bisecting cause commit starting from 6d0c806803170f120f8cb97b321de7bd89d3a791 building syzkaller on 0d5abf15b74358009a02efb629f7bc7c84841a1f testing commit 6d0c806803170f120f8cb97b321de7bd89d3a791 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: b63cd1ab69b7751551da8a73721e3a75d864f21434cc68adc25ccec63d708190 run #0: crashed: WARNING in exit_tasks_rcu_finish run #1: crashed: WARNING in exit_tasks_rcu_finish run #2: crashed: WARNING in exit_tasks_rcu_finish run #3: crashed: WARNING in exit_tasks_rcu_finish run #4: crashed: WARNING in exit_tasks_rcu_finish run #5: crashed: WARNING in exit_tasks_rcu_finish run #6: crashed: WARNING in exit_tasks_rcu_finish run #7: crashed: WARNING in exit_tasks_rcu_finish run #8: crashed: WARNING in exit_tasks_rcu_finish run #9: crashed: WARNING in exit_tasks_rcu_finish run #10: crashed: WARNING in exit_tasks_rcu_finish run #11: crashed: WARNING in exit_tasks_rcu_finish run #12: crashed: WARNING in exit_tasks_rcu_finish run #13: crashed: WARNING in exit_tasks_rcu_finish run #14: crashed: WARNING in exit_tasks_rcu_finish run #15: crashed: WARNING in exit_tasks_rcu_finish run #16: crashed: WARNING in exit_tasks_rcu_finish run #17: crashed: WARNING in exit_tasks_rcu_finish run #18: crashed: WARNING in exit_tasks_rcu_finish run #19: OK testing release v5.18 testing commit 4b0986a3613c92f4ec1bdc7f60ec66fea135991f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 6c831aa045469e1c6fe62d7fa55f6d977923cb3d03017a3674bfa6f094c7bcab all runs: OK # git bisect start 6d0c806803170f120f8cb97b321de7bd89d3a791 4b0986a3613c92f4ec1bdc7f60ec66fea135991f Bisecting: 8633 revisions left to test after this (roughly 13 steps) [c011dd537ffe47462051930413fed07dbdc80313] Merge tag 'arm-soc-5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit c011dd537ffe47462051930413fed07dbdc80313 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 341c39a9d7e9e989cce21c48a1926074e52ebd76b96847a50b3445e971e50a3b all runs: OK # git bisect good c011dd537ffe47462051930413fed07dbdc80313 Bisecting: 4315 revisions left to test after this (roughly 12 steps) [09a018176ba246f00d6b6b526047d38dcd2955d3] Merge tag 'arm-late-5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit 09a018176ba246f00d6b6b526047d38dcd2955d3 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: deb9e0062bc8738d38d814b850284bdd9387fca2f36424f58722c2e1c88fdcb6 all runs: OK # git bisect good 09a018176ba246f00d6b6b526047d38dcd2955d3 Bisecting: 2157 revisions left to test after this (roughly 11 steps) [418c23681c885acda426639ece844738df890002] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap.git testing commit 418c23681c885acda426639ece844738df890002 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 4deafc04a3f1f6755324ebe4c18fda8383ed63015e05201edded7e4f909dec76 run #0: boot failed: INFO: task hung in add_early_randomness run #1: boot failed: INFO: task hung in add_early_randomness run #2: boot failed: INFO: task hung in add_early_randomness run #3: boot failed: INFO: task hung in add_early_randomness run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 418c23681c885acda426639ece844738df890002 Bisecting: 1032 revisions left to test after this (roughly 10 steps) [782e6d3d515ec3e2034c50c8c4a5fc54b264fbad] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git testing commit 782e6d3d515ec3e2034c50c8c4a5fc54b264fbad compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 3c772220a2c309085c56ab3a772c4645472c9de2c8297a2b63915d94985585dd run #0: OK run #1: boot failed: INFO: task hung in add_early_randomness run #2: boot failed: INFO: task hung in add_early_randomness run #3: boot failed: INFO: task hung in add_early_randomness run #4: boot failed: INFO: task hung in add_early_randomness run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 782e6d3d515ec3e2034c50c8c4a5fc54b264fbad Bisecting: 531 revisions left to test after this (roughly 9 steps) [2c10926c279fdcfe3bce8e51d2584c6346400f4e] Merge branch 'extcon-next' of git://git.kernel.org/pub/scm/linux/kernel/git/chanwoo/extcon.git testing commit 2c10926c279fdcfe3bce8e51d2584c6346400f4e compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 78881d93bd4892b9a26042e837da09187ac9326215fded41426dfb03e465b82e run #0: crashed: WARNING in exit_tasks_rcu_finish run #1: crashed: WARNING in exit_tasks_rcu_finish run #2: crashed: WARNING in exit_tasks_rcu_finish run #3: crashed: WARNING in exit_tasks_rcu_finish run #4: boot failed: INFO: task hung in add_early_randomness run #5: boot failed: INFO: task hung in add_early_randomness run #6: boot failed: INFO: task hung in add_early_randomness run #7: boot failed: INFO: task hung in add_early_randomness run #8: boot failed: INFO: task hung in add_early_randomness run #9: OK # git bisect bad 2c10926c279fdcfe3bce8e51d2584c6346400f4e Bisecting: 200 revisions left to test after this (roughly 8 steps) [3f96e4f84808629d4951d957d01ca7c12290802b] Merge branch 'rcu/next' of git://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu.git testing commit 3f96e4f84808629d4951d957d01ca7c12290802b compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 984e8c0146f52e227e6932fb0e982fbd5c7f0b7adcc13a8b2d6d1717d13983b4 run #0: crashed: WARNING in exit_tasks_rcu_finish run #1: crashed: WARNING in exit_tasks_rcu_finish run #2: crashed: WARNING in exit_tasks_rcu_finish run #3: crashed: WARNING in exit_tasks_rcu_finish run #4: crashed: WARNING in exit_tasks_rcu_finish run #5: boot failed: INFO: task hung in add_early_randomness run #6: boot failed: INFO: task hung in add_early_randomness run #7: boot failed: INFO: task hung in add_early_randomness run #8: OK run #9: OK # git bisect bad 3f96e4f84808629d4951d957d01ca7c12290802b Bisecting: 153 revisions left to test after this (roughly 7 steps) [e0db80d2b59a78101576f3eb763f5048c90ea201] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi.git testing commit e0db80d2b59a78101576f3eb763f5048c90ea201 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: cdf7dbc279bcbac229b748c3066a9fb9d8068eaca7670c6a2acae04aef892813 run #0: boot failed: INFO: task hung in add_early_randomness run #1: boot failed: INFO: task hung in add_early_randomness run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good e0db80d2b59a78101576f3eb763f5048c90ea201 Bisecting: 76 revisions left to test after this (roughly 6 steps) [d4c8263876fccd00f778312c7a01f3ba3b2a9efa] tools/nolibc: fix the makefile to also work as "make -C tools ..." testing commit d4c8263876fccd00f778312c7a01f3ba3b2a9efa compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 3a860bee53d450eae2b90150d2bd646b8900064da688035cecd35088105277f6 all runs: OK # git bisect good d4c8263876fccd00f778312c7a01f3ba3b2a9efa Bisecting: 32 revisions left to test after this (roughly 5 steps) [77aaa2e3ce5f29504ef8a72d5e8562e009e2f57d] Merge branch 'edac-for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/ras/ras.git testing commit 77aaa2e3ce5f29504ef8a72d5e8562e009e2f57d compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 0dc7d6b5c3c5e6a025ccbbbae7bc1a0a0bdea0076fb2336f9e97531d44e4d743 run #0: boot failed: INFO: task hung in add_early_randomness run #1: boot failed: INFO: task hung in add_early_randomness run #2: boot failed: INFO: task hung in add_early_randomness run #3: boot failed: INFO: task hung in add_early_randomness run #4: boot failed: INFO: task hung in add_early_randomness run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 77aaa2e3ce5f29504ef8a72d5e8562e009e2f57d Bisecting: 16 revisions left to test after this (roughly 4 steps) [8b2db54f7980bc289747a3041cb2902be117671e] rcu-tasks: Make RCU Tasks Trace stall warnings print full .b.need_qs field testing commit 8b2db54f7980bc289747a3041cb2902be117671e compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 7de4457a2a32141aa796bcf6bc7840624b2be3eb1159283a98406267eb2f7bb8 all runs: OK # git bisect good 8b2db54f7980bc289747a3041cb2902be117671e Bisecting: 8 revisions left to test after this (roughly 3 steps) [dbb21fa6eddb3b9a143a7313b210e343111b5736] rcu-tasks: Scan running tasks for RCU Tasks Trace readers testing commit dbb21fa6eddb3b9a143a7313b210e343111b5736 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 1ad0833f3f83c162be586e9d7d032c55ee008021e35b045555d32cc1b55804f3 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe run #1: crashed: WARNING in exit_tasks_rcu_finish run #2: crashed: WARNING in exit_tasks_rcu_finish run #3: crashed: WARNING in exit_tasks_rcu_finish run #4: crashed: WARNING in exit_tasks_rcu_finish run #5: crashed: WARNING in exit_tasks_rcu_finish run #6: crashed: WARNING in exit_tasks_rcu_finish run #7: crashed: WARNING in exit_tasks_rcu_finish run #8: crashed: WARNING in exit_tasks_rcu_finish run #9: OK # git bisect bad dbb21fa6eddb3b9a143a7313b210e343111b5736 Bisecting: 3 revisions left to test after this (roughly 2 steps) [96102856a205a4cae8b18b468209127478176860] rcu-tasks: Untrack blocked RCU Tasks Trace at reader end testing commit 96102856a205a4cae8b18b468209127478176860 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 170448d4a75dae52b4024447b04bfdc8bcb8a71a2507840ebc3ff9df7a0140ad run #0: crashed: WARNING in exit_tasks_rcu_finish run #1: crashed: WARNING in exit_tasks_rcu_finish run #2: crashed: WARNING in exit_tasks_rcu_finish run #3: crashed: WARNING in exit_tasks_rcu_finish run #4: crashed: WARNING in exit_tasks_rcu_finish run #5: crashed: WARNING in exit_tasks_rcu_finish run #6: crashed: WARNING in exit_tasks_rcu_finish run #7: crashed: WARNING in exit_tasks_rcu_finish run #8: OK run #9: OK # git bisect bad 96102856a205a4cae8b18b468209127478176860 Bisecting: 1 revision left to test after this (roughly 1 step) [c3b95b019d4cec6c1fd2bee3c6f9d8d804892c30] rcu-tasks: Add data structures for lightweight grace periods testing commit c3b95b019d4cec6c1fd2bee3c6f9d8d804892c30 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 200c6a2f9f0f404ce1466b830c5cd853b2c639211cc3b0edb71e08ee66ca79cc all runs: OK # git bisect good c3b95b019d4cec6c1fd2bee3c6f9d8d804892c30 Bisecting: 0 revisions left to test after this (roughly 0 steps) [09f110d4a1597185a5ed177da8573eec997b7227] rcu-tasks: Track blocked RCU Tasks Trace readers testing commit 09f110d4a1597185a5ed177da8573eec997b7227 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: dc7613109cd10bbda7ffdf4c3aa035bc73f2bdaaece2e41600c3c67bceb57e58 all runs: crashed: KASAN: use-after-free Read in rcu_tasks_trace_qs_blkd # git bisect bad 09f110d4a1597185a5ed177da8573eec997b7227 09f110d4a1597185a5ed177da8573eec997b7227 is the first bad commit commit 09f110d4a1597185a5ed177da8573eec997b7227 Author: Paul E. McKenney Date: Tue May 17 11:30:32 2022 -0700 rcu-tasks: Track blocked RCU Tasks Trace readers This commit places any task that has ever blocked within its current RCU Tasks Trace read-side critcial section on a per-CPU list within the rcu_tasks_percpu structure. Tasks are removed from this list when they exit by the exit_tasks_rcu_finish_trace() function. [ paulmck: Apply kernel test robot feedback. ] Signed-off-by: Paul E. McKenney Cc: Neeraj Upadhyay Cc: Eric Dumazet Cc: Alexei Starovoitov Cc: Andrii Nakryiko Cc: Martin KaFai Lau Cc: KP Singh include/linux/rcupdate.h | 11 +++++++++-- kernel/rcu/tasks.h | 22 +++++++++++++++++++++- 2 files changed, 30 insertions(+), 3 deletions(-) culprit signature: dc7613109cd10bbda7ffdf4c3aa035bc73f2bdaaece2e41600c3c67bceb57e58 parent signature: 200c6a2f9f0f404ce1466b830c5cd853b2c639211cc3b0edb71e08ee66ca79cc revisions tested: 16, total time: 4h41m42.167518888s (build: 1h49m41.506390029s, test: 2h50m11.128770122s) first bad commit: 09f110d4a1597185a5ed177da8573eec997b7227 rcu-tasks: Track blocked RCU Tasks Trace readers recipients (to): ["linux-kernel@vger.kernel.org" "paulmck@kernel.org"] recipients (cc): ["frederic@kernel.org" "jiangshanlai@gmail.com" "joel@joelfernandes.org" "josh@joshtriplett.org" "mathieu.desnoyers@efficios.com" "paulmck@kernel.org" "quic_neeraju@quicinc.com" "rcu@vger.kernel.org" "rostedt@goodmis.org"] crash: KASAN: use-after-free Read in rcu_tasks_trace_qs_blkd ================================================================== BUG: KASAN: use-after-free in __list_add_valid+0x81/0xa0 lib/list_debug.c:23 Read of size 8 at addr ffff88806a383ea8 by task syz-executor.2/11107 CPU: 0 PID: 11107 Comm: syz-executor.2 Not tainted 5.18.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106 print_address_description.constprop.0.cold+0xeb/0x495 mm/kasan/report.c:313 print_report mm/kasan/report.c:429 [inline] kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491 __list_add_valid+0x81/0xa0 lib/list_debug.c:23 __list_add include/linux/list.h:69 [inline] list_add include/linux/list.h:88 [inline] rcu_tasks_trace_qs_blkd+0xf0/0x310 kernel/rcu/tasks.h:1278 rcu_note_context_switch+0xe64/0x1840 kernel/rcu/tree_plugin.h:357 __schedule+0x236/0x4900 kernel/sched/core.c:6279 preempt_schedule_common+0x45/0xc0 kernel/sched/core.c:6547 preempt_schedule_thunk+0x16/0x18 arch/x86/entry/thunk_64.S:35 migrate_disable+0x113/0x160 kernel/sched/core.c:2239 bpf_prog_run_pin_on_cpu include/linux/filter.h:651 [inline] bpf_prog_test_run_syscall+0x299/0x660 net/bpf/test_run.c:1565 bpf_prog_test_run kernel/bpf/syscall.c:3369 [inline] __sys_bpf+0x1840/0x4360 kernel/bpf/syscall.c:4681 __do_sys_bpf kernel/bpf/syscall.c:4767 [inline] __se_sys_bpf kernel/bpf/syscall.c:4765 [inline] __x64_sys_bpf+0x70/0xb0 kernel/bpf/syscall.c:4765 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f840de89109 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f840d5fe168 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 00007f840df9bf60 RCX: 00007f840de89109 RDX: 0000000000000048 RSI: 0000000020000500 RDI: 000000000000000a RBP: 00007f840dee30ad R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffd3184b3df R14: 00007f840d5fe300 R15: 0000000000022000 Allocated by task 11050: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:45 [inline] set_alloc_info mm/kasan/common.c:436 [inline] __kasan_slab_alloc+0x90/0xc0 mm/kasan/common.c:469 kasan_slab_alloc include/linux/kasan.h:224 [inline] slab_post_alloc_hook mm/slab.h:749 [inline] slab_alloc_node mm/slub.c:3217 [inline] kmem_cache_alloc_node+0x255/0x3f0 mm/slub.c:3267 alloc_task_struct_node kernel/fork.c:172 [inline] dup_task_struct kernel/fork.c:970 [inline] copy_process+0x46a/0x6960 kernel/fork.c:2069 kernel_clone+0xb8/0x7f0 kernel/fork.c:2640 __do_sys_clone+0xaf/0xf0 kernel/fork.c:2757 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Freed by task 4027: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track+0x21/0x30 mm/kasan/common.c:45 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370 ____kasan_slab_free mm/kasan/common.c:366 [inline] ____kasan_slab_free+0x166/0x1a0 mm/kasan/common.c:328 kasan_slab_free include/linux/kasan.h:200 [inline] slab_free_hook mm/slub.c:1728 [inline] slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1754 slab_free mm/slub.c:3510 [inline] kmem_cache_free+0xdd/0x5a0 mm/slub.c:3527 rcu_do_batch kernel/rcu/tree.c:2662 [inline] rcu_core+0x7b5/0x18a0 kernel/rcu/tree.c:2922 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558 Last potentially related work creation: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 __kasan_record_aux_stack+0xbe/0xd0 mm/kasan/generic.c:348 call_rcu+0x99/0x790 kernel/rcu/tree.c:3210 context_switch kernel/sched/core.c:5076 [inline] __schedule+0xa62/0x4900 kernel/sched/core.c:6382 schedule+0xd2/0x1f0 kernel/sched/core.c:6454 freezable_schedule include/linux/freezer.h:172 [inline] do_nanosleep+0x20d/0x5b0 kernel/time/hrtimer.c:2044 hrtimer_nanosleep+0x1ac/0x3b0 kernel/time/hrtimer.c:2097 common_nsleep+0x74/0xb0 kernel/time/posix-timers.c:1227 __do_sys_clock_nanosleep kernel/time/posix-timers.c:1267 [inline] __se_sys_clock_nanosleep kernel/time/posix-timers.c:1245 [inline] __x64_sys_clock_nanosleep+0x256/0x3b0 kernel/time/posix-timers.c:1245 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Second to last potentially related work creation: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 __kasan_record_aux_stack+0xbe/0xd0 mm/kasan/generic.c:348 call_rcu+0x99/0x790 kernel/rcu/tree.c:3210 release_task+0xb5e/0x14d0 kernel/exit.c:229 wait_task_zombie kernel/exit.c:1111 [inline] wait_consider_task+0x28db/0x3530 kernel/exit.c:1338 do_wait_thread kernel/exit.c:1401 [inline] do_wait+0x63e/0xaa0 kernel/exit.c:1518 kernel_wait4+0xee/0x1c0 kernel/exit.c:1681 __do_sys_wait4+0xe8/0x100 kernel/exit.c:1709 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae The buggy address belongs to the object at ffff88806a383a00 which belongs to the cache task_struct of size 7168 The buggy address is located 1192 bytes inside of 7168-byte region [ffff88806a383a00, ffff88806a385600) The buggy address belongs to the physical page: page:ffffea0001a8e000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6a380 head:ffffea0001a8e000 order:3 compound_mapcount:0 compound_pincount:0 memcg:ffff88807b483cc1 flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000010200 ffffea00019a4c00 dead000000000002 ffff888140006280 raw: 0000000000000000 0000000000040004 00000001ffffffff ffff88807b483cc1 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 4330, tgid 4330 (syz-executor.1), ts 73526954802, free_ts 9008369052 prep_new_page mm/page_alloc.c:2441 [inline] get_page_from_freelist+0x178d/0x3da0 mm/page_alloc.c:4182 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5408 alloc_slab_page mm/slub.c:1799 [inline] allocate_slab+0x26c/0x3c0 mm/slub.c:1944 new_slab mm/slub.c:2004 [inline] ___slab_alloc+0x8e1/0xf20 mm/slub.c:3005 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3092 slab_alloc_node mm/slub.c:3183 [inline] kmem_cache_alloc_node+0x122/0x3f0 mm/slub.c:3267 alloc_task_struct_node kernel/fork.c:172 [inline] dup_task_struct kernel/fork.c:970 [inline] copy_process+0x46a/0x6960 kernel/fork.c:2069 kernel_clone+0xb8/0x7f0 kernel/fork.c:2640 __do_sys_clone+0xaf/0xf0 kernel/fork.c:2757 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1356 [inline] free_pcp_prepare+0x549/0xd20 mm/page_alloc.c:1406 free_unref_page_prepare mm/page_alloc.c:3328 [inline] free_unref_page+0x19/0x690 mm/page_alloc.c:3423 free_contig_range+0xb1/0x180 mm/page_alloc.c:9418 destroy_args+0x7e/0x503 mm/debug_vm_pgtable.c:1018 debug_vm_pgtable+0x1fc8/0x204c mm/debug_vm_pgtable.c:1332 do_one_initcall+0xbe/0x440 init/main.c:1298 do_initcall_level init/main.c:1371 [inline] do_initcalls init/main.c:1387 [inline] do_basic_setup init/main.c:1406 [inline] kernel_init_freeable+0x5ab/0x605 init/main.c:1613 kernel_init+0x14/0x130 init/main.c:1502 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298 Memory state around the buggy address: ffff88806a383d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88806a383e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88806a383e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88806a383f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88806a383f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================