BUG: Bad page state

BUG: Bad page state
Status: fixed on 2017/10/24 06:54
Reported-by: syzbot+@syzkaller.appspotmail.com
Fix commit: 263630e8d176 mm/madvise.c: fix freeing of locked page with MADV_FREE
First crash: 1505d, last: 1504d

similar bugs (9):
Kernel	Title	Repro	Count	Last	Reported	Patched	Status
upstream	BUG: Bad page state (3)	C	3	1358d	1365d	4/22	fixed on 2018/02/02 04:39
upstream	BUG: Bad page state (5)	C	171	943d	957d	0/22	closed as invalid on 2019/02/27 20:53
upstream	BUG: Bad page state (7)		3	393d	450d	0/22	auto-closed as invalid on 2020/12/28 02:44
android-49	BUG: Bad page state		3	726d	749d	0/3	auto-closed as invalid on 2020/01/30 18:48
android-54	BUG: Bad page state	C	9	546d	577d	0/1	upstream: reported C repro on 2020/02/28 01:20
upstream	BUG: Bad page state (2)		1	1401d	1397d	0/22	closed as invalid on 2017/12/06 12:57
upstream	BUG: Bad page state (4)		1	1163d	1163d	0/22	closed as invalid on 2018/09/05 12:51
upstream	BUG: Bad page state (6)	C	2	942d	942d	0/22	closed as invalid on 2019/03/01 18:38
upstream	BUG: Bad page state (8)		2	238d	238d	1/22	upstream: reported on 2021/02/01 10:07

Sample crash report:

page:ffffea0006f63580 count:0 mapcount:0 mapping:          (null) index:0x20ad6
flags: 0x200000000040019(locked|uptodate|dirty|swapbacked)
raw: 0200000000040019 0000000000000000 0000000000020ad6 00000000ffffffff
raw: ffffea0006f635a0 ffffea0006f635a0 0000000000000000 0000000000000000
page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
bad because of flags: 0x1(locked)
Modules linked in:
CPU: 0 PID: 13946 Comm: syzkaller249964 Not tainted 4.13.0-rc5+ #36
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:52
 bad_page+0x230/0x2b0 mm/page_alloc.c:565
 free_pages_check_bad+0x1f0/0x2e0 mm/page_alloc.c:943
 free_pages_check mm/page_alloc.c:952 [inline]
 free_pages_prepare mm/page_alloc.c:1043 [inline]
 free_pcp_prepare mm/page_alloc.c:1068 [inline]
 free_hot_cold_page+0x8cf/0x12b0 mm/page_alloc.c:2584
 __put_single_page mm/swap.c:79 [inline]
 __put_page+0xfb/0x160 mm/swap.c:113
 put_page include/linux/mm.h:814 [inline]
 madvise_free_pte_range+0x137a/0x1ec0 mm/madvise.c:371
 walk_pmd_range mm/pagewalk.c:50 [inline]
 walk_pud_range mm/pagewalk.c:108 [inline]
 walk_p4d_range mm/pagewalk.c:134 [inline]
 walk_pgd_range mm/pagewalk.c:160 [inline]
 __walk_page_range+0xc3a/0x1450 mm/pagewalk.c:249
 walk_page_range+0x200/0x470 mm/pagewalk.c:326
 madvise_free_page_range.isra.9+0x17d/0x230 mm/madvise.c:444
 madvise_free_single_vma+0x353/0x580 mm/madvise.c:471
 madvise_dontneed_free mm/madvise.c:555 [inline]
 madvise_vma mm/madvise.c:664 [inline]
 SYSC_madvise mm/madvise.c:832 [inline]
 SyS_madvise+0x7d3/0x13c0 mm/madvise.c:760
 entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x4462e9
RSP: 002b:00007febbc9a8d08 EFLAGS: 00000202 ORIG_RAX: 000000000000001c
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004462e9
RDX: 0000010200000008 RSI: 0000000000012000 RDI: 0000000020ad6000
RBP: 0000000000000086 R08: 00007febbc9a9700 R09: 00007febbc9a9700
R10: 00007febbc9a9700 R11: 0000000000000202 R12: 0000000000000000
R13: 00007ffc37647b0f R14: 00007febbc9a99c0 R15: 0000000000000000

Crashes (2):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Title
ci-upstream-kasan-gce	2017/08/15 17:49	upstream	fcd07350007b	6a0246bf	.config	log	report	syz	C
ci-upstream-kasan-gce	2017/08/14 15:58	upstream	ef954844c7ac	6a0246bf	.config	log	report	syz	C