kernel BUG at mm/slab.c:LINE! (3)

kernel BUG at mm/slab.c:LINE! (3)
Status: fixed on 2019/03/21 17:09
Reported-by: syzbot+2182db487a523d86bf34@syzkaller.appspotmail.com
Fix commit: bc6e019b fou: Prevent unbounded recursion in GUE error handler also with UDP-Lite
First crash: 637d, last: 510d

Cause bisection: introduced by (bisect log):

commit b8a51b38e4d4dec3e379d52c0fe1a66827f7cf1e
Author: Stefano Brivio <sbrivio@redhat.com>
Date: Thu Nov 8 11:19:23 2018 +0000

fou, fou6: ICMP error handlers for FoU and GUE

Crash: BUG: unable to handle kernel paging request in corrupted (log)
Repro: C syz .config

similar bugs (4):
Kernel	Title	Repro	Bisected	Count	Last	Reported	Patched	Status
upstream	kernel BUG at mm/slab.c:LINE! (4)			12	436d	504d	13/17	fixed on 2019/06/14 18:22
upstream	kernel BUG at mm/slab.c:LINE! (2)	C		701	750d	765d	9/17	fixed on 2018/08/07 13:43
upstream	kernel BUG at mm/slab.c:LINE!	C		860	1070d	1074d	3/17	fixed on 2017/10/24 06:54
linux-4.14	kernel BUG at mm/slab.c:LINE!	C	fix	22	58d	373d	0/1	upstream: reported C repro on 2019/08/04 15:26

Sample crash report:

8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
------------[ cut here ]------------
DEBUG_LOCKS_WARN_ON(depth >= MAX_LOCK_DEPTH)
------------[ cut here ]------------
kernel BUG at mm/slab.c:4425!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: -642842048 Comm: ksoftirqd/0 Not tainted 4.20.0-rc6+ #342
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__check_heap_object+0xa7/0xb5 mm/slab.c:4450
Code: 48 c7 c7 7d 01 15 89 e8 f7 e1 0a 00 5d c3 41 8b 91 04 01 00 00 48 29 c7 48 39 d7 77 be 48 01 d0 48 29 c8 48 39 f0 72 b3 5d c3 <0f> 0b 48 c7 c7 7d 01 15 89 e8 5d ea 0a 00 44 89 e9 48 c7 c7 38 02
RSP: 0018:ffff8881d9af0030 EFLAGS: 00010093
RAX: 00000000000a57eb RBX: 1ffff1103b35e00d RCX: 000000000000000c
RDX: ffff8881d9af0240 RSI: 0000000000000002 RDI: ffff8881d9af01d8
RBP: ffff8881d9af0030 R08: ffff8881d9af0240 R09: ffff8881da970180
R10: 000000004afd69e7 R11: 0000000000000000 R12: ffff8881d9af01d8
R13: 0000000000000002 R14: ffffea000766bc00 R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff8881dae00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000068 CR3: 00000001b5d1f000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
Modules linked in:
---[ end trace 114b0f862f7337d5 ]---
RIP: 0010:__check_heap_object+0xa7/0xb5 mm/slab.c:4450
Code: 48 c7 c7 7d 01 15 89 e8 f7 e1 0a 00 5d c3 41 8b 91 04 01 00 00 48 29 c7 48 39 d7 77 be 48 01 d0 48 29 c8 48 39 f0 72 b3 5d c3 <0f> 0b 48 c7 c7 7d 01 15 89 e8 5d ea 0a 00 44 89 e9 48 c7 c7 38 02
RSP: 0018:ffff8881d9af0030 EFLAGS: 00010093
RAX: 00000000000a57eb RBX: 1ffff1103b35e00d RCX: 000000000000000c
RDX: ffff8881d9af0240 RSI: 0000000000000002 RDI: ffff8881d9af01d8
RBP: ffff8881d9af0030 R08: ffff8881d9af0240 R09: ffff8881da970180
R10: 000000004afd69e7 R11: 0000000000000000 R12: ffff8881d9af01d8
R13: 0000000000000002 R14: ffffea000766bc00 R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff8881dae00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000068 CR3: 00000001b5d1f000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (14):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	Maintainers
ci-upstream-net-kasan-gce	2018/12/13 16:33	net-next	95302c39	f3d9d594	.config	log	report	syz	C
ci-upstream-net-kasan-gce	2018/12/04 21:28	net-next	d9bbd6a1	6ad0ae61	.config	log	report	syz	C
ci-upstream-net-kasan-gce	2018/11/15 04:25	net-next	15cef309	5f5f6d14	.config	log	report	syz	C
ci-upstream-net-kasan-gce	2018/11/14 02:18	net-next	3e536cff	5f5f6d14	.config	log	report	syz	C
ci-upstream-net-kasan-gce	2018/11/14 01:54	net-next	3e536cff	5f5f6d14	.config	log	report	syz	C
ci-upstream-kasan-gce	2019/02/27 11:11	upstream	7d762d69	083cfd0e	.config	log	report			davem@davemloft.net, kuznet@ms2.inr.ac.ru, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, yoshfuji@linux-ipv6.org
ci-upstream-net-this-kasan-gce	2019/02/08 07:52	net	ec7fd009	aa4feb03	.config	log	report			avagin@virtuozzo.com, davem@davemloft.net, dvlasenk@redhat.com, jbaron@akamai.com, kgraul@linux.ibm.com, ktkhai@virtuozzo.com, kyeongdon.kim@lge.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, xiyou.wangcong@gmail.com
ci-upstream-net-kasan-gce	2019/03/21 11:45	net-next	a534ea30	427ea487	.config	log	report			linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, viro@zeniv.linux.org.uk
ci-upstream-net-kasan-gce	2019/03/18 18:45	net-next	3b319ee2	4656beca	.config	log	report			bridge@lists.linux-foundation.org, davem@davemloft.net, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, nikolay@cumulusnetworks.com, roopa@cumulusnetworks.com
ci-upstream-net-kasan-gce	2019/03/16 06:27	net-next	3b319ee2	bab43553	.config	log	report			linux-kernel@vger.kernel.org, linux-mm@kvack.org, mike.kravetz@oracle.com
ci-upstream-net-kasan-gce	2019/03/04 01:48	net-next	41bc0ddb	1c0e457a	.config	log	report			linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, viro@zeniv.linux.org.uk
ci-upstream-net-kasan-gce	2019/02/26 15:58	net-next	c14f7e1e	a36ecd98	.config	log	report			linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, viro@zeniv.linux.org.uk
ci-upstream-net-kasan-gce	2019/02/25 04:40	net-next	45c0e7b2	7a06e792	.config	log	report			linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, viro@zeniv.linux.org.uk
ci-upstream-net-kasan-gce	2019/02/05 01:36	net-next	cc733578	d672172c	.config	log	report			linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, viro@zeniv.linux.org.uk