BUG: Bad page state

BUG: Bad page state
Status: fixed on 2017/10/24 06:54
Reported-by: syzbot+@syzkaller.appspotmail.com
Fix commit: 263630e8 mm/madvise.c: fix freeing of locked page with MADV_FREE
First crash: 1168d, last: 1167d

similar bugs (8):
Kernel	Title	Repro	Count	Last	Reported	Patched	Status
upstream	BUG: Bad page state (3)	C	3	1022d	1029d	4/17	fixed on 2018/02/02 04:39
upstream	BUG: Bad page state (5)	C	171	607d	620d	0/17	closed as invalid on 2019/02/27 20:53
upstream	BUG: Bad page state (7)		3	57d	114d	0/17	upstream: reported on 2020/07/04 06:43
android-49	BUG: Bad page state		3	389d	413d	0/3	auto-closed as invalid on 2020/01/30 18:48
android-54	BUG: Bad page state	C	9	210d	241d	0/1	upstream: reported C repro on 2020/02/28 01:20
upstream	BUG: Bad page state (2)		1	1064d	1060d	0/17	closed as invalid on 2017/12/06 12:57
upstream	BUG: Bad page state (4)		1	826d	826d	0/17	closed as invalid on 2018/09/05 12:51
upstream	BUG: Bad page state (6)	C	2	606d	606d	0/17	closed as invalid on 2019/03/01 18:38

Sample crash report:

page:ffffea0006f63580 count:0 mapcount:0 mapping:          (null) index:0x20ad6
flags: 0x200000000040019(locked|uptodate|dirty|swapbacked)
raw: 0200000000040019 0000000000000000 0000000000020ad6 00000000ffffffff
raw: ffffea0006f635a0 ffffea0006f635a0 0000000000000000 0000000000000000
page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
bad because of flags: 0x1(locked)
Modules linked in:
CPU: 0 PID: 13946 Comm: syzkaller249964 Not tainted 4.13.0-rc5+ #36
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:52
 bad_page+0x230/0x2b0 mm/page_alloc.c:565
 free_pages_check_bad+0x1f0/0x2e0 mm/page_alloc.c:943
 free_pages_check mm/page_alloc.c:952 [inline]
 free_pages_prepare mm/page_alloc.c:1043 [inline]
 free_pcp_prepare mm/page_alloc.c:1068 [inline]
 free_hot_cold_page+0x8cf/0x12b0 mm/page_alloc.c:2584
 __put_single_page mm/swap.c:79 [inline]
 __put_page+0xfb/0x160 mm/swap.c:113
 put_page include/linux/mm.h:814 [inline]
 madvise_free_pte_range+0x137a/0x1ec0 mm/madvise.c:371
 walk_pmd_range mm/pagewalk.c:50 [inline]
 walk_pud_range mm/pagewalk.c:108 [inline]
 walk_p4d_range mm/pagewalk.c:134 [inline]
 walk_pgd_range mm/pagewalk.c:160 [inline]
 __walk_page_range+0xc3a/0x1450 mm/pagewalk.c:249
 walk_page_range+0x200/0x470 mm/pagewalk.c:326
 madvise_free_page_range.isra.9+0x17d/0x230 mm/madvise.c:444
 madvise_free_single_vma+0x353/0x580 mm/madvise.c:471
 madvise_dontneed_free mm/madvise.c:555 [inline]
 madvise_vma mm/madvise.c:664 [inline]
 SYSC_madvise mm/madvise.c:832 [inline]
 SyS_madvise+0x7d3/0x13c0 mm/madvise.c:760
 entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x4462e9
RSP: 002b:00007febbc9a8d08 EFLAGS: 00000202 ORIG_RAX: 000000000000001c
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004462e9
RDX: 0000010200000008 RSI: 0000000000012000 RDI: 0000000020ad6000
RBP: 0000000000000086 R08: 00007febbc9a9700 R09: 00007febbc9a9700
R10: 00007febbc9a9700 R11: 0000000000000202 R12: 0000000000000000
R13: 00007ffc37647b0f R14: 00007febbc9a99c0 R15: 0000000000000000

Crashes (2):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Maintainers
ci-upstream-kasan-gce	2017/08/15 17:49	upstream	fcd07350	6a0246bf	.config	log	report	syz	C		akpm@linux-foundation.org, mhocko@suse.com, hannes@cmpxchg.org, minchan@kernel.org, hillf.zj@alibaba-inc.com, aaron.lu@intel.com, guro@fb.com, shli@fb.com, tglx@linutronix.de, dan.j.williams@intel.com, ying.huang@intel.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org
ci-upstream-kasan-gce	2017/08/14 15:58	upstream	ef954844	6a0246bf	.config	log	report	syz	C		akpm@linux-foundation.org, mhocko@suse.com, hannes@cmpxchg.org, hillf.zj@alibaba-inc.com, vbabka@suse.cz, ying.huang@intel.com, npiggin@gmail.com, aaron.lu@intel.com, dan.j.williams@intel.com, shli@fb.com, tglx@linutronix.de, linux-mm@kvack.org, linux-kernel@vger.kernel.org