mm: use after free and panic in free_pages_and_swap_cache

From: Sasha Levin
Date: Mon Aug 10 2015 - 09:38:11 EST


Hi all,

While fuzzing with trinity inside a KVM tools guest running -next I've stumbled on the following:

[486475.535183] ==================================================================
[486475.536099] BUG: KASan: use after free in tlb_flush_mmu_free+0xfe/0x120 at addr ffff8803c3a62008
[486475.537936] Read of size 4 by task trinity-c218/7429
[486475.538464] page:ffffea000f0e9880 count:1 mapcount:0 mapping: (null) index:0x0
[486475.539252] flags: 0x22fffff80000000()
[486475.539735] page dumped because: kasan: bad access detected
[486475.540313] CPU: 5 PID: 7429 Comm: trinity-c218 Not tainted 4.2.0-rc5-next-20150806-sasha-00040-g1b47b00-dirty #2418
[486475.541464] ffff880406b27910 ffff880406b277c0 ffffffffa1e89e54 ffff880406b27848
[486475.542260] ffff880406b27838 ffffffff9877299e ffffffff983b359d ffff880406b277f0
[486475.543146] 0000000000000282 ffff880406b27800 ffffffff983b359d 0000000000000001
[486475.543994] Call Trace:
[486475.544260] dump_stack (lib/dump_stack.c:52)
[486475.544841] kasan_report_error (mm/kasan/report.c:132 mm/kasan/report.c:193)
[486475.545445] ? get_parent_ip (kernel/sched/core.c:2796)
[486475.545983] ? get_parent_ip (kernel/sched/core.c:2796)
[486475.546520] __asan_report_load4_noabort (mm/kasan/report.c:250)
[486475.547163] ? tlb_flush_mmu_free (mm/memory.c:254)
[486475.547760] tlb_flush_mmu_free (mm/memory.c:254)
[486475.548335] tlb_finish_mmu (mm/memory.c:280)
[486475.548873] exit_mmap (mm/mmap.c:2865)
[486475.549386] ? SyS_remap_file_pages (mm/mmap.c:2827)
[486475.550007] ? __khugepaged_exit (./arch/x86/include/asm/atomic.h:118 include/linux/sched.h:2563 mm/huge_memory.c:2204)
[486475.550613] ? __khugepaged_exit (./arch/x86/include/asm/atomic.h:118 include/linux/sched.h:2563 mm/huge_memory.c:2204)
[486475.551215] mmput (include/linux/compiler.h:207 kernel/fork.c:737 kernel/fork.c:704)
[486475.551688] do_exit (./arch/x86/include/asm/bitops.h:311 include/linux/thread_info.h:91 kernel/exit.c:438 kernel/exit.c:733)
[486475.552194] ? mm_update_next_owner (kernel/exit.c:654)
[486475.552811] ? lockdep_init (kernel/locking/lockdep.c:3298)
[486475.553348] ? lock_release (kernel/locking/lockdep.c:3644)
[486475.553973] ? __raw_callee_save___pv_queued_spin_unlock (??:?)
[486475.555012] do_group_exit (./arch/x86/include/asm/current.h:14 kernel/exit.c:859)
[486475.555884] get_signal (kernel/signal.c:2353)
[486475.556693] do_signal (arch/x86/kernel/signal.c:711)
[486475.557521] ? do_readv_writev (include/linux/fsnotify.h:223 fs/read_write.c:821)
[486475.558443] ? v9fs_file_lock_dotl (fs/9p/vfs_file.c:407)
[486475.559266] ? vfs_write (fs/read_write.c:777)
[486475.559996] ? setup_sigcontext (arch/x86/kernel/signal.c:708)
[486475.560929] ? __raw_callee_save___pv_queued_spin_unlock (??:?)
[486475.561961] ? __this_cpu_preempt_check (lib/smp_processor_id.c:63)
[486475.562647] ? preempt_count_sub (kernel/sched/core.c:2852)
[486475.563385] ? _raw_spin_unlock_irq (./arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:171 kernel/locking/spinlock.c:199)
[486475.564207] ? do_setitimer (kernel/time/itimer.c:239)
[486475.564977] ? check_preemption_disabled (lib/smp_processor_id.c:18)
[486475.565909] ? __this_cpu_preempt_check (lib/smp_processor_id.c:63)
[486475.566886] prepare_exit_to_usermode (arch/x86/entry/common.c:282)
[486475.567791] syscall_return_slowpath (arch/x86/entry/common.c:349)
[486475.568763] int_ret_from_sys_call (arch/x86/entry/entry_64.S:282)
[486475.569557] Memory state around the buggy address:
[486475.570069] ffff8803c3a61f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486475.571142] ffff8803c3a61f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486475.572127] >ffff8803c3a62000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486475.573188] ^
[486475.573641] ffff8803c3a62080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486475.574584] ffff8803c3a62100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486475.575524] ==================================================================
[486475.577906] FAULT_INJECTION: forcing a failure.
[486475.577906] name failslab, interval 50, probability 30, space 0, times -1
[486475.593541] ==================================================================
[486475.595556] BUG: KASan: use after free in free_pages_and_swap_cache+0x17d/0x1a0 at addr ffff8803c3a62010
[486475.596984] Read of size 8 by task trinity-c218/7429
[486475.597908] page:ffffea000f0e9880 count:1 mapcount:0 mapping: (null) index:0x0
[486475.599883] flags: 0x22fffff80000000()
[486475.600674] page dumped because: kasan: bad access detected
[486475.601859] CPU: 5 PID: 7429 Comm: trinity-c218 Not tainted 4.2.0-rc5-next-20150806-sasha-00040-g1b47b00-dirty #2418
[486475.603504] dffffc0000000000 ffff880406b27778 ffffffffa1e89e54 ffff880406b27800
[486475.604831] ffff880406b277f0 ffffffff9877299e ffffffff9869c496 ffffed005803b45c
[486475.606150] 0000000000000282 ffffffff98696fe0 ffffffffa1f110e2 ffff8803df648000
[486475.607404] Call Trace:
[486475.607824] dump_stack (lib/dump_stack.c:52)
[486475.608689] kasan_report_error (mm/kasan/report.c:132 mm/kasan/report.c:193)
[486475.609709] ? pagevec_lru_move_fn (include/linux/pagevec.h:44 mm/swap.c:445)
[486475.610696] ? trace_event_raw_event_mm_lru_activate (mm/swap.c:1079)
[486475.611952] ? _raw_spin_unlock_irqrestore (kernel/locking/spinlock.c:192)
[486475.613072] __asan_report_load8_noabort (mm/kasan/report.c:251)
[486475.614177] ? free_pages_and_swap_cache (mm/swap_state.c:265)
[486475.615431] free_pages_and_swap_cache (mm/swap_state.c:265)
[486475.616748] tlb_flush_mmu_free (mm/memory.c:256 (discriminator 4))
[486475.617722] tlb_finish_mmu (mm/memory.c:280)
[486475.618691] exit_mmap (mm/mmap.c:2865)
[486475.619527] ? SyS_remap_file_pages (mm/mmap.c:2827)
[486475.620734] ? __khugepaged_exit (./arch/x86/include/asm/atomic.h:118 include/linux/sched.h:2563 mm/huge_memory.c:2204)
[486475.621666] ? __khugepaged_exit (./arch/x86/include/asm/atomic.h:118 include/linux/sched.h:2563 mm/huge_memory.c:2204)
[486475.622698] mmput (include/linux/compiler.h:207 kernel/fork.c:737 kernel/fork.c:704)
[486475.623453] do_exit (./arch/x86/include/asm/bitops.h:311 include/linux/thread_info.h:91 kernel/exit.c:438 kernel/exit.c:733)
[486475.624312] ? mm_update_next_owner (kernel/exit.c:654)
[486475.625379] ? lockdep_init (kernel/locking/lockdep.c:3298)
[486475.626305] ? lock_release (kernel/locking/lockdep.c:3644)
[486475.627285] ? __raw_callee_save___pv_queued_spin_unlock (??:?)
[486475.627835] FAULT_INJECTION: forcing a failure.
[486475.627835] name failslab, interval 50, probability 30, space 0, times -1
[486475.631698] do_group_exit (./arch/x86/include/asm/current.h:14 kernel/exit.c:859)
[486475.633017] get_signal (kernel/signal.c:2353)
[486475.633997] do_signal (arch/x86/kernel/signal.c:711)
[486475.635136] ? do_readv_writev (include/linux/fsnotify.h:223 fs/read_write.c:821)
[486475.636766] ? v9fs_file_lock_dotl (fs/9p/vfs_file.c:407)
[486475.637879] ? vfs_write (fs/read_write.c:777)
[486475.638895] ? setup_sigcontext (arch/x86/kernel/signal.c:708)
[486475.640246] ? __raw_callee_save___pv_queued_spin_unlock (??:?)
[486475.641623] ? __this_cpu_preempt_check (lib/smp_processor_id.c:63)
[486475.642807] ? preempt_count_sub (kernel/sched/core.c:2852)
[486475.644075] ? _raw_spin_unlock_irq (./arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:171 kernel/locking/spinlock.c:199)
[486475.645137] ? do_setitimer (kernel/time/itimer.c:239)
[486475.646019] ? check_preemption_disabled (lib/smp_processor_id.c:18)
[486475.647120] ? __this_cpu_preempt_check (lib/smp_processor_id.c:63)
[486475.648157] prepare_exit_to_usermode (arch/x86/entry/common.c:282)
[486475.649274] syscall_return_slowpath (arch/x86/entry/common.c:349)
[486475.650319] int_ret_from_sys_call (arch/x86/entry/entry_64.S:282)
[486475.651264] Memory state around the buggy address:
[486475.652239] ffff8803c3a61f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486475.653704] ffff8803c3a61f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486475.655116] >ffff8803c3a62000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486475.656311] ^
[486475.656924] ffff8803c3a62080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486475.658088] ffff8803c3a62100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486475.659196] ==================================================================
[486475.668686] ==================================================================
[486475.669882] BUG: KASan: use after free in free_pages_and_swap_cache+0x17d/0x1a0 at addr ffff8803c3a62018
[486475.671308] Read of size 8 by task trinity-c218/7429
[486475.672128] page:ffffea000f0e9880 count:1 mapcount:0 mapping: (null) index:0x0
[486475.673375] flags: 0x22fffff80000000()
[486475.673990] page dumped because: kasan: bad access detected
[486475.674886] CPU: 5 PID: 7429 Comm: trinity-c218 Not tainted 4.2.0-rc5-next-20150806-sasha-00040-g1b47b00-dirty #2418
[486475.677047] dffffc0000000000 ffff880406b27778 ffffffffa1e89e54 ffff880406b27800
[486475.679387] ffff880406b277f0 ffffffff9877299e 0000000000000010 ffffed0000000000
[486475.681127] 0000000000000282 ffffed007874c402 66666620a1f110e2 6133633330383866
[486475.682449] Call Trace:
[486475.682861] dump_stack (lib/dump_stack.c:52)
[486475.683705] kasan_report_error (mm/kasan/report.c:132 mm/kasan/report.c:193)
[486475.684777] __asan_report_load8_noabort (mm/kasan/report.c:251)
[486475.685891] ? free_pages_and_swap_cache (mm/swap_state.c:265)
[486475.687061] free_pages_and_swap_cache (mm/swap_state.c:265)
[486475.688187] tlb_flush_mmu_free (mm/memory.c:256 (discriminator 4))
[486475.689365] tlb_finish_mmu (mm/memory.c:280)
[486475.690840] exit_mmap (mm/mmap.c:2865)
[486475.692441] ? SyS_remap_file_pages (mm/mmap.c:2827)
[486475.694383] ? __khugepaged_exit (./arch/x86/include/asm/atomic.h:118 include/linux/sched.h:2563 mm/huge_memory.c:2204)
[486475.695780] ? __khugepaged_exit (./arch/x86/include/asm/atomic.h:118 include/linux/sched.h:2563 mm/huge_memory.c:2204)
[486475.697056] mmput (include/linux/compiler.h:207 kernel/fork.c:737 kernel/fork.c:704)
[486475.698196] do_exit (./arch/x86/include/asm/bitops.h:311 include/linux/thread_info.h:91 kernel/exit.c:438 kernel/exit.c:733)
[486475.699207] ? mm_update_next_owner (kernel/exit.c:654)
[486475.700338] ? lockdep_init (kernel/locking/lockdep.c:3298)
[486475.701425] ? lock_release (kernel/locking/lockdep.c:3644)
[486475.702443] ? __raw_callee_save___pv_queued_spin_unlock (??:?)
[486475.703981] do_group_exit (./arch/x86/include/asm/current.h:14 kernel/exit.c:859)
[486475.704927] get_signal (kernel/signal.c:2353)
[486475.705772] do_signal (arch/x86/kernel/signal.c:711)
[486475.706595] ? do_readv_writev (include/linux/fsnotify.h:223 fs/read_write.c:821)
[486475.707526] ? v9fs_file_lock_dotl (fs/9p/vfs_file.c:407)
[486475.708573] ? vfs_write (fs/read_write.c:777)
[486475.709447] ? setup_sigcontext (arch/x86/kernel/signal.c:708)
[486475.710396] ? __raw_callee_save___pv_queued_spin_unlock (??:?)
[486475.711624] ? __this_cpu_preempt_check (lib/smp_processor_id.c:63)
[486475.712758] ? preempt_count_sub (kernel/sched/core.c:2852)
[486475.713820] ? _raw_spin_unlock_irq (./arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:171 kernel/locking/spinlock.c:199)
[486475.714861] ? do_setitimer (kernel/time/itimer.c:239)
[486475.715756] ? check_preemption_disabled (lib/smp_processor_id.c:18)
[486475.716865] ? __this_cpu_preempt_check (lib/smp_processor_id.c:63)
[486475.717950] prepare_exit_to_usermode (arch/x86/entry/common.c:282)
[486475.719043] syscall_return_slowpath (arch/x86/entry/common.c:349)
[486475.720035] int_ret_from_sys_call (arch/x86/entry/entry_64.S:282)
[486475.721041] Memory state around the buggy address:
[486475.721834] ffff8803c3a61f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486475.722992] ffff8803c3a61f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486475.724134] >ffff8803c3a62000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486475.725355] ^
[486475.726013] ffff8803c3a62080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486475.727099] ffff8803c3a62100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486475.728210] ==================================================================
[486475.733496] ==================================================================
[486475.734654] BUG: KASan: use after free in free_pages_and_swap_cache+0x17d/0x1a0 at addr ffff8803c3a62020
[486475.736177] Read of size 8 by task trinity-c218/7429
[486475.737202] page:ffffea000f0e9880 count:1 mapcount:0 mapping: (null) index:0x0
[486475.738476] flags: 0x22fffff80000000()
[486475.739099] page dumped because: kasan: bad access detected
[486475.739962] CPU: 5 PID: 7429 Comm: trinity-c218 Not tainted 4.2.0-rc5-next-20150806-sasha-00040-g1b47b00-dirty #2418
[486475.741643] dffffc0000000000 ffff880406b27778 ffffffffa1e89e54 ffff880406b27800
[486475.742972] ffff880406b277f0 ffffffff9877299e 0000000000000010 ffffed0000000000
[486475.744189] 0000000000000282 ffffed007874c403 66666620a1f110e2 6133633330383866
[486475.745517] Call Trace:
[486475.746007] dump_stack (lib/dump_stack.c:52)
[486475.746983] kasan_report_error (mm/kasan/report.c:132 mm/kasan/report.c:193)
[486475.747993] __asan_report_load8_noabort (mm/kasan/report.c:251)
[486475.749025] ? free_pages_and_swap_cache (mm/swap_state.c:265)
[486475.750069] free_pages_and_swap_cache (mm/swap_state.c:265)
[486475.751095] tlb_flush_mmu_free (mm/memory.c:256 (discriminator 4))
[486475.752073] tlb_finish_mmu (mm/memory.c:280)
[486475.752912] exit_mmap (mm/mmap.c:2865)
[486475.753715] ? SyS_remap_file_pages (mm/mmap.c:2827)
[486475.754651] ? __khugepaged_exit (./arch/x86/include/asm/atomic.h:118 include/linux/sched.h:2563 mm/huge_memory.c:2204)
[486475.755597] ? __khugepaged_exit (./arch/x86/include/asm/atomic.h:118 include/linux/sched.h:2563 mm/huge_memory.c:2204)
[486475.756549] mmput (include/linux/compiler.h:207 kernel/fork.c:737 kernel/fork.c:704)
[486475.757341] do_exit (./arch/x86/include/asm/bitops.h:311 include/linux/thread_info.h:91 kernel/exit.c:438 kernel/exit.c:733)
[486475.758386] ? mm_update_next_owner (kernel/exit.c:654)
[486475.760300] ? lockdep_init (kernel/locking/lockdep.c:3298)
[486475.761970] ? lock_release (kernel/locking/lockdep.c:3644)
[486475.763699] ? __raw_callee_save___pv_queued_spin_unlock (??:?)
[486475.766164] do_group_exit (./arch/x86/include/asm/current.h:14 kernel/exit.c:859)
[486475.767847] get_signal (kernel/signal.c:2353)
[486475.769393] do_signal (arch/x86/kernel/signal.c:711)
[486475.770306] ? do_readv_writev (include/linux/fsnotify.h:223 fs/read_write.c:821)
[486475.771871] ? v9fs_file_lock_dotl (fs/9p/vfs_file.c:407)
[486475.773646] ? vfs_write (fs/read_write.c:777)
[486475.775339] ? setup_sigcontext (arch/x86/kernel/signal.c:708)
[486475.777103] ? __raw_callee_save___pv_queued_spin_unlock (??:?)
[486475.779505] ? __this_cpu_preempt_check (lib/smp_processor_id.c:63)
[486475.780654] ? preempt_count_sub (kernel/sched/core.c:2852)
[486475.781692] ? _raw_spin_unlock_irq (./arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:171 kernel/locking/spinlock.c:199)
[486475.783407] ? do_setitimer (kernel/time/itimer.c:239)
[486475.784644] ? check_preemption_disabled (lib/smp_processor_id.c:18)
[486475.785975] ? __this_cpu_preempt_check (lib/smp_processor_id.c:63)
[486475.786978] prepare_exit_to_usermode (arch/x86/entry/common.c:282)
[486475.787924] syscall_return_slowpath (arch/x86/entry/common.c:349)
[486475.791314] int_ret_from_sys_call (arch/x86/entry/entry_64.S:282)
[486475.792442] Memory state around the buggy address:
[486475.793276] ffff8803c3a61f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486475.794359] ffff8803c3a61f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486475.795569] >ffff8803c3a62000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486475.797329] ^
[486475.798181] ffff8803c3a62080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486475.799900] ffff8803c3a62100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486475.801651] ==================================================================
[486475.803572] ==================================================================
[486475.804801] BUG: KASan: use after free in free_pages_and_swap_cache+0x17d/0x1a0 at addr ffff8803c3a62028
[486475.806866] Read of size 8 by task trinity-c218/7429
[486475.808305] page:ffffea000f0e9880 count:1 mapcount:0 mapping: (null) index:0x0
[486475.810323] flags: 0x22fffff80000000()
[486475.811276] page dumped because: kasan: bad access detected
[486475.812678] CPU: 5 PID: 7429 Comm: trinity-c218 Not tainted 4.2.0-rc5-next-20150806-sasha-00040-g1b47b00-dirty #2418
[486475.814973] dffffc0000000000 ffff880406b27778 ffffffffa1e89e54 ffff880406b27800
[486475.816527] ffff880406b277f0 ffffffff9877299e 0000000000000010 ffffed0000000000
[486475.818088] 0000000000000282 ffffed007874c404 66666620a1f110e2 6133633330383866
[486475.819606] Call Trace:
[486475.820044] dump_stack (lib/dump_stack.c:52)
[486475.820866] kasan_report_error (mm/kasan/report.c:132 mm/kasan/report.c:193)
[486475.821880] __asan_report_load8_noabort (mm/kasan/report.c:251)
[486475.822434] audit: type=1326 audit(7.030:417): auid=4294967295 uid=3067829327 gid=2901925822 ses=4294967295 pid=11247 comm="trinity-c84" exe="/trinity/trinity" sig=9 arch=c000003e syscall=231 compat=0 ip=0x7fbd70916818 code=0x0
[486475.826094] ? free_pages_and_swap_cache (mm/swap_state.c:265)
[486475.826948] free_pages_and_swap_cache (mm/swap_state.c:265)
[486475.827780] tlb_flush_mmu_free (mm/memory.c:256 (discriminator 4))
[486475.828526] tlb_finish_mmu (mm/memory.c:280)
[486475.829215] exit_mmap (mm/mmap.c:2865)
[486475.829875] ? SyS_remap_file_pages (mm/mmap.c:2827)
[486475.830672] ? __khugepaged_exit (./arch/x86/include/asm/atomic.h:118 include/linux/sched.h:2563 mm/huge_memory.c:2204)
[486475.831439] ? __khugepaged_exit (./arch/x86/include/asm/atomic.h:118 include/linux/sched.h:2563 mm/huge_memory.c:2204)
[486475.832209] mmput (include/linux/compiler.h:207 kernel/fork.c:737 kernel/fork.c:704)
[486475.832822] do_exit (./arch/x86/include/asm/bitops.h:311 include/linux/thread_info.h:91 kernel/exit.c:438 kernel/exit.c:733)
[486475.833525] ? mm_update_next_owner (kernel/exit.c:654)
[486475.834364] ? lockdep_init (kernel/locking/lockdep.c:3298)
[486475.835497] ? lock_release (kernel/locking/lockdep.c:3644)
[486475.836363] ? __raw_callee_save___pv_queued_spin_unlock (??:?)
[486475.837666] do_group_exit (./arch/x86/include/asm/current.h:14 kernel/exit.c:859)
[486475.838518] get_signal (kernel/signal.c:2353)
[486475.839527] do_signal (arch/x86/kernel/signal.c:711)
[486475.839970] FAULT_INJECTION: forcing a failure.
[486475.839970] name failslab, interval 50, probability 30, space 0, times -1
[486475.842025] ? do_readv_writev (include/linux/fsnotify.h:223 fs/read_write.c:821)
[486475.842882] ? v9fs_file_lock_dotl (fs/9p/vfs_file.c:407)
[486475.844128] ? vfs_write (fs/read_write.c:777)
[486475.845446] ? setup_sigcontext (arch/x86/kernel/signal.c:708)
[486475.846838] ? __raw_callee_save___pv_queued_spin_unlock (??:?)
[486475.848693] ? __this_cpu_preempt_check (lib/smp_processor_id.c:63)
[486475.850230] ? preempt_count_sub (kernel/sched/core.c:2852)
[486475.851665] ? _raw_spin_unlock_irq (./arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:171 kernel/locking/spinlock.c:199)
[486475.853097] ? do_setitimer (kernel/time/itimer.c:239)
[486475.854420] ? check_preemption_disabled (lib/smp_processor_id.c:18)
[486475.855637] ? __this_cpu_preempt_check (lib/smp_processor_id.c:63)
[486475.856720] prepare_exit_to_usermode (arch/x86/entry/common.c:282)
[486475.857863] syscall_return_slowpath (arch/x86/entry/common.c:349)
[486475.858953] int_ret_from_sys_call (arch/x86/entry/entry_64.S:282)
[486475.859945] Memory state around the buggy address:
[486475.860863] ffff8803c3a61f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486475.862096] ffff8803c3a61f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486475.863217] >ffff8803c3a62000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486475.864440] ^
[486475.865861] ffff8803c3a62080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486475.867322] ffff8803c3a62100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486475.868396] ==================================================================
[486475.888839] ==================================================================
[486475.889830] BUG: KASan: use after free in free_pages_and_swap_cache+0x17d/0x1a0 at addr ffff8803c3a62030
[486475.891008] Read of size 8 by task trinity-c218/7429
[486475.891674] page:ffffea000f0e9880 count:1 mapcount:0 mapping: (null) index:0x0
[486475.892688] flags: 0x22fffff80000000()
[486475.893198] page dumped because: kasan: bad access detected
[486475.893921] CPU: 5 PID: 7429 Comm: trinity-c218 Not tainted 4.2.0-rc5-next-20150806-sasha-00040-g1b47b00-dirty #2418
[486475.895402] dffffc0000000000 ffff880406b27778 ffffffffa1e89e54 ffff880406b27800
[486475.896764] ffff880406b277f0 ffffffff9877299e 0000000000000010 ffffed0000000000
[486475.898202] 0000000000000282 ffffed007874c405 66666620a1f110e2 6133633330383866
[486475.899592] Call Trace:
[486475.899995] dump_stack (lib/dump_stack.c:52)
[486475.900872] kasan_report_error (mm/kasan/report.c:132 mm/kasan/report.c:193)
[486475.901785] __asan_report_load8_noabort (mm/kasan/report.c:251)
[486475.902957] ? free_pages_and_swap_cache (mm/swap_state.c:265)
[486475.904447] free_pages_and_swap_cache (mm/swap_state.c:265)
[486475.905525] tlb_flush_mmu_free (mm/memory.c:256 (discriminator 4))
[486475.906393] tlb_finish_mmu (mm/memory.c:280)
[486475.907230] exit_mmap (mm/mmap.c:2865)
[486475.908024] ? SyS_remap_file_pages (mm/mmap.c:2827)
[486475.909159] ? __khugepaged_exit (./arch/x86/include/asm/atomic.h:118 include/linux/sched.h:2563 mm/huge_memory.c:2204)
[486475.910303] ? __khugepaged_exit (./arch/x86/include/asm/atomic.h:118 include/linux/sched.h:2563 mm/huge_memory.c:2204)
[486475.911281] mmput (include/linux/compiler.h:207 kernel/fork.c:737 kernel/fork.c:704)
[486475.912089] do_exit (./arch/x86/include/asm/bitops.h:311 include/linux/thread_info.h:91 kernel/exit.c:438 kernel/exit.c:733)
[486475.912895] ? mm_update_next_owner (kernel/exit.c:654)
[486475.913848] ? lockdep_init (kernel/locking/lockdep.c:3298)
[486475.914782] ? lock_release (kernel/locking/lockdep.c:3644)
[486475.915784] ? __raw_callee_save___pv_queued_spin_unlock (??:?)
[486475.917287] do_group_exit (./arch/x86/include/asm/current.h:14 kernel/exit.c:859)
[486475.918263] get_signal (kernel/signal.c:2353)
[486475.919085] do_signal (arch/x86/kernel/signal.c:711)
[486475.920007] ? do_readv_writev (include/linux/fsnotify.h:223 fs/read_write.c:821)
[486475.920952] ? v9fs_file_lock_dotl (fs/9p/vfs_file.c:407)
[486475.921840] ? vfs_write (fs/read_write.c:777)
[486475.922567] ? setup_sigcontext (arch/x86/kernel/signal.c:708)
[486475.923469] ? __raw_callee_save___pv_queued_spin_unlock (??:?)
[486475.924591] ? __this_cpu_preempt_check (lib/smp_processor_id.c:63)
[486475.925726] ? preempt_count_sub (kernel/sched/core.c:2852)
[486475.926693] ? _raw_spin_unlock_irq (./arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:171 kernel/locking/spinlock.c:199)
[486475.927802] ? do_setitimer (kernel/time/itimer.c:239)
[486475.928899] ? check_preemption_disabled (lib/smp_processor_id.c:18)
[486475.929963] ? __this_cpu_preempt_check (lib/smp_processor_id.c:63)
[486475.930968] prepare_exit_to_usermode (arch/x86/entry/common.c:282)
[486475.931985] syscall_return_slowpath (arch/x86/entry/common.c:349)
[486475.932932] int_ret_from_sys_call (arch/x86/entry/entry_64.S:282)
[486475.933931] Memory state around the buggy address:
[486475.934767] ffff8803c3a61f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486475.935851] ffff8803c3a61f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486475.936993] >ffff8803c3a62000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486475.938216] ^
[486475.938956] ffff8803c3a62080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486475.940053] ffff8803c3a62100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486475.941165] ==================================================================
[486475.997632] ==================================================================
[486475.998924] BUG: KASan: use after free in free_pages_and_swap_cache+0x17d/0x1a0 at addr ffff8803c3a62038
[486476.000443] Read of size 8 by task trinity-c218/7429
[486476.001768] page:ffffea000f0e9880 count:1 mapcount:0 mapping: (null) index:0x0
[486476.003032] flags: 0x22fffff80000000()
[486476.003865] page dumped because: kasan: bad access detected
[486476.004848] CPU: 5 PID: 7429 Comm: trinity-c218 Not tainted 4.2.0-rc5-next-20150806-sasha-00040-g1b47b00-dirty #2418
[486476.006915] dffffc0000000000 ffff880406b27778 ffffffffa1e89e54 ffff880406b27800
[486476.008185] ffff880406b277f0 ffffffff9877299e 0000000000000010 ffffed0000000000
[486476.009382] 0000000000000282 ffffed007874c406 66666620a1f110e2 6133633330383866
[486476.010634] Call Trace:
[486476.011041] dump_stack (lib/dump_stack.c:52)
[486476.011845] kasan_report_error (mm/kasan/report.c:132 mm/kasan/report.c:193)
[486476.012950] __asan_report_load8_noabort (mm/kasan/report.c:251)
[486476.014037] ? free_pages_and_swap_cache (mm/swap_state.c:265)
[486476.015505] free_pages_and_swap_cache (mm/swap_state.c:265)
[486476.016547] tlb_flush_mmu_free (mm/memory.c:256 (discriminator 4))
[486476.017599] tlb_finish_mmu (mm/memory.c:280)
[486476.018684] exit_mmap (mm/mmap.c:2865)
[486476.019559] ? SyS_remap_file_pages (mm/mmap.c:2827)
[486476.020689] ? __khugepaged_exit (./arch/x86/include/asm/atomic.h:118 include/linux/sched.h:2563 mm/huge_memory.c:2204)
[486476.021683] ? __khugepaged_exit (./arch/x86/include/asm/atomic.h:118 include/linux/sched.h:2563 mm/huge_memory.c:2204)
[486476.022504] mmput (include/linux/compiler.h:207 kernel/fork.c:737 kernel/fork.c:704)
[486476.023122] do_exit (./arch/x86/include/asm/bitops.h:311 include/linux/thread_info.h:91 kernel/exit.c:438 kernel/exit.c:733)
[486476.023832] ? mm_update_next_owner (kernel/exit.c:654)
[486476.024692] ? lockdep_init (kernel/locking/lockdep.c:3298)
[486476.025394] ? lock_release (kernel/locking/lockdep.c:3644)
[486476.026121] ? __raw_callee_save___pv_queued_spin_unlock (??:?)
[486476.027113] do_group_exit (./arch/x86/include/asm/current.h:14 kernel/exit.c:859)
[486476.027810] get_signal (kernel/signal.c:2353)
[486476.028499] do_signal (arch/x86/kernel/signal.c:711)
[486476.029163] ? do_readv_writev (include/linux/fsnotify.h:223 fs/read_write.c:821)
[486476.029909] ? v9fs_file_lock_dotl (fs/9p/vfs_file.c:407)
[486476.030698] ? vfs_write (fs/read_write.c:777)
[486476.031384] ? setup_sigcontext (arch/x86/kernel/signal.c:708)
[486476.032140] ? __raw_callee_save___pv_queued_spin_unlock (??:?)
[486476.033140] ? __this_cpu_preempt_check (lib/smp_processor_id.c:63)
[486476.034168] ? preempt_count_sub (kernel/sched/core.c:2852)
[486476.034968] ? _raw_spin_unlock_irq (./arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:171 kernel/locking/spinlock.c:199)
[486476.035948] ? do_setitimer (kernel/time/itimer.c:239)
[486476.036732] ? check_preemption_disabled (lib/smp_processor_id.c:18)
[486476.037625] ? __this_cpu_preempt_check (lib/smp_processor_id.c:63)
[486476.038501] prepare_exit_to_usermode (arch/x86/entry/common.c:282)
[486476.039347] syscall_return_slowpath (arch/x86/entry/common.c:349)
[486476.040226] int_ret_from_sys_call (arch/x86/entry/entry_64.S:282)
[486476.041030] Memory state around the buggy address:
[486476.041682] ffff8803c3a61f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.042612] ffff8803c3a61f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.043503] >ffff8803c3a62000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.044476] ^
[486476.045313] ffff8803c3a62080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.046515] ffff8803c3a62100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.047576] ==================================================================
[486476.104666] ==================================================================
[486476.105798] BUG: KASan: use after free in free_pages_and_swap_cache+0x17d/0x1a0 at addr ffff8803c3a62040
[486476.107316] Read of size 8 by task trinity-c218/7429
[486476.108230] page:ffffea000f0e9880 count:1 mapcount:0 mapping: (null) index:0x0
[486476.109479] flags: 0x22fffff80000000()
[486476.110165] page dumped because: kasan: bad access detected
[486476.110961] CPU: 5 PID: 7429 Comm: trinity-c218 Not tainted 4.2.0-rc5-next-20150806-sasha-00040-g1b47b00-dirty #2418
[486476.112354] dffffc0000000000 ffff880406b27778 ffffffffa1e89e54 ffff880406b27800
[486476.113519] ffff880406b277f0 ffffffff9877299e 0000000000000010 ffffed0000000000
[486476.114576] 0000000000000282 ffffed007874c407 66666620a1f110e2 6133633330383866
[486476.115959] Call Trace:
[486476.116423] dump_stack (lib/dump_stack.c:52)
[486476.117306] kasan_report_error (mm/kasan/report.c:132 mm/kasan/report.c:193)
[486476.118525] __asan_report_load8_noabort (mm/kasan/report.c:251)
[486476.119547] ? free_pages_and_swap_cache (mm/swap_state.c:265)
[486476.120635] free_pages_and_swap_cache (mm/swap_state.c:265)
[486476.121807] tlb_flush_mmu_free (mm/memory.c:256 (discriminator 4))
[486476.122759] tlb_finish_mmu (mm/memory.c:280)
[486476.123803] exit_mmap (mm/mmap.c:2865)
[486476.124622] ? SyS_remap_file_pages (mm/mmap.c:2827)
[486476.125444] ? __khugepaged_exit (./arch/x86/include/asm/atomic.h:118 include/linux/sched.h:2563 mm/huge_memory.c:2204)
[486476.126216] ? __khugepaged_exit (./arch/x86/include/asm/atomic.h:118 include/linux/sched.h:2563 mm/huge_memory.c:2204)
[486476.126988] mmput (include/linux/compiler.h:207 kernel/fork.c:737 kernel/fork.c:704)
[486476.127614] do_exit (./arch/x86/include/asm/bitops.h:311 include/linux/thread_info.h:91 kernel/exit.c:438 kernel/exit.c:733)
[486476.128334] ? mm_update_next_owner (kernel/exit.c:654)
[486476.129177] ? lockdep_init (kernel/locking/lockdep.c:3298)
[486476.129972] ? lock_release (kernel/locking/lockdep.c:3644)
[486476.130748] ? __raw_callee_save___pv_queued_spin_unlock (??:?)
[486476.131793] do_group_exit (./arch/x86/include/asm/current.h:14 kernel/exit.c:859)
[486476.132511] get_signal (kernel/signal.c:2353)
[486476.133202] do_signal (arch/x86/kernel/signal.c:711)
[486476.133899] ? do_readv_writev (include/linux/fsnotify.h:223 fs/read_write.c:821)
[486476.134906] ? v9fs_file_lock_dotl (fs/9p/vfs_file.c:407)
[486476.136216] ? vfs_write (fs/read_write.c:777)
[486476.137225] ? setup_sigcontext (arch/x86/kernel/signal.c:708)
[486476.138227] ? __raw_callee_save___pv_queued_spin_unlock (??:?)
[486476.139509] ? __this_cpu_preempt_check (lib/smp_processor_id.c:63)
[486476.140549] ? preempt_count_sub (kernel/sched/core.c:2852)
[486476.141684] ? _raw_spin_unlock_irq (./arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:171 kernel/locking/spinlock.c:199)
[486476.142674] ? do_setitimer (kernel/time/itimer.c:239)
[486476.143767] ? check_preemption_disabled (lib/smp_processor_id.c:18)
[486476.144835] ? __this_cpu_preempt_check (lib/smp_processor_id.c:63)
[486476.146086] prepare_exit_to_usermode (arch/x86/entry/common.c:282)
[486476.147129] syscall_return_slowpath (arch/x86/entry/common.c:349)
[486476.148132] int_ret_from_sys_call (arch/x86/entry/entry_64.S:282)
[486476.149031] Memory state around the buggy address:
[486476.149755] ffff8803c3a61f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.150806] ffff8803c3a61f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.151864] >ffff8803c3a62000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.152954] ^
[486476.153826] ffff8803c3a62080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.155014] ffff8803c3a62100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.156254] ==================================================================
[486476.215515] ==================================================================
[486476.217578] BUG: KASan: use after free in free_pages_and_swap_cache+0x17d/0x1a0 at addr ffff8803c3a62048
[486476.220360] Read of size 8 by task trinity-c218/7429
[486476.221560] page:ffffea000f0e9880 count:1 mapcount:0 mapping: (null) index:0x0
[486476.223076] flags: 0x22fffff80000000()
[486476.224067] page dumped because: kasan: bad access detected
[486476.225064] CPU: 5 PID: 7429 Comm: trinity-c218 Not tainted 4.2.0-rc5-next-20150806-sasha-00040-g1b47b00-dirty #2418
[486476.226393] dffffc0000000000 ffff880406b27778 ffffffffa1e89e54 ffff880406b27800
[486476.227400] ffff880406b277f0 ffffffff9877299e 0000000000000010 ffffed0000000000
[486476.228430] 0000000000000282 ffffed007874c408 66666620a1f110e2 6133633330383866
[486476.229433] Call Trace:
[486476.229839] dump_stack (lib/dump_stack.c:52)
[486476.230525] kasan_report_error (mm/kasan/report.c:132 mm/kasan/report.c:193)
[486476.231312] __asan_report_load8_noabort (mm/kasan/report.c:251)
[486476.232154] ? free_pages_and_swap_cache (mm/swap_state.c:265)
[486476.233019] free_pages_and_swap_cache (mm/swap_state.c:265)
[486476.234040] tlb_flush_mmu_free (mm/memory.c:256 (discriminator 4))
[486476.234814] tlb_finish_mmu (mm/memory.c:280)
[486476.235294] exit_mmap (mm/mmap.c:2865)
[486476.235745] ? SyS_remap_file_pages (mm/mmap.c:2827)
[486476.236280] ? __khugepaged_exit (./arch/x86/include/asm/atomic.h:118 include/linux/sched.h:2563 mm/huge_memory.c:2204)
[486476.236804] ? __khugepaged_exit (./arch/x86/include/asm/atomic.h:118 include/linux/sched.h:2563 mm/huge_memory.c:2204)
[486476.237634] mmput (include/linux/compiler.h:207 kernel/fork.c:737 kernel/fork.c:704)
[486476.238173] do_exit (./arch/x86/include/asm/bitops.h:311 include/linux/thread_info.h:91 kernel/exit.c:438 kernel/exit.c:733)
[486476.238836] ? mm_update_next_owner (kernel/exit.c:654)
[486476.239666] ? lockdep_init (kernel/locking/lockdep.c:3298)
[486476.240427] ? lock_release (kernel/locking/lockdep.c:3644)
[486476.241243] ? __raw_callee_save___pv_queued_spin_unlock (??:?)
[486476.242133] do_group_exit (./arch/x86/include/asm/current.h:14 kernel/exit.c:859)
[486476.242730] get_signal (kernel/signal.c:2353)
[486476.243393] do_signal (arch/x86/kernel/signal.c:711)
[486476.243959] ? do_readv_writev (include/linux/fsnotify.h:223 fs/read_write.c:821)
[486476.244627] ? v9fs_file_lock_dotl (fs/9p/vfs_file.c:407)
[486476.245315] ? vfs_write (fs/read_write.c:777)
[486476.245902] ? setup_sigcontext (arch/x86/kernel/signal.c:708)
[486476.246548] ? __raw_callee_save___pv_queued_spin_unlock (??:?)
[486476.247395] ? __this_cpu_preempt_check (lib/smp_processor_id.c:63)
[486476.248000] FAULT_INJECTION: forcing a failure.
[486476.248000] name failslab, interval 50, probability 30, space 0, times -1
[486476.249267] ? preempt_count_sub (kernel/sched/core.c:2852)
[486476.249924] ? _raw_spin_unlock_irq (./arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:171 kernel/locking/spinlock.c:199)
[486476.250583] ? do_setitimer (kernel/time/itimer.c:239)
[486476.251190] ? check_preemption_disabled (lib/smp_processor_id.c:18)
[486476.251901] ? __this_cpu_preempt_check (lib/smp_processor_id.c:63)
[486476.252596] prepare_exit_to_usermode (arch/x86/entry/common.c:282)
[486476.253284] syscall_return_slowpath (arch/x86/entry/common.c:349)
[486476.253966] int_ret_from_sys_call (arch/x86/entry/entry_64.S:282)
[486476.254637] Memory state around the buggy address:
[486476.255156] ffff8803c3a61f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.255934] ffff8803c3a61f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.256693] >ffff8803c3a62000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.257450] ^
[486476.258044] ffff8803c3a62080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.258803] ffff8803c3a62100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.259562] ==================================================================
[486476.261376] ==================================================================
[486476.262308] BUG: KASan: use after free in free_pages_and_swap_cache+0x17d/0x1a0 at addr ffff8803c3a62050
[486476.263540] Read of size 8 by task trinity-c218/7429
[486476.264189] page:ffffea000f0e9880 count:1 mapcount:0 mapping: (null) index:0x0
[486476.265569] flags: 0x22fffff80000000()
[486476.266095] page dumped because: kasan: bad access detected
[486476.266834] CPU: 5 PID: 7429 Comm: trinity-c218 Not tainted 4.2.0-rc5-next-20150806-sasha-00040-g1b47b00-dirty #2418
[486476.267813] dffffc0000000000 ffff880406b27778 ffffffffa1e89e54[486476.268552] FAULT_INJECTION: forcing a failure.
[486476.268552] name failslab, interval 50, probability 30, space 0, times -1

[486476.269940] ffff880406b27800
[486476.270439] ffff880406b277f0 ffffffff9877299e 0000000000000010 ffffed0000000000
[486476.271528] 0000000000000282 ffffed007874c409 66666620a1f110e2 6133633330383866
[486476.272569] Call Trace:
[486476.272912] dump_stack (lib/dump_stack.c:52)
[486476.273559] kasan_report_error (mm/kasan/report.c:132 mm/kasan/report.c:193)
[486476.274356] __asan_report_load8_noabort (mm/kasan/report.c:251)
[486476.275180] ? free_pages_and_swap_cache (mm/swap_state.c:265)
[486476.275936] free_pages_and_swap_cache (mm/swap_state.c:265)
[486476.276684] tlb_flush_mmu_free (mm/memory.c:256 (discriminator 4))
[486476.277346] tlb_finish_mmu (mm/memory.c:280)
[486476.277961] exit_mmap (mm/mmap.c:2865)
[486476.278549] ? SyS_remap_file_pages (mm/mmap.c:2827)
[486476.279259] ? __khugepaged_exit (./arch/x86/include/asm/atomic.h:118 include/linux/sched.h:2563 mm/huge_memory.c:2204)
[486476.279940] ? __khugepaged_exit (./arch/x86/include/asm/atomic.h:118 include/linux/sched.h:2563 mm/huge_memory.c:2204)
[486476.280619] mmput (include/linux/compiler.h:207 kernel/fork.c:737 kernel/fork.c:704)
[486476.281160] do_exit (./arch/x86/include/asm/bitops.h:311 include/linux/thread_info.h:91 kernel/exit.c:438 kernel/exit.c:733)
[486476.281742] ? mm_update_next_owner (kernel/exit.c:654)
[486476.282451] ? lockdep_init (kernel/locking/lockdep.c:3298)
[486476.283064] ? lock_release (kernel/locking/lockdep.c:3644)
[486476.283707] ? __raw_callee_save___pv_queued_spin_unlock (??:?)
[486476.284615] do_group_exit (./arch/x86/include/asm/current.h:14 kernel/exit.c:859)
[486476.285228] get_signal (kernel/signal.c:2353)
[486476.285842] do_signal (arch/x86/kernel/signal.c:711)
[486476.286433] ? do_readv_writev (include/linux/fsnotify.h:223 fs/read_write.c:821)
[486476.287099] ? v9fs_file_lock_dotl (fs/9p/vfs_file.c:407)
[486476.287789] ? vfs_write (fs/read_write.c:777)
[486476.288390] ? setup_sigcontext (arch/x86/kernel/signal.c:708)
[486476.289056] ? __raw_callee_save___pv_queued_spin_unlock (??:?)
[486476.289935] ? __this_cpu_preempt_check (lib/smp_processor_id.c:63)
[486476.290657] ? preempt_count_sub (kernel/sched/core.c:2852)
[486476.291332] ? _raw_spin_unlock_irq (./arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:171 kernel/locking/spinlock.c:199)
[486476.292016] ? do_setitimer (kernel/time/itimer.c:239)
[486476.292643] ? check_preemption_disabled (lib/smp_processor_id.c:18)
[486476.293382] ? __this_cpu_preempt_check (lib/smp_processor_id.c:63)
[486476.294101] prepare_exit_to_usermode (arch/x86/entry/common.c:282)
[486476.294831] syscall_return_slowpath (arch/x86/entry/common.c:349)
[486476.295544] int_ret_from_sys_call (arch/x86/entry/entry_64.S:282)
[486476.296220] Memory state around the buggy address:
[486476.296759] ffff8803c3a61f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.297554] ffff8803c3a61f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.298349] >ffff8803c3a62000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.299145] ^
[486476.299796] ffff8803c3a62080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.300591] ffff8803c3a62100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.301384] ==================================================================
[486476.302475] ==================================================================
[486476.303278] BUG: KASan: use after free in free_pages_and_swap_cache+0x17d/0x1a0 at addr ffff8803c3a62058
[486476.304301] Read of size 8 by task trinity-c218/7429
[486476.304889] page:ffffea000f0e9880 count:1 mapcount:0 mapping: (null) index:0x0
[486476.305387] FAULT_INJECTION: forcing a failure.
[486476.305387] name failslab, interval 50, probability 30, space 0, times -1
[486476.306956] flags: 0x22fffff80000000()
[486476.307394] page dumped because: kasan: bad access detected
[486476.308005] CPU: 5 PID: 7429 Comm: trinity-c218 Not tainted 4.2.0-rc5-next-20150806-sasha-00040-g1b47b00-dirty #2418
[486476.309122] dffffc0000000000 ffff880406b27778 ffffffffa1e89e54 ffff880406b27800
[486476.310005] ffff880406b277f0 ffffffff9877299e 0000000000000010 ffffed0000000000
[486476.310890] 0000000000000282 ffffed007874c40a 66666620a1f110e2 6133633330383866
[486476.311774] Call Trace:
[486476.312068] dump_stack (lib/dump_stack.c:52)
[486476.312634] kasan_report_error (mm/kasan/report.c:132 mm/kasan/report.c:193)
[486476.313286] __asan_report_load8_noabort (mm/kasan/report.c:251)
[486476.313826] FAULT_INJECTION: forcing a failure.
[486476.313826] name failslab, interval 50, probability 30, space 0, times -1
[486476.315293] ? free_pages_and_swap_cache (mm/swap_state.c:265)
[486476.316040] free_pages_and_swap_cache (mm/swap_state.c:265)
[486476.316764] tlb_flush_mmu_free (mm/memory.c:256 (discriminator 4))
[486476.317414] tlb_finish_mmu (mm/memory.c:280)
[486476.318019] exit_mmap (mm/mmap.c:2865)
[486476.318599] ? SyS_remap_file_pages (mm/mmap.c:2827)
[486476.319299] ? __khugepaged_exit (./arch/x86/include/asm/atomic.h:118 include/linux/sched.h:2563 mm/huge_memory.c:2204)
[486476.319973] ? __khugepaged_exit (./arch/x86/include/asm/atomic.h:118 include/linux/sched.h:2563 mm/huge_memory.c:2204)
[486476.320646] mmput (include/linux/compiler.h:207 kernel/fork.c:737 kernel/fork.c:704)
[486476.321182] do_exit (./arch/x86/include/asm/bitops.h:311 include/linux/thread_info.h:91 kernel/exit.c:438 kernel/exit.c:733)
[486476.321755] ? mm_update_next_owner (kernel/exit.c:654)
[486476.322454] ? lockdep_init (kernel/locking/lockdep.c:3298)
[486476.323063] ? lock_release (kernel/locking/lockdep.c:3644)
[486476.323700] ? __raw_callee_save___pv_queued_spin_unlock (??:?)
[486476.324581] do_group_exit (./arch/x86/include/asm/current.h:14 kernel/exit.c:859)
[486476.325209] get_signal (kernel/signal.c:2353)
[486476.325785] do_signal (arch/x86/kernel/signal.c:711)
[486476.326232] ? do_readv_writev (include/linux/fsnotify.h:223 fs/read_write.c:821)
[486476.326823] ? v9fs_file_lock_dotl (fs/9p/vfs_file.c:407)
[486476.327355] ? vfs_write (fs/read_write.c:777)
[486476.327817] ? setup_sigcontext (arch/x86/kernel/signal.c:708)
[486476.328325] ? __raw_callee_save___pv_queued_spin_unlock (??:?)
[486476.328995] ? __this_cpu_preempt_check (lib/smp_processor_id.c:63)
[486476.329546] ? preempt_count_sub (kernel/sched/core.c:2852)
[486476.330145] ? _raw_spin_unlock_irq (./arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:171 kernel/locking/spinlock.c:199)
[486476.330670] ? do_setitimer (kernel/time/itimer.c:239)
[486476.331150] ? check_preemption_disabled (lib/smp_processor_id.c:18)
[486476.331712] ? __this_cpu_preempt_check (lib/smp_processor_id.c:63)
[486476.332340] prepare_exit_to_usermode (arch/x86/entry/common.c:282)
[486476.332916] syscall_return_slowpath (arch/x86/entry/common.c:349)
[486476.333506] int_ret_from_sys_call (arch/x86/entry/entry_64.S:282)
[486476.334233] Memory state around the buggy address:
[486476.334836] ffff8803c3a61f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.335530] ffff8803c3a61f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.336148] >ffff8803c3a62000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.336802] ^
[486476.337336] ffff8803c3a62080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.337969] ffff8803c3a62100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.338574] ==================================================================
[486476.339259] ==================================================================
[486476.339866] BUG: KASan: use after free in free_pages_and_swap_cache+0x17d/0x1a0 at addr ffff8803c3a62060
[486476.340638] Read of size 8 by task trinity-c218/7429
[486476.341055] page:ffffea000f0e9880 count:1 mapcount:0 mapping: (null) index:0x0
[486476.341795] flags: 0x22fffff80000000()
[486476.342132] page dumped because: kasan: bad access detected
[486476.342598] CPU: 5 PID: 7429 Comm: trinity-c218 Not tainted 4.2.0-rc5-next-20150806-sasha-00040-g1b47b00-dirty #2418
[486476.343473] dffffc0000000000 ffff880406b27778 ffffffffa1e89e54 ffff880406b27800
[486476.344144] ffff880406b277f0 ffffffff9877299e 0000000000000010 ffffed0000000000
[486476.344858] 0000000000000282 ffffed007874c40b 66666620a1f110e2 6133633330383866
[486476.345533] Call Trace:
[486476.345757] dump_stack (lib/dump_stack.c:52)
[486476.346256] kasan_report_error (mm/kasan/report.c:132 mm/kasan/report.c:193)
[486476.346869] __asan_report_load8_noabort (mm/kasan/report.c:251)
[486476.347419] ? free_pages_and_swap_cache (mm/swap_state.c:265)
[486476.348051] free_pages_and_swap_cache (mm/swap_state.c:265)
[486476.348885] tlb_flush_mmu_free (mm/memory.c:256 (discriminator 4))
[486476.349597] tlb_finish_mmu (mm/memory.c:280)
[486476.350318] exit_mmap (mm/mmap.c:2865)
[486476.351035] ? SyS_remap_file_pages (mm/mmap.c:2827)
[486476.351889] ? __khugepaged_exit (./arch/x86/include/asm/atomic.h:118 include/linux/sched.h:2563 mm/huge_memory.c:2204)
[486476.352708] ? __khugepaged_exit (./arch/x86/include/asm/atomic.h:118 include/linux/sched.h:2563 mm/huge_memory.c:2204)
[486476.353520] mmput (include/linux/compiler.h:207 kernel/fork.c:737 kernel/fork.c:704)
[486476.354174] do_exit (./arch/x86/include/asm/bitops.h:311 include/linux/thread_info.h:91 kernel/exit.c:438 kernel/exit.c:733)
[486476.354686] FAULT_INJECTION: forcing a failure.
[486476.354686] name failslab, interval 50, probability 30, space 0, times -1
[486476.356376] ? mm_update_next_owner (kernel/exit.c:654)
[486476.357234] ? lockdep_init (kernel/locking/lockdep.c:3298)
[486476.357976] ? lock_release (kernel/locking/lockdep.c:3644)
[486476.358755] ? __raw_callee_save___pv_queued_spin_unlock (??:?)
[486476.359820] do_group_exit (./arch/x86/include/asm/current.h:14 kernel/exit.c:859)
[486476.360570] get_signal (kernel/signal.c:2353)
[486476.361303] do_signal (arch/x86/kernel/signal.c:711)
[486476.362014] ? do_readv_writev (include/linux/fsnotify.h:223 fs/read_write.c:821)
[486476.362811] ? v9fs_file_lock_dotl (fs/9p/vfs_file.c:407)
[486476.363649] ? vfs_write (fs/read_write.c:777)
[486476.364373] ? setup_sigcontext (arch/x86/kernel/signal.c:708)
[486476.365193] ? __raw_callee_save___pv_queued_spin_unlock (??:?)
[486476.366242] ? __this_cpu_preempt_check (lib/smp_processor_id.c:63)
[486476.367115] ? preempt_count_sub (kernel/sched/core.c:2852)
[486476.367877] ? _raw_spin_unlock_irq (./arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:171 kernel/locking/spinlock.c:199)
[486476.368787] ? do_setitimer (kernel/time/itimer.c:239)
[486476.369541] ? check_preemption_disabled (lib/smp_processor_id.c:18)
[486476.370432] ? __this_cpu_preempt_check (lib/smp_processor_id.c:63)
[486476.371234] prepare_exit_to_usermode (arch/x86/entry/common.c:282)
[486476.372071] syscall_return_slowpath (arch/x86/entry/common.c:349)
[486476.372932] int_ret_from_sys_call (arch/x86/entry/entry_64.S:282)
[486476.373747] Memory state around the buggy address:
[486476.374393] ffff8803c3a61f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.375371] ffff8803c3a61f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.376265] >ffff8803c3a62000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.377032] ^
[486476.377820] ffff8803c3a62080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.378760] ffff8803c3a62100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.379642] ==================================================================
[486476.380553] ==================================================================
[486476.381406] BUG: KASan: use after free in free_pages_and_swap_cache+0x17d/0x1a0 at addr ffff8803c3a62068
[486476.382186] Read of size 8 by task trinity-c218/7429
[486476.382613] page:ffffea000f0e9880 count:1 mapcount:0 mapping: (null) index:0x0
[486476.383350] flags: 0x22fffff80000000()
[486476.383691] page dumped because: kasan: bad access detected
[486476.384159] CPU: 5 PID: 7429 Comm: trinity-c218 Not tainted 4.2.0-rc5-next-20150806-sasha-00040-g1b47b00-dirty #2418
[486476.385175] dffffc0000000000 ffff880406b27778 ffffffffa1e89e54 ffff880406b27800
[486476.386157] ffff880406b277f0 ffffffff9877299e 0000000000000010 ffffed0000000000
[486476.387069] 0000000000000282 ffffed007874c40c 66666620a1f110e2 6133633330383866
[486476.388073] Call Trace:
[486476.388329] FAULT_INJECTION: forcing a failure.
[486476.388329] name failslab, interval 50, probability 30, space 0, times -1
[486476.389770] dump_stack (lib/dump_stack.c:52)
[486476.390478] kasan_report_error (mm/kasan/report.c:132 mm/kasan/report.c:193)
[486476.391242] __asan_report_load8_noabort (mm/kasan/report.c:251)
[486476.392123] ? free_pages_and_swap_cache (mm/swap_state.c:265)
[486476.393029] free_pages_and_swap_cache (mm/swap_state.c:265)
[486476.393908] tlb_flush_mmu_free (mm/memory.c:256 (discriminator 4))
[486476.394831] tlb_finish_mmu (mm/memory.c:280)
[486476.395566] exit_mmap (mm/mmap.c:2865)
[486476.396225] ? SyS_remap_file_pages (mm/mmap.c:2827)
[486476.397071] ? __khugepaged_exit (./arch/x86/include/asm/atomic.h:118 include/linux/sched.h:2563 mm/huge_memory.c:2204)
[486476.397857] ? __khugepaged_exit (./arch/x86/include/asm/atomic.h:118 include/linux/sched.h:2563 mm/huge_memory.c:2204)
[486476.398670] mmput (include/linux/compiler.h:207 kernel/fork.c:737 kernel/fork.c:704)
[486476.399321] do_exit (./arch/x86/include/asm/bitops.h:311 include/linux/thread_info.h:91 kernel/exit.c:438 kernel/exit.c:733)
[486476.400017] ? mm_update_next_owner (kernel/exit.c:654)
[486476.400886] ? lockdep_init (kernel/locking/lockdep.c:3298)
[486476.401629] ? lock_release (kernel/locking/lockdep.c:3644)
[486476.402398] ? __raw_callee_save___pv_queued_spin_unlock (??:?)
[486476.403681] do_group_exit (./arch/x86/include/asm/current.h:14 kernel/exit.c:859)
[486476.404364] get_signal (kernel/signal.c:2353)
[486476.405238] do_signal (arch/x86/kernel/signal.c:711)
[486476.406040] ? do_readv_writev (include/linux/fsnotify.h:223 fs/read_write.c:821)
[486476.406300] FAULT_INJECTION: forcing a failure.
[486476.406300] name failslab, interval 50, probability 30, space 0, times -1
[486476.408278] ? v9fs_file_lock_dotl (fs/9p/vfs_file.c:407)
[486476.409060] ? vfs_write (fs/read_write.c:777)
[486476.409985] ? setup_sigcontext (arch/x86/kernel/signal.c:708)
[486476.410741] ? __raw_callee_save___pv_queued_spin_unlock (??:?)
[486476.411978] ? __this_cpu_preempt_check (lib/smp_processor_id.c:63)
[486476.412800] ? preempt_count_sub (kernel/sched/core.c:2852)
[486476.413553] ? _raw_spin_unlock_irq (./arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:171 kernel/locking/spinlock.c:199)
[486476.413727] FAULT_INJECTION: forcing a failure.
[486476.413727] name failslab, interval 50, probability 30, space 0, times -1
[486476.416007] ? do_setitimer (kernel/time/itimer.c:239)
[486476.416658] ? check_preemption_disabled (lib/smp_processor_id.c:18)
[486476.417521] ? __this_cpu_preempt_check (lib/smp_processor_id.c:63)
[486476.418372] prepare_exit_to_usermode (arch/x86/entry/common.c:282)
[486476.419207] syscall_return_slowpath (arch/x86/entry/common.c:349)
[486476.420020] int_ret_from_sys_call (arch/x86/entry/entry_64.S:282)
[486476.420783] Memory state around the buggy address:
[486476.421386] ffff8803c3a61f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.422271] ffff8803c3a61f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.423162] >ffff8803c3a62000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.423442] FAULT_INJECTION: forcing a failure.
[486476.423442] name failslab, interval 50, probability 30, space 0, times -1
[486476.425568] ^
[486476.426400] ffff8803c3a62080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.427309] ffff8803c3a62100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.428173] ==================================================================
[486476.428311] FAULT_INJECTION: forcing a failure.
[486476.428311] name failslab, interval 50, probability 30, space 0, times -1
[486476.430647] ==================================================================
[486476.431581] BUG: KASan: use after free in free_pages_and_swap_cache+0x17d/0x1a0 at addr ffff8803c3a62070
[486476.432796] Read of size 8 by task trinity-c218/7429
[486476.433450] page:ffffea000f0e9880 count:1 mapcount:0 mapping: (null) index:0x0
[486476.434519] flags: 0x22fffff80000000()
[486476.435056] page dumped because: kasan: bad access detected
[486476.435809] CPU: 5 PID: 7429 Comm: trinity-c218 Not tainted 4.2.0-rc5-next-20150806-sasha-00040-g1b47b00-dirty #2418
[486476.437152] dffffc0000000000 ffff880406b27778 ffffffffa1e89e54 ffff880406b27800
[486476.438222] ffff880406b277f0 ffffffff9877299e 0000000000000010 ffffed0000000000
[486476.439295] 0000000000000282 ffffed007874c40d 66666620a1f110e2 6133633330383866
[486476.440374] Call Trace:
[486476.440733] dump_stack (lib/dump_stack.c:52)
[486476.441438] kasan_report_error (mm/kasan/report.c:132 mm/kasan/report.c:193)
[486476.442233] __asan_report_load8_noabort (mm/kasan/report.c:251)
[486476.443067] ? free_pages_and_swap_cache (mm/swap_state.c:265)
[486476.444024] free_pages_and_swap_cache (mm/swap_state.c:265)
[486476.445027] tlb_flush_mmu_free (mm/memory.c:256 (discriminator 4))
[486476.445822] tlb_finish_mmu (mm/memory.c:280)
[486476.446624] exit_mmap (mm/mmap.c:2865)
[486476.447267] ? SyS_remap_file_pages (mm/mmap.c:2827)
[486476.448090] ? __khugepaged_exit (./arch/x86/include/asm/atomic.h:118 include/linux/sched.h:2563 mm/huge_memory.c:2204)
[486476.448906] ? __khugepaged_exit (./arch/x86/include/asm/atomic.h:118 include/linux/sched.h:2563 mm/huge_memory.c:2204)
[486476.449712] mmput (include/linux/compiler.h:207 kernel/fork.c:737 kernel/fork.c:704)
[486476.450331] do_exit (./arch/x86/include/asm/bitops.h:311 include/linux/thread_info.h:91 kernel/exit.c:438 kernel/exit.c:733)
[486476.451018] ? mm_update_next_owner (kernel/exit.c:654)
[486476.451858] ? lockdep_init (kernel/locking/lockdep.c:3298)
[486476.452589] ? lock_release (kernel/locking/lockdep.c:3644)
[486476.453355] ? __raw_callee_save___pv_queued_spin_unlock (??:?)
[486476.454405] do_group_exit (./arch/x86/include/asm/current.h:14 kernel/exit.c:859)
[486476.455173] get_signal (kernel/signal.c:2353)
[486476.455894] do_signal (arch/x86/kernel/signal.c:711)
[486476.456588] ? do_readv_writev (include/linux/fsnotify.h:223 fs/read_write.c:821)
[486476.457379] ? v9fs_file_lock_dotl (fs/9p/vfs_file.c:407)
[486476.458182] ? vfs_write (fs/read_write.c:777)
[486476.458948] ? setup_sigcontext (arch/x86/kernel/signal.c:708)
[486476.459836] ? __raw_callee_save___pv_queued_spin_unlock (??:?)
[486476.461001] ? __this_cpu_preempt_check (lib/smp_processor_id.c:63)
[486476.462059] ? preempt_count_sub (kernel/sched/core.c:2852)
[486476.463068] ? _raw_spin_unlock_irq (./arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:171 kernel/locking/spinlock.c:199)
[486476.463932] ? do_setitimer (kernel/time/itimer.c:239)
[486476.464753] ? check_preemption_disabled (lib/smp_processor_id.c:18)
[486476.465632] ? __this_cpu_preempt_check (lib/smp_processor_id.c:63)
[486476.466503] prepare_exit_to_usermode (arch/x86/entry/common.c:282)
[486476.467370] syscall_return_slowpath (arch/x86/entry/common.c:349)
[486476.468222] int_ret_from_sys_call (arch/x86/entry/entry_64.S:282)
[486476.469029] Memory state around the buggy address:
[486476.469675] ffff8803c3a61f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.470615] ffff8803c3a61f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.471557] >ffff8803c3a62000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.472496] ^
[486476.473398] ffff8803c3a62080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.474336] ffff8803c3a62100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.475301] ==================================================================
[486476.477819] ==================================================================
[486476.478757] BUG: KASan: use after free in free_pages_and_swap_cache+0x17d/0x1a0 at addr ffff8803c3a62078
[486476.480002] Read of size 8 by task trinity-c218/7429
[486476.480662] page:ffffea000f0e9880 count:1 mapcount:0 mapping: (null) index:0x0
[486476.481719] flags: 0x22fffff80000000()
[486476.482263] page dumped because: kasan: bad access detected
[486476.483013] CPU: 5 PID: 7429 Comm: trinity-c218 Not tainted 4.2.0-rc5-next-20150806-sasha-00040-g1b47b00-dirty #2418
[486476.484373] dffffc0000000000 ffff880406b27778 ffffffffa1e89e54 ffff880406b27800
[486476.485508] ffff880406b277f0 ffffffff9877299e 0000000000000010 ffffed0000000000
[486476.486598] 0000000000000282 ffffed007874c40e 66666620a1f110e2 6133633330383866
[486476.487700] Call Trace:
[486476.488056] dump_stack (lib/dump_stack.c:52)
[486476.488768] kasan_report_error (mm/kasan/report.c:132 mm/kasan/report.c:193)
[486476.489577] __asan_report_load8_noabort (mm/kasan/report.c:251)
[486476.490441] ? free_pages_and_swap_cache (mm/swap_state.c:265)
[486476.491357] free_pages_and_swap_cache (mm/swap_state.c:265)
[486476.492232] tlb_flush_mmu_free (mm/memory.c:256 (discriminator 4))
[486476.493032] tlb_finish_mmu (mm/memory.c:280)
[486476.493775] exit_mmap (mm/mmap.c:2865)
[486476.494496] ? SyS_remap_file_pages (mm/mmap.c:2827)
[486476.495344] ? __khugepaged_exit (./arch/x86/include/asm/atomic.h:118 include/linux/sched.h:2563 mm/huge_memory.c:2204)
[486476.496168] ? __khugepaged_exit (./arch/x86/include/asm/atomic.h:118 include/linux/sched.h:2563 mm/huge_memory.c:2204)
[486476.497003] mmput (include/linux/compiler.h:207 kernel/fork.c:737 kernel/fork.c:704)
[486476.497654] do_exit (./arch/x86/include/asm/bitops.h:311 include/linux/thread_info.h:91 kernel/exit.c:438 kernel/exit.c:733)
[486476.498353] ? mm_update_next_owner (kernel/exit.c:654)
[486476.499223] ? lockdep_init (kernel/locking/lockdep.c:3298)
[486476.499973] ? lock_release (kernel/locking/lockdep.c:3644)
[486476.500432] FAULT_INJECTION: forcing a failure.
[486476.500432] name failslab, interval 50, probability 30, space 0, times -1
[486476.502250] ? __raw_callee_save___pv_queued_spin_unlock (??:?)
[486476.503310] do_group_exit (./arch/x86/include/asm/current.h:14 kernel/exit.c:859)
[486476.504142] get_signal (kernel/signal.c:2353)
[486476.504966] do_signal (arch/x86/kernel/signal.c:711)
[486476.505733] ? do_readv_writev (include/linux/fsnotify.h:223 fs/read_write.c:821)
[486476.506615] ? v9fs_file_lock_dotl (fs/9p/vfs_file.c:407)
[486476.507564] ? vfs_write (fs/read_write.c:777)
[486476.508300] ? setup_sigcontext (arch/x86/kernel/signal.c:708)
[486476.509062] ? __raw_callee_save___pv_queued_spin_unlock (??:?)
[486476.510136] ? __this_cpu_preempt_check (lib/smp_processor_id.c:63)
[486476.510987] ? preempt_count_sub (kernel/sched/core.c:2852)
[486476.511789] ? _raw_spin_unlock_irq (./arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:171 kernel/locking/spinlock.c:199)
[486476.512628] ? do_setitimer (kernel/time/itimer.c:239)
[486476.513377] ? check_preemption_disabled (lib/smp_processor_id.c:18)
[486476.514243] ? __this_cpu_preempt_check (lib/smp_processor_id.c:63)
[486476.515202] prepare_exit_to_usermode (arch/x86/entry/common.c:282)
[486476.516024] syscall_return_slowpath (arch/x86/entry/common.c:349)
[486476.516883] int_ret_from_sys_call (arch/x86/entry/entry_64.S:282)
[486476.517695] Memory state around the buggy address:
[486476.518346] ffff8803c3a61f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.519279] ffff8803c3a61f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.520213] >ffff8803c3a62000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.521162] ^
[486476.522104] ffff8803c3a62080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.523063] ffff8803c3a62100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[486476.524007] ==================================================================
[486476.525088] ==================================================================
[486476.526040] BUG: KASan: use after free in free_pages_and_swap_cache+0x17d/0x1a0 at addr ffff8803c3a62080
[486476.527275] Read of size 8 by task trinity-c218/7429
[486476.527971] page:ffffea000f0e9880 count:1 mapcount:0 mapping: (null) index:0x0
[486476.529029] flags: 0x22fffff80000000()
[486476.529571] page dumped because: kasan: bad access detected
[486476.530325] CPU: 5 PID: 7429 Comm: trinity-c218 Not tainted 4.2.0-rc5-next-20150806-sasha-00040-g1b47b00-dirty #2418
[486476.531715] dffffc0000000000 ffff880406b27778 ffffffffa1e89e54 ffff880406b27800
[486476.532804] ffff880406b277f0 ffffffff9877299e 0000000000000010 ffffed0000000000
[486476.533888] 0000000000000282 ffffed007874c40f 66666620a1f110e2 6133633330383866
[486476.534984] Call Trace:
[486476.535344] dump_stack (lib/dump_stack.c:52)
[486476.536024] kasan_report_error (mm/kasan/report.c:132 mm/kasan/report.c:193)
[486476.536836] __asan_report_load8_noabort (mm/kasan/report.c:251)
[486476.537728] ? free_pages_and_swap_cache (mm/swap_state.c:265)
[486476.538649] free_pages_and_swap_cache (mm/swap_state.c:265)
[486476.539544] tlb_flush_mmu_free (mm/memory.c:256 (discriminator 4))
[486476.540335] tlb_finish_mmu (mm/memory.c:280)
[486476.541068] exit_mmap (mm/mmap.c:2865)
[486476.541764] ? SyS_remap_file_pages (mm/mmap.c:2827)
[486476.542620] ? __khugepaged_exit (./arch/x86/include/asm/atomic.h:118 include/linux/sched.h:2563 mm/huge_memory.c:2204)
[486476.543381] ? __khugepaged_exit (./arch/x86/include/asm/atomic.h:118 include/linux/sched.h:2563 mm/huge_memory.c:2204)
[486476.544204] mmput (include/linux/compiler.h:207 kernel/fork.c:737 kernel/fork.c:704)
[486476.544819] do_exit (./arch/x86/include/asm/bitops.h:311 include/linux/thread_info.h:91 kernel/exit.c:438 kernel/exit.c:733)
[486476.545450] ? mm_update_next_owner (kernel/exit.c:654)
[486476.546200] ? lockdep_init (kernel/locking/lockdep.c:3298)
[486476.546854] ? lock_release (kernel/locking/lockdep.c:3644)
[486476.547538] ? __raw_callee_save___pv_queued_spin_unlock (??:?)
[486476.548475] do_group_exit (./arch/x86/include/asm/current.h:14 kernel/exit.c:859)
[486476.549138] get_signal (kernel/signal.c:2353)
[486476.549791] do_signal (arch/x86/kernel/signal.c:711)
[486476.550596] ? do_readv_writev (include/linux/fsnotify.h:223 fs/read_write.c:821)
[486476.551550] ? v9fs_file_lock_dotl (fs/9p/vfs_file.c:407)
[486476.552298] ? vfs_write (fs/read_write.c:777)
[486476.552954] ? setup_sigcontext (arch/x86/kernel/signal.c:708)
[486476.553790] ? __raw_callee_save___pv_queued_spin_unlock (??:?)
[486476.554876] ? __this_cpu_preempt_check (lib/smp_processor_id.c:63)
[486476.555749] ? preempt_count_sub (kernel/sched/core.c:2852)
[486476.556567] ? _raw_spin_unlock_irq (./arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:171 kernel/locking/spinlock.c:199)
[486476.557390] ? do_setitimer (kernel/time/itimer.c:239)
[486476.558147] ? check_preemption_disabled (lib/smp_processor_id.c:18)
[486476.559037] ? __this_cpu_preempt_check (lib/smp_processor_id.c:63)
[486476.559914] prepare_exit_to_usermode (arch/x86/entry/common.c:282)
[486476.560400] FAULT_INJECTION: forcing a failure.
[486476.560400] name failslab, interval 50, probability 30, space 0, times -1
[486476.562266] syscall_return_slowpath (arch/x86/entry/common.c:349)
[486476.563123] int_ret_from_sys_call (arch/x86/entry/entry_64.S:282)
[486476.563936] Memory state around the buggy address:
[486476.564605] ffff8803c3a61f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[486476.565556] ffff8803c3a62000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[486476.566494] >ffff8803c3a62080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[486476.567459] ^
[486476.567901] ffff8803c3a62100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[486476.568839] ffff8803c3a62180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[486476.569771] ==================================================================
[486476.570789] kasan: CONFIG_KASAN_INLINE enabled
[486476.571371] kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN
[486476.573697] Dumping ftrace buffer:
[486476.574537] (ftrace buffer empty)
[486476.575185] Modules linked in:
[486476.575715] CPU: 5 PID: 7429 Comm: trinity-c218 Not tainted 4.2.0-rc5-next-20150806-sasha-00040-g1b47b00-dirty #2418
[486476.577310] task: ffff8803df648000 ti: ffff880406b20000 task.ti: ffff880406b20000
[486476.578449] RIP: free_pages_and_swap_cache (./arch/x86/include/asm/bitops.h:311 (discriminator 3) include/linux/page-flags.h:337 (discriminator 3) mm/swap_state.c:238 (discriminator 3) mm/swap_state.c:265 (discriminator 3))
[486476.579870] RSP: 0018:ffff880406b27838 EFLAGS: 00010246
[486476.580693] RAX: 0000000000000000 RBX: ffff8803c3a624e8 RCX: 0000000000000000
[486476.581792] RDX: ffff8803c3a63000 RSI: ffffffff987728fb RDI: ffffffffa1f110cb
[486476.582897] RBP: ffff880406b27870 R08: 0000000000000001 R09: 0000000000000000
[486476.583967] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[486476.585112] R13: dffffc0000000000 R14: ffff8803c3a62010 R15: 00000000000001fe
[486476.585651] FAULT_INJECTION: forcing a failure.
[486476.585651] name failslab, interval 50, probability 30, space 0, times -1
[486476.587904] FS: 00007fbd70df9700(0000) GS:ffff8802c0000000(0000) knlGS:0000000000000000
[486476.589034] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[486476.589954] CR2: 00007fbd6fdf4220 CR3: 0000000692c7b000 CR4: 00000000000006a0
[486476.591058] Stack:
[486476.591434] ffff880406b27870 ffff8803c3a63000 ffff8803c3a62000 dffffc0000000000
[486476.592757] ffff880406b27910 ffff880406b27938 ffff8803c3a62008 ffff880406b278a8
[486476.594117] ffffffff986e673a ffff880406b27910 1ffff10080d64f1e dffffc0000000000
[486476.595427] Call Trace:
[486476.595866] tlb_flush_mmu_free (mm/memory.c:256 (discriminator 4))
[486476.596811] tlb_finish_mmu (mm/memory.c:280)
[486476.597603] exit_mmap (mm/mmap.c:2865)
[486476.598227] ? SyS_remap_file_pages (mm/mmap.c:2827)
[486476.598955] ? __khugepaged_exit (./arch/x86/include/asm/atomic.h:118 include/linux/sched.h:2563 mm/huge_memory.c:2204)
[486476.599752] ? __khugepaged_exit (./arch/x86/include/asm/atomic.h:118 include/linux/sched.h:2563 mm/huge_memory.c:2204)
[486476.600723] mmput (include/linux/compiler.h:207 kernel/fork.c:737 kernel/fork.c:704)
[486476.601545] do_exit (./arch/x86/include/asm/bitops.h:311 include/linux/thread_info.h:91 kernel/exit.c:438 kernel/exit.c:733)
[486476.602405] ? mm_update_next_owner (kernel/exit.c:654)
[486476.603424] ? lockdep_init (kernel/locking/lockdep.c:3298)
[486476.604311] ? lock_release (kernel/locking/lockdep.c:3644)
[486476.605201] ? __raw_callee_save___pv_queued_spin_unlock (??:?)
[486476.606412] do_group_exit (./arch/x86/include/asm/current.h:14 kernel/exit.c:859)
[486476.607306] get_signal (kernel/signal.c:2353)
[486476.608111] do_signal (arch/x86/kernel/signal.c:711)
[486476.608752] ? do_readv_writev (include/linux/fsnotify.h:223 fs/read_write.c:821)
[486476.609665] ? v9fs_file_lock_dotl (fs/9p/vfs_file.c:407)
[486476.610691] ? vfs_write (fs/read_write.c:777)
[486476.611596] ? setup_sigcontext (arch/x86/kernel/signal.c:708)
[486476.612622] ? __raw_callee_save___pv_queued_spin_unlock (??:?)
[486476.613949] ? __this_cpu_preempt_check (lib/smp_processor_id.c:63)
[486476.615163] ? preempt_count_sub (kernel/sched/core.c:2852)
[486476.616169] ? _raw_spin_unlock_irq (./arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:171 kernel/locking/spinlock.c:199)
[486476.617220] ? do_setitimer (kernel/time/itimer.c:239)
[486476.618140] ? check_preemption_disabled (lib/smp_processor_id.c:18)
[486476.619229] ? __this_cpu_preempt_check (lib/smp_processor_id.c:63)
[486476.620290] prepare_exit_to_usermode (arch/x86/entry/common.c:282)
[486476.621439] syscall_return_slowpath (arch/x86/entry/common.c:349)
[486476.622363] int_ret_from_sys_call (arch/x86/entry/entry_64.S:282)
[486476.623369] Code: eb 0d 48 83 c3 08 48 39 d3 0f 84 9d 00 00 00 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 10 01 00 00 4c 8b 23 4c 89 e0 48 c1 e8 03 <42> 80 3c 28 00 0f 85 e6 00 00 00 49 8b 04 24 a9 00 00 01 00 74
All code
========
0: eb 0d jmp 0xf
2: 48 83 c3 08 add $0x8,%rbx
6: 48 39 d3 cmp %rdx,%rbx
9: 0f 84 9d 00 00 00 je 0xac
f: 48 89 d8 mov %rbx,%rax
12: 48 c1 e8 03 shr $0x3,%rax
16: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1)
1b: 0f 85 10 01 00 00 jne 0x131
21: 4c 8b 23 mov (%rbx),%r12
24: 4c 89 e0 mov %r12,%rax
27: 48 c1 e8 03 shr $0x3,%rax
2b:* 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1) <-- trapping instruction
30: 0f 85 e6 00 00 00 jne 0x11c
36: 49 8b 04 24 mov (%r12),%rax
3a: a9 00 00 01 00 test $0x10000,%eax
3f: 74 00 je 0x41

Code starting with the faulting instruction
===========================================
0: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1)
5: 0f 85 e6 00 00 00 jne 0xf1
b: 49 8b 04 24 mov (%r12),%rax
f: a9 00 00 01 00 test $0x10000,%eax
14: 74 00 je 0x16
[486476.628902] RIP free_pages_and_swap_cache (./arch/x86/include/asm/bitops.h:311 (discriminator 3) include/linux/page-flags.h:337 (discriminator 3) mm/swap_state.c:238 (discriminator 3) mm/swap_state.c:265 (discriminator 3))
[486476.630017] RSP <ffff880406b27838>
[486476.633716] ---[ end trace 3e2ea69469462bc0 ]---
[486476.634480] Kernel panic - not syncing: Fatal exception


Thanks,
Sasha
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/