audit: type=1804 audit(1668276855.773:316): pid=4998 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=ToMToU comm="syz-executor.4" name="/root/syzkaller-testdir44574570/syzkaller.PnSgdQ/898/file0" dev="sda1" ino=15731 res=1
==================================================================
BUG: KASAN: use-after-free in d_inode include/linux/dcache.h:516 [inline]
BUG: KASAN: use-after-free in relay_switch_subbuf+0x8cc/0x940 kernel/relay.c:761
Read of size 8 at addr ffff8880b544e238 by task kworker/0:1H/2836

CPU: 0 PID: 2836 Comm: kworker/0:1H Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Workqueue: kblockd blk_mq_run_work_fn
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
 kasan_report mm/kasan/report.c:412 [inline]
 __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
 d_inode include/linux/dcache.h:516 [inline]
 relay_switch_subbuf+0x8cc/0x940 kernel/relay.c:761
 relay_reserve include/linux/relay.h:261 [inline]
 trace_note+0x5eb/0x750 kernel/trace/blktrace.c:96
 trace_note_tsk kernel/trace/blktrace.c:127 [inline]
 __blk_add_trace+0xb86/0xe20 kernel/trace/blktrace.c:267
 blk_add_trace_rq+0x36e/0x470 kernel/trace/blktrace.c:858
 trace_block_rq_issue include/trace/events/block.h:207 [inline]
 blk_mq_start_request+0x39b/0x620 block/blk-mq.c:636
 scsi_mq_prep_fn drivers/scsi/scsi_lib.c:2062 [inline]
 scsi_queue_rq+0xfef/0x1aa0 drivers/scsi/scsi_lib.c:2124
 blk_mq_dispatch_rq_list+0xca7/0x1980 block/blk-mq.c:1203
 blk_mq_do_dispatch_sched+0x187/0x400 block/blk-mq-sched.c:117
 blk_mq_sched_dispatch_requests+0x38c/0x5b0 block/blk-mq-sched.c:213
 __blk_mq_run_hw_queue+0x185/0x290 block/blk-mq.c:1324
 blk_mq_run_work_fn+0x48/0x60 block/blk-mq.c:1557
 process_one_work+0x864/0x1570 kernel/workqueue.c:2153
 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
 kthread+0x33f/0x460 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

Allocated by task 4478:
 kmem_cache_alloc+0x122/0x370 mm/slab.c:3559
 __d_alloc+0x2b/0xa10 fs/dcache.c:1612
 d_alloc+0x4a/0x230 fs/dcache.c:1696
 d_alloc_parallel+0xeb/0x19e0 fs/dcache.c:2443
 __lookup_slow+0x18d/0x4a0 fs/namei.c:1655
 lookup_one_len+0x163/0x190 fs/namei.c:2544
 start_creating+0xc9/0x220 fs/debugfs/inode.c:313
 __debugfs_create_file+0x5e/0x480 fs/debugfs/inode.c:352
 add_files net/mac80211/debugfs_netdev.c:784 [inline]
 ieee80211_debugfs_add_netdev+0x281/0x1240 net/mac80211/debugfs_netdev.c:828
 ieee80211_runtime_change_iftype net/mac80211/iface.c:1560 [inline]
 ieee80211_if_change_type+0x609/0x7a0 net/mac80211/iface.c:1581
 ieee80211_change_iface+0x26/0x220 net/mac80211/cfg.c:157
 rdev_change_virtual_intf net/wireless/rdev-ops.h:69 [inline]
 cfg80211_change_iface+0x2e1/0x1520 net/wireless/util.c:979
 nl80211_set_interface+0x661/0x830 net/wireless/nl80211.c:3205
 genl_family_rcv_msg+0x642/0xc40 net/netlink/genetlink.c:602
 genl_rcv_msg+0xbf/0x160 net/netlink/genetlink.c:627
 netlink_rcv_skb+0x160/0x440 net/netlink/af_netlink.c:2463
 genl_rcv+0x24/0x40 net/netlink/genetlink.c:638
 netlink_unicast_kernel net/netlink/af_netlink.c:1325 [inline]
 netlink_unicast+0x4d5/0x690 net/netlink/af_netlink.c:1351
 netlink_sendmsg+0x6c3/0xc50 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xc3/0x120 net/socket.c:661
 __sys_sendto+0x21a/0x320 net/socket.c:1899
 __do_sys_sendto net/socket.c:1911 [inline]
 __se_sys_sendto net/socket.c:1907 [inline]
 __x64_sys_sendto+0xdd/0x1b0 net/socket.c:1907
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 18:
 __cache_free mm/slab.c:3503 [inline]
 kmem_cache_free+0x7f/0x260 mm/slab.c:3765
 __rcu_reclaim kernel/rcu/rcu.h:236 [inline]
 rcu_do_batch kernel/rcu/tree.c:2584 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2897 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2864 [inline]
 rcu_process_callbacks+0x8ff/0x18b0 kernel/rcu/tree.c:2881
 __do_softirq+0x265/0x980 kernel/softirq.c:292

The buggy address belongs to the object at ffff8880b544e1e0
 which belongs to the cache dentry of size 288
The buggy address is located 88 bytes inside of
 288-byte region [ffff8880b544e1e0, ffff8880b544e300)
The buggy address belongs to the page:
page:ffffea0002d51380 count:1 mapcount:0 mapping:ffff88813be45200 index:0x0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea0002394e48 ffffea0002c69fc8 ffff88813be45200
raw: 0000000000000000 ffff8880b544e080 000000010000000b 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880b544e100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880b544e180: 00 00 00 00 fc fc fc fc fc fc fc fc fb fb fb fb
ieee802154 phy0 wpan0: encryption failed: -22
>ffff8880b544e200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff8880b544e280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880b544e300: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
==================================================================