==================================================================
BUG: KASAN: double-free or invalid-free in slab_free mm/slub.c:3213 [inline]
BUG: KASAN: double-free or invalid-free in kfree+0xcf/0x2e0 mm/slub.c:4267

CPU: 0 PID: 27459 Comm: syz-executor.2 Not tainted 5.14.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1ae/0x29f lib/dump_stack.c:105
 print_address_description+0x66/0x3b0 mm/kasan/report.c:233
 kasan_report_invalid_free+0x54/0xe0 mm/kasan/report.c:358
 ____kasan_slab_free+0x129/0x150 mm/kasan/common.c:368
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:1628 [inline]
 slab_free_freelist_hook+0x1d8/0x290 mm/slub.c:1653
 slab_free mm/slub.c:3213 [inline]
 kfree+0xcf/0x2e0 mm/slub.c:4267
 bdev_free_inode+0xc0/0xf0 fs/block_dev.c:816
 rcu_do_batch kernel/rcu/tree.c:2550 [inline]
 rcu_core+0x906/0x14b0 kernel/rcu/tree.c:2785
 __do_softirq+0x372/0x783 kernel/softirq.c:558
 invoke_softirq kernel/softirq.c:432 [inline]
 __irq_exit_rcu+0x21b/0x260 kernel/softirq.c:636
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:648
 sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1100
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638
RIP: 0010:finish_lock_switch+0xf0/0x1c0 kernel/sched/core.c:4436
Code: 61 0c 00 74 11 48 89 df be ff ff ff ff e8 08 13 80 08 85 c0 74 27 4d 85 ff 75 44 4c 89 f7 e8 87 bd 82 08 e8 82 40 2d 00 fb 5b <41> 5c 41 5d 41 5e 41 5f 5d c3 0f 0b 4d 85 ff 75 92 eb a8 0f 0b 4d
RSP: 0018:ffffc90002edfa30 EFLAGS: 00000282
RAX: ca963c47bc9ed900 RBX: ffff888072fa8034 RCX: ffffffff9070b703
RDX: dffffc0000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: 1ffff1101738a400 R08: ffffffff8186a4c0 R09: ffffed101738a2a9
R10: ffffed101738a2a9 R11: 0000000000000000 R12: ffff8880b9c52000
R13: dffffc0000000000 R14: ffff8880b9c51540 R15: 0000000000000000
 finish_task_switch+0x140/0x630 kernel/sched/core.c:4553
 context_switch kernel/sched/core.c:4684 [inline]
 __schedule+0xc0f/0x11f0 kernel/sched/core.c:5938
 schedule+0x14b/0x210 kernel/sched/core.c:6017
 freezable_schedule include/linux/freezer.h:172 [inline]
 do_nanosleep+0x1b6/0x7b0 kernel/time/hrtimer.c:1896
 hrtimer_nanosleep+0x239/0x470 kernel/time/hrtimer.c:1949
 __do_sys_clock_nanosleep kernel/time/posix-timers.c:1267 [inline]
 __se_sys_clock_nanosleep kernel/time/posix-timers.c:1245 [inline]
 __x64_sys_clock_nanosleep+0x344/0x3d0 kernel/time/posix-timers.c:1245
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x48a7b1
Code: 24 0c 89 3c 24 48 89 4c 24 18 e8 aa e7 ff ff 4c 8b 54 24 18 48 8b 54 24 10 41 89 c0 8b 74 24 0c 8b 3c 24 b8 e6 00 00 00 0f 05 <44> 89 c7 48 89 04 24 e8 e3 e7 ff ff 48 8b 04 24 eb 97 66 2e 0f 1f
RSP: 002b:00007fff4a4f8650 EFLAGS: 00000293 ORIG_RAX: 00000000000000e6
RAX: ffffffffffffffda RBX: 00000000000008e2 RCX: 000000000048a7b1
RDX: 00007fff4a4f8690 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00007fff4a4f872c R08: 0000000000000000 R09: 0000000000000010
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000032
R13: 0000000000330ee6 R14: 0000000000000007 R15: 00007fff4a4f8790

Allocated by task 17804:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc+0xc4/0xf0 mm/kasan/common.c:513
 kasan_kmalloc include/linux/kasan.h:264 [inline]
 kmem_cache_alloc_node_trace+0x26b/0x390 mm/slub.c:3014
 kmalloc_node include/linux/slab.h:609 [inline]
 kzalloc_node include/linux/slab.h:732 [inline]
 __alloc_disk_node+0x56/0x2c0 block/genhd.c:1246
 __blk_mq_alloc_disk+0xce/0x170 block/blk-mq.c:3147
 loop_add+0x276/0x7f0 drivers/block/loop.c:2345
 blk_request_module+0x19d/0x1c0 block/genhd.c:660
 blkdev_get_no_open+0x44/0x1f0 fs/block_dev.c:1334
 blkdev_get_by_dev+0x89/0xdc0 fs/block_dev.c:1397
 blkdev_get_by_path+0x1d1/0x2c0 fs/block_dev.c:1481
 mount_bdev+0x47/0x3a0 fs/super.c:1326
 legacy_get_tree+0xea/0x180 fs/fs_context.c:610
 vfs_get_tree+0x86/0x270 fs/super.c:1498
 do_new_mount fs/namespace.c:2919 [inline]
 path_mount+0x196f/0x2be0 fs/namespace.c:3249
 do_mount fs/namespace.c:3262 [inline]
 __do_sys_mount fs/namespace.c:3470 [inline]
 __se_sys_mount+0x2f9/0x3b0 fs/namespace.c:3447
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 17804:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x3d/0x70 mm/kasan/common.c:46
 kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:360
 ____kasan_slab_free+0x109/0x150 mm/kasan/common.c:366
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:1628 [inline]
 slab_free_freelist_hook+0x1d8/0x290 mm/slub.c:1653
 slab_free mm/slub.c:3213 [inline]
 kfree+0xcf/0x2e0 mm/slub.c:4267
 __alloc_disk_node+0x1b3/0x2c0 block/genhd.c:1271
 __blk_mq_alloc_disk+0xce/0x170 block/blk-mq.c:3147
 loop_add+0x276/0x7f0 drivers/block/loop.c:2345
 blk_request_module+0x19d/0x1c0 block/genhd.c:660
 blkdev_get_no_open+0x44/0x1f0 fs/block_dev.c:1334
 blkdev_get_by_dev+0x89/0xdc0 fs/block_dev.c:1397
 blkdev_get_by_path+0x1d1/0x2c0 fs/block_dev.c:1481
 mount_bdev+0x47/0x3a0 fs/super.c:1326
 legacy_get_tree+0xea/0x180 fs/fs_context.c:610
 vfs_get_tree+0x86/0x270 fs/super.c:1498
 do_new_mount fs/namespace.c:2919 [inline]
 path_mount+0x196f/0x2be0 fs/namespace.c:3249
 do_mount fs/namespace.c:3262 [inline]
 __do_sys_mount fs/namespace.c:3470 [inline]
 __se_sys_mount+0x2f9/0x3b0 fs/namespace.c:3447
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Last potentially related work creation:
 kasan_save_stack+0x27/0x50 mm/kasan/common.c:38
 kasan_record_aux_stack+0xee/0x120 mm/kasan/generic.c:348
 kvfree_call_rcu+0x114/0x8a0 kernel/rcu/tree.c:3594
 drop_sysctl_table+0x2cd/0x430 fs/proc/proc_sysctl.c:1647
 drop_sysctl_table+0x2eb/0x430 fs/proc/proc_sysctl.c:1650
 unregister_sysctl_table+0x88/0x130 fs/proc/proc_sysctl.c:1685
 mpls_dev_sysctl_unregister net/mpls/af_mpls.c:1441 [inline]
 mpls_dev_notify+0x548/0x7d0 net/mpls/af_mpls.c:1621
 notifier_call_chain kernel/notifier.c:83 [inline]
 raw_notifier_call_chain+0xe7/0x170 kernel/notifier.c:410
 call_netdevice_notifiers_info net/core/dev.c:2123 [inline]
 call_netdevice_notifiers_extack net/core/dev.c:2135 [inline]
 call_netdevice_notifiers net/core/dev.c:2149 [inline]
 unregister_netdevice_many+0xf7e/0x1980 net/core/dev.c:11093
 default_device_exit_batch+0x43b/0x4c0 net/core/dev.c:11623
 ops_exit_list net/core/net_namespace.c:178 [inline]
 cleanup_net+0x7ec/0xc60 net/core/net_namespace.c:595
 process_one_work+0x833/0x10c0 kernel/workqueue.c:2276
 worker_thread+0xac1/0x1320 kernel/workqueue.c:2422
 kthread+0x453/0x480 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

The buggy address belongs to the object at ffff888053e41c00
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 0 bytes inside of
 512-byte region [ffff888053e41c00, ffff888053e41e00)
The buggy address belongs to the page:
page:ffffea00014f9000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x53e40
head:ffffea00014f9000 order:2 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888011041c80
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 26526, ts 2638425244718, free_ts 2633491055646
 prep_new_page mm/page_alloc.c:2436 [inline]
 get_page_from_freelist+0x779/0xa30 mm/page_alloc.c:4169
 __alloc_pages+0x26c/0x5f0 mm/page_alloc.c:5391
 alloc_slab_page mm/slub.c:1691 [inline]
 allocate_slab+0xf1/0x540 mm/slub.c:1831
 new_slab mm/slub.c:1894 [inline]
 new_slab_objects mm/slub.c:2640 [inline]
 ___slab_alloc+0x1cf/0x350 mm/slub.c:2803
 __slab_alloc mm/slub.c:2843 [inline]
 slab_alloc_node mm/slub.c:2925 [inline]
 slab_alloc mm/slub.c:2967 [inline]
 __kmalloc+0x2e7/0x390 mm/slub.c:4111
 kmalloc include/linux/slab.h:596 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 new_dir fs/proc/proc_sysctl.c:953 [inline]
 get_subdir fs/proc/proc_sysctl.c:998 [inline]
 __register_sysctl_table+0xa32/0x12a0 fs/proc/proc_sysctl.c:1347
 __devinet_sysctl_register+0x269/0x350 net/ipv4/devinet.c:2572
 devinet_sysctl_register+0x139/0x1a0 net/ipv4/devinet.c:2612
 inetdev_init+0x257/0x4a0 net/ipv4/devinet.c:276
 inetdev_event+0x1c5/0x14d0 net/ipv4/devinet.c:1530
 notifier_call_chain kernel/notifier.c:83 [inline]
 raw_notifier_call_chain+0xe7/0x170 kernel/notifier.c:410
 call_netdevice_notifiers_info net/core/dev.c:2123 [inline]
 call_netdevice_notifiers_extack net/core/dev.c:2135 [inline]
 call_netdevice_notifiers net/core/dev.c:2149 [inline]
 register_netdevice+0x160e/0x1c20 net/core/dev.c:10380
 veth_newlink+0x8ac/0xc50 drivers/net/veth.c:1547
 __rtnl_newlink net/core/rtnetlink.c:3460 [inline]
 rtnl_newlink+0x13f6/0x1cd0 net/core/rtnetlink.c:3508
 rtnetlink_rcv_msg+0x91c/0xe50 net/core/rtnetlink.c:5574
 netlink_rcv_skb+0x1f0/0x460 net/netlink/af_netlink.c:2504
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1346 [inline]
 free_pcp_prepare+0xc29/0xd20 mm/page_alloc.c:1397
 free_unref_page_prepare mm/page_alloc.c:3332 [inline]
 free_unref_page+0x7e/0x550 mm/page_alloc.c:3411
 __vunmap+0x926/0xa70 mm/vmalloc.c:2587
 kcov_put kernel/kcov.c:408 [inline]
 kcov_close+0x27/0x50 kernel/kcov.c:510
 __fput+0x352/0x7b0 fs/file_table.c:280
 task_work_run+0x146/0x1c0 kernel/task_work.c:164
 exit_task_work include/linux/task_work.h:32 [inline]
 do_exit+0x72b/0x2510 kernel/exit.c:825
 do_group_exit+0x168/0x2d0 kernel/exit.c:922
 __do_sys_exit_group+0x13/0x20 kernel/exit.c:933
 __ia32_sys_exit_group+0x0/0x40 kernel/exit.c:931
 __x64_sys_exit_group+0x37/0x40 kernel/exit.c:931
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Memory state around the buggy address:
 ffff888053e41b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888053e41b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888053e41c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff888053e41c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888053e41d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess), 1 bytes skipped:
   0: 0c 00                   or     $0x0,%al
   2: 74 11                   je     0x15
   4: 48 89 df                mov    %rbx,%rdi
   7: be ff ff ff ff          mov    $0xffffffff,%esi
   c: e8 08 13 80 08          callq  0x8801319
  11: 85 c0                   test   %eax,%eax
  13: 74 27                   je     0x3c
  15: 4d 85 ff                test   %r15,%r15
  18: 75 44                   jne    0x5e
  1a: 4c 89 f7                mov    %r14,%rdi
  1d: e8 87 bd 82 08          callq  0x882bda9
  22: e8 82 40 2d 00          callq  0x2d40a9
  27: fb                      sti
  28: 5b                      pop    %rbx
  29: 41 5c                   pop    %r12 <-- trapping instruction
  2b: 41 5d                   pop    %r13
  2d: 41 5e                   pop    %r14
  2f: 41 5f                   pop    %r15
  31: 5d                      pop    %rbp
  32: c3                      retq
  33: 0f 0b                   ud2
  35: 4d 85 ff                test   %r15,%r15
  38: 75 92                   jne    0xffffffcc
  3a: eb a8                   jmp    0xffffffe4
  3c: 0f 0b                   ud2
  3e: 4d                      rex.WRB