==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
BUG: KASAN: use-after-free in atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:116 [inline]
BUG: KASAN: use-after-free in __refcount_add include/linux/refcount.h:193 [inline]
BUG: KASAN: use-after-free in __refcount_inc include/linux/refcount.h:250 [inline]
BUG: KASAN: use-after-free in refcount_inc include/linux/refcount.h:267 [inline]
BUG: KASAN: use-after-free in sock_hold include/net/sock.h:726 [inline]
BUG: KASAN: use-after-free in sco_sock_timeout+0x64/0x290 net/bluetooth/sco.c:89
Write of size 4 at addr ffff88801ec17080 by task kworker/0:1/14

CPU: 0 PID: 14 Comm: kworker/0:1 Not tainted 5.18.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events sco_sock_timeout
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0xeb/0x467 mm/kasan/report.c:313
 print_report mm/kasan/report.c:429 [inline]
 kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
 instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
 atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:116 [inline]
 __refcount_add include/linux/refcount.h:193 [inline]
 __refcount_inc include/linux/refcount.h:250 [inline]
 refcount_inc include/linux/refcount.h:267 [inline]
 sock_hold include/net/sock.h:726 [inline]
 sco_sock_timeout+0x64/0x290 net/bluetooth/sco.c:89
 process_one_work+0x996/0x1610 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e9/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298

The buggy address belongs to the physical page:
page:ffffea00007b05c0 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x1ec17
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001dbf688 ffffea0001f15648 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffff7f 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x100cc0(GFP_USER), pid 11781, tgid 11774 (syz-executor.4), ts 392384541601, free_ts 392530290333
 prep_new_page mm/page_alloc.c:2441 [inline]
 get_page_from_freelist+0xba2/0x3e00 mm/page_alloc.c:4182
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5408
 alloc_pages+0x1aa/0x310 mm/mempolicy.c:2272
 __get_free_pages+0x8/0x40 mm/page_alloc.c:5457
 kasan_populate_vmalloc_pte mm/kasan/shadow.c:271 [inline]
 kasan_populate_vmalloc_pte+0x25/0x160 mm/kasan/shadow.c:262
 apply_to_pte_range mm/memory.c:2547 [inline]
 apply_to_pmd_range mm/memory.c:2591 [inline]
 apply_to_pud_range mm/memory.c:2627 [inline]
 apply_to_p4d_range mm/memory.c:2663 [inline]
 __apply_to_page_range+0x686/0x1030 mm/memory.c:2697
 alloc_vmap_area+0xb0f/0x1f00 mm/vmalloc.c:1594
 __get_vm_area_node+0x142/0x3f0 mm/vmalloc.c:2466
 __vmalloc_node_range+0x264/0x13c0 mm/vmalloc.c:3132
 __bpf_map_area_alloc+0xd5/0x150 kernel/bpf/syscall.c:330
 bloom_map_alloc+0x322/0x620 kernel/bpf/bloom_filter.c:144
 find_and_alloc_map kernel/bpf/syscall.c:129 [inline]
 map_create kernel/bpf/syscall.c:864 [inline]
 __sys_bpf+0xbfc/0x55d0 kernel/bpf/syscall.c:4645
 __do_sys_bpf kernel/bpf/syscall.c:4767 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:4765 [inline]
 __x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:4765
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1356 [inline]
 free_pcp_prepare+0x549/0xd20 mm/page_alloc.c:1406
 free_unref_page_prepare mm/page_alloc.c:3328 [inline]
 free_unref_page+0x19/0x6a0 mm/page_alloc.c:3423
 kasan_depopulate_vmalloc_pte+0x5c/0x70 mm/kasan/shadow.c:359
 apply_to_pte_range mm/memory.c:2547 [inline]
 apply_to_pmd_range mm/memory.c:2591 [inline]
 apply_to_pud_range mm/memory.c:2627 [inline]
 apply_to_p4d_range mm/memory.c:2663 [inline]
 __apply_to_page_range+0x686/0x1030 mm/memory.c:2697
 kasan_release_vmalloc+0xa7/0xc0 mm/kasan/shadow.c:469
 __purge_vmap_area_lazy+0x8f9/0x1c50 mm/vmalloc.c:1733
 drain_vmap_area_work+0x52/0xe0 mm/vmalloc.c:1762
 process_one_work+0x996/0x1610 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e9/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298

Memory state around the buggy address:
 ffff88801ec16f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88801ec17000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88801ec17080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff88801ec17100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88801ec17180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
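The report above is the raw KASAN output; when triaging a batch of these the first things to pull out are the bug class, the real (non-inline) faulting frame, the access and the alloc/free history of the backing page. The parser below is an added example, not part of the syzbot report or of any kernel tooling. It runs on an excerpt of the report above (embedded as SAMPLE, shortened but otherwise verbatim) and returns those fields, resolves which syscall the page was last allocated under from the __x64_sys_* frame, and names the poison byte covering the faulting address. The poison table is assumed from mm/kasan/kasan.h for generic KASAN at v5.18 (these constants were renamed around v5.17), so check it against the kernel tree you are actually looking at.

```python
"""Triage helper for generic-mode KASAN reports (added example, not kernel
tooling): bug class, faulting frame, access, backing-page alloc/free stacks
and the poison byte at the marked address."""
import re
from dataclasses import dataclass, field

# Poison values from mm/kasan/kasan.h (generic mode, v5.18); assumed for the
# kernel in the report above, verify against your own tree.
SHADOW_POISON = {0xFF: "KASAN_PAGE_FREE", 0xFE: "KASAN_PAGE_REDZONE",
                 0xFC: "KASAN_SLAB_REDZONE", 0xFB: "KASAN_SLAB_FREE",
                 0xF8: "KASAN_VMALLOC_INVALID"}

BUG_RE = re.compile(r"BUG: KASAN: ([\w-]+) in (\S+) (\S+:\d+)$")
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)")
FRAME_RE = re.compile(r"^\s*([^\s<]\S*)(?:\s+(\S+:\d+))?(\s+\[inline\])?$")
SHADOW_RE = re.compile(r"^>([0-9a-f]{16}): ((?:[0-9a-f]{2} ?)+)$")


@dataclass
class KasanReport:
    bug: str = ""
    culprit: tuple = ("", "")      # (symbol+offset, file:line) of the last BUG: line
    access: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    workqueue: str = ""
    call_trace: list = field(default_factory=list)  # (symbol, file:line, inline)
    alloc_ctx: str = ""                             # the "page last allocated" line
    alloc_stack: list = field(default_factory=list)
    free_stack: list = field(default_factory=list)
    poison: str = ""                                # poison name covering addr


def parse_kasan(text):
    r, section = KasanReport(), None
    stacks = {"call": r.call_trace, "alloc": r.alloc_stack, "free": r.free_stack}
    for line in text.splitlines():
        if not line.strip():
            section = None               # a blank line ends a stack dump
        elif (m := BUG_RE.match(line)):  # inline BUG: lines end in [inline] and skip this
            r.bug, r.culprit = m.group(1), (m.group(2), m.group(3))
        elif (m := ACCESS_RE.match(line)):
            r.access, r.size = m.group(1), int(m.group(2))
            r.addr, r.task = int(m.group(3), 16), m.group(4)
        elif line.startswith("Workqueue: "):
            r.workqueue = line.split(": ", 1)[1]
        elif line.startswith("Call Trace:"):
            section = "call"
        elif line.startswith("page last allocated"):
            r.alloc_ctx, section = line, "alloc"
        elif line.startswith("page last free"):
            section = "free"
        elif line.startswith("Memory state"):
            section = "shadow"
        elif section == "shadow" and (m := SHADOW_RE.match(line)):
            # One shadow byte covers 8 bytes of memory; the '>' row contains addr.
            base, shadow = int(m.group(1), 16), [int(b, 16) for b in m.group(2).split()]
            r.poison = SHADOW_POISON.get(shadow[(r.addr - base) // 8], "unknown")
        elif section in stacks and (m := FRAME_RE.match(line)):
            stacks[section].append((m.group(1), m.group(2) or "", m.group(3) is not None))
    return r


def syscall_of(stack):
    """Syscall on a stack, read from its __x64_sys_* frame (None for kthreads)."""
    for sym, _loc, _inline in stack:
        if (m := re.match(r"__x64_sys_(\w+)", sym)):
            return m.group(1)
    return None


def summarize(r):
    return (f"{r.bug}: {r.access} of {r.size} bytes at {r.addr:#x} in {r.culprit[0]} "
            f"({r.culprit[1]}), task {r.task}, shadow {r.poison}, "
            f"page last allocated under syscall {syscall_of(r.alloc_stack)}")


# Shortened excerpt of the report above (lines verbatim, many frames dropped).
SAMPLE = """\
BUG: KASAN: use-after-free in sock_hold include/net/sock.h:726 [inline]
BUG: KASAN: use-after-free in sco_sock_timeout+0x64/0x290 net/bluetooth/sco.c:89
Write of size 4 at addr ffff88801ec17080 by task kworker/0:1/14

Workqueue: events sco_sock_timeout
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 sock_hold include/net/sock.h:726 [inline]
 sco_sock_timeout+0x64/0x290 net/bluetooth/sco.c:89

page last allocated via order 0, migratetype Unmovable, gfp_mask 0x100cc0(GFP_USER), pid 11781, tgid 11774 (syz-executor.4), ts 392384541601, free_ts 392530290333
 prep_new_page mm/page_alloc.c:2441 [inline]
 __x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:4765
 entry_SYSCALL_64_after_hwframe+0x44/0xae
page last free stack trace:
 kasan_release_vmalloc+0xa7/0xc0 mm/kasan/shadow.c:469
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298

Memory state around the buggy address:
>ffff88801ec17080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
"""

if __name__ == "__main__":
    print(summarize(parse_kasan(SAMPLE)))
```

Feed it the full report and it behaves the same; the blank lines KASAN prints between sections are what terminate each stack, so keep them if you copy a report out of a mail client that reflows text. Note that the page's last allocator (the bpf() syscall populating vmalloc shadow) is not the owner of the socket: it only tells you who reused the page after the sock was freed, which is why the poison is KASAN_PAGE_FREE rather than a slab free marker.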