syzbot

general protection fault in kmem_cache_free

Status: closed as invalid on 2018/07/07 11:48
Subsystems: mm
First crash: 2397d, last: 2397d
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 general protection fault in kmem_cache_free syz done 3 1609d 1610d 1/1 fixed on 2020/10/03 03:40

Sample crash report:
kasan: CONFIG_KASAN_INLINE enabled
PANIC: double fault, error_code: 0x0
kasan: GPF could be caused by NULL-ptr deref or user memory access
CPU: 1 PID: 5412 Comm: syz-executor773 Not tainted 4.18.0-rc3+ #48
general protection fault: 0000 [#1] SMP KASAN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__lock_acquire+0x2e/0x5020 kernel/locking/lockdep.c:3294
CPU: 0 PID: 4456 Comm: syz-executor773 Not tainted 4.18.0-rc3+ #48
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__debug_check_no_obj_freed lib/debugobjects.c:775 [inline]
RIP: 0010:debug_check_no_obj_freed+0x1b3/0x595 lib/debugobjects.c:815
RSP: 0000:ffff8801ac646ea8 EFLAGS: 00010002
RAX: 045e3d1fffffa7fd RBX: 0000000000000002 RCX: ffffffff816017d1
RDX: ff53850fdb84ffeb RSI: 0000000000000000 RDI: ffffffff8190e8ed
RBP: ffff8801ac646f98 R08: fffffbfff156a6b2 R09: fffffbfff156a6b1
R10: fffffbfff156a6b1 R11: ffffffff8ab5358b R12: 22f1e8fffffd3fe9
R13: 22f1e8fffffd3fe9 R14: dffffc0000000000 R15: ffffffff8ab53588
FS:  0000000000000000(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffff88bee950 CR3: 00000001d7fe2000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 kmem_cache_free+0x216/0x2d0 mm/slab.c:3755
 anon_vma_chain_free mm/rmap.c:133 [inline]
 unlink_anon_vmas+0x5f0/0xa60 mm/rmap.c:418
 free_pgtables+0x271/0x380 mm/memory.c:641
 exit_mmap+0x2d1/0x5b0 mm/mmap.c:3106
 __mmput kernel/fork.c:970 [inline]
 mmput+0x265/0x620 kernel/fork.c:991
 exit_mm kernel/exit.c:544 [inline]
 do_exit+0xea9/0x2750 kernel/exit.c:852
 do_group_exit+0x177/0x440 kernel/exit.c:968
 get_signal+0x88e/0x1970 kernel/signal.c:2468
 do_signal+0x9c/0x21c0 arch/x86/kernel/signal.c:816
 exit_to_usermode_loop+0x2e0/0x370 arch/x86/entry/common.c:162
 prepare_exit_to_usermode+0x342/0x3b0 arch/x86/entry/common.c:197
 retint_user+0x8/0x18
RIP: 0033:K512_4+0x38d0/0x120c74
RSP: 0018:ffff8801b57e1f50 EFLAGS: 00010086
RAX: 0000000000000000 RBX: 1ffff10036afc467 RCX: 0000000000000002
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff88f92620
RBP: ffff8801b57e22e0 R08: 0000000000000000 R09: 0000000000000000
R10: ffff8801b85ff1b8 R11: ffff8801daf236b3 R12: 0000000000000000
R13: ffffffff88f92620 R14: ffff8801cb864380 R15: 0000000000000002
FS:  00007f149fde5700(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8801b57e1f48 CR3: 0000000008e6a000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2018/07/07 07:27 bpf-next d90c936fb318 6c0c0099 .config console log report syz C ci-upstream-bpf-next-kasan-gce
* Struck through repros no longer work on HEAD.