==================================================================
BUG: KASAN: double-free or invalid-free in slab_free mm/slub.c:3142 [inline]
BUG: KASAN: double-free or invalid-free in kfree+0xdb/0x360 mm/slub.c:4124

CPU: 1 PID: 4897 Comm: systemd-udevd Not tainted 5.11.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:230
 kasan_report_invalid_free+0x51/0x80 mm/kasan/report.c:355
 ____kasan_slab_free+0xfd/0x110 mm/kasan/common.c:341
 kasan_slab_free include/linux/kasan.h:188 [inline]
 slab_free_hook mm/slub.c:1547 [inline]
 slab_free_freelist_hook+0x5d/0x150 mm/slub.c:1580
 slab_free mm/slub.c:3142 [inline]
 kfree+0xdb/0x360 mm/slub.c:4124
 bdev_free_inode+0x57/0x80 fs/block_dev.c:787
 i_callback+0x3f/0x70 fs/inode.c:222
 rcu_do_batch kernel/rcu/tree.c:2489 [inline]
 rcu_core+0x5eb/0xf00 kernel/rcu/tree.c:2723
 __do_softirq+0x2a5/0x9f7 kernel/softirq.c:343
 asm_call_irq_on_stack+0xf/0x20
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
 do_softirq_own_stack+0xaa/0xd0 arch/x86/kernel/irq_64.c:77
 invoke_softirq kernel/softirq.c:226 [inline]
 __irq_exit_rcu kernel/softirq.c:420 [inline]
 irq_exit_rcu+0x134/0x200 kernel/softirq.c:432
 sysvec_apic_timer_interrupt+0x4d/0x100 arch/x86/kernel/apic/apic.c:1096
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:628
RIP: 0010:tomoyo_domain_quota_is_ok+0x17d/0x550 security/tomoyo/util.c:1059
Code: 89 a8 ec fd 48 8d 7d 18 48 89 f8 48 89 fa 48 c1 e8 03 83 e2 07 42 0f b6 04 30 38 d0 7f 08 84 c0 0f 85 4a 03 00 00 0f b6 5d 18 <31> ff 89 de e8 da ae ec fd 84 db 0f 85 65 ff ff ff e8 4d a8 ec fd
RSP: 0018:ffffc9000151f5b0 EFLAGS: 00000246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8385cc07 RDI: ffff888013202798
RBP: ffff888013202780 R08: 0000000000000000 R09: 0000000000000010
R10: ffffffff8385cdda R11: 0000000000000010 R12: 0000000000000026
R13: 000000000000020f R14: dffffc0000000000 R15: 0000000000000000
 tomoyo_supervisor+0x2f2/0xef0 security/tomoyo/common.c:2089
 tomoyo_audit_path_log security/tomoyo/file.c:168 [inline]
 tomoyo_path_permission security/tomoyo/file.c:587 [inline]
 tomoyo_path_permission+0x270/0x3a0 security/tomoyo/file.c:573
 tomoyo_check_open_permission+0x33e/0x380 security/tomoyo/file.c:777
 tomoyo_file_open security/tomoyo/tomoyo.c:313 [inline]
 tomoyo_file_open+0xa3/0xd0 security/tomoyo/tomoyo.c:308
 security_file_open+0x52/0x4f0 security/security.c:1576
 do_dentry_open+0x358/0x11b0 fs/open.c:804
 do_open fs/namei.c:3254 [inline]
 path_openat+0x1b9a/0x2730 fs/namei.c:3371
 do_filp_open+0x17e/0x3c0 fs/namei.c:3398
 do_sys_openat2+0x16d/0x420 fs/open.c:1172
 do_sys_open fs/open.c:1188 [inline]
 __do_sys_open fs/open.c:1196 [inline]
 __se_sys_open fs/open.c:1192 [inline]
 __x64_sys_open+0x119/0x1c0 fs/open.c:1192
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f30ff2d69b1
Code: f7 d8 bf ff ff ff ff 64 89 02 eb cb 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00 80 3f 00 74 1b be 00 08 09 00 b8 02 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 1f 89 c7 e9 00 ff ff ff 48 8b 05 b1 54 2e 00
RSP: 002b:00007ffc7b01c228 EFLAGS: 00000202 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 0000558ee271ac40 RCX: 00007f30ff2d69b1
RDX: 00000000000000ff RSI: 0000000000090800 RDI: 0000558ee27154b0
RBP: 00007f310048b710 R08: 0000558ee2722e10 R09: 7269762f73656369
R10: 0000000000000020 R11: 0000000000000202 R12: 0000000000000000
R13: 0000558ee27154b0 R14: 00000000000000ff R15: 0000558ee27154b0

Allocated by task 13204:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:401 [inline]
 ____kasan_kmalloc.constprop.0+0x82/0xa0 mm/kasan/common.c:429
 kasan_krealloc include/linux/kasan.h:235 [inline]
 __do_krealloc mm/slab_common.c:1077 [inline]
 krealloc+0x94/0xd0 mm/slab_common.c:1110
 nf_ct_ext_add+0x2d3/0x6b0 net/netfilter/nf_conntrack_extend.c:73
 nf_ct_ecache_ext_add include/net/netfilter/nf_conntrack_ecache.h:55 [inline]
 init_conntrack.constprop.0+0x5db/0x1150 net/netfilter/nf_conntrack_core.c:1597
 resolve_normal_ct net/netfilter/nf_conntrack_core.c:1674 [inline]
 nf_conntrack_in+0x9d2/0x1330 net/netfilter/nf_conntrack_core.c:1829
 ipv4_conntrack_local+0x11c/0x220 net/netfilter/nf_conntrack_proto.c:200
 nf_hook_entry_hookfn include/linux/netfilter.h:136 [inline]
 nf_hook_slow+0xc5/0x1e0 net/netfilter/core.c:589
 nf_hook+0x2cf/0x5a0 include/linux/netfilter.h:256
 __ip_local_out+0x26e/0x530 net/ipv4/ip_output.c:115
 ip_local_out net/ipv4/ip_output.c:124 [inline]
 __ip_queue_xmit+0x85d/0x1a00 net/ipv4/ip_output.c:532
 __tcp_transmit_skb+0x18a8/0x3720 net/ipv4/tcp_output.c:1405
 tcp_transmit_skb net/ipv4/tcp_output.c:1423 [inline]
 tcp_send_syn_data net/ipv4/tcp_output.c:3816 [inline]
 tcp_connect+0x22e8/0x4950 net/ipv4/tcp_output.c:3855
 tcp_v4_connect+0x1522/0x1c40 net/ipv4/tcp_ipv4.c:312
 __inet_stream_connect+0x86e/0xe80 net/ipv4/af_inet.c:661
 tcp_sendmsg_fastopen net/ipv4/tcp.c:1191 [inline]
 tcp_sendmsg_locked+0x1fd5/0x2d20 net/ipv4/tcp.c:1233
 tcp_sendmsg+0x2b/0x40 net/ipv4/tcp.c:1459
 inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:817
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:672
 __sys_sendto+0x21c/0x320 net/socket.c:1975
 __do_sys_sendto net/socket.c:1987 [inline]
 __se_sys_sendto net/socket.c:1983 [inline]
 __x64_sys_sendto+0xdd/0x1b0 net/socket.c:1983
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff88801c8a2800
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 0 bytes inside of
 128-byte region [ffff88801c8a2800, ffff88801c8a2880)
The buggy address belongs to the page:
page:000000008e840ae1 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88801c8a2600 pfn:0x1c8a2
flags: 0xfff00000000200(slab)
raw: 00fff00000000200 ffffea0000ba7e88 ffffea00008a3348 ffff888010041640
raw: ffff88801c8a2600 0000000000100007 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88801c8a2700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88801c8a2780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88801c8a2800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff88801c8a2880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88801c8a2900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================