================================================================== BUG: KASAN: use-after-free in smc_fback_error_report+0x96/0xa0 net/smc/af_smc.c:664 Read of size 8 at addr ffff888049343028 by task kworker/1:33/31463 CPU: 1 PID: 31463 Comm: kworker/1:33 Not tainted 5.17.0-rc3-syzkaller-00125-g525de9a79349 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events pwq_unbound_release_workfn Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x8d/0x336 mm/kasan/report.c:255 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 smc_fback_error_report+0x96/0xa0 net/smc/af_smc.c:664 sk_error_report+0x35/0x310 net/core/sock.c:340 tcp_write_err net/ipv4/tcp_timer.c:71 [inline] tcp_write_timeout net/ipv4/tcp_timer.c:276 [inline] tcp_retransmit_timer+0x20c2/0x3320 net/ipv4/tcp_timer.c:512 tcp_write_timer_handler+0x5e6/0xbc0 net/ipv4/tcp_timer.c:622 tcp_write_timer+0xa2/0x2b0 net/ipv4/tcp_timer.c:642 call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1421 expire_timers kernel/time/timer.c:1466 [inline] __run_timers.part.0+0x67c/0xa30 kernel/time/timer.c:1734 __run_timers kernel/time/timer.c:1715 [inline] run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1747 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558 invoke_softirq kernel/softirq.c:432 [inline] __irq_exit_rcu+0x123/0x180 kernel/softirq.c:637 irq_exit_rcu+0x5/0x20 kernel/softirq.c:649 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638 RIP: 0010:lockdep_unregister_key+0x1c9/0x250 kernel/locking/lockdep.c:6328 Code: 00 00 00 48 89 ee e8 46 fd ff ff 4c 89 f7 e8 4e c9 ff ff e8 f9 cb ff ff 9c 58 f6 c4 02 75 26 41 f7 c4 00 02 00 00 74 01 fb 5b <5d> 41 5c 41 5d 41 5e 41 5f e9 99 4d 08 00 0f 0b 5b 5d 41 5c 41 5d RSP: 0000:ffffc9000b45fcb8 EFLAGS: 00000206 RAX: 0000000000000046 RBX: ffff8880291a2c98 RCX: 0000000000000001 RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffff88805154e928 R08: 0000000000000001 R09: ffffffff8f213696 R10: fffffbfff1ff7b1b R11: 000000000002804b R12: 0000000000000246 R13: 0000000000000000 R14: ffffffff8ffbb908 R15: ffffffff90143428 wq_unregister_lockdep kernel/workqueue.c:3508 [inline] pwq_unbound_release_workfn+0x254/0x340 kernel/workqueue.c:3746 process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307 worker_thread+0x657/0x1110 kernel/workqueue.c:2454 kthread+0x2e9/0x3a0 kernel/kthread.c:377 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 The buggy address belongs to the page: page:ffffea000124d0c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x49343 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 ffffea000124d108 ffffea000124d088 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 0, migratetype Unmovable, gfp_mask 0x100cc0(GFP_USER), pid 29704, ts 2674089458734, free_ts 2674305866099 prep_new_page mm/page_alloc.c:2434 [inline] get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389 alloc_pages+0x1aa/0x310 mm/mempolicy.c:2271 __get_free_pages+0x8/0x40 mm/page_alloc.c:5438 kasan_populate_vmalloc_pte mm/kasan/shadow.c:271 [inline] kasan_populate_vmalloc_pte+0x25/0x160 mm/kasan/shadow.c:262 apply_to_pte_range mm/memory.c:2541 [inline] apply_to_pmd_range mm/memory.c:2585 [inline] apply_to_pud_range mm/memory.c:2621 [inline] apply_to_p4d_range mm/memory.c:2657 [inline] __apply_to_page_range+0x686/0x1030 mm/memory.c:2691 alloc_vmap_area+0xa7a/0x1dc0 mm/vmalloc.c:1571 __get_vm_area_node.constprop.0+0x128/0x380 mm/vmalloc.c:2436 __vmalloc_node_range+0x150/0x1060 mm/vmalloc.c:3092 __vmalloc_node+0x6f/0x90 mm/vmalloc.c:3157 kvmalloc_node+0xd7/0x100 mm/util.c:593 kvmalloc include/linux/slab.h:732 [inline] xt_alloc_table_info+0x3c/0xa0 net/netfilter/x_tables.c:1192 do_replace net/ipv4/netfilter/ip_tables.c:1125 [inline] do_ipt_set_ctl+0x500/0xb80 net/ipv4/netfilter/ip_tables.c:1630 nf_setsockopt+0x83/0xe0 net/netfilter/nf_sockopt.c:101 ip_setsockopt+0x3c3/0x3a90 net/ipv4/ip_sockglue.c:1444 tcp_setsockopt+0x136/0x2520 net/ipv4/tcp.c:3694 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1352 [inline] free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1404 free_unref_page_prepare mm/page_alloc.c:3325 [inline] free_unref_page+0x19/0x690 mm/page_alloc.c:3404 kasan_depopulate_vmalloc_pte+0x5c/0x70 mm/kasan/shadow.c:380 apply_to_pte_range mm/memory.c:2541 [inline] apply_to_pmd_range mm/memory.c:2585 [inline] apply_to_pud_range mm/memory.c:2621 [inline] apply_to_p4d_range mm/memory.c:2657 [inline] __apply_to_page_range+0x686/0x1030 mm/memory.c:2691 kasan_release_vmalloc+0xa7/0xc0 mm/kasan/shadow.c:490 __purge_vmap_area_lazy+0x8f9/0x1c50 mm/vmalloc.c:1710 try_purge_vmap_area_lazy mm/vmalloc.c:1729 [inline] free_vmap_area_noflush+0xa57/0xd00 mm/vmalloc.c:1771 free_unmap_vmap_area mm/vmalloc.c:1784 [inline] remove_vm_area+0x1ca/0x230 mm/vmalloc.c:2530 free_vm_area mm/vmalloc.c:3551 [inline] __vmalloc_area_node mm/vmalloc.c:2955 [inline] __vmalloc_node_range+0xe98/0x1060 mm/vmalloc.c:3107 __vmalloc_node+0x6f/0x90 mm/vmalloc.c:3157 kvmalloc_node+0xd7/0x100 mm/util.c:593 kvmalloc include/linux/slab.h:732 [inline] xt_alloc_table_info+0x3c/0xa0 net/netfilter/x_tables.c:1192 do_replace net/ipv4/netfilter/ip_tables.c:1125 [inline] do_ipt_set_ctl+0x500/0xb80 net/ipv4/netfilter/ip_tables.c:1630 nf_setsockopt+0x83/0xe0 net/netfilter/nf_sockopt.c:101 ip_setsockopt+0x3c3/0x3a90 net/ipv4/ip_sockglue.c:1444 tcp_setsockopt+0x136/0x2520 net/ipv4/tcp.c:3694 Memory state around the buggy address: ffff888049342f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888049342f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff888049343000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff888049343080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888049343100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== ---------------- Code disassembly (best guess): 0: 00 00 add %al,(%rax) 2: 00 48 89 add %cl,-0x77(%rax) 5: ee out %al,(%dx) 6: e8 46 fd ff ff callq 0xfffffd51 b: 4c 89 f7 mov %r14,%rdi e: e8 4e c9 ff ff callq 0xffffc961 13: e8 f9 cb ff ff callq 0xffffcc11 18: 9c pushfq 19: 58 pop %rax 1a: f6 c4 02 test $0x2,%ah 1d: 75 26 jne 0x45 1f: 41 f7 c4 00 02 00 00 test $0x200,%r12d 26: 74 01 je 0x29 28: fb sti 29: 5b pop %rbx * 2a: 5d pop %rbp <-- trapping instruction 2b: 41 5c pop %r12 2d: 41 5d pop %r13 2f: 41 5e pop %r14 31: 41 5f pop %r15 33: e9 99 4d 08 00 jmpq 0x84dd1 38: 0f 0b ud2 3a: 5b pop %rbx 3b: 5d pop %rbp 3c: 41 5c pop %r12 3e: 41 5d pop %r13