bisecting cause commit starting from 187b9ac8c348383f7f36c8413d73ad89e9b1e90a building syzkaller on 9ad6612a0a3b4ab403e6db3bafc65dc098e83fc3 testing commit 187b9ac8c348383f7f36c8413d73ad89e9b1e90a compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 1fd2ec93d9e7f6f6ff0101fe5e803c95f6d9eee4123a8c6de34b0c64343b6254 all runs: crashed: KASAN: use-after-free Read in anon_vma_interval_tree_insert testing release v5.17 testing commit f443e374ae131c168a065ea1748feac6b2e76613 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: cf9531c8d8ef1033ecc09f21b2da7bb37f80b7c7b7c95bbf8b4326e19ce94d1f all runs: OK # git bisect start 187b9ac8c348383f7f36c8413d73ad89e9b1e90a f443e374ae131c168a065ea1748feac6b2e76613 Bisecting: 13591 revisions left to test after this (roughly 14 steps) [354b8bf222ee15bf9aac3d870ba8e0880dd9bc8d] Merge tag 'linux-watchdog-5.18-rc1' of git://www.linux-watchdog.org/linux-watchdog testing commit 354b8bf222ee15bf9aac3d870ba8e0880dd9bc8d compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 74f288b00bffe8c45de8fe35e05543f5f3b48c18e67b18fb50fa4fa2ef38a233 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 354b8bf222ee15bf9aac3d870ba8e0880dd9bc8d Bisecting: 6550 revisions left to test after this (roughly 13 steps) [cf145c57ea23578117cb546cabb993f6cf200192] Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git testing commit cf145c57ea23578117cb546cabb993f6cf200192 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 1a50b2f8ffd30192d09532e507a3c5ae92004f5fa85b1c091fc2c96c0c35e410 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good cf145c57ea23578117cb546cabb993f6cf200192 Bisecting: 3286 revisions left to test after this (roughly 12 steps) [9fff2c20adfdac1bfc40b6ae0bb5d832ca35ef9d] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi.git testing commit 9fff2c20adfdac1bfc40b6ae0bb5d832ca35ef9d compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: bad4369b9af111a20f616b87ff8c56481b89b1fde79bf171a27b8987c06f109c run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 9fff2c20adfdac1bfc40b6ae0bb5d832ca35ef9d Bisecting: 1632 revisions left to test after this (roughly 11 steps) [108eefe78260e356dbf80621ddaa01a445c953d3] Merge branch 'staging-next' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git testing commit 108eefe78260e356dbf80621ddaa01a445c953d3 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: d604b2e63ce963de0d0359c501231c0da1494305c8ad13c315e906fe99615d63 all runs: OK # git bisect good 108eefe78260e356dbf80621ddaa01a445c953d3 Bisecting: 821 revisions left to test after this (roughly 10 steps) [f5a42eaa42bd3982f1c16590f4ce1b1a49474b44] Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git testing commit f5a42eaa42bd3982f1c16590f4ce1b1a49474b44 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 48370ba10101b0ccd4d80a8df294b019c94e21376948e2d0b3dab8ae529d32fe all runs: OK # git bisect good f5a42eaa42bd3982f1c16590f4ce1b1a49474b44 Bisecting: 410 revisions left to test after this (roughly 9 steps) [344aa72ec59c218d451345000cdc4e401fa7ca01] kasan: use tabs to align shadow values testing commit 344aa72ec59c218d451345000cdc4e401fa7ca01 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: e3fb754726f8e59a57148026980dd9b9da4db8b9438136aa84b9e872e1c78294 all runs: crashed: KASAN: use-after-free Read in anon_vma_interval_tree_insert # git bisect bad 344aa72ec59c218d451345000cdc4e401fa7ca01 Bisecting: 205 revisions left to test after this (roughly 8 steps) [69a947f20cf15d59025b003387ff8ba61460494a] mm/damon/sysfs: move targets setup code to a separated function testing commit 69a947f20cf15d59025b003387ff8ba61460494a compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 mm/madvise.c:632:8: error: implicit declaration of function 'is_swapin_error_entry' [-Werror=implicit-function-declaration] # git bisect skip 69a947f20cf15d59025b003387ff8ba61460494a Bisecting: 204 revisions left to test after this (roughly 8 steps) [4892c4b3a77003cfb76cc7df1256a428dda68579] mm/damon/sysfs: reuse damon_set_regions() for regions setting testing commit 4892c4b3a77003cfb76cc7df1256a428dda68579 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 mm/madvise.c:632:8: error: implicit declaration of function 'is_swapin_error_entry' [-Werror=implicit-function-declaration] # git bisect skip 4892c4b3a77003cfb76cc7df1256a428dda68579 Bisecting: 204 revisions left to test after this (roughly 8 steps) [fd606cd04dae91f6b7af4d7546caff408bbb5da6] mm/khugepaged: sched to numa node when collapse huge page testing commit fd606cd04dae91f6b7af4d7546caff408bbb5da6 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 mm/madvise.c:632:8: error: implicit declaration of function 'is_swapin_error_entry' [-Werror=implicit-function-declaration] # git bisect skip fd606cd04dae91f6b7af4d7546caff408bbb5da6 Bisecting: 204 revisions left to test after this (roughly 8 steps) [e3246d8f52173a798710314a42fea83223036fc8] mm/sparse-vmemmap: add a pgmap argument to section activation testing commit e3246d8f52173a798710314a42fea83223036fc8 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 73edc79ea828c6ff13ca0372d739dea7077273f3486f3a0f3291f66452e50834 all runs: OK # git bisect good e3246d8f52173a798710314a42fea83223036fc8 Bisecting: 156 revisions left to test after this (roughly 7 steps) [77790fc3ae1ae4f0482f1c4ab7264084d651f269] userfaultfd/selftests: use swap() instead of open coding it testing commit 77790fc3ae1ae4f0482f1c4ab7264084d651f269 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 mm/madvise.c:632:8: error: implicit declaration of function 'is_swapin_error_entry' [-Werror=implicit-function-declaration] # git bisect skip 77790fc3ae1ae4f0482f1c4ab7264084d651f269 Bisecting: 156 revisions left to test after this (roughly 7 steps) [fb3d824d1a46c5bb0584ea88f32dc2495544aebf] mm/rmap: split page_dup_rmap() into page_dup_file_rmap() and page_try_dup_anon_rmap() testing commit fb3d824d1a46c5bb0584ea88f32dc2495544aebf compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 1e46ef2dd47b4eba3dcca65456a75f3b9d05522135f4c626512b1bfab88a978b all runs: OK # git bisect good fb3d824d1a46c5bb0584ea88f32dc2495544aebf Bisecting: 135 revisions left to test after this (roughly 7 steps) [4e94d844064924daedc8a457f816e967f1995c46] mm/vmscan: use helper folio_is_file_lru() testing commit 4e94d844064924daedc8a457f816e967f1995c46 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: b23f92fdaa9726b9bda37f6f4de9f401198de38a6d5310d4bd3ac76fd985bab2 all runs: OK # git bisect good 4e94d844064924daedc8a457f816e967f1995c46 Bisecting: 67 revisions left to test after this (roughly 6 steps) [ff59d518bcac98f97fb365666eb3649320a3af93] mm: remove rb tree. testing commit ff59d518bcac98f97fb365666eb3649320a3af93 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: bac0d145767ec726ae4f4de17e6628fd2fa0a0e7137ba01be56c1b0472573adf all runs: crashed: KASAN: use-after-free Read in anon_vma_interval_tree_insert # git bisect bad ff59d518bcac98f97fb365666eb3649320a3af93 Bisecting: 33 revisions left to test after this (roughly 5 steps) [422dc61be676549b829a400fc551930f064c22c6] mm: allow can_split_folio() to be called when THP are disabled testing commit 422dc61be676549b829a400fc551930f064c22c6 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 0eea0dc8097e6a1cffc2f9796798a2b0a89a847576caf3debd50d0e42c8477cb all runs: OK # git bisect good 422dc61be676549b829a400fc551930f064c22c6 Bisecting: 16 revisions left to test after this (roughly 4 steps) [b26520f9a8e4a43e6a441a85c7047e232ed71a9e] radix tree test suite: add kmem_cache_set_non_kernel() testing commit b26520f9a8e4a43e6a441a85c7047e232ed71a9e compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: cc3d84ec0906348fd39c7e172cfaca21342ab9784fa7879446cddb619176a6d3 all runs: OK # git bisect good b26520f9a8e4a43e6a441a85c7047e232ed71a9e Bisecting: 8 revisions left to test after this (roughly 3 steps) [0d16fd6af245d17cc221ac360dca0617b11bf744] mm: add VMA iterator testing commit 0d16fd6af245d17cc221ac360dca0617b11bf744 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 5c30a9acdd3974ebb9301a2fcbf0275dadf95daafafe9354ba1a3426fb45ee08 all runs: OK # git bisect good 0d16fd6af245d17cc221ac360dca0617b11bf744 Bisecting: 4 revisions left to test after this (roughly 2 steps) [a9989a1df6e75c3b152399afe6b0233753fadf90] mm/mmap: use maple tree for unmapped_area{_topdown} testing commit a9989a1df6e75c3b152399afe6b0233753fadf90 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 9c813928dedbb9520d487005b3c05e66f4d0eca8f50e36c621e3da40e2789bb2 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good a9989a1df6e75c3b152399afe6b0233753fadf90 Bisecting: 1 revision left to test after this (roughly 1 step) [61e1aa9cc1bca84123e5119b224936403f62f7a5] damon-convert-__damon_va_three_regions-to-use-the-vma-iterator-fix testing commit 61e1aa9cc1bca84123e5119b224936403f62f7a5 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: bb25bfd683d6454846ca92e9ca65b0ca58a360af87b34a14b80d4b6d53a7f091 all runs: OK # git bisect good 61e1aa9cc1bca84123e5119b224936403f62f7a5 Bisecting: 0 revisions left to test after this (roughly 0 steps) [791fb46b9e7cec70701ba06bba016d5783760651] proc: remove VMA rbtree use from nommu testing commit 791fb46b9e7cec70701ba06bba016d5783760651 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 6bb7a058cc12f3c21c87a208871e4d1c3be28e9991404029b84923a2b85df852 all runs: OK # git bisect good 791fb46b9e7cec70701ba06bba016d5783760651 ff59d518bcac98f97fb365666eb3649320a3af93 is the first bad commit commit ff59d518bcac98f97fb365666eb3649320a3af93 Author: Liam R. Howlett Date: Wed May 11 18:12:46 2022 -0700 mm: remove rb tree. Remove the RB tree and start using the maple tree for vm_area_struct tracking. Drop validate_mm() calls in expand_upwards() and expand_downwards() as the lock is not held. Link: https://lkml.kernel.org/r/20220504011345.662299-2-Liam.Howlett@oracle.com Signed-off-by: Liam R. Howlett Cc: Catalin Marinas Cc: David Howells Cc: "Matthew Wilcox (Oracle)" Cc: SeongJae Park Cc: Vlastimil Babka Cc: Will Deacon Cc: Davidlohr Bueso Signed-off-by: Andrew Morton arch/x86/kernel/tboot.c | 1 - drivers/firmware/efi/efi.c | 1 - include/linux/mm.h | 2 - include/linux/mm_types.h | 14 -- kernel/fork.c | 8 - mm/init-mm.c | 2 - mm/mmap.c | 509 ++++++++++----------------------------------- mm/nommu.c | 87 +++----- mm/util.c | 10 +- 9 files changed, 144 insertions(+), 490 deletions(-) culprit signature: bac0d145767ec726ae4f4de17e6628fd2fa0a0e7137ba01be56c1b0472573adf parent signature: 6bb7a058cc12f3c21c87a208871e4d1c3be28e9991404029b84923a2b85df852 revisions tested: 18, total time: 4h30m47.232365748s (build: 2h7m28.062821871s, test: 2h21m11.345188595s) first bad commit: ff59d518bcac98f97fb365666eb3649320a3af93 mm: remove rb tree. recipients (to): ["akpm@linux-foundation.org" "akpm@linux-foundation.org" "liam.howlett@oracle.com" "linux-mm@kvack.org"] recipients (cc): ["ardb@kernel.org" "arnd@arndb.de" "bp@alien8.de" "ccross@google.com" "dave.hansen@linux.intel.com" "david@redhat.com" "ebiederm@xmission.com" "hpa@zytor.com" "linux-efi@vger.kernel.org" "linux-kernel@vger.kernel.org" "mingo@redhat.com" "ning.sun@intel.com" "tboot-devel@lists.sourceforge.net" "tglx@linutronix.de" "vbabka@suse.cz" "willy@infradead.org" "x86@kernel.org"] crash: KASAN: use-after-free Read in anon_vma_interval_tree_insert ================================================================== BUG: KASAN: use-after-free in vma_start_pgoff mm/interval_tree.c:15 [inline] BUG: KASAN: use-after-free in avc_start_pgoff mm/interval_tree.c:63 [inline] BUG: KASAN: use-after-free in __anon_vma_interval_tree_insert mm/interval_tree.c:71 [inline] BUG: KASAN: use-after-free in anon_vma_interval_tree_insert+0x388/0x570 mm/interval_tree.c:82 Read of size 8 at addr ffff88801ca44500 by task syz-executor.0/4083 CPU: 1 PID: 4083 Comm: syz-executor.0 Not tainted 5.18.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106 print_address_description.constprop.0.cold+0xeb/0x495 mm/kasan/report.c:313 print_report mm/kasan/report.c:429 [inline] kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491 vma_start_pgoff mm/interval_tree.c:15 [inline] avc_start_pgoff mm/interval_tree.c:63 [inline] __anon_vma_interval_tree_insert mm/interval_tree.c:71 [inline] anon_vma_interval_tree_insert+0x388/0x570 mm/interval_tree.c:82 anon_vma_interval_tree_post_update_vma mm/mmap.c:436 [inline] __vma_adjust+0x70d/0x14c0 mm/mmap.c:828 vma_merge+0xa57/0x12b0 mm/mmap.c:1101 userfaultfd_release+0x30c/0x600 fs/userfaultfd.c:883 __fput+0x1f5/0x8c0 fs/file_table.c:317 task_work_run+0xc0/0x160 kernel/task_work.c:164 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] exit_to_user_mode_loop kernel/entry/common.c:169 [inline] exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:201 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline] syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:294 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f1ed183bd2b Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44 RSP: 002b:00007ffdcb189be0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f1ed183bd2b RDX: 00007f1ed19a02e8 RSI: ffffffffffffffff RDI: 0000000000000003 RBP: 00007f1ed199d960 R08: 0000000000000000 R09: 00007f1ed19a02f0 R10: 00007ffdcb189ce0 R11: 0000000000000293 R12: 0000000000013202 R13: 00007ffdcb189ce0 R14: 00007f1ed199bf60 R15: 0000000000000032 Allocated by task 4084: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:45 [inline] set_alloc_info mm/kasan/common.c:436 [inline] __kasan_slab_alloc+0x90/0xc0 mm/kasan/common.c:469 kasan_slab_alloc include/linux/kasan.h:224 [inline] slab_post_alloc_hook mm/slab.h:749 [inline] slab_alloc_node mm/slub.c:3217 [inline] slab_alloc mm/slub.c:3225 [inline] __kmem_cache_alloc_lru mm/slub.c:3232 [inline] kmem_cache_alloc+0x204/0x3b0 mm/slub.c:3242 vm_area_dup+0x83/0x370 kernel/fork.c:467 copy_vma+0x388/0x810 mm/mmap.c:3018 move_vma+0x35e/0xdd0 mm/mremap.c:624 __do_sys_mremap+0x374/0x1130 mm/mremap.c:1056 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Freed by task 4084: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track+0x21/0x30 mm/kasan/common.c:45 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370 ____kasan_slab_free mm/kasan/common.c:366 [inline] ____kasan_slab_free+0x166/0x1a0 mm/kasan/common.c:328 kasan_slab_free include/linux/kasan.h:200 [inline] slab_free_hook mm/slub.c:1728 [inline] slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1754 slab_free mm/slub.c:3510 [inline] kmem_cache_free+0xdd/0x5a0 mm/slub.c:3527 copy_vma+0x637/0x810 mm/mmap.c:3045 move_vma+0x35e/0xdd0 mm/mremap.c:624 __do_sys_mremap+0x374/0x1130 mm/mremap.c:1056 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae The buggy address belongs to the object at ffff88801ca44488 which belongs to the cache vm_area_struct of size 168 The buggy address is located 120 bytes inside of 168-byte region [ffff88801ca44488, ffff88801ca44530) The buggy address belongs to the physical page: page:ffffea0000729100 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88801ca44ae0 pfn:0x1ca44 memcg:ffff88801c57be01 flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000200 ffffea0001de2a40 dead000000000003 ffff888140006b40 raw: ffff88801ca44ae0 000000008011000b 00000001ffffffff ffff88801c57be01 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 3848, tgid 3848 (rm), ts 48020570663, free_ts 48018326510 prep_new_page mm/page_alloc.c:2431 [inline] get_page_from_freelist+0x177d/0x3e60 mm/page_alloc.c:4173 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5402 alloc_slab_page mm/slub.c:1799 [inline] allocate_slab+0x26c/0x3c0 mm/slub.c:1944 new_slab mm/slub.c:2004 [inline] ___slab_alloc+0x8e1/0xf20 mm/slub.c:3005 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3092 slab_alloc_node mm/slub.c:3183 [inline] slab_alloc mm/slub.c:3225 [inline] __kmem_cache_alloc_lru mm/slub.c:3232 [inline] kmem_cache_alloc+0x360/0x3b0 mm/slub.c:3242 vm_area_dup+0x83/0x370 kernel/fork.c:467 __split_vma+0x82/0x470 mm/mmap.c:2460 mprotect_fixup+0x545/0x7a0 mm/mprotect.c:569 do_mprotect_pkey+0x400/0x7d0 mm/mprotect.c:733 __do_sys_mprotect mm/mprotect.c:760 [inline] __se_sys_mprotect mm/mprotect.c:757 [inline] __x64_sys_mprotect+0x6f/0xb0 mm/mprotect.c:757 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1346 [inline] free_pcp_prepare+0x549/0xd20 mm/page_alloc.c:1396 free_unref_page_prepare mm/page_alloc.c:3318 [inline] free_unref_page_list+0x16f/0xf80 mm/page_alloc.c:3450 release_pages+0x6f1/0x1780 mm/swap.c:980 tlb_batch_pages_flush+0x85/0x160 mm/mmu_gather.c:58 tlb_flush_mmu_free mm/mmu_gather.c:255 [inline] tlb_flush_mmu mm/mmu_gather.c:262 [inline] tlb_finish_mmu+0x110/0x6c0 mm/mmu_gather.c:353 exit_mmap+0x19d/0x510 mm/mmap.c:2911 __mmput+0xf3/0x440 kernel/fork.c:1195 exec_mmap fs/exec.c:1038 [inline] begin_new_exec+0xda0/0x29e0 fs/exec.c:1297 load_elf_binary+0xf64/0x4180 fs/binfmt_elf.c:1002 search_binary_handler fs/exec.c:1730 [inline] exec_binprm fs/exec.c:1771 [inline] bprm_execve fs/exec.c:1840 [inline] bprm_execve+0x669/0x14e0 fs/exec.c:1802 do_execveat_common+0x5fd/0x7b0 fs/exec.c:1945 do_execve fs/exec.c:2015 [inline] __do_sys_execve fs/exec.c:2091 [inline] __se_sys_execve fs/exec.c:2086 [inline] __x64_sys_execve+0x8a/0xb0 fs/exec.c:2086 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Memory state around the buggy address: ffff88801ca44400: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc ffff88801ca44480: fc fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88801ca44500: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fa fb ^ ffff88801ca44580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88801ca44600: fb fb fb fc fc fc fc fc fc fc fc fb fb fb fb fb ==================================================================