Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
---|---|---|---|---|---|---|---|---|---|
upstream | KASAN: invalid-free in ___pte_free_tlb kernel | 1 | 1538d | 1534d | 0/28 | auto-closed as invalid on 2021/01/15 18:41 |
syzbot |
sign-in | mailing list | source | docs |
================================================================== BUG: KASAN: double-free or invalid-free in pte_lock_deinit include/linux/mm.h:1910 [inline] BUG: KASAN: double-free or invalid-free in pgtable_page_dtor include/linux/mm.h:1943 [inline] BUG: KASAN: double-free or invalid-free in ___pte_free_tlb+0x40/0x190 arch/x86/mm/pgtable.c:64 CPU: 1 PID: 15619 Comm: syz-executor.0 Not tainted 4.19.211-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1fc/0x2ef lib/dump_stack.c:118 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256 kasan_report_invalid_free+0x61/0xa0 mm/kasan/report.c:336 __kasan_slab_free+0x1d0/0x1f0 mm/kasan/kasan.c:501 __cache_free mm/slab.c:3503 [inline] kmem_cache_free+0x7f/0x260 mm/slab.c:3765 pte_lock_deinit include/linux/mm.h:1910 [inline] pgtable_page_dtor include/linux/mm.h:1943 [inline] ___pte_free_tlb+0x40/0x190 arch/x86/mm/pgtable.c:64 __pte_free_tlb arch/x86/include/asm/pgalloc.h:73 [inline] free_pte_range mm/memory.c:457 [inline] free_pmd_range mm/memory.c:475 [inline] free_pud_range mm/memory.c:509 [inline] free_p4d_range mm/memory.c:543 [inline] free_pgd_range+0xa94/0x1020 mm/memory.c:623 free_pgtables+0x230/0x2f0 mm/memory.c:655 exit_mmap+0x2c8/0x530 mm/mmap.c:3094 __mmput kernel/fork.c:1016 [inline] mmput+0x14e/0x4a0 kernel/fork.c:1037 exit_mm kernel/exit.c:549 [inline] do_exit+0xaec/0x2be0 kernel/exit.c:857 do_group_exit+0x125/0x310 kernel/exit.c:967 __do_sys_exit_group kernel/exit.c:978 [inline] __se_sys_exit_group kernel/exit.c:976 [inline] __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:976 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x7ff228164e99 Code: Bad RIP value. RSP: 002b:00007fffc8bdaed8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 000000000000001e RCX: 00007ff228164e99 RDX: 00007ff228117adb RSI: ffffffffffffffbc RDI: 0000000000000000 RBP: 0000000000000000 R08: 00000000d02f5a14 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 R13: 0000000000000000 R14: 0000000000000001 R15: 00007fffc8bdafc0 Allocated by task 21795: kmem_cache_alloc+0x122/0x370 mm/slab.c:3559 ptlock_alloc+0x1d/0x70 mm/memory.c:4969 ptlock_init include/linux/mm.h:1900 [inline] pgtable_page_ctor include/linux/mm.h:1934 [inline] pte_alloc_one+0x68/0x190 arch/x86/mm/pgtable.c:38 __pte_alloc+0x21/0x340 mm/memory.c:665 copy_pte_range mm/memory.c:1089 [inline] copy_pmd_range mm/memory.c:1165 [inline] copy_pud_range mm/memory.c:1199 [inline] copy_p4d_range mm/memory.c:1221 [inline] copy_page_range+0x1d3d/0x2ff0 mm/memory.c:1283 dup_mmap kernel/fork.c:549 [inline] dup_mm kernel/fork.c:1285 [inline] copy_mm kernel/fork.c:1341 [inline] copy_process.part.0+0x5b22/0x8260 kernel/fork.c:1913 copy_process kernel/fork.c:1710 [inline] _do_fork+0x22f/0xf30 kernel/fork.c:2219 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 15619: __cache_free mm/slab.c:3503 [inline] kmem_cache_free+0x7f/0x260 mm/slab.c:3765 pte_lock_deinit include/linux/mm.h:1910 [inline] pgtable_page_dtor include/linux/mm.h:1943 [inline] ___pte_free_tlb+0x40/0x190 arch/x86/mm/pgtable.c:64 __pte_free_tlb arch/x86/include/asm/pgalloc.h:73 [inline] free_pte_range mm/memory.c:457 [inline] free_pmd_range mm/memory.c:475 [inline] free_pud_range mm/memory.c:509 [inline] free_p4d_range mm/memory.c:543 [inline] free_pgd_range+0xa94/0x1020 mm/memory.c:623 free_pgtables+0x230/0x2f0 mm/memory.c:655 exit_mmap+0x2c8/0x530 mm/mmap.c:3094 __mmput kernel/fork.c:1016 [inline] mmput+0x14e/0x4a0 kernel/fork.c:1037 exit_mm kernel/exit.c:549 [inline] do_exit+0xaec/0x2be0 kernel/exit.c:857 do_group_exit+0x125/0x310 kernel/exit.c:967 __do_sys_exit_group kernel/exit.c:978 [inline] __se_sys_exit_group kernel/exit.c:976 [inline] __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:976 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff88800010f000 which belongs to the cache page->ptl of size 56 The buggy address is located 0 bytes inside of 56-byte region [ffff88800010f000, ffff88800010f038) The buggy address belongs to the page: page:ffffea00000043c0 count:1 mapcount:0 mapping:ffff88813bfec040 index:0x0 flags: 0x7ff00000000100(slab) raw: 007ff00000000100 ffffea00025e08c8 ffffea000061bb08 ffff88813bfec040 raw: 0000000000000000 ffff88800010f000 000000010000002e 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88800010ef00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88800010ef80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff88800010f000: fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb fb ^ ffff88800010f080: fb fb fc fc fc fc fb fb fb fb fb fb fb fc fc fc ffff88800010f100: fc fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb ==================================================================
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
---|---|---|---|---|---|---|---|---|---|---|---|---|
2022/01/10 03:46 | linux-4.19.y | 3f8a27f9e27b | 2ca0d385 | .config | console log | report | info | ci2-linux-4-19 | KASAN: invalid-free in ___pte_free_tlb |