==================================================================
BUG: KASAN: use-after-free in __hlist_del include/linux/list.h:884 [inline]
BUG: KASAN: use-after-free in hlist_del_init_rcu include/linux/rculist.h:184 [inline]
BUG: KASAN: use-after-free in rxrpc_destroy_local+0x2ad/0x2f0 net/rxrpc/local_object.c:389
Write of size 8 at addr ffff888047973820 by task krxrpcio/7001/5113

CPU: 1 PID: 5113 Comm: krxrpcio/7001 Not tainted 6.1.0-syzkaller-13409-g2f26e424552e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:306 [inline]
 print_report+0x15e/0x461 mm/kasan/report.c:417
 kasan_report+0xbf/0x1f0 mm/kasan/report.c:517
 __hlist_del include/linux/list.h:884 [inline]
 hlist_del_init_rcu include/linux/rculist.h:184 [inline]
 rxrpc_destroy_local+0x2ad/0x2f0 net/rxrpc/local_object.c:389
 rxrpc_io_thread+0xcde/0xfa0 net/rxrpc/io_thread.c:492
 kthread+0x2e8/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308

The buggy address belongs to the physical page:
page:ffffea00011e5cc0 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x47973
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001d56f08 ffffea0001e60c88 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffff7f 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x100cc0(GFP_USER), pid 5104, tgid 5104 (syz-executor.5), ts 1738373991890, free_ts 1741290448772
 prep_new_page mm/page_alloc.c:2531 [inline]
 get_page_from_freelist+0x119c/0x2ce0 mm/page_alloc.c:4283
 __alloc_pages+0x1cb/0x5b0 mm/page_alloc.c:5549
 alloc_pages+0x1aa/0x270 mm/mempolicy.c:2285
 __get_free_pages+0xc/0x40 mm/page_alloc.c:5599
 kasan_populate_vmalloc_pte mm/kasan/shadow.c:271 [inline]
 kasan_populate_vmalloc_pte+0x27/0x150 mm/kasan/shadow.c:262
 apply_to_pte_range mm/memory.c:2600 [inline]
 apply_to_pmd_range mm/memory.c:2644 [inline]
 apply_to_pud_range mm/memory.c:2680 [inline]
 apply_to_p4d_range mm/memory.c:2716 [inline]
 __apply_to_page_range+0x68c/0x1030 mm/memory.c:2750
 alloc_vmap_area+0x512/0x1ed0 mm/vmalloc.c:1647
 __get_vm_area_node+0x142/0x3f0 mm/vmalloc.c:2515
 __vmalloc_node_range+0x25b/0x13c0 mm/vmalloc.c:3187
 __vmalloc_node mm/vmalloc.c:3292 [inline]
 vzalloc+0x6b/0x80 mm/vmalloc.c:3365
 xt_counters_alloc+0x50/0x70 net/netfilter/x_tables.c:1379
 __do_replace+0x9a/0x900 net/ipv4/netfilter/arp_tables.c:894
 do_replace net/ipv6/netfilter/ip6_tables.c:1157 [inline]
 do_ip6t_set_ctl+0x8a9/0xb30 net/ipv6/netfilter/ip6_tables.c:1639
 nf_setsockopt+0x87/0xe0 net/netfilter/nf_sockopt.c:101
 ipv6_setsockopt+0x12b/0x190 net/ipv6/ipv6_sockglue.c:1028
 tcp_setsockopt+0x9f/0x100 net/ipv4/tcp.c:3801
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1446 [inline]
 free_pcp_prepare+0x65c/0xc00 mm/page_alloc.c:1496
 free_unref_page_prepare mm/page_alloc.c:3369 [inline]
 free_unref_page+0x1d/0x490 mm/page_alloc.c:3464
 kasan_depopulate_vmalloc_pte+0x60/0x80 mm/kasan/shadow.c:372
 apply_to_pte_range mm/memory.c:2600 [inline]
 apply_to_pmd_range mm/memory.c:2644 [inline]
 apply_to_pud_range mm/memory.c:2680 [inline]
 apply_to_p4d_range mm/memory.c:2716 [inline]
 __apply_to_page_range+0x68c/0x1030 mm/memory.c:2750
 kasan_release_vmalloc+0xab/0xc0 mm/kasan/shadow.c:486
 __purge_vmap_area_lazy+0x897/0x1f80 mm/vmalloc.c:1776
 _vm_unmap_aliases.part.0+0x420/0x550 mm/vmalloc.c:2187
 _vm_unmap_aliases mm/vmalloc.c:2161 [inline]
 vm_unmap_aliases+0x49/0x50 mm/vmalloc.c:2210
 change_page_attr_set_clr+0x226/0x470 arch/x86/mm/pat/set_memory.c:1837
 change_page_attr_clear arch/x86/mm/pat/set_memory.c:1885 [inline]
 set_memory_ro+0x7c/0xa0 arch/x86/mm/pat/set_memory.c:2076
 bpf_prog_lock_ro include/linux/filter.h:855 [inline]
 bpf_prog_select_runtime+0x508/0x650 kernel/bpf/core.c:2202
 bpf_prog_load+0x1577/0x2220 kernel/bpf/syscall.c:2623
 __sys_bpf+0x1436/0x4ff0 kernel/bpf/syscall.c:4979
 __do_sys_bpf kernel/bpf/syscall.c:5083 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5081 [inline]
 __x64_sys_bpf+0x79/0xc0 kernel/bpf/syscall.c:5081
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
 ffff888047973700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888047973780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888047973800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                               ^
 ffff888047973880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888047973900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================