==================================================================
BUG: KASAN: use-after-free in sk_is_mptcp include/net/mptcp.h:104 [inline]
BUG: KASAN: use-after-free in mptcp_subflow_queue_clean+0x2e0/0x3dc net/mptcp/subflow.c:1718
Read of size 1 at addr ffff000116e42b4c by task syz-executor.2/12751
CPU: 1 PID: 12751 Comm: syz-executor.2 Not tainted 6.1.77-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x174/0x4c0 mm/kasan/report.c:395
kasan_report+0xd4/0x130 mm/kasan/report.c:495
__asan_report_load1_noabort+0x2c/0x38 mm/kasan/report_generic.c:348
sk_is_mptcp include/net/mptcp.h:104 [inline]
mptcp_subflow_queue_clean+0x2e0/0x3dc net/mptcp/subflow.c:1718
mptcp_check_listen_stop+0xc4/0x108 net/mptcp/protocol.c:3009
__mptcp_close+0xbc/0x7d8 net/mptcp/protocol.c:3024
mptcp_close+0x38/0x180 net/mptcp/protocol.c:3089
inet_release+0x160/0x1d0 net/ipv4/af_inet.c:432
inet6_release+0x5c/0x78 net/ipv6/af_inet6.c:493
__sock_release net/socket.c:654 [inline]
sock_close+0xb8/0x1fc net/socket.c:1400
__fput+0x30c/0x7bc fs/file_table.c:320
____fput+0x20/0x30 fs/file_table.c:348
task_work_run+0x240/0x2f0 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
do_notify_resume+0x2148/0x3474 arch/arm64/kernel/signal.c:1132
prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline]
el0_svc+0x9c/0x168 arch/arm64/kernel/entry-common.c:638
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
Allocated by task 12754:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:505
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:383
kasan_kmalloc include/linux/kasan.h:211 [inline]
__do_kmalloc_node mm/slab_common.c:955 [inline]
__kmalloc+0xd8/0x1c4 mm/slab_common.c:968
kmalloc include/linux/slab.h:558 [inline]
sk_prot_alloc+0xc4/0x1f0 net/core/sock.c:2046
sk_clone_lock+0x74/0xe0c net/core/sock.c:2244
inet_csk_clone_lock+0x34/0x394 net/ipv4/inet_connection_sock.c:1145
tcp_create_openreq_child+0x44/0x1294 net/ipv4/tcp_minisocks.c:474
tcp_v4_syn_recv_sock+0x1d4/0x105c net/ipv4/tcp_ipv4.c:1520
tcp_v6_syn_recv_sock+0x11c/0x1550 net/ipv6/tcp_ipv6.c:1223
subflow_syn_recv_sock+0x590/0x1110 net/mptcp/subflow.c:731
tcp_get_cookie_sock+0xf4/0x5b4 net/ipv4/syncookies.c:201
cookie_v4_check+0x15dc/0x23ac net/ipv4/syncookies.c:442
tcp_v4_cookie_check net/ipv4/tcp_ipv4.c:1626 [inline]
tcp_v4_do_rcv+0x62c/0xb08 net/ipv4/tcp_ipv4.c:1686
tcp_v4_rcv+0x2010/0x2818 net/ipv4/tcp_ipv4.c:2089
ip_protocol_deliver_rcu+0x340/0x764 net/ipv4/ip_input.c:205
ip_local_deliver_finish+0x23c/0x46c net/ipv4/ip_input.c:233
NF_HOOK+0x328/0x3d4 include/linux/netfilter.h:302
ip_local_deliver+0x11c/0x190 net/ipv4/ip_input.c:254
dst_input include/net/dst.h:454 [inline]
ip_rcv_finish+0x224/0x250 net/ipv4/ip_input.c:449
NF_HOOK+0x328/0x3d4 include/linux/netfilter.h:302
ip_rcv+0x78/0x98 net/ipv4/ip_input.c:569
__netif_receive_skb_one_core net/core/dev.c:5528 [inline]
__netif_receive_skb+0x18c/0x400 net/core/dev.c:5642
process_backlog+0x410/0x784 net/core/dev.c:5970
__napi_poll+0xb4/0x3f0 net/core/dev.c:6537
napi_poll net/core/dev.c:6604 [inline]
net_rx_action+0x5cc/0xd3c net/core/dev.c:6715
__do_softirq+0x314/0xe38 kernel/softirq.c:571
Freed by task 12754:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
kasan_save_free_info+0x38/0x5c mm/kasan/generic.c:516
____kasan_slab_free+0x144/0x1c0 mm/kasan/common.c:236
__kasan_slab_free+0x18/0x28 mm/kasan/common.c:244
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1724 [inline]
slab_free_freelist_hook mm/slub.c:1750 [inline]
slab_free mm/slub.c:3661 [inline]
__kmem_cache_free+0x2c0/0x4b4 mm/slub.c:3674
kfree+0xcc/0x1b8 mm/slab_common.c:1007
sk_prot_free net/core/sock.c:2082 [inline]
__sk_destruct+0x4b8/0x75c net/core/sock.c:2168
sk_destruct net/core/sock.c:2183 [inline]
__sk_free+0x37c/0x4e8 net/core/sock.c:2194
sk_free+0x60/0xc8 net/core/sock.c:2205
sock_put+0x60/0xc8 include/net/sock.h:2018
tcp_v4_rcv+0x2194/0x2818
ip_protocol_deliver_rcu+0x340/0x764 net/ipv4/ip_input.c:205
ip_local_deliver_finish+0x23c/0x46c net/ipv4/ip_input.c:233
NF_HOOK+0x328/0x3d4 include/linux/netfilter.h:302
ip_local_deliver+0x11c/0x190 net/ipv4/ip_input.c:254
dst_input include/net/dst.h:454 [inline]
ip_rcv_finish+0x224/0x250 net/ipv4/ip_input.c:449
NF_HOOK+0x328/0x3d4 include/linux/netfilter.h:302
ip_rcv+0x78/0x98 net/ipv4/ip_input.c:569
__netif_receive_skb_one_core net/core/dev.c:5528 [inline]
__netif_receive_skb+0x18c/0x400 net/core/dev.c:5642
process_backlog+0x410/0x784 net/core/dev.c:5970
__napi_poll+0xb4/0x3f0 net/core/dev.c:6537
napi_poll net/core/dev.c:6604 [inline]
net_rx_action+0x5cc/0xd3c net/core/dev.c:6715
__do_softirq+0x314/0xe38 kernel/softirq.c:571
The buggy address belongs to the object at ffff000116e42000
which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 2892 bytes inside of
4096-byte region [ffff000116e42000, ffff000116e43000)
The buggy address belongs to the physical page:
page:00000000404fb8c2 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x156e40
head:00000000404fb8c2 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 fffffc00035fd600 dead000000000002 ffff0000c0002a80
raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff000116e42a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff000116e42a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff000116e42b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff000116e42b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff000116e42c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 1 PID: 12751 at lib/refcount.c:25 refcount_warn_saturate+0x1a8/0x20c lib/refcount.c:25
Modules linked in:
CPU: 1 PID: 12751 Comm: syz-executor.2 Tainted: G B 6.1.77-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : refcount_warn_saturate+0x1a8/0x20c lib/refcount.c:25
lr : refcount_warn_saturate+0x1a8/0x20c lib/refcount.c:25
sp : ffff8000214c76f0
x29: ffff8000214c76f0 x28: ffff000116e42000 x27: ffff0000ca35e000
x26: ffff000116e42080 x25: 1fffe0001b993d87 x24: dfff800000000000
x23: ffff0000dcc9ec40 x22: ffff0000dcc9ec38 x21: 0000000000000002
x20: ffff000116e42080 x19: ffff800018165000 x18: 1fffe0003686fb76
x17: 0000000000000000 x16: ffff800012151d8c x15: 0000000000000000
x14: 0000000000000000 x13: 205d313537323154 x12: 0000000000000001
x11: 0000000000ff0100 x10: 0000000000000000 x9 : 47e153c409a3a200
x8 : 47e153c409a3a200 x7 : 545b5d3534373834 x6 : ffff800008347ac8
x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000
x2 : ffff8000214c6e80 x1 : 0000000000000201 x0 : 0000000000000000
Call trace:
refcount_warn_saturate+0x1a8/0x20c lib/refcount.c:25
__refcount_inc include/linux/refcount.h:250 [inline]
refcount_inc include/linux/refcount.h:267 [inline]
sock_hold include/net/sock.h:773 [inline]
inet_csk_listen_stop+0x740/0x9d8 net/ipv4/inet_connection_sock.c:1395
mptcp_check_listen_stop+0xcc/0x108 net/mptcp/protocol.c:3010
__mptcp_close+0xbc/0x7d8 net/mptcp/protocol.c:3024
mptcp_close+0x38/0x180 net/mptcp/protocol.c:3089
inet_release+0x160/0x1d0 net/ipv4/af_inet.c:432
inet6_release+0x5c/0x78 net/ipv6/af_inet6.c:493
__sock_release net/socket.c:654 [inline]
sock_close+0xb8/0x1fc net/socket.c:1400
__fput+0x30c/0x7bc fs/file_table.c:320
____fput+0x20/0x30 fs/file_table.c:348
task_work_run+0x240/0x2f0 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
do_notify_resume+0x2148/0x3474 arch/arm64/kernel/signal.c:1132
prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline]
el0_svc+0x9c/0x168 arch/arm64/kernel/entry-common.c:638
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
irq event stamp: 3275
hardirqs last enabled at (3275): [<ffff80000827c5c0>] raw_spin_rq_unlock_irq kernel/sched/sched.h:1366 [inline]
hardirqs last enabled at (3275): [<ffff80000827c5c0>] finish_lock_switch+0xbc/0x1e8 kernel/sched/core.c:5004
hardirqs last disabled at (3274): [<ffff80001221df54>] __schedule+0x2a4/0x1c98 kernel/sched/core.c:6457
softirqs last enabled at (3128): [<ffff8000103b2ae8>] spin_unlock_bh include/linux/spinlock.h:395 [inline]
softirqs last enabled at (3128): [<ffff8000103b2ae8>] release_sock+0x178/0x1cc net/core/sock.c:3510
softirqs last disabled at (3126): [<ffff8000103b29ac>] spin_lock_bh include/linux/spinlock.h:355 [inline]
softirqs last disabled at (3126): [<ffff8000103b29ac>] release_sock+0x3c/0x1cc net/core/sock.c:3497
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
ODEBUG: assert_init not available (active state 0) object type: timer_list hint: tcp_write_timer+0x0/0x2e4 net/ipv4/tcp_timer.c:819
WARNING: CPU: 1 PID: 12751 at lib/debugobjects.c:517 debug_print_object+0x148/0x1d4 lib/debugobjects.c:514
Modules linked in:
CPU: 1 PID: 12751 Comm: syz-executor.2 Tainted: G B W 6.1.77-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : debug_print_object+0x148/0x1d4 lib/debugobjects.c:514
lr : debug_print_object+0x148/0x1d4 lib/debugobjects.c:514
sp : ffff8000214c73b0
x29: ffff8000214c73b0 x28: dfff800000000000 x27: ffff700004298e84
x26: ffff0000c933a0c0 x25: ffff8000083f8dec x24: dfff800000000000
x23: 0000000000000000 x22: ffff800010c3dd74 x21: ffff800012783820
x20: ffff8000122c9b00 x19: ffff800012783360 x18: 1fffe0003686fb76
x17: 203a657079742074 x16: ffff8000120a15c0 x15: 0000000000000000
x14: 00000000ffffffff x13: 0000000000000001 x12: 0000000000000001
x11: 0000000000ff0100 x10: 0000000000000000 x9 : 47e153c409a3a200
x8 : 47e153c409a3a200 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff8000214c6c98 x4 : ffff800015922b60 x3 : ffff80000834d3b4
x2 : 0000000000000001 x1 : 0000000000000201 x0 : 0000000000000000
Call trace:
debug_print_object+0x148/0x1d4 lib/debugobjects.c:514
debug_object_assert_init+0x318/0x3c8 lib/debugobjects.c:899
debug_timer_assert_init kernel/time/timer.c:792 [inline]
debug_assert_init kernel/time/timer.c:837 [inline]
del_timer+0xa8/0x2b4 kernel/time/timer.c:1257
sk_stop_timer+0x24/0xc0 net/core/sock.c:3377
inet_csk_clear_xmit_timers+0x60/0xa4 net/ipv4/inet_connection_sock.c:768
tcp_clear_xmit_timers+0xe4/0x168 include/net/tcp.h:652
tcp_disconnect+0x17c/0x134c net/ipv4/tcp.c:3128
inet_child_forget+0x7c/0x34c net/ipv4/inet_connection_sock.c:1278
inet_csk_listen_stop+0x384/0x9d8 net/ipv4/inet_connection_sock.c:1421
mptcp_check_listen_stop+0xcc/0x108 net/mptcp/protocol.c:3010
__mptcp_close+0xbc/0x7d8 net/mptcp/protocol.c:3024
mptcp_close+0x38/0x180 net/mptcp/protocol.c:3089
inet_release+0x160/0x1d0 net/ipv4/af_inet.c:432
inet6_release+0x5c/0x78 net/ipv6/af_inet6.c:493
__sock_release net/socket.c:654 [inline]
sock_close+0xb8/0x1fc net/socket.c:1400
__fput+0x30c/0x7bc fs/file_table.c:320
____fput+0x20/0x30 fs/file_table.c:348
task_work_run+0x240/0x2f0 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
do_notify_resume+0x2148/0x3474 arch/arm64/kernel/signal.c:1132
prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline]
el0_svc+0x9c/0x168 arch/arm64/kernel/entry-common.c:638
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
irq event stamp: 3275
hardirqs last enabled at (3275): [<ffff80000827c5c0>] raw_spin_rq_unlock_irq kernel/sched/sched.h:1366 [inline]
hardirqs last enabled at (3275): [<ffff80000827c5c0>] finish_lock_switch+0xbc/0x1e8 kernel/sched/core.c:5004
hardirqs last disabled at (3274): [<ffff80001221df54>] __schedule+0x2a4/0x1c98 kernel/sched/core.c:6457
softirqs last enabled at (3128): [<ffff8000103b2ae8>] spin_unlock_bh include/linux/spinlock.h:395 [inline]
softirqs last enabled at (3128): [<ffff8000103b2ae8>] release_sock+0x178/0x1cc net/core/sock.c:3510
softirqs last disabled at (3126): [<ffff8000103b29ac>] spin_lock_bh include/linux/spinlock.h:355 [inline]
softirqs last disabled at (3126): [<ffff8000103b29ac>] release_sock+0x3c/0x1cc net/core/sock.c:3497
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
ODEBUG: assert_init not available (active state 0) object type: timer_list hint: arch_atomic_fetch_add_relaxed arch/arm64/include/asm/atomic.h:49 [inline]
ODEBUG: assert_init not available (active state 0) object type: timer_list hint: atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:117 [inline]
ODEBUG: assert_init not available (active state 0) object type: timer_list hint: __refcount_add include/linux/refcount.h:193 [inline]
ODEBUG: assert_init not available (active state 0) object type: timer_list hint: __refcount_inc include/linux/refcount.h:250 [inline]
ODEBUG: assert_init not available (active state 0) object type: timer_list hint: refcount_inc include/linux/refcount.h:267 [inline]
ODEBUG: assert_init not available (active state 0) object type: timer_list hint: sock_hold include/net/sock.h:773 [inline]
ODEBUG: assert_init not available (active state 0) object type: timer_list hint: tcp_delack_timer+0x0/0x354 net/ipv4/tcp_timer.c:669
WARNING: CPU: 1 PID: 12751 at lib/debugobjects.c:517 debug_print_object+0x148/0x1d4 lib/debugobjects.c:514
Modules linked in:
CPU: 1 PID: 12751 Comm: syz-executor.2 Tainted: G B W 6.1.77-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : debug_print_object+0x148/0x1d4 lib/debugobjects.c:514
lr : debug_print_object+0x148/0x1d4 lib/debugobjects.c:514
sp : ffff8000214c73b0
x29: ffff8000214c73b0 x28: dfff800000000000 x27: ffff700004298e84
x26: ffff0000c933a0c0 x25: ffff8000083f8dec x24: dfff800000000000
x23: 0000000000000000 x22: ffff800010c3e058 x21: ffff800012783820
x20: ffff8000122c9b00 x19: ffff800012783360 x18: 1fffe0003686fb76
x17: 203a657079742074 x16: ffff8000120a15c0 x15: 0000000000000000
x14: 00000000ffffffff x13: 0000000000000001 x12: 0000000000000001
x11: 0000000000ff0100 x10: 0000000000000000 x9 : 47e153c409a3a200
x8 : 47e153c409a3a200 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff8000214c6c98 x4 : ffff800015922b60 x3 : ffff80000834d3b4
x2 : 0000000000000001 x1 : 0000000000000201 x0 : 0000000000000000
Call trace:
debug_print_object+0x148/0x1d4 lib/debugobjects.c:514
debug_object_assert_init+0x318/0x3c8 lib/debugobjects.c:899
debug_timer_assert_init kernel/time/timer.c:792 [inline]
debug_assert_init kernel/time/timer.c:837 [inline]
del_timer+0xa8/0x2b4 kernel/time/timer.c:1257
sk_stop_timer+0x24/0xc0 net/core/sock.c:3377
inet_csk_clear_xmit_timers+0x6c/0xa4 net/ipv4/inet_connection_sock.c:769
tcp_clear_xmit_timers+0xe4/0x168 include/net/tcp.h:652
tcp_disconnect+0x17c/0x134c net/ipv4/tcp.c:3128
inet_child_forget+0x7c/0x34c net/ipv4/inet_connection_sock.c:1278
inet_csk_listen_stop+0x384/0x9d8 net/ipv4/inet_connection_sock.c:1421
mptcp_check_listen_stop+0xcc/0x108 net/mptcp/protocol.c:3010
__mptcp_close+0xbc/0x7d8 net/mptcp/protocol.c:3024
mptcp_close+0x38/0x180 net/mptcp/protocol.c:3089
inet_release+0x160/0x1d0 net/ipv4/af_inet.c:432
inet6_release+0x5c/0x78 net/ipv6/af_inet6.c:493
__sock_release net/socket.c:654 [inline]
sock_close+0xb8/0x1fc net/socket.c:1400
__fput+0x30c/0x7bc fs/file_table.c:320
____fput+0x20/0x30 fs/file_table.c:348
task_work_run+0x240/0x2f0 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
do_notify_resume+0x2148/0x3474 arch/arm64/kernel/signal.c:1132
prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline]
el0_svc+0x9c/0x168 arch/arm64/kernel/entry-common.c:638
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
irq event stamp: 3275
hardirqs last enabled at (3275): [<ffff80000827c5c0>] raw_spin_rq_unlock_irq kernel/sched/sched.h:1366 [inline]
hardirqs last enabled at (3275): [<ffff80000827c5c0>] finish_lock_switch+0xbc/0x1e8 kernel/sched/core.c:5004
hardirqs last disabled at (3274): [<ffff80001221df54>] __schedule+0x2a4/0x1c98 kernel/sched/core.c:6457
softirqs last enabled at (3128): [<ffff8000103b2ae8>] spin_unlock_bh include/linux/spinlock.h:395 [inline]
softirqs last enabled at (3128): [<ffff8000103b2ae8>] release_sock+0x178/0x1cc net/core/sock.c:3510
softirqs last disabled at (3126): [<ffff8000103b29ac>] spin_lock_bh include/linux/spinlock.h:355 [inline]
softirqs last disabled at (3126): [<ffff8000103b29ac>] release_sock+0x3c/0x1cc net/core/sock.c:3497
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
ODEBUG: assert_init not available (active state 0) object type: timer_list hint: arch_atomic_fetch_add_relaxed arch/arm64/include/asm/atomic.h:49 [inline]
ODEBUG: assert_init not available (active state 0) object type: timer_list hint: atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:117 [inline]
ODEBUG: assert_init not available (active state 0) object type: timer_list hint: __refcount_add include/linux/refcount.h:193 [inline]
ODEBUG: assert_init not available (active state 0) object type: timer_list hint: __refcount_inc include/linux/refcount.h:250 [inline]
ODEBUG: assert_init not available (active state 0) object type: timer_list hint: refcount_inc include/linux/refcount.h:267 [inline]
ODEBUG: assert_init not available (active state 0) object type: timer_list hint: sock_hold include/net/sock.h:773 [inline]
ODEBUG: assert_init not available (active state 0) object type: timer_list hint: tcp_keepalive_timer+0x0/0xb00 net/ipv4/tcp_timer.c:354
WARNING: CPU: 1 PID: 12751 at lib/debugobjects.c:517 debug_print_object+0x148/0x1d4 lib/debugobjects.c:514
Modules linked in:
CPU: 1 PID: 12751 Comm: syz-executor.2 Tainted: G B W 6.1.77-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : debug_print_object+0x148/0x1d4 lib/debugobjects.c:514
lr : debug_print_object+0x148/0x1d4 lib/debugobjects.c:514
sp : ffff8000214c73b0
x29: ffff8000214c73b0 x28: dfff800000000000 x27: ffff700004298e84
x26: ffff0000c933a0c0 x25: ffff8000083f8dec x24: dfff800000000000
x23: 0000000000000000 x22: ffff800010c3e3ac x21: ffff800012783820
x20: ffff8000122c9b00 x19: ffff800012783360 x18: 1fffe0003686fb76
x17: 203a657079742074 x16: ffff80001215324c x15: 0000000000000000
x14: 00000000ffffffff x13: 0000000000000001 x12: 0000000000000001
x11: 0000000000ff0100 x10: 0000000000000000 x9 : 47e153c409a3a200
x8 : 47e153c409a3a200 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff8000214c6c98 x4 : ffff800015922b60 x3 : ffff80000aa8a46c
x2 : ffff0001b437dcd0 x1 : 0000000000000201 x0 : 0000000000000000
Call trace:
debug_print_object+0x148/0x1d4 lib/debugobjects.c:514
debug_object_assert_init+0x318/0x3c8 lib/debugobjects.c:899
debug_timer_assert_init kernel/time/timer.c:792 [inline]
debug_assert_init kernel/time/timer.c:837 [inline]
del_timer+0xa8/0x2b4 kernel/time/timer.c:1257
sk_stop_timer+0x24/0xc0 net/core/sock.c:3377
inet_csk_clear_xmit_timers+0x78/0xa4 net/ipv4/inet_connection_sock.c:770
tcp_clear_xmit_timers+0xe4/0x168 include/net/tcp.h:652
tcp_disconnect+0x17c/0x134c net/ipv4/tcp.c:3128
inet_child_forget+0x7c/0x34c net/ipv4/inet_connection_sock.c:1278
inet_csk_listen_stop+0x384/0x9d8 net/ipv4/inet_connection_sock.c:1421
mptcp_check_listen_stop+0xcc/0x108 net/mptcp/protocol.c:3010
__mptcp_close+0xbc/0x7d8 net/mptcp/protocol.c:3024
mptcp_close+0x38/0x180 net/mptcp/protocol.c:3089
inet_release+0x160/0x1d0 net/ipv4/af_inet.c:432
inet6_release+0x5c/0x78 net/ipv6/af_inet6.c:493
__sock_release net/socket.c:654 [inline]
sock_close+0xb8/0x1fc net/socket.c:1400
__fput+0x30c/0x7bc fs/file_table.c:320
____fput+0x20/0x30 fs/file_table.c:348
task_work_run+0x240/0x2f0 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
do_notify_resume+0x2148/0x3474 arch/arm64/kernel/signal.c:1132
prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline]
el0_svc+0x9c/0x168 arch/arm64/kernel/entry-common.c:638
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
irq event stamp: 3275
hardirqs last enabled at (3275): [<ffff80000827c5c0>] raw_spin_rq_unlock_irq kernel/sched/sched.h:1366 [inline]
hardirqs last enabled at (3275): [<ffff80000827c5c0>] finish_lock_switch+0xbc/0x1e8 kernel/sched/core.c:5004
hardirqs last disabled at (3274): [<ffff80001221df54>] __schedule+0x2a4/0x1c98 kernel/sched/core.c:6457
softirqs last enabled at (3128): [<ffff8000103b2ae8>] spin_unlock_bh include/linux/spinlock.h:395 [inline]
softirqs last enabled at (3128): [<ffff8000103b2ae8>] release_sock+0x178/0x1cc net/core/sock.c:3510
softirqs last disabled at (3126): [<ffff8000103b29ac>] spin_lock_bh include/linux/spinlock.h:355 [inline]
softirqs last disabled at (3126): [<ffff8000103b29ac>] release_sock+0x3c/0x1cc net/core/sock.c:3497
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
dst_release underflow
WARNING: CPU: 1 PID: 12751 at net/core/dst.c:169 dst_release+0x10c/0x140 net/core/dst.c:169
Modules linked in:
CPU: 1 PID: 12751 Comm: syz-executor.2 Tainted: G B W 6.1.77-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : dst_release+0x10c/0x140 net/core/dst.c:169
lr : dst_release+0x10c/0x140 net/core/dst.c:169
sp : ffff8000214c7630
x29: ffff8000214c7630 x28: ffff000116e42000 x27: 0000000000000000
x26: 1fffe00022dc8520 x25: dfff800000000000 x24: 1fffe00022dc8520
x23: ffff0000cd17cf00 x22: ffff000116e42260 x21: ffff800018165000
x20: 00000000ffffffff x19: ffff0000cd17cf00 x18: 1fffe0003686fb76
x17: 0000000000000000 x16: ffff8000120a15c0 x15: 0000000000000000
x14: 00000000ffffffff x13: 0000000000000001 x12: 0000000000000001
x11: 0000000000ff0100 x10: 0000000000000000 x9 : 47e153c409a3a200
x8 : 47e153c409a3a200 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff8000214c6f18 x4 : ffff800015922b60 x3 : ffff80000834d3b4
x2 : 0000000000000001 x1 : 0000000000000201 x0 : 0000000000000000
Call trace:
dst_release+0x10c/0x140 net/core/dst.c:169
__sk_dst_set include/net/sock.h:2234 [inline]
__sk_dst_reset include/net/sock.h:2251 [inline]
tcp_disconnect+0x708/0x134c net/ipv4/tcp.c:3179
inet_child_forget+0x7c/0x34c net/ipv4/inet_connection_sock.c:1278
inet_csk_listen_stop+0x384/0x9d8 net/ipv4/inet_connection_sock.c:1421
mptcp_check_listen_stop+0xcc/0x108 net/mptcp/protocol.c:3010
__mptcp_close+0xbc/0x7d8 net/mptcp/protocol.c:3024
mptcp_close+0x38/0x180 net/mptcp/protocol.c:3089
inet_release+0x160/0x1d0 net/ipv4/af_inet.c:432
inet6_release+0x5c/0x78 net/ipv6/af_inet6.c:493
__sock_release net/socket.c:654 [inline]
sock_close+0xb8/0x1fc net/socket.c:1400
__fput+0x30c/0x7bc fs/file_table.c:320
____fput+0x20/0x30 fs/file_table.c:348
task_work_run+0x240/0x2f0 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
do_notify_resume+0x2148/0x3474 arch/arm64/kernel/signal.c:1132
prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline]
el0_svc+0x9c/0x168 arch/arm64/kernel/entry-common.c:638
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
irq event stamp: 3275
hardirqs last enabled at (3275): [<ffff80000827c5c0>] raw_spin_rq_unlock_irq kernel/sched/sched.h:1366 [inline]
hardirqs last enabled at (3275): [<ffff80000827c5c0>] finish_lock_switch+0xbc/0x1e8 kernel/sched/core.c:5004
hardirqs last disabled at (3274): [<ffff80001221df54>] __schedule+0x2a4/0x1c98 kernel/sched/core.c:6457
softirqs last enabled at (3128): [<ffff8000103b2ae8>] spin_unlock_bh include/linux/spinlock.h:395 [inline]
softirqs last enabled at (3128): [<ffff8000103b2ae8>] release_sock+0x178/0x1cc net/core/sock.c:3510
softirqs last disabled at (3126): [<ffff8000103b29ac>] spin_lock_bh include/linux/spinlock.h:355 [inline]
softirqs last disabled at (3126): [<ffff8000103b29ac>] release_sock+0x3c/0x1cc net/core/sock.c:3497
---[ end trace 0000000000000000 ]---
dst_release: dst:00000000cbc2cf3f refcnt:-1
dst_release: dst:00000000f4b23567 refcnt:-1
------------[ cut here ]------------
WARNING: CPU: 1 PID: 12751 at net/ipv4/tcp.c:3220 tcp_disconnect+0xc1c/0x134c net/ipv4/tcp.c:3220
Modules linked in:
CPU: 1 PID: 12751 Comm: syz-executor.2 Tainted: G B W 6.1.77-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : tcp_disconnect+0xc1c/0x134c net/ipv4/tcp.c:3220
lr : tcp_disconnect+0xc1c/0x134c net/ipv4/tcp.c:3220
sp : ffff8000214c7660
x29: ffff8000214c7660 x28: ffff000116e42000 x27: 0000000000000040
x26: 1fffe00022dc8520 x25: dfff800000000000 x24: 1fffe00022dc8520
x23: 1fffe00022dc856e x22: 0000000000000000 x21: ffff000116e42904
x20: ffff000116e426a8 x19: ffff000116e42000 x18: 1fffe0003686fb76
x17: 0000000000000000 x16: ffff8000084f8c7c x15: 0000000000000000
x14: 00000000ffffffff x13: 0000000000000001 x12: ffff600022dc850d
x11: 0000000000ff0100 x10: 0000000000000000 x9 : ffff800010bd13bc
x8 : ffff0001169e9bc0 x7 : 0000000000000000 x6 : 0000000000000001
x5 : ffff8000214c6f38 x4 : 0000000000000008 x3 : ffff800010bd118c
x2 : 0000000000000000 x1 : 0000000000000008 x0 : 0000000000000000
Call trace:
tcp_disconnect+0xc1c/0x134c net/ipv4/tcp.c:3220
inet_child_forget+0x7c/0x34c net/ipv4/inet_connection_sock.c:1278
inet_csk_listen_stop+0x384/0x9d8 net/ipv4/inet_connection_sock.c:1421
mptcp_check_listen_stop+0xcc/0x108 net/mptcp/protocol.c:3010
__mptcp_close+0xbc/0x7d8 net/mptcp/protocol.c:3024
mptcp_close+0x38/0x180 net/mptcp/protocol.c:3089
inet_release+0x160/0x1d0 net/ipv4/af_inet.c:432
inet6_release+0x5c/0x78 net/ipv6/af_inet6.c:493
__sock_release net/socket.c:654 [inline]
sock_close+0xb8/0x1fc net/socket.c:1400
__fput+0x30c/0x7bc fs/file_table.c:320
____fput+0x20/0x30 fs/file_table.c:348
task_work_run+0x240/0x2f0 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
do_notify_resume+0x2148/0x3474 arch/arm64/kernel/signal.c:1132
prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline]
el0_svc+0x9c/0x168 arch/arm64/kernel/entry-common.c:638
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
irq event stamp: 3275
hardirqs last enabled at (3275): [<ffff80000827c5c0>] raw_spin_rq_unlock_irq kernel/sched/sched.h:1366 [inline]
hardirqs last enabled at (3275): [<ffff80000827c5c0>] finish_lock_switch+0xbc/0x1e8 kernel/sched/core.c:5004
hardirqs last disabled at (3274): [<ffff80001221df54>] __schedule+0x2a4/0x1c98 kernel/sched/core.c:6457
softirqs last enabled at (3128): [<ffff8000103b2ae8>] spin_unlock_bh include/linux/spinlock.h:395 [inline]
softirqs last enabled at (3128): [<ffff8000103b2ae8>] release_sock+0x178/0x1cc net/core/sock.c:3510
softirqs last disabled at (3126): [<ffff8000103b29ac>] spin_lock_bh include/linux/spinlock.h:355 [inline]
softirqs last disabled at (3126): [<ffff8000103b29ac>] release_sock+0x3c/0x1cc net/core/sock.c:3497
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
WARNING: CPU: 1 PID: 12751 at net/ipv4/inet_connection_sock.c:1198 inet_csk_destroy_sock+0x378/0x434 net/ipv4/inet_connection_sock.c:1198
Modules linked in:
CPU: 1 PID: 12751 Comm: syz-executor.2 Tainted: G B W 6.1.77-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : inet_csk_destroy_sock+0x378/0x434 net/ipv4/inet_connection_sock.c:1198
lr : inet_csk_destroy_sock+0x378/0x434 net/ipv4/inet_connection_sock.c:1198
sp : ffff8000214c7670
x29: ffff8000214c7670 x28: ffff000116e42000 x27: ffff0000ca35e000
x26: 1fffe0001b993cc5 x25: dfff800000000000 x24: 1fffe00022d3d379
x23: dfff800000000000 x22: 0000000000000000 x21: ffff0000ca35e000
x20: ffff000116e426a8 x19: ffff000116e42000 x18: 1fffe0003686fb76
x17: 0000000000000000 x16: ffff8000084f8c7c x15: 0000000000000000
x14: 000000000000000a x13: ffff0001169e9bc0 x12: ffff600022dc8474
x11: 0000000000ff0100 x10: 0000000000000000 x9 : ffff800010bba47c
x8 : ffff0001169e9bc0 x7 : 0000000000000000 x6 : ffff800010bbacc0
x5 : 0000000000000000 x4 : 0000000000000001 x3 : ffff800010bba1f8
x2 : 0000000000000000 x1 : 0000000000000008 x0 : 0000000000000000
Call trace:
inet_csk_destroy_sock+0x378/0x434 net/ipv4/inet_connection_sock.c:1198
inet_child_forget+0x278/0x34c net/ipv4/inet_connection_sock.c:1296
inet_csk_listen_stop+0x384/0x9d8 net/ipv4/inet_connection_sock.c:1421
mptcp_check_listen_stop+0xcc/0x108 net/mptcp/protocol.c:3010
__mptcp_close+0xbc/0x7d8 net/mptcp/protocol.c:3024
mptcp_close+0x38/0x180 net/mptcp/protocol.c:3089
inet_release+0x160/0x1d0 net/ipv4/af_inet.c:432
inet6_release+0x5c/0x78 net/ipv6/af_inet6.c:493
__sock_release net/socket.c:654 [inline]
sock_close+0xb8/0x1fc net/socket.c:1400
__fput+0x30c/0x7bc fs/file_table.c:320
____fput+0x20/0x30 fs/file_table.c:348
task_work_run+0x240/0x2f0 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
do_notify_resume+0x2148/0x3474 arch/arm64/kernel/signal.c:1132
prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline]
el0_svc+0x9c/0x168 arch/arm64/kernel/entry-common.c:638
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
irq event stamp: 3275
hardirqs last enabled at (3275): [<ffff80000827c5c0>] raw_spin_rq_unlock_irq kernel/sched/sched.h:1366 [inline]
hardirqs last enabled at (3275): [<ffff80000827c5c0>] finish_lock_switch+0xbc/0x1e8 kernel/sched/core.c:5004
hardirqs last disabled at (3274): [<ffff80001221df54>] __schedule+0x2a4/0x1c98 kernel/sched/core.c:6457
softirqs last enabled at (3128): [<ffff8000103b2ae8>] spin_unlock_bh include/linux/spinlock.h:395 [inline]
softirqs last enabled at (3128): [<ffff8000103b2ae8>] release_sock+0x178/0x1cc net/core/sock.c:3510
softirqs last disabled at (3126): [<ffff8000103b29ac>] spin_lock_bh include/linux/spinlock.h:355 [inline]
softirqs last disabled at (3126): [<ffff8000103b29ac>] release_sock+0x3c/0x1cc net/core/sock.c:3497
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 12751 at lib/refcount.c:28 refcount_warn_saturate+0x1c8/0x20c lib/refcount.c:28
Modules linked in:
CPU: 1 PID: 12751 Comm: syz-executor.2 Tainted: G B W 6.1.77-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : refcount_warn_saturate+0x1c8/0x20c lib/refcount.c:28
lr : refcount_warn_saturate+0x1c8/0x20c lib/refcount.c:28
sp : ffff8000214c7640
x29: ffff8000214c7640 x28: ffff000116e42000 x27: ffff0000ca35e000
x26: 1fffe0001b993cc5 x25: 0000000000000202 x24: 1fffe00022dc8405
x23: dfff800000000000 x22: 1fffe00022d3d379 x21: 0000000000000003
x20: ffff000116e42080 x19: ffff800018165000 x18: 1fffe0003686fb76
x17: 0000000000000000 x16: ffff8000120a15c0 x15: 0000000000000000
x14: 00000000ffffffff x13: 0000000000000001 x12: 0000000000000001
x11: 0000000000ff0100 x10: 0000000000000000 x9 : 47e153c409a3a200
x8 : 47e153c409a3a200 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff8000214c6f38 x4 : ffff800015922b60 x3 : ffff80000834d3b4
x2 : 0000000000000001 x1 : 0000000000000201 x0 : 0000000000000000
Call trace:
refcount_warn_saturate+0x1c8/0x20c lib/refcount.c:28
__refcount_sub_and_test include/linux/refcount.h:283 [inline]
__refcount_dec_and_test include/linux/refcount.h:315 [inline]
refcount_dec_and_test include/linux/refcount.h:333 [inline]
sock_put include/net/sock.h:2017 [inline]
inet_csk_destroy_sock+0x390/0x434 net/ipv4/inet_connection_sock.c:1210
inet_child_forget+0x278/0x34c net/ipv4/inet_connection_sock.c:1296
inet_csk_listen_stop+0x384/0x9d8 net/ipv4/inet_connection_sock.c:1421
mptcp_check_listen_stop+0xcc/0x108 net/mptcp/protocol.c:3010
__mptcp_close+0xbc/0x7d8 net/mptcp/protocol.c:3024
mptcp_close+0x38/0x180 net/mptcp/protocol.c:3089
inet_release+0x160/0x1d0 net/ipv4/af_inet.c:432
inet6_release+0x5c/0x78 net/ipv6/af_inet6.c:493
__sock_release net/socket.c:654 [inline]
sock_close+0xb8/0x1fc net/socket.c:1400
__fput+0x30c/0x7bc fs/file_table.c:320
____fput+0x20/0x30 fs/file_table.c:348
task_work_run+0x240/0x2f0 kernel/task_work.c:179
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
do_notify_resume+0x2148/0x3474 arch/arm64/kernel/signal.c:1132
prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline]
el0_svc+0x9c/0x168 arch/arm64/kernel/entry-common.c:638
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
irq event stamp: 3275
hardirqs last enabled at (3275): [<ffff80000827c5c0>] raw_spin_rq_unlock_irq kernel/sched/sched.h:1366 [inline]
hardirqs last enabled at (3275): [<ffff80000827c5c0>] finish_lock_switch+0xbc/0x1e8 kernel/sched/core.c:5004
hardirqs last disabled at (3274): [<ffff80001221df54>] __schedule+0x2a4/0x1c98 kernel/sched/core.c:6457
softirqs last enabled at (3128): [<ffff8000103b2ae8>] spin_unlock_bh include/linux/spinlock.h:395 [inline]
softirqs last enabled at (3128): [<ffff8000103b2ae8>] release_sock+0x178/0x1cc net/core/sock.c:3510
softirqs last disabled at (3126): [<ffff8000103b29ac>] spin_lock_bh include/linux/spinlock.h:355 [inline]
softirqs last disabled at (3126): [<ffff8000103b29ac>] release_sock+0x3c/0x1cc net/core/sock.c:3497
---[ end trace 0000000000000000 ]---
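Reading the report above: the 1-byte read in sk_is_mptcp() from mptcp_subflow_queue_clean() runs in task 12751 on the MPTCP listener close path (mptcp_close, __mptcp_close, mptcp_check_listen_stop). The object it reads is a kmalloc-4k socket that sk_clone_lock() created on the SYN-cookie accept path (cookie_v4_check, tcp_get_cookie_sock, subflow_syn_recv_sock), and it had already been freed by sock_put() in tcp_v4_rcv() running in softirq context (net_rx_action, __do_softirq) in task 12754. The shadow bytes around the address are all fb, which for generic KASAN marks a freed slab object, and the reported 2892 is exactly 0xb4c, so the access lands inside the freed object rather than in a redzone. The refcount, dst_release, tcp_disconnect and inet_csk_destroy_sock warnings that follow all carry x28 = ffff000116e42000, the same object base: they are the closer continuing to tear down a child socket that is already gone, not separate bugs. The Python below is an added triage helper, not kernel or syzkaller code; it parses this report format into those facts and checks them. Its sample input is a constructed, abridged copy of the report above, and its noise-frame list and shadow-value table are this example's own assumptions.

```python
"""Triage helper for syzkaller-style KASAN reports (added example, not kernel or syzkaller code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: an abridged copy of the report above (same addresses and frames).
SAMPLE = """\
==================================================================
BUG: KASAN: use-after-free in sk_is_mptcp include/net/mptcp.h:104 [inline]
BUG: KASAN: use-after-free in mptcp_subflow_queue_clean+0x2e0/0x3dc net/mptcp/subflow.c:1718
Read of size 1 at addr ffff000116e42b4c by task syz-executor.2/12751
Call trace:
dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
sk_is_mptcp include/net/mptcp.h:104 [inline]
mptcp_subflow_queue_clean+0x2e0/0x3dc net/mptcp/subflow.c:1718
Allocated by task 12754:
kasan_save_stack mm/kasan/common.c:45 [inline]
__kmalloc+0xd8/0x1c4 mm/slab_common.c:968
sk_prot_alloc+0xc4/0x1f0 net/core/sock.c:2046
Freed by task 12754:
kasan_save_stack mm/kasan/common.c:45 [inline]
kfree+0xcc/0x1b8 mm/slab_common.c:1007
sk_prot_free net/core/sock.c:2082 [inline]
tcp_v4_rcv+0x2194/0x2818
__do_softirq+0x314/0xe38 kernel/softirq.c:571
The buggy address belongs to the object at ffff000116e42000
which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 2892 bytes inside of
4096-byte region [ffff000116e42000, ffff000116e43000)
>ffff000116e42b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
"""

FRAME_RE = re.compile(r"^([A-Za-z_][\w.]*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?(?: (\S+:\d+))?(?: \[inline\])?$")
# Instrumentation and allocator frames never name the bug site; skip them (assumed list).
NOISE = ("kasan_", "__kasan_", "____kasan_", "__asan_", "dump_", "__dump_stack", "show_stack",
         "print_", "kfree", "__kmem_cache_free", "slab_free", "kmalloc", "__kmalloc", "__do_kmalloc")
# Generic KASAN shadow values (mm/kasan/kasan.h); one shadow byte describes 8 bytes of memory.
SHADOW = {"00": "accessible", "fb": "freed slab object", "fc": "slab redzone"}

@dataclass
class Report:
    bug_type: str = ""
    function: str = ""                  # outermost non-inline frame named on a BUG: line
    access: str = ""                    # "Read" or "Write"
    size: int = 0
    addr: int = 0
    tasks: Dict[str, int] = field(default_factory=dict)         # access/alloc/free -> PID
    stacks: Dict[str, List[str]] = field(default_factory=dict)  # access/alloc/free -> functions
    object_base: int = 0
    object_size: int = 0
    reported_offset: int = -1
    shadow: str = ""
    @property
    def offset(self) -> int:
        return self.addr - self.object_base
    def consistent(self) -> bool:       # reported offset matches the addresses and is in-object
        return 0 <= self.offset < self.object_size and self.offset == self.reported_offset
    def first_interesting(self, stack: str) -> Optional[str]:
        return next((f for f in self.stacks.get(stack, []) if not f.startswith(NOISE)), None)
    def freed_in_softirq(self) -> bool:
        return any(f in {"__do_softirq", "do_softirq", "net_rx_action"} for f in self.stacks.get("free", []))

def parse(text: str) -> Report:
    r = Report()
    lines = [ln.strip() for ln in text.splitlines()]
    rulers = [i for i, ln in enumerate(lines) if ln.startswith("====")]
    current: Optional[str] = None       # which stack we are inside, if any
    for ln in lines[rulers[0] + 1:rulers[1]]:
        if m := re.match(r"BUG: KASAN: (\S+) in ([A-Za-z_][\w.]*)", ln):
            r.bug_type = m.group(1)
            if not r.function or not ln.endswith("[inline]"):
                r.function = m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)", ln):
            r.access, r.size, r.addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
            r.tasks["access"] = int(m.group(4))
        elif m := re.match(r"(Call trace|Allocated by task (\d+)|Freed by task (\d+)):$", ln):
            current = {"C": "access", "A": "alloc", "F": "free"}[ln[0]]
            r.stacks[current] = []
            if pid := m.group(2) or m.group(3):
                r.tasks[current] = int(pid)
        elif (m := FRAME_RE.match(ln)) and current is not None:
            r.stacks[current].append(m.group(1))
        else:
            current = None              # any non-frame line ends the stack being read
            if m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", ln):
                r.object_base = int(m.group(1), 16)
            elif m := re.match(r"which belongs to the cache \S+ of size (\d+)", ln):
                r.object_size = int(m.group(1))
            elif m := re.match(r"The buggy address is located (\d+) bytes inside of", ln):
                r.reported_offset = int(m.group(1))
            elif m := re.match(r">([0-9a-f]+): ((?:[0-9a-f]{2} ?){16})$", ln):
                cells = m.group(2).split()  # one row = 16 shadow bytes = 128 bytes of memory
                r.shadow = cells[(r.addr - int(m.group(1), 16)) // 8]
    return r

if __name__ == "__main__":
    rep = parse(SAMPLE)
    print(rep.bug_type, rep.function, f"+{rep.offset}", SHADOW.get(rep.shadow), rep.consistent())
```

Run on the full dump, parse() stops at the second ruler, so the WARNING blocks after it are ignored; the consistency check is the part worth keeping in any triage script, since a report whose computed offset disagrees with the printed one, or whose shadow byte is not fb, points at a different bug class (redzone overflow, stale shadow) than the title suggests.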