================================================================== ====================================================== WARNING: possible circular locking dependency detected 5.14.0-syzkaller #0 Not tainted ------------------------------------------------------ kworker/1:7/10460 is trying to acquire lock: ffffffff8b96ef58 ((console_sem).lock){-...}-{2:2}, at: down_trylock+0xe/0x60 kernel/locking/semaphore.c:138 but task is already holding lock: ffffffff8bac3e98 (report_lock){....}-{2:2}, at: start_report mm/kasan/report.c:109 [inline] ffffffff8bac3e98 (report_lock){....}-{2:2}, at: __kasan_report mm/kasan/report.c:434 [inline] ffffffff8bac3e98 (report_lock){....}-{2:2}, at: kasan_report+0x8e/0x100 mm/kasan/report.c:459 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #4 (report_lock){....}-{2:2}: __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x39/0x50 kernel/locking/spinlock.c:162 start_report mm/kasan/report.c:109 [inline] __kasan_report mm/kasan/report.c:434 [inline] kasan_report+0x8e/0x100 mm/kasan/report.c:459 cgroup_rstat_cpu kernel/cgroup/rstat.c:13 [inline] cgroup_rstat_cpu_pop_updated kernel/cgroup/rstat.c:106 [inline] cgroup_rstat_flush_locked+0xa19/0xdc0 kernel/cgroup/rstat.c:161 cgroup_rstat_flush+0x3a/0x50 kernel/cgroup/rstat.c:203 css_release_work_fn+0x440/0x920 kernel/cgroup/cgroup.c:5120 process_one_work+0x9bf/0x16b0 kernel/workqueue.c:2297 worker_thread+0x658/0x11f0 kernel/workqueue.c:2444 kthread+0x3e5/0x4d0 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 -> #3 (per_cpu_ptr(&cgroup_rstat_cpu_lock, cpu)){-.-.}-{2:2}: __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x39/0x50 kernel/locking/spinlock.c:162 cgroup_rstat_updated+0xe0/0x390 kernel/cgroup/rstat.c:41 cgroup_base_stat_cputime_account_end kernel/cgroup/rstat.c:364 [inline] __cgroup_account_cputime+0xae/0x120 kernel/cgroup/rstat.c:375 cgroup_account_cputime include/linux/cgroup.h:797 [inline] update_curr+0x3c4/0x850 kernel/sched/fair.c:853 enqueue_entity+0x235/0x2080 kernel/sched/fair.c:4293 enqueue_task_fair+0x20e/0x1b40 kernel/sched/fair.c:5616 enqueue_task kernel/sched/core.c:1976 [inline] activate_task kernel/sched/core.c:2001 [inline] ttwu_do_activate+0x18b/0x640 kernel/sched/core.c:3577 ttwu_queue kernel/sched/core.c:3774 [inline] try_to_wake_up+0x4db/0x1350 kernel/sched/core.c:4097 autoremove_wake_function+0x12/0x140 kernel/sched/wait.c:409 __wake_up_common+0x147/0x650 kernel/sched/wait.c:108 __wake_up_common_lock+0xd0/0x130 kernel/sched/wait.c:138 wake_up_klogd_work_func kernel/printk/printk.c:3225 [inline] wake_up_klogd_work_func+0xc6/0xf0 kernel/printk/printk.c:3214 irq_work_single+0x120/0x1f0 kernel/irq_work.c:155 irq_work_run_list+0x91/0xc0 kernel/irq_work.c:177 update_process_times+0x1a6/0x200 kernel/time/timer.c:1788 tick_sched_handle+0x9b/0x180 kernel/time/tick-sched.c:226 tick_sched_timer+0x1b0/0x2d0 kernel/time/tick-sched.c:1421 __run_hrtimer kernel/time/hrtimer.c:1685 [inline] __hrtimer_run_queues+0x1c0/0xe50 kernel/time/hrtimer.c:1749 hrtimer_interrupt+0x31c/0x790 kernel/time/hrtimer.c:1811 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1086 [inline] __sysvec_apic_timer_interrupt+0x146/0x530 arch/x86/kernel/apic/apic.c:1103 sysvec_apic_timer_interrupt+0x8e/0xc0 arch/x86/kernel/apic/apic.c:1097 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638 __sanitizer_cov_trace_pc+0x0/0x60 kernel/kcov.c:917 console_unlock+0x6c2/0xb70 kernel/printk/printk.c:2715 vprintk_emit+0x198/0x4f0 kernel/printk/printk.c:2244 vprintk+0x80/0x90 kernel/printk/printk_safe.c:50 _printk+0xba/0xed kernel/printk/printk.c:2265 addrconf_notify.cold+0x29/0x6b net/ipv6/addrconf.c:3578 notifier_call_chain+0xb5/0x200 kernel/notifier.c:83 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1996 netdev_state_change net/core/dev.c:1387 [inline] netdev_state_change+0x100/0x130 net/core/dev.c:1380 linkwatch_do_dev+0x10e/0x150 net/core/link_watch.c:167 __linkwatch_run_queue+0x233/0x6a0 net/core/link_watch.c:213 linkwatch_event+0x4a/0x60 net/core/link_watch.c:252 process_one_work+0x9bf/0x16b0 kernel/workqueue.c:2297 worker_thread+0x658/0x11f0 kernel/workqueue.c:2444 kthread+0x3e5/0x4d0 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 -> #2 (&rq->__lock){-.-.}-{2:2}: _raw_spin_lock_nested+0x30/0x40 kernel/locking/spinlock.c:368 raw_spin_rq_lock_nested+0x1e/0x30 kernel/sched/core.c:474 raw_spin_rq_lock kernel/sched/sched.h:1317 [inline] rq_lock kernel/sched/sched.h:1620 [inline] task_fork_fair+0x76/0x4d0 kernel/sched/fair.c:11091 sched_fork+0x401/0xbe0 kernel/sched/core.c:4393 copy_process+0x2074/0x7580 kernel/fork.c:2165 kernel_clone+0xe7/0xac0 kernel/fork.c:2585 kernel_thread+0xb5/0xf0 kernel/fork.c:2637 rest_init+0x23/0x3e0 init/main.c:684 start_kernel+0x47a/0x49b init/main.c:1125 secondary_startup_64_no_verify+0xb0/0xbb -> #1 (&p->pi_lock){-.-.}-{2:2}: __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x39/0x50 kernel/locking/spinlock.c:162 try_to_wake_up+0xab/0x1350 kernel/sched/core.c:3981 up+0x75/0xb0 kernel/locking/semaphore.c:190 __up_console_sem+0xa4/0xc0 kernel/printk/printk.c:254 console_unlock+0x567/0xb70 kernel/printk/printk.c:2726 con_install+0x15c/0x620 drivers/tty/vt/vt.c:3411 tty_driver_install_tty drivers/tty/tty_io.c:1315 [inline] tty_init_dev.part.0+0x9e/0x610 drivers/tty/tty_io.c:1429 tty_init_dev include/linux/err.h:36 [inline] tty_open_by_driver drivers/tty/tty_io.c:2098 [inline] tty_open+0xb16/0x1000 drivers/tty/tty_io.c:2146 chrdev_open+0x266/0x770 fs/char_dev.c:414 do_dentry_open+0x4c8/0x11d0 fs/open.c:822 do_open fs/namei.c:3426 [inline] path_openat+0x1c9a/0x2740 fs/namei.c:3559 do_filp_open+0x1aa/0x400 fs/namei.c:3586 do_sys_openat2+0x16d/0x4d0 fs/open.c:1200 do_sys_open fs/open.c:1216 [inline] __do_sys_open fs/open.c:1224 [inline] __se_sys_open fs/open.c:1220 [inline] __x64_sys_open+0x119/0x1c0 fs/open.c:1220 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae -> #0 ((console_sem).lock){-...}-{2:2}: check_prev_add kernel/locking/lockdep.c:3051 [inline] check_prevs_add kernel/locking/lockdep.c:3174 [inline] validate_chain kernel/locking/lockdep.c:3789 [inline] __lock_acquire+0x2a07/0x54a0 kernel/locking/lockdep.c:5015 lock_acquire kernel/locking/lockdep.c:5625 [inline] lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5590 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x39/0x50 kernel/locking/spinlock.c:162 down_trylock+0xe/0x60 kernel/locking/semaphore.c:138 __down_trylock_console_sem+0x40/0x120 kernel/printk/printk.c:237 console_trylock kernel/printk/printk.c:2541 [inline] console_trylock_spinning kernel/printk/printk.c:1843 [inline] vprintk_emit+0x146/0x4f0 kernel/printk/printk.c:2243 vprintk+0x80/0x90 kernel/printk/printk_safe.c:50 _printk+0xba/0xed kernel/printk/printk.c:2265 start_report mm/kasan/report.c:110 [inline] __kasan_report mm/kasan/report.c:434 [inline] kasan_report+0x9e/0x100 mm/kasan/report.c:459 cgroup_rstat_cpu kernel/cgroup/rstat.c:13 [inline] cgroup_rstat_cpu_pop_updated kernel/cgroup/rstat.c:106 [inline] cgroup_rstat_flush_locked+0xa19/0xdc0 kernel/cgroup/rstat.c:161 cgroup_rstat_flush+0x3a/0x50 kernel/cgroup/rstat.c:203 css_release_work_fn+0x440/0x920 kernel/cgroup/cgroup.c:5120 process_one_work+0x9bf/0x16b0 kernel/workqueue.c:2297 worker_thread+0x658/0x11f0 kernel/workqueue.c:2444 kthread+0x3e5/0x4d0 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 other info that might help us debug this: Chain exists of: (console_sem).lock --> per_cpu_ptr(&cgroup_rstat_cpu_lock, cpu) --> report_lock Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(report_lock); lock(per_cpu_ptr(&cgroup_rstat_cpu_lock, cpu)); lock(report_lock); lock((console_sem).lock); *** DEADLOCK *** 6 locks held by kworker/1:7/10460: #0: ffff888010e1ed38 ((wq_completion)cgroup_destroy){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline] #0: ffff888010e1ed38 ((wq_completion)cgroup_destroy){+.+.}-{0:0}, at: arch_atomic_long_set include/linux/atomic/atomic-long.h:41 [inline] #0: ffff888010e1ed38 ((wq_completion)cgroup_destroy){+.+.}-{0:0}, at: atomic_long_set include/linux/atomic/atomic-instrumented.h:1198 [inline] #0: ffff888010e1ed38 ((wq_completion)cgroup_destroy){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:634 [inline] #0: ffff888010e1ed38 ((wq_completion)cgroup_destroy){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:661 [inline] #0: ffff888010e1ed38 ((wq_completion)cgroup_destroy){+.+.}-{0:0}, at: process_one_work+0x8a3/0x16b0 kernel/workqueue.c:2268 #1: ffffc90017027db0 ((work_completion)(&css->destroy_work)#2){+.+.}-{0:0}, at: process_one_work+0x8d7/0x16b0 kernel/workqueue.c:2272 #2: ffffffff8b9c13e8 (cgroup_mutex){+.+.}-{3:3}, at: css_release_work_fn+0x6a/0x920 kernel/cgroup/cgroup.c:5099 #3: ffffffff8b9c9318 (cgroup_rstat_lock){....}-{2:2}, at: spin_lock_irq include/linux/spinlock.h:388 [inline] #3: ffffffff8b9c9318 (cgroup_rstat_lock){....}-{2:2}, at: cgroup_rstat_flush+0x2d/0x50 kernel/cgroup/rstat.c:202 #4: ffff8880b9c22ef8 (per_cpu_ptr(&cgroup_rstat_cpu_lock, cpu)){-.-.}-{2:2}, at: cgroup_rstat_flush_locked+0x146/0xdc0 kernel/cgroup/rstat.c:160 #5: ffffffff8bac3e98 (report_lock){....}-{2:2}, at: start_report mm/kasan/report.c:109 [inline] #5: ffffffff8bac3e98 (report_lock){....}-{2:2}, at: __kasan_report mm/kasan/report.c:434 [inline] #5: ffffffff8bac3e98 (report_lock){....}-{2:2}, at: kasan_report+0x8e/0x100 mm/kasan/report.c:459 stack backtrace: CPU: 1 PID: 10460 Comm: kworker/1:7 Not tainted 5.14.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: cgroup_destroy css_release_work_fn Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:105 check_noncircular+0x25f/0x2e0 kernel/locking/lockdep.c:2131 check_prev_add kernel/locking/lockdep.c:3051 [inline] check_prevs_add kernel/locking/lockdep.c:3174 [inline] validate_chain kernel/locking/lockdep.c:3789 [inline] __lock_acquire+0x2a07/0x54a0 kernel/locking/lockdep.c:5015 lock_acquire kernel/locking/lockdep.c:5625 [inline] lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5590 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x39/0x50 kernel/locking/spinlock.c:162 down_trylock+0xe/0x60 kernel/locking/semaphore.c:138 __down_trylock_console_sem+0x40/0x120 kernel/printk/printk.c:237 console_trylock kernel/printk/printk.c:2541 [inline] console_trylock_spinning kernel/printk/printk.c:1843 [inline] vprintk_emit+0x146/0x4f0 kernel/printk/printk.c:2243 vprintk+0x80/0x90 kernel/printk/printk_safe.c:50 _printk+0xba/0xed kernel/printk/printk.c:2265 start_report mm/kasan/report.c:110 [inline] __kasan_report mm/kasan/report.c:434 [inline] kasan_report+0x9e/0x100 mm/kasan/report.c:459 cgroup_rstat_cpu kernel/cgroup/rstat.c:13 [inline] cgroup_rstat_cpu_pop_updated kernel/cgroup/rstat.c:106 [inline] cgroup_rstat_flush_locked+0xa19/0xdc0 kernel/cgroup/rstat.c:161 cgroup_rstat_flush+0x3a/0x50 kernel/cgroup/rstat.c:203 css_release_work_fn+0x440/0x920 kernel/cgroup/cgroup.c:5120 process_one_work+0x9bf/0x16b0 kernel/workqueue.c:2297 worker_thread+0x658/0x11f0 kernel/workqueue.c:2444 kthread+0x3e5/0x4d0 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 BUG: KASAN: use-after-free in cgroup_rstat_cpu kernel/cgroup/rstat.c:13 [inline] BUG: KASAN: use-after-free in cgroup_rstat_cpu_pop_updated kernel/cgroup/rstat.c:106 [inline] BUG: KASAN: use-after-free in cgroup_rstat_flush_locked+0xa19/0xdc0 kernel/cgroup/rstat.c:161 Read of size 8 at addr ffff88807c27dc38 by task kworker/1:7/10460 CPU: 1 PID: 10460 Comm: kworker/1:7 Not tainted 5.14.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: cgroup_destroy css_release_work_fn Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:105 print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:256 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 cgroup_rstat_cpu kernel/cgroup/rstat.c:13 [inline] cgroup_rstat_cpu_pop_updated kernel/cgroup/rstat.c:106 [inline] cgroup_rstat_flush_locked+0xa19/0xdc0 kernel/cgroup/rstat.c:161 cgroup_rstat_flush+0x3a/0x50 kernel/cgroup/rstat.c:203 css_release_work_fn+0x440/0x920 kernel/cgroup/cgroup.c:5120 process_one_work+0x9bf/0x16b0 kernel/workqueue.c:2297 worker_thread+0x658/0x11f0 kernel/workqueue.c:2444 kthread+0x3e5/0x4d0 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 Allocated by task 11040: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:434 [inline] ____kasan_kmalloc mm/kasan/common.c:513 [inline] ____kasan_kmalloc mm/kasan/common.c:472 [inline] __kasan_kmalloc+0xa4/0xd0 mm/kasan/common.c:522 kmalloc_node include/linux/slab.h:614 [inline] kvmalloc_node+0x61/0x120 mm/util.c:587 kvmalloc include/linux/mm.h:805 [inline] kvzalloc include/linux/mm.h:813 [inline] netif_alloc_netdev_queues net/core/dev.c:10150 [inline] alloc_netdev_mqs+0x774/0xe80 net/core/dev.c:10845 __tun_chr_ioctl.isra.0+0x239f/0x4230 drivers/net/tun.c:2690 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:874 [inline] __se_sys_ioctl fs/ioctl.c:860 [inline] __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Freed by task 11038: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:360 ____kasan_slab_free mm/kasan/common.c:366 [inline] ____kasan_slab_free mm/kasan/common.c:328 [inline] __kasan_slab_free+0xff/0x130 mm/kasan/common.c:374 kasan_slab_free include/linux/kasan.h:230 [inline] slab_free_hook mm/slub.c:1628 [inline] slab_free_freelist_hook+0xe3/0x250 mm/slub.c:1653 slab_free mm/slub.c:3213 [inline] kfree+0xe4/0x540 mm/slub.c:4267 kvfree+0x42/0x50 mm/util.c:620 netif_free_tx_queues net/core/dev.c:10138 [inline] free_netdev+0xa9/0x5b0 net/core/dev.c:10902 netdev_run_todo+0x882/0xa80 net/core/dev.c:10591 tun_detach drivers/net/tun.c:690 [inline] tun_chr_close+0xe0/0x180 drivers/net/tun.c:3397 __fput+0x288/0x9f0 fs/file_table.c:280 task_work_run+0xdd/0x1a0 kernel/task_work.c:164 tracehook_notify_resume include/linux/tracehook.h:189 [inline] exit_to_user_mode_loop kernel/entry/common.c:175 [inline] exit_to_user_mode_prepare+0x27e/0x290 kernel/entry/common.c:209 __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline] syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:302 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x44/0xae The buggy address belongs to the object at ffff88807c27dc00 which belongs to the cache kmalloc-cg-512 of size 512 The buggy address is located 56 bytes inside of 512-byte region [ffff88807c27dc00, ffff88807c27de00) The buggy address belongs to the page: page:ffffea0001f09f00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7c27c head:ffffea0001f09f00 order:2 compound_mapcount:0 compound_pincount:0 flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000010200 0000000000000000 0000000100000001 ffff888010c42dc0 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 10655, ts 143074030187, free_ts 143019096563 prep_new_page mm/page_alloc.c:2436 [inline] get_page_from_freelist+0xa72/0x2f80 mm/page_alloc.c:4168 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5390 alloc_pages+0x1a7/0x300 mm/mempolicy.c:2291 alloc_slab_page mm/slub.c:1691 [inline] allocate_slab+0x32e/0x4b0 mm/slub.c:1831 new_slab mm/slub.c:1894 [inline] new_slab_objects mm/slub.c:2640 [inline] ___slab_alloc+0x473/0x7b0 mm/slub.c:2803 __slab_alloc.constprop.0+0xa7/0xf0 mm/slub.c:2843 slab_alloc_node mm/slub.c:2925 [inline] __kmalloc_node_track_caller+0x2e3/0x360 mm/slub.c:4653 kmalloc_reserve net/core/skbuff.c:355 [inline] __alloc_skb+0xde/0x340 net/core/skbuff.c:426 alloc_skb include/linux/skbuff.h:1116 [inline] alloc_skb_with_frags+0x93/0x620 net/core/skbuff.c:6073 sock_alloc_send_pskb+0x783/0x910 net/core/sock.c:2475 unix_dgram_sendmsg+0x3ec/0x1950 net/unix/af_unix.c:1774 sock_sendmsg_nosec net/socket.c:704 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:724 sock_write_iter+0x289/0x3c0 net/socket.c:1057 call_write_iter include/linux/fs.h:2163 [inline] new_sync_write+0x429/0x660 fs/read_write.c:507 vfs_write+0x7cf/0xae0 fs/read_write.c:594 ksys_write+0x1ee/0x250 fs/read_write.c:647 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1346 [inline] free_pcp_prepare+0x2c5/0x780 mm/page_alloc.c:1397 free_unref_page_prepare mm/page_alloc.c:3332 [inline] free_unref_page+0x19/0x690 mm/page_alloc.c:3411 qlink_free mm/kasan/quarantine.c:146 [inline] qlist_free_all+0x5a/0xc0 mm/kasan/quarantine.c:165 kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:272 __kasan_slab_alloc+0x95/0xb0 mm/kasan/common.c:444 kasan_slab_alloc include/linux/kasan.h:254 [inline] slab_post_alloc_hook mm/slab.h:519 [inline] slab_alloc_node mm/slub.c:2959 [inline] slab_alloc mm/slub.c:2967 [inline] __kmalloc+0x1f4/0x330 mm/slub.c:4111 kmalloc include/linux/slab.h:596 [inline] tomoyo_realpath_from_path+0xc3/0x620 security/tomoyo/realpath.c:254 tomoyo_get_realpath security/tomoyo/file.c:151 [inline] tomoyo_path_perm+0x21b/0x400 security/tomoyo/file.c:822 security_inode_getattr+0xcf/0x140 security/security.c:1333 vfs_getattr fs/stat.c:157 [inline] vfs_statx+0x164/0x390 fs/stat.c:225 vfs_fstatat fs/stat.c:243 [inline] vfs_stat include/linux/fs.h:3352 [inline] __do_sys_newstat+0x91/0x110 fs/stat.c:385 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Memory state around the buggy address: ffff88807c27db00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88807c27db80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88807c27dc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88807c27dc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88807c27dd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================