Greetings,
FYI, we noticed the following commit (built with gcc-9):
commit: 53944f171a89dff4e2a3d76f42e6eedb551bb861 ("mm: remove HARDENED_USERCOPY_FALLBACK")
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git master
in testcase: trinity
version: trinity-i386-4d2343bd-1_20200320
with following parameters:
runtime: 300s
group: group-02
test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/
on test machine: qemu-system-i386 -enable-kvm -cpu SandyBridge -smp 2 -m 4G
caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
+------------------------------------------+------------+------------+
|                                          | 755804d169 | 53944f171a |
+------------------------------------------+------------+------------+
| boot_successes                           | 60         | 60         |
| boot_failures                            | 2          | 2          |
| WARNING:at_mm/usercopy.c:#usercopy_warn  | 2          |            |
| EIP:usercopy_warn                        | 2          |            |
| kernel_BUG_at_mm/usercopy.c              | 0          | 2          |
| invalid_opcode:#[##]                     | 0          | 2          |
| EIP:usercopy_abort                       | 0          | 2          |
| Kernel_panic-not_syncing:Fatal_exception | 0          | 2          |
+------------------------------------------+------------+------------+
If you fix the issue, kindly add the following tag
Reported-by: kernel test robot <oliver.sang@intel.com>
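What the table records is a change in the verdict of the heap usercopy check, not a new bug in the copy itself: __check_heap_object() (mm/slab.c, the frame directly under usercopy_abort in the trace below) already rejected copies that fall outside a slab cache's usercopy whitelist, but with HARDENED_USERCOPY_FALLBACK a copy that at least stayed inside the object was only warned about (usercopy_warn) and then allowed; with the fallback removed the same copy goes straight to usercopy_abort(), which is BUG(). The following is an added userspace model of that check, written for this report rather than taken from the kernel tree; the struct fields mirror the ones the kernel check consults, the `fallback` flag stands in for the removed Kconfig option, and the two cache layouts and copy ranges are constructed purely for illustration (they are not the DECnet socket cache or the exact offsets from this crash, which the truncated log does not show).

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the kmem_cache fields the usercopy check reads. */
struct kmem_cache {
    const char *name;
    unsigned int object_size;  /* usable bytes in one object */
    unsigned int useroffset;   /* start of the usercopy whitelist region */
    unsigned int usersize;     /* length of that region; 0 means none */
};

enum usercopy_verdict {
    USERCOPY_OK,     /* range inside the whitelist: copy proceeds silently */
    USERCOPY_WARN,   /* fallback only: WARN, then the copy still proceeds */
    USERCOPY_ABORT,  /* usercopy_abort() -> BUG(), as in the oops below */
};

/*
 * offset: byte offset of the copy start inside the object,
 * n: bytes to copy, fallback: whether the removed
 * HARDENED_USERCOPY_FALLBACK behaviour is in effect.
 * The arithmetic deliberately uses unsigned long like the kernel
 * does; the first comparison guards the subtraction in the second.
 */
static enum usercopy_verdict
check_heap_object(const struct kmem_cache *c, unsigned long offset,
                  unsigned long n, bool fallback)
{
    /* Allow an address range falling entirely within the usercopy region. */
    if (offset >= c->useroffset &&
        offset - c->useroffset <= c->usersize &&
        n <= c->useroffset - offset + c->usersize)
        return USERCOPY_OK;

    /*
     * The branch removed by 53944f171a89: a copy outside the whitelist
     * but still inside the allocated object was tolerated with a warning
     * so that missing whitelists could be found. This is the path behind
     * the usercopy_warn entries in the 755804d169 column of the table.
     */
    if (fallback && offset <= c->object_size && n <= c->object_size - offset)
        return USERCOPY_WARN;

    return USERCOPY_ABORT;
}

static const char *verdict_name(enum usercopy_verdict v)
{
    switch (v) {
    case USERCOPY_OK:    return "ok";
    case USERCOPY_WARN:  return "warn (fallback)";
    default:             return "abort -> BUG()";
    }
}

/* Constructed example caches (not real kernel cache geometry). */
static const struct kmem_cache whitelisted_cache = {
    .name = "example-with-whitelist", .object_size = 256,
    .useroffset = 64, .usersize = 32,
};
static const struct kmem_cache unlisted_cache = {
    .name = "example-without-whitelist", .object_size = 512,
    .useroffset = 0, .usersize = 0,
};

static void show(const struct kmem_cache *c, unsigned long off, unsigned long n)
{
    printf("%-26s offset %3lu size %3lu: fallback=%s  no-fallback=%s\n",
           c->name, off, n,
           verdict_name(check_heap_object(c, off, n, true)),
           verdict_name(check_heap_object(c, off, n, false)));
}

int main(void)
{
    show(&whitelisted_cache, 64, 32);   /* exactly the whitelisted region */
    show(&whitelisted_cache, 80, 32);   /* overruns the region, inside object */
    show(&unlisted_cache,   100, 12);   /* no whitelist at all, inside object */
    show(&unlisted_cache,   500, 64);   /* runs past the object: always abort */
    return 0;
}
```

The second and third cases are the interesting ones: both were a one-line WARN before the commit and are a fatal BUG after it, which is exactly the shift from `usercopy_warn` to `usercopy_abort` and `Kernel_panic-not_syncing` in the table. A copy that leaves the object entirely (the last case) was never tolerated by either version. The fix for a report like this is therefore on the caller's side, either whitelisting the copied range with kmem_cache_create_usercopy() or copying through a stack buffer, not in the check.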
[ 236.008036][ T474] kernel BUG at mm/usercopy.c:99!
[ 236.008547][ T474] invalid opcode: 0000 [#1] SMP
[ 236.009010][ T474] CPU: 1 PID: 474 Comm: trinity-c2 Not tainted
5.15.0-00198-g53944f171a89 #1 2d2e3460c0be319e189daed65084612fe4630632
[ 236.010194][ T474] EIP: usercopy_abort (mm/usercopy.c:99 (discriminator 16))
[  236.010665][  T474] Code: c6 c1 ff 75 0c 0f 45 de b9 99 1f c5 c1 be 70 bf c5 c1 ff 75 08 0f 45 ce 57 52 ff 75 f0 50 53 51 68 f1 bf c5 c1 e8 37 ef ff ff <0f> 0b 55 89 d1 8b 50 04 8b 00 8b 52 40 89 e5 8b 40 0c e8 83 b7 ba
All code
========
0: c6 c1 ff mov $0xff,%cl
3: 75 0c jne 0x11
5: 0f 45 de cmovne %esi,%ebx
8: b9 99 1f c5 c1 mov $0xc1c51f99,%ecx
d: be 70 bf c5 c1 mov $0xc1c5bf70,%esi
12: ff 75 08 pushq 0x8(%rbp)
15: 0f 45 ce cmovne %esi,%ecx
18: 57 push %rdi
19: 52 push %rdx
1a: ff 75 f0 pushq -0x10(%rbp)
1d: 50 push %rax
1e: 53 push %rbx
1f: 51 push %rcx
20: 68 f1 bf c5 c1 pushq $0xffffffffc1c5bff1
25: e8 37 ef ff ff callq 0xffffffffffffef61
2a:* 0f 0b ud2 <-- trapping instruction
2c: 55 push %rbp
2d: 89 d1 mov %edx,%ecx
2f: 8b 50 04 mov 0x4(%rax),%edx
32: 8b 00 mov (%rax),%eax
34: 8b 52 40 mov 0x40(%rdx),%edx
37: 89 e5 mov %esp,%ebp
39: 8b 40 0c mov 0xc(%rax),%eax
3c: e8 .byte 0xe8
3d: 83 .byte 0x83
3e: b7 ba mov $0xba,%bh
Code starting with the faulting instruction
===========================================
0: 0f 0b ud2
2: 55 push %rbp
3: 89 d1 mov %edx,%ecx
5: 8b 50 04 mov 0x4(%rax),%edx
8: 8b 00 mov (%rax),%eax
a: 8b 52 40 mov 0x40(%rdx),%edx
d: 89 e5 mov %esp,%ebp
f: 8b 40 0c mov 0xc(%rax),%eax
12: e8 .byte 0xe8
13: 83 .byte 0x83
14: b7 ba mov $0xba,%bh
[ 236.012512][ T474] EAX: 00000061 EBX: c1c8c5ef ECX: eb1f508c EDX: eb1eee74
[ 236.013200][ T474] ESI: c1c5bf70 EDI: c1c633f9 EBP: f5b11e38 ESP: f5b11e04
[ 236.013876][ T474] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 EFLAGS: 00010286
[ 236.014606][ T474] CR0: 80050033 CR2: 00000010 CR3: 341b3000 CR4: 000406d0
[ 236.015299][ T474] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[ 236.015995][ T474] DR6: fffe0ff0 DR7: 00000400
[ 236.020811][ T474] Call Trace:
[ 236.021128][ T474] __check_heap_object (mm/slab.c:4208)
[ 236.021609][ T474] __check_object_size (mm/usercopy.c:240 mm/usercopy.c:286)
[  236.022116][  T474] dn_getsockopt (include/linux/uaccess.h:200 net/decnet/af_decnet.c:1630 net/decnet/af_decnet.c:1508) decnet
[ 236.022985][ T474] ? dn_recvmsg (net/decnet/af_decnet.c:1503) decnet
[ 236.023855][ T474] __sys_getsockopt (net/socket.c:2220)
[ 236.024322][ T474] __ia32_sys_getsockopt (net/socket.c:2232)
[  236.024803][  T474] __do_fast_syscall_32 (arch/x86/entry/common.c:112 arch/x86/entry/common.c:178)
[ 236.025297][ T474] ? syscall_exit_to_user_mode (kernel/entry/common.c:303)
[ 236.025851][ T474] ? __do_fast_syscall_32 (arch/x86/entry/common.c:182)
[ 236.026359][ T474] ? syscall_exit_to_user_mode (kernel/entry/common.c:303)
[ 236.026912][ T474] ? __do_fast_syscall_32 (arch/x86/entry/common.c:182)
[ 236.027422][ T474] ? __do_fast_syscall_32 (arch/x86/entry/common.c:182)
[ 236.027935][ T474] ? syscall_exit_to_user_mode (kernel/entry/common.c:303)
[ 236.028484][ T474] ? __do_fast_syscall_32 (arch/x86/entry/common.c:182)
[ 236.028998][ T474] ? __do_fast_syscall_32 (arch/x86/entry/common.c:182)
[ 236.029500][ T474] ? __do_fast_syscall_32 (arch/x86/entry/common.c:182)
[ 236.030010][ T474] ? irqentry_exit_to_user_mode (kernel/entry/common.c:316)
[ 236.030586][ T474] ? irqentry_exit (kernel/entry/common.c:404)
[ 236.031057][ T474] do_fast_syscall_32 (arch/x86/entry/common.c:203)
[ 236.031558][ T474] do_SYSENTER_32 (arch/x86/entry/common.c:247)
[ 236.032016][ T474] entry_SYSENTER_32 (arch/x86/entry/entry_32.S:872)
[ 236.032537][ T474] EIP: 0xb7f89545
[  236.032908][  T474] Code: c4 01 10 03 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d 76 00 58 b8 77 00 00 00 cd 80 90 8d 76
All code
========
0: c4 01 10 03 (bad)
4: 03 74 c0 01 add 0x1(%rax,%rax,8),%esi
8: 10 05 03 74 b8 01 adc %al,0x1b87403(%rip) # 0x1b87411
e: 10 06 adc %al,(%rsi)
10: 03 74 b4 01 add 0x1(%rsp,%rsi,4),%esi
14: 10 07 adc %al,(%rdi)
16: 03 74 b0 01 add 0x1(%rax,%rsi,4),%esi
1a: 10 08 adc %cl,(%rax)
1c: 03 74 d8 01 add 0x1(%rax,%rbx,8),%esi
20: 00 51 52 add %dl,0x52(%rcx)
23: 55 push %rbp
24: 89 e5 mov %esp,%ebp
26: 0f 34 sysenter
28: cd 80 int $0x80
2a:* 5d pop %rbp <-- trapping instruction
2b: 5a pop %rdx
2c: 59 pop %rcx
2d: c3 retq
2e: 90 nop
2f: 90 nop
30: 90 nop
31: 90 nop
32: 8d 76 00 lea 0x0(%rsi),%esi
35: 58 pop %rax
36: b8 77 00 00 00 mov $0x77,%eax
3b: cd 80 int $0x80
3d: 90 nop
3e: 8d .byte 0x8d
3f: 76 .byte 0x76
Code starting with the faulting instruction
===========================================
0: 5d pop %rbp
1: 5a pop %rdx
2: 59 pop %rcx
3: c3 retq
4: 90 nop
5: 90 nop
6: 90 nop
7: 90 nop
8: 8d 76 00 lea 0x0(%rsi),%esi
b: 58 pop %rax
c: b8 77 00 00 00 mov $0x77,%eax
11: cd 80 int $0x80
13: 90 nop
14: 8d .byte 0x8d
15: 76 .byte 0x76
To reproduce:
# build kernel
cd linux
cp config-5.15.0-00198-g53944f171a89 .config
make HOSTCC=gcc-9 CC=gcc-9 ARCH=i386 olddefconfig prepare modules_prepare bzImage
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email
# if you come across any failure that blocks the test,
# please remove ~/.lkp and /lkp dir to run from a clean state.
---
0DAY/LKP+ Test Infrastructure Open Source Technology Center
https://lists.01.org/hyperkitty/list/lkp@lists.01.org Intel Corporation
Thanks,
Oliver Sang