==================================================================
BUG: KASAN: slab-use-after-free in bq_enqueue kernel/bpf/cpumap.c:710 [inline]
BUG: KASAN: slab-use-after-free in cpu_map_enqueue+0x318/0x370 kernel/bpf/cpumap.c:736
Read of size 8 at addr ff6000000eee9208 by task syz.0.1015/10097

CPU: 0 PID: 10097 Comm: syz.0.1015 Not tainted 6.10.0-rc6-syzkaller-gc562ba719df5 #0
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[] __dump_stack lib/dump_stack.c:88 [inline]
[] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:114
[] print_address_description mm/kasan/report.c:377 [inline]
[] print_report+0x288/0x596 mm/kasan/report.c:488
[] kasan_report+0xec/0x118 mm/kasan/report.c:601
[] __asan_report_load8_noabort+0x12/0x1a mm/kasan/report_generic.c:381
[] bq_enqueue kernel/bpf/cpumap.c:710 [inline]
[] cpu_map_enqueue+0x318/0x370 kernel/bpf/cpumap.c:736
[] __xdp_do_redirect_frame net/core/filter.c:4406 [inline]
[] xdp_do_redirect+0x6a2/0xa3e net/core/filter.c:4442
[] tun_xdp_act+0x2ac/0xd24 drivers/net/tun.c:1626
[] tun_build_skb.constprop.0+0xec4/0x140e drivers/net/tun.c:1716
[] tun_get_user+0x17e2/0x3efc drivers/net/tun.c:1819
[] tun_chr_write_iter+0xc4/0x1e4 drivers/net/tun.c:2048
[] new_sync_write fs/read_write.c:497 [inline]
[] vfs_write+0x4c0/0x9a4 fs/read_write.c:590
[] ksys_write+0x12a/0x270 fs/read_write.c:643
[] __do_sys_write fs/read_write.c:655 [inline]
[] __se_sys_write fs/read_write.c:652 [inline]
[] __riscv_sys_write+0x6e/0x94 fs/read_write.c:652
[] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[] do_trap_ecall_u+0x14c/0x214 arch/riscv/kernel/traps.c:330
[] ret_from_exception+0x0/0x64 arch/riscv/kernel/entry.S:112

Allocated by task 6226:
 stack_trace_save+0xa0/0xd2 kernel/stacktrace.c:122
 kasan_save_stack+0x3e/0x6a mm/kasan/common.c:47
 kasan_save_track+0x16/0x28 mm/kasan/common.c:68
 kasan_save_alloc_info+0x30/0x3e mm/kasan/generic.c:565
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0xa0/0xa6 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slub.c:4123 [inline]
 __kmalloc_noprof+0x28a/0x4e4 mm/slub.c:4136
 kmalloc_noprof include/linux/slab.h:664 [inline]
 kzalloc_noprof include/linux/slab.h:778 [inline]
 __register_sysctl_table+0xca/0x14aa fs/proc/proc_sysctl.c:1357
 setup_mq_sysctls+0x166/0x26c ipc/mq_sysctl.c:146
 create_ipc_ns ipc/namespace.c:78 [inline]
 copy_ipcs+0x38e/0x5d4 ipc/namespace.c:112
 create_new_namespaces+0x1d6/0xa3a kernel/nsproxy.c:90
 unshare_nsproxy_namespaces+0xb2/0x1c6 kernel/nsproxy.c:228
 ksys_unshare+0x3e0/0x8d0 kernel/fork.c:3323
 __do_sys_unshare kernel/fork.c:3394 [inline]
 __se_sys_unshare kernel/fork.c:3392 [inline]
 __riscv_sys_unshare+0x34/0x48 kernel/fork.c:3392
 syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
 do_trap_ecall_u+0x14c/0x214 arch/riscv/kernel/traps.c:330
 ret_from_exception+0x0/0x64 arch/riscv/kernel/entry.S:112

Freed by task 6666:
 stack_trace_save+0xa0/0xd2 kernel/stacktrace.c:122
 kasan_save_stack+0x3e/0x6a mm/kasan/common.c:47
 kasan_save_track+0x16/0x28 mm/kasan/common.c:68
 kasan_save_free_info+0x40/0x5a mm/kasan/generic.c:579
 poison_slab_object+0x16e/0x234 mm/kasan/common.c:240
 __kasan_slab_free+0x2a/0x46 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2196 [inline]
 slab_free_freelist_hook mm/slub.c:2225 [inline]
 slab_free_bulk mm/slub.c:4462 [inline]
 kmem_cache_free_bulk.part.0+0x108/0x3bc mm/slub.c:4676
 kmem_cache_free_bulk+0xe/0x18 mm/slub.c:4665
 kfree_bulk include/linux/slab.h:568 [inline]
 kvfree_rcu_bulk+0x378/0x42e kernel/rcu/tree.c:3371
 kvfree_rcu_drain_ready kernel/rcu/tree.c:3545 [inline]
 kfree_rcu_monitor+0x3a2/0x1168 kernel/rcu/tree.c:3563
 process_one_work+0x938/0x1d5c kernel/workqueue.c:3248
 process_scheduled_works kernel/workqueue.c:3329 [inline]
 worker_thread+0x5be/0xdec kernel/workqueue.c:3409
 kthread+0x28c/0x3a6 kernel/kthread.c:389
 ret_from_fork+0xe/0x1c arch/riscv/kernel/entry.S:232

Last potentially related work creation:
 stack_trace_save+0xa0/0xd2 kernel/stacktrace.c:122
 kasan_save_stack+0x3e/0x6a mm/kasan/common.c:47
 __kasan_record_aux_stack+0x11a/0x166 mm/kasan/generic.c:541
 kasan_record_aux_stack_noalloc+0xe/0x16 mm/kasan/generic.c:551
 kvfree_call_rcu+0x8a/0x81c kernel/rcu/tree.c:3781
 drop_sysctl_table+0x1f6/0x37e fs/proc/proc_sysctl.c:1499
 unregister_sysctl_table fs/proc/proc_sysctl.c:1520 [inline]
 unregister_sysctl_table+0x48/0x6a fs/proc/proc_sysctl.c:1512
 retire_mq_sysctls+0x60/0x9c ipc/mq_sysctl.c:164
 free_ipc_ns ipc/namespace.c:157 [inline]
 free_ipc+0x1b8/0x2e6 ipc/namespace.c:179
 process_one_work+0x938/0x1d5c kernel/workqueue.c:3248
 process_scheduled_works kernel/workqueue.c:3329 [inline]
 worker_thread+0x5be/0xdec kernel/workqueue.c:3409
 kthread+0x28c/0x3a6 kernel/kthread.c:389
 ret_from_fork+0xe/0x1c arch/riscv/kernel/entry.S:232

The buggy address belongs to the object at ff6000000eee9200
 which belongs to the cache kmalloc-cg-256 of size 256
The buggy address is located 8 bytes inside of
 freed 256-byte region [ff6000000eee9200, ff6000000eee9300)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xff6000000eee8a00 pfn:0x8eee8
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ff60000029990f01
flags: 0xffe000000000040(head|node=0|zone=0|lastcpupid=0x7ff)
page_type: 0xffffefff(slab)
raw: 0ffe000000000040 ff6000000b80cdc0 ff1c0000005aa100 0000000000000002
raw: ff6000000eee8a00 000000000010000a 00000001ffffefff ff60000029990f01
head: 0ffe000000000040 ff6000000b80cdc0 ff1c0000005aa100 0000000000000002
head: ff6000000eee8a00 000000000010000a 00000001ffffefff ff60000029990f01
head: 0ffe000000000001 ff1c0000003bba01 ffffffffffffffff 0000000000000000
head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 7674177100, free_ts 0
 __set_page_owner+0xa2/0x70c mm/page_owner.c:320
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0xec/0x1e4 mm/page_alloc.c:1473
 prep_new_page mm/page_alloc.c:1481 [inline]
 get_page_from_freelist+0x123c/0x27e8 mm/page_alloc.c:3425
 __alloc_pages_noprof+0x1f0/0x213e mm/page_alloc.c:4683
 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
 alloc_slab_page+0x52/0x130 mm/slub.c:2265
 allocate_slab mm/slub.c:2428 [inline]
 new_slab+0x242/0x2d4 mm/slub.c:2481
 ___slab_alloc+0xa02/0x100a mm/slub.c:3667
 __slab_alloc.constprop.0+0x60/0xb2 mm/slub.c:3757
 __slab_alloc_node mm/slub.c:3810 [inline]
 slab_alloc_node mm/slub.c:3990 [inline]
 __do_kmalloc_node mm/slub.c:4122 [inline]
 __kmalloc_noprof+0x33a/0x4e4 mm/slub.c:4136
 kmalloc_noprof include/linux/slab.h:664 [inline]
 kzalloc_noprof include/linux/slab.h:778 [inline]
 __register_sysctl_table+0xca/0x14aa fs/proc/proc_sysctl.c:1357
 register_net_sysctl_sz+0x38e/0x488 net/sysctl_net.c:178
 ip4_frags_ns_ctl_register net/ipv4/ip_fragment.c:616 [inline]
 ipv4_frags_init_net net/ipv4/ip_fragment.c:691 [inline]
 ipv4_frags_init_net+0x23e/0x35e net/ipv4/ip_fragment.c:659
 ops_init+0xb6/0x616 net/core/net_namespace.c:139
 __register_pernet_operations net/core/net_namespace.c:1252 [inline]
 register_pernet_operations+0x264/0x630 net/core/net_namespace.c:1325
 register_pernet_subsys+0x36/0x50 net/core/net_namespace.c:1366
 ipfrag_init+0xe8/0xf2 net/ipv4/ip_fragment.c:758
page_owner free stack trace missing

Memory state around the buggy address:
 ff6000000eee9100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ff6000000eee9180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ff6000000eee9200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ff6000000eee9280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ff6000000eee9300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================