ci starts bisection 2024-09-19 14:41:53.143554577 +0000 UTC m=+61.376895231
bisecting cause commit starting from a430d95c5efa2b545d26a094eb5f624e36732af0
building syzkaller on c673ca06b23cea94091ab496ef62c3513e434585
ensuring issue is reproducible on original commit a430d95c5efa2b545d26a094eb5f624e36732af0

testing commit a430d95c5efa2b545d26a094eb5f624e36732af0 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6f864e608b8b3aaebec98c37e3479ff71a402f2ad526440ea034bc8f5ff564d5
all runs: crashed: KASAN: slab-use-after-free Read in iov_iter_advance
representative crash: KASAN: slab-use-after-free Read in iov_iter_advance, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit a430d95c5efa2b545d26a094eb5f624e36732af0 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e07769d1a6b8e40dd491022ab89c6d1e6c4db15dbb3a0d7c18e2cd112b3f8198
all runs: crashed: KASAN: slab-use-after-free Read in iov_iter_advance
representative crash: KASAN: slab-use-after-free Read in iov_iter_advance, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
kconfig minimization: base=4047 full=8155 leaves diff=2104
split chunks (needed=false): <2104>
split chunk #0 of len 2104 into 5 parts
testing without sub-chunk 1/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit a430d95c5efa2b545d26a094eb5f624e36732af0 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: fcf9124ac81731f2b216bb55f0fed450e42a2b7e09f1465189fba0c1f174b411
all runs: crashed: KASAN: slab-use-after-free Read in iov_iter_advance
representative crash: KASAN: slab-use-after-free Read in iov_iter_advance, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit a430d95c5efa2b545d26a094eb5f624e36732af0 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6d784b6d1208f20453c442f6cbbbae6bb42d40db244ee459be7f51d5a4741df5
all runs: crashed: KASAN: slab-use-after-free Read in iov_iter_advance
representative crash: KASAN: slab-use-after-free Read in iov_iter_advance, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit a430d95c5efa2b545d26a094eb5f624e36732af0 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6cde33cde114f18e431642fd3211c9f6d990c576a92629d3f66e161f83400768
all runs: crashed: KASAN: slab-use-after-free Read in iov_iter_advance
representative crash: KASAN: slab-use-after-free Read in iov_iter_advance, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit a430d95c5efa2b545d26a094eb5f624e36732af0 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 59f95d7da47c9d970cd7288858b11c61efb6e4325bec834608e73761349f9a7c
all runs: crashed: KASAN: slab-use-after-free Read in iov_iter_advance
representative crash: KASAN: slab-use-after-free Read in iov_iter_advance, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit a430d95c5efa2b545d26a094eb5f624e36732af0 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7f007b32e230ab86683fb9a0725943bcd25f3c1fc6d4bf18fb12cb6c811149f7
all runs: crashed: KASAN: slab-use-after-free Read in iov_iter_advance
representative crash: KASAN: slab-use-after-free Read in iov_iter_advance, types: [KASAN]
the chunk can be dropped
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
picked [v6.11 v6.10 v6.9 v6.7 v6.5 v6.3 v6.1 v5.19 v5.16 v5.13 v5.10 v5.7 v5.4 v5.1 v4.19] out of 34 release tags
testing release v6.11
testing commit 98f7e32f20d28ec452afb208f9cffc08448a2652 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2b58895a406de7c413652ae29e4b37248eb18f03fb39c49f18474f39e789b792
all runs: OK
false negative chance: 0.000
# git bisect start a430d95c5efa2b545d26a094eb5f624e36732af0 98f7e32f20d28ec452afb208f9cffc08448a2652
Bisecting: 1286 revisions left to test after this (roughly 10 steps)
[9f6b619edf2e85746f261b42ae8f818a59d126f7] net: support non paged skb frags
testing commit 9f6b619edf2e85746f261b42ae8f818a59d126f7 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
failed building 9f6b619edf2e85746f261b42ae8f818a59d126f7: ./include/trace/events/page_pool.h:68: undefined reference to `__tracepoint_page_pool_state_hold'
ld: ./include/trace/events/page_pool.h:68: undefined reference to `__tracepoint_page_pool_state_hold'
ld: ./include/trace/events/page_pool.h:68: undefined reference to `__SCT__tp_func_page_pool_state_hold'
ld: vmlinux.o:(__jump_table+0x1ca88): undefined reference to `__tracepoint_page_pool_state_hold'
ld: vmlinux.o:(.static_call_sites+0x8f5c): undefined reference to `__SCK__tp_func_page_pool_state_hold'
# git bisect skip 9f6b619edf2e85746f261b42ae8f818a59d126f7
Bisecting: 1286 revisions left to test after this (roughly 10 steps)
[15d8a407a54708cacefd5e36c069e7ba36a36050] net: stmmac: support fp parameter of tc-taprio
testing commit 15d8a407a54708cacefd5e36c069e7ba36a36050 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 39411d079eb881219271e7f3c87f41b4ac1f4b7ab4eb727749134d115555aa25
all runs: OK
false negative chance: 0.000
# git bisect good 15d8a407a54708cacefd5e36c069e7ba36a36050
Bisecting: 767 revisions left to test after this (roughly 10 steps)
[64dd3b6a79f0907d36de481b0f15fab323a53e5a] Merge tag 'for-linus-non-x86' of git://git.kernel.org/pub/scm/virt/kvm/kvm
testing commit 64dd3b6a79f0907d36de481b0f15fab323a53e5a gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: cca2097f924f51eafabefbbc21101ef7eaf77520c6859a1689950a794212e5eb
all runs: OK
false negative chance: 0.000
# git bisect good 64dd3b6a79f0907d36de481b0f15fab323a53e5a
Bisecting: 382 revisions left to test after this (roughly 9 steps)
[9020d0d844ad58a051f90b1e5b82ba34123925b9] Merge tag 'vfs-6.12.mount' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs
testing commit 9020d0d844ad58a051f90b1e5b82ba34123925b9 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 46c22aa62bcbc563d8bfb1e261932181edb11295532d8b97b1a436ddcda82378
all runs: OK
false negative chance: 0.000
# git bisect good 9020d0d844ad58a051f90b1e5b82ba34123925b9
Bisecting: 189 revisions left to test after this (roughly 8 steps)
[3a4d319a8fb5a9bbdf5b31ef32841eb286b1dcc2] Merge tag 'for-6.12/io_uring-20240913' of git://git.kernel.dk/linux
testing commit 3a4d319a8fb5a9bbdf5b31ef32841eb286b1dcc2 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 17a705d34d4624a3791076df204d97aa471e2c5839ecc14a0f2f064f54efdad3
all runs: crashed: KASAN: slab-use-after-free Read in iov_iter_advance
representative crash: KASAN: slab-use-after-free Read in iov_iter_advance, types: [KASAN]
# git bisect bad 3a4d319a8fb5a9bbdf5b31ef32841eb286b1dcc2
Bisecting: 96 revisions left to test after this (roughly 7 steps)
[54c78d497b383f5828b019d41149a9e76cfc771c] btrfs: convert zlib_decompress() to take a folio
testing commit 54c78d497b383f5828b019d41149a9e76cfc771c gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ad2dc56c3f27b427dc3def823920922b4375feef04895ea508316daf9ceae9a2
all runs: OK
false negative chance: 0.000
# git bisect good 54c78d497b383f5828b019d41149a9e76cfc771c
Bisecting: 51 revisions left to test after this (roughly 6 steps)
[7a40974fd0efa3698de4c6d1d0ee0436bcc4445d] Merge tag 'for-6.12-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux
testing commit 7a40974fd0efa3698de4c6d1d0ee0436bcc4445d gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: bc65a3f229b02e5dd48c758f1bbed5bc0e6a4649b129a6b749528df989c3eb10
all runs: crashed: KASAN: slab-use-after-free Read in iov_iter_advance
representative crash: KASAN: slab-use-after-free Read in iov_iter_advance, types: [KASAN]
# git bisect bad 7a40974fd0efa3698de4c6d1d0ee0436bcc4445d
Bisecting: 22 revisions left to test after this (roughly 5 steps)
[2982c8c19bab020e38da9d503aa21a3b389c53ac] cifs: Use iterate_and_advance*() routines directly for hashing
testing commit 2982c8c19bab020e38da9d503aa21a3b389c53ac gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: dae6cfdb8c77fb78f6471f489b1ec64ce7d584926fb74912a87d170535a87c67
all runs: crashed: KASAN: slab-use-after-free Read in iov_iter_advance
representative crash: KASAN: slab-use-after-free Read in iov_iter_advance, types: [KASAN]
# git bisect bad 2982c8c19bab020e38da9d503aa21a3b389c53ac
Bisecting: 10 revisions left to test after this (roughly 4 steps)
[db0aa2e9566fda2d23dc8f6c102856ead95578a4] mm: Define struct folio_queue and ITER_FOLIOQ to handle a sequence of folios
testing commit db0aa2e9566fda2d23dc8f6c102856ead95578a4 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1a70459e7fa3322fb561bb584c3b4a356cf7cb5a211d00bf9697b60f22277bcc
all runs: OK
false negative chance: 0.000
# git bisect good db0aa2e9566fda2d23dc8f6c102856ead95578a4
Bisecting: 4 revisions left to test after this (roughly 3 steps)
[2e45b922977c07bb339d76fd45e68f9b907fef7d] afs: Make read subreqs async
testing commit 2e45b922977c07bb339d76fd45e68f9b907fef7d gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6360680c420d849a3e135eee55f3962e1f6b65ebea272a3e57ae867c815c9bef
all runs: crashed: KASAN: slab-use-after-free Read in iov_iter_advance
representative crash: KASAN: slab-use-after-free Read in iov_iter_advance, types: [KASAN]
# git bisect bad 2e45b922977c07bb339d76fd45e68f9b907fef7d
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[cd0277ed0c188dd40e7744e89299af7b78831ca4] netfs: Use new folio_queue data type and iterator instead of xarray iter
testing commit cd0277ed0c188dd40e7744e89299af7b78831ca4 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1a7c5348f5a90f7ed51285ade35a9b7cf8042e690b70cd7d34752526d149a07a
all runs: OK
false negative chance: 0.000
# git bisect good cd0277ed0c188dd40e7744e89299af7b78831ca4
Bisecting: 0 revisions left to test after this (roughly 1 step)
[983cdcf8fe141b0ce16bc71959a5dc55bcb0764d] netfs: Simplify the writeback code
testing commit 983cdcf8fe141b0ce16bc71959a5dc55bcb0764d gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 45a6c5f3ad62518e7b69a36b639329a73e2c8a17249e7744e04a24b24fac5bb4
all runs: crashed: KASAN: slab-use-after-free Read in iov_iter_advance
representative crash: KASAN: slab-use-after-free Read in iov_iter_advance, types: [KASAN]
# git bisect bad 983cdcf8fe141b0ce16bc71959a5dc55bcb0764d
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[bfaa33b8ba196f9506a45e5a36e968f087c8cd16] netfs: Provide an iterator-reset function
testing commit bfaa33b8ba196f9506a45e5a36e968f087c8cd16 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 21b57c6875cee47bb2a2ab66e3c57c234e79e3b3842bd77dc6c70f9369dc446f
all runs: OK
false negative chance: 0.000
# git bisect good bfaa33b8ba196f9506a45e5a36e968f087c8cd16
983cdcf8fe141b0ce16bc71959a5dc55bcb0764d is the first bad commit
commit 983cdcf8fe141b0ce16bc71959a5dc55bcb0764d
Author: David Howells
Date: Thu Jun 6 07:48:55 2024 +0100

    netfs: Simplify the writeback code

    Use the new folio_queue structures to simplify the writeback code. The problem with referring to the i_pages xarray directly is that we may have gaps in the sequence of folios we're writing from that we need to skip when we're removing the writeback mark from the folios we're writing back from.

    At the moment the code tries to deal with this by carefully tracking the gaps in each writeback stream (eg. write to server and write to cache) and divining when there's a gap that spans folios (something that's not helped by folios not being a consistent size).

    Instead, the folio_queue buffer contains pointers only the folios we're dealing with, has them in ascending order and indicates a gap by placing non-consequitive folios next to each other. This makes it possible to track where we need to clean up to by just keeping track of where we've processed to on each stream and taking the minimum.

    Note that the I/O iterator is always rounded up to the end of the folio, even if that is beyond the EOF position, so that the cache can do DIO from the page. The excess space is cleared, though mmapped writes clobber it.

    Signed-off-by: David Howells
    cc: Jeff Layton
    cc: netfs@lists.linux.dev
    cc: linux-fsdevel@vger.kernel.org
    Link: https://lore.kernel.org/r/20240814203850.2240469-18-dhowells@redhat.com/ # v2
    Signed-off-by: Christian Brauner

 fs/netfs/write_collect.c     | 146 +++++++------------------------------------
 fs/netfs/write_issue.c       |  36 ++++++-----
 include/linux/netfs.h        |   1 -
 include/trace/events/netfs.h |  33 +---------
 4 files changed, 45 insertions(+), 171 deletions(-)

accumulated error probability: 0.00
culprit signature: 45a6c5f3ad62518e7b69a36b639329a73e2c8a17249e7744e04a24b24fac5bb4
parent signature: 21b57c6875cee47bb2a2ab66e3c57c234e79e3b3842bd77dc6c70f9369dc446f
revisions tested: 20, total time: 9h27m55.596904791s (build: 4h12m4.864647483s, test: 3h0m33.614337726s)
first bad commit: 983cdcf8fe141b0ce16bc71959a5dc55bcb0764d netfs: Simplify the writeback code
recipients (to): ["brauner@kernel.org" "dhowells@redhat.com" "dhowells@redhat.com" "linux-fsdevel@vger.kernel.org" "linux-trace-kernel@vger.kernel.org" "mhiramat@kernel.org" "netfs@lists.linux.dev" "rostedt@goodmis.org"]
recipients (cc): ["jlayton@kernel.org" "linux-kernel@vger.kernel.org" "mathieu.desnoyers@efficios.com"]

crash: KASAN: slab-use-after-free Read in iov_iter_advance
==================================================================
BUG: KASAN: slab-use-after-free in iov_iter_folioq_advance lib/iov_iter.c:540 [inline]
BUG: KASAN: slab-use-after-free in iov_iter_advance+0x470/0x500 lib/iov_iter.c:576
Read of size 8 at addr ffff8881196d7120 by task syz.0.17/2818

CPU: 0 UID: 0 PID: 2818 Comm: syz.0.17 Not tainted 6.11.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Call Trace:
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x5a/0x90 lib/dump_stack.c:119
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 iov_iter_folioq_advance lib/iov_iter.c:540 [inline]
 iov_iter_advance+0x470/0x500 lib/iov_iter.c:576
 netfs_write_folio+0xa33/0x1e00 fs/netfs/write_issue.c:481
 netfs_writepages+0x25a/0xb60 fs/netfs/write_issue.c:541
 do_writepages+0x172/0x780 mm/page-writeback.c:2683
 filemap_fdatawrite_wbc mm/filemap.c:397 [inline]
 filemap_fdatawrite_wbc+0x10e/0x180 mm/filemap.c:387
 __filemap_fdatawrite_range+0xaa/0xf0 mm/filemap.c:430
 v9fs_dir_release+0x242/0x310 fs/9p/vfs_dir.c:219
 __fput+0x361/0xaf0 fs/file_table.c:422
 task_work_run+0x119/0x1f0 kernel/task_work.c:228
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x180/0x190 kernel/entry/common.c:218
 do_syscall_64+0x7a/0x170 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff4a803def9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcbc931268 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 00007ff4a81f7a80 RCX: 00007ff4a803def9
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 00007ff4a81f7a80 R08: 0000000000000000 R09: 00007ffcbc93155f
R10: 000000000003fd88 R11: 0000000000000246 R12: 000000000001159a
R13: 00007ffcbc931370 R14: 0000000000000032 R15: ffffffffffffffff

Allocated by task 2818:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:387
 kmalloc_noprof include/linux/slab.h:681 [inline]
 netfs_buffer_append_folio+0x140/0x640 fs/netfs/misc.c:25
 netfs_write_folio+0x41e/0x1e00 fs/netfs/write_issue.c:419
 netfs_writepages+0x25a/0xb60 fs/netfs/write_issue.c:541
 do_writepages+0x172/0x780 mm/page-writeback.c:2683
 filemap_fdatawrite_wbc mm/filemap.c:397 [inline]
 filemap_fdatawrite_wbc+0x10e/0x180 mm/filemap.c:387
 __filemap_fdatawrite_range+0xaa/0xf0 mm/filemap.c:430
 v9fs_dir_release+0x242/0x310 fs/9p/vfs_dir.c:219
 __fput+0x361/0xaf0 fs/file_table.c:422
 task_work_run+0x119/0x1f0 kernel/task_work.c:228
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x180/0x190 kernel/entry/common.c:218
 do_syscall_64+0x7a/0x170 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 529:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579
 poison_slab_object+0xf7/0x160 mm/kasan/common.c:240
 __kasan_slab_free+0x32/0x50 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2256 [inline]
 slab_free mm/slub.c:4477 [inline]
 kfree+0x121/0x360 mm/slub.c:4598
 netfs_delete_buffer_head+0x97/0xf0 fs/netfs/misc.c:59
 netfs_writeback_unlock_folios fs/netfs/write_collect.c:133 [inline]
 netfs_collect_write_results fs/netfs/write_collect.c:486 [inline]
 netfs_write_collection_worker+0x18de/0x4340 fs/netfs/write_collect.c:544
 process_one_work+0x7c4/0x15e0 kernel/workqueue.c:3231
 process_scheduled_works kernel/workqueue.c:3312 [inline]
 worker_thread+0x6b1/0x1010 kernel/workqueue.c:3389
 kthread+0x277/0x330 kernel/kthread.c:389
 ret_from_fork+0x2f/0x70 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

The buggy address belongs to the object at ffff8881196d7000
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 288 bytes inside of
 freed 512-byte region [ffff8881196d7000, ffff8881196d7200)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1196d4
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0x200000000000040(head|node=0|zone=2)
page_type: 0xfdffffff(slab)
raw: 0200000000000040 ffff888100041c80 0000000000000000 dead000000000001
raw: 0000000000000000 0000000080100010 00000001fdffffff 0000000000000000
head: 0200000000000040 ffff888100041c80 0000000000000000 dead000000000001
head: 0000000000000000 0000000080100010 00000001fdffffff 0000000000000000
head: 0200000000000002 ffffea000465b501 ffffffffffffffff 0000000000000000
head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 744, tgid 744 (udevd), ts 3689530780, free_ts 0
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x283/0x300 mm/page_alloc.c:1500
 prep_new_page mm/page_alloc.c:1508 [inline]
 get_page_from_freelist+0x117b/0x3620 mm/page_alloc.c:3446
 __alloc_pages_noprof+0x345/0x620 mm/page_alloc.c:4702
 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
 alloc_slab_page+0x4e/0xf0 mm/slub.c:2325
 allocate_slab+0x5b/0x200 mm/slub.c:2488
 new_slab mm/slub.c:2541 [inline]
 ___slab_alloc+0xc2a/0x13f0 mm/slub.c:3727
 __slab_alloc.constprop.0+0x4d/0x90 mm/slub.c:3817
 __slab_alloc_node mm/slub.c:3870 [inline]
 slab_alloc_node mm/slub.c:4029 [inline]
 __kmalloc_cache_noprof+0x324/0x370 mm/slub.c:4188
 kmalloc_noprof include/linux/slab.h:681 [inline]
 kzalloc_noprof include/linux/slab.h:807 [inline]
 kernfs_fop_open+0x25c/0xda0 fs/kernfs/file.c:623
 do_dentry_open+0x624/0x1150 fs/open.c:959
 vfs_open+0x7d/0x350 fs/open.c:1089
 do_open fs/namei.c:3727 [inline]
 path_openat+0x1d3b/0x2d10 fs/namei.c:3886
 do_filp_open+0x1ba/0x400 fs/namei.c:3913
 do_sys_openat2+0x133/0x170 fs/open.c:1416
 do_sys_open fs/open.c:1431 [inline]
 __do_sys_openat fs/open.c:1447 [inline]
 __se_sys_openat fs/open.c:1442 [inline]
 __x64_sys_openat+0x134/0x1d0 fs/open.c:1442
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x6d/0x170 arch/x86/entry/common.c:83
page_owner free stack trace missing

Memory state around the buggy address:
 ffff8881196d7000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881196d7080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881196d7100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff8881196d7180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881196d7200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================