==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x3ee7/0x56d0 kernel/locking/lockdep.c:4925
Read of size 8 at addr ffff8880474de110 by task syz-executor.5/15718
CPU: 1 PID: 15718 Comm: syz-executor.5 Not tainted 6.1.0-syzkaller-09641-g628050ec952d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x15e/0x45d mm/kasan/report.c:395
kasan_report+0xbf/0x1f0 mm/kasan/report.c:495
__lock_acquire+0x3ee7/0x56d0 kernel/locking/lockdep.c:4925
lock_acquire kernel/locking/lockdep.c:5668 [inline]
lock_acquire+0x1e3/0x630 kernel/locking/lockdep.c:5633
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x3d/0x60 kernel/locking/spinlock.c:162
skb_queue_tail+0x25/0x150 net/core/skbuff.c:3569
rxrpc_encap_rcv+0x106/0x230 net/rxrpc/io_thread.c:39
udp_queue_rcv_one_skb+0xa93/0x18d0 net/ipv4/udp.c:2164
udp_queue_rcv_skb+0x192/0x9b0 net/ipv4/udp.c:2241
udp_unicast_rcv_skb+0x15c/0x3a0 net/ipv4/udp.c:2401
__udp4_lib_rcv+0x11e9/0x31d0 net/ipv4/udp.c:2473
ip_protocol_deliver_rcu+0x9f/0x460 net/ipv4/ip_input.c:205
ip_local_deliver_finish+0x2ec/0x4c0 net/ipv4/ip_input.c:233
NF_HOOK include/linux/netfilter.h:302 [inline]
NF_HOOK include/linux/netfilter.h:296 [inline]
ip_local_deliver+0x1ae/0x200 net/ipv4/ip_input.c:254
dst_input include/net/dst.h:454 [inline]
ip_rcv_finish+0x1cf/0x2f0 net/ipv4/ip_input.c:449
NF_HOOK include/linux/netfilter.h:302 [inline]
NF_HOOK include/linux/netfilter.h:296 [inline]
ip_rcv+0xae/0xd0 net/ipv4/ip_input.c:569
__netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5482
__netif_receive_skb+0x1f/0x1c0 net/core/dev.c:5596
process_backlog+0x3e4/0x810 net/core/dev.c:5924
__napi_poll+0xb8/0x770 net/core/dev.c:6485
napi_poll net/core/dev.c:6552 [inline]
net_rx_action+0xa00/0xde0 net/core/dev.c:6663
__do_softirq+0x1fb/0xadc kernel/softirq.c:571
do_softirq.part.0+0xde/0x130 kernel/softirq.c:472
do_softirq kernel/softirq.c:464 [inline]
__local_bh_enable_ip+0x106/0x130 kernel/softirq.c:396
local_bh_enable include/linux/bottom_half.h:33 [inline]
rcu_read_unlock_bh include/linux/rcupdate.h:834 [inline]
ip_finish_output2+0x7dc/0x2180 net/ipv4/ip_output.c:229
__ip_finish_output net/ipv4/ip_output.c:306 [inline]
__ip_finish_output+0x396/0x650 net/ipv4/ip_output.c:288
ip_finish_output+0x31/0x280 net/ipv4/ip_output.c:316
NF_HOOK_COND include/linux/netfilter.h:291 [inline]
ip_output+0x1a3/0x320 net/ipv4/ip_output.c:430
dst_output include/net/dst.h:444 [inline]
ip_local_out net/ipv4/ip_output.c:126 [inline]
ip_send_skb+0xd8/0x260 net/ipv4/ip_output.c:1586
udp_send_skb+0x73a/0x1490 net/ipv4/udp.c:978
udp_sendmsg+0x1bba/0x2750 net/ipv4/udp.c:1265
udpv6_sendmsg+0x17dc/0x2c80 net/ipv6/udp.c:1400
inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:660
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg+0xd3/0x120 net/socket.c:734
____sys_sendmsg+0x334/0x8c0 net/socket.c:2476
___sys_sendmsg+0x110/0x1b0 net/socket.c:2530
__sys_sendmmsg+0x18f/0x460 net/socket.c:2616
__do_sys_sendmmsg net/socket.c:2645 [inline]
__se_sys_sendmmsg net/socket.c:2642 [inline]
__x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2642
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f234c88c0d9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f234d54d168 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007f234c9abf80 RCX: 00007f234c88c0d9
RDX: 0000000000000001 RSI: 0000000020001c80 RDI: 0000000000000003
RBP: 00007f234c8e7ae9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc9b944d9f R14: 00007f234d54d300 R15: 0000000000022000
The buggy address belongs to the physical page:
page:ffffea00011d3780 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x474de
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 dead000000000100 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x102dc2(GFP_HIGHUSER|__GFP_NOWARN|__GFP_ZERO), pid 15363, tgid 15358 (syz-executor.0), ts 351492023439, free_ts 352362866402
prep_new_page mm/page_alloc.c:2539 [inline]
get_page_from_freelist+0x10b5/0x2d50 mm/page_alloc.c:4291
__alloc_pages+0x1cb/0x5b0 mm/page_alloc.c:5558
alloc_pages+0x1aa/0x270 mm/mempolicy.c:2285
vm_area_alloc_pages mm/vmalloc.c:2975 [inline]
__vmalloc_area_node mm/vmalloc.c:3043 [inline]
__vmalloc_node_range+0x978/0x13c0 mm/vmalloc.c:3213
__vmalloc_node mm/vmalloc.c:3278 [inline]
vzalloc+0x6b/0x80 mm/vmalloc.c:3351
xt_counters_alloc+0x50/0x70 net/netfilter/x_tables.c:1379
__do_replace+0x9a/0x8e0 net/ipv4/netfilter/ip_tables.c:1049
do_replace net/ipv4/netfilter/ip_tables.c:1140 [inline]
do_ipt_set_ctl+0x89d/0xb10 net/ipv4/netfilter/ip_tables.c:1630
nf_setsockopt+0x87/0xe0 net/netfilter/nf_sockopt.c:101
ip_setsockopt+0xf2/0x110 net/ipv4/ip_sockglue.c:1445
tcp_setsockopt+0x9f/0x100 net/ipv4/tcp.c:3801
__sys_setsockopt+0x2c6/0x5b0 net/socket.c:2246
__do_sys_setsockopt net/socket.c:2257 [inline]
__se_sys_setsockopt net/socket.c:2254 [inline]
__x64_sys_setsockopt+0xbe/0x160 net/socket.c:2254
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1459 [inline]
free_pcp_prepare+0x65c/0xd90 mm/page_alloc.c:1509
free_unref_page_prepare mm/page_alloc.c:3387 [inline]
free_unref_page+0x1d/0x4d0 mm/page_alloc.c:3483
__vunmap+0x85d/0xd30 mm/vmalloc.c:2713
__vfree+0x3c/0xd0 mm/vmalloc.c:2761
__vmalloc_area_node mm/vmalloc.c:3096 [inline]
__vmalloc_node_range+0xff8/0x13c0 mm/vmalloc.c:3213
__vmalloc_node mm/vmalloc.c:3278 [inline]
vzalloc+0x6b/0x80 mm/vmalloc.c:3351
xt_counters_alloc+0x50/0x70 net/netfilter/x_tables.c:1379
__do_replace+0x9a/0x8e0 net/ipv4/netfilter/ip_tables.c:1049
do_replace net/ipv4/netfilter/ip_tables.c:1140 [inline]
do_ipt_set_ctl+0x89d/0xb10 net/ipv4/netfilter/ip_tables.c:1630
nf_setsockopt+0x87/0xe0 net/netfilter/nf_sockopt.c:101
ip_setsockopt+0xf2/0x110 net/ipv4/ip_sockglue.c:1445
tcp_setsockopt+0x9f/0x100 net/ipv4/tcp.c:3801
__sys_setsockopt+0x2c6/0x5b0 net/socket.c:2246
__do_sys_setsockopt net/socket.c:2257 [inline]
__se_sys_setsockopt net/socket.c:2254 [inline]
__x64_sys_setsockopt+0xbe/0x160 net/socket.c:2254
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Memory state around the buggy address:
ffff8880474de000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8880474de080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8880474de100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8880474de180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8880474de200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================