@sashalevin
Created January 12, 2016 00:44
[ 3674.902796] BUG: KASAN: slab-out-of-bounds in unfreeze_page+0x8db/0xff0 at addr ffff8801c806c0a8
[ 3674.904081] Read of size 8 by task syz-executor/4374
[ 3674.904695] =============================================================================
[ 3674.905793] BUG kmalloc-192 (Tainted: G B ): kasan: bad access detected
[ 3674.906791] -----------------------------------------------------------------------------
[ 3674.906791]
[ 3674.908178] INFO: Allocated in groups_alloc+0x2d8/0x310 age=251008 cpu=2 pid=17596
[ 3674.909213] ___slab_alloc+0x7e9/0x900
[ 3674.909702] __slab_alloc.isra.23+0xf9/0x170
[ 3674.910375] kmem_cache_alloc+0x189/0x280
[ 3674.911004] groups_alloc+0x2d8/0x310
[ 3674.911512] SyS_setgroups+0x50/0x320
[ 3674.912124] entry_SYSCALL_64_fastpath+0x16/0x7a
[ 3674.912750] INFO: Freed in groups_free+0x8d/0x110 age=251018 cpu=1 pid=16
[ 3674.913690] __slab_free+0x8b/0x300
[ 3674.914224] kfree+0x2a5/0x2e0
[ 3674.914613] groups_free+0x8d/0x110
[ 3674.915140] put_cred_rcu+0x3b8/0x3d0
[ 3674.915588] rcu_do_batch+0x6d2/0x10e0
[ 3674.916098] rcu_cpu_kthread+0x42c/0x550
[ 3674.916804] smpboot_thread_fn+0xb3f/0xb60
[ 3674.918649] ret_from_fork+0x3f/0x70
[ 3674.919639] INFO: Slab 0xffffea0007201b00 objects=16 used=15 fp=0xffff8801c806da00 flags=0x2fffff80004080
[ 3674.920886] INFO: Object 0xffff8801c806c000 @offset=0 fp=0x0000000000000001
[ 3674.920886]
[ 3674.922124] Object ffff8801c806c000: 01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................
[ 3674.923350] Object ffff8801c806c010: 60 03 b4 ab ff ff ff ff 46 02 00 f0 00 00 00 00 `.......F.......
[ 3674.924585] Object ffff8801c806c020: 00 2d c4 c3 01 88 ff ff 28 c0 06 c8 01 88 ff ff .-......(.......
[ 3674.926150] Object ffff8801c806c030: 28 c0 06 c8 01 88 ff ff 60 d4 a8 ae ff ff ff ff (.......`.......
[ 3674.927401] Object ffff8801c806c040: 70 66 01 00 00 00 00 00 00 00 00 00 ad 4e ad de pf...........N..
[ 3674.928658] Object ffff8801c806c050: ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff ................
[ 3674.929977] Object ffff8801c806c060: 80 13 9c bc ff ff ff ff 40 6d 1c bc ff ff ff ff ........@m......
[ 3674.931780] Object ffff8801c806c070: 00 00 00 00 00 00 00 00 00 f9 b3 ab ff ff ff ff ................
[ 3674.933119] Object ffff8801c806c080: 80 c0 06 c8 01 88 ff ff 80 c0 06 c8 01 88 ff ff ................
[ 3674.934347] Object ffff8801c806c090: 0c c0 06 c8 01 88 ff ff 00 00 00 00 00 00 00 00 ................
[ 3674.935596] Object ffff8801c806c0a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 3674.937046] Object ffff8801c806c0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 3674.938246] Redzone ffff8801c806c0c0: cc cc cc cc cc cc cc cc ........
[ 3674.939421] Padding ffff8801c806c1f8: 00 00 00 00 00 00 00 00 ........
[ 3674.940547] CPU: 3 PID: 4374 Comm: syz-executor Tainted: G B 4.4.0-rc8-next-20160111-sasha-00024-g376a9c2 #2781
[ 3674.942020] 1ffff1001898eecb 00000000c270e323 ffff8800c4c776d8 ffffffffa301a782
[ 3674.943684] 0000000041b58ab3 ffffffffae1b7338 ffffffffa301a6b7 ffff8800c48f3000
[ 3674.945592] ffffffffae1d3db7 ffff8801d2404900 0000000000000008 ffff8801c806c000
mmap(&(0x7f0000000000)=nil, (0xd02000), 0x3, 0x32, 0xffffffffffffffff, 0x0)
r0 = socket(0x5, 0x803, 0x231b)
recvmsg(r0, &(0x7f0000d00000-0x38)={&(0x7f0000cff000+0xb7)=nil, 0x80, &(0x7f0000cff000)=[{&(0x7f0000cff000+0x8df)=nil, 0x9f}, {&(0x7f0000d01000)=nil, 0x40}, {&(0x7f0000d00000-0x51)=nil, 0xac}, {&(0x7f0000d00000-0x68)=nil, 0xf2}, {&(0x7f0000cff000)=nil, 0x6a}], 0x5, &(0x7f0000d00000-0x9a)=nil, 0x9a, 0x2}, 0x0)
[ 3674.947323] Call Trace:
[ 3674.947678] dump_stack (lib/dump_stack.c:52)
[ 3674.948429] ? _atomic_dec_and_lock (lib/dump_stack.c:27)
[ 3674.949290] ? print_section (./arch/x86/include/asm/current.h:14 include/linux/kasan.h:35 mm/slub.c:488 mm/slub.c:499)
[ 3674.950018] print_trailer (mm/slub.c:655)
[ 3674.950745] object_err (mm/slub.c:662)
[ 3674.951513] kasan_report_error (mm/kasan/report.c:138 mm/kasan/report.c:236)
[ 3674.952275] ? lock_release (kernel/locking/lockdep.c:3608 (discriminator 1))
[ 3674.952982] ? unfreeze_page (mm/huge_memory.c:3203 mm/huge_memory.c:3241)
[ 3674.953689] __asan_report_load8_noabort (mm/kasan/report.c:280)
[ 3674.954444] ? unfreeze_page (mm/huge_memory.c:3203 mm/huge_memory.c:3241)
[ 3674.955183] unfreeze_page (mm/huge_memory.c:3203 mm/huge_memory.c:3241)
[ 3674.955900] split_huge_page_to_list (include/linux/compiler.h:222 include/linux/page-flags.h:140 include/linux/mm.h:703 mm/huge_memory.c:3343 mm/huge_memory.c:3439)
[ 3674.956998] ? total_mapcount (mm/huge_memory.c:3386)
[ 3674.957708] ? ___might_sleep (kernel/sched/core.c:7674 (discriminator 1))
[ 3674.958493] ? __might_sleep (kernel/sched/core.c:7666 (discriminator 14))
[ 3674.959347] queue_pages_pte_range (mm/mempolicy.c:538)
[ 3674.960228] ? queue_pages_hugetlb (mm/mempolicy.c:487)
[ 3674.961045] __walk_page_range (mm/pagewalk.c:51 mm/pagewalk.c:90 mm/pagewalk.c:116 mm/pagewalk.c:204)
[ 3674.961740] walk_page_range (mm/pagewalk.c:282)
[ 3674.962528] queue_pages_range (mm/mempolicy.c:669)
[ 3674.963310] ? mpol_relative_nodemask (mm/mempolicy.c:669)
[ 3674.964158] ? queue_pages_hugetlb (mm/mempolicy.c:487)
[ 3674.964997] ? alloc_pages_current (mm/mempolicy.c:560)
[ 3674.965743] ? change_prot_numa (mm/mempolicy.c:620)
[ 3674.966567] ? SYSC_mbind (mm/mempolicy.c:1236 mm/mempolicy.c:1348)
[ 3674.967342] ? kfree (mm/slub.c:2805 mm/slub.c:3634)
[ 3674.968049] SYSC_mbind (mm/mempolicy.c:1236 mm/mempolicy.c:1348)
[ 3674.968735] ? account_user_time (kernel/sched/cputime.c:140)
[ 3674.969594] ? __mpol_equal (mm/mempolicy.c:1333)
[ 3674.970332] SyS_mbind (mm/mempolicy.c:1330)
[ 3674.971120] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:186)
[ 3674.971856] Memory state around the buggy address:
[ 3674.972554] ffff8801c806bf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 3674.973473] ffff8801c806c000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 3674.974354] >ffff8801c806c080: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 3674.975280] ^
[ 3674.975823] ffff8801c806c100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 3674.976780] ffff8801c806c180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
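The shadow dump at the end of the report carries more than the headline "slab-out-of-bounds" says. Each shadow byte describes 8 bytes of kernel memory: 00 means fully accessible, 01-07 means only that many leading bytes are valid, and fc is the kmalloc redzone that SLUB/KASAN places between the requested size and the end of the slab object. Walking the shadow from the object base ffff8801c806c000 until the first fc shows the groups_alloc request was 0x98 = 152 bytes, so the 8-byte read at ffff8801c806c0a8 lands 16 bytes past the end of the allocation, but still inside the 192-byte kmalloc-192 object. That is why a kernel without KASAN would not fault here: the read silently returns slab padding. The script below is an added example, not part of this gist or of the kernel tree; it parses only the lines of the report shown above (timestamps stripped) and recovers those numbers. The poison values it names are the ones in mm/kasan/kasan.h of the 4.4 kernel this report came from.

```python
import re

# Input: lines copied from the KASAN report in this gist, with the
# "[ 3674.xxx]" printk timestamps removed. Nothing else is needed.
REPORT = """\
BUG: KASAN: slab-out-of-bounds in unfreeze_page+0x8db/0xff0 at addr ffff8801c806c0a8
Read of size 8 by task syz-executor/4374
BUG kmalloc-192 (Tainted: G B ): kasan: bad access detected
INFO: Allocated in groups_alloc+0x2d8/0x310 age=251008 cpu=2 pid=17596
INFO: Freed in groups_free+0x8d/0x110 age=251018 cpu=1 pid=16
INFO: Object 0xffff8801c806c000 @offset=0 fp=0x0000000000000001
Memory state around the buggy address:
 ffff8801c806bf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801c806c000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801c806c080: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801c806c100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801c806c180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

SHADOW_GRANULE = 8  # one shadow byte covers 8 bytes of kernel memory

# Poison values from mm/kasan/kasan.h in the 4.4 kernel this report came from.
POISON = {
    0x00: "accessible",
    0xfc: "kmalloc redzone (beyond the requested size)",
    0xfb: "freed kmalloc object",
    0xff: "free page",
}


def describe_shadow(value):
    """Human-readable meaning of one shadow byte."""
    if 1 <= value <= 7:
        return "partially accessible (%d of 8 bytes valid)" % value
    return POISON.get(value, "other poison 0x%02x" % value)


def parse_report(text):
    """Pull the fields a triager needs out of a SLUB/KASAN report."""
    r = {"shadow": {}}
    for line in text.splitlines():
        m = re.match(r"BUG: KASAN: (\S+) in (\S+) at addr ([0-9a-f]+)", line)
        if m:
            r["bug"], r["func"], r["addr"] = m.group(1), m.group(2), int(m.group(3), 16)
            continue
        m = re.match(r"(Read|Write) of size (\d+) by task (\S+)/(\d+)", line)
        if m:
            r["access"], r["size"] = m.group(1), int(m.group(2))
            r["task"], r["pid"] = m.group(3), int(m.group(4))
            continue
        m = re.match(r"BUG (\S+) \(", line)  # "BUG kmalloc-192 (Tainted..."
        if m:
            r["cache"] = m.group(1)
            continue
        m = re.match(r"INFO: (Allocated|Freed) in (\S+) age=(\d+)", line)
        if m:
            r[m.group(1).lower()] = (m.group(2), int(m.group(3)))
            continue
        m = re.match(r"INFO: Object 0x([0-9a-f]+)", line)
        if m:
            r["object"] = int(m.group(1), 16)
            continue
        # Shadow rows: 16 shadow bytes per row, 128 bytes of memory each.
        m = re.match(r"[> ]?([0-9a-f]{16}): ((?:[0-9a-f]{2}\s*)+)$", line)
        if m:
            r["shadow"][int(m.group(1), 16)] = bytes.fromhex(m.group(2).replace(" ", ""))
    return r


def shadow_at(r, addr):
    """Shadow byte for an address, looked up in the report's 128-byte rows."""
    row_base = addr & ~(16 * SHADOW_GRANULE - 1)
    row = r["shadow"][row_base]
    return row[(addr - row_base) // SHADOW_GRANULE]


def analyze(r):
    """Recover the real allocation size and how far the access overshoots it."""
    obj = r["object"]
    size = 0
    while True:  # advance while the shadow says "accessible"
        s = shadow_at(r, obj + size)
        if s == 0:
            size += SHADOW_GRANULE
            continue
        if 1 <= s <= 7:  # trailing partial granule
            size += s
        break
    slab_object = int(r["cache"].split("-")[-1])  # "kmalloc-192" -> 192
    return {
        "alloc_size": size,
        "offset": r["addr"] - obj,
        "overflow": r["addr"] - (obj + size),
        "slab_object": slab_object,
        "inside_slab_object": r["addr"] + r["size"] <= obj + slab_object,
        "poison": describe_shadow(shadow_at(r, r["addr"])),
    }


if __name__ == "__main__":
    rep = parse_report(REPORT)
    res = analyze(rep)
    print("%s: %s of %d bytes in %s by %s/%d" % (rep["bug"], rep["access"],
          rep["size"], rep["func"], rep["task"], rep["pid"]))
    print("allocated %d bytes by %s in %s; access at offset 0x%x is %d bytes past the end"
          % (res["alloc_size"], rep["allocated"][0], rep["cache"],
             res["offset"], res["overflow"]))
    print("shadow at faulting address: %s; still inside the %d-byte slab object: %s"
          % (res["poison"], res["slab_object"], res["inside_slab_object"]))
```

The same parser works on any SLUB/KASAN report of this vintage; feed it the full dmesg excerpt and the alloc/free sites plus the recovered request size are usually enough to tell a genuine overflow from a use of stale slab memory (fb in the shadow instead of fc).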