Hello, we noticed Matthew Wilcox NACKed this patch in https://lore.kernel.org/all/ZyjLpXKx5qcLYQ3S@xxxxxxxxxxxxxxxxxxxx/ we send below report FYI in case it could supply some useful information to you. just ignore otherwise. thanks kernel test robot noticed "BUG:KASAN:slab-out-of-bounds_in_mas_store_gfp" on: commit: 6fa40fae6ea5ad7990555fa7460739ee44088111 ("[PATCH] maple_tree: use KMEM_CACHE to create maple_node caches") url: https://github.com/intel-lab-lkp/linux/commits/Ke-Sun/maple_tree-use-KMEM_CACHE-to-create-maple_node-caches/20241104-141720 base: https://git.kernel.org/cgit/linux/kernel/git/akpm/mm.git mm-nonmm-unstable patch link: https://lore.kernel.org/all/20241104061617.450907-1-sunke@xxxxxxxxxx/ patch subject: [PATCH] maple_tree: use KMEM_CACHE to create maple_node caches in testcase: boot config: x86_64-rhel-8.3-kselftests compiler: gcc-12 test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G (please refer to attached dmesg/kmsg for entire log/backtrace) +----------------------------------------------------------------------------------------------+------------+------------+ | | d61ee4ec5d | 6fa40fae6e | +----------------------------------------------------------------------------------------------+------------+------------+ | boot_successes | 18 | 0 | | boot_failures | 0 | 18 | | BUG:KASAN:slab-out-of-bounds_in_mas_store_gfp | 0 | 14 | | Oops:general_protection_fault,probably_for_non-canonical_address#:#[##]PREEMPT_SMP_KASAN_PTI | 0 | 18 | | KASAN:null-ptr-deref_in_range[#-#] | 0 | 18 | | RIP:mas_wr_store_type | 0 | 11 | | Kernel_panic-not_syncing:Fatal_exception | 0 | 18 | | BUG:KASAN:slab-out-of-bounds_in_mas_put_in_tree | 0 | 4 | | RIP:mas_put_in_tree | 0 | 4 | | RIP:mas_ascend | 0 | 3 | +----------------------------------------------------------------------------------------------+------------+------------+ If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <oliver.sang@xxxxxxxxx> | Closes: https://lore.kernel.org/oe-lkp/202411051011.b1d218e6-oliver.sang@xxxxxxxxx [ 3.482690][ T0] BUG: KASAN: slab-out-of-bounds in mas_store_gfp (lib/maple_tree.c:546 lib/maple_tree.c:578 lib/maple_tree.c:1368 lib/maple_tree.c:4132 lib/maple_tree.c:4266 lib/maple_tree.c:5477) [ 3.483624][ T0] Read of size 8 at addr ffff88810028b600 by task swapper/0/0 [ 3.484595][ T0] [ 3.484906][ T0] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.0-rc5-00131-g6fa40fae6ea5 #1 [ 3.486154][ T0] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 [ 3.487534][ T0] Call Trace: [ 3.487952][ T0] <TASK> [ 3.488337][ T0] dump_stack_lvl (lib/dump_stack.c:124) [ 3.488949][ T0] print_address_description+0x2c/0x3a0 [ 3.489867][ T0] ? mas_store_gfp (lib/maple_tree.c:546 lib/maple_tree.c:578 lib/maple_tree.c:1368 lib/maple_tree.c:4132 lib/maple_tree.c:4266 lib/maple_tree.c:5477) [ 3.490508][ T0] print_report (mm/kasan/report.c:489) [ 3.491108][ T0] ? kasan_addr_to_slab (mm/kasan/common.c:37) [ 3.491762][ T0] ? mas_store_gfp (lib/maple_tree.c:546 lib/maple_tree.c:578 lib/maple_tree.c:1368 lib/maple_tree.c:4132 lib/maple_tree.c:4266 lib/maple_tree.c:5477) [ 3.492391][ T0] kasan_report (mm/kasan/report.c:603) [ 3.492999][ T0] ? mas_store_gfp (lib/maple_tree.c:546 lib/maple_tree.c:578 lib/maple_tree.c:1368 lib/maple_tree.c:4132 lib/maple_tree.c:4266 lib/maple_tree.c:5477) [ 3.493672][ T0] mas_store_gfp (lib/maple_tree.c:546 lib/maple_tree.c:578 lib/maple_tree.c:1368 lib/maple_tree.c:4132 lib/maple_tree.c:4266 lib/maple_tree.c:5477) [ 3.494258][ T0] ? __pfx_mas_store_gfp (lib/maple_tree.c:5470) [ 3.494930][ T0] ? init_desc (kernel/irq/irqdesc.c:213) [ 3.495526][ T0] early_irq_init (kernel/irq/irqdesc.c:174 kernel/irq/irqdesc.c:585) [ 3.496148][ T0] ? __pfx_early_irq_init (kernel/irq/irqdesc.c:563) [ 3.496833][ T0] ? __trace_define_field (include/linux/list.h:150 include/linux/list.h:169 kernel/trace/trace_events.c:138) [ 3.497557][ T0] start_kernel (init/main.c:1008) [ 3.498161][ T0] x86_64_start_reservations (arch/x86/kernel/head64.c:495) [ 3.498918][ T0] x86_64_start_kernel (arch/x86/kernel/head64.c:437 (discriminator 17)) [ 3.499599][ T0] common_startup_64 (arch/x86/kernel/head_64.S:414) [ 3.500276][ T0] </TASK> [ 3.500684][ T0] [ 3.500996][ T0] The buggy address belongs to the object at ffff88810028b500 [ 3.500996][ T0] which belongs to the cache maple_node of size 256 [ 3.502884][ T0] The buggy address is located 0 bytes to the right of [ 3.502884][ T0] allocated 256-byte region [ffff88810028b500, ffff88810028b600) [ 3.504826][ T0] [ 3.505139][ T0] The buggy address belongs to the physical page: [ 3.506009][ T0] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10028b [ 3.507141][ T0] flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff) [ 3.508110][ T0] page_type: f5(slab) [ 3.508638][ T0] raw: 0017ffffc0000000 ffff88810004fdc0 dead000000000122 0000000000000000 [ 3.509777][ T0] raw: 0000000000000000 00000000800c000c 00000001f5000000 0000000000000000 [ 3.510920][ T0] page dumped because: kasan: bad access detected [ 3.511773][ T0] [ 3.512072][ T0] Memory state around the buggy address: [ 3.512839][ T0] ffff88810028b500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 3.513930][ T0] ffff88810028b580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 3.514979][ T0] >ffff88810028b600: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 [ 3.516054][ T0] ^ [ 3.516582][ T0] ffff88810028b680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 3.517681][ T0] ffff88810028b700: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ 3.518763][ T0] ================================================================== [ 3.519871][ T0] Disabling lock debugging due to kernel taint [ 3.520761][ T0] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI [ 3.522464][ T0] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] [ 3.523522][ T0] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G B 6.12.0-rc5-00131-g6fa40fae6ea5 #1 [ 3.524900][ T0] Tainted: [B]=BAD_PAGE [ 3.525438][ T0] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 [ 3.526808][ T0] RIP: 0010:mas_wr_store_type (lib/maple_tree.c:795 lib/maple_tree.c:808 lib/maple_tree.c:3526 lib/maple_tree.c:4198) [ 3.527581][ T0] Code: 00 0f 85 a9 0e 00 00 4d 8b 75 00 e8 3a d0 0a 00 85 c0 0f 85 33 02 00 00 44 0f b6 74 24 20 4a 8d 6c f5 00 48 89 e8 48 c1 e8 03 <42> 80 3c 20 00 0f 85 6e 0e 00 00 49 8d 7f 48 4c 8b 75 00 48 89 f8 All code ======== 0: 00 0f add %cl,(%rdi) 2: 85 a9 0e 00 00 4d test %ebp,0x4d00000e(%rcx) 8: 8b 75 00 mov 0x0(%rbp),%esi b: e8 3a d0 0a 00 callq 0xad04a 10: 85 c0 test %eax,%eax 12: 0f 85 33 02 00 00 jne 0x24b 18: 44 0f b6 74 24 20 movzbl 0x20(%rsp),%r14d 1e: 4a 8d 6c f5 00 lea 0x0(%rbp,%r14,8),%rbp 23: 48 89 e8 mov %rbp,%rax 26: 48 c1 e8 03 shr $0x3,%rax 2a:* 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1) <-- trapping instruction 2f: 0f 85 6e 0e 00 00 jne 0xea3 35: 49 8d 7f 48 lea 0x48(%r15),%rdi 39: 4c 8b 75 00 mov 0x0(%rbp),%r14 3d: 48 89 f8 mov %rdi,%rax Code starting with the faulting instruction =========================================== 0: 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1) 5: 0f 85 6e 0e 00 00 jne 0xe79 b: 49 8d 7f 48 lea 0x48(%r15),%rdi f: 4c 8b 75 00 mov 0x0(%rbp),%r14 13: 48 89 f8 mov %rdi,%rax [ 3.530219][ T0] RSP: 0000:ffffffffa8a07bf8 EFLAGS: 00010046 [ 3.531055][ T0] RAX: 0000000000000000 RBX: ffffffffa8a07e8d RCX: 1ffffffff5140faa [ 3.532126][ T0] RDX: 0000000000000005 RSI: 0000000000000002 RDI: ffffffffa8a07e60 [ 3.533193][ T0] RBP: 0000000000000000 R08: 0000000000000001 R09: 1ffffffff5140fcc [ 3.534285][ T0] R10: 0000000000000000 R11: ffffffffa8a07d40 R12: dffffc0000000000 [ 3.535366][ T0] R13: ffffffffa8a07e50 R14: 0000000000000000 R15: ffffffffa8a07d38 [ 3.536432][ T0] FS: 0000000000000000(0000) GS:ffff8883aee00000(0000) knlGS:0000000000000000 [ 3.537616][ T0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 3.538481][ T0] CR2: ffff88843ffff000 CR3: 00000000aec7e000 CR4: 00000000000000b0 [ 3.539544][ T0] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 3.540540][ T0] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 3.541553][ T0] Call Trace: [ 3.541978][ T0] <TASK> [ 3.542348][ T0] ? die_addr (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:460) [ 3.542896][ T0] ? exc_general_protection (arch/x86/kernel/traps.c:751 arch/x86/kernel/traps.c:693) [ 3.543641][ T0] ? asm_exc_general_protection (arch/x86/include/asm/idtentry.h:617) [ 3.544411][ T0] ? mas_wr_store_type (lib/maple_tree.c:795 lib/maple_tree.c:808 lib/maple_tree.c:3526 lib/maple_tree.c:4198) [ 3.545114][ T0] ? mas_wr_store_type (lib/maple_tree.c:795 lib/maple_tree.c:808 lib/maple_tree.c:3526 lib/maple_tree.c:4198) [ 3.545833][ T0] mas_store_gfp (lib/maple_tree.c:212 lib/maple_tree.c:4145 lib/maple_tree.c:4268 lib/maple_tree.c:5477) [ 3.546457][ T0] ? __pfx_mas_store_gfp (lib/maple_tree.c:5470) [ 3.547141][ T0] ? init_desc (kernel/irq/irqdesc.c:213) [ 3.547738][ T0] early_irq_init (kernel/irq/irqdesc.c:174 kernel/irq/irqdesc.c:585) [ 3.548380][ T0] ? __pfx_early_irq_init (kernel/irq/irqdesc.c:563) [ 3.549074][ T0] ? __trace_define_field (include/linux/list.h:150 include/linux/list.h:169 kernel/trace/trace_events.c:138) [ 3.549825][ T0] start_kernel (init/main.c:1008) [ 3.550392][ T0] x86_64_start_reservations (arch/x86/kernel/head64.c:495) [ 3.551107][ T0] x86_64_start_kernel (arch/x86/kernel/head64.c:437 (discriminator 17)) [ 3.551765][ T0] common_startup_64 (arch/x86/kernel/head_64.S:414) [ 3.552417][ T0] </TASK> [ 3.552804][ T0] Modules linked in: [ 3.553314][ T0] ---[ end trace 0000000000000000 ]--- [ 3.554036][ T0] RIP: 0010:mas_wr_store_type (lib/maple_tree.c:795 lib/maple_tree.c:808 lib/maple_tree.c:3526 lib/maple_tree.c:4198) [ 3.554798][ T0] Code: 00 0f 85 a9 0e 00 00 4d 8b 75 00 e8 3a d0 0a 00 85 c0 0f 85 33 02 00 00 44 0f b6 74 24 20 4a 8d 6c f5 00 48 89 e8 48 c1 e8 03 <42> 80 3c 20 00 0f 85 6e 0e 00 00 49 8d 7f 48 4c 8b 75 00 48 89 f8 All code ======== 0: 00 0f add %cl,(%rdi) 2: 85 a9 0e 00 00 4d test %ebp,0x4d00000e(%rcx) 8: 8b 75 00 mov 0x0(%rbp),%esi b: e8 3a d0 0a 00 callq 0xad04a 10: 85 c0 test %eax,%eax 12: 0f 85 33 02 00 00 jne 0x24b 18: 44 0f b6 74 24 20 movzbl 0x20(%rsp),%r14d 1e: 4a 8d 6c f5 00 lea 0x0(%rbp,%r14,8),%rbp 23: 48 89 e8 mov %rbp,%rax 26: 48 c1 e8 03 shr $0x3,%rax 2a:* 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1) <-- trapping instruction 2f: 0f 85 6e 0e 00 00 jne 0xea3 35: 49 8d 7f 48 lea 0x48(%r15),%rdi 39: 4c 8b 75 00 mov 0x0(%rbp),%r14 3d: 48 89 f8 mov %rdi,%rax Code starting with the faulting instruction =========================================== 0: 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1) 5: 0f 85 6e 0e 00 00 jne 0xe79 b: 49 8d 7f 48 lea 0x48(%r15),%rdi f: 4c 8b 75 00 mov 0x0(%rbp),%r14 13: 48 89 f8 mov %rdi,%rax The kernel config and materials to reproduce are available at: https://download.01.org/0day-ci/archive/20241105/202411051011.b1d218e6-oliver.sang@xxxxxxxxx -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki