===================================================== BUG: KMSAN: use-after-free in tty_insert_flip_char include/linux/tty_flip.h:30 [inline] BUG: KMSAN: use-after-free in uart_insert_char+0x9a1/0xb50 drivers/tty/serial/serial_core.c:3139 tty_insert_flip_char include/linux/tty_flip.h:30 [inline] uart_insert_char+0x9a1/0xb50 drivers/tty/serial/serial_core.c:3139 serial8250_read_char+0x280/0x820 drivers/tty/serial/8250/8250_port.c:1769 serial8250_rx_chars drivers/tty/serial/8250/8250_port.c:1784 [inline] serial8250_handle_irq+0x532/0x970 drivers/tty/serial/8250/8250_port.c:1927 serial8250_default_handle_irq+0x180/0x380 drivers/tty/serial/8250/8250_port.c:1949 serial8250_interrupt+0x103/0x3f0 drivers/tty/serial/8250/8250_core.c:126 __handle_irq_event_percpu+0x179/0xc50 kernel/irq/handle.c:158 handle_irq_event_percpu kernel/irq/handle.c:198 [inline] handle_irq_event+0x188/0x420 kernel/irq/handle.c:215 handle_edge_irq+0x465/0x13e0 kernel/irq/chip.c:822 generic_handle_irq_desc include/linux/irqdesc.h:158 [inline] handle_irq arch/x86/kernel/irq.c:231 [inline] __common_interrupt+0xf8/0x360 arch/x86/kernel/irq.c:250 common_interrupt+0x58/0xd0 arch/x86/kernel/irq.c:240 asm_common_interrupt+0x1e/0x40 kmsan_get_shadow_origin_ptr+0x8/0xf0 mm/kmsan/shadow.c:120 get_shadow_origin_ptr mm/kmsan/instrumentation.c:30 [inline] __msan_metadata_ptr_for_load_4+0x20/0x30 mm/kmsan/instrumentation.c:65 stack_trace_consume_entry+0x214/0x300 kernel/stacktrace.c:94 arch_stack_walk+0x2f9/0x3c0 arch/x86/kernel/stacktrace.c:27 stack_trace_save+0x117/0x1a0 kernel/stacktrace.c:122 kmsan_save_stack_with_flags mm/kmsan/core.c:80 [inline] kmsan_internal_chain_origin+0xa9/0x110 mm/kmsan/core.c:217 kmsan_internal_memmove_metadata+0x1f2/0x2e0 mm/kmsan/core.c:165 __msan_memcpy+0x65/0x90 mm/kmsan/instrumentation.c:127 skb_copy_from_linear_data_offset include/linux/skbuff.h:3785 [inline] skb_copy_bits+0x2ec/0x10f0 net/core/skbuff.c:2331 skb_copy+0x54e/0xb90 net/core/skbuff.c:1597 mac80211_hwsim_tx_frame_no_nl+0x1fc3/0x2be0 drivers/net/wireless/mac80211_hwsim.c:1565 mac80211_hwsim_tx_frame+0x453/0x4f0 drivers/net/wireless/mac80211_hwsim.c:1784 mac80211_hwsim_beacon_tx+0x938/0xd10 drivers/net/wireless/mac80211_hwsim.c:1838 __iterate_interfaces net/mac80211/util.c:793 [inline] ieee80211_iterate_active_interfaces_atomic+0x464/0x690 net/mac80211/util.c:829 mac80211_hwsim_beacon+0x11d/0x340 drivers/net/wireless/mac80211_hwsim.c:1861 __run_hrtimer+0x49f/0xc50 kernel/time/hrtimer.c:1685 __hrtimer_run_queues kernel/time/hrtimer.c:1749 [inline] hrtimer_run_softirq+0x4d2/0xe80 kernel/time/hrtimer.c:1766 __do_softirq+0x1ee/0x7c5 kernel/softirq.c:558 invoke_softirq+0xa4/0x130 kernel/softirq.c:432 __irq_exit_rcu kernel/softirq.c:636 [inline] irq_exit_rcu+0x76/0x130 kernel/softirq.c:648 sysvec_apic_timer_interrupt+0xa2/0xc0 arch/x86/kernel/apic/apic.c:1097 asm_sysvec_apic_timer_interrupt+0x12/0x20 kmsan_internal_is_vmalloc_addr+0x20/0x30 mm/kmsan/core.c:426 kmsan_get_metadata+0x27/0x220 mm/kmsan/shadow.c:172 kmsan_get_shadow_origin_ptr+0x9b/0xf0 mm/kmsan/shadow.c:139 get_shadow_origin_ptr mm/kmsan/instrumentation.c:30 [inline] __msan_metadata_ptr_for_load_4+0x20/0x30 mm/kmsan/instrumentation.c:65 tomoyo_pathcmp security/tomoyo/common.h:1168 [inline] tomoyo_path_matches_pattern+0x2bd/0x4e0 security/tomoyo/util.c:946 tomoyo_compare_name_union security/tomoyo/file.c:87 [inline] tomoyo_check_path_acl+0x277/0x360 security/tomoyo/file.c:260 tomoyo_check_acl+0x247/0x5d0 security/tomoyo/domain.c:175 tomoyo_path_permission security/tomoyo/file.c:586 [inline] tomoyo_check_open_permission+0x61f/0xe00 security/tomoyo/file.c:777 tomoyo_file_open+0x24f/0x2d0 security/tomoyo/tomoyo.c:311 security_file_open+0xaa/0x1e0 security/security.c:1635 do_dentry_open+0x4e4/0x1bf0 fs/open.c:809 vfs_open+0xaf/0xe0 fs/open.c:957 do_open fs/namei.c:3426 [inline] path_openat+0x52af/0x5ea0 fs/namei.c:3559 do_filp_open+0x306/0x760 fs/namei.c:3586 do_sys_openat2+0x263/0x8f0 fs/open.c:1212 do_sys_open fs/open.c:1228 [inline] __do_sys_openat fs/open.c:1244 [inline] __se_sys_openat fs/open.c:1239 [inline] __x64_sys_openat+0x35f/0x3c0 fs/open.c:1239 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x44/0xae Uninit was created at: slab_free_hook mm/slub.c:1710 [inline] slab_free_freelist_hook+0x27b/0x8e0 mm/slub.c:1766 slab_free mm/slub.c:3530 [inline] kfree+0x2e7/0x9e0 mm/slub.c:4579 skb_free_head net/core/skbuff.c:655 [inline] skb_release_data+0xb30/0xc70 net/core/skbuff.c:677 skb_release_all net/core/skbuff.c:742 [inline] __kfree_skb+0x96/0x330 net/core/skbuff.c:756 consume_skb+0xd1/0x340 net/core/skbuff.c:912 netlink_broadcast+0x2083/0x2330 net/netlink/af_netlink.c:1518 nlmsg_multicast include/net/netlink.h:1033 [inline] nlmsg_notify+0x29e/0x550 net/netlink/af_netlink.c:2534 rtnl_notify+0x193/0x1b0 net/core/rtnetlink.c:730 inet6_rt_notify+0x6ff/0x870 net/ipv6/route.c:6163 fib6_add_rt2node net/ipv6/ip6_fib.c:1250 [inline] fib6_add+0x3ad2/0x6cf0 net/ipv6/ip6_fib.c:1476 __ip6_ins_rt net/ipv6/route.c:1302 [inline] ip6_ins_rt+0x13c/0x1c0 net/ipv6/route.c:1312 __ipv6_ifa_notify+0xffd/0x1f50 net/ipv6/addrconf.c:6114 ipv6_ifa_notify net/ipv6/addrconf.c:6153 [inline] addrconf_dad_completed+0x25c/0x1870 net/ipv6/addrconf.c:4178 addrconf_dad_work+0xaa7/0x2210 process_one_work+0xdb9/0x1820 kernel/workqueue.c:2298 worker_thread+0x10bc/0x21f0 kernel/workqueue.c:2445 kthread+0x721/0x850 kernel/kthread.c:327 ret_from_fork+0x1f/0x30 CPU: 0 PID: 2847 Comm: udevd Not tainted 5.16.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 =====================================================