ci starts bisection 2023-12-13 16:12:49.973008914 +0000 UTC m=+99933.583405477
bisecting cause commit starting from 48e8992e33abf054bcc0bb2e77b2d43bb899212e
building syzkaller on ebcad15ccd9a570d2e16081b7b07b288462b7b91
ensuring issue is reproducible on original commit 48e8992e33abf054bcc0bb2e77b2d43bb899212e

testing commit 48e8992e33abf054bcc0bb2e77b2d43bb899212e gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: bf6456dc61cbcff1003677d81227050edb8b87b443bf3424eaffab54c6206917
all runs: crashed: KASAN: slab-out-of-bounds Read in dns_resolver_preparse
representative crash: KASAN: slab-out-of-bounds Read in dns_resolver_preparse, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 48e8992e33abf054bcc0bb2e77b2d43bb899212e gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 76e3c953427c693b39d73dc4ffa111e21626d2aa9c0d29f201469ea5b45ddc0a
all runs: crashed: KASAN: slab-out-of-bounds Read in dns_resolver_preparse
representative crash: KASAN: slab-out-of-bounds Read in dns_resolver_preparse, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
kconfig minimization: base=3923 full=7679 leaves diff=2009
split chunks (needed=false): <2009>
split chunk #0 of len 2009 into 5 parts
testing without sub-chunk 1/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 48e8992e33abf054bcc0bb2e77b2d43bb899212e gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a8c221228389619e1547eab7d5044b994bd1e6d697ba5f33e5e4eb11f3c4b522
all runs: crashed: KASAN: slab-out-of-bounds Read in dns_resolver_preparse
representative crash: KASAN: slab-out-of-bounds Read in dns_resolver_preparse, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 48e8992e33abf054bcc0bb2e77b2d43bb899212e gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9cfc2d0e76c6e6ebc0fa02810c0662c3d0ed3068273357396933229aadf2f495
all runs: crashed: KASAN: slab-out-of-bounds Read in dns_resolver_preparse
representative crash: KASAN: slab-out-of-bounds Read in dns_resolver_preparse, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit 48e8992e33abf054bcc0bb2e77b2d43bb899212e gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: dbbe706bb10af9de29c601c7758105f58b8bd0a94999120645e18a35b95bde5b
all runs: crashed: KASAN: slab-out-of-bounds Read in dns_resolver_preparse
representative crash: KASAN: slab-out-of-bounds Read in dns_resolver_preparse, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 48e8992e33abf054bcc0bb2e77b2d43bb899212e gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9c5a0018b78a5fd0c66df7d7451c192a1e3e782ac4470f54913c35db46ff087e
all runs: crashed: KASAN: slab-out-of-bounds Read in dns_resolver_preparse
representative crash: KASAN: slab-out-of-bounds Read in dns_resolver_preparse, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 48e8992e33abf054bcc0bb2e77b2d43bb899212e gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1a3c70da34983f46df6c72ce06a96bbae4e598570e4137902673a2af8c5f56f5
all runs: crashed: KASAN: slab-out-of-bounds Read in dns_resolver_preparse
representative crash: KASAN: slab-out-of-bounds Read in dns_resolver_preparse, types: [KASAN]
the chunk can be dropped
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
picked [v6.6 v6.5 v6.4 v6.2 v6.0 v5.18 v5.16 v5.14 v5.11 v5.8 v5.5 v5.2 v4.20 v4.19] out of 29 release tags
testing release v6.6
testing commit ffc253263a1375a65fa6c9f62a893e9767fbebfa gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 93caf5120da67fdceba5468f301b8594784a913007dde5b2f6a1f8644559d01e
all runs: OK
false negative chance: 0.000
# git bisect start 48e8992e33abf054bcc0bb2e77b2d43bb899212e ffc253263a1375a65fa6c9f62a893e9767fbebfa
Bisecting: 12460 revisions left to test after this (roughly 14 steps)
[fd912e49986aa7ec5bef1bc9cd92d7d68a57e383] Merge tag 'trace-tools-v6.7' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace
testing commit fd912e49986aa7ec5bef1bc9cd92d7d68a57e383 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 78e81c08fa717de2eadb80cdb5ed17041ac118c0862708b4c6a64afcb8d23fb5
all runs: OK
false negative chance: 0.000
# git bisect good fd912e49986aa7ec5bef1bc9cd92d7d68a57e383
Bisecting: 6232 revisions left to test after this (roughly 13 steps)
[1769e5e81b9b5520ed9f33adb4b56bfc1f328bc0] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap.git
testing commit 1769e5e81b9b5520ed9f33adb4b56bfc1f328bc0 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 46404dcb061f1f5fdab74bd6181dccaa9d89e6540f932408ff3d8447f35cf67d
all runs: OK
false negative chance: 0.000
# git bisect good 1769e5e81b9b5520ed9f33adb4b56bfc1f328bc0
Bisecting: 3211 revisions left to test after this (roughly 12 steps)
[0d22946965cf371156238aa7cb23e6506dcba245] Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git
testing commit 0d22946965cf371156238aa7cb23e6506dcba245 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: da801fa5a92a8f5dee54cf96408086f7db4dc131c41b4c20d0b858ee3299a058
all runs: crashed: KASAN: slab-out-of-bounds Read in dns_resolver_preparse
representative crash: KASAN: slab-out-of-bounds Read in dns_resolver_preparse, types: [KASAN]
# git bisect bad 0d22946965cf371156238aa7cb23e6506dcba245
Bisecting: 1552 revisions left to test after this (roughly 11 steps)
[8041e2654f0c107b4ce0100633285c4fbf1e7fc0] Merge branch 'docs-next' of git://git.lwn.net/linux.git
testing commit 8041e2654f0c107b4ce0100633285c4fbf1e7fc0 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1366660a5dee99b5074172a0789b0948a52ab267ee90e114d47fa867acf8e409
all runs: crashed: KASAN: slab-out-of-bounds Read in dns_resolver_preparse
representative crash: KASAN: slab-out-of-bounds Read in dns_resolver_preparse, types: [KASAN]
# git bisect bad 8041e2654f0c107b4ce0100633285c4fbf1e7fc0
Bisecting: 795 revisions left to test after this (roughly 10 steps)
[3f6b5ceb3df345ca629b1816cb36757e5170524e] Merge branch 'xtensa-for-next' of git://github.com/jcmvbkbc/linux-xtensa.git
testing commit 3f6b5ceb3df345ca629b1816cb36757e5170524e gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d314536fae1094ee4613a488d8ff96407c363d316650611dac28beed65fe944e
all runs: OK
false negative chance: 0.000
# git bisect good 3f6b5ceb3df345ca629b1816cb36757e5170524e
Bisecting: 409 revisions left to test after this (roughly 9 steps)
[fc3947822c8918f4769de67bad183751fe82e376] Merge branch '9p-next' of git://github.com/martinetd/linux
testing commit fc3947822c8918f4769de67bad183751fe82e376 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 35812e3d856663384475ec9868f6a67bf01fed4dc9abfbaf8d8b44fc0f426c2e
all runs: crashed: KASAN: slab-out-of-bounds Read in dns_resolver_preparse
representative crash: KASAN: slab-out-of-bounds Read in dns_resolver_preparse, types: [KASAN]
# git bisect bad fc3947822c8918f4769de67bad183751fe82e376
Bisecting: 203 revisions left to test after this (roughly 8 steps)
[191ed0063884e457d6af5b01f1835d1ac6f4072d] Merge branch 'afs-next' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git
testing commit 191ed0063884e457d6af5b01f1835d1ac6f4072d gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: fd517f42856d9770e79ae125fabed33d05c0deca41735657e909a4958b002c3f
all runs: crashed: KASAN: slab-out-of-bounds Read in dns_resolver_preparse
representative crash: KASAN: slab-out-of-bounds Read in dns_resolver_preparse, types: [KASAN]
# git bisect bad 191ed0063884e457d6af5b01f1835d1ac6f4072d
Bisecting: 90 revisions left to test after this (roughly 7 steps)
[33e0fe81e51d0b4f37c3ab1af9ae8d2fe014ec7a] bcachefs: Mark recovery passses that are safe to run online
testing commit 33e0fe81e51d0b4f37c3ab1af9ae8d2fe014ec7a gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 546cd817e457015add11b5a6a177db411fb74e84ffb999f944300b84193e2ea7
all runs: OK
false negative chance: 0.000
# git bisect good 33e0fe81e51d0b4f37c3ab1af9ae8d2fe014ec7a
Bisecting: 46 revisions left to test after this (roughly 6 steps)
[03c91b840f2ab1c5474e83a32a9bf5babaa24d16] Merge branch 'for-next' of https://evilpiepirate.org/git/bcachefs.git
testing commit 03c91b840f2ab1c5474e83a32a9bf5babaa24d16 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 174a62f76004d86f7a140773209724e65210cb6c0649598785a223287401ac62
all runs: OK
false negative chance: 0.000
# git bisect good 03c91b840f2ab1c5474e83a32a9bf5babaa24d16
Bisecting: 23 revisions left to test after this (roughly 5 steps)
[7bd4353ec32a4f077c9b144d5bd6377791fd63ae] afs: Fold the afs_addr_cursor struct in
testing commit 7bd4353ec32a4f077c9b144d5bd6377791fd63ae gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: bbbddf20e5fbeeafb9c04f55ecf6864317f454080c1dcdeaa55e05a2619c1278
all runs: crashed: KASAN: slab-out-of-bounds Read in dns_resolver_preparse
representative crash: KASAN: slab-out-of-bounds Read in dns_resolver_preparse, types: [KASAN]
# git bisect bad 7bd4353ec32a4f077c9b144d5bd6377791fd63ae
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[f5f3754babc2a434b4b48f9e95e432db591646a2] afs: Turn the afs_addr_list address array into an array of structs
testing commit f5f3754babc2a434b4b48f9e95e432db591646a2 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9678bb746a5d955de76d27d05e074c3827ceb624f73d2ade4e26431baffc528d
all runs: crashed: KASAN: slab-out-of-bounds Read in dns_resolver_preparse
representative crash: KASAN: slab-out-of-bounds Read in dns_resolver_preparse, types: [KASAN]
# git bisect bad f5f3754babc2a434b4b48f9e95e432db591646a2
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[86b1191d1edb43385dec92fe21cc14f0eadebd78] afs: fix the usage of read_seqbegin_or_lock() in afs_find_server*()
testing commit 86b1191d1edb43385dec92fe21cc14f0eadebd78 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e9bd74b8b7d0aefb2f07856483705c2f4bc819cc11fe71a7d780c3e98a898b15
all runs: crashed: KASAN: slab-out-of-bounds Read in dns_resolver_preparse
representative crash: KASAN: slab-out-of-bounds Read in dns_resolver_preparse, types: [KASAN]
# git bisect bad 86b1191d1edb43385dec92fe21cc14f0eadebd78
Bisecting: 2 revisions left to test after this (roughly 1 step)
[810315b9cea7baf96c7f04517ffc1eaa49f3033a] afs: Fix dynamic root lookup DNS check
testing commit 810315b9cea7baf96c7f04517ffc1eaa49f3033a gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: dbfbf7202ac8c3c64d79e3399ca2416de08a6e78f2e9d15942a7a2d317b7155a
all runs: OK
false negative chance: 0.000
# git bisect good 810315b9cea7baf96c7f04517ffc1eaa49f3033a
Bisecting: 0 revisions left to test after this (roughly 1 step)
[c27cff9535baae8f4ce149f9c04da0f6dbbc1d75] afs: fix the usage of read_seqbegin_or_lock() in afs_lookup_volume_rcu()
testing commit c27cff9535baae8f4ce149f9c04da0f6dbbc1d75 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4da9d1fcc6091aaf1b234ee3fba7f2be979195e926d99d0fb235033526e8bd07
all runs: crashed: KASAN: slab-out-of-bounds Read in dns_resolver_preparse
representative crash: KASAN: slab-out-of-bounds Read in dns_resolver_preparse, types: [KASAN]
# git bisect bad c27cff9535baae8f4ce149f9c04da0f6dbbc1d75
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[b946001d3bb1202e90093cf5e72dbcb20e2689a0] keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on expiry
testing commit b946001d3bb1202e90093cf5e72dbcb20e2689a0 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3c8377058aba7ddeb74eeb44275e2c8b7e480d16f769b5f4a40bd771b9fc8945
all runs: crashed: KASAN: slab-out-of-bounds Read in dns_resolver_preparse
representative crash: KASAN: slab-out-of-bounds Read in dns_resolver_preparse, types: [KASAN]
# git bisect bad b946001d3bb1202e90093cf5e72dbcb20e2689a0
b946001d3bb1202e90093cf5e72dbcb20e2689a0 is the first bad commit
commit b946001d3bb1202e90093cf5e72dbcb20e2689a0
Author: David Howells
Date:   Sat Dec 9 00:41:55 2023 +0000

    keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on expiry

    If a key has an expiration time, then when that time passes, the key is
    left around for a certain amount of time before being collected (5 mins by
    default) so that EKEYEXPIRED can be returned instead of ENOKEY.

    This is a problem for DNS keys because we want to redo the DNS lookup
    immediately at that point.

    Fix this by allowing key types to be marked such that keys of that type
    don't have this extra period, but are reclaimed as soon as they expire and
    turn this on for dns_resolver-type keys. To make this easier to handle,
    key->expiry is changed to be permanent if TIME64_MAX rather than 0.

    Furthermore, give such new-style negative DNS results a 10s default expiry
    if no other expiry time is set rather than allowing it to stick around
    indefinitely. This shouldn't be zero as ls will follow a failing stat call
    immediately with a second with AT_SYMLINK_NOFOLLOW added.

    Fixes: 1a4240f4764a ("DNS: Separate out CIFS DNS Resolver code")
    Signed-off-by: David Howells
    cc: Wang Lei
    cc: Jeff Layton
    cc: Steve French
    cc: Marc Dionne
    cc: Jarkko Sakkinen
    cc: "David S. Miller"
    cc: Eric Dumazet
    cc: Jakub Kicinski
    cc: Paolo Abeni
    cc: linux-afs@lists.infradead.org
    cc: linux-cifs@vger.kernel.org
    cc: linux-nfs@vger.kernel.org
    cc: ceph-devel@vger.kernel.org
    cc: keyrings@vger.kernel.org
    cc: netdev@vger.kernel.org

 include/linux/key-type.h   |  1 +
 net/dns_resolver/dns_key.c | 10 +++++++++-
 security/keys/gc.c         | 31 +++++++++++++++++++++----------
 security/keys/internal.h   | 11 ++++++++++-
 security/keys/key.c        | 15 +++++----------
 security/keys/proc.c       |  2 +-
 6 files changed, 47 insertions(+), 23 deletions(-)

accumulated error probability: 0.00
culprit signature: 3c8377058aba7ddeb74eeb44275e2c8b7e480d16f769b5f4a40bd771b9fc8945
parent signature: dbfbf7202ac8c3c64d79e3399ca2416de08a6e78f2e9d15942a7a2d317b7155a
revisions tested: 23, total time: 3h51m59.630122341s (build: 1h37m29.785154645s, test: 1h57m58.404454088s)
first bad commit: b946001d3bb1202e90093cf5e72dbcb20e2689a0 keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on expiry
recipients (to): ["davem@davemloft.net" "dhowells@redhat.com" "dhowells@redhat.com" "edumazet@google.com" "jarkko@kernel.org" "jmorris@namei.org" "keyrings@vger.kernel.org" "kuba@kernel.org" "linux-security-module@vger.kernel.org" "netdev@vger.kernel.org" "pabeni@redhat.com" "paul@paul-moore.com" "serge@hallyn.com"]
recipients (cc): ["linux-kernel@vger.kernel.org"]
crash: KASAN: slab-out-of-bounds Read in dns_resolver_preparse
==================================================================
BUG: KASAN: slab-out-of-bounds in dns_resolver_preparse+0xa12/0xb50 net/dns_resolver/dns_key.c:127
Read of size 1 at addr ffff88810329270c by task syz-executor.0/1864

CPU: 1 PID: 1864 Comm: syz-executor.0 Not tainted 6.7.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x3d/0x60 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0xc4/0x620 mm/kasan/report.c:475
 kasan_report+0xda/0x110 mm/kasan/report.c:588
 dns_resolver_preparse+0xa12/0xb50 net/dns_resolver/dns_key.c:127
 __key_create_or_update+0x3c4/0xa90 security/keys/key.c:842
 key_create_or_update+0xf/0x20 security/keys/key.c:1007
 __do_sys_add_key+0x1be/0x310 security/keys/keyctl.c:134
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x40/0xe0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f1e2ecd4ba9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f1e2e8570c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000f8
RAX: ffffffffffffffda RBX: 00007f1e2edf3f80 RCX: 00007f1e2ecd4ba9
RDX: 0000000020000080 RSI: 0000000000000000 RDI: 00000000200003c0
RBP: 00007f1e2ed2047a R08: 0000000006b67e5a R09: 0000000000000000
R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000006 R14: 00007f1e2edf3f80 R15: 00007ffc2bd66178

Allocated by task 1864:
 kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:383
 kasan_kmalloc include/linux/kasan.h:198 [inline]
 __do_kmalloc_node mm/slab_common.c:1007 [inline]
 __kmalloc_node+0x63/0x160 mm/slab_common.c:1014
 kvmalloc include/linux/slab.h:738 [inline]
 __do_sys_add_key+0x149/0x310 security/keys/keyctl.c:116
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x40/0xe0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

The buggy address belongs to the object at ffff888103292708
 which belongs to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes to the right of
 allocated 4-byte region [ffff888103292708, ffff88810329270c)

The buggy address belongs to the physical page:
page:ffffea00040ca480 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888103292fc8 pfn:0x103292
flags: 0x200000000000800(slab|node=0|zone=2)
page_type: 0xffffffff()
raw: 0200000000000800 ffff888100041280 ffffea00042d9440 0000000000000002
raw: ffff888103292fc8 0000000080660065 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 731, tgid 731 (udevadm), ts 4287116703, free_ts 3320237610
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x27f/0x2f0 mm/page_alloc.c:1537
 prep_new_page mm/page_alloc.c:1544 [inline]
 get_page_from_freelist+0xeb8/0x36a0 mm/page_alloc.c:3312
 __alloc_pages+0x342/0x5e0 mm/page_alloc.c:4568
 alloc_pages_mpol+0xbf/0x370 mm/mempolicy.c:2133
 alloc_slab_page mm/slub.c:1870 [inline]
 allocate_slab+0x24b/0x360 mm/slub.c:2017
 new_slab mm/slub.c:2070 [inline]
 ___slab_alloc+0x8ce/0x10e0 mm/slub.c:3223
 __slab_alloc.constprop.0+0x4d/0x90 mm/slub.c:3322
 __slab_alloc_node mm/slub.c:3375 [inline]
 slab_alloc_node mm/slub.c:3468 [inline]
 __kmem_cache_alloc_node+0x150/0x350 mm/slub.c:3517
 __do_kmalloc_node mm/slab_common.c:1006 [inline]
 __kmalloc+0x4f/0x160 mm/slab_common.c:1020
 kmalloc include/linux/slab.h:604 [inline]
 kernfs_fop_write_iter+0x1bd/0x510 fs/kernfs/file.c:311
 call_write_iter include/linux/fs.h:2020 [inline]
 new_sync_write fs/read_write.c:491 [inline]
 vfs_write+0x51f/0xc70 fs/read_write.c:584
 ksys_write+0xf6/0x1d0 fs/read_write.c:637
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x40/0xe0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1137 [inline]
 free_unref_page_prepare+0x562/0xbd0 mm/page_alloc.c:2347
 free_unref_page+0x33/0x2a0 mm/page_alloc.c:2487
 vfree mm/vmalloc.c:2842 [inline]
 vfree+0x27c/0x9c0 mm/vmalloc.c:2807
 delayed_vfree_work+0x4a/0x70 mm/vmalloc.c:2763
 process_one_work+0x72e/0x11b0 kernel/workqueue.c:2627
 process_scheduled_works kernel/workqueue.c:2700 [inline]
 worker_thread+0x6b3/0x1080 kernel/workqueue.c:2781
 kthread+0x278/0x330 kernel/kthread.c:388
 ret_from_fork+0x2c/0x70 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242

Memory state around the buggy address:
 ffff888103292600: fc fc fc fb fc fc fc fc fb fc fc fc fc fb fc fc
 ffff888103292680: fc fc fb fc fc fc fc fb fc fc fc fc fb fc fc fc
>ffff888103292700: fc 04 fc fc fc fc 05 fc fc fc fc fa fc fc fc fc
                      ^
 ffff888103292780: fa fc fc fc fc fa fc fc fc fc fa fc fc fc fc fa
 ffff888103292800: fc fc fc fc fa fc fc fc fc fa fc fc fc fc fa fc
==================================================================