ci starts bisection 2023-08-23 14:19:21.331043153 +0000 UTC m=+91989.782286599
bisecting cause commit starting from 28c736b0e92e11bfe2b9997688213dc43cb22182
building syzkaller on b81ca3f66f8d2d8b397c3c1dc5f14e77c2936b1e
fetch other tags and check if the commit is present
ensuring issue is reproducible on original commit 28c736b0e92e11bfe2b9997688213dc43cb22182
testing commit 28c736b0e92e11bfe2b9997688213dc43cb22182 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f24eb1d43f7a6270a3c80cf3f226f422e73e19c2d7322976a71907a8eb6deb5e
all runs: crashed: KASAN: slab-use-after-free Read in kernfs_test_super
representative crash: KASAN: slab-use-after-free Read in kernfs_test_super, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit 28c736b0e92e11bfe2b9997688213dc43cb22182 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4cfb3de6b6a7f66cf38c7767c2405050f4519495d801b947173936ac2ec315ee
all runs: crashed: KASAN: slab-use-after-free Read in kernfs_test_super
representative crash: KASAN: slab-use-after-free Read in kernfs_test_super, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
kconfig minimization: base=3883 full=7691 leaves diff=2019
split chunks (needed=false): <2019>
split chunk #0 of len 2019 into 5 parts
testing without sub-chunk 1/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing commit 28c736b0e92e11bfe2b9997688213dc43cb22182 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 69528e18c8d393da71b7b39cef37a1987b36627389cf0cb79c323d026de34219
all runs: crashed: KASAN: slab-use-after-free Read in kernfs_test_super
representative crash: KASAN: slab-use-after-free Read in kernfs_test_super, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 28c736b0e92e11bfe2b9997688213dc43cb22182 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: cf1930d2971d240b41da9b87f07c1efe9f6918970f5aee5c26d987d3e79bcbc0
all runs: crashed: KASAN: slab-use-after-free Read in kernfs_test_super
representative crash: KASAN: slab-use-after-free Read in kernfs_test_super, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 28c736b0e92e11bfe2b9997688213dc43cb22182 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 949c57d8e932ddff84c090488ed6977ce13592f564e747c524353bd0f2f50d98
all runs: crashed: KASAN: slab-use-after-free Read in kernfs_test_super
representative crash: KASAN: slab-use-after-free Read in kernfs_test_super, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing commit 28c736b0e92e11bfe2b9997688213dc43cb22182 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f9912ee1da4bbbabe94f64318ec56bffbbe9f01f4f3333cd8cfb5fa03742ec80
all runs: crashed: KASAN: slab-use-after-free Read in kernfs_test_super
representative crash: KASAN: slab-use-after-free Read in kernfs_test_super, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
testing commit 28c736b0e92e11bfe2b9997688213dc43cb22182 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1aa747b8e3157eeb0bb19ad34754726523388cb6f5bad7fa5025b34cbed6c6f9
all runs: crashed: KASAN: slab-use-after-free Read in kernfs_test_super
representative crash: KASAN: slab-use-after-free Read in kernfs_test_super, types: [KASAN]
the chunk can be dropped
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing release v6.4
testing commit 6995e2de6891c724bfeb2db33d7b87775f913ad1 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a619217a716df1955e4d71b7fed7f45badf6e64cafb6422a9021f421ae51bfcc
all runs: OK
false negative chance: 0.000
# git bisect start 28c736b0e92e11bfe2b9997688213dc43cb22182 6995e2de6891c724bfeb2db33d7b87775f913ad1
Bisecting: 13132 revisions left to test after this (roughly 14 steps)
[39b1428639ed2224832234f48bfce991786aa4df] Merge tag 'regmap-fix-v6.5-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap
testing commit 39b1428639ed2224832234f48bfce991786aa4df gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4bcef6c0da5e4633f53faddd95b6c7dc00d5b5de18163e14ece82215f7810054
all runs: OK
false negative chance: 0.000
# git bisect good 39b1428639ed2224832234f48bfce991786aa4df
Bisecting: 5867 revisions left to test after this (roughly 13 steps)
[f4d5d94452e4dcb84e84709b536c2686d0fcae84] Merge branch 'main' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git
testing commit f4d5d94452e4dcb84e84709b536c2686d0fcae84 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 84974119ed6b36c89b5ad4880918b7b6d0094cab20b1bd42147a9a5618f8bfbb
all runs: crashed: KASAN: slab-use-after-free Read in kernfs_test_super
representative crash: KASAN: slab-use-after-free Read in kernfs_test_super, types: [KASAN]
# git bisect bad f4d5d94452e4dcb84e84709b536c2686d0fcae84
Bisecting: 3640 revisions left to test after this (roughly 12 steps)
[ea0e34742aa5ae1237f155aead3ad9018ba6c6d9] Merge branch 'sunxi/for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/sunxi/linux.git
testing commit ea0e34742aa5ae1237f155aead3ad9018ba6c6d9 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 36facd443a4677b398224d2b2ad68979bc603b8aec5561f8c0b79791c83657a4
all runs: OK
false negative chance: 0.000
# git bisect good ea0e34742aa5ae1237f155aead3ad9018ba6c6d9
Bisecting: 1768 revisions left to test after this (roughly 11 steps)
[a8716f9f5a967352ebf5a9ff1cabf3ae8ad8af0d] Merge branch 'master' of git://linuxtv.org/media_tree.git
testing commit a8716f9f5a967352ebf5a9ff1cabf3ae8ad8af0d gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a8fd9f66830806e994c113a3efc28dcb8ccb56c192861f313fee088baed620f4
all runs: crashed: KASAN: slab-use-after-free Read in kernfs_test_super
representative crash: KASAN: slab-use-after-free Read in kernfs_test_super, types: [KASAN]
# git bisect bad a8716f9f5a967352ebf5a9ff1cabf3ae8ad8af0d
Bisecting: 1020 revisions left to test after this (roughly 10 steps)
[0cc933d2a8b5fa685c768c12ad4d439d3094bc38] Merge branch 'locks-next' of git://git.kernel.org/pub/scm/linux/kernel/git/jlayton/linux.git
testing commit 0cc933d2a8b5fa685c768c12ad4d439d3094bc38 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d105b603f64b9a0d4da1e2306e19f8780baaf37708f0d7c496dd06d97274e976
all runs: OK
false negative chance: 0.000
# git bisect good 0cc933d2a8b5fa685c768c12ad4d439d3094bc38
Bisecting: 523 revisions left to test after this (roughly 9 steps)
[0857e8ff1eb9b0dbf3acb4613f096181687d1a3b] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid.git
testing commit 0857e8ff1eb9b0dbf3acb4613f096181687d1a3b gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4ff353d62dc34186f971ac1ed6acde279f01a9754096c21648a88a118cc86b04
all runs: crashed: KASAN: slab-use-after-free Read in kernfs_test_super
representative crash: KASAN: slab-use-after-free Read in kernfs_test_super, types: [KASAN]
# git bisect bad 0857e8ff1eb9b0dbf3acb4613f096181687d1a3b
Bisecting: 261 revisions left to test after this (roughly 8 steps)
[1ff665b6c7fc49c6a1c99ca148cd77581cd69930] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs.git
testing commit 1ff665b6c7fc49c6a1c99ca148cd77581cd69930 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 42f63fb39cfd67c02c4b1c9420ce1e2e3d4287396ecc72cde01be4723554c95e
all runs: crashed: KASAN: slab-use-after-free Read in kernfs_test_super
representative crash: KASAN: slab-use-after-free Read in kernfs_test_super, types: [KASAN]
# git bisect bad 1ff665b6c7fc49c6a1c99ca148cd77581cd69930
Bisecting: 107 revisions left to test after this (roughly 7 steps)
[ff4f7887e239b068367ae857b27c7cec98015656] Merge branch 'vfs.tmpfs' into vfs.all
testing commit ff4f7887e239b068367ae857b27c7cec98015656 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 79b7adfbeb6dc6f47fda20034c1677a46a66aad867b47455db29a7a57e8bc1eb
all runs: OK
false negative chance: 0.000
# git bisect good ff4f7887e239b068367ae857b27c7cec98015656
Bisecting: 56 revisions left to test after this (roughly 6 steps)
[b13917cb7655192a45781d132d320a47ab8f2365] Merge branch 'vfs.fchmodat2' into vfs.all
testing commit b13917cb7655192a45781d132d320a47ab8f2365 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f1024b1d245da2523df76de929eef47689cc11ea34fdae8151617fa214fe4427
all runs: OK
false negative chance: 0.000
# git bisect good b13917cb7655192a45781d132d320a47ab8f2365
Bisecting: 28 revisions left to test after this (roughly 5 steps)
[8ffa54e3370c5a8b9538dbe4077fc9c4b5a08f45] xfs use fs_holder_ops for the log and RT devices
testing commit 8ffa54e3370c5a8b9538dbe4077fc9c4b5a08f45 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d6a0fc730ea711551c54622975752fe85dec97b80728ca13389aac06ab0d1d95
all runs: OK
false negative chance: 0.000
# git bisect good 8ffa54e3370c5a8b9538dbe4077fc9c4b5a08f45
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[5e87491415217d6bec0bcae08a3156622be2b177] super: wait for nascent superblocks
testing commit 5e87491415217d6bec0bcae08a3156622be2b177 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0b8a5301edeb47331ca8ee0b4dd7647f28ca917bdbb4fa6bdfa3e563a7a83162
all runs: OK
false negative chance: 0.000
# git bisect good 5e87491415217d6bec0bcae08a3156622be2b177
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[eb329cf7344191588f4852aa7b134040dee7a41f] Merge branch 'vfs.autofs' into vfs.all
testing commit eb329cf7344191588f4852aa7b134040dee7a41f gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6f3f387020de19723e39e10c4f790207f234193b5e2b49de920e312f4c63d782
all runs: crashed: KASAN: slab-use-after-free Read in kernfs_test_super
representative crash: KASAN: slab-use-after-free Read in kernfs_test_super, types: [KASAN]
# git bisect bad eb329cf7344191588f4852aa7b134040dee7a41f
Bisecting: 2 revisions left to test after this (roughly 1 step)
[17fce12e7c0a53f0bed26af231a2a98a34d34c60] autofs: use wake_up() instead of wake_up_interruptible(()
testing commit 17fce12e7c0a53f0bed26af231a2a98a34d34c60 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7f6765f1157d7afecb7a757256a400d213400ee9b6705fa54a97b7ec9089c811
all runs: OK
false negative chance: 0.000
# git bisect good 17fce12e7c0a53f0bed26af231a2a98a34d34c60
Bisecting: 0 revisions left to test after this (roughly 1 step)
[c59465f5d99081bdde47f46daf7873e086be58d1] Merge branch 'vfs.super' into vfs.all
testing commit c59465f5d99081bdde47f46daf7873e086be58d1 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: dff3ca00ea4f097c1bbd5fff8a65ee9b5c6c3be84d03cbabb1093f412ed529a9
all runs: crashed: KASAN: slab-use-after-free Read in kernfs_test_super
representative crash: KASAN: slab-use-after-free Read in kernfs_test_super, types: [KASAN]
# git bisect bad c59465f5d99081bdde47f46daf7873e086be58d1
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[2c18a63b760a0f68f14cb8bb4c3840bb0b63b73e] super: wait until we passed kill super
testing commit 2c18a63b760a0f68f14cb8bb4c3840bb0b63b73e gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 64356a743eb6c6da1f35faa46e6550e00a7e6fcf374c0b11c6f7965c4df6487c
all runs: crashed: KASAN: slab-use-after-free Read in kernfs_test_super
representative crash: KASAN: slab-use-after-free Read in kernfs_test_super, types: [KASAN]
# git bisect bad 2c18a63b760a0f68f14cb8bb4c3840bb0b63b73e
2c18a63b760a0f68f14cb8bb4c3840bb0b63b73e is the first bad commit
commit 2c18a63b760a0f68f14cb8bb4c3840bb0b63b73e
Author: Christian Brauner
Date:   Fri Aug 18 16:00:51 2023 +0200

    super: wait until we passed kill super

    Recent rework moved block device closing out of sb->put_super() and into
    sb->kill_sb() to avoid deadlocks as s_umount is held in put_super() and
    blkdev_put() can end up taking s_umount again.

    That means we need to move the removal of the superblock from @fs_supers
    out of generic_shutdown_super() and into deactivate_locked_super() to
    ensure that concurrent mounters don't fail to open block devices that
    are still in use because blkdev_put() in sb->kill_sb() hasn't been
    called yet.

    We can now do this as we can make iterators through @fs_super and
    @super_blocks wait without holding s_umount. Concurrent mounts will wait
    until a dying superblock is fully dead so until sb->kill_sb() has been
    called and SB_DEAD been set. Concurrent iterators can already discard
    any SB_DYING superblock.

    Reviewed-by: Jan Kara
    Message-Id: <20230818-vfs-super-fixes-v3-v3-4-9f0b1876e46b@kernel.org>
    Signed-off-by: Christian Brauner

 fs/super.c         | 71 ++++++++++++++++++++++++++++++++++++++++++++++++------
 include/linux/fs.h |  1 +
 2 files changed, 65 insertions(+), 7 deletions(-)

accumulated error probability: 0.00
culprit signature: 64356a743eb6c6da1f35faa46e6550e00a7e6fcf374c0b11c6f7965c4df6487c
parent signature: 0b8a5301edeb47331ca8ee0b4dd7647f28ca917bdbb4fa6bdfa3e563a7a83162
revisions tested: 23, total time: 5h11m53.313445993s (build: 2h20m56.401532898s, test: 2h29m29.773458725s)
first bad commit: 2c18a63b760a0f68f14cb8bb4c3840bb0b63b73e super: wait until we passed kill super
recipients (to): ["brauner@kernel.org" "jack@suse.cz"]
recipients (cc): []
crash: KASAN: slab-use-after-free Read in kernfs_test_super
==================================================================
BUG: KASAN: slab-use-after-free in kernfs_test_super+0x108/0x140 fs/kernfs/mount.c:286
Read of size 8 at addr ffff8881057c6108 by task syz-executor.4/4205

CPU: 0 PID: 4205 Comm: syz-executor.4 Not tainted 6.5.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x3d/0x60 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0xc4/0x620 mm/kasan/report.c:475
 kasan_report+0xda/0x110 mm/kasan/report.c:588
 kernfs_test_super+0x108/0x140 fs/kernfs/mount.c:286
 sget_fc+0x4ee/0x760 fs/super.c:764
 kernfs_get_tree+0x18c/0x9f0 fs/kernfs/mount.c:337
 sysfs_get_tree+0x3e/0x130 fs/sysfs/mount.c:31
 vfs_get_tree+0x82/0x220 fs/super.c:1711
 do_new_mount fs/namespace.c:3335 [inline]
 path_mount+0x878/0x1a00 fs/namespace.c:3662
 do_mount fs/namespace.c:3675 [inline]
 __do_sys_mount fs/namespace.c:3884 [inline]
 __se_sys_mount fs/namespace.c:3861 [inline]
 __x64_sys_mount+0x208/0x280 fs/namespace.c:3861
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x38/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7ff7884b9ae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ff78803c0c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ff7885d8f80 RCX: 00007ff7884b9ae9
RDX: 0000000020000300 RSI: 0000000020000080 RDI: 0000000000000000
RBP: 00007ff78850547a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000006 R14: 00007ff7885d8f80 R15: 00007ffc4edbd338

Allocated by task 4207:
 kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:383
 kmalloc include/linux/slab.h:582 [inline]
 kzalloc include/linux/slab.h:703 [inline]
 kernfs_get_tree+0x73/0x9f0 fs/kernfs/mount.c:328
 sysfs_get_tree+0x3e/0x130 fs/sysfs/mount.c:31
 vfs_get_tree+0x82/0x220 fs/super.c:1711
 do_new_mount fs/namespace.c:3335 [inline]
 path_mount+0x878/0x1a00 fs/namespace.c:3662
 do_mount fs/namespace.c:3675 [inline]
 __do_sys_mount fs/namespace.c:3884 [inline]
 __se_sys_mount fs/namespace.c:3861 [inline]
 __x64_sys_mount+0x208/0x280 fs/namespace.c:3861
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x38/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 1414:
 kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522
 ____kasan_slab_free mm/kasan/common.c:236 [inline]
 ____kasan_slab_free+0x15e/0x1b0 mm/kasan/common.c:200
 kasan_slab_free include/linux/kasan.h:162 [inline]
 slab_free_hook mm/slub.c:1792 [inline]
 slab_free_freelist_hook+0x10b/0x1e0 mm/slub.c:1818
 slab_free mm/slub.c:3801 [inline]
 __kmem_cache_free+0xba/0x340 mm/slub.c:3814
 sysfs_kill_sb+0x19/0x30 fs/sysfs/mount.c:86
 deactivate_locked_super+0x83/0x270 fs/super.c:454
 cleanup_mnt+0x1d8/0x360 fs/namespace.c:1254
 task_work_run+0x114/0x1f0 kernel/task_work.c:179
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
 exit_to_user_mode_prepare+0x13f/0x150 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
 syscall_exit_to_user_mode+0x16/0x30 kernel/entry/common.c:297
 do_syscall_64+0x44/0x80 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff8881057c6100
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 8 bytes inside of
 freed 64-byte region [ffff8881057c6100, ffff8881057c6140)

The buggy address belongs to the physical page:
page:ffffea000415f180 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1057c6
flags: 0x200000000000200(slab|node=0|zone=2)
page_type: 0xffffffff()
raw: 0200000000000200 ffff888100041640 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 4203, tgid 4203 (syz-executor.2), ts 72947701720, free_ts 72912689372
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x281/0x2f0 mm/page_alloc.c:1570
 prep_new_page mm/page_alloc.c:1577 [inline]
 get_page_from_freelist+0xcd4/0x3060 mm/page_alloc.c:3221
 __alloc_pages+0x1d0/0x470 mm/page_alloc.c:4477
 alloc_slab_page mm/slub.c:1862 [inline]
 allocate_slab+0x24e/0x360 mm/slub.c:2009
 new_slab mm/slub.c:2062 [inline]
 ___slab_alloc+0x7a7/0x1000 mm/slub.c:3215
 __slab_alloc.constprop.0+0x4d/0x90 mm/slub.c:3314
 __slab_alloc_node mm/slub.c:3367 [inline]
 slab_alloc_node mm/slub.c:3460 [inline]
 __kmem_cache_alloc_node+0x143/0x390 mm/slub.c:3509
 __do_kmalloc_node mm/slab_common.c:984 [inline]
 __kmalloc_node+0x4f/0x160 mm/slab_common.c:992
 kmalloc_node include/linux/slab.h:602 [inline]
 __vmalloc_area_node mm/vmalloc.c:3121 [inline]
 __vmalloc_node_range+0x31e/0x1140 mm/vmalloc.c:3316
 alloc_thread_stack_node kernel/fork.c:309 [inline]
 dup_task_struct kernel/fork.c:1113 [inline]
 copy_process+0x10a8/0x6140 kernel/fork.c:2330
 kernel_clone+0xcb/0x7a0 kernel/fork.c:2912
 __do_sys_clone3+0x152/0x190 kernel/fork.c:3213
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x38/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1161 [inline]
 free_unref_page_prepare+0x5ac/0xcf0 mm/page_alloc.c:2348
 free_unref_page_list+0xd5/0x850 mm/page_alloc.c:2489
 release_pages+0x8b4/0xed0 mm/swap.c:1042
 tlb_batch_pages_flush+0x79/0x140 mm/mmu_gather.c:97
 tlb_flush_mmu_free mm/mmu_gather.c:292 [inline]
 tlb_flush_mmu mm/mmu_gather.c:299 [inline]
 tlb_finish_mmu+0x114/0x5e0 mm/mmu_gather.c:391
 exit_mmap+0x247/0x6f0 mm/mmap.c:3214
 __mmput kernel/fork.c:1348 [inline]
 mmput+0x9e/0x3a0 kernel/fork.c:1370
 exit_mm kernel/exit.c:567 [inline]
 do_exit+0x776/0x2600 kernel/exit.c:861
 do_group_exit+0xb4/0x250 kernel/exit.c:1024
 get_signal+0x1ed5/0x1f00 kernel/signal.c:2877
 arch_do_signal_or_restart+0x89/0x5d0 arch/x86/kernel/signal.c:308
 exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
 exit_to_user_mode_prepare+0xc3/0x150 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
 syscall_exit_to_user_mode+0x16/0x30 kernel/entry/common.c:297
 do_syscall_64+0x44/0x80 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
 ffff8881057c6000: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
 ffff8881057c6080: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
>ffff8881057c6100: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                      ^
 ffff8881057c6180: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8881057c6200: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================