syzkaller login: [ 92.962143][ C1] ==================================================================
[ 92.971282][ C1] BUG: KASAN: slab-use-after-free in reweight_entity+0x248/0x2b8
[ 92.974382][ C1] Read at addr fcff000004792ff0 by task rm/3068
[ 92.975533][ C1] Pointer tag: [fc], memory tag: [fe]
[ 92.976048][ C1]
[ 92.976815][ C1] CPU: 1 PID: 3068 Comm: rm Not tainted 6.6.0-rc6-syzkaller-00182-gce55c22ec8b2 #0
[ 92.978782][ C1] Hardware name: linux,dummy-virt (DT)
[ 92.980421][ C1] Call trace:
[ 92.981292][ C1] dump_backtrace+0x94/0xec
[ 92.982130][ C1] show_stack+0x18/0x24
[ 92.982655][ C1] dump_stack_lvl+0x48/0x60
[ 92.983133][ C1] print_report+0x108/0x618
[ 92.983596][ C1] kasan_report+0x88/0xac
[ 92.984075][ C1] __do_kernel_fault+0x17c/0x1e8
[ 92.984586][ C1] do_tag_check_fault+0x78/0x8c
[ 92.985318][ C1] do_mem_abort+0x44/0x94
[ 92.985822][ C1] el1_abort+0x40/0x60
[ 92.986309][ C1] el1h_64_sync_handler+0xd8/0xe4
[ 92.986811][ C1] el1h_64_sync+0x64/0x68
[ 92.987264][ C1] reweight_entity+0x248/0x2b8
[ 92.987793][ C1] update_cfs_group+0x80/0x98
[ 92.988235][ C1] task_tick_fair+0x64/0x280
[ 92.988731][ C1] scheduler_tick+0xcc/0x170
[ 92.989209][ C1] update_process_times+0xa0/0xb4
[ 92.989745][ C1] tick_sched_handle+0x34/0x58
[ 92.990272][ C1] tick_sched_timer+0x50/0xa8
[ 92.990752][ C1] __hrtimer_run_queues+0x138/0x1d8
[ 92.991247][ C1] hrtimer_interrupt+0xe8/0x244
[ 92.991774][ C1] arch_timer_handler_phys+0x2c/0x44
[ 92.992280][ C1] handle_percpu_devid_irq+0x84/0x130
[ 92.993108][ C1] generic_handle_domain_irq+0x2c/0x44
[ 92.993685][ C1] gic_handle_irq+0x44/0xc8
[ 92.994250][ C1] call_on_irq_stack+0x24/0x4c
[ 92.995040][ C1] do_interrupt_handler+0x80/0x84
[ 92.995526][ C1] el1_interrupt+0x34/0x64
[ 92.995992][ C1] el1h_64_irq_handler+0x18/0x24
[ 92.996498][ C1] el1h_64_irq+0x64/0x68
[ 92.996973][ C1] format_decode+0x70/0x598
[ 92.997426][ C1] vsnprintf+0x74/0x6dc
[ 92.997908][ C1] tomoyo_supervisor+0x84/0x65c
[ 92.998401][ C1] tomoyo_path_permission+0xa0/0xd8
[ 92.998906][ C1] tomoyo_check_open_permission+0x174/0x188
[ 92.999444][ C1] tomoyo_file_open+0x34/0x40
[ 92.999928][ C1] security_file_open+0x38/0x68
[ 93.000441][ C1] do_dentry_open+0xe8/0x570
[ 93.001066][ C1] vfs_open+0x2c/0x38
[ 93.001545][ C1] path_openat+0x9c4/0xf10
[ 93.002020][ C1] do_filp_open+0x9c/0x14c
[ 93.002504][ C1] do_sys_openat2+0xc0/0xf4
[ 93.002999][ C1] __arm64_sys_openat+0x64/0xa4
[ 93.003544][ C1] invoke_syscall+0x48/0x114
[ 93.004078][ C1] el0_svc_common.constprop.0+0x40/0xe0
[ 93.004617][ C1] do_el0_svc+0x1c/0x28
[ 93.005081][ C1] el0_svc+0x40/0x114
[ 93.005596][ C1] el0t_64_sync_handler+0x100/0x12c
[ 93.006117][ C1] el0t_64_sync+0x19c/0x1a0
[ 93.006860][ C1]
[ 93.007243][ C1] Allocated by task 3063:
[ 93.007815][ C1] kasan_save_stack+0x3c/0x64
[ 93.008530][ C1] save_stack_info+0x38/0x118
[ 93.009054][ C1] kasan_save_alloc_info+0x14/0x20
[ 93.009598][ C1] __kasan_slab_alloc+0x94/0xcc
[ 93.010099][ C1] kmem_cache_alloc_node+0x150/0x2b8
[ 93.010633][ C1] copy_process+0x1b4/0x147c
[ 93.011134][ C1] kernel_clone+0x64/0x360
[ 93.011625][ C1] __do_sys_clone+0x70/0xa8
[ 93.012092][ C1] __arm64_sys_clone+0x20/0x2c
[ 93.012598][ C1] invoke_syscall+0x48/0x114
[ 93.013118][ C1] el0_svc_common.constprop.0+0x40/0xe0
[ 93.013658][ C1] do_el0_svc+0x1c/0x28
[ 93.014124][ C1] el0_svc+0x40/0x114
[ 93.014562][ C1] el0t_64_sync_handler+0x100/0x12c
[ 93.015026][ C1] el0t_64_sync+0x19c/0x1a0
[ 93.015572][ C1]
[ 93.015926][ C1] Freed by task 3062:
[ 93.016388][ C1] kasan_save_stack+0x3c/0x64
[ 93.016903][ C1] save_stack_info+0x38/0x118
[ 93.017369][ C1] kasan_save_free_info+0x18/0x24
[ 93.017872][ C1] ____kasan_slab_free.constprop.0+0x180/0x1c8
[ 93.018399][ C1] __kasan_slab_free+0x10/0x1c
[ 93.018891][ C1] slab_free_freelist_hook+0xac/0x1c4
[ 93.019429][ C1] kmem_cache_free+0x18c/0x314
[ 93.019941][ C1] free_task+0x54/0x80
[ 93.020410][ C1] __put_task_struct+0x100/0x154
[ 93.020912][ C1] delayed_put_task_struct+0x7c/0xa8
[ 93.021400][ C1] rcu_core+0x250/0x638
[ 93.021865][ C1] rcu_core_si+0x10/0x1c
[ 93.022344][ C1] __do_softirq+0x10c/0x284
[ 93.022863][ C1]
[ 93.023223][ C1] The buggy address belongs to the object at ffff000004792f40
[ 93.023223][ C1] which belongs to the cache task_struct of size 4032
[ 93.024272][ C1] The buggy address is located 176 bytes inside of
[ 93.024272][ C1] 4032-byte region [ffff000004792f40, ffff000004793f00)
[ 93.025145][ C1]
[ 93.025661][ C1] The buggy address belongs to the physical page:
[ 93.026581][ C1] page:0000000041f1decc refcount:1 mapcount:0 mapping:0000000000000000 index:0xfcff000004792f40 pfn:0x44790
[ 93.027676][ C1] head:0000000041f1decc order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 93.028341][ C1] ksm flags: 0x1ffc00000000840(slab|head|node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0)
[ 93.029562][ C1] page_type: 0xffffffff()
[ 93.030590][ C1] raw: 01ffc00000000840 f7ff000002c0cf00 fffffc00000dca00 dead000000000003
[ 93.031279][ C1] raw: fcff000004792f40 0000000080080007 00000001ffffffff 0000000000000000
[ 93.031941][ C1] page dumped because: kasan: bad access detected
[ 93.032463][ C1]
[ 93.032817][ C1] Memory state around the buggy address:
[ 93.033591][ C1] ffff000004792d00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[ 93.034243][ C1] ffff000004792e00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[ 93.034836][ C1] >ffff000004792f00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[ 93.035447][ C1] ^
[ 93.036142][ C1] ffff000004793000: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[ 93.036767][ C1] ffff000004793100: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[ 93.037429][ C1] ==================================================================
[ 93.038163][ C1] Disabling lock debugging due to kernel taint
Warning: Permanently added '[localhost]:52113' (ED25519) to the list of known hosts.
1970/01/01 00:01:57 ignoring optional flag "sandboxArg"="0"
1970/01/01 00:01:59 parsed 1 programs
[ 120.213424][ T3102] cgroup: Unknown subsys name 'net'
[ 120.536890][ T3102] cgroup: Unknown subsys name 'rlimit'
[ 121.256559][ T3102] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 121.305891][ T3100] syz-execprog[3100]: memfd_create() called without MFD_EXEC or MFD_NOEXEC_SEAL set
1970/01/01 00:02:01 executed programs: 0
[ 125.599794][ T3112] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 125.706290][ T3112] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 125.731726][ T3113] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 125.804229][ T3113] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 127.294524][ T3112] hsr_slave_0: entered promiscuous mode
[ 127.334604][ T3112] hsr_slave_1: entered promiscuous mode
[ 127.627659][ T3113] hsr_slave_0: entered promiscuous mode
[ 127.665030][ T3113] hsr_slave_1: entered promiscuous mode
[ 127.722904][ T3113] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[ 127.724148][ T3113] Cannot create hsr debugfs directory
[ 128.768933][ T3112] netdevsim netdevsim1 netdevsim0: renamed from eth0
[ 128.839177][ T3112] netdevsim netdevsim1 netdevsim1: renamed from eth1
[ 128.936901][ T3112] netdevsim netdevsim1 netdevsim2: renamed from eth2
[ 128.996747][ T3112] netdevsim netdevsim1 netdevsim3: renamed from eth3
[ 129.415693][ T3113] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 129.498631][ T3113] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 129.580690][ T3113] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 129.658881][ T3113] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 130.414096][ T3112] 8021q: adding VLAN 0 to HW filter on device bond0
[ 131.122294][ T3113] 8021q: adding VLAN 0 to HW filter on device bond0
[ 135.060240][ T3112] veth0_vlan: entered promiscuous mode
[ 135.097032][ T3112] veth1_vlan: entered promiscuous mode
[ 135.239985][ T3112] veth0_macvtap: entered promiscuous mode
[ 135.262376][ T3112] veth1_macvtap: entered promiscuous mode
[ 135.555924][ T3112] netdevsim netdevsim1 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 135.557241][ T3112] netdevsim netdevsim1 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 135.558191][ T3112] netdevsim netdevsim1 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 135.559070][ T3112] netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 136.249625][ T3247] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy
[ 136.267094][ T3247] misc raw-gadget: fail, usb_gadget_register_driver returned -16
[ 136.556484][ T3113] veth0_vlan: entered promiscuous mode
[ 136.686982][ T3113] veth1_vlan: entered promiscuous mode
[ 136.878754][ T3113] veth0_macvtap: entered promiscuous mode
[ 136.919709][ T3113] veth1_macvtap: entered promiscuous mode
[ 137.197526][ T3113] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 137.198758][ T3113] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 137.208298][ T3113] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 137.209423][ T3113] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
1970/01/01 00:02:17 executed programs: 2
[ 138.192945][ T3254] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy
[ 138.195094][ T3254] misc raw-gadget: fail, usb_gadget_register_driver returned -16
[ 138.215564][ T8] usb 1-1: new high-speed USB device number 2 using dummy_hcd
[ 138.605653][ T8] usb 1-1: New USB device found, idVendor=047d, idProduct=5002, bcdDevice=b9.5b
[ 138.607282][ T8] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 138.646695][ T8] usb 1-1: config 0 descriptor??
[ 139.946583][ T3256] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy
[ 139.954897][ T3256] misc raw-gadget: fail, usb_gadget_register_driver returned -16
[ 141.686364][ T3259] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy
[ 141.688728][ T3259] misc raw-gadget: fail, usb_gadget_register_driver returned -16
1970/01/01 00:02:23 executed programs: 5
VM DIAGNOSIS: 01:48:00 Registers:
info registers vcpu 0
CPU#0
PC=0000ffffa0f14ab8 X00=0000000000000001 X01=0000fffff3243e58 X02=0000fffff3243ed8
X03=0000000000000008 X04=0000000000010000 X05=0000000000000000 X06=0000000000000000
X07=0000000000000000 X08=0000000000000087 X09=0000000000000000 X10=0000000000000000
X11=0000000000000000 X12=0000000000000000 X13=0000000000000000 X14=0000000000000000
X15=0000000000000000 X16=0000aaaacd2422d8 X17=0000ffffa0ed814c X18=0000000000000000
X19=0000aaaae1b7f400 X20=0000aaaacd201000 X21=0000aaaacd200000 X22=0000aaaacd245000
X23=0000000000000073 X24=0000000000000004 X25=0000fffff3243e58 X26=0000aaaacd242000
X27=0000fffff3243ed8 X28=0000000000000001 X29=0000fffff3243d80 X30=0000ffffa0ed8158
SP=0000fffff3243d80
PSTATE=40001000 -Z-- EL0t SVCR=00000000 -- BTYPE=0
FPCR=00000000 FPSR=00000000