==================================================================
BUG: KASAN: use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
BUG: KASAN: use-after-free in do_raw_spin_lock+0x271/0x2c0 kernel/locking/spinlock_debug.c:115
Read of size 4 at addr ffff888024a88014 by task kswapd0/114

CPU: 2 UID: 0 PID: 114 Comm: kswapd0 Not tainted 6.13.0-rc3-syzkaller-00289-g48f506ad0b68 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:489
 kasan_report+0xd9/0x110 mm/kasan/report.c:602
 debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
 do_raw_spin_lock+0x271/0x2c0 kernel/locking/spinlock_debug.c:115
 spin_lock include/linux/spinlock.h:351 [inline]
 z3fold_page_lock mm/z3fold.c:223 [inline]
 z3fold_alloc mm/z3fold.c:1060 [inline]
 z3fold_zpool_malloc+0xa78/0x14f0 mm/z3fold.c:1388
 zswap_compress mm/zswap.c:933 [inline]
 zswap_store_page mm/zswap.c:1426 [inline]
 zswap_store+0xe97/0x25d0 mm/zswap.c:1533
 swap_writepage+0x3b6/0x1120 mm/page_io.c:279
 shmem_writepage+0xf76/0x1490 mm/shmem.c:1579
 pageout+0x3b2/0xaa0 mm/vmscan.c:689
 shrink_folio_list+0x3025/0x42d0 mm/vmscan.c:1367
 evict_folios+0x6e3/0x19c0 mm/vmscan.c:4593
 try_to_shrink_lruvec+0x61e/0xa80 mm/vmscan.c:4789
 shrink_one+0x3e3/0x7b0 mm/vmscan.c:4834
 shrink_many mm/vmscan.c:4897 [inline]
 lru_gen_shrink_node mm/vmscan.c:4975 [inline]
 shrink_node+0xbf0/0x3f20 mm/vmscan.c:5956
 kswapd_shrink_node mm/vmscan.c:6785 [inline]
 balance_pgdat+0xc1f/0x18f0 mm/vmscan.c:6977
 kswapd+0x605/0xc00 mm/vmscan.c:7246
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xc4 pfn:0x24a88
memcg:ffff888000b54882
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: f2(table)
raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: 00000000000000c4 ffff888025b2c420 00000001f2000000 ffff888000b54882
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x440dc0(GFP_KERNEL_ACCOUNT|__GFP_COMP|__GFP_ZERO), pid 6890, tgid 6890 (syz-executor), ts 163180952400, free_ts 162925293410
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1558
 prep_new_page mm/page_alloc.c:1566 [inline]
 get_page_from_freelist+0xfce/0x2f80 mm/page_alloc.c:3476
 __alloc_pages_noprof+0x223/0x25b0 mm/page_alloc.c:4753
 alloc_pages_mpol_noprof+0x2c9/0x610 mm/mempolicy.c:2269
 pagetable_alloc_noprof include/linux/mm.h:2899 [inline]
 __pte_alloc_one_noprof include/asm-generic/pgalloc.h:70 [inline]
 pte_alloc_one+0x20/0x390 arch/x86/mm/pgtable.c:33
 do_fault_around mm/memory.c:5274 [inline]
 do_read_fault mm/memory.c:5313 [inline]
 do_fault mm/memory.c:5456 [inline]
 do_pte_missing+0x1ae7/0x3e00 mm/memory.c:3979
 handle_pte_fault mm/memory.c:5801 [inline]
 __handle_mm_fault+0x103c/0x2a40 mm/memory.c:5944
 handle_mm_fault+0x3fa/0xaa0 mm/memory.c:6112
 do_user_addr_fault+0x60d/0x13f0 arch/x86/mm/fault.c:1338
 handle_page_fault arch/x86/mm/fault.c:1481 [inline]
 exc_page_fault+0x5c/0xc0 arch/x86/mm/fault.c:1539
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
page last free pid 6887 tgid 6884 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1127 [inline]
 free_unref_page+0x661/0x1080 mm/page_alloc.c:2659
 __folio_put+0x32a/0x450 mm/swap.c:112
 folio_put include/linux/mm.h:1489 [inline]
 migrate_folio_done+0x298/0x340 mm/migrate.c:1188
 migrate_folio_move mm/migrate.c:1410 [inline]
 migrate_pages_batch+0x1d08/0x3150 mm/migrate.c:1899
 migrate_pages_sync+0x109/0x8f0 mm/migrate.c:1965
 migrate_pages+0x1a46/0x21f0 mm/migrate.c:2074
 compact_zone+0x1f68/0x4280 mm/compaction.c:2641
 compact_zone_order+0x16b/0x240 mm/compaction.c:2776
 try_to_compact_pages+0x357/0xa80 mm/compaction.c:2837
 __alloc_pages_direct_compact+0x138/0x590 mm/page_alloc.c:3685
 __alloc_pages_slowpath mm/page_alloc.c:4388 [inline]
 __alloc_pages_noprof+0xbe6/0x25b0 mm/page_alloc.c:4766
 __folio_alloc_noprof+0x11/0x90 mm/page_alloc.c:4785
 alloc_buddy_hugetlb_folio.isra.0+0xbe/0x330 mm/hugetlb.c:2025
 alloc_fresh_hugetlb_folio+0x14b/0x190 mm/hugetlb.c:2096
 alloc_migrate_hugetlb_folio mm/hugetlb.c:2350 [inline]
 alloc_hugetlb_folio_nodemask+0x14c/0x3c0 mm/hugetlb.c:2432
 alloc_hugetlb_folio_vma mm/hugetlb.c:6530 [inline]
 hugetlb_mfill_atomic_pte+0xc37/0x17a0 mm/hugetlb.c:6618

Memory state around the buggy address:
 ffff888024a87f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888024a87f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888024a88000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                         ^
 ffff888024a88080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888024a88100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================