ci2 starts bisection 2025-09-18 20:21:30.305920945 +0000 UTC m=+608802.180736072 bisecting cause commit starting from 8b789f2b7602a818e7c7488c74414fae21392b63 building syzkaller on e2beed91937c0ace342f19a2e9afb67adb3a828a ensuring issue is reproducible on original commit 8b789f2b7602a818e7c7488c74414fae21392b63 testing commit 8b789f2b7602a818e7c7488c74414fae21392b63 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: c8c01a0f1f37d5ee14560090d301ec836bbde538183f1efc27a6ff6294b50578 all runs: crashed: KASAN: slab-use-after-free Read in ocfs2_fault representative crash: KASAN: slab-use-after-free Read in ocfs2_fault, types: [KASAN-USE-AFTER-FREE-READ] check whether we can drop unnecessary instrumentation disabling configs for [ubsan bug_or_warning locking atomic_sleep hang memleak], they are not needed testing commit 8b789f2b7602a818e7c7488c74414fae21392b63 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 8b8ece85d5258d3b8d456f56eccb7313985b82a3bf32af52a9c18fe4680839a9 all runs: crashed: KASAN: slab-use-after-free Read in ocfs2_fault representative crash: KASAN: slab-use-after-free Read in ocfs2_fault, types: [KASAN-USE-AFTER-FREE-READ] the bug reproduces without the instrumentation disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed kconfig minimization: base=4092 full=8349 leaves diff=2174 split chunks (needed=false): <2174> split chunk #0 of len 2174 into 5 parts testing without sub-chunk 1/5 disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed testing commit 8b789f2b7602a818e7c7488c74414fae21392b63 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 6b4cfdb3b3e40dec8b4973a9d6d517b13cf1ae962753264098890739dc380a34 all 
runs: crashed: KASAN: slab-use-after-free Read in ocfs2_fault representative crash: KASAN: slab-use-after-free Read in ocfs2_fault, types: [KASAN-USE-AFTER-FREE-READ] the chunk can be dropped testing without sub-chunk 2/5 disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed testing commit 8b789f2b7602a818e7c7488c74414fae21392b63 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 367864a0010be227a58a4c128a87650a14389ee4eb127bccc2a5b69c7581cc58 all runs: crashed: KASAN: slab-use-after-free Read in ocfs2_fault representative crash: KASAN: slab-use-after-free Read in ocfs2_fault, types: [KASAN-USE-AFTER-FREE-READ] the chunk can be dropped testing without sub-chunk 3/5 disabling configs for [ubsan bug_or_warning locking atomic_sleep hang memleak], they are not needed testing commit 8b789f2b7602a818e7c7488c74414fae21392b63 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: fa157b832c268f250fd890436de5147fb59c9d17215899a3dc3bf0ff6fbd81ea all runs: crashed: KASAN: slab-use-after-free Read in ocfs2_fault representative crash: KASAN: slab-use-after-free Read in ocfs2_fault, types: [KASAN-USE-AFTER-FREE-READ] the chunk can be dropped testing without sub-chunk 4/5 disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed testing commit 8b789f2b7602a818e7c7488c74414fae21392b63 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 10703aec998b91136a53c31748603610a926f4e6835dad25d8cd7a8825b38e4c all runs: OK false negative chance: 0.000 testing without sub-chunk 5/5 disabling configs for [atomic_sleep hang memleak ubsan bug_or_warning locking], they are not needed testing commit 8b789f2b7602a818e7c7488c74414fae21392b63 gcc compiler: Debian 
clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 48fb0fb4bda602020b2dcb97794905389c24ad0ad96d1e81808bfc3100b925f1 all runs: crashed: KASAN: slab-use-after-free Read in ocfs2_fault representative crash: KASAN: slab-use-after-free Read in ocfs2_fault, types: [KASAN-USE-AFTER-FREE-READ] the chunk can be dropped minimized to 435 configs; suspects: [...] disabling configs for [bug_or_warning locking atomic_sleep hang memleak ubsan], they are not needed picked [v6.16 v6.15 v6.14 v6.12 v6.10 v6.8 v6.6 v6.4 v6.1 v5.18 v5.15 v5.12 v5.9 v5.6 v5.3 v5.0 v4.19] out of 39 release tags testing release v6.16 testing commit 038d61fd642278bab63ee8ef722c50d10ab01e8f gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 906509b58800c64c9e5d6fbc685030200c54d8d89e7222afc30fe975d864aadb all runs: crashed: KASAN: slab-use-after-free Read in ocfs2_fault representative crash: KASAN: slab-use-after-free Read in ocfs2_fault, types: [KASAN-USE-AFTER-FREE-READ] testing release v6.15 testing commit 0ff41df1cb268fc69e703a08a57ee14ae967d0ca gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel 
signature: c27428a2f6c6cd0aa60d40d1550f699a83ab8a74becef5770984cb0510a660be all runs: crashed: KASAN: slab-use-after-free Read in ocfs2_fault representative crash: KASAN: slab-use-after-free Read in ocfs2_fault, types: [KASAN-USE-AFTER-FREE-READ] testing release v6.14 testing commit 38fec10eb60d687e30c8c6b5420d86e8149f7557 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 1f5b6356267619c38802661b6b3f698bc902fe65e6726b402e9a7d1096b40aca all runs: crashed: KASAN: slab-use-after-free Read in ocfs2_fault representative crash: KASAN: slab-use-after-free Read in ocfs2_fault, types: [KASAN-USE-AFTER-FREE-READ] testing release v6.12 testing commit adc218676eef25575469234709c2d87185ca223a gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: bce96b89d10ace8a2b388c98d5c9e00ac10ba4304a7bc15e6d566bd866948d21 all runs: crashed: KASAN: slab-use-after-free Read in ocfs2_fault representative crash: KASAN: slab-use-after-free Read in ocfs2_fault, types: [KASAN-USE-AFTER-FREE-READ] testing release v6.10 testing commit 0c3836482481200ead7b416ca80c68a29cfdaabd gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 58cee402c58e11e56d995486b9a65db7112a6be0983188f6bcb7e02c50e80535 all runs: OK false negative chance: 0.000 # git bisect start adc218676eef25575469234709c2d87185ca223a 0c3836482481200ead7b416ca80c68a29cfdaabd Bisecting: 14868 revisions left to test after this (roughly 14 steps) [703896be3015db7f8fd8822b18909a5914209a70] Merge tag 'sound-6.11-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound testing commit 703896be3015db7f8fd8822b18909a5914209a70 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 
611a94b7cf87ed270d8d2d11534497185fface75e0d799cb823fb54563a251e9 all runs: crashed: KASAN: slab-use-after-free Read in ocfs2_fault representative crash: KASAN: slab-use-after-free Read in ocfs2_fault, types: [KASAN-USE-AFTER-FREE-READ] # git bisect bad 703896be3015db7f8fd8822b18909a5914209a70 Bisecting: 6814 revisions left to test after this (roughly 13 steps) [b3ce7a30847a54a7f96a35e609303d8afecd460b] Merge tag 'drm-next-2024-07-18' of https://gitlab.freedesktop.org/drm/kernel testing commit b3ce7a30847a54a7f96a35e609303d8afecd460b gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: df59dc4e2ef1ce26c78158e0e93451f3cd67a5e70b317b0b0a503ea45ae0ba18 all runs: OK false negative chance: 0.000 # git bisect good b3ce7a30847a54a7f96a35e609303d8afecd460b Bisecting: 3536 revisions left to test after this (roughly 12 steps) [7846b618e0a4c3e08888099d1d4512722b39ca99] Merge tag 'rtc-6.11' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux testing commit 7846b618e0a4c3e08888099d1d4512722b39ca99 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 7634d60786dffb9eddb7741b53ecc04474be4c522c554a414a4d2734015a99ab all runs: OK false negative chance: 0.000 # git bisect good 7846b618e0a4c3e08888099d1d4512722b39ca99 Bisecting: 1754 revisions left to test after this (roughly 11 steps) [183d46ff422ef9f3d755b6808ef3faa6d009ba3a] Merge tag 'net-6.11-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net testing commit 183d46ff422ef9f3d755b6808ef3faa6d009ba3a gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 02383eec54b8e1c24a8716be3960dbaf07f410b4126772f8ec2195a468cdde68 all runs: crashed: KASAN: slab-use-after-free Read in ocfs2_fault representative crash: KASAN: slab-use-after-free Read in ocfs2_fault, types: 
[KASAN-USE-AFTER-FREE-READ] # git bisect bad 183d46ff422ef9f3d755b6808ef3faa6d009ba3a Bisecting: 894 revisions left to test after this (roughly 10 steps) [371c141464b8312ee4a298fad6d17ee26654b7d6] Merge tag 'jfs-6.11' of github.com:kleikamp/linux-shaggy testing commit 371c141464b8312ee4a298fad6d17ee26654b7d6 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 9ee170bdc6ae085ea501f2813dc9f6d74c00ca89e46ef718362b91d94077b589 all runs: crashed: KASAN: slab-use-after-free Read in ocfs2_fault representative crash: KASAN: slab-use-after-free Read in ocfs2_fault, types: [KASAN-USE-AFTER-FREE-READ] # git bisect bad 371c141464b8312ee4a298fad6d17ee26654b7d6 Bisecting: 473 revisions left to test after this (roughly 9 steps) [fbc90c042cd1dc7258ebfebe6d226017e5b5ac8c] Merge tag 'mm-stable-2024-07-21-14-50' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm testing commit fbc90c042cd1dc7258ebfebe6d226017e5b5ac8c gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: d8d9554d4cfe98b41a7edb79b3bff1046a21bc39ad52b5fade7806f466cbb240 run #0: crashed: KASAN: slab-use-after-free Read in ocfs2_fault run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK representative crash: KASAN: slab-use-after-free Read in ocfs2_fault, types: [KASAN-USE-AFTER-FREE-READ] unable to determine the verdict: 9 good runs (wanted 5), for bad wanted 5 in total, got 10 # git bisect skip fbc90c042cd1dc7258ebfebe6d226017e5b5ac8c Bisecting: 473 revisions left to test after this (roughly 9 steps) [9deed1d5f82cf30308027f9f604a95ac7ffdbe19] Merge tag 'io_uring-6.11-20240722' of git://git.kernel.dk/linux testing commit 9deed1d5f82cf30308027f9f604a95ac7ffdbe19 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 
721034f7337ba0d741ca8a8a90dc7da02e5c8dfe75ea6235760059515d858cec all runs: OK false negative chance: 0.000 # git bisect good 9deed1d5f82cf30308027f9f604a95ac7ffdbe19 Bisecting: 136 revisions left to test after this (roughly 7 steps) [d51f8f63f7cf19c7c7d0288650fdee154a89d499] Merge tag 'mailbox-v6.11' of git://git.kernel.org/pub/scm/linux/kernel/git/jassibrar/mailbox testing commit d51f8f63f7cf19c7c7d0288650fdee154a89d499 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 2d014aad5bc51fdb7d0fac850777a4eb55fd743db3a41534082bfa1f7fbffe46 all runs: OK false negative chance: 0.000 # git bisect good d51f8f63f7cf19c7c7d0288650fdee154a89d499 Bisecting: 71 revisions left to test after this (roughly 6 steps) [13c239a2c088e91e453d26517b562c9a116444fa] kbuild: doc: gcc to CC change testing commit 13c239a2c088e91e453d26517b562c9a116444fa gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 9be15002d7e0497453f78c3457a2528d7c73812ef32ee83f1c3f40ff9249ab6d all runs: crashed: KASAN: slab-use-after-free Read in ocfs2_fault representative crash: KASAN: slab-use-after-free Read in ocfs2_fault, types: [KASAN-USE-AFTER-FREE-READ] # git bisect bad 13c239a2c088e91e453d26517b562c9a116444fa Bisecting: 32 revisions left to test after this (roughly 5 steps) [7c9bb07a6e9439fb7bdeee15eb188fe127a0d0e0] kconfig: remove E_LIST expression type testing commit 7c9bb07a6e9439fb7bdeee15eb188fe127a0d0e0 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 1e02ad35cb736f5a23c12c3a04ab959d3a1edd7b5720e58d606f3438e98612c9 all runs: crashed: KASAN: slab-use-after-free Read in ocfs2_fault representative crash: KASAN: slab-use-after-free Read in ocfs2_fault, types: [KASAN-USE-AFTER-FREE-READ] # git bisect bad 7c9bb07a6e9439fb7bdeee15eb188fe127a0d0e0 Bisecting: 
15 revisions left to test after this (roughly 4 steps) [9b114520837a5f08b8eeeee30947bb9e7f44be1e] kconfig: remember the current choice while parsing the choice block testing commit 9b114520837a5f08b8eeeee30947bb9e7f44be1e gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: f6786f4278d45c789e80edc6282c567efe78cc99ccbbadcc1a69414442e2c5c3 all runs: OK false negative chance: 0.000 # git bisect good 9b114520837a5f08b8eeeee30947bb9e7f44be1e Bisecting: 7 revisions left to test after this (roughly 3 steps) [cca318378d6dcb38acd0ba8801b34d1a9be16028] kconfig: remove conf_unsaved in conf_read_simple() testing commit cca318378d6dcb38acd0ba8801b34d1a9be16028 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 80e511c644c1cd56f29b50d93294e1407afe0bb87328df765ccf3ad472bf597e all runs: crashed: KASAN: slab-use-after-free Read in ocfs2_fault representative crash: KASAN: slab-use-after-free Read in ocfs2_fault, types: [KASAN-USE-AFTER-FREE-READ] # git bisect bad cca318378d6dcb38acd0ba8801b34d1a9be16028 Bisecting: 3 revisions left to test after this (roughly 2 steps) [17c31aded9a1ee87e37f0ea0e3737797ef3f8c97] scripts/make_fit: Support decomposing DTBs testing commit 17c31aded9a1ee87e37f0ea0e3737797ef3f8c97 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 46a782cebb2d4aa19b23a067b1f6451bdb5532ff30e11ee09039b26570e35e07 all runs: OK false negative chance: 0.000 # git bisect good 17c31aded9a1ee87e37f0ea0e3737797ef3f8c97 Bisecting: 1 revision left to test after this (roughly 1 step) [f79dc03fe68c79d388908182e68d702f7f1786bc] kconfig: refactor choice value calculation testing commit f79dc03fe68c79d388908182e68d702f7f1786bc gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 
20.1.8 kernel signature: 6706af9baf3370669b8b8753019136faca9b1643d029386bd083096557e7d194 all runs: crashed: KASAN: slab-use-after-free Read in ocfs2_fault representative crash: KASAN: slab-use-after-free Read in ocfs2_fault, types: [KASAN-USE-AFTER-FREE-READ] # git bisect bad f79dc03fe68c79d388908182e68d702f7f1786bc Bisecting: 0 revisions left to test after this (roughly 0 steps) [ee29e6204c32dce013ac6d1078d98dce5607ce86] kconfig: import list_move(_tail) and list_for_each_entry_reverse macros testing commit ee29e6204c32dce013ac6d1078d98dce5607ce86 gcc compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8 kernel signature: 835e0079e916cbf27b1753150138939042369bc59babae4168a89f6acfcdd83c all runs: OK false negative chance: 0.000 # git bisect good ee29e6204c32dce013ac6d1078d98dce5607ce86 f79dc03fe68c79d388908182e68d702f7f1786bc is the first bad commit commit f79dc03fe68c79d388908182e68d702f7f1786bc Author: Masahiro Yamada Date: Tue Jun 18 19:35:21 2024 +0900 kconfig: refactor choice value calculation Handling choices has always been in a PITA in Kconfig. For example, fixes and reverts were repeated for randconfig with KCONFIG_ALLCONFIG: - 422c809f03f0 ("kconfig: fix randomising choice entries in presence of KCONFIG_ALLCONFIG") - 23a5dfdad22a ("Revert "kconfig: fix randomising choice entries in presence of KCONFIG_ALLCONFIG"") - 8357b48549e1 ("kconfig: fix randomising choice entries in presence of KCONFIG_ALLCONFIG") - 490f16171119 ("Revert "kconfig: fix randomising choice entries in presence of KCONFIG_ALLCONFIG"") As these commits pointed out, randconfig does not randomize choices when KCONFIG_ALLCONFIG is used. This issue still remains. 
[Test Case] choice prompt "choose" config A bool "A" config B bool "B" endchoice $ echo > all.config $ make KCONFIG_ALLCONFIG=1 randconfig The output is always as follows: CONFIG_A=y # CONFIG_B is not set Not only randconfig, but other all*config variants are also broken with KCONFIG_ALLCONFIG. With the same Kconfig, $ echo '# CONFIG_A is not set' > all.config $ make KCONFIG_ALLCONFIG=1 allyesconfig You will get this: CONFIG_A=y # CONFIG_B is not set This is incorrect because it does not respect all.config. The correct output should be: # CONFIG_A is not set CONFIG_B=y To handle user inputs more accurately, this commit refactors the code based on the following principles: - When a user value is given, Kconfig must set it immediately. Do not defer it by setting SYMBOL_NEED_SET_CHOICE_VALUES. - The SYMBOL_DEF_USER flag must not be cleared, unless a new config file is loaded. Kconfig must not forget user inputs. In addition, user values for choices must be managed with priority. If user inputs conflict within a choice block, the newest value wins. The values given by randconfig have lower priority than explicit user inputs. This commit implements it by using a linked list. Every time a choice block gets a new input, it is moved to the top of the list. Let me explain how it works. Let's say, we have a choice block that consists of five symbols: A, B, C, D, and E. Initially, the linked list looks like this: A(=?) --> B(=?) --> C(=?) --> D(=?) --> E(=?) Suppose randconfig is executed with the following KCONFIG_ALLCONFIG: CONFIG_C=y # CONFIG_A is not set CONFIG_D=y First, CONFIG_C=y is read. C is set to 'y' and moved to the top. C(=y) --> A(=?) --> B(=?) --> D(=?) --> E(=?) Next, '# CONFIG_A is not set' is read. A is set to 'n' and moved to the top. A(=n) --> C(=y) --> B(=?) --> D(=?) --> E(=?) Then, 'CONFIG_D=y' is read. D is set to 'y' and moved to the top. D(=y) --> A(=n) --> C(=y) --> B(=?) --> E(=?) 
Lastly, randconfig shuffles the order of the remaining symbols, resulting in: D(=y) --> A(=n) --> C(=y) --> B(=y) --> E(=y) or D(=y) --> A(=n) --> C(=y) --> E(=y) --> B(=y) When calculating the output, the linked list is traversed and the first visible symbol with 'y' is taken. In this case, it is D if visible. If D is hidden by 'depends on', the next node, A, is examined. Since it is already specified as 'n', it is skipped. Next, C is checked, and selected if it is visible. If C is also invisible, either B or E is chosen as a result of the randomization. If B and E are also invisible, the linked list is traversed in the reverse order, and the least prioritized 'n' symbol is chosen. It is A in this case. Now, Kconfig remembers all user values. This is a big difference from the previous implementation, where Kconfig would forget CONFIG_C=y when CONFIG_D=y appeared in the same input file. The new approach respects user-specified values as much as possible. Signed-off-by: Masahiro Yamada scripts/kconfig/conf.c | 131 ++++++++++++++++++------------------------- scripts/kconfig/confdata.c | 54 +++------------ scripts/kconfig/expr.h | 12 ++-- scripts/kconfig/lkc.h | 7 +- scripts/kconfig/menu.c | 17 +---- scripts/kconfig/parser.y | 4 ++ scripts/kconfig/symbol.c | 159 ++++++++++++++++++++++++++++----------------- 7 files changed, 187 insertions(+), 197 deletions(-) accumulated error probability: 0.00 culprit signature: 6706af9baf3370669b8b8753019136faca9b1643d029386bd083096557e7d194 parent signature: 835e0079e916cbf27b1753150138939042369bc59babae4168a89f6acfcdd83c revisions tested: 27, total time: 7h38m36.944849028s (build: 3h6m51.418848715s, test: 4h9m46.739566845s) first bad commit: f79dc03fe68c79d388908182e68d702f7f1786bc kconfig: refactor choice value calculation recipients (to): ["masahiroy@kernel.org"] recipients (cc): [] crash: KASAN: slab-use-after-free Read in ocfs2_fault ================================================================== BUG: KASAN: slab-use-after-free 
in ocfs2_fault+0xbe/0x270 fs/ocfs2/mmap.c:41
Read of size 8 at addr ffff888023a684e0 by task syz.1.54/5141

CPU: 1 PID: 5141 Comm: syz.1.54 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Call Trace:
 dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xca/0x250 mm/kasan/report.c:488
 kasan_report+0x118/0x150 mm/kasan/report.c:601
 ocfs2_fault+0xbe/0x270 fs/ocfs2/mmap.c:41
 __do_fault+0x10f/0x300 mm/memory.c:4556
 do_read_fault mm/memory.c:4921 [inline]
 do_fault mm/memory.c:5051 [inline]
 do_pte_missing mm/memory.c:3897 [inline]
 handle_pte_fault mm/memory.c:5381 [inline]
 __handle_mm_fault mm/memory.c:5524 [inline]
 handle_mm_fault+0xb41/0x2440 mm/memory.c:5689
 faultin_page mm/gup.c:1290 [inline]
 __get_user_pages+0x73d/0xf00 mm/gup.c:1589
 populate_vma_page_range+0x19d/0x220 mm/gup.c:2029
 __mm_populate+0x1dd/0x290 mm/gup.c:2132
 mm_populate include/linux/mm.h:3469 [inline]
 vm_mmap_pgoff+0x212/0x2e0 mm/util.c:578
 ksys_mmap_pgoff+0x2c4/0x3f0 mm/mmap.c:1443
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x8f/0x180 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0ae08f0ba9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0ae0761038 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 00007f0ae0b37fa0 RCX: 00007f0ae08f0ba9
RDX: 00000000027ffff7 RSI: 0000000000600000 RDI: 0000200000000000
RBP: 00007f0ae0973e19 R08: 0000000000000004 R09: 0000000000000000
R10: 0000000004012011 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f0ae0b38038 R14: 00007f0ae0b37fa0 R15: 00007fff3cf9d818

Allocated by task 5141:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 unpoison_slab_object mm/kasan/common.c:312 [inline]
 __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:338
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3940 [inline]
 slab_alloc_node mm/slub.c:4002 [inline]
 kmem_cache_alloc_noprof+0x11d/0x330 mm/slub.c:4009
 vm_area_alloc+0x1f/0x190 kernel/fork.c:467
 mmap_region+0x910/0x1740 mm/mmap.c:2873
 do_mmap+0x63b/0xb60 mm/mmap.c:1397
 vm_mmap_pgoff+0x181/0x2e0 mm/util.c:573
 ksys_mmap_pgoff+0x2c4/0x3f0 mm/mmap.c:1443
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x8f/0x180 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 426:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:579
 poison_slab_object+0xef/0x170 mm/kasan/common.c:240
 __kasan_slab_free+0x3c/0x60 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2196 [inline]
 slab_free mm/slub.c:4438 [inline]
 kmem_cache_free+0x11d/0x390 mm/slub.c:4513
 rcu_do_batch kernel/rcu/tree.c:2535 [inline]
 rcu_core+0xb1e/0x12a0 kernel/rcu/tree.c:2809
 handle_softirqs+0x19d/0x500 kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0x45/0xe0 kernel/softirq.c:637
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
 sysvec_apic_timer_interrupt+0x92/0xb0 arch/x86/kernel/apic/apic.c:1043
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702

Last potentially related work creation:
 kasan_save_stack+0x3e/0x60 mm/kasan/common.c:47
 __kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:541
 __call_rcu_common kernel/rcu/tree.c:3072 [inline]
 call_rcu+0x131/0x7a0 kernel/rcu/tree.c:3176
 remove_vma mm/mmap.c:148 [inline]
 remove_mt mm/mmap.c:2344 [inline]
 do_vmi_align_munmap+0xb5e/0x1030 mm/mmap.c:2687
 __vm_munmap+0x14e/0x270 mm/mmap.c:3038
 __do_sys_munmap mm/mmap.c:3055 [inline]
 __se_sys_munmap mm/mmap.c:3052 [inline]
 __x64_sys_munmap+0x5b/0x70 mm/mmap.c:3052
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x8f/0x180 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888023a68460
 which belongs to the cache vm_area_struct of size 160
The buggy address is located 128 bytes inside of
 freed 160-byte region [ffff888023a68460, ffff888023a68500)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x23a68
memcg:ffff8880251ab101
flags: 0x80000000000000(node=0|zone=1)
page_type: 0xffffefff(slab)
raw: 0080000000000000 ffff88800daabb40 ffffea000094cf80 dead000000000004
raw: 0000000000000000 0000000000120012 00000001ffffefff ffff8880251ab101
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x152cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 2604, tgid 2604 (modprobe), ts 42024732188, free_ts 42002542608
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x16e/0x1a0 mm/page_alloc.c:1473
 prep_new_page mm/page_alloc.c:1481 [inline]
 get_page_from_freelist+0x2255/0x22f0 mm/page_alloc.c:3425
 __alloc_pages_noprof+0x1d3/0x420 mm/page_alloc.c:4683
 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
 alloc_slab_page+0x46/0x100 mm/slub.c:2265
 allocate_slab+0x5d/0x290 mm/slub.c:2428
 new_slab mm/slub.c:2481 [inline]
 ___slab_alloc+0xa3c/0x1150 mm/slub.c:3667
 __slab_alloc mm/slub.c:3757 [inline]
 __slab_alloc_node mm/slub.c:3810 [inline]
 slab_alloc_node mm/slub.c:3990 [inline]
 kmem_cache_alloc_noprof+0x1c9/0x330 mm/slub.c:4009
 vm_area_dup+0x21/0x130 kernel/fork.c:482
 __split_vma+0xef/0x940 mm/mmap.c:2394
 split_vma mm/mmap.c:2466 [inline]
 vma_modify+0x228/0x2f0 mm/mmap.c:2507
 vma_modify_flags include/linux/mm.h:3352 [inline]
 mprotect_fixup+0x2c4/0x7f0 mm/mprotect.c:637
 do_mprotect_pkey+0x5c4/0x8a0 mm/mprotect.c:820
 __do_sys_mprotect mm/mprotect.c:841 [inline]
 __se_sys_mprotect mm/mprotect.c:838 [inline]
 __x64_sys_mprotect+0x7b/0x90 mm/mprotect.c:838
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x8f/0x180 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 2602 tgid 2602 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1093 [inline]
 free_unref_page+0xb00/0xbb0 mm/page_alloc.c:2588
 __slab_free+0x311/0x3a0 mm/slub.c:4349
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x99/0x150 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:322
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3940 [inline]
 slab_alloc_node mm/slub.c:4002 [inline]
 kmem_cache_alloc_noprof+0x11d/0x330 mm/slub.c:4009
 getname_flags+0xa5/0x440 fs/namei.c:139
 vfs_fstatat+0xb0/0xf0 fs/stat.c:303
 __do_sys_newfstatat fs/stat.c:468 [inline]
 __se_sys_newfstatat+0xae/0x2f0 fs/stat.c:462
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x8f/0x180 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff888023a68380: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888023a68400: fb fb fb fb fc fc fc fc fc fc fc fc fa fb fb fb
>ffff888023a68480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                       ^
 ffff888023a68500: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
 ffff888023a68580: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
==================================================================