On 2026-02-27 08:11, Heiko Carstens wrote:
On Thu, Feb 26, 2026 at 06:12:01PM -0700, Nathan Chancellor wrote:
Hi Mathieu,
On Thu, Feb 26, 2026 at 02:38:04PM -0500, Mathieu Desnoyers wrote:
I've successfully booted a defconfig s390x next-20260226 kernel in qemu
with 1 and 4 CPUs, and within a nested s390x VM on 2 CPUs.
I guess I'll really need more info about your specific .config and
command line args to help further.
On s390 cpumask_set_cpu(0, mm_cpumask(&init_mm)); in arch_mm_preinit() writes
out-of-bounds into swap_attrs[] overwriting the terminating NULL.
This seems to happen because the return value of get_rss_stat_items_size() is
larger than PERCPU_COUNTER_TREE_ITEMS_STATIC_SIZE:
PERCPU_COUNTER_TREE_ITEMS_STATIC_SIZE: 18688
get_rss_stat_items_size(): 21504
Here I stopped looking further into this. I guess you will figure out
immediately what's wrong :)
Indeed!
So in get_rss_stat_items_size() we have:
static inline size_t get_rss_stat_items_size(void)
{
	return percpu_counter_tree_items_size() * NR_MM_COUNTERS;
}
And just above:
#define MM_STRUCT_FLEXIBLE_ARRAY_INIT							\
{											\
	[0 ... PERCPU_COUNTER_TREE_ITEMS_STATIC_SIZE + sizeof(cpumask_t) +		\
		MM_CID_STATIC_SIZE - 1] = 0						\
}
Which fails to account for NR_MM_COUNTERS. Does the following fix your issue ?
#define MM_STRUCT_FLEXIBLE_ARRAY_INIT							\
{											\
	[0 ... (PERCPU_COUNTER_TREE_ITEMS_STATIC_SIZE * NR_MM_COUNTERS) +		\
		sizeof(cpumask_t) + MM_CID_STATIC_SIZE - 1] = 0				\
}
It would only cause issues when nr_cpu_ids grows closer to NR_CPUS, which
explains why I could not reproduce it locally.
Thanks,
Mathieu
--
Mathieu Desnoyers
EfficiOS Inc.
https://www.efficios.com
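Added example, not code from the thread or from the kernel: a user-space model of the size mismatch discussed above. The static initializer sizes the flexible array, the runtime size function places the cpumask after the rss stat items, and a bounds check shows why the un-multiplied static size overflows only once the per-CPU item size approaches its NR_CPUS maximum. All constants (NR_MM_COUNTERS, ITEMS_STATIC_SIZE, CPUMASK_SIZE, MM_CID_STATIC_SIZE) are constructed stand-ins, not the kernel's values.

```c
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-ins; the real values depend on NR_CPUS, nr_cpu_ids
 * and the percpu counter tree layout. */
#define NR_MM_COUNTERS      4
#define ITEMS_STATIC_SIZE   64   /* per-counter worst case, i.e. NR_CPUS */
#define CPUMASK_SIZE        16   /* stand-in for sizeof(cpumask_t) */
#define MM_CID_STATIC_SIZE  8

/* The two initializer sizes under discussion: the original forgets to
 * multiply the per-counter static size by NR_MM_COUNTERS, the fix does. */
#define FLEX_SIZE_BUGGY (ITEMS_STATIC_SIZE + CPUMASK_SIZE + MM_CID_STATIC_SIZE)
#define FLEX_SIZE_FIXED (ITEMS_STATIC_SIZE * NR_MM_COUNTERS + CPUMASK_SIZE + \
                         MM_CID_STATIC_SIZE)

/* Runtime analogue of get_rss_stat_items_size(): bytes actually used by
 * the rss stat items for the CPUs that were brought up. */
static size_t rss_stat_items_size(size_t items_per_counter)
{
    return items_per_counter * NR_MM_COUNTERS;
}

/* The cpumask follows the rss stat items inside the flexible array, so
 * its offset grows with nr_cpu_ids. */
static size_t cpumask_offset(size_t items_per_counter)
{
    return rss_stat_items_size(items_per_counter);
}

/* Does a write to the cpumask stay inside storage sized by the static
 * initializer? A false result is the out-of-bounds write Heiko observed. */
static bool cpumask_write_in_bounds(size_t flex_size, size_t items_per_counter)
{
    return cpumask_offset(items_per_counter) + CPUMASK_SIZE <= flex_size;
}

int main(void)
{
    /* nr_cpu_ids == NR_CPUS: the buggy size overflows, the fixed one fits. */
    printf("buggy, max cpus: %s\n",
           cpumask_write_in_bounds(FLEX_SIZE_BUGGY, ITEMS_STATIC_SIZE) ? "ok" : "OOB");
    printf("fixed, max cpus: %s\n",
           cpumask_write_in_bounds(FLEX_SIZE_FIXED, ITEMS_STATIC_SIZE) ? "ok" : "OOB");
    /* A small nr_cpu_ids hides the bug, which is why it did not reproduce. */
    printf("buggy, few cpus: %s\n",
           cpumask_write_in_bounds(FLEX_SIZE_BUGGY, 16) ? "ok" : "OOB");
    return 0;
}
```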