==================================================================
BUG: KASAN: slab-use-after-free in list_empty include/linux/list.h:373 [inline]
BUG: KASAN: slab-use-after-free in waitqueue_active include/linux/wait.h:127 [inline]
BUG: KASAN: slab-use-after-free in sock_def_write_space_wfree net/core/sock.c:3384 [inline]
BUG: KASAN: slab-use-after-free in sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468
Read of size 8 at addr ffff888044476c80 by task syz-executor.4/21229
CPU: 0 PID: 21229 Comm: syz-executor.4 Not tainted 6.7.0-syzkaller-04629-g3e7aeb78ab01 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc4/0x620 mm/kasan/report.c:488
kasan_report+0xda/0x110 mm/kasan/report.c:601
list_empty include/linux/list.h:373 [inline]
waitqueue_active include/linux/wait.h:127 [inline]
sock_def_write_space_wfree net/core/sock.c:3384 [inline]
sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468
skb_release_head_state+0xa3/0x2b0 net/core/skbuff.c:1080
skb_release_all net/core/skbuff.c:1092 [inline]
napi_consume_skb+0x119/0x2b0 net/core/skbuff.c:1404
free_old_xmit_skbs+0xf0/0x370 drivers/net/virtio_net.c:793
virtnet_poll_tx+0x276/0x640 drivers/net/virtio_net.c:2311
__napi_poll.constprop.0+0xb4/0x540 net/core/dev.c:6576
napi_poll net/core/dev.c:6645 [inline]
net_rx_action+0x956/0xe90 net/core/dev.c:6778
__do_softirq+0x21a/0x8de kernel/softirq.c:553
invoke_softirq kernel/softirq.c:427 [inline]
__irq_exit_rcu kernel/softirq.c:632 [inline]
irq_exit_rcu+0xb7/0x120 kernel/softirq.c:644
common_interrupt+0xb0/0xd0 arch/x86/kernel/irq.c:247
asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:640
RIP: 0010:deref_stack_reg arch/x86/kernel/unwind_orc.c:406 [inline]
RIP: 0010:unwind_next_frame+0x1ada/0x2390 arch/x86/kernel/unwind_orc.c:648
Code: ff e8 9a c4 4d 00 4c 89 e7 e8 22 da ff ff 48 8d 7b 40 48 89 fa 49 89 c4 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 <0f> 84 64 f6 ff ff e8 eb 3b a5 00 e9 5a f6 ff ff e8 61 c4 4d 00 4c
RSP: 0018:ffffc9000351f8a8 EFLAGS: 00000246
RAX: dffffc0000000000 RBX: ffffc9000351f928 RCX: ffffc9000351f95c
RDX: 1ffff920006a3f2d RSI: ffffffff813a29d9 RDI: ffffc9000351f968
RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: ffffffff8ace31a0 R12: ffff888021d78060
R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000001
arch_stack_walk+0xfa/0x170 arch/x86/kernel/stacktrace.c:25
stack_trace_save+0x96/0xd0 kernel/stacktrace.c:122
kasan_save_stack+0x33/0x50 mm/kasan/common.c:47
__kasan_record_aux_stack+0xba/0x100 mm/kasan/generic.c:580
__call_rcu_common.constprop.0+0x9a/0x7a0 kernel/rcu/tree.c:2681
security_inode_free+0x9e/0xc0 security/security.c:1616
__destroy_inode+0x1f8/0x740 fs/inode.c:285
destroy_inode+0x91/0x1b0 fs/inode.c:308
iput_final fs/inode.c:1776 [inline]
iput.part.0+0x560/0x7b0 fs/inode.c:1802
iput+0x5c/0x80 fs/inode.c:1792
d_delete_notify include/linux/fsnotify.h:282 [inline]
vfs_rmdir fs/namei.c:4198 [inline]
vfs_rmdir+0x454/0x650 fs/namei.c:4162
do_rmdir+0x39e/0x410 fs/namei.c:4244
__do_sys_unlinkat fs/namei.c:4420 [inline]
__se_sys_unlinkat fs/namei.c:4414 [inline]
__x64_sys_unlinkat+0xef/0x130 fs/namei.c:4414
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f2e9ca7c587
Code: 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 07 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fffc88210f8 EFLAGS: 00000207 ORIG_RAX: 0000000000000107
RAX: ffffffffffffffda RBX: 0000000000000065 RCX: 00007f2e9ca7c587
RDX: 0000000000000200 RSI: 00007fffc8822270 RDI: 00000000ffffff9c
RBP: 00007f2e9cac83b9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000100 R11: 0000000000000207 R12: 00007fffc8822270
R13: 00007f2e9cac83b9 R14: 00000000000f8fb4 R15: 000000000000000c
Allocated by task 20641:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
unpoison_slab_object mm/kasan/common.c:314 [inline]
__kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:340
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slub.c:3813 [inline]
slab_alloc_node mm/slub.c:3860 [inline]
kmem_cache_alloc_lru+0x142/0x6f0 mm/slub.c:3879
alloc_inode_sb include/linux/fs.h:3019 [inline]
sock_alloc_inode+0x25/0x1c0 net/socket.c:308
alloc_inode+0x5d/0x220 fs/inode.c:260
new_inode_pseudo+0x16/0x80 fs/inode.c:1005
sock_alloc+0x40/0x270 net/socket.c:634
__sock_create+0xbc/0x800 net/socket.c:1535
sock_create net/socket.c:1622 [inline]
__sys_socket_create net/socket.c:1659 [inline]
__sys_socket+0x14c/0x260 net/socket.c:1706
__do_sys_socket net/socket.c:1720 [inline]
__se_sys_socket net/socket.c:1718 [inline]
__x64_sys_socket+0x72/0xb0 net/socket.c:1718
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
Freed by task 1097:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:634
poison_slab_object mm/kasan/common.c:241 [inline]
__kasan_slab_free+0x121/0x1b0 mm/kasan/common.c:257
kasan_slab_free include/linux/kasan.h:184 [inline]
slab_free_hook mm/slub.c:2121 [inline]
slab_free mm/slub.c:4299 [inline]
kmem_cache_free+0x129/0x350 mm/slub.c:4363
i_callback+0x43/0x70 fs/inode.c:249
rcu_do_batch kernel/rcu/tree.c:2158 [inline]
rcu_core+0x819/0x1680 kernel/rcu/tree.c:2431
__do_softirq+0x21a/0x8de kernel/softirq.c:553
Last potentially related work creation:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:47
__kasan_record_aux_stack+0xba/0x100 mm/kasan/generic.c:580
__call_rcu_common.constprop.0+0x9a/0x7a0 kernel/rcu/tree.c:2681
destroy_inode+0x129/0x1b0 fs/inode.c:315
iput_final fs/inode.c:1776 [inline]
iput.part.0+0x560/0x7b0 fs/inode.c:1802
iput+0x5c/0x80 fs/inode.c:1792
dentry_unlink_inode+0x292/0x430 fs/dcache.c:400
__dentry_kill+0x3b8/0x640 fs/dcache.c:608
dentry_kill fs/dcache.c:734 [inline]
dput+0x7eb/0xd90 fs/dcache.c:914
__fput+0x3b9/0xb70 fs/file_table.c:389
task_work_run+0x14d/0x240 kernel/task_work.c:180
get_signal+0x106f/0x2790 kernel/signal.c:2669
arch_do_signal_or_restart+0x90/0x7f0 arch/x86/kernel/signal.c:310
exit_to_user_mode_loop kernel/entry/common.c:105 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:201 [inline]
syscall_exit_to_user_mode+0x156/0x2b0 kernel/entry/common.c:212
do_syscall_64+0xe0/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x63/0x6b
The buggy address belongs to the object at ffff888044476c00
which belongs to the cache sock_inode_cache of size 1408
The buggy address is located 128 bytes inside of
freed 1408-byte region [ffff888044476c00, ffff888044477180)
The buggy address belongs to the physical page:
page:ffffea0001111c00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x44470
head:ffffea0001111c00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff88807a9a0661
ksm flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000840 ffff88801769cb40 ffffea000231f400 dead000000000003
raw: 0000000000000000 0000000000150015 00000001ffffffff ffff88807a9a0661
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Reclaimable, gfp_mask 0x1d20d0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 9391, tgid 9391 (syz-executor.1), ts 362225161569, free_ts 332984055830
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2d0/0x350 mm/page_alloc.c:1533
prep_new_page mm/page_alloc.c:1540 [inline]
get_page_from_freelist+0xa28/0x3780 mm/page_alloc.c:3311
__alloc_pages+0x22f/0x2440 mm/page_alloc.c:4567
__alloc_pages_node include/linux/gfp.h:238 [inline]
alloc_pages_node include/linux/gfp.h:261 [inline]
alloc_slab_page mm/slub.c:2190 [inline]
allocate_slab mm/slub.c:2354 [inline]
new_slab+0xcc/0x3a0 mm/slub.c:2407
___slab_alloc+0x4af/0x19a0 mm/slub.c:3540
__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3625
__slab_alloc_node mm/slub.c:3678 [inline]
slab_alloc_node mm/slub.c:3850 [inline]
kmem_cache_alloc_lru+0x379/0x6f0 mm/slub.c:3879
alloc_inode_sb include/linux/fs.h:3019 [inline]
sock_alloc_inode+0x25/0x1c0 net/socket.c:308
alloc_inode+0x5d/0x220 fs/inode.c:260
new_inode_pseudo+0x16/0x80 fs/inode.c:1005
sock_alloc+0x40/0x270 net/socket.c:634
__sock_create+0xbc/0x800 net/socket.c:1535
sock_create net/socket.c:1622 [inline]
__sys_socket_create net/socket.c:1659 [inline]
__sys_socket+0x14c/0x260 net/socket.c:1706
__do_sys_socket net/socket.c:1720 [inline]
__se_sys_socket net/socket.c:1718 [inline]
__x64_sys_socket+0x72/0xb0 net/socket.c:1718
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
page last free pid 5149 tgid 5149 stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1140 [inline]
free_unref_page_prepare+0x51f/0xb10 mm/page_alloc.c:2346
free_unref_page+0x33/0x3c0 mm/page_alloc.c:2486
__put_partials+0x14c/0x160 mm/slub.c:2922
qlink_free mm/kasan/quarantine.c:160 [inline]
qlist_free_all+0x58/0x150 mm/kasan/quarantine.c:176
kasan_quarantine_reduce+0x18e/0x1d0 mm/kasan/quarantine.c:283
__kasan_slab_alloc+0x65/0x90 mm/kasan/common.c:324
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slub.c:3813 [inline]
slab_alloc_node mm/slub.c:3860 [inline]
kmalloc_trace+0x148/0x340 mm/slub.c:4007
kmalloc include/linux/slab.h:590 [inline]
kzalloc include/linux/slab.h:711 [inline]
keypair_create drivers/net/wireguard/noise.c:100 [inline]
wg_noise_handshake_begin_session+0xe1/0xe70 drivers/net/wireguard/noise.c:827
wg_receive_handshake_packet+0x74a/0xbf0 drivers/net/wireguard/receive.c:176
wg_packet_handshake_receive_worker+0x17f/0x3a0 drivers/net/wireguard/receive.c:213
process_one_work+0x886/0x15d0 kernel/workqueue.c:2633
process_scheduled_works kernel/workqueue.c:2706 [inline]
worker_thread+0x8b9/0x1290 kernel/workqueue.c:2787
kthread+0x2c6/0x3a0 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
Memory state around the buggy address:
ffff888044476b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888044476c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888044476c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888044476d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888044476d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess), 1 bytes skipped:
0: e8 9a c4 4d 00 call 0x4dc49f
5: 4c 89 e7 mov %r12,%rdi
8: e8 22 da ff ff call 0xffffda2f
d: 48 8d 7b 40 lea 0x40(%rbx),%rdi
11: 48 89 fa mov %rdi,%rdx
14: 49 89 c4 mov %rax,%r12
17: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
1e: fc ff df
21: 48 c1 ea 03 shr $0x3,%rdx
25: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
* 29: 0f 84 64 f6 ff ff je 0xfffff693 <-- trapping instruction
2f: e8 eb 3b a5 00 call 0xa53c1f
34: e9 5a f6 ff ff jmp 0xfffff693
39: e8 61 c4 4d 00 call 0x4dc49f
3e: 4c rex.WR