[PATCH] maple_tree: use KMEM_CACHE to create maple_node caches
kernel test robot
oliver.sang at intel.com
Mon Nov 4 18:34:09 PST 2024
Hello,
We noticed Matthew Wilcox NACKed this patch in
https://lore.kernel.org/all/ZyjLpXKx5qcLYQ3S@casper.infradead.org/
We send the report below FYI in case it could supply some useful information to
you. Just ignore it otherwise. Thanks.
kernel test robot noticed "BUG:KASAN:slab-out-of-bounds_in_mas_store_gfp" on:
commit: 6fa40fae6ea5ad7990555fa7460739ee44088111 ("[PATCH] maple_tree: use KMEM_CACHE to create maple_node caches")
url: https://github.com/intel-lab-lkp/linux/commits/Ke-Sun/maple_tree-use-KMEM_CACHE-to-create-maple_node-caches/20241104-141720
base: https://git.kernel.org/cgit/linux/kernel/git/akpm/mm.git mm-nonmm-unstable
patch link: https://lore.kernel.org/all/20241104061617.450907-1-sunke@kylinos.cn/
patch subject: [PATCH] maple_tree: use KMEM_CACHE to create maple_node caches
in testcase: boot
config: x86_64-rhel-8.3-kselftests
compiler: gcc-12
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
(please refer to attached dmesg/kmsg for entire log/backtrace)
+----------------------------------------------------------------------------------------------+------------+------------+
| | d61ee4ec5d | 6fa40fae6e |
+----------------------------------------------------------------------------------------------+------------+------------+
| boot_successes | 18 | 0 |
| boot_failures | 0 | 18 |
| BUG:KASAN:slab-out-of-bounds_in_mas_store_gfp | 0 | 14 |
| Oops:general_protection_fault,probably_for_non-canonical_address#:#[##]PREEMPT_SMP_KASAN_PTI | 0 | 18 |
| KASAN:null-ptr-deref_in_range[#-#] | 0 | 18 |
| RIP:mas_wr_store_type | 0 | 11 |
| Kernel_panic-not_syncing:Fatal_exception | 0 | 18 |
| BUG:KASAN:slab-out-of-bounds_in_mas_put_in_tree | 0 | 4 |
| RIP:mas_put_in_tree | 0 | 4 |
| RIP:mas_ascend | 0 | 3 |
+----------------------------------------------------------------------------------------------+------------+------------+
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags:
| Reported-by: kernel test robot <oliver.sang at intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202411051011.b1d218e6-oliver.sang@intel.com
[ 3.482690][ T0] BUG: KASAN: slab-out-of-bounds in mas_store_gfp (lib/maple_tree.c:546 lib/maple_tree.c:578 lib/maple_tree.c:1368 lib/maple_tree.c:4132 lib/maple_tree.c:4266 lib/maple_tree.c:5477)
[ 3.483624][ T0] Read of size 8 at addr ffff88810028b600 by task swapper/0/0
[ 3.484595][ T0]
[ 3.484906][ T0] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.0-rc5-00131-g6fa40fae6ea5 #1
[ 3.486154][ T0] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[ 3.487534][ T0] Call Trace:
[ 3.487952][ T0] <TASK>
[ 3.488337][ T0] dump_stack_lvl (lib/dump_stack.c:124)
[ 3.488949][ T0] print_address_description+0x2c/0x3a0
[ 3.489867][ T0] ? mas_store_gfp (lib/maple_tree.c:546 lib/maple_tree.c:578 lib/maple_tree.c:1368 lib/maple_tree.c:4132 lib/maple_tree.c:4266 lib/maple_tree.c:5477)
[ 3.490508][ T0] print_report (mm/kasan/report.c:489)
[ 3.491108][ T0] ? kasan_addr_to_slab (mm/kasan/common.c:37)
[ 3.491762][ T0] ? mas_store_gfp (lib/maple_tree.c:546 lib/maple_tree.c:578 lib/maple_tree.c:1368 lib/maple_tree.c:4132 lib/maple_tree.c:4266 lib/maple_tree.c:5477)
[ 3.492391][ T0] kasan_report (mm/kasan/report.c:603)
[ 3.492999][ T0] ? mas_store_gfp (lib/maple_tree.c:546 lib/maple_tree.c:578 lib/maple_tree.c:1368 lib/maple_tree.c:4132 lib/maple_tree.c:4266 lib/maple_tree.c:5477)
[ 3.493672][ T0] mas_store_gfp (lib/maple_tree.c:546 lib/maple_tree.c:578 lib/maple_tree.c:1368 lib/maple_tree.c:4132 lib/maple_tree.c:4266 lib/maple_tree.c:5477)
[ 3.494258][ T0] ? __pfx_mas_store_gfp (lib/maple_tree.c:5470)
[ 3.494930][ T0] ? init_desc (kernel/irq/irqdesc.c:213)
[ 3.495526][ T0] early_irq_init (kernel/irq/irqdesc.c:174 kernel/irq/irqdesc.c:585)
[ 3.496148][ T0] ? __pfx_early_irq_init (kernel/irq/irqdesc.c:563)
[ 3.496833][ T0] ? __trace_define_field (include/linux/list.h:150 include/linux/list.h:169 kernel/trace/trace_events.c:138)
[ 3.497557][ T0] start_kernel (init/main.c:1008)
[ 3.498161][ T0] x86_64_start_reservations (arch/x86/kernel/head64.c:495)
[ 3.498918][ T0] x86_64_start_kernel (arch/x86/kernel/head64.c:437 (discriminator 17))
[ 3.499599][ T0] common_startup_64 (arch/x86/kernel/head_64.S:414)
[ 3.500276][ T0] </TASK>
[ 3.500684][ T0]
[ 3.500996][ T0] The buggy address belongs to the object at ffff88810028b500
[ 3.500996][ T0] which belongs to the cache maple_node of size 256
[ 3.502884][ T0] The buggy address is located 0 bytes to the right of
[ 3.502884][ T0] allocated 256-byte region [ffff88810028b500, ffff88810028b600)
[ 3.504826][ T0]
[ 3.505139][ T0] The buggy address belongs to the physical page:
[ 3.506009][ T0] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10028b
[ 3.507141][ T0] flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff)
[ 3.508110][ T0] page_type: f5(slab)
[ 3.508638][ T0] raw: 0017ffffc0000000 ffff88810004fdc0 dead000000000122 0000000000000000
[ 3.509777][ T0] raw: 0000000000000000 00000000800c000c 00000001f5000000 0000000000000000
[ 3.510920][ T0] page dumped because: kasan: bad access detected
[ 3.511773][ T0]
[ 3.512072][ T0] Memory state around the buggy address:
[ 3.512839][ T0] ffff88810028b500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 3.513930][ T0] ffff88810028b580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 3.514979][ T0] >ffff88810028b600: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 3.516054][ T0] ^
[ 3.516582][ T0] ffff88810028b680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 3.517681][ T0] ffff88810028b700: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 3.518763][ T0] ==================================================================
[ 3.519871][ T0] Disabling lock debugging due to kernel taint
[ 3.520761][ T0] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
[ 3.522464][ T0] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
[ 3.523522][ T0] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G B 6.12.0-rc5-00131-g6fa40fae6ea5 #1
[ 3.524900][ T0] Tainted: [B]=BAD_PAGE
[ 3.525438][ T0] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[ 3.526808][ T0] RIP: 0010:mas_wr_store_type (lib/maple_tree.c:795 lib/maple_tree.c:808 lib/maple_tree.c:3526 lib/maple_tree.c:4198)
[ 3.527581][ T0] Code: 00 0f 85 a9 0e 00 00 4d 8b 75 00 e8 3a d0 0a 00 85 c0 0f 85 33 02 00 00 44 0f b6 74 24 20 4a 8d 6c f5 00 48 89 e8 48 c1 e8 03 <42> 80 3c 20 00 0f 85 6e 0e 00 00 49 8d 7f 48 4c 8b 75 00 48 89 f8
All code
========
0: 00 0f add %cl,(%rdi)
2: 85 a9 0e 00 00 4d test %ebp,0x4d00000e(%rcx)
8: 8b 75 00 mov 0x0(%rbp),%esi
b: e8 3a d0 0a 00 callq 0xad04a
10: 85 c0 test %eax,%eax
12: 0f 85 33 02 00 00 jne 0x24b
18: 44 0f b6 74 24 20 movzbl 0x20(%rsp),%r14d
1e: 4a 8d 6c f5 00 lea 0x0(%rbp,%r14,8),%rbp
23: 48 89 e8 mov %rbp,%rax
26: 48 c1 e8 03 shr $0x3,%rax
2a:* 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1) <-- trapping instruction
2f: 0f 85 6e 0e 00 00 jne 0xea3
35: 49 8d 7f 48 lea 0x48(%r15),%rdi
39: 4c 8b 75 00 mov 0x0(%rbp),%r14
3d: 48 89 f8 mov %rdi,%rax
Code starting with the faulting instruction
===========================================
0: 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1)
5: 0f 85 6e 0e 00 00 jne 0xe79
b: 49 8d 7f 48 lea 0x48(%r15),%rdi
f: 4c 8b 75 00 mov 0x0(%rbp),%r14
13: 48 89 f8 mov %rdi,%rax
[ 3.530219][ T0] RSP: 0000:ffffffffa8a07bf8 EFLAGS: 00010046
[ 3.531055][ T0] RAX: 0000000000000000 RBX: ffffffffa8a07e8d RCX: 1ffffffff5140faa
[ 3.532126][ T0] RDX: 0000000000000005 RSI: 0000000000000002 RDI: ffffffffa8a07e60
[ 3.533193][ T0] RBP: 0000000000000000 R08: 0000000000000001 R09: 1ffffffff5140fcc
[ 3.534285][ T0] R10: 0000000000000000 R11: ffffffffa8a07d40 R12: dffffc0000000000
[ 3.535366][ T0] R13: ffffffffa8a07e50 R14: 0000000000000000 R15: ffffffffa8a07d38
[ 3.536432][ T0] FS: 0000000000000000(0000) GS:ffff8883aee00000(0000) knlGS:0000000000000000
[ 3.537616][ T0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3.538481][ T0] CR2: ffff88843ffff000 CR3: 00000000aec7e000 CR4: 00000000000000b0
[ 3.539544][ T0] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 3.540540][ T0] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 3.541553][ T0] Call Trace:
[ 3.541978][ T0] <TASK>
[ 3.542348][ T0] ? die_addr (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:460)
[ 3.542896][ T0] ? exc_general_protection (arch/x86/kernel/traps.c:751 arch/x86/kernel/traps.c:693)
[ 3.543641][ T0] ? asm_exc_general_protection (arch/x86/include/asm/idtentry.h:617)
[ 3.544411][ T0] ? mas_wr_store_type (lib/maple_tree.c:795 lib/maple_tree.c:808 lib/maple_tree.c:3526 lib/maple_tree.c:4198)
[ 3.545114][ T0] ? mas_wr_store_type (lib/maple_tree.c:795 lib/maple_tree.c:808 lib/maple_tree.c:3526 lib/maple_tree.c:4198)
[ 3.545833][ T0] mas_store_gfp (lib/maple_tree.c:212 lib/maple_tree.c:4145 lib/maple_tree.c:4268 lib/maple_tree.c:5477)
[ 3.546457][ T0] ? __pfx_mas_store_gfp (lib/maple_tree.c:5470)
[ 3.547141][ T0] ? init_desc (kernel/irq/irqdesc.c:213)
[ 3.547738][ T0] early_irq_init (kernel/irq/irqdesc.c:174 kernel/irq/irqdesc.c:585)
[ 3.548380][ T0] ? __pfx_early_irq_init (kernel/irq/irqdesc.c:563)
[ 3.549074][ T0] ? __trace_define_field (include/linux/list.h:150 include/linux/list.h:169 kernel/trace/trace_events.c:138)
[ 3.549825][ T0] start_kernel (init/main.c:1008)
[ 3.550392][ T0] x86_64_start_reservations (arch/x86/kernel/head64.c:495)
[ 3.551107][ T0] x86_64_start_kernel (arch/x86/kernel/head64.c:437 (discriminator 17))
[ 3.551765][ T0] common_startup_64 (arch/x86/kernel/head_64.S:414)
[ 3.552417][ T0] </TASK>
[ 3.552804][ T0] Modules linked in:
[ 3.553314][ T0] ---[ end trace 0000000000000000 ]---
[ 3.554036][ T0] RIP: 0010:mas_wr_store_type (lib/maple_tree.c:795 lib/maple_tree.c:808 lib/maple_tree.c:3526 lib/maple_tree.c:4198)
[ 3.554798][ T0] Code: 00 0f 85 a9 0e 00 00 4d 8b 75 00 e8 3a d0 0a 00 85 c0 0f 85 33 02 00 00 44 0f b6 74 24 20 4a 8d 6c f5 00 48 89 e8 48 c1 e8 03 <42> 80 3c 20 00 0f 85 6e 0e 00 00 49 8d 7f 48 4c 8b 75 00 48 89 f8
The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20241105/202411051011.b1d218e6-oliver.sang@intel.com
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki