==================================================================
BUG: KASAN: use-after-free in __list_del_entry_valid+0x84/0x130
Read of size 8 at addr ffff8880179f7000 by task syz-executor.2/16824

CPU: 0 PID: 16824 Comm: syz-executor.2 Not tainted 6.2.0-rc7-syzkaller-00002-gd2d11f342b17 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
Call Trace:
 dump_stack_lvl+0x1b5/0x2a0
 print_report+0x163/0x4c0
 kasan_report+0xce/0x100
 __list_del_entry_valid+0x84/0x130
 nfc_llcp_local_put+0x5f/0x180
 nfc_unregister_device+0x167/0x2a0
 virtual_ncidev_close+0x59/0x90
 __fput+0x3b7/0x890
 task_work_run+0x24a/0x300
 exit_to_user_mode_loop+0xd1/0xf0
 exit_to_user_mode_prepare+0xb1/0x140
 syscall_exit_to_user_mode+0x54/0x2d0
 do_syscall_64+0x4d/0xc0
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f3cb1a3df7b
Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44
RSP: 002b:00007fff7779ad40 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f3cb1a3df7b
RDX: 00007f3cb1601820 RSI: ffffffffffffffff RDI: 0000000000000003
RBP: 00007f3cb1bad980 R08: 0000000000000000 R09: 00007f3cb1600000
R10: 00007f3cb1601828 R11: 0000000000000293 R12: 000000000003ba04
R13: 00007fff7779ae40 R14: 00007f3cb1babf80 R15: 0000000000000032

Allocated by task 16836:
 kasan_set_track+0x40/0x70
 __kasan_kmalloc+0x9b/0xb0
 nfc_llcp_register_device+0x55/0x800
 nfc_register_device+0x71/0x320
 nci_register_device+0x7af/0x8e0
 virtual_ncidev_open+0x13c/0x1b0
 misc_open+0x308/0x380
 chrdev_open+0x530/0x5f0
 do_dentry_open+0x7f9/0x10f0
 path_openat+0x25f4/0x2e30
 do_filp_open+0x26d/0x500
 do_sys_openat2+0x128/0x4f0
 __x64_sys_openat+0x247/0x290
 do_syscall_64+0x41/0xc0
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 16834:
 kasan_set_track+0x40/0x70
 kasan_save_free_info+0x2b/0x40
 ____kasan_slab_free+0xd6/0x120
 __kmem_cache_free+0x264/0x3c0
 nfc_llcp_local_put+0x150/0x180
 nfc_unregister_device+0x167/0x2a0
 virtual_ncidev_close+0x59/0x90
 __fput+0x3b7/0x890
 task_work_run+0x24a/0x300
 exit_to_user_mode_loop+0xd1/0xf0
 exit_to_user_mode_prepare+0xb1/0x140
 syscall_exit_to_user_mode+0x54/0x2d0
 do_syscall_64+0x4d/0xc0
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Last potentially related work creation:
 kasan_save_stack+0x2f/0x50
 __kasan_record_aux_stack+0xb0/0xc0
 call_rcu+0x167/0xa70
 netlink_release+0x13fe/0x1830
 sock_close+0xd1/0x230
 __fput+0x3b7/0x890
 task_work_run+0x24a/0x300
 exit_to_user_mode_loop+0xd1/0xf0
 exit_to_user_mode_prepare+0xb1/0x140
 syscall_exit_to_user_mode+0x54/0x2d0
 do_syscall_64+0x4d/0xc0
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff8880179f7000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 0 bytes inside of
 2048-byte region [ffff8880179f7000, ffff8880179f7800)

The buggy address belongs to the physical page:
page:ffffea00005e7c00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x179f0
head:ffffea00005e7c00 order:3 compound_mapcount:0 subpages_mapcount:0 compound_pincount:0
anon flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffff888012442000 0000000000000000 dead000000000001
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 2729178060, free_ts 0
 get_page_from_freelist+0x3403/0x3580
 __alloc_pages+0x291/0x7e0
 alloc_page_interleave+0x22/0x1d0
 alloc_slab_page+0x6a/0x160
 new_slab+0x84/0x2f0
 ___slab_alloc+0xa07/0x1000
 __kmem_cache_alloc_node+0x1b8/0x2a0
 kmalloc_trace+0x2a/0x60
 wakeup_source_sysfs_add+0x55/0x270
 wakeup_source_register+0x171/0x250
 acpi_add_pm_notifier+0x168/0x260
 pci_acpi_setup+0x416/0x9d0
 acpi_device_notify+0x1e2/0x370
 device_add+0x4f1/0x1090
 pci_device_add+0x1208/0x1be0
 pci_scan_single_device+0x42a/0x540
page_owner free stack trace missing

Memory state around the buggy address:
 ffff8880179f6f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880179f6f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880179f7000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff8880179f7080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880179f7100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================