3.816780][ T7] ? scan_shadow_nodes (mm/workingset.c:435)
[ 3.816780][ T7] folio_add_lru (mm/swap.c:469)
[ 3.816780][ T7] filemap_add_folio (mm/filemap.c:945)
[ 3.816780][ T7] ? add_to_page_cache_locked (mm/filemap.c:945)
[ 3.816780][ T7] ? policy_node (include/linux/nodemask.h:265 mm/mempolicy.c:1869)
[ 3.816780][ T7] __filemap_get_folio (mm/filemap.c:2002)
[ 3.816780][ T7] ? memcpy (mm/kasan/shadow.c:65 (discriminator 1))
[ 3.816780][ T7] ? filemap_map_pages (mm/filemap.c:1940)
[ 3.816780][ T7] pagecache_get_page (mm/folio-compat.c:125)
[ 3.816780][ T7] simple_write_begin (fs/libfs.c:561)
[ 3.816780][ T7] generic_perform_write (mm/filemap.c:3767)
[ 3.816780][ T7] ? trace_event_raw_event_filemap_set_wb_err (mm/filemap.c:3730)
[ 3.816780][ T7] ? inode_update_time (fs/inode.c:2059)
[ 3.816780][ T7] ? generic_write_checks (fs/read_write.c:1649)
[ 3.816780][ T7] __generic_file_write_iter (mm/filemap.c:3893)
[ 3.816780][ T7] generic_file_write_iter (include/linux/fs.h:782 mm/filemap.c:3925)
[ 3.816780][ T7] __kernel_write (fs/read_write.c:535 (discriminator 1))
[ 3.816780][ T7] ? do_iter_readv_writev (fs/read_write.c:512)
[ 3.816780][ T7] ? up_write (arch/x86/include/asm/atomic64_64.h:172 include/linux/atomic/atomic-long.h:95 include/linux/atomic/atomic-instrumented.h:1348 kernel/locking/rwsem.c:1318 kernel/locking/rwsem.c:1567)
[ 3.816780][ T7] ? do_truncate (fs/open.c:41)
[ 3.816780][ T7] kernel_write (include/linux/fs.h:2949 fs/read_write.c:565 fs/read_write.c:554)
[ 3.816780][ T7] xwrite+0x31/0x62
[ 3.816780][ T7] do_copy (init/initramfs.c:396)
[ 3.816780][ T7] ? xwrite+0x62/0x62
[ 3.816780][ T7] ? vfs_truncate (fs/open.c:116)
[ 3.816780][ T7] ? do_name (init/initramfs.c:361)
[ 3.816780][ T7] write_buffer (init/initramfs.c:432 (discriminator 1))
[ 3.816780][ T7] flush_buffer (init/initramfs.c:444)
[ 3.816780][ T7] __gunzip (lib/decompress_inflate.c:161)
[ 3.816780][ T7] ? write_buffer (init/initramfs.c:438)
[ 3.816780][ T7] ? bunzip2 (lib/decompress_inflate.c:39)
[ 3.816780][ T7] ? __gunzip (lib/decompress_inflate.c:207)
[ 3.816780][ T7] gunzip (lib/decompress_inflate.c:207)
[ 3.816780][ T7] ? initrd_load (init/initramfs.c:46)
[ 3.816780][ T7] unpack_to_rootfs (init/initramfs.c:502)
[ 3.816780][ T7] ? initrd_load (init/initramfs.c:46)
[ 3.816780][ T7] ? do_header (init/initramfs.c:465)
[ 3.816780][ T7] ? __switch_to (arch/x86/include/asm/bitops.h:55 include/asm-generic/bitops/instrumented-atomic.h:29 include/linux/thread_info.h:89 arch/x86/include/asm/fpu/sched.h:65 arch/x86/kernel/process_64.c:622)
[ 3.816780][ T7] ? __switch_to_asm (arch/x86/entry/entry_64.S:254)
[ 3.816780][ T7] ? reserve_initrd_mem (init/initramfs.c:672)
[ 3.816780][ T7] do_populate_rootfs (init/initramfs.c:686)
[ 3.816780][ T7] async_run_entry_fn (arch/x86/include/asm/jump_label.h:27 kernel/async.c:129)
[ 3.816780][ T7] process_one_work (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:212 include/trace/events/workqueue.h:108 kernel/workqueue.c:2312)
[ 3.816780][ T7] worker_thread (include/linux/list.h:292 kernel/workqueue.c:2455)
[ 3.816780][ T7] ? process_one_work (kernel/workqueue.c:2397)
[ 3.816780][ T7] kthread (kernel/kthread.c:377)
[ 3.816780][ T7] ? kthread_complete_and_exit (kernel/kthread.c:332)
[ 3.816780][ T7] ret_from_fork (arch/x86/entry/entry_64.S:301)
[ 3.816780][ T7] </TASK>
[ 3.816780][ T7]
[ 3.816780][ T7] addr ffffc9000007f460 is located in stack of task kworker/u4:0/7 at offset 56 in frame:
[ 3.816780][ T7] release_pages (mm/swap.c:903)
[ 3.816780][ T7]
[ 3.816780][ T7] this frame has 2 objects:
[ 3.816780][ T7] [32, 40) 'flags'
[ 3.816780][ T7] [64, 80) 'pages_to_free'
[ 3.816780][ T7]
[ 3.816780][ T7] Memory state around the buggy address:
[ 3.816780][ T7] ffffc9000007f300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 3.816780][ T7] ffffc9000007f380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 3.816780][ T7] >ffffc9000007f400: 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 00 00 f3
[ 3.816780][ T7] ^
[ 3.816780][ T7] ffffc9000007f480: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 3.816780][ T7] ffffc9000007f500: 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f3 f3 f3 00
[ 3.816780][ T7] ==================================================================
[ 3.816780][ T7] Disabling lock debugging due to kernel taint
[ 3.816780][ T7] ================================================================================
[ 3.816780][ T7] UBSAN: array-index-out-of-bounds in include/linux/mm.h:1543:50
[ 3.816780][ T7] index 7 is out of range for type 'zone [5]'
[ 3.816780][ T7] CPU: 0 PID: 7 Comm: kworker/u4:0 Tainted: G B 5.17.0-rc5-00013-gd8d59b4758bc #1
[ 3.816780][ T7] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 3.816780][ T7] Workqueue: events_unbound async_run_entry_fn
[ 3.816780][ T7] Call Trace:
[ 3.816780][ T7] <TASK>
[ 3.816780][ T7] dump_stack_lvl (lib/dump_stack.c:107)
[ 3.816780][ T7] ubsan_epilogue (lib/ubsan.c:152)
[ 3.816780][ T7] __ubsan_handle_out_of_bounds.cold (lib/ubsan.c:291 lib/ubsan.c:278)
[ 3.816780][ T7] ? free_unref_page_list (include/linux/mm.h:1543 mm/page_alloc.c:3465)
[ 3.816780][ T7] free_unref_page_list (include/linux/mm.h:1543 mm/page_alloc.c:3465)
[ 3.816780][ T7] ? memory_failure_queue_kick (mm/page_owner.c:104)
[ 3.816780][ T7] release_pages (mm/swap.c:903)
[ 3.816780][ T7] ? xa_get_order (lib/xarray.c:1763)
[ 3.816780][ T7] ? pagevec_move_tail_fn (mm/swap.c:903)
[ 3.816780][ T7] ? _raw_read_unlock_irqrestore (kernel/locking/spinlock.c:161)
[ 3.816780][ T7] ? __mod_memcg_lruvec_state (mm/memcontrol.c:638 mm/memcontrol.c:714)
[ 3.816780][ T7] __pagevec_lru_add (include/linux/pagevec.h:57 mm/swap.c:1076)
[ 3.816780][ T7] ? lru_cache_disable (mm/swap.c:1062)
[ 3.816780][ T7] ? scan_shadow_nodes (mm/workingset.c:435)
[ 3.816780][ T7] folio_add_lru (mm/swap.c:469)
[ 3.816780][ T7] filemap_add_folio (mm/filemap.c:945)
[ 3.816780][ T7] ? add_to_page_cache_locked (mm/filemap.c:945)
[ 3.816780][ T7] ? policy_node (include/linux/nodemask.h:265 mm/mempolicy.c:1869)
[ 3.816780][ T7] __filemap_get_folio (mm/filemap.c:2002)
[ 3.816780][ T7] ? memcpy (mm/kasan/shadow.c:65 (discriminator 1))
[ 3.816780][ T7] ? filemap_map_pages (mm/filemap.c:1940)
[ 3.816780][ T7] pagecache_get_page (mm/folio-compat.c:125)
[ 3.816780][ T7] simple_write_begin (fs/libfs.c:561)
[ 3.816780][ T7] generic_perform_write (mm/filemap.c:3767)
[ 3.816780][ T7] ? trace_event_raw_event_filemap_set_wb_err (mm/filemap.c:3730)
[ 3.816780][ T7] ? inode_update_time (fs/inode.c:2059)
[ 3.816780][ T7] ? generic_write_checks (fs/read_write.c:1649)
[ 3.816780][ T7] __generic_file_write_iter (mm/filemap.c:3893)
[ 3.816780][ T7] generic_file_write_iter (include/linux/fs.h:782 mm/filemap.c:3925)
[ 3.816780][ T7] __kernel_write (fs/read_write.c:535 (discriminator 1))
[ 3.816780][ T7] ? do_iter_readv_writev (fs/read_write.c:512)
[ 3.816780][ T7] ? up_write (arch/x86/include/asm/atomic64_64.h:172 include/linux/atomic/atomic-long.h:95 include/linux/atomic/atomic-instrumented.h:1348 kernel/locking/rwsem.c:1318 kernel/locking/rwsem.c:1567)
[ 3.816780][ T7] ? do_truncate (fs/open.c:41)
[ 3.816780][ T7] kernel_write (include/linux/fs.h:2949 fs/read_write.c:565 fs/read_write.c:554)
[ 3.816780][ T7] xwrite+0x31/0x62
[ 3.816780][ T7] do_copy (init/initramfs.c:396)
[ 3.816780][ T7] ? xwrite+0x62/0x62
[ 3.816780][ T7] ? vfs_truncate (fs/open.c:116)
[ 3.816780][ T7] ? do_name (init/initramfs.c:361)
[ 3.816780][ T7] write_buffer (init/initramfs.c:432 (discriminator 1))
[ 3.816780][ T7] flush_buffer (init/initramfs.c:444)
[ 3.816780][ T7] __gunzip (lib/decompress_inflate.c:161)
[ 3.816780][ T7] ? write_buffer (init/initramfs.c:438)
[ 3.816780][ T7] ? bunzip2 (lib/decompress_inflate.c:39)
[ 3.816780][ T7] ? __gunzip (lib/decompress_inflate.c:207)
[ 3.816780][ T7] gunzip (lib/decompress_inflate.c:207)
[ 3.816780][ T7] ? initrd_load (init/initramfs.c:46)
[ 3.816780][ T7] unpack_to_rootfs (init/initramfs.c:502)
[ 3.816780][ T7] ? initrd_load (init/initramfs.c:46)
[ 3.816780][ T7] ? do_header (init/initramfs.c:465)
[ 3.816780][ T7] ? __switch_to (arch/x86/include/asm/bitops.h:55 include/asm-generic/bitops/instrumented-atomic.h:29 include/linux/thread_info.h:89 arch/x86/include/asm/fpu/sched.h:65 arch/x86/kernel/process_64.c:622)
[ 3.816780][ T7] ? __switch_to_asm (arch/x86/entry/entry_64.S:254)
[ 3.816780][ T7] ? reserve_initrd_mem (init/initramfs.c:672)
[ 3.816780][ T7] do_populate_rootfs (init/initramfs.c:686)
[ 3.816780][ T7] async_run_entry_fn (arch/x86/include/asm/jump_label.h:27 kernel/async.c:129)
[ 3.816780][ T7] process_one_work (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:212 include/trace/events/workqueue.h:108 kernel/workqueue.c:2312)
[ 3.816780][ T7] worker_thread (include/linux/list.h:292 kernel/workqueue.c:2455)
[ 3.816780][ T7] ? process_one_work (kernel/workqueue.c:2397)
[ 3.816780][ T7] kthread (kernel/kthread.c:377)
[ 3.816780][ T7] ? kthread_complete_and_exit (kernel/kthread.c:332)
[ 3.816780][ T7] ret_from_fork (arch/x86/entry/entry_64.S:301)
[ 3.816780][ T7] </TASK>
[ 3.816780][ T7] ================================================================================
[ 3.816780][ T7] general protection fault, probably for non-canonical address 0xdffffc00000005f4: 0000 [#1] SMP KASAN PTI
[ 3.816780][ T7] KASAN: probably user-memory-access in range [0x0000000000002fa0-0x0000000000002fa7]
[ 3.816780][ T7] CPU: 0 PID: 7 Comm: kworker/u4:0 Tainted: G B 5.17.0-rc5-00013-gd8d59b4758bc #1
[ 3.816780][ T7] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 3.816780][ T7] Workqueue: events_unbound async_run_entry_fn
[ 3.816780][ T7] RIP: 0010:free_unref_page_list (mm/page_alloc.c:3466)
[ 3.816780][ T7] Code: 06 00 00 48 8d 44 6d 00 48 8d 04 c0 48 c1 e0 06 49 8d 7c 04 60 49 8d 0c 04 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 00 06 00 00 48 8d 44 6d 00 48 89 0c 24 48 8d 04
All code
========
0: 06 (bad)
1: 00 00 add %al,(%rax)
3: 48 8d 44 6d 00 lea 0x0(%rbp,%rbp,2),%rax
8: 48 8d 04 c0 lea (%rax,%rax,8),%rax
c: 48 c1 e0 06 shl $0x6,%rax
10: 49 8d 7c 04 60 lea 0x60(%r12,%rax,1),%rdi
15: 49 8d 0c 04 lea (%r12,%rax,1),%rcx
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
2a:* 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2e: 0f 85 00 06 00 00 jne 0x634
34: 48 8d 44 6d 00 lea 0x0(%rbp,%rbp,2),%rax
39: 48 89 0c 24 mov %rcx,(%rsp)
3d: 48 rex.W
3e: 8d .byte 0x8d
3f: 04 .byte 0x4
Code starting with the faulting instruction
===========================================
0: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
4: 0f 85 00 06 00 00 jne 0x60a
a: 48 8d 44 6d 00 lea 0x0(%rbp,%rbp,2),%rax
f: 48 89 0c 24 mov %rcx,(%rsp)
13: 48 rex.W
14: 8d .byte 0x8d
15: 04 .byte 0x4
[ 3.816780][ T7] RSP: 0000:ffffc9000007f348 EFLAGS: 00010002
[ 3.816780][ T7] RAX: dffffc0000000000 RBX: 0000000000000246 RCX: 0000000000002f40
[ 3.816780][ T7] RDX: 00000000000005f4 RSI: ffffc9000007f020 RDI: 0000000000002fa0
[ 3.816780][ T7] RBP: 0000000000000007 R08: 0000000000000050 R09: fffff5200000fdee
[ 3.816780][ T7] R10: ffffc9000007ef6f R11: fffff5200000fded R12: 0000000000000000
[ 3.816780][ T7] R13: ffffc9000007f460 R14: fffffbfff427b942 R15: ffffc9000007f460
[ 3.816780][ T7] FS: 0000000000000000(0000) GS:ffff88839d600000(0000) knlGS:0000000000000000
[ 3.816780][ T7] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3.816780][ T7] CR2: ffff88843ffff000 CR3: 0000000294414000 CR4: 00000000000006f0
[ 3.816780][ T7] Call Trace:
[ 3.816780][ T7] <TASK>
[ 3.816780][ T7] ? memory_failure_queue_kick (mm/page_owner.c:104)
[ 3.816780][ T7] release_pages (mm/swap.c:903)
[ 3.816780][ T7] ? xa_get_order (lib/xarray.c:1763)
[ 3.816780][ T7] ? pagevec_move_tail_fn (mm/swap.c:903)
[ 3.816780][ T7] ? _raw_read_unlock_irqrestore (kernel/locking/spinlock.c:161)
[ 3.816780][ T7] ? __mod_memcg_lruvec_state (mm/memcontrol.c:638 mm/memcontrol.c:714)
[ 3.816780][ T7] __pagevec_lru_add (include/linux/pagevec.h:57 mm/swap.c:1076)
[ 3.816780][ T7] ? lru_cache_disable (mm/swap.c:1062)
[ 3.816780][ T7] ? scan_shadow_nodes (mm/workingset.c:435)
[ 3.816780][ T7] folio_add_lru (mm/swap.c:469)
[ 3.816780][ T7] filemap_add_folio (mm/filemap.c:945)
[ 3.816780][ T7] ? add_to_page_cache_locked (mm/filemap.c:945)
[ 3.816780][ T7] ? policy_node (include/linux/nodemask.h:265 mm/mempolicy.c:1869)
[ 3.816780][ T7] __filemap_get_folio (mm/filemap.c:2002)
[ 3.816780][ T7] ? memcpy (mm/kasan/shadow.c:65 (discriminator 1))
[ 3.816780][ T7] ? filemap_map_pages (mm/filemap.c:1940)
[ 3.816780][ T7] pagecache_get_page (mm/folio-compat.c:125)
[ 3.816780][ T7] simple_write_begin (fs/libfs.c:561)
[ 3.816780][ T7] generic_perform_write (mm/filemap.c:3767)
[ 3.816780][ T7] ? trace_event_raw_event_filemap_set_wb_err (mm/filemap.c:3730)
[ 3.816780][ T7] ? inode_update_time (fs/inode.c:2059)
[ 3.816780][ T7] ? generic_write_checks (fs/read_write.c:1649)
[ 3.816780][ T7] __generic_file_write_iter (mm/filemap.c:3893)
[ 3.816780][ T7] generic_file_write_iter (include/linux/fs.h:782 mm/filemap.c:3925)
[ 3.816780][ T7] __kernel_write (fs/read_write.c:535 (discriminator 1))
[ 3.816780][ T7] ? do_iter_readv_writev (fs/read_write.c:512)
[ 3.816780][ T7] ? up_write (arch/x86/include/asm/atomic64_64.h:172 include/linux/atomic/atomic-long.h:95 include/linux/atomic/atomic-instrumented.h:1348 kernel/locking/rwsem.c:1318 kernel/locking/rwsem.c:1567)
[ 3.816780][ T7] ? do_truncate (fs/open.c:41)
[ 3.816780][ T7] kernel_write (include/linux/fs.h:2949 fs/read_write.c:565 fs/read_write.c:554)
[ 3.816780][ T7] xwrite+0x31/0x62
[ 3.816780][ T7] do_copy (init/initramfs.c:396)
[ 3.816780][ T7] ? xwrite+0x62/0x62
[ 3.816780][ T7] ? vfs_truncate (fs/open.c:116)
To reproduce:
# Build the kernel at the reported commit with the attached config.
# The report was produced with gcc-9; the KASAN/UBSAN reports above depend on
# options in the attached config-* file, so use it rather than a fresh defconfig.
cd linux
cp config-5.17.0-rc5-00013-gd8d59b4758bc .config
make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage modules
# <mod-install-dir> and <bzImage> below are placeholders to fill in.
make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 INSTALL_MOD_PATH=<mod-install-dir> modules_install
cd <mod-install-dir>
# Pack the installed modules as a gzip-compressed newc cpio archive; this is
# presumably the format `bin/lkp qemu -m` expects below.
find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz
# NOTE(review): this is an unpinned clone of a third-party repository whose
# scripts run with your privileges; check out a known commit before running it
# anywhere other than a disposable VM.
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email
# If you run into a failure that blocks the test, remove the ~/.lkp and
# /lkp directories to start again from a clean state.
---
0DAY/LKP+ Test Infrastructure Open Source Technology Center
https://lists.01.org/hyperkitty/list/[email protected] Intel Corporation
Thanks,
Oliver Sang