==================================================================
BUG: KASAN: slab-use-after-free in __update_min_deadline kernel/sched/fair.c:803 [inline]
BUG: KASAN: slab-use-after-free in min_deadline_update kernel/sched/fair.c:819 [inline]
BUG: KASAN: slab-use-after-free in min_deadline_cb_propagate kernel/sched/fair.c:825 [inline]
BUG: KASAN: slab-use-after-free in reweight_entity+0x248/0x2b8 kernel/sched/fair.c:3660
Read at addr fcff000004792ff0 by task rm/3068
Pointer tag: [fc], memory tag: [fe]

CPU: 1 PID: 3068 Comm: rm Not tainted 6.6.0-rc6-syzkaller-00182-gce55c22ec8b2 #0
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace+0x94/0xec arch/arm64/kernel/stacktrace.c:233
 show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:240
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x48/0x60 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0x108/0x618 mm/kasan/report.c:475
 kasan_report+0x88/0xac mm/kasan/report.c:588
 report_tag_fault arch/arm64/mm/fault.c:334 [inline]
 do_tag_recovery arch/arm64/mm/fault.c:346 [inline]
 __do_kernel_fault+0x17c/0x1e8 arch/arm64/mm/fault.c:393
 do_bad_area arch/arm64/mm/fault.c:493 [inline]
 do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:770
 do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:846
 el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:398
 el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:458
 el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:590
 __update_min_deadline kernel/sched/fair.c:803 [inline]
 min_deadline_update kernel/sched/fair.c:819 [inline]
 min_deadline_cb_propagate kernel/sched/fair.c:825 [inline]
 reweight_entity+0x248/0x2b8 kernel/sched/fair.c:3660
 update_cfs_group+0x80/0x98 kernel/sched/fair.c:3826
 entity_tick kernel/sched/fair.c:5317 [inline]
 task_tick_fair+0x64/0x280 kernel/sched/fair.c:12392
 scheduler_tick+0xcc/0x170 kernel/sched/core.c:5657
 update_process_times+0xa0/0xb4 kernel/time/timer.c:2076
 tick_sched_handle+0x34/0x58 kernel/time/tick-sched.c:254
 tick_sched_timer+0x50/0xa8 kernel/time/tick-sched.c:1492
 __run_hrtimer kernel/time/hrtimer.c:1688 [inline]
 __hrtimer_run_queues+0x138/0x1d8 kernel/time/hrtimer.c:1752
 hrtimer_interrupt+0xe8/0x244 kernel/time/hrtimer.c:1814
 timer_handler drivers/clocksource/arm_arch_timer.c:674 [inline]
 arch_timer_handler_phys+0x2c/0x44 drivers/clocksource/arm_arch_timer.c:692
 handle_percpu_devid_irq+0x84/0x130 kernel/irq/chip.c:942
 generic_handle_irq_desc include/linux/irqdesc.h:161 [inline]
 handle_irq_desc kernel/irq/irqdesc.c:672 [inline]
 generic_handle_domain_irq+0x2c/0x44 kernel/irq/irqdesc.c:728
 gic_handle_irq+0x44/0xc8 drivers/irqchip/irq-gic.c:373
 call_on_irq_stack+0x24/0x4c arch/arm64/kernel/entry.S:886
 do_interrupt_handler+0x80/0x84 arch/arm64/kernel/entry-common.c:276
 __el1_irq arch/arm64/kernel/entry-common.c:502 [inline]
 el1_interrupt+0x34/0x64 arch/arm64/kernel/entry-common.c:517
 el1h_64_irq_handler+0x18/0x24 arch/arm64/kernel/entry-common.c:522
 el1h_64_irq+0x64/0x68 arch/arm64/kernel/entry.S:591
 format_decode+0x70/0x598 lib/vsprintf.c:2558
 vsnprintf+0x74/0x6dc lib/vsprintf.c:2770
 tomoyo_supervisor+0x84/0x65c security/tomoyo/common.c:2061
 tomoyo_audit_path_log security/tomoyo/file.c:168 [inline]
 tomoyo_path_permission security/tomoyo/file.c:587 [inline]
 tomoyo_path_permission+0xa0/0xd8 security/tomoyo/file.c:573
 tomoyo_check_open_permission+0x174/0x188 security/tomoyo/file.c:777
 tomoyo_file_open security/tomoyo/tomoyo.c:332 [inline]
 tomoyo_file_open+0x34/0x40 security/tomoyo/tomoyo.c:327
 security_file_open+0x38/0x68 security/security.c:2836
 do_dentry_open+0xe8/0x570 fs/open.c:916
 vfs_open+0x2c/0x38 fs/open.c:1063
 do_open fs/namei.c:3640 [inline]
 path_openat+0x9c4/0xf10 fs/namei.c:3797
 do_filp_open+0x9c/0x14c fs/namei.c:3824
 do_sys_openat2+0xc0/0xf4 fs/open.c:1422
 do_sys_open fs/open.c:1437 [inline]
 __do_sys_openat fs/open.c:1453 [inline]
 __se_sys_openat fs/open.c:1448 [inline]
 __arm64_sys_openat+0x64/0xa4 fs/open.c:1448
 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
 invoke_syscall+0x48/0x114 arch/arm64/kernel/syscall.c:51
 el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:136
 do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:155
 el0_svc+0x40/0x114 arch/arm64/kernel/entry-common.c:678
 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:696
 el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:595

Allocated by task 3063:
 kasan_save_stack+0x3c/0x64 mm/kasan/common.c:45
 save_stack_info+0x38/0x118 mm/kasan/tags.c:104
 kasan_save_alloc_info+0x14/0x20 mm/kasan/tags.c:138
 __kasan_slab_alloc+0x94/0xcc mm/kasan/common.c:328
 kasan_slab_alloc include/linux/kasan.h:188 [inline]
 slab_post_alloc_hook mm/slab.h:762 [inline]
 slab_alloc_node mm/slub.c:3478 [inline]
 kmem_cache_alloc_node+0x150/0x2b8 mm/slub.c:3523
 alloc_task_struct_node kernel/fork.c:173 [inline]
 dup_task_struct kernel/fork.c:1110 [inline]
 copy_process+0x1b4/0x147c kernel/fork.c:2327
 kernel_clone+0x64/0x360 kernel/fork.c:2909
 __do_sys_clone+0x70/0xa8 kernel/fork.c:3052
 __se_sys_clone kernel/fork.c:3020 [inline]
 __arm64_sys_clone+0x20/0x2c kernel/fork.c:3020
 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
 invoke_syscall+0x48/0x114 arch/arm64/kernel/syscall.c:51
 el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:136
 do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:155
 el0_svc+0x40/0x114 arch/arm64/kernel/entry-common.c:678
 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:696
 el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:595

Freed by task 3062:
 kasan_save_stack+0x3c/0x64 mm/kasan/common.c:45
 save_stack_info+0x38/0x118 mm/kasan/tags.c:104
 kasan_save_free_info+0x18/0x24 mm/kasan/tags.c:143
 ____kasan_slab_free.constprop.0+0x180/0x1c8 mm/kasan/common.c:236
 __kasan_slab_free+0x10/0x1c mm/kasan/common.c:244
 kasan_slab_free include/linux/kasan.h:164 [inline]
 slab_free_hook mm/slub.c:1800 [inline]
 slab_free_freelist_hook+0xac/0x1c4 mm/slub.c:1826
 slab_free mm/slub.c:3809 [inline]
 kmem_cache_free+0x18c/0x314 mm/slub.c:3831
 free_task_struct kernel/fork.c:178 [inline]
 free_task+0x54/0x80 kernel/fork.c:627
 __put_task_struct+0x100/0x154 kernel/fork.c:981
 put_task_struct include/linux/sched/task.h:136 [inline]
 delayed_put_task_struct+0x7c/0xa8 kernel/exit.c:226
 rcu_do_batch kernel/rcu/tree.c:2139 [inline]
 rcu_core+0x250/0x638 kernel/rcu/tree.c:2403
 rcu_core_si+0x10/0x1c kernel/rcu/tree.c:2420
 __do_softirq+0x10c/0x284 kernel/softirq.c:553

The buggy address belongs to the object at ffff000004792f40
 which belongs to the cache task_struct of size 4032
The buggy address is located 176 bytes inside of
 4032-byte region [ffff000004792f40, ffff000004793f00)

The buggy address belongs to the physical page:
page:0000000041f1decc refcount:1 mapcount:0 mapping:0000000000000000 index:0xfcff000004792f40 pfn:0x44790
head:0000000041f1decc order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
ksm flags: 0x1ffc00000000840(slab|head|node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0)
page_type: 0xffffffff()
raw: 01ffc00000000840 f7ff000002c0cf00 fffffc00000dca00 dead000000000003
raw: fcff000004792f40 0000000080080007 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff000004792d00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
 ffff000004792e00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
>ffff000004792f00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
                                                                ^
 ffff000004793000: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
 ffff000004793100: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
==================================================================