* [linux-next:master] [vfs] 632586fb1b: WARNING:at_mm/slub.c:#cache_from_obj
From: kernel test robot @ 2024-06-21 9:24 UTC
To: Mateusz Guzik
Cc: oe-lkp, lkp, Linux Memory Management List, Christian Brauner,
Jan Kara, linux-fsdevel, oliver.sang
Hello,
kernel test robot noticed "WARNING:at_mm/slub.c:#cache_from_obj" on:
commit: 632586fb1b5da157f060730549ad45ba9f5e0371 ("vfs: shave a branch in getname_flags")
https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master
[test failed on linux-next/master 6906a84c482f098d31486df8dc98cead21cce2d0]
in testcase: trinity
version: trinity-i386-abe9de86-1_20230429
with following parameters:

    runtime: 300s
    group: group-04
    nr_groups: 5

compiler: gcc-13
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
(please refer to attached dmesg/kmsg for entire log/backtrace)
we noticed the issue does not always happen, 27 out of 50 runs as below.
but keeps clean on parent.
dff60734fc7606fa 632586fb1b5da157f060730549a
---------------- ---------------------------
       fail:runs  %reproduction    fail:runs
           |             |             |
           :50          54%          27:50     dmesg.BUG:KASAN:double-free_in_getname_flags
           :50          54%          27:50     dmesg.RIP:cache_from_obj
           :50          54%          27:50     dmesg.WARNING:at_mm/slub.c:#cache_from_obj
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <oliver.sang@intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202406211634.7ef4671b-lkp@intel.com
[ 270.294992][ T3903] ------------[ cut here ]------------
[ 270.296024][ T3903] cache_from_obj: Wrong slab cache. names_cache but object is from kmalloc-64
[ 270.297635][ T3903] WARNING: CPU: 1 PID: 3903 at mm/slub.c:4490 cache_from_obj (mm/slub.c:4490 (discriminator 1))
[ 270.299438][ T3903] Modules linked in:
[ 270.300188][ T3903] CPU: 1 PID: 3903 Comm: trinity-c7 Not tainted 6.10.0-rc1-00012-g632586fb1b5d #1
[ 270.301728][ T3903] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[ 270.303625][ T3903] RIP: 0010:cache_from_obj (mm/slub.c:4490 (discriminator 1))
[ 270.322649][ T3903] RSP: 0000:ffffc90005877da0 EFLAGS: 00010246
[ 270.323751][ T3903] RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
[ 270.325199][ T3903] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 270.326772][ T3903] RBP: ffffc90005877dd0 R08: 0000000000000000 R09: 0000000000000000
[ 270.328141][ T3903] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888163657c00
[ 270.329532][ T3903] R13: ffff88810037ea00 R14: ffff8881000418c0 R15: 0000000000000000
[ 270.337444][ T3903] FS: 0000000000000000(0000) GS:ffff8883ae600000(0063) knlGS:00000000f7f8a040
[ 270.339031][ T3903] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
[ 270.340221][ T3903] CR2: 0000000000000004 CR3: 0000000107680000 CR4: 00000000000406b0
[ 270.341572][ T3903] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 270.354716][ T3903] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 270.356112][ T3903] Call Trace:
[ 270.356773][ T3903] <TASK>
[ 270.357370][ T3903] ? show_regs (arch/x86/kernel/dumpstack.c:479)
[ 270.358166][ T3903] ? cache_from_obj (mm/slub.c:4490 (discriminator 1))
[ 270.359164][ T3903] ? __warn (kernel/panic.c:693)
[ 270.359930][ T3903] ? cache_from_obj (mm/slub.c:4490 (discriminator 1))
[ 270.360833][ T3903] ? report_bug (lib/bug.c:180 lib/bug.c:219)
[ 270.361735][ T3903] ? handle_bug (arch/x86/kernel/traps.c:239 (discriminator 1))
[ 270.362633][ T3903] ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1))
[ 270.363485][ T3903] ? asm_exc_invalid_op (arch/x86/include/asm/idtentry.h:621)
[ 270.364477][ T3903] ? cache_from_obj (mm/slub.c:4490 (discriminator 1))
[ 270.365528][ T3903] ? __might_fault (mm/memory.c:6233 (discriminator 1))
[ 270.366514][ T3903] kmem_cache_free (mm/slub.c:4508)
[ 270.367386][ T3903] ? strncpy_from_user (lib/strncpy_from_user.c:145)
[ 270.368374][ T3903] ? ftrace_likely_update (arch/x86/include/asm/smap.h:56 kernel/trace/trace_branch.c:229)
[ 270.369368][ T3903] getname_flags (fs/namei.c:197)
[ 270.370337][ T3903] user_path_at (fs/namei.c:2936)
[ 270.371150][ T3903] __ia32_sys_oldumount (fs/namespace.c:1916 fs/namespace.c:1934 fs/namespace.c:1932 fs/namespace.c:1932)
[ 270.372081][ T3903] ? __pfx___ia32_sys_oldumount (fs/namespace.c:1932)
[ 270.373093][ T3903] ? ftrace_likely_update (arch/x86/include/asm/smap.h:56 kernel/trace/trace_branch.c:229)
[ 270.374009][ T3903] ia32_sys_call (arch/x86/entry/syscall_32.c:42)
[ 270.375005][ T3903] do_int80_emulation (arch/x86/entry/common.c:165 (discriminator 1) arch/x86/entry/common.c:253 (discriminator 1))
[ 270.375956][ T3903] asm_int80_emulation (arch/x86/include/asm/idtentry.h:626)
[ 270.376722][ T3903] RIP: 0023:0xf7f90092
The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20240621/202406211634.7ef4671b-lkp@intel.com
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
* Re: [linux-next:master] [vfs] 632586fb1b: WARNING:at_mm/slub.c:#cache_from_obj
From: Christian Brauner @ 2024-06-21 9:40 UTC
To: kernel test robot
Cc: Mateusz Guzik, oe-lkp, lkp, Linux Memory Management List,
Jan Kara, linux-fsdevel
On Fri, Jun 21, 2024 at 05:24:13PM GMT, kernel test robot wrote:
>
>
> Hello,
>
> kernel test robot noticed "WARNING:at_mm/slub.c:#cache_from_obj" on:
>
> commit: 632586fb1b5da157f060730549ad45ba9f5e0371 ("vfs: shave a branch in getname_flags")
> https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master
Thanks for the report. This is an entertaining typo:
diff --git a/fs/namei.c b/fs/namei.c
index 7bb0419a083d..3d3674c21d3c 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -193,7 +193,7 @@ getname_flags(const char __user *filename, int flags)
}
/* The empty path is special. */
if (unlikely(!len) && !(flags & LOOKUP_EMPTY)) {
- __putname(result);
+ __putname(kname);
kfree(result);
return ERR_PTR(-ENOENT);
}
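Review bot: In the `!len` error branch, `__putname(kname)` followed by `kfree(result)` releases two pointers through two different allocators, and nothing in the hunk says which pointer belongs to which allocator, which is how the `__putname(result)` typo got through. A one-line comment on the pair, or a shared cleanup label used by every error exit that releases both, would make a mismatch stand out in review. The report's "Wrong slab cache. names_cache but object is from kmalloc-64" line matches `result` being the kmalloc object on this path, so the corrected pairing is consistent with the log.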
Folding this into the patch.