[PATCH] static_call: Fix a wild-memory-access bug in static_call_del_module()

[PATCH] static_call: Fix a wild-memory-access bug in static_call_del_module()

[Jinjie Ruan]

Inject fault while probing btrfs.ko, if the first kzalloc() fails
in __static_call_init(), key->mods will no be initialized. And then
in static_call_del_module() the site_mod->mod will cause
wild-memory-access as below:

So assign key->mods to NULL in __static_call_init() if it fails
to fix the issue. And if kzalloc fails, it will just return in init
func, so it should break if it the key->mods is NULL in exit func.

 general protection fault, probably for non-canonical address 0xeb800159c89f94a0: 0000 [#1] PREEMPT SMP KASAN
 KASAN: maybe wild-memory-access in range [0x5c002ace44fca500-0x5c002ace44fca507]
 CPU: 2 PID: 1843 Comm: modprobe Tainted: G        W        N 6.6.0-rc1+ #60
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
 RIP: 0010:static_call_del_module+0x113/0x280
 Code: 3c 20 00 0f 85 ef 00 00 00 49 8b 6e 08 48 85 ed 75 0d eb 75 48 85 db 74 70 49 89 ef 48 89 dd 48 8d 7d 08 48 89 f8 48 c1 e8 03 <42> 80 3c 20 00 75 78 48 89 e8 4c 8b 6d 08 48 c1 e8 03 42 80 3c 20
 RSP: 0018:ffff888101d3f860 EFLAGS: 00010206
 RAX: 0b800559c89f94a0 RBX: 5c002ace44fca4f8 RCX: ffffffffa0210f00
 RDX: ffffffffa0210ed4 RSI: ffffffffa0210edc RDI: 5c002ace44fca500
 RBP: 5c002ace44fca4f8 R08: 0000000000000000 R09: ffffed10233e4eea
 R10: ffffed10233e4ee9 R11: ffff888119f2774b R12: dffffc0000000000
 R13: 80002ace3cfca4f8 R14: ffffffff85196de0 R15: ffffffff84ee9f99
 FS:  00007f4ff6faa540(0000) GS:ffff888119f00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00007ffc3d1f19e8 CR3: 0000000109fa6001 CR4: 0000000000170ee0
 DR0: ffffffff8faefce8 DR1: ffffffff8faefce9 DR2: ffffffff8faefcea
 DR3: ffffffff8faefceb DR6: 00000000ffff0ff0 DR7: 0000000000000600
 Call Trace:
  <TASK>
  ? __die_body+0x1b/0x60
  ? die_addr+0x43/0x70
  ? exc_general_protection+0x121/0x210
  ? asm_exc_general_protection+0x22/0x30
  ? static_call_del_module+0x113/0x280
  ? __SCT__tp_func_ipi_exit+0x8/0x8
  static_call_module_notify+0x27f/0x390
  ? rcu_segcblist_inc_len+0x17/0x20
  notifier_call_chain+0xbf/0x280
  notifier_call_chain_robust+0x7f/0xe0
  ? notifier_call_chain+0x280/0x280
  ? kasan_quarantine_put+0x46/0x160
  blocking_notifier_call_chain_robust+0x5b/0x80
  load_module+0x4d1d/0x69f0
  ? module_frob_arch_sections+0x20/0x20
  ? update_cfs_group+0x10c/0x2a0
  ? __wake_up_common+0x10b/0x5d0
  ? kernel_read_file+0x3ca/0x510
  ? __x64_sys_fsconfig+0x650/0x650
  ? __schedule+0xa0b/0x2a60
  ? init_module_from_file+0xd2/0x130
  init_module_from_file+0xd2/0x130
  ? __ia32_sys_init_module+0xa0/0xa0
  ? _raw_spin_lock_irqsave+0xe0/0xe0
  ? ptrace_stop+0x487/0x790
  idempotent_init_module+0x32d/0x6a0
  ? init_module_from_file+0x130/0x130
  ? __fget_light+0x57/0x500
  __x64_sys_finit_module+0xbb/0x130
  do_syscall_64+0x35/0x80
  entry_SYSCALL_64_after_hwframe+0x46/0xb0
 RIP: 0033:0x7f4ff691b839
 Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1f f6 2c 00 f7 d8 64 89 01 48
 RSP: 002b:00007ffc07b09718 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
 RAX: ffffffffffffffda RBX: 000055978f13e070 RCX: 00007f4ff691b839
 RDX: 0000000000000000 RSI: 000055978da1bc2e RDI: 0000000000000003
 RBP: 000055978da1bc2e R08: 0000000000000000 R09: 000055978f13ddb0
 R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
 R13: 000055978f13e020 R14: 0000000000040000 R15: 000055978f13ddb0
  </TASK>
 Modules linked in: tifm_core(+)
 Dumping ftrace buffer:
    (ftrace buffer empty)
 ---[ end trace 0000000000000000 ]---
 RIP: 0010:static_call_del_module+0x113/0x280
 Code: 3c 20 00 0f 85 ef 00 00 00 49 8b 6e 08 48 85 ed 75 0d eb 75 48 85 db 74 70 49 89 ef 48 89 dd 48 8d 7d 08 48 89 f8 48 c1 e8 03 <42> 80 3c 20 00 75 78 48 89 e8 4c 8b 6d 08 48 c1 e8 03 42 80 3c 20
 RSP: 0018:ffff888101d3f860 EFLAGS: 00010206
 RAX: 0b800559c89f94a0 RBX: 5c002ace44fca4f8 RCX: ffffffffa0210f00
 RDX: ffffffffa0210ed4 RSI: ffffffffa0210edc RDI: 5c002ace44fca500
 RBP: 5c002ace44fca4f8 R08: 0000000000000000 R09: ffffed10233e4eea
 R10: ffffed10233e4ee9 R11: ffff888119f2774b R12: dffffc0000000000
 R13: 80002ace3cfca4f8 R14: ffffffff85196de0 R15: ffffffff84ee9f99
 FS:  00007f4ff6faa540(0000) GS:ffff888119f00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00007ffc3d1f19e8 CR3: 0000000109fa6001 CR4: 0000000000170ee0
 DR0: ffffffff8faefce8 DR1: ffffffff8faefce9 DR2: ffffffff8faefcea
 DR3: ffffffff8faefceb DR6: 00000000ffff0ff0 DR7: 0000000000000600
 Kernel panic - not syncing: Fatal exception
 Dumping ftrace buffer:
    (ftrace buffer empty)
 Kernel Offset: disabled
 Rebooting in 1 seconds..

Fixes: 8fd4ddda2f49 ("static_call: Don't make __static_call_return0 static")
Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
---
 kernel/static_call_inline.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/kernel/static_call_inline.c b/kernel/static_call_inline.c
index 639397b5491c..e7aa70d33530 100644
--- a/kernel/static_call_inline.c
+++ b/kernel/static_call_inline.c
@@ -256,8 +256,10 @@ static int __static_call_init(struct module *mod,
 			}
 
 			site_mod = kzalloc(sizeof(*site_mod), GFP_KERNEL);
-			if (!site_mod)
+			if (!site_mod) {
+				key->mods = NULL;
 				return -ENOMEM;
+			}
 
 			/*
 			 * When the key has a direct sites pointer, extract
@@ -422,7 +424,7 @@ static void static_call_del_module(struct module *mod)
 			;
 
 		if (!site_mod)
-			continue;
+			break;
 
 		*prev = site_mod->next;
 		kfree(site_mod);
-- 
2.34.1

Re: [PATCH] static_call: Fix a wild-memory-access bug in static_call_del_module()

[Peter Zijlstra]

On Fri, Sep 15, 2023 at 04:21:25PM +0800, Jinjie Ruan wrote:
> Inject fault while probing btrfs.ko, if the first kzalloc() fails
> in __static_call_init(), key->mods will no be initialized. And then
> in static_call_del_module() the site_mod->mod will cause
> wild-memory-access as below:
> 
> So assign key->mods to NULL in __static_call_init() if it fails
> to fix the issue. And if kzalloc fails, it will just return in init
> func, so it should break if it the key->mods is NULL in exit func.
> 

I don't think we need that full splat.

> 
> Fixes: 8fd4ddda2f49 ("static_call: Don't make __static_call_return0 static")

And that looks wrong, that just moved code around.

> Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
> ---
>  kernel/static_call_inline.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/kernel/static_call_inline.c b/kernel/static_call_inline.c
> index 639397b5491c..e7aa70d33530 100644
> --- a/kernel/static_call_inline.c
> +++ b/kernel/static_call_inline.c
> @@ -256,8 +256,10 @@ static int __static_call_init(struct module *mod,
>  			}
>  
>  			site_mod = kzalloc(sizeof(*site_mod), GFP_KERNEL);
> -			if (!site_mod)
> +			if (!site_mod) {
> +				key->mods = NULL;
>  				return -ENOMEM;
> +			}
>  
>  			/*
>  			 * When the key has a direct sites pointer, extract
> @@ -422,7 +424,7 @@ static void static_call_del_module(struct module *mod)
>  			;
>  
>  		if (!site_mod)
> -			continue;
> +			break;
>  
>  		*prev = site_mod->next;
>  		kfree(site_mod);

The actual patch looks okay.

Re: [PATCH] static_call: Fix a wild-memory-access bug in static_call_del_module()

[Jinjie Ruan]

Hi, it seems that this bug still exit.

On 2023/9/15 16:21, Jinjie Ruan wrote:
> Inject fault while probing btrfs.ko, if the first kzalloc() fails
> in __static_call_init(), key->mods will no be initialized. And then
> in static_call_del_module() the site_mod->mod will cause
> wild-memory-access as below:
> 
> So assign key->mods to NULL in __static_call_init() if it fails
> to fix the issue. And if kzalloc fails, it will just return in init
> func, so it should break if it the key->mods is NULL in exit func.
> 
>  general protection fault, probably for non-canonical address 0xeb800159c89f94a0: 0000 [#1] PREEMPT SMP KASAN
>  KASAN: maybe wild-memory-access in range [0x5c002ace44fca500-0x5c002ace44fca507]
>  CPU: 2 PID: 1843 Comm: modprobe Tainted: G        W        N 6.6.0-rc1+ #60
>  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
>  RIP: 0010:static_call_del_module+0x113/0x280
>  Code: 3c 20 00 0f 85 ef 00 00 00 49 8b 6e 08 48 85 ed 75 0d eb 75 48 85 db 74 70 49 89 ef 48 89 dd 48 8d 7d 08 48 89 f8 48 c1 e8 03 <42> 80 3c 20 00 75 78 48 89 e8 4c 8b 6d 08 48 c1 e8 03 42 80 3c 20
>  RSP: 0018:ffff888101d3f860 EFLAGS: 00010206
>  RAX: 0b800559c89f94a0 RBX: 5c002ace44fca4f8 RCX: ffffffffa0210f00
>  RDX: ffffffffa0210ed4 RSI: ffffffffa0210edc RDI: 5c002ace44fca500
>  RBP: 5c002ace44fca4f8 R08: 0000000000000000 R09: ffffed10233e4eea
>  R10: ffffed10233e4ee9 R11: ffff888119f2774b R12: dffffc0000000000
>  R13: 80002ace3cfca4f8 R14: ffffffff85196de0 R15: ffffffff84ee9f99
>  FS:  00007f4ff6faa540(0000) GS:ffff888119f00000(0000) knlGS:0000000000000000
>  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>  CR2: 00007ffc3d1f19e8 CR3: 0000000109fa6001 CR4: 0000000000170ee0
>  DR0: ffffffff8faefce8 DR1: ffffffff8faefce9 DR2: ffffffff8faefcea
>  DR3: ffffffff8faefceb DR6: 00000000ffff0ff0 DR7: 0000000000000600
>  Call Trace:
>   <TASK>
>   ? __die_body+0x1b/0x60
>   ? die_addr+0x43/0x70
>   ? exc_general_protection+0x121/0x210
>   ? asm_exc_general_protection+0x22/0x30
>   ? static_call_del_module+0x113/0x280
>   ? __SCT__tp_func_ipi_exit+0x8/0x8
>   static_call_module_notify+0x27f/0x390
>   ? rcu_segcblist_inc_len+0x17/0x20
>   notifier_call_chain+0xbf/0x280
>   notifier_call_chain_robust+0x7f/0xe0
>   ? notifier_call_chain+0x280/0x280
>   ? kasan_quarantine_put+0x46/0x160
>   blocking_notifier_call_chain_robust+0x5b/0x80
>   load_module+0x4d1d/0x69f0
>   ? module_frob_arch_sections+0x20/0x20
>   ? update_cfs_group+0x10c/0x2a0
>   ? __wake_up_common+0x10b/0x5d0
>   ? kernel_read_file+0x3ca/0x510
>   ? __x64_sys_fsconfig+0x650/0x650
>   ? __schedule+0xa0b/0x2a60
>   ? init_module_from_file+0xd2/0x130
>   init_module_from_file+0xd2/0x130
>   ? __ia32_sys_init_module+0xa0/0xa0
>   ? _raw_spin_lock_irqsave+0xe0/0xe0
>   ? ptrace_stop+0x487/0x790
>   idempotent_init_module+0x32d/0x6a0
>   ? init_module_from_file+0x130/0x130
>   ? __fget_light+0x57/0x500
>   __x64_sys_finit_module+0xbb/0x130
>   do_syscall_64+0x35/0x80
>   entry_SYSCALL_64_after_hwframe+0x46/0xb0
>  RIP: 0033:0x7f4ff691b839
>  Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1f f6 2c 00 f7 d8 64 89 01 48
>  RSP: 002b:00007ffc07b09718 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
>  RAX: ffffffffffffffda RBX: 000055978f13e070 RCX: 00007f4ff691b839
>  RDX: 0000000000000000 RSI: 000055978da1bc2e RDI: 0000000000000003
>  RBP: 000055978da1bc2e R08: 0000000000000000 R09: 000055978f13ddb0
>  R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
>  R13: 000055978f13e020 R14: 0000000000040000 R15: 000055978f13ddb0
>   </TASK>
>  Modules linked in: tifm_core(+)
>  Dumping ftrace buffer:
>     (ftrace buffer empty)
>  ---[ end trace 0000000000000000 ]---
>  RIP: 0010:static_call_del_module+0x113/0x280
>  Code: 3c 20 00 0f 85 ef 00 00 00 49 8b 6e 08 48 85 ed 75 0d eb 75 48 85 db 74 70 49 89 ef 48 89 dd 48 8d 7d 08 48 89 f8 48 c1 e8 03 <42> 80 3c 20 00 75 78 48 89 e8 4c 8b 6d 08 48 c1 e8 03 42 80 3c 20
>  RSP: 0018:ffff888101d3f860 EFLAGS: 00010206
>  RAX: 0b800559c89f94a0 RBX: 5c002ace44fca4f8 RCX: ffffffffa0210f00
>  RDX: ffffffffa0210ed4 RSI: ffffffffa0210edc RDI: 5c002ace44fca500
>  RBP: 5c002ace44fca4f8 R08: 0000000000000000 R09: ffffed10233e4eea
>  R10: ffffed10233e4ee9 R11: ffff888119f2774b R12: dffffc0000000000
>  R13: 80002ace3cfca4f8 R14: ffffffff85196de0 R15: ffffffff84ee9f99
>  FS:  00007f4ff6faa540(0000) GS:ffff888119f00000(0000) knlGS:0000000000000000
>  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>  CR2: 00007ffc3d1f19e8 CR3: 0000000109fa6001 CR4: 0000000000170ee0
>  DR0: ffffffff8faefce8 DR1: ffffffff8faefce9 DR2: ffffffff8faefcea
>  DR3: ffffffff8faefceb DR6: 00000000ffff0ff0 DR7: 0000000000000600
>  Kernel panic - not syncing: Fatal exception
>  Dumping ftrace buffer:
>     (ftrace buffer empty)
>  Kernel Offset: disabled
>  Rebooting in 1 seconds..
> 
> Fixes: 8fd4ddda2f49 ("static_call: Don't make __static_call_return0 static")
> Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
> ---
>  kernel/static_call_inline.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/kernel/static_call_inline.c b/kernel/static_call_inline.c
> index 639397b5491c..e7aa70d33530 100644
> --- a/kernel/static_call_inline.c
> +++ b/kernel/static_call_inline.c
> @@ -256,8 +256,10 @@ static int __static_call_init(struct module *mod,
>  			}
>  
>  			site_mod = kzalloc(sizeof(*site_mod), GFP_KERNEL);
> -			if (!site_mod)
> +			if (!site_mod) {
> +				key->mods = NULL;
>  				return -ENOMEM;
> +			}
>  
>  			/*
>  			 * When the key has a direct sites pointer, extract
> @@ -422,7 +424,7 @@ static void static_call_del_module(struct module *mod)
>  			;
>  
>  		if (!site_mod)
> -			continue;
> +			break;
>  
>  		*prev = site_mod->next;
>  		kfree(site_mod);

Re: [PATCH] static_call: Fix a wild-memory-access bug in static_call_del_module()

[Christophe Leroy]

Hi,

Le 02/09/2024 à 14:01, Jinjie Ruan a écrit :
> Hi, it seems that this bug still exit.

Can you provide more details ?

In particular, what makes you think it is the exact same bug ?

Christophe


> 
> On 2023/9/15 16:21, Jinjie Ruan wrote:
>> Inject fault while probing btrfs.ko, if the first kzalloc() fails
>> in __static_call_init(), key->mods will no be initialized. And then
>> in static_call_del_module() the site_mod->mod will cause
>> wild-memory-access as below:
>>
>> So assign key->mods to NULL in __static_call_init() if it fails
>> to fix the issue. And if kzalloc fails, it will just return in init
>> func, so it should break if it the key->mods is NULL in exit func.
>>
>>   general protection fault, probably for non-canonical address 0xeb800159c89f94a0: 0000 [#1] PREEMPT SMP KASAN
>>   KASAN: maybe wild-memory-access in range [0x5c002ace44fca500-0x5c002ace44fca507]
>>   CPU: 2 PID: 1843 Comm: modprobe Tainted: G        W        N 6.6.0-rc1+ #60
>>   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
>>   RIP: 0010:static_call_del_module+0x113/0x280
>>   Code: 3c 20 00 0f 85 ef 00 00 00 49 8b 6e 08 48 85 ed 75 0d eb 75 48 85 db 74 70 49 89 ef 48 89 dd 48 8d 7d 08 48 89 f8 48 c1 e8 03 <42> 80 3c 20 00 75 78 48 89 e8 4c 8b 6d 08 48 c1 e8 03 42 80 3c 20
>>   RSP: 0018:ffff888101d3f860 EFLAGS: 00010206
>>   RAX: 0b800559c89f94a0 RBX: 5c002ace44fca4f8 RCX: ffffffffa0210f00
>>   RDX: ffffffffa0210ed4 RSI: ffffffffa0210edc RDI: 5c002ace44fca500
>>   RBP: 5c002ace44fca4f8 R08: 0000000000000000 R09: ffffed10233e4eea
>>   R10: ffffed10233e4ee9 R11: ffff888119f2774b R12: dffffc0000000000
>>   R13: 80002ace3cfca4f8 R14: ffffffff85196de0 R15: ffffffff84ee9f99
>>   FS:  00007f4ff6faa540(0000) GS:ffff888119f00000(0000) knlGS:0000000000000000
>>   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>   CR2: 00007ffc3d1f19e8 CR3: 0000000109fa6001 CR4: 0000000000170ee0
>>   DR0: ffffffff8faefce8 DR1: ffffffff8faefce9 DR2: ffffffff8faefcea
>>   DR3: ffffffff8faefceb DR6: 00000000ffff0ff0 DR7: 0000000000000600
>>   Call Trace:
>>    <TASK>
>>    ? __die_body+0x1b/0x60
>>    ? die_addr+0x43/0x70
>>    ? exc_general_protection+0x121/0x210
>>    ? asm_exc_general_protection+0x22/0x30
>>    ? static_call_del_module+0x113/0x280
>>    ? __SCT__tp_func_ipi_exit+0x8/0x8
>>    static_call_module_notify+0x27f/0x390
>>    ? rcu_segcblist_inc_len+0x17/0x20
>>    notifier_call_chain+0xbf/0x280
>>    notifier_call_chain_robust+0x7f/0xe0
>>    ? notifier_call_chain+0x280/0x280
>>    ? kasan_quarantine_put+0x46/0x160
>>    blocking_notifier_call_chain_robust+0x5b/0x80
>>    load_module+0x4d1d/0x69f0
>>    ? module_frob_arch_sections+0x20/0x20
>>    ? update_cfs_group+0x10c/0x2a0
>>    ? __wake_up_common+0x10b/0x5d0
>>    ? kernel_read_file+0x3ca/0x510
>>    ? __x64_sys_fsconfig+0x650/0x650
>>    ? __schedule+0xa0b/0x2a60
>>    ? init_module_from_file+0xd2/0x130
>>    init_module_from_file+0xd2/0x130
>>    ? __ia32_sys_init_module+0xa0/0xa0
>>    ? _raw_spin_lock_irqsave+0xe0/0xe0
>>    ? ptrace_stop+0x487/0x790
>>    idempotent_init_module+0x32d/0x6a0
>>    ? init_module_from_file+0x130/0x130
>>    ? __fget_light+0x57/0x500
>>    __x64_sys_finit_module+0xbb/0x130
>>    do_syscall_64+0x35/0x80
>>    entry_SYSCALL_64_after_hwframe+0x46/0xb0
>>   RIP: 0033:0x7f4ff691b839
>>   Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1f f6 2c 00 f7 d8 64 89 01 48
>>   RSP: 002b:00007ffc07b09718 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
>>   RAX: ffffffffffffffda RBX: 000055978f13e070 RCX: 00007f4ff691b839
>>   RDX: 0000000000000000 RSI: 000055978da1bc2e RDI: 0000000000000003
>>   RBP: 000055978da1bc2e R08: 0000000000000000 R09: 000055978f13ddb0
>>   R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
>>   R13: 000055978f13e020 R14: 0000000000040000 R15: 000055978f13ddb0
>>    </TASK>
>>   Modules linked in: tifm_core(+)
>>   Dumping ftrace buffer:
>>      (ftrace buffer empty)
>>   ---[ end trace 0000000000000000 ]---
>>   RIP: 0010:static_call_del_module+0x113/0x280
>>   Code: 3c 20 00 0f 85 ef 00 00 00 49 8b 6e 08 48 85 ed 75 0d eb 75 48 85 db 74 70 49 89 ef 48 89 dd 48 8d 7d 08 48 89 f8 48 c1 e8 03 <42> 80 3c 20 00 75 78 48 89 e8 4c 8b 6d 08 48 c1 e8 03 42 80 3c 20
>>   RSP: 0018:ffff888101d3f860 EFLAGS: 00010206
>>   RAX: 0b800559c89f94a0 RBX: 5c002ace44fca4f8 RCX: ffffffffa0210f00
>>   RDX: ffffffffa0210ed4 RSI: ffffffffa0210edc RDI: 5c002ace44fca500
>>   RBP: 5c002ace44fca4f8 R08: 0000000000000000 R09: ffffed10233e4eea
>>   R10: ffffed10233e4ee9 R11: ffff888119f2774b R12: dffffc0000000000
>>   R13: 80002ace3cfca4f8 R14: ffffffff85196de0 R15: ffffffff84ee9f99
>>   FS:  00007f4ff6faa540(0000) GS:ffff888119f00000(0000) knlGS:0000000000000000
>>   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>   CR2: 00007ffc3d1f19e8 CR3: 0000000109fa6001 CR4: 0000000000170ee0
>>   DR0: ffffffff8faefce8 DR1: ffffffff8faefce9 DR2: ffffffff8faefcea
>>   DR3: ffffffff8faefceb DR6: 00000000ffff0ff0 DR7: 0000000000000600
>>   Kernel panic - not syncing: Fatal exception
>>   Dumping ftrace buffer:
>>      (ftrace buffer empty)
>>   Kernel Offset: disabled
>>   Rebooting in 1 seconds..
>>
>> Fixes: 8fd4ddda2f49 ("static_call: Don't make __static_call_return0 static")
>> Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
>> ---
>>   kernel/static_call_inline.c | 6 ++++--
>>   1 file changed, 4 insertions(+), 2 deletions(-)
>>
>> diff --git a/kernel/static_call_inline.c b/kernel/static_call_inline.c
>> index 639397b5491c..e7aa70d33530 100644
>> --- a/kernel/static_call_inline.c
>> +++ b/kernel/static_call_inline.c
>> @@ -256,8 +256,10 @@ static int __static_call_init(struct module *mod,
>>   			}
>>   
>>   			site_mod = kzalloc(sizeof(*site_mod), GFP_KERNEL);
>> -			if (!site_mod)
>> +			if (!site_mod) {
>> +				key->mods = NULL;
>>   				return -ENOMEM;
>> +			}
>>   
>>   			/*
>>   			 * When the key has a direct sites pointer, extract
>> @@ -422,7 +424,7 @@ static void static_call_del_module(struct module *mod)
>>   			;
>>   
>>   		if (!site_mod)
>> -			continue;
>> +			break;
>>   
>>   		*prev = site_mod->next;
>>   		kfree(site_mod);

Re: [PATCH] static_call: Fix a wild-memory-access bug in static_call_del_module()

[Jinjie Ruan]

On 2024/9/2 20:06, Christophe Leroy wrote:
> Hi,
> 
> Le 02/09/2024 à 14:01, Jinjie Ruan a écrit :
>> Hi, it seems that this bug still exit.
> 
> Can you provide more details ?
> 
> In particular, what makes you think it is the exact same bug ?

I apply this patch, and the problem not occurs.

> 
> Christophe
> 
> 
>>
>> On 2023/9/15 16:21, Jinjie Ruan wrote:
>>> Inject fault while probing btrfs.ko, if the first kzalloc() fails
>>> in __static_call_init(), key->mods will no be initialized. And then
>>> in static_call_del_module() the site_mod->mod will cause
>>> wild-memory-access as below:
>>>
>>> So assign key->mods to NULL in __static_call_init() if it fails
>>> to fix the issue. And if kzalloc fails, it will just return in init
>>> func, so it should break if it the key->mods is NULL in exit func.
>>>
>>>   general protection fault, probably for non-canonical address
>>> 0xeb800159c89f94a0: 0000 [#1] PREEMPT SMP KASAN
>>>   KASAN: maybe wild-memory-access in range
>>> [0x5c002ace44fca500-0x5c002ace44fca507]
>>>   CPU: 2 PID: 1843 Comm: modprobe Tainted: G        W        N
>>> 6.6.0-rc1+ #60
>>>   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
>>> 1.13.0-1ubuntu1.1 04/01/2014
>>>   RIP: 0010:static_call_del_module+0x113/0x280
>>>   Code: 3c 20 00 0f 85 ef 00 00 00 49 8b 6e 08 48 85 ed 75 0d eb 75
>>> 48 85 db 74 70 49 89 ef 48 89 dd 48 8d 7d 08 48 89 f8 48 c1 e8 03
>>> <42> 80 3c 20 00 75 78 48 89 e8 4c 8b 6d 08 48 c1 e8 03 42 80 3c 20
>>>   RSP: 0018:ffff888101d3f860 EFLAGS: 00010206
>>>   RAX: 0b800559c89f94a0 RBX: 5c002ace44fca4f8 RCX: ffffffffa0210f00
>>>   RDX: ffffffffa0210ed4 RSI: ffffffffa0210edc RDI: 5c002ace44fca500
>>>   RBP: 5c002ace44fca4f8 R08: 0000000000000000 R09: ffffed10233e4eea
>>>   R10: ffffed10233e4ee9 R11: ffff888119f2774b R12: dffffc0000000000
>>>   R13: 80002ace3cfca4f8 R14: ffffffff85196de0 R15: ffffffff84ee9f99
>>>   FS:  00007f4ff6faa540(0000) GS:ffff888119f00000(0000)
>>> knlGS:0000000000000000
>>>   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>>   CR2: 00007ffc3d1f19e8 CR3: 0000000109fa6001 CR4: 0000000000170ee0
>>>   DR0: ffffffff8faefce8 DR1: ffffffff8faefce9 DR2: ffffffff8faefcea
>>>   DR3: ffffffff8faefceb DR6: 00000000ffff0ff0 DR7: 0000000000000600
>>>   Call Trace:
>>>    <TASK>
>>>    ? __die_body+0x1b/0x60
>>>    ? die_addr+0x43/0x70
>>>    ? exc_general_protection+0x121/0x210
>>>    ? asm_exc_general_protection+0x22/0x30
>>>    ? static_call_del_module+0x113/0x280
>>>    ? __SCT__tp_func_ipi_exit+0x8/0x8
>>>    static_call_module_notify+0x27f/0x390
>>>    ? rcu_segcblist_inc_len+0x17/0x20
>>>    notifier_call_chain+0xbf/0x280
>>>    notifier_call_chain_robust+0x7f/0xe0
>>>    ? notifier_call_chain+0x280/0x280
>>>    ? kasan_quarantine_put+0x46/0x160
>>>    blocking_notifier_call_chain_robust+0x5b/0x80
>>>    load_module+0x4d1d/0x69f0
>>>    ? module_frob_arch_sections+0x20/0x20
>>>    ? update_cfs_group+0x10c/0x2a0
>>>    ? __wake_up_common+0x10b/0x5d0
>>>    ? kernel_read_file+0x3ca/0x510
>>>    ? __x64_sys_fsconfig+0x650/0x650
>>>    ? __schedule+0xa0b/0x2a60
>>>    ? init_module_from_file+0xd2/0x130
>>>    init_module_from_file+0xd2/0x130
>>>    ? __ia32_sys_init_module+0xa0/0xa0
>>>    ? _raw_spin_lock_irqsave+0xe0/0xe0
>>>    ? ptrace_stop+0x487/0x790
>>>    idempotent_init_module+0x32d/0x6a0
>>>    ? init_module_from_file+0x130/0x130
>>>    ? __fget_light+0x57/0x500
>>>    __x64_sys_finit_module+0xbb/0x130
>>>    do_syscall_64+0x35/0x80
>>>    entry_SYSCALL_64_after_hwframe+0x46/0xb0
>>>   RIP: 0033:0x7f4ff691b839
>>>   Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8
>>> 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05
>>> <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1f f6 2c 00 f7 d8 64 89 01 48
>>>   RSP: 002b:00007ffc07b09718 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
>>>   RAX: ffffffffffffffda RBX: 000055978f13e070 RCX: 00007f4ff691b839
>>>   RDX: 0000000000000000 RSI: 000055978da1bc2e RDI: 0000000000000003
>>>   RBP: 000055978da1bc2e R08: 0000000000000000 R09: 000055978f13ddb0
>>>   R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
>>>   R13: 000055978f13e020 R14: 0000000000040000 R15: 000055978f13ddb0
>>>    </TASK>
>>>   Modules linked in: tifm_core(+)
>>>   Dumping ftrace buffer:
>>>      (ftrace buffer empty)
>>>   ---[ end trace 0000000000000000 ]---
>>>   RIP: 0010:static_call_del_module+0x113/0x280
>>>   Code: 3c 20 00 0f 85 ef 00 00 00 49 8b 6e 08 48 85 ed 75 0d eb 75
>>> 48 85 db 74 70 49 89 ef 48 89 dd 48 8d 7d 08 48 89 f8 48 c1 e8 03
>>> <42> 80 3c 20 00 75 78 48 89 e8 4c 8b 6d 08 48 c1 e8 03 42 80 3c 20
>>>   RSP: 0018:ffff888101d3f860 EFLAGS: 00010206
>>>   RAX: 0b800559c89f94a0 RBX: 5c002ace44fca4f8 RCX: ffffffffa0210f00
>>>   RDX: ffffffffa0210ed4 RSI: ffffffffa0210edc RDI: 5c002ace44fca500
>>>   RBP: 5c002ace44fca4f8 R08: 0000000000000000 R09: ffffed10233e4eea
>>>   R10: ffffed10233e4ee9 R11: ffff888119f2774b R12: dffffc0000000000
>>>   R13: 80002ace3cfca4f8 R14: ffffffff85196de0 R15: ffffffff84ee9f99
>>>   FS:  00007f4ff6faa540(0000) GS:ffff888119f00000(0000)
>>> knlGS:0000000000000000
>>>   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>>   CR2: 00007ffc3d1f19e8 CR3: 0000000109fa6001 CR4: 0000000000170ee0
>>>   DR0: ffffffff8faefce8 DR1: ffffffff8faefce9 DR2: ffffffff8faefcea
>>>   DR3: ffffffff8faefceb DR6: 00000000ffff0ff0 DR7: 0000000000000600
>>>   Kernel panic - not syncing: Fatal exception
>>>   Dumping ftrace buffer:
>>>      (ftrace buffer empty)
>>>   Kernel Offset: disabled
>>>   Rebooting in 1 seconds..
>>>
>>> Fixes: 8fd4ddda2f49 ("static_call: Don't make __static_call_return0
>>> static")
>>> Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
>>> ---
>>>   kernel/static_call_inline.c | 6 ++++--
>>>   1 file changed, 4 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/kernel/static_call_inline.c b/kernel/static_call_inline.c
>>> index 639397b5491c..e7aa70d33530 100644
>>> --- a/kernel/static_call_inline.c
>>> +++ b/kernel/static_call_inline.c
>>> @@ -256,8 +256,10 @@ static int __static_call_init(struct module *mod,
>>>               }
>>>                 site_mod = kzalloc(sizeof(*site_mod), GFP_KERNEL);
>>> -            if (!site_mod)
>>> +            if (!site_mod) {
>>> +                key->mods = NULL;
>>>                   return -ENOMEM;
>>> +            }
>>>                 /*
>>>                * When the key has a direct sites pointer, extract
>>> @@ -422,7 +424,7 @@ static void static_call_del_module(struct module
>>> *mod)
>>>               ;
>>>             if (!site_mod)
>>> -            continue;
>>> +            break;
>>>             *prev = site_mod->next;
>>>           kfree(site_mod);
> 

Re: [PATCH] static_call: Fix a wild-memory-access bug in static_call_del_module()

[Christophe Leroy]

Le 02/09/2024 à 14:07, Jinjie Ruan a écrit :
> 
> 
> On 2024/9/2 20:06, Christophe Leroy wrote:
>> Hi,
>>
>> Le 02/09/2024 à 14:01, Jinjie Ruan a écrit :
>>> Hi, it seems that this bug still exit.
>>
>> Can you provide more details ?
>>
>> In particular, what makes you think it is the exact same bug ?
> 
> I apply this patch, and the problem not occurs.

Ah, you mean the patch hasn't been applied yet ?

I thought you were telling that despite the patch the problem was still 
there.

Christophe

> 
>>
>> Christophe
>>
>>
>>>
>>> On 2023/9/15 16:21, Jinjie Ruan wrote:
>>>> Inject fault while probing btrfs.ko, if the first kzalloc() fails
>>>> in __static_call_init(), key->mods will no be initialized. And then
>>>> in static_call_del_module() the site_mod->mod will cause
>>>> wild-memory-access as below:
>>>>
>>>> So assign key->mods to NULL in __static_call_init() if it fails
>>>> to fix the issue. And if kzalloc fails, it will just return in init
>>>> func, so it should break if it the key->mods is NULL in exit func.
>>>>
>>>>    general protection fault, probably for non-canonical address
>>>> 0xeb800159c89f94a0: 0000 [#1] PREEMPT SMP KASAN
>>>>    KASAN: maybe wild-memory-access in range
>>>> [0x5c002ace44fca500-0x5c002ace44fca507]
>>>>    CPU: 2 PID: 1843 Comm: modprobe Tainted: G        W        N
>>>> 6.6.0-rc1+ #60
>>>>    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
>>>> 1.13.0-1ubuntu1.1 04/01/2014
>>>>    RIP: 0010:static_call_del_module+0x113/0x280
>>>>    Code: 3c 20 00 0f 85 ef 00 00 00 49 8b 6e 08 48 85 ed 75 0d eb 75
>>>> 48 85 db 74 70 49 89 ef 48 89 dd 48 8d 7d 08 48 89 f8 48 c1 e8 03
>>>> <42> 80 3c 20 00 75 78 48 89 e8 4c 8b 6d 08 48 c1 e8 03 42 80 3c 20
>>>>    RSP: 0018:ffff888101d3f860 EFLAGS: 00010206
>>>>    RAX: 0b800559c89f94a0 RBX: 5c002ace44fca4f8 RCX: ffffffffa0210f00
>>>>    RDX: ffffffffa0210ed4 RSI: ffffffffa0210edc RDI: 5c002ace44fca500
>>>>    RBP: 5c002ace44fca4f8 R08: 0000000000000000 R09: ffffed10233e4eea
>>>>    R10: ffffed10233e4ee9 R11: ffff888119f2774b R12: dffffc0000000000
>>>>    R13: 80002ace3cfca4f8 R14: ffffffff85196de0 R15: ffffffff84ee9f99
>>>>    FS:  00007f4ff6faa540(0000) GS:ffff888119f00000(0000)
>>>> knlGS:0000000000000000
>>>>    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>>>    CR2: 00007ffc3d1f19e8 CR3: 0000000109fa6001 CR4: 0000000000170ee0
>>>>    DR0: ffffffff8faefce8 DR1: ffffffff8faefce9 DR2: ffffffff8faefcea
>>>>    DR3: ffffffff8faefceb DR6: 00000000ffff0ff0 DR7: 0000000000000600
>>>>    Call Trace:
>>>>     <TASK>
>>>>     ? __die_body+0x1b/0x60
>>>>     ? die_addr+0x43/0x70
>>>>     ? exc_general_protection+0x121/0x210
>>>>     ? asm_exc_general_protection+0x22/0x30
>>>>     ? static_call_del_module+0x113/0x280
>>>>     ? __SCT__tp_func_ipi_exit+0x8/0x8
>>>>     static_call_module_notify+0x27f/0x390
>>>>     ? rcu_segcblist_inc_len+0x17/0x20
>>>>     notifier_call_chain+0xbf/0x280
>>>>     notifier_call_chain_robust+0x7f/0xe0
>>>>     ? notifier_call_chain+0x280/0x280
>>>>     ? kasan_quarantine_put+0x46/0x160
>>>>     blocking_notifier_call_chain_robust+0x5b/0x80
>>>>     load_module+0x4d1d/0x69f0
>>>>     ? module_frob_arch_sections+0x20/0x20
>>>>     ? update_cfs_group+0x10c/0x2a0
>>>>     ? __wake_up_common+0x10b/0x5d0
>>>>     ? kernel_read_file+0x3ca/0x510
>>>>     ? __x64_sys_fsconfig+0x650/0x650
>>>>     ? __schedule+0xa0b/0x2a60
>>>>     ? init_module_from_file+0xd2/0x130
>>>>     init_module_from_file+0xd2/0x130
>>>>     ? __ia32_sys_init_module+0xa0/0xa0
>>>>     ? _raw_spin_lock_irqsave+0xe0/0xe0
>>>>     ? ptrace_stop+0x487/0x790
>>>>     idempotent_init_module+0x32d/0x6a0
>>>>     ? init_module_from_file+0x130/0x130
>>>>     ? __fget_light+0x57/0x500
>>>>     __x64_sys_finit_module+0xbb/0x130
>>>>     do_syscall_64+0x35/0x80
>>>>     entry_SYSCALL_64_after_hwframe+0x46/0xb0
>>>>    RIP: 0033:0x7f4ff691b839
>>>>    Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8
>>>> 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05
>>>> <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1f f6 2c 00 f7 d8 64 89 01 48
>>>>    RSP: 002b:00007ffc07b09718 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
>>>>    RAX: ffffffffffffffda RBX: 000055978f13e070 RCX: 00007f4ff691b839
>>>>    RDX: 0000000000000000 RSI: 000055978da1bc2e RDI: 0000000000000003
>>>>    RBP: 000055978da1bc2e R08: 0000000000000000 R09: 000055978f13ddb0
>>>>    R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
>>>>    R13: 000055978f13e020 R14: 0000000000040000 R15: 000055978f13ddb0
>>>>     </TASK>
>>>>    Modules linked in: tifm_core(+)
>>>>    Dumping ftrace buffer:
>>>>       (ftrace buffer empty)
>>>>    ---[ end trace 0000000000000000 ]---
>>>>    RIP: 0010:static_call_del_module+0x113/0x280
>>>>    Code: 3c 20 00 0f 85 ef 00 00 00 49 8b 6e 08 48 85 ed 75 0d eb 75
>>>> 48 85 db 74 70 49 89 ef 48 89 dd 48 8d 7d 08 48 89 f8 48 c1 e8 03
>>>> <42> 80 3c 20 00 75 78 48 89 e8 4c 8b 6d 08 48 c1 e8 03 42 80 3c 20
>>>>    RSP: 0018:ffff888101d3f860 EFLAGS: 00010206
>>>>    RAX: 0b800559c89f94a0 RBX: 5c002ace44fca4f8 RCX: ffffffffa0210f00
>>>>    RDX: ffffffffa0210ed4 RSI: ffffffffa0210edc RDI: 5c002ace44fca500
>>>>    RBP: 5c002ace44fca4f8 R08: 0000000000000000 R09: ffffed10233e4eea
>>>>    R10: ffffed10233e4ee9 R11: ffff888119f2774b R12: dffffc0000000000
>>>>    R13: 80002ace3cfca4f8 R14: ffffffff85196de0 R15: ffffffff84ee9f99
>>>>    FS:  00007f4ff6faa540(0000) GS:ffff888119f00000(0000)
>>>> knlGS:0000000000000000
>>>>    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>>>    CR2: 00007ffc3d1f19e8 CR3: 0000000109fa6001 CR4: 0000000000170ee0
>>>>    DR0: ffffffff8faefce8 DR1: ffffffff8faefce9 DR2: ffffffff8faefcea
>>>>    DR3: ffffffff8faefceb DR6: 00000000ffff0ff0 DR7: 0000000000000600
>>>>    Kernel panic - not syncing: Fatal exception
>>>>    Dumping ftrace buffer:
>>>>       (ftrace buffer empty)
>>>>    Kernel Offset: disabled
>>>>    Rebooting in 1 seconds..
>>>>
>>>> Fixes: 8fd4ddda2f49 ("static_call: Don't make __static_call_return0
>>>> static")
>>>> Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
>>>> ---
>>>>    kernel/static_call_inline.c | 6 ++++--
>>>>    1 file changed, 4 insertions(+), 2 deletions(-)
>>>>
>>>> diff --git a/kernel/static_call_inline.c b/kernel/static_call_inline.c
>>>> index 639397b5491c..e7aa70d33530 100644
>>>> --- a/kernel/static_call_inline.c
>>>> +++ b/kernel/static_call_inline.c
>>>> @@ -256,8 +256,10 @@ static int __static_call_init(struct module *mod,
>>>>                }
>>>>                  site_mod = kzalloc(sizeof(*site_mod), GFP_KERNEL);
>>>> -            if (!site_mod)
>>>> +            if (!site_mod) {
>>>> +                key->mods = NULL;
>>>>                    return -ENOMEM;
>>>> +            }
>>>>                  /*
>>>>                 * When the key has a direct sites pointer, extract
>>>> @@ -422,7 +424,7 @@ static void static_call_del_module(struct module
>>>> *mod)
>>>>                ;
>>>>              if (!site_mod)
>>>> -            continue;
>>>> +            break;
>>>>              *prev = site_mod->next;
>>>>            kfree(site_mod);
>>

Re: [PATCH] static_call: Fix a wild-memory-access bug in static_call_del_module()

[Thomas Gleixner]

On Mon, Sep 02 2024 at 20:01, Jinjie Ruan wrote:
> On 2023/9/15 16:21, Jinjie Ruan wrote:
>> 
>> diff --git a/kernel/static_call_inline.c b/kernel/static_call_inline.c
>> index 639397b5491c..e7aa70d33530 100644
>> --- a/kernel/static_call_inline.c
>> +++ b/kernel/static_call_inline.c
>> @@ -256,8 +256,10 @@ static int __static_call_init(struct module *mod,
>>  			}
>>  
>>  			site_mod = kzalloc(sizeof(*site_mod), GFP_KERNEL);
>> -			if (!site_mod)
>> +			if (!site_mod) {
>> +				key->mods = NULL;
>>  				return -ENOMEM;

You fail to explain what setting key->mods to NULL prevents and why the
same problem does not happen when the kzalloc() five lines further down
fails.

Actually if you read the comment below carefully then you might find the
reason why the current code explodes and you might figure out why you
can't set the pointer to NULL.

>> +			}
>>  
>>  			/*
>>  			 * When the key has a direct sites pointer, extract
>> @@ -422,7 +424,7 @@ static void static_call_del_module(struct module *mod)
>>  			;
>>  
>>  		if (!site_mod)
>> -			continue;
>> +			break;

Now why does this "fix" things?

The unmodified kernel crashes dereferencing key->mods. That means there
is garbage in key->mods. But that garbage is not garbage:

struct static_call_key {
	void *func;
	union {
		/* bit 0: 0 = mods, 1 = sites */
		unsigned long type;
		struct static_call_mod *mods;
		struct static_call_site *sites;
	};
};

key->mods is actually key->sites, which holds the static call sites of
the key. It has bit 0 set.

As that code does not expect anything else than a valid static_call_mod
pointer it dereferences it unconditionally and crashes. See?

So why can't you set the pointer to NULL?

If that key is builtin and has actual builtin usage sites, then you
destroy the key. If the memory allocation fail was temporary then a
subsequent update of that static call will find no call site and the
kernel happily invokes the previous function.

Now that the root cause is properly analyzed, the proper fix is
obvious. See uncomplied below.

It does not need to do anything vs. the other kzalloc() fail because
that is harmless. The key has key->mods set, but key->mods->mod and
key->mods->next are both NULL in that case. So the inner loop breaks out
and continues to the next site which has the uninitialized one. If all
keys were already converted to mods _before_ this fail then the loop
simply iterates further, but will nowhere find a site_mod->mod == mod.

Thanks,

        tglx
---
--- a/kernel/static_call_inline.c
+++ b/kernel/static_call_inline.c
@@ -411,6 +411,17 @@ static void static_call_del_module(struc
 
 	for (site = start; site < stop; site++) {
 		key = static_call_key(site);
+
+		/*
+		 * If the key was not updated due to a memory allocation
+		 * failure in __static_call_init() then treating key::sites
+		 * as key::mods in the code below would cause random memory
+		 * access and #GP. In that case all subsequent sites have
+		 * not been touched either, so stop iterating.
+		 */
+		if (static_call_key_sites(key))
+			break;
+
 		if (key == prev_key)
 			continue;

[PATCH] static_call: Handle module init failure correctly in static_call_del_module()

[Thomas Gleixner]

Module insertion invokes static_call_add_module() to initialize the static
calls in a module. static_call_add_module() invokes __static_call_init(),
which allocates a struct static_call_mod to either encapsulate the built-in
static call sites of the associated key into it so further modules can be
added or to append the module to the module chain.

If that allocation fails the function returns with an error code and the
module core invokes static_call_del_module() to clean up eventually added
static_call_mod entries.

This works correctly, when all keys used by the module were converted over
to a module chain before the failure. If not then static_call_del_module()
causes a #GP as it blindly assumes that key::mods points to a valid struct
static_call_mod.

The problem is that key::mods is not a individual struct member of struct
static_call_key, it's part of a union to save space:

        union {
                /* bit 0: 0 = mods, 1 = sites */
                unsigned long type;
                struct static_call_mod *mods;
                struct static_call_site *sites;
	};

key::sites is a pointer to the list of built-in usage sites of the static
call. The type of the pointer is differentiated by bit 0. A mods pointer
has the bit clear, the sites pointer has the bit set.

As static_call_del_module() blindly assumes that the pointer is a valid
static_call_mod type, it fails to check for this failure case and
dereferences the pointer to the list of built-in call sites, which is
obviously bogus.

Cure it by checking whether the key has a sites or a mods pointer. 

If it is a sites pointer then the key is not to be touched. As the sites
are walked in the same order as in __static_call_init() the site walk
can be terminated because all subsequent sites have not been touched by
the init code due to the error exit.

If it was converted before the allocation fail, then the inner loop which
searches for a module match will find nothing.

A fail in the second allocation in __static_call_init() is harmless and
does not require special treatment. The first allocation succeeded and
converted the key to a module chain. That first entry has mod::mod == NULL
and mod::next == NULL, so the inner loop of static_call_del_module() will
neither find a module match nor a module chain. The next site in the walk
was either already converted, but can't match the module, or it will exit
the outer loop because it has a static_call_site pointer and not a
static_call_mod pointer.

Fixes: 9183c3f9ed71 ("static_call: Add inline static call infrastructure")
Reported-by: Jinjie Ruan <ruanjinjie@huawei.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Closes: https://lore.kernel.org/all/20230915082126.4187913-1-ruanjinjie@huawei.com
---
 kernel/static_call_inline.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/kernel/static_call_inline.c
+++ b/kernel/static_call_inline.c
@@ -411,6 +411,17 @@ static void static_call_del_module(struc
 
 	for (site = start; site < stop; site++) {
 		key = static_call_key(site);
+
+		/*
+		 * If the key was not updated due to a memory allocation
+		 * failure in __static_call_init() then treating key::sites
+		 * as key::mods in the code below would cause random memory
+		 * access and #GP. In that case all subsequent sites have
+		 * not been touched either, so stop iterating.
+		 */
+		if (static_call_key_sites(key))
+			break;
+
 		if (key == prev_key)
 			continue;
 

Re: [PATCH] static_call: Handle module init failure correctly in static_call_del_module()

[Jinjie Ruan]

On 2024/9/4 6:58, Thomas Gleixner wrote:
> Module insertion invokes static_call_add_module() to initialize the static
> calls in a module. static_call_add_module() invokes __static_call_init(),
> which allocates a struct static_call_mod to either encapsulate the built-in
> static call sites of the associated key into it so further modules can be
> added or to append the module to the module chain.
> 
> If that allocation fails the function returns with an error code and the
> module core invokes static_call_del_module() to clean up eventually added
> static_call_mod entries.
> 
> This works correctly, when all keys used by the module were converted over
> to a module chain before the failure. If not then static_call_del_module()
> causes a #GP as it blindly assumes that key::mods points to a valid struct
> static_call_mod.
> 
> The problem is that key::mods is not a individual struct member of struct
> static_call_key, it's part of a union to save space:
> 
>         union {
>                 /* bit 0: 0 = mods, 1 = sites */
>                 unsigned long type;
>                 struct static_call_mod *mods;
>                 struct static_call_site *sites;
> 	};
> 
> key::sites is a pointer to the list of built-in usage sites of the static
> call. The type of the pointer is differentiated by bit 0. A mods pointer
> has the bit clear, the sites pointer has the bit set.
> 
> As static_call_del_module() blindly assumes that the pointer is a valid
> static_call_mod type, it fails to check for this failure case and
> dereferences the pointer to the list of built-in call sites, which is
> obviously bogus.
> 
> Cure it by checking whether the key has a sites or a mods pointer. 
> 
> If it is a sites pointer then the key is not to be touched. As the sites
> are walked in the same order as in __static_call_init() the site walk
> can be terminated because all subsequent sites have not been touched by
> the init code due to the error exit.
> 
> If it was converted before the allocation fail, then the inner loop which
> searches for a module match will find nothing.
> 
> A fail in the second allocation in __static_call_init() is harmless and
> does not require special treatment. The first allocation succeeded and
> converted the key to a module chain. That first entry has mod::mod == NULL
> and mod::next == NULL, so the inner loop of static_call_del_module() will
> neither find a module match nor a module chain. The next site in the walk
> was either already converted, but can't match the module, or it will exit
> the outer loop because it has a static_call_site pointer and not a
> static_call_mod pointer.
> 
> Fixes: 9183c3f9ed71 ("static_call: Add inline static call infrastructure")
> Reported-by: Jinjie Ruan <ruanjinjie@huawei.com>
> Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
> Cc: stable@vger.kernel.org
> Closes: https://lore.kernel.org/all/20230915082126.4187913-1-ruanjinjie@huawei.com
> ---
>  kernel/static_call_inline.c |   11 +++++++++++
>  1 file changed, 11 insertions(+)
> 
> --- a/kernel/static_call_inline.c
> +++ b/kernel/static_call_inline.c
> @@ -411,6 +411,17 @@ static void static_call_del_module(struc
>  
>  	for (site = start; site < stop; site++) {
>  		key = static_call_key(site);
> +
> +		/*
> +		 * If the key was not updated due to a memory allocation
> +		 * failure in __static_call_init() then treating key::sites
> +		 * as key::mods in the code below would cause random memory
> +		 * access and #GP. In that case all subsequent sites have
> +		 * not been touched either, so stop iterating.
> +		 */
> +		if (static_call_key_sites(key))
> +			break;
> +

Hi, Thomas,

This patch seems not solve the issue, with this patch, the below problem
also occurs when inject fault when modprobe amdgpu:

[  700.274277] name failslab, interval 1, probability 0, space 0, times 0
[  700.275147] CPU: 6 UID: 0 PID: 9846 Comm: modprobe Tainted: G
W          6.11.0-rc6+ #48
[  700.275662] Tainted: [W]=WARN
[  700.275856] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.15.0-1 04/01/2014
[  700.276332] Call Trace:
[  700.276479]  <TASK>
[  700.276614]  dump_stack_lvl+0xba/0xe0
[  700.276846]  should_fail_ex+0x4b1/0x5b0
[  700.277083]  should_failslab+0xc2/0x120
[  700.277315]  __kmalloc_cache_noprof+0x6b/0x350
[  700.277590]  ? __static_call_init.part.0+0x158/0x5d0
[  700.277893]  __static_call_init.part.0+0x158/0x5d0
[  700.278185]  ? amdgpu_gmc_fw_reg_write_reg_wait+0x3ad/0x430 [amdgpu]
[  700.279871]  static_call_module_notify+0x9b/0x3d0
[  700.280158]  notifier_call_chain+0xad/0x2f0
[  700.280407]  blocking_notifier_call_chain_robust+0xc8/0x150
[  700.280739]  ? __pfx_blocking_notifier_call_chain_robust+0x10/0x10
[  700.281104]  load_module+0x5026/0x63e0
[  700.281323]  ? generic_file_read_iter+0x269/0x3a0
[  700.281629]  ? __pfx_load_module+0x10/0x10
[  700.281896]  ? selinux_file_permission+0x118/0x4b0
[  700.282176]  ? security_kernel_post_read_file+0x8d/0xc0
[  700.282484]  ? kernel_read_file+0x3e7/0x660
[  700.282743]  ? __pfx_kernel_read_file+0x10/0x10
[  700.283009]  ? __pfx___lock_acquire+0x10/0x10
[  700.283272]  ? lock_acquire+0x19d/0x530
[  700.283500]  ? init_module_from_file+0xe6/0x150
[  700.283756]  init_module_from_file+0xe6/0x150
[  700.284011]  ? __pfx_init_module_from_file+0x10/0x10
[  700.284308]  idempotent_init_module+0x37c/0x690
[  700.284569]  ? __pfx_idempotent_init_module+0x10/0x10
[  700.284860]  ? __startup_64+0x190/0x330
[  700.285082]  ? security_capable+0x8d/0xc0
[  700.285316]  __x64_sys_finit_module+0xcc/0x130
[  700.285569]  do_syscall_64+0xc1/0x1d0
[  700.285783]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  700.286070] RIP: 0033:0x7efe8bfb6839
[  700.286274] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00
48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f
05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1f f6 2c 00 f7 d8 64 89 01 48
[  700.287266] RSP: 002b:00007ffca29f00b8 EFLAGS: 00000246 ORIG_RAX:
0000000000000139
[  700.287675] RAX: ffffffffffffffda RBX: 0000561a219bbca0 RCX:
00007efe8bfb6839
[  700.288064] RDX: 0000000000000000 RSI: 0000561a1dc1bc2e RDI:
0000000000000003
[  700.288447] RBP: 0000561a1dc1bc2e R08: 0000000000000000 R09:
0000561a219bbca0
[  700.288833] R10: 0000000000000003 R11: 0000000000000246 R12:
0000000000000000
[  700.289219] R13: 0000561a219bbe90 R14: 0000000000040000 R15:
0000561a219bbca0
[  700.289613]  </TASK>
[  700.289766] ------------[ cut here ]------------
[  700.290023] Failed to allocate memory for static calls
[  700.290048] WARNING: CPU: 6 PID: 9846 at
kernel/static_call_inline.c:456 static_call_module_notify+0x2d5/0x3d0
[  700.290899] Modules linked in: amdgpu(+) amdxcp drm_ttm_helper
drm_suballoc_helper [last unloaded: amdgpu]
[  700.291431] CPU: 6 UID: 0 PID: 9846 Comm: modprobe Tainted: G
W          6.11.0-rc6+ #48
[  700.291929] Tainted: [W]=WARN
[  700.292106] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.15.0-1 04/01/2014
[  700.292558] RIP: 0010:static_call_module_notify+0x2d5/0x3d0
[  700.292888] Code: 07 48 c7 c7 c0 94 ac 9d 41 bc 17 80 00 00 49 8d 34
07 e8 4e 2d d5 ff e8 d9 56 f1 ff 90 48 c7 c7 20 95 ac 9d e8 cc 3f bd ff
90 <0f> 0b 90 90 48 8b 7c 24 08 e8 6d ef ff ff 48 c7 c7 40 e6 a9 9e e8
[  700.293906] RSP: 0018:ff11000105437868 EFLAGS: 00010282
[  700.294207] RAX: 0000000000000000 RBX: 00000000fffffff4 RCX:
ffffffff9a16a61d
[  700.294595] RDX: ff1100010dad8000 RSI: 0000000000000004 RDI:
ff1100011ad28a08
[  700.295003] RBP: 00000000dcc77697 R08: 0000000000000001 R09:
ffe21c00235a5141
[  700.295388] R10: ff1100011ad28a0b R11: 0000000000000000 R12:
000000000000800d
[  700.295793] R13: dffffc0000000000 R14: ffffffff9e5f1808 R15:
ffffffffc1c9e325
[  700.296183] FS:  00007efe8c4a5540(0000) GS:ff1100011ad00000(0000)
knlGS:0000000000000000
[  700.296630] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  700.296966] CR2: 000055ec0729e838 CR3: 0000000114d16003 CR4:
0000000000771ef0
[  700.297366] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[  700.297771] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
0000000000000400
[  700.298162] PKRU: 55555554
[  700.298314] Call Trace:
[  700.298461]  <TASK>
[  700.298589]  ? show_regs+0x73/0x80
[  700.298816]  ? __warn+0xe5/0x330
[  700.299010]  ? static_call_module_notify+0x2d5/0x3d0
[  700.299290]  ? report_bug+0x2a3/0x380
[  700.299501]  ? static_call_module_notify+0x2d5/0x3d0
[  700.299794]  ? handle_bug+0x5e/0xc0
[  700.299999]  ? exc_invalid_op+0x25/0x60
[  700.300222]  ? asm_exc_invalid_op+0x1a/0x20
[  700.300466]  ? __warn_printk+0x15d/0x200
[  700.300707]  ? static_call_module_notify+0x2d5/0x3d0
[  700.300991]  ? static_call_module_notify+0x2d4/0x3d0
[  700.301270]  notifier_call_chain+0xad/0x2f0
[  700.301521]  blocking_notifier_call_chain_robust+0xc8/0x150
[  700.301848]  ? __pfx_blocking_notifier_call_chain_robust+0x10/0x10
[  700.302219]  load_module+0x5026/0x63e0
[  700.302437]  ? generic_file_read_iter+0x269/0x3a0
[  700.302747]  ? __pfx_load_module+0x10/0x10
[  700.302989]  ? selinux_file_permission+0x118/0x4b0
[  700.303268]  ? security_kernel_post_read_file+0x8d/0xc0
[  700.303559]  ? kernel_read_file+0x3e7/0x660
[  700.303812]  ? __pfx_kernel_read_file+0x10/0x10
[  700.304066]  ? __pfx___lock_acquire+0x10/0x10
[  700.304316]  ? lock_acquire+0x19d/0x530
[  700.304543]  ? init_module_from_file+0xe6/0x150
[  700.304823]  init_module_from_file+0xe6/0x150
[  700.305077]  ? __pfx_init_module_from_file+0x10/0x10
[  700.305370]  idempotent_init_module+0x37c/0x690
[  700.305631]  ? __pfx_idempotent_init_module+0x10/0x10
[  700.305936]  ? __startup_64+0x190/0x330
[  700.306163]  ? security_capable+0x8d/0xc0
[  700.306395]  __x64_sys_finit_module+0xcc/0x130
[  700.306654]  do_syscall_64+0xc1/0x1d0
[  700.306891]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  700.307180] RIP: 0033:0x7efe8bfb6839
[  700.307387] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00
48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f
05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1f f6 2c 00 f7 d8 64 89 01 48
[  700.308395] RSP: 002b:00007ffca29f00b8 EFLAGS: 00000246 ORIG_RAX:
0000000000000139
[  700.308828] RAX: ffffffffffffffda RBX: 0000561a219bbca0 RCX:
00007efe8bfb6839
[  700.309221] RDX: 0000000000000000 RSI: 0000561a1dc1bc2e RDI:
0000000000000003
[  700.309619] RBP: 0000561a1dc1bc2e R08: 0000000000000000 R09:
0000561a219bbca0
[  700.310034] R10: 0000000000000003 R11: 0000000000000246 R12:
0000000000000000
[  700.310434] R13: 0000561a219bbe90 R14: 0000000000040000 R15:
0000561a219bbca0
[  700.310867]  </TASK>
[  700.311002] irq event stamp: 65841
[  700.311200] hardirqs last  enabled at (65851): [<ffffffff9a2ef5b1>]
console_unlock+0x1b1/0x1c0
[  700.311678] hardirqs last disabled at (65860): [<ffffffff9a2ef596>]
console_unlock+0x196/0x1c0
[  700.312175] softirqs last  enabled at (65826): [<ffffffff9a184c32>]
handle_softirqs+0x512/0x770
[  700.312658] softirqs last disabled at (65805): [<ffffffff9a185824>]
irq_exit_rcu+0x94/0xc0
[  700.313130] ---[ end trace 0000000000000000 ]---
[  700.313418] Oops: general protection fault, probably for
non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN NOPTI
[  700.314079] KASAN: null-ptr-deref in range
[0x0000000000000008-0x000000000000000f]
[  700.314505] CPU: 6 UID: 0 PID: 9846 Comm: modprobe Tainted: G
W          6.11.0-rc6+ #48
[  700.314994] Tainted: [W]=WARN
[  700.315169] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.15.0-1 04/01/2014
[  700.315627] RIP: 0010:static_call_del_module+0x145/0x210
[  700.315935] Code: 66 f1 ff 48 85 db 75 12 eb 5c e8 26 66 f1 ff 4d 85
e4 74 52 49 89 de 4c 89 e3 e8 16 66 f1 ff 48 8d 7b 08 48 89 f8 48 c1 e8
03 <80> 3c 28 00 75 6e 48 89 d8 48 8b 53 08 48 c1 e8 03 80 3c 28 00 75
[  700.317483] RSP: 0018:ff11000105437818 EFLAGS: 00010202
[  700.317928] RAX: 0000000000000001 RBX: 0000000000000001 RCX:
ffffffff9a5955aa
[  700.318377] RDX: ff1100010dad8000 RSI: 0000000000000004 RDI:
0000000000000009
[  700.318845] RBP: dffffc0000000000 R08: 0000000000000001 R09:
ffe21c00235a5141
[  700.319363] R10: ff1100011ad28a0b R11: 0000000000000000 R12:
ffffffffc1ad3cc0
[  700.319810] R13: ffffffffc1c9e1d1 R14: ffffffffc1ad3cc8 R15:
ffffffffc1c9e340
[  700.320279] FS:  00007efe8c4a5540(0000) GS:ff1100011ad00000(0000)
knlGS:0000000000000000
[  700.320800] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  700.321189] CR2: 000055ec0729e838 CR3: 0000000114d16003 CR4:
0000000000771ef0
[  700.321638] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[  700.322097] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
0000000000000400
[  700.322918] PKRU: 55555554
[  700.323389] Call Trace:
[  700.323796]  <TASK>
[  700.324168]  ? show_regs+0x73/0x80
[  700.324780]  ? die_addr+0x46/0xc0
[  700.325358]  ? exc_general_protection+0x161/0x2a0
[  700.326130]  ? asm_exc_general_protection+0x26/0x30
[  700.326888]  ? static_call_del_module+0x13a/0x210
[  700.327584]  ? static_call_del_module+0x145/0x210
[  700.328237]  ? static_call_del_module+0x13a/0x210
[  700.328910]  static_call_module_notify+0x2e3/0x3d0
[  700.329590]  notifier_call_chain+0xad/0x2f0
[  700.330179]  blocking_notifier_call_chain_robust+0xc8/0x150
[  700.330776]  ? __pfx_blocking_notifier_call_chain_robust+0x10/0x10
[  700.331443]  load_module+0x5026/0x63e0
[  700.331871]  ? generic_file_read_iter+0x269/0x3a0
[  700.332516]  ? __pfx_load_module+0x10/0x10
[  700.333060]  ? selinux_file_permission+0x118/0x4b0
[  700.333723]  ? security_kernel_post_read_file+0x8d/0xc0
[  700.334470]  ? kernel_read_file+0x3e7/0x660
[  700.335041]  ? __pfx_kernel_read_file+0x10/0x10
[  700.335442]  ? __pfx___lock_acquire+0x10/0x10
[  700.335992]  ? lock_acquire+0x19d/0x530
[  700.336959]  ? init_module_from_file+0xe6/0x150
[  700.338077]  init_module_from_file+0xe6/0x150
[  700.339172]  ? __pfx_init_module_from_file+0x10/0x10
[  700.340397]  idempotent_init_module+0x37c/0x690
[  700.341521]  ? __pfx_idempotent_init_module+0x10/0x10
[  700.342735]  ? __startup_64+0x190/0x330
[  700.343524]  ? security_capable+0x8d/0xc0
[  700.344082]  __x64_sys_finit_module+0xcc/0x130
[  700.345035]  do_syscall_64+0xc1/0x1d0
[  700.345813]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  700.346864] RIP: 0033:0x7efe8bfb6839
[  700.347581] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00
48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f
05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1f f6 2c 00 f7 d8 64 89 01 48
[  700.351338] RSP: 002b:00007ffca29f00b8 EFLAGS: 00000246 ORIG_RAX:
0000000000000139
[  700.352525] RAX: ffffffffffffffda RBX: 0000561a219bbca0 RCX:
00007efe8bfb6839
[  700.353354] RDX: 0000000000000000 RSI: 0000561a1dc1bc2e RDI:
0000000000000003
[  700.354195] RBP: 0000561a1dc1bc2e R08: 0000000000000000 R09:
0000561a219bbca0
[  700.355019] R10: 0000000000000003 R11: 0000000000000246 R12:
0000000000000000
[  700.355702] R13: 0000561a219bbe90 R14: 0000000000040000 R15:
0000561a219bbca0
[  700.356453]  </TASK>
[  700.356720] Modules linked in: amdgpu(+) amdxcp drm_ttm_helper
drm_suballoc_helper [last unloaded: amdgpu]
[  700.357844] Dumping ftrace buffer:
[  700.358243]    (ftrace buffer empty)
[  700.358721] ---[ end trace 0000000000000000 ]---
[  700.359241] RIP: 0010:static_call_del_module+0x145/0x210
[  700.359835] Code: 66 f1 ff 48 85 db 75 12 eb 5c e8 26 66 f1 ff 4d 85
e4 74 52 49 89 de 4c 89 e3 e8 16 66 f1 ff 48 8d 7b 08 48 89 f8 48 c1 e8
03 <80> 3c 28 00 75 6e 48 89 d8 48 8b 53 08 48 c1 e8 03 80 3c 28 00 75
[  700.361913] RSP: 0018:ff11000105437818 EFLAGS: 00010202
[  700.362603] RAX: 0000000000000001 RBX: 0000000000000001 RCX:
ffffffff9a5955aa
[  700.363374] RDX: ff1100010dad8000 RSI: 0000000000000004 RDI:
0000000000000009
[  700.364114] RBP: dffffc0000000000 R08: 0000000000000001 R09:
ffe21c00235a5141
[  700.365014] R10: ff1100011ad28a0b R11: 0000000000000000 R12:
ffffffffc1ad3cc0
[  700.365784] R13: ffffffffc1c9e1d1 R14: ffffffffc1ad3cc8 R15:
ffffffffc1c9e340
[  700.366458] FS:  00007efe8c4a5540(0000) GS:ff1100011ad00000(0000)
knlGS:0000000000000000
[  700.367325] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  700.368062] CR2: 000055ec0729e838 CR3: 0000000114d16003 CR4:
0000000000771ef0
[  700.368851] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[  700.370439] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
0000000000000400
[  700.371814] PKRU: 55555554
[  700.372292] Kernel panic - not syncing: Fatal exception
[  700.373772] Dumping ftrace buffer:
[  700.374235]    (ftrace buffer empty)
[  700.374707] Kernel Offset: 0x19000000 from 0xffffffff81000000
(relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[  700.376056] Rebooting in 1 seconds..


>  		if (key == prev_key)
>  			continue;
>  

Re: [PATCH] static_call: Handle module init failure correctly in static_call_del_module()

[Thomas Gleixner]

On Wed, Sep 04 2024 at 11:32, Jinjie Ruan wrote:
> On 2024/9/4 6:58, Thomas Gleixner wrote:
>> +		/*
>> +		 * If the key was not updated due to a memory allocation
>> +		 * failure in __static_call_init() then treating key::sites
>> +		 * as key::mods in the code below would cause random memory
>> +		 * access and #GP. In that case all subsequent sites have
>> +		 * not been touched either, so stop iterating.
>> +		 */
>> +		if (static_call_key_sites(key))
>> +			break;
>> +
>
> Hi, Thomas,
>
> This patch seems not solve the issue, with this patch, the below problem
> also occurs when inject fault when modprobe amdgpu:

That's a different problem.

 Oops: general protection fault, probably for
 non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN NOPTI

It's dereferencing a NULL pointer at 0x1. That's odd because bit 0 is
set, which looks like a sites pointer. So static_call_key_sites() should
return true, but obviously does not. So how does that happen?

It can't be a built-in key, so it's a module local one with key::sites
== 0x1. So static_call_key_sites() sees bit 0 set, and then returns
key::sites & ~0x01, which is obviously NULL. So the condition is false
and the code below uses key::mods == 0x1....

So the check must be:

	if (!static_call_key_has_mods(key))
        	break;

I missed the module local case completely in my analysis. Can you please
modify the condition and retest?

Thanks,

        tglx

Re: [PATCH] static_call: Handle module init failure correctly in static_call_del_module()

[Thomas Gleixner]

On Wed, Sep 04 2024 at 09:08, Thomas Gleixner wrote:
> On Wed, Sep 04 2024 at 11:32, Jinjie Ruan wrote:
> So the check must be:
>
> 	if (!static_call_key_has_mods(key))
>         	break;
>
> I missed the module local case completely in my analysis. Can you please
> modify the condition and retest?

That said. This code is pointlessly noisy for the failure case.

Allocation fails are not a reason to warn about. -ENOMEM is propagated
all the way to the caller, so it's sufficient to emit a pr_warn().

Peter?

Thanks,

        tglx
---
--- a/kernel/static_call_inline.c
+++ b/kernel/static_call_inline.c
@@ -453,7 +453,7 @@ static int static_call_module_notify(str
 	case MODULE_STATE_COMING:
 		ret = static_call_add_module(mod);
 		if (ret) {
-			WARN(1, "Failed to allocate memory for static calls");
+			pr_warn("Failed to allocate memory for static calls\n");
 			static_call_del_module(mod);
 		}
 		break;

Re: [PATCH] static_call: Handle module init failure correctly in static_call_del_module()

[Jinjie Ruan]

On 2024/9/4 15:08, Thomas Gleixner wrote:
> On Wed, Sep 04 2024 at 11:32, Jinjie Ruan wrote:
>> On 2024/9/4 6:58, Thomas Gleixner wrote:
>>> +		/*
>>> +		 * If the key was not updated due to a memory allocation
>>> +		 * failure in __static_call_init() then treating key::sites
>>> +		 * as key::mods in the code below would cause random memory
>>> +		 * access and #GP. In that case all subsequent sites have
>>> +		 * not been touched either, so stop iterating.
>>> +		 */
>>> +		if (static_call_key_sites(key))
>>> +			break;
>>> +
>>
>> Hi, Thomas,
>>
>> This patch seems not solve the issue, with this patch, the below problem
>> also occurs when inject fault when modprobe amdgpu:
> 
> That's a different problem.
> 
>  Oops: general protection fault, probably for
>  non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN NOPTI
> 
> It's dereferencing a NULL pointer at 0x1. That's odd because bit 0 is
> set, which looks like a sites pointer. So static_call_key_sites() should
> return true, but obviously does not. So how does that happen?
> 
> It can't be a built-in key, so it's a module local one with key::sites
> == 0x1. So static_call_key_sites() sees bit 0 set, and then returns
> key::sites & ~0x01, which is obviously NULL. So the condition is false
> and the code below uses key::mods == 0x1....
> 
> So the check must be:
> 
> 	if (!static_call_key_has_mods(key))
>         	break;

Hi, Thomas,

with this patch, the issue not occurs again，

but there are some memory leak here same to the following problem:

Link:
https://lore.kernel.org/all/20221112114602.1268989-4-liushixin2@huawei.com/

unreferenced object 0xff11000104078480 (size 32):
  comm "modprobe", pid 16978, jiffies 4295928553
  hex dump (first 32 bytes):
    61 6d 64 67 70 75 5f 73 79 6e 63 5f 65 6e 74 72  amdgpu_sync_entr
    79 00 07 04 01 00 11 ff 00 00 00 00 00 00 00 00  y...............
  backtrace (crc 86f0f2f0):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<00000000c53a6d7f>] 0xffffffffc01503a2
    [<00000000c68a3256>] 0xffffffffc0058026
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff1100000432b600 (size 32):
  comm "modprobe", pid 16994, jiffies 4295929985
  hex dump (first 32 bytes):
    61 6d 64 67 70 75 5f 73 79 6e 63 5f 65 6e 74 72  amdgpu_sync_entr
    79 00 32 04 00 00 11 ff 00 00 00 00 00 00 00 00  y.2.............
  backtrace (crc 32209446):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<00000000c53a6d7f>] 0xffffffffc01503a2
    [<00000000c68a3256>] 0xffffffffc0058026
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff11000115b24ac0 (size 32):
  comm "modprobe", pid 17010, jiffies 4295931422
  hex dump (first 32 bytes):
    61 6d 64 67 70 75 5f 73 79 6e 63 5f 65 6e 74 72  amdgpu_sync_entr
    79 00 b2 15 01 00 11 ff 02 00 00 00 01 00 00 00  y...............
  backtrace (crc b9fe288c):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<00000000c53a6d7f>] 0xffffffffc01503a2
    [<00000000c68a3256>] 0xffffffffc0058026
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff1100010196bc40 (size 32):
  comm "modprobe", pid 17032, jiffies 4295933559
  hex dump (first 32 bytes):
    61 6d 64 67 70 75 5f 73 79 6e 63 5f 65 6e 74 72  amdgpu_sync_entr
    79 00 96 01 01 00 11 ff 00 00 00 00 00 00 00 00  y...............
  backtrace (crc e311731b):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<00000000c53a6d7f>] 0xffffffffc01503a2
    [<00000000c68a3256>] 0xffffffffc0058026
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff11000009b4ee40 (size 32):
  comm "modprobe", pid 17038, jiffies 4295934300
  hex dump (first 32 bytes):
    61 6d 64 67 70 75 5f 73 79 6e 63 5f 65 6e 74 72  amdgpu_sync_entr
    79 00 b4 09 00 00 11 ff 00 00 00 00 00 00 00 00  y...............
  backtrace (crc ebd506c):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<00000000c53a6d7f>] 0xffffffffc01503a2
    [<00000000c68a3256>] 0xffffffffc0058026
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff1100000a3fe300 (size 32):
  comm "modprobe", pid 17044, jiffies 4295935011
  hex dump (first 32 bytes):
    61 6d 64 67 70 75 5f 73 79 6e 63 5f 65 6e 74 72  amdgpu_sync_entr
    79 00 3f 0a 00 00 11 ff 00 00 00 fc ff df 41 57  y.?...........AW
  backtrace (crc b6459b1e):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<00000000c53a6d7f>] 0xffffffffc01503a2
    [<00000000c68a3256>] 0xffffffffc0058026
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff11000007ef52c0 (size 32):
  comm "modprobe", pid 17050, jiffies 4295935726
  hex dump (first 32 bytes):
    61 6d 64 67 70 75 5f 73 79 6e 63 5f 65 6e 74 72  amdgpu_sync_entr
    79 00 ef 07 00 00 11 ff 00 00 00 00 00 00 00 00  y...............
  backtrace (crc 9c68acac):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<00000000c53a6d7f>] 0xffffffffc01503a2
    [<00000000c68a3256>] 0xffffffffc0058026
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff1100000798b980 (size 32):
  comm "modprobe", pid 17066, jiffies 4295937149
  hex dump (first 32 bytes):
    61 6d 64 67 70 75 5f 73 79 6e 63 5f 65 6e 74 72  amdgpu_sync_entr
    79 00 98 07 00 00 11 ff 00 00 00 00 00 00 00 00  y...............
  backtrace (crc 13cab529):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<00000000c53a6d7f>] 0xffffffffc01503a2
    [<00000000c68a3256>] 0xffffffffc0058026
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff11000006d79100 (size 32):
  comm "modprobe", pid 17072, jiffies 4295937871
  hex dump (first 32 bytes):
    61 6d 64 67 70 75 5f 73 79 6e 63 5f 65 6e 74 72  amdgpu_sync_entr
    79 00 d7 06 00 00 11 ff 34 0a 0e 00 00 00 00 00  y.......4.......
  backtrace (crc 468c4c12):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<00000000c53a6d7f>] 0xffffffffc01503a2
    [<00000000c68a3256>] 0xffffffffc0058026
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff1100000eb6d300 (size 32):
  comm "modprobe", pid 17088, jiffies 4295939305
  hex dump (first 32 bytes):
    61 6d 64 67 70 75 5f 73 79 6e 63 5f 65 6e 74 72  amdgpu_sync_entr
    79 00 b6 0e 00 00 11 ff 44 24 08 89 0c 24 e8 9d  y.......D$...$..
  backtrace (crc 39abd416):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<00000000c53a6d7f>] 0xffffffffc01503a2
    [<00000000c68a3256>] 0xffffffffc0058026
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff11000001029680 (size 32):
  comm "modprobe", pid 17114, jiffies 4295941403
  hex dump (first 32 bytes):
    61 6d 64 67 70 75 5f 73 79 6e 63 5f 65 6e 74 72  amdgpu_sync_entr
    79 00 02 01 00 00 11 ff 00 00 00 00 00 00 00 00  y...............
  backtrace (crc 84d963e1):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<00000000c53a6d7f>] 0xffffffffc01503a2
    [<00000000c68a3256>] 0xffffffffc0058026
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff11000101919f80 (size 32):
  comm "modprobe", pid 17130, jiffies 4295942829
  hex dump (first 32 bytes):
    61 6d 64 67 70 75 5f 73 79 6e 63 5f 65 6e 74 72  amdgpu_sync_entr
    79 00 91 01 01 00 11 ff 00 00 00 00 00 00 00 00  y...............
  backtrace (crc 86dcd9db):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<00000000c53a6d7f>] 0xffffffffc01503a2
    [<00000000c68a3256>] 0xffffffffc0058026
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff11000108634800 (size 32):
  comm "modprobe", pid 17136, jiffies 4295943552
  hex dump (first 32 bytes):
    61 6d 64 67 70 75 5f 73 79 6e 63 5f 65 6e 74 72  amdgpu_sync_entr
    79 00 63 08 01 00 11 ff 00 00 00 00 00 00 00 00  y.c.............
  backtrace (crc 893b4b39):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<00000000c53a6d7f>] 0xffffffffc01503a2
    [<00000000c68a3256>] 0xffffffffc0058026
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff110000051d5640 (size 32):
  comm "modprobe", pid 17142, jiffies 4295944268
  hex dump (first 32 bytes):
    61 6d 64 67 70 75 5f 73 79 6e 63 5f 65 6e 74 72  amdgpu_sync_entr
    79 00 1d 05 00 00 11 ff 00 00 00 00 00 fc ff df  y...............
  backtrace (crc 4dd0396e):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<00000000c53a6d7f>] 0xffffffffc01503a2
    [<00000000c68a3256>] 0xffffffffc0058026
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff110001013def40 (size 32):
  comm "modprobe", pid 17148, jiffies 4295944996
  hex dump (first 32 bytes):
    61 6d 64 67 70 75 5f 73 79 6e 63 5f 65 6e 74 72  amdgpu_sync_entr
    79 00 3d 01 01 00 11 ff 40 2b 0d 00 00 00 d4 ff  y.=.....@+......
  backtrace (crc 72d18c0f):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<00000000c53a6d7f>] 0xffffffffc01503a2
    [<00000000c68a3256>] 0xffffffffc0058026
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff11000102f95280 (size 32):
  comm "modprobe", pid 17154, jiffies 4295945705
  hex dump (first 32 bytes):
    61 6d 64 67 70 75 5f 73 79 6e 63 5f 65 6e 74 72  amdgpu_sync_entr
    79 00 f9 02 01 00 11 ff 00 00 00 00 00 00 00 00  y...............
  backtrace (crc 8492240a):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<00000000c53a6d7f>] 0xffffffffc01503a2
    [<00000000c68a3256>] 0xffffffffc0058026
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff1100000a957fc0 (size 32):
  comm "modprobe", pid 17170, jiffies 4295947128
  hex dump (first 32 bytes):
    61 6d 64 67 70 75 5f 73 79 6e 63 5f 65 6e 74 72  amdgpu_sync_entr
    79 00 95 0a 00 00 11 ff 65 63 6b 00 00 00 00 00  y.......eck.....
  backtrace (crc a37aa232):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<00000000c53a6d7f>] 0xffffffffc01503a2
    [<00000000c68a3256>] 0xffffffffc0058026
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff1100000ec1d300 (size 32):
  comm "modprobe", pid 17186, jiffies 4295948570
  hex dump (first 32 bytes):
    61 6d 64 67 70 75 5f 73 79 6e 63 5f 65 6e 74 72  amdgpu_sync_entr
    79 00 c1 0e 00 00 11 ff 69 6e 69 73 68 00 00 00  y.......inish...
  backtrace (crc 66341c55):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<00000000c53a6d7f>] 0xffffffffc01503a2
    [<00000000c68a3256>] 0xffffffffc0058026
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff11000108066ac0 (size 32):
  comm "modprobe", pid 17212, jiffies 4295950745
  hex dump (first 32 bytes):
    61 6d 64 67 70 75 5f 73 79 6e 63 5f 65 6e 74 72  amdgpu_sync_entr
    79 00 06 08 01 00 11 ff 00 00 00 00 00 00 00 00  y...............
  backtrace (crc 8145aa7d):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<00000000c53a6d7f>] 0xffffffffc01503a2
    [<00000000c68a3256>] 0xffffffffc0058026
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff110000125e2980 (size 32):
  comm "modprobe", pid 17218, jiffies 4295951462
  hex dump (first 32 bytes):
    61 6d 64 67 70 75 5f 73 79 6e 63 5f 65 6e 74 72  amdgpu_sync_entr
    79 00 5e 12 00 00 11 ff 00 00 00 00 00 00 00 00  y.^.............
  backtrace (crc 80eaf345):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<00000000c53a6d7f>] 0xffffffffc01503a2
    [<00000000c68a3256>] 0xffffffffc0058026
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff11000002460380 (size 32):
  comm "modprobe", pid 17264, jiffies 4295954895
  hex dump (first 32 bytes):
    61 6d 64 67 70 75 5f 73 79 6e 63 5f 65 6e 74 72  amdgpu_sync_entr
    79 00 00 00 00 00 00 00 00 ed 1e 00 00 00 d4 ff  y...............
  backtrace (crc aaffd3fe):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<00000000c53a6d7f>] 0xffffffffc01503a2
    [<00000000c68a3256>] 0xffffffffc0058026
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff11000009b4e180 (size 32):
  comm "modprobe", pid 17290, jiffies 4295957017
  hex dump (first 32 bytes):
    61 6d 64 67 70 75 5f 73 79 6e 63 5f 65 6e 74 72  amdgpu_sync_entr
    79 00 b4 09 00 00 11 ff 00 00 00 00 00 00 00 00  y...............
  backtrace (crc ebd506c):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<00000000c53a6d7f>] 0xffffffffc01503a2
    [<00000000c68a3256>] 0xffffffffc0058026
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff110000040cf140 (size 32):
  comm "modprobe", pid 17306, jiffies 4295958400
  hex dump (first 32 bytes):
    61 6d 64 67 70 75 5f 73 79 6e 63 5f 65 6e 74 72  amdgpu_sync_entr
    79 00 0c 04 00 00 11 ff 00 00 00 00 00 00 00 00  y...............
  backtrace (crc 526d8572):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<00000000c53a6d7f>] 0xffffffffc01503a2
    [<00000000c68a3256>] 0xffffffffc0058026
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff11000006d77f80 (size 32):
  comm "modprobe", pid 17322, jiffies 4295959804
  hex dump (first 32 bytes):
    61 6d 64 67 70 75 5f 73 79 6e 63 5f 65 6e 74 72  amdgpu_sync_entr
    79 00 d7 06 00 00 11 ff f4 11 0e 00 00 00 00 00  y...............
  backtrace (crc 59f3c311):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<00000000c53a6d7f>] 0xffffffffc01503a2
    [<00000000c68a3256>] 0xffffffffc0058026
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff110001013d3180 (size 32):
  comm "modprobe", pid 17398, jiffies 4295965375
  hex dump (first 32 bytes):
    61 6d 64 67 70 75 5f 73 79 6e 63 5f 65 6e 74 72  amdgpu_sync_entr
    79 00 3d 01 01 00 11 ff 69 6e 69 73 68 00 00 00  y.=.....inish...
  backtrace (crc 99084885):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<00000000c53a6d7f>] 0xffffffffc01503a2
    [<00000000c68a3256>] 0xffffffffc0058026
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff1100000f1826c0 (size 32):
  comm "modprobe", pid 17414, jiffies 4295966816
  hex dump (first 32 bytes):
    61 6d 64 67 70 75 5f 73 79 6e 63 5f 65 6e 74 72  amdgpu_sync_entr
    79 00 18 0f 00 00 11 ff 00 00 00 00 00 00 00 00  y...............
  backtrace (crc caba89a6):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<00000000c53a6d7f>] 0xffffffffc01503a2
    [<00000000c68a3256>] 0xffffffffc0058026
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff11000100d2a240 (size 32):
  comm "modprobe", pid 17450, jiffies 4295969601
  hex dump (first 32 bytes):
    61 6d 64 67 70 75 5f 73 79 6e 63 5f 65 6e 74 72  amdgpu_sync_entr
    79 00 d2 00 01 00 11 ff 00 00 00 00 00 00 00 00  y...............
  backtrace (crc 6692d274):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<00000000c53a6d7f>] 0xffffffffc01503a2
    [<00000000c68a3256>] 0xffffffffc0058026
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff1100000524ea40 (size 32):
  comm "modprobe", pid 17466, jiffies 4295971059
  hex dump (first 32 bytes):
    61 6d 64 67 70 75 5f 73 79 6e 63 5f 65 6e 74 72  amdgpu_sync_entr
    79 00 24 05 00 00 11 ff 2b 00 00 00 00 00 00 00  y.$.....+.......
  backtrace (crc d5da4419):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<00000000c53a6d7f>] 0xffffffffc01503a2
    [<00000000c68a3256>] 0xffffffffc0058026
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff11000102f957c0 (size 32):
  comm "modprobe", pid 17482, jiffies 4295972468
  hex dump (first 32 bytes):
    61 6d 64 67 70 75 5f 73 79 6e 63 5f 65 6e 74 72  amdgpu_sync_entr
    79 00 f9 02 01 00 11 ff 00 00 00 00 00 00 00 00  y...............
  backtrace (crc 8492240a):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<00000000c53a6d7f>] 0xffffffffc01503a2
    [<00000000c68a3256>] 0xffffffffc0058026
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff110001072e3d00 (size 32):
  comm "modprobe", pid 17526, jiffies 4295976765
  hex dump (first 32 bytes):
    61 6d 64 67 70 75 5f 73 79 6e 63 5f 65 6e 74 72  amdgpu_sync_entr
    79 00 2e 07 01 00 11 ff 00 00 00 00 00 00 00 00  y...............
  backtrace (crc 580819a6):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<00000000c53a6d7f>] 0xffffffffc01503a2
    [<00000000c68a3256>] 0xffffffffc0058026
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff1100000a3fdb60 (size 16):
  comm "modprobe", pid 17578, jiffies 4295981003
  hex dump (first 16 bytes):
    61 6d 64 67 70 75 5f 66 65 6e 63 65 00 00 11 ff  amdgpu_fence....
  backtrace (crc e15a7d50):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<000000009827d27d>] 0xffffffffc00c8052
    [<00000000d74769dd>] 0xffffffffc0058038
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff11000005e51280 (size 16):
  comm "modprobe", pid 17594, jiffies 4295982450
  hex dump (first 16 bytes):
    61 6d 64 67 70 75 5f 66 65 6e 63 65 00 00 11 ff  amdgpu_fence....
  backtrace (crc e15a7d50):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<000000009827d27d>] 0xffffffffc00c8052
    [<00000000d74769dd>] 0xffffffffc0058038
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff110000071a1b60 (size 16):
  comm "modprobe", pid 17609, jiffies 4295983945
  hex dump (first 16 bytes):
    61 6d 64 67 70 75 5f 66 65 6e 63 65 00 00 11 ff  amdgpu_fence....
  backtrace (crc e15a7d50):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<000000009827d27d>] 0xffffffffc00c8052
    [<00000000d74769dd>] 0xffffffffc0058038
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff1100010f4a2ae0 (size 16):
  comm "modprobe", pid 17646, jiffies 4295986890
  hex dump (first 16 bytes):
    61 6d 64 67 70 75 5f 66 65 6e 63 65 00 00 11 ff  amdgpu_fence....
  backtrace (crc e15a7d50):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<000000009827d27d>] 0xffffffffc00c8052
    [<00000000d74769dd>] 0xffffffffc0058038
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff1100000f20bd80 (size 16):
  comm "modprobe", pid 17662, jiffies 4295988248
  hex dump (first 16 bytes):
    61 6d 64 67 70 75 5f 66 65 6e 63 65 00 00 11 ff  amdgpu_fence....
  backtrace (crc e15a7d50):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<000000009827d27d>] 0xffffffffc00c8052
    [<00000000d74769dd>] 0xffffffffc0058038
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff11000100d26a00 (size 16):
  comm "modprobe", pid 17718, jiffies 4295992419
  hex dump (first 16 bytes):
    61 6d 64 67 70 75 5f 66 65 6e 63 65 00 00 11 ff  amdgpu_fence....
  backtrace (crc e15a7d50):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<000000009827d27d>] 0xffffffffc00c8052
    [<00000000d74769dd>] 0xffffffffc0058038
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff1100010152d240 (size 16):
  comm "modprobe", pid 17734, jiffies 4295993810
  hex dump (first 16 bytes):
    61 6d 64 67 70 75 5f 66 65 6e 63 65 00 00 00 00  amdgpu_fence....
  backtrace (crc 9f81b1cd):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<000000009827d27d>] 0xffffffffc00c8052
    [<00000000d74769dd>] 0xffffffffc0058038
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff110001013ce0a0 (size 16):
  comm "modprobe", pid 17750, jiffies 4295995280
  hex dump (first 16 bytes):
    61 6d 64 67 70 75 5f 66 65 6e 63 65 00 00 11 ff  amdgpu_fence....
  backtrace (crc e15a7d50):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<000000009827d27d>] 0xffffffffc00c8052
    [<00000000d74769dd>] 0xffffffffc0058038
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff11000005e51dc0 (size 16):
  comm "modprobe", pid 17756, jiffies 4295996002
  hex dump (first 16 bytes):
    61 6d 64 67 70 75 5f 66 65 6e 63 65 00 00 11 ff  amdgpu_fence....
  backtrace (crc e15a7d50):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<000000009827d27d>] 0xffffffffc00c8052
    [<00000000d74769dd>] 0xffffffffc0058038
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff11000008b1bf80 (size 16):
  comm "modprobe", pid 17782, jiffies 4295998115
  hex dump (first 16 bytes):
    61 6d 64 67 70 75 5f 66 65 6e 63 65 00 00 11 ff  amdgpu_fence....
  backtrace (crc e15a7d50):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<000000009827d27d>] 0xffffffffc00c8052
    [<00000000d74769dd>] 0xffffffffc0058038
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff11000114116820 (size 16):
  comm "modprobe", pid 17798, jiffies 4295999501
  hex dump (first 16 bytes):
    61 6d 64 67 70 75 5f 66 65 6e 63 65 00 00 11 ff  amdgpu_fence....
  backtrace (crc e15a7d50):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<000000009827d27d>] 0xffffffffc00c8052
    [<00000000d74769dd>] 0xffffffffc0058038
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff1100011101d5e0 (size 16):
  comm "modprobe", pid 17825, jiffies 4296001629
  hex dump (first 16 bytes):
    61 6d 64 67 70 75 5f 66 65 6e 63 65 00 00 11 ff  amdgpu_fence....
  backtrace (crc e15a7d50):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<000000009827d27d>] 0xffffffffc00c8052
    [<00000000d74769dd>] 0xffffffffc0058038
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff11000009718320 (size 16):
  comm "modprobe", pid 17831, jiffies 4296002346
  hex dump (first 16 bytes):
    61 6d 64 67 70 75 5f 66 65 6e 63 65 00 00 11 ff  amdgpu_fence....
  backtrace (crc e15a7d50):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<000000009827d27d>] 0xffffffffc00c8052
    [<00000000d74769dd>] 0xffffffffc0058038
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff1100011515d660 (size 16):
  comm "modprobe", pid 17847, jiffies 4296003774
  hex dump (first 16 bytes):
    61 6d 64 67 70 75 5f 66 65 6e 63 65 00 00 11 ff  amdgpu_fence....
  backtrace (crc e15a7d50):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<000000009827d27d>] 0xffffffffc00c8052
    [<00000000d74769dd>] 0xffffffffc0058038
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff11000114a85080 (size 16):
  comm "modprobe", pid 17854, jiffies 4296004484
  hex dump (first 16 bytes):
    61 6d 64 67 70 75 5f 66 65 6e 63 65 00 00 11 ff  amdgpu_fence....
  backtrace (crc e15a7d50):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<000000009827d27d>] 0xffffffffc00c8052
    [<00000000d74769dd>] 0xffffffffc0058038
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff1100000eb139a0 (size 16):
  comm "modprobe", pid 17860, jiffies 4296005214
  hex dump (first 16 bytes):
    61 6d 64 67 70 75 5f 66 65 6e 63 65 00 00 11 ff  amdgpu_fence....
  backtrace (crc e15a7d50):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<000000009827d27d>] 0xffffffffc00c8052
    [<00000000d74769dd>] 0xffffffffc0058038
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff11000009718b60 (size 16):
  comm "modprobe", pid 17876, jiffies 4296006637
  hex dump (first 16 bytes):
    61 6d 64 67 70 75 5f 66 65 6e 63 65 00 00 11 ff  amdgpu_fence....
  backtrace (crc e15a7d50):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<000000009827d27d>] 0xffffffffc00c8052
    [<00000000d74769dd>] 0xffffffffc0058038
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff11000005b81fc0 (size 16):
  comm "modprobe", pid 17892, jiffies 4296008053
  hex dump (first 16 bytes):
    61 6d 64 67 70 75 5f 66 65 6e 63 65 00 00 11 ff  amdgpu_fence....
  backtrace (crc e15a7d50):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<000000009827d27d>] 0xffffffffc00c8052
    [<00000000d74769dd>] 0xffffffffc0058038
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff110000071a1b40 (size 16):
  comm "modprobe", pid 17898, jiffies 4296008778
  hex dump (first 16 bytes):
    61 6d 64 67 70 75 5f 66 65 6e 63 65 00 00 11 ff  amdgpu_fence....
  backtrace (crc e15a7d50):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<000000009827d27d>] 0xffffffffc00c8052
    [<00000000d74769dd>] 0xffffffffc0058038
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff1100000f20bb00 (size 16):
  comm "modprobe", pid 17904, jiffies 4296009509
  hex dump (first 16 bytes):
    61 6d 64 67 70 75 5f 66 65 6e 63 65 00 00 11 ff  amdgpu_fence....
  backtrace (crc e15a7d50):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<000000009827d27d>] 0xffffffffc00c8052
    [<00000000d74769dd>] 0xffffffffc0058038
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff1100000df76200 (size 16):
  comm "modprobe", pid 17930, jiffies 4296011592
  hex dump (first 16 bytes):
    61 6d 64 67 70 75 5f 66 65 6e 63 65 00 00 11 ff  amdgpu_fence....
  backtrace (crc e15a7d50):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<000000009827d27d>] 0xffffffffc00c8052
    [<00000000d74769dd>] 0xffffffffc0058038
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff110000064b1ba0 (size 16):
  comm "modprobe", pid 17965, jiffies 4296014396
  hex dump (first 16 bytes):
    61 6d 64 67 70 75 5f 66 65 6e 63 65 00 00 11 ff  amdgpu_fence....
  backtrace (crc e15a7d50):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<000000009827d27d>] 0xffffffffc00c8052
    [<00000000d74769dd>] 0xffffffffc0058038
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff110001011cbe80 (size 16):
  comm "modprobe", pid 17971, jiffies 4296015146
  hex dump (first 16 bytes):
    61 6d 64 67 70 75 5f 66 65 6e 63 65 00 00 11 ff  amdgpu_fence....
  backtrace (crc e15a7d50):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<000000009827d27d>] 0xffffffffc00c8052
    [<00000000d74769dd>] 0xffffffffc0058038
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff1100000f073bc0 (size 16):
  comm "modprobe", pid 17987, jiffies 4296016566
  hex dump (first 16 bytes):
    61 6d 64 67 70 75 5f 66 65 6e 63 65 00 00 11 ff  amdgpu_fence....
  backtrace (crc e15a7d50):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<000000009827d27d>] 0xffffffffc00c8052
    [<00000000d74769dd>] 0xffffffffc0058038
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff11000107214fe0 (size 16):
  comm "modprobe", pid 18003, jiffies 4296017979
  hex dump (first 16 bytes):
    61 6d 64 67 70 75 5f 66 65 6e 63 65 00 00 11 ff  amdgpu_fence....
  backtrace (crc e15a7d50):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<000000009827d27d>] 0xffffffffc00c8052
    [<00000000d74769dd>] 0xffffffffc0058038
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff1100000df769c0 (size 16):
  comm "modprobe", pid 18019, jiffies 4296019396
  hex dump (first 16 bytes):
    61 6d 64 67 70 75 5f 66 65 6e 63 65 00 00 11 ff  amdgpu_fence....
  backtrace (crc e15a7d50):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<000000009827d27d>] 0xffffffffc00c8052
    [<00000000d74769dd>] 0xffffffffc0058038
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff1100010f4a28a0 (size 16):
  comm "modprobe", pid 18035, jiffies 4296020834
  hex dump (first 16 bytes):
    61 6d 64 67 70 75 5f 66 65 6e 63 65 00 00 11 ff  amdgpu_fence....
  backtrace (crc e15a7d50):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<000000009827d27d>] 0xffffffffc00c8052
    [<00000000d74769dd>] 0xffffffffc0058038
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff1100000383b980 (size 16):
  comm "modprobe", pid 18041, jiffies 4296021552
  hex dump (first 16 bytes):
    61 6d 64 67 70 75 5f 66 65 6e 63 65 00 00 11 ff  amdgpu_fence....
  backtrace (crc e15a7d50):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<000000009827d27d>] 0xffffffffc00c8052
    [<00000000d74769dd>] 0xffffffffc0058038
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff110000023b4e60 (size 16):
  comm "modprobe", pid 18047, jiffies 4296022306
  hex dump (first 16 bytes):
    61 6d 64 67 70 75 5f 66 65 6e 63 65 00 00 11 ff  amdgpu_fence....
  backtrace (crc e15a7d50):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<000000009827d27d>] 0xffffffffc00c8052
    [<00000000d74769dd>] 0xffffffffc0058038
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff11000008b1b940 (size 16):
  comm "modprobe", pid 18053, jiffies 4296023061
  hex dump (first 16 bytes):
    61 6d 64 67 70 75 5f 66 65 6e 63 65 00 00 11 ff  amdgpu_fence....
  backtrace (crc e15a7d50):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<000000009827d27d>] 0xffffffffc00c8052
    [<00000000d74769dd>] 0xffffffffc0058038
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff1100010b8d64c0 (size 16):
  comm "modprobe", pid 18059, jiffies 4296023783
  hex dump (first 16 bytes):
    61 6d 64 67 70 75 5f 66 65 6e 63 65 00 00 11 ff  amdgpu_fence....
  backtrace (crc e15a7d50):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<000000009827d27d>] 0xffffffffc00c8052
    [<00000000d74769dd>] 0xffffffffc0058038
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff110001151a1ac0 (size 16):
  comm "modprobe", pid 18075, jiffies 4296025098
  hex dump (first 16 bytes):
    61 6d 64 67 70 75 5f 66 65 6e 63 65 00 00 11 ff  amdgpu_fence....
  backtrace (crc e15a7d50):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<000000009827d27d>] 0xffffffffc00c8052
    [<00000000d74769dd>] 0xffffffffc0058038
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150
unreferenced object 0xff110000050fcea0 (size 16):
  comm "modprobe", pid 18101, jiffies 4296027230
  hex dump (first 16 bytes):
    61 6d 64 67 70 75 5f 66 65 6e 63 65 00 00 11 ff  amdgpu_fence....
  backtrace (crc e15a7d50):
    [<000000001b48c137>] __kmalloc_node_track_caller_noprof+0x33c/0x410
    [<000000003ab002c7>] kstrdup+0x3f/0x80
    [<00000000479d3195>] kstrdup_const+0x39/0x60
    [<000000005f96320e>] kvasprintf_const+0xf9/0x190
    [<00000000725db2e2>] kobject_set_name_vargs+0x5a/0x150
    [<00000000745aee9e>] kobject_init_and_add+0xcd/0x170
    [<00000000c0d3244b>] sysfs_slab_add+0x172/0x210
    [<00000000a6c0a88d>] __kmem_cache_create+0x215/0x5c0
    [<0000000081d00250>] kmem_cache_create_usercopy+0x213/0x340
    [<000000006d9fd37f>] kmem_cache_create+0x11/0x20
    [<000000009827d27d>] 0xffffffffc00c8052
    [<00000000d74769dd>] 0xffffffffc0058038
    [<00000000b58b0e32>] do_one_initcall+0xdc/0x550
    [<0000000040a69501>] do_init_module+0x241/0x630
    [<00000000bca76796>] load_module+0x52be/0x63e0
    [<000000006d613fc0>] init_module_from_file+0xe6/0x150


> 
> I missed the module local case completely in my analysis. Can you please
> modify the condition and retest?
> 
> Thanks,
> 
>         tglx
> 
> 
> 
> 
> 

Re: [PATCH] static_call: Handle module init failure correctly in static_call_del_module()

[Peter Zijlstra]

On Wed, Sep 04, 2024 at 10:00:52AM +0200, Thomas Gleixner wrote:
> On Wed, Sep 04 2024 at 09:08, Thomas Gleixner wrote:
> > On Wed, Sep 04 2024 at 11:32, Jinjie Ruan wrote:
> > So the check must be:
> >
> > 	if (!static_call_key_has_mods(key))
> >         	break;
> >
> > I missed the module local case completely in my analysis. Can you please
> > modify the condition and retest?
> 
> That said. This code is pointlessly noisy for the failure case.
> 
> Allocation fails are not a reason to warn about. -ENOMEM is propagated
> all the way to the caller, so it's sufficient to emit a pr_warn().
> 
> Peter?

Yeah, I think that should do.

> Thanks,
> 
>         tglx
> ---
> --- a/kernel/static_call_inline.c
> +++ b/kernel/static_call_inline.c
> @@ -453,7 +453,7 @@ static int static_call_module_notify(str
>  	case MODULE_STATE_COMING:
>  		ret = static_call_add_module(mod);
>  		if (ret) {
> -			WARN(1, "Failed to allocate memory for static calls");
> +			pr_warn("Failed to allocate memory for static calls\n");
>  			static_call_del_module(mod);
>  		}
>  		break;

Re: [PATCH] static_call: Handle module init failure correctly in static_call_del_module()

[Thomas Gleixner]

On Wed, Sep 04 2024 at 16:03, Jinjie Ruan wrote:
> On 2024/9/4 15:08, Thomas Gleixner wrote:
>> So the check must be:
>> 
>> 	if (!static_call_key_has_mods(key))
>>         	break;
>
> Hi, Thomas,
>
> with this patch, the issue not occurs again，
>
> but there are some memory leak here same to the following problem:

That has absolutely nothing to do with static calls and the memory
allocation failure case there.

The module passed all preparatory steps, otherwise it would not be able
to create a kmem_cache from the module init() function:

     kmem_cache_create+0x11/0x20
     do_one_initcall+0xdc/0x550
     do_init_module+0x241/0x630

amdgpu_init()

	r = amdgpu_sync_init();
	if (r)
		goto error_sync;

	r = amdgpu_fence_slab_init();
	if (r)
		goto error_fence;

        <SNIP>
        
	return pci_register_driver(&amdgpu_kms_pci_driver);

error_fence:
	amdgpu_sync_fini();
error_sync:
        return r;

Can you spot the problem?

Thanks,

        tglx

[PATCH] static_call: Replace pointless WARN_ON() in static_call_module_notify()

[Thomas Gleixner]

static_call_module_notify() triggers a WARN_ON(), when memory allocation
fails in __static_call_add_module().

That's not really justified, because the failure case must be correctly
handled by the well known call chain and the error code is passed
through to the initiating userspace application.

A memory allocation fail is not a fatal problem, but the WARN_ON() takes
the machine out when panic_on_warn is set.

Replace it with a pr_warn().

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
---
 kernel/static_call_inline.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/static_call_inline.c
+++ b/kernel/static_call_inline.c
@@ -453,7 +453,7 @@ static int static_call_module_notify(str
 	case MODULE_STATE_COMING:
 		ret = static_call_add_module(mod);
 		if (ret) {
-			WARN(1, "Failed to allocate memory for static calls");
+			pr_warn("Failed to allocate memory for static calls\n");
 			static_call_del_module(mod);
 		}
 		break;

[PATCH v2] static_call: Handle module init failure correctly in static_call_del_module()

[Thomas Gleixner]

Module insertion invokes static_call_add_module() to initialize the static
calls in a module. static_call_add_module() invokes __static_call_init(),
which allocates a struct static_call_mod to either encapsulate the built-in
static call sites of the associated key into it so further modules can be
added or to append the module to the module chain.

If that allocation fails the function returns with an error code and the
module core invokes static_call_del_module() to clean up eventually added
static_call_mod entries.

This works correctly, when all keys used by the module were converted over
to a module chain before the failure. If not then static_call_del_module()
causes a #GP as it blindly assumes that key::mods points to a valid struct
static_call_mod.

The problem is that key::mods is not a individual struct member of struct
static_call_key, it's part of a union to save space:

        union {
                /* bit 0: 0 = mods, 1 = sites */
                unsigned long type;
                struct static_call_mod *mods;
                struct static_call_site *sites;
	};

key::sites is a pointer to the list of built-in usage sites of the static
call. The type of the pointer is differentiated by bit 0. A mods pointer
has the bit clear, the sites pointer has the bit set.

As static_call_del_module() blidly assumes that the pointer is a valid
static_call_mod type, it fails to check for this failure case and
dereferences the pointer to the list of built-in call sites, which is
obviously bogus.

Cure it by checking whether the key has a sites or a mods pointer. 

If it's a sites pointer then the key is not to be touched. As the sites are
walked in the same order as in __static_call_init() the site walk can be
terminated because all subsequent sites have not been touched by the init
code due to the error exit.

If it was converted before the allocation fail, then the inner loop which
searches for a module match will find nothing.

A fail in the second allocation in __static_call_init() is harmless and
does not require special treatment. The first allocation succeeded and
converted the key to a module chain. That first entry has mod::mod == NULL
and mod::next == NULL, so the inner loop of static_call_del_module() will
neither find a module match nor a module chain. The next site in the walk
was either already converted, but can't match the module, or it will exit
the outer loop because it has a static_call_site pointer and not a
static_call_mod pointer.

Fixes: 9183c3f9ed71 ("static_call: Add inline static call infrastructure")
Reported-by: Jinjie Ruan <ruanjinjie@huawei.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Closes: https://lore.kernel.org/all/20230915082126.4187913-1-ruanjinjie@huawei.com
---
V2: Use static_call_key_has_mods() instead
---
 kernel/static_call_inline.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/kernel/static_call_inline.c
+++ b/kernel/static_call_inline.c
@@ -411,6 +411,17 @@ static void static_call_del_module(struc
 
 	for (site = start; site < stop; site++) {
 		key = static_call_key(site);
+
+		/*
+		 * If the key was not updated due to a memory allocation
+		 * failure in __static_call_init() then treating key::sites
+		 * as key::mods in the code below would cause random memory
+		 * access and #GP. In that case all subsequent sites have
+		 * not been touched either, so stop iterating.
+		 */
+		if (!static_call_key_has_mods(key))
+			break;
+
 		if (key == prev_key)
 			continue;
 

Re: [PATCH v2] static_call: Handle module init failure correctly in static_call_del_module()

[Jinjie Ruan]

On 2024/9/4 17:09, Thomas Gleixner wrote:
> Module insertion invokes static_call_add_module() to initialize the static
> calls in a module. static_call_add_module() invokes __static_call_init(),
> which allocates a struct static_call_mod to either encapsulate the built-in
> static call sites of the associated key into it so further modules can be
> added or to append the module to the module chain.
> 
> If that allocation fails the function returns with an error code and the
> module core invokes static_call_del_module() to clean up eventually added
> static_call_mod entries.
> 
> This works correctly, when all keys used by the module were converted over
> to a module chain before the failure. If not then static_call_del_module()
> causes a #GP as it blindly assumes that key::mods points to a valid struct
> static_call_mod.
> 
> The problem is that key::mods is not a individual struct member of struct
> static_call_key, it's part of a union to save space:
> 
>         union {
>                 /* bit 0: 0 = mods, 1 = sites */
>                 unsigned long type;
>                 struct static_call_mod *mods;
>                 struct static_call_site *sites;
> 	};
> 
> key::sites is a pointer to the list of built-in usage sites of the static
> call. The type of the pointer is differentiated by bit 0. A mods pointer
> has the bit clear, the sites pointer has the bit set.
> 
> As static_call_del_module() blidly assumes that the pointer is a valid
> static_call_mod type, it fails to check for this failure case and
> dereferences the pointer to the list of built-in call sites, which is
> obviously bogus.
> 
> Cure it by checking whether the key has a sites or a mods pointer. 
> 
> If it's a sites pointer then the key is not to be touched. As the sites are
> walked in the same order as in __static_call_init() the site walk can be
> terminated because all subsequent sites have not been touched by the init
> code due to the error exit.
> 
> If it was converted before the allocation fail, then the inner loop which
> searches for a module match will find nothing.
> 
> A fail in the second allocation in __static_call_init() is harmless and
> does not require special treatment. The first allocation succeeded and
> converted the key to a module chain. That first entry has mod::mod == NULL
> and mod::next == NULL, so the inner loop of static_call_del_module() will
> neither find a module match nor a module chain. The next site in the walk
> was either already converted, but can't match the module, or it will exit
> the outer loop because it has a static_call_site pointer and not a
> static_call_mod pointer.
> 
> Fixes: 9183c3f9ed71 ("static_call: Add inline static call infrastructure")
> Reported-by: Jinjie Ruan <ruanjinjie@huawei.com>
> Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
> Closes: https://lore.kernel.org/all/20230915082126.4187913-1-ruanjinjie@huawei.com
> ---
> V2: Use static_call_key_has_mods() instead
> ---
>  kernel/static_call_inline.c |   11 +++++++++++
>  1 file changed, 11 insertions(+)
> 
> --- a/kernel/static_call_inline.c
> +++ b/kernel/static_call_inline.c
> @@ -411,6 +411,17 @@ static void static_call_del_module(struc
>  
>  	for (site = start; site < stop; site++) {
>  		key = static_call_key(site);
> +
> +		/*
> +		 * If the key was not updated due to a memory allocation
> +		 * failure in __static_call_init() then treating key::sites
> +		 * as key::mods in the code below would cause random memory
> +		 * access and #GP. In that case all subsequent sites have
> +		 * not been touched either, so stop iterating.
> +		 */
> +		if (!static_call_key_has_mods(key))
> +			break;
> +

Tested-by: Jinjie Ruan <ruanjinjie@huawei.com>

>  		if (key == prev_key)
>  			continue;
>  

Re: [PATCH] static_call: Handle module init failure correctly in static_call_del_module()

[Jinjie Ruan]

On 2024/9/4 16:51, Thomas Gleixner wrote:
> On Wed, Sep 04 2024 at 16:03, Jinjie Ruan wrote:
>> On 2024/9/4 15:08, Thomas Gleixner wrote:
>>> So the check must be:
>>>
>>> 	if (!static_call_key_has_mods(key))
>>>         	break;
>>
>> Hi, Thomas,
>>
>> with this patch, the issue not occurs again，
>>
>> but there are some memory leak here same to the following problem:
> 
> That has absolutely nothing to do with static calls and the memory
> allocation failure case there.
> 
> The module passed all preparatory steps, otherwise it would not be able
> to create a kmem_cache from the module init() function:
> 
>      kmem_cache_create+0x11/0x20
>      do_one_initcall+0xdc/0x550
>      do_init_module+0x241/0x630
> 
> amdgpu_init()
> 
> 	r = amdgpu_sync_init();
> 	if (r)
> 		goto error_sync;
> 
> 	r = amdgpu_fence_slab_init();
> 	if (r)
> 		goto error_fence;
> 
>         <SNIP>
>         
> 	return pci_register_driver(&amdgpu_kms_pci_driver);
> 
> error_fence:
> 	amdgpu_sync_fini();
> error_sync:
>         return r;
> 
> Can you spot the problem?

I see, let me test it.

> 
> Thanks,
> 
>         tglx

Re: [PATCH] static_call: Handle module init failure correctly in static_call_del_module()

[Jinjie Ruan]

On 2024/9/4 16:51, Thomas Gleixner wrote:
> On Wed, Sep 04 2024 at 16:03, Jinjie Ruan wrote:
>> On 2024/9/4 15:08, Thomas Gleixner wrote:
>>> So the check must be:
>>>
>>> 	if (!static_call_key_has_mods(key))
>>>         	break;
>>
>> Hi, Thomas,
>>
>> with this patch, the issue not occurs again，
>>
>> but there are some memory leak here same to the following problem:
> 
> That has absolutely nothing to do with static calls and the memory
> allocation failure case there.
> 
> The module passed all preparatory steps, otherwise it would not be able
> to create a kmem_cache from the module init() function:
> 
>      kmem_cache_create+0x11/0x20
>      do_one_initcall+0xdc/0x550
>      do_init_module+0x241/0x630
> 
> amdgpu_init()
> 
> 	r = amdgpu_sync_init();
> 	if (r)
> 		goto error_sync;
> 
> 	r = amdgpu_fence_slab_init();
> 	if (r)
> 		goto error_fence;
> 
>         <SNIP>
>         
> 	return pci_register_driver(&amdgpu_kms_pci_driver);
> 
> error_fence:
> 	amdgpu_sync_fini();
> error_sync:
>         return r;
> 
> Can you spot the problem?

Hi, Thomas,

It seems that it is not the memory leak source,

I test with the following patch, the memory leak also occurs,

but with the Link patch, the problem solved and the memory leak missed.

 drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
index 094498a0964b..3589e4768bd6 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
@@ -3032,11 +3032,11 @@ static int __init amdgpu_init(void)

        r = amdgpu_sync_init();
        if (r)
-               goto error_sync;
+               return r;

        r = amdgpu_fence_slab_init();
        if (r)
-               goto error_fence;
+               goto error_sync;

        DRM_INFO("amdgpu kernel modesetting enabled.\n");
        amdgpu_register_atpx_handler();
@@ -3046,12 +3046,18 @@ static int __init amdgpu_init(void)
        amdgpu_amdkfd_init();

        /* let modprobe override vga console setting */
-       return pci_register_driver(&amdgpu_kms_pci_driver);
+       r = pci_register_driver(&amdgpu_kms_pci_driver);
+       if (r)
+               goto error_fence;
+
+       return 0;

 error_fence:
-       amdgpu_sync_fini();
+       amdgpu_fence_slab_fini();

 error_sync:
+       amdgpu_sync_fini();
+
        return r;
 }


> 
> Thanks,
> 
>         tglx

Re: [PATCH] static_call: Handle module init failure correctly in static_call_del_module()

[Thomas Gleixner]

On Thu, Sep 05 2024 at 11:34, Jinjie Ruan wrote:
> On 2024/9/4 16:51, Thomas Gleixner wrote:
>> Can you spot the problem?
>
> It seems that it is not the memory leak source,

That's possible, but the code in there is definitely incorrect when
pci_register_driver() fails. Simply because module->exit() is not
invoked when module->init() fails.

> but with the Link patch, the problem solved and the memory leak missed.

Sure, but the change log of this patch is not really helpful at all and
you sent me a gazillion of leak dumps, but failed to explain what the
actual failure scenario is.

So without a coherent description how to reproduce this issue there is
not much I can do than looking at the code. The amdgpu init() function
was an obvious candidate, but there seems to be some other way to cause
that problem.

Now you at least provided the information that the missing cleanup in
the init() function is not the problem. So the obvious place to look is
in the module core code whether there is a failure path _after_
module->init() returned success.

do_init_module()
        ret = do_one_initcall(mod->init);
        ...
	ret = module_enable_rodata_ro(mod, true);
	if (ret)
		goto fail_mutex_unlock;

and that error path does _not_ invoke module->exit(), which is obviously
not correct. Luis?

I assume that's not the problem when looking at the change log of that:

 https://lore.kernel.org/all/20221112114602.1268989-4-liushixin2@huawei.com/

> Following the rules stated in the comment for kobject_init_and_add():
>  If this function returns an error, kobject_put() must be called to
>  properly clean up the memory associated with the object.
> 
> kobject_put() is more appropriate for error handling after kobject_init().

Why? The rules are exactly the same, no?

> And we can use this function to solve this problem.

Which function and which problem?

> For the cache created early, the related sysfs_slab_add() is called in
> slab_sysfs_init(). Skip free these kmem_cache since they are important
> for system. Keep them working without sysfs.

Let me try to decode this. I assume that sysfs_slab_add() fails after
kobject_init_and_add() or kobject_init_and_add) itself fails.

So the problem is that there are two ways how this can be invoked:

   1) from slab_sysfs_init() for the kmem_cache instances which have
      been allocated during early boot before sysfs was available.

   2) from kmem_cache_create() after early boot

So what Liu tries to avoid is to invoke kobject_put(), because
kobject_put() would not only free the name (which is what the leak
complains about), but also invoke the release callback, which would 
try to destroy the kmem_cache itself.

That's a problem for the mm people to solve, but that does not make my
observations about the amdgpu init() function and the error path in
do_init_module() moot :)

Thanks,

        tglx

[tip: locking/urgent] static_call: Replace pointless WARN_ON() in static_call_module_notify()

[tip-bot2 for Thomas Gleixner]

The following commit has been merged into the locking/urgent branch of tip:

Commit-ID:     fe513c2ef0a172a58f158e2e70465c4317f0a9a2
Gitweb:        https://git.kernel.org/tip/fe513c2ef0a172a58f158e2e70465c4317f0a9a2
Author:        Thomas Gleixner <tglx@linutronix.de>
AuthorDate:    Wed, 04 Sep 2024 11:08:28 +02:00
Committer:     Peter Zijlstra <peterz@infradead.org>
CommitterDate: Fri, 06 Sep 2024 16:29:22 +02:00

static_call: Replace pointless WARN_ON() in static_call_module_notify()

static_call_module_notify() triggers a WARN_ON(), when memory allocation
fails in __static_call_add_module().

That's not really justified, because the failure case must be correctly
handled by the well known call chain and the error code is passed
through to the initiating userspace application.

A memory allocation fail is not a fatal problem, but the WARN_ON() takes
the machine out when panic_on_warn is set.

Replace it with a pr_warn().

Fixes: 9183c3f9ed71 ("static_call: Add inline static call infrastructure")
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/8734mf7pmb.ffs@tglx
---
 kernel/static_call_inline.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/static_call_inline.c b/kernel/static_call_inline.c
index 7bb0962..5259cda 100644
--- a/kernel/static_call_inline.c
+++ b/kernel/static_call_inline.c
@@ -453,7 +453,7 @@ static int static_call_module_notify(struct notifier_block *nb,
 	case MODULE_STATE_COMING:
 		ret = static_call_add_module(mod);
 		if (ret) {
-			WARN(1, "Failed to allocate memory for static calls");
+			pr_warn("Failed to allocate memory for static calls\n");
 			static_call_del_module(mod);
 		}
 		break;

[tip: locking/urgent] static_call: Handle module init failure correctly in static_call_del_module()

[tip-bot2 for Thomas Gleixner]

The following commit has been merged into the locking/urgent branch of tip:

Commit-ID:     4b30051c4864234ec57290c3d142db7c88f10d8a
Gitweb:        https://git.kernel.org/tip/4b30051c4864234ec57290c3d142db7c88f10d8a
Author:        Thomas Gleixner <tglx@linutronix.de>
AuthorDate:    Wed, 04 Sep 2024 11:09:07 +02:00
Committer:     Peter Zijlstra <peterz@infradead.org>
CommitterDate: Fri, 06 Sep 2024 16:29:21 +02:00

static_call: Handle module init failure correctly in static_call_del_module()

Module insertion invokes static_call_add_module() to initialize the static
calls in a module. static_call_add_module() invokes __static_call_init(),
which allocates a struct static_call_mod to either encapsulate the built-in
static call sites of the associated key into it so further modules can be
added or to append the module to the module chain.

If that allocation fails the function returns with an error code and the
module core invokes static_call_del_module() to clean up eventually added
static_call_mod entries.

This works correctly, when all keys used by the module were converted over
to a module chain before the failure. If not then static_call_del_module()
causes a #GP as it blindly assumes that key::mods points to a valid struct
static_call_mod.

The problem is that key::mods is not a individual struct member of struct
static_call_key, it's part of a union to save space:

        union {
                /* bit 0: 0 = mods, 1 = sites */
                unsigned long type;
                struct static_call_mod *mods;
                struct static_call_site *sites;
	};

key::sites is a pointer to the list of built-in usage sites of the static
call. The type of the pointer is differentiated by bit 0. A mods pointer
has the bit clear, the sites pointer has the bit set.

As static_call_del_module() blidly assumes that the pointer is a valid
static_call_mod type, it fails to check for this failure case and
dereferences the pointer to the list of built-in call sites, which is
obviously bogus.

Cure it by checking whether the key has a sites or a mods pointer.

If it's a sites pointer then the key is not to be touched. As the sites are
walked in the same order as in __static_call_init() the site walk can be
terminated because all subsequent sites have not been touched by the init
code due to the error exit.

If it was converted before the allocation fail, then the inner loop which
searches for a module match will find nothing.

A fail in the second allocation in __static_call_init() is harmless and
does not require special treatment. The first allocation succeeded and
converted the key to a module chain. That first entry has mod::mod == NULL
and mod::next == NULL, so the inner loop of static_call_del_module() will
neither find a module match nor a module chain. The next site in the walk
was either already converted, but can't match the module, or it will exit
the outer loop because it has a static_call_site pointer and not a
static_call_mod pointer.

Fixes: 9183c3f9ed71 ("static_call: Add inline static call infrastructure")
Closes: https://lore.kernel.org/all/20230915082126.4187913-1-ruanjinjie@huawei.com
Reported-by: Jinjie Ruan <ruanjinjie@huawei.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Tested-by: Jinjie Ruan <ruanjinjie@huawei.com>
Link: https://lore.kernel.org/r/87zfon6b0s.ffs@tglx
---
 kernel/static_call_inline.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/kernel/static_call_inline.c b/kernel/static_call_inline.c
index 639397b..7bb0962 100644
--- a/kernel/static_call_inline.c
+++ b/kernel/static_call_inline.c
@@ -411,6 +411,17 @@ static void static_call_del_module(struct module *mod)
 
 	for (site = start; site < stop; site++) {
 		key = static_call_key(site);
+
+		/*
+		 * If the key was not updated due to a memory allocation
+		 * failure in __static_call_init() then treating key::sites
+		 * as key::mods in the code below would cause random memory
+		 * access and #GP. In that case all subsequent sites have
+		 * not been touched either, so stop iterating.
+		 */
+		if (!static_call_key_has_mods(key))
+			break;
+
 		if (key == prev_key)
 			continue;
 

Re: [PATCH] static_call: Handle module init failure correctly in static_call_del_module()

[Luis Chamberlain]

On Thu, Sep 05, 2024 at 11:44:00AM +0200, Thomas Gleixner wrote:
> Now you at least provided the information that the missing cleanup in
> the init() function is not the problem. So the obvious place to look is
> in the module core code whether there is a failure path _after_
> module->init() returned success.
> 
> do_init_module()
>         ret = do_one_initcall(mod->init);
>         ...
> 	ret = module_enable_rodata_ro(mod, true);
> 	if (ret)
> 		goto fail_mutex_unlock;
> 
> and that error path does _not_ invoke module->exit(), which is obviously
> not correct. Luis?

You're spot on this needs fixing.

  Luis

Re: [PATCH] static_call: Handle module init failure correctly in static_call_del_module()

[Luis Chamberlain]

On Fri, Sep 06, 2024 at 04:24:56PM -0700, Luis Chamberlain wrote:
> On Thu, Sep 05, 2024 at 11:44:00AM +0200, Thomas Gleixner wrote:
> > Now you at least provided the information that the missing cleanup in
> > the init() function is not the problem. So the obvious place to look is
> > in the module core code whether there is a failure path _after_
> > module->init() returned success.
> > 
> > do_init_module()
> >         ret = do_one_initcall(mod->init);
> >         ...
> > 	ret = module_enable_rodata_ro(mod, true);
> > 	if (ret)
> > 		goto fail_mutex_unlock;
> > 
> > and that error path does _not_ invoke module->exit(), which is obviously
> > not correct. Luis?
> 
> You're spot on this needs fixing.

Christophe, this is a regression caused by the second hunk of your commit
d1909c0221739 ("module: Don't ignore errors from set_memory_XX()") on v6.9.
Sadly there are a few issues with trying to get to call mod->exit():

- We should try try_stop_module()  and that can fail
- source_list may not be empty and that would block removal
- mod->exit may not exist

I'm wondering if instead we should try to do the module_enable_rodata_ro()
before the init, but that requires a bit more careful evaluation...

  Luis

Re: [PATCH] static_call: Handle module init failure correctly in static_call_del_module()

[Mike Rapoport]

On Thu, Sep 19, 2024 at 02:53:34AM -0700, Luis Chamberlain wrote:
> On Fri, Sep 06, 2024 at 04:24:56PM -0700, Luis Chamberlain wrote:
> > On Thu, Sep 05, 2024 at 11:44:00AM +0200, Thomas Gleixner wrote:
> > > Now you at least provided the information that the missing cleanup in
> > > the init() function is not the problem. So the obvious place to look is
> > > in the module core code whether there is a failure path _after_
> > > module->init() returned success.
> > > 
> > > do_init_module()
> > >         ret = do_one_initcall(mod->init);
> > >         ...
> > > 	ret = module_enable_rodata_ro(mod, true);
> > > 	if (ret)
> > > 		goto fail_mutex_unlock;
> > > 
> > > and that error path does _not_ invoke module->exit(), which is obviously
> > > not correct. Luis?
> > 
> > You're spot on this needs fixing.
> 
> Christophe, this is a regression caused by the second hunk of your commit
> d1909c0221739 ("module: Don't ignore errors from set_memory_XX()") on v6.9.
> Sadly there are a few issues with trying to get to call mod->exit():
> 
> - We should try try_stop_module()  and that can fail
> - source_list may not be empty and that would block removal
> - mod->exit may not exist
> 
> I'm wondering if instead we should try to do the module_enable_rodata_ro()
> before the init, but that requires a bit more careful evaluation...

There is ro_after_init section, we can't really make it RO before ->init()
 
>   Luis

-- 
Sincerely yours,
Mike.

Re: [PATCH] static_call: Handle module init failure correctly in static_call_del_module()

[Christophe Leroy]

Hi Luis,

Le 24/09/2024 à 09:22, Mike Rapoport a écrit :
> On Thu, Sep 19, 2024 at 02:53:34AM -0700, Luis Chamberlain wrote:
>> On Fri, Sep 06, 2024 at 04:24:56PM -0700, Luis Chamberlain wrote:
>>> On Thu, Sep 05, 2024 at 11:44:00AM +0200, Thomas Gleixner wrote:
>>>> Now you at least provided the information that the missing cleanup in
>>>> the init() function is not the problem. So the obvious place to look is
>>>> in the module core code whether there is a failure path _after_
>>>> module->init() returned success.
>>>>
>>>> do_init_module()
>>>>          ret = do_one_initcall(mod->init);
>>>>          ...
>>>> 	ret = module_enable_rodata_ro(mod, true);
>>>> 	if (ret)
>>>> 		goto fail_mutex_unlock;
>>>>
>>>> and that error path does _not_ invoke module->exit(), which is obviously
>>>> not correct. Luis?
>>>
>>> You're spot on this needs fixing.
>>
>> Christophe, this is a regression caused by the second hunk of your commit
>> d1909c0221739 ("module: Don't ignore errors from set_memory_XX()") on v6.9.
>> Sadly there are a few issues with trying to get to call mod->exit():
>>
>> - We should try try_stop_module()  and that can fail
>> - source_list may not be empty and that would block removal
>> - mod->exit may not exist
>>
>> I'm wondering if instead we should try to do the module_enable_rodata_ro()
>> before the init, but that requires a bit more careful evaluation...
> 
> There is ro_after_init section, we can't really make it RO before ->init()
>   

Surprisingly I never received Luis's email allthough I got this answer 
from Mike that I overlooked.

So coming back here from 
https://lore.kernel.org/all/ZyQhbHxDTRXTJgIx@bombadil.infradead.org/

As far as I understand, indeed once init is called it is too late to 
fail, right ? Especially when the module has no exit() path or when 
CONFIG_MODULE_UNLOAD is not built in.

So the only thing we can do then is a big fat warning telling 
set_memory_ro() on ro_after_init memory has failed ?

Maybe we should try and change it to RO then back to RW before calling 
init, to be on a safer side hopping that if change to RO works once it 
will work twice ?

Christophe

Re: [PATCH] static_call: Handle module init failure correctly in static_call_del_module()

[Luis Chamberlain]

+ Other new module maintainers

On Fri, Nov 08, 2024 at 09:12:03AM +0100, Christophe Leroy wrote:
> Hi Luis,
> 
> Le 24/09/2024 à 09:22, Mike Rapoport a écrit :
> > On Thu, Sep 19, 2024 at 02:53:34AM -0700, Luis Chamberlain wrote:
> > > On Fri, Sep 06, 2024 at 04:24:56PM -0700, Luis Chamberlain wrote:
> > > > On Thu, Sep 05, 2024 at 11:44:00AM +0200, Thomas Gleixner wrote:
> > > > > Now you at least provided the information that the missing cleanup in
> > > > > the init() function is not the problem. So the obvious place to look is
> > > > > in the module core code whether there is a failure path _after_
> > > > > module->init() returned success.
> > > > > 
> > > > > do_init_module()
> > > > >          ret = do_one_initcall(mod->init);
> > > > >          ...
> > > > > 	ret = module_enable_rodata_ro(mod, true);
> > > > > 	if (ret)
> > > > > 		goto fail_mutex_unlock;
> > > > > 
> > > > > and that error path does _not_ invoke module->exit(), which is obviously
> > > > > not correct. Luis?
> > > > 
> > > > You're spot on this needs fixing.
> > > 
> > > Christophe, this is a regression caused by the second hunk of your commit
> > > d1909c0221739 ("module: Don't ignore errors from set_memory_XX()") on v6.9.
> > > Sadly there are a few issues with trying to get to call mod->exit():
> > > 
> > > - We should try try_stop_module()  and that can fail
> > > - source_list may not be empty and that would block removal
> > > - mod->exit may not exist
> > > 
> > > I'm wondering if instead we should try to do the module_enable_rodata_ro()
> > > before the init, but that requires a bit more careful evaluation...
> > 
> > There is ro_after_init section, we can't really make it RO before ->init()
> 
> Surprisingly I never received Luis's email

So odd..

> allthough I got this answer from Mike that I overlooked.
> 
> So coming back here from
> https://lore.kernel.org/all/ZyQhbHxDTRXTJgIx@bombadil.infradead.org/
> 
> As far as I understand, indeed once init is called it is too late to fail,

Partly yes, party no. Party yes in that its a can of worms we have not
had to deal with before, and also I worry about deadlocks, and the code
to address this seems complex. right ?


> Especially when the module has no exit() path or when
> CONFIG_MODULE_UNLOAD is not built in.

That's exactly the other extreme case I fear for.

> So the only thing we can do then is a big fat warning telling
> set_memory_ro() on ro_after_init memory has failed ?

I suspect this is more sensible to do.

> Maybe we should try and change it to RO then back to RW before calling init,
> to be on a safer side hopping that if change to RO works once it will work
> twice ?

That's another approach wich could work, if we proove that this does
work, it's a nice best effort and I think less or a mess to the codebase
then special-casing the error handling of trying to deal with the
driver's exit.

Daniel Gomez has been looking at this, so his feedback here would be
valuable.

  Luis

Re: [PATCH] static_call: Handle module init failure correctly in static_call_del_module()

[Daniel Gomez]

On Fri Nov 8, 2024 at 4:49 PM CET, Luis Chamberlain wrote:
> + Other new module maintainers
>
> On Fri, Nov 08, 2024 at 09:12:03AM +0100, Christophe Leroy wrote:
>> Hi Luis,
>> 
>> Le 24/09/2024 à 09:22, Mike Rapoport a écrit :
>> > On Thu, Sep 19, 2024 at 02:53:34AM -0700, Luis Chamberlain wrote:
>> > > On Fri, Sep 06, 2024 at 04:24:56PM -0700, Luis Chamberlain wrote:
>> > > > On Thu, Sep 05, 2024 at 11:44:00AM +0200, Thomas Gleixner wrote:
>> > > > > Now you at least provided the information that the missing cleanup in
>> > > > > the init() function is not the problem. So the obvious place to look is
>> > > > > in the module core code whether there is a failure path _after_
>> > > > > module->init() returned success.
>> > > > > 
>> > > > > do_init_module()
>> > > > >          ret = do_one_initcall(mod->init);
>> > > > >          ...
>> > > > > 	ret = module_enable_rodata_ro(mod, true);
>> > > > > 	if (ret)
>> > > > > 		goto fail_mutex_unlock;
>> > > > > 
>> > > > > and that error path does _not_ invoke module->exit(), which is obviously
>> > > > > not correct. Luis?
>> > > > 
>> > > > You're spot on this needs fixing.
>> > > 
>> > > Christophe, this is a regression caused by the second hunk of your commit
>> > > d1909c0221739 ("module: Don't ignore errors from set_memory_XX()") on v6.9.
>> > > Sadly there are a few issues with trying to get to call mod->exit():
>> > > 
>> > > - We should try try_stop_module()  and that can fail
>> > > - source_list may not be empty and that would block removal
>> > > - mod->exit may not exist
>> > > 
>> > > I'm wondering if instead we should try to do the module_enable_rodata_ro()
>> > > before the init, but that requires a bit more careful evaluation...
>> > 
>> > There is ro_after_init section, we can't really make it RO before ->init()
>> 
>> Surprisingly I never received Luis's email
>
> So odd..
>
>> allthough I got this answer from Mike that I overlooked.
>> 
>> So coming back here from
>> https://lore.kernel.org/all/ZyQhbHxDTRXTJgIx@bombadil.infradead.org/
>> 
>> As far as I understand, indeed once init is called it is too late to fail,
>
> Partly yes, party no. Party yes in that its a can of worms we have not
> had to deal with before, and also I worry about deadlocks, and the code
> to address this seems complex. right ?

I have a RFC ready with this, I'll send this now so we can discuss on
with a proposal.

>
>
>> Especially when the module has no exit() path or when
>> CONFIG_MODULE_UNLOAD is not built in.
>
> That's exactly the other extreme case I fear for.
>
>> So the only thing we can do then is a big fat warning telling
>> set_memory_ro() on ro_after_init memory has failed ?
>
> I suspect this is more sensible to do.

I came to the same conclusion while trying to fix this path. + I added
an alternative for discussion.

>
>> Maybe we should try and change it to RO then back to RW before calling init,
>> to be on a safer side hopping that if change to RO works once it will work
>> twice ?
>
> That's another approach wich could work, if we proove that this does
> work, it's a nice best effort and I think less or a mess to the codebase
> then special-casing the error handling of trying to deal with the
> driver's exit.
>
> Daniel Gomez has been looking at this, so his feedback here would be
> valuable.

What if we detect ro_after_init first, and block any module
initialization depending on this ro_after_init to actually start loading
it? That way we can stop and unload the module successfully.

>
>   Luis

Re: [PATCH] static_call: Handle module init failure correctly in static_call_del_module()

[Daniel Gomez]

On Fri Nov 8, 2024 at 5:09 PM CET, Daniel Gomez wrote:
> On Fri Nov 8, 2024 at 4:49 PM CET, Luis Chamberlain wrote:
>> + Other new module maintainers
>>
>> On Fri, Nov 08, 2024 at 09:12:03AM +0100, Christophe Leroy wrote:
>>> Hi Luis,
>>> 
>>> Le 24/09/2024 à 09:22, Mike Rapoport a écrit :
>>> > On Thu, Sep 19, 2024 at 02:53:34AM -0700, Luis Chamberlain wrote:
>>> > > On Fri, Sep 06, 2024 at 04:24:56PM -0700, Luis Chamberlain wrote:
>>> > > > On Thu, Sep 05, 2024 at 11:44:00AM +0200, Thomas Gleixner wrote:
>>> > > > > Now you at least provided the information that the missing cleanup in
>>> > > > > the init() function is not the problem. So the obvious place to look is
>>> > > > > in the module core code whether there is a failure path _after_
>>> > > > > module->init() returned success.
>>> > > > > 
>>> > > > > do_init_module()
>>> > > > >          ret = do_one_initcall(mod->init);
>>> > > > >          ...
>>> > > > > 	ret = module_enable_rodata_ro(mod, true);
>>> > > > > 	if (ret)
>>> > > > > 		goto fail_mutex_unlock;
>>> > > > > 
>>> > > > > and that error path does _not_ invoke module->exit(), which is obviously
>>> > > > > not correct. Luis?
>>> > > > 
>>> > > > You're spot on this needs fixing.
>>> > > 
>>> > > Christophe, this is a regression caused by the second hunk of your commit
>>> > > d1909c0221739 ("module: Don't ignore errors from set_memory_XX()") on v6.9.
>>> > > Sadly there are a few issues with trying to get to call mod->exit():
>>> > > 
>>> > > - We should try try_stop_module()  and that can fail
>>> > > - source_list may not be empty and that would block removal
>>> > > - mod->exit may not exist
>>> > > 
>>> > > I'm wondering if instead we should try to do the module_enable_rodata_ro()
>>> > > before the init, but that requires a bit more careful evaluation...
>>> > 
>>> > There is ro_after_init section, we can't really make it RO before ->init()
>>> 
>>> Surprisingly I never received Luis's email
>>
>> So odd..
>>
>>> allthough I got this answer from Mike that I overlooked.
>>> 
>>> So coming back here from
>>> https://lore.kernel.org/all/ZyQhbHxDTRXTJgIx@bombadil.infradead.org/
>>> 
>>> As far as I understand, indeed once init is called it is too late to fail,
>>
>> Partly yes, party no. Party yes in that its a can of worms we have not
>> had to deal with before, and also I worry about deadlocks, and the code
>> to address this seems complex. right ?
>
> I have a RFC ready with this, I'll send this now so we can discuss on
> with a proposal.
>
>>
>>
>>> Especially when the module has no exit() path or when
>>> CONFIG_MODULE_UNLOAD is not built in.
>>
>> That's exactly the other extreme case I fear for.
>>
>>> So the only thing we can do then is a big fat warning telling
>>> set_memory_ro() on ro_after_init memory has failed ?
>>
>> I suspect this is more sensible to do.
>
> I came to the same conclusion while trying to fix this path. + I added
> an alternative for discussion.
>
>>
>>> Maybe we should try and change it to RO then back to RW before calling init,
>>> to be on a safer side hopping that if change to RO works once it will work
>>> twice ?
>>
>> That's another approach wich could work, if we proove that this does
>> work, it's a nice best effort and I think less or a mess to the codebase
>> then special-casing the error handling of trying to deal with the
>> driver's exit.
>>
>> Daniel Gomez has been looking at this, so his feedback here would be
>> valuable.
>
> What if we detect ro_after_init first, and block any module
> initialization depending on this ro_after_init to actually start loading
> it? That way we can stop and unload the module successfully.

In case I'm missing someone, I've just sent the RFC here:

https://lore.kernel.org/linux-modules/20241108-modules-ro_after_init-v3-0-6dd041b588a5@samsung.com/T/#t

Please ignore "v3" prefix. That was a mistake. Not sure why b4 added
that.

>
>>
>>   Luis