forked from rockchip-linux/kernel
Open
Description
Hi, I encountered a slab-out-of-bounds issue when booting the kernel on the Orion o6, which is built with this config.
This configuration is almost identical to the default linux-sky1 configuration, except that it uses LLVM for compilation and CONFIG_DEBUG_INFO and CONFIG_BLK_DEV_NULL_BLK are enabled. I believe these changes should not cause the kernel to crash.
The cmdline is like this:
root=UUID=ce95976e-7c04-4b82-8251-c780b6b3fac1 console=ttyAMA0,115200n8 earlycon=pl011,0x040d0000 acpi=force quiet splash loglevel=4 rw earlycon consoleblank=0 console=tty1 coherent_pool=2M irqchip.gicv3_pseudo_nmi=0 cgroup_enable=cpuset cgroup_memory=1 cgroup_enable=memory swapaccount=1 kasan=on kasan.mode=sync
and the log is shown below:
[ 0.000000] [pid:0,cpu0,swapper/0]==================================================================
[ 0.000000] [pid:0,cpu0,swapper/0]BUG: KASAN: slab-out-of-bounds in kmem_cache_alloc+0x48/0x3b8
[ 0.000000] [pid:0,cpu0,swapper/0]Read at addr fcff19f30000d91c by task swapper/0/0
[ 0.000000] [pid:0,cpu0,swapper/0]Pointer tag: [fc], memory tag: [f0]
[ 0.000000] [pid:0,cpu0,swapper/0]
[ 0.000000] [pid:0,cpu0,swapper/0]CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.6.89-3 #3
[ 0.000000] [pid:0,cpu0,swapper/0]Call trace:
[ 0.000000] [pid:0,cpu0,swapper/0] dump_backtrace+0xf0/0x13c
[ 0.000000] [pid:0,cpu0,swapper/0] show_stack+0x18/0x34
[ 0.000000] [pid:0,cpu0,swapper/0] dump_stack_lvl+0x50/0x68
[ 0.000000] [pid:0,cpu0,swapper/0] print_report+0x1e0/0x438
[ 0.000000] [pid:0,cpu0,swapper/0] kasan_report+0xac/0x108
[ 0.000000] [pid:0,cpu0,swapper/0] __do_kernel_fault+0xb0/0x1dc
[ 0.000000] [pid:0,cpu0,swapper/0] do_bad_area+0x30/0xe0
[ 0.000000] [pid:0,cpu0,swapper/0] do_tag_check_fault+0x1c/0x2c
[ 0.000000] [pid:0,cpu0,swapper/0] do_mem_abort+0x40/0xec
[ 0.000000] [pid:0,cpu0,swapper/0] el1_abort+0x3c/0x5c
[ 0.000000] [pid:0,cpu0,swapper/0] el1h_64_sync_handler+0x60/0xac
[ 0.000000] [pid:0,cpu0,swapper/0] el1h_64_sync+0x64/0x68
[ 0.000000] [pid:0,cpu0,swapper/0] kmem_cache_alloc+0x48/0x3b8
[ 0.000000] [pid:0,cpu0,swapper/0] trace_create_new_event+0xb4/0x184
[ 0.000000] [pid:0,cpu0,swapper/0] __trace_early_add_events+0x78/0x18c
[ 0.000000] [pid:0,cpu0,swapper/0] event_trace_enable+0x128/0x144
[ 0.000000] [pid:0,cpu0,swapper/0] trace_event_init+0x14/0x24
[ 0.000000] [pid:0,cpu0,swapper/0] trace_init+0x10/0x30
[ 0.000000] [pid:0,cpu0,swapper/0] start_kernel+0x17c/0x3b4
[ 0.000000] [pid:0,cpu0,swapper/0] __primary_switched+0xbc/0xc4
[ 0.000000] [pid:0,cpu0,swapper/0]
[ 0.000000] [pid:0,cpu0,swapper/0]Allocated by task 0:
[ 0.000000] [pid:0,cpu0,swapper/0] kasan_save_stack+0x40/0x6c
[ 0.000000] [pid:0,cpu0,swapper/0] save_stack_info+0x34/0x12c
[ 0.000000] [pid:0,cpu0,swapper/0] kasan_save_alloc_info+0x14/0x20
[ 0.000000] [pid:0,cpu0,swapper/0] __kasan_slab_alloc+0x13c/0x144
[ 0.000000] [pid:0,cpu0,swapper/0] kmem_cache_alloc+0x1b0/0x3b8
[ 0.000000] [pid:0,cpu0,swapper/0] kmem_cache_create_usercopy+0xec/0x234
[ 0.000000] [pid:0,cpu0,swapper/0] kmem_cache_create+0x14/0x20
[ 0.000000] [pid:0,cpu0,swapper/0] event_trace_memsetup+0x4c/0x60
[ 0.000000] [pid:0,cpu0,swapper/0] trace_event_init+0x10/0x24
[ 0.000000] [pid:0,cpu0,swapper/0] trace_init+0x10/0x30
[ 0.000000] [pid:0,cpu0,swapper/0] start_kernel+0x17c/0x3b4
[ 0.000000] [pid:0,cpu0,swapper/0] __primary_switched+0xbc/0xc4
[ 0.000000] [pid:0,cpu0,swapper/0]
[ 0.000000] [pid:0,cpu0,swapper/0]The buggy address belongs to the object at ffff19f30000d900
which belongs to the cache kmem_cache of size 200
[ 0.000000] [pid:0,cpu0,swapper/0]The buggy address is located 28 bytes inside of
200-byte region [ffff19f30000d900, ffff19f30000d9c8)
[ 0.000000] [pid:0,cpu0,swapper/0]
[ 0.000000] [pid:0,cpu0,swapper/0]The buggy address belongs to the physical page:
[ 0.000000] [pid:0,cpu0,swapper/0]page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10000c
[ 0.000000] [pid:0,cpu0,swapper/0]head:(____ptrval____) order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 0.000000] [pid:0,cpu0,swapper/0]flags: 0xbfffc0000000840(slab|head|node=0|zone=2|lastcpupid=0xffff|kasantag=0x0)
[ 0.000000] [pid:0,cpu0,swapper/0]page_type: 0xffffffff()
[ 0.000000] [pid:0,cpu0,swapper/0]raw: 0bfffc0000000840 f8ff19f300002000 dead000000000122 0000000000000000
[ 0.000000] [pid:0,cpu0,swapper/0]raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
[ 0.000000] [pid:0,cpu0,swapper/0]page dumped because: kasan: bad access detected
[ 0.000000] [pid:0,cpu0,swapper/0]
[ 0.000000] [pid:0,cpu0,swapper/0]Memory state around the buggy address:
[ 0.000000] [pid:0,cpu0,swapper/0] ffff19f30000d700: fc fc fc fc f0 f0 f0 f0 fc fc fc fc fc fe fe fe
[ 0.000000] [pid:0,cpu0,swapper/0] ffff19f30000d800: fd fd fd fd fd fd fd fd fd fd fd fd fd fe fe fe
[ 0.000000] [pid:0,cpu0,swapper/0]>ffff19f30000d900: f0 f0 f0 f0 f0 f0 f0 f0 fc fc fc fc fc fe fe fe
[ 0.000000] [pid:0,cpu0,swapper/0] ^
[ 0.000000] [pid:0,cpu0,swapper/0] ffff19f30000da00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[ 0.000000] [pid:0,cpu0,swapper/0] ffff19f30000db00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[ 0.000000] [pid:0,cpu0,swapper/0]==================================================================
I am glad to provide further information and help if you encounter problems when reproducing or fixing the issue.
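A triage helper for the report above, added here as an example; it is not part of the original issue or of the kernel tree. It recomputes the fields a tag-based KASAN report already states and checks them against each other. The name `triage`, the 16-byte granule constant, the assumption that untagged kernel pointers carry `0xff` in the top byte, and the sample lines (copied from the log with the timestamp and pid prefix stripped) are assumptions of the example.

```python
import re

# Constructed sample: lines copied from the report above, with the
# "[ 0.000000] [pid:0,cpu0,swapper/0]" prefix stripped.
SAMPLE_REPORT = """\
BUG: KASAN: slab-out-of-bounds in kmem_cache_alloc+0x48/0x3b8
Read at addr fcff19f30000d91c by task swapper/0/0
Pointer tag: [fc], memory tag: [f0]
The buggy address belongs to the object at ffff19f30000d900
which belongs to the cache kmem_cache of size 200
>ffff19f30000d900: f0 f0 f0 f0 f0 f0 f0 f0 fc fc fc fc fc fe fe fe
"""

GRANULE = 16          # assumption: bytes covered by one tag in the dump rows
TOP_BYTE = 0xFF << 56  # assumption: untagged kernel pointers have 0xff on top


def triage(report):
    """Cross-check the fields of a tag-based KASAN report."""
    def grab(pattern):
        m = re.search(pattern, report, re.M)
        if m is None:
            raise ValueError(f"field not found: {pattern}")
        return m

    addr = int(grab(r"at addr ([0-9a-f]{16})").group(1), 16)
    tags_m = grab(r"Pointer tag: \[([0-9a-f]{2})\], memory tag: \[([0-9a-f]{2})\]")
    ptr_tag, mem_tag = (int(t, 16) for t in tags_m.groups())
    obj = int(grab(r"object at ([0-9a-f]{16})").group(1), 16)
    size = int(grab(r"cache \S+ of size (\d+)").group(1))
    row = grab(r"^>([0-9a-f]{16}):((?: [0-9a-f]{2})+)")
    row_base = int(row.group(1), 16)
    tags = [int(t, 16) for t in row.group(2).split()]

    untagged = addr | TOP_BYTE            # drop the pointer tag
    offset = untagged - obj               # position inside the slab object
    granule = (untagged - row_base) // GRANULE
    return {
        "offset": offset,
        "in_bounds": 0 <= offset < size,
        "tag_in_address": addr >> 56 == ptr_tag,
        "granule_index": granule,
        "dump_matches_memory_tag": tags[granule] == mem_tag,
        "tag_mismatch": ptr_tag != mem_tag,
    }
```

For this report the access falls 28 bytes into the 200-byte object, so the fault is a mismatch between the pointer tag `fc` and the memory tag `f0` on a granule of the object itself, not an access past its end.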