Greeting, FYI, we noticed the following commit (built with gcc-9): commit: c632dadc104622423c7fa2ad6f0b2135ebe5610c ("Reimplement RLIMIT_NPROC on top of ucounts") https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git Alexey-Gladkov/Count-rlimits-in-each-user-namespace/20210201-222426 in testcase: trinity version: trinity-static-x86_64-x86_64-f93256fb_2019-08-28 with following parameters: runtime: 300s test-description: Trinity is a linux system call fuzz tester. test-url: http://codemonkey.org.uk/projects/trinity/ on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 8G caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace): +------------------------------------------------------+------------+------------+ | | 841f02dc98 | c632dadc10 | +------------------------------------------------------+------------+------------+ | boot_successes | 3 | 0 | | boot_failures | 1 | 4 | | BUG:KASAN:slab-out-of-bounds_in_fq_pie_qdisc_enqueue | 1 | | | BUG:KASAN:null-ptr-deref_in_is_ucounts_overlimit | 0 | 4 | | canonical_address#:#[##] | 0 | 4 | | RIP:is_ucounts_overlimit | 0 | 4 | | Kernel_panic-not_syncing:Fatal_exception | 0 | 4 | +------------------------------------------------------+------------+------------+ If you fix the issue, kindly add following tag Reported-by: kernel test robot [ 29.404316] BUG: KASAN: null-ptr-deref in is_ucounts_overlimit (kbuild/src/consumer/arch/x86/include/asm/atomic64_64.h:22 kbuild/src/consumer/include/asm-generic/atomic-instrumented.h:838 kbuild/src/consumer/include/asm-generic/atomic-long.h:29 kbuild/src/consumer/include/linux/user_namespace.h:114 kbuild/src/consumer/kernel/ucount.c:295) [ 29.405519] Read of size 8 at addr 0000000000000070 by task trinity-main/327 [ 29.406769] [ 29.407070] CPU: 0 PID: 327 Comm: trinity-main Not tainted 5.11.0-rc2-00005-gc632dadc1046 #1 [ 29.408563] Call Trace: [ 29.409043] dump_stack (kbuild/src/consumer/lib/dump_stack.c:131) [ 29.409673] kasan_report.cold (kbuild/src/consumer/mm/kasan/report.c:400 kbuild/src/consumer/mm/kasan/report.c:413) [ 29.410443] ? is_ucounts_overlimit (kbuild/src/consumer/arch/x86/include/asm/atomic64_64.h:22 kbuild/src/consumer/include/asm-generic/atomic-instrumented.h:838 kbuild/src/consumer/include/asm-generic/atomic-long.h:29 kbuild/src/consumer/include/linux/user_namespace.h:114 kbuild/src/consumer/kernel/ucount.c:295) [ 29.411245] check_memory_region (kbuild/src/consumer/mm/kasan/generic.c:179 kbuild/src/consumer/mm/kasan/generic.c:185) [ 29.411980] __kasan_check_read (kbuild/src/consumer/mm/kasan/shadow.c:31) [ 29.412702] is_ucounts_overlimit (kbuild/src/consumer/arch/x86/include/asm/atomic64_64.h:22 kbuild/src/consumer/include/asm-generic/atomic-instrumented.h:838 kbuild/src/consumer/include/asm-generic/atomic-long.h:29 kbuild/src/consumer/include/linux/user_namespace.h:114 kbuild/src/consumer/kernel/ucount.c:295) [ 29.413481] copy_process (kbuild/src/consumer/kernel/fork.c:1969) [ 29.414164] ? copy_process (kbuild/src/consumer/include/linux/rcupdate.h:253 (discriminator 4) kbuild/src/consumer/include/linux/rcupdate.h:642 (discriminator 4) kbuild/src/consumer/kernel/fork.c:1969 (discriminator 4)) [ 29.414882] ? do_raw_spin_unlock (kbuild/src/consumer/kernel/locking/spinlock_debug.c:100 kbuild/src/consumer/kernel/locking/spinlock_debug.c:138) [ 29.415744] ? __cleanup_sighand (kbuild/src/consumer/kernel/fork.c:1853) [ 29.416514] kernel_clone (kbuild/src/consumer/kernel/fork.c:2465) [ 29.417177] ? kvm_sched_clock_read (kbuild/src/consumer/arch/x86/include/asm/preempt.h:84 kbuild/src/consumer/arch/x86/kernel/kvmclock.c:90 kbuild/src/consumer/arch/x86/kernel/kvmclock.c:101) [ 29.417990] ? copy_init_mm (kbuild/src/consumer/kernel/fork.c:2425) [ 29.418683] ? __might_sleep (kbuild/src/consumer/kernel/sched/core.c:7856 (discriminator 24)) [ 29.419379] ? __kasan_check_read (kbuild/src/consumer/mm/kasan/shadow.c:31) [ 29.420107] ? perf_syscall_enter (kbuild/src/consumer/arch/x86/include/asm/bitops.h:214 kbuild/src/consumer/include/asm-generic/bitops/instrumented-non-atomic.h:135 kbuild/src/consumer/kernel/trace/trace_syscalls.c:606) [ 29.420858] ? __kasan_check_read (kbuild/src/consumer/mm/kasan/shadow.c:31) [ 29.421605] __do_sys_clone (kbuild/src/consumer/kernel/fork.c:2571) [ 29.422280] ? __do_sys_vfork (kbuild/src/consumer/kernel/fork.c:2571) [ 29.422990] ? __rseq_handle_notify_resume (kbuild/src/consumer/kernel/rseq.c:290) [ 29.423940] ? syscall_trace_enter+0x78/0x2a0 [ 29.424819] ? exit_to_user_mode_prepare (kbuild/src/consumer/kernel/entry/common.c:210) [ 29.425704] __x64_sys_clone (kbuild/src/consumer/kernel/fork.c:2566) [ 29.426415] do_syscall_64 (kbuild/src/consumer/arch/x86/entry/common.c:46) [ 29.427064] entry_SYSCALL_64_after_hwframe (kbuild/src/consumer/arch/x86/entry/entry_64.S:127) [ 29.427930] RIP: 0033:0x44f39b [ 29.428471] Code: db 45 85 f6 0f 85 95 01 00 00 64 4c 8b 04 25 10 00 00 00 31 d2 4d 8d 90 d0 02 00 00 31 f6 bf 11 00 20 01 b8 38 00 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 d6 00 00 00 85 c0 41 89 c5 0f 85 dd 00 00 All code ======== 0: db 45 85 fildl -0x7b(%rbp) 3: f6 (bad) 4: 0f 85 95 01 00 00 jne 0x19f a: 64 4c 8b 04 25 10 00 mov %fs:0x10,%r8 11: 00 00 13: 31 d2 xor %edx,%edx 15: 4d 8d 90 d0 02 00 00 lea 0x2d0(%r8),%r10 1c: 31 f6 xor %esi,%esi 1e: bf 11 00 20 01 mov $0x1200011,%edi 23: b8 38 00 00 00 mov $0x38,%eax 28: 0f 05 syscall 2a:* 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax <-- trapping instruction 30: 0f 87 d6 00 00 00 ja 0x10c 36: 85 c0 test %eax,%eax 38: 41 89 c5 mov %eax,%r13d 3b: 0f .byte 0xf 3c: 85 dd test %ebx,%ebp ... Code starting with the faulting instruction =========================================== 0: 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax 6: 0f 87 d6 00 00 00 ja 0xe2 c: 85 c0 test %eax,%eax e: 41 89 c5 mov %eax,%r13d 11: 0f .byte 0xf 12: 85 dd test %ebx,%ebp ... [ 29.431684] RSP: 002b:00007ffd7e3b30e0 EFLAGS: 00000246 ORIG_RAX: 0000000000000038 [ 29.433032] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000044f39b [ 29.434290] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011 [ 29.435563] RBP: 00007ffd7e3b3110 R08: 0000000001e9c880 R09: 0000000001e9c880 [ 29.436780] R10: 0000000001e9cb50 R11: 0000000000000246 R12: 0000000000000000 [ 29.438033] R13: 0000000000000002 R14: 0000000000000000 R15: 00007ffd7e3b33a0 [ 29.439287] ================================================================== [ 29.440532] Disabling lock debugging due to kernel taint [ 29.441442] general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] KASAN [ 29.443064] KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077] [ 29.444393] CPU: 0 PID: 327 Comm: trinity-main Tainted: G B 5.11.0-rc2-00005-gc632dadc1046 #1 [ 29.446018] RIP: 0010:is_ucounts_overlimit (kbuild/src/consumer/arch/x86/include/asm/atomic64_64.h:22 kbuild/src/consumer/include/asm-generic/atomic-instrumented.h:838 kbuild/src/consumer/include/asm-generic/atomic-long.h:29 kbuild/src/consumer/include/linux/user_namespace.h:114 kbuild/src/consumer/kernel/ucount.c:295) [ 29.446909] Code: 20 00 00 00 48 89 45 c0 4c 8d 34 07 be 08 00 00 00 4c 89 f7 e8 29 40 4d 00 4c 89 f2 48 c1 ea 03 48 b8 00 00 00 00 00 fc ff df <80> 3c 02 00 0f 85 38 01 00 00 49 8b 06 49 39 c5 0f 8c ca 00 00 00 All code ======== 0: 20 00 and %al,(%rax) 2: 00 00 add %al,(%rax) 4: 48 89 45 c0 mov %rax,-0x40(%rbp) 8: 4c 8d 34 07 lea (%rdi,%rax,1),%r14 c: be 08 00 00 00 mov $0x8,%esi 11: 4c 89 f7 mov %r14,%rdi 14: e8 29 40 4d 00 callq 0x4d4042 19: 4c 89 f2 mov %r14,%rdx 1c: 48 c1 ea 03 shr $0x3,%rdx 20: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax 27: fc ff df 2a:* 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction 2e: 0f 85 38 01 00 00 jne 0x16c 34: 49 8b 06 mov (%r14),%rax 37: 49 39 c5 cmp %rax,%r13 3a: 0f 8c ca 00 00 00 jl 0x10a Code starting with the faulting instruction =========================================== 0: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) 4: 0f 85 38 01 00 00 jne 0x142 a: 49 8b 06 mov (%r14),%rax d: 49 39 c5 cmp %rax,%r13 10: 0f 8c ca 00 00 00 jl 0xe0 [ 29.450051] RSP: 0018:ffff888106a7fb08 EFLAGS: 00010202 [ 29.450984] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 29.452146] RDX: 000000000000000e RSI: 0000000000000000 RDI: ffffffffa33e2ab0 [ 29.453271] RBP: ffff888106a7fb48 R08: 1ffffffff4670049 R09: fffffbfff467004a [ 29.454456] R10: ffffffffa338024b R11: fffffbfff4670049 R12: 000000000000000a [ 29.455700] R13: 0000000000003499 R14: 0000000000000070 R15: 1ffff11020d4ff81 [ 29.456979] FS: 0000000001e9c880(0000) GS:ffffffffa22ba000(0000) knlGS:0000000000000000 [ 29.458325] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 29.459327] CR2: 0000000001e9c830 CR3: 0000000106783000 CR4: 00000000000406f0 [ 29.460467] Call Trace: [ 29.460863] copy_process (kbuild/src/consumer/kernel/fork.c:1969) [ 29.461431] ? copy_process (kbuild/src/consumer/include/linux/rcupdate.h:253 (discriminator 4) kbuild/src/consumer/include/linux/rcupdate.h:642 (discriminator 4) kbuild/src/consumer/kernel/fork.c:1969 (discriminator 4)) [ 29.462023] ? do_raw_spin_unlock (kbuild/src/consumer/kernel/locking/spinlock_debug.c:100 kbuild/src/consumer/kernel/locking/spinlock_debug.c:138) [ 29.462800] ? __cleanup_sighand (kbuild/src/consumer/kernel/fork.c:1853) [ 29.463450] kernel_clone (kbuild/src/consumer/kernel/fork.c:2465) [ 29.464120] ? kvm_sched_clock_read (kbuild/src/consumer/arch/x86/include/asm/preempt.h:84 kbuild/src/consumer/arch/x86/kernel/kvmclock.c:90 kbuild/src/consumer/arch/x86/kernel/kvmclock.c:101) [ 29.464897] ? copy_init_mm (kbuild/src/consumer/kernel/fork.c:2425) [ 29.465572] ? __might_sleep (kbuild/src/consumer/kernel/sched/core.c:7856 (discriminator 24)) [ 29.466205] ? __kasan_check_read (kbuild/src/consumer/mm/kasan/shadow.c:31) [ 29.466957] ? perf_syscall_enter (kbuild/src/consumer/arch/x86/include/asm/bitops.h:214 kbuild/src/consumer/include/asm-generic/bitops/instrumented-non-atomic.h:135 kbuild/src/consumer/kernel/trace/trace_syscalls.c:606) [ 29.467704] ? __kasan_check_read (kbuild/src/consumer/mm/kasan/shadow.c:31) [ 29.468366] __do_sys_clone (kbuild/src/consumer/kernel/fork.c:2571) [ 29.468976] ? __do_sys_vfork (kbuild/src/consumer/kernel/fork.c:2571) [ 29.469629] ? __rseq_handle_notify_resume (kbuild/src/consumer/kernel/rseq.c:290) [ 29.470506] ? syscall_trace_enter+0x78/0x2a0 [ 29.471353] ? exit_to_user_mode_prepare (kbuild/src/consumer/kernel/entry/common.c:210) [ 29.472187] __x64_sys_clone (kbuild/src/consumer/kernel/fork.c:2566) [ 29.472840] do_syscall_64 (kbuild/src/consumer/arch/x86/entry/common.c:46) [ 29.473454] entry_SYSCALL_64_after_hwframe (kbuild/src/consumer/arch/x86/entry/entry_64.S:127) [ 29.474313] RIP: 0033:0x44f39b [ 29.474845] Code: db 45 85 f6 0f 85 95 01 00 00 64 4c 8b 04 25 10 00 00 00 31 d2 4d 8d 90 d0 02 00 00 31 f6 bf 11 00 20 01 b8 38 00 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 d6 00 00 00 85 c0 41 89 c5 0f 85 dd 00 00 All code ======== 0: db 45 85 fildl -0x7b(%rbp) 3: f6 (bad) 4: 0f 85 95 01 00 00 jne 0x19f a: 64 4c 8b 04 25 10 00 mov %fs:0x10,%r8 11: 00 00 13: 31 d2 xor %edx,%edx 15: 4d 8d 90 d0 02 00 00 lea 0x2d0(%r8),%r10 1c: 31 f6 xor %esi,%esi 1e: bf 11 00 20 01 mov $0x1200011,%edi 23: b8 38 00 00 00 mov $0x38,%eax 28: 0f 05 syscall 2a:* 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax <-- trapping instruction 30: 0f 87 d6 00 00 00 ja 0x10c 36: 85 c0 test %eax,%eax 38: 41 89 c5 mov %eax,%r13d 3b: 0f .byte 0xf 3c: 85 dd test %ebx,%ebp To reproduce: # build kernel cd linux cp config-5.11.0-rc2-00005-gc632dadc1046 .config make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage git clone https://github.com/intel/lkp-tests.git cd lkp-tests bin/lkp qemu -k job-script # job-script is attached in this email Thanks, Oliver Sang