public inbox for linux-mm@kvack.org
* [BUG] KASAN: user-memory-access in free_pgtables
@ 2026-04-25  9:50 Huang Forrest
  2026-04-27  8:09 ` David Hildenbrand (Arm)
  0 siblings, 1 reply; 3+ messages in thread
From: Huang Forrest @ 2026-04-25  9:50 UTC (permalink / raw)
  To: akpm@linux-foundation.org, david@kernel.org
  Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org

Hello,

I found the following issue with syzkaller on:

HEAD commit:    7aaa8047eafd (HEAD -> master, tag: v7.0-rc6, origin/master, origin/HEAD) Linux 7.0-rc6.
git tree:  https://github.com/torvalds/linux.git master
console output: N/A (local fuzzing run did not capture full serial console; only report0/log0 saved)
kernel config:  https://gist.githubusercontent.com/Forest-kernel/354e7c56522ab60f29c8b96e7429e2e3/raw/97bb1e7d6f9406da5bd07e999c3634f250a5db0c/config.txt
dashboard link: N/A for local dashboard
compiler: gcc (Ubuntu 12.3.0-1ubuntu1~22.04) 12.3.0
userspace arch: x86_64


I don't have any reproducer for this issue yet.

Suspected root cause:
The first report message is "get_swap_device: Bad swap file entry", immediately followed by a WARN in swap_put_entries_direct() (mm/swapfile.c:1909).

I suspect the root cause falls into one of these two possibilities:
1. The bad swap entry may itself be just a symptom: a prior unnoticed memory corruption, such as a UAF, could have corrupted a swap entry/PTE/VMA field, which then surfaces when the WARNING occurs.
2. Alternatively, the swap entry issue itself might be the real trigger: a logic bug could let an invalid entry reach swap accounting, corrupting swap metadata and then leading to more serious secondary faults like the user-memory-access.

The full report below is also available at https://gist.github.com/Forest-kernel/725ce788c4374d8e4945e5a13c67362e

==================================================================
get_swap_device: Bad swap file entry 80162affc3fffff
BUG: KASAN: user-memory-access in instrument_atomic_read include/linux/instrumented.h:82 [inline]
BUG: KASAN: user-memory-access in atomic_long_read include/linux/atomic/atomic-instrumented.h:3188 [inline]
BUG: KASAN: user-memory-access in rwsem_assert_held_write_nolockdep include/linux/rwsem.h:87 [inline]
BUG: KASAN: user-memory-access in rwsem_assert_held_write include/linux/rwsem.h:223 [inline]
BUG: KASAN: user-memory-access in mmap_assert_write_locked include/linux/mmap_lock.h:76 [inline]
BUG: KASAN: user-memory-access in __vma_raw_mm_seqnum include/linux/mmap_lock.h:272 [inline]
BUG: KASAN: user-memory-access in __is_vma_write_locked include/linux/mmap_lock.h:288 [inline]
BUG: KASAN: user-memory-access in vma_start_write include/linux/mmap_lock.h:300 [inline]
BUG: KASAN: user-memory-access in free_pgtables+0x53e/0xcd0 mm/memory.c:413
Oops: general protection fault, probably for non-canonical address 0xdffffc000000000b: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000058-0x000000000000005f]
CPU: 0 UID: 0 PID: 5123 Comm: syz-executor Not tainted 7.0.0-rc6 #1 PREEMPT(lazy)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:pick_next_entity kernel/sched/fair.c:5547 [inline]
RIP: 0010:pick_task_fair+0x89/0x1e0 kernel/sched/fair.c:8966
Code: c0 0f 84 0c 01 00 00 4d 89 ee eb 6b 4c 89 f7 be 01 00 00 00 e8 c8 14 fe ff 48 8d 78 59 48 89 fa 48 89 f9 48 c1 ea 03 83 e1 07 <42> 0f b6 14 3a 38 ca 7f 08 84 d2 0f 85 ed 00 00 00 80 78 59 00 0f
RSP: 0018:ffff888110adf330 EFLAGS: 00010002
RAX: 0000000000000000 RBX: ffff88811b035800 RCX: 0000000000000001
------------[ cut here ]------------
WARNING: mm/swapfile.c:1909 at swap_put_entries_direct+0x1be/0x2c0 mm/swapfile.c:1909, CPU#2: syz-executor/3650
Modules linked in:
CPU: 2 UID: 0 PID: 3650 Comm: syz-executor Not tainted 7.0.0-rc6 #1 PREEMPT(lazy)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:swap_put_entries_direct+0x1be/0x2c0 mm/swapfile.c:1909
Code: 48 8b 44 24 58 65 48 2b 05 c7 e0 9c 05 0f 85 db 00 00 00 48 83 c4 60 5b 5d 41 5c 41 5d 41 5e e9 68 9c ef 02 e8 93 21 cc ff 90 <0f> 0b 90 eb b9 e8 88 21 cc ff 49 8d 6c 24 08 48 b8 00 00 00 00 00
RSP: 0018:ffff88810bd0f768 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 000162affc3fffff RCX: ffffffffaae42f5d
RDX: ffff888113315640 RSI: 0000000000000000 RDI: 0000000000000001
RBP: 000162affc400000 R08: 0000000000000001 R09: ffffed10217a1e92
R10: 0000000000000000 R11: 706177735f746567 R12: 0000000000000000
R13: 1ffff110217a1eed R14: dffffc0000000000 R15: ffff888117002000
FS:  0000000000000000(0000) GS:ffff88816a88f000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffffffff000 CR3: 00000001014b7000 CR4: 0000000000350ef0
Call Trace:
 <TASK>
 zap_nonpresent_ptes mm/memory.c:1764 [inline]
 do_zap_pte_range mm/memory.c:1831 [inline]
 zap_pte_range mm/memory.c:1929 [inline]
 zap_pmd_range mm/memory.c:2021 [inline]
 zap_pud_range mm/memory.c:2049 [inline]
 zap_p4d_range mm/memory.c:2070 [inline]
 unmap_page_range+0x1645/0x3f40 mm/memory.c:2091
 unmap_single_vma+0x153/0x240 mm/memory.c:2133
 unmap_vmas+0x248/0x530 mm/memory.c:2171
 exit_mmap+0x1ee/0x800 mm/mmap.c:1302
 __mmput kernel/fork.c:1175 [inline]
 mmput+0x6c/0x320 kernel/fork.c:1198
 exit_mm kernel/exit.c:581 [inline]
 do_exit+0x7c1/0x28e0 kernel/exit.c:964
Read of size 8 at addr 0000000100000190 by task syz.2.164/6127

CPU: 5 UID: 0 PID: 6127 Comm: syz.2.164 Not tainted 7.0.0-rc6 #1 PREEMPT(lazy)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xab/0xe0 lib/dump_stack.c:120
 kasan_report+0xce/0x100 mm/kasan/report.c:595
 check_region_inline mm/kasan/generic.c:194 [inline]
 kasan_check_range+0x100/0x1b0 mm/kasan/generic.c:200
 instrument_atomic_read include/linux/instrumented.h:82 [inline]
 atomic_long_read include/linux/atomic/atomic-instrumented.h:3188 [inline]
 rwsem_assert_held_write_nolockdep include/linux/rwsem.h:87 [inline]
 rwsem_assert_held_write include/linux/rwsem.h:223 [inline]
 mmap_assert_write_locked include/linux/mmap_lock.h:76 [inline]
 __vma_raw_mm_seqnum include/linux/mmap_lock.h:272 [inline]
 __is_vma_write_locked include/linux/mmap_lock.h:288 [inline]
 vma_start_write include/linux/mmap_lock.h:300 [inline]
 free_pgtables+0x53e/0xcd0 mm/memory.c:413
 exit_mmap+0x362/0x800 mm/mmap.c:1314
 __mmput kernel/fork.c:1175 [inline]
 mmput+0x6c/0x320 kernel/fork.c:1198
 exit_mm kernel/exit.c:581 [inline]
 do_exit+0x7c1/0x28e0 kernel/exit.c:964
 do_group_exit+0xc7/0x280 kernel/exit.c:1118
 get_signal+0x20d2/0x2150 kernel/signal.c:3034
 arch_do_signal_or_restart+0x8f/0x7a0 arch/x86/kernel/signal.c:337
 __exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
 exit_to_user_mode_loop+0x6b/0x4c0 kernel/entry/common.c:98
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
 do_syscall_64+0x46d/0x580 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f38134f777d
Code: Unable to access opcode bytes at 0x7f38134f7753.
RSP: 002b:00007f3811f36fa8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: fffffffffffffe00 RBX: 00007f3813785fa0 RCX: 00007f38134f777d
RDX: 000000000000004e RSI: 00002000000000c0 RDI: 000000000000000c
RBP: 00007f3813594d74 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f3813786038 R14: 00007f3813785fa0 R15: 00007f3811f17000
 </TASK>
==================================================================
RDX: 000000000000000b RSI: 0000000000000001 RDI: 0000000000000059
RBP: ffffed1023606b12 R08: 0000000000000001 R09: ffffed102215be92
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88811b035890
R13: ffff88811b035880 R14: ffff8881173a4000 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff88816a80f000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffd98c09c10 CR3: 00000000ace72000 CR4: 0000000000350ef0
Call Trace:
 <TASK>
 pick_next_task_fair+0x98/0x1c60 kernel/sched/fair.c:8990
 __do_sys_exit kernel/exit.c:1085 [inline]
 __se_sys_exit kernel/exit.c:1083 [inline]
 __x64_sys_exit+0x42/0x50 kernel/exit.c:1083
 x64_sys_call+0x154f/0x1760 arch/x86/include/generated/asm/syscalls_64.h:61
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfc/0x580 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fd94161777d
Code: Unable to access opcode bytes at 0x7fd941617753.
 __pick_next_task kernel/sched/core.c:5929 [inline]
 pick_next_task kernel/sched/core.c:6468 [inline]
 __schedule+0x7ce/0x3ee0 kernel/sched/core.c:6852
RSP: 002b:00007fff7d837098 EFLAGS: 00000246
 ORIG_RAX: 000000000000003c
RAX: ffffffffffffffda RBX: 000000000000000b RCX: 00007fd94161777d
RDX: 00007fd94165859a RSI: 00007fff7d8370c0 RDI: 000000000000000b
 preempt_schedule_irq+0x49/0x80 kernel/sched/core.c:7238
RBP: 0000000000000000 R08: 00007fd9423e5000 R09: 0000000000007228
 irqentry_exit+0xc1/0x660 kernel/entry/common.c:239
R10: 0000000000000053 R11: 0000000000000246 R12: 0000000000000000
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
RIP: 0010:__rcu_read_unlock+0x88/0xf0 kernel/rcu/tree_plugin.h:435
 </TASK>
Code: fc ff df 48 89 fa 48 c1 ea 03 83 eb 01 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 62 41 89 9c 24 3c 04 00 00 <85> db 75 37 48 8d bd 40 04 00 00 48 b8 00 00 00 00 00 fc ff df 48
---[ end trace 0000000000000000 ]---
RSP: 0018:ffff888110adf6e0 EFLAGS: 00000246
RAX: 0000000000000007 RBX: 0000000000000000 RCX: ffff888110ae0001
RDX: 0000000000000000 RSI: ffff888110adfdb0 RDI: ffff888100ec26bc
RBP: ffff888100ec2280 R08: 0000000000000001 R09: ffff888110adf7b0
R10: ffff888110adf770 R11: 0000000000009963 R12: ffff888100ec2280
R13: ffff888110adf770 R14: ffff888110adfde0 R15: ffff888110adfdd8
 rcu_read_unlock include/linux/rcupdate.h:883 [inline]
 class_rcu_destructor include/linux/rcupdate.h:1193 [inline]
 unwind_next_frame+0x39d/0x2400 arch/x86/kernel/unwind_orc.c:495
 arch_stack_walk+0x94/0x100 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0x8e/0xc0 kernel/stacktrace.c:122
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:57
 kasan_save_track+0x17/0x60 mm/kasan/common.c:78
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x8f/0xa0 mm/kasan/common.c:415
 kmalloc_noprof include/linux/slab.h:950 [inline]
 slab_free_hook mm/slub.c:2637 [inline]
 slab_free mm/slub.c:6165 [inline]
 kmem_cache_free+0x245/0x3d0 mm/slub.c:6295
 tear_down_vmas+0x182/0x3a0 mm/mmap.c:1264
 exit_mmap+0x37f/0x800 mm/mmap.c:1322
 __mmput kernel/fork.c:1175 [inline]
 mmput+0x6c/0x320 kernel/fork.c:1198
 exit_mm kernel/exit.c:581 [inline]
 do_exit+0x7c1/0x28e0 kernel/exit.c:964
 do_group_exit+0xc7/0x280 kernel/exit.c:1118
 __do_sys_exit_group kernel/exit.c:1129 [inline]
 __se_sys_exit_group kernel/exit.c:1127 [inline]
 __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1127
 x64_sys_call+0x16cd/0x1760 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfc/0x580 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb99736777d
Code: Unable to access opcode bytes at 0x7fb997367753.
RSP: 002b:00007ffd98c095f8 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 000000000000000b RCX: 00007fb99736777d
RDX: 00007fb9973a859a RSI: 0000000000000000 RDI: 000000000000000b
RBP: 00007ffd98c09bfc R08: 0000000000000000 R09: 000000000000000b
R10: 000000000000000e R11: 0000000000000206 R12: 0000000000000000
R13: 0000000000007221 R14: 0000000000000000 R15: 00000000000071f9
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
Oops: general protection fault, probably for non-canonical address 0xe1d646401ffff12b: 0000 [#2] SMP KASAN NOPTI
RIP: 0010:pick_next_entity kernel/sched/fair.c:5547 [inline]
RIP: 0010:pick_task_fair+0x89/0x1e0 kernel/sched/fair.c:8966
KASAN: maybe wild-memory-access in range [0x0eb25200ffff8958-0x0eb25200ffff895f]
Code: c0 0f 84 0c 01 00 00 4d 89 ee eb 6b 4c 89 f7 be 01 00 00 00 e8 c8 14 fe ff 48 8d 78 59 48 89 fa 48 89 f9 48 c1 ea 03 83 e1 07 <42> 0f b6 14 3a 38 ca 7f 08 84 d2 0f 85 ed 00 00 00 80 78 59 00 0f
CPU: 1 UID: 0 PID: 3489 Comm: syz-executor Tainted: G    B D W           7.0.0-rc6 #1 PREEMPT(lazy)
RSP: 0018:ffff888110adf330 EFLAGS: 00010002
Tainted: [B]=BAD_PAGE, [D]=DIE, [W]=WARN
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RAX: 0000000000000000 RBX: ffff88811b035800 RCX: 0000000000000001
RIP: 0010:cpuacct_account_field+0x8c/0x110 kernel/sched/cpuacct.c:357
RDX: 000000000000000b RSI: 0000000000000001 RDI: 0000000000000059
Code: fb 00 bb cf ae 74 5b 48 bd 00 00 00 00 00 fc ff df 48 63 f6 4c 8d 24 f5 00 00 00 00 48 8d bb d8 00 00 00 48 89 f8 48 c1 e8 03 <80> 3c 28 00 75 41 48 8b 83 d8 00 00 00 48 8d bb b8 00 00 00 4c 01
RBP: ffffed1023606b12 R08: 0000000000000001 R09: ffffed102215be92
RSP: 0018:ffff88811b048c88 EFLAGS: 00010016
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88811b035890

R13: ffff88811b035880 R14: ffff8881173a4000 R15: dffffc0000000000
RAX: 01d64a401ffff12b RBX: 0eb25200ffff8881 RCX: 0000000000010000
FS:  0000000000000000(0000) GS:ffff88816a80f000(0000) knlGS:0000000000000000
RDX: 1ffff11022e6cb02 RSI: 0000000000000002 RDI: 0eb25200ffff8959
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
RBP: dffffc0000000000 R08: 0000000000000000 R09: ffffed102360919a
CR2: 00007ffd98c09c10 CR3: 00000000ace72000 CR4: 0000000000350ef0
R10: 0000000000015a2a R11: ffff88811b048ff8 R12: 0000000000000010
note: syz-executor[5123] exited with irqs disabled
R13: 00000000000f4240 R14: ffff888104356500 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88816a84f000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffffffff000 CR3: 0000000104120000 CR4: 0000000000350ef0
Call Trace:
 <IRQ>
 cgroup_account_cputime_field include/linux/cgroup.h:755 [inline]
 task_group_account_field kernel/sched/cputime.c:115 [inline]
 account_system_index_time+0x113/0x1f0 kernel/sched/cputime.c:178
 update_process_times+0x82/0x1f0 kernel/time/timer.c:2472
 tick_sched_handle kernel/time/tick-sched.c:298 [inline]
 tick_nohz_handler+0x5a1/0x710 kernel/time/tick-sched.c:319
 __run_hrtimer kernel/time/hrtimer.c:1785 [inline]
 __hrtimer_run_queues+0x411/0x8a0 kernel/time/hrtimer.c:1849
 hrtimer_interrupt+0x2f4/0x7c0 kernel/time/hrtimer.c:1911
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1045 [inline]
 __sysvec_apic_timer_interrupt+0x88/0x2d0 arch/x86/kernel/apic/apic.c:1062
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
 sysvec_apic_timer_interrupt+0x67/0x80 arch/x86/kernel/apic/apic.c:1056
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:get_current arch/x86/include/asm/current.h:25 [inline]
RIP: 0010:__sanitizer_cov_trace_pc+0x8/0x80 kernel/kcov.c:216
Code: 00 e9 6c ff ff ff 4d 01 d7 4d 89 39 e9 ef fd ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 48 8b 0c 24 <65> 48 8b 15 18 bf d0 05 65 8b 05 29 bf d0 05 a9 00 01 ff 00 74 1d
RSP: 0018:ffff8881031477f0 EFLAGS: 00000216
RAX: ffff888100c74680 RBX: 0000000000001000 RCX: ffffffffaad67b73
RDX: ffff88810150d640 RSI: 0000000000000000 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000000 R09: fffff94000040026
R10: 0000000000000000 R11: ffffea00042a5400 R12: ffffea0000200100
R13: 00007f8f51ecf000 R14: dffffc0000000000 R15: ffffea0000200130
 zap_pte_range mm/memory.c:1938 [inline]
 zap_pmd_range mm/memory.c:2021 [inline]
 zap_pud_range mm/memory.c:2049 [inline]
 zap_p4d_range mm/memory.c:2070 [inline]
 unmap_page_range+0xe53/0x3f40 mm/memory.c:2091
 unmap_single_vma+0x153/0x240 mm/memory.c:2133
 unmap_vmas+0x248/0x530 mm/memory.c:2171
 exit_mmap+0x1ee/0x800 mm/mmap.c:1302
 __mmput kernel/fork.c:1175 [inline]
 mmput+0x6c/0x320 kernel/fork.c:1198
 exit_mm kernel/exit.c:581 [inline]
 do_exit+0x7c1/0x28e0 kernel/exit.c:964
 __do_sys_exit kernel/exit.c:1085 [inline]
 __se_sys_exit kernel/exit.c:1083 [inline]
 __x64_sys_exit+0x42/0x50 kernel/exit.c:1083
 x64_sys_call+0x154f/0x1760 arch/x86/include/generated/asm/syscalls_64.h:61
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfc/0x580 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f8f52c8777d
Code: Unable to access opcode bytes at 0x7f8f52c87753.
RSP: 002b:00007ffdf12940d8 EFLAGS: 00000246 ORIG_RAX: 000000000000003c
RAX: ffffffffffffffda RBX: 000000000000000b RCX: 00007f8f52c8777d
RDX: 00007f8f52cc859a RSI: 00007ffdf1294100 RDI: 000000000000000b
RBP: 00007ffdf1294740 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000049 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000065 R14: 0000000000000000 R15: 0000000000000001
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
Oops: stack segment: 0000 [#3] SMP KASAN NOPTI
RIP: 0010:pick_next_entity kernel/sched/fair.c:5547 [inline]
RIP: 0010:pick_task_fair+0x89/0x1e0 kernel/sched/fair.c:8966
CPU: 3 UID: 0 PID: 3120 Comm: syz-executor Tainted: G    B D W           7.0.0-rc6 #1 PREEMPT(lazy)
Code: c0 0f 84 0c 01 00 00 4d 89 ee eb 6b 4c 89 f7 be 01 00 00 00 e8 c8 14 fe ff 48 8d 78 59 48 89 fa 48 89 f9 48 c1 ea 03 83 e1 07 <42> 0f b6 14 3a 38 ca 7f 08 84 d2 0f 85 ed 00 00 00 80 78 59 00 0f
Tainted: [B]=BAD_PAGE, [D]=DIE, [W]=WARN
RSP: 0018:ffff888110adf330 EFLAGS: 00010002
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014

RIP: 0010:find_stack lib/stackdepot.c:610 [inline]
RIP: 0010:stack_depot_save_flags+0x164/0x7f0 lib/stackdepot.c:676
RAX: 0000000000000000 RBX: ffff88811b035800 RCX: 0000000000000001
Code: e1 04 48 03 0d 75 8f f0 04 65 ff 05 06 35 e4 04 48 8b 29 48 39 e9 75 12 e9 96 00 00 00 48 8b 6d 00 48 39 e9 0f 84 6c 01 00 00 <39> 5d 10 75 ee 44 3b 7d 14 75 e8 31 c0 48 8b 54 c5 20 49 39 54 c5
RDX: 000000000000000b RSI: 0000000000000001 RDI: 0000000000000059
RSP: 0000:ffff888114a279a8 EFLAGS: 00010096
RBP: ffffed1023606b12 R08: 0000000000000001 R09: ffffed102215be92

RAX: 00000000b8c9dc9e RBX: 00000000b8c9dc9e RCX: ffff88811a3dc9e0
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88811b035890
RDX: ffffffffaa4012a6 RSI: 0000000000000003 RDI: 0000000099bcd7db
R13: ffff88811b035880 R14: ffff8881173a4000 R15: dffffc0000000000
RBP: 075200d30000000c R08: ffffffffaf8a3284 R09: ffff888114a27900
FS:  0000000000000000(0000) GS:ffff88816a84f000(0000) knlGS:0000000000000000
R10: 00000000b2322418 R11: 000000002c30fd98 R12: 0000000000000001
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
R13: ffff888114a27a00 R14: 000000000000000c R15: 000000000000000c
CR2: 00007ffffffff000 CR3: 0000000104120000 CR4: 0000000000350ef0
FS:  000055555b109500(0000) GS:ffff88816a8cf000(0000) knlGS:0000000000000000
----------------
Code disassembly (best guess):
   0: c0 0f 84                rorb   $0x84,(%rdi)
   3: 0c 01                   or     $0x1,%al
   5: 00 00                   add    %al,(%rax)
   7: 4d 89 ee                mov    %r13,%r14
   a: eb 6b                   jmp    0x77
   c: 4c 89 f7                mov    %r14,%rdi
   f: be 01 00 00 00          mov    $0x1,%esi
  14: e8 c8 14 fe ff          call   0xfffe14e1
  19: 48 8d 78 59             lea    0x59(%rax),%rdi
  1d: 48 89 fa                mov    %rdi,%rdx
  20: 48 89 f9                mov    %rdi,%rcx
  23: 48 c1 ea 03             shr    $0x3,%rdx
  27: 83 e1 07                and    $0x7,%ecx
* 2a: 42 0f b6 14 3a          movzbl (%rdx,%r15,1),%edx <-- trapping instruction
  2f: 38 ca                   cmp    %cl,%dl
  31: 7f 08                   jg     0x3b
  33: 84 d2                   test   %dl,%dl
  35: 0f 85 ed 00 00 00       jne    0x128
  3b: 80 78 59 00             cmpb   $0x0,0x59(%rax)
  3f: 0f                      .byte 0xf

<<<<<<<<<<<<<<< tail report >>>>>>>>>>>>>>>

Oops: general protection fault, probably for non-canonical address 0xdffffc000000000b: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000058-0x000000000000005f]
CPU: 0 UID: 0 PID: 5123 Comm: syz-executor Not tainted 7.0.0-rc6 #1 PREEMPT(lazy)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:pick_task_fair+0x89/0x1e0
Code: c0 0f 84 0c 01 00 00 4d 89 ee eb 6b 4c 89 f7 be 01 00 00 00 e8 c8 14 fe ff 48 8d 78 59 48 89 fa 48 89 f9 48 c1 ea 03 83 e1 07 <42> 0f b6 14 3a 38 ca 7f 08 84 d2 0f 85 ed 00 00 00 80 78 59 00 0f
RSP: 0018:ffff888110adf330 EFLAGS: 00010002
RAX: 0000000000000000 RBX: ffff88811b035800 RCX: 0000000000000001
------------[ cut here ]------------
WARNING: mm/swapfile.c:1909 at swap_put_entries_direct+0x1be/0x2c0, CPU#2: syz-executor/3650
Modules linked in:
CPU: 2 UID: 0 PID: 3650 Comm: syz-executor Not tainted 7.0.0-rc6 #1 PREEMPT(lazy)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:swap_put_entries_direct+0x1be/0x2c0
Code: 48 8b 44 24 58 65 48 2b 05 c7 e0 9c 05 0f 85 db 00 00 00 48 83 c4 60 5b 5d 41 5c 41 5d 41 5e e9 68 9c ef 02 e8 93 21 cc ff 90 <0f> 0b 90 eb b9 e8 88 21 cc ff 49 8d 6c 24 08 48 b8 00 00 00 00 00
RSP: 0018:ffff88810bd0f768 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 000162affc3fffff RCX: ffffffffaae42f5d
RDX: ffff888113315640 RSI: 0000000000000000 RDI: 0000000000000001
RBP: 000162affc400000 R08: 0000000000000001 R09: ffffed10217a1e92
R10: 0000000000000000 R11: 706177735f746567 R12: 0000000000000000
R13: 1ffff110217a1eed R14: dffffc0000000000 R15: ffff888117002000
FS:  0000000000000000(0000) GS:ffff88816a88f000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffffffff000 CR3: 00000001014b7000 CR4: 0000000000350ef0
Call Trace:
 <TASK>
 unmap_page_range+0x1645/0x3f40
 unmap_single_vma+0x153/0x240
 unmap_vmas+0x248/0x530
 exit_mmap+0x1ee/0x800
 mmput+0x6c/0x320
 do_exit+0x7c1/0x28e0
Read of size 8 at addr 0000000100000190 by task syz.2.164/6127

CPU: 5 UID: 0 PID: 6127 Comm: syz.2.164 Not tainted 7.0.0-rc6 #1 PREEMPT(lazy)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0xab/0xe0
 kasan_report+0xce/0x100
 kasan_check_range+0x100/0x1b0
 free_pgtables+0x53e/0xcd0
 exit_mmap+0x362/0x800
 mmput+0x6c/0x320
 do_exit+0x7c1/0x28e0
 do_group_exit+0xc7/0x280
 get_signal+0x20d2/0x2150
 arch_do_signal_or_restart+0x8f/0x7a0
 exit_to_user_mode_loop+0x6b/0x4c0
 do_syscall_64+0x46d/0x580
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f38134f777d
Code: Unable to access opcode bytes at 0x7f38134f7753.
RSP: 002b:00007f3811f36fa8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: fffffffffffffe00 RBX: 00007f3813785fa0 RCX: 00007f38134f777d
RDX: 000000000000004e RSI: 00002000000000c0 RDI: 000000000000000c
RBP: 00007f3813594d74 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f3813786038 R14: 00007f3813785fa0 R15: 00007f3811f17000
 </TASK>
==================================================================
RDX: 000000000000000b RSI: 0000000000000001 RDI: 0000000000000059
RBP: ffffed1023606b12 R08: 0000000000000001 R09: ffffed102215be92
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88811b035890
R13: ffff88811b035880 R14: ffff8881173a4000 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff88816a80f000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffd98c09c10 CR3: 00000000ace72000 CR4: 0000000000350ef0
Call Trace:
 <TASK>
 pick_next_task_fair+0x98/0x1c60
 __x64_sys_exit+0x42/0x50
 x64_sys_call+0x154f/0x1760
 do_syscall_64+0xfc/0x580
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fd94161777d
Code: Unable to access opcode bytes at 0x7fd941617753.
 __schedule+0x7ce/0x3ee0
RSP: 002b:00007fff7d837098 EFLAGS: 00000246
 ORIG_RAX: 000000000000003c
RAX: ffffffffffffffda RBX: 000000000000000b RCX: 00007fd94161777d
RDX: 00007fd94165859a RSI: 00007fff7d8370c0 RDI: 000000000000000b
 preempt_schedule_irq+0x49/0x80
RBP: 0000000000000000 R08: 00007fd9423e5000 R09: 0000000000007228
 irqentry_exit+0xc1/0x660
R10: 0000000000000053 R11: 0000000000000246 R12: 0000000000000000
 asm_sysvec_apic_timer_interrupt+0x1a/0x20
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
RIP: 0010:__rcu_read_unlock+0x88/0xf0
 </TASK>
Code: fc ff df 48 89 fa 48 c1 ea 03 83 eb 01 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 62 41 89 9c 24 3c 04 00 00 <85> db 75 37 48 8d bd 40 04 00 00 48 b8 00 00 00 00 00 fc ff df 48
---[ end trace 0000000000000000 ]---
RSP: 0018:ffff888110adf6e0 EFLAGS: 00000246
RAX: 0000000000000007 RBX: 0000000000000000 RCX: ffff888110ae0001
RDX: 0000000000000000 RSI: ffff888110adfdb0 RDI: ffff888100ec26bc
RBP: ffff888100ec2280 R08: 0000000000000001 R09: ffff888110adf7b0
R10: ffff888110adf770 R11: 0000000000009963 R12: ffff888100ec2280
R13: ffff888110adf770 R14: ffff888110adfde0 R15: ffff888110adfdd8
 unwind_next_frame+0x39d/0x2400
 arch_stack_walk+0x94/0x100
 stack_trace_save+0x8e/0xc0
 kasan_save_stack+0x33/0x60
 kasan_save_track+0x17/0x60
 __kasan_kmalloc+0x8f/0xa0
 kmem_cache_free+0x245/0x3d0
 tear_down_vmas+0x182/0x3a0
 exit_mmap+0x37f/0x800
 mmput+0x6c/0x320
 do_exit+0x7c1/0x28e0
 do_group_exit+0xc7/0x280
 __x64_sys_exit_group+0x3e/0x50
 x64_sys_call+0x16cd/0x1760
 do_syscall_64+0xfc/0x580
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb99736777d
Code: Unable to access opcode bytes at 0x7fb997367753.
RSP: 002b:00007ffd98c095f8 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 000000000000000b RCX: 00007fb99736777d
RDX: 00007fb9973a859a RSI: 0000000000000000 RDI: 000000000000000b
RBP: 00007ffd98c09bfc R08: 0000000000000000 R09: 000000000000000b
R10: 000000000000000e R11: 0000000000000206 R12: 0000000000000000
R13: 0000000000007221 R14: 0000000000000000 R15: 00000000000071f9
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
Oops: general protection fault, probably for non-canonical address 0xe1d646401ffff12b: 0000 [#2] SMP KASAN NOPTI
RIP: 0010:pick_task_fair+0x89/0x1e0
KASAN: maybe wild-memory-access in range [0x0eb25200ffff8958-0x0eb25200ffff895f]
Code: c0 0f 84 0c 01 00 00 4d 89 ee eb 6b 4c 89 f7 be 01 00 00 00 e8 c8 14 fe ff 48 8d 78 59 48 89 fa 48 89 f9 48 c1 ea 03 83 e1 07 <42> 0f b6 14 3a 38 ca 7f 08 84 d2 0f 85 ed 00 00 00 80 78 59 00 0f
CPU: 1 UID: 0 PID: 3489 Comm: syz-executor Tainted: G    B D W           7.0.0-rc6 #1 PREEMPT(lazy)
RSP: 0018:ffff888110adf330 EFLAGS: 00010002
Tainted: [B]=BAD_PAGE, [D]=DIE, [W]=WARN
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RAX: 0000000000000000 RBX: ffff88811b035800 RCX: 0000000000000001
RIP: 0010:cpuacct_account_field+0x8c/0x110
RDX: 000000000000000b RSI: 0000000000000001 RDI: 0000000000000059
Code: fb 00 bb cf ae 74 5b 48 bd 00 00 00 00 00 fc ff df 48 63 f6 4c 8d 24 f5 00 00 00 00 48 8d bb d8 00 00 00 48 89 f8 48 c1 e8 03 <80> 3c 28 00 75 41 48 8b 83 d8 00 00 00 48 8d bb b8 00 00 00 4c 01
RBP: ffffed1023606b12 R08: 0000000000000001 R09: ffffed102215be92
RSP: 0018:ffff88811b048c88 EFLAGS: 00010016
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88811b035890

R13: ffff88811b035880 R14: ffff8881173a4000 R15: dffffc0000000000
RAX: 01d64a401ffff12b RBX: 0eb25200ffff8881 RCX: 0000000000010000
FS:  0000000000000000(0000) GS:ffff88816a80f000(0000) knlGS:0000000000000000
RDX: 1ffff11022e6cb02 RSI: 0000000000000002 RDI: 0eb25200ffff8959
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
RBP: dffffc0000000000 R08: 0000000000000000 R09: ffffed102360919a
CR2: 00007ffd98c09c10 CR3: 00000000ace72000 CR4: 0000000000350ef0
R10: 0000000000015a2a R11: ffff88811b048ff8 R12: 0000000000000010
note: syz-executor[5123] exited with irqs disabled
R13: 00000000000f4240 R14: ffff888104356500 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88816a84f000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffffffff000 CR3: 0000000104120000 CR4: 0000000000350ef0
Call Trace:
 <IRQ>
 account_system_index_time+0x113/0x1f0
 update_process_times+0x82/0x1f0
 tick_nohz_handler+0x5a1/0x710
 __hrtimer_run_queues+0x411/0x8a0
 hrtimer_interrupt+0x2f4/0x7c0
 __sysvec_apic_timer_interrupt+0x88/0x2d0
 sysvec_apic_timer_interrupt+0x67/0x80
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:__sanitizer_cov_trace_pc+0x8/0x80
Code: 00 e9 6c ff ff ff 4d 01 d7 4d 89 39 e9 ef fd ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 48 8b 0c 24 <65> 48 8b 15 18 bf d0 05 65 8b 05 29 bf d0 05 a9 00 01 ff 00 74 1d
RSP: 0018:ffff8881031477f0 EFLAGS: 00000216
RAX: ffff888100c74680 RBX: 0000000000001000 RCX: ffffffffaad67b73
RDX: ffff88810150d640 RSI: 0000000000000000 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000000 R09: fffff94000040026
R10: 0000000000000000 R11: ffffea00042a5400 R12: ffffea0000200100
R13: 00007f8f51ecf000 R14: dffffc0000000000 R15: ffffea0000200130
 unmap_page_range+0xe53/0x3f40
 unmap_single_vma+0x153/0x240
 unmap_vmas+0x248/0x530
 exit_mmap+0x1ee/0x800
 mmput+0x6c/0x320
 do_exit+0x7c1/0x28e0
 __x64_sys_exit+0x42/0x50
 x64_sys_call+0x154f/0x1760
 do_syscall_64+0xfc/0x580
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f8f52c8777d
Code: Unable to access opcode bytes at 0x7f8f52c87753.
RSP: 002b:00007ffdf12940d8 EFLAGS: 00000246 ORIG_RAX: 000000000000003c
RAX: ffffffffffffffda RBX: 000000000000000b RCX: 00007f8f52c8777d
RDX: 00007f8f52cc859a RSI: 00007ffdf1294100 RDI: 000000000000000b
RBP: 00007ffdf1294740 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000049 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000065 R14: 0000000000000000 R15: 0000000000000001
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
Oops: stack segment: 0000 [#3] SMP KASAN NOPTI
RIP: 0010:pick_task_fair+0x89/0x1e0
CPU: 3 UID: 0 PID: 3120 Comm: syz-executor Tainted: G    B D W           7.0.0-rc6 #1 PREEMPT(lazy)
Code: c0 0f 84 0c 01 00 00 4d 89 ee eb 6b 4c 89 f7 be 01 00 00 00 e8 c8 14 fe ff 48 8d 78 59 48 89 fa 48 89 f9 48 c1 ea 03 83 e1 07 <42> 0f b6 14 3a 38 ca 7f 08 84 d2 0f 85 ed 00 00 00 80 78 59 00 0f
Tainted: [B]=BAD_PAGE, [D]=DIE, [W]=WARN
RSP: 0018:ffff888110adf330 EFLAGS: 00010002
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014

RIP: 0010:stack_depot_save_flags+0x164/0x7f0
RAX: 0000000000000000 RBX: ffff88811b035800 RCX: 0000000000000001
Code: e1 04 48 03 0d 75 8f f0 04 65 ff 05 06 35 e4 04 48 8b 29 48 39 e9 75 12 e9 96 00 00 00 48 8b 6d 00 48 39 e9 0f 84 6c 01 00 00 <39> 5d 10 75 ee 44 3b 7d 14 75 e8 31 c0 48 8b 54 c5 20 49 39 54 c5
RDX: 000000000000000b RSI: 0000000000000001 RDI: 0000000000000059
RSP: 0000:ffff888114a279a8 EFLAGS: 00010096
RBP: ffffed1023606b12 R08: 0000000000000001 R09: ffffed102215be92

RAX: 00000000b8c9dc9e RBX: 00000000b8c9dc9e RCX: ffff88811a3dc9e0
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88811b035890
RDX: ffffffffaa4012a6 RSI: 0000000000000003 RDI: 0000000099bcd7db
R13: ffff88811b035880 R14: ffff8881173a4000 R15: dffffc0000000000
RBP: 075200d30000000c R08: ffffffffaf8a3284 R09: ffff888114a27900
FS:  0000000000000000(0000) GS:ffff88816a84f000(0000) knlGS:0000000000000000
R10: 00000000b2322418 R11: 000000002c30fd98 R12: 0000000000000001
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
R13: ffff888114a27a00 R14: 000000000000000c R15: 000000000000000c
CR2: 00007ffffffff000 CR3: 0000000104120000 CR4: 0000000000350ef0
FS:  000055555b109500(0000) GS:ffff88816a8cf000(0000) knlGS:0000000000000000

RIP: 0033:0x7f38134f777d
Code: Unable to access opcode bytes at 0x7f38134f7753.
RSP: 002b:00007f3811f36fa8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: fffffffffffffe00 RBX: 00007f3813785fa0 RCX: 00007f38134f777d
RDX: 000000000000004e RSI: 00002000000000c0 RDI: 000000000000000c
RBP: 00007f3813594d74 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f3813786038 R14: 00007f3813785fa0 R15: 00007f3811f17000
 </TASK>
==================================================================
RDX: 000000000000000b RSI: 0000000000000001 RDI: 0000000000000059
RBP: ffffed1023606b12 R08: 0000000000000001 R09: ffffed102215be92
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88811b035890
R13: ffff88811b035880 R14: ffff8881173a4000 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff88816a80f000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffd98c09c10 CR3: 00000000ace72000 CR4: 0000000000350ef0
Call Trace:
 <TASK>
 pick_next_task_fair+0x98/0x1c60
 __x64_sys_exit+0x42/0x50
 x64_sys_call+0x154f/0x1760
 do_syscall_64+0xfc/0x580
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fd94161777d
Code: Unable to access opcode bytes at 0x7fd941617753.
 __schedule+0x7ce/0x3ee0
RSP: 002b:00007fff7d837098 EFLAGS: 00000246
 ORIG_RAX: 000000000000003c
RAX: ffffffffffffffda RBX: 000000000000000b RCX: 00007fd94161777d
RDX: 00007fd94165859a RSI: 00007fff7d8370c0 RDI: 000000000000000b
 preempt_schedule_irq+0x49/0x80
RBP: 0000000000000000 R08: 00007fd9423e5000 R09: 0000000000007228
 irqentry_exit+0xc1/0x660
R10: 0000000000000053 R11: 0000000000000246 R12: 0000000000000000
 asm_sysvec_apic_timer_interrupt+0x1a/0x20
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
RIP: 0010:__rcu_read_unlock+0x88/0xf0
 </TASK>
Code: fc ff df 48 89 fa 48 c1 ea 03 83 eb 01 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 62 41 89 9c 24 3c 04 00 00 <85> db 75 37 48 8d bd 40 04 00 00 48 b8 00 00 00 00 00 fc ff df 48
---[ end trace 0000000000000000 ]---
RSP: 0018:ffff888110adf6e0 EFLAGS: 00000246
RAX: 0000000000000007 RBX: 0000000000000000 RCX: ffff888110ae0001
RDX: 0000000000000000 RSI: ffff888110adfdb0 RDI: ffff888100ec26bc
RBP: ffff888100ec2280 R08: 0000000000000001 R09: ffff888110adf7b0
R10: ffff888110adf770 R11: 0000000000009963 R12: ffff888100ec2280
R13: ffff888110adf770 R14: ffff888110adfde0 R15: ffff888110adfdd8
 unwind_next_frame+0x39d/0x2400
 arch_stack_walk+0x94/0x100
 stack_trace_save+0x8e/0xc0
 kasan_save_stack+0x33/0x60
 kasan_save_track+0x17/0x60
 __kasan_kmalloc+0x8f/0xa0
 kmem_cache_free+0x245/0x3d0
 tear_down_vmas+0x182/0x3a0
 exit_mmap+0x37f/0x800
 mmput+0x6c/0x320
 do_exit+0x7c1/0x28e0
 do_group_exit+0xc7/0x280
 __x64_sys_exit_group+0x3e/0x50
 x64_sys_call+0x16cd/0x1760
 do_syscall_64+0xfc/0x580
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb99736777d
Code: Unable to access opcode bytes at 0x7fb997367753.
RSP: 002b:00007ffd98c095f8 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 000000000000000b RCX: 00007fb99736777d
RDX: 00007fb9973a859a RSI: 0000000000000000 RDI: 000000000000000b
RBP: 00007ffd98c09bfc R08: 0000000000000000 R09: 000000000000000b
R10: 000000000000000e R11: 0000000000000206 R12: 0000000000000000
R13: 0000000000007221 R14: 0000000000000000 R15: 00000000000071f9
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
Oops: general protection fault, probably for non-canonical address 0xe1d646401ffff12b: 0000 [#2] SMP KASAN NOPTI
RIP: 0010:pick_task_fair+0x89/0x1e0
KASAN: maybe wild-memory-access in range [0x0eb25200ffff8958-0x0eb25200ffff895f]
Code: c0 0f 84 0c 01 00 00 4d 89 ee eb 6b 4c 89 f7 be 01 00 00 00 e8 c8 14 fe ff 48 8d 78 59 48 89 fa 48 89 f9 48 c1 ea 03 83 e1 07 <42> 0f b6 14 3a 38 ca 7f 08 84 d2 0f 85 ed 00 00 00 80 78 59 00 0f
CPU: 1 UID: 0 PID: 3489 Comm: syz-executor Tainted: G    B D W           7.0.0-rc6 #1 PREEMPT(lazy)
RSP: 0018:ffff888110adf330 EFLAGS: 00010002
Tainted: [B]=BAD_PAGE, [D]=DIE, [W]=WARN
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RAX: 0000000000000000 RBX: ffff88811b035800 RCX: 0000000000000001
RIP: 0010:cpuacct_account_field+0x8c/0x110
RDX: 000000000000000b RSI: 0000000000000001 RDI: 0000000000000059
Code: fb 00 bb cf ae 74 5b 48 bd 00 00 00 00 00 fc ff df 48 63 f6 4c 8d 24 f5 00 00 00 00 48 8d bb d8 00 00 00 48 89 f8 48 c1 e8 03 <80> 3c 28 00 75 41 48 8b 83 d8 00 00 00 48 8d bb b8 00 00 00 4c 01
RBP: ffffed1023606b12 R08: 0000000000000001 R09: ffffed102215be92
RSP: 0018:ffff88811b048c88 EFLAGS: 00010016
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88811b035890

R13: ffff88811b035880 R14: ffff8881173a4000 R15: dffffc0000000000
RAX: 01d64a401ffff12b RBX: 0eb25200ffff8881 RCX: 0000000000010000
FS:  0000000000000000(0000) GS:ffff88816a80f000(0000) knlGS:0000000000000000
RDX: 1ffff11022e6cb02 RSI: 0000000000000002 RDI: 0eb25200ffff8959
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
RBP: dffffc0000000000 R08: 0000000000000000 R09: ffffed102360919a
CR2: 00007ffd98c09c10 CR3: 00000000ace72000 CR4: 0000000000350ef0
R10: 0000000000015a2a R11: ffff88811b048ff8 R12: 0000000000000010
note: syz-executor[5123] exited with irqs disabled
R13: 00000000000f4240 R14: ffff888104356500 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88816a84f000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffffffff000 CR3: 0000000104120000 CR4: 0000000000350ef0
Call Trace:
 <IRQ>
 account_system_index_time+0x113/0x1f0
 update_process_times+0x82/0x1f0
 tick_nohz_handler+0x5a1/0x710
 __hrtimer_run_queues+0x411/0x8a0
 hrtimer_interrupt+0x2f4/0x7c0
 __sysvec_apic_timer_interrupt+0x88/0x2d0
 sysvec_apic_timer_interrupt+0x67/0x80
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20
RIP: 0010:__sanitizer_cov_trace_pc+0x8/0x80
Code: 00 e9 6c ff ff ff 4d 01 d7 4d 89 39 e9 ef fd ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 48 8b 0c 24 <65> 48 8b 15 18 bf d0 05 65 8b 05 29 bf d0 05 a9 00 01 ff 00 74 1d
RSP: 0018:ffff8881031477f0 EFLAGS: 00000216
RAX: ffff888100c74680 RBX: 0000000000001000 RCX: ffffffffaad67b73
RDX: ffff88810150d640 RSI: 0000000000000000 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000000 R09: fffff94000040026
R10: 0000000000000000 R11: ffffea00042a5400 R12: ffffea0000200100
R13: 00007f8f51ecf000 R14: dffffc0000000000 R15: ffffea0000200130
 unmap_page_range+0xe53/0x3f40
 unmap_single_vma+0x153/0x240
 unmap_vmas+0x248/0x530
 exit_mmap+0x1ee/0x800
 mmput+0x6c/0x320
 do_exit+0x7c1/0x28e0
 __x64_sys_exit+0x42/0x50
 x64_sys_call+0x154f/0x1760
 do_syscall_64+0xfc/0x580
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f8f52c8777d
Code: Unable to access opcode bytes at 0x7f8f52c87753.
RSP: 002b:00007ffdf12940d8 EFLAGS: 00000246 ORIG_RAX: 000000000000003c
RAX: ffffffffffffffda RBX: 000000000000000b RCX: 00007f8f52c8777d
RDX: 00007f8f52cc859a RSI: 00007ffdf1294100 RDI: 000000000000000b
RBP: 00007ffdf1294740 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000049 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000065 R14: 0000000000000000 R15: 0000000000000001
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
Oops: stack segment: 0000 [#3] SMP KASAN NOPTI
RIP: 0010:pick_task_fair+0x89/0x1e0
CPU: 3 UID: 0 PID: 3120 Comm: syz-executor Tainted: G    B D W           7.0.0-rc6 #1 PREEMPT(lazy)
Code: c0 0f 84 0c 01 00 00 4d 89 ee eb 6b 4c 89 f7 be 01 00 00 00 e8 c8 14 fe ff 48 8d 78 59 48 89 fa 48 89 f9 48 c1 ea 03 83 e1 07 <42> 0f b6 14 3a 38 ca 7f 08 84 d2 0f 85 ed 00 00 00 80 78 59 00 0f
Tainted: [B]=BAD_PAGE, [D]=DIE, [W]=WARN
RSP: 0018:ffff888110adf330 EFLAGS: 00010002
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014

RIP: 0010:stack_depot_save_flags+0x164/0x7f0
RAX: 0000000000000000 RBX: ffff88811b035800 RCX: 0000000000000001
Code: e1 04 48 03 0d 75 8f f0 04 65 ff 05 06 35 e4 04 48 8b 29 48 39 e9 75 12 e9 96 00 00 00 48 8b 6d 00 48 39 e9 0f 84 6c 01 00 00 <39> 5d 10 75 ee 44 3b 7d 14 75 e8 31 c0 48 8b 54 c5 20 49 39 54 c5
RDX: 000000000000000b RSI: 0000000000000001 RDI: 0000000000000059
RSP: 0000:ffff888114a279a8 EFLAGS: 00010096
RBP: ffffed1023606b12 R08: 0000000000000001 R09: ffffed102215be92

RAX: 00000000b8c9dc9e RBX: 00000000b8c9dc9e RCX: ffff88811a3dc9e0
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88811b035890
RDX: ffffffffaa4012a6 RSI: 0000000000000003 RDI: 0000000099bcd7db
R13: ffff88811b035880 R14: ffff8881173a4000 R15: dffffc0000000000
RBP: 075200d30000000c R08: ffffffffaf8a3284 R09: ffff888114a27900
FS:  0000000000000000(0000) GS:ffff88816a84f000(0000) knlGS:0000000000000000
R10: 00000000b2322418 R11: 000000002c30fd98 R12: 0000000000000001
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
R13: ffff888114a27a00 R14: 000000000000000c R15: 000000000000000c
CR2: 00007ffffffff000 CR3: 0000000104120000 CR4: 0000000000350ef0
FS:  000055555b109500(0000) GS:ffff88816a8cf000(0000) knlGS:0000000000000000


Thanks,
Forrest021


* Re: [BUG] KASAN: user-memory-access in free_pgtables
  2026-04-25  9:50 [BUG] KASAN: user-memory-access in free_pgtables Huang Forrest
@ 2026-04-27  8:09 ` David Hildenbrand (Arm)
  2026-04-29  8:45   ` Kairui Song
  0 siblings, 1 reply; 3+ messages in thread
From: David Hildenbrand (Arm) @ 2026-04-27  8:09 UTC (permalink / raw)
  To: Huang Forrest, akpm@linux-foundation.org
  Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, Chris Li,
	Kairui Song, Kemeng Shi, Nhat Pham, Barry Song, Youngjun Park

On 4/25/26 11:50, Huang Forrest wrote:
> Hello,

CCing swap folks. Did any of the bigger swap reworks go into v7.0 that could
cause this?

It could also just be a corrupted PTE I guess.

> 
> I found the following issue with syzkaller on:
> 
> HEAD commit:    7aaa8047eafd (HEAD -> master, tag: v7.0-rc6, origin/master, origin/HEAD) Linux 7.0-rc6.
> git tree:  https://github.com/torvalds/linux.git master
> console output: N/A (local fuzzing run did not capture full serial console; only report0/log0 saved)
> kernel config:  https://gist.githubusercontent.com/Forest-kernel/354e7c56522ab60f29c8b96e7429e2e3/raw/97bb1e7d6f9406da5bd07e999c3634f250a5db0c/config.txt
> dashboard link: N/A for local dashboard
> compiler: gcc (Ubuntu 12.3.0-1ubuntu1~22.04) 12.3.0
> userspace arch: x86_64
> 
> 
> I don't have any reproducer for this issue yet.
> 
> Suspected root cause:
> The first report message is "get_swap_device: Bad swap file entry", immediately followed by a WARN in swap_put_entries_direct() (mm/swapfile.c:1909).
> 
> I suspect that the root cause falls in these two possibilities:
> 1. The bad swap entry may itself be just a symptom: a prior unnoticed memory corruption like a UAF could have corrupted a swap entry/PTE/VMA field, which then surfaces as the WARNING occurs.
> 2. Alternatively, the swap entry issue itself might be the real trigger: a logic bug could let an invalid entry reach swap accounting , corrupting swap metadata and then leading to more serious secondary faults like user-memory-access.
> 
> The following full report also in https://gist.github.com/Forest-kernel/725ce788c4374d8e4945e5a13c67362e
> 
> ==================================================================
> get_swap_device: Bad swap file entry 80162affc3fffff
> BUG: KASAN: user-memory-access in instrument_atomic_read include/linux/instrumented.h:82 [inline]
> BUG: KASAN: user-memory-access in atomic_long_read include/linux/atomic/atomic-instrumented.h:3188 [inline]
> BUG: KASAN: user-memory-access in rwsem_assert_held_write_nolockdep include/linux/rwsem.h:87 [inline]
> BUG: KASAN: user-memory-access in rwsem_assert_held_write include/linux/rwsem.h:223 [inline]
> BUG: KASAN: user-memory-access in mmap_assert_write_locked include/linux/mmap_lock.h:76 [inline]
> BUG: KASAN: user-memory-access in __vma_raw_mm_seqnum include/linux/mmap_lock.h:272 [inline]
> BUG: KASAN: user-memory-access in __is_vma_write_locked include/linux/mmap_lock.h:288 [inline]
> BUG: KASAN: user-memory-access in vma_start_write include/linux/mmap_lock.h:300 [inline]
> BUG: KASAN: user-memory-access in free_pgtables+0x53e/0xcd0 mm/memory.c:413
> Oops: general protection fault, probably for non-canonical address 0xdffffc000000000b: 0000 [#1] SMP KASAN NOPTI
> KASAN: null-ptr-deref in range [0x0000000000000058-0x000000000000005f]
> CPU: 0 UID: 0 PID: 5123 Comm: syz-executor Not tainted 7.0.0-rc6 #1 PREEMPT(lazy)
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> RIP: 0010:pick_next_entity kernel/sched/fair.c:5547 [inline]
> RIP: 0010:pick_task_fair+0x89/0x1e0 kernel/sched/fair.c:8966
> Code: c0 0f 84 0c 01 00 00 4d 89 ee eb 6b 4c 89 f7 be 01 00 00 00 e8 c8 14 fe ff 48 8d 78 59 48 89 fa 48 89 f9 48 c1 ea 03 83 e1 07 <42> 0f b6 14 3a 38 ca 7f 08 84 d2 0f 85 ed 00 00 00 80 78 59 00 0f
> RSP: 0018:ffff888110adf330 EFLAGS: 00010002
> RAX: 0000000000000000 RBX: ffff88811b035800 RCX: 0000000000000001
> ------------[ cut here ]------------
> WARNING: mm/swapfile.c:1909 at swap_put_entries_direct+0x1be/0x2c0 mm/swapfile.c:1909, CPU#2: syz-executor/3650
> Modules linked in:
> CPU: 2 UID: 0 PID: 3650 Comm: syz-executor Not tainted 7.0.0-rc6 #1 PREEMPT(lazy)
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> RIP: 0010:swap_put_entries_direct+0x1be/0x2c0 mm/swapfile.c:1909
> Code: 48 8b 44 24 58 65 48 2b 05 c7 e0 9c 05 0f 85 db 00 00 00 48 83 c4 60 5b 5d 41 5c 41 5d 41 5e e9 68 9c ef 02 e8 93 21 cc ff 90 <0f> 0b 90 eb b9 e8 88 21 cc ff 49 8d 6c 24 08 48 b8 00 00 00 00 00
> RSP: 0018:ffff88810bd0f768 EFLAGS: 00010293
> RAX: 0000000000000000 RBX: 000162affc3fffff RCX: ffffffffaae42f5d
> RDX: ffff888113315640 RSI: 0000000000000000 RDI: 0000000000000001
> RBP: 000162affc400000 R08: 0000000000000001 R09: ffffed10217a1e92
> R10: 0000000000000000 R11: 706177735f746567 R12: 0000000000000000
> R13: 1ffff110217a1eed R14: dffffc0000000000 R15: ffff888117002000
> FS:  0000000000000000(0000) GS:ffff88816a88f000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007ffffffff000 CR3: 00000001014b7000 CR4: 0000000000350ef0
> Call Trace:
>  <TASK>
>  zap_nonpresent_ptes mm/memory.c:1764 [inline]
>  do_zap_pte_range mm/memory.c:1831 [inline]
>  zap_pte_range mm/memory.c:1929 [inline]
>  zap_pmd_range mm/memory.c:2021 [inline]
>  zap_pud_range mm/memory.c:2049 [inline]
>  zap_p4d_range mm/memory.c:2070 [inline]
>  unmap_page_range+0x1645/0x3f40 mm/memory.c:2091
>  unmap_single_vma+0x153/0x240 mm/memory.c:2133
>  unmap_vmas+0x248/0x530 mm/memory.c:2171
>  exit_mmap+0x1ee/0x800 mm/mmap.c:1302
>  __mmput kernel/fork.c:1175 [inline]
>  mmput+0x6c/0x320 kernel/fork.c:1198
>  exit_mm kernel/exit.c:581 [inline]
>  do_exit+0x7c1/0x28e0 kernel/exit.c:964
> Read of size 8 at addr 0000000100000190 by task syz.2.164/6127
> 
> CPU: 5 UID: 0 PID: 6127 Comm: syz.2.164 Not tainted 7.0.0-rc6 #1 PREEMPT(lazy)
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> Call Trace:
>  <TASK>
>  __dump_stack lib/dump_stack.c:94 [inline]
>  dump_stack_lvl+0xab/0xe0 lib/dump_stack.c:120
>  kasan_report+0xce/0x100 mm/kasan/report.c:595
>  check_region_inline mm/kasan/generic.c:194 [inline]
>  kasan_check_range+0x100/0x1b0 mm/kasan/generic.c:200
>  instrument_atomic_read include/linux/instrumented.h:82 [inline]
>  atomic_long_read include/linux/atomic/atomic-instrumented.h:3188 [inline]
>  rwsem_assert_held_write_nolockdep include/linux/rwsem.h:87 [inline]
>  rwsem_assert_held_write include/linux/rwsem.h:223 [inline]
>  mmap_assert_write_locked include/linux/mmap_lock.h:76 [inline]
>  __vma_raw_mm_seqnum include/linux/mmap_lock.h:272 [inline]
>  __is_vma_write_locked include/linux/mmap_lock.h:288 [inline]
>  vma_start_write include/linux/mmap_lock.h:300 [inline]
>  free_pgtables+0x53e/0xcd0 mm/memory.c:413
>  exit_mmap+0x362/0x800 mm/mmap.c:1314
>  __mmput kernel/fork.c:1175 [inline]
>  mmput+0x6c/0x320 kernel/fork.c:1198
>  exit_mm kernel/exit.c:581 [inline]
>  do_exit+0x7c1/0x28e0 kernel/exit.c:964
>  do_group_exit+0xc7/0x280 kernel/exit.c:1118
>  get_signal+0x20d2/0x2150 kernel/signal.c:3034
>  arch_do_signal_or_restart+0x8f/0x7a0 arch/x86/kernel/signal.c:337
>  __exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
>  exit_to_user_mode_loop+0x6b/0x4c0 kernel/entry/common.c:98
>  __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
>  syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
>  syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
>  do_syscall_64+0x46d/0x580 arch/x86/entry/syscall_64.c:100
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7f38134f777d
> Code: Unable to access opcode bytes at 0x7f38134f7753.
> RSP: 002b:00007f3811f36fa8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
> RAX: fffffffffffffe00 RBX: 00007f3813785fa0 RCX: 00007f38134f777d
> RDX: 000000000000004e RSI: 00002000000000c0 RDI: 000000000000000c
> RBP: 00007f3813594d74 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 00007f3813786038 R14: 00007f3813785fa0 R15: 00007f3811f17000
>  </TASK>
> ==================================================================
> RDX: 000000000000000b RSI: 0000000000000001 RDI: 0000000000000059
> RBP: ffffed1023606b12 R08: 0000000000000001 R09: ffffed102215be92
> R10: 0000000000000000 R11: 0000000000000000 R12: ffff88811b035890
> R13: ffff88811b035880 R14: ffff8881173a4000 R15: dffffc0000000000
> FS:  0000000000000000(0000) GS:ffff88816a80f000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007ffd98c09c10 CR3: 00000000ace72000 CR4: 0000000000350ef0
> Call Trace:
>  <TASK>
>  pick_next_task_fair+0x98/0x1c60 kernel/sched/fair.c:8990
>  __do_sys_exit kernel/exit.c:1085 [inline]
>  __se_sys_exit kernel/exit.c:1083 [inline]
>  __x64_sys_exit+0x42/0x50 kernel/exit.c:1083
>  x64_sys_call+0x154f/0x1760 arch/x86/include/generated/asm/syscalls_64.h:61
>  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>  do_syscall_64+0xfc/0x580 arch/x86/entry/syscall_64.c:94
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7fd94161777d
> Code: Unable to access opcode bytes at 0x7fd941617753.
>  __pick_next_task kernel/sched/core.c:5929 [inline]
>  pick_next_task kernel/sched/core.c:6468 [inline]
>  __schedule+0x7ce/0x3ee0 kernel/sched/core.c:6852
> RSP: 002b:00007fff7d837098 EFLAGS: 00000246
>  ORIG_RAX: 000000000000003c
> RAX: ffffffffffffffda RBX: 000000000000000b RCX: 00007fd94161777d
> RDX: 00007fd94165859a RSI: 00007fff7d8370c0 RDI: 000000000000000b
>  preempt_schedule_irq+0x49/0x80 kernel/sched/core.c:7238
> RBP: 0000000000000000 R08: 00007fd9423e5000 R09: 0000000000007228
>  irqentry_exit+0xc1/0x660 kernel/entry/common.c:239
> R10: 0000000000000053 R11: 0000000000000246 R12: 0000000000000000
>  asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
> R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> RIP: 0010:__rcu_read_unlock+0x88/0xf0 kernel/rcu/tree_plugin.h:435
>  </TASK>
> Code: fc ff df 48 89 fa 48 c1 ea 03 83 eb 01 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 62 41 89 9c 24 3c 04 00 00 <85> db 75 37 48 8d bd 40 04 00 00 48 b8 00 00 00 00 00 fc ff df 48
> ---[ end trace 0000000000000000 ]---
> RSP: 0018:ffff888110adf6e0 EFLAGS: 00000246
> RAX: 0000000000000007 RBX: 0000000000000000 RCX: ffff888110ae0001
> RDX: 0000000000000000 RSI: ffff888110adfdb0 RDI: ffff888100ec26bc
> RBP: ffff888100ec2280 R08: 0000000000000001 R09: ffff888110adf7b0
> R10: ffff888110adf770 R11: 0000000000009963 R12: ffff888100ec2280
> R13: ffff888110adf770 R14: ffff888110adfde0 R15: ffff888110adfdd8
>  rcu_read_unlock include/linux/rcupdate.h:883 [inline]
>  class_rcu_destructor include/linux/rcupdate.h:1193 [inline]
>  unwind_next_frame+0x39d/0x2400 arch/x86/kernel/unwind_orc.c:495
>  arch_stack_walk+0x94/0x100 arch/x86/kernel/stacktrace.c:25
>  stack_trace_save+0x8e/0xc0 kernel/stacktrace.c:122
>  kasan_save_stack+0x33/0x60 mm/kasan/common.c:57
>  kasan_save_track+0x17/0x60 mm/kasan/common.c:78
>  poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
>  __kasan_kmalloc+0x8f/0xa0 mm/kasan/common.c:415
>  kmalloc_noprof include/linux/slab.h:950 [inline]
>  slab_free_hook mm/slub.c:2637 [inline]
>  slab_free mm/slub.c:6165 [inline]
>  kmem_cache_free+0x245/0x3d0 mm/slub.c:6295
>  tear_down_vmas+0x182/0x3a0 mm/mmap.c:1264
>  exit_mmap+0x37f/0x800 mm/mmap.c:1322
>  __mmput kernel/fork.c:1175 [inline]
>  mmput+0x6c/0x320 kernel/fork.c:1198
>  exit_mm kernel/exit.c:581 [inline]
>  do_exit+0x7c1/0x28e0 kernel/exit.c:964
>  do_group_exit+0xc7/0x280 kernel/exit.c:1118
>  __do_sys_exit_group kernel/exit.c:1129 [inline]
>  __se_sys_exit_group kernel/exit.c:1127 [inline]
>  __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1127
>  x64_sys_call+0x16cd/0x1760 arch/x86/include/generated/asm/syscalls_64.h:232
>  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>  do_syscall_64+0xfc/0x580 arch/x86/entry/syscall_64.c:94
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7fb99736777d
> Code: Unable to access opcode bytes at 0x7fb997367753.
> RSP: 002b:00007ffd98c095f8 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7
> RAX: ffffffffffffffda RBX: 000000000000000b RCX: 00007fb99736777d
> RDX: 00007fb9973a859a RSI: 0000000000000000 RDI: 000000000000000b
> RBP: 00007ffd98c09bfc R08: 0000000000000000 R09: 000000000000000b
> R10: 000000000000000e R11: 0000000000000206 R12: 0000000000000000
> R13: 0000000000007221 R14: 0000000000000000 R15: 00000000000071f9
>  </TASK>
> Modules linked in:
> ---[ end trace 0000000000000000 ]---
> Oops: general protection fault, probably for non-canonical address 0xe1d646401ffff12b: 0000 [#2] SMP KASAN NOPTI
> RIP: 0010:pick_next_entity kernel/sched/fair.c:5547 [inline]
> RIP: 0010:pick_task_fair+0x89/0x1e0 kernel/sched/fair.c:8966
> KASAN: maybe wild-memory-access in range [0x0eb25200ffff8958-0x0eb25200ffff895f]
> Code: c0 0f 84 0c 01 00 00 4d 89 ee eb 6b 4c 89 f7 be 01 00 00 00 e8 c8 14 fe ff 48 8d 78 59 48 89 fa 48 89 f9 48 c1 ea 03 83 e1 07 <42> 0f b6 14 3a 38 ca 7f 08 84 d2 0f 85 ed 00 00 00 80 78 59 00 0f
> CPU: 1 UID: 0 PID: 3489 Comm: syz-executor Tainted: G    B D W           7.0.0-rc6 #1 PREEMPT(lazy)
> RSP: 0018:ffff888110adf330 EFLAGS: 00010002
> Tainted: [B]=BAD_PAGE, [D]=DIE, [W]=WARN
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> RAX: 0000000000000000 RBX: ffff88811b035800 RCX: 0000000000000001
> RIP: 0010:cpuacct_account_field+0x8c/0x110 kernel/sched/cpuacct.c:357
> RDX: 000000000000000b RSI: 0000000000000001 RDI: 0000000000000059
> Code: fb 00 bb cf ae 74 5b 48 bd 00 00 00 00 00 fc ff df 48 63 f6 4c 8d 24 f5 00 00 00 00 48 8d bb d8 00 00 00 48 89 f8 48 c1 e8 03 <80> 3c 28 00 75 41 48 8b 83 d8 00 00 00 48 8d bb b8 00 00 00 4c 01
> RBP: ffffed1023606b12 R08: 0000000000000001 R09: ffffed102215be92
> RSP: 0018:ffff88811b048c88 EFLAGS: 00010016
> R10: 0000000000000000 R11: 0000000000000000 R12: ffff88811b035890
> 
> R13: ffff88811b035880 R14: ffff8881173a4000 R15: dffffc0000000000
> RAX: 01d64a401ffff12b RBX: 0eb25200ffff8881 RCX: 0000000000010000
> FS:  0000000000000000(0000) GS:ffff88816a80f000(0000) knlGS:0000000000000000
> RDX: 1ffff11022e6cb02 RSI: 0000000000000002 RDI: 0eb25200ffff8959
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> RBP: dffffc0000000000 R08: 0000000000000000 R09: ffffed102360919a
> CR2: 00007ffd98c09c10 CR3: 00000000ace72000 CR4: 0000000000350ef0
> R10: 0000000000015a2a R11: ffff88811b048ff8 R12: 0000000000000010
> note: syz-executor[5123] exited with irqs disabled
> R13: 00000000000f4240 R14: ffff888104356500 R15: 0000000000000000
> FS:  0000000000000000(0000) GS:ffff88816a84f000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007ffffffff000 CR3: 0000000104120000 CR4: 0000000000350ef0
> Call Trace:
>  <IRQ>
>  cgroup_account_cputime_field include/linux/cgroup.h:755 [inline]
>  task_group_account_field kernel/sched/cputime.c:115 [inline]
>  account_system_index_time+0x113/0x1f0 kernel/sched/cputime.c:178
>  update_process_times+0x82/0x1f0 kernel/time/timer.c:2472
>  tick_sched_handle kernel/time/tick-sched.c:298 [inline]
>  tick_nohz_handler+0x5a1/0x710 kernel/time/tick-sched.c:319
>  __run_hrtimer kernel/time/hrtimer.c:1785 [inline]
>  __hrtimer_run_queues+0x411/0x8a0 kernel/time/hrtimer.c:1849
>  hrtimer_interrupt+0x2f4/0x7c0 kernel/time/hrtimer.c:1911
>  local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1045 [inline]
>  __sysvec_apic_timer_interrupt+0x88/0x2d0 arch/x86/kernel/apic/apic.c:1062
>  instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
>  sysvec_apic_timer_interrupt+0x67/0x80 arch/x86/kernel/apic/apic.c:1056
>  </IRQ>
>  <TASK>
>  asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
> RIP: 0010:get_current arch/x86/include/asm/current.h:25 [inline]
> RIP: 0010:__sanitizer_cov_trace_pc+0x8/0x80 kernel/kcov.c:216
> Code: 00 e9 6c ff ff ff 4d 01 d7 4d 89 39 e9 ef fd ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 48 8b 0c 24 <65> 48 8b 15 18 bf d0 05 65 8b 05 29 bf d0 05 a9 00 01 ff 00 74 1d
> RSP: 0018:ffff8881031477f0 EFLAGS: 00000216
> RAX: ffff888100c74680 RBX: 0000000000001000 RCX: ffffffffaad67b73
> RDX: ffff88810150d640 RSI: 0000000000000000 RDI: 0000000000000001
> RBP: 0000000000000000 R08: 0000000000000000 R09: fffff94000040026
> R10: 0000000000000000 R11: ffffea00042a5400 R12: ffffea0000200100
> R13: 00007f8f51ecf000 R14: dffffc0000000000 R15: ffffea0000200130
>  zap_pte_range mm/memory.c:1938 [inline]
>  zap_pmd_range mm/memory.c:2021 [inline]
>  zap_pud_range mm/memory.c:2049 [inline]
>  zap_p4d_range mm/memory.c:2070 [inline]
>  unmap_page_range+0xe53/0x3f40 mm/memory.c:2091
>  unmap_single_vma+0x153/0x240 mm/memory.c:2133
>  unmap_vmas+0x248/0x530 mm/memory.c:2171
>  exit_mmap+0x1ee/0x800 mm/mmap.c:1302
>  __mmput kernel/fork.c:1175 [inline]
>  mmput+0x6c/0x320 kernel/fork.c:1198
>  exit_mm kernel/exit.c:581 [inline]
>  do_exit+0x7c1/0x28e0 kernel/exit.c:964
>  __do_sys_exit kernel/exit.c:1085 [inline]
>  __se_sys_exit kernel/exit.c:1083 [inline]
>  __x64_sys_exit+0x42/0x50 kernel/exit.c:1083
>  x64_sys_call+0x154f/0x1760 arch/x86/include/generated/asm/syscalls_64.h:61
>  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>  do_syscall_64+0xfc/0x580 arch/x86/entry/syscall_64.c:94
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7f8f52c8777d
> Code: Unable to access opcode bytes at 0x7f8f52c87753.
> RSP: 002b:00007ffdf12940d8 EFLAGS: 00000246 ORIG_RAX: 000000000000003c
> RAX: ffffffffffffffda RBX: 000000000000000b RCX: 00007f8f52c8777d
> RDX: 00007f8f52cc859a RSI: 00007ffdf1294100 RDI: 000000000000000b
> RBP: 00007ffdf1294740 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000049 R11: 0000000000000246 R12: 0000000000000000
> R13: 0000000000000065 R14: 0000000000000000 R15: 0000000000000001
>  </TASK>
> Modules linked in:
> ---[ end trace 0000000000000000 ]---
> Oops: stack segment: 0000 [#3] SMP KASAN NOPTI
> RIP: 0010:pick_next_entity kernel/sched/fair.c:5547 [inline]
> RIP: 0010:pick_task_fair+0x89/0x1e0 kernel/sched/fair.c:8966
> CPU: 3 UID: 0 PID: 3120 Comm: syz-executor Tainted: G    B D W           7.0.0-rc6 #1 PREEMPT(lazy)
> Code: c0 0f 84 0c 01 00 00 4d 89 ee eb 6b 4c 89 f7 be 01 00 00 00 e8 c8 14 fe ff 48 8d 78 59 48 89 fa 48 89 f9 48 c1 ea 03 83 e1 07 <42> 0f b6 14 3a 38 ca 7f 08 84 d2 0f 85 ed 00 00 00 80 78 59 00 0f
> Tainted: [B]=BAD_PAGE, [D]=DIE, [W]=WARN
> RSP: 0018:ffff888110adf330 EFLAGS: 00010002
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> 
> RIP: 0010:find_stack lib/stackdepot.c:610 [inline]
> RIP: 0010:stack_depot_save_flags+0x164/0x7f0 lib/stackdepot.c:676
> RAX: 0000000000000000 RBX: ffff88811b035800 RCX: 0000000000000001
> Code: e1 04 48 03 0d 75 8f f0 04 65 ff 05 06 35 e4 04 48 8b 29 48 39 e9 75 12 e9 96 00 00 00 48 8b 6d 00 48 39 e9 0f 84 6c 01 00 00 <39> 5d 10 75 ee 44 3b 7d 14 75 e8 31 c0 48 8b 54 c5 20 49 39 54 c5
> RDX: 000000000000000b RSI: 0000000000000001 RDI: 0000000000000059
> RSP: 0000:ffff888114a279a8 EFLAGS: 00010096
> RBP: ffffed1023606b12 R08: 0000000000000001 R09: ffffed102215be92
> 
> RAX: 00000000b8c9dc9e RBX: 00000000b8c9dc9e RCX: ffff88811a3dc9e0
> R10: 0000000000000000 R11: 0000000000000000 R12: ffff88811b035890
> RDX: ffffffffaa4012a6 RSI: 0000000000000003 RDI: 0000000099bcd7db
> R13: ffff88811b035880 R14: ffff8881173a4000 R15: dffffc0000000000
> RBP: 075200d30000000c R08: ffffffffaf8a3284 R09: ffff888114a27900
> FS:  0000000000000000(0000) GS:ffff88816a84f000(0000) knlGS:0000000000000000
> R10: 00000000b2322418 R11: 000000002c30fd98 R12: 0000000000000001
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> R13: ffff888114a27a00 R14: 000000000000000c R15: 000000000000000c
> CR2: 00007ffffffff000 CR3: 0000000104120000 CR4: 0000000000350ef0
> FS:  000055555b109500(0000) GS:ffff88816a8cf000(0000) knlGS:0000000000000000
> ----------------
> Code disassembly (best guess):
>    0: c0 0f 84                rorb   $0x84,(%rdi)
>    3: 0c 01                   or     $0x1,%al
>    5: 00 00                   add    %al,(%rax)
>    7: 4d 89 ee                mov    %r13,%r14
>    a: eb 6b                   jmp    0x77
>    c: 4c 89 f7                mov    %r14,%rdi
>    f: be 01 00 00 00          mov    $0x1,%esi
>   14: e8 c8 14 fe ff          call   0xfffe14e1
>   19: 48 8d 78 59             lea    0x59(%rax),%rdi
>   1d: 48 89 fa                mov    %rdi,%rdx
>   20: 48 89 f9                mov    %rdi,%rcx
>   23: 48 c1 ea 03             shr    $0x3,%rdx
>   27: 83 e1 07                and    $0x7,%ecx
> * 2a: 42 0f b6 14 3a          movzbl (%rdx,%r15,1),%edx <-- trapping instruction
>   2f: 38 ca                   cmp    %cl,%dl
>   31: 7f 08                   jg     0x3b
>   33: 84 d2                   test   %dl,%dl
>   35: 0f 85 ed 00 00 00       jne    0x128
>   3b: 80 78 59 00             cmpb   $0x0,0x59(%rax)
>   3f: 0f                      .byte 0xf
> 
> 
> Oops: general protection fault, probably for non-canonical address 0xdffffc000000000b: 0000 [#1] SMP KASAN NOPTI
> KASAN: null-ptr-deref in range [0x0000000000000058-0x000000000000005f]
> CPU: 0 UID: 0 PID: 5123 Comm: syz-executor Not tainted 7.0.0-rc6 #1 PREEMPT(lazy)
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> RIP: 0010:pick_task_fair+0x89/0x1e0
> Code: c0 0f 84 0c 01 00 00 4d 89 ee eb 6b 4c 89 f7 be 01 00 00 00 e8 c8 14 fe ff 48 8d 78 59 48 89 fa 48 89 f9 48 c1 ea 03 83 e1 07 <42> 0f b6 14 3a 38 ca 7f 08 84 d2 0f 85 ed 00 00 00 80 78 59 00 0f
> RSP: 0018:ffff888110adf330 EFLAGS: 00010002
> RAX: 0000000000000000 RBX: ffff88811b035800 RCX: 0000000000000001
> ------------[ cut here ]------------
> WARNING: mm/swapfile.c:1909 at swap_put_entries_direct+0x1be/0x2c0, CPU#2: syz-executor/3650
> Modules linked in:
> CPU: 2 UID: 0 PID: 3650 Comm: syz-executor Not tainted 7.0.0-rc6 #1 PREEMPT(lazy)
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> RIP: 0010:swap_put_entries_direct+0x1be/0x2c0
> Code: 48 8b 44 24 58 65 48 2b 05 c7 e0 9c 05 0f 85 db 00 00 00 48 83 c4 60 5b 5d 41 5c 41 5d 41 5e e9 68 9c ef 02 e8 93 21 cc ff 90 <0f> 0b 90 eb b9 e8 88 21 cc ff 49 8d 6c 24 08 48 b8 00 00 00 00 00
> RSP: 0018:ffff88810bd0f768 EFLAGS: 00010293
> RAX: 0000000000000000 RBX: 000162affc3fffff RCX: ffffffffaae42f5d
> RDX: ffff888113315640 RSI: 0000000000000000 RDI: 0000000000000001
> RBP: 000162affc400000 R08: 0000000000000001 R09: ffffed10217a1e92
> R10: 0000000000000000 R11: 706177735f746567 R12: 0000000000000000
> R13: 1ffff110217a1eed R14: dffffc0000000000 R15: ffff888117002000
> FS:  0000000000000000(0000) GS:ffff88816a88f000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007ffffffff000 CR3: 00000001014b7000 CR4: 0000000000350ef0
> Call Trace:
>  <TASK>
>  unmap_page_range+0x1645/0x3f40
>  unmap_single_vma+0x153/0x240
>  unmap_vmas+0x248/0x530
>  exit_mmap+0x1ee/0x800
>  mmput+0x6c/0x320
>  do_exit+0x7c1/0x28e0
> Read of size 8 at addr 0000000100000190 by task syz.2.164/6127
> 
> CPU: 5 UID: 0 PID: 6127 Comm: syz.2.164 Not tainted 7.0.0-rc6 #1 PREEMPT(lazy)
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> Call Trace:
>  <TASK>
>  dump_stack_lvl+0xab/0xe0
>  kasan_report+0xce/0x100
>  kasan_check_range+0x100/0x1b0
>  free_pgtables+0x53e/0xcd0
>  exit_mmap+0x362/0x800
>  mmput+0x6c/0x320
>  do_exit+0x7c1/0x28e0
>  do_group_exit+0xc7/0x280
>  get_signal+0x20d2/0x2150
>  arch_do_signal_or_restart+0x8f/0x7a0
>  exit_to_user_mode_loop+0x6b/0x4c0
>  do_syscall_64+0x46d/0x580
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7f38134f777d
> Code: Unable to access opcode bytes at 0x7f38134f7753.
> RSP: 002b:00007f3811f36fa8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
> RAX: fffffffffffffe00 RBX: 00007f3813785fa0 RCX: 00007f38134f777d
> RDX: 000000000000004e RSI: 00002000000000c0 RDI: 000000000000000c
> RBP: 00007f3813594d74 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 00007f3813786038 R14: 00007f3813785fa0 R15: 00007f3811f17000
>  </TASK>
> ==================================================================
> RDX: 000000000000000b RSI: 0000000000000001 RDI: 0000000000000059
> RBP: ffffed1023606b12 R08: 0000000000000001 R09: ffffed102215be92
> R10: 0000000000000000 R11: 0000000000000000 R12: ffff88811b035890
> R13: ffff88811b035880 R14: ffff8881173a4000 R15: dffffc0000000000
> FS:  0000000000000000(0000) GS:ffff88816a80f000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007ffd98c09c10 CR3: 00000000ace72000 CR4: 0000000000350ef0
> Call Trace:
>  <TASK>
>  pick_next_task_fair+0x98/0x1c60
>  __x64_sys_exit+0x42/0x50
>  x64_sys_call+0x154f/0x1760
>  do_syscall_64+0xfc/0x580
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7fd94161777d
> Code: Unable to access opcode bytes at 0x7fd941617753.
>  __schedule+0x7ce/0x3ee0
> RSP: 002b:00007fff7d837098 EFLAGS: 00000246
>  ORIG_RAX: 000000000000003c
> RAX: ffffffffffffffda RBX: 000000000000000b RCX: 00007fd94161777d
> RDX: 00007fd94165859a RSI: 00007fff7d8370c0 RDI: 000000000000000b
>  preempt_schedule_irq+0x49/0x80
> RBP: 0000000000000000 R08: 00007fd9423e5000 R09: 0000000000007228
>  irqentry_exit+0xc1/0x660
> R10: 0000000000000053 R11: 0000000000000246 R12: 0000000000000000
>  asm_sysvec_apic_timer_interrupt+0x1a/0x20
> R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> RIP: 0010:__rcu_read_unlock+0x88/0xf0
>  </TASK>
> Code: fc ff df 48 89 fa 48 c1 ea 03 83 eb 01 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 62 41 89 9c 24 3c 04 00 00 <85> db 75 37 48 8d bd 40 04 00 00 48 b8 00 00 00 00 00 fc ff df 48
> ---[ end trace 0000000000000000 ]---
> RSP: 0018:ffff888110adf6e0 EFLAGS: 00000246
> RAX: 0000000000000007 RBX: 0000000000000000 RCX: ffff888110ae0001
> RDX: 0000000000000000 RSI: ffff888110adfdb0 RDI: ffff888100ec26bc
> RBP: ffff888100ec2280 R08: 0000000000000001 R09: ffff888110adf7b0
> R10: ffff888110adf770 R11: 0000000000009963 R12: ffff888100ec2280
> R13: ffff888110adf770 R14: ffff888110adfde0 R15: ffff888110adfdd8
>  unwind_next_frame+0x39d/0x2400
>  arch_stack_walk+0x94/0x100
>  stack_trace_save+0x8e/0xc0
>  kasan_save_stack+0x33/0x60
>  kasan_save_track+0x17/0x60
>  __kasan_kmalloc+0x8f/0xa0
>  kmem_cache_free+0x245/0x3d0
>  tear_down_vmas+0x182/0x3a0
>  exit_mmap+0x37f/0x800
>  mmput+0x6c/0x320
>  do_exit+0x7c1/0x28e0
>  do_group_exit+0xc7/0x280
>  __x64_sys_exit_group+0x3e/0x50
>  x64_sys_call+0x16cd/0x1760
>  do_syscall_64+0xfc/0x580
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7fb99736777d
> Code: Unable to access opcode bytes at 0x7fb997367753.
> RSP: 002b:00007ffd98c095f8 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7
> RAX: ffffffffffffffda RBX: 000000000000000b RCX: 00007fb99736777d
> RDX: 00007fb9973a859a RSI: 0000000000000000 RDI: 000000000000000b
> RBP: 00007ffd98c09bfc R08: 0000000000000000 R09: 000000000000000b
> R10: 000000000000000e R11: 0000000000000206 R12: 0000000000000000
> R13: 0000000000007221 R14: 0000000000000000 R15: 00000000000071f9
>  </TASK>
> Modules linked in:
> ---[ end trace 0000000000000000 ]---
> Oops: general protection fault, probably for non-canonical address 0xe1d646401ffff12b: 0000 [#2] SMP KASAN NOPTI
> RIP: 0010:pick_task_fair+0x89/0x1e0
> KASAN: maybe wild-memory-access in range [0x0eb25200ffff8958-0x0eb25200ffff895f]
> Code: c0 0f 84 0c 01 00 00 4d 89 ee eb 6b 4c 89 f7 be 01 00 00 00 e8 c8 14 fe ff 48 8d 78 59 48 89 fa 48 89 f9 48 c1 ea 03 83 e1 07 <42> 0f b6 14 3a 38 ca 7f 08 84 d2 0f 85 ed 00 00 00 80 78 59 00 0f
> CPU: 1 UID: 0 PID: 3489 Comm: syz-executor Tainted: G    B D W           7.0.0-rc6 #1 PREEMPT(lazy)
> RSP: 0018:ffff888110adf330 EFLAGS: 00010002
> Tainted: [B]=BAD_PAGE, [D]=DIE, [W]=WARN
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> RAX: 0000000000000000 RBX: ffff88811b035800 RCX: 0000000000000001
> RIP: 0010:cpuacct_account_field+0x8c/0x110
> RDX: 000000000000000b RSI: 0000000000000001 RDI: 0000000000000059
> Code: fb 00 bb cf ae 74 5b 48 bd 00 00 00 00 00 fc ff df 48 63 f6 4c 8d 24 f5 00 00 00 00 48 8d bb d8 00 00 00 48 89 f8 48 c1 e8 03 <80> 3c 28 00 75 41 48 8b 83 d8 00 00 00 48 8d bb b8 00 00 00 4c 01
> RBP: ffffed1023606b12 R08: 0000000000000001 R09: ffffed102215be92
> RSP: 0018:ffff88811b048c88 EFLAGS: 00010016
> R10: 0000000000000000 R11: 0000000000000000 R12: ffff88811b035890
> 
> R13: ffff88811b035880 R14: ffff8881173a4000 R15: dffffc0000000000
> RAX: 01d64a401ffff12b RBX: 0eb25200ffff8881 RCX: 0000000000010000
> FS:  0000000000000000(0000) GS:ffff88816a80f000(0000) knlGS:0000000000000000
> RDX: 1ffff11022e6cb02 RSI: 0000000000000002 RDI: 0eb25200ffff8959
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> RBP: dffffc0000000000 R08: 0000000000000000 R09: ffffed102360919a
> CR2: 00007ffd98c09c10 CR3: 00000000ace72000 CR4: 0000000000350ef0
> R10: 0000000000015a2a R11: ffff88811b048ff8 R12: 0000000000000010
> note: syz-executor[5123] exited with irqs disabled
> R13: 00000000000f4240 R14: ffff888104356500 R15: 0000000000000000
> FS:  0000000000000000(0000) GS:ffff88816a84f000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007ffffffff000 CR3: 0000000104120000 CR4: 0000000000350ef0
> Call Trace:
>  <IRQ>
>  account_system_index_time+0x113/0x1f0
>  update_process_times+0x82/0x1f0
>  tick_nohz_handler+0x5a1/0x710
>  __hrtimer_run_queues+0x411/0x8a0
>  hrtimer_interrupt+0x2f4/0x7c0
>  __sysvec_apic_timer_interrupt+0x88/0x2d0
>  sysvec_apic_timer_interrupt+0x67/0x80
>  </IRQ>
>  <TASK>
>  asm_sysvec_apic_timer_interrupt+0x1a/0x20
> RIP: 0010:__sanitizer_cov_trace_pc+0x8/0x80
> Code: 00 e9 6c ff ff ff 4d 01 d7 4d 89 39 e9 ef fd ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 48 8b 0c 24 <65> 48 8b 15 18 bf d0 05 65 8b 05 29 bf d0 05 a9 00 01 ff 00 74 1d
> RSP: 0018:ffff8881031477f0 EFLAGS: 00000216
> RAX: ffff888100c74680 RBX: 0000000000001000 RCX: ffffffffaad67b73
> RDX: ffff88810150d640 RSI: 0000000000000000 RDI: 0000000000000001
> RBP: 0000000000000000 R08: 0000000000000000 R09: fffff94000040026
> R10: 0000000000000000 R11: ffffea00042a5400 R12: ffffea0000200100
> R13: 00007f8f51ecf000 R14: dffffc0000000000 R15: ffffea0000200130
>  unmap_page_range+0xe53/0x3f40
>  unmap_single_vma+0x153/0x240
>  unmap_vmas+0x248/0x530
>  exit_mmap+0x1ee/0x800
>  mmput+0x6c/0x320
>  do_exit+0x7c1/0x28e0
>  __x64_sys_exit+0x42/0x50
>  x64_sys_call+0x154f/0x1760
>  do_syscall_64+0xfc/0x580
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7f8f52c8777d
> Code: Unable to access opcode bytes at 0x7f8f52c87753.
> RSP: 002b:00007ffdf12940d8 EFLAGS: 00000246 ORIG_RAX: 000000000000003c
> RAX: ffffffffffffffda RBX: 000000000000000b RCX: 00007f8f52c8777d
> RDX: 00007f8f52cc859a RSI: 00007ffdf1294100 RDI: 000000000000000b
> RBP: 00007ffdf1294740 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000049 R11: 0000000000000246 R12: 0000000000000000
> R13: 0000000000000065 R14: 0000000000000000 R15: 0000000000000001
>  </TASK>
> Modules linked in:
> ---[ end trace 0000000000000000 ]---
> Oops: stack segment: 0000 [#3] SMP KASAN NOPTI
> RIP: 0010:pick_task_fair+0x89/0x1e0
> CPU: 3 UID: 0 PID: 3120 Comm: syz-executor Tainted: G    B D W           7.0.0-rc6 #1 PREEMPT(lazy)
> Code: c0 0f 84 0c 01 00 00 4d 89 ee eb 6b 4c 89 f7 be 01 00 00 00 e8 c8 14 fe ff 48 8d 78 59 48 89 fa 48 89 f9 48 c1 ea 03 83 e1 07 <42> 0f b6 14 3a 38 ca 7f 08 84 d2 0f 85 ed 00 00 00 80 78 59 00 0f
> Tainted: [B]=BAD_PAGE, [D]=DIE, [W]=WARN
> RSP: 0018:ffff888110adf330 EFLAGS: 00010002
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> 
> RIP: 0010:stack_depot_save_flags+0x164/0x7f0
> RAX: 0000000000000000 RBX: ffff88811b035800 RCX: 0000000000000001
> Code: e1 04 48 03 0d 75 8f f0 04 65 ff 05 06 35 e4 04 48 8b 29 48 39 e9 75 12 e9 96 00 00 00 48 8b 6d 00 48 39 e9 0f 84 6c 01 00 00 <39> 5d 10 75 ee 44 3b 7d 14 75 e8 31 c0 48 8b 54 c5 20 49 39 54 c5
> RDX: 000000000000000b RSI: 0000000000000001 RDI: 0000000000000059
> RSP: 0000:ffff888114a279a8 EFLAGS: 00010096
> RBP: ffffed1023606b12 R08: 0000000000000001 R09: ffffed102215be92
> 
> RAX: 00000000b8c9dc9e RBX: 00000000b8c9dc9e RCX: ffff88811a3dc9e0
> R10: 0000000000000000 R11: 0000000000000000 R12: ffff88811b035890
> RDX: ffffffffaa4012a6 RSI: 0000000000000003 RDI: 0000000099bcd7db
> R13: ffff88811b035880 R14: ffff8881173a4000 R15: dffffc0000000000
> RBP: 075200d30000000c R08: ffffffffaf8a3284 R09: ffff888114a27900
> FS:  0000000000000000(0000) GS:ffff88816a84f000(0000) knlGS:0000000000000000
> R10: 00000000b2322418 R11: 000000002c30fd98 R12: 0000000000000001
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> R13: ffff888114a27a00 R14: 000000000000000c R15: 000000000000000c
> CR2: 00007ffffffff000 CR3: 0000000104120000 CR4: 0000000000350ef0
> FS:  000055555b109500(0000) GS:ffff88816a8cf000(0000) knlGS:0000000000000000
>  </TASK>
> Modules linked in:
> ---[ end trace 0000000000000000 ]---
> Oops: stack segment: 0000 [#3] SMP KASAN NOPTI
> RIP: 0010:pick_task_fair+0x89/0x1e0
> CPU: 3 UID: 0 PID: 3120 Comm: syz-executor Tainted: G    B D W           7.0.0-rc6 #1 PREEMPT(lazy)
> Code: c0 0f 84 0c 01 00 00 4d 89 ee eb 6b 4c 89 f7 be 01 00 00 00 e8 c8 14 fe ff 48 8d 78 59 48 89 fa 48 89 f9 48 c1 ea 03 83 e1 07 <42> 0f b6 14 3a 38 ca 7f 08 84 d2 0f 85 ed 00 00 00 80 78 59 00 0f
> Tainted: [B]=BAD_PAGE, [D]=DIE, [W]=WARN
> RSP: 0018:ffff888110adf330 EFLAGS: 00010002
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> 
> RIP: 0010:stack_depot_save_flags+0x164/0x7f0
> RAX: 0000000000000000 RBX: ffff88811b035800 RCX: 0000000000000001
> Code: e1 04 48 03 0d 75 8f f0 04 65 ff 05 06 35 e4 04 48 8b 29 48 39 e9 75 12 e9 96 00 00 00 48 8b 6d 00 48 39 e9 0f 84 6c 01 00 00 <39> 5d 10 75 ee 44 3b 7d 14 75 e8 31 c0 48 8b 54 c5 20 49 39 54 c5
> RDX: 000000000000000b RSI: 0000000000000001 RDI: 0000000000000059
> RSP: 0000:ffff888114a279a8 EFLAGS: 00010096
> RBP: ffffed1023606b12 R08: 0000000000000001 R09: ffffed102215be92
> 
> RAX: 00000000b8c9dc9e RBX: 00000000b8c9dc9e RCX: ffff88811a3dc9e0
> R10: 0000000000000000 R11: 0000000000000000 R12: ffff88811b035890
> RDX: ffffffffaa4012a6 RSI: 0000000000000003 RDI: 0000000099bcd7db
> R13: ffff88811b035880 R14: ffff8881173a4000 R15: dffffc0000000000
> RBP: 075200d30000000c R08: ffffffffaf8a3284 R09: ffff888114a27900
> FS:  0000000000000000(0000) GS:ffff88816a84f000(0000) knlGS:0000000000000000
> R10: 00000000b2322418 R11: 000000002c30fd98 R12: 0000000000000001
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> R13: ffff888114a27a00 R14: 000000000000000c R15: 000000000000000c
> CR2: 00007ffffffff000 CR3: 0000000104120000 CR4: 0000000000350ef0
> FS:  000055555b109500(0000) GS:ffff88816a8cf000(0000) knlGS:0000000000000000
> 
> 
> Thanks,
> Forrest021
> 


-- 
Cheers,

David



* Re: [BUG] KASAN: user-memory-access in free_pgtables
  2026-04-27  8:09 ` David Hildenbrand (Arm)
@ 2026-04-29  8:45   ` Kairui Song
  0 siblings, 0 replies; 3+ messages in thread
From: Kairui Song @ 2026-04-29  8:45 UTC (permalink / raw)
  To: Huang Forrest, David Hildenbrand (Arm)
  Cc: akpm@linux-foundation.org, linux-mm@kvack.org,
	linux-kernel@vger.kernel.org, Chris Li, Kemeng Shi, Nhat Pham,
	Barry Song, Youngjun Park

On Mon, Apr 27, 2026 at 4:09 PM David Hildenbrand (Arm)
<david@kernel.org> wrote:
>
> On 4/25/26 11:50, Huang Forrest wrote:
> > Hello,
>
> CCing swap folks. Did any of the bigger swap reworks go into v7.0 that could
> cause this?

Thanks for the Cc.

>
> It could also just be a corrupted PTE I guess.
>

I think it is more likely a corrupted PTE issue indeed. A corrupted PTE
often causes a WARN from the swap side on process exit / unmap zap; the
swap file entry reported here looks like random garbage, not an entry
allocated from swap.

The swap free helper will just return and do nothing after that WARN;
the following panic is likely caused by other corrupted memory or a bug.
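To see why the reported entry reads as garbage rather than an allocated swap slot, here is an added user-space decoder (not code from the thread or the kernel) that splits a 64-bit swp_entry_t into swap type and page offset the way include/linux/swapops.h does on a 64-bit kernel, then applies the same two sanity checks get_swap_device() makes. It assumes the long-standing layout (type in bits 58..62, offset below) and a constructed swap device table with one hypothetical 8 GiB device at type 0.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Arch-independent swp_entry_t layout on a 64-bit kernel (assumed from
 * include/linux/swapops.h): BITS_PER_XA_VALUE = 63, MAX_SWAPFILES_SHIFT = 5,
 * so the swap type sits in bits 58..62 and the page offset in bits 0..57. */
#define MAX_SWAPFILES_SHIFT 5
#define BITS_PER_XA_VALUE   63
#define SWP_TYPE_SHIFT      (BITS_PER_XA_VALUE - MAX_SWAPFILES_SHIFT)
#define SWP_OFFSET_MASK     ((1UL << SWP_TYPE_SHIFT) - 1)

struct swp_decoded { unsigned type; unsigned long offset; };

static struct swp_decoded swp_decode(unsigned long val)
{
    struct swp_decoded d = { .type = (unsigned)(val >> SWP_TYPE_SHIFT),
                             .offset = val & SWP_OFFSET_MASK };
    return d;
}

/* Constructed model of the swap device table (hypothetical sizes, not taken
 * from the report): a single active device at type 0 holding 'max' pages. */
struct swap_dev_model { bool active; unsigned long max; };
static const struct swap_dev_model swap_model[1 << MAX_SWAPFILES_SHIFT] = {
    [0] = { .active = true, .max = 2UL * 1024 * 1024 }, /* 8 GiB of 4 KiB pages */
};

/* Mirrors the checks get_swap_device() performs: the type must name an
 * active swap device and the offset must lie inside it. Returns 0 when the
 * entry is sane, -1 for "Bad swap file entry" (no such device), -2 when the
 * offset runs past the end of the device. */
static int swp_entry_sane(unsigned long val)
{
    struct swp_decoded d = swp_decode(val);
    if (d.type >= (1u << MAX_SWAPFILES_SHIFT) || !swap_model[d.type].active)
        return -1;
    if (d.offset >= swap_model[d.type].max)
        return -2;
    return 0;
}

int main(void)
{
    unsigned long bad = 0x80162affc3fffffUL;   /* value printed in the report */
    struct swp_decoded d = swp_decode(bad);
    /* offset / 2^28 converts 4 KiB pages to TiB */
    printf("type=%u offset=0x%lx (~%.0f TiB of swap) -> check=%d\n",
           d.type, d.offset, d.offset / 268435456.0, swp_entry_sane(bad));
    return 0;
}
```

Decoded, the reported value names swap type 2 with an offset of roughly 1.4 million TiB, which is why the type/offset checks reject it before any slot accounting runs.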

