Greetings,

FYI, we noticed BUG:KASAN:out-of-bounds_in__poison_element due to commit (built with gcc-11):

commit: ec1c2fec0d563537617775e3994a9d064f16003f ("mempool: do not use ksize() for poisoning")
https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master

in testcase: boot

on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):

If you fix the issue, kindly add following tag
| Reported-by: kernel test robot <oliver.sang@xxxxxxxxx>
| Link: https://lore.kernel.org/oe-lkp/202210312110.1fe5d224-oliver.sang@xxxxxxxxx

[ 2.680111][ T1] ==================================================================
[ 2.680621][ T1] BUG: KASAN: out-of-bounds in __poison_element+0x19/0x50
[ 2.680621][ T1] Write of size 18446612686373417535 at addr ffff88810080c040 by task swapper/0/1
[ 2.680621][ T1]
[ 2.680621][ T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.1.0-rc1-00236-gec1c2fec0d56 #1
[ 2.680621][ T1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014
[ 2.680621][ T1] Call Trace:
[ 2.680621][ T1] <TASK>
[ 2.680621][ T1] dump_stack_lvl+0x45/0x59
[ 2.680621][ T1] print_address_description+0x87/0x2a3
[ 2.680621][ T1] print_report+0x101/0x1e7
[ 2.680621][ T1] ? __poison_element+0x19/0x50
[ 2.680621][ T1] ? kasan_addr_to_slab+0x9/0xa0
[ 2.680621][ T1] ? __poison_element+0x19/0x50
[ 2.680621][ T1] kasan_report+0xc0/0x1b0
[ 2.680621][ T1] ? mempool_init_node+0x291/0x670
[ 2.680621][ T1] ? __poison_element+0x19/0x50
[ 2.680621][ T1] ? kasan_check_range+0x144/0x190
[ 2.680621][ T1] ? memset+0x20/0x40
[ 2.680621][ T1] ? __poison_element+0x19/0x50
[ 2.680621][ T1] ? mempool_init_node+0x313/0x670
[ 2.680621][ T1] ? mempool_init+0xd/0x10
[ 2.680621][ T1] ? bioset_init+0x2f7/0x720
[ 2.680621][ T1] ? rcu_tasks_kthread+0x41/0xa0
[ 2.680621][ T1] ? init_bio+0xca/0x10c
[ 2.680621][ T1] ? blkdev_init+0x1b/0x1b
[ 2.680621][ T1] ? do_one_initcall+0xae/0x390
[ 2.680621][ T1] ? trace_event_raw_event_initcall_level+0x160/0x160
[ 2.680621][ T1] ? parameq+0xd0/0xd0
[ 2.680621][ T1] ? do_initcalls+0x1cd/0x1fd
[ 2.680621][ T1] ? kernel_init_freeable+0x249/0x27a
[ 2.680621][ T1] ? rest_init+0x200/0x200
[ 2.680621][ T1] ? kernel_init+0x14/0x130
[ 2.680621][ T1] ? ret_from_fork+0x1f/0x30
[ 2.680621][ T1] </TASK>
[ 2.680621][ T1]
[ 2.680621][ T1] Allocated by task 1:
[ 2.680621][ T1] kasan_save_stack+0x23/0x50
[ 2.680621][ T1] kasan_set_track+0x21/0x30
[ 2.680621][ T1] __kasan_slab_alloc+0x54/0x60
[ 2.680621][ T1] kmem_cache_alloc+0x17e/0x4b0
[ 2.680621][ T1] mempool_init_node+0x291/0x670
[ 2.680621][ T1] mempool_init+0xd/0x10
[ 2.680621][ T1] bioset_init+0x2f7/0x720
[ 2.680621][ T1] init_bio+0xca/0x10c
[ 2.680621][ T1] do_one_initcall+0xae/0x390
[ 2.680621][ T1] do_initcalls+0x1cd/0x1fd
[ 2.680621][ T1] kernel_init_freeable+0x249/0x27a
[ 2.680621][ T1] kernel_init+0x14/0x130
[ 2.680621][ T1] ret_from_fork+0x1f/0x30
[ 2.680621][ T1]
[ 2.680621][ T1] The buggy address belongs to the object at ffff88810080c040
[ 2.680621][ T1] which belongs to the cache bio-192 of size 192
[ 2.680621][ T1] The buggy address is located 0 bytes inside of
[ 2.680621][ T1] 192-byte region [ffff88810080c040, ffff88810080c100)
[ 2.680621][ T1]
[ 2.680621][ T1] The buggy address belongs to the physical page:
[ 2.680621][ T1] page:ffffea0004020300 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88810080c1c0 pfn:0x10080c
[ 2.680621][ T1] head:ffffea0004020300 order:1 compound_mapcount:0 compound_pincount:0
[ 2.680621][ T1] flags: 0x8000000000010200(slab|head|zone=2)
[ 2.680621][ T1] raw: 8000000000010200 ffff888111e10bc8 ffff888111e10bc8 ffff888100807240
[ 2.680621][ T1] raw: ffff88810080c1c0 0000000000150001 00000001ffffffff 0000000000000000
[ 2.680621][ T1] page dumped because: kasan: bad access detected
[ 2.680621][ T1] page_owner tracks the page as allocated
[ 2.680621][ T1] page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 2680099528, free_ts 0
[ 2.680621][ T1] get_page_from_freelist+0x486/0x8b0
[ 2.680621][ T1] __alloc_pages+0x261/0x600
[ 2.680621][ T1] allocate_slab+0x1ed/0x2c0
[ 2.680621][ T1] ___slab_alloc+0x3be/0xae0
[ 2.680621][ T1] kmem_cache_alloc+0x3aa/0x4b0
[ 2.680621][ T1] mempool_init_node+0x291/0x670
[ 2.680621][ T1] mempool_init+0xd/0x10
[ 2.680621][ T1] bioset_init+0x2f7/0x720
[ 2.680621][ T1] init_bio+0xca/0x10c
[ 2.680621][ T1] do_one_initcall+0xae/0x390
[ 2.680621][ T1] do_initcalls+0x1cd/0x1fd
[ 2.680621][ T1] kernel_init_freeable+0x249/0x27a
[ 2.680621][ T1] kernel_init+0x14/0x130
[ 2.680621][ T1] ret_from_fork+0x1f/0x30
[ 2.680621][ T1] page_owner free stack trace missing
[ 2.680621][ T1]
[ 2.680621][ T1] Memory state around the buggy address:
[ 2.680621][ T1] ffff88810080bf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 2.680621][ T1] ffff88810080bf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 2.680621][ T1] >ffff88810080c000: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 2.680621][ T1]                                            ^
[ 2.680621][ T1] ffff88810080c080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 2.680621][ T1] ffff88810080c100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 2.680621][ T1] ==================================================================
[ 2.680636][ T1] Disabling lock debugging due to kernel taint
[ 2.681642][ T1] BUG: unable to handle page fault for address: ffffde204020264f
[ 2.682621][ T1] #PF: supervisor read access in kernel mode
[ 2.682621][ T1] #PF: error_code(0x0000) - not-present page
[ 2.682621][ T1] PGD 10002a067 P4D 10002a067 PUD 0
[ 2.682621][ T1] Oops: 0000 [#1] SMP KASAN
[ 2.682621][ T1] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G B 6.1.0-rc1-00236-gec1c2fec0d56 #1
[ 2.682621][ T1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014
[ 2.682621][ T1] RIP: 0010:__poison_element+0x2a/0x50
[ 2.682621][ T1] Code: 55 53 48 89 fb 48 8d 6e ff be 6b 00 00 00 48 89 ea 48 01 eb e8 17 f2 16 00 48 89 da 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <0f> b6 04 02 48 89 da 83 e2 07 38 d0 7f 04 84 c0 75 06 c6 03 a5 5b
[ 2.682621][ T1] RSP: 0000:ffff888100b3fd28 EFLAGS: 00010a03
[ 2.682621][ T1] RAX: dffffc0000000000 RBX: ffff11020101327f RCX: fffffbfff122e081
[ 2.682621][ T1] RDX: 1fffe2204020264f RSI: 0000000000000008 RDI: ffffffff89170400
[ 2.682621][ T1] RBP: ffff88810080723f R08: ffffffff8117d9c1 R09: ffffffff89170407
[ 2.682621][ T1] R10: fffffbfff122e080 R11: 0000000000000000 R12: ffff88810080c040
[ 2.682621][ T1] R13: dffffc0000000000 R14: 0000000000000cc0 R15: ffffffff89d24178
[ 2.682621][ T1] FS: 0000000000000000(0000) GS:ffff8883ae800000(0000) knlGS:0000000000000000
[ 2.682621][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2.682621][ T1] CR2: ffffde204020264f CR3: 0000000006e77000 CR4: 00000000000406f0
[ 2.682621][ T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 2.682621][ T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 2.682621][ T1] Call Trace:
[ 2.682621][ T1] <TASK>
[ 2.682621][ T1] mempool_init_node+0x313/0x670
[ 2.682621][ T1] mempool_init+0xd/0x10
[ 2.682621][ T1] bioset_init+0x2f7/0x720
[ 2.682621][ T1] ? rcu_tasks_kthread+0x41/0xa0
[ 2.682621][ T1] init_bio+0xca/0x10c
[ 2.682621][ T1] ? blkdev_init+0x1b/0x1b
[ 2.682621][ T1] do_one_initcall+0xae/0x390
[ 2.682621][ T1] ? trace_event_raw_event_initcall_level+0x160/0x160
[ 2.682621][ T1] ? parameq+0xd0/0xd0
[ 2.682621][ T1] do_initcalls+0x1cd/0x1fd
[ 2.682621][ T1] kernel_init_freeable+0x249/0x27a
[ 2.682621][ T1] ? rest_init+0x200/0x200
[ 2.682621][ T1] kernel_init+0x14/0x130
[ 2.682621][ T1] ret_from_fork+0x1f/0x30
[ 2.682621][ T1] </TASK>
[ 2.682621][ T1] Modules linked in:
[ 2.682621][ T1] CR2: ffffde204020264f
[ 2.682621][ T1] ---[ end trace 0000000000000000 ]---
[ 2.682621][ T1] RIP: 0010:__poison_element+0x2a/0x50
[ 2.682621][ T1] Code: 55 53 48 89 fb 48 8d 6e ff be 6b 00 00 00 48 89 ea 48 01 eb e8 17 f2 16 00 48 89 da 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <0f> b6 04 02 48 89 da 83 e2 07 38 d0 7f 04 84 c0 75 06 c6 03 a5 5b
[ 2.682621][ T1] RSP: 0000:ffff888100b3fd28 EFLAGS: 00010a03
[ 2.682621][ T1] RAX: dffffc0000000000 RBX: ffff11020101327f RCX: fffffbfff122e081
[ 2.682621][ T1] RDX: 1fffe2204020264f RSI: 0000000000000008 RDI: ffffffff89170400
[ 2.682621][ T1] RBP: ffff88810080723f R08: ffffffff8117d9c1 R09: ffffffff89170407
[ 2.682621][ T1] R10: fffffbfff122e080 R11: 0000000000000000 R12: ffff88810080c040
[ 2.682621][ T1] R13: dffffc0000000000 R14: 0000000000000cc0 R15: ffffffff89d24178
[ 2.682621][ T1] FS: 0000000000000000(0000) GS:ffff8883ae800000(0000) knlGS:0000000000000000
[ 2.682621][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2.682621][ T1] CR2: ffffde204020264f CR3: 0000000006e77000 CR4: 00000000000406f0
[ 2.682621][ T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 2.682621][ T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 2.682621][ T1] Kernel panic - not syncing: Fatal exception

To reproduce:

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email

        # if come across any failure that blocks the test,
        # please remove ~/.lkp and /lkp dir to run from a clean state.


-- 
0-DAY CI Kernel Test Service
https://01.org/lkp
#!/bin/sh

export_top_env()
{
	export suite='boot'
	export testcase='boot'
	export category='functional'
	export timeout='10m'
	export job_origin='boot.yaml'
	export queue_cmdline_keys='branch commit'
	export queue='bisect'
	export testbox='vm-snb'
	export tbox_group='vm-snb'
	export branch='linux-review/Peter-Xu/mm-hugetlb-Make-huge_pte_offset-thread-safe-for-pmd-unshare/20221031-053221'
	export commit='ec1c2fec0d563537617775e3994a9d064f16003f'
	export kconfig='x86_64-randconfig-a014-20221031'
	export nr_vm=300
	export submit_id='635f4cb62704326c7a932fc0'
	export job_file='/lkp/jobs/scheduled/vm-meta-238/boot-1-debian-11.1-i386-20220923.cgz-ec1c2fec0d563537617775e3994a9d064f16003f-20221031-27770-1cmft9-2.yaml'
	export id='1d99f3b33d6ca3065df3f50ded4156ae934ccad9'
	export queuer_version='/zday/lkp'
	export model='qemu-system-x86_64 -enable-kvm -cpu SandyBridge'
	export nr_cpu=2
	export memory='16G'
	export need_kconfig=\{\"KVM_GUEST\"\=\>\"y\"\}
	export ssh_base_port=23032
	export kernel_cmdline='vmalloc=256M initramfs_async=0 page_owner=on'
	export rootfs='debian-11.1-i386-20220923.cgz'
	export compiler='gcc-11'
	export enqueue_time='2022-10-31 12:19:03 +0800'
	export _id='635f50182704326c7a932fc2'
	export _rt='/result/boot/1/vm-snb/debian-11.1-i386-20220923.cgz/x86_64-randconfig-a014-20221031/gcc-11/ec1c2fec0d563537617775e3994a9d064f16003f'
	export user='lkp'
	export LKP_SERVER='internal-lkp-server'
	export result_root='/result/boot/1/vm-snb/debian-11.1-i386-20220923.cgz/x86_64-randconfig-a014-20221031/gcc-11/ec1c2fec0d563537617775e3994a9d064f16003f/3'
	export scheduler_version='/lkp/lkp/.src-20221029-175619'
	export arch='i386'
	export max_uptime=600
	export initrd='/osimage/debian/debian-11.1-i386-20220923.cgz'
	export bootloader_append='root=/dev/ram0 RESULT_ROOT=/result/boot/1/vm-snb/debian-11.1-i386-20220923.cgz/x86_64-randconfig-a014-20221031/gcc-11/ec1c2fec0d563537617775e3994a9d064f16003f/3 BOOT_IMAGE=/pkg/linux/x86_64-randconfig-a014-20221031/gcc-11/ec1c2fec0d563537617775e3994a9d064f16003f/vmlinuz-6.1.0-rc1-00236-gec1c2fec0d56 branch=linux-review/Peter-Xu/mm-hugetlb-Make-huge_pte_offset-thread-safe-for-pmd-unshare/20221031-053221 job=/lkp/jobs/scheduled/vm-meta-238/boot-1-debian-11.1-i386-20220923.cgz-ec1c2fec0d563537617775e3994a9d064f16003f-20221031-27770-1cmft9-2.yaml user=lkp ARCH=x86_64 kconfig=x86_64-randconfig-a014-20221031 commit=ec1c2fec0d563537617775e3994a9d064f16003f vmalloc=256M initramfs_async=0 page_owner=on initcall_debug max_uptime=600 LKP_SERVER=internal-lkp-server selinux=0 debug apic=debug sysrq_always_enabled rcupdate.rcu_cpu_stall_timeout=100 net.ifnames=0 printk.devkmsg=on panic=-1 softlockup_panic=1 nmi_watchdog=panic oops=panic load_ramdisk=2 prompt_ramdisk=0 drbd.minor_count=8 systemd.log_level=err ignore_loglevel console=tty0 earlyprintk=ttyS0,115200 console=ttyS0,115200 vga=normal rw'
	export modules_initrd='/pkg/linux/x86_64-randconfig-a014-20221031/gcc-11/ec1c2fec0d563537617775e3994a9d064f16003f/modules.cgz'
	export bm_initrd='/osimage/deps/debian-11.1-i386-20220923.cgz/run-ipconfig_20220923.cgz,/osimage/deps/debian-11.1-i386-20220923.cgz/lkp_20220923.cgz,/osimage/deps/debian-11.1-i386-20220923.cgz/rsync-rootfs_20220923.cgz'
	export lkp_initrd='/osimage/user/lkp/lkp-i386.cgz'
	export site='inn'
	export LKP_CGI_PORT=80
	export LKP_CIFS_PORT=139
	export schedule_notify_address=
	export meta_host='vm-meta-238'
	export kernel='/pkg/linux/x86_64-randconfig-a014-20221031/gcc-11/ec1c2fec0d563537617775e3994a9d064f16003f/vmlinuz-6.1.0-rc1-00236-gec1c2fec0d56'
	export dequeue_time='2022-10-31 12:35:09 +0800'
	export job_initrd='/lkp/jobs/scheduled/vm-meta-238/boot-1-debian-11.1-i386-20220923.cgz-ec1c2fec0d563537617775e3994a9d064f16003f-20221031-27770-1cmft9-2.cgz'

	[ -n "$LKP_SRC" ] || export LKP_SRC=/lkp/${user:-lkp}/src
}

run_job()
{
	echo $$ > $TMP/run-job.pid

	. $LKP_SRC/lib/http.sh
	. $LKP_SRC/lib/job.sh
	. $LKP_SRC/lib/env.sh

	export_top_env

	run_monitor $LKP_SRC/monitors/one-shot/wrapper boot-slabinfo
	run_monitor $LKP_SRC/monitors/one-shot/wrapper boot-meminfo
	run_monitor $LKP_SRC/monitors/one-shot/wrapper memmap
	run_monitor $LKP_SRC/monitors/no-stdout/wrapper boot-time
	run_monitor $LKP_SRC/monitors/wrapper kmsg
	run_monitor $LKP_SRC/monitors/wrapper heartbeat
	run_monitor $LKP_SRC/monitors/wrapper meminfo
	run_monitor $LKP_SRC/monitors/wrapper oom-killer
	run_monitor $LKP_SRC/monitors/plain/watchdog

	run_test $LKP_SRC/tests/wrapper sleep 1
}

extract_stats()
{
	export stats_part_begin=
	export stats_part_end=

	$LKP_SRC/stats/wrapper boot-slabinfo
	$LKP_SRC/stats/wrapper boot-meminfo
	$LKP_SRC/stats/wrapper memmap
	$LKP_SRC/stats/wrapper boot-memory
	$LKP_SRC/stats/wrapper boot-time
	$LKP_SRC/stats/wrapper kernel-size
	$LKP_SRC/stats/wrapper kmsg
	$LKP_SRC/stats/wrapper sleep
	$LKP_SRC/stats/wrapper meminfo

	$LKP_SRC/stats/wrapper time sleep.time
	$LKP_SRC/stats/wrapper dmesg
	$LKP_SRC/stats/wrapper kmsg
	$LKP_SRC/stats/wrapper last_state
	$LKP_SRC/stats/wrapper stderr
	$LKP_SRC/stats/wrapper time
}

"$@"
Attachment:
dmesg.xz
Description: application/xz
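Worked decode of the numbers in the report above. This is an added example written for this page; it is not part of the kernel test robot's e-mail and not kernel source. Every input is a value copied from the report; the only outside facts are the x86_64 KASAN shadow mapping (shadow = (addr >> 3) + 0xdffffc0000000000, the constant that also appears as RAX/R13 in the register dump) and, as an assumption, the 4-level-paging shadow range from Documentation/x86/x86_64/mm.rst and the reading of the fourth word of the first "raw:" line as the page's slab_cache pointer (the struct page layout for slab pages). What it shows: the absurd "Write of size" is 0xffff88810080723f, the memset length size - 1 that sits in RBP; size itself is then 0xffff888100807240, the slab_cache pointer, so a pointer rather than a length reached __poison_element as size (my reading of the data, not a statement from the report); element + size - 1 wraps to the non-canonical RBX, and the address of its shadow byte is exactly CR2 and lies outside the shadow region, which is why the second failure is a plain not-present #PF from the POISON_END store rather than a second KASAN report.

```c
/*
 * Added example: decode the KASAN report and follow-on oops above.
 * Not part of the kernel test robot e-mail or the kernel source.
 */
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

/* x86_64 KASAN: shadow byte for addr lives at (addr >> 3) + KASAN_SHADOW_OFFSET. */
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
/* Assumption: 4-level-paging shadow region per Documentation/x86/x86_64/mm.rst
 * (the "PGD ... P4D ..." line with equal values indicates folded p4d, i.e. 4-level). */
#define KASAN_SHADOW_START_4L    0xffffec0000000000ULL
#define KASAN_SHADOW_END_4L      0xfffffbffffffffffULL

/* Values copied verbatim from the report. */
#define REPORT_WRITE_SIZE  18446612686373417535ULL /* "Write of size ..."            */
#define REPORT_ELEMENT     0xffff88810080c040ULL   /* "at addr ..." and R12            */
#define REPORT_SLAB_CACHE  0xffff888100807240ULL   /* 4th word of first "raw:" line    */
#define REPORT_RBP         0xffff88810080723fULL
#define REPORT_RBX         0xffff11020101327fULL
#define REPORT_CR2         0xffffde204020264fULL

uint64_t kasan_shadow_addr(uint64_t addr)
{
	return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

int in_kasan_shadow_4l(uint64_t addr)
{
	return addr >= KASAN_SHADOW_START_4L && addr <= KASAN_SHADOW_END_4L;
}

/* x86_64 canonical form: bits 63..47 must all be 0 or all be 1. */
int is_canonical(uint64_t addr)
{
	uint64_t top = addr >> 47;
	return top == 0 || top == 0x1ffffULL;
}

/* __poison_element does memset(obj, POISON_FREE, size - 1) and then writes
 * POISON_END to obj[size - 1]; KASAN reports the memset length, so recover size. */
uint64_t size_from_memset_len(uint64_t memset_len)
{
	return memset_len + 1;
}

/* Address of obj[size - 1]. Unsigned wraparound is intentional: the CPU wrapped too. */
uint64_t poison_end_addr(uint64_t element, uint64_t size)
{
	return element + size - 1;
}

int main(void)
{
	uint64_t size   = size_from_memset_len(REPORT_WRITE_SIZE);
	uint64_t last   = poison_end_addr(REPORT_ELEMENT, size);
	uint64_t shadow = kasan_shadow_addr(last);

	printf("memset length  0x%" PRIx64 "  (RBP 0x%" PRIx64 ")\n", REPORT_WRITE_SIZE, REPORT_RBP);
	printf("poison size    0x%" PRIx64 "  (slab_cache 0x%" PRIx64 ")\n", size, REPORT_SLAB_CACHE);
	printf("obj[size-1]    0x%" PRIx64 "  (RBX 0x%" PRIx64 ", canonical=%d)\n",
	       last, REPORT_RBX, is_canonical(last));
	printf("its shadow     0x%" PRIx64 "  (CR2 0x%" PRIx64 ", in shadow range=%d)\n",
	       shadow, REPORT_CR2, in_kasan_shadow_4l(shadow));
	return 0;
}
```

The same sequence is visible in the Code: bytes: lea rbp,[rsi-1] (size - 1), mov esi,0x6b (POISON_FREE) before the memset call, then movabs rax,0xdffffc0000000000 and shr rdx,3 to form the shadow address, the faulting movzx at the <0f> b6 marker, and mov byte [rbx],0xa5 (POISON_END) that never executes. When triaging a KASAN report whose size field looks like a pointer, this pointer-arithmetic check is the quickest way to confirm which argument was confused before reading the patch.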