linux-mm.kvack.org archive mirror
* [linus:master] [slab]  af92793e52: BUG_kmalloc-#(Not_tainted):Freepointer_corrupt
@ 2025-10-10  8:39 kernel test robot
  2025-10-13  9:44 ` Harry Yoo
  2025-10-13 14:58 ` Vlastimil Babka
From: kernel test robot @ 2025-10-10  8:39 UTC (permalink / raw)
  To: Alexei Starovoitov
  Cc: oe-lkp, lkp, linux-kernel, Vlastimil Babka, Harry Yoo, kasan-dev,
	cgroups, linux-mm, oliver.sang



Hello,

kernel test robot noticed "BUG_kmalloc-#(Not_tainted):Freepointer_corrupt" on:

commit: af92793e52c3a99b828ed4bdd277fd3e11c18d08 ("slab: Introduce kmalloc_nolock() and kfree_nolock().")
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git master

[test failed on      linus/master ec714e371f22f716a04e6ecb2a24988c92b26911]
[test failed on linux-next/master 0b2f041c47acb45db82b4e847af6e17eb66cd32d]
[test failed on        fix commit 83d59d81b20c09c256099d1c15d7da21969581bd]

in testcase: trinity
version: trinity-i386-abe9de86-1_20230429
with following parameters:

	runtime: 300s
	group: group-01
	nr_groups: 5



config: i386-randconfig-012-20251004
compiler: gcc-14
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

(please refer to attached dmesg/kmsg for entire log/backtrace)



If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <oliver.sang@intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202510101652.7921fdc6-lkp@intel.com


[   66.142496][    C0] =============================================================================
[   66.146355][    C0] BUG kmalloc-96 (Not tainted): Freepointer corrupt
[   66.147370][    C0] -----------------------------------------------------------------------------
[   66.147370][    C0]
[   66.149155][    C0] Allocated in alloc_slab_obj_exts+0x33c/0x460 age=7 cpu=0 pid=3651
[   66.150496][    C0]  kmalloc_nolock_noprof (mm/slub.c:4798 mm/slub.c:5658)
[   66.151371][    C0]  alloc_slab_obj_exts (mm/slub.c:2102 (discriminator 3))
[   66.152250][    C0]  __alloc_tagging_slab_alloc_hook (mm/slub.c:2208 (discriminator 1) mm/slub.c:2224 (discriminator 1))
[   66.153248][    C0]  __kmalloc_cache_noprof (mm/slub.c:5698)
[   66.154093][    C0]  set_mm_walk (include/linux/slab.h:953 include/linux/slab.h:1090 mm/vmscan.c:3852)
[   66.154810][    C0]  try_to_inc_max_seq (mm/vmscan.c:4077)
[   66.155627][    C0]  try_to_shrink_lruvec (mm/vmscan.c:4860 mm/vmscan.c:4903)
[   66.156512][    C0]  shrink_node (mm/vmscan.c:4952 mm/vmscan.c:5091 mm/vmscan.c:6078)
[   66.157363][    C0]  do_try_to_free_pages (mm/vmscan.c:6336 mm/vmscan.c:6398)
[   66.158233][    C0]  try_to_free_pages (mm/vmscan.c:6644)
[   66.159023][    C0]  __alloc_pages_slowpath+0x28b/0x6e0
[   66.159977][    C0]  __alloc_frozen_pages_noprof (mm/page_alloc.c:5161)
[   66.160941][    C0]  __folio_alloc_noprof (mm/page_alloc.c:5183 mm/page_alloc.c:5192)
[   66.161739][    C0]  shmem_alloc_and_add_folio+0x40/0x200
[   66.162752][    C0]  shmem_get_folio_gfp+0x30b/0x880
[   66.163649][    C0]  shmem_fallocate (mm/shmem.c:3813)
[   66.164498][    C0] Freed in kmem_cache_free_bulk+0x1b/0x50 age=89 cpu=1 pid=248
[   66.169568][    C0]  kmem_cache_free_bulk (mm/slub.c:4875 (discriminator 3) mm/slub.c:5197 (discriminator 3) mm/slub.c:5228 (discriminator 3))
[   66.170518][    C0]  kmem_cache_free_bulk (mm/slub.c:7226)
[   66.171368][    C0]  kvfree_rcu_bulk (include/linux/slab.h:827 mm/slab_common.c:1522)
[   66.172133][    C0]  kfree_rcu_monitor (mm/slab_common.c:1728 (discriminator 3) mm/slab_common.c:1802 (discriminator 3))
[   66.173002][    C0]  kfree_rcu_shrink_scan (mm/slab_common.c:2155)
[   66.173852][    C0]  do_shrink_slab (mm/shrinker.c:438)
[   66.174640][    C0]  shrink_slab (mm/shrinker.c:665)
[   66.175446][    C0]  shrink_node (mm/vmscan.c:338 (discriminator 1) mm/vmscan.c:4960 (discriminator 1) mm/vmscan.c:5091 (discriminator 1) mm/vmscan.c:6078 (discriminator 1))
[   66.176205][    C0]  do_try_to_free_pages (mm/vmscan.c:6336 mm/vmscan.c:6398)
[   66.177017][    C0]  try_to_free_pages (mm/vmscan.c:6644)
[   66.177808][    C0]  __alloc_pages_slowpath+0x28b/0x6e0
[   66.178851][    C0]  __alloc_frozen_pages_noprof (mm/page_alloc.c:5161)
[   66.179753][    C0]  __folio_alloc_noprof (mm/page_alloc.c:5183 mm/page_alloc.c:5192)
[   66.180583][    C0]  folio_prealloc+0x36/0x160
[   66.181430][    C0]  do_anonymous_page (mm/memory.c:4997 mm/memory.c:5054)
[   66.182288][    C0]  do_pte_missing (mm/memory.c:4232)
[   66.183062][    C0] Slab 0xe41bfb28 objects=21 used=17 fp=0xedf89320 flags=0x40000200(workingset|zone=1)
[   66.184609][    C0] Object 0xedf89b60 @offset=2912 fp=0xeac7a8b4
[   66.184609][    C0]
[   66.185960][    C0] Redzone  edf89b40: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  ................
[   66.187388][    C0] Redzone  edf89b50: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  ................
[   66.189695][    C0] Object   edf89b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   66.191175][    C0] Object   edf89b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   66.192701][    C0] Object   edf89b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   66.194259][    C0] Object   edf89b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   66.195753][    C0] Object   edf89ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   66.196836][  T248] sed invoked oom-killer: gfp_mask=0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO|__GFP_COMP), order=0, oom_score_adj=-1000
[   66.197239][    C0] Object   edf89bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   66.197395][    C0] Redzone  edf89bc0: cc cc cc cc                                      ....
[   66.197402][    C0] Padding  edf89bf4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a              ZZZZZZZZZZZZ
[   66.197406][    C0] Disabling lock debugging due to kernel taint
[   66.203107][  T248] CPU: 1 UID: 0 PID: 248 Comm: sed Not tainted 6.17.0-rc3-00014-gaf92793e52c3 #1 PREEMPTLAZY  2cffa6c1ad8b595a5f5738a3e143d70494d8da79
[   66.203119][  T248] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   66.203122][  T248] Call Trace:
[   66.203125][  T248]  ? show_stack (arch/x86/kernel/dumpstack.c:319)
[   66.203139][  T248]  dump_stack_lvl (lib/dump_stack.c:122)
[   66.203148][  T248]  dump_stack (lib/dump_stack.c:130)
[   66.203153][  T248]  dump_header (mm/oom_kill.c:468 (discriminator 1))
[   66.203165][  T248]  oom_kill_process.cold (mm/oom_kill.c:450 (discriminator 1) mm/oom_kill.c:1041 (discriminator 1))
[   66.203174][  T248]  out_of_memory (mm/oom_kill.c:1180)
[   66.203184][  T248]  __alloc_pages_may_oom (mm/page_alloc.c:4026)
[   66.203199][  T248]  __alloc_pages_slowpath+0x39d/0x6e0
[   66.203210][  T248]  __alloc_frozen_pages_noprof (mm/page_alloc.c:5161)
[   66.203221][  T248]  __folio_alloc_noprof (mm/page_alloc.c:5183 mm/page_alloc.c:5192)
[   66.203227][  T248]  folio_prealloc+0x36/0x160
[   66.203234][  T248]  do_anonymous_page (mm/memory.c:4997 mm/memory.c:5054)
[   66.203239][  T248]  ? handle_pte_fault (include/linux/rcupdate.h:341 include/linux/rcupdate.h:871 include/linux/pgtable.h:136 mm/memory.c:6046)
[   66.203244][  T248]  ? handle_pte_fault (include/linux/spinlock.h:391 mm/memory.c:6092)
[   66.203249][  T248]  ? rcu_is_watching (kernel/rcu/tree.c:752 (discriminator 4))
[   66.203256][  T248]  do_pte_missing (mm/memory.c:4232)
[   66.203260][  T248]  ? handle_pte_fault (arch/x86/include/asm/preempt.h:104 (discriminator 1) include/linux/rcupdate.h:100 (discriminator 1) include/linux/rcupdate.h:873 (discriminator 1) include/linux/pgtable.h:136 (discriminator 1) mm/memory.c:6046 (discriminator 1))
[   66.203267][  T248]  handle_pte_fault (mm/memory.c:6052)
[   66.203275][  T248]  handle_mm_fault (mm/memory.c:6195 mm/memory.c:6364)
[   66.203289][  T248]  do_user_addr_fault (include/linux/sched/signal.h:423 (discriminator 1) arch/x86/mm/fault.c:1389 (discriminator 1))
[   66.203301][  T248]  exc_page_fault (arch/x86/include/asm/irqflags.h:26 arch/x86/include/asm/irqflags.h:109 arch/x86/include/asm/irqflags.h:151 arch/x86/mm/fault.c:1484 arch/x86/mm/fault.c:1532)
[   66.203310][  T248]  ? pvclock_clocksource_read_nowd (arch/x86/mm/fault.c:1489)
[   66.203316][  T248]  handle_exception (arch/x86/entry/entry_32.S:1055)
[   66.203319][  T248] EIP: 0xb7d730cf
[   66.203325][  T248] Code: 8d 04 33 8d 92 40 07 00 00 89 45 38 39 d5 ba 00 00 00 00 0f 44 fa 83 c9 01 09 f7 89 fa 8d 7b 08 83 ca 01 89 53 04 8b 54 24 04 <89> 48 04 89 f8 e8 a7 cb ff ff e9 93 f7 ff ff 8b 44 24 08 8b 74 24
All code
========
   0:	8d 04 33             	lea    (%rbx,%rsi,1),%eax
   3:	8d 92 40 07 00 00    	lea    0x740(%rdx),%edx
   9:	89 45 38             	mov    %eax,0x38(%rbp)
   c:	39 d5                	cmp    %edx,%ebp
   e:	ba 00 00 00 00       	mov    $0x0,%edx
  13:	0f 44 fa             	cmove  %edx,%edi
  16:	83 c9 01             	or     $0x1,%ecx
  19:	09 f7                	or     %esi,%edi
  1b:	89 fa                	mov    %edi,%edx
  1d:	8d 7b 08             	lea    0x8(%rbx),%edi
  20:	83 ca 01             	or     $0x1,%edx
  23:	89 53 04             	mov    %edx,0x4(%rbx)
  26:	8b 54 24 04          	mov    0x4(%rsp),%edx
  2a:*	89 48 04             	mov    %ecx,0x4(%rax)		<-- trapping instruction
  2d:	89 f8                	mov    %edi,%eax
  2f:	e8 a7 cb ff ff       	call   0xffffffffffffcbdb
  34:	e9 93 f7 ff ff       	jmp    0xfffffffffffff7cc
  39:	8b 44 24 08          	mov    0x8(%rsp),%eax
  3d:	8b                   	.byte 0x8b
  3e:	74 24                	je     0x64

Code starting with the faulting instruction
===========================================
   0:	89 48 04             	mov    %ecx,0x4(%rax)
   3:	89 f8                	mov    %edi,%eax
   5:	e8 a7 cb ff ff       	call   0xffffffffffffcbb1
   a:	e9 93 f7 ff ff       	jmp    0xfffffffffffff7a2
   f:	8b 44 24 08          	mov    0x8(%rsp),%eax
  13:	8b                   	.byte 0x8b
  14:	74 24                	je     0x3a


The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20251010/202510101652.7921fdc6-lkp@intel.com



-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki




* Re: [linus:master] [slab]  af92793e52: BUG_kmalloc-#(Not_tainted):Freepointer_corrupt
  2025-10-10  8:39 [linus:master] [slab] af92793e52: BUG_kmalloc-#(Not_tainted):Freepointer_corrupt kernel test robot
@ 2025-10-13  9:44 ` Harry Yoo
  2025-10-13 14:23   ` Vlastimil Babka
  2025-10-14 20:53   ` kmemleak and bpf_timer. Was: " Alexei Starovoitov
  2025-10-13 14:58 ` Vlastimil Babka
From: Harry Yoo @ 2025-10-13  9:44 UTC (permalink / raw)
  To: kernel test robot
  Cc: Alexei Starovoitov, oe-lkp, lkp, linux-kernel, Vlastimil Babka,
	kasan-dev, cgroups, linux-mm

On Fri, Oct 10, 2025 at 04:39:12PM +0800, kernel test robot wrote:
> 
> 
> Hello,
> 
> kernel test robot noticed "BUG_kmalloc-#(Not_tainted):Freepointer_corrupt" on:
> 
> commit: af92793e52c3a99b828ed4bdd277fd3e11c18d08 ("slab: Introduce kmalloc_nolock() and kfree_nolock().")
> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git
> 
> [test failed on      linus/master ec714e371f22f716a04e6ecb2a24988c92b26911]
> [test failed on linux-next/master 0b2f041c47acb45db82b4e847af6e17eb66cd32d]
> [test failed on        fix commit 83d59d81b20c09c256099d1c15d7da21969581bd]
> 
> in testcase: trinity
> version: trinity-i386-abe9de86-1_20230429
> with following parameters:
> 
> 	runtime: 300s
> 	group: group-01
> 	nr_groups: 5
> 
> config: i386-randconfig-012-20251004
> compiler: gcc-14
> test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
> 
> (please refer to attached dmesg/kmsg for entire log/backtrace)
> 
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add the following tags
> | Reported-by: kernel test robot <oliver.sang@intel.com>
> | Closes: https://lore.kernel.org/oe-lkp/202510101652.7921fdc6-lkp@intel.com
> 
> [   66.142496][    C0] =============================================================================
> [   66.146355][    C0] BUG kmalloc-96 (Not tainted): Freepointer corrupt
> [   66.147370][    C0] -----------------------------------------------------------------------------
> [   66.147370][    C0]
> [   66.149155][    C0] Allocated in alloc_slab_obj_exts+0x33c/0x460 age=7 cpu=0 pid=3651
> [   66.150496][    C0]  kmalloc_nolock_noprof (mm/slub.c:4798 mm/slub.c:5658)
> [   66.151371][    C0]  alloc_slab_obj_exts (mm/slub.c:2102 (discriminator 3))
> [   66.152250][    C0]  __alloc_tagging_slab_alloc_hook (mm/slub.c:2208 (discriminator 1) mm/slub.c:2224 (discriminator 1))
> [   66.153248][    C0]  __kmalloc_cache_noprof (mm/slub.c:5698)
> [   66.154093][    C0]  set_mm_walk (include/linux/slab.h:953 include/linux/slab.h:1090 mm/vmscan.c:3852)
> [   66.154810][    C0]  try_to_inc_max_seq (mm/vmscan.c:4077)
> [   66.155627][    C0]  try_to_shrink_lruvec (mm/vmscan.c:4860 mm/vmscan.c:4903)
> [   66.156512][    C0]  shrink_node (mm/vmscan.c:4952 mm/vmscan.c:5091 mm/vmscan.c:6078)
> [   66.157363][    C0]  do_try_to_free_pages (mm/vmscan.c:6336 mm/vmscan.c:6398)
> [   66.158233][    C0]  try_to_free_pages (mm/vmscan.c:6644)
> [   66.159023][    C0]  __alloc_pages_slowpath+0x28b/0x6e0
> [   66.159977][    C0]  __alloc_frozen_pages_noprof (mm/page_alloc.c:5161)
> [   66.160941][    C0]  __folio_alloc_noprof (mm/page_alloc.c:5183 mm/page_alloc.c:5192)
> [   66.161739][    C0]  shmem_alloc_and_add_folio+0x40/0x200
> [   66.162752][    C0]  shmem_get_folio_gfp+0x30b/0x880
> [   66.163649][    C0]  shmem_fallocate (mm/shmem.c:3813)
> [   66.164498][    C0] Freed in kmem_cache_free_bulk+0x1b/0x50 age=89 cpu=1 pid=248

> [   66.169568][    C0]  kmem_cache_free_bulk (mm/slub.c:4875 (discriminator 3) mm/slub.c:5197 (discriminator 3) mm/slub.c:5228 (discriminator 3))
> [   66.170518][    C0]  kmem_cache_free_bulk (mm/slub.c:7226)
> [   66.171368][    C0]  kvfree_rcu_bulk (include/linux/slab.h:827 mm/slab_common.c:1522)
> [   66.172133][    C0]  kfree_rcu_monitor (mm/slab_common.c:1728 (discriminator 3) mm/slab_common.c:1802 (discriminator 3))
> [   66.173002][    C0]  kfree_rcu_shrink_scan (mm/slab_common.c:2155)
> [   66.173852][    C0]  do_shrink_slab (mm/shrinker.c:438)
> [   66.174640][    C0]  shrink_slab (mm/shrinker.c:665)
> [   66.175446][    C0]  shrink_node (mm/vmscan.c:338 (discriminator 1) mm/vmscan.c:4960 (discriminator 1) mm/vmscan.c:5091 (discriminator 1) mm/vmscan.c:6078 (discriminator 1))
> [   66.176205][    C0]  do_try_to_free_pages (mm/vmscan.c:6336 mm/vmscan.c:6398)
> [   66.177017][    C0]  try_to_free_pages (mm/vmscan.c:6644)
> [   66.177808][    C0]  __alloc_pages_slowpath+0x28b/0x6e0
> [   66.178851][    C0]  __alloc_frozen_pages_noprof (mm/page_alloc.c:5161)
> [   66.179753][    C0]  __folio_alloc_noprof (mm/page_alloc.c:5183 mm/page_alloc.c:5192)
> [   66.180583][    C0]  folio_prealloc+0x36/0x160
> [   66.181430][    C0]  do_anonymous_page (mm/memory.c:4997 mm/memory.c:5054)
> [   66.182288][    C0]  do_pte_missing (mm/memory.c:4232)

So here we are freeing an object that is allocated via kmalloc_nolock().
(And before being allocated via kmalloc_nolock(), it was freed via
kfree_rcu()).

> [   66.183062][    C0] Slab 0xe41bfb28 objects=21 used=17 fp=0xedf89320 flags=0x40000200(workingset|zone=1)
> [   66.184609][    C0] Object 0xedf89b60 @offset=2912 fp=0xeac7a8b4

fp=0xeac7a8b4

The address of the object is 0xedf89b60.

0xedf89b60 - 0xeac7a8b4 = 0x330f2ac

If FP was not corrupted, the object pointed to by FP is
too far away for them to be in the same slab.

That may suggest that some code built a list of free objects
across multiple slabs/caches. That's what deferred free does!

But in free_deferred_objects(), we have:
> /*
>  * In PREEMPT_RT irq_work runs in per-cpu kthread, so it's safe
>  * to take sleeping spin_locks from __slab_free() and deactivate_slab().
>  * In !PREEMPT_RT irq_work will run after local_unlock_irqrestore().
>  */
> static void free_deferred_objects(struct irq_work *work)
> {
>         struct defer_free *df = container_of(work, struct defer_free, work);
>         struct llist_head *objs = &df->objects;
>         struct llist_head *slabs = &df->slabs;
>         struct llist_node *llnode, *pos, *t;
>
>         if (llist_empty(objs) && llist_empty(slabs))
>                 return;
>
>         llnode = llist_del_all(objs);
>         llist_for_each_safe(pos, t, llnode) {
>                 struct kmem_cache *s;
>                 struct slab *slab;
>                 void *x = pos;
>
>                 slab = virt_to_slab(x);
>                 s = slab->slab_cache;
>
>                 /*
>                  * We used freepointer in 'x' to link 'x' into df->objects.
>                  * Clear it to NULL to avoid false positive detection
>                  * of "Freepointer corruption".
>                  */
>                 *(void **)x = NULL;
>
>                 /* Point 'x' back to the beginning of allocated object */
>                 x -= s->offset;
>                 __slab_free(s, slab, x, x, 1, _THIS_IP_);
>         }
>

This should have cleared the FP before freeing it.

Oh wait, there are more in the dmesg:
> [   67.073014][    C1] ------------[ cut here ]------------
> [   67.074039][    C1] WARNING: CPU: 1 PID: 3894 at mm/slub.c:1209 object_err+0x4d/0x6d
> [   67.075394][    C1] Modules linked in: evdev serio_raw tiny_power_button fuse drm drm_panel_orientation_quirks stm_p_basic
> [   67.077222][    C1] CPU: 1 UID: 0 PID: 3894 Comm: sed Tainted: G    B   W           6.17.0-rc3-00014-gaf92793e52c3 #1 PREEMPTLAZY  2cffa6c1ad8b595a5f5738a3e143d70494d8da79
> [   67.079495][    C1] Tainted: [B]=BAD_PAGE, [W]=WARN
> [   67.080303][    C1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
> [   67.085915][    C1] EIP: object_err+0x4d/0x6d
> [   67.086691][    C1] Code: 8b 45 fc e8 95 fe ff ff ba 01 00 00 00 b8 05 00 00 00 e8 46 1e 12 00 6a 01 31 c9 ba 01 00 00 00 b8 f8 84 76 db e8 b3 e1 2b 00 <0f> 0b 6a 01 31 c9 ba 01 00 00 00 b8 e0 84 76 db e8 9e e1 2b 00 83
> [   67.089537][    C1] EAX: 00000000 EBX: c10012c0 ECX: 00000000 EDX: 00000000
> [   67.090581][    C1] ESI: aacfa894 EDI: edf89320 EBP: ed7477b8 ESP: ed7477a0
> [   67.091578][    C1] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 EFLAGS: 00010046
> [   67.092767][    C1] CR0: 80050033 CR2: b7fa58c8 CR3: 01b5b000 CR4: 000406d0
> [   67.093840][    C1] Call Trace:
> [   67.094450][    C1]  check_object.cold+0x11/0x17
> [   67.095280][    C1]  free_debug_processing+0x111/0x300
> [   67.096076][    C1]  free_to_partial_list+0x62/0x440
> [   67.101664][    C1]  ? free_deferred_objects+0x3e/0x110
> [   67.104785][    C1]  __slab_free+0x2b7/0x5d0
> [   67.105539][    C1]  ? free_deferred_objects+0x3e/0x110
> [   67.106362][    C1]  ? rcu_is_watching+0x3f/0x80
> [   67.107090][    C1]  free_deferred_objects+0x4d/0x110

Hmm... did we somehow clear the wrong FP, or is the freepointer set again
after we cleared it?

-- 
Cheers,
Harry / Hyeonggon

> [   67.107872][    C1]  ? free_deferred_objects+0x3e/0x110
> [   67.108728][    C1]  irq_work_single+0x65/0xa0
> [   67.109517][    C1]  ? exc_nmi_kvm_vmx+0x10/0x10
> [   67.110312][    C1]  irq_work_run_list+0x49/0x70
> [   67.111598][    C1]  irq_work_run+0x13/0x30
> [   67.112335][    C1]  __sysvec_irq_work+0x31/0x180
> [   67.113193][    C1]  sysvec_irq_work+0x20/0x40
> [   67.113929][    C1]  handle_exception+0x130/0x130
> [   67.114690][    C1] EIP: default_send_IPI_self+0x46/0x90
> [   67.115541][    C1] Code: 10 74 14 90 f3 90 8b 0d 44 12 21 db 8b 91 00 d3 ff ff 80 e6 10 75 ed 0d 00 00 04 00 8b 1d 44 12 21 db 8d 93 00 d3 ff ff 89 02 <5b> 5d 31 c0 31 d2 31 c9 c3 90 bb e8 03 00 00 eb 1d 2e 8d b4 26 00
> [   67.118357][    C1] EAX: 000400f6 EBX: fffff000 ECX: 00000000 EDX: ffffc300
> [   67.119453][    C1] ESI: e3a744b4 EDI: 00000000 EBP: ed74798c ESP: ed747988
> [   67.120512][    C1] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 EFLAGS: 00000206
> [   67.122323][    C1]  ? exc_nmi_kvm_vmx+0x10/0x10
> [   67.123079][    C1]  ? exc_nmi_kvm_vmx+0x10/0x10
> [   67.123844][    C1]  ? default_send_IPI_self+0x46/0x90
> [   67.124887][    C1]  arch_irq_work_raise+0x2d/0x40
> [   67.136148][    C1]  __irq_work_queue_local+0x7d/0xf0
> [   67.137164][    C1]  irq_work_queue+0x31/0x80
> [   67.137861][    C1]  defer_free+0x88/0xc0
> [   67.138648][    C1]  kfree_nolock+0x28e/0x310
> [   67.139653][    C1]  __free_slab+0x255/0x270
> [   67.140674][    C1]  free_slab+0x3f/0xe0
> [   67.141574][    C1]  free_to_partial_list+0x1df/0x440
> [   67.142787][    C1]  __slab_free+0x2b7/0x5d0
> [   67.147520][    C1]  ? shrink_node+0x2a7/0x310
> [   67.149260][    C1]  ? shrink_slab+0x266/0x4a0
> [   67.151002][    C1]  ? shrink_slab+0x266/0x4a0
> [   67.151677][    C1]  ? shrink_node+0x2a7/0x310
> [   67.153337][    C1]  kfree+0x6e8/0x7c0
> [   67.154927][    C1]  ? shrink_node+0x2a7/0x310
> [   67.155561][    C1]  ? shrink_node+0x2a7/0x310
> [   67.157219][    C1]  shrink_node+0x2a7/0x310
> [   67.158828][    C1]  do_try_to_free_pages+0xdc/0x460
> [   67.159562][    C1]  try_to_free_pages+0xf5/0x150
> [   67.161292][    C1]  __alloc_pages_slowpath+0x28b/0x6e0
> [   67.163233][    C1]  __alloc_frozen_pages_noprof+0x311/0x360
> [   67.165155][    C1]  __folio_alloc_noprof+0x15/0x30
> [   67.166890][    C1]  folio_prealloc+0xa9/0x160
> [   67.167616][    C1]  ? __vmf_anon_prepare+0x70/0x100
> [   67.169438][    C1]  do_cow_fault+0x4b/0x1f0
> [   67.171212][    C1]  ? rcu_is_watching+0x3f/0x80
> [   67.172994][    C1]  do_pte_missing+0xe5/0x380
> [   67.173688][    C1]  ? mt_find+0x154/0x370
> [   67.175381][    C1]  handle_pte_fault+0x20a/0x360
> [   67.177160][    C1]  handle_mm_fault+0x1a4/0x440
> [   67.178905][    C1]  do_user_addr_fault+0x1e3/0x440
> [   67.179640][    C1]  exc_page_fault+0x59/0x1e0
> [   67.182691][    C1]  ? pvclock_clocksource_read_nowd+0x190/0x190
> [   67.183626][    C1]  handle_exception+0x130/0x130
> [   67.185384][    C1] EIP: clear_user+0x64/0xb0
> [   67.187106][    C1] Code: 00 00 b8 50 2b 87 db e8 0a 7b fe fe ba 42 00 00 00 b8 53 61 13 db e8 9b 1f 16 ff 89 da 83 e2 03 c1 eb 02 89 d9 31 c0 8d 76 00 <f3> ab 89 d1 f3 aa 8d 76 00 5a 89 c8 8d 65 f8 5b 5f 5d 31 d2 31 c9
> [   67.192838][    C1] EAX: 00000000 EBX: 000001ce ECX: 000001ce EDX: 00000000
> [   67.194893][    C1] ESI: ebb68e60 EDI: b7fa58c8 EBP: ed747e40 ESP: ed747e34
> [   67.196892][    C1] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 EFLAGS: 00010246
> [   67.199084][    C1]  ? pvclock_clocksource_read_nowd+0x190/0x190
> [   67.201015][    C1]  ? pvclock_clocksource_read_nowd+0x190/0x190
> [   67.202993][    C1]  ? clear_user+0x64/0xb0
> [   67.203649][    C1]  elf_load+0x1e1/0x210
> [   67.205361][    C1]  load_elf_interp+0x358/0x400
> [   67.207199][    C1]  load_elf_binary+0xaac/0xdf0
> [   67.209031][    C1]  ? _raw_read_unlock+0x58/0x90
> [   67.210775][    C1]  exec_binprm+0x18b/0x3d0
> [   67.211490][    C1]  bprm_execve+0xc7/0x1b0
> [   67.213251][    C1]  do_execveat_common+0x1b8/0x1f0
> [   67.215058][    C1]  __ia32_sys_execve+0x2a/0x40
> [   67.216813][    C1]  ia32_sys_call+0xf28/0xf90
> [   67.217503][    C1]  do_int80_syscall_32+0x53/0x2c0
> [   67.219303][    C1]  entry_INT80_32+0xf0/0xf0
> [   67.221070][    C1] EIP: 0xb7fba092
> [   67.221648][    C1] Code: Unable to access opcode bytes at 0xb7fba068.
> [   67.223619][    C1] EAX: ffffffda EBX: 02380764 ECX: 023884c8 EDX: 02388504
> [   67.226356][    C1] ESI: 02380764 EDI: 023884c8 EBP: bfe2b794 ESP: bfe2b674
> [   67.229021][    C1] DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 007b EFLAGS: 00000292
> [   67.235135][    C1] irq event stamp: 0
> [   67.235815][    C1] hardirqs last  enabled at (0): [<00000000>] 0x0
> [   67.236788][    C1] hardirqs last disabled at (0): [<d973f5a4>] copy_process+0x6f4/0x18d0
> [   67.239586][    C1] softirqs last  enabled at (0): [<d973f5ae>] copy_process+0x6fe/0x18d0
> [   67.241811][    C1] softirqs last disabled at (0): [<00000000>] 0x0
> [   67.243308][    C1] ---[ end trace 0000000000000000 ]---
> [   67.244517][    C1] FIX kmalloc-96: Object at 0xedf89320 not freed
> [   66.184609][    C0]
> [   66.185960][    C0] Redzone  edf89b40: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  ................
> [   66.187388][    C0] Redzone  edf89b50: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  ................
> [   66.189695][    C0] Object   edf89b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> [   66.191175][    C0] Object   edf89b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> [   66.192701][    C0] Object   edf89b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> [   66.194259][    C0] Object   edf89b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> [   66.195753][    C0] Object   edf89ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> [   66.196836][  T248] sed invoked oom-killer: gfp_mask=0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO|__GFP_COMP), order=0, oom_score_adj=-1000
> [   66.197239][    C0] Object   edf89bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> [   66.197395][    C0] Redzone  edf89bc0: cc cc cc cc                                      ....
>
> [   66.197402][    C0] Padding  edf89bf4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a              ZZZZZZZZZZZZ
> [   66.197406][    C0] Disabling lock debugging due to kernel taint



* Re: [linus:master] [slab] af92793e52: BUG_kmalloc-#(Not_tainted):Freepointer_corrupt
  2025-10-13  9:44 ` Harry Yoo
@ 2025-10-13 14:23   ` Vlastimil Babka
  2025-10-13 18:30     ` Harry Yoo
  2025-10-14 20:53   ` kmemleak and bpf_timer. Was: " Alexei Starovoitov
From: Vlastimil Babka @ 2025-10-13 14:23 UTC (permalink / raw)
  To: Harry Yoo, kernel test robot
  Cc: Alexei Starovoitov, oe-lkp, lkp, linux-kernel, kasan-dev,
	cgroups, linux-mm

On 10/13/25 11:44, Harry Yoo wrote:
> On Fri, Oct 10, 2025 at 04:39:12PM +0800, kernel test robot wrote:
>> 
>> 
>> Hello,
>> 
>> kernel test robot noticed "BUG_kmalloc-#(Not_tainted):Freepointer_corrupt" on:
>> 
>> commit: af92793e52c3a99b828ed4bdd277fd3e11c18d08 ("slab: Introduce kmalloc_nolock() and kfree_nolock().")
>> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git
>> 
>> [test failed on      linus/master ec714e371f22f716a04e6ecb2a24988c92b26911]
>> [test failed on linux-next/master 0b2f041c47acb45db82b4e847af6e17eb66cd32d]
>> [test failed on        fix commit 83d59d81b20c09c256099d1c15d7da21969581bd]
>> 
>> in testcase: trinity
>> version: trinity-i386-abe9de86-1_20230429
>> with following parameters:
>> 
>> 	runtime: 300s
>> 	group: group-01
>> 	nr_groups: 5
>> 
>> config: i386-randconfig-012-20251004
>> compiler: gcc-14
>> test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
>> 
>> (please refer to attached dmesg/kmsg for entire log/backtrace)
>> 
>> If you fix the issue in a separate patch/commit (i.e. not just a new version of
>> the same patch/commit), kindly add the following tags
>> | Reported-by: kernel test robot <oliver.sang@intel.com>
>> | Closes: https://lore.kernel.org/oe-lkp/202510101652.7921fdc6-lkp@intel.com
>> 
>> [   66.142496][    C0] =============================================================================
>> [   66.146355][    C0] BUG kmalloc-96 (Not tainted): Freepointer corrupt
>> [   66.147370][    C0] -----------------------------------------------------------------------------
>> [   66.147370][    C0]
>> [   66.149155][    C0] Allocated in alloc_slab_obj_exts+0x33c/0x460 age=7 cpu=0 pid=3651
>> [   66.150496][    C0]  kmalloc_nolock_noprof (mm/slub.c:4798 mm/slub.c:5658)
>> [   66.151371][    C0]  alloc_slab_obj_exts (mm/slub.c:2102 (discriminator 3))
>> [   66.152250][    C0]  __alloc_tagging_slab_alloc_hook (mm/slub.c:2208 (discriminator 1) mm/slub.c:2224 (discriminator 1))
>> [   66.153248][    C0]  __kmalloc_cache_noprof (mm/slub.c:5698)
>> [   66.154093][    C0]  set_mm_walk (include/linux/slab.h:953 include/linux/slab.h:1090 mm/vmscan.c:3852)
>> [   66.154810][    C0]  try_to_inc_max_seq (mm/vmscan.c:4077)
>> [   66.155627][    C0]  try_to_shrink_lruvec (mm/vmscan.c:4860 mm/vmscan.c:4903)
>> [   66.156512][    C0]  shrink_node (mm/vmscan.c:4952 mm/vmscan.c:5091 mm/vmscan.c:6078)
>> [   66.157363][    C0]  do_try_to_free_pages (mm/vmscan.c:6336 mm/vmscan.c:6398)
>> [   66.158233][    C0]  try_to_free_pages (mm/vmscan.c:6644)
>> [   66.159023][    C0]  __alloc_pages_slowpath+0x28b/0x6e0
>> [   66.159977][    C0]  __alloc_frozen_pages_noprof (mm/page_alloc.c:5161)
>> [   66.160941][    C0]  __folio_alloc_noprof (mm/page_alloc.c:5183 mm/page_alloc.c:5192)
>> [   66.161739][    C0]  shmem_alloc_and_add_folio+0x40/0x200
>> [   66.162752][    C0]  shmem_get_folio_gfp+0x30b/0x880
>> [   66.163649][    C0]  shmem_fallocate (mm/shmem.c:3813)
>> [   66.164498][    C0] Freed in kmem_cache_free_bulk+0x1b/0x50 age=89 cpu=1 pid=248
> 
>> [   66.169568][    C0]  kmem_cache_free_bulk (mm/slub.c:4875 (discriminator 3) mm/slub.c:5197 (discriminator 3) mm/slub.c:5228 (discriminator 3))
>> [   66.170518][    C0]  kmem_cache_free_bulk (mm/slub.c:7226)
>> [   66.171368][    C0]  kvfree_rcu_bulk (include/linux/slab.h:827 mm/slab_common.c:1522)
>> [   66.172133][    C0]  kfree_rcu_monitor (mm/slab_common.c:1728 (discriminator 3) mm/slab_common.c:1802 (discriminator 3))
>> [   66.173002][    C0]  kfree_rcu_shrink_scan (mm/slab_common.c:2155)
>> [   66.173852][    C0]  do_shrink_slab (mm/shrinker.c:438)
>> [   66.174640][    C0]  shrink_slab (mm/shrinker.c:665)
>> [   66.175446][    C0]  shrink_node (mm/vmscan.c:338 (discriminator 1) mm/vmscan.c:4960 (discriminator 1) mm/vmscan.c:5091 (discriminator 1) mm/vmscan.c:6078 (discriminator 1))
>> [   66.176205][    C0]  do_try_to_free_pages (mm/vmscan.c:6336 mm/vmscan.c:6398)
>> [   66.177017][    C0]  try_to_free_pages (mm/vmscan.c:6644)
>> [   66.177808][    C0]  __alloc_pages_slowpath+0x28b/0x6e0
>> [   66.178851][    C0]  __alloc_frozen_pages_noprof (mm/page_alloc.c:5161)
>> [   66.179753][    C0]  __folio_alloc_noprof (mm/page_alloc.c:5183 mm/page_alloc.c:5192)
>> [   66.180583][    C0]  folio_prealloc+0x36/0x160
>> [   66.181430][    C0]  do_anonymous_page (mm/memory.c:4997 mm/memory.c:5054)
>> [   66.182288][    C0]  do_pte_missing (mm/memory.c:4232)
> 
> So here we are freeing an object that is allocated via kmalloc_nolock().
> (And before being allocated via kmalloc_nolock(), it was freed via
> kfree_rcu()).
> 
>> [   66.183062][    C0] Slab 0xe41bfb28 objects=21 used=17 fp=0xedf89320 flags=0x40000200(workingset|zone=1)
>> [   66.184609][    C0] Object 0xedf89b60 @offset=2912 fp=0xeac7a8b4
> 
> fp=0xeac7a8b4
> 
> The address of the object is 0xedf89b60.
> 
> 0xedf89b60 - 0xeac7a8b4 = 0x330f2ac
> 
> If FP was not corrupted, the object pointed to by FP is
> too far away for them to be in the same slab.
> 
> That may suggest that some code built a list of free objects
> across multiple slabs/caches. That's what deferred free does!
> 
> But in free_deferred_objects(), we have:
>> /*
>>  * In PREEMPT_RT irq_work runs in per-cpu kthread, so it's safe
>>  * to take sleeping spin_locks from __slab_free() and deactivate_slab().
>>  * In !PREEMPT_RT irq_work will run after local_unlock_irqrestore().
>>  */
>> static void free_deferred_objects(struct irq_work *work)
>> {
>>         struct defer_free *df = container_of(work, struct defer_free, work);
>>         struct llist_head *objs = &df->objects;
>>         struct llist_head *slabs = &df->slabs;
>>         struct llist_node *llnode, *pos, *t;
>>
>>         if (llist_empty(objs) && llist_empty(slabs))
>>                 return;
>>
>>         llnode = llist_del_all(objs);
>>         llist_for_each_safe(pos, t, llnode) {
>>                 struct kmem_cache *s;
>>                 struct slab *slab;
>>                 void *x = pos;
>>
>>                 slab = virt_to_slab(x);
>>                 s = slab->slab_cache; 
>>    
>>                 /*
>>                  * We used freepointer in 'x' to link 'x' into df->objects.
>>                  * Clear it to NULL to avoid false positive detection
>>                  * of "Freepointer corruption".
>>                  */
>>                 *(void **)x = NULL;

Oh wait, isn't it just the case that this is not using set_freepointer() and
with CONFIG_SLAB_FREELIST_HARDENED even the NULL is encoded as a non-NULL?

>>
>>                 /* Point 'x' back to the beginning of allocated object */
>>                 x -= s->offset;
>>                 __slab_free(s, slab, x, x, 1, _THIS_IP_);
>>         }
>>
> 
> This should have cleared the FP before freeing it.
> 
> Oh wait, there are more in the dmesg:
>> [   67.073014][    C1] ------------[ cut here ]------------
>> [   67.074039][    C1] WARNING: CPU: 1 PID: 3894 at mm/slub.c:1209 object_err+0x4d/0x6d
>> [   67.075394][    C1] Modules linked in: evdev serio_raw tiny_power_button fuse drm drm_panel_orientation_quirks stm_p_basic
>> [   67.077222][    C1] CPU: 1 UID: 0 PID: 3894 Comm: sed Tainted: G    B   W           6.17.0-rc3-00014-gaf92793e52c3 #1 PREEMPTLAZY  2cffa6c1ad8b595a5f5738a3e143d70494d8da79
>> [   67.079495][    C1] Tainted: [B]=BAD_PAGE, [W]=WARN
>> [   67.080303][    C1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
>> [   67.085915][    C1] EIP: object_err+0x4d/0x6d
>> [   67.086691][    C1] Code: 8b 45 fc e8 95 fe ff ff ba 01 00 00 00 b8 05 00 00 00 e8 46 1e 12 00 6a 01 31 c9 ba 01 00 00 00 b8 f8 84 76 db e8 b3 e1 2b 00 <0f> 0b 6a 01 31 c9 ba 01 00 00 00 b8 e0 84 76 db e8 9e e1 2b 00 83
>> [   67.089537][    C1] EAX: 00000000 EBX: c10012c0 ECX: 00000000 EDX: 00000000
>> [   67.090581][    C1] ESI: aacfa894 EDI: edf89320 EBP: ed7477b8 ESP: ed7477a0
>> [   67.091578][    C1] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 EFLAGS: 00010046
>> [   67.092767][    C1] CR0: 80050033 CR2: b7fa58c8 CR3: 01b5b000 CR4: 000406d0
>> [   67.093840][    C1] Call Trace:
>> [   67.094450][    C1]  check_object.cold+0x11/0x17
>> [   67.095280][    C1]  free_debug_processing+0x111/0x300
>> [   67.096076][    C1]  free_to_partial_list+0x62/0x440
>> [   67.101664][    C1]  ? free_deferred_objects+0x3e/0x110
>> [   67.104785][    C1]  __slab_free+0x2b7/0x5d0
>> [   67.105539][    C1]  ? free_deferred_objects+0x3e/0x110
>> [   67.106362][    C1]  ? rcu_is_watching+0x3f/0x80
>> [   67.107090][    C1]  free_deferred_objects+0x4d/0x110
> 
> Hmm... did we somehow clear wrong FP or is the freepointer set again
> after we cleared it?
> 
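Vlastimil's observation above (and Harry's arithmetic earlier, showing the decoded fp landing far outside the slab) can be replayed in a userspace model. This is an added example, not kernel code: struct kmem_cache and struct slab are cut-down stand-ins, the XOR-with-swab arithmetic follows freelist_ptr_encode(), and the object size, offset, slab memory and per-cache key are constructed values.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed, cut-down stand-ins for the kernel's structures. */
#define SLAB_OBJECTS 21                 /* objects=21, as in the splat */
struct kmem_cache {
	size_t size;                    /* object stride within the slab */
	size_t offset;                  /* freepointer slot offset in an object */
	unsigned long random;           /* per-cache key, CONFIG_SLAB_FREELIST_HARDENED */
};
struct slab { unsigned char *base; };   /* start of the slab's object area */

static unsigned long swab_ulong(unsigned long v)
{
	unsigned long r = 0;
	for (size_t i = 0; i < sizeof(v); i++)
		r |= ((v >> (8 * i)) & 0xffUL) << (8 * (sizeof(v) - 1 - i));
	return r;
}

/* Same arithmetic as freelist_ptr_encode(): the pointer is XORed with the cache
 * key and the byte-swapped address of the slot it is stored in. */
static unsigned long encode_fp(const struct kmem_cache *s, void *fp, uintptr_t slot)
{
	return (unsigned long)(uintptr_t)fp ^ s->random ^ swab_ulong(slot);
}

/* XOR is its own inverse, so decoding is the same operation. */
static void *decode_fp(const struct kmem_cache *s, unsigned long word, uintptr_t slot)
{
	return (void *)(uintptr_t)(word ^ s->random ^ swab_ulong(slot));
}

static void set_freepointer(const struct kmem_cache *s, void *object, void *fp)
{
	uintptr_t slot = (uintptr_t)object + s->offset;
	*(unsigned long *)slot = encode_fp(s, fp, slot);
}

static void *get_freepointer(const struct kmem_cache *s, void *object)
{
	uintptr_t slot = (uintptr_t)object + s->offset;
	return decode_fp(s, *(unsigned long *)slot, slot);
}

/* check_valid_pointer(): NULL, or an object boundary inside this slab. */
static int check_valid_pointer(const struct kmem_cache *s, const struct slab *slab, void *fp)
{
	uintptr_t p = (uintptr_t)fp, base = (uintptr_t)slab->base;
	return !p || (p >= base && p < base + SLAB_OBJECTS * s->size && (p - base) % s->size == 0);
}

/* Replays free_deferred_objects() for one object that kfree_nolock() linked
 * into the deferred list through its freepointer slot (llist_add(x + s->offset)).
 * Returns 1 if the cleared freepointer passes check_object()'s validation,
 * 0 if it would be reported as "Freepointer corrupt". */
static int free_deferred_object(int use_set_freepointer, void **decoded_out)
{
	struct kmem_cache s = { .size = 96, .offset = 48, .random = 0x5bd1e995UL };
	unsigned char *mem = calloc(4096, 1);   /* constructed slab memory */
	struct slab slab = { .base = mem };
	unsigned char *x = mem + 2912;          /* @offset=2912, as in the splat */
	unsigned long *pos = (unsigned long *)(x + s.offset); /* llist_node.next, as a word */
	void *fp;

	*pos = (uintptr_t)(mem + 5 * s.size);   /* raw llist 'next' left by the list */
	if (use_set_freepointer)
		set_freepointer(&s, x, NULL);   /* fixed: store the encoded NULL */
	else
		*pos = 0;                       /* bug: raw NULL (*(void **)x = NULL), not encoded */
	fp = get_freepointer(&s, x);            /* what check_object() decodes */
	int ok = check_valid_pointer(&s, &slab, fp);
	if (decoded_out)
		*decoded_out = fp;
	free(mem);
	return ok;
}
```

free_deferred_object(0, ...) models the original raw store and reports the decoded freepointer as invalid, while free_deferred_object(1, ...) models the set_freepointer() fix and decodes back to NULL.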




* Re: [linus:master] [slab] af92793e52: BUG_kmalloc-#(Not_tainted):Freepointer_corrupt
  2025-10-10  8:39 [linus:master] [slab] af92793e52: BUG_kmalloc-#(Not_tainted):Freepointer_corrupt kernel test robot
  2025-10-13  9:44 ` Harry Yoo
@ 2025-10-13 14:58 ` Vlastimil Babka
  2025-10-13 21:33   ` Alexei Starovoitov
  2025-10-14 13:11   ` Oliver Sang
  1 sibling, 2 replies; 8+ messages in thread
From: Vlastimil Babka @ 2025-10-13 14:58 UTC (permalink / raw)
  To: kernel test robot, Alexei Starovoitov
  Cc: oe-lkp, lkp, linux-kernel, Harry Yoo, kasan-dev, cgroups, linux-mm

On 10/10/25 10:39, kernel test robot wrote:
> 
> 
> Hello,
> 
> kernel test robot noticed "BUG_kmalloc-#(Not_tainted):Freepointer_corrupt" on:
> 
> commit: af92793e52c3a99b828ed4bdd277fd3e11c18d08 ("slab: Introduce kmalloc_nolock() and kfree_nolock().")
> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git master
> 
> [test failed on      linus/master ec714e371f22f716a04e6ecb2a24988c92b26911]
> [test failed on linux-next/master 0b2f041c47acb45db82b4e847af6e17eb66cd32d]
> [test failed on        fix commit 83d59d81b20c09c256099d1c15d7da21969581bd]
> 
> in testcase: trinity
> version: trinity-i386-abe9de86-1_20230429
> with following parameters:
> 
> 	runtime: 300s
> 	group: group-01
> 	nr_groups: 5
> 
> 
> 
> config: i386-randconfig-012-20251004
> compiler: gcc-14
> test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
> 
> (please refer to attached dmesg/kmsg for entire log/backtrace)
> 
> 
> 
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot <oliver.sang@intel.com>
> | Closes: https://lore.kernel.org/oe-lkp/202510101652.7921fdc6-lkp@intel.com

Does this fix it?
----8<----
From 5f467c4e630a7a8e5ba024d31065413bddf22cec Mon Sep 17 00:00:00 2001
From: Vlastimil Babka <vbabka@suse.cz>
Date: Mon, 13 Oct 2025 16:56:28 +0200
Subject: [PATCH] slab: fix clearing freelist in free_deferred_objects()

Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
---
 mm/slub.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/mm/slub.c b/mm/slub.c
index f9f7f3942074..080d27fe253f 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -6377,15 +6377,16 @@ static void free_deferred_objects(struct irq_work *work)
 		slab = virt_to_slab(x);
 		s = slab->slab_cache;
 
+
+		/* Point 'x' back to the beginning of allocated object */
+		x -= s->offset;
 		/*
 		 * We used freepointer in 'x' to link 'x' into df->objects.
 		 * Clear it to NULL to avoid false positive detection
 		 * of "Freepointer corruption".
 		 */
-		*(void **)x = NULL;
+		set_freepointer(s, x, NULL);
 
-		/* Point 'x' back to the beginning of allocated object */
-		x -= s->offset;
 		__slab_free(s, slab, x, x, 1, _THIS_IP_);
 	}
 
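Review bot: the commit message body is empty, so the subject alone does not record why `*(void **)x = NULL;` was wrong; state that the raw store bypasses the freelist encoding (with CONFIG_SLAB_FREELIST_HARDENED the stored word only decodes back to NULL when written through set_freepointer(), otherwise check_object() reports it as "Freepointer corrupt") and add the Reported-by/Closes tags the test robot asked for in the report. Moving `x -= s->offset;` ahead of the clear is needed because set_freepointer() adds s->offset itself and expects the object start, so that reordering is correct; the extra blank line added before the moved comment (the lone `+` line at the top of the hunk) is a stray whitespace change worth dropping.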
-- 
2.51.0





* Re: [linus:master] [slab] af92793e52: BUG_kmalloc-#(Not_tainted):Freepointer_corrupt
  2025-10-13 14:23   ` Vlastimil Babka
@ 2025-10-13 18:30     ` Harry Yoo
  0 siblings, 0 replies; 8+ messages in thread
From: Harry Yoo @ 2025-10-13 18:30 UTC (permalink / raw)
  To: Vlastimil Babka
  Cc: kernel test robot, Alexei Starovoitov, oe-lkp, lkp, linux-kernel,
	kasan-dev, cgroups, linux-mm

On Mon, Oct 13, 2025 at 04:23:09PM +0200, Vlastimil Babka wrote:
> On 10/13/25 11:44, Harry Yoo wrote:
> > On Fri, Oct 10, 2025 at 04:39:12PM +0800, kernel test robot wrote:
> >> 
> >> 
> >> Hello,
> >> 
> >> kernel test robot noticed "BUG_kmalloc-#(Not_tainted):Freepointer_corrupt" on:
> >> 
> >> commit: af92793e52c3a99b828ed4bdd277fd3e11c18d08 ("slab: Introduce kmalloc_nolock() and kfree_nolock().")
> >> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git
> >> 
> >> [test failed on      linus/master ec714e371f22f716a04e6ecb2a24988c92b26911]
> >> [test failed on linux-next/master 0b2f041c47acb45db82b4e847af6e17eb66cd32d]
> >> [test failed on        fix commit 83d59d81b20c09c256099d1c15d7da21969581bd]
> >> 
> >> in testcase: trinity
> >> version: trinity-i386-abe9de86-1_20230429
> >> with following parameters:
> >> 
> >> 	runtime: 300s
> >> 	group: group-01
> >> 	nr_groups: 5
> >> 
> >> config: i386-randconfig-012-20251004
> >> compiler: gcc-14
> >> test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
> >> 
> >> (please refer to attached dmesg/kmsg for entire log/backtrace)
> >> 
> >> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> >> the same patch/commit), kindly add following tags
> >> | Reported-by: kernel test robot <oliver.sang@intel.com>
> >> | Closes: https://lore.kernel.org/oe-lkp/202510101652.7921fdc6-lkp@intel.com
> >> 
> >> [   66.142496][    C0] =============================================================================
> >> [   66.146355][    C0] BUG kmalloc-96 (Not tainted): Freepointer corrupt
> >> [   66.147370][    C0] -----------------------------------------------------------------------------
> >> [   66.147370][    C0]
> >> [   66.149155][    C0] Allocated in alloc_slab_obj_exts+0x33c/0x460 age=7 cpu=0 pid=3651
> >> [   66.150496][    C0]  kmalloc_nolock_noprof (mm/slub.c:4798 mm/slub.c:5658)
> >> [   66.151371][    C0]  alloc_slab_obj_exts (mm/slub.c:2102 (discriminator 3))
> >> [   66.152250][    C0]  __alloc_tagging_slab_alloc_hook (mm/slub.c:2208 (discriminator 1) mm/slub.c:2224 (discriminator 1))
> >> [   66.153248][    C0]  __kmalloc_cache_noprof (mm/slub.c:5698)
> >> [   66.154093][    C0]  set_mm_walk (include/linux/slab.h:953 include/linux/slab.h:1090 mm/vmscan.c:3852)
> >> [   66.154810][    C0]  try_to_inc_max_seq (mm/vmscan.c:4077)
> >> [   66.155627][    C0]  try_to_shrink_lruvec (mm/vmscan.c:4860 mm/vmscan.c:4903)
> >> [   66.156512][    C0]  shrink_node (mm/vmscan.c:4952 mm/vmscan.c:5091 mm/vmscan.c:6078)
> >> [   66.157363][    C0]  do_try_to_free_pages (mm/vmscan.c:6336 mm/vmscan.c:6398)
> >> [   66.158233][    C0]  try_to_free_pages (mm/vmscan.c:6644)
> >> [   66.159023][    C0]  __alloc_pages_slowpath+0x28b/0x6e0
> >> [   66.159977][    C0]  __alloc_frozen_pages_noprof (mm/page_alloc.c:5161)
> >> [   66.160941][    C0]  __folio_alloc_noprof (mm/page_alloc.c:5183 mm/page_alloc.c:5192)
> >> [   66.161739][    C0]  shmem_alloc_and_add_folio+0x40/0x200
> >> [   66.162752][    C0]  shmem_get_folio_gfp+0x30b/0x880
> >> [   66.163649][    C0]  shmem_fallocate (mm/shmem.c:3813)
> >> [   66.164498][    C0] Freed in kmem_cache_free_bulk+0x1b/0x50 age=89 cpu=1 pid=248
> > 
> >> [   66.169568][    C0]  kmem_cache_free_bulk (mm/slub.c:4875 (discriminator 3) mm/slub.c:5197 (discriminator 3) mm/slub.c:5228 (discriminator 3))
> >> [   66.170518][    C0]  kmem_cache_free_bulk (mm/slub.c:7226)
> >> [   66.171368][    C0]  kvfree_rcu_bulk (include/linux/slab.h:827 mm/slab_common.c:1522)
> >> [   66.172133][    C0]  kfree_rcu_monitor (mm/slab_common.c:1728 (discriminator 3) mm/slab_common.c:1802 (discriminator 3))
> >> [   66.173002][    C0]  kfree_rcu_shrink_scan (mm/slab_common.c:2155)
> >> [   66.173852][    C0]  do_shrink_slab (mm/shrinker.c:438)
> >> [   66.174640][    C0]  shrink_slab (mm/shrinker.c:665)
> >> [   66.175446][    C0]  shrink_node (mm/vmscan.c:338 (discriminator 1) mm/vmscan.c:4960 (discriminator 1) mm/vmscan.c:5091 (discriminator 1) mm/vmscan.c:6078 (discriminator 1))
> >> [   66.176205][    C0]  do_try_to_free_pages (mm/vmscan.c:6336 mm/vmscan.c:6398)
> >> [   66.177017][    C0]  try_to_free_pages (mm/vmscan.c:6644)
> >> [   66.177808][    C0]  __alloc_pages_slowpath+0x28b/0x6e0
> >> [   66.178851][    C0]  __alloc_frozen_pages_noprof (mm/page_alloc.c:5161)
> >> [   66.179753][    C0]  __folio_alloc_noprof (mm/page_alloc.c:5183 mm/page_alloc.c:5192)
> >> [   66.180583][    C0]  folio_prealloc+0x36/0x160
> >> [   66.181430][    C0]  do_anonymous_page (mm/memory.c:4997 mm/memory.c:5054)
> >> [   66.182288][    C0]  do_pte_missing (mm/memory.c:4232)
> > 
> > So here we are freeing an object that is allocated via kmalloc_nolock().
> > (And before being allocated via kmalloc_nolock(), it was freed via
> > kfree_rcu()).
> > 
> >> [   66.183062][    C0] Slab 0xe41bfb28 objects=21 used=17 fp=0xedf89320 flags=0x40000200(workingset|zone=1)
> >> [   66.184609][    C0] Object 0xedf89b60 @offset=2912 fp=0xeac7a8b4
> > 
> > fp=0xeac7a8b4
> > 
> > the address of the object is: 0xedf89b60.
> > 
> > 0xedf89b60 - 0xeac7a8b4 = 0x330f2ac
> > 
> > If FP was not corrupted, the object pointed to by FP is
> > too far away for them to be in the same slab.
> > 
> > That may suggest that some code built a list of free objects
> > across multiple slabs/caches. That's what deferred free does!
> > 
> > But in free_deferred_objects(), we have:
> >> /*
> >>  * In PREEMPT_RT irq_work runs in per-cpu kthread, so it's safe
> >>  * to take sleeping spin_locks from __slab_free() and deactivate_slab().
> >>  * In !PREEMPT_RT irq_work will run after local_unlock_irqrestore().
> >>  */
> >> static void free_deferred_objects(struct irq_work *work)
> >> {
> >>         struct defer_free *df = container_of(work, struct defer_free, work);
> >>         struct llist_head *objs = &df->objects;
> >>         struct llist_head *slabs = &df->slabs;
> >>         struct llist_node *llnode, *pos, *t;
> >>
> >>         if (llist_empty(objs) && llist_empty(slabs))
> >>                 return;
> >>
> >>         llnode = llist_del_all(objs);
> >>         llist_for_each_safe(pos, t, llnode) {
> >>                 struct kmem_cache *s;
> >>                 struct slab *slab;
> >>                 void *x = pos;
> >>
> >>                 slab = virt_to_slab(x);
> >>                 s = slab->slab_cache; 
> >>    
> >>                 /*
> >>                  * We used freepointer in 'x' to link 'x' into df->objects.
> >>                  * Clear it to NULL to avoid false positive detection
> >>                  * of "Freepointer corruption".
> >>                  */
> >>                 *(void **)x = NULL;
> 
> Oh wait, isn't it just the case that this is not using set_freepointer() and
> with CONFIG_SLAB_FREELIST_HARDENED even the NULL is encoded as a non-NULL?

Oh, great observation! Obviously it should be fixed.
The fix posted in the other email looks great to me.

-- 
Cheers,
Harry / Hyeonggon

> >>
> >>                 /* Point 'x' back to the beginning of allocated object */
> >>                 x -= s->offset;
> >>                 __slab_free(s, slab, x, x, 1, _THIS_IP_);
> >>         }
> >>
> > 
> > This should have cleared the FP before freeing it.
> > 
> > Oh wait, there are more in the dmesg:
> >> [   67.073014][    C1] ------------[ cut here ]------------
> >> [   67.074039][    C1] WARNING: CPU: 1 PID: 3894 at mm/slub.c:1209 object_err+0x4d/0x6d
> >> [   67.075394][    C1] Modules linked in: evdev serio_raw tiny_power_button fuse drm drm_panel_orientation_quirks stm_p_basic
> >> [   67.077222][    C1] CPU: 1 UID: 0 PID: 3894 Comm: sed Tainted: G    B   W           6.17.0-rc3-00014-gaf92793e52c3 #1 PREEMPTLAZY  2cffa6c1ad8b595a5f5738a3e143d70494d8da79
> >> [   67.079495][    C1] Tainted: [B]=BAD_PAGE, [W]=WARN
> >> [   67.080303][    C1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
> >> [   67.085915][    C1] EIP: object_err+0x4d/0x6d
> >> [   67.086691][    C1] Code: 8b 45 fc e8 95 fe ff ff ba 01 00 00 00 b8 05 00 00 00 e8 46 1e 12 00 6a 01 31 c9 ba 01 00 00 00 b8 f8 84 76 db e8 b3 e1 2b 00 <0f> 0b 6a 01 31 c9 ba 01 00 00 00 b8 e0 84 76 db e8 9e e1 2b 00 83
> >> [   67.089537][    C1] EAX: 00000000 EBX: c10012c0 ECX: 00000000 EDX: 00000000
> >> [   67.090581][    C1] ESI: aacfa894 EDI: edf89320 EBP: ed7477b8 ESP: ed7477a0
> >> [   67.091578][    C1] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 EFLAGS: 00010046
> >> [   67.092767][    C1] CR0: 80050033 CR2: b7fa58c8 CR3: 01b5b000 CR4: 000406d0
> >> [   67.093840][    C1] Call Trace:
> >> [   67.094450][    C1]  check_object.cold+0x11/0x17
> >> [   67.095280][    C1]  free_debug_processing+0x111/0x300
> >> [   67.096076][    C1]  free_to_partial_list+0x62/0x440
> >> [   67.101664][    C1]  ? free_deferred_objects+0x3e/0x110
> >> [   67.104785][    C1]  __slab_free+0x2b7/0x5d0
> >> [   67.105539][    C1]  ? free_deferred_objects+0x3e/0x110
> >> [   67.106362][    C1]  ? rcu_is_watching+0x3f/0x80
> >> [   67.107090][    C1]  free_deferred_objects+0x4d/0x110
> > 
> > Hmm... did we somehow clear wrong FP or is the freepointer set again
> > after we cleared it? 



* Re: [linus:master] [slab] af92793e52: BUG_kmalloc-#(Not_tainted):Freepointer_corrupt
  2025-10-13 14:58 ` Vlastimil Babka
@ 2025-10-13 21:33   ` Alexei Starovoitov
  2025-10-14 13:11   ` Oliver Sang
  1 sibling, 0 replies; 8+ messages in thread
From: Alexei Starovoitov @ 2025-10-13 21:33 UTC (permalink / raw)
  To: Vlastimil Babka
  Cc: kernel test robot, Alexei Starovoitov, oe-lkp, kbuild test robot,
	LKML, Harry Yoo, kasan-dev, open list:CONTROL GROUP (CGROUP),
	linux-mm

On Mon, Oct 13, 2025 at 7:58 AM Vlastimil Babka <vbabka@suse.cz> wrote:
>
> On 10/10/25 10:39, kernel test robot wrote:
> >
> >
> > Hello,
> >
> > kernel test robot noticed "BUG_kmalloc-#(Not_tainted):Freepointer_corrupt" on:
> >
> > commit: af92793e52c3a99b828ed4bdd277fd3e11c18d08 ("slab: Introduce kmalloc_nolock() and kfree_nolock().")
> > https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git master
> >
> > [test failed on      linus/master ec714e371f22f716a04e6ecb2a24988c92b26911]
> > [test failed on linux-next/master 0b2f041c47acb45db82b4e847af6e17eb66cd32d]
> > [test failed on        fix commit 83d59d81b20c09c256099d1c15d7da21969581bd]
> >
> > in testcase: trinity
> > version: trinity-i386-abe9de86-1_20230429
> > with following parameters:
> >
> >       runtime: 300s
> >       group: group-01
> >       nr_groups: 5
> >
> >
> >
> > config: i386-randconfig-012-20251004
> > compiler: gcc-14
> > test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
> >
> > (please refer to attached dmesg/kmsg for entire log/backtrace)
> >
> >
> >
> > If you fix the issue in a separate patch/commit (i.e. not just a new version of
> > the same patch/commit), kindly add following tags
> > | Reported-by: kernel test robot <oliver.sang@intel.com>
> > | Closes: https://lore.kernel.org/oe-lkp/202510101652.7921fdc6-lkp@intel.com
>
> Does this fix it?
> ----8<----
> From 5f467c4e630a7a8e5ba024d31065413bddf22cec Mon Sep 17 00:00:00 2001
> From: Vlastimil Babka <vbabka@suse.cz>
> Date: Mon, 13 Oct 2025 16:56:28 +0200
> Subject: [PATCH] slab: fix clearing freelist in free_deferred_objects()
>
> Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
> ---
>  mm/slub.c | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/mm/slub.c b/mm/slub.c
> index f9f7f3942074..080d27fe253f 100644
> --- a/mm/slub.c
> +++ b/mm/slub.c
> @@ -6377,15 +6377,16 @@ static void free_deferred_objects(struct irq_work *work)
>                 slab = virt_to_slab(x);
>                 s = slab->slab_cache;
>
> +
> +               /* Point 'x' back to the beginning of allocated object */
> +               x -= s->offset;
>                 /*
>                  * We used freepointer in 'x' to link 'x' into df->objects.
>                  * Clear it to NULL to avoid false positive detection
>                  * of "Freepointer corruption".
>                  */
> -               *(void **)x = NULL;
> +               set_freepointer(s, x, NULL);
>
> -               /* Point 'x' back to the beginning of allocated object */
> -               x -= s->offset;
>                 __slab_free(s, slab, x, x, 1, _THIS_IP_);

Thanks for the fix!
Acked-by: Alexei Starovoitov <ast@kernel.org>

The bot spotted it with CONFIG_SLAB_FREELIST_HARDENED=y.
It wasn't part of my tests. Sorry.



* Re: [linus:master] [slab] af92793e52: BUG_kmalloc-#(Not_tainted):Freepointer_corrupt
  2025-10-13 14:58 ` Vlastimil Babka
  2025-10-13 21:33   ` Alexei Starovoitov
@ 2025-10-14 13:11   ` Oliver Sang
  1 sibling, 0 replies; 8+ messages in thread
From: Oliver Sang @ 2025-10-14 13:11 UTC (permalink / raw)
  To: Vlastimil Babka
  Cc: Alexei Starovoitov, oe-lkp, lkp, linux-kernel, Harry Yoo,
	kasan-dev, cgroups, linux-mm, oliver.sang

Hi, Vlastimil Babka,

On Mon, Oct 13, 2025 at 04:58:28PM +0200, Vlastimil Babka wrote:
> On 10/10/25 10:39, kernel test robot wrote:
> > 
> > 
> > Hello,
> > 
> > kernel test robot noticed "BUG_kmalloc-#(Not_tainted):Freepointer_corrupt" on:
> > 
> > commit: af92793e52c3a99b828ed4bdd277fd3e11c18d08 ("slab: Introduce kmalloc_nolock() and kfree_nolock().")
> > https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git master
> > 
> > [test failed on      linus/master ec714e371f22f716a04e6ecb2a24988c92b26911]
> > [test failed on linux-next/master 0b2f041c47acb45db82b4e847af6e17eb66cd32d]
> > [test failed on        fix commit 83d59d81b20c09c256099d1c15d7da21969581bd]
> > 
> > in testcase: trinity
> > version: trinity-i386-abe9de86-1_20230429
> > with following parameters:
> > 
> > 	runtime: 300s
> > 	group: group-01
> > 	nr_groups: 5
> > 
> > 
> > 
> > config: i386-randconfig-012-20251004
> > compiler: gcc-14
> > test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
> > 
> > (please refer to attached dmesg/kmsg for entire log/backtrace)
> > 
> > 
> > 
> > If you fix the issue in a separate patch/commit (i.e. not just a new version of
> > the same patch/commit), kindly add following tags
> > | Reported-by: kernel test robot <oliver.sang@intel.com>
> > | Closes: https://lore.kernel.org/oe-lkp/202510101652.7921fdc6-lkp@intel.com
> 
> Does this fix it?

Yes, this fixed the issue we reported. Thanks.

Tested-by: kernel test robot <oliver.sang@intel.com>

> ----8<----
> From 5f467c4e630a7a8e5ba024d31065413bddf22cec Mon Sep 17 00:00:00 2001
> From: Vlastimil Babka <vbabka@suse.cz>
> Date: Mon, 13 Oct 2025 16:56:28 +0200
> Subject: [PATCH] slab: fix clearing freelist in free_deferred_objects()
> 
> Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
> ---
>  mm/slub.c | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)
> 
> diff --git a/mm/slub.c b/mm/slub.c
> index f9f7f3942074..080d27fe253f 100644
> --- a/mm/slub.c
> +++ b/mm/slub.c
> @@ -6377,15 +6377,16 @@ static void free_deferred_objects(struct irq_work *work)
>  		slab = virt_to_slab(x);
>  		s = slab->slab_cache;
>  
> +
> +		/* Point 'x' back to the beginning of allocated object */
> +		x -= s->offset;
>  		/*
>  		 * We used freepointer in 'x' to link 'x' into df->objects.
>  		 * Clear it to NULL to avoid false positive detection
>  		 * of "Freepointer corruption".
>  		 */
> -		*(void **)x = NULL;
> +		set_freepointer(s, x, NULL);
>  
> -		/* Point 'x' back to the beginning of allocated object */
> -		x -= s->offset;
>  		__slab_free(s, slab, x, x, 1, _THIS_IP_);
>  	}
>  
> -- 
> 2.51.0
> 
> 



* kmemleak and bpf_timer. Was: [linus:master] [slab] af92793e52: BUG_kmalloc-#(Not_tainted):Freepointer_corrupt
  2025-10-13  9:44 ` Harry Yoo
  2025-10-13 14:23   ` Vlastimil Babka
@ 2025-10-14 20:53   ` Alexei Starovoitov
  1 sibling, 0 replies; 8+ messages in thread
From: Alexei Starovoitov @ 2025-10-14 20:53 UTC (permalink / raw)
  To: Harry Yoo, Peilin Ye, Shakeel Butt, Vlastimil Babka
  Cc: kernel test robot, kbuild test robot, LKML, linux-mm, bpf

On Mon, Oct 13, 2025 at 2:45 AM Harry Yoo <harry.yoo@oracle.com> wrote:
>
> So here we are freeing an object that is allocated via kmalloc_nolock().
> (And before being allocated via kmalloc_nolock(), it was freed via
> kfree_rcu()).

There is another problem here, but the root cause is the same.

I see this kmemleak splat:
[    8.105530] kmemleak: Trying to color unknown object at 0xff11000100e918c0 as Black
[    8.106521] Call Trace:
[    8.106521]  <TASK>
[    8.106521]  dump_stack_lvl+0x4b/0x70
[    8.106521]  kvfree_call_rcu+0xcb/0x3b0
[    8.106521]  ? hrtimer_cancel+0x21/0x40
[    8.106521]  bpf_obj_free_fields+0x193/0x200
[    8.106521]  htab_map_update_elem+0x29c/0x410
[    8.106521]  bpf_prog_cfc8cd0f42c04044_overwrite_cb+0x47/0x4b
[    8.106521]  bpf_prog_8c30cd7c4db2e963_overwrite_timer+0x65/0x86
[    8.106521]  bpf_prog_test_run_syscall+0xe1/0x2a0

it's due to a combination of features and fixes,
but mainly this
commit 6d78b4473cdb ("bpf: Tell memcg to use allow_spinning=false path
in bpf_timer_init()")

__GFP_HIGH is confusing slab/kmemleak internals to skip
calling kmemleak_alloc_recursive(), so subsequent kfree_rcu()->
kvfree_call_rcu()->kmemleak_ignore() complains with the above splat.

I think the only proper fix is to convert bpf_timer to use
kmalloc_nolock/kfree_nolock. I have a wip fix. Will send soon.


