anthraxx / linux-hardened

Minimal supplement to upstream Kernel Self Protection Project changes. Features already provided by SELinux + Yama and archs other than multiarch arm64 / x86_64 aren't in scope. Only tags have stable history. Shared IRC channel with KSPP: irc.libera.chat #linux-hardening

BUG at mm/slub.c (slab_alloc_node) 5.14.11-hardened1 #64

Open icasdri opened 2 years ago

icasdri commented 2 years ago

I'm hitting a BUG_ON in slab_alloc_node on linux-hardened 5.14.11-hardened1

[54157.197925] ------------[ cut here ]------------
[54157.197930] kernel BUG at mm/slub.c:3035!
[54157.197939] invalid opcode: 0000 [#1] PREEMPT SMP PTI
[54157.197944] CPU: 1 PID: 26863 Comm: updatedb Kdump: loaded Tainted: G        W         5.14.11-hardened1-2-hardened-debug-debug #1
[54157.197950] RIP: 0010:__kmalloc_node+0x427/0x460
[54157.197959] Code: 8b 78 08 8b 44 24 04 8d 4a 01 45 89 e1 41 b8 00 10 00 00 4c 89 fa 50 49 d3 e0 4c 89 e9 e8 01 65 f9 ff 5a e9 7e fe ff ff 0f 0b <0f> 0b 49 8b 46 08 f0 48 83 28 01 0f 85 91 fc ff ff 49 8b 46 08 4c
[54157.197963] RSP: 0018:ffffc9000288b870 EFLAGS: 00010286
[54157.197967] RAX: ffff8881451e9b0c RBX: 0000000000000dc0 RCX: ffff8881451e9b0c
[54157.197969] RDX: 00000000000000c0 RSI: 0000000000000000 RDI: 0000000000000000
[54157.197972] RBP: ffff888100041800 R08: 0101010101010101 R09: 0000000080140014
[54157.197974] R10: 000000000014a4d2 R11: ffffc9cac9c98b89 R12: 0000000000000dc0
[54157.197976] R13: 00000000000000a0 R14: 0000000000000000 R15: ffffffff812ea149
[54157.197979] FS:  00006602d747e600(0000) GS:ffff888257240000(0000) knlGS:0000000000000000
[54157.197982] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[54157.197984] CR2: 000010840c6e2000 CR3: 000000020c0d8001 CR4: 00000000001706e0
[54157.197987] Call Trace:
[54157.197991]  memcg_alloc_page_obj_cgroups+0x39/0x90
[54157.197997]  allocate_slab+0xdf/0x4c0
[54157.198004]  ___slab_alloc+0x3f3/0x5c0
[54157.198009]  ? __d_alloc+0x22/0x1e0
[54157.198014]  ? __d_alloc+0x22/0x1e0
[54157.198016]  __slab_alloc.constprop.0+0x52/0x90
[54157.198022]  ? __d_alloc+0x22/0x1e0
[54157.198025]  kmem_cache_alloc+0x367/0x3b0
[54157.198029]  __d_alloc+0x22/0x1e0
[54157.198032]  d_alloc+0x1b/0xa0
[54157.198036]  d_alloc_parallel+0x60/0x550
[54157.198042]  __lookup_slow+0x5c/0x140
[54157.198047]  walk_component+0x141/0x1b0
[54157.198052]  path_lookupat+0x5f/0x190
[54157.198056]  filename_lookup+0xc7/0x1d0
[54157.198063]  vfs_statx+0x86/0x140
[54157.198069]  __do_sys_newfstatat+0x47/0x80
[54157.198076]  do_syscall_64+0x66/0x90
[54157.198084]  ? do_syscall_64+0xe/0x90
[54157.198089]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[54157.198095] RIP: 0033:0x6602d739fd8e
[54157.198098] Code: 48 89 f2 b9 00 01 00 00 48 89 fe bf 9c ff ff ff e9 07 00 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 41 89 ca b8 06 01 00 00 0f 05 <3d> 00 f0 ff ff 77 0b 31 c0 c3 0f 1f 84 00 00 00 00 00 48 8b 15 a9
[54157.198101] RSP: 002b:00007629721423b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000106
[54157.198105] RAX: ffffffffffffffda RBX: 000006f7f47ee5f0 RCX: 00006602d739fd8e
[54157.198107] RDX: 0000762972142430 RSI: 000006f7f4841849 RDI: 00000000ffffff9c
[54157.198110] RBP: 000006f7f4841849 R08: 0000000000000003 R09: 000006f7ba2db740
[54157.198112] R10: 0000000000000100 R11: 0000000000000246 R12: 0000000000000002
[54157.198114] R13: 0000000000000003 R14: 0000762972142610 R15: 0000000000000003

Task here was updatedb which from my understanding crawls the entire filesystem for indexing purposes (so it might be thrashing the slab allocator for all the path lookups).

slub.c:3035 is the BUG_ON in the following snippet near the end of slab_alloc_node

```c
if (has_sanitize_verify(s) && object) {
    /* KASAN hasn't unpoisoned the object yet (this is done in the
     * post-alloc hook), so let's do it temporarily.
     */
    kasan_unpoison_object_data(s, object);
    BUG_ON(memchr_inv(object, 0, s->object_size));  /* <---- slub.c:3035 */
    if (s->ctor)
        s->ctor(object);
    kasan_poison_object_data(s, object);
} else {
    init = slab_want_init_on_alloc(gfpflags, s);
}
```

I will try to repro in a VM so I can post coredump + debuginfo.
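Added illustration, not code from the issue or from linux-hardened: a userspace C model of the sanitize-on-free / verify-on-alloc pair behind the `BUG_ON` quoted above, showing why a write through a stale pointer into a freed object is caught on the next allocation of that object. The cache structure and `run_scenario` are constructed for the model and do not mirror SLUB's real freelist layout.

```c
#include <string.h>
#define OBJ_SIZE 64
#define NOBJS 4
/* Constructed model of one slab cache: fixed-size objects plus a LIFO free list. */
struct cache {
	unsigned char slab[NOBJS][OBJ_SIZE];
	void *freelist[NOBJS];
	int nfree;
};
/* Same contract as the kernel's memchr_inv(p, 0, n): first non-zero byte, or NULL. */
static const void *memchr_inv_zero(const void *p, size_t n)
{
	const unsigned char *b = p;
	for (size_t i = 0; i < n; i++)
		if (b[i])
			return b + i;
	return NULL;
}
static void cache_init(struct cache *c)
{
	memset(c, 0, sizeof(*c));
	for (int i = 0; i < NOBJS; i++)
		c->freelist[c->nfree++] = c->slab[i];
}
/* Sanitize on free: wipe the object before it goes back on the free list. */
static void cache_free(struct cache *c, void *obj)
{
	memset(obj, 0, OBJ_SIZE);
	c->freelist[c->nfree++] = obj;
}
/* Verify on alloc: a non-zero byte means something wrote to the object while it
 * was free. The kernel BUG_ONs here; this model reports it through *corrupt. */
static void *cache_alloc(struct cache *c, int *corrupt)
{
	void *obj = c->freelist[--c->nfree];
	*corrupt = memchr_inv_zero(obj, OBJ_SIZE) != NULL;
	return obj;
}
/* Alloc, free, optionally write via the stale pointer, alloc again: 1 if flagged. */
int run_scenario(int write_after_free)
{
	struct cache c; int corrupt;
	cache_init(&c);
	unsigned char *o = cache_alloc(&c, &corrupt);
	memset(o, 0xAA, OBJ_SIZE);   /* normal use of the live object */
	cache_free(&c, o);
	if (write_after_free)
		o[3] = 0x42;             /* stale-pointer write into a freed object */
	cache_alloc(&c, &corrupt);   /* LIFO free list hands back the same object */
	return corrupt;
}
```

The clean path allocates the zeroed object without complaint; the stale write leaves a non-zero byte that `memchr_inv` reports, which is the condition the kernel turns into `BUG_ON`.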

anthraxx commented 2 years ago

Are you still seeing this problem? This should only happen if there were non-cleared bytes, which indicates a corruption.

anthraxx commented 2 years ago

@icasdri are you still experiencing this issue?