==================================================================
BUG: KASAN: use-after-free in user_mode arch/x86/include/asm/ptrace.h:131 [inline]
BUG: KASAN: use-after-free in trace_page_fault_entries arch/x86/mm/fault.c:1541 [inline]
BUG: KASAN: use-after-free in do_page_fault+0x66/0x330 arch/x86/mm/fault.c:1553
Read of size 8 at addr ffff8881e8d24e40 by task syz-executor.3/15276

CPU: 1 PID: 15276 Comm: syz-executor.3 Not tainted 5.4.268-syzkaller-00012-g51cf29fc2bfc #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:

The buggy address belongs to the page:
page:ffffea0007a34900 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x8000000000000000()
raw: 8000000000000000 ffffea0007970848 ffffea0007ce3a88 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x500dc0(GFP_USER|__GFP_ZERO|__GFP_ACCOUNT)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x18f/0x370 mm/page_alloc.c:2171
 get_page_from_freelist+0x2d13/0x2d90 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x393/0x840 mm/page_alloc.c:4891
 __alloc_pages include/linux/gfp.h:503 [inline]
 __alloc_pages_node include/linux/gfp.h:516 [inline]
 alloc_pages_node include/linux/gfp.h:530 [inline]
 __pte_alloc_one include/asm-generic/pgalloc.h:63 [inline]
 pte_alloc_one+0x1b/0xb0 arch/x86/mm/pgtable.c:26
 __pte_alloc+0x1d/0x1c0 mm/memory.c:440
 copy_pte_range mm/memory.c:830 [inline]
 copy_pmd_range mm/memory.c:906 [inline]
 copy_pud_range mm/memory.c:940 [inline]
 copy_p4d_range mm/memory.c:962 [inline]
 copy_page_range+0x1c24/0x26f0 mm/memory.c:1024
 dup_mmap kernel/fork.c:608 [inline]
 dup_mm kernel/fork.c:1379 [inline]
 copy_mm+0xb23/0x10d0 kernel/fork.c:1435
 copy_process+0x1291/0x3230 kernel/fork.c:2052
 _do_fork+0x197/0x900 kernel/fork.c:2399
 __do_sys_clone kernel/fork.c:2557 [inline]
 __se_sys_clone kernel/fork.c:2538 [inline]
 __x64_sys_clone+0x26b/0x2c0 kernel/fork.c:2538
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1176 [inline]
 free_pcp_prepare mm/page_alloc.c:1233 [inline]
 free_unref_page_prepare+0x297/0x380 mm/page_alloc.c:3085
 free_unref_page_list+0x10a/0x590 mm/page_alloc.c:3154
 release_pages+0xad8/0xb20 mm/swap.c:842
 tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:189 [inline]
 tlb_flush_mmu mm/mmu_gather.c:196 [inline]
 tlb_finish_mmu+0x177/0x320 mm/mmu_gather.c:277
 exit_mmap+0x2dc/0x520 mm/mmap.c:3193
 __mmput+0x8e/0x2c0 kernel/fork.c:1101
 exit_mm kernel/exit.c:536 [inline]
 do_exit+0xc08/0x2bc0 kernel/exit.c:846
 do_group_exit+0x138/0x300 kernel/exit.c:982
 __do_sys_exit_group kernel/exit.c:993 [inline]
 __se_sys_exit_group kernel/exit.c:991 [inline]
 __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:991
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Memory state around the buggy address:
 ffff8881e8d24d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881e8d24d80: ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00
>ffff8881e8d24e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                           ^
 ffff8881e8d24e80: ff ff ff ff f1 f1 f1 f1 00 f2 f2 f2 04 f3 f3 f3
 ffff8881e8d24f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
PANIC: double fault, error_code: 0x0
CPU: 1 PID: 15276 Comm: syz-executor.3 Tainted: G B 5.4.268-syzkaller-00012-g51cf29fc2bfc #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:check_preemption_disabled+0x8/0x320 lib/smp_processor_id.c:13
Code: 90 90 e8 6b e4 32 ff 48 c7 c7 20 43 fa 84 48 c7 c6 60 43 fa 84 eb 0b 66 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 57 41 56 <41> 55 41 54 53 48 83 e4 e0 48 81 ec 80 00 00 00 49 89 f7 49 89 fc
RSP: 0018:ffff8881e84b7000 EFLAGS: 00010093
RAX: ffffffff823162b5 RBX: ffffffff85eb6a98 RCX: ffff8881ed738000
RDX: 0000000000000000 RSI: ffffffff84fa4360 RDI: ffffffff84fa4320
RBP: ffff8881e84b7010 R08: ffffffff8130385e R09: fffffbfff0c96d1e
R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff1103d096e10
R13: dffffc0000000000 R14: ffff8881e84b7080 R15: 0000607e08e0cda8
FS:  0000555555a5f480(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8881e84b6ff8 CR3: 00000001f5c2a000 CR4: 00000000003406a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Call Trace:
 <#DF>
----------------
Code disassembly (best guess):
   0:   90                      nop
   1:   90                      nop
   2:   e8 6b e4 32 ff          call   0xff32e472
   7:   48 c7 c7 20 43 fa 84    mov    $0xffffffff84fa4320,%rdi
   e:   48 c7 c6 60 43 fa 84    mov    $0xffffffff84fa4360,%rsi
  15:   eb 0b                   jmp    0x22
  17:   66 66 2e 0f 1f 84 00    data16 cs nopw 0x0(%rax,%rax,1)
  1e:   00 00 00 00
  22:   55                      push   %rbp
  23:   48 89 e5                mov    %rsp,%rbp
  26:   41 57                   push   %r15
  28:   41 56                   push   %r14
* 2a:   41 55                   push   %r13             <-- trapping instruction
  2c:   41 54                   push   %r12
  2e:   53                      push   %rbx
  2f:   48 83 e4 e0             and    $0xffffffffffffffe0,%rsp
  33:   48 81 ec 80 00 00 00    sub    $0x80,%rsp
  3a:   49 89 f7                mov    %rsi,%r15
  3d:   49 89 fc                mov    %rdi,%r12