* kernel BUG at lib/maple_tree.c:1237!
@ 2024-03-19 18:08 David Howells
  2024-03-19 19:56 ` Liam R. Howlett
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: David Howells @ 2024-03-19 18:08 UTC (permalink / raw)
  To: Liam R. Howlett; +Cc: dhowells, maple-tree, linux-mm

Hi Liam,

I managed to trigger a bug in the maple-tree.  I don't know that it's
definitely your bug as I had a process stuck in the D state, but I don't
believe it was doing anything that modified maple trees at the time, just
waiting for PG_writeback on a folio.  Anyway, I was running the generic/130
xfstest and pressed ctrl-C and got a bunch of oopses (see attached).

Unfortunately, I can't do anything to try and get more information as anything
that tries to clone() gets another oops.

The RIP is mas_alloc_nodes+0x55/0x16e:

	mas_set_alloc_req(mas, 0);
	if (mas->mas_flags & MA_STATE_PREALLOC) {
		if (allocated)
			return;
		BUG_ON(!allocated);  <------- 1237
		WARN_ON(!allocated);
	}

The base kernel is at commit bf3a69c6861f plus some of my patches, none of
which alter the maple-tree code or MM code.

David
---
kernel BUG at lib/maple_tree.c:1237!
invalid opcode: 0000 [#1] SMP PTI
CPU: 3 PID: 6242 Comm: rm Not tainted 6.8.0-build3+ #1653
Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014
RIP: 0010:mas_alloc_nodes+0x55/0x16e
Code: ff 41 89 c5 45 85 ed 0f 84 23 01 00 00 31 f6 48 89 df e8 94 c5 ff ff 44 8a 63 3e 41 83 e4 04 74 0b 48 85 ed 0f 85 06 01 00 00 <0f> 0b 48 85 ed 74 0a 48 8b 43 30 80 78 08 1e 75 3a 8b 74 24 0c 48
RSP: 0018:ffff888141683978 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff888141683be8 RCX: 0000000000000001
RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff888141683be8
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000071
R10: 0000000000000032 R11: 0000000000000000 R12: 0000000000000004
R13: 0000000000000001 R14: 0000000000000002 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88840fb80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055ae9ee6ace8 CR3: 000000011b0f2002 CR4: 00000000001706f0
Call Trace:
 <TASK>
 ? __die_body+0x1a/0x5b
 ? die+0x30/0x49
 ? do_trap+0x7a/0xfd
 ? mas_alloc_nodes+0x55/0x16e
 ? mas_alloc_nodes+0x55/0x16e
 ? do_error_trap+0x6e/0x98
 ? mas_alloc_nodes+0x55/0x16e
 ? exc_invalid_op+0x49/0x5d
 ? mas_alloc_nodes+0x55/0x16e
 ? asm_exc_invalid_op+0x16/0x20
 ? mas_alloc_nodes+0x55/0x16e
 ? mas_alloc_nodes+0x42/0x16e
 mas_wr_node_store+0xa1/0x27b
 ? folios_put_refs+0x158/0x180
 ? mas_wr_slot_store+0xf5/0x102
 ? mas_wr_modify+0xac/0xc3
 ? kmem_cache_debug_flags+0xc/0x1d
 ? kmem_cache_alloc+0x199/0x1c4
 ? mas_wr_node_walk+0xce/0xe5
 mas_wr_modify+0x9e/0xc3
 mas_store_prealloc+0x55/0x80
 mmap_region+0x46d/0x607
 do_mmap+0x3cf/0x432
 vm_mmap_pgoff+0xcd/0x11e
 elf_load+0x90/0x21e
 load_elf_binary+0x449/0x99d
 search_binary_handler+0xb3/0x204
 exec_binprm+0x4a/0x132
 bprm_execve.part.0+0xe4/0x16b
 do_execveat_common.isra.0+0x193/0x1bc
 do_execve+0x1f/0x25
 __x64_sys_execve+0x26/0x2f
 do_syscall_64+0x86/0xe5
 entry_SYSCALL_64_after_hwframe+0x6c/0x74
RIP: 0033:0x7efea097f52b
Code: Unable to access opcode bytes at 0x7efea097f501.
RSP: 002b:00007ffc44619958 EFLAGS: 00000246 ORIG_RAX: 000000000000003b
RAX: ffffffffffffffda RBX: 000055ae9f1183a0 RCX: 00007efea097f52b
RDX: 000055ae9f111080 RSI: 000055ae9ee6ace0 RDI: 000055ae9f1183a0
RBP: 00007ffc44619a50 R08: 0000000000000001 R09: 0000000000000004
R10: 000055ae9f11a730 R11: 0000000000000246 R12: 00000000ffffffff
R13: 000055ae9f1183a0 R14: 000055ae9ee6ace0 R15: 000055ae9f111080
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:mas_alloc_nodes+0x55/0x16e
Code: ff 41 89 c5 45 85 ed 0f 84 23 01 00 00 31 f6 48 89 df e8 94 c5 ff ff 44 8a 63 3e 41 83 e4 04 74 0b 48 85 ed 0f 85 06 01 00 00 <0f> 0b 48 85 ed 74 0a 48 8b 43 30 80 78 08 1e 75 3a 8b 74 24 0c 48
RSP: 0018:ffff888141683978 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff888141683be8 RCX: 0000000000000001
RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff888141683be8
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000071
R10: 0000000000000032 R11: 0000000000000000 R12: 0000000000000004
R13: 0000000000000001 R14: 0000000000000002 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88840fb80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007efea097f501 CR3: 000000011b0f2002 CR4: 00000000001706f0
stack segment: 0000 [#2] SMP PTI
CPU: 3 PID: 5912 Comm: (udev-worker) Tainted: G      D            6.8.0-build3+ #1653
Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014
RIP: 0010:kmem_cache_alloc+0xd7/0x1c4
Code: 28 74 05 48 85 ed 75 19 45 89 e9 4c 89 f1 83 ca ff 44 89 e6 48 89 df e8 04 ed ff ff 48 89 c5 eb 22 8b 43 28 48 89 ee 48 8b 3b <4c> 8b 7c 05 00 4c 89 fa e8 bf b9 ff ff 84 c0 74 af 8b 43 28 41 0f
RSP: 0018:ffff88810544bb60 EFLAGS: 00010286
RAX: 0000000000000080 RBX: ffff888100045b00 RCX: 00000000000091a7
RDX: 0000000000000001 RSI: ff88810ace190000 RDI: 0000000000032d90
RBP: ff88810ace190000 R08: ffff88840fbb2d90 R09: 0000000000000001
R10: 00000000ffffffff R11: 0000000000000000 R12: 0000000000002800
R13: 0000000000000100 R14: ffffffff81eaf5c3 R15: 0000000000000001
FS:  00007f993aecc980(0000) GS:ffff88840fb80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000564286eb0320 CR3: 00000001416dc004 CR4: 00000000001706f0
Call Trace:
 <TASK>
 ? __die_body+0x1a/0x5b
 ? die+0x30/0x49
 ? do_trap+0x7a/0xfd
 ? do_error_trap+0x6e/0x98
 ? exc_stack_segment+0x35/0x45
 ? asm_exc_stack_segment+0x22/0x30
 ? mas_alloc_nodes+0x76/0x16e
 ? kmem_cache_alloc+0xd7/0x1c4
 mas_alloc_nodes+0x76/0x16e
 ? cgroup_rstat_updated+0x49/0xa5
 mas_wr_node_store+0xa1/0x27b
 ? __slab_free+0x8c/0x233
 ? drain_obj_stock+0xa8/0xc9
 ? calculate_sigpending+0x2e/0x34
 ? __memcg_slab_free_hook+0x9b/0xb3
 ? __dequeue_signal+0xac/0xbc
 ? kmem_cache_free+0x114/0x154
 ? mas_wr_node_walk+0xce/0xe5
 mas_wr_modify+0x9e/0xc3
 mas_store_gfp+0x5a/0xb4
 do_vmi_align_munmap.isra.0+0x1c8/0x354
 __vm_munmap+0x92/0xcf
 __x64_sys_munmap+0x17/0x1e
 do_syscall_64+0x86/0xe5
 entry_SYSCALL_64_after_hwframe+0x6c/0x74
RIP: 0033:0x7f993b8b40fb
Code: 73 01 c3 48 8b 0d 35 5d 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 0b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 05 5d 0c 00 f7 d8 64 89 01 48
RSP: 002b:00007ffec5ec8648 EFLAGS: 00000206 ORIG_RAX: 000000000000000b
RAX: ffffffffffffffda RBX: 0000564286e9d840 RCX: 00007f993b8b40fb
RDX: 00000000ffffffff RSI: 0000000000c2dbec RDI: 00007f9939e00000
RBP: 00007ffec5ec8660 R08: 0000000000000010 R09: 0000000000000000
R10: 00007ffec5ec85d0 R11: 0000000000000206 R12: 0000564286e230d8
R13: 00007ffec5ec8710 R14: 0000564286e43a90 R15: 0000000000000000
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:mas_alloc_nodes+0x55/0x16e
Code: ff 41 89 c5 45 85 ed 0f 84 23 01 00 00 31 f6 48 89 df e8 94 c5 ff ff 44 8a 63 3e 41 83 e4 04 74 0b 48 85 ed 0f 85 06 01 00 00 <0f> 0b 48 85 ed 74 0a 48 8b 43 30 80 78 08 1e 75 3a 8b 74 24 0c 48
RSP: 0018:ffff888141683978 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff888141683be8 RCX: 0000000000000001
RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff888141683be8
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000071
R10: 0000000000000032 R11: 0000000000000000 R12: 0000000000000004
R13: 0000000000000001 R14: 0000000000000002 R15: 0000000000000000
FS:  00007f993aecc980(0000) GS:ffff88840fb80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000564286eb0320 CR3: 00000001416dc004 CR4: 00000000001706f0
stack segment: 0000 [#3] SMP PTI
CPU: 3 PID: 6246 Comm: (sd-rmrf) Tainted: G      D            6.8.0-build3+ #1653
Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014
RIP: 0010:kmem_cache_alloc+0xd7/0x1c4
Code: 28 74 05 48 85 ed 75 19 45 89 e9 4c 89 f1 83 ca ff 44 89 e6 48 89 df e8 04 ed ff ff 48 89 c5 eb 22 8b 43 28 48 89 ee 48 8b 3b <4c> 8b 7c 05 00 4c 89 fa e8 bf b9 ff ff 84 c0 74 af 8b 43 28 41 0f
RSP: 0018:ffff8881048dfc60 EFLAGS: 00010286
RAX: 0000000000000080 RBX: ffff888100045b00 RCX: 00000000000091a7
RDX: 0000000000000001 RSI: ff88810ace190000 RDI: 0000000000032d90
RBP: ff88810ace190000 R08: ffff88840fbb2d90 R09: 0000000000000040
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000cc0
R13: 0000000000000100 R14: ffffffff81eaf5c3 R15: 0000000000000000
FS:  00007fd912b3f980(0000) GS:ffff88840fb80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd912f2f6a0 CR3: 0000000141694003 CR4: 00000000001706f0
Call Trace:
 <TASK>
 ? __die_body+0x1a/0x5b
 ? die+0x30/0x49
 ? do_trap+0x7a/0xfd
 ? do_error_trap+0x6e/0x98
 ? exc_stack_segment+0x35/0x45
 ? asm_exc_stack_segment+0x22/0x30
 ? mas_alloc_nodes+0x76/0x16e
 ? kmem_cache_alloc+0xd7/0x1c4
 mas_alloc_nodes+0x76/0x16e
 mas_preallocate+0x123/0x18a
 mmap_region+0x44d/0x607
 do_mmap+0x3cf/0x432
 vm_mmap_pgoff+0xcd/0x11e
 ksys_mmap_pgoff+0x15b/0x189
 do_syscall_64+0x86/0xe5
 entry_SYSCALL_64_after_hwframe+0x6c/0x74
RIP: 0033:0x7fd912f2f6cc
Code: 1e fa 41 f7 c1 ff 0f 00 00 75 33 55 48 89 e5 41 54 41 89 cc 53 48 89 fb 48 85 ff 74 41 45 89 e2 48 89 df b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7c 5b 41 5c 5d c3 0f 1f 80 00 00 00 00 48 8b
RSP: 002b:00007ffc88b77340 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd912f2f6cc
RDX: 0000000000000003 RSI: 0000000000001000 RDI: 0000000000000000
RBP: 00007ffc88b77350 R08: 00000000ffffffff R09: 0000000000000000
R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000000022
R13: 0000000000000009 R14: 000000000000000a R15: 0000000000000018
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:mas_alloc_nodes+0x55/0x16e
Code: ff 41 89 c5 45 85 ed 0f 84 23 01 00 00 31 f6 48 89 df e8 94 c5 ff ff 44 8a 63 3e 41 83 e4 04 74 0b 48 85 ed 0f 85 06 01 00 00 <0f> 0b 48 85 ed 74 0a 48 8b 43 30 80 78 08 1e 75 3a 8b 74 24 0c 48
RSP: 0018:ffff888141683978 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff888141683be8 RCX: 0000000000000001
RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff888141683be8
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000071
R10: 0000000000000032 R11: 0000000000000000 R12: 0000000000000004
R13: 0000000000000001 R14: 0000000000000002 R15: 0000000000000000
FS:  00007fd912b3f980(0000) GS:ffff88840fb80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd912f2f6a0 CR3: 0000000141694003 CR4: 00000000001706f0
Call Trace:
 <TASK>
 ? __die_body+0x1a/0x5b
 ? die+0x30/0x49
 ? do_trap+0x7a/0xfd
 ? do_error_trap+0x6e/0x98
 ? exc_stack_segment+0x35/0x45
 ? asm_exc_stack_segment+0x22/0x30
 ? mas_dup_build.constprop.0+0x64/0x210
 ? kmem_cache_alloc+0xd7/0x1c4
 ? kmem_cache_alloc+0x5d/0x1c4
 mas_dup_build.constprop.0+0x64/0x210
 ? pcpu_chunk_relocate+0x13/0x37
 __mt_dup+0x70/0xb9
 dup_mmap+0x164/0x4f7
 copy_process+0x7e1/0x1261
 kernel_clone+0xa1/0x204
 ? vfs_read+0x133/0x190
 __do_sys_clone+0x65/0x8b
 do_syscall_64+0x86/0xe5
 entry_SYSCALL_64_after_hwframe+0x6c/0x74
RIP: 0033:0x7f4924f108e7
Code: c3 66 90 f3 0f 1e fa 64 48 8b 04 25 10 00 00 00 45 31 c0 31 d2 31 f6 bf 11 00 20 01 4c 8d 90 d0 02 00 00 b8 38 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 39 89 c2 85 c0 75 2c 64 48 8b 04 25 10 00 00
RSP: 002b:00007ffe84193978 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f4924f108e7
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
RBP: 00007ffe84193a80 R08: 0000000000000000 R09: 0000000000000000
R10: 00007f4924c9df50 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:mas_alloc_nodes+0x55/0x16e
Code: ff 41 89 c5 45 85 ed 0f 84 23 01 00 00 31 f6 48 89 df e8 94 c5 ff ff 44 8a 63 3e 41 83 e4 04 74 0b 48 85 ed 0f 85 06 01 00 00 <0f> 0b 48 85 ed 74 0a 48 8b 43 30 80 78 08 1e 75 3a 8b 74 24 0c 48
RSP: 0018:ffff888141683978 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff888141683be8 RCX: 0000000000000001
RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff888141683be8
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000071
R10: 0000000000000032 R11: 0000000000000000 R12: 0000000000000004
R13: 0000000000000001 R14: 0000000000000002 R15: 0000000000000000
FS:  00007f4924c9dc80(0000) GS:ffff88840fb80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa08addde1c CR3: 000000011d5ae002 CR4: 00000000001706f0

* Re: kernel BUG at lib/maple_tree.c:1237!
  2024-03-19 18:08 kernel BUG at lib/maple_tree.c:1237! David Howells
@ 2024-03-19 19:56 ` Liam R. Howlett
  2024-03-19 19:59 ` And here's a GPF for you David Howells
  2024-03-21 15:09 ` kernel BUG at lib/maple_tree.c:1237! David Howells
  2 siblings, 0 replies; 4+ messages in thread
From: Liam R. Howlett @ 2024-03-19 19:56 UTC (permalink / raw)
  To: David Howells; +Cc: maple-tree, linux-mm

* David Howells <dhowells@redhat.com> [240319 14:09]:
> Hi Liam,
> 
> I managed to trigger a bug in the maple-tree.  I don't know that it's
> definitely your bug as I had a process stuck in the D state, but I don't
> believe it was doing anything that modified maple trees at the time, just
> waiting for PG_writeback on a folio.  Anyway, I was running the generic/130
> xfstest and pressed ctrl-C and got a bunch of oopses (see attached).
> 
> Unfortunately, I can't do anything to try and get more information as anything
> that tries to clone() gets another oops.
> 
> The RIP is mas_alloc_nodes+0x55/0x16e:
> 
> 	mas_set_alloc_req(mas, 0);
> 	if (mas->mas_flags & MA_STATE_PREALLOC) {
> 		if (allocated)
> 			return;
> 		BUG_ON(!allocated);  <------- 1237
> 		WARN_ON(!allocated);
> 	}
> 
> The base kernel is at commit bf3a69c6861f plus some of my patches, none of
> which alter the maple-tree code or MM code.
> 

How can we be stuck in D state on a BUG_ON()?

If this is a maple tree bug, then it's in the calculations done for
preallocation.  The last time that changed was in December in commit
4249f13c11be8b8b7bf93204185e150c3bdc968d.  Could you try reverting this
change?

From the trace, this is failing on loading a binary. Could you please
try changing BUG_ON() to MAS_BUG_ON(mas, !allocated) to get more
information?

I ran generic/130 here and it worked in my testing.  Does this happen
without your patches?  Maybe the changes you make are causing something
to happen more frequently?

Thanks,
Liam


* And here's a GPF for you
  2024-03-19 18:08 kernel BUG at lib/maple_tree.c:1237! David Howells
  2024-03-19 19:56 ` Liam R. Howlett
@ 2024-03-19 19:59 ` David Howells
  2024-03-21 15:09 ` kernel BUG at lib/maple_tree.c:1237! David Howells
  2 siblings, 0 replies; 4+ messages in thread
From: David Howells @ 2024-03-19 19:59 UTC (permalink / raw)
  To: Liam R. Howlett; +Cc: dhowells, maple-tree, linux-mm

And now I got a GPF for you:

general protection fault, probably for non-canonical address 0xff8881044d950080: 0000 [#1] SMP PTI
CPU: 2 PID: 6451 Comm: check Not tainted 6.8.0-build3+ #1657
Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014
RIP: 0010:__kmem_cache_alloc_bulk+0x180/0x1e3
Code: 9c ff ff 4c 8b 44 24 08 84 c0 74 09 8b 43 28 31 f6 49 89 34 07 9c 5a fa eb 36 8b 43 28 48 89 df 48 89 54 24 10 4c 89 44 24 08 <49> 8b 04 07 49 89 00 4d 89 3a e8 66 9c ff ff 4c 8b 44 24 08 84 c0
RSP: 0018:ffff8881190f3b48 EFLAGS: 00010086
RAX: 0000000000000080 RBX: ffff888100045b00 RCX: ffff8881044d9350
RDX: 0000000000000286 RSI: 0000000000000cc0 RDI: ffff888100045b00
RBP: 0000000000000001 R08: ffff88840fb32d90 R09: 00000000ffffffc8
R10: ffff8881044d9358 R11: 0000000000000000 R12: 0000000000000001
R13: ffff8881044d9350 R14: 0000000000000003 R15: ff8881044d950000
FS:  00007f2526d7b740(0000) GS:ffff88840fb00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055c639329e28 CR3: 000000011cd8e002 CR4: 00000000001706f0
Call Trace:
 <TASK>
 ? __die_body+0x1a/0x5b
 ? die_addr+0x38/0x51
 ? exc_general_protection+0x229/0x25f
 ? asm_exc_general_protection+0x22/0x30
 ? __kmem_cache_alloc_bulk+0x180/0x1e3
 ? __kmem_cache_alloc_bulk+0x18f/0x1e3
 ? __rmqueue_pcplist+0x75/0x16f
 kmem_cache_alloc_bulk+0xa7/0x184
 mas_dup_build.constprop.0+0x120/0x210
 __mt_dup+0x70/0xb9
 dup_mmap+0x164/0x4f7
 copy_process+0x7e1/0x1261
 kernel_clone+0xa1/0x204
 ? memcg_rstat_updated+0x1a/0x77
 __do_sys_clone+0x65/0x8b
 do_syscall_64+0x86/0xe5
 entry_SYSCALL_64_after_hwframe+0x6c/0x74
RIP: 0033:0x7f2526e5b8e7
Code: c3 66 90 f3 0f 1e fa 64 48 8b 04 25 10 00 00 00 45 31 c0 31 d2 31 f6 bf 11 00 20 01 4c 8d 90 d0 02 00 00 b8 38 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 39 89 c2 85 c0 75 2c 64 48 8b 04 25 10 00 00
RSP: 002b:00007fffc77e2ee8 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f2526e5b8e7
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
RBP: 00007fffc77e2ff0 R08: 0000000000000000 R09: 0000000000000000
R10: 00007f2526d7ba10 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000001 R14: 00007fffc77e3030 R15: 000055c639626140
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__kmem_cache_alloc_bulk+0x180/0x1e3
Code: 9c ff ff 4c 8b 44 24 08 84 c0 74 09 8b 43 28 31 f6 49 89 34 07 9c 5a fa eb 36 8b 43 28 48 89 df 48 89 54 24 10 4c 89 44 24 08 <49> 8b 04 07 49 89 00 4d 89 3a e8 66 9c ff ff 4c 8b 44 24 08 84 c0
RSP: 0018:ffff8881190f3b48 EFLAGS: 00010086
RAX: 0000000000000080 RBX: ffff888100045b00 RCX: ffff8881044d9350
RDX: 0000000000000286 RSI: 0000000000000cc0 RDI: ffff888100045b00
RBP: 0000000000000001 R08: ffff88840fb32d90 R09: 00000000ffffffc8
R10: ffff8881044d9358 R11: 0000000000000000 R12: 0000000000000001
R13: ffff8881044d9350 R14: 0000000000000003 R15: ff8881044d950000
FS:  00007f2526d7b740(0000) GS:ffff88840fb00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055c639329e28 CR3: 000000011cd8e002 CR4: 00000000001706f0
note: check[6451] exited with irqs disabled
stack segment: 0000 [#2] SMP PTI
CPU: 2 PID: 328944 Comm: (udev-worker) Tainted: G      D            6.8.0-build3+ #1657
Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014
RIP: 0010:kmem_cache_alloc+0xd7/0x1c4
Code: 28 74 05 48 85 ed 75 19 45 89 e9 4c 89 f1 83 ca ff 44 89 e6 48 89 df e8 04 ed ff ff 48 89 c5 eb 22 8b 43 28 48 89 ee 48 8b 3b <4c> 8b 7c 05 00 4c 89 fa e8 bf b9 ff ff 84 c0 74 af 8b 43 28 41 0f
RSP: 0018:ffff888104f1bb60 EFLAGS: 00010286
RAX: 0000000000000080 RBX: ffff888100045b00 RCX: 00000000001401f8
RDX: 0000000000000001 RSI: ff8881044d950000 RDI: 0000000000032d90
RBP: ff8881044d950000 R08: ffff88840fb32d90 R09: 0000000000000001
R10: 00000000ffffffff R11: 0000000000000000 R12: 0000000000002800
R13: 0000000000000100 R14: ffffffff81eaf543 R15: 0000000000000001
FS:  00007f69e0d12980(0000) GS:ffff88840fb00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000559513d3e618 CR3: 0000000118ac0006 CR4: 00000000001706f0
Call Trace:
 <TASK>
 ? __die_body+0x1a/0x5b
 ? die+0x30/0x49
 ? do_trap+0x7a/0xfd
 ? do_error_trap+0x6e/0x98
 ? exc_stack_segment+0x35/0x45
 ? asm_exc_stack_segment+0x22/0x30
 ? mas_alloc_nodes+0x76/0x16e
 ? kmem_cache_alloc+0xd7/0x1c4
 mas_alloc_nodes+0x76/0x16e
 ? cgroup_rstat_updated+0x49/0xa5
 mas_wr_node_store+0xa1/0x27b
 ? __slab_free+0x8c/0x233
 ? drain_obj_stock+0xa8/0xc9
 ? calculate_sigpending+0x2f/0x34
 ? __memcg_slab_free_hook+0x9b/0xb3
 ? __dequeue_signal+0xac/0xbc
 ? kmem_cache_free+0x114/0x154
 ? mas_wr_node_walk+0xce/0xe5
 mas_wr_modify+0x9e/0xc3
 mas_store_gfp+0x5a/0xb4
 do_vmi_align_munmap.isra.0+0x1c8/0x354
 __vm_munmap+0x92/0xcf
 __x64_sys_munmap+0x17/0x1e
 do_syscall_64+0x86/0xe5
 entry_SYSCALL_64_after_hwframe+0x6c/0x74
RIP: 0033:0x7f69e0f300fb
Code: 73 01 c3 48 8b 0d 35 5d 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 0b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 05 5d 0c 00 f7 d8 64 89 01 48
RSP: 002b:00007fffa0000ac8 EFLAGS: 00000206 ORIG_RAX: 000000000000000b
RAX: ffffffffffffffda RBX: 0000559513d35840 RCX: 00007f69e0f300fb
RDX: 00000000ffffffff RSI: 0000000000c2dbec RDI: 00007f69df600000
RBP: 00007fffa0000ae0 R08: 0000000000000010 R09: 0000000000000000
R10: 00007fffa0000a50 R11: 0000000000000206 R12: 0000559513cbb0d8
R13: 00007fffa0000b90 R14: 0000559513cdba90 R15: 0000000000000000
 </TASK>

* Re: kernel BUG at lib/maple_tree.c:1237!
  2024-03-19 18:08 kernel BUG at lib/maple_tree.c:1237! David Howells
  2024-03-19 19:56 ` Liam R. Howlett
  2024-03-19 19:59 ` And here's a GPF for you David Howells
@ 2024-03-21 15:09 ` David Howells
  2 siblings, 0 replies; 4+ messages in thread
From: David Howells @ 2024-03-21 15:09 UTC (permalink / raw)
  To: Liam R. Howlett; +Cc: dhowells, maple-tree, linux-mm

Okay, it seems this was due to a double free in error handling in my modified
version of cifs.  The reason it's happening in the maple tree code is that the
netfs_io_subrequest struct might match the size of the maple tree nodes and be
sharing a slab.

David
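David's diagnosis, a double free in one subsystem's error path that surfaces as corruption in an unrelated user of the same slab, can be shown with a toy free-list allocator. This is an added example, not code from the thread, the kernel or cifs; the cache, the object size and the two "subsystems" A and B are constructed. It models the two behaviours a practitioner would want to see: an unchecked free list hands the double-freed object out twice (so the next allocator, here standing in for the maple tree, is the one that crashes), while a free list that validates frees, in the spirit of the kernel's slub_debug sanity checks and CONFIG_SLAB_FREELIST_HARDENED, refuses the second free and names the real culprit.

```c
/* Toy slab cache: one free list shared by every object of the same size,
 * which is how a netfs_io_subrequest and a maple_node of equal size can
 * end up in one kmem_cache. Constructed illustration, not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OBJ_SIZE 64   /* constructed: any size both "subsystems" share */
#define NR_OBJS  8

struct toy_cache {
    unsigned char mem[NR_OBJS][OBJ_SIZE];
    void *freelist;          /* linked through the first word of each free object */
    bool check_double_free;  /* analogous to a debug-enabled slab cache */
    int errors;              /* refused frees, what a debug kernel would report */
};

static void toy_cache_init(struct toy_cache *c, bool check)
{
    memset(c, 0, sizeof(*c));
    c->check_double_free = check;
    for (int i = NR_OBJS - 1; i >= 0; i--) {
        *(void **)c->mem[i] = c->freelist;
        c->freelist = c->mem[i];
    }
}

static void *toy_alloc(struct toy_cache *c)
{
    void *obj = c->freelist;
    if (!obj)
        return NULL;
    c->freelist = *(void **)obj;  /* pop: trusts whatever the last free wrote here */
    memset(obj, 0, OBJ_SIZE);
    return obj;
}

/* Walk bounded by NR_OBJS so a cycle left by an earlier double free cannot hang us. */
static bool toy_on_freelist(const struct toy_cache *c, const void *obj)
{
    int n = 0;
    for (void *p = c->freelist; p && n < NR_OBJS; p = *(void **)p, n++)
        if (p == obj)
            return true;
    return false;
}

static int toy_free(struct toy_cache *c, void *obj)
{
    if (c->check_double_free && toy_on_freelist(c, obj)) {
        c->errors++;          /* a debug allocator reports the double free here */
        return -1;
    }
    *(void **)obj = c->freelist;
    c->freelist = obj;
    return 0;
}

/* Subsystem A frees its object twice; subsystem B then takes two objects
 * from the same cache. Sets *aliased if B was handed the same object twice
 * (the corruption shows up in B although A made the mistake) and returns
 * how many frees the cache refused. */
static int run_scenario(bool check, bool *aliased)
{
    struct toy_cache c;
    toy_cache_init(&c, check);

    void *a = toy_alloc(&c);  /* A's object, e.g. a subrequest */
    toy_free(&c, a);
    toy_free(&c, a);          /* double free in A's error path */

    void *b1 = toy_alloc(&c); /* B's objects, e.g. tree nodes */
    void *b2 = toy_alloc(&c);
    *aliased = (b1 != NULL && b1 == b2);
    return c.errors;
}

static bool demo_aliases(bool check)
{
    bool aliased;
    run_scenario(check, &aliased);
    return aliased;
}

static int demo_refused(bool check)
{
    bool aliased;
    return run_scenario(check, &aliased);
}

int main(void)
{
    printf("unchecked cache: B got one object twice = %d, refused frees = %d\n",
           demo_aliases(false), demo_refused(false));
    printf("checked cache:   B got one object twice = %d, refused frees = %d\n",
           demo_aliases(true), demo_refused(true));
    return 0;
}
```

In the unchecked run the second free links the object to itself, so B's two allocations return the same address and the free list then runs dry, which is the same shape as the thread's cascade of oopses in mas_alloc_nodes and kmem_cache_alloc after the first BUG. The checked run refuses the second free and counts it, which is why a slab-corruption report that points at a well-tested consumer is worth re-running with slab debugging or KASAN enabled before blaming that consumer.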
