Greeting,

FYI, we noticed the following commit (built with gcc-9):

commit: 82e080f31808330f67ded631246798ec3ea37cff ("mm: Remove the vma linked list")
https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master

in testcase: blktests
version: blktests-x86_64-bd6b882-1_20220226
with following parameters:

	disk: 1HDD
	test: block-group-09
	ucode: 0xec

on test machine: 4 threads Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz with 32G memory

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):


If you fix the issue, kindly add following tag
Reported-by: kernel test robot


[   29.418341][  T743] BUG: KASAN: use-after-free in move_vma (mm/mremap.c:714)
[   29.424842][  T743] Read of size 8 at addr ffff888805c9e2a8 by task python3.7/743
[   29.432285][  T743]
[   29.434458][  T743] CPU: 3 PID: 743 Comm: python3.7 Not tainted 5.17.0-rc4-00070-g82e080f31808 #1
[   29.443284][  T743] Hardware name: Dell Inc. OptiPlex 7040/0Y7WYT, BIOS 1.8.1 12/05/2017
[   29.451329][  T743] Call Trace:
[   29.454452][  T743]
[   29.457230][  T743] dump_stack_lvl (lib/dump_stack.c:107)
[   29.461564][  T743] print_address_description+0x21/0x180
[   29.467971][  T743] ? move_vma (mm/mremap.c:714)
[   29.472132][  T743] kasan_report.cold (mm/kasan/report.c:443 mm/kasan/report.c:459)
[   29.476812][  T743] ? move_vma (mm/mremap.c:714)
[   29.480972][  T743] move_vma (mm/mremap.c:714)
[   29.484962][  T743] ? move_page_tables (mm/mremap.c:571)
[   29.489985][  T743] ? security_mmap_addr (security/security.c:1594 (discriminator 13))
[   29.492284][  T301] LKP: stdout: 284: Kernel tests: Boot OK!
[   29.494838][  T743] __do_sys_mremap (mm/mremap.c:1063)
[   29.494842][  T743] ? move_vma (mm/mremap.c:893)
[   29.500476][  T301]
[   29.505145][  T743] ? cap_capget (security/commoncap.c:1443)
[   29.505148][  T743] ? handle_mm_fault (mm/memory.c:4818)
[   29.505150][  T743] ? up_read (arch/x86/include/asm/atomic64_64.h:160 include/linux/atomic/atomic-long.h:71 include/linux/atomic/atomic-instrumented.h:1318 kernel/locking/rwsem.c:1293 kernel/locking/rwsem.c:1557)
[   29.524470][  T743] ? do_user_addr_fault (arch/x86/mm/fault.c:1422)
[   29.529494][  T743] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
[   29.533740][  T743] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:113)
[   29.539454][  T743] RIP: 0033:0x7fd0b9a9201a
[   29.543699][  T743] Code: 73 01 c3 48 8b 0d 76 0e 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 19 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 46 0e 0c 00 f7 d8 64 89 01 48
All code
========
   0:	73 01                	jae    0x3
   2:	c3                   	retq
   3:	48 8b 0d 76 0e 0c 00 	mov    0xc0e76(%rip),%rcx        # 0xc0e80
   a:	f7 d8                	neg    %eax
   c:	64 89 01             	mov    %eax,%fs:(%rcx)
   f:	48 83 c8 ff          	or     $0xffffffffffffffff,%rax
  13:	c3                   	retq
  14:	66 2e 0f 1f 84 00 00 	nopw   %cs:0x0(%rax,%rax,1)
  1b:	00 00 00
  1e:	66 90                	xchg   %ax,%ax
  20:	49 89 ca             	mov    %rcx,%r10
  23:	b8 19 00 00 00       	mov    $0x19,%eax
  28:	0f 05                	syscall
  2a:*	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax		<-- trapping instruction
  30:	73 01                	jae    0x33
  32:	c3                   	retq
  33:	48 8b 0d 46 0e 0c 00 	mov    0xc0e46(%rip),%rcx        # 0xc0e80
  3a:	f7 d8                	neg    %eax
  3c:	64 89 01             	mov    %eax,%fs:(%rcx)
  3f:	48                   	rex.W

Code starting with the faulting instruction
===========================================
   0:	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax
   6:	73 01                	jae    0x9
   8:	c3                   	retq
   9:	48 8b 0d 46 0e 0c 00 	mov    0xc0e46(%rip),%rcx        # 0xc0e56
  10:	f7 d8                	neg    %eax
  12:	64 89 01             	mov    %eax,%fs:(%rcx)
  15:	48                   	rex.W
[   29.563052][  T743] RSP: 002b:00007ffd9c276ca8 EFLAGS: 00000246 ORIG_RAX: 0000000000000019
[   29.571272][  T743] RAX: ffffffffffffffda RBX: 00000000000a1000 RCX: 00007fd0b9a9201a
[   29.579055][  T743] RDX: 00000000000a1000 RSI: 0000000000051000 RDI: 00007fd0b93eb000
[   29.586838][  T743] RBP: 0000000000051000 R08: 0000000000000000 R09: 00007fd0b93eb000
[   29.594633][  T743] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
[   29.602431][  T743] R13: 00007fd0b95802d8 R14: 00000000000a0010 R15: 0000000000051000
[   29.610214][  T743]
[   29.613076][  T743]
[   29.615247][  T743] Allocated by task 743:
[   29.619318][  T743] kasan_save_stack (mm/kasan/common.c:39)
[   29.623824][  T743] __kasan_slab_alloc (mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:469)
[   29.628502][  T743] kmem_cache_alloc (mm/slab.h:733 mm/slub.c:3230 mm/slub.c:3238 mm/slub.c:3243)
[   29.633180][  T743] vm_area_dup (kernel/fork.c:358)
[   29.637348][  T743] __split_vma (mm/mmap.c:2255)
[   29.641511][  T743] do_mas_align_munmap (mm/mmap.c:2390)
[   29.646456][  T743] do_mas_munmap (mm/mmap.c:2508)
[   29.650881][  T743] __vm_munmap (mm/mmap.c:2764)
[   29.655133][  T743] __x64_sys_munmap (mm/mmap.c:2786)
[   29.659660][  T743] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
[   29.663919][  T743] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:113)
[   29.669633][  T743]
[   29.671805][  T743] Freed by task 743:
[   29.675531][  T743] kasan_save_stack (mm/kasan/common.c:39)
[   29.680034][  T743] kasan_set_track (mm/kasan/common.c:45)
[   29.684456][  T743] kasan_set_free_info (mm/kasan/generic.c:372)
[   29.689218][  T743] __kasan_slab_free (mm/kasan/common.c:368 mm/kasan/common.c:328 mm/kasan/common.c:374)
[   29.693898][  T743] kmem_cache_free (mm/slub.c:1754 mm/slub.c:3509 mm/slub.c:3526)
[   29.698402][  T743] do_mas_align_munmap (mm/mmap.c:2205 mm/mmap.c:2463)
[   29.703341][  T743] do_mas_munmap (mm/mmap.c:2508)
[   29.707759][  T743] do_munmap (mm/mmap.c:2519)
[   29.711747][  T743] move_vma (mm/mremap.c:698)
[   29.715734][  T743] __do_sys_mremap (mm/mremap.c:1063)
[   29.720410][  T743] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
[   29.724661][  T743] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:113)
[   29.730386][  T743]
[   29.732559][  T743] The buggy address belongs to the object at ffff888805c9e288
[   29.732559][  T743]  which belongs to the cache vm_area_struct of size 152
[   29.746661][  T743] The buggy address is located 32 bytes inside of
[   29.746661][  T743]  152-byte region [ffff888805c9e288, ffff888805c9e320)
[   29.759656][  T743] The buggy address belongs to the page:
[   29.765109][  T743] page:0000000051b8737b refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x805c9e
[   29.775143][  T743] memcg:ffff8887f5a57401
[   29.779214][  T743] flags: 0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff)
[   29.786830][  T743] raw: 0017ffffc0000200 0000000000000000 dead000000000122 ffff88810021edc0
[   29.795223][  T743] raw: 0000000000000000 0000000080120012 00000001ffffffff ffff8887f5a57401
[   29.803632][  T743] page dumped because: kasan: bad access detected
[   29.809864][  T743]
[   29.812037][  T743] Memory state around the buggy address:
[   29.817491][  T743]  ffff888805c9e180: fc fc fc fc fc fc fa fb fb fb fb fb fb fb fb fb
[   29.825364][  T743]  ffff888805c9e200: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[   29.833238][  T743] >ffff888805c9e280: fc fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.841107][  T743]                                   ^
[   29.846300][  T743]  ffff888805c9e300: fb fb fb fb fc fc fc fc fc fc fc fc fa fb fb fb
[   29.854169][  T743]  ffff888805c9e380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
[   29.862040][  T743] ==================================================================
[   29.869911][  T743] Disabling lock debugging due to kernel taint
[   29.875935][  T743] general protection fault, probably for non-canonical address 0xdffffc0000000004: 0000 [#1] SMP KASAN PTI
[   29.887123][  T743] KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]
[   29.895356][  T743] CPU: 3 PID: 743 Comm: python3.7 Tainted: G    B             5.17.0-rc4-00070-g82e080f31808 #1
[   29.905567][  T743] Hardware name: Dell Inc. OptiPlex 7040/0Y7WYT, BIOS 1.8.1 12/05/2017
[   29.913630][  T743] RIP: 0010:move_vma (mm/mremap.c:716)
[   29.918398][  T743] Code: 3c 02 00 0f 85 88 06 00 00 48 8b 73 08 4c 89 e7 e8 d6 6c fe ff 48 ba 00 00 00 00 00 fc ff df 48 8d 78 20 48 89 f9 48 c1 e9 03 <80> 3c 11 00 0f 85 4b 06 00 00 48 81 48 20 00 00 10 00 eb 03 4c 63
All code
========
   0:	3c 02                	cmp    $0x2,%al
   2:	00 0f                	add    %cl,(%rdi)
   4:	85 88 06 00 00 48    	test   %ecx,0x48000006(%rax)
   a:	8b 73 08             	mov    0x8(%rbx),%esi
   d:	4c 89 e7             	mov    %r12,%rdi
  10:	e8 d6 6c fe ff       	callq  0xfffffffffffe6ceb
  15:	48 ba 00 00 00 00 00 	movabs $0xdffffc0000000000,%rdx
  1c:	fc ff df
  1f:	48 8d 78 20          	lea    0x20(%rax),%rdi
  23:	48 89 f9             	mov    %rdi,%rcx
  26:	48 c1 e9 03          	shr    $0x3,%rcx
  2a:*	80 3c 11 00          	cmpb   $0x0,(%rcx,%rdx,1)		<-- trapping instruction
  2e:	0f 85 4b 06 00 00    	jne    0x67f
  34:	48 81 48 20 00 00 10 	orq    $0x100000,0x20(%rax)
  3b:	00
  3c:	eb 03                	jmp    0x41
  3e:	4c                   	rex.WR
  3f:	63                   	.byte 0x63

Code starting with the faulting instruction
===========================================
   0:	80 3c 11 00          	cmpb   $0x0,(%rcx,%rdx,1)
   4:	0f 85 4b 06 00 00    	jne    0x655
   a:	48 81 48 20 00 00 10 	orq    $0x100000,0x20(%rax)
  11:	00
  12:	eb 03                	jmp    0x17
  14:	4c                   	rex.WR
  15:	63                   	.byte 0x63


To reproduce:

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        sudo bin/lkp install job.yaml           # job file is attached in this email
        bin/lkp split-job --compatible job.yaml # generate the yaml file for lkp run
        sudo bin/lkp run generated-yaml-file

        # if you come across any failure that blocks the test,
        # please remove ~/.lkp and /lkp dir to run from a clean state.



---
0DAY/LKP+ Test Infrastructure                   Open Source Technology Center
https://lists.01.org/hyperkitty/list/lkp@lists.01.org       Intel Corporation

Thanks,
Oliver Sang
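The following decoder is an added example written for this page; it is not part of Oliver Sang's mail, the kernel test robot, or the lkp-tests tree. It embeds the user-space register lines and the marked ">" shadow row copied from the report above, and shows the three things a triager pulls out of such a dump by hand: the syscall that was executing (on x86-64 the number is in ORIG_RAX while RAX already holds -ENOSYS, and arguments are in RDI, RSI, RDX, R10, R8, R9, so 0x19 with these registers is mremap(0x7fd0b93eb000, 0x51000, 0xa1000, MREMAP_MAYMOVE)); what the generic-KASAN shadow byte covering the read address says (names follow mm/kasan/kasan.h: 0xfc kmalloc redzone, 0xfa/0xfb freed object); and the inverse of the x86-64 shadow mapping shadow = (addr >> 3) + 0xdffffc0000000000 (the offset the disassembly itself loads with movabs), which turns the follow-on GPF on 0xdffffc0000000004 back into a check of address 0x20, matching the "null-ptr-deref in range [0x20-0x27]" line. The register and shadow strings are constructed input for the example, copied from the report so it runs offline.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed input: register lines copied from the report above. */
static const char *const REG_DUMP =
    "RSP: 002b:00007ffd9c276ca8 EFLAGS: 00000246 ORIG_RAX: 0000000000000019\n"
    "RAX: ffffffffffffffda RBX: 00000000000a1000 RCX: 00007fd0b9a9201a\n"
    "RDX: 00000000000a1000 RSI: 0000000000051000 RDI: 00007fd0b93eb000\n"
    "RBP: 0000000000051000 R08: 0000000000000000 R09: 00007fd0b93eb000\n"
    "R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000\n";

/* Constructed input: the ">" row from "Memory state around the buggy address". */
static const char *const SHADOW_ROW =
    ">ffff888805c9e280: fc fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb";

#define KASAN_SHADOW_OFFSET 0xdffffc0000000000ULL /* x86-64 generic KASAN */
#define KASAN_GRANULE_SIZE  8
#define NR_MREMAP_X86_64    25                     /* ORIG_RAX 0x19 */

struct mremap_call { uint64_t nr, old_addr, old_len, new_len, flags, new_addr; };

/* Value printed after "NAME: ". Token-aware so that "RAX" does not match the
 * tail of "ORIG_RAX". Sets *found = 0 and returns 0 when the register is absent. */
static uint64_t reg_value(const char *dump, const char *name, int *found)
{
    size_t n = strlen(name);
    for (const char *p = strstr(dump, name); p; p = strstr(p + 1, name)) {
        int at_start = p == dump || p[-1] == ' ' || p[-1] == '\n';
        if (at_start && p[n] == ':' && p[n + 1] == ' ') {
            *found = 1;
            return strtoull(p + n + 2, NULL, 16);
        }
    }
    *found = 0;
    return 0;
}

/* x86-64 syscall ABI: number in ORIG_RAX, args in RDI, RSI, RDX, R10, R8.
 * Returns 1 only if every register was present and the syscall is mremap. */
static int decode_mremap(const char *dump, struct mremap_call *c)
{
    int ok = 1, f;
    c->nr       = reg_value(dump, "ORIG_RAX", &f); ok &= f;
    c->old_addr = reg_value(dump, "RDI", &f);      ok &= f;
    c->old_len  = reg_value(dump, "RSI", &f);      ok &= f;
    c->new_len  = reg_value(dump, "RDX", &f);      ok &= f;
    c->flags    = reg_value(dump, "R10", &f);      ok &= f;
    c->new_addr = reg_value(dump, "R08", &f);      ok &= f;
    return ok && c->nr == NR_MREMAP_X86_64;
}

/* Meaning of one generic-KASAN shadow byte (values from mm/kasan/kasan.h). */
static const char *shadow_meaning(int b)
{
    if (b >= 0 && b < KASAN_GRANULE_SIZE)
        return b == 0 ? "addressable" : "partially addressable";
    switch (b) {
    case 0xfa: return "freed (free-track granule)"; /* KASAN_KMALLOC_FREETRACK */
    case 0xfb: return "freed";                      /* KASAN_KMALLOC_FREE */
    case 0xfc: return "kmalloc redzone";            /* KASAN_KMALLOC_REDZONE */
    case 0xfe: return "page redzone";               /* KASAN_PAGE_REDZONE */
    case 0xff: return "free page";                  /* KASAN_FREE_PAGE */
    default:   return "other poison";
    }
}

/* Shadow byte covering addr, taken from a 16-granule "Memory state" row.
 * Returns -1 if addr is outside the row or the row does not parse. */
static int shadow_byte_at(const char *row, uint64_t addr)
{
    char *end;
    if (*row == '>') row++;
    uint64_t base = strtoull(row, &end, 16);
    if (*end != ':' || addr < base || addr >= base + 16 * KASAN_GRANULE_SIZE)
        return -1;
    const char *p = end + 1;
    for (int i = 0; i < 16; i++) {
        int b = (int)strtoul(p, &end, 16);
        if (end == p) return -1;
        if (i == (int)((addr - base) / KASAN_GRANULE_SIZE)) return b;
        p = end;
    }
    return -1;
}

/* Invert shadow = (addr >> 3) + KASAN_SHADOW_OFFSET to recover the checked address. */
static uint64_t shadow_to_addr(uint64_t shadow)
{
    return (shadow - KASAN_SHADOW_OFFSET) << 3;
}

int main(void)
{
    struct mremap_call c;
    if (!decode_mremap(REG_DUMP, &c)) return 1;
    printf("mremap(old=%#llx, old_len=%#llx, new_len=%#llx, flags=%#llx%s)\n",
           (unsigned long long)c.old_addr, (unsigned long long)c.old_len,
           (unsigned long long)c.new_len, (unsigned long long)c.flags,
           (c.flags & 1) ? " [MREMAP_MAYMOVE]" : "");
    uint64_t bad = 0xffff888805c9e2a8ULL;  /* "Read of size 8 at addr ..." */
    int b = shadow_byte_at(SHADOW_ROW, bad);
    printf("shadow[%#llx] = 0x%02x (%s)\n", (unsigned long long)bad, b, shadow_meaning(b));
    printf("GPF shadow 0xdffffc0000000004 -> checked address %#llx\n",
           (unsigned long long)shadow_to_addr(0xdffffc0000000004ULL));
    return 0;
}
```

Reading the two results together: the first KASAN splat is a read of a vm_area_struct slot whose shadow is 0xfb, i.e. the object freed on the "Freed by task 743" path (do_munmap called from move_vma at mm/mremap.c:698), and the later GPF is the same function's instrumented access through a pointer that had become NULL, at offset 0x20. Build with `cc -std=c99 -Wall decode.c`.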