ci starts bisection 2023-03-29 22:39:26.878298187 +0000 UTC m=+36907.324646162
bisecting cause commit starting from 198925fae644b0099b66fac1d972721e6e563b17
building syzkaller on f325deb023e4e2fb9197004be1b3da738680429c
ensuring issue is reproducible on original commit 198925fae644b0099b66fac1d972721e6e563b17

testing commit 198925fae644b0099b66fac1d972721e6e563b17 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: d7daf129e16532759c665a9504d91d176491f794830140238b59a84d1c9c546f
run #0: crashed: KASAN: slab-use-after-free Read in class_register
run #1: crashed: KASAN: slab-use-after-free Read in class_register
run #2: crashed: KASAN: slab-use-after-free Read in class_register
run #3: crashed: KASAN: slab-use-after-free Read in class_register
run #4: crashed: KASAN: slab-use-after-free Read in class_register
run #5: crashed: KASAN: slab-use-after-free Read in class_register
run #6: crashed: WARNING in class_register
run #7: crashed: WARNING in class_register
run #8: crashed: WARNING in class_register
run #9: crashed: WARNING in class_register
run #10: crashed: WARNING in class_register
run #11: crashed: WARNING in class_register
run #12: crashed: KASAN: slab-use-after-free Read in class_register
run #13: crashed: KASAN: slab-use-after-free Read in class_register
run #14: crashed: WARNING in class_register
run #15: crashed: WARNING in class_register
run #16: crashed: WARNING in class_register
run #17: crashed: WARNING in class_register
run #18: crashed: WARNING in class_register
run #19: crashed: WARNING in class_register
testing release v6.2
testing commit c9c3395d5e3dcc6daee66c6908354d47bf98cb0c gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 07c5600bf9be8c62b2568f551a9b35d87d806c4d2247f6aeb95d7530163e49e6
all runs: OK
# git bisect start 198925fae644b0099b66fac1d972721e6e563b17 c9c3395d5e3dcc6daee66c6908354d47bf98cb0c
Bisecting: 11189 revisions left to test after this (roughly 14 steps)
[61fc1ee8be26bc192d691932b0a67eabee45d12f] riscv: Bump COMMAND_LINE_SIZE value to 1024
testing commit 61fc1ee8be26bc192d691932b0a67eabee45d12f gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: fad239eb665f50de5daa46471fe5978b1adbd9c1f46486fef3e4d9caacd26a19
all runs: OK
# git bisect good 61fc1ee8be26bc192d691932b0a67eabee45d12f
Bisecting: 5603 revisions left to test after this (roughly 13 steps)
[fb240b4570698e1215df5baa0d6410bc5cf2320c] Merge branch 'dev' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git
testing commit fb240b4570698e1215df5baa0d6410bc5cf2320c gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: ff2b3b7715803bd8dadf6f7973655f67d2c158115f388a663a118c3458eec321
all runs: OK
# git bisect good fb240b4570698e1215df5baa0d6410bc5cf2320c
Bisecting: 2807 revisions left to test after this (roughly 12 steps)
[dafd64d11985f41df2e51e8fc78dc851e7e8a379] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap.git
testing commit dafd64d11985f41df2e51e8fc78dc851e7e8a379 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: a0e60f76b5d53032783e34a3ac23060714b396e816d6e5593ebb8525e630682c
all runs: OK
# git bisect good dafd64d11985f41df2e51e8fc78dc851e7e8a379
Bisecting: 1395 revisions left to test after this (roughly 11 steps)
[a34941588e3abfa07aa794b6df20f743d0998b4c] Merge branch 'rcu/next' of git://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu.git
testing commit a34941588e3abfa07aa794b6df20f743d0998b4c gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: b268a8b8a91376e402176de4dd464cd0a9ae8a494490494f13b5a8caed224ce4
all runs: OK
# git bisect good a34941588e3abfa07aa794b6df20f743d0998b4c
Bisecting: 687 revisions left to test after this (roughly 10 steps)
[647d4821589b32424cb570cff3fe6924bd4dc4f6] Merge branch 'staging-next' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git
testing commit 647d4821589b32424cb570cff3fe6924bd4dc4f6 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 50c7e88d3b24209d7f00a7ffb249c31f38fa6b00c64dc86d317a18ae21408db4
run #0: crashed: WARNING in class_register
run #1: crashed: KASAN: slab-use-after-free Read in class_register
run #2: crashed: WARNING in class_register
run #3: crashed: WARNING in class_register
run #4: crashed: KASAN: slab-out-of-bounds Read in class_register
run #5: crashed: WARNING in class_register
run #6: crashed: WARNING in class_register
run #7: crashed: KASAN: slab-use-after-free Read in class_register
run #8: crashed: KASAN: slab-use-after-free Read in class_register
run #9: crashed: KASAN: slab-use-after-free Read in class_register
# git bisect bad 647d4821589b32424cb570cff3fe6924bd4dc4f6
Bisecting: 333 revisions left to test after this (roughly 9 steps)
[0e685f727c3bf63dd7c0a63f7b6cf31429e341b6] Merge branch 'usb-next' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git
testing commit 0e685f727c3bf63dd7c0a63f7b6cf31429e341b6 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 2d64ce3aebcd223dae0bbe1402eaeaef7bdcd0e023e058e68941d900cc171afe
run #0: crashed: KASAN: slab-use-after-free Read in class_register
run #1: crashed: WARNING in class_register
run #2: crashed: WARNING in class_register
run #3: crashed: KASAN: slab-use-after-free Read in class_register
run #4: crashed: KASAN: slab-use-after-free Read in class_register
run #5: crashed: WARNING in class_register
run #6: crashed: WARNING in class_register
run #7: crashed: WARNING in class_register
run #8: crashed: KASAN: slab-use-after-free Read in class_register
run #9: crashed: KASAN: slab-use-after-free Read in class_register
# git bisect bad 0e685f727c3bf63dd7c0a63f7b6cf31429e341b6
Bisecting: 187 revisions left to test after this (roughly 8 steps)
[a5a5d3ae54e23a7b7e229f9f354fe7d934d4a229] Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86.git
testing commit a5a5d3ae54e23a7b7e229f9f354fe7d934d4a229 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: d2489e51986805109c4ed4302ef44cfd340fad456ed48302090b589539df5df2
all runs: OK
# git bisect good a5a5d3ae54e23a7b7e229f9f354fe7d934d4a229
Bisecting: 84 revisions left to test after this (roughly 7 steps)
[d682605ab5bbb1611ed0b27aa261543b8809f7d6] Merge branch 'driver-core-next' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core.git
testing commit d682605ab5bbb1611ed0b27aa261543b8809f7d6 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: d914327032247a90ba9c074a819ac763335d8b9196b00f521d85ded189bfec24
run #0: crashed: WARNING in class_register
run #1: crashed: KASAN: slab-use-after-free Read in class_register
run #2: crashed: KASAN: slab-use-after-free Read in class_register
run #3: crashed: KASAN: slab-use-after-free Read in class_register
run #4: crashed: KASAN: slab-use-after-free Read in class_register
run #5: crashed: KASAN: slab-use-after-free Read in class_register
run #6: crashed: KFENCE: use-after-free in class_register
run #7: crashed: KASAN: slab-use-after-free Read in class_register
run #8: crashed: WARNING in class_register
run #9: crashed: WARNING in class_register
# git bisect bad d682605ab5bbb1611ed0b27aa261543b8809f7d6
Bisecting: 51 revisions left to test after this (roughly 6 steps)
[c28dd08ef713d2127c5bad3f3e0e93d6ec0309a2] driver core: make the bus_type in struct device_driver constant
testing commit c28dd08ef713d2127c5bad3f3e0e93d6ec0309a2 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 152bc3b0bf87b78af3b4ebd854740992c4cc26ec360ad9a962e7ceea57ef6138
all runs: OK
# git bisect good c28dd08ef713d2127c5bad3f3e0e93d6ec0309a2
Bisecting: 25 revisions left to test after this (roughly 5 steps)
[2f9e87f5a2941b259336c7ea6c5a1499ede4554a] driver core: Add a comment to set_primary_fwnode() on nullifying
testing commit 2f9e87f5a2941b259336c7ea6c5a1499ede4554a gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: d76e528d128f53b63b2d19336094ac1dc90ba27a8d9d9751da3a29f850a9825d
run #0: crashed: WARNING in class_register
run #1: crashed: KASAN: slab-use-after-free Read in class_register
run #2: crashed: KASAN: slab-use-after-free Read in class_register
run #3: crashed: WARNING in class_register
run #4: crashed: WARNING in class_register
run #5: crashed: WARNING in class_register
run #6: crashed: WARNING in class_register
run #7: crashed: KASAN: slab-use-after-free Read in class_register
run #8: crashed: WARNING in class_register
run #9: crashed: WARNING in class_register
# git bisect bad 2f9e87f5a2941b259336c7ea6c5a1499ede4554a
Bisecting: 12 revisions left to test after this (roughly 4 steps)
[f43243c66e5e9ad839d235f82a58e73a7e7612af] driver core: device.h: remove extern from function prototypes
testing commit f43243c66e5e9ad839d235f82a58e73a7e7612af gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: af24987c67a06a6424f0f9ef16919e84977442d798dfed409568430aa03d9876
run #0: crashed: KASAN: slab-use-after-free Read in class_register
run #1: crashed: KASAN: slab-use-after-free Read in class_register
run #2: crashed: KASAN: slab-use-after-free Read in class_register
run #3: crashed: WARNING in class_register
run #4: crashed: KASAN: slab-use-after-free Read in class_register
run #5: crashed: WARNING in class_register
run #6: crashed: WARNING in class_register
run #7: crashed: WARNING in class_register
run #8: crashed: KASAN: slab-use-after-free Read in class_register
run #9: crashed: KASAN: slab-use-after-free Read in class_register
# git bisect bad f43243c66e5e9ad839d235f82a58e73a7e7612af
Bisecting: 6 revisions left to test after this (roughly 3 steps)
[b18d0a0f92a8fe9e56d812808184c8c4b9f18f92] iommu: make the pointer to struct bus_type constant
testing commit b18d0a0f92a8fe9e56d812808184c8c4b9f18f92 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: b4b0eed589bbad632e29b34d710b324fb350542a54bbbb4ec31f380f00b4ebce
all runs: OK
# git bisect good b18d0a0f92a8fe9e56d812808184c8c4b9f18f92
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[0a392354dbc3ff748e0856a75592fe8d0fdc7674] device property: constify fwnode_get_phy_mode() argument
testing commit 0a392354dbc3ff748e0856a75592fe8d0fdc7674 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: b5c4179e28ffbd9e74efd498587c9ddb7202f687062d42012a7f7029901a44a0
all runs: OK
# git bisect good 0a392354dbc3ff748e0856a75592fe8d0fdc7674
Bisecting: 1 revision left to test after this (roughly 1 step)
[dcfbb67e48a2becfce7990386e985b9c45098ee5] driver core: class: use lock_class_key already present in struct subsys_private
testing commit dcfbb67e48a2becfce7990386e985b9c45098ee5 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: b9c873883edcaf9b957609d0fef6ef81b49ef516c84a3d167d54c1b9c3940ad0
run #0: crashed: KASAN: slab-use-after-free Read in class_register
run #1: crashed: WARNING in class_register
run #2: crashed: WARNING in class_register
run #3: crashed: KASAN: slab-use-after-free Read in class_register
run #4: crashed: WARNING in class_register
run #5: crashed: KASAN: slab-use-after-free Read in class_register
run #6: crashed: KASAN: slab-use-after-free Read in class_register
run #7: crashed: KASAN: slab-use-after-free Read in class_register
run #8: crashed: KASAN: slab-use-after-free Read in class_register
run #9: crashed: KASAN: slab-use-after-free Read in class_register
# git bisect bad dcfbb67e48a2becfce7990386e985b9c45098ee5
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[5b9ff0ba11042096bfb396e506fa9038e6a61de7] device property: Constify a few fwnode APIs
testing commit 5b9ff0ba11042096bfb396e506fa9038e6a61de7 gcc
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: d0c6f1572286d0594406af11ed89eeb05ce35ca3e55b5cb2b159fdee9c04406d
all runs: OK
# git bisect good 5b9ff0ba11042096bfb396e506fa9038e6a61de7
dcfbb67e48a2becfce7990386e985b9c45098ee5 is the first bad commit
commit dcfbb67e48a2becfce7990386e985b9c45098ee5
Author: Greg Kroah-Hartman
Date: Fri Mar 24 11:01:31 2023 +0100

    driver core: class: use lock_class_key already present in struct subsys_private

    In commit 37e98d9bedb5 ("driver core: bus: move lock_class_key into
    dynamic structure"), we moved the lock_class_key into the internal
    structure shared by busses and classes, but only used it for buses.

    Move the class code to use this structure as it is already present and
    being allocated, instead of the statically allocated on-the-stack
    variable that class_create() was using as part of a macro wrapper around
    the core function call.

    Reviewed-by: Rafael J. Wysocki
    Link: https://lore.kernel.org/r/20230324100132.1633647-1-gregkh@linuxfoundation.org
    Signed-off-by: Greg Kroah-Hartman

 drivers/base/class.c | 15 +++++++++------
 include/linux/device/class.h | 36 ++----------------------------------
 2 files changed, 11 insertions(+), 40 deletions(-)

culprit signature: b9c873883edcaf9b957609d0fef6ef81b49ef516c84a3d167d54c1b9c3940ad0
parent signature: d0c6f1572286d0594406af11ed89eeb05ce35ca3e55b5cb2b159fdee9c04406d
revisions tested: 17, total time: 5h24m22.914765231s (build: 2h47m7.844597724s, test: 2h34m0.90961893s)
first bad commit: dcfbb67e48a2becfce7990386e985b9c45098ee5 driver core: class: use lock_class_key already present in struct subsys_private
recipients (to): ["gregkh@linuxfoundation.org" "rafael@kernel.org"]
recipients (cc): []
crash: KASAN: slab-use-after-free Read in class_register

usb 1-1: New USB device strings: Mfr=0, Product=106, SerialNumber=59
usb 1-1: Product: syz
usb 1-1: SerialNumber: syz
hub 1-1:250.228: bad descriptor, ignoring hub
hub: probe of 1-1:250.228 failed with error -5
==================================================================
BUG: KASAN: slab-use-after-free in lockdep_register_key+0x396/0x410 kernel/locking/lockdep.c:1231
Read of size 8 at addr ffff88806e9d3360 by task kworker/0:4/5088

CPU: 0 PID: 5088 Comm: kworker/0:4 Not tainted 6.3.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x64/0xb0 lib/dump_stack.c:106
 print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:319
 print_report mm/kasan/report.c:430 [inline]
 kasan_report+0x11c/0x130 mm/kasan/report.c:536
 lockdep_register_key+0x396/0x410 kernel/locking/lockdep.c:1231
 class_register+0xdc/0x4c0 drivers/base/class.c:172
 class_create+0x8f/0xe0 drivers/base/class.c:250
 init_usb_class drivers/usb/core/file.c:91 [inline]
 usb_register_dev+0x403/0x770 drivers/usb/core/file.c:179
 usblp_probe+0xb1d/0x15a0 drivers/usb/class/usblp.c:1208
 usb_probe_interface+0x26c/0x820 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:579 [inline]
 really_probe+0x1c7/0xb20 drivers/base/dd.c:658
 __driver_probe_device+0x186/0x460 drivers/base/dd.c:795
 driver_probe_device+0x44/0x110 drivers/base/dd.c:825
 __device_attach_driver+0x14e/0x270 drivers/base/dd.c:953
 bus_for_each_drv+0x102/0x190 drivers/base/bus.c:457
 __device_attach+0x19e/0x3d0 drivers/base/dd.c:1025
 bus_probe_device+0x12b/0x170 drivers/base/bus.c:532
 device_add+0xee4/0x1930 drivers/base/core.c:3611
 usb_set_configuration+0xabc/0x1a20 drivers/usb/core/message.c:2171
 usb_generic_driver_probe+0x88/0xd0 drivers/usb/core/generic.c:238
 usb_probe_device+0x98/0x240 drivers/usb/core/driver.c:293
 call_driver_probe drivers/base/dd.c:579 [inline]
 really_probe+0x1c7/0xb20 drivers/base/dd.c:658
 __driver_probe_device+0x186/0x460 drivers/base/dd.c:795
 driver_probe_device+0x44/0x110 drivers/base/dd.c:825
 __device_attach_driver+0x14e/0x270 drivers/base/dd.c:953
 bus_for_each_drv+0x102/0x190 drivers/base/bus.c:457
 __device_attach+0x19e/0x3d0 drivers/base/dd.c:1025
 bus_probe_device+0x12b/0x170 drivers/base/bus.c:532
 device_add+0xee4/0x1930 drivers/base/core.c:3611
 usb_new_device+0xc6e/0x1930 drivers/usb/core/hub.c:2575
 hub_port_connect drivers/usb/core/hub.c:5407 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5551 [inline]
 port_event drivers/usb/core/hub.c:5711 [inline]
 hub_event+0x24cc/0x4240 drivers/usb/core/hub.c:5793
 process_one_work+0x8ba/0x15a0 kernel/workqueue.c:2390
 worker_thread+0x59c/0xec0 kernel/workqueue.c:2537
 kthread+0x298/0x340 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308

Allocated by task 2866:
 kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 ____kasan_kmalloc mm/kasan/common.c:333 [inline]
 __kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:383
 kasan_kmalloc include/linux/kasan.h:196 [inline]
 __do_kmalloc_node mm/slab_common.c:967 [inline]
 __kmalloc+0x5a/0xd0 mm/slab_common.c:980
 kmalloc include/linux/slab.h:584 [inline]
 kzalloc include/linux/slab.h:720 [inline]
 ieee802_11_parse_elems_full+0xea/0x1280 net/mac80211/util.c:1606
 ieee802_11_parse_elems_crc.constprop.0+0x87/0xc0 net/mac80211/ieee80211_i.h:2262
 ieee802_11_parse_elems net/mac80211/ieee80211_i.h:2269 [inline]
 ieee80211_bss_info_update+0x2d3/0x8f0 net/mac80211/scan.c:212
 ieee80211_rx_bss_info net/mac80211/ibss.c:1120 [inline]
 ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1609 [inline]
 ieee80211_ibss_rx_queued_mgmt+0x12d3/0x3260 net/mac80211/ibss.c:1638
 ieee80211_iface_process_skb net/mac80211/iface.c:1583 [inline]
 ieee80211_iface_work+0x6f9/0x9e0 net/mac80211/iface.c:1637
 process_one_work+0x8ba/0x15a0 kernel/workqueue.c:2390
 worker_thread+0x59c/0xec0 kernel/workqueue.c:2537
 kthread+0x298/0x340 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308

Freed by task 2866:
 kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 kasan_save_free_info+0x2e/0x40 mm/kasan/generic.c:521
 ____kasan_slab_free mm/kasan/common.c:236 [inline]
 ____kasan_slab_free+0x160/0x1c0 mm/kasan/common.c:200
 kasan_slab_free include/linux/kasan.h:162 [inline]
 slab_free_hook mm/slub.c:1781 [inline]
 slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1807
 slab_free mm/slub.c:3787 [inline]
 __kmem_cache_free+0xaf/0x2d0 mm/slub.c:3800
 ieee80211_bss_info_update+0x37a/0x8f0 net/mac80211/scan.c:223
 ieee80211_rx_bss_info net/mac80211/ibss.c:1120 [inline]
 ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1609 [inline]
 ieee80211_ibss_rx_queued_mgmt+0x12d3/0x3260 net/mac80211/ibss.c:1638
 ieee80211_iface_process_skb net/mac80211/iface.c:1583 [inline]
 ieee80211_iface_work+0x6f9/0x9e0 net/mac80211/iface.c:1637
 process_one_work+0x8ba/0x15a0 kernel/workqueue.c:2390
 worker_thread+0x59c/0xec0 kernel/workqueue.c:2537
 kthread+0x298/0x340 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308

The buggy address belongs to the object at ffff88806e9d3000
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 864 bytes inside of
 freed 1024-byte region [ffff88806e9d3000, ffff88806e9d3400)

The buggy address belongs to the physical page:
page:ffffea0001ba7400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6e9d0
head:ffffea0001ba7400 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffff888011441dc0 0000000000000000 dead000000000001
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x152820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 1218, tgid 1218 (kworker/u4:5), ts 110568999693, free_ts 110211125354
 prep_new_page mm/page_alloc.c:2552 [inline]
 get_page_from_freelist+0x1190/0x2f80 mm/page_alloc.c:4325
 __alloc_pages+0x1cb/0x5c0 mm/page_alloc.c:5591
 alloc_slab_page mm/slub.c:1851 [inline]
 allocate_slab+0x25f/0x390 mm/slub.c:1998
 new_slab mm/slub.c:2051 [inline]
 ___slab_alloc+0xa91/0x1400 mm/slub.c:3193
 __slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3292
 __slab_alloc_node mm/slub.c:3345 [inline]
 slab_alloc_node mm/slub.c:3442 [inline]
 __kmem_cache_alloc_node+0x136/0x320 mm/slub.c:3491
 __do_kmalloc_node mm/slab_common.c:966 [inline]
 __kmalloc+0x4a/0xd0 mm/slab_common.c:980
 kmalloc include/linux/slab.h:584 [inline]
 kzalloc include/linux/slab.h:720 [inline]
 ieee802_11_parse_elems_full+0xea/0x1280 net/mac80211/util.c:1606
 ieee802_11_parse_elems_crc net/mac80211/ieee80211_i.h:2262 [inline]
 ieee802_11_parse_elems net/mac80211/ieee80211_i.h:2269 [inline]
 ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1605 [inline]
 ieee80211_ibss_rx_queued_mgmt+0xb76/0x3260 net/mac80211/ibss.c:1638
 ieee80211_iface_process_skb net/mac80211/iface.c:1583 [inline]
 ieee80211_iface_work+0x6f9/0x9e0 net/mac80211/iface.c:1637
 process_one_work+0x8ba/0x15a0 kernel/workqueue.c:2390
 worker_thread+0x59c/0xec0 kernel/workqueue.c:2537
 kthread+0x298/0x340 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1453 [inline]
 free_pcp_prepare+0x668/0xb50 mm/page_alloc.c:1503
 free_unref_page_prepare mm/page_alloc.c:3387 [inline]
 free_unref_page+0x1d/0x490 mm/page_alloc.c:3482
 __unfreeze_partials+0x17c/0x1a0 mm/slub.c:2637
 qlink_free mm/kasan/quarantine.c:168 [inline]
 qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
 kasan_quarantine_reduce+0x192/0x220 mm/kasan/quarantine.c:294
 __kasan_slab_alloc+0x63/0x90 mm/kasan/common.c:305
 kasan_slab_alloc include/linux/kasan.h:186 [inline]
 slab_post_alloc_hook mm/slab.h:769 [inline]
 slab_alloc_node mm/slub.c:3452 [inline]
 slab_alloc mm/slub.c:3460 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3467 [inline]
 kmem_cache_alloc+0x17c/0x320 mm/slub.c:3476
 kmem_cache_zalloc include/linux/slab.h:710 [inline]
 taskstats_tgid_alloc kernel/taskstats.c:583 [inline]
 taskstats_exit+0x560/0xab0 kernel/taskstats.c:622
 do_exit+0x739/0x2500 kernel/exit.c:854
 do_group_exit+0xb4/0x250 kernel/exit.c:1019
 __do_sys_exit_group kernel/exit.c:1030 [inline]
 __se_sys_exit_group kernel/exit.c:1028 [inline]
 __x64_sys_exit_group+0x39/0x40 kernel/exit.c:1028
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
 ffff88806e9d3200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88806e9d3280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88806e9d3300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                       ^
 ffff88806e9d3380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88806e9d3400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================