Re: BUG: Bad page state (3)

From: Eric Biggers
Date: Thu Feb 01 2018 - 18:47:27 EST
On Sun, Dec 31, 2017 at 11:03:01PM -0800, syzbot wrote:
> Hello,
>
> syzkaller hit the following crash on
> 30a7acd573899fd8b8ac39236eff6468b195ac7d
> git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
> C reproducer is attached
> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
> for information about syzkaller reproducers
>
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+b8845cd4aa5a5e2c6cdc@xxxxxxxxxxxxxxxxxxxxxxxxx
> It will help syzbot understand when the bug is fixed. See footer for
> details.
> If you forward the report, please keep this part and the footer.
>
> BUG: Bad page state in process syzkaller246299 pfn:1c0c5f
> page:000000004c4544aa count:1 mapcount:1 mapping: (null) index:0x0
> flags: 0x2fffc0000000004(referenced)
> raw: 02fffc0000000004 0000000000000000 0000000000000000 0000000100000000
> raw: dead000000000100 dead000000000200 0000000000000000 0000000000000000
> page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
> Modules linked in:
> CPU: 1 PID: 3493 Comm: syzkaller246299 Not tainted 4.15.0-rc6+ #245
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:17 [inline]
> dump_stack+0x194/0x257 lib/dump_stack.c:53
> bad_page+0x230/0x2b0 mm/page_alloc.c:577
> free_pages_check_bad+0x1f0/0x2e0 mm/page_alloc.c:955
> free_pages_check mm/page_alloc.c:964 [inline]
> free_pages_prepare mm/page_alloc.c:1054 [inline]
> free_pcp_prepare mm/page_alloc.c:1079 [inline]
> free_unref_page_prepare mm/page_alloc.c:2622 [inline]
> free_unref_page+0x594/0x9e0 mm/page_alloc.c:2672
> __free_pages+0x107/0x150 mm/page_alloc.c:4297
> free_pages+0x51/0x90 mm/page_alloc.c:4309
> mon_free_buff drivers/usb/mon/mon_bin.c:1331 [inline]
> mon_bin_ioctl+0x653/0xd40 drivers/usb/mon/mon_bin.c:1039
> vfs_ioctl fs/ioctl.c:46 [inline]
> do_vfs_ioctl+0x1b1/0x1520 fs/ioctl.c:686
> SYSC_ioctl fs/ioctl.c:701 [inline]
> SyS_ioctl+0x8f/0xc0 fs/ioctl.c:692
> entry_SYSCALL_64_fastpath+0x23/0x9a

The crash is no longer occurring; it seems to have been fixed by commit 46eb14a6e1585:

#syz fix: USB: fix usbmon BUG trigger

- Eric