==================================================================
BUG: KASAN: slab-use-after-free in generic_test_bit include/asm-generic/bitops/generic-non-atomic.h:128 [inline]
BUG: KASAN: slab-use-after-free in cpumask_test_cpu include/linux/cpumask.h:562 [inline]
BUG: KASAN: slab-use-after-free in profile_tick+0x128/0x12c kernel/profile.c:338
Read of size 8 at addr ffff00000ea4a6c0 by task syz.1.13100/1746

CPU: 0 UID: 0 PID: 1746 Comm: syz.1.13100 Not tainted 6.10.0-syzkaller-12881-g6342649c33d2 #0
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace+0x9c/0x11c arch/arm64/kernel/stacktrace.c:317
 show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:324
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0xa4/0xf4 lib/dump_stack.c:119
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xf4/0x5a4 mm/kasan/report.c:488
 kasan_report+0xc8/0x108 mm/kasan/report.c:601
 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381
 generic_test_bit include/asm-generic/bitops/generic-non-atomic.h:128 [inline]
 cpumask_test_cpu include/linux/cpumask.h:562 [inline]
 profile_tick+0x128/0x12c kernel/profile.c:338
 tick_sched_handle kernel/time/tick-sched.c:277 [inline]
 tick_nohz_handler+0x1a0/0x40c kernel/time/tick-sched.c:297
 __run_hrtimer kernel/time/hrtimer.c:1689 [inline]
 __hrtimer_run_queues+0x55c/0xb28 kernel/time/hrtimer.c:1753
 hrtimer_interrupt+0x2a4/0x76c kernel/time/hrtimer.c:1815
 timer_handler drivers/clocksource/arm_arch_timer.c:674 [inline]
 arch_timer_handler_phys+0x40/0x6c drivers/clocksource/arm_arch_timer.c:692
 handle_percpu_devid_irq+0x19c/0x30c kernel/irq/chip.c:942
 generic_handle_irq_desc include/linux/irqdesc.h:173 [inline]
 handle_irq_desc kernel/irq/irqdesc.c:691 [inline]
 generic_handle_domain_irq+0x78/0xa4 kernel/irq/irqdesc.c:747
 gic_handle_irq+0x54/0x184 drivers/irqchip/irq-gic.c:370
 call_on_irq_stack+0x24/0x4c arch/arm64/kernel/entry.S:889
 do_interrupt_handler+0x12c/0x150 arch/arm64/kernel/entry-common.c:310
 __el1_irq arch/arm64/kernel/entry-common.c:536 [inline]
 el1_interrupt+0x34/0x54 arch/arm64/kernel/entry-common.c:551
 el1h_64_irq_handler+0x18/0x24 arch/arm64/kernel/entry-common.c:556
 el1h_64_irq+0x64/0x68 arch/arm64/kernel/entry.S:594
 __daif_local_irq_restore arch/arm64/include/asm/irqflags.h:175 [inline]
 arch_local_irq_restore arch/arm64/include/asm/irqflags.h:195 [inline]
 lock_acquire kernel/locking/lockdep.c:5762 [inline]
 lock_acquire+0x4e0/0x7a4 kernel/locking/lockdep.c:5724
 rcu_lock_acquire include/linux/rcupdate.h:326 [inline]
 rcu_read_lock_sched include/linux/rcupdate.h:930 [inline]
 pfn_valid include/linux/mmzone.h:2024 [inline]
 page_table_check_clear mm/page_table_check.c:70 [inline]
 __page_table_check_pte_clear+0x154/0x3f0 mm/page_table_check.c:169
 page_table_check_pte_clear include/linux/page_table_check.h:49 [inline]
 __ptep_get_and_clear arch/arm64/include/asm/pgtable.h:1223 [inline]
 __get_and_clear_full_ptes arch/arm64/include/asm/pgtable.h:1246 [inline]
 get_and_clear_full_ptes+0x98/0xc8 arch/arm64/include/asm/pgtable.h:1643
 zap_present_folio_ptes mm/memory.c:1493 [inline]
 zap_present_ptes mm/memory.c:1576 [inline]
 zap_pte_range mm/memory.c:1618 [inline]
 zap_pmd_range mm/memory.c:1736 [inline]
 zap_pud_range mm/memory.c:1765 [inline]
 zap_p4d_range mm/memory.c:1786 [inline]
 unmap_page_range+0xa88/0x22bc mm/memory.c:1807
 unmap_single_vma.constprop.0+0xb4/0x188 mm/memory.c:1853
 unmap_vmas+0x194/0x318 mm/memory.c:1897
 exit_mmap+0x12c/0x94c mm/mmap.c:3412
 __mmput+0xa8/0x340 kernel/fork.c:1345
 mmput+0x88/0x98 kernel/fork.c:1367
 exit_mm kernel/exit.c:571 [inline]
 do_exit+0x6d4/0x1fc4 kernel/exit.c:869
 do_group_exit+0xa4/0x208 kernel/exit.c:1031
 get_signal+0x1ae8/0x1b90 kernel/signal.c:2917
 do_signal+0x22c/0x2be8 arch/arm64/kernel/signal.c:1308
 do_notify_resume+0x190/0x25c arch/arm64/kernel/entry-common.c:148
 exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]
 el0_svc_compat+0xfc/0x17c arch/arm64/kernel/entry-common.c:853
 el0t_32_sync_handler+0x98/0x13c arch/arm64/kernel/entry-common.c:862
 el0t_32_sync+0x194/0x198 arch/arm64/kernel/entry.S:603

Allocated by task 1746:
 kasan_save_stack+0x3c/0x64 mm/kasan/common.c:47
 kasan_save_track+0x20/0x3c mm/kasan/common.c:68
 kasan_save_alloc_info+0x40/0x54 mm/kasan/generic.c:565
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0xb8/0xbc mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __kmalloc_cache_node_noprof+0x1a8/0x324 mm/slub.c:4201
 kmalloc_node_noprof include/linux/slab.h:704 [inline]
 alloc_cpumask_var_node+0x8c/0x154 lib/cpumask.c:62
 alloc_cpumask_var include/linux/cpumask.h:944 [inline]
 profile_init+0x68/0x16c kernel/profile.c:117
 profiling_store+0x54/0xa8 kernel/ksysfs.c:104
 kobj_attr_store+0x3c/0x70 lib/kobject.c:840
 sysfs_kf_write+0xe0/0x12c fs/sysfs/file.c:136
 kernfs_fop_write_iter+0x238/0x3c8 fs/kernfs/file.c:334
 new_sync_write fs/read_write.c:497 [inline]
 vfs_write+0x4a8/0xacc fs/read_write.c:590
 ksys_write+0xf0/0x1dc fs/read_write.c:643
 __do_sys_write fs/read_write.c:655 [inline]
 __se_sys_write fs/read_write.c:652 [inline]
 __arm64_sys_write+0x6c/0x9c fs/read_write.c:652
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x6c/0x258 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0xa4/0x234 arch/arm64/kernel/syscall.c:132
 do_el0_svc_compat+0x44/0x68 arch/arm64/kernel/syscall.c:157
 el0_svc_compat+0x4c/0x17c arch/arm64/kernel/entry-common.c:852
 el0t_32_sync_handler+0x98/0x13c arch/arm64/kernel/entry-common.c:862
 el0t_32_sync+0x194/0x198 arch/arm64/kernel/entry.S:603

Freed by task 1746:
 kasan_save_stack+0x3c/0x64 mm/kasan/common.c:47
 kasan_save_track+0x20/0x3c mm/kasan/common.c:68
 kasan_save_free_info+0x4c/0x74 mm/kasan/generic.c:579
 poison_slab_object+0x114/0x15c mm/kasan/common.c:240
 __kasan_slab_free+0x1c/0x44 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2252 [inline]
 slab_free mm/slub.c:4473 [inline]
 kfree+0x10c/0x378 mm/slub.c:4594
 free_cpumask_var+0x10/0x1c lib/cpumask.c:100
 profile_init+0x108/0x16c kernel/profile.c:135
 profiling_store+0x54/0xa8 kernel/ksysfs.c:104
 kobj_attr_store+0x3c/0x70 lib/kobject.c:840
 sysfs_kf_write+0xe0/0x12c fs/sysfs/file.c:136
 kernfs_fop_write_iter+0x238/0x3c8 fs/kernfs/file.c:334
 new_sync_write fs/read_write.c:497 [inline]
 vfs_write+0x4a8/0xacc fs/read_write.c:590
 ksys_write+0xf0/0x1dc fs/read_write.c:643
 __do_sys_write fs/read_write.c:655 [inline]
 __se_sys_write fs/read_write.c:652 [inline]
 __arm64_sys_write+0x6c/0x9c fs/read_write.c:652
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x6c/0x258 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0xa4/0x234 arch/arm64/kernel/syscall.c:132
 do_el0_svc_compat+0x44/0x68 arch/arm64/kernel/syscall.c:157
 el0_svc_compat+0x4c/0x17c arch/arm64/kernel/entry-common.c:852
 el0t_32_sync_handler+0x98/0x13c arch/arm64/kernel/entry-common.c:862
 el0t_32_sync+0x194/0x198 arch/arm64/kernel/entry.S:603

The buggy address belongs to the object at ffff00000ea4a6c0
 which belongs to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes inside of
 freed 8-byte region [ffff00000ea4a6c0, ffff00000ea4a6c8)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff00000ea4ada0 pfn:0x4ea4a
anon flags: 0x1ffc00000000000(node=0|zone=0|lastcpupid=0x7ff)
page_type: 0xfdffffff(slab)
raw: 01ffc00000000000 ffff00000a001500 0000000000000000 dead000000000001
raw: ffff00000ea4ada0 000000000080007a 00000001fdffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff00000ea4a580: 05 fc fc fc 05 fc fc fc 05 fc fc fc 05 fc fc fc
 ffff00000ea4a600: 07 fc fc fc 07 fc fc fc 07 fc fc fc 00 fc fc fc
>ffff00000ea4a680: 00 fc fc fc 00 fc fc fc fa fc fc fc 05 fc fc fc
                                           ^
 ffff00000ea4a700: fa fc fc fc 00 fc fc fc 00 fc fc fc 00 fc fc fc
 ffff00000ea4a780: 00 fc fc fc fa fc fc fc 04 fc fc fc 06 fc fc fc
==================================================================