From: Yosry Ahmed
Date: Mon, 13 Jan 2025 11:00:13 -0800
Subject: Re: [syzbot] [mm?] KASAN: slab-use-after-free Write in zswap_store
To: syzbot
Cc: akpm@linux-foundation.org, chengming.zhou@linux.dev, hannes@cmpxchg.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, nphamcs@gmail.com, syzkaller-bugs@googlegroups.com

On Mon, Dec 23, 2024 at 12:37 AM syzbot wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    48f506ad0b68 Merge tag 'soc-fixes-6.13-2' of git://git.ker..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13649fe8580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=c22efbd20f8da769
> dashboard link: https://syzkaller.appspot.com/bug?extid=7c26f5c5ca6a61056049
> compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/f42f936a7d8d/disk-48f506ad.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/5f5d9512f350/vmlinux-48f506ad.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/08855819fbb0/bzImage-48f506ad.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+7c26f5c5ca6a61056049@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KASAN: slab-use-after-free in acomp_request_set_params include/crypto/acompress.h:230 [inline]
> BUG: KASAN: slab-use-after-free in zswap_compress mm/zswap.c:910 [inline]
> BUG: KASAN: slab-use-after-free in zswap_store_page mm/zswap.c:1426 [inline]
> BUG: KASAN: slab-use-after-free in zswap_store+0x2481/0x25d0 mm/zswap.c:1533
> Write of size 8 at addr ffff8880344bc330 by task syz.2.518/8050
>
> CPU: 0 UID: 0 PID: 8050 Comm: syz.2.518 Not tainted 6.13.0-rc3-syzkaller-00289-g48f506ad0b68 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
> Call Trace:
>  __dump_stack lib/dump_stack.c:94 [inline]
>  dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
>  print_address_description mm/kasan/report.c:378 [inline]
>  print_report+0xc3/0x620 mm/kasan/report.c:489
>  kasan_report+0xd9/0x110 mm/kasan/report.c:602
>  acomp_request_set_params include/crypto/acompress.h:230 [inline]
>  zswap_compress mm/zswap.c:910 [inline]
>  zswap_store_page mm/zswap.c:1426 [inline]
>  zswap_store+0x2481/0x25d0 mm/zswap.c:1533
>  swap_writepage+0x3b6/0x1120 mm/page_io.c:279
>  shmem_writepage+0xf76/0x1490 mm/shmem.c:1579
>  pageout+0x3b2/0xaa0 mm/vmscan.c:689
>  shrink_folio_list+0x3025/0x42d0 mm/vmscan.c:1367
>  evict_folios+0x6e3/0x19c0 mm/vmscan.c:4593
>  try_to_shrink_lruvec+0x61e/0xa80 mm/vmscan.c:4789
>  lru_gen_shrink_lruvec mm/vmscan.c:4938 [inline]
>  shrink_lruvec+0x313/0x2ba0 mm/vmscan.c:5693
>  shrink_node_memcgs mm/vmscan.c:5929 [inline]
>  shrink_node mm/vmscan.c:5970 [inline]
>  shrink_node+0x105e/0x3f20 mm/vmscan.c:5948
>  shrink_zones mm/vmscan.c:6215 [inline]
>  do_try_to_free_pages+0x35f/0x1a30 mm/vmscan.c:6277
>  try_to_free_mem_cgroup_pages+0x31a/0x7a0 mm/vmscan.c:6609
>  try_charge_memcg+0x356/0xaf0 mm/memcontrol.c:2238
>  try_charge mm/memcontrol-v1.h:19 [inline]
>  charge_memcg mm/memcontrol.c:4497 [inline]
>  __mem_cgroup_charge+0x9b/0x280 mm/memcontrol.c:4512
>  mem_cgroup_charge include/linux/memcontrol.h:646 [inline]
>  shmem_alloc_and_add_folio+0x507/0xc00 mm/shmem.c:1847
>  shmem_get_folio_gfp+0x689/0x1530 mm/shmem.c:2357
>  shmem_get_folio mm/shmem.c:2463 [inline]
>  shmem_write_begin+0x161/0x300 mm/shmem.c:3119
>  generic_perform_write+0x2ba/0x920 mm/filemap.c:4055
>  shmem_file_write_iter+0x10e/0x140 mm/shmem.c:3295
>  __kernel_write_iter+0x318/0xa80 fs/read_write.c:612
>  dump_emit_page fs/coredump.c:884 [inline]
>  dump_user_range+0x389/0x8c0 fs/coredump.c:945
>  elf_core_dump+0x2787/0x3880 fs/binfmt_elf.c:2129
>  do_coredump+0x2dd5/0x43e0 fs/coredump.c:758
>  get_signal+0x23f3/0x2610 kernel/signal.c:3002
>  arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337
>  exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
>  exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
>  irqentry_exit_to_user_mode+0x13f/0x280 kernel/entry/common.c:231
>  asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
> RIP: 0033:0x100000
> Code: Unable to access opcode bytes at 0xfffd6.
> RSP: 002b:000000000000000a EFLAGS: 00010217
> RAX: 0000000000000000 RBX: 00007fe556775fa0 RCX: 00007fe556585d29
> RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000020003b46
> RBP: 00007fe556601aa8 R08: 0000000000000200 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 0000000000000000 R14: 00007fe556775fa0 R15: 00007ffc3d0ee328
>
> Allocated by task 1:
>  kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
>  kasan_save_track+0x14/0x30 mm/kasan/common.c:68
>  poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
>  __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
>  kasan_kmalloc include/linux/kasan.h:260 [inline]
>  __do_kmalloc_node mm/slub.c:4298 [inline]
>  __kmalloc_noprof+0x21a/0x4f0 mm/slub.c:4310
>  kmalloc_noprof include/linux/slab.h:905 [inline]
>  kzalloc_noprof include/linux/slab.h:1037 [inline]
>  __acomp_request_alloc_noprof include/crypto/internal/acompress.h:75 [inline]
>  acomp_request_alloc+0x46/0x110 crypto/acompress.c:131
>  zswap_cpu_comp_prepare+0x1f2/0x460 mm/zswap.c:840
>  cpuhp_invoke_callback+0x20c/0xa10 kernel/cpu.c:204
>  cpuhp_issue_call+0x1c0/0x980 kernel/cpu.c:2375
>  __cpuhp_state_add_instance_cpuslocked+0x1a4/0x3c0 kernel/cpu.c:2437
>  __cpuhp_state_add_instance+0xd7/0x2e0 kernel/cpu.c:2458
>  cpuhp_state_add_instance include/linux/cpuhotplug.h:386 [inline]
>  zswap_pool_create+0x27b/0x540 mm/zswap.c:288
>  __zswap_pool_create_fallback mm/zswap.c:356 [inline]
>  zswap_setup+0x402/0x810 mm/zswap.c:1781
>  zswap_init+0x2c/0x40 mm/zswap.c:1817
>  do_one_initcall+0x128/0x630 init/main.c:1266
>  do_initcall_level init/main.c:1328 [inline]
>  do_initcalls init/main.c:1344 [inline]
>  do_basic_setup init/main.c:1363 [inline]
>  kernel_init_freeable+0x58f/0x8b0 init/main.c:1577
>  kernel_init+0x1c/0x2b0 init/main.c:1466
>  ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
>  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
>
> Freed by task 5898:
>  kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
>  kasan_save_track+0x14/0x30 mm/kasan/common.c:68
>  kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:582
>  poison_slab_object mm/kasan/common.c:247 [inline]
>  __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
>  kasan_slab_free include/linux/kasan.h:233 [inline]
>  slab_free_hook mm/slub.c:2353 [inline]
>  slab_free mm/slub.c:4613 [inline]
>  kfree+0x14f/0x4b0 mm/slub.c:4761
>  zswap_cpu_comp_dead+0xe3/0x1c0 mm/zswap.c:874
>  cpuhp_invoke_callback+0x528/0xa10 kernel/cpu.c:216
>  __cpuhp_invoke_callback_range+0x101/0x200 kernel/cpu.c:965
>  cpuhp_invoke_callback_range kernel/cpu.c:989 [inline]
>  cpuhp_down_callbacks kernel/cpu.c:1382 [inline]
>  _cpu_down+0x422/0xf20 kernel/cpu.c:1443
>  __cpu_down_maps_locked+0x6c/0x90 kernel/cpu.c:1473
>  work_for_cpu_fn+0x52/0xa0 kernel/workqueue.c:6719
>  process_one_work+0x958/0x1b30 kernel/workqueue.c:3229
>  process_scheduled_works kernel/workqueue.c:3310 [inline]
>  worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
>  kthread+0x2c1/0x3a0 kernel/kthread.c:389
>  ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
>  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
>
> The buggy address belongs to the object at ffff8880344bc300
>  which belongs to the cache kmalloc-96 of size 96
> The buggy address is located 48 bytes inside of
>  freed 96-byte region [ffff8880344bc300, ffff8880344bc360)
>
> The buggy address belongs to the physical page:
> page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x344bc
> anon flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
> page_type: f5(slab)
> raw: 00fff00000000000 ffff88801ac41280 0000000000000000 dead000000000001
> raw: 0000000000000000 0000000000200020 00000001f5000000 0000000000000000
> page dumped because: kasan: bad access detected
> page_owner tracks the page as allocated
> page last allocated via order 0, migratetype Unmovable, gfp_mask 0x252800(GFP_NOWAIT|__GFP_NORETRY|__GFP_COMP|__GFP_THISNODE), pid 1, tgid 1 (swapper/0), ts 20977470907, free_ts 20711170276
>  set_page_owner include/linux/page_owner.h:32 [inline]
>  post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1558
>  prep_new_page mm/page_alloc.c:1566 [inline]
>  get_page_from_freelist+0xfce/0x2f80 mm/page_alloc.c:3476
>  __alloc_pages_noprof+0x223/0x25b0 mm/page_alloc.c:4753
>  __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
>  alloc_slab_page mm/slub.c:2425 [inline]
>  allocate_slab mm/slub.c:2589 [inline]
>  new_slab+0xca/0x410 mm/slub.c:2642
>  ___slab_alloc+0xce2/0x1650 mm/slub.c:3830
>  __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3920
>  __slab_alloc_node mm/slub.c:3995 [inline]
>  slab_alloc_node mm/slub.c:4156 [inline]
>  __kmalloc_cache_node_noprof+0xfb/0x3f0 mm/slub.c:4337
>  kmalloc_node_noprof include/linux/slab.h:924 [inline]
>  alloc_node_nr_active kernel/workqueue.c:4859 [inline]
>  __alloc_workqueue+0x506/0x1810 kernel/workqueue.c:5712
>  alloc_workqueue+0xd3/0x200 kernel/workqueue.c:5772
>  zswap_setup+0xcb/0x810 mm/zswap.c:1767
>  zswap_init+0x2c/0x40 mm/zswap.c:1817
>  do_one_initcall+0x128/0x630 init/main.c:1266
>  do_initcall_level init/main.c:1328 [inline]
>  do_initcalls init/main.c:1344 [inline]
>  do_basic_setup init/main.c:1363 [inline]
>  kernel_init_freeable+0x58f/0x8b0 init/main.c:1577
>  kernel_init+0x1c/0x2b0 init/main.c:1466
>  ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
>  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
> page last free pid 8 tgid 8 stack trace:
>  reset_page_owner include/linux/page_owner.h:25 [inline]
>  free_pages_prepare mm/page_alloc.c:1127 [inline]
>  free_unref_page+0x661/0x1080 mm/page_alloc.c:2659
>  vfree+0x174/0x950 mm/vmalloc.c:3383
>  delayed_vfree_work+0x56/0x70 mm/vmalloc.c:3303
>  process_one_work+0x958/0x1b30 kernel/workqueue.c:3229
>  process_scheduled_works kernel/workqueue.c:3310 [inline]
>  worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
>  kthread+0x2c1/0x3a0 kernel/kthread.c:389
>  ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
>  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
>
> Memory state around the buggy address:
>  ffff8880344bc200: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
>  ffff8880344bc280: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
> >ffff8880344bc300: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
>                                      ^
>  ffff8880344bc380: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
>  ffff8880344bc400: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
> ==================================================================
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title

#syz fix "mm: zswap: properly synchronize freeing resources during CPU hotunplug"

>
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
>
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
>
> If you want to undo deduplication, reply with:
> #syz undup