syzbot


BUG: Bad page state

Status: fixed on 2017/10/24 06:54
Reported-by: syzbot+@syzkaller.appspotmail.com
Fix commit: 263630e8d176 mm/madvise.c: fix freeing of locked page with MADV_FREE
First crash: 1820d, last: 1819d
similar bugs (11):
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
upstream | BUG: Bad page state (3) | C | | | 3 | 1673d | 1680d | 4/23 | fixed on 2018/02/02 04:39
upstream | BUG: Bad page state (5) | C | | | 171 | 1258d | 1272d | 0/23 | closed as invalid on 2019/02/27 20:53
linux-4.19 | BUG: Bad page state | | | | 1 | 260d | 260d | 0/1 | auto-closed as invalid on 2022/03/21 10:57
linux-4.19 | BUG: Bad page state (2) | | | | 1 | 71d | 71d | 0/1 | upstream: reported on 2022/05/29 19:49
upstream | BUG: Bad page state (7) | | | | 3 | 708d | 765d | 0/23 | auto-closed as invalid on 2020/12/28 02:44
android-49 | BUG: Bad page state | | | | 3 | 1041d | 1064d | 0/3 | auto-closed as invalid on 2020/01/30 18:48
android-54 | BUG: Bad page state | C | | | 9 | 861d | 892d | 0/2 | upstream: reported C repro on 2020/02/28 01:20
upstream | BUG: Bad page state (2) | | | | 1 | 1716d | 1712d | 0/23 | closed as invalid on 2017/12/06 12:57
upstream | BUG: Bad page state (4) | | | | 1 | 1478d | 1478d | 0/23 | closed as invalid on 2018/09/05 12:51
upstream | BUG: Bad page state (6) | C | | | 2 | 1257d | 1257d | 0/23 | closed as invalid on 2019/03/01 18:38
upstream | BUG: Bad page state (8) | | | | 358 | 12h51m | 553d | 1/23 | upstream: reported on 2021/02/01 10:07

Sample crash report:
page:ffffea0006f63580 count:0 mapcount:0 mapping:          (null) index:0x20ad6
flags: 0x200000000040019(locked|uptodate|dirty|swapbacked)
raw: 0200000000040019 0000000000000000 0000000000020ad6 00000000ffffffff
raw: ffffea0006f635a0 ffffea0006f635a0 0000000000000000 0000000000000000
page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
bad because of flags: 0x1(locked)
Modules linked in:
CPU: 0 PID: 13946 Comm: syzkaller249964 Not tainted 4.13.0-rc5+ #36
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:52
 bad_page+0x230/0x2b0 mm/page_alloc.c:565
 free_pages_check_bad+0x1f0/0x2e0 mm/page_alloc.c:943
 free_pages_check mm/page_alloc.c:952 [inline]
 free_pages_prepare mm/page_alloc.c:1043 [inline]
 free_pcp_prepare mm/page_alloc.c:1068 [inline]
 free_hot_cold_page+0x8cf/0x12b0 mm/page_alloc.c:2584
 __put_single_page mm/swap.c:79 [inline]
 __put_page+0xfb/0x160 mm/swap.c:113
 put_page include/linux/mm.h:814 [inline]
 madvise_free_pte_range+0x137a/0x1ec0 mm/madvise.c:371
 walk_pmd_range mm/pagewalk.c:50 [inline]
 walk_pud_range mm/pagewalk.c:108 [inline]
 walk_p4d_range mm/pagewalk.c:134 [inline]
 walk_pgd_range mm/pagewalk.c:160 [inline]
 __walk_page_range+0xc3a/0x1450 mm/pagewalk.c:249
 walk_page_range+0x200/0x470 mm/pagewalk.c:326
 madvise_free_page_range.isra.9+0x17d/0x230 mm/madvise.c:444
 madvise_free_single_vma+0x353/0x580 mm/madvise.c:471
 madvise_dontneed_free mm/madvise.c:555 [inline]
 madvise_vma mm/madvise.c:664 [inline]
 SYSC_madvise mm/madvise.c:832 [inline]
 SyS_madvise+0x7d3/0x13c0 mm/madvise.c:760
 entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x4462e9
RSP: 002b:00007febbc9a8d08 EFLAGS: 00000202 ORIG_RAX: 000000000000001c
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004462e9
RDX: 0000010200000008 RSI: 0000000000012000 RDI: 0000000020ad6000
RBP: 0000000000000086 R08: 00007febbc9a9700 R09: 00007febbc9a9700
R10: 00007febbc9a9700 R11: 0000000000000202 R12: 0000000000000000
R13: 00007ffc37647b0f R14: 00007febbc9a99c0 R15: 0000000000000000
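The page dump and the saved user registers above are enough to reconstruct, by hand, what the reproducer asked the kernel to do and why free_pages_check() rejected the page. The C program below is an added example written for this page, not code from syzbot or from the kernel tree. It assumes the low page->flags bit layout and the PAGE_FLAGS_CHECK_AT_FREE mask of a 4.13 x86_64 kernel (copied from that tree's include/linux/page-flags.h; verify against the kernel named in the report before reusing it), and it uses the uapi constants __NR_madvise = 28 on x86_64 and MADV_FREE = 8. Run against the values in the report it reproduces the dump's own "locked|uptodate|dirty|swapbacked" and "bad because of flags: 0x1(locked)" lines, decodes the syscall as madvise(0x20ad6000, 0x12000, MADV_FREE), and shows that the freed page's index 0x20ad6 is the first page of that range, consistent with madvise_free_pte_range() (mm/madvise.c:371 in the trace) dropping a reference on a page that was still locked, which is what the fix commit title describes.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>

#ifndef MADV_FREE
#define MADV_FREE 8            /* uapi value; older glibc headers lack it */
#endif
#define NR_MADVISE_X86_64 28   /* __NR_madvise in the x86_64 syscall table */

/*
 * Low page->flags bit positions in the order of enum pageflags in a 4.13
 * x86_64 kernel (assumption made for this example; check the
 * include/linux/page-flags.h of the kernel named in the report).
 */
enum {
	PG_locked, PG_error, PG_referenced, PG_uptodate, PG_dirty, PG_lru,
	PG_active, PG_waiters, PG_slab, PG_owner_priv_1, PG_arch_1,
	PG_reserved, PG_private, PG_private_2, PG_writeback, PG_head,
	PG_mappedtodisk, PG_reclaim, PG_swapbacked, PG_unevictable,
	PG_mlocked, PG_NR_NAMED
};
#define PG_swapcache PG_owner_priv_1   /* alias, as in the kernel */

static const char *const pg_names[PG_NR_NAMED] = {
	"locked", "error", "referenced", "uptodate", "dirty", "lru", "active",
	"waiters", "slab", "swapcache", "arch_1", "reserved", "private",
	"private_2", "writeback", "head", "mappedtodisk", "reclaim",
	"swapbacked", "unevictable", "mlocked",
};

/* Flags that must be clear when a page goes back to the buddy allocator
 * (PAGE_FLAGS_CHECK_AT_FREE in the 4.13 tree; assumption, see above). */
#define PAGE_FLAGS_CHECK_AT_FREE \
	((1UL << PG_lru) | (1UL << PG_locked) | (1UL << PG_private) | \
	 (1UL << PG_private_2) | (1UL << PG_writeback) | (1UL << PG_reserved) | \
	 (1UL << PG_slab) | (1UL << PG_swapcache) | (1UL << PG_active) | \
	 (1UL << PG_unevictable) | (1UL << PG_mlocked))

/* Render the named low bits of page->flags as "a|b|c". The high bits
 * (node/zone/section encoding, 0x2 << 57 in the dump) are ignored. */
static void describe_flags(unsigned long flags, char *buf, size_t len)
{
	size_t pos = 0;
	buf[0] = '\0';
	for (int bit = 0; bit < PG_NR_NAMED && pos < len; bit++) {
		if (!(flags & (1UL << bit)))
			continue;
		int n = snprintf(buf + pos, len - pos, "%s%s",
				 pos ? "|" : "", pg_names[bit]);
		if (n < 0)
			return;
		pos += (size_t)n;
	}
}

/* The "bad because of flags" line of the dump is exactly this value. */
static unsigned long bad_at_free(unsigned long flags)
{
	return flags & PAGE_FLAGS_CHECK_AT_FREE;
}

struct madvise_call {
	unsigned long addr;
	unsigned long len;
	int advice;
};

/* x86_64 syscall ABI: number in orig_rax, arguments in rdi, rsi, rdx.
 * madvise()'s third argument is an int, so only the low 32 bits of rdx
 * matter; the 0x102 in the high half of RDX is leftover register state. */
static int decode_madvise(unsigned long orig_rax, unsigned long rdi,
			  unsigned long rsi, unsigned long rdx,
			  struct madvise_call *out)
{
	if (orig_rax != NR_MADVISE_X86_64)
		return -1;
	out->addr = rdi;
	out->len = rsi;
	out->advice = (int)(uint32_t)rdx;
	return 0;
}

/* For an anonymous page, page->index is its virtual page number, so the
 * freed page can be tied back to the range the syscall operated on. */
static int page_index_in_range(unsigned long index, const struct madvise_call *c)
{
	unsigned long vaddr = index << 12;   /* 4 KiB pages */
	return vaddr >= c->addr && vaddr < c->addr + c->len;
}

int main(void)
{
	/* Values copied from the crash report above. */
	unsigned long flags = 0x200000000040019UL;
	char names[128];
	struct madvise_call c;

	describe_flags(flags, names, sizeof names);
	printf("flags: %#lx(%s)\n", flags, names);
	describe_flags(bad_at_free(flags), names, sizeof names);
	printf("bad because of flags: %#lx(%s)\n", bad_at_free(flags), names);

	if (decode_madvise(0x1c, 0x20ad6000UL, 0x12000UL, 0x0000010200000008UL, &c) == 0) {
		printf("madvise(addr=%#lx, len=%#lx, advice=%d%s)\n", c.addr, c.len,
		       c.advice, c.advice == MADV_FREE ? " MADV_FREE" : "");
		printf("page index 0x20ad6 %s the madvised range\n",
		       page_index_in_range(0x20ad6, &c) ? "lies inside" : "is outside");
	}
	return 0;
}
```

The same decoding applies to any "Bad page state" report: the flag bit that survives the PAGE_FLAGS_CHECK_AT_FREE mask tells you which state the freeing path forgot to clear, and the register block tells you which syscall and which address range drove it there.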

Crashes (2):
Manager | Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Title
ci-upstream-kasan-gce | 2017/08/15 17:49 | upstream | fcd07350007b | 6a0246bf | .config | log | report | syz | C | |
ci-upstream-kasan-gce | 2017/08/14 15:58 | upstream | ef954844c7ac | 6a0246bf | .config | log | report | syz | C | |