==================================================================
BUG: KASAN: use-after-free in ieee80211_scan_rx+0x850/0x860 net/mac80211/scan.c:303
Read of size 4 at addr ffff88802685142c by task ksoftirqd/0/15
CPU: 0 PID: 15 Comm: ksoftirqd/0 Not tainted 5.19.0-syzkaller-02972-g200e340f2196 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0xeb/0x467 mm/kasan/report.c:313
print_report mm/kasan/report.c:429 [inline]
kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
ieee80211_scan_rx+0x850/0x860 net/mac80211/scan.c:303
__ieee80211_rx_handle_packet net/mac80211/rx.c:4829 [inline]
ieee80211_rx_list+0x1ff9/0x2750 net/mac80211/rx.c:5022
ieee80211_rx_napi+0xdb/0x3d0 net/mac80211/rx.c:5045
ieee80211_rx include/net/mac80211.h:4679 [inline]
ieee80211_tasklet_handler+0xd4/0x130 net/mac80211/main.c:235
tasklet_action_common.constprop.0+0x201/0x2e0 kernel/softirq.c:797
__do_softirq+0x29b/0x9c2 kernel/softirq.c:571
invoke_softirq kernel/softirq.c:445 [inline]
__irq_exit_rcu+0x123/0x180 kernel/softirq.c:650
irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1106
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:649
RIP: 0010:get_current arch/x86/include/asm/current.h:15 [inline]
RIP: 0010:smpboot_thread_fn+0x63/0x9c0 kernel/smpboot.c:112
Code: 25 80 6f 02 00 4c 8b 65 08 49 8d 86 08 17 00 00 48 bb 00 00 00 00 00 fc ff df 48 89 44 24 10 48 c1 e8 03 48 01 d8 48 89 04 24 <e8> 68 f9 29 00 48 8b 04 24 80 38 00 0f 85 78 01 00 00 49 c7 86 08
RSP: 0018:ffffc9000035fed0 EFLAGS: 00000246
RAX: 0000000004208040 RBX: dffffc0000000000 RCX: ffffffff89797b31
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff888012060140
RBP: ffff88823bc04000 R08: 0000000000000000 R09: ffff888012060147
R10: ffffed100240c028 R11: 0000000000000001 R12: ffffffff8bc38ee0
R13: 0000000000000000 R14: ffff888012060140 R15: 0000000000000001
kthread+0x2e9/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
</TASK>
Allocated by task 21646:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:45 [inline]
set_alloc_info mm/kasan/common.c:437 [inline]
____kasan_kmalloc mm/kasan/common.c:516 [inline]
____kasan_kmalloc mm/kasan/common.c:475 [inline]
__kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:525
kasan_kmalloc include/linux/kasan.h:234 [inline]
__do_kmalloc mm/slab.c:3696 [inline]
__kmalloc+0x209/0x4e0 mm/slab.c:3705
kmalloc include/linux/slab.h:605 [inline]
kzalloc include/linux/slab.h:733 [inline]
cfg80211_conn_scan+0x195/0x1000 net/wireless/sme.c:80
cfg80211_sme_connect net/wireless/sme.c:585 [inline]
cfg80211_connect+0x15d0/0x2020 net/wireless/sme.c:1256
nl80211_connect+0x1682/0x22e0 net/wireless/nl80211.c:11274
genl_family_rcv_msg_doit+0x228/0x320 net/netlink/genetlink.c:731
genl_family_rcv_msg net/netlink/genetlink.c:775 [inline]
genl_rcv_msg+0x328/0x580 net/netlink/genetlink.c:792
netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2501
genl_rcv+0x24/0x40 net/netlink/genetlink.c:803
netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345
netlink_sendmsg+0x917/0xe10 net/netlink/af_netlink.c:1921
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:734
____sys_sendmsg+0x6eb/0x810 net/socket.c:2485
___sys_sendmsg+0x110/0x1b0 net/socket.c:2539
__sys_sendmsg+0xf3/0x1c0 net/socket.c:2568
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Freed by task 10647:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
kasan_set_track+0x21/0x30 mm/kasan/common.c:45
kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
____kasan_slab_free mm/kasan/common.c:367 [inline]
____kasan_slab_free+0x13d/0x180 mm/kasan/common.c:329
kasan_slab_free include/linux/kasan.h:200 [inline]
__cache_free mm/slab.c:3426 [inline]
kfree+0x173/0x390 mm/slab.c:3796
___cfg80211_scan_done+0x482/0x970 net/wireless/scan.c:991
__cfg80211_scan_done+0x2c/0x40 net/wireless/scan.c:1008
process_one_work+0x996/0x1610 kernel/workqueue.c:2289
worker_thread+0x665/0x1080 kernel/workqueue.c:2436
kthread+0x2e9/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
Last potentially related work creation:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
__kasan_record_aux_stack+0x7e/0x90 mm/kasan/generic.c:348
call_rcu+0x99/0x790 kernel/rcu/tree.c:2793
free_fib_info net/ipv4/fib_semantics.c:256 [inline]
fib_create_info+0x220a/0x4ac0 net/ipv4/fib_semantics.c:1579
fib_table_insert+0x19a/0x1bd0 net/ipv4/fib_trie.c:1236
fib_magic+0x455/0x540 net/ipv4/fib_frontend.c:1098
fib_add_ifaddr+0x16b/0x540 net/ipv4/fib_frontend.c:1120
fib_netdev_event+0x462/0x680 net/ipv4/fib_frontend.c:1480
notifier_call_chain+0xb5/0x200 kernel/notifier.c:87
call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1945
call_netdevice_notifiers_extack net/core/dev.c:1983 [inline]
call_netdevice_notifiers net/core/dev.c:1997 [inline]
__dev_notify_flags+0x110/0x2b0 net/core/dev.c:8575
dev_change_flags+0x112/0x170 net/core/dev.c:8613
do_setlink+0x961/0x3bb0 net/core/rtnetlink.c:2780
__rtnl_newlink+0xd6a/0x17e0 net/core/rtnetlink.c:3546
rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3593
rtnetlink_rcv_msg+0x43a/0xc90 net/core/rtnetlink.c:6089
netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2501
netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345
netlink_sendmsg+0x917/0xe10 net/netlink/af_netlink.c:1921
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:734
__sys_sendto+0x236/0x340 net/socket.c:2120
__do_sys_sendto net/socket.c:2132 [inline]
__se_sys_sendto net/socket.c:2128 [inline]
__x64_sys_sendto+0xdd/0x1b0 net/socket.c:2128
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Second to last potentially related work creation:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
__kasan_record_aux_stack+0x7e/0x90 mm/kasan/generic.c:348
call_rcu+0x99/0x790 kernel/rcu/tree.c:2793
free_fib_info net/ipv4/fib_semantics.c:256 [inline]
fib_info_put include/net/ip_fib.h:578 [inline]
fib_release_info+0x634/0x8d0 net/ipv4/fib_semantics.c:281
fib_table_delete+0x788/0xa40 net/ipv4/fib_trie.c:1775
fib_magic+0x321/0x540 net/ipv4/fib_frontend.c:1100
fib_del_ifaddr+0xc97/0x13c0 net/ipv4/fib_frontend.c:1311
fib_inetaddr_event+0xb4/0x2a0 net/ipv4/fib_frontend.c:1442
notifier_call_chain+0xb5/0x200 kernel/notifier.c:87
blocking_notifier_call_chain kernel/notifier.c:382 [inline]
blocking_notifier_call_chain+0x67/0x90 kernel/notifier.c:370
__inet_del_ifa+0x415/0xf70 net/ipv4/devinet.c:431
inet_del_ifa net/ipv4/devinet.c:468 [inline]
inetdev_destroy net/ipv4/devinet.c:321 [inline]
inetdev_event+0x671/0x15d0 net/ipv4/devinet.c:1602
notifier_call_chain+0xb5/0x200 kernel/notifier.c:87
call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1945
call_netdevice_notifiers_extack net/core/dev.c:1983 [inline]
call_netdevice_notifiers net/core/dev.c:1997 [inline]
unregister_netdevice_many+0x948/0x1830 net/core/dev.c:10843
default_device_exit_batch+0x449/0x590 net/core/dev.c:11337
ops_exit_list+0x125/0x170 net/core/net_namespace.c:167
cleanup_net+0x4ea/0xb00 net/core/net_namespace.c:594
process_one_work+0x996/0x1610 kernel/workqueue.c:2289
worker_thread+0x665/0x1080 kernel/workqueue.c:2436
kthread+0x2e9/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
The buggy address belongs to the object at ffff888026851400
which belongs to the cache kmalloc-256 of size 256
The buggy address is located 44 bytes inside of
256-byte region [ffff888026851400, ffff888026851500)
The buggy address belongs to the physical page:
page:ffffea00009a1440 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888026851800 pfn:0x26851
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea0000716148 ffffea0000814d08 ffff888011840500
raw: ffff888026851800 ffff888026851000 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x3420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_HARDWALL|__GFP_THISNODE), pid 15784, tgid 15783 (syz-executor.2), ts 3007585825208, free_ts 3007408341485
prep_new_page mm/page_alloc.c:2457 [inline]
get_page_from_freelist+0x1298/0x3b80 mm/page_alloc.c:4203
__alloc_pages+0x1c7/0x510 mm/page_alloc.c:5431
__alloc_pages_node include/linux/gfp.h:587 [inline]
kmem_getpages mm/slab.c:1363 [inline]
cache_grow_begin+0x75/0x350 mm/slab.c:2569
cache_alloc_refill+0x27f/0x380 mm/slab.c:2942
____cache_alloc mm/slab.c:3024 [inline]
____cache_alloc mm/slab.c:3007 [inline]
__do_cache_alloc mm/slab.c:3253 [inline]
slab_alloc mm/slab.c:3295 [inline]
__do_kmalloc mm/slab.c:3694 [inline]
__kmalloc+0x3ba/0x4e0 mm/slab.c:3705
kmalloc_array+0x42/0x70 include/linux/slab.h:640
kcalloc include/linux/slab.h:671 [inline]
iter_file_splice_write+0x13f/0xc10 fs/splice.c:628
do_splice_from fs/splice.c:767 [inline]
direct_splice_actor+0x110/0x180 fs/splice.c:934
splice_direct_to_actor+0x331/0x8a0 fs/splice.c:889
do_splice_direct+0x1a7/0x270 fs/splice.c:977
do_sendfile+0xb19/0x1270 fs/read_write.c:1251
__do_sys_sendfile64 fs/read_write.c:1319 [inline]
__se_sys_sendfile64 fs/read_write.c:1305 [inline]
__x64_sys_sendfile64+0x1cc/0x210 fs/read_write.c:1305
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1371 [inline]
free_pcp_prepare+0x549/0xd20 mm/page_alloc.c:1421
free_unref_page_prepare mm/page_alloc.c:3344 [inline]
free_unref_page_list+0x16f/0xf80 mm/page_alloc.c:3476
release_pages+0xff6/0x2290 mm/swap.c:980
tlb_batch_pages_flush+0xa8/0x1a0 mm/mmu_gather.c:58
tlb_flush_mmu_free mm/mmu_gather.c:255 [inline]
tlb_flush_mmu mm/mmu_gather.c:262 [inline]
tlb_finish_mmu+0x147/0x7e0 mm/mmu_gather.c:353
exit_mmap+0x1de/0x4a0 mm/mmap.c:3164
__mmput+0x122/0x4b0 kernel/fork.c:1187
mmput+0x56/0x60 kernel/fork.c:1208
exit_mm kernel/exit.c:510 [inline]
do_exit+0x9f1/0x29d0 kernel/exit.c:782
do_group_exit+0xd2/0x2f0 kernel/exit.c:925
__do_sys_exit_group kernel/exit.c:936 [inline]
__se_sys_exit_group kernel/exit.c:934 [inline]
__x64_sys_exit_group+0x3a/0x50 kernel/exit.c:934
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Memory state around the buggy address:
ffff888026851300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888026851380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888026851400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888026851480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888026851500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
----------------
Code disassembly (best guess):
0: 25 80 6f 02 00 and $0x26f80,%eax
5: 4c 8b 65 08 mov 0x8(%rbp),%r12
9: 49 8d 86 08 17 00 00 lea 0x1708(%r14),%rax
10: 48 bb 00 00 00 00 00 movabs $0xdffffc0000000000,%rbx
17: fc ff df
1a: 48 89 44 24 10 mov %rax,0x10(%rsp)
1f: 48 c1 e8 03 shr $0x3,%rax
23: 48 01 d8 add %rbx,%rax
26: 48 89 04 24 mov %rax,(%rsp)
* 2a: e8 68 f9 29 00 callq 0x29f997 <-- trapping instruction
2f: 48 8b 04 24 mov (%rsp),%rax
33: 80 38 00 cmpb $0x0,(%rax)
36: 0f 85 78 01 00 00 jne 0x1b4
3c: 49 rex.WB
3d: c7 .byte 0xc7
3e: 86 08 xchg %cl,(%rax)