Greeting,

FYI, we noticed the following commit (built with gcc-11):

commit: bf68be0c39b8ecc4223b948a9ee126af167d74f0 ("[PATCH v12 6/7] xfs: Implement ->notify_failure() for XFS")
url: https://github.com/intel-lab-lkp/linux/commits/Shiyang-Ruan/fsdax-introduce-fs-query-to-support-reflink/20220411-001048
base: https://github.com/hnaz/linux-mm master
patch link: https://lore.kernel.org/lkml/20220410160904.3758789-7-ruansy.fnst@fujitsu.com

in testcase: xfstests
version: xfstests-x86_64-1de1db8-1_20220217
with following parameters:

	disk: 4HDD
	fs: xfs
	test: xfs-group-05
	ucode: 0x21

test-description: xfstests is a regression test suite for xfs and other filesystems.
test-url: git://git.kernel.org/pub/scm/fs/xfs/xfstests-dev.git

on test machine: 4 threads 1 sockets Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz with 8G memory

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):

If you fix the issue, kindly add following tag
Reported-by: kernel test robot

[   62.111233][ T1606] BUG: KASAN: null-ptr-deref in fs_put_dax (drivers/dax/super.c:116 (discriminator 1))
[   62.117884][ T1606] Write of size 8 at addr 00000000000002f0 by task umount/1606
[   62.125379][ T1606]
[   62.127616][ T1606] CPU: 2 PID: 1606 Comm: umount Not tainted 5.18.0-rc1-mm1-00194-gbf68be0c39b8 #1
[   62.136760][ T1606] Hardware name: Hewlett-Packard HP Pro 3340 MT/17A1, BIOS 8.07 01/24/2013
[   62.145339][ T1606] Call Trace:
[   62.148554][ T1606]
[   62.151404][ T1606] ? fs_put_dax (drivers/dax/super.c:116 (discriminator 1))
[   62.155651][ T1606] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))
[   62.160110][ T1606] kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:493)
[   62.164447][ T1606] ? fs_put_dax (drivers/dax/super.c:116 (discriminator 1))
[   62.168677][ T1606] kasan_check_range (mm/kasan/generic.c:190)
[   62.173427][ T1606] fs_put_dax (drivers/dax/super.c:116 (discriminator 1))
[   62.177519][ T1606] xfs_free_buftarg (fs/xfs/kmem.h:62 fs/xfs/xfs_buf.c:1917) xfs
[   62.182900][ T1606] xfs_fs_put_super (fs/xfs/xfs_super.c:1101) xfs
[   62.188326][ T1606] generic_shutdown_super (fs/super.c:464)
[   62.193636][ T1606] kill_block_super (fs/super.c:1395)
[   62.198325][ T1606] deactivate_locked_super (fs/super.c:339)
[   62.203656][ T1606] cleanup_mnt (fs/namespace.c:138 fs/namespace.c:1187)
[   62.208023][ T1606] ? path_umount (fs/namespace.c:1808)
[   62.212530][ T1606] task_work_run (kernel/task_work.c:166 (discriminator 1))
[   62.216932][ T1606] exit_to_user_mode_loop (include/linux/resume_user_mode.h:49 kernel/entry/common.c:169)
[   62.222253][ T1606] exit_to_user_mode_prepare (kernel/entry/common.c:201)
[   62.227749][ T1606] syscall_exit_to_user_mode (arch/x86/include/asm/jump_label.h:27 include/linux/context_tracking_state.h:31 include/linux/context_tracking.h:40 kernel/entry/common.c:132 kernel/entry/common.c:296)
[   62.233149][ T1606] do_syscall_64 (arch/x86/entry/common.c:87)
[   62.237447][ T1606] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:115)
[   62.243288][ T1606] RIP: 0033:0x7fa858fee507
[   62.247649][ T1606] Code: 19 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 59 19 0c 00 f7 d8 64 89 01 48
All code
========
   0:	19 0c 00             	sbb    %ecx,(%rax,%rax,1)
   3:	f7 d8                	neg    %eax
   5:	64 89 01             	mov    %eax,%fs:(%rcx)
   8:	48 83 c8 ff          	or     $0xffffffffffffffff,%rax
   c:	c3                   	retq
   d:	66 0f 1f 44 00 00    	nopw   0x0(%rax,%rax,1)
  13:	31 f6                	xor    %esi,%esi
  15:	e9 09 00 00 00       	jmpq   0x23
  1a:	66 0f 1f 84 00 00 00 	nopw   0x0(%rax,%rax,1)
  21:	00 00
  23:	b8 a6 00 00 00       	mov    $0xa6,%eax
  28:	0f 05                	syscall
  2a:*	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax		<-- trapping instruction
  30:	73 01                	jae    0x33
  32:	c3                   	retq
  33:	48 8b 0d 59 19 0c 00 	mov    0xc1959(%rip),%rcx        # 0xc1993
  3a:	f7 d8                	neg    %eax
  3c:	64 89 01             	mov    %eax,%fs:(%rcx)
  3f:	48                   	rex.W

Code starting with the faulting instruction
===========================================
   0:	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax
   6:	73 01                	jae    0x9
   8:	c3                   	retq
   9:	48 8b 0d 59 19 0c 00 	mov    0xc1959(%rip),%rcx        # 0xc1969
  10:	f7 d8                	neg    %eax
  12:	64 89 01             	mov    %eax,%fs:(%rcx)
  15:	48                   	rex.W
[   62.267385][ T1606] RSP: 002b:00007ffe344b8b68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[   62.275814][ T1606] RAX: 0000000000000000 RBX: 00005639c92b5970 RCX: 00007fa858fee507
[   62.283744][ T1606] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 00005639c92b5b80
[   62.291682][ T1606] RBP: 0000000000000000 R08: 00005639c92b5ba0 R09: 00007fa85906fe80
[   62.299622][ T1606] R10: 0000000000000000 R11: 0000000000000246 R12: 00005639c92b5b80
[   62.307568][ T1606] R13: 00007fa8591141c4 R14: 00005639c92b5a68 R15: 0000000000000000
[   62.315510][ T1606]
[   62.318445][ T1606] ==================================================================
[   62.326514][ T1606] Disabling lock debugging due to kernel taint
[   62.332634][ T1606] BUG: kernel NULL pointer dereference, address: 00000000000002f0
[   62.340410][ T1606] #PF: supervisor write access in kernel mode
[   62.346422][ T1606] #PF: error_code(0x0002) - not-present page
[   62.352357][ T1606] PGD 0 P4D 0
[   62.355658][ T1606] Oops: 0002 [#1] SMP KASAN PTI
[   62.360475][ T1606] CPU: 2 PID: 1606 Comm: umount Tainted: G    B             5.18.0-rc1-mm1-00194-gbf68be0c39b8 #1
[   62.371045][ T1606] Hardware name: Hewlett-Packard HP Pro 3340 MT/17A1, BIOS 8.07 01/24/2013
[   62.379598][ T1606] RIP: 0010:fs_put_dax (drivers/dax/super.c:116 (discriminator 1))
[   62.384466][ T1606] Code: 40 00 0f 1f 44 00 00 55 48 89 fd 53 48 85 f6 74 27 48 89 f3 48 8d bf f0 02 00 00 be 08 00 00 00 e8 9d a8 29 ff 48 89 d8 31 d2 <f0> 48 0f b1 95 f0 02 00 00 48 39 c3 74 12 48 85 ed 74 0a 48 89 ef
All code
========
   0:	40 00 0f             	add    %cl,(%rdi)
   3:	1f                   	(bad)
   4:	44 00 00             	add    %r8b,(%rax)
   7:	55                   	push   %rbp
   8:	48 89 fd             	mov    %rdi,%rbp
   b:	53                   	push   %rbx
   c:	48 85 f6             	test   %rsi,%rsi
   f:	74 27                	je     0x38
  11:	48 89 f3             	mov    %rsi,%rbx
  14:	48 8d bf f0 02 00 00 	lea    0x2f0(%rdi),%rdi
  1b:	be 08 00 00 00       	mov    $0x8,%esi
  20:	e8 9d a8 29 ff       	callq  0xffffffffff29a8c2
  25:	48 89 d8             	mov    %rbx,%rax
  28:	31 d2                	xor    %edx,%edx
  2a:*	f0 48 0f b1 95 f0 02 	lock cmpxchg %rdx,0x2f0(%rbp)		<-- trapping instruction
  31:	00 00
  33:	48 39 c3             	cmp    %rax,%rbx
  36:	74 12                	je     0x4a
  38:	48 85 ed             	test   %rbp,%rbp
  3b:	74 0a                	je     0x47
  3d:	48 89 ef             	mov    %rbp,%rdi

Code starting with the faulting instruction
===========================================
   0:	f0 48 0f b1 95 f0 02 	lock cmpxchg %rdx,0x2f0(%rbp)
   7:	00 00
   9:	48 39 c3             	cmp    %rax,%rbx
   c:	74 12                	je     0x20
   e:	48 85 ed             	test   %rbp,%rbp
  11:	74 0a                	je     0x1d
  13:	48 89 ef             	mov    %rbp,%rdi
[   62.404142][ T1606] RSP: 0018:ffffc90000f5fd90 EFLAGS: 00010246
[   62.410137][ T1606] RAX: ffff888140f34000 RBX: ffff888140f34000 RCX: ffffffff811992e6
[   62.418085][ T1606] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffffff85c0b600
[   62.426032][ T1606] RBP: 0000000000000000 R08: 0000000000000001 R09: ffffffff85c0b607
[   62.433997][ T1606] R10: fffffbfff0b816c0 R11: 0000000000000000 R12: ffff8882189e80b8
[   62.441943][ T1606] R13: ffff888140f34180 R14: ffff888140f34188 R15: ffff8881312f4180
[   62.449876][ T1606] FS:  00007fa858bc8080(0000) GS:ffff8881aad00000(0000) knlGS:0000000000000000
[   62.458774][ T1606] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   62.465317][ T1606] CR2: 00000000000002f0 CR3: 0000000134b6a002 CR4: 00000000001706e0
[   62.473283][ T1606] Call Trace:
[   62.476463][ T1606]
[   62.479331][ T1606] xfs_free_buftarg (fs/xfs/kmem.h:62 fs/xfs/xfs_buf.c:1917) xfs
[   62.484688][ T1606] xfs_fs_put_super (fs/xfs/xfs_super.c:1101) xfs
[   62.490091][ T1606] generic_shutdown_super (fs/super.c:464)
[   62.495390][ T1606] kill_block_super (fs/super.c:1395)
[   62.500072][ T1606] deactivate_locked_super (fs/super.c:339)
[   62.505394][ T1606] cleanup_mnt (fs/namespace.c:138 fs/namespace.c:1187)
[   62.509717][ T1606] ? path_umount (fs/namespace.c:1808)
[   62.514233][ T1606] task_work_run (kernel/task_work.c:166 (discriminator 1))
[   62.518679][ T1606] exit_to_user_mode_loop (include/linux/resume_user_mode.h:49 kernel/entry/common.c:169)
[   62.524009][ T1606] exit_to_user_mode_prepare (kernel/entry/common.c:201)
[   62.529493][ T1606] syscall_exit_to_user_mode (arch/x86/include/asm/jump_label.h:27 include/linux/context_tracking_state.h:31 include/linux/context_tracking.h:40 kernel/entry/common.c:132 kernel/entry/common.c:296)
[   62.534902][ T1606] do_syscall_64 (arch/x86/entry/common.c:87)
[   62.539220][ T1606] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:115)
[   62.545042][ T1606] RIP: 0033:0x7fa858fee507
[   62.549388][ T1606] Code: 19 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 59 19 0c 00 f7 d8 64 89 01 48
All code
========
   0:	19 0c 00             	sbb    %ecx,(%rax,%rax,1)
   3:	f7 d8                	neg    %eax
   5:	64 89 01             	mov    %eax,%fs:(%rcx)
   8:	48 83 c8 ff          	or     $0xffffffffffffffff,%rax
   c:	c3                   	retq
   d:	66 0f 1f 44 00 00    	nopw   0x0(%rax,%rax,1)
  13:	31 f6                	xor    %esi,%esi
  15:	e9 09 00 00 00       	jmpq   0x23
  1a:	66 0f 1f 84 00 00 00 	nopw   0x0(%rax,%rax,1)
  21:	00 00
  23:	b8 a6 00 00 00       	mov    $0xa6,%eax
  28:	0f 05                	syscall
  2a:*	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax		<-- trapping instruction
  30:	73 01                	jae    0x33
  32:	c3                   	retq
  33:	48 8b 0d 59 19 0c 00 	mov    0xc1959(%rip),%rcx        # 0xc1993
  3a:	f7 d8                	neg    %eax
  3c:	64 89 01             	mov    %eax,%fs:(%rcx)
  3f:	48                   	rex.W

Code starting with the faulting instruction
===========================================
   0:	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax
   6:	73 01                	jae    0x9
   8:	c3                   	retq
   9:	48 8b 0d 59 19 0c 00 	mov    0xc1959(%rip),%rcx        # 0xc1969
  10:	f7 d8                	neg    %eax
  12:	64 89 01             	mov    %eax,%fs:(%rcx)
  15:	48                   	rex.W
[   62.569097][ T1606] RSP: 002b:00007ffe344b8b68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[   62.577467][ T1606] RAX: 0000000000000000 RBX: 00005639c92b5970 RCX: 00007fa858fee507
[   62.585386][ T1606] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 00005639c92b5b80
[   62.593265][ T1606] RBP: 0000000000000000 R08: 00005639c92b5ba0 R09: 00007fa85906fe80
[   62.601248][ T1606] R10: 0000000000000000 R11: 0000000000000246 R12: 00005639c92b5b80
[   62.609151][ T1606] R13: 00007fa8591141c4 R14: 00005639c92b5a68 R15: 0000000000000000
[   62.617075][ T1606]
[   62.619995][ T1606] Modules linked in: xfs dm_mod netconsole btrfs blake2b_generic xor raid6_pq zstd_compress libcrc32c sd_mod t10_pi crc64_rocksoft_generic intel_rapl_msr crc64_rocksoft intel_rapl_common crc64 sg x86_pkg_temp_thermal intel_powerclamp coretemp ipmi_devintf i915 ipmi_msghandler kvm_intel kvm intel_gtt drm_buddy drm_dp_helper ttm irqbypass crct10dif_pclmul crc32_pclmul drm_kms_helper wmi_bmof crc32c_intel syscopyarea ghash_clmulni_intel rapl intel_cstate sysfillrect sysimgblt ahci fb_sys_fops libahci intel_uncore mei_me drm libata mei video wmi ip_tables
[   62.670932][ T1606] CR2: 00000000000002f0
[   62.675025][ T1606] ---[ end trace 0000000000000000 ]---
[   62.680557][ T1606] RIP: 0010:fs_put_dax (drivers/dax/super.c:116 (discriminator 1))
[   62.685457][ T1606] Code: 40 00 0f 1f 44 00 00 55 48 89 fd 53 48 85 f6 74 27 48 89 f3 48 8d bf f0 02 00 00 be 08 00 00 00 e8 9d a8 29 ff 48 89 d8 31 d2 <f0> 48 0f b1 95 f0 02 00 00 48 39 c3 74 12 48 85 ed 74 0a 48 89 ef
All code
========
   0:	40 00 0f             	add    %cl,(%rdi)
   3:	1f                   	(bad)
   4:	44 00 00             	add    %r8b,(%rax)
   7:	55                   	push   %rbp
   8:	48 89 fd             	mov    %rdi,%rbp
   b:	53                   	push   %rbx
   c:	48 85 f6             	test   %rsi,%rsi
   f:	74 27                	je     0x38
  11:	48 89 f3             	mov    %rsi,%rbx
  14:	48 8d bf f0 02 00 00 	lea    0x2f0(%rdi),%rdi
  1b:	be 08 00 00 00       	mov    $0x8,%esi
  20:	e8 9d a8 29 ff       	callq  0xffffffffff29a8c2
  25:	48 89 d8             	mov    %rbx,%rax
  28:	31 d2                	xor    %edx,%edx
  2a:*	f0 48 0f b1 95 f0 02 	lock cmpxchg %rdx,0x2f0(%rbp)		<-- trapping instruction
  31:	00 00
  33:	48 39 c3             	cmp    %rax,%rbx
  36:	74 12                	je     0x4a
  38:	48 85 ed             	test   %rbp,%rbp
  3b:	74 0a                	je     0x47
  3d:	48 89 ef             	mov    %rbp,%rdi

Code starting with the faulting instruction
===========================================
   0:	f0 48 0f b1 95 f0 02 	lock cmpxchg %rdx,0x2f0(%rbp)
   7:	00 00
   9:	48 39 c3             	cmp    %rax,%rbx
   c:	74 12                	je     0x20
   e:	48 85 ed             	test   %rbp,%rbp
  11:	74 0a                	je     0x1d
  13:	48 89 ef             	mov    %rbp,%rdi


To reproduce:

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        sudo bin/lkp install job.yaml           # job file is attached in this email
        bin/lkp split-job --compatible job.yaml # generate the yaml file for lkp run
        sudo bin/lkp run generated-yaml-file

        # if come across any failure that blocks the test,
        # please remove ~/.lkp and /lkp dir to run from a clean state.


-- 
0-DAY CI Kernel Test Service
https://01.org/lkp