IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
==================================================================
BUG: KASAN: use-after-free in relay_switch_subbuf+0x8be/0x920 /kernel/relay.c:755
Read of size 8 at addr ffff888072ee8d38 by task blkid/27732

CPU: 1 PID: 27732 Comm: blkid Not tainted 4.19.59 #32
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack /lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 /lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d /mm/kasan/report.c:256
 kasan_report_error /mm/kasan/report.c:354 [inline]
 kasan_report /mm/kasan/report.c:412 [inline]
 kasan_report.cold+0x8c/0x2ba /mm/kasan/report.c:396
 __asan_report_load8_noabort+0x14/0x20 /mm/kasan/report.c:433
 relay_switch_subbuf+0x8be/0x920 /kernel/relay.c:755
 relay_reserve /./include/linux/relay.h:261 [inline]
 trace_note.isra.0+0x5b8/0x6e0 /kernel/trace/blktrace.c:93
 trace_note_tsk /kernel/trace/blktrace.c:124 [inline]
 __blk_add_trace+0xb70/0xe10 /kernel/trace/blktrace.c:264
 blk_add_trace_bio.isra.0+0x166/0x1e0 /kernel/trace/blktrace.c:870
 blk_add_trace_bio_queue+0x46/0x60 /kernel/trace/blktrace.c:907
 trace_block_bio_queue /./include/trace/events/block.h:357 [inline]
 generic_make_request_checks+0x1cc2/0x24c0 /block/blk-core.c:2337
 generic_make_request+0x24c/0x12d0 /block/blk-core.c:2403
 submit_bio+0xba/0x480 /block/blk-core.c:2567
 mpage_bio_submit /fs/mpage.c:66 [inline]
 mpage_readpages+0x469/0x630 /fs/mpage.c:410
 blkdev_readpages+0x2d/0x40 /fs/block_dev.c:592
 read_pages+0x101/0x530 /mm/readahead.c:123
 __do_page_cache_readahead+0x626/0x720 /mm/readahead.c:211
 force_page_cache_readahead+0x1e9/0x360 /mm/readahead.c:242
 page_cache_sync_readahead /mm/readahead.c:523 [inline]
 page_cache_sync_readahead+0x4b9/0x520 /mm/readahead.c:510
 generic_file_buffered_read /mm/filemap.c:2092 [inline]
 generic_file_read_iter+0x168c/0x2ac0 /mm/filemap.c:2362
 blkdev_read_iter+0x120/0x190 /fs/block_dev.c:1944
 call_read_iter /./include/linux/fs.h:1814 [inline]
 new_sync_read /fs/read_write.c:406 [inline]
 __vfs_read+0x584/0x800 /fs/read_write.c:418
 vfs_read+0x194/0x3d0 /fs/read_write.c:452
 ksys_read+0x14f/0x2d0 /fs/read_write.c:579
 __do_sys_read /fs/read_write.c:589 [inline]
 __se_sys_read /fs/read_write.c:587 [inline]
 __x64_sys_read+0x73/0xb0 /fs/read_write.c:587
 do_syscall_64+0xfd/0x620 /arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7fcf4092d310
Code: 73 01 c3 48 8b 0d 28 4b 2b 00 31 d2 48 29 c2 64 89 11 48 83 c8 ff eb ea 90 90 83 3d e5 a2 2b 00 00 75 10 b8 00 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 6e 8a 01 00 48 89 04 24
RSP: 002b:00007ffd9d9c8a18 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcf4092d310
RDX: 0000000000000400 RSI: 00000000024fdc58 RDI: 0000000000000003
RBP: 00000000024fdc30 R08: 0000000000000028 R09: 0000000001680000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000024fd030
R13: 0000000000000400 R14: 00000000024fd080 R15: 00000000024fdc48

Allocated by task 7855:
 save_stack+0x45/0xd0 /mm/kasan/kasan.c:448
 set_track /mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc /mm/kasan/kasan.c:553 [inline]
 kasan_kmalloc+0xce/0xf0 /mm/kasan/kasan.c:531
 kasan_slab_alloc+0xf/0x20 /mm/kasan/kasan.c:490
 kmem_cache_alloc+0x12e/0x700 /mm/slab.c:3559
 __d_alloc+0x2e/0x9c0 /fs/dcache.c:1610
 d_alloc+0x4d/0x280 /fs/dcache.c:1694
 __lookup_hash+0xcd/0x190 /fs/namei.c:1542
 filename_create+0x1a7/0x4f0 /fs/namei.c:3636
 user_path_create /fs/namei.c:3693 [inline]
 do_mkdirat+0xb5/0x2a0 /fs/namei.c:3831
 __do_sys_mkdir /fs/namei.c:3855 [inline]
 __se_sys_mkdir /fs/namei.c:3853 [inline]
 __x64_sys_mkdir+0x5c/0x80 /fs/namei.c:3853
 do_syscall_64+0xfd/0x620 /arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 9:
 save_stack+0x45/0xd0 /mm/kasan/kasan.c:448
 set_track /mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x102/0x150 /mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 /mm/kasan/kasan.c:528
 __cache_free /mm/slab.c:3503 [inline]
 kmem_cache_free+0x86/0x260 /mm/slab.c:3765
 __d_free+0x20/0x30 /fs/dcache.c:257
 __rcu_reclaim /kernel/rcu/rcu.h:236 [inline]
 rcu_do_batch /kernel/rcu/tree.c:2584 [inline]
 invoke_rcu_callbacks /kernel/rcu/tree.c:2897 [inline]
 __rcu_process_callbacks /kernel/rcu/tree.c:2864 [inline]
 rcu_process_callbacks+0xba0/0x1a30 /kernel/rcu/tree.c:2881
 __do_softirq+0x25c/0x921 /kernel/softirq.c:292

The buggy address belongs to the object at ffff888072ee8ce0
 which belongs to the cache dentry(97:syz4) of size 288
The buggy address is located 88 bytes inside of
 288-byte region [ffff888072ee8ce0, ffff888072ee8e00)
The buggy address belongs to the page:
page:ffffea0001cbba00 count:1 mapcount:0 mapping:ffff888090c470c0 index:0xffff888072ee88c0
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffffea00012f9dc8 ffffea0000fe0488 ffff888090c470c0
raw: ffff888072ee88c0 ffff888072ee8080 0000000100000002 ffff88805c9da200
page dumped because: kasan: bad access detected
page->mem_cgroup:ffff88805c9da200

Memory state around the buggy address:
 ffff888072ee8c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888072ee8c80: 00 00 00 00 fc fc fc fc fc fc fc fc fb fb fb fb
>ffff888072ee8d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff888072ee8d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888072ee8e00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
==================================================================