[linux-next:master] [mm] 6be5e186fd: UBSAN:shift-out-of-bounds_in_mm/vmscan.c

Hello,

kernel test robot noticed "UBSAN:shift-out-of-bounds_in_mm/vmscan.c" on:

commit: 6be5e186fd655df4b3ba267054de2eaaadc71340 ("mm: vmscan: restore incremental cgroup iteration")
https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master

in testcase: trinity
version: trinity-i386-abe9de86-1_20230429
with the following parameters:

	runtime: 300s
	group: group-01
	nr_groups: 5



compiler: clang-18
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

(please refer to attached dmesg/kmsg for entire log/backtrace)


+--------------------------------------------+------------+------------+
|                                            | 327eaca22f | 6be5e186fd |
+--------------------------------------------+------------+------------+
| UBSAN:shift-out-of-bounds_in_mm/vmscan.c   | 0          | 5          |
| UBSAN:shift-out-of-bounds_in_mm/shrinker.c | 0          | 4          |
+--------------------------------------------+------------+------------+


If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <lkp@xxxxxxxxx>
| Closes: https://lore.kernel.org/oe-lkp/202405281603.337d8284-lkp@xxxxxxxxx


[   89.138129][ T3641] ------------[ cut here ]------------
[   89.139149][ T3641] UBSAN: shift-out-of-bounds in mm/vmscan.c:4702:21
[   89.140258][ T3641] shift exponent -1 is negative
[   89.140922][ T3641] CPU: 0 PID: 3641 Comm: trinity-c5 Tainted: G                T  6.9.0-11986-g6be5e186fd65 #1 b52e1df0cfc6b45fcedea06291dcc02f3c365315
[   89.142504][ T3641] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[   89.143783][ T3641] Call Trace:
[ 89.144289][ T3641] dump_stack_lvl (lib/dump_stack.c:116) 
[ 89.144943][ T3641] ? vprintk (kernel/printk/printk_safe.c:?) 
[ 89.145537][ T3641] dump_stack (lib/dump_stack.c:123) 
[ 89.146140][ T3641] __ubsan_handle_shift_out_of_bounds (lib/ubsan.c:232 lib/ubsan.c:468) 
[ 89.147025][ T3641] shrink_node (mm/vmscan.c:?) 
[ 89.147693][ T3641] ? kvm_sched_clock_read (arch/x86/kernel/kvmclock.c:91) 
[ 89.148409][ T3641] ? allow_direct_reclaim (mm/vmscan.c:6355) 
[ 89.149122][ T3641] try_to_free_pages (mm/vmscan.c:? mm/vmscan.c:6503) 
[ 89.149775][ T3641] __alloc_pages_slowpath (mm/page_alloc.c:3859) 
[ 89.150449][ T3641] ? get_page_from_freelist (mm/page_alloc.c:3158) 
[ 89.151204][ T3641] __alloc_pages_noprof (mm/page_alloc.c:4673) 
[ 89.151916][ T3641] dup_task_struct (include/linux/gfp.h:269 include/linux/gfp.h:296 kernel/fork.c:358 kernel/fork.c:1115) 
[ 89.152566][ T3641] copy_process (kernel/fork.c:2221) 
[ 89.153225][ T3641] kernel_clone (kernel/fork.c:2797) 
[ 89.153860][ T3641] ? local_clock_noinstr (kernel/sched/build_utility.c:301) 
[ 89.154559][ T3641] __ia32_sys_clone (kernel/fork.c:2908) 
[ 89.155214][ T3641] ? trace_sys_enter (include/trace/events/syscalls.h:18) 
[ 89.155863][ T3641] ia32_sys_call (kbuild/obj/consumer/i386-randconfig-013-20240525/./arch/x86/include/generated/asm/syscalls_32.h:?) 
[ 89.156511][ T3641] __do_fast_syscall_32 (arch/x86/entry/common.c:?) 
[ 89.157200][ T3641] ? irqentry_exit_to_user_mode (kernel/entry/common.c:234) 
[ 89.157940][ T3641] do_fast_syscall_32 (arch/x86/entry/common.c:411) 
[ 89.158624][ T3641] do_SYSENTER_32 (arch/x86/entry/common.c:449) 
[ 89.159279][ T3641] entry_SYSENTER_32 (arch/x86/entry/entry_32.S:836) 
[   89.159946][ T3641] EIP: 0xb7f4b539
[ 89.160481][ T3641] Code: 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 0f 1f 00 58 b8 77 00 00 00 cd 80 90 0f 1f
All code
========
   0:	03 74 b4 01          	add    0x1(%rsp,%rsi,4),%esi
   4:	10 07                	adc    %al,(%rdi)
   6:	03 74 b0 01          	add    0x1(%rax,%rsi,4),%esi
   a:	10 08                	adc    %cl,(%rax)
   c:	03 74 d8 01          	add    0x1(%rax,%rbx,8),%esi
	...
  20:	00 51 52             	add    %dl,0x52(%rcx)
  23:	55                   	push   %rbp
  24:*	89 e5                	mov    %esp,%ebp		<-- trapping instruction
  26:	0f 34                	sysenter
  28:	cd 80                	int    $0x80
  2a:	5d                   	pop    %rbp
  2b:	5a                   	pop    %rdx
  2c:	59                   	pop    %rcx
  2d:	c3                   	ret
  2e:	90                   	nop
  2f:	90                   	nop
  30:	90                   	nop
  31:	90                   	nop
  32:	0f 1f 00             	nopl   (%rax)
  35:	58                   	pop    %rax
  36:	b8 77 00 00 00       	mov    $0x77,%eax
  3b:	cd 80                	int    $0x80
  3d:	90                   	nop
  3e:	0f                   	.byte 0xf
  3f:	1f                   	(bad)

Code starting with the faulting instruction
===========================================
   0:	5d                   	pop    %rbp
   1:	5a                   	pop    %rdx
   2:	59                   	pop    %rcx
   3:	c3                   	ret
   4:	90                   	nop
   5:	90                   	nop
   6:	90                   	nop
   7:	90                   	nop
   8:	0f 1f 00             	nopl   (%rax)
   b:	58                   	pop    %rax
   c:	b8 77 00 00 00       	mov    $0x77,%eax
  11:	cd 80                	int    $0x80
  13:	90                   	nop
  14:	0f                   	.byte 0xf
  15:	1f                   	(bad)
[   89.162727][ T3641] EAX: ffffffda EBX: 01200011 ECX: 00000000 EDX: 00000000
[   89.163576][ T3641] ESI: 00000000 EDI: b7f462e8 EBP: 00000000 ESP: bfe67200
[   89.164430][ T3641] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000286
[   89.165448][ T3641] ---[ end trace ]---


The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20240528/202405281603.337d8284-lkp@xxxxxxxxx



-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
