Greeting, FYI, we noticed the following commit (built with gcc-9): commit: f009495a8def89a71b9e0b9025a39379d6f9097d ("Reimplement RLIMIT_MEMLOCK on top of ucounts") https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git Alexey-Gladkov/Count-rlimits-in-each-user-namespace/20210215-204524 in testcase: trinity version: trinity-x86_64-4d2343bd-1_20210105 with following parameters: runtime: 300s test-description: Trinity is a linux system call fuzz tester. test-url: http://codemonkey.org.uk/projects/trinity/ on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 8G caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace): +---------------------------------------------+------------+------------+ | | ebc4144c8c | f009495a8d | +---------------------------------------------+------------+------------+ | boot_successes | 12 | 3 | | boot_failures | 0 | 9 | | BUG:KASAN:use-after-free_in_user_shm_unlock | 0 | 9 | +---------------------------------------------+------------+------------+ If you fix the issue, kindly add following tag Reported-by: kernel test robot [ 379.451460] BUG: KASAN: use-after-free in user_shm_unlock (kbuild/src/consumer/mm/mlock.c:839) [ 379.452995] Read of size 8 at addr ffff888117ff7e90 by task trinity-c2/3961 [ 379.454626] [ 379.455018] CPU: 0 PID: 3961 Comm: trinity-c2 Tainted: G E 5.11.0-rc7-00017-gf009495a8def #1 [ 379.457212] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 [ 379.459153] Call Trace: [ 379.459777] print_address_description+0x18/0x26f [ 379.461168] ? user_shm_unlock (kbuild/src/consumer/mm/mlock.c:839) [ 379.462171] kasan_report (kbuild/src/consumer/mm/kasan/report.c:397 kbuild/src/consumer/mm/kasan/report.c:413) [ 379.463132] ? user_shm_unlock (kbuild/src/consumer/mm/mlock.c:839) [ 379.464053] user_shm_unlock (kbuild/src/consumer/mm/mlock.c:839) [ 379.464986] shmem_lock (kbuild/src/consumer/mm/shmem.c:2247) [ 379.465741] shmctl_do_lock (kbuild/src/consumer/ipc/shm.c:1124) [ 379.466611] ksys_shmctl+0x19b/0x1e2 [ 379.467620] ? __x32_compat_sys_shmctl (kbuild/src/consumer/ipc/shm.c:1141) [ 379.468612] ? lock_acquire (kbuild/src/consumer/kernel/locking/lockdep.c:437 kbuild/src/consumer/kernel/locking/lockdep.c:5444) [ 379.469427] ? find_held_lock (kbuild/src/consumer/kernel/locking/lockdep.c:4956) [ 379.470301] ? __context_tracking_exit (kbuild/src/consumer/kernel/context_tracking.c:161) [ 379.471508] ? lock_downgrade (kbuild/src/consumer/kernel/locking/lockdep.c:5450) [ 379.472561] ? kvm_clock_read (kbuild/src/consumer/arch/x86/include/asm/preempt.h:84 kbuild/src/consumer/arch/x86/kernel/kvmclock.c:90) [ 379.473521] ? account_steal_time (kbuild/src/consumer/kernel/sched/cputime.c:212) [ 379.474581] ? account_other_time (kbuild/src/consumer/kernel/sched/cputime.c:245 kbuild/src/consumer/kernel/sched/cputime.c:262) [ 379.475544] ? mark_held_locks (kbuild/src/consumer/kernel/locking/lockdep.c:4000 (discriminator 1)) [ 379.476491] ? lockdep_hardirqs_on_prepare (kbuild/src/consumer/kernel/locking/lockdep.c:437 kbuild/src/consumer/kernel/locking/lockdep.c:4099) [ 379.477743] do_syscall_64 (kbuild/src/consumer/arch/x86/entry/common.c:46) [ 379.478611] entry_SYSCALL_64_after_hwframe (kbuild/src/consumer/arch/x86/entry/entry_64.S:127) [ 379.479768] RIP: 0033:0x7f79708ebf59 [ 379.480640] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 07 6f 0c 00 f7 d8 64 89 01 48 All code ======== 0: 00 c3 add %al,%bl 2: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1) 9: 00 00 00 c: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) 11: 48 89 f8 mov %rdi,%rax 14: 48 89 f7 mov %rsi,%rdi 17: 48 89 d6 mov %rdx,%rsi 1a: 48 89 ca mov %rcx,%rdx 1d: 4d 89 c2 mov %r8,%r10 20: 4d 89 c8 mov %r9,%r8 23: 4c 8b 4c 24 08 mov 0x8(%rsp),%r9 28: 0f 05 syscall 2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction 30: 73 01 jae 0x33 32: c3 retq 33: 48 8b 0d 07 6f 0c 00 mov 0xc6f07(%rip),%rcx # 0xc6f41 3a: f7 d8 neg %eax 3c: 64 89 01 mov %eax,%fs:(%rcx) 3f: 48 rex.W Code starting with the faulting instruction =========================================== 0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax 6: 73 01 jae 0x9 8: c3 retq 9: 48 8b 0d 07 6f 0c 00 mov 0xc6f07(%rip),%rcx # 0xc6f17 10: f7 d8 neg %eax 12: 64 89 01 mov %eax,%fs:(%rcx) 15: 48 rex.W [ 379.484875] RSP: 002b:00007ffd0b8ac428 EFLAGS: 00000246 ORIG_RAX: 000000000000001f [ 379.486602] RAX: ffffffffffffffda RBX: 000000000000001f RCX: 00007f79708ebf59 [ 379.488077] RDX: 0000000000000004 RSI: 000000000000000c RDI: 0000000000000000 [ 379.489493] RBP: 000000000000001f R08: 0000a7fc6cf3f14d R09: 0000000008000000 [ 379.491020] R10: ffffffffffffff71 R11: 0000000000000246 R12: 0000000000000002 [ 379.492661] R13: 00007f796f2bb058 R14: 00007f79707d46c0 R15: 00007f796f2bb000 [ 379.494454] [ 379.494871] Allocated by task 0: [ 379.495620] (stack is not available) [ 379.496488] [ 379.496893] Freed by task 10: [ 379.497655] kasan_save_stack (kbuild/src/consumer/mm/kasan/common.c:38) [ 379.498658] kasan_set_track (kbuild/src/consumer/mm/kasan/common.c:46) [ 379.499609] kasan_set_free_info (kbuild/src/consumer/mm/kasan/generic.c:358) [ 379.500681] ____kasan_slab_free (kbuild/src/consumer/mm/kasan/common.c:364) [ 379.501725] slab_free_freelist_hook (kbuild/src/consumer/mm/slub.c:1580) [ 379.502861] kmem_cache_free (kbuild/src/consumer/mm/slub.c:3143 kbuild/src/consumer/mm/slub.c:3159) [ 379.503731] rcu_process_callbacks (kbuild/src/consumer/include/linux/rcupdate.h:264 kbuild/src/consumer/kernel/rcu/tiny.c:99 kbuild/src/consumer/kernel/rcu/tiny.c:130) [ 379.504755] __do_softirq (kbuild/src/consumer/include/linux/instrumented.h:71 kbuild/src/consumer/include/asm-generic/atomic-instrumented.h:27 kbuild/src/consumer/include/linux/jump_label.h:254 kbuild/src/consumer/include/linux/jump_label.h:264 kbuild/src/consumer/include/trace/events/irq.h:142 kbuild/src/consumer/kernel/softirq.c:344) [ 379.505618] [ 379.505979] The buggy address belongs to the object at ffff888117ff7e00 [ 379.505979] which belongs to the cache cred_jar of size 176 [ 379.508744] The buggy address is located 144 bytes inside of [ 379.508744] 176-byte region [ffff888117ff7e00, ffff888117ff7eb0) [ 379.511290] The buggy address belongs to the page: [ 379.512399] page:0000000097ece402 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x117ff7 [ 379.514652] flags: 0x8000000000000200(slab) [ 379.515652] raw: 8000000000000200 dead000000000100 dead000000000122 ffff888100372a00 [ 379.517377] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 [ 379.519257] page dumped because: kasan: bad access detected [ 379.520478] [ 379.520835] Memory state around the buggy address: [ 379.521953] ffff888117ff7d80: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc [ 379.523570] ffff888117ff7e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 379.525357] >ffff888117ff7e80: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc [ 379.527029] ^ [ 379.527887] ffff888117ff7f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 379.529581] ffff888117ff7f80: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc [ 379.531334] ================================================================== [ 379.533107] Disabling lock debugging due to kernel taint [ 379.755941] [main] kernel became tainted! (8224/8192) Last seed was 782038633 [ 379.756009] [ 379.773617] trinity: Detected kernel tainting. Last seed was 782038633 [ 379.773690] [ 379.789324] [main] exit_reason=7, but 3 children still running. [ 379.789394] [ 381.812865] [main] Bailing main loop because kernel became tainted.. [ 381.812932] [ 382.091273] [main] Ran 93208 syscalls. Successes: 23634 Failures: 67538 [ 382.091348] [ 405.279282] /lkp/lkp/src/tests/trinity: 45: kill: No such process [ 405.279354] [ 405.298590] [ 405.298646] [ 405.656613] /usr/bin/wget -q --timeout=1800 --tries=1 --local-encoding=UTF-8 http://internal-lkp-server:80/~lkp/cgi-bin/lkp-jobfile-append-var?job_file=/lkp/jobs/scheduled/vm-snb-124/trinity-300s-debian-10.4-x86_64-20200603.cgz-f009495a8def89a71b9e0b9025a39379d6f9097d-20210217-33540-1tuu5rt-2.yaml&job_state=post_run -O /dev/null [ 405.656700] [ 407.339684] kill 377 vmstat --timestamp -n 10 [ 407.339744] [ 407.453173] kill 375 dmesg --follow --decode [ 407.453237] [ 407.547712] wait for background processes: 379 meminfo [ 407.547783] [ 415.539948] sysrq: Emergency Sync [ 415.540999] Emergency Sync complete [ 415.544090] sysrq: Resetting Kboot worker: lkp-worker31 Elapsed time: 420 kvm=( qemu-system-x86_64 -enable-kvm -cpu SandyBridge -kernel $kernel -initrd initrd-vm-snb-124.cgz -m 8192 -smp 2 -device e1000,netdev=net0 -netdev user,id=net0,hostfwd=tcp::32032-:22 -boot order=nc -no-reboot -watchdog i6300esb -watchdog-action debug -rtc base=localtime -serial stdio -display none -monitor null ) append=( ip=::::vm-snb-124::dhcp root=/dev/ram0 To reproduce: # build kernel cd linux cp config-5.11.0-rc7-00017-gf009495a8def .config make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage git clone https://github.com/intel/lkp-tests.git cd lkp-tests bin/lkp qemu -k job-script # job-script is attached in this email Thanks, Oliver Sang