================================================================== BUG: KASAN: use-after-free in __lock_acquire+0x3ee7/0x56d0 kernel/locking/lockdep.c:4925 Read of size 8 at addr ffff8880474de110 by task syz-executor.5/15718 CPU: 1 PID: 15718 Comm: syz-executor.5 Not tainted 6.1.0-syzkaller-09641-g628050ec952d #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x15e/0x45d mm/kasan/report.c:395 kasan_report+0xbf/0x1f0 mm/kasan/report.c:495 __lock_acquire+0x3ee7/0x56d0 kernel/locking/lockdep.c:4925 lock_acquire kernel/locking/lockdep.c:5668 [inline] lock_acquire+0x1e3/0x630 kernel/locking/lockdep.c:5633 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x3d/0x60 kernel/locking/spinlock.c:162 skb_queue_tail+0x25/0x150 net/core/skbuff.c:3569 rxrpc_encap_rcv+0x106/0x230 net/rxrpc/io_thread.c:39 udp_queue_rcv_one_skb+0xa93/0x18d0 net/ipv4/udp.c:2164 udp_queue_rcv_skb+0x192/0x9b0 net/ipv4/udp.c:2241 udp_unicast_rcv_skb+0x15c/0x3a0 net/ipv4/udp.c:2401 __udp4_lib_rcv+0x11e9/0x31d0 net/ipv4/udp.c:2473 ip_protocol_deliver_rcu+0x9f/0x460 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x2ec/0x4c0 net/ipv4/ip_input.c:233 NF_HOOK include/linux/netfilter.h:302 [inline] NF_HOOK include/linux/netfilter.h:296 [inline] ip_local_deliver+0x1ae/0x200 net/ipv4/ip_input.c:254 dst_input include/net/dst.h:454 [inline] ip_rcv_finish+0x1cf/0x2f0 net/ipv4/ip_input.c:449 NF_HOOK include/linux/netfilter.h:302 [inline] NF_HOOK include/linux/netfilter.h:296 [inline] ip_rcv+0xae/0xd0 net/ipv4/ip_input.c:569 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5482 __netif_receive_skb+0x1f/0x1c0 net/core/dev.c:5596 process_backlog+0x3e4/0x810 net/core/dev.c:5924 __napi_poll+0xb8/0x770 net/core/dev.c:6485 napi_poll net/core/dev.c:6552 [inline] net_rx_action+0xa00/0xde0 net/core/dev.c:6663 __do_softirq+0x1fb/0xadc kernel/softirq.c:571 do_softirq.part.0+0xde/0x130 kernel/softirq.c:472 do_softirq kernel/softirq.c:464 [inline] __local_bh_enable_ip+0x106/0x130 kernel/softirq.c:396 local_bh_enable include/linux/bottom_half.h:33 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:834 [inline] ip_finish_output2+0x7dc/0x2180 net/ipv4/ip_output.c:229 __ip_finish_output net/ipv4/ip_output.c:306 [inline] __ip_finish_output+0x396/0x650 net/ipv4/ip_output.c:288 ip_finish_output+0x31/0x280 net/ipv4/ip_output.c:316 NF_HOOK_COND include/linux/netfilter.h:291 [inline] ip_output+0x1a3/0x320 net/ipv4/ip_output.c:430 dst_output include/net/dst.h:444 [inline] ip_local_out net/ipv4/ip_output.c:126 [inline] ip_send_skb+0xd8/0x260 net/ipv4/ip_output.c:1586 udp_send_skb+0x73a/0x1490 net/ipv4/udp.c:978 udp_sendmsg+0x1bba/0x2750 net/ipv4/udp.c:1265 udpv6_sendmsg+0x17dc/0x2c80 net/ipv6/udp.c:1400 inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:660 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg+0xd3/0x120 net/socket.c:734 ____sys_sendmsg+0x334/0x8c0 net/socket.c:2476 ___sys_sendmsg+0x110/0x1b0 net/socket.c:2530 __sys_sendmmsg+0x18f/0x460 net/socket.c:2616 __do_sys_sendmmsg net/socket.c:2645 [inline] __se_sys_sendmmsg net/socket.c:2642 [inline] __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2642 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f234c88c0d9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f234d54d168 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 RAX: ffffffffffffffda RBX: 00007f234c9abf80 RCX: 00007f234c88c0d9 RDX: 0000000000000001 RSI: 0000000020001c80 RDI: 0000000000000003 RBP: 00007f234c8e7ae9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffc9b944d9f R14: 00007f234d54d300 R15: 0000000000022000 The buggy address belongs to the physical page: page:ffffea00011d3780 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x474de flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 dead000000000100 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 0, migratetype Unmovable, gfp_mask 0x102dc2(GFP_HIGHUSER|__GFP_NOWARN|__GFP_ZERO), pid 15363, tgid 15358 (syz-executor.0), ts 351492023439, free_ts 352362866402 prep_new_page mm/page_alloc.c:2539 [inline] get_page_from_freelist+0x10b5/0x2d50 mm/page_alloc.c:4291 __alloc_pages+0x1cb/0x5b0 mm/page_alloc.c:5558 alloc_pages+0x1aa/0x270 mm/mempolicy.c:2285 vm_area_alloc_pages mm/vmalloc.c:2975 [inline] __vmalloc_area_node mm/vmalloc.c:3043 [inline] __vmalloc_node_range+0x978/0x13c0 mm/vmalloc.c:3213 __vmalloc_node mm/vmalloc.c:3278 [inline] vzalloc+0x6b/0x80 mm/vmalloc.c:3351 xt_counters_alloc+0x50/0x70 net/netfilter/x_tables.c:1379 __do_replace+0x9a/0x8e0 net/ipv4/netfilter/ip_tables.c:1049 do_replace net/ipv4/netfilter/ip_tables.c:1140 [inline] do_ipt_set_ctl+0x89d/0xb10 net/ipv4/netfilter/ip_tables.c:1630 nf_setsockopt+0x87/0xe0 net/netfilter/nf_sockopt.c:101 ip_setsockopt+0xf2/0x110 net/ipv4/ip_sockglue.c:1445 tcp_setsockopt+0x9f/0x100 net/ipv4/tcp.c:3801 __sys_setsockopt+0x2c6/0x5b0 net/socket.c:2246 __do_sys_setsockopt net/socket.c:2257 [inline] __se_sys_setsockopt net/socket.c:2254 [inline] __x64_sys_setsockopt+0xbe/0x160 net/socket.c:2254 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1459 [inline] free_pcp_prepare+0x65c/0xd90 mm/page_alloc.c:1509 free_unref_page_prepare mm/page_alloc.c:3387 [inline] free_unref_page+0x1d/0x4d0 mm/page_alloc.c:3483 __vunmap+0x85d/0xd30 mm/vmalloc.c:2713 __vfree+0x3c/0xd0 mm/vmalloc.c:2761 __vmalloc_area_node mm/vmalloc.c:3096 [inline] __vmalloc_node_range+0xff8/0x13c0 mm/vmalloc.c:3213 __vmalloc_node mm/vmalloc.c:3278 [inline] vzalloc+0x6b/0x80 mm/vmalloc.c:3351 xt_counters_alloc+0x50/0x70 net/netfilter/x_tables.c:1379 __do_replace+0x9a/0x8e0 net/ipv4/netfilter/ip_tables.c:1049 do_replace net/ipv4/netfilter/ip_tables.c:1140 [inline] do_ipt_set_ctl+0x89d/0xb10 net/ipv4/netfilter/ip_tables.c:1630 nf_setsockopt+0x87/0xe0 net/netfilter/nf_sockopt.c:101 ip_setsockopt+0xf2/0x110 net/ipv4/ip_sockglue.c:1445 tcp_setsockopt+0x9f/0x100 net/ipv4/tcp.c:3801 __sys_setsockopt+0x2c6/0x5b0 net/socket.c:2246 __do_sys_setsockopt net/socket.c:2257 [inline] __se_sys_setsockopt net/socket.c:2254 [inline] __x64_sys_setsockopt+0xbe/0x160 net/socket.c:2254 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Memory state around the buggy address: ffff8880474de000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8880474de080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff8880474de100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff8880474de180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8880474de200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================