lapbether: lapb_data_request error - 4 lapbether: lapb_data_request error - 4 lapbether: lapb_data_request error - 4 lapbether: lapb_data_request error - 4 ================================================================== BUG: KASAN: use-after-free in list_empty include/linux/list.h:292 [inline] BUG: KASAN: use-after-free in waitqueue_active include/linux/wait.h:129 [inline] BUG: KASAN: use-after-free in wq_has_sleeper include/linux/wait.h:163 [inline] BUG: KASAN: use-after-free in skwq_has_sleeper include/net/sock.h:2308 [inline] BUG: KASAN: use-after-free in sock_def_write_space+0x62e/0x640 net/core/sock.c:3179 Read of size 8 at addr ffff88804c91b080 by task ksoftirqd/0/15 CPU: 0 PID: 15 Comm: ksoftirqd/0 Not tainted 5.18.0-rc5-syzkaller-00114-gc88d3908516d #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0xeb/0x495 mm/kasan/report.c:313 print_report mm/kasan/report.c:429 [inline] kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491 list_empty include/linux/list.h:292 [inline] waitqueue_active include/linux/wait.h:129 [inline] wq_has_sleeper include/linux/wait.h:163 [inline] skwq_has_sleeper include/net/sock.h:2308 [inline] sock_def_write_space+0x62e/0x640 net/core/sock.c:3179 sock_wfree+0x1cc/0x240 net/core/sock.c:2310 skb_release_head_state+0x9f/0x2a0 net/core/skbuff.c:729 skb_release_all net/core/skbuff.c:740 [inline] __kfree_skb net/core/skbuff.c:756 [inline] kfree_skb_reason.part.0+0x8a/0x2f0 net/core/skbuff.c:776 kfree_skb_reason+0x85/0x110 include/linux/refcount.h:279 kfree_skb include/linux/skbuff.h:1250 [inline] llc_rcv+0x62/0xb50 net/llc/llc_input.c:215 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5405 __netif_receive_skb+0x24/0x1b0 net/core/dev.c:5519 process_backlog+0x3a0/0x7c0 net/core/dev.c:5847 __napi_poll+0xb3/0x6e0 net/core/dev.c:6413 napi_poll net/core/dev.c:6480 [inline] net_rx_action+0x8ec/0xc60 net/core/dev.c:6567 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558 run_ksoftirqd kernel/softirq.c:921 [inline] run_ksoftirqd+0x2d/0x60 kernel/softirq.c:913 smpboot_thread_fn+0x645/0x9c0 kernel/smpboot.c:164 kthread+0x2e9/0x3a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298 Allocated by task 11707: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:45 [inline] set_alloc_info mm/kasan/common.c:436 [inline] __kasan_slab_alloc+0x90/0xc0 mm/kasan/common.c:469 kasan_slab_alloc include/linux/kasan.h:224 [inline] slab_post_alloc_hook mm/slab.h:749 [inline] slab_alloc_node mm/slub.c:3217 [inline] slab_alloc mm/slub.c:3225 [inline] __kmem_cache_alloc_lru mm/slub.c:3232 [inline] kmem_cache_alloc_lru+0x255/0x720 mm/slub.c:3249 alloc_inode_sb include/linux/fs.h:2966 [inline] sock_alloc_inode+0x23/0x1d0 net/socket.c:304 alloc_inode+0x61/0x230 fs/inode.c:260 new_inode_pseudo+0x14/0xe0 fs/inode.c:1018 sock_alloc+0x3c/0x260 net/socket.c:627 __sock_create+0xb9/0x790 net/socket.c:1432 sock_create net/socket.c:1519 [inline] __sys_socket+0xef/0x200 net/socket.c:1561 __do_sys_socket net/socket.c:1570 [inline] __se_sys_socket net/socket.c:1568 [inline] __x64_sys_socket+0x6f/0xb0 net/socket.c:1568 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Freed by task 15: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track+0x21/0x30 mm/kasan/common.c:45 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370 ____kasan_slab_free mm/kasan/common.c:366 [inline] ____kasan_slab_free+0x166/0x1a0 mm/kasan/common.c:328 kasan_slab_free include/linux/kasan.h:200 [inline] slab_free_hook mm/slub.c:1728 [inline] slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1754 slab_free mm/slub.c:3510 [inline] kmem_cache_free+0xdd/0x5a0 mm/slub.c:3527 i_callback+0x3f/0x70 fs/inode.c:249 rcu_do_batch kernel/rcu/tree.c:2535 [inline] rcu_core+0x7b1/0x1880 kernel/rcu/tree.c:2786 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558 Last potentially related work creation: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 __kasan_record_aux_stack+0xbe/0xd0 mm/kasan/generic.c:348 call_rcu+0x99/0x790 kernel/rcu/tree.c:3074 destroy_inode+0x129/0x1b0 fs/inode.c:315 iput_final fs/inode.c:1744 [inline] iput.part.0+0x562/0x820 fs/inode.c:1770 iput+0x58/0x70 fs/inode.c:1760 dentry_unlink_inode+0x2b1/0x460 fs/dcache.c:401 __dentry_kill+0x3c0/0x640 fs/dcache.c:607 dentry_kill fs/dcache.c:733 [inline] dput+0x806/0xdb0 fs/dcache.c:913 __fput+0x39c/0x9d0 fs/file_table.c:330 task_work_run+0xdd/0x1a0 kernel/task_work.c:164 get_signal+0x1c5/0x24c0 kernel/signal.c:2641 arch_do_signal_or_restart+0x82/0x20f0 arch/x86/kernel/signal.c:867 exit_to_user_mode_loop kernel/entry/common.c:166 [inline] exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:201 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline] syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:294 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x44/0xae Second to last potentially related work creation: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 __kasan_record_aux_stack+0xbe/0xd0 mm/kasan/generic.c:348 call_rcu+0x99/0x790 kernel/rcu/tree.c:3074 destroy_inode+0x129/0x1b0 fs/inode.c:315 iput_final fs/inode.c:1744 [inline] iput.part.0+0x562/0x820 fs/inode.c:1770 iput+0x58/0x70 fs/inode.c:1760 dentry_unlink_inode+0x2b1/0x460 fs/dcache.c:401 __dentry_kill+0x3c0/0x640 fs/dcache.c:607 dentry_kill fs/dcache.c:733 [inline] dput+0x806/0xdb0 fs/dcache.c:913 __fput+0x39c/0x9d0 fs/file_table.c:330 task_work_run+0xdd/0x1a0 kernel/task_work.c:164 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] exit_to_user_mode_loop kernel/entry/common.c:169 [inline] exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:201 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline] syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:294 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x44/0xae The buggy address belongs to the object at ffff88804c91b000 which belongs to the cache sock_inode_cache of size 1408 The buggy address is located 128 bytes inside of 1408-byte region [ffff88804c91b000, ffff88804c91b580) The buggy address belongs to the physical page: page:ffffea0001324600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4c918 head:ffffea0001324600 order:3 compound_mapcount:0 compound_pincount:0 memcg:ffff88801ed7b201 flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000010200 0000000000000000 dead000000000001 ffff888015c188c0 raw: 0000000000000000 0000000000150015 00000001ffffffff ffff88801ed7b201 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Reclaimable, gfp_mask 0x1d20d0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL|__GFP_RECLAIMABLE), pid 10667, tgid 10656 (syz-executor.5), ts 264141530160, free_ts 257237187377 prep_new_page mm/page_alloc.c:2441 [inline] get_page_from_freelist+0xba2/0x3e00 mm/page_alloc.c:4182 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5408 alloc_pages+0x1aa/0x310 mm/mempolicy.c:2272 alloc_slab_page mm/slub.c:1799 [inline] allocate_slab+0x26c/0x3c0 mm/slub.c:1944 new_slab mm/slub.c:2004 [inline] ___slab_alloc+0x8df/0xf20 mm/slub.c:3005 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3092 slab_alloc_node mm/slub.c:3183 [inline] slab_alloc mm/slub.c:3225 [inline] __kmem_cache_alloc_lru mm/slub.c:3232 [inline] kmem_cache_alloc_lru+0x504/0x720 mm/slub.c:3249 alloc_inode_sb include/linux/fs.h:2966 [inline] sock_alloc_inode+0x23/0x1d0 net/socket.c:304 alloc_inode+0x61/0x230 fs/inode.c:260 new_inode_pseudo+0x14/0xe0 fs/inode.c:1018 sock_alloc+0x3c/0x260 net/socket.c:627 sock_create_lite+0x7b/0x120 net/socket.c:1267 __netlink_kernel_create+0xde/0x850 net/netlink/af_netlink.c:2044 netlink_kernel_create include/linux/netlink.h:62 [inline] xfrm_user_net_init+0x9f/0x160 net/xfrm/xfrm_user.c:3599 ops_init+0xaf/0x470 net/core/net_namespace.c:134 setup_net+0x5d1/0xc50 net/core/net_namespace.c:325 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1356 [inline] free_pcp_prepare+0x549/0xd20 mm/page_alloc.c:1406 free_unref_page_prepare mm/page_alloc.c:3328 [inline] free_unref_page+0x19/0x6a0 mm/page_alloc.c:3423 qlink_free mm/kasan/quarantine.c:157 [inline] qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:176 kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:283 __kasan_slab_alloc+0xa2/0xc0 mm/kasan/common.c:446 kasan_slab_alloc include/linux/kasan.h:224 [inline] slab_post_alloc_hook mm/slab.h:749 [inline] slab_alloc_node mm/slub.c:3217 [inline] slab_alloc mm/slub.c:3225 [inline] __kmem_cache_alloc_lru mm/slub.c:3232 [inline] kmem_cache_alloc+0x204/0x3b0 mm/slub.c:3242 ptlock_alloc+0x1d/0x70 mm/memory.c:5519 ptlock_init include/linux/mm.h:2300 [inline] pgtable_pte_page_ctor include/linux/mm.h:2327 [inline] __pte_alloc_one include/asm-generic/pgalloc.h:66 [inline] pte_alloc_one+0x68/0x230 arch/x86/mm/pgtable.c:33 __pte_alloc+0x69/0x250 mm/memory.c:465 do_anonymous_page mm/memory.c:3794 [inline] handle_pte_fault mm/memory.c:4625 [inline] __handle_mm_fault+0x3c0a/0x4150 mm/memory.c:4763 handle_mm_fault+0x1c8/0x790 mm/memory.c:4861 do_user_addr_fault+0x489/0x11c0 arch/x86/mm/fault.c:1397 handle_page_fault arch/x86/mm/fault.c:1484 [inline] exc_page_fault+0x9e/0x180 arch/x86/mm/fault.c:1540 asm_exc_page_fault+0x1e/0x30 arch/x86/include/asm/idtentry.h:570 Memory state around the buggy address: ffff88804c91af80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88804c91b000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88804c91b080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88804c91b100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88804c91b180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================