rc rc0: IR event FIFO is full!
rc rc0: IR event FIFO is full!
rc rc0: IR event FIFO is full!
rc rc0: IR event FIFO is full!
==================================================================
BUG: KASAN: slab-use-after-free in ir_raw_event_store_with_filter+0x4f9/0x590 drivers/media/rc/rc-ir-raw.c:178
Read of size 4 at addr ffff88810bb3d0d8 by task udevd/9449
CPU: 1 PID: 9449 Comm: udevd Not tainted 6.5.0-rc3-syzkaller-00067-gba0b3af70630 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0xc4/0x620 mm/kasan/report.c:475
kasan_report+0xda/0x110 mm/kasan/report.c:588
ir_raw_event_store_with_filter+0x4f9/0x590 drivers/media/rc/rc-ir-raw.c:178
sz_push+0x97/0x1d0 drivers/media/rc/streamzap.c:104
sz_push_full_pulse drivers/media/rc/streamzap.c:115 [inline]
sz_push_half_pulse drivers/media/rc/streamzap.c:121 [inline]
streamzap_callback+0x536/0x7e0 drivers/media/rc/streamzap.c:189
__usb_hcd_giveback_urb+0x359/0x5c0 drivers/usb/core/hcd.c:1671
usb_hcd_giveback_urb+0x389/0x430 drivers/usb/core/hcd.c:1754
dummy_timer+0x1415/0x35f0 drivers/usb/gadget/udc/dummy_hcd.c:1987
call_timer_fn+0x1a0/0x580 kernel/time/timer.c:1700
expire_timers kernel/time/timer.c:1751 [inline]
__run_timers+0x764/0xb10 kernel/time/timer.c:2022
run_timer_softirq+0x58/0xd0 kernel/time/timer.c:2035
__do_softirq+0x20b/0x94e kernel/softirq.c:553
invoke_softirq kernel/softirq.c:427 [inline]
__irq_exit_rcu kernel/softirq.c:632 [inline]
irq_exit_rcu+0xa7/0x110 kernel/softirq.c:644
sysvec_apic_timer_interrupt+0x8e/0xb0 arch/x86/kernel/apic/apic.c:1109
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645
RIP: 0010:stack_trace_consume_entry+0x96/0x160 kernel/stacktrace.c:89
Code: 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 90 00 00 00 8b 43 0c <85> c0 75 53 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 80
RSP: 0018:ffffc9000278f5e0 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ffffc9000278f6c0 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff819dfb80 RDI: ffffc9000278f6cc
RBP: 000000000000000a R08: ffffc9000278f634 R09: ffffffff898d8a62
R10: ffffc9000278f600 R11: 0000000000009df3 R12: ffffffff813a4fb0
R13: ffffc9000278f6c0 R14: 0000000000000000 R15: ffff88811ba53a00
arch_stack_walk+0x7f/0xf0 arch/x86/kernel/stacktrace.c:27
stack_trace_save+0x96/0xd0 kernel/stacktrace.c:122
kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0x87/0x90 mm/kasan/common.c:383
kasan_kmalloc include/linux/kasan.h:196 [inline]
__do_kmalloc_node mm/slab_common.c:985 [inline]
__kmalloc+0x5d/0x100 mm/slab_common.c:998
kmalloc include/linux/slab.h:586 [inline]
kzalloc include/linux/slab.h:703 [inline]
tomoyo_encode2+0x100/0x3d0 security/tomoyo/realpath.c:45
tomoyo_encode+0x29/0x50 security/tomoyo/realpath.c:80
tomoyo_realpath_from_path+0x196/0x710 security/tomoyo/realpath.c:283
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_path_perm+0x271/0x450 security/tomoyo/file.c:822
security_inode_getattr+0xf1/0x150 security/security.c:2114
vfs_getattr fs/stat.c:167 [inline]
vfs_statx+0x180/0x430 fs/stat.c:242
vfs_fstatat+0x90/0xb0 fs/stat.c:276
__do_sys_newfstatat+0x98/0x110 fs/stat.c:446
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f788b8105f4
Code: 64 c7 00 09 00 00 00 83 c8 ff c3 48 89 f2 b9 00 01 00 00 48 89 fe bf 9c ff ff ff e9 00 00 00 00 41 89 ca b8 06 01 00 00 0f 05 <45> 31 c0 3d 00 f0 ff ff 76 10 48 8b 15 03 a8 0d 00 f7 d8 41 83 c8
RSP: 002b:00007ffe632e3488 EFLAGS: 00000202 ORIG_RAX: 0000000000000106
RAX: ffffffffffffffda RBX: 000055b9c0bc7550 RCX: 00007f788b8105f4
RDX: 00007ffe632e3498 RSI: 00007ffe632e3528 RDI: 00000000ffffff9c
RBP: 000055b9bfdc0df3 R08: 000055b9bfdc0df3 R09: 0000000000000000
R10: 0000000000000100 R11: 0000000000000202 R12: 0000000000000000
R13: 000055b9c0bc7640 R14: 00007ffe632e3528 R15: 000055b9bfdc0a04
Allocated by task 5505:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0x87/0x90 mm/kasan/common.c:383
kmalloc include/linux/slab.h:582 [inline]
kzalloc include/linux/slab.h:703 [inline]
ir_raw_event_prepare+0x5a/0x320 drivers/media/rc/rc-ir-raw.c:617
rc_register_device+0x1517/0x1bd0 drivers/media/rc/rc-main.c:1921
streamzap_init_rc_dev drivers/media/rc/streamzap.c:249 [inline]
streamzap_probe+0x805/0x1090 drivers/media/rc/streamzap.c:331
usb_probe_interface+0x307/0x930 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x234/0xc90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x4b0 drivers/base/dd.c:798
driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:828
__device_attach_driver+0x1d4/0x300 drivers/base/dd.c:956
bus_for_each_drv+0x157/0x1d0 drivers/base/bus.c:457
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1028
bus_probe_device+0x17c/0x1c0 drivers/base/bus.c:532
device_add+0x11f1/0x1b40 drivers/base/core.c:3625
usb_set_configuration+0x10cb/0x1c40 drivers/usb/core/message.c:2212
usb_generic_driver_probe+0xca/0x130 drivers/usb/core/generic.c:238
usb_probe_device+0xda/0x2c0 drivers/usb/core/driver.c:293
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x234/0xc90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x4b0 drivers/base/dd.c:798
driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:828
__device_attach_driver+0x1d4/0x300 drivers/base/dd.c:956
bus_for_each_drv+0x157/0x1d0 drivers/base/bus.c:457
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1028
bus_probe_device+0x17c/0x1c0 drivers/base/bus.c:532
device_add+0x11f1/0x1b40 drivers/base/core.c:3625
usb_new_device+0xd80/0x1960 drivers/usb/core/hub.c:2613
hub_port_connect drivers/usb/core/hub.c:5445 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5589 [inline]
port_event drivers/usb/core/hub.c:5749 [inline]
hub_event+0x30fd/0x5330 drivers/usb/core/hub.c:5831
process_one_work+0xaa2/0x16f0 kernel/workqueue.c:2597
worker_thread+0x687/0x1110 kernel/workqueue.c:2748
kthread+0x33a/0x430 kernel/kthread.c:389
ret_from_fork+0x2c/0x70 arch/x86/kernel/process.c:145
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:296
Freed by task 9:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522
____kasan_slab_free mm/kasan/common.c:236 [inline]
____kasan_slab_free+0x13f/0x190 mm/kasan/common.c:200
kasan_slab_free include/linux/kasan.h:162 [inline]
slab_free_hook mm/slub.c:1792 [inline]
slab_free_freelist_hook mm/slub.c:1818 [inline]
slab_free mm/slub.c:3801 [inline]
__kmem_cache_free+0xff/0x340 mm/slub.c:3814
ir_raw_event_free drivers/media/rc/rc-ir-raw.c:653 [inline]
ir_raw_event_free drivers/media/rc/rc-ir-raw.c:648 [inline]
ir_raw_event_unregister+0x2e3/0x400 drivers/media/rc/rc-ir-raw.c:676
rc_unregister_device+0x35c/0x410 drivers/media/rc/rc-main.c:2022
streamzap_disconnect+0xa6/0x1f0 drivers/media/rc/streamzap.c:388
usb_unbind_interface+0x1dd/0x8d0 drivers/usb/core/driver.c:458
device_remove drivers/base/dd.c:569 [inline]
device_remove+0x11f/0x170 drivers/base/dd.c:561
__device_release_driver drivers/base/dd.c:1270 [inline]
device_release_driver_internal+0x44a/0x610 drivers/base/dd.c:1293
bus_remove_device+0x22c/0x420 drivers/base/bus.c:574
device_del+0x39a/0xa40 drivers/base/core.c:3814
usb_disable_device+0x36c/0x7f0 drivers/usb/core/message.c:1421
usb_disconnect+0x2e1/0x890 drivers/usb/core/hub.c:2276
hub_port_connect drivers/usb/core/hub.c:5284 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5589 [inline]
port_event drivers/usb/core/hub.c:5749 [inline]
hub_event+0x2221/0x5330 drivers/usb/core/hub.c:5831
process_one_work+0xaa2/0x16f0 kernel/workqueue.c:2597
worker_thread+0x687/0x1110 kernel/workqueue.c:2748
kthread+0x33a/0x430 kernel/kthread.c:389
ret_from_fork+0x2c/0x70 arch/x86/kernel/process.c:145
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:296
The buggy address belongs to the object at ffff88810bb3c000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 4312 bytes inside of
freed 8192-byte region [ffff88810bb3c000, ffff88810bb3e000)
The buggy address belongs to the physical page:
page:ffffea00042ece00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10bb38
head:ffffea00042ece00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x200000000010200(slab|head|node=0|zone=2)
page_type: 0xffffffff()
raw: 0200000000010200 ffff888100042280 ffffea00047d9000 dead000000000002
raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 9401092942, free_ts 0
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2d2/0x350 mm/page_alloc.c:1570
prep_new_page mm/page_alloc.c:1577 [inline]
get_page_from_freelist+0x10e1/0x2fd0 mm/page_alloc.c:3221
__alloc_pages+0x1d0/0x4a0 mm/page_alloc.c:4477
alloc_page_interleave+0x1e/0x230 mm/mempolicy.c:2112
alloc_pages+0x22a/0x270 mm/mempolicy.c:2274
alloc_slab_page mm/slub.c:1862 [inline]
allocate_slab+0x24e/0x380 mm/slub.c:2009
new_slab mm/slub.c:2062 [inline]
___slab_alloc+0x8bc/0x1570 mm/slub.c:3215
__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3314
__slab_alloc_node mm/slub.c:3367 [inline]
slab_alloc_node mm/slub.c:3460 [inline]
__kmem_cache_alloc_node+0x132/0x310 mm/slub.c:3509
__do_kmalloc_node mm/slab_common.c:984 [inline]
__kmalloc+0x4c/0x100 mm/slab_common.c:998
kmalloc_array include/linux/slab.h:619 [inline]
kcalloc include/linux/slab.h:650 [inline]
cache_create_net+0xa0/0x220 net/sunrpc/cache.c:1749
rsc_cache_create_net net/sunrpc/auth_gss/svcauth_gss.c:2065 [inline]
gss_svc_init_net+0x69/0x660 net/sunrpc/auth_gss/svcauth_gss.c:2093
ops_init+0xb9/0x650 net/core/net_namespace.c:136
__register_pernet_operations net/core/net_namespace.c:1165 [inline]
register_pernet_operations+0x34b/0x820 net/core/net_namespace.c:1234
register_pernet_subsys+0x28/0x40 net/core/net_namespace.c:1275
init_rpcsec_gss+0x58/0xb0 net/sunrpc/auth_gss/auth_gss.c:2261
page_owner free stack trace missing
Memory state around the buggy address:
 ffff88810bb3cf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88810bb3d000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88810bb3d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                    ^
 ffff88810bb3d100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88810bb3d180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess), 6 bytes skipped:
0: df 48 89 fisttps -0x77(%rax)
3: fa cli
4: 48 c1 ea 03 shr $0x3,%rdx
8: 0f b6 14 02 movzbl (%rdx,%rax,1),%edx
c: 48 89 f8 mov %rdi,%rax
f: 83 e0 07 and $0x7,%eax
12: 83 c0 03 add $0x3,%eax
15: 38 d0 cmp %dl,%al
17: 7c 08 jl 0x21
19: 84 d2 test %dl,%dl
1b: 0f 85 90 00 00 00 jne 0xb1
21: 8b 43 0c mov 0xc(%rbx),%eax
* 24: 85 c0 test %eax,%eax <-- trapping instruction
26: 75 53 jne 0x7b
28: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
2f: fc ff df
32: 48 89 da mov %rbx,%rdx
35: 48 c1 ea 03 shr $0x3,%rdx
39: 80 .byte 0x80
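A small triage parser for the report above, added here as an example; it is not part of the syzbot report, of syzkaller, or of any kernel tooling. The embedded sample is a constructed, trimmed copy of the lines on this page, and the regular expressions assume the report layout this kernel version prints (frame lines of the form `func+0xoff/0xlen path:line` or `func path:line [inline]`, and the `Allocated by`/`Freed by`/`The buggy address ...` sections). It extracts the bug kind, the faulting access and the three stacks, skips KASAN and allocator plumbing to find the first frame that actually did the allocate, free and access, and recomputes the in-object offset from the raw addresses to cross-check the report's own "4312 bytes inside of" claim. On this report that yields ir_raw_event_prepare (probe path) for the allocation, ir_raw_event_free via ir_raw_event_unregister (disconnect path) for the free, and the access from the streamzap URB completion callback, which is the ordering problem the report documents.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the syzbot report on this page, embedded so the
# script runs offline. Frame lines keep the kernel's one-space indent.
SAMPLE_REPORT = """\
==================================================================
BUG: KASAN: slab-use-after-free in ir_raw_event_store_with_filter+0x4f9/0x590 drivers/media/rc/rc-ir-raw.c:178
Read of size 4 at addr ffff88810bb3d0d8 by task udevd/9449
Call Trace:
 kasan_report+0xda/0x110 mm/kasan/report.c:588
 ir_raw_event_store_with_filter+0x4f9/0x590 drivers/media/rc/rc-ir-raw.c:178
 streamzap_callback+0x536/0x7e0 drivers/media/rc/streamzap.c:189
Allocated by task 5505:
 kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
 ir_raw_event_prepare+0x5a/0x320 drivers/media/rc/rc-ir-raw.c:617
 streamzap_probe+0x805/0x1090 drivers/media/rc/streamzap.c:331
Freed by task 9:
 kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
 slab_free mm/slub.c:3801 [inline]
 ir_raw_event_free drivers/media/rc/rc-ir-raw.c:653 [inline]
 ir_raw_event_unregister+0x2e3/0x400 drivers/media/rc/rc-ir-raw.c:676
 streamzap_disconnect+0xa6/0x1f0 drivers/media/rc/streamzap.c:388
The buggy address belongs to the object at ffff88810bb3c000
 which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 4312 bytes inside of
 freed 8192-byte region [ffff88810bb3c000, ffff88810bb3e000)
==================================================================
"""

# Line shapes as printed by this kernel version (assumption: the layout shown on this page).
_BUG = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+ (?P<loc>\S+:\d+)")
_ACCESS = re.compile(r"^(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+/\d+)")
_FRAME = re.compile(r"^\s*(?P<func>[\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? (?P<loc>\S+:\d+)( \[inline\])?$")
_OBJECT = re.compile(r"^The buggy address belongs to the object at (?P<base>[0-9a-f]+)")
_CACHE = re.compile(r"^\s*which belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
_OFFSET = re.compile(r"^The buggy address is located (?P<off>\d+) bytes")
_REGION = re.compile(r"^\s*(?:freed )?\d+-byte region \[(?P<lo>[0-9a-f]+), (?P<hi>[0-9a-f]+)\)")
# KASAN and allocator plumbing; the first frame after these is the code that did the alloc/free/access.
_INFRA = ("kasan", "kmalloc", "kzalloc", "kmem_cache", "do_kmalloc", "slab", "kfree", "dump_stack", "print_report")

@dataclass
class Triage:
    kind: str = ""
    fault_func: str = ""
    fault_loc: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    alloc_pid: int = -1
    free_pid: int = -1
    obj_base: int = 0
    cache: str = ""
    obj_size: int = 0
    stated_offset: int = -1
    region: tuple = (0, 0)
    stacks: dict = field(default_factory=lambda: {"access": [], "alloc": [], "free": []})

def parse_kasan_report(text):
    t, section = Triage(), None
    for line in text.splitlines():
        if m := _BUG.match(line):
            t.kind, t.fault_func, t.fault_loc = m["kind"], m["func"], m["loc"]
        elif m := _ACCESS.match(line):
            t.access, t.size, t.addr, t.task = m["rw"], int(m["size"]), int(m["addr"], 16), m["task"]
        elif line.startswith("Call Trace:"):
            section = "access"
        elif line.startswith(("Allocated by task ", "Freed by task ")):
            pid = int(line.split()[3].rstrip(":"))
            section = "alloc" if line.startswith("Allocated") else "free"
            setattr(t, section + "_pid", pid)
        elif m := _OBJECT.match(line):
            t.obj_base, section = int(m["base"], 16), None  # stack sections end here
        elif m := _CACHE.match(line):
            t.cache, t.obj_size = m["cache"], int(m["size"])
        elif m := _OFFSET.match(line):
            t.stated_offset = int(m["off"])
        elif m := _REGION.match(line):
            t.region = (int(m["lo"], 16), int(m["hi"], 16))
        elif section and (m := _FRAME.match(line)):
            t.stacks[section].append((m["func"], m["loc"]))
    return t

def first_suspect(frames):
    """First frame that is not KASAN/allocator plumbing (leading underscores ignored)."""
    return next(((f, l) for f, l in frames if not f.lstrip("_").startswith(_INFRA)), None)

def check_offset(t):
    """Recompute the in-object offset from raw addresses and cross-check the report's own claims."""
    computed = t.addr - t.obj_base
    return {"computed_offset": computed,
            "matches_stated": computed == t.stated_offset,
            "inside_region": t.region[0] <= t.addr < t.region[1] and t.addr + t.size <= t.region[1],
            "fault_matches_trace": first_suspect(t.stacks["access"]) == (t.fault_func, t.fault_loc)}

if __name__ == "__main__":
    t = parse_kasan_report(SAMPLE_REPORT)
    print(f"{t.kind}: {t.access} of {t.size} bytes by {t.task}, offset {check_offset(t)['computed_offset']} in {t.cache}")
    print("allocated in", first_suspect(t.stacks["alloc"]), "freed in", first_suspect(t.stacks["free"]))
```

Run against the full report rather than the sample, the access stack will also pick up the frames of the interrupted udevd task (arch_stack_walk through entry_SYSCALL_64_after_hwframe), which is expected: they are the context the timer softirq interrupted, not the path that touched the freed object. A `matches_stated` or `inside_region` of False would indicate a mangled or partially copied report and is worth checking before spending time on the stacks.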