================================================================== BUG: KASAN: slab-use-after-free in __bpf_trace_run kernel/trace/bpf_trace.c:2382 [inline] BUG: KASAN: slab-use-after-free in bpf_trace_run4+0x143/0x580 kernel/trace/bpf_trace.c:2439 Read of size 8 at addr ffff888023ce7518 by task syz-executor.3/6994 CPU: 0 PID: 6994 Comm: syz-executor.3 Not tainted 6.8.0-syzkaller-05243-g14bb1e8c8d4a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 __bpf_trace_run kernel/trace/bpf_trace.c:2382 [inline] bpf_trace_run4+0x143/0x580 kernel/trace/bpf_trace.c:2439 __traceiter_sched_switch+0x98/0xd0 include/trace/events/sched.h:222 trace_sched_switch include/trace/events/sched.h:222 [inline] __schedule+0x255d/0x4a20 kernel/sched/core.c:6733 preempt_schedule_irq+0xfb/0x1c0 kernel/sched/core.c:7058 irqentry_exit+0x5e/0x90 kernel/entry/common.c:348 asm_sysvec_reschedule_ipi+0x1a/0x20 arch/x86/include/asm/idtentry.h:707 RIP: 0010:__sanitizer_cov_trace_pc+0x55/0x70 kernel/kcov.c:221 Code: 16 00 00 00 74 2c 8b 91 f0 15 00 00 83 fa 02 75 21 48 8b 91 f8 15 00 00 48 8b 32 48 8d 7e 01 8b 89 f4 15 00 00 48 39 cf 73 08 <48> 89 3a 48 89 44 f2 08 c3 cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 RSP: 0018:ffffc9000e86ee80 EFLAGS: 00000283 RAX: ffffffff848ee547 RBX: 0000000000000000 RCX: 0000000000040000 RDX: ffffc9000a11c000 RSI: 0000000000004660 RDI: 0000000000004661 RBP: dffffc0000000000 R08: ffffffff848eda1b R09: 1ffffffff2598ea0 R10: dffffc0000000000 R11: fffffbfff2598ea1 R12: dffffc0000000000 R13: dffffc0000000000 R14: ffff888078c75000 R15: ffff88807a31e000 bio_associate_blkg_from_css+0x27/0xc70 block/blk-cgroup.c:2041 bio_associate_blkg+0x170/0x230 block/blk-cgroup.c:2077 bio_init block/bio.c:265 [inline] bio_alloc_bioset+0x57a/0x1130 block/bio.c:571 bio_alloc_clone block/bio.c:853 [inline] bio_split+0xe6/0x430 block/bio.c:1633 bio_split_rw+0x8bc/0xab0 block/blk-merge.c:333 __bio_split_to_limits+0x59a/0xad0 block/blk-merge.c:366 blk_mq_submit_bio+0x7d3/0x1fd0 block/blk-mq.c:2978 __submit_bio+0x23e/0x2f0 block/blk-core.c:619 __submit_bio_noacct_mq block/blk-core.c:698 [inline] submit_bio_noacct_nocheck+0xa25/0xd90 block/blk-core.c:727 iomap_dio_submit_bio fs/iomap/direct-io.c:80 [inline] iomap_dio_bio_iter+0x1000/0x1670 fs/iomap/direct-io.c:418 __iomap_dio_rw+0x1271/0x2320 fs/iomap/direct-io.c:660 iomap_dio_rw+0x46/0xa0 fs/iomap/direct-io.c:749 ext4_dio_write_iter fs/ext4/file.c:577 [inline] ext4_file_write_iter+0x15e5/0x1a10 fs/ext4/file.c:696 call_write_iter include/linux/fs.h:2108 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0xa84/0xcb0 fs/read_write.c:590 ksys_write+0x1a0/0x2c0 fs/read_write.c:643 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x6d/0x75 RIP: 0033:0x7fe12c67de69 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fe12d4bc0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007fe12c7abf80 RCX: 00007fe12c67de69 RDX: 0000000000043400 RSI: 0000000020000200 RDI: 0000000000000006 RBP: 00007fe12c6ca47a R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007fe12c7abf80 R15: 00007ffd9bce09b8 Allocated by task 6990: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:370 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387 kasan_kmalloc include/linux/kasan.h:211 [inline] kmalloc_trace+0x1d9/0x360 mm/slub.c:4012 kmalloc include/linux/slab.h:590 [inline] kzalloc include/linux/slab.h:711 [inline] bpf_raw_tp_link_attach+0x2a0/0x6e0 kernel/bpf/syscall.c:3816 bpf_raw_tracepoint_open+0x1c2/0x240 kernel/bpf/syscall.c:3863 __sys_bpf+0x3c0/0x810 kernel/bpf/syscall.c:5673 __do_sys_bpf kernel/bpf/syscall.c:5738 [inline] __se_sys_bpf kernel/bpf/syscall.c:5736 [inline] __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5736 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x6d/0x75 Freed by task 6988: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:589 poison_slab_object+0xa6/0xe0 mm/kasan/common.c:240 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2121 [inline] slab_free mm/slub.c:4299 [inline] kfree+0x14a/0x380 mm/slub.c:4409 bpf_link_release+0x3b/0x50 kernel/bpf/syscall.c:3071 __fput+0x429/0x8a0 fs/file_table.c:423 __do_sys_close fs/open.c:1557 [inline] __se_sys_close fs/open.c:1542 [inline] __x64_sys_close+0x7f/0x110 fs/open.c:1542 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x6d/0x75 The buggy address belongs to the object at ffff888023ce7500 which belongs to the cache kmalloc-128 of size 128 The buggy address is located 24 bytes inside of freed 128-byte region [ffff888023ce7500, ffff888023ce7580) The buggy address belongs to the physical page: page:ffffea00008f39c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x23ce7 flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff) page_type: 0xffffffff() raw: 00fff00000000800 ffff888014c418c0 dead000000000100 dead000000000122 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 4521, tgid 4521 (udevd), ts 65889977646, free_ts 65820750840 set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook+0x1ea/0x210 mm/page_alloc.c:1533 prep_new_page mm/page_alloc.c:1540 [inline] get_page_from_freelist+0x33ea/0x3580 mm/page_alloc.c:3311 __alloc_pages+0x256/0x680 mm/page_alloc.c:4569 __alloc_pages_node include/linux/gfp.h:238 [inline] alloc_pages_node include/linux/gfp.h:261 [inline] alloc_slab_page+0x5f/0x160 mm/slub.c:2190 allocate_slab mm/slub.c:2354 [inline] new_slab+0x84/0x2f0 mm/slub.c:2407 ___slab_alloc+0xd1b/0x13e0 mm/slub.c:3540 __slab_alloc mm/slub.c:3625 [inline] __slab_alloc_node mm/slub.c:3678 [inline] slab_alloc_node mm/slub.c:3850 [inline] __do_kmalloc_node mm/slub.c:3980 [inline] __kmalloc_node+0x2d9/0x4e0 mm/slub.c:3988 kmalloc_array_node include/linux/slab.h:688 [inline] kcalloc_node include/linux/slab.h:693 [inline] memcg_alloc_slab_cgroups+0x81/0x120 mm/memcontrol.c:3014 account_slab mm/slub.c:2317 [inline] allocate_slab mm/slub.c:2372 [inline] new_slab+0xc0/0x2f0 mm/slub.c:2407 ___slab_alloc+0xd1b/0x13e0 mm/slub.c:3540 __slab_alloc mm/slub.c:3625 [inline] __slab_alloc_node mm/slub.c:3678 [inline] slab_alloc_node mm/slub.c:3850 [inline] kmem_cache_alloc+0x250/0x350 mm/slub.c:3867 kmem_cache_zalloc include/linux/slab.h:701 [inline] seq_open+0x62/0x140 fs/seq_file.c:63 kernfs_fop_open+0x602/0xcd0 do_dentry_open+0x907/0x15a0 fs/open.c:956 do_open fs/namei.c:3643 [inline] path_openat+0x2860/0x3240 fs/namei.c:3800 do_filp_open+0x235/0x490 fs/namei.c:3827 page last free pid 5318 tgid 5315 stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1140 [inline] free_unref_page_prepare+0x968/0xa90 mm/page_alloc.c:2346 free_unref_page_list+0x5a3/0x850 mm/page_alloc.c:2532 release_pages+0x2744/0x2a80 mm/swap.c:1042 tlb_batch_pages_flush mm/mmu_gather.c:98 [inline] tlb_flush_mmu_free mm/mmu_gather.c:293 [inline] tlb_flush_mmu+0x34d/0x4e0 mm/mmu_gather.c:300 tlb_finish_mmu+0xd4/0x200 mm/mmu_gather.c:392 exit_mmap+0x4b6/0xd40 mm/mmap.c:3300 __mmput+0x115/0x3c0 kernel/fork.c:1345 exit_mm+0x220/0x310 kernel/exit.c:569 do_exit+0x99e/0x27e0 kernel/exit.c:865 do_group_exit+0x207/0x2c0 kernel/exit.c:1027 get_signal+0x176e/0x1850 kernel/signal.c:2907 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:310 exit_to_user_mode_loop kernel/entry/common.c:105 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:201 [inline] syscall_exit_to_user_mode+0xc9/0x360 kernel/entry/common.c:212 do_syscall_64+0x10a/0x240 arch/x86/entry/common.c:89 entry_SYSCALL_64_after_hwframe+0x6d/0x75 Memory state around the buggy address: ffff888023ce7400: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc ffff888023ce7480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888023ce7500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888023ce7580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888023ce7600: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc ================================================================== ---------------- Code disassembly (best guess), 1 bytes skipped: 0: 00 00 add %al,(%rax) 2: 00 74 2c 8b add %dh,-0x75(%rsp,%rbp,1) 6: 91 xchg %eax,%ecx 7: f0 15 00 00 83 fa lock adc $0xfa830000,%eax d: 02 75 21 add 0x21(%rbp),%dh 10: 48 8b 91 f8 15 00 00 mov 0x15f8(%rcx),%rdx 17: 48 8b 32 mov (%rdx),%rsi 1a: 48 8d 7e 01 lea 0x1(%rsi),%rdi 1e: 8b 89 f4 15 00 00 mov 0x15f4(%rcx),%ecx 24: 48 39 cf cmp %rcx,%rdi 27: 73 08 jae 0x31 * 29: 48 89 3a mov %rdi,(%rdx) <-- trapping instruction 2c: 48 89 44 f2 08 mov %rax,0x8(%rdx,%rsi,8) 31: c3 ret 32: cc int3 33: cc int3 34: cc int3 35: cc int3 36: 66 data16 37: 2e cs 38: 0f .byte 0xf 39: 1f (bad) 3a: 84 00 test %al,(%rax) 3c: 00 00 add %al,(%rax)