Closed
Labels: KASAN (KASAN-related issues)
Description
I am getting the following BUGs on 1a0a02d:
------------[ cut here ]------------
kernel BUG at mm/mempolicy.c:1697!
invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN
Modules linked in:
CPU: 3 PID: 11267 Comm: syz-executor Not tainted 4.7.0-rc5+ #28
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff8800384444c0 ti: ffff880038dc0000 task.ti: ffff880038dc0000
RIP: 0010:[<ffffffff817a356e>]
[<ffffffff817a356e>] policy_zonelist+0xbe/0x1a0 mm/mempolicy.c:1697
RSP: 0000:ffff880038dc76f0 EFLAGS: 00010097
RAX: ffff8800384444c0 RBX: ffff88006448a230 RCX: 00000000e41703bb
RDX: 0000000000000000 RSI: ffff88006448a230 RDI: ffff88006448a234
RBP: ffff880038dc7710 R08: 000000000000000c R09: 0000000000000000
R10: 0000000000000000 R11: ffffffff89f06360 R12: 0000000000000001
R13: 0000000002000000 R14: ffff880038445520 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88006d500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000810000 CR3: 0000000063d7d000 CR4: 00000000000006e0
Stack:
ffff88006448a230 0000000002000000 ffff8800384444c0 ffff880038445520
ffff880038dc7778 ffffffff817a5158 ffffffff86c55e00 ffff880038dc77f0
ffffffff86c55e00 ffff8800384444c0 ffff880000000000 0000000203dc7798
Call Trace:
[<ffffffff817a5158>] alloc_pages_current+0xd8/0x4f0 mm/mempolicy.c:2070
[< inline >] alloc_pages include/linux/gfp.h:468
[<ffffffff82d8db6f>] depot_save_stack+0x4ff/0x5b0 lib/stackdepot.c:258
[<ffffffff817b8951>] save_stack+0xb1/0xd0 mm/kasan/kasan.c:482
[< inline >] set_track mm/kasan/kasan.c:488
[<ffffffff817b90cb>] kasan_slab_free+0x9b/0xd0 mm/kasan/kasan.c:540
[< inline >] __cache_free mm/slab.c:3551
[<ffffffff817b62f6>] kmem_cache_free+0x76/0x310 mm/slab.c:3811
[<ffffffff817a7723>] __mpol_put+0x33/0x40 mm/mempolicy.c:299
[< inline >] mpol_put include/linux/mempolicy.h:67
[<ffffffff8137ba63>] do_exit+0x16f3/0x2c80 kernel/exit.c:773
[<ffffffff8137d168>] do_group_exit+0x108/0x330 kernel/exit.c:878
[<ffffffff813a0634>] get_signal+0x634/0x15e0 kernel/signal.c:2307
[<ffffffff811fa943>] do_signal+0x83/0x1f20 arch/x86/kernel/signal.c:783
[<ffffffff81006695>] exit_to_usermode_loop+0x1a5/0x210 arch/x86/entry/common.c:229
[< inline >] prepare_exit_to_usermode arch/x86/entry/common.c:264
[<ffffffff8100885f>] syscall_return_slowpath+0x2bf/0x340 arch/x86/entry/common.c:329
[<ffffffff86a94e9c>] entry_SYSCALL_64_fastpath+0xbf/0xc1 arch/x86/entry/entry_64.S:241
Code: 45 85 ed 4a 8b 14 e5 80 8f f4 88 0f 95 c0 48 69 c0 10 14 00 00 5b 41 5c 41 5d 48 8d 84 02 c0 26 00 00 41 5e 5d c3 e8 72 22 df ff <0f> 0b e8 6b 22 df ff 48 8d 7b 06 48 b8 00 00 00 00 00 fc ff df
RIP [<ffffffff817a356e>] policy_zonelist+0xbe/0x1a0 mm/mempolicy.c:1697
RSP <ffff880038dc76f0>
---[ end trace fa599a524816f07d ]---
do_exit frees current mempolicy here:
mpol_put(tsk->mempolicy);
And that same free tries to allocate pages in depot_save_stack and accesses the freed mempolicy.
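As an added illustration (not code from the report or from the kernel), a small C model of the ordering described above: mpol_put() runs a free hook that allocates, the allocation consults current->mempolicy, and that pointer still refers to the object being freed; the second variant detaches the pointer before dropping the last reference. Function names are borrowed from the trace, but every body, MPOL_POISON and touched_freed_policy are constructed for this model.

```c
/* Constructed model (not kernel code) of the re-entrancy in the report: KASAN's
 * free hook allocates a page, and that path reads the mempolicy being freed. */
#include <stdlib.h>

#define MPOL_POISON 0xdead        /* stands in for KASAN's freed-object poison */
struct mempolicy { int mode; int refcnt; };
struct task { struct mempolicy *mempolicy; };
static struct task *current;      /* the exiting task */
static int touched_freed_policy;  /* stand-in for the BUG() in policy_zonelist() */

/* Like policy_zonelist(): the real function BUG()s on an invalid mode. */
static void policy_zonelist(const struct mempolicy *pol)
{
    if (pol->mode == MPOL_POISON)
        touched_freed_policy = 1;
}
/* Like alloc_pages_current(): honours current->mempolicy when it is set. */
static void alloc_pages_current(void)
{
    if (current->mempolicy)
        policy_zonelist(current->mempolicy);
}
/* Like __mpol_put() -> kasan_slab_free() -> depot_save_stack() -> alloc_pages(). */
static void mpol_put(struct mempolicy *pol)
{
    if (--pol->refcnt)
        return;
    pol->mode = MPOL_POISON;      /* object is invalid from here on */
    alloc_pages_current();        /* the stack depot needs a fresh page */
    free(pol);
}
/* Ordering from the report: the task still points at the policy being freed. */
int do_exit_buggy(struct task *tsk)
{
    current = tsk;
    touched_freed_policy = 0;
    mpol_put(tsk->mempolicy);
    tsk->mempolicy = NULL;
    return touched_freed_policy;  /* 1: the freed policy was dereferenced */
}
/* Alternative ordering: detach the pointer first, then drop the last reference. */
int do_exit_fixed(struct task *tsk)
{
    struct mempolicy *pol = tsk->mempolicy;
    current = tsk;
    touched_freed_policy = 0;
    tsk->mempolicy = NULL;
    mpol_put(pol);
    return touched_freed_policy;  /* 0: the allocation saw no task policy */
}
```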