==================================================================
BUG: KASAN: slab-use-after-free in __update_min_deadline kernel/sched/fair.c:803 [inline]
BUG: KASAN: slab-use-after-free in min_deadline_update kernel/sched/fair.c:819 [inline]
BUG: KASAN: slab-use-after-free in min_deadline_cb_propagate kernel/sched/fair.c:825 [inline]
BUG: KASAN: slab-use-after-free in reweight_entity+0x248/0x2b8 kernel/sched/fair.c:3660
Read at addr fcff000006829070 by task syz-executor.0/20694
Pointer tag: [fc], memory tag: [fe]

CPU: 0 PID: 20694 Comm: syz-executor.0 Not tainted 6.6.0-rc6-syzkaller-00312-g4d7b04c0cda3 #0
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace+0x94/0xec arch/arm64/kernel/stacktrace.c:233
 show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:240
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x48/0x60 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0x108/0x618 mm/kasan/report.c:475
 kasan_report+0x88/0xac mm/kasan/report.c:588
 report_tag_fault arch/arm64/mm/fault.c:334 [inline]
 do_tag_recovery arch/arm64/mm/fault.c:346 [inline]
 __do_kernel_fault+0x17c/0x1e8 arch/arm64/mm/fault.c:393
 do_bad_area arch/arm64/mm/fault.c:493 [inline]
 do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:770
 do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:846
 el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:398
 el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:458
 el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:590
 __update_min_deadline kernel/sched/fair.c:803 [inline]
 min_deadline_update kernel/sched/fair.c:819 [inline]
 min_deadline_cb_propagate kernel/sched/fair.c:825 [inline]
 reweight_entity+0x248/0x2b8 kernel/sched/fair.c:3660
 update_cfs_group+0x80/0x98 kernel/sched/fair.c:3826
 entity_tick kernel/sched/fair.c:5317 [inline]
 task_tick_fair+0x64/0x280 kernel/sched/fair.c:12392
 scheduler_tick+0xcc/0x170 kernel/sched/core.c:5657
 update_process_times+0xa0/0xb4 kernel/time/timer.c:2076
 tick_sched_handle+0x34/0x58 kernel/time/tick-sched.c:254
 tick_sched_timer+0x50/0xa8 kernel/time/tick-sched.c:1492
 __run_hrtimer kernel/time/hrtimer.c:1688 [inline]
 __hrtimer_run_queues+0x138/0x1d8 kernel/time/hrtimer.c:1752
 hrtimer_interrupt+0xe8/0x244 kernel/time/hrtimer.c:1814
 timer_handler drivers/clocksource/arm_arch_timer.c:674 [inline]
 arch_timer_handler_phys+0x2c/0x44 drivers/clocksource/arm_arch_timer.c:692
 handle_percpu_devid_irq+0x84/0x130 kernel/irq/chip.c:942
 generic_handle_irq_desc include/linux/irqdesc.h:161 [inline]
 handle_irq_desc kernel/irq/irqdesc.c:672 [inline]
 generic_handle_domain_irq+0x2c/0x44 kernel/irq/irqdesc.c:728
 gic_handle_irq+0x44/0xc8 drivers/irqchip/irq-gic.c:373
 call_on_irq_stack+0x24/0x4c arch/arm64/kernel/entry.S:886
 do_interrupt_handler+0x80/0x84 arch/arm64/kernel/entry-common.c:276
 __el1_irq arch/arm64/kernel/entry-common.c:502 [inline]
 el1_interrupt+0x34/0x64 arch/arm64/kernel/entry-common.c:517
 el1h_64_irq_handler+0x18/0x24 arch/arm64/kernel/entry-common.c:522
 el1h_64_irq+0x64/0x68 arch/arm64/kernel/entry.S:591
 save_stack_info+0x0/0x118 mm/kasan/report_hw_tags.c:71
 __kasan_slab_alloc+0x94/0xcc mm/kasan/common.c:328
 kasan_slab_alloc include/linux/kasan.h:188 [inline]
 slab_post_alloc_hook mm/slab.h:762 [inline]
 slab_alloc_node mm/slub.c:3478 [inline]
 slab_alloc mm/slub.c:3486 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3493 [inline]
 kmem_cache_alloc+0x144/0x290 mm/slub.c:3502
 kmem_cache_zalloc include/linux/slab.h:710 [inline]
 __kernfs_new_node+0x6c/0x234 fs/kernfs/dir.c:615
 kernfs_new_node+0x48/0x70 fs/kernfs/dir.c:679
 __kernfs_create_file+0x30/0xf0 fs/kernfs/file.c:1047
 sysfs_add_file_mode_ns+0x70/0x134 fs/sysfs/file.c:294
 create_files fs/sysfs/group.c:64 [inline]
 internal_create_group+0xf8/0x39c fs/sysfs/group.c:152
 sysfs_create_group+0x18/0x24 fs/sysfs/group.c:178
 netdev_queue_add_kobject net/core/net-sysfs.c:1701 [inline]
 netdev_queue_update_kobjects+0xe0/0x210 net/core/net-sysfs.c:1747
 register_queue_kobjects net/core/net-sysfs.c:1808 [inline]
 netdev_register_kobject+0xe8/0x178 net/core/net-sysfs.c:2048
 register_netdevice+0x2bc/0x500 net/core/dev.c:10165
 __ip_tunnel_create+0x128/0x1a8 net/ipv4/ip_tunnel.c:267
 ip_tunnel_init_net+0xbc/0x180 net/ipv4/ip_tunnel.c:1091
 ipgre_tap_init_net+0x28/0x34 net/ipv4/ip_gre.c:1694
 ops_init+0x40/0x148 net/core/net_namespace.c:136
 setup_net+0x178/0x3a0 net/core/net_namespace.c:339
 copy_net_ns+0x130/0x380 net/core/net_namespace.c:491
 create_new_namespaces+0x114/0x348 kernel/nsproxy.c:110
 copy_namespaces+0xd0/0x128 kernel/nsproxy.c:179
 copy_process+0xae0/0x147c kernel/fork.c:2504
 kernel_clone+0x64/0x360 kernel/fork.c:2909
 __do_sys_clone+0x70/0xa8 kernel/fork.c:3052
 __se_sys_clone kernel/fork.c:3020 [inline]
 __arm64_sys_clone+0x20/0x2c kernel/fork.c:3020
 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
 invoke_syscall+0x48/0x114 arch/arm64/kernel/syscall.c:51
 el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:136
 do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:155
 el0_svc+0x40/0x114 arch/arm64/kernel/entry-common.c:678
 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:696
 el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:595

Allocated by task 2914:
 kasan_save_stack+0x3c/0x64 mm/kasan/common.c:45
 save_stack_info+0x38/0x118 mm/kasan/tags.c:104
 kasan_save_alloc_info+0x14/0x20 mm/kasan/tags.c:138
 __kasan_slab_alloc+0x94/0xcc mm/kasan/common.c:328
 kasan_slab_alloc include/linux/kasan.h:188 [inline]
 slab_post_alloc_hook mm/slab.h:762 [inline]
 slab_alloc_node mm/slub.c:3478 [inline]
 kmem_cache_alloc_node+0x150/0x2b8 mm/slub.c:3523
 alloc_task_struct_node kernel/fork.c:173 [inline]
 dup_task_struct kernel/fork.c:1110 [inline]
 copy_process+0x1b4/0x147c kernel/fork.c:2327
 kernel_clone+0x64/0x360 kernel/fork.c:2909
 __do_sys_clone+0x70/0xa8 kernel/fork.c:3052
 __se_sys_clone kernel/fork.c:3020 [inline]
 __arm64_sys_clone+0x20/0x2c kernel/fork.c:3020
 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
 invoke_syscall+0x48/0x114 arch/arm64/kernel/syscall.c:51
 el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:136
 do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:155
 el0_svc+0x40/0x114 arch/arm64/kernel/entry-common.c:678
 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:696
 el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:595

Freed by task 22:
 kasan_save_stack+0x3c/0x64 mm/kasan/common.c:45
 save_stack_info+0x38/0x118 mm/kasan/tags.c:104
 kasan_save_free_info+0x18/0x24 mm/kasan/tags.c:143
 ____kasan_slab_free.constprop.0+0x180/0x1c8 mm/kasan/common.c:236
 __kasan_slab_free+0x10/0x1c mm/kasan/common.c:244
 kasan_slab_free include/linux/kasan.h:164 [inline]
 slab_free_hook mm/slub.c:1800 [inline]
 slab_free_freelist_hook+0xac/0x1c4 mm/slub.c:1826
 slab_free mm/slub.c:3809 [inline]
 kmem_cache_free+0x18c/0x314 mm/slub.c:3831
 free_task_struct kernel/fork.c:178 [inline]
 free_task+0x54/0x80 kernel/fork.c:627
 __put_task_struct+0x100/0x154 kernel/fork.c:981
 put_task_struct include/linux/sched/task.h:136 [inline]
 delayed_put_task_struct+0x7c/0xa8 kernel/exit.c:226
 rcu_do_batch kernel/rcu/tree.c:2139 [inline]
 rcu_core+0x250/0x638 kernel/rcu/tree.c:2403
 rcu_core_si+0x10/0x1c kernel/rcu/tree.c:2420
 __do_softirq+0x10c/0x284 kernel/softirq.c:553

The buggy address belongs to the object at ffff000006828fc0
 which belongs to the cache task_struct of size 4032
The buggy address is located 176 bytes inside of
 4032-byte region [ffff000006828fc0, ffff000006829f80)

The buggy address belongs to the physical page:
page:0000000072fcc8c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0xfcff000006828fc0 pfn:0x46828
head:0000000072fcc8c0 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:f5ff0000414c7d81
flags: 0x1ffc00000000840(slab|head|node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0)
page_type: 0xffffffff()
raw: 01ffc00000000840 f7ff000002c0cf00 fffffc0000f07000 dead000000000006
raw: fcff000006828fc0 0000000080080006 00000001ffffffff f5ff0000414c7d81
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff000006828e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 ffff000006828f00: fa fa fa fa fa fa fa fa fa fa fa fa fe fe fe fe
>ffff000006829000: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
                                        ^
 ffff000006829100: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
 ffff000006829200: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
==================================================================