Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/hisilicon/hibmc: fix irq_request()&amp;#39;s irq name variable is local<br /> <br /> The local variable is passed in request_irq (), and there will be use<br /> after free problem, which will make request_irq failed. Using the global<br /> irq name instead of it to fix.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iio: adc: ad7173: fix channels index for syscalib_mode<br /> <br /> Fix the index used to look up the channel when accessing the<br /> syscalib_mode attribute. The address field is a 0-based index (same<br /> as scan_index) that it used to access the channel in the<br /> ad7173_channels array throughout the driver. The channels field, on<br /> the other hand, may not match the address field depending on the<br /> channel configuration specified in the device tree and could result<br /> in an out-of-bounds access.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> jbd2: prevent softlockup in jbd2_log_do_checkpoint()<br /> <br /> Both jbd2_log_do_checkpoint() and jbd2_journal_shrink_checkpoint_list()<br /> periodically release j_list_lock after processing a batch of buffers to<br /> avoid long hold times on the j_list_lock. However, since both functions<br /> contend for j_list_lock, the combined time spent waiting and processing<br /> can be significant.<br /> <br /> jbd2_journal_shrink_checkpoint_list() explicitly calls cond_resched() when<br /> need_resched() is true to avoid softlockups during prolonged operations.<br /> But jbd2_log_do_checkpoint() only exits its loop when need_resched() is<br /> true, relying on potentially sleeping functions like __flush_batch() or<br /> wait_on_buffer() to trigger rescheduling. If those functions do not sleep,<br /> the kernel may hit a softlockup.<br /> <br /> watchdog: BUG: soft lockup - CPU#3 stuck for 156s! [kworker/u129:2:373]<br /> CPU: 3 PID: 373 Comm: kworker/u129:2 Kdump: loaded Not tainted 6.6.0+ #10<br /> Hardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.27 06/13/2017<br /> Workqueue: writeback wb_workfn (flush-7:2)<br /> pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> pc : native_queued_spin_lock_slowpath+0x358/0x418<br /> lr : jbd2_log_do_checkpoint+0x31c/0x438 [jbd2]<br /> Call trace:<br /> native_queued_spin_lock_slowpath+0x358/0x418<br /> jbd2_log_do_checkpoint+0x31c/0x438 [jbd2]<br /> __jbd2_log_wait_for_space+0xfc/0x2f8 [jbd2]<br /> add_transaction_credits+0x3bc/0x418 [jbd2]<br /> start_this_handle+0xf8/0x560 [jbd2]<br /> jbd2__journal_start+0x118/0x228 [jbd2]<br /> __ext4_journal_start_sb+0x110/0x188 [ext4]<br /> ext4_do_writepages+0x3dc/0x740 [ext4]<br /> ext4_writepages+0xa4/0x190 [ext4]<br /> do_writepages+0x94/0x228<br /> __writeback_single_inode+0x48/0x318<br /> writeback_sb_inodes+0x204/0x590<br /> __writeback_inodes_wb+0x54/0xf8<br /> wb_writeback+0x2cc/0x3d8<br /> wb_do_writeback+0x2e0/0x2f8<br /> wb_workfn+0x80/0x2a8<br /> process_one_work+0x178/0x3e8<br /> worker_thread+0x234/0x3b8<br /> kthread+0xf0/0x108<br /> ret_from_fork+0x10/0x20<br /> <br /> So explicitly call cond_resched() in jbd2_log_do_checkpoint() to avoid<br /> softlockup.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> PCI: endpoint: Fix configfs group list head handling<br /> <br /> Doing a list_del() on the epf_group field of struct pci_epf_driver in<br /> pci_epf_remove_cfs() is not correct as this field is a list head, not<br /> a list entry. This list_del() call triggers a KASAN warning when an<br /> endpoint function driver which has a configfs attribute group is torn<br /> down:<br /> <br /> ==================================================================<br /> BUG: KASAN: slab-use-after-free in pci_epf_remove_cfs+0x17c/0x198<br /> Write of size 8 at addr ffff00010f4a0d80 by task rmmod/319<br /> <br /> CPU: 3 UID: 0 PID: 319 Comm: rmmod Not tainted 6.16.0-rc2 #1 NONE<br /> Hardware name: Radxa ROCK 5B (DT)<br /> Call trace:<br /> show_stack+0x2c/0x84 (C)<br /> dump_stack_lvl+0x70/0x98<br /> print_report+0x17c/0x538<br /> kasan_report+0xb8/0x190<br /> __asan_report_store8_noabort+0x20/0x2c<br /> pci_epf_remove_cfs+0x17c/0x198<br /> pci_epf_unregister_driver+0x18/0x30<br /> nvmet_pci_epf_cleanup_module+0x24/0x30 [nvmet_pci_epf]<br /> __arm64_sys_delete_module+0x264/0x424<br /> invoke_syscall+0x70/0x260<br /> el0_svc_common.constprop.0+0xac/0x230<br /> do_el0_svc+0x40/0x58<br /> el0_svc+0x48/0xdc<br /> el0t_64_sync_handler+0x10c/0x138<br /> el0t_64_sync+0x198/0x19c<br /> ...<br /> <br /> Remove this incorrect list_del() call from pci_epf_remove_cfs().

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> soc: qcom: mdt_loader: Ensure we don&amp;#39;t read past the ELF header<br /> <br /> When the MDT loader is used in remoteproc, the ELF header is sanitized<br /> beforehand, but that&amp;#39;s not necessary the case for other clients.<br /> <br /> Validate the size of the firmware buffer to ensure that we don&amp;#39;t read<br /> past the end as we iterate over the header. e_phentsize and e_shentsize<br /> are validated as well, to ensure that the assumptions about step size in<br /> the traversal are valid.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iio: adc: rzg2l_adc: Set driver data before enabling runtime PM<br /> <br /> When stress-testing the system by repeatedly unbinding and binding the ADC<br /> device in a loop, and the ADC is a supplier for another device (e.g., a<br /> thermal hardware block that reads temperature through the ADC), it may<br /> happen that the ADC device is runtime-resumed immediately after runtime PM<br /> is enabled, triggered by its consumer. At this point, since drvdata is not<br /> yet set and the driver&amp;#39;s runtime PM callbacks rely on it, a crash can<br /> occur. To avoid this, set drvdata just after it was allocated.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/mremap: fix WARN with uffd that has remap events disabled<br /> <br /> Registering userfaultd on a VMA that spans at least one PMD and then<br /> mremap()&amp;#39;ing that VMA can trigger a WARN when recovering from a failed<br /> page table move due to a page table allocation error.<br /> <br /> The code ends up doing the right thing (recurse, avoiding moving actual<br /> page tables), but triggering that WARN is unpleasant:<br /> <br /> WARNING: CPU: 2 PID: 6133 at mm/mremap.c:357 move_normal_pmd mm/mremap.c:357 [inline]<br /> WARNING: CPU: 2 PID: 6133 at mm/mremap.c:357 move_pgt_entry mm/mremap.c:595 [inline]<br /> WARNING: CPU: 2 PID: 6133 at mm/mremap.c:357 move_page_tables+0x3832/0x44a0 mm/mremap.c:852<br /> Modules linked in:<br /> CPU: 2 UID: 0 PID: 6133 Comm: syz.0.19 Not tainted 6.17.0-rc1-syzkaller-00004-g53e760d89498 #0 PREEMPT(full)<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014<br /> RIP: 0010:move_normal_pmd mm/mremap.c:357 [inline]<br /> RIP: 0010:move_pgt_entry mm/mremap.c:595 [inline]<br /> RIP: 0010:move_page_tables+0x3832/0x44a0 mm/mremap.c:852<br /> Code: ...<br /> RSP: 0018:ffffc900037a76d8 EFLAGS: 00010293<br /> RAX: 0000000000000000 RBX: 0000000032930007 RCX: ffffffff820c6645<br /> RDX: ffff88802e56a440 RSI: ffffffff820c7201 RDI: 0000000000000007<br /> RBP: ffff888037728fc0 R08: 0000000000000007 R09: 0000000000000000<br /> R10: 0000000032930007 R11: 0000000000000000 R12: 0000000000000000<br /> R13: ffffc900037a79a8 R14: 0000000000000001 R15: dffffc0000000000<br /> FS: 000055556316a500(0000) GS:ffff8880d68bc000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000001b30863fff CR3: 0000000050171000 CR4: 0000000000352ef0<br /> Call Trace:<br /> <br /> copy_vma_and_data+0x468/0x790 mm/mremap.c:1215<br /> move_vma+0x548/0x1780 mm/mremap.c:1282<br /> mremap_to+0x1b7/0x450 mm/mremap.c:1406<br /> do_mremap+0xfad/0x1f80 mm/mremap.c:1921<br /> __do_sys_mremap+0x119/0x170 mm/mremap.c:1977<br /> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]<br /> do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> RIP: 0033:0x7f00d0b8ebe9<br /> Code: ...<br /> RSP: 002b:00007ffe5ea5ee98 EFLAGS: 00000246 ORIG_RAX: 0000000000000019<br /> RAX: ffffffffffffffda RBX: 00007f00d0db5fa0 RCX: 00007f00d0b8ebe9<br /> RDX: 0000000000400000 RSI: 0000000000c00000 RDI: 0000200000000000<br /> RBP: 00007ffe5ea5eef0 R08: 0000200000c00000 R09: 0000000000000000<br /> R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000002<br /> R13: 00007f00d0db5fa0 R14: 00007f00d0db5fa0 R15: 0000000000000005<br /> <br /> <br /> The underlying issue is that we recurse during the original page table<br /> move, but not during the recovery move.<br /> <br /> Fix it by checking for both VMAs and performing the check before the<br /> pmd_none() sanity check.<br /> <br /> Add a new helper where we perform+document that check for the PMD and PUD<br /> level.<br /> <br /> Thanks to Harry for bisecting.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: acomp - Fix CFI failure due to type punning<br /> <br /> To avoid a crash when control flow integrity is enabled, make the<br /> workspace ("stream") free function use a consistent type, and call it<br /> through a function pointer that has that same type.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: subpage: keep TOWRITE tag until folio is cleaned<br /> <br /> btrfs_subpage_set_writeback() calls folio_start_writeback() the first time<br /> a folio is written back, and it also clears the PAGECACHE_TAG_TOWRITE tag<br /> even if there are still dirty blocks in the folio. This can break ordering<br /> guarantees, such as those required by btrfs_wait_ordered_extents().<br /> <br /> That ordering breakage leads to a real failure. For example, running<br /> generic/464 on a zoned setup will hit the following ASSERT. This happens<br /> because the broken ordering fails to flush existing dirty pages before the<br /> file size is truncated.<br /> <br /> assertion failed: !list_empty(&amp;ordered-&gt;list) :: 0, in fs/btrfs/zoned.c:1899<br /> ------------[ cut here ]------------<br /> kernel BUG at fs/btrfs/zoned.c:1899!<br /> Oops: invalid opcode: 0000 [#1] SMP NOPTI<br /> CPU: 2 UID: 0 PID: 1906169 Comm: kworker/u130:2 Kdump: loaded Not tainted 6.16.0-rc6-BTRFS-ZNS+ #554 PREEMPT(voluntary)<br /> Hardware name: Supermicro Super Server/H12SSL-NT, BIOS 2.0 02/22/2021<br /> Workqueue: btrfs-endio-write btrfs_work_helper [btrfs]<br /> RIP: 0010:btrfs_finish_ordered_zoned.cold+0x50/0x52 [btrfs]<br /> RSP: 0018:ffffc9002efdbd60 EFLAGS: 00010246<br /> RAX: 000000000000004c RBX: ffff88811923c4e0 RCX: 0000000000000000<br /> RDX: 0000000000000000 RSI: ffffffff827e38b1 RDI: 00000000ffffffff<br /> RBP: ffff88810005d000 R08: 00000000ffffdfff R09: ffffffff831051c8<br /> R10: ffffffff83055220 R11: 0000000000000000 R12: ffff8881c2458c00<br /> R13: ffff88811923c540 R14: ffff88811923c5e8 R15: ffff8881c1bd9680<br /> FS: 0000000000000000(0000) GS:ffff88a04acd0000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007f907c7a918c CR3: 0000000004024000 CR4: 0000000000350ef0<br /> Call Trace:<br /> <br /> ? srso_return_thunk+0x5/0x5f<br /> btrfs_finish_ordered_io+0x4a/0x60 [btrfs]<br /> btrfs_work_helper+0xf9/0x490 [btrfs]<br /> process_one_work+0x204/0x590<br /> ? srso_return_thunk+0x5/0x5f<br /> worker_thread+0x1d6/0x3d0<br /> ? __pfx_worker_thread+0x10/0x10<br /> kthread+0x118/0x230<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork+0x205/0x260<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork_asm+0x1a/0x30<br /> <br /> <br /> Consider process A calling writepages() with WB_SYNC_NONE. In zoned mode or<br /> for compressed writes, it locks several folios for delalloc and starts<br /> writing them out. Let&amp;#39;s call the last locked folio folio X. Suppose the<br /> write range only partially covers folio X, leaving some pages dirty.<br /> Process A calls btrfs_subpage_set_writeback() when building a bio. This<br /> function call clears the TOWRITE tag of folio X, whose size = 8K and<br /> the block size = 4K. It is following state.<br /> <br /> 0 4K 8K<br /> |/////|/////| (flag: DIRTY, tag: DIRTY)<br /> Process A will write this range.<br /> <br /> Now suppose process B concurrently calls writepages() with WB_SYNC_ALL. It<br /> calls tag_pages_for_writeback() to tag dirty folios with<br /> PAGECACHE_TAG_TOWRITE. Since folio X is still dirty, it gets tagged. Then,<br /> B collects tagged folios using filemap_get_folios_tag() and must wait for<br /> folio X to be written before returning from writepages().<br /> <br /> 0 4K 8K<br /> |/////|/////| (flag: DIRTY, tag: DIRTY|TOWRITE)<br /> <br /> However, between tagging and collecting, process A may call<br /> btrfs_subpage_set_writeback() and clear folio X&amp;#39;s TOWRITE tag.<br /> 0 4K 8K<br /> | |/////| (flag: DIRTY|WRITEBACK, tag: DIRTY)<br /> <br /> As a result, process B won&amp;#39;t see folio X in its batch, and returns without<br /> waiting for it. This breaks the WB_SYNC_ALL ordering requirement.<br /> <br /> Fix this by using btrfs_subpage_set_writeback_keepwrite(), which retains<br /> the TOWRITE tag. We now manually clear the tag only after the folio becomes<br /> clean, via the xas operation.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> sched/ext: Fix invalid task state transitions on class switch<br /> <br /> When enabling a sched_ext scheduler, we may trigger invalid task state<br /> transitions, resulting in warnings like the following (which can be<br /> easily reproduced by running the hotplug selftest in a loop):<br /> <br /> sched_ext: Invalid task state transition 0 -&gt; 3 for fish[770]<br /> WARNING: CPU: 18 PID: 787 at kernel/sched/ext.c:3862 scx_set_task_state+0x7c/0xc0<br /> ...<br /> RIP: 0010:scx_set_task_state+0x7c/0xc0<br /> ...<br /> Call Trace:<br /> <br /> scx_enable_task+0x11f/0x2e0<br /> switching_to_scx+0x24/0x110<br /> scx_enable.isra.0+0xd14/0x13d0<br /> bpf_struct_ops_link_create+0x136/0x1a0<br /> __sys_bpf+0x1edd/0x2c30<br /> __x64_sys_bpf+0x21/0x30<br /> do_syscall_64+0xbb/0x370<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> This happens because we skip initialization for tasks that are already<br /> dead (with their usage counter set to zero), but we don&amp;#39;t exclude them<br /> during the scheduling class transition phase.<br /> <br /> Fix this by also skipping dead tasks during class swiching, preventing<br /> invalid task state transitions.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: bridge: fix soft lockup in br_multicast_query_expired()<br /> <br /> When set multicast_query_interval to a large value, the local variable<br /> &amp;#39;time&amp;#39; in br_multicast_send_query() may overflow. If the time is smaller<br /> than jiffies, the timer will expire immediately, and then call mod_timer()<br /> again, which creates a loop and may trigger the following soft lockup<br /> issue.<br /> <br /> watchdog: BUG: soft lockup - CPU#1 stuck for 221s! [rb_consumer:66]<br /> CPU: 1 UID: 0 PID: 66 Comm: rb_consumer Not tainted 6.16.0+ #259 PREEMPT(none)<br /> Call Trace:<br /> <br /> __netdev_alloc_skb+0x2e/0x3a0<br /> br_ip6_multicast_alloc_query+0x212/0x1b70<br /> __br_multicast_send_query+0x376/0xac0<br /> br_multicast_send_query+0x299/0x510<br /> br_multicast_query_expired.constprop.0+0x16d/0x1b0<br /> call_timer_fn+0x3b/0x2a0<br /> __run_timers+0x619/0x950<br /> run_timer_softirq+0x11c/0x220<br /> handle_softirqs+0x18e/0x560<br /> __irq_exit_rcu+0x158/0x1a0<br /> sysvec_apic_timer_interrupt+0x76/0x90<br /> <br /> <br /> This issue can be reproduced with:<br /> ip link add br0 type bridge<br /> echo 1 &gt; /sys/class/net/br0/bridge/multicast_querier<br /> echo 0xffffffffffffffff &gt;<br /> /sys/class/net/br0/bridge/multicast_query_interval<br /> ip link set dev br0 up<br /> <br /> The multicast_startup_query_interval can also cause this issue. Similar to<br /> the commit 99b40610956a ("net: bridge: mcast: add and enforce query<br /> interval minimum"), add check for the query interval maximum to fix this<br /> issue.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mm/debug_vm_pgtable: clear page table entries at destroy_args()<br /> <br /> The mm/debug_vm_pagetable test allocates manually page table entries for<br /> the tests it runs, using also its manually allocated mm_struct. That in<br /> itself is ok, but when it exits, at destroy_args() it fails to clear those<br /> entries with the *_clear functions.<br /> <br /> The problem is that leaves stale entries. If another process allocates an<br /> mm_struct with a pgd at the same address, it may end up running into the<br /> stale entry. This is happening in practice on a debug kernel with<br /> CONFIG_DEBUG_VM_PGTABLE=y, for example this is the output with some extra<br /> debugging I added (it prints a warning trace if pgtables_bytes goes<br /> negative, in addition to the warning at check_mm() function):<br /> <br /> [ 2.539353] debug_vm_pgtable: [get_random_vaddr ]: random_vaddr is 0x7ea247140000<br /> [ 2.539366] kmem_cache info<br /> [ 2.539374] kmem_cachep 0x000000002ce82385 - freelist 0x0000000000000000 - offset 0x508<br /> [ 2.539447] debug_vm_pgtable: [init_args ]: args-&gt;mm is 0x000000002267cc9e<br /> (...)<br /> [ 2.552800] WARNING: CPU: 5 PID: 116 at include/linux/mm.h:2841 free_pud_range+0x8bc/0x8d0<br /> [ 2.552816] Modules linked in:<br /> [ 2.552843] CPU: 5 UID: 0 PID: 116 Comm: modprobe Not tainted 6.12.0-105.debug_vm2.el10.ppc64le+debug #1 VOLUNTARY<br /> [ 2.552859] Hardware name: IBM,9009-41A POWER9 (architected) 0x4e0202 0xf000005 of:IBM,FW910.00 (VL910_062) hv:phyp pSeries<br /> [ 2.552872] NIP: c0000000007eef3c LR: c0000000007eef30 CTR: c0000000003d8c90<br /> [ 2.552885] REGS: c0000000622e73b0 TRAP: 0700 Not tainted (6.12.0-105.debug_vm2.el10.ppc64le+debug)<br /> [ 2.552899] MSR: 800000000282b033 CR: 24002822 XER: 0000000a<br /> [ 2.552954] CFAR: c0000000008f03f0 IRQMASK: 0<br /> [ 2.552954] GPR00: c0000000007eef30 c0000000622e7650 c000000002b1ac00 0000000000000001<br /> [ 2.552954] GPR04: 0000000000000008 0000000000000000 c0000000007eef30 ffffffffffffffff<br /> [ 2.552954] GPR08: 00000000ffff00f5 0000000000000001 0000000000000048 0000000000004000<br /> [ 2.552954] GPR12: 00000003fa440000 c000000017ffa300 c0000000051d9f80 ffffffffffffffdb<br /> [ 2.552954] GPR16: 0000000000000000 0000000000000008 000000000000000a 60000000000000e0<br /> [ 2.552954] GPR20: 4080000000000000 c0000000113af038 00007fffcf130000 0000700000000000<br /> [ 2.552954] GPR24: c000000062a6a000 0000000000000001 8000000062a68000 0000000000000001<br /> [ 2.552954] GPR28: 000000000000000a c000000062ebc600 0000000000002000 c000000062ebc760<br /> [ 2.553170] NIP [c0000000007eef3c] free_pud_range+0x8bc/0x8d0<br /> [ 2.553185] LR [c0000000007eef30] free_pud_range+0x8b0/0x8d0<br /> [ 2.553199] Call Trace:<br /> [ 2.553207] [c0000000622e7650] [c0000000007eef30] free_pud_range+0x8b0/0x8d0 (unreliable)<br /> [ 2.553229] [c0000000622e7750] [c0000000007f40b4] free_pgd_range+0x284/0x3b0<br /> [ 2.553248] [c0000000622e7800] [c0000000007f4630] free_pgtables+0x450/0x570<br /> [ 2.553274] [c0000000622e78e0] [c0000000008161c0] exit_mmap+0x250/0x650<br /> [ 2.553292] [c0000000622e7a30] [c0000000001b95b8] __mmput+0x98/0x290<br /> [ 2.558344] [c0000000622e7a80] [c0000000001d1018] exit_mm+0x118/0x1b0<br /> [ 2.558361] [c0000000622e7ac0] [c0000000001d141c] do_exit+0x2ec/0x870<br /> [ 2.558376] [c0000000622e7b60] [c0000000001d1ca8] do_group_exit+0x88/0x150<br /> [ 2.558391] [c0000000622e7bb0] [c0000000001d1db8] sys_exit_group+0x48/0x50<br /> [ 2.558407] [c0000000622e7be0] [c00000000003d810] system_call_exception+0x1e0/0x4c0<br /> [ 2.558423] [c0000000622e7e50] [c00000000000d05c] system_call_vectored_common+0x15c/0x2ec<br /> (...)<br /> [ 2.558892] ---[ end trace 0000000000000000 ]---<br /> [ 2.559022] BUG: Bad rss-counter state mm:000000002267cc9e type:MM_ANONPAGES val:1<br /> [ 2.559037] BUG: non-zero pgtables_bytes on freeing mm: -6144<br /> <br /> Here the modprobe process ended up with an allocated mm_struct from the<br /> mm_struct slab that was used before by the debug_vm_pgtable test. That is<br /> not a problem, since the mm_stru<br /> ---truncated---