==================================================================
BUG: KASAN: use-after-free in cleancache_fs_enabled_mapping include/linux/cleancache.h:54 [inline]
BUG: KASAN: use-after-free in cleancache_invalidate_page include/linux/cleancache.h:108 [inline]
BUG: KASAN: use-after-free in unaccount_page_cache_page+0x639/0x6b0 mm/filemap.c:169
Read of size 4 at addr ffff8881da24c488 by task syz-executor.1/1819

CPU: 1 PID: 1819 Comm: syz-executor.1 Not tainted 5.4.225-syzkaller-00008-g07edbcca3d39 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x241 lib/dump_stack.c:118
 print_address_description+0x8c/0x600 mm/kasan/report.c:384
 __kasan_report+0xf3/0x120 mm/kasan/report.c:516
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 cleancache_fs_enabled_mapping include/linux/cleancache.h:54 [inline]
 cleancache_invalidate_page include/linux/cleancache.h:108 [inline]
 unaccount_page_cache_page+0x639/0x6b0 mm/filemap.c:169
 __delete_from_page_cache+0xc3/0x510 mm/filemap.c:237
 __remove_mapping+0x46e/0x550 mm/vmscan.c:978
 shrink_page_list+0x2467/0x3e70 mm/vmscan.c:1482
 shrink_inactive_list+0x4f6/0xfd0 mm/vmscan.c:2001
 shrink_list mm/vmscan.c:2293 [inline]
 shrink_node_memcg+0xc42/0x2430 mm/vmscan.c:2623
 shrink_node+0x396/0x12b0 mm/vmscan.c:2836
 shrink_zones mm/vmscan.c:3053 [inline]
 do_try_to_free_pages+0x625/0x1280 mm/vmscan.c:3111
 try_to_free_mem_cgroup_pages+0x3f6/0x9b0 mm/vmscan.c:3412
 memory_max_write+0x235/0x3c0 mm/memcontrol.c:6209
 cgroup_file_write+0x275/0x5c0 kernel/cgroup/cgroup.c:3898
 kernfs_fop_write+0x2e2/0x3e0 fs/kernfs/file.c:315
 __vfs_write+0x103/0x750 fs/read_write.c:494
 vfs_write+0x206/0x4e0 fs/read_write.c:558
 ksys_write+0x199/0x2c0 fs/read_write.c:611
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

The buggy address belongs to the page:
page:ffffea0007689300 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x8000000000000000()
raw: 8000000000000000 dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x102dc2(GFP_HIGHUSER|__GFP_NOWARN|__GFP_ZERO)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x18f/0x370 mm/page_alloc.c:2171
 get_page_from_freelist+0x2ce8/0x2d70 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x393/0x840 mm/page_alloc.c:4891
 __vmalloc_area_node mm/vmalloc.c:2431 [inline]
 __vmalloc_node_range+0x384/0x710 mm/vmalloc.c:2499
 __vmalloc_node mm/vmalloc.c:2554 [inline]
 __vmalloc_node_flags mm/vmalloc.c:2568 [inline]
 vzalloc+0x70/0x80 mm/vmalloc.c:2613
 __do_replace+0xc7/0xa60 net/ipv4/netfilter/ip_tables.c:1049
 do_replace net/ipv4/netfilter/ip_tables.c:1140 [inline]
 do_ipt_set_ctl+0x404/0x600 net/ipv4/netfilter/ip_tables.c:1674
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x28f/0x2b0 net/netfilter/nf_sockopt.c:115
 __sys_setsockopt+0x4b4/0x840 net/socket.c:2074
 __do_sys_setsockopt net/socket.c:2090 [inline]
 __se_sys_setsockopt net/socket.c:2087 [inline]
 __x64_sys_setsockopt+0xb1/0xc0 net/socket.c:2087
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1176 [inline]
 free_pcp_prepare mm/page_alloc.c:1233 [inline]
 free_unref_page_prepare+0x297/0x380 mm/page_alloc.c:3085
 free_unref_page mm/page_alloc.c:3134 [inline]
 free_the_page mm/page_alloc.c:4951 [inline]
 __free_pages+0xaf/0x140 mm/page_alloc.c:4959
 __vunmap+0x75b/0x890 mm/vmalloc.c:2260
 __do_replace+0x7fe/0xa60 net/ipv4/netfilter/ip_tables.c:1088
 do_replace net/ipv4/netfilter/ip_tables.c:1140 [inline]
 do_ipt_set_ctl+0x404/0x600 net/ipv4/netfilter/ip_tables.c:1674
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x28f/0x2b0 net/netfilter/nf_sockopt.c:115
 __sys_setsockopt+0x4b4/0x840 net/socket.c:2074
 __do_sys_setsockopt net/socket.c:2090 [inline]
 __se_sys_setsockopt net/socket.c:2087 [inline]
 __x64_sys_setsockopt+0xb1/0xc0 net/socket.c:2087
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1

Memory state around the buggy address:
 ffff8881da24c380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881da24c400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8881da24c480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                           ^
 ffff8881da24c500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881da24c580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
syz-executor.1 invoked oom-killer: gfp_mask=0xcc0(GFP_KERNEL), order=0, oom_score_adj=0
CPU: 1 PID: 1819 Comm: syz-executor.1 Tainted: G B 5.4.225-syzkaller-00008-g07edbcca3d39 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x241 lib/dump_stack.c:118
 dump_header+0xd5/0x670 mm/oom_kill.c:460
 oom_kill_process+0xeb/0x2c0 mm/oom_kill.c:974
 out_of_memory+0x5e1/0x890 mm/oom_kill.c:1111
 mem_cgroup_out_of_memory+0x211/0x270 mm/memcontrol.c:1611
 memory_max_write+0x331/0x3c0 mm/memcontrol.c:6216
 cgroup_file_write+0x275/0x5c0 kernel/cgroup/cgroup.c:3898
 kernfs_fop_write+0x2e2/0x3e0 fs/kernfs/file.c:315
 __vfs_write+0x103/0x750 fs/read_write.c:494
 vfs_write+0x206/0x4e0 fs/read_write.c:558
 ksys_write+0x199/0x2c0 fs/read_write.c:611
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
memory: usage 44584kB, limit 0kB, failcnt 0
swap: usage 0kB, limit 9007199254740988kB, failcnt 0
Memory cgroup stats for /syz1:
anon 35319808
file 10452992
kernel_stack 0
slab 0
sock 139264
shmem 10412032
file_mapped 270336
file_dirty 0
file_writeback 0
anon_thp 0
inactive_anon 135168
active_anon 45551616
inactive_file 0
active_file 0
unevictable 0
slab_reclaimable 0
slab_unreclaimable 0
pgfault 1638912
pgmajfault 4290
workingset_refault 330
workingset_activate 0
workingset_nodereclaim 0
pgrefill 98
pgscan 91
pgsteal 87
pgactivate 2904
oom-kill:constraint=CONSTRAINT_MEMCG,nodemask=(null),cpuset=syz1,mems_allowed=0,oom_memcg=/syz1,task_memcg=/syz1,task=syz-executor.1,pid=9314,uid=0
Memory cgroup out of memory: Killed process 9314 (syz-executor.1) total-vm:55188kB, anon-rss:4648kB, file-rss:14336kB, shmem-rss:0kB, UID:0 pgtables:92kB oom_score_adj:1000
syz-executor.1 invoked oom-killer: gfp_mask=0xcc0(GFP_KERNEL), order=0, oom_score_adj=0
CPU: 1 PID: 1819 Comm: syz-executor.1 Tainted: G B 5.4.225-syzkaller-00008-g07edbcca3d39 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x241 lib/dump_stack.c:118
 dump_header+0xd5/0x670 mm/oom_kill.c:460
 oom_kill_process+0xeb/0x2c0 mm/oom_kill.c:974
 out_of_memory+0x5e1/0x890 mm/oom_kill.c:1111
 mem_cgroup_out_of_memory+0x211/0x270 mm/memcontrol.c:1611
 memory_max_write+0x331/0x3c0 mm/memcontrol.c:6216
 cgroup_file_write+0x275/0x5c0 kernel/cgroup/cgroup.c:3898
 kernfs_fop_write+0x2e2/0x3e0 fs/kernfs/file.c:315
 __vfs_write+0x103/0x750 fs/read_write.c:494
 vfs_write+0x206/0x4e0 fs/read_write.c:558
 ksys_write+0x199/0x2c0 fs/read_write.c:611
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
memory: usage 40344kB, limit 0kB, failcnt 0
swap: usage 0kB, limit 9007199254740988kB, failcnt 0
Memory cgroup stats for /syz1:
anon 31162368
file 10452992
kernel_stack 0
slab 0
sock 139264
shmem 10412032
file_mapped 270336
file_dirty 0
file_writeback 0
anon_thp 0
inactive_anon 135168
active_anon 41361408
inactive_file 0
active_file 0
unevictable 0
slab_reclaimable 0
slab_unreclaimable 0
pgfault 1638912
pgmajfault 4290
workingset_refault 330
workingset_activate 0
workingset_nodereclaim 0
pgrefill 98
pgscan 91
pgsteal 87
pgactivate 2904
oom-kill:constraint=CONSTRAINT_MEMCG,nodemask=(null),cpuset=syz1,mems_allowed=0,oom_memcg=/syz1,task_memcg=/syz1,task=syz-executor.1,pid=31993,uid=0
Memory cgroup out of memory: Killed process 31993 (syz-executor.1) total-vm:54660kB, anon-rss:4644kB, file-rss:14336kB, shmem-rss:0kB, UID:0 pgtables:92kB oom_score_adj:0
syz-executor.1 invoked oom-killer: gfp_mask=0xcc0(GFP_KERNEL), order=0, oom_score_adj=0
CPU: 1 PID: 1819 Comm: syz-executor.1 Tainted: G B 5.4.225-syzkaller-00008-g07edbcca3d39 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x241 lib/dump_stack.c:118
 dump_header+0xd5/0x670 mm/oom_kill.c:460
 oom_kill_process+0xeb/0x2c0 mm/oom_kill.c:974
 out_of_memory+0x5e1/0x890 mm/oom_kill.c:1111
 mem_cgroup_out_of_memory+0x211/0x270 mm/memcontrol.c:1611
 memory_max_write+0x331/0x3c0 mm/memcontrol.c:6216
 cgroup_file_write+0x275/0x5c0 kernel/cgroup/cgroup.c:3898
 kernfs_fop_write+0x2e2/0x3e0 fs/kernfs/file.c:315
 __vfs_write+0x103/0x750 fs/read_write.c:494
 vfs_write+0x206/0x4e0 fs/read_write.c:558
 ksys_write+0x199/0x2c0 fs/read_write.c:611
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
memory: usage 36124kB, limit 0kB, failcnt 0
swap: usage 0kB, limit 9007199254740988kB, failcnt 0
Memory cgroup stats for /syz1:
anon 26836992
file 10452992
kernel_stack 0
slab 0
sock 139264
shmem 10412032
file_mapped 270336
file_dirty 0
file_writeback 0
anon_thp 0
inactive_anon 135168
active_anon 37036032
inactive_file 0
active_file 12288
unevictable 0
slab_reclaimable 0
slab_unreclaimable 0
pgfault 1638912
pgmajfault 4290
workingset_refault 330
workingset_activate 0
workingset_nodereclaim 0
pgrefill 98
pgscan 91
pgsteal 87
pgactivate 2904
oom-kill:constraint=CONSTRAINT_MEMCG,nodemask=(null),cpuset=syz1,mems_allowed=0,oom_memcg=/syz1,task_memcg=/syz1,task=syz-executor.1,pid=9465,uid=0
Memory cgroup out of memory: Killed process 9465 (syz-executor.1) total-vm:55056kB, anon-rss:4644kB, file-rss:14336kB, shmem-rss:0kB, UID:0 pgtables:92kB oom_score_adj:1000