==================================================================
BUG: KASAN: use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline]
BUG: KASAN: use-after-free in __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604
Read of size 4 at addr ffff88806c2e0008 by task syz-executor/12736
CPU: 0 UID: 0 PID: 12736 Comm: syz-executor Not tainted 6.12.0-rc7-syzkaller-00042-gf1b785f4c787 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
rht_key_hashfn include/linux/rhashtable.h:159 [inline]
__rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604
rhashtable_lookup include/linux/rhashtable.h:646 [inline]
rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]
ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:132 [inline]
ila_xlat_addr net/ipv6/ila/ila_xlat.c:657 [inline]
ila_nf_input+0x1ee/0x620 net/ipv6/ila/ila_xlat.c:190
nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
nf_hook_slow+0xbb/0x200 net/netfilter/core.c:626
nf_hook.constprop.0+0x42e/0x750 include/linux/netfilter.h:269
NF_HOOK include/linux/netfilter.h:312 [inline]
ipv6_rcv+0xa4/0x680 net/ipv6/ip6_input.c:309
__netif_receive_skb_one_core+0x12e/0x1e0 net/core/dev.c:5670
__netif_receive_skb+0x1d/0x160 net/core/dev.c:5783
process_backlog+0x443/0x15f0 net/core/dev.c:6115
__napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:6779
napi_poll net/core/dev.c:6848 [inline]
net_rx_action+0xa92/0x1010 net/core/dev.c:6970
handle_softirqs+0x213/0x8f0 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu kernel/softirq.c:637 [inline]
irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1049
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x31/0x80 kernel/locking/spinlock.c:194
Code: f5 53 48 8b 74 24 10 48 89 fb 48 83 c7 18 e8 76 fd 52 f6 48 89 df e8 7e 7a 53 f6 f7 c5 00 02 00 00 75 23 9c 58 f6 c4 02 75 37 01 00 00 00 e8 c5 8c 44 f6 65 8b 05 06 aa ec 74 85 c0 74 16 5b
RSP: 0018:ffffc900042ff4f8 EFLAGS: 00000246
RAX: 0000000000000002 RBX: ffffffff9a5cf1c8 RCX: 1ffffffff2d3aeb6
RDX: 0000000000000000 RSI: ffffffff8b4cc860 RDI: ffffffff8bb136e0
RBP: 0000000000000282 R08: 0000000000000001 R09: fffffbfff2d3299d
R10: ffffffff96994cef R11: 0000000000000000 R12: ffff888055de0000
R13: 000000000000000b R14: 000000000000000b R15: ffff888055de0000
__debug_check_no_obj_freed lib/debugobjects.c:998 [inline]
debug_check_no_obj_freed+0x328/0x600 lib/debugobjects.c:1019
free_pages_prepare mm/page_alloc.c:1119 [inline]
free_unref_folios+0x29f/0x1220 mm/page_alloc.c:2689
folios_put_refs+0x551/0x750 mm/swap.c:1007
folio_batch_release include/linux/pagevec.h:101 [inline]
shmem_undo_range+0x586/0x1170 mm/shmem.c:1032
shmem_truncate_range mm/shmem.c:1144 [inline]
shmem_evict_inode+0x3a3/0xba0 mm/shmem.c:1274
evict+0x409/0x970 fs/inode.c:725
iput_final fs/inode.c:1877 [inline]
iput fs/inode.c:1903 [inline]
iput+0x530/0x890 fs/inode.c:1889
do_unlinkat+0x5c3/0x760 fs/namei.c:4540
__do_sys_unlink fs/namei.c:4581 [inline]
__se_sys_unlink fs/namei.c:4579 [inline]
__x64_sys_unlink+0xc5/0x110 fs/namei.c:4579
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fda2d37dcc7
Code: 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 57 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcb5faa538 EFLAGS: 00000206 ORIG_RAX: 0000000000000057
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fda2d37dcc7
RDX: 00007ffcb5faa560 RSI: 00007ffcb5faa5f0 RDI: 00007ffcb5faa5f0
RBP: 00007ffcb5faa5f0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000100 R11: 0000000000000206 R12: 00007ffcb5fab670
R13: 00007fda2d3f15fc R14: 00000000000743b0 R15: 00007ffcb5fab6b0
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88806c2e6000 pfn:0x6c2e0
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001b0b8c8 ffffea0001f4ebc8 0000000000000000
raw: ffff88806c2e6000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x440dc0(GFP_KERNEL_ACCOUNT|__GFP_COMP|__GFP_ZERO), pid 13131, tgid 13131 (syz.4.1292), ts 480744145984, free_ts 480687333672
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1541
prep_new_page mm/page_alloc.c:1549 [inline]
get_page_from_freelist+0xfce/0x2f80 mm/page_alloc.c:3459
__alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4735
alloc_pages_mpol_noprof+0x2c9/0x610 mm/mempolicy.c:2265
vm_area_alloc_pages mm/vmalloc.c:3568 [inline]
__vmalloc_area_node mm/vmalloc.c:3646 [inline]
__vmalloc_node_range_noprof+0x724/0x15a0 mm/vmalloc.c:3828
alloc_thread_stack_node kernel/fork.c:315 [inline]
dup_task_struct kernel/fork.c:1116 [inline]
copy_process+0x29b4/0x6ee0 kernel/fork.c:2204
kernel_clone+0xfd/0x960 kernel/fork.c:2786
__do_sys_clone3+0x1f9/0x270 kernel/fork.c:3090
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 13144 tgid 13144 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1112 [inline]
free_unref_folios+0x898/0x1220 mm/page_alloc.c:2689
folios_put_refs+0x551/0x750 mm/swap.c:1007
free_pages_and_swap_cache+0x36d/0x510 mm/swap_state.c:332
__tlb_batch_free_encoded_pages+0xf9/0x290 mm/mmu_gather.c:136
tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:366 [inline]
tlb_flush_mmu mm/mmu_gather.c:373 [inline]
tlb_finish_mmu+0x168/0x7b0 mm/mmu_gather.c:465
exit_mmap+0x3df/0xb30 mm/mmap.c:1936
__mmput+0x12a/0x480 kernel/fork.c:1348
mmput+0x62/0x70 kernel/fork.c:1370
exit_mm kernel/exit.c:571 [inline]
do_exit+0x9bf/0x2d70 kernel/exit.c:926
do_group_exit+0xd3/0x2a0 kernel/exit.c:1088
__do_sys_exit_group kernel/exit.c:1099 [inline]
__se_sys_exit_group kernel/exit.c:1097 [inline]
__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1097
x64_sys_call+0x14a9/0x16a0 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff88806c2dff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88806c2dff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88806c2e0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
^
ffff88806c2e0080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88806c2e0100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
0: f5 cmc
1: 53 push %rbx
2: 48 8b 74 24 10 mov 0x10(%rsp),%rsi
7: 48 89 fb mov %rdi,%rbx
a: 48 83 c7 18 add $0x18,%rdi
e: e8 76 fd 52 f6 call 0xf652fd89
13: 48 89 df mov %rbx,%rdi
16: e8 7e 7a 53 f6 call 0xf6537a99
1b: f7 c5 00 02 00 00 test $0x200,%ebp
21: 75 23 jne 0x46
23: 9c pushf
24: 58 pop %rax
25: f6 c4 02 test $0x2,%ah
28: 75 37 jne 0x61
* 2a: bf 01 00 00 00 mov $0x1,%edi <-- trapping instruction
2f: e8 c5 8c 44 f6 call 0xf6448cf9
34: 65 8b 05 06 aa ec 74 mov %gs:0x74ecaa06(%rip),%eax # 0x74ecaa41
3b: 85 c0 test %eax,%eax
3d: 74 16 je 0x55
3f: 5b pop %rbx