Hello,

FYI this happens in mainline kernel 4.15.0-rc1. It looks like a new regression and hard to bisect. It occurs in 1 out of 57 boots.

[   10.009610] chown (367) used greatest stack depth: 26944 bytes left
Kernel tests: Boot OK!
[   30.357729] trinity-main uses obsolete (PF_INET,SOCK_PACKET)
[   31.301433] sock: process `trinity-main' is using obsolete setsockopt SO_BSDCOMPAT
[   31.310289] ==================================================================
[   31.311490] BUG: KASAN: slab-out-of-bounds in perf_callchain_user+0x494/0x530: perf_callchain_store at include/linux/perf_event.h:1128 (inlined by) perf_callchain_user at arch/x86/events/core.c:2485
[   31.312659] Write of size 8 at addr ffff880011101300 by task trinity-main/518
[   31.313842]
[   31.314110] CPU: 0 PID: 518 Comm: trinity-main Not tainted 4.15.0-rc1 #138
[   31.315231] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[   31.316589] Call Trace:
[   31.317012]  ? dump_stack+0x7d/0xb4: dump_stack at lib/dump_stack.c:55
[   31.317599]  ? print_address_description+0x7c/0x21c: print_address_description at mm/kasan/report.c:253
[   31.318407]  ? perf_callchain_user+0x494/0x530: perf_callchain_store at include/linux/perf_event.h:1128 (inlined by) perf_callchain_user at arch/x86/events/core.c:2485
[   31.319142]  ? kasan_report+0x225/0x24b: kasan_report_error at mm/kasan/report.c:352 (inlined by) kasan_report at mm/kasan/report.c:409
[   31.319790]  ? perf_callchain_user+0x494/0x530: perf_callchain_store at include/linux/perf_event.h:1128 (inlined by) perf_callchain_user at arch/x86/events/core.c:2485
[   31.320523]  ? perf_callchain_kernel+0x20d/0x248: perf_callchain_kernel at arch/x86/events/core.c:2350 (discriminator 1)
[   31.321300]  ? perf_callchain_kernel+0x248/0x248: perf_callchain_user at arch/x86/events/core.c:2443
[   31.322063]  ? arch_perf_update_userpage+0x17d/0x17d: perf_callchain_kernel at arch/x86/events/core.c:2338
[   31.322887]  ? get_perf_callchain+0x2e4/0x356: set_fs at arch/x86/include/asm/uaccess.h:32 (inlined by) get_perf_callchain at kernel/events/callchain.c:243
[   31.323606]  ? put_callchain_buffers+0x42/0x42: get_perf_callchain at kernel/events/callchain.c:199
[   31.324346]  ? irq_exit+0x86/0xa7: irq_exit at kernel/softirq.c:409
[   31.324907]  ? perf_callchain+0xbb/0xc8: perf_callchain at kernel/events/callchain.c:193
[   31.325541]  ? schedule+0x29/0x42: constant_test_bit at arch/x86/include/asm/bitops.h:325 (discriminator 1) (inlined by) test_ti_thread_flag at include/linux/thread_info.h:79 (discriminator 1) (inlined by) need_resched at include/linux/sched.h:1620 (discriminator 1) (inlined by) schedule at kernel/sched/core.c:3436 (discriminator 1)
[   31.326100]  ? perf_prepare_sample+0x12b/0x832: perf_prepare_sample at kernel/events/core.c:6004
[   31.326841]  ? is_bpf_text_address+0xc/0x1a: __preempt_count_sub at arch/x86/include/asm/preempt.h:81 (inlined by) __rcu_read_unlock at include/linux/rcupdate.h:89 (inlined by) rcu_read_unlock at include/linux/rcupdate.h:686 (inlined by) is_bpf_text_address at kernel/bpf/core.c:466
[   31.327531]  ? perf_output_sample+0x9e7/0x9e7: perf_prepare_sample at kernel/events/core.c:5987
[   31.328251]  ? __kernel_text_address+0x9/0x2b: __kernel_text_address at kernel/extable.c:107
[   31.328972]  ? unwind_next_frame+0x7a/0x101: unwind_next_frame at arch/x86/kernel/unwind_guess.c:38 (discriminator 2)
[   31.329662]  ? unwind_get_return_address+0x6f/0x99: unwind_get_return_address at arch/x86/kernel/unwind_guess.c:15 (discriminator 2)
[   31.330452]  ? __unwind_start+0xb2/0xb2: unwind_get_return_address at arch/x86/kernel/unwind_guess.c:9
[   31.331094]  ? perf_event_output_backward+0x78/0xe1: __perf_event_output at kernel/events/core.c:6122 (inlined by) perf_event_output_backward at kernel/events/core.c:6146
[   31.331900]  ? perf_event_output_forward+0xe1/0xe1: perf_event_output_backward at kernel/events/core.c:6145
[   31.332691]  ? memcmp+0x26/0x46: memcmp at lib/string.c:861
[   31.333216]  ? depot_save_stack+0x16b/0x3fd: find_stack at lib/stackdepot.c:175 (inlined by) depot_save_stack at lib/stackdepot.c:225
[   31.333917]  ? kasan_kmalloc+0x120/0x143: set_track at mm/kasan/kasan.c:459 (inlined by) kasan_kmalloc at mm/kasan/kasan.c:551
[   31.334562]  ? __perf_event_account_interrupt+0x9f/0x10d: __perf_event_account_interrupt at kernel/events/core.c:7320
[   31.335437]  ? __perf_event_overflow+0xbd/0x12f: perf_event_fasync at kernel/events/core.c:5414 (discriminator 1) (inlined by) __perf_event_overflow at kernel/events/core.c:7373 (discriminator 1)
[   31.336182]  ? perf_swevent_overflow+0x49/0x61: perf_swevent_overflow at kernel/events/core.c:7447
[   31.336923]  ? ___perf_sw_event+0x1b9/0x1f1: do_perf_sw_event at kernel/events/core.c:7588 (inlined by) ___perf_sw_event at kernel/events/core.c:7619
[   31.337614]  ? perf_pending_event+0x6e/0x6e: ___perf_sw_event at kernel/events/core.c:7612
[   31.338309]  ? address_space_init_once+0xbd/0xc8: address_space_init_once at fs/inode.c:356
[   31.339070]  ? __list_add_valid+0x40/0x87: __list_add_valid at lib/list_debug.c:26 (discriminator 8)
[   31.339743]  ? cache_grow_end+0xd3/0x140: __list_add at include/linux/list.h:60 (inlined by) list_add at include/linux/list.h:79 (inlined by) fixup_slab_list at mm/slab.c:2840 (inlined by) cache_grow_end at mm/slab.c:2732
[   31.340391]  ? do_raw_spin_unlock+0xae/0xc0: debug_spin_unlock at kernel/locking/spinlock_debug.c:103 (inlined by) do_raw_spin_unlock at kernel/locking/spinlock_debug.c:134
[   31.341085]  ? _raw_spin_unlock+0x5/0xd: __preempt_count_sub at arch/x86/include/asm/preempt.h:81 (inlined by) __raw_spin_unlock at include/linux/spinlock_api_smp.h:152 (inlined by) _raw_spin_unlock at kernel/locking/spinlock.c:183
[   31.341728]  ? schedule+0x29/0x42: constant_test_bit at arch/x86/include/asm/bitops.h:325 (discriminator 1) (inlined by) test_ti_thread_flag at include/linux/thread_info.h:79 (discriminator 1) (inlined by) need_resched at include/linux/sched.h:1620 (discriminator 1) (inlined by) schedule at kernel/sched/core.c:3436 (discriminator 1)
[   31.342282]  ? sk_prot_alloc+0x35/0xff
[   31.343007]  ? init_timer_key+0x1d/0xe9: __read_once_size at include/linux/compiler.h:183 (inlined by) atomic_read at arch/x86/include/asm/atomic.h:27 (inlined by) static_key_count at include/linux/jump_label.h:191 (inlined by) static_key_false at include/linux/jump_label.h:201 (inlined by) trace_timer_init at include/trace/events/timer.h:33 (inlined by) debug_init at kernel/time/timer.c:741 (inlined by) init_timer_key at kernel/time/timer.c:789
[   31.343642]  ? sock_init_data+0x42/0x39e: sock_init_data at net/core/sock.c:2690
[   31.344302]  ? SyS_socket+0x72/0xf5
[   31.344884]  ? rb_next+0x66/0x75: rb_next at lib/rbtree.c:553 (discriminator 1)
[   31.345426]  ? __update_load_avg_cfs_rq+0x20/0x29e
[   31.346312]  ? set_next_entity+0x91c/0x92f: set_next_entity at kernel/sched/fair.c:4182
[   31.346994]  ? pick_next_entity+0x143/0x151: pick_next_entity at kernel/sched/fair.c:4244
[   31.347687]  ? __list_add_valid+0x40/0x87: __list_add_valid at lib/list_debug.c:26 (discriminator 8)
[   31.348354]  ? pick_next_task_fair+0x31f/0x7a4: __write_once_size at include/linux/compiler.h:212 (inlined by) __list_add at include/linux/list.h:66 (inlined by) list_add at include/linux/list.h:79 (inlined by) list_move at include/linux/list.h:171 (inlined by) pick_next_task_fair at kernel/sched/fair.c:6682
[   31.349093]  ? __mutex_init+0x58/0x73: __write_once_size at include/linux/compiler.h:211 (inlined by) atomic_set at arch/x86/include/asm/atomic.h:39 (inlined by) osq_lock_init at include/linux/osq_lock.h:30 (inlined by) __mutex_init at kernel/locking/mutex.c:45
[   31.349710]  ? load_balance+0xdab/0xdab: pick_next_task_fair at kernel/sched/fair.c:6576
[   31.350344]  ? alloc_file+0x142/0x156: alloc_file at fs/file_table.c:179
[   31.350954]  ? __schedule+0x933/0x967: perf_sw_event_sched at include/linux/perf_event.h:1043 (inlined by) perf_event_task_sched_out at include/linux/perf_event.h:1081 (inlined by) prepare_task_switch at kernel/sched/core.c:2592 (inlined by) context_switch at kernel/sched/core.c:2764 (inlined by) __schedule at kernel/sched/core.c:3375
[   31.351560]  ? __schedule+0x933/0x967: perf_sw_event_sched at include/linux/perf_event.h:1043 (inlined by) perf_event_task_sched_out at include/linux/perf_event.h:1081 (inlined by) prepare_task_switch at kernel/sched/core.c:2592 (inlined by) context_switch at kernel/sched/core.c:2764 (inlined by) __schedule at kernel/sched/core.c:3375
[   31.352170]  ? sock_init_data+0x38b/0x39e: __write_once_size at include/linux/compiler.h:211 (inlined by) atomic_set at arch/x86/include/asm/atomic.h:39 (inlined by) sock_init_data at net/core/sock.c:2755
[   31.352847]  ? schedule+0x29/0x42: constant_test_bit at arch/x86/include/asm/bitops.h:325 (discriminator 1) (inlined by) test_ti_thread_flag at include/linux/thread_info.h:79 (discriminator 1) (inlined by) need_resched at include/linux/sched.h:1620 (discriminator 1) (inlined by) schedule at kernel/sched/core.c:3436 (discriminator 1)
[   31.353401]  ? sysctl_net_exit+0x13/0x13: __schedule at kernel/sched/core.c:3288
[   31.354051]  ? schedule+0x29/0x42: constant_test_bit at arch/x86/include/asm/bitops.h:325 (discriminator 1) (inlined by) test_ti_thread_flag at include/linux/thread_info.h:79 (discriminator 1) (inlined by) need_resched at include/linux/sched.h:1620 (discriminator 1) (inlined by) schedule at kernel/sched/core.c:3436 (discriminator 1)
[   31.354605]  ? exit_to_usermode_loop+0x36/0xa1: exit_to_usermode_loop at arch/x86/entry/common.c:153
[   31.355346]  ? syscall_return_slowpath+0x9f/0xbe: get_current at arch/x86/include/asm/current.h:15 (inlined by) prepare_exit_to_usermode at arch/x86/entry/common.c:209 (inlined by) syscall_return_slowpath at arch/x86/entry/common.c:264
[   31.356108]  ? entry_SYSCALL_64_fastpath+0x93/0x95: entry_SYSCALL_64_fastpath at arch/x86/entry/entry_64.S:243
[   31.356897]
[   31.357157] Allocated by task 518:
[   31.357732]  do_raw_spin_unlock+0xae/0xc0: debug_spin_unlock at kernel/locking/spinlock_debug.c:103 (inlined by) do_raw_spin_unlock at kernel/locking/spinlock_debug.c:134
[   31.358392]  memcg_check_events+0x20/0x277: memcg_check_events at mm/memcontrol.c:673
[   31.359073]  get_random_u32+0xaf/0xbf: __preempt_count_sub at arch/x86/include/asm/preempt.h:81 (inlined by) get_random_u32 at drivers/char/random.c:2153
[   31.359690]  __list_add_valid+0x40/0x87: __list_add_valid at lib/list_debug.c:26 (discriminator 8)
[   31.360325]  cache_grow_end+0xd3/0x140: __list_add at include/linux/list.h:60 (inlined by) list_add at include/linux/list.h:79 (inlined by) fixup_slab_list at mm/slab.c:2840 (inlined by) cache_grow_end at mm/slab.c:2732
[   31.360947]  do_raw_spin_unlock+0xae/0xc0: debug_spin_unlock at kernel/locking/spinlock_debug.c:103 (inlined by) do_raw_spin_unlock at kernel/locking/spinlock_debug.c:134
[   31.361610]  _raw_spin_unlock+0x5/0xd: __preempt_count_sub at arch/x86/include/asm/preempt.h:81 (inlined by) __raw_spin_unlock at include/linux/spinlock_api_smp.h:152 (inlined by) _raw_spin_unlock at kernel/locking/spinlock.c:183
[   31.362221]  cache_alloc_refill+0x26e/0x2f3: cache_alloc_refill at mm/slab.c:3050
[   31.362922]  expand_files+0x0/0x2a2: expand_files at fs/file.c:201
[   31.363502]  kmem_cache_alloc_trace+0x186/0x229: __read_once_size at include/linux/compiler.h:183 (inlined by) atomic_read at arch/x86/include/asm/atomic.h:27 (inlined by) static_key_count at include/linux/jump_label.h:191 (inlined by) memcg_kmem_enabled at include/linux/memcontrol.h:1123 (inlined by) slab_post_alloc_hook at mm/slab.h:445 (inlined by) slab_alloc at mm/slab.c:3385 (inlined by) kmem_cache_alloc_trace at mm/slab.c:3611
[   31.364252]  perf_event_alloc+0x6a/0xc87: kmalloc at include/linux/slab.h:499 (inlined by) kzalloc at include/linux/slab.h:688 (inlined by) perf_event_alloc at kernel/events/core.c:9367
[   31.364906]  _raw_spin_unlock+0x5/0xd: __preempt_count_sub at arch/x86/include/asm/preempt.h:81 (inlined by) __raw_spin_unlock at include/linux/spinlock_api_smp.h:152 (inlined by) _raw_spin_unlock at kernel/locking/spinlock.c:183
[   31.365517]  __ptrace_may_access+0x78/0x1de: __ptrace_may_access at kernel/ptrace.c:293
[   31.366209]  do_raw_spin_unlock+0xae/0xc0: debug_spin_unlock at kernel/locking/spinlock_debug.c:103 (inlined by) do_raw_spin_unlock at kernel/locking/spinlock_debug.c:134
[   31.366878]  SyS_perf_event_open+0x54c/0xf6a
[   31.367584]  SyS_perf_event_open+0x0/0xf6a
[   31.368267]  trace_hardirqs_on_thunk+0x1a/0x1c: trace_hardirqs_on_thunk at arch/x86/entry/thunk_64.S:42
[   31.369004]  entry_SYSCALL_64_fastpath+0x23/0x95: entry_SYSCALL_64_fastpath at arch/x86/entry/entry_64.S:210
[   31.369769]  __lru_cache_add+0xc8/0xf2: __read_once_size at include/linux/compiler.h:183 (inlined by) PageTail at include/linux/page-flags.h:156 (inlined by) PageCompound at include/linux/page-flags.h:161 (inlined by) __lru_cache_add at mm/swap.c:408
[   31.370388]  do_raw_read_lock+0xd/0x40: do_raw_read_lock at kernel/locking/spinlock_debug.c:153
[   31.371011]  do_raw_read_unlock+0xd/0x30: do_raw_read_unlock at kernel/locking/spinlock_debug.c:172
[   31.371660]  mod_node_page_state+0x19/0x84: mod_node_state at mm/vmstat.c:539 (inlined by) mod_node_page_state at mm/vmstat.c:577
[   31.372339]  __list_add_valid+0x40/0x87: __list_add_valid at lib/list_debug.c:26 (discriminator 8)
[   31.372973]  cache_grow_end+0xd3/0x140: __list_add at include/linux/list.h:60 (inlined by) list_add at include/linux/list.h:79 (inlined by) fixup_slab_list at mm/slab.c:2840 (inlined by) cache_grow_end at mm/slab.c:2732
[   31.373596]  do_raw_spin_unlock+0xae/0xc0: debug_spin_unlock at kernel/locking/spinlock_debug.c:103 (inlined by) do_raw_spin_unlock at kernel/locking/spinlock_debug.c:134
[   31.374264]  _raw_spin_unlock+0x5/0xd: __preempt_count_sub at arch/x86/include/asm/preempt.h:81 (inlined by) __raw_spin_unlock at include/linux/spinlock_api_smp.h:152 (inlined by) _raw_spin_unlock at kernel/locking/spinlock.c:183
[   31.374873]  cache_alloc_refill+0x26e/0x2f3: cache_alloc_refill at mm/slab.c:3050
[   31.375565]  do_raw_spin_unlock+0xae/0xc0: debug_spin_unlock at kernel/locking/spinlock_debug.c:103 (inlined by) do_raw_spin_unlock at kernel/locking/spinlock_debug.c:134
[   31.376229]  SyS_perf_event_open+0x54c/0xf6a
[   31.376944]  trace_hardirqs_on_thunk+0x1a/0x1c: trace_hardirqs_on_thunk at arch/x86/entry/thunk_64.S:42
[   31.377684]  kmem_cache_alloc_node_trace+0x18f/0x23d: __read_once_size at include/linux/compiler.h:183 (inlined by) atomic_read at arch/x86/include/asm/atomic.h:27 (inlined by) static_key_count at include/linux/jump_label.h:191 (inlined by) memcg_kmem_enabled at include/linux/memcontrol.h:1123 (inlined by) slab_post_alloc_hook at mm/slab.h:445 (inlined by) slab_alloc_node at mm/slab.c:3328 (inlined by) kmem_cache_alloc_node_trace at mm/slab.c:3654
[   31.378495]  __kmalloc_node+0x2d/0x4c: __do_kmalloc_node at mm/slab.c:3675 (inlined by) __kmalloc_node at mm/slab.c:3682
[   31.379110]  get_callchain_buffers+0xc2/0x185: alloc_callchain_buffers at kernel/events/callchain.c:91 (inlined by) get_callchain_buffers at kernel/events/callchain.c:138
[   31.379837]  perf_event_alloc+0x8c8/0xc87: perf_event_alloc at kernel/events/core.c:9506
[   31.380498]  do_raw_spin_unlock+0xae/0xc0: debug_spin_unlock at kernel/locking/spinlock_debug.c:103 (inlined by) do_raw_spin_unlock at kernel/locking/spinlock_debug.c:134
[   31.381174]  SyS_perf_event_open+0x54c/0xf6a
[   31.381887]  SyS_perf_event_open+0x0/0xf6a
[   31.382564]  trace_hardirqs_on_thunk+0x1a/0x1c: trace_hardirqs_on_thunk at arch/x86/entry/thunk_64.S:42
[   31.383303]  entry_SYSCALL_64_fastpath+0x23/0x95: entry_SYSCALL_64_fastpath at arch/x86/entry/entry_64.S:210
[   31.384069]  cache_grow_end+0xd3/0x140: __list_add at include/linux/list.h:60 (inlined by) list_add at include/linux/list.h:79 (inlined by) fixup_slab_list at mm/slab.c:2840 (inlined by) cache_grow_end at mm/slab.c:2732
[   31.384698]  do_raw_spin_unlock+0xae/0xc0: debug_spin_unlock at kernel/locking/spinlock_debug.c:103 (inlined by) do_raw_spin_unlock at kernel/locking/spinlock_debug.c:134
[   31.385359]  _raw_spin_unlock+0x5/0xd: __preempt_count_sub at arch/x86/include/asm/preempt.h:81 (inlined by) __raw_spin_unlock at include/linux/spinlock_api_smp.h:152 (inlined by) _raw_spin_unlock at kernel/locking/spinlock.c:183
[   31.385973]  cache_alloc_refill+0x26e/0x2f3: cache_alloc_refill at mm/slab.c:3050
[   31.386659]  do_raw_spin_unlock+0xae/0xc0: debug_spin_unlock at kernel/locking/spinlock_debug.c:103 (inlined by) do_raw_spin_unlock at kernel/locking/spinlock_debug.c:134
[   31.387332]  SyS_perf_event_open+0x54c/0xf6a
[   31.388035]  trace_hardirqs_on_thunk+0x1a/0x1c: trace_hardirqs_on_thunk at arch/x86/entry/thunk_64.S:42
[   31.388771]  kmem_cache_alloc_node_trace+0x1b4/0x23d: __read_once_size at include/linux/compiler.h:183 (inlined by) atomic_read at arch/x86/include/asm/atomic.h:27 (inlined by) static_key_count at include/linux/jump_label.h:191 (inlined by) static_key_false at include/linux/jump_label.h:201 (inlined by) trace_kmalloc_node at include/trace/events/kmem.h:100 (inlined by) kmem_cache_alloc_node_trace at mm/slab.c:3657
[   31.389583]  __kmalloc_node+0x2d/0x4c: __do_kmalloc_node at mm/slab.c:3675 (inlined by) __kmalloc_node at mm/slab.c:3682
[   31.390195]  get_callchain_buffers+0xc2/0x185: alloc_callchain_buffers at kernel/events/callchain.c:91 (inlined by) get_callchain_buffers at kernel/events/callchain.c:138
[   31.390919]  perf_event_alloc+0x8c8/0xc87: perf_event_alloc at kernel/events/core.c:9506
[   31.391582]  do_raw_spin_unlock+0xae/0xc0: debug_spin_unlock at kernel/locking/spinlock_debug.c:103 (inlined by) do_raw_spin_unlock at kernel/locking/spinlock_debug.c:134
[   31.392252]  SyS_perf_event_open+0x54c/0xf6a
[   31.392957]  SyS_perf_event_open+0x0/0xf6a
[   31.393636]  trace_hardirqs_on_thunk+0x1a/0x1c: trace_hardirqs_on_thunk at arch/x86/entry/thunk_64.S:42
[   31.394375]  kmem_cache_alloc_node_trace+0x1b4/0x23d: __read_once_size at include/linux/compiler.h:183 (inlined by) atomic_read at arch/x86/include/asm/atomic.h:27 (inlined by) static_key_count at include/linux/jump_label.h:191 (inlined by) static_key_false at include/linux/jump_label.h:201 (inlined by) trace_kmalloc_node at include/trace/events/kmem.h:100 (inlined by) kmem_cache_alloc_node_trace at mm/slab.c:3657
[   31.395193]  __kmalloc_node+0x42/0x4c: __do_kmalloc_node at mm/slab.c:3675 (inlined by) __kmalloc_node at mm/slab.c:3682
[   31.395811]  get_callchain_buffers+0xc2/0x185: alloc_callchain_buffers at kernel/events/callchain.c:91 (inlined by) get_callchain_buffers at kernel/events/callchain.c:138
[   31.396525]  perf_event_alloc+0x8c8/0xc87: perf_event_alloc at kernel/events/core.c:9506
[   31.397192]  do_raw_spin_unlock+0xae/0xc0: debug_spin_unlock at kernel/locking/spinlock_debug.c:103 (inlined by) do_raw_spin_unlock at kernel/locking/spinlock_debug.c:134
[   31.397861]  SyS_perf_event_open+0x54c/0xf6a
[   31.398565]  SyS_perf_event_open+0x0/0xf6a
[   31.399248]  trace_hardirqs_on_thunk+0x1a/0x1c: trace_hardirqs_on_thunk at arch/x86/entry/thunk_64.S:42
[   31.399981]  entry_SYSCALL_64_fastpath+0x23/0x95: entry_SYSCALL_64_fastpath at arch/x86/entry/entry_64.S:210
[   31.400744]
[   31.401002] Freed by task 0:
[   31.401484] (stack is not available)
[   31.402081]

Attached the full dmesg, kconfig and reproduce scripts.

Thanks,
Fengguang