==================================================================
BUG: KASAN: use-after-free in bcm_can_tx+0x6be/0x800 net/can/bcm.c:303
Read of size 4 at addr ffff8880a526dc50 by task syz-executor.1/26375
CPU: 1 PID: 26375 Comm: syz-executor.1 Not tainted 4.19.204-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
kasan_report mm/kasan/report.c:412 [inline]
__asan_report_load4_noabort+0x88/0x90 mm/kasan/report.c:432
bcm_can_tx+0x6be/0x800 net/can/bcm.c:303
bcm_tx_timeout_tsklet+0x1f0/0x3a0 net/can/bcm.c:414
tasklet_action_common.constprop.0+0x265/0x360 kernel/softirq.c:522
__do_softirq+0x265/0x980 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:372 [inline]
irq_exit+0x215/0x260 kernel/softirq.c:412
call_function_single_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:916
RIP: 0010:__raw_spin_unlock_irq include/linux/spinlock_api_smp.h:169 [inline]
RIP: 0010:_raw_spin_unlock_irq+0x50/0x80 kernel/locking/spinlock.c:192
Code: c0 d8 82 f1 89 48 ba 00 00 00 00 00 fc ff df 48 c1 e8 03 80 3c 10 00 75 31 48 83 3d 61 65 d8 01 00 74 25 fb 66 0f 1f 44 00 00 01 00 00 00 e8 a6 5d 28 f9 65 8b 05 7f c1 e8 77 85 c0 74 02 5d
RSP: 0018:ffff888048427b10 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff04
RAX: 1ffffffff13e305b RBX: ffff88809dbd8540 RCX: 0000000000000000
RDX: dffffc0000000000 RSI: 0000000000000001 RDI: ffff88809dbd8dc4
RBP: ffff8880ba12b040 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880ba12b040
R13: ffff8880af5e62c0 R14: 0000000000000000 R15: 0000000000000000
finish_lock_switch kernel/sched/core.c:2578 [inline]
finish_task_switch+0x146/0x760 kernel/sched/core.c:2678
context_switch kernel/sched/core.c:2831 [inline]
__schedule+0x88f/0x2040 kernel/sched/core.c:3517
schedule+0x8d/0x1b0 kernel/sched/core.c:3561
freezable_schedule include/linux/freezer.h:172 [inline]
do_nanosleep+0x264/0x6c0 kernel/time/hrtimer.c:1709
hrtimer_nanosleep+0x24d/0x570 kernel/time/hrtimer.c:1763
common_nsleep+0x23/0x30 kernel/time/posix-timers.c:1204
__do_sys_clock_nanosleep kernel/time/posix-timers.c:1231 [inline]
__se_sys_clock_nanosleep+0x261/0x360 kernel/time/posix-timers.c:1209
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x48a7b1
Code: 24 0c 89 3c 24 48 89 4c 24 18 e8 aa e7 ff ff 4c 8b 54 24 18 48 8b 54 24 10 41 89 c0 8b 74 24 0c 8b 3c 24 b8 e6 00 00 00 0f 05 <44> 89 c7 48 89 04 24 e8 e3 e7 ff ff 48 8b 04 24 eb 97 66 2e 0f 1f
RSP: 002b:00007fffb36b1900 EFLAGS: 00000293 ORIG_RAX: 00000000000000e6
RAX: ffffffffffffffda RBX: 0000000000000203 RCX: 000000000048a7b1
RDX: 00007fffb36b1940 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00007fffb36b19dc R08: 0000000000000000 R09: 000000c4426f2fd7
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000032
R13: 00000000000b19b5 R14: 0000000000000006 R15: 00007fffb36b1a40
Allocated by task 2199:
kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625
kmalloc include/linux/slab.h:515 [inline]
kzalloc include/linux/slab.h:709 [inline]
bcm_tx_setup net/can/bcm.c:947 [inline]
bcm_sendmsg+0x25d7/0x4150 net/can/bcm.c:1386
sock_sendmsg_nosec net/socket.c:651 [inline]
sock_sendmsg+0xc3/0x120 net/socket.c:661
___sys_sendmsg+0x7bb/0x8e0 net/socket.c:2225
__sys_sendmsg net/socket.c:2263 [inline]
__do_sys_sendmsg net/socket.c:2272 [inline]
__se_sys_sendmsg net/socket.c:2270 [inline]
__x64_sys_sendmsg+0x132/0x220 net/socket.c:2270
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 2195:
__cache_free mm/slab.c:3503 [inline]
kfree+0xcc/0x210 mm/slab.c:3822
bcm_release+0x260/0x950 net/can/bcm.c:1561
__sock_release+0xcd/0x2a0 net/socket.c:599
sock_close+0x15/0x20 net/socket.c:1212
__fput+0x2ce/0x890 fs/file_table.c:278
task_work_run+0x148/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8880a526db00
which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 336 bytes inside of
1024-byte region [ffff8880a526db00, ffff8880a526df00)
The buggy address belongs to the page:
page:ffffea0002949b00 count:1 mapcount:0 mapping:ffff88813bff0ac0 index:0x0 compound_mapcount: 0
flags: 0xfff00000008100(slab|head)
raw: 00fff00000008100 ffffea0002a4df08 ffffea0002c94888 ffff88813bff0ac0
raw: 0000000000000000 ffff8880a526c000 0000000100000007 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a526db00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880a526db80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880a526dc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880a526dc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880a526dd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess), 5 bytes skipped:
0: 48 ba 00 00 00 00 00 movabs $0xdffffc0000000000,%rdx
7: fc ff df
a: 48 c1 e8 03 shr $0x3,%rax
e: 80 3c 10 00 cmpb $0x0,(%rax,%rdx,1)
12: 75 31 jne 0x45
14: 48 83 3d 61 65 d8 01 cmpq $0x0,0x1d86561(%rip) # 0x1d8657d
1b: 00
1c: 74 25 je 0x43
1e: fb sti
1f: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
* 25: bf 01 00 00 00 mov $0x1,%edi <-- trapping instruction
2a: e8 a6 5d 28 f9 callq 0xf9285dd5
2f: 65 8b 05 7f c1 e8 77 mov %gs:0x77e8c17f(%rip),%eax # 0x77e8c1b5
36: 85 c0 test %eax,%eax
38: 74 02 je 0x3c
3a: 5d pop %rbp