ci starts bisection 2024-01-31 08:15:18.366149732 +0000 UTC m=+12695.814288748
bisecting cause commit starting from 596764183be8ebb13352b281a442a1f1151c9b06
building syzkaller on cc4a4020ecb6d62110981f597feea0c04a643efa
fetch other tags and check if the commit is present
ensuring issue is reproducible on original commit 596764183be8ebb13352b281a442a1f1151c9b06
testing commit 596764183be8ebb13352b281a442a1f1151c9b06 gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f89d138779b0a3dcb85d5fa81df02319273497d188d91357fb921f476caa7be2
all runs: crashed: KASAN: slab-use-after-free Read in v9fs_stat2inode_dotl
representative crash: KASAN: slab-use-after-free Read in v9fs_stat2inode_dotl, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 596764183be8ebb13352b281a442a1f1151c9b06 gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ebce9a00bf9f3341f2b6ec7007bb4e9fc23666115b74b0c30b323435043719f3
all runs: crashed: KASAN: slab-use-after-free Read in v9fs_stat2inode_dotl
representative crash: KASAN: slab-use-after-free Read in v9fs_stat2inode_dotl, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
kconfig minimization: base=3941 full=7699 leaves diff=2004
split chunks (needed=false): <2004>
split chunk #0 of len 2004 into 5 parts
testing without sub-chunk 1/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 596764183be8ebb13352b281a442a1f1151c9b06 gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2169591b75eb88d2eb52434911e701f0f308d07c4e4786fe53f018965eb1f654
all runs: crashed: KASAN: slab-use-after-free Read in v9fs_stat2inode_dotl
representative crash: KASAN: slab-use-after-free Read in v9fs_stat2inode_dotl, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG], they are not needed
testing commit 596764183be8ebb13352b281a442a1f1151c9b06 gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a0f686c4c9bf1c2129ac74f46d115f130104010c98710bc4c2d0fb9274e8f4ce
all runs: crashed: KASAN: slab-use-after-free Read in v9fs_stat2inode_dotl
representative crash: KASAN: slab-use-after-free Read in v9fs_stat2inode_dotl, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 596764183be8ebb13352b281a442a1f1151c9b06 gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 65b9b74018734177b9c0fc10f8ff5430540f43e6ee12485c2c69e870611f3903
all runs: crashed: KASAN: slab-use-after-free Read in v9fs_stat2inode_dotl
representative crash: KASAN: slab-use-after-free Read in v9fs_stat2inode_dotl, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit 596764183be8ebb13352b281a442a1f1151c9b06 gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: fed67d43c9ec3d7622dea5182038ca31ff8125632d8b626c78683c9433e47478
all runs: crashed: KASAN: slab-use-after-free Read in v9fs_stat2inode_dotl
representative crash: KASAN: slab-use-after-free Read in v9fs_stat2inode_dotl, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [ATOMIC_SLEEP HANG LEAK UBSAN BUG LOCKDEP], they are not needed
testing commit 596764183be8ebb13352b281a442a1f1151c9b06 gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f360d2741a4ac0c6e210ea172536a753780db131c58d1aa0f826ebe15eddab4f
all runs: crashed: KASAN: slab-use-after-free Read in v9fs_stat2inode_dotl
representative crash: KASAN: slab-use-after-free Read in v9fs_stat2inode_dotl, types: [KASAN]
the chunk can be dropped
disabling configs for [UBSAN BUG LOCKDEP ATOMIC_SLEEP HANG LEAK], they are not needed
picked [v6.7 v6.6 v6.5 v6.3 v6.1 v5.19 v5.17 v5.15 v5.12 v5.9 v5.6 v5.3 v5.0 v4.19] out of 30 release tags
testing release v6.7
testing commit 0dd3ee31125508cd67f7e7172247f05b7fd1753a gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e23bdce6b252c054a654f0e5aab96d69a75544707bd620a170d8802afbe3cef8
all runs: OK
false negative chance: 0.000
# git bisect start 596764183be8ebb13352b281a442a1f1151c9b06 0dd3ee31125508cd67f7e7172247f05b7fd1753a
Bisecting: 7242 revisions left to test after this (roughly 13 steps)
[cf65598d5909acf5e7b7dc9e21786e386356bc81] Merge tag 'drm-next-2024-01-10' of git://anongit.freedesktop.org/drm/drm
testing commit cf65598d5909acf5e7b7dc9e21786e386356bc81 gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e421a4df28b6ceef9461c7e784ba90969bd979bca6617ddc17f7c47d43647738
all runs: OK
false negative chance: 0.000
# git bisect good cf65598d5909acf5e7b7dc9e21786e386356bc81
Bisecting: 3614 revisions left to test after this (roughly 12 steps)
[736b5545d39ca59d4332a60e56cc8a1a5e264a8e] Merge tag 'net-6.8-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
testing commit 736b5545d39ca59d4332a60e56cc8a1a5e264a8e gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 28e74b808c2b5df9ff54453b739cf7b43c67f4de221071ba0dfb9dc5fadc35b7
all runs: OK
false negative chance: 0.000
# git bisect good 736b5545d39ca59d4332a60e56cc8a1a5e264a8e
Bisecting: 1795 revisions left to test after this (roughly 11 steps)
[39893db4c69a7dcd19073783973e89a24105ede3] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/qcom/linux.git
testing commit 39893db4c69a7dcd19073783973e89a24105ede3 gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2dfa9a3ab3082475ae897155616ccc1fb9a8f3589ed8d430720e676660e4aaaf
all runs: OK
false negative chance: 0.000
# git bisect good 39893db4c69a7dcd19073783973e89a24105ede3
Bisecting: 919 revisions left to test after this (roughly 10 steps)
[441a6389823e9ced24aa860bdb1404b41348c290] Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git
testing commit 441a6389823e9ced24aa860bdb1404b41348c290 gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4356ef9c8e6fadb7df3f060d6567b3672d8ec45ae4f868c4991e6ce34dbb5c5e
all runs: crashed: KASAN: slab-use-after-free Read in v9fs_stat2inode_dotl
representative crash: KASAN: slab-use-after-free Read in v9fs_stat2inode_dotl, types: [KASAN]
# git bisect bad 441a6389823e9ced24aa860bdb1404b41348c290
Bisecting: 427 revisions left to test after this (roughly 9 steps)
[2300604694a287fa35f6f30a34c244b40fb26e69] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid.git
testing commit 2300604694a287fa35f6f30a34c244b40fb26e69 gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 63f80d23a42542bffafef993158b70f718fbf130b1f52942602691730027021d
all runs: crashed: KASAN: slab-use-after-free Read in v9fs_stat2inode_dotl
representative crash: KASAN: slab-use-after-free Read in v9fs_stat2inode_dotl, types: [KASAN]
# git bisect bad 2300604694a287fa35f6f30a34c244b40fb26e69
Bisecting: 218 revisions left to test after this (roughly 8 steps)
[b07e170ea13225ee0fee8c7dc44c9fe1f3da60ca] Merge branch 'for_next' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs.git
testing commit b07e170ea13225ee0fee8c7dc44c9fe1f3da60ca gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1754b1c22b89b4164046174ce34889c9252befd2ac9650047621ee3e5372cc2d
all runs: OK
false negative chance: 0.000
# git bisect good b07e170ea13225ee0fee8c7dc44c9fe1f3da60ca
Bisecting: 121 revisions left to test after this (roughly 7 steps)
[b8daab4bfdf36f2d3746c702795241e3da040651] Merge branch 'vfs.all' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git
testing commit b8daab4bfdf36f2d3746c702795241e3da040651 gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3d36005703f6f1aa0b7147bde4d81beff5dd8b64ed2781bacd9a0f6cf2605e26
all runs: crashed: KASAN: slab-use-after-free Read in v9fs_stat2inode_dotl
representative crash: KASAN: slab-use-after-free Read in v9fs_stat2inode_dotl, types: [KASAN]
# git bisect bad b8daab4bfdf36f2d3746c702795241e3da040651
Bisecting: 51 revisions left to test after this (roughly 6 steps)
[e5d09783196c25c21ee2ef32179a1b69dfdf7912] Merge branch 'nfsd-next' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux
testing commit e5d09783196c25c21ee2ef32179a1b69dfdf7912 gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5033ebabc6436b43c6b30f0fa2b45a6b85c2057bd603184f0a198df9ce5b0c53
all runs: OK
false negative chance: 0.000
# git bisect good e5d09783196c25c21ee2ef32179a1b69dfdf7912
Bisecting: 23 revisions left to test after this (roughly 5 steps)
[378fc2a0584b91d4bbcc016d1dbb5cecf928ac9d] Merge branch 'ericvh/for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/ericvh/v9fs.git
testing commit 378fc2a0584b91d4bbcc016d1dbb5cecf928ac9d gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: afec895296aa8ac4e7d948ef35df40caf01fa062425d3834bd1bee604d7c16f1
all runs: crashed: KASAN: slab-use-after-free Read in v9fs_stat2inode_dotl
representative crash: KASAN: slab-use-after-free Read in v9fs_stat2inode_dotl, types: [KASAN]
# git bisect bad 378fc2a0584b91d4bbcc016d1dbb5cecf928ac9d
Bisecting: 13 revisions left to test after this (roughly 4 steps)
[d6ca2d253900b9b0a3a1ad77541d606010f5e5eb] fs/ntfs3: Add and fix comments
testing commit d6ca2d253900b9b0a3a1ad77541d606010f5e5eb gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3d9c3232c8eab098d41d85fa321367e03b971842bacd1532fc7e30abd0c1bb64
all runs: OK
false negative chance: 0.000
# git bisect good d6ca2d253900b9b0a3a1ad77541d606010f5e5eb
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[724a08450f74b02bd89078a596fd24857827c012] fs/9p: simplify iget to remove unnecessary paths
testing commit 724a08450f74b02bd89078a596fd24857827c012 gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1508347d73415ffb4231ec5dd43e2327faaba215bcdcf65d1fe48f34c36c6af5
all runs: crashed: KASAN: slab-use-after-free Read in v9fs_stat2inode_dotl
representative crash: KASAN: slab-use-after-free Read in v9fs_stat2inode_dotl, types: [KASAN]
# git bisect bad 724a08450f74b02bd89078a596fd24857827c012
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[6bb29327221f66d20013cc26b62d5c261b4d46a7] fs/9p: remove walk and inode allocation from symlink
testing commit 6bb29327221f66d20013cc26b62d5c261b4d46a7 gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0910669e0641aed4e9df74ddf2d96d87c38555769904e2bfce6438dd5307a2f5
all runs: OK
false negative chance: 0.000
# git bisect good 6bb29327221f66d20013cc26b62d5c261b4d46a7
Bisecting: 1 revision left to test after this (roughly 1 step)
[f61c906a7dffaa21b28c52000a75f2c6554a8199] fs/9p: Eliminate now unused v9fs_get_inode
testing commit f61c906a7dffaa21b28c52000a75f2c6554a8199 gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 120f070d892147e18591c4e726d985653d57dfca09f21ea84c2b4629e92e759e
all runs: OK
false negative chance: 0.000
# git bisect good f61c906a7dffaa21b28c52000a75f2c6554a8199
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[b91a26696ef38eae1442aa03104e60bb49d2ac99] fs/9p: rework qid2ino logic
testing commit b91a26696ef38eae1442aa03104e60bb49d2ac99 gcc compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e45d7b18bc564f5fb57f2b84c1d57dec4a8811a2048c13609f04d81dae06c236
all runs: OK
false negative chance: 0.000
# git bisect good b91a26696ef38eae1442aa03104e60bb49d2ac99
724a08450f74b02bd89078a596fd24857827c012 is the first bad commit
commit 724a08450f74b02bd89078a596fd24857827c012
Author: Eric Van Hensbergen
Date:   Fri Jan 5 22:25:39 2024 +0000

    fs/9p: simplify iget to remove unnecessary paths

    Remove the additional comparison operators and switch to simply lookup
    by inode number (aka qid.path).

    Signed-off-by: Eric Van Hensbergen

 fs/9p/v9fs.h           | 31 +++-------------
 fs/9p/v9fs_vfs.h       |  2 +-
 fs/9p/vfs_inode.c      | 98 +++++++++---------------------------------------
 fs/9p/vfs_inode_dotl.c | 92 +++++++++--------------------------------------
 fs/9p/vfs_super.c      |  2 +-
 5 files changed, 45 insertions(+), 180 deletions(-)

accumulated error probability: 0.00
culprit signature: 1508347d73415ffb4231ec5dd43e2327faaba215bcdcf65d1fe48f34c36c6af5
parent signature: e45d7b18bc564f5fb57f2b84c1d57dec4a8811a2048c13609f04d81dae06c236
revisions tested: 22, total time: 8h33m41.399050222s (build: 3h35m13.410159985s, test: 4h20m10.581811175s)
first bad commit: 724a08450f74b02bd89078a596fd24857827c012 fs/9p: simplify iget to remove unnecessary paths
recipients (to): ["asmadeus@codewreck.org" "ericvh@kernel.org" "ericvh@kernel.org" "lucho@ionkov.net" "v9fs@lists.linux.dev"]
recipients (cc): ["linux-kernel@vger.kernel.org" "linux_oss@crudebyte.com"]
crash: KASAN: slab-use-after-free Read in v9fs_stat2inode_dotl
==================================================================
BUG: KASAN: slab-use-after-free in v9fs_stat2inode_dotl+0x9dd/0xb80 fs/9p/vfs_inode_dotl.c:569
Read of size 8 at addr ffff8881169d1770 by task syz-executor.0/1866

CPU: 0 PID: 1866 Comm: syz-executor.0 Not tainted 6.8.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x3d/0x70 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc4/0x620 mm/kasan/report.c:488
 kasan_report+0xda/0x110 mm/kasan/report.c:601
 v9fs_stat2inode_dotl+0x9dd/0xb80 fs/9p/vfs_inode_dotl.c:569
 v9fs_fid_iget_dotl+0x184/0x200 fs/9p/vfs_inode_dotl.c:85
 v9fs_get_inode_from_fid fs/9p/v9fs.h:230 [inline]
 v9fs_mount+0x3ec/0x7d0 fs/9p/vfs_super.c:142
 legacy_get_tree+0x102/0x200 fs/fs_context.c:662
 vfs_get_tree+0x85/0x230 fs/super.c:1784
 do_new_mount fs/namespace.c:3352 [inline]
 path_mount+0x8ec/0x1a70 fs/namespace.c:3679
 do_mount fs/namespace.c:3692 [inline]
 __do_sys_mount fs/namespace.c:3898 [inline]
 __se_sys_mount fs/namespace.c:3875 [inline]
 __x64_sys_mount+0x20c/0x280 fs/namespace.c:3875
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x73/0x180 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7f7c6ef02da9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f7c6ea850c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f7c6f031f80 RCX: 00007f7c6ef02da9
RDX: 0000000020004500 RSI: 00000000200002c0 RDI: 0000000000000000
RBP: 00007f7c6ef4f47a R08: 0000000020000300 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000006 R14: 00007f7c6f031f80 R15: 00007ffc63ea09a8

Allocated by task 1866:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:372 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:389
 kmalloc include/linux/slab.h:590 [inline]
 p9_client_getattr_dotl+0x49/0x260 net/9p/client.c:1726
 v9fs_fid_iget_dotl+0xc2/0x200 fs/9p/vfs_inode_dotl.c:73
 v9fs_get_inode_from_fid fs/9p/v9fs.h:230 [inline]
 v9fs_mount+0x3ec/0x7d0 fs/9p/vfs_super.c:142
 legacy_get_tree+0x102/0x200 fs/fs_context.c:662
 vfs_get_tree+0x85/0x230 fs/super.c:1784
 do_new_mount fs/namespace.c:3352 [inline]
 path_mount+0x8ec/0x1a70 fs/namespace.c:3679
 do_mount fs/namespace.c:3692 [inline]
 __do_sys_mount fs/namespace.c:3898 [inline]
 __se_sys_mount fs/namespace.c:3875 [inline]
 __x64_sys_mount+0x20c/0x280 fs/namespace.c:3875
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x73/0x180 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x6f/0x77

Freed by task 1866:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640
 poison_slab_object mm/kasan/common.c:241 [inline]
 __kasan_slab_free+0x121/0x1c0 mm/kasan/common.c:257
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2121 [inline]
 slab_free mm/slub.c:4299 [inline]
 kfree+0x11b/0x340 mm/slub.c:4409
 v9fs_fid_iget_dotl+0x156/0x200 fs/9p/vfs_inode_dotl.c:81
 v9fs_get_inode_from_fid fs/9p/v9fs.h:230 [inline]
 v9fs_mount+0x3ec/0x7d0 fs/9p/vfs_super.c:142
 legacy_get_tree+0x102/0x200 fs/fs_context.c:662
 vfs_get_tree+0x85/0x230 fs/super.c:1784
 do_new_mount fs/namespace.c:3352 [inline]
 path_mount+0x8ec/0x1a70 fs/namespace.c:3679
 do_mount fs/namespace.c:3692 [inline]
 __do_sys_mount fs/namespace.c:3898 [inline]
 __se_sys_mount fs/namespace.c:3875 [inline]
 __x64_sys_mount+0x20c/0x280 fs/namespace.c:3875
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x73/0x180 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x6f/0x77

The buggy address belongs to the object at ffff8881169d1770
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 0 bytes inside of
 freed 192-byte region [ffff8881169d1770, ffff8881169d1830)

The buggy address belongs to the physical page:
page:ffffea00045a7440 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1169d1
flags: 0x200000000000800(slab|node=0|zone=2)
page_type: 0xffffffff()
raw: 0200000000000800 ffff888100041a00 dead000000000122 0000000000000000
raw: 0000000000000000 00000000800f000f 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 1411, tgid 1411 (syz-executor.0), ts 51147176492, free_ts 51146933134
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x283/0x300 mm/page_alloc.c:1533
 prep_new_page mm/page_alloc.c:1540 [inline]
 get_page_from_freelist+0xeb8/0x3700 mm/page_alloc.c:3311
 __alloc_pages+0x346/0x5e0 mm/page_alloc.c:4567
 __alloc_pages_node include/linux/gfp.h:238 [inline]
 alloc_pages_node include/linux/gfp.h:261 [inline]
 alloc_slab_page mm/slub.c:2190 [inline]
 allocate_slab+0xa3/0x340 mm/slub.c:2354
 new_slab mm/slub.c:2407 [inline]
 ___slab_alloc+0x853/0x13e0 mm/slub.c:3540
 __slab_alloc.constprop.0+0x4d/0x90 mm/slub.c:3625
 __slab_alloc_node mm/slub.c:3678 [inline]
 slab_alloc_node mm/slub.c:3850 [inline]
 __do_kmalloc_node mm/slub.c:3980 [inline]
 __kmalloc_node+0x39e/0x4c0 mm/slub.c:3988
 kmalloc_array_node include/linux/slab.h:688 [inline]
 kcalloc_node include/linux/slab.h:693 [inline]
 memcg_alloc_slab_cgroups+0xa9/0x180 mm/memcontrol.c:2988
 __memcg_slab_post_alloc_hook+0xa4/0x2b0 mm/slub.c:1970
 memcg_slab_post_alloc_hook mm/slub.c:1993 [inline]
 slab_post_alloc_hook mm/slub.c:3822 [inline]
 slab_alloc_node mm/slub.c:3860 [inline]
 kmem_cache_alloc+0x37d/0x390 mm/slub.c:3867
 dup_fd+0x7b/0xab0 fs/file.c:324
 copy_files kernel/fork.c:1788 [inline]
 copy_process+0x1ee5/0x93a0 kernel/fork.c:2484
 kernel_clone+0xcb/0x7e0 kernel/fork.c:2901
 __do_sys_clone+0xa1/0xe0 kernel/fork.c:3044
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x73/0x180 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x6f/0x77
page last free pid 1411 tgid 1411 stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1140 [inline]
 free_unref_page_prepare+0x543/0xb10 mm/page_alloc.c:2346
 free_unref_page+0x33/0x2a0 mm/page_alloc.c:2486
 vfree mm/vmalloc.c:2842 [inline]
 vfree+0x27c/0x9c0 mm/vmalloc.c:2807
 copy_entries_to_user net/ipv6/netfilter/ip6_tables.c:882 [inline]
 get_entries net/ipv6/netfilter/ip6_tables.c:1039 [inline]
 do_ip6t_get_ctl+0x98a/0xd10 net/ipv6/netfilter/ip6_tables.c:1669
 nf_getsockopt+0x5e/0xc0 net/netfilter/nf_sockopt.c:116
 ipv6_getsockopt+0x178/0x1d0 net/ipv6/ipv6_sockglue.c:1488
 do_sock_getsockopt+0x1fc/0x2f0 net/socket.c:2373
 __sys_getsockopt+0xf6/0x1b0 net/socket.c:2402
 __do_sys_getsockopt net/socket.c:2412 [inline]
 __se_sys_getsockopt net/socket.c:2409 [inline]
 __x64_sys_getsockopt+0xb8/0x150 net/socket.c:2409
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x73/0x180 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x6f/0x77

Memory state around the buggy address:
 ffff8881169d1600: 00 fc fc fc fc fc fc fc fc fc fc fc 00 00 00 00
 ffff8881169d1680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8881169d1700: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fa fb
                                                             ^
 ffff8881169d1780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881169d1800: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
==================================================================
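The three stacks in the report line up as one sequence inside v9fs_fid_iget_dotl: the stat buffer is kmalloc'd by p9_client_getattr_dotl (vfs_inode_dotl.c:73), kfree'd (:81), and then read by v9fs_stat2inode_dotl (:85, the faulting read at :569). The C program below is an added illustration of that alloc/free/use ordering, not code from the kernel or from the 9p maintainers. It runs the free-then-use sequence against a tiny pool allocator that poisons freed slots with 0xfb (the byte KASAN's shadow map shows above for freed slab memory) and refuses reads of dead slots, then runs the use-then-free sequence on the same pool. The mock_* names, the struct layouts and the constructed attribute values are assumptions made for the example; the corrected ordering is this example's reordering and says nothing about how the upstream fix was written.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Pool standing in for the kmalloc-192 cache named in the report. Freed slots
 * are poisoned with KASAN's freed-slab byte and tracked so a later read of the
 * slot can be reported instead of silently returning stale or poisoned data. */
#define POOL_SLOTS   4
#define SLOT_SIZE    192
#define POISON_FREED 0xfb

static unsigned char pool[POOL_SLOTS][SLOT_SIZE];
static int slot_live[POOL_SLOTS];

static int slot_of(const void *p)
{
    for (int i = 0; i < POOL_SLOTS; i++)
        if (p == (const void *)pool[i])
            return i;
    return -1;
}

static void *mock_kmalloc(void)
{
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (!slot_live[i]) {
            slot_live[i] = 1;
            memset(pool[i], 0, SLOT_SIZE);
            return pool[i];
        }
    }
    return NULL;
}

static void mock_kfree(void *p)
{
    int i = slot_of(p);
    if (i >= 0) {
        slot_live[i] = 0;
        memset(pool[i], POISON_FREED, SLOT_SIZE);
    }
}

static int is_live(const void *p)
{
    int i = slot_of(p);
    return i >= 0 && slot_live[i];
}

/* Assumed, simplified layouts; not the kernel's p9_stat_dotl or struct inode. */
struct mock_stat_dotl { uint64_t qid_path; uint32_t st_mode; uint64_t st_size; };
struct mock_inode     { uint64_t i_ino;    uint32_t i_mode;  uint64_t i_size;  };

/* Stand-in for p9_client_getattr_dotl: returns a caller-owned buffer filled
 * with constructed attribute values (no real 9p server is involved). */
static struct mock_stat_dotl *mock_getattr(uint64_t qid_path)
{
    struct mock_stat_dotl *st = mock_kmalloc();
    if (!st)
        return NULL;
    st->qid_path = qid_path;
    st->st_mode = 040755;
    st->st_size = 4096;
    return st;
}

/* Stand-in for v9fs_stat2inode_dotl. The is_live() check plays KASAN's role:
 * a read through a freed buffer is reported (-1) rather than performed. */
static int mock_stat2inode(const struct mock_stat_dotl *st, struct mock_inode *inode)
{
    if (!is_live(st)) {
        fprintf(stderr, "use-after-free read of stat buffer %p\n", (const void *)st);
        return -1;
    }
    inode->i_ino = st->qid_path;
    inode->i_mode = st->st_mode;
    inode->i_size = st->st_size;
    return 0;
}

/* The ordering the report shows: kfree (vfs_inode_dotl.c:81) happens before
 * the read inside v9fs_stat2inode_dotl (:85 -> :569). */
static int iget_free_then_use(uint64_t qid_path, struct mock_inode *out)
{
    struct mock_stat_dotl *st = mock_getattr(qid_path);
    if (!st)
        return -2;
    mock_kfree(st);
    return mock_stat2inode(st, out);
}

/* This example's corrected ordering: consume the buffer, then release it. */
static int iget_use_then_free(uint64_t qid_path, struct mock_inode *out)
{
    struct mock_stat_dotl *st = mock_getattr(qid_path);
    if (!st)
        return -2;
    int ret = mock_stat2inode(st, out);
    mock_kfree(st);
    return ret;
}

/* Returns 1 when the freed-buffer read is caught and the corrected ordering
 * populates the inode from the same qid, 0 otherwise. */
static int ordering_check(uint64_t qid_path)
{
    struct mock_inode in = {0};
    int caught = iget_free_then_use(qid_path, &in) == -1;
    int fixed = iget_use_then_free(qid_path, &in) == 0 && in.i_ino == qid_path;
    return caught && fixed;
}

int main(void)
{
    printf("ordering_check: %d\n", ordering_check(0x1234));
    return 0;
}
```

The pool frees and reallocates the same slot for both runs, which mirrors why a freed slab object is dangerous in the real kernel: the next kmalloc of the same size can hand the region to an unrelated caller, so the "read" at :569 sees whatever that caller wrote. The page poisons and refuses instead, which is the behaviour KASAN gives a debug kernel and a production kernel does not have.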