[syzbot] [mm?] [kasan?] WARNING in __kfence_free (3)
From: syzbot
Date: Tue Oct 17 2023 - 22:09:12 EST
Hello,
syzbot found the following issue on:
HEAD commit: 213f891525c2 Merge tag 'probes-fixes-v6.6-rc6' of git://gi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14a731f9680000
kernel config: https://syzkaller.appspot.com/x/.config?x=a4436b383d761e86
dashboard link: https://syzkaller.appspot.com/bug?extid=59f37b0ab4c558a5357c
compiler: aarch64-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/384ffdcca292/non_bootable_disk-213f8915.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/98b9a78b6226/vmlinux-213f8915.xz
kernel image: https://storage.googleapis.com/syzbot-assets/8ed2ef54968f/Image-213f8915.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+59f37b0ab4c558a5357c@xxxxxxxxxxxxxxxxxxxxxxxxx
------------[ cut here ]------------
WARNING: CPU: 1 PID: 3252 at mm/kfence/core.c:1147 __kfence_free+0x7c/0xb4 mm/kfence/core.c:1147
Modules linked in:
CPU: 1 PID: 3252 Comm: syz-executor.1 Not tainted 6.6.0-rc6-syzkaller-00029-g213f891525c2 #0
Hardware name: linux,dummy-virt (DT)
pstate: 81400009 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
pc : __kfence_free+0x7c/0xb4 mm/kfence/core.c:1147
lr : kfence_free include/linux/kfence.h:187 [inline]
lr : __slab_free+0x48c/0x508 mm/slub.c:3614
sp : ffff800082cebb50
x29: ffff800082cebb50 x28: f7ff000002c0c400 x27: ffff8000818ca8a8
x26: ffff8000821f0620 x25: 0000000000000001 x24: ffff00007ffa3000
x23: 0000000000000001 x22: ffff00007ffa3000 x21: ffff00007ffa3000
x20: ffff80008004191c x19: fffffc0001ffe8c0 x18: ffffffffffffffff
x17: ffff800080027b40 x16: ffff800080027a34 x15: ffff800080318514
x14: ffff8000800469c8 x13: ffff800080011558 x12: ffff800081897ff4
x11: ffff800081897b28 x10: ffff800080027bfc x9 : 0000000000400cc0
x8 : ffff800082cebc30 x7 : 0000000000000000 x6 : 0000000000000000
x5 : ffff80008004191c x4 : ffff00007f869000 x3 : ffff800082420338
x2 : fcff000006a24ec0 x1 : ffff00007f8a50a0 x0 : ffff00007ffa3000
Call trace:
__kfence_free+0x7c/0xb4 mm/kfence/core.c:1147
kfence_free include/linux/kfence.h:187 [inline]
__slab_free+0x48c/0x508 mm/slub.c:3614
do_slab_free mm/slub.c:3757 [inline]
slab_free mm/slub.c:3810 [inline]
__kmem_cache_free+0x220/0x230 mm/slub.c:3822
kfree+0x5c/0x74 mm/slab_common.c:1072
kvm_uevent_notify_change.part.0+0x10c/0x174 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:5908
kvm_uevent_notify_change arch/arm64/kvm/../../../virt/kvm/kvm_main.c:5878 [inline]
kvm_dev_ioctl_create_vm arch/arm64/kvm/../../../virt/kvm/kvm_main.c:5107 [inline]
kvm_dev_ioctl+0x3e8/0x91c arch/arm64/kvm/../../../virt/kvm/kvm_main.c:5131
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__arm64_sys_ioctl+0xac/0xf0 fs/ioctl.c:857
__invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
invoke_syscall+0x48/0x114 arch/arm64/kernel/syscall.c:51
el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:136
do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:155
el0_svc+0x40/0x114 arch/arm64/kernel/entry-common.c:678
el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:696
el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:595
---[ end trace 0000000000000000 ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxx.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup