From: kernel test robot <oliver.sang@intel.com>
To: Alexei Starovoitov <ast@kernel.org>
Cc: <oe-lkp@lists.linux.dev>, <lkp@intel.com>,
<linux-kernel@vger.kernel.org>, Vlastimil Babka <vbabka@suse.cz>,
Harry Yoo <harry.yoo@oracle.com>, <kasan-dev@googlegroups.com>,
<cgroups@vger.kernel.org>, <linux-mm@kvack.org>,
<oliver.sang@intel.com>
Subject: [linus:master] [slab] af92793e52: BUG_kmalloc-#(Not_tainted):Freepointer_corrupt
Date: Fri, 10 Oct 2025 16:39:12 +0800
Message-ID: <202510101652.7921fdc6-lkp@intel.com>

Hello,

kernel test robot noticed "BUG_kmalloc-#(Not_tainted):Freepointer_corrupt" on:

commit: af92793e52c3a99b828ed4bdd277fd3e11c18d08 ("slab: Introduce kmalloc_nolock() and kfree_nolock().")
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git master

[test failed on linus/master ec714e371f22f716a04e6ecb2a24988c92b26911]
[test failed on linux-next/master 0b2f041c47acb45db82b4e847af6e17eb66cd32d]
[test failed on fix commit 83d59d81b20c09c256099d1c15d7da21969581bd]

in testcase: trinity
version: trinity-i386-abe9de86-1_20230429
with following parameters:

	runtime: 300s
	group: group-01
	nr_groups: 5

config: i386-randconfig-012-20251004
compiler: gcc-14
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

(please refer to attached dmesg/kmsg for entire log/backtrace)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <oliver.sang@intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202510101652.7921fdc6-lkp@intel.com

[ 66.142496][ C0] =============================================================================
[ 66.146355][ C0] BUG kmalloc-96 (Not tainted): Freepointer corrupt
[ 66.147370][ C0] -----------------------------------------------------------------------------
[ 66.147370][ C0]
[ 66.149155][ C0] Allocated in alloc_slab_obj_exts+0x33c/0x460 age=7 cpu=0 pid=3651
[ 66.150496][ C0] kmalloc_nolock_noprof (mm/slub.c:4798 mm/slub.c:5658)
[ 66.151371][ C0] alloc_slab_obj_exts (mm/slub.c:2102 (discriminator 3))
[ 66.152250][ C0] __alloc_tagging_slab_alloc_hook (mm/slub.c:2208 (discriminator 1) mm/slub.c:2224 (discriminator 1))
[ 66.153248][ C0] __kmalloc_cache_noprof (mm/slub.c:5698)
[ 66.154093][ C0] set_mm_walk (include/linux/slab.h:953 include/linux/slab.h:1090 mm/vmscan.c:3852)
[ 66.154810][ C0] try_to_inc_max_seq (mm/vmscan.c:4077)
[ 66.155627][ C0] try_to_shrink_lruvec (mm/vmscan.c:4860 mm/vmscan.c:4903)
[ 66.156512][ C0] shrink_node (mm/vmscan.c:4952 mm/vmscan.c:5091 mm/vmscan.c:6078)
[ 66.157363][ C0] do_try_to_free_pages (mm/vmscan.c:6336 mm/vmscan.c:6398)
[ 66.158233][ C0] try_to_free_pages (mm/vmscan.c:6644)
[ 66.159023][ C0] __alloc_pages_slowpath+0x28b/0x6e0
[ 66.159977][ C0] __alloc_frozen_pages_noprof (mm/page_alloc.c:5161)
[ 66.160941][ C0] __folio_alloc_noprof (mm/page_alloc.c:5183 mm/page_alloc.c:5192)
[ 66.161739][ C0] shmem_alloc_and_add_folio+0x40/0x200
[ 66.162752][ C0] shmem_get_folio_gfp+0x30b/0x880
[ 66.163649][ C0] shmem_fallocate (mm/shmem.c:3813)
[ 66.164498][ C0] Freed in kmem_cache_free_bulk+0x1b/0x50 age=89 cpu=1 pid=248
[ 66.169568][ C0] kmem_cache_free_bulk (mm/slub.c:4875 (discriminator 3) mm/slub.c:5197 (discriminator 3) mm/slub.c:5228 (discriminator 3))
[ 66.170518][ C0] kmem_cache_free_bulk (mm/slub.c:7226)
[ 66.171368][ C0] kvfree_rcu_bulk (include/linux/slab.h:827 mm/slab_common.c:1522)
[ 66.172133][ C0] kfree_rcu_monitor (mm/slab_common.c:1728 (discriminator 3) mm/slab_common.c:1802 (discriminator 3))
[ 66.173002][ C0] kfree_rcu_shrink_scan (mm/slab_common.c:2155)
[ 66.173852][ C0] do_shrink_slab (mm/shrinker.c:438)
[ 66.174640][ C0] shrink_slab (mm/shrinker.c:665)
[ 66.175446][ C0] shrink_node (mm/vmscan.c:338 (discriminator 1) mm/vmscan.c:4960 (discriminator 1) mm/vmscan.c:5091 (discriminator 1) mm/vmscan.c:6078 (discriminator 1))
[ 66.176205][ C0] do_try_to_free_pages (mm/vmscan.c:6336 mm/vmscan.c:6398)
[ 66.177017][ C0] try_to_free_pages (mm/vmscan.c:6644)
[ 66.177808][ C0] __alloc_pages_slowpath+0x28b/0x6e0
[ 66.178851][ C0] __alloc_frozen_pages_noprof (mm/page_alloc.c:5161)
[ 66.179753][ C0] __folio_alloc_noprof (mm/page_alloc.c:5183 mm/page_alloc.c:5192)
[ 66.180583][ C0] folio_prealloc+0x36/0x160
[ 66.181430][ C0] do_anonymous_page (mm/memory.c:4997 mm/memory.c:5054)
[ 66.182288][ C0] do_pte_missing (mm/memory.c:4232)
[ 66.183062][ C0] Slab 0xe41bfb28 objects=21 used=17 fp=0xedf89320 flags=0x40000200(workingset|zone=1)
[ 66.184609][ C0] Object 0xedf89b60 @offset=2912 fp=0xeac7a8b4
[ 66.184609][ C0]
[ 66.185960][ C0] Redzone edf89b40: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
[ 66.187388][ C0] Redzone edf89b50: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
[ 66.189695][ C0] Object edf89b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 66.191175][ C0] Object edf89b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 66.192701][ C0] Object edf89b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 66.194259][ C0] Object edf89b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 66.195753][ C0] Object edf89ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 66.196836][ T248] sed invoked oom-killer: gfp_mask=0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO|__GFP_COMP), order=0, oom_score_adj=-1000
[ 66.197239][ C0] Object edf89bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 66.197395][ C0] Redzone edf89bc0: cc cc cc cc ....
[ 66.197402][ C0] Padding edf89bf4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZ
[ 66.197406][ C0] Disabling lock debugging due to kernel taint
[ 66.203107][ T248] CPU: 1 UID: 0 PID: 248 Comm: sed Not tainted 6.17.0-rc3-00014-gaf92793e52c3 #1 PREEMPTLAZY 2cffa6c1ad8b595a5f5738a3e143d70494d8da79
[ 66.203119][ T248] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 66.203122][ T248] Call Trace:
[ 66.203125][ T248] ? show_stack (arch/x86/kernel/dumpstack.c:319)
[ 66.203139][ T248] dump_stack_lvl (lib/dump_stack.c:122)
[ 66.203148][ T248] dump_stack (lib/dump_stack.c:130)
[ 66.203153][ T248] dump_header (mm/oom_kill.c:468 (discriminator 1))
[ 66.203165][ T248] oom_kill_process.cold (mm/oom_kill.c:450 (discriminator 1) mm/oom_kill.c:1041 (discriminator 1))
[ 66.203174][ T248] out_of_memory (mm/oom_kill.c:1180)
[ 66.203184][ T248] __alloc_pages_may_oom (mm/page_alloc.c:4026)
[ 66.203199][ T248] __alloc_pages_slowpath+0x39d/0x6e0
[ 66.203210][ T248] __alloc_frozen_pages_noprof (mm/page_alloc.c:5161)
[ 66.203221][ T248] __folio_alloc_noprof (mm/page_alloc.c:5183 mm/page_alloc.c:5192)
[ 66.203227][ T248] folio_prealloc+0x36/0x160
[ 66.203234][ T248] do_anonymous_page (mm/memory.c:4997 mm/memory.c:5054)
[ 66.203239][ T248] ? handle_pte_fault (include/linux/rcupdate.h:341 include/linux/rcupdate.h:871 include/linux/pgtable.h:136 mm/memory.c:6046)
[ 66.203244][ T248] ? handle_pte_fault (include/linux/spinlock.h:391 mm/memory.c:6092)
[ 66.203249][ T248] ? rcu_is_watching (kernel/rcu/tree.c:752 (discriminator 4))
[ 66.203256][ T248] do_pte_missing (mm/memory.c:4232)
[ 66.203260][ T248] ? handle_pte_fault (arch/x86/include/asm/preempt.h:104 (discriminator 1) include/linux/rcupdate.h:100 (discriminator 1) include/linux/rcupdate.h:873 (discriminator 1) include/linux/pgtable.h:136 (discriminator 1) mm/memory.c:6046 (discriminator 1))
[ 66.203267][ T248] handle_pte_fault (mm/memory.c:6052)
[ 66.203275][ T248] handle_mm_fault (mm/memory.c:6195 mm/memory.c:6364)
[ 66.203289][ T248] do_user_addr_fault (include/linux/sched/signal.h:423 (discriminator 1) arch/x86/mm/fault.c:1389 (discriminator 1))
[ 66.203301][ T248] exc_page_fault (arch/x86/include/asm/irqflags.h:26 arch/x86/include/asm/irqflags.h:109 arch/x86/include/asm/irqflags.h:151 arch/x86/mm/fault.c:1484 arch/x86/mm/fault.c:1532)
[ 66.203310][ T248] ? pvclock_clocksource_read_nowd (arch/x86/mm/fault.c:1489)
[ 66.203316][ T248] handle_exception (arch/x86/entry/entry_32.S:1055)
[ 66.203319][ T248] EIP: 0xb7d730cf
[ 66.203325][ T248] Code: 8d 04 33 8d 92 40 07 00 00 89 45 38 39 d5 ba 00 00 00 00 0f 44 fa 83 c9 01 09 f7 89 fa 8d 7b 08 83 ca 01 89 53 04 8b 54 24 04 <89> 48 04 89 f8 e8 a7 cb ff ff e9 93 f7 ff ff 8b 44 24 08 8b 74 24
All code
========
0: 8d 04 33 lea (%rbx,%rsi,1),%eax
3: 8d 92 40 07 00 00 lea 0x740(%rdx),%edx
9: 89 45 38 mov %eax,0x38(%rbp)
c: 39 d5 cmp %edx,%ebp
e: ba 00 00 00 00 mov $0x0,%edx
13: 0f 44 fa cmove %edx,%edi
16: 83 c9 01 or $0x1,%ecx
19: 09 f7 or %esi,%edi
1b: 89 fa mov %edi,%edx
1d: 8d 7b 08 lea 0x8(%rbx),%edi
20: 83 ca 01 or $0x1,%edx
23: 89 53 04 mov %edx,0x4(%rbx)
26: 8b 54 24 04 mov 0x4(%rsp),%edx
2a:* 89 48 04 mov %ecx,0x4(%rax) <-- trapping instruction
2d: 89 f8 mov %edi,%eax
2f: e8 a7 cb ff ff call 0xffffffffffffcbdb
34: e9 93 f7 ff ff jmp 0xfffffffffffff7cc
39: 8b 44 24 08 mov 0x8(%rsp),%eax
3d: 8b .byte 0x8b
3e: 74 24 je 0x64
Code starting with the faulting instruction
===========================================
0: 89 48 04 mov %ecx,0x4(%rax)
3: 89 f8 mov %edi,%eax
5: e8 a7 cb ff ff call 0xffffffffffffcbb1
a: e9 93 f7 ff ff jmp 0xfffffffffffff7a2
f: 8b 44 24 08 mov 0x8(%rsp),%eax
13: 8b .byte 0x8b
14: 74 24 je 0x3a
The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20251010/202510101652.7921fdc6-lkp@intel.com
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki