| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aOzKEsav2RubINEO@hyeyoo>
Date: Mon, 13 Oct 2025 18:44:50 +0900
From: Harry Yoo <harry.yoo@...cle.com>
To: kernel test robot <oliver.sang@...el.com>
Cc: Alexei Starovoitov <ast@...nel.org>, oe-lkp@...ts.linux.dev, lkp@...el.com,
linux-kernel@...r.kernel.org, Vlastimil Babka <vbabka@...e.cz>,
kasan-dev@...glegroups.com, cgroups@...r.kernel.org,
linux-mm@...ck.org
Subject: Re: [linus:master] [slab] af92793e52:
BUG_kmalloc-#(Not_tainted):Freepointer_corrupt
On Fri, Oct 10, 2025 at 04:39:12PM +0800, kernel test robot wrote:
>
>
> Hello,
>
> kernel test robot noticed "BUG_kmalloc-#(Not_tainted):Freepointer_corrupt" on:
>
> commit: af92793e52c3a99b828ed4bdd277fd3e11c18d08 ("slab: Introduce kmalloc_nolock() and kfree_nolock().")
> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git
>
> [test failed on linus/master ec714e371f22f716a04e6ecb2a24988c92b26911]
> [test failed on linux-next/master 0b2f041c47acb45db82b4e847af6e17eb66cd32d]
> [test failed on fix commit 83d59d81b20c09c256099d1c15d7da21969581bd]
>
> in testcase: trinity
> version: trinity-i386-abe9de86-1_20230429
> with following parameters:
>
> runtime: 300s
> group: group-01
> nr_groups: 5
>
> config: i386-randconfig-012-20251004
> compiler: gcc-14
> test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
>
> (please refer to attached dmesg/kmsg for entire log/backtrace)
>
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot <oliver.sang@...el.com>
> | Closes: https://lore.kernel.org/oe-lkp/202510101652.7921fdc6-lkp@intel.com
>
> [ 66.142496][ C0] =============================================================================
> [ 66.146355][ C0] BUG kmalloc-96 (Not tainted): Freepointer corrupt
> [ 66.147370][ C0] -----------------------------------------------------------------------------
> [ 66.147370][ C0]
> [ 66.149155][ C0] Allocated in alloc_slab_obj_exts+0x33c/0x460 age=7 cpu=0 pid=3651
> [ 66.150496][ C0] kmalloc_nolock_noprof (mm/slub.c:4798 mm/slub.c:5658)
> [ 66.151371][ C0] alloc_slab_obj_exts (mm/slub.c:2102 (discriminator 3))
> [ 66.152250][ C0] __alloc_tagging_slab_alloc_hook (mm/slub.c:2208 (discriminator 1) mm/slub.c:2224 (discriminator 1))
> [ 66.153248][ C0] __kmalloc_cache_noprof (mm/slub.c:5698)
> [ 66.154093][ C0] set_mm_walk (include/linux/slab.h:953 include/linux/slab.h:1090 mm/vmscan.c:3852)
> [ 66.154810][ C0] try_to_inc_max_seq (mm/vmscan.c:4077)
> [ 66.155627][ C0] try_to_shrink_lruvec (mm/vmscan.c:4860 mm/vmscan.c:4903)
> [ 66.156512][ C0] shrink_node (mm/vmscan.c:4952 mm/vmscan.c:5091 mm/vmscan.c:6078)
> [ 66.157363][ C0] do_try_to_free_pages (mm/vmscan.c:6336 mm/vmscan.c:6398)
> [ 66.158233][ C0] try_to_free_pages (mm/vmscan.c:6644)
> [ 66.159023][ C0] __alloc_pages_slowpath+0x28b/0x6e0
> [ 66.159977][ C0] __alloc_frozen_pages_noprof (mm/page_alloc.c:5161)
> [ 66.160941][ C0] __folio_alloc_noprof (mm/page_alloc.c:5183 mm/page_alloc.c:5192)
> [ 66.161739][ C0] shmem_alloc_and_add_folio+0x40/0x200
> [ 66.162752][ C0] shmem_get_folio_gfp+0x30b/0x880
> [ 66.163649][ C0] shmem_fallocate (mm/shmem.c:3813)
> [ 66.164498][ C0] Freed in kmem_cache_free_bulk+0x1b/0x50 age=89 cpu=1 pid=248
> [ 66.169568][ C0] kmem_cache_free_bulk (mm/slub.c:4875 (discriminator 3) mm/slub.c:5197 (discriminator 3) mm/slub.c:5228 (discriminator 3))
> [ 66.170518][ C0] kmem_cache_free_bulk (mm/slub.c:7226)
> [ 66.171368][ C0] kvfree_rcu_bulk (include/linux/slab.h:827 mm/slab_common.c:1522)
> [ 66.172133][ C0] kfree_rcu_monitor (mm/slab_common.c:1728 (discriminator 3) mm/slab_common.c:1802 (discriminator 3))
> [ 66.173002][ C0] kfree_rcu_shrink_scan (mm/slab_common.c:2155)
> [ 66.173852][ C0] do_shrink_slab (mm/shrinker.c:438)
> [ 66.174640][ C0] shrink_slab (mm/shrinker.c:665)
> [ 66.175446][ C0] shrink_node (mm/vmscan.c:338 (discriminator 1) mm/vmscan.c:4960 (discriminator 1) mm/vmscan.c:5091 (discriminator 1) mm/vmscan.c:6078 (discriminator 1))
> [ 66.176205][ C0] do_try_to_free_pages (mm/vmscan.c:6336 mm/vmscan.c:6398)
> [ 66.177017][ C0] try_to_free_pages (mm/vmscan.c:6644)
> [ 66.177808][ C0] __alloc_pages_slowpath+0x28b/0x6e0
> [ 66.178851][ C0] __alloc_frozen_pages_noprof (mm/page_alloc.c:5161)
> [ 66.179753][ C0] __folio_alloc_noprof (mm/page_alloc.c:5183 mm/page_alloc.c:5192)
> [ 66.180583][ C0] folio_prealloc+0x36/0x160
> [ 66.181430][ C0] do_anonymous_page (mm/memory.c:4997 mm/memory.c:5054)
> [ 66.182288][ C0] do_pte_missing (mm/memory.c:4232)
So here we are freeing an object that is allocated via kmalloc_nolock().
(And before being allocated via kmalloc_nolock(), it was freed via
kfree_rcu()).
> [ 66.183062][ C0] Slab 0xe41bfb28 objects=21 used=17 fp=0xedf89320 flags=0x40000200(workingset|zone=1)
> [ 66.184609][ C0] Object 0xedf89b60 @offset=2912 fp=0xeac7a8b4
fp=0xeac7a8b4
the address of the object is: 0xedf89b60.
0xedf89b60 - 0xeac7a8b4 = 0x330f2ac
If FP was not corrupted, the object pointed to by FP is
too far away for them to be in the same slab.
That may suggest that some code built a list of free objects
across multiple slabs/caches. That's what deferred free does!
But in free_deferred_objects(), we have:
> /*
> * In PREEMPT_RT irq_work runs in per-cpu kthread, so it's safe
> * to take sleeping spin_locks from __slab_free() and deactivate_slab().
> * In !PREEMPT_RT irq_work will run after local_unlock_irqrestore().
> */
> static void free_deferred_objects(struct irq_work *work)
> {
> struct defer_free *df = container_of(work, struct defer_free, work);
> struct llist_head *objs = &df->objects;
> struct llist_head *slabs = &df->slabs;
> struct llist_node *llnode, *pos, *t;
>
> if (llist_empty(objs) && llist_empty(slabs))
> return;
>
> llnode = llist_del_all(objs);
> llist_for_each_safe(pos, t, llnode) {
> struct kmem_cache *s;
> struct slab *slab;
> void *x = pos;
>
> slab = virt_to_slab(x);
> s = slab->slab_cache;
>
> /*
> * We used freepointer in 'x' to link 'x' into df->objects.
> * Clear it to NULL to avoid false positive detection
> * of "Freepointer corruption".
> */
> *(void **)x = NULL;
>
> /* Point 'x' back to the beginning of allocated object */
> x -= s->offset;
> __slab_free(s, slab, x, x, 1, _THIS_IP_);
> }
>
This should have cleared the FP before freeing it.
Oh wait, there are more in the dmesg:
> [ 67.073014][ C1] ------------[ cut here ]------------
> [ 67.074039][ C1] WARNING: CPU: 1 PID: 3894 at mm/slub.c:1209 object_err+0x4d/0x6d
> [ 67.075394][ C1] Modules linked in: evdev serio_raw tiny_power_button fuse drm drm_panel_orientation_quirks stm_p_basic
> [ 67.077222][ C1] CPU: 1 UID: 0 PID: 3894 Comm: sed Tainted: G B W 6.17.0-rc3-00014-gaf92793e52c3 #1 PREEMPTLAZY 2cffa6c1ad8b595a5f5738a3e143d70494d8da79
> [ 67.079495][ C1] Tainted: [B]=BAD_PAGE, [W]=WARN
> [ 67.080303][ C1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
> [ 67.085915][ C1] EIP: object_err+0x4d/0x6d
> [ 67.086691][ C1] Code: 8b 45 fc e8 95 fe ff ff ba 01 00 00 00 b8 05 00 00 00 e8 46 1e 12 00 6a 01 31 c9 ba 01 00 00 00 b8 f8 84 76 db e8 b3 e1 2b 00 <0f> 0b 6a 01 31 c9 ba 01 00 00 00 b8 e0 84 76 db e8 9e e1 2b 00 83
> [ 67.089537][ C1] EAX: 00000000 EBX: c10012c0 ECX: 00000000 EDX: 00000000
> [ 67.090581][ C1] ESI: aacfa894 EDI: edf89320 EBP: ed7477b8 ESP: ed7477a0
> [ 67.091578][ C1] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 EFLAGS: 00010046
> [ 67.092767][ C1] CR0: 80050033 CR2: b7fa58c8 CR3: 01b5b000 CR4: 000406d0
> [ 67.093840][ C1] Call Trace:
> [ 67.094450][ C1] check_object.cold+0x11/0x17
> [ 67.095280][ C1] free_debug_processing+0x111/0x300
> [ 67.096076][ C1] free_to_partial_list+0x62/0x440
> [ 67.101664][ C1] ? free_deferred_objects+0x3e/0x110
> [ 67.104785][ C1] __slab_free+0x2b7/0x5d0
> [ 67.105539][ C1] ? free_deferred_objects+0x3e/0x110
> [ 67.106362][ C1] ? rcu_is_watching+0x3f/0x80
> [ 67.107090][ C1] free_deferred_objects+0x4d/0x110
Hmm... did we somehow clear wrong FP or is the freepointer set again
after we cleared it?
--
Cheers,
Harry / Hyeonggon
> [ 67.107872][ C1] ? free_deferred_objects+0x3e/0x110
> [ 67.108728][ C1] irq_work_single+0x65/0xa0
> [ 67.109517][ C1] ? exc_nmi_kvm_vmx+0x10/0x10
> [ 67.110312][ C1] irq_work_run_list+0x49/0x70
> [ 67.111598][ C1] irq_work_run+0x13/0x30
> [ 67.112335][ C1] __sysvec_irq_work+0x31/0x180
> [ 67.113193][ C1] sysvec_irq_work+0x20/0x40
> [ 67.113929][ C1] handle_exception+0x130/0x130
> [ 67.114690][ C1] EIP: default_send_IPI_self+0x46/0x90
> [ 67.115541][ C1] Code: 10 74 14 90 f3 90 8b 0d 44 12 21 db 8b 91 00 d3 ff ff 80 e6 10 75 ed 0d 00 00 04 00 8b 1d 44 12 21 db 8d 93 00 d3 ff ff 89 02 <5b> 5d 31 c0 31 d2 31 c9 c3 90 bb e8 03 00 00 eb 1d 2e 8d b4 26 00
> [ 67.118357][ C1] EAX: 000400f6 EBX: fffff000 ECX: 00000000 EDX: ffffc300
> [ 67.119453][ C1] ESI: e3a744b4 EDI: 00000000 EBP: ed74798c ESP: ed747988
> [ 67.120512][ C1] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 EFLAGS: 00000206
> [ 67.122323][ C1] ? exc_nmi_kvm_vmx+0x10/0x10
> [ 67.123079][ C1] ? exc_nmi_kvm_vmx+0x10/0x10
> [ 67.123844][ C1] ? default_send_IPI_self+0x46/0x90
> [ 67.124887][ C1] arch_irq_work_raise+0x2d/0x40
> [ 67.136148][ C1] __irq_work_queue_local+0x7d/0xf0
> [ 67.137164][ C1] irq_work_queue+0x31/0x80
> [ 67.137861][ C1] defer_free+0x88/0xc0
> [ 67.138648][ C1] kfree_nolock+0x28e/0x310
> [ 67.139653][ C1] __free_slab+0x255/0x270
> [ 67.140674][ C1] free_slab+0x3f/0xe0
> [ 67.141574][ C1] free_to_partial_list+0x1df/0x440
> [ 67.142787][ C1] __slab_free+0x2b7/0x5d0
> [ 67.147520][ C1] ? shrink_node+0x2a7/0x310
> [ 67.149260][ C1] ? shrink_slab+0x266/0x4a0
> [ 67.151002][ C1] ? shrink_slab+0x266/0x4a0
> [ 67.151677][ C1] ? shrink_node+0x2a7/0x310
> [ 67.153337][ C1] kfree+0x6e8/0x7c0
> [ 67.154927][ C1] ? shrink_node+0x2a7/0x310
> [ 67.155561][ C1] ? shrink_node+0x2a7/0x310
> [ 67.157219][ C1] shrink_node+0x2a7/0x310
> [ 67.158828][ C1] do_try_to_free_pages+0xdc/0x460
> [ 67.159562][ C1] try_to_free_pages+0xf5/0x150
> [ 67.161292][ C1] __alloc_pages_slowpath+0x28b/0x6e0
> [ 67.163233][ C1] __alloc_frozen_pages_noprof+0x311/0x360
> [ 67.165155][ C1] __folio_alloc_noprof+0x15/0x30
> [ 67.166890][ C1] folio_prealloc+0xa9/0x160
> [ 67.167616][ C1] ? __vmf_anon_prepare+0x70/0x100
> [ 67.169438][ C1] do_cow_fault+0x4b/0x1f0
> [ 67.171212][ C1] ? rcu_is_watching+0x3f/0x80
> [ 67.172994][ C1] do_pte_missing+0xe5/0x380
> [ 67.173688][ C1] ? mt_find+0x154/0x370
> [ 67.175381][ C1] handle_pte_fault+0x20a/0x360
> [ 67.177160][ C1] handle_mm_fault+0x1a4/0x440
> [ 67.178905][ C1] do_user_addr_fault+0x1e3/0x440
> [ 67.179640][ C1] exc_page_fault+0x59/0x1e0
> [ 67.182691][ C1] ? pvclock_clocksource_read_nowd+0x190/0x190
> [ 67.183626][ C1] handle_exception+0x130/0x130
> [ 67.185384][ C1] EIP: clear_user+0x64/0xb0
> [ 67.187106][ C1] Code: 00 00 b8 50 2b 87 db e8 0a 7b fe fe ba 42 00 00 00 b8 53 61 13 db e8 9b 1f 16 ff 89 da 83 e2 03 c1 eb 02 89 d9 31 c0 8d 76 00 <f3> ab 89 d1 f3 aa 8d 76 00 5a 89 c8 8d 65 f8 5b 5f 5d 31 d2 31 c9
> [ 67.192838][ C1] EAX: 00000000 EBX: 000001ce ECX: 000001ce EDX: 00000000
> [ 67.194893][ C1] ESI: ebb68e60 EDI: b7fa58c8 EBP: ed747e40 ESP: ed747e34
> [ 67.196892][ C1] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 EFLAGS: 00010246
> [ 67.199084][ C1] ? pvclock_clocksource_read_nowd+0x190/0x190
> [ 67.201015][ C1] ? pvclock_clocksource_read_nowd+0x190/0x190
> [ 67.202993][ C1] ? clear_user+0x64/0xb0
> [ 67.203649][ C1] elf_load+0x1e1/0x210
> [ 67.205361][ C1] load_elf_interp+0x358/0x400
> [ 67.207199][ C1] load_elf_binary+0xaac/0xdf0
> [ 67.209031][ C1] ? _raw_read_unlock+0x58/0x90
> [ 67.210775][ C1] exec_binprm+0x18b/0x3d0
> [ 67.211490][ C1] bprm_execve+0xc7/0x1b0
> [ 67.213251][ C1] do_execveat_common+0x1b8/0x1f0
> [ 67.215058][ C1] __ia32_sys_execve+0x2a/0x40
> [ 67.216813][ C1] ia32_sys_call+0xf28/0xf90
> [ 67.217503][ C1] do_int80_syscall_32+0x53/0x2c0
> [ 67.219303][ C1] entry_INT80_32+0xf0/0xf0
> [ 67.221070][ C1] EIP: 0xb7fba092
> [ 67.221648][ C1] Code: Unable to access opcode bytes at 0xb7fba068.
> [ 67.223619][ C1] EAX: ffffffda EBX: 02380764 ECX: 023884c8 EDX: 02388504
> [ 67.226356][ C1] ESI: 02380764 EDI: 023884c8 EBP: bfe2b794 ESP: bfe2b674
> [ 67.229021][ C1] DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 007b EFLAGS: 00000292
> [ 67.235135][ C1] irq event stamp: 0
> [ 67.235815][ C1] hardirqs last enabled at (0): [<00000000>] 0x0
> [ 67.236788][ C1] hardirqs last disabled at (0): [<d973f5a4>] copy_process+0x6f4/0x18d0
> [ 67.239586][ C1] softirqs last enabled at (0): [<d973f5ae>] copy_process+0x6fe/0x18d0
> [ 67.241811][ C1] softirqs last disabled at (0): [<00000000>] 0x0
> [ 67.243308][ C1] ---[ end trace 0000000000000000 ]---
> [ 67.244517][ C1] FIX kmalloc-96: Object at 0xedf89320 not freed
> [ 66.184609][ C0]
> [ 66.185960][ C0] Redzone edf89b40: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
> [ 66.187388][ C0] Redzone edf89b50: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
> [ 66.189695][ C0] Object edf89b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> [ 66.191175][ C0] Object edf89b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> [ 66.192701][ C0] Object edf89b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> [ 66.194259][ C0] Object edf89b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> [ 66.195753][ C0] Object edf89ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> [ 66.196836][ T248] sed invoked oom-killer: gfp_mask=0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO|__GFP_COMP), order=0, oom_score_adj=-1000
> [ 66.197239][ C0] Object edf89bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> [ 66.197395][ C0] Redzone edf89bc0: cc cc cc cc ....
>
> [ 66.197402][ C0] Padding edf89bf4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZ
> [ 66.197406][ C0] Disabling lock debugging due to kernel taint
Powered by blists - more mailing lists