program: r0 = openat$ubi_ctrl(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0) ioctl$F2FS_IOC_START_VOLATILE_WRITE(r0, 0x40186f40, 0x20000502) r1 = openat$ubi_ctrl(0xffffffffffffff9c, &(0x7f0000000000), 0x80, 0x0) r2 = socket$can_bcm(0x1d, 0x2, 0x2) connect$can_bcm(r2, &(0x7f0000000080), 0x10) ioctl$ifreq_SIOCGIFINDEX_vcan(r2, 0x8933, &(0x7f0000000000)={'vcan0\x00', 0x0}) sendmsg$can_bcm(r2, &(0x7f00000001c0)={&(0x7f0000000040)={0x1d, r3}, 0x10, &(0x7f0000000180)={&(0x7f0000000280)=ANY=[@ANYBLOB="05"], 0x48}}, 0x0) r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cpu.stat\x00', 0x275a, 0x0) ioctl$FS_IOC_GETFSMAP(r4, 0xc0c0583b, &(0x7f0000000280)={0x0, 0x2904c, 0x1, 0x10003, '\x00', [{0x0, 0x0, 0x0, 0xffffffffffffffff}, {0xffffffff, 0x0, 0x0, 0x0, 0x400000000}], ['\x00']}) bpf$MAP_CREATE(0x0, &(0x7f0000000040)=ANY=[@ANYBLOB="1e00000002000000080000000500000000000c00", @ANYRES32=r1, @ANYBLOB='\f\x00'/20, @ANYRES32=r3, @ANYRES32=r4, @ANYBLOB="03000000020000000500000004000000008000"/28], 0x50) ioctl$F2FS_IOC_START_VOLATILE_WRITE(r1, 0x40046f41, 0x20000502) openat$ubi_ctrl(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0) (async) ioctl$F2FS_IOC_START_VOLATILE_WRITE(r0, 0x40186f40, 0x20000502) (async) openat$ubi_ctrl(0xffffffffffffff9c, &(0x7f0000000000), 0x80, 0x0) (async) socket$can_bcm(0x1d, 0x2, 0x2) (async) connect$can_bcm(r2, &(0x7f0000000080), 0x10) (async) ioctl$ifreq_SIOCGIFINDEX_vcan(r2, 0x8933, &(0x7f0000000000)={'vcan0\x00'}) (async) sendmsg$can_bcm(r2, &(0x7f00000001c0)={&(0x7f0000000040)={0x1d, r3}, 0x10, &(0x7f0000000180)={&(0x7f0000000280)=ANY=[@ANYBLOB="05"], 0x48}}, 0x0) (async) openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cpu.stat\x00', 0x275a, 0x0) (async) ioctl$FS_IOC_GETFSMAP(r4, 0xc0c0583b, &(0x7f0000000280)={0x0, 0x2904c, 0x1, 0x10003, '\x00', [{0x0, 0x0, 0x0, 0xffffffffffffffff}, {0xffffffff, 0x0, 0x0, 0x0, 0x400000000}], ['\x00']}) (async) bpf$MAP_CREATE(0x0, &(0x7f0000000040)=ANY=[@ANYBLOB="1e00000002000000080000000500000000000c00", @ANYRES32=r1, @ANYBLOB='\f\x00'/20, @ANYRES32=r3, @ANYRES32=r4, @ANYBLOB="03000000020000000500000004000000008000"/28], 0x50) (async) ioctl$F2FS_IOC_START_VOLATILE_WRITE(r1, 0x40046f41, 0x20000502) (async) [ 69.901759][ T5304] Bluetooth: hci0: command tx timeout [ 69.942726][ T5319] ubi0: attaching mtd0 [ 69.963365][ T5319] ubi0: scanning is finished [ 69.965283][ T5319] ubi0: empty MTD device detected [ 70.012794][ T5319] ubi0: attached mtd0 (name "mtdram test device", size 0 MiB) [ 70.015738][ T5319] ubi0: PEB size: 4096 bytes (4 KiB), LEB size: 3968 bytes [ 70.018513][ T5319] ubi0: min./max. I/O unit sizes: 1/64, sub-page size 1 [ 70.021130][ T5319] ubi0: VID header offset: 64 (aligned 64), data offset: 128 [ 70.025674][ T5319] ubi0: good PEBs: 32, bad PEBs: 0, corrupted PEBs: 0 [ 70.028102][ T5319] ubi0: user volume: 0, internal volumes: 1, max. volumes count: 23 [ 70.031218][ T5319] ubi0: max/mean erase counter: 0/0, WL threshold: 4096, image sequence number: 2966973039 [ 70.036283][ T5319] ubi0: available PEBs: 28, total reserved PEBs: 4, PEBs reserved for bad PEB handling: 0 [ 70.041210][ T5321] ubi0: background thread "ubi_bgt0d" started, PID 5321 [ 70.044740][ T5320] ubi0: detaching mtd0 [ 70.055673][ T5320] ubi0: mtd0 is detached [ 70.057642][ T5322] ubi0: attaching mtd0 [ 70.059875][ T5322] ubi0: scanning is finished [ 70.063128][ T5322] ================================================================== [ 70.066117][ T5322] BUG: KASAN: slab-use-after-free in notifier_chain_register+0x141/0x3f0 [ 70.069029][ T5322] Read of size 4 at addr ffff8880348998d8 by task syz.0.0/5322 [ 70.071684][ T5322] [ 70.072704][ T5322] CPU: 0 UID: 0 PID: 5322 Comm: syz.0.0 Not tainted 6.13.0-syzkaller-09485-g72deda0abee6 #0 [ 70.072718][ T5322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 70.072724][ T5322] Call Trace: [ 70.072731][ T5322] [ 70.072736][ T5322] dump_stack_lvl+0x241/0x360 [ 70.072752][ T5322] ? __pfx_dump_stack_lvl+0x10/0x10 [ 70.072762][ T5322] ? __pfx__printk+0x10/0x10 [ 70.072777][ T5322] ? _printk+0xd5/0x120 [ 70.072790][ T5322] ? __virt_addr_valid+0x183/0x530 [ 70.072803][ T5322] ? __virt_addr_valid+0x183/0x530 [ 70.072817][ T5322] print_report+0x169/0x550 [ 70.072833][ T5322] ? __virt_addr_valid+0x183/0x530 [ 70.072852][ T5322] ? __virt_addr_valid+0x183/0x530 [ 70.072864][ T5322] ? __virt_addr_valid+0x45f/0x530 [ 70.072871][ T5322] ? __phys_addr+0xba/0x170 [ 70.072879][ T5322] ? notifier_chain_register+0x141/0x3f0 [ 70.072887][ T5322] kasan_report+0x143/0x180 [ 70.072896][ T5322] ? notifier_chain_register+0x141/0x3f0 [ 70.072903][ T5322] notifier_chain_register+0x141/0x3f0 [ 70.072911][ T5322] blocking_notifier_chain_register+0x61/0xc0 [ 70.072920][ T5322] ubi_wl_init+0x3396/0x3720 [ 70.075365][ T5322] ubi_attach+0x3e01/0x5b80 [ 70.075385][ T5322] ? __pfx_ubi_attach+0x10/0x10 [ 70.075403][ T5322] ? ubi_attach_mtd_dev+0x19fa/0x3540 [ 70.075419][ T5322] ubi_attach_mtd_dev+0x1a3a/0x3540 [ 70.075437][ T5322] ctrl_cdev_ioctl+0x346/0x570 [ 70.075458][ T5322] ? __pfx_ctrl_cdev_ioctl+0x10/0x10 [ 70.075478][ T5322] ? __pfx_ctrl_cdev_ioctl+0x10/0x10 [ 70.075494][ T5322] __se_sys_ioctl+0xf5/0x170 [ 70.075508][ T5322] do_syscall_64+0xf3/0x230 [ 70.075690][ T5322] ? clear_bhb_loop+0x35/0x90 [ 70.075709][ T5322] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 70.075723][ T5322] RIP: 0033:0x7f048a98cda9 [ 70.075733][ T5322] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 70.075747][ T5322] RSP: 002b:00007f048b771038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 70.075759][ T5322] RAX: ffffffffffffffda RBX: 00007f048aba6160 RCX: 00007f048a98cda9 [ 70.075765][ T5322] RDX: 0000000020000502 RSI: 0000000040186f40 RDI: 0000000000000003 [ 70.075772][ T5322] RBP: 00007f048aa0e2a0 R08: 0000000000000000 R09: 0000000000000000 [ 70.075778][ T5322] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 70.075784][ T5322] R13: 0000000000000001 R14: 00007f048aba6160 R15: 00007fffc33aea78 [ 70.075794][ T5322] [ 70.075798][ T5322] [ 70.161145][ T5322] Allocated by task 5319: [ 70.162621][ T5322] kasan_save_track+0x3f/0x80 [ 70.164284][ T5322] __kasan_kmalloc+0x98/0xb0 [ 70.166026][ T5322] __kmalloc_cache_noprof+0x243/0x390 [ 70.168017][ T5322] ubi_attach_mtd_dev+0x552/0x3540 [ 70.169906][ T5322] ctrl_cdev_ioctl+0x346/0x570 [ 70.171695][ T5322] __se_sys_ioctl+0xf5/0x170 [ 70.173443][ T5322] do_syscall_64+0xf3/0x230 [ 70.175265][ T5322] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 70.177534][ T5322] [ 70.178492][ T5322] Freed by task 5320: [ 70.180102][ T5322] kasan_save_track+0x3f/0x80 [ 70.181918][ T5322] kasan_save_free_info+0x40/0x50 [ 70.183804][ T5322] __kasan_slab_free+0x59/0x70 [ 70.185563][ T5322] kfree+0x196/0x430 [ 70.187019][ T5322] device_release+0x99/0x1c0 [ 70.188609][ T5322] kobject_put+0x22f/0x480 [ 70.190214][ T5322] ubi_detach_mtd_dev+0x347/0x480 [ 70.192099][ T5322] ctrl_cdev_ioctl+0x231/0x570 [ 70.193879][ T5322] __se_sys_ioctl+0xf5/0x170 [ 70.195475][ T5322] do_syscall_64+0xf3/0x230 [ 70.197124][ T5322] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 70.199344][ T5322] [ 70.200267][ T5322] The buggy address belongs to the object at ffff888034898000 [ 70.200267][ T5322] which belongs to the cache kmalloc-8k of size 8192 [ 70.204973][ T5322] The buggy address is located 6360 bytes inside of [ 70.204973][ T5322] freed 8192-byte region [ffff888034898000, ffff88803489a000) [ 70.210009][ T5322] [ 70.210967][ T5322] The buggy address belongs to the physical page: [ 70.213091][ T5322] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x34898 [ 70.215917][ T5322] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 70.218937][ T5322] ksm flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff) [ 70.221645][ T5322] page_type: f5(slab) [ 70.223100][ T5322] raw: 04fff00000000040 ffff88801ac42280 ffffea00010d0000 0000000000000003 [ 70.225996][ T5322] raw: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000 [ 70.229172][ T5322] head: 04fff00000000040 ffff88801ac42280 ffffea00010d0000 0000000000000003 [ 70.232420][ T5322] head: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000 [ 70.235522][ T5322] head: 04fff00000000003 ffffea0000d22601 ffffffffffffffff 0000000000000000 [ 70.238679][ T5322] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 [ 70.241866][ T5322] page dumped because: kasan: bad access detected [ 70.244202][ T5322] page_owner tracks the page as allocated [ 70.246363][ T5322] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5294, tgid 5294 (nohup), ts 54870757081, free_ts 54580547595 [ 70.253736][ T5322] post_alloc_hook+0x1f4/0x240 [ 70.255590][ T5322] get_page_from_freelist+0x365c/0x37a0 [ 70.257733][ T5322] __alloc_frozen_pages_noprof+0x292/0x710 [ 70.259973][ T5322] alloc_pages_mpol+0x311/0x660 [ 70.261817][ T5322] allocate_slab+0x8f/0x3a0 [ 70.263582][ T5322] ___slab_alloc+0xc27/0x14a0 [ 70.265409][ T5322] __slab_alloc+0x58/0xa0 [ 70.267179][ T5322] __kmalloc_cache_noprof+0x27b/0x390 [ 70.269266][ T5322] tomoyo_init_log+0x11cd/0x2050 [ 70.271180][ T5322] tomoyo_supervisor+0x3a4/0x1770 [ 70.273152][ T5322] tomoyo_env_perm+0x178/0x210 [ 70.275095][ T5322] tomoyo_find_next_domain+0x1495/0x1dd0 [ 70.277263][ T5322] tomoyo_bprm_check_security+0x117/0x180 [ 70.279537][ T5322] security_bprm_check+0x86/0x250 [ 70.281516][ T5322] bprm_execve+0x8d3/0x1430 [ 70.283256][ T5322] do_execveat_common+0x57f/0x710 [ 70.285208][ T5322] page last free pid 5291 tgid 5291 stack trace: [ 70.287685][ T5322] free_frozen_pages+0xe0d/0x10e0 [ 70.289621][ T5322] __slab_free+0x2c2/0x380 [ 70.291324][ T5322] qlist_free_all+0x9a/0x140 [ 70.292882][ T5322] kasan_quarantine_reduce+0x14f/0x170 [ 70.294630][ T5322] __kasan_slab_alloc+0x23/0x80 [ 70.296204][ T5322] kmem_cache_alloc_noprof+0x1d9/0x380 [ 70.298227][ T5322] getname_flags+0xb7/0x540 [ 70.300026][ T5322] vfs_fstatat+0x3f/0x130 [ 70.301765][ T5322] __x64_sys_newfstatat+0x11d/0x1a0 [ 70.303798][ T5322] do_syscall_64+0xf3/0x230 [ 70.305580][ T5322] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 70.307683][ T5322] [ 70.308393][ T5322] Memory state around the buggy address: [ 70.310061][ T5322] ffff888034899780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 70.312600][ T5322] ffff888034899800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 70.315295][ T5322] >ffff888034899880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 70.318345][ T5322] ^ [ 70.321037][ T5322] ffff888034899900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 70.324097][ T5322] ffff888034899980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 70.327224][ T5322] ================================================================== [ 70.343078][ T5322] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 70.345853][ T5322] CPU: 0 UID: 0 PID: 5322 Comm: syz.0.0 Not tainted 6.13.0-syzkaller-09485-g72deda0abee6 #0 [ 70.349576][ T5322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 70.353797][ T5322] Call Trace: [ 70.355062][ T5322] [ 70.356342][ T5322] dump_stack_lvl+0x241/0x360 [ 70.358216][ T5322] ? __pfx_dump_stack_lvl+0x10/0x10 [ 70.360045][ T5322] ? __pfx__printk+0x10/0x10 [ 70.361711][ T5322] ? preempt_schedule+0xe1/0xf0 [ 70.363436][ T5322] ? vscnprintf+0x5d/0x90 [ 70.364925][ T5322] panic+0x349/0x880 [ 70.366424][ T5322] ? check_panic_on_warn+0x21/0xb0 [ 70.368186][ T5322] ? __pfx_panic+0x10/0x10 [ 70.369914][ T5322] ? _raw_spin_unlock_irqrestore+0x130/0x140 [ 70.371965][ T5322] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 70.374417][ T5322] ? print_report+0x502/0x550 [ 70.376260][ T5322] check_panic_on_warn+0x86/0xb0 [ 70.378205][ T5322] ? notifier_chain_register+0x141/0x3f0 [ 70.380294][ T5322] end_report+0x77/0x160 [ 70.381864][ T5322] kasan_report+0x154/0x180 [ 70.383643][ T5322] ? notifier_chain_register+0x141/0x3f0 [ 70.385831][ T5322] notifier_chain_register+0x141/0x3f0 [ 70.387977][ T5322] blocking_notifier_chain_register+0x61/0xc0 [ 70.390371][ T5322] ubi_wl_init+0x3396/0x3720 [ 70.392092][ T5322] ubi_attach+0x3e01/0x5b80 [ 70.393642][ T5322] ? __pfx_ubi_attach+0x10/0x10 [ 70.395533][ T5322] ? ubi_attach_mtd_dev+0x19fa/0x3540 [ 70.397548][ T5322] ubi_attach_mtd_dev+0x1a3a/0x3540 [ 70.399450][ T5322] ctrl_cdev_ioctl+0x346/0x570 [ 70.401267][ T5322] ? __pfx_ctrl_cdev_ioctl+0x10/0x10 [ 70.403245][ T5322] ? __pfx_ctrl_cdev_ioctl+0x10/0x10 [ 70.405243][ T5322] __se_sys_ioctl+0xf5/0x170 [ 70.407019][ T5322] do_syscall_64+0xf3/0x230 [ 70.408677][ T5322] ? clear_bhb_loop+0x35/0x90 [ 70.410454][ T5322] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 70.412650][ T5322] RIP: 0033:0x7f048a98cda9 [ 70.414240][ T5322] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 70.420976][ T5322] RSP: 002b:00007f048b771038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 70.423837][ T5322] RAX: ffffffffffffffda RBX: 00007f048aba6160 RCX: 00007f048a98cda9 [ 70.426606][ T5322] RDX: 0000000020000502 RSI: 0000000040186f40 RDI: 0000000000000003 [ 70.429581][ T5322] RBP: 00007f048aa0e2a0 R08: 0000000000000000 R09: 0000000000000000 [ 70.432394][ T5322] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 70.434911][ T5322] R13: 0000000000000001 R14: 00007f048aba6160 R15: 00007fffc33aea78 [ 70.437774][ T5322] [ 70.439130][ T5322] Kernel Offset: disabled [ 70.440705][ T5322] Rebooting in 86400 seconds..