==================================================================
BUG: KASAN: use-after-free in tasklet_action+0x2aa/0x360 kernel/softirq.c:506
Read of size 8 at addr ffff8881d79672d0 by task syz-executor.4/7854
CPU: 0 PID: 7854 Comm: syz-executor.4 Not tainted 4.14.226-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x14b/0x1e7 lib/dump_stack.c:58
print_address_description.cold.6+0x9/0x1ca mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report mm/kasan/report.c:409 [inline]
kasan_report.cold.7+0x11a/0x2d3 mm/kasan/report.c:393
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
tasklet_action+0x2aa/0x360 kernel/softirq.c:506
__do_softirq+0x247/0x9a2 kernel/softirq.c:288
do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1016
do_softirq kernel/softirq.c:332 [inline]
do_softirq+0xee/0x160 kernel/softirq.c:319
__local_bh_enable_ip+0x130/0x150 kernel/softirq.c:185
__raw_write_unlock_bh include/linux/rwlock_api_smp.h:275 [inline]
_raw_write_unlock_bh+0x30/0x40 kernel/locking/spinlock.c:352
sock_orphan include/net/sock.h:1715 [inline]
bcm_release+0x3cf/0x500 net/can/bcm.c:1582
__sock_release+0xc2/0x2a0 net/socket.c:602
sock_close+0x10/0x20 net/socket.c:1139
__fput+0x232/0x740 fs/file_table.c:210
____fput+0x9/0x10 fs/file_table.c:244
task_work_run+0xe5/0x170 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0x98b/0x2c90 kernel/exit.c:868
do_group_exit+0xf8/0x2c0 kernel/exit.c:965
get_signal+0x2f6/0x1a90 kernel/signal.c:2423
do_signal+0x7f/0x18b0 arch/x86/kernel/signal.c:814
exit_to_usermode_loop+0x11e/0x190 arch/x86/entry/common.c:160
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x416/0x5b0 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x465849
RSP: 002b:00007f7c852be188 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: 0000000000000080 RBX: 000000000055bf00 RCX: 0000000000465849
RDX: 0000000000000000 RSI: 0000000020000480 RDI: 0000000000000004
RBP: 00000000004af675 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000055bf00
R13: 00007ffc2251e0df R14: 00007f7c852be300 R15: 0000000000022000
Allocated by task 7854:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:551
kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:536
kmem_cache_alloc_trace+0x152/0x3f0 mm/slab.c:3618
kmalloc include/linux/slab.h:488 [inline]
kzalloc include/linux/slab.h:661 [inline]
bcm_tx_setup net/can/bcm.c:952 [inline]
bcm_sendmsg+0x1a3a/0x4680 net/can/bcm.c:1388
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xac/0xf0 net/socket.c:656
___sys_sendmsg+0x625/0x920 net/socket.c:2062
__sys_sendmsg+0xc1/0x140 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0xd/0x20 net/socket.c:2103
do_syscall_64+0x1c7/0x5b0 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
Freed by task 7854:
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0xab/0x190 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3496 [inline]
kfree+0xcc/0x270 mm/slab.c:3815
bcm_remove_op+0x1cd/0x240 net/can/bcm.c:781
bcm_release+0xe7/0x500 net/can/bcm.c:1540
__sock_release+0xc2/0x2a0 net/socket.c:602
sock_close+0x10/0x20 net/socket.c:1139
__fput+0x232/0x740 fs/file_table.c:210
____fput+0x9/0x10 fs/file_table.c:244
task_work_run+0xe5/0x170 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0x98b/0x2c90 kernel/exit.c:868
do_group_exit+0xf8/0x2c0 kernel/exit.c:965
get_signal+0x2f6/0x1a90 kernel/signal.c:2423
do_signal+0x7f/0x18b0 arch/x86/kernel/signal.c:814
exit_to_usermode_loop+0x11e/0x190 arch/x86/entry/common.c:160
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x416/0x5b0 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x46/0xbb
The buggy address belongs to the object at ffff8881d7967200
which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 208 bytes inside of
1024-byte region [ffff8881d7967200, ffff8881d7967600)
The buggy address belongs to the page:
page:ffffea00075e5980 count:1 mapcount:0 mapping:ffff8881d7966000 index:0x0 compound_mapcount: 0
flags: 0x17ffe0000008100(slab|head)
raw: 017ffe0000008100 ffff8881d7966000 0000000000000000 0000000100000007
raw: ffffea00075998a0 ffffea000756b620 ffff8881f6000ac0 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881d7967180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8881d7967200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881d7967280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881d7967300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881d7967380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
ODEBUG: activate not available (active state 0) object type: hrtimer hint: bcm_tx_timeout_handler+0x0/0x30 include/net/sock.h:2300
------------[ cut here ]------------
WARNING: CPU: 0 PID: 7854 at lib/debugobjects.c:290 debug_print_object.cold.8+0xa7/0xdb lib/debugobjects.c:287
Modules linked in:
CPU: 0 PID: 7854 Comm: syz-executor.4 Tainted: G B 4.14.226-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8881ae914100 task.stack: ffff8881c65d0000
RIP: 0010:debug_print_object.cold.8+0xa7/0xdb lib/debugobjects.c:287
RSP: 0018:ffff8881f6607c38 EFLAGS: 00010082
RAX: 000000000000006a RBX: 0000000000000005 RCX: 0000000000000000
RDX: 000000000000006a RSI: ffffffff86cbec60 RDI: ffffed103ecc0f7e
RBP: ffff8881f6607c60 R08: 0000000000000000 R09: 0000000000000000
R10: fffffbfff13446cb R11: dffffc0000000000 R12: ffffffff86cba500
R13: ffffffff85ad1030 R14: 0000000000000000 R15: ffffffff89b41788
FS: 00007f7c852be700(0000) GS:ffff8881f6600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000536198 CR3: 0000000007e6a004 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
debug_object_activate+0x26d/0x4b0 lib/debugobjects.c:477
debug_hrtimer_activate kernel/time/hrtimer.c:401 [inline]
debug_activate kernel/time/hrtimer.c:447 [inline]
enqueue_hrtimer+0x1f/0x330 kernel/time/hrtimer.c:844
hrtimer_start_range_ns+0x4d5/0x1040 kernel/time/hrtimer.c:970
hrtimer_start include/linux/hrtimer.h:377 [inline]
bcm_tx_start_timer+0xd4/0x150 net/can/bcm.c:393
bcm_tx_timeout_tsklet+0x125/0x260 net/can/bcm.c:424
tasklet_action+0x19e/0x360 kernel/softirq.c:513
__do_softirq+0x247/0x9a2 kernel/softirq.c:288
do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1016
do_softirq kernel/softirq.c:332 [inline]
do_softirq+0xee/0x160 kernel/softirq.c:319
__local_bh_enable_ip+0x130/0x150 kernel/softirq.c:185
__raw_write_unlock_bh include/linux/rwlock_api_smp.h:275 [inline]
_raw_write_unlock_bh+0x30/0x40 kernel/locking/spinlock.c:352
sock_orphan include/net/sock.h:1715 [inline]
bcm_release+0x3cf/0x500 net/can/bcm.c:1582
__sock_release+0xc2/0x2a0 net/socket.c:602
sock_close+0x10/0x20 net/socket.c:1139
__fput+0x232/0x740 fs/file_table.c:210
____fput+0x9/0x10 fs/file_table.c:244
task_work_run+0xe5/0x170 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0x98b/0x2c90 kernel/exit.c:868
do_group_exit+0xf8/0x2c0 kernel/exit.c:965
get_signal+0x2f6/0x1a90 kernel/signal.c:2423
do_signal+0x7f/0x18b0 arch/x86/kernel/signal.c:814
exit_to_usermode_loop+0x11e/0x190 arch/x86/entry/common.c:160
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x416/0x5b0 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x465849
RSP: 002b:00007f7c852be188 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: 0000000000000080 RBX: 000000000055bf00 RCX: 0000000000465849
RDX: 0000000000000000 RSI: 0000000020000480 RDI: 0000000000000004
RBP: 00000000004af675 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000055bf00
R13: 00007ffc2251e0df R14: 00007f7c852be300 R15: 0000000000022000
Code: 87 48 89 fa 48 c1 ea 03 80 3c 02 00 75 42 48 8b 14 dd a0 19 04 87 4d 89 e9 4d 89 e0 44 89 f1 48 c7 c7 c0 0f 04 87 e8 f5 85 f9 ff <0f> 0b e9 c3 a7 a5 fc 48 89 75 d8 e8 67 83 27 fb 48 8b 75 d8 eb
---[ end trace a6637d7cdc692b0d ]---
ODEBUG: deactivate not available (active state 0) object type: hrtimer hint: bcm_tx_timeout_handler+0x0/0x30 include/net/sock.h:2300
------------[ cut here ]------------
WARNING: CPU: 0 PID: 7854 at lib/debugobjects.c:290 debug_print_object.cold.8+0xa7/0xdb lib/debugobjects.c:287
Modules linked in:
CPU: 0 PID: 7854 Comm: syz-executor.4 Tainted: G B W 4.14.226-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8881ae914100 task.stack: ffff8881c65d0000
RIP: 0010:debug_print_object.cold.8+0xa7/0xdb lib/debugobjects.c:287
RSP: 0018:ffff8881f66079c8 EFLAGS: 00010082
RAX: 000000000000006c RBX: 0000000000000005 RCX: 0000000000000000
RDX: 000000000000006c RSI: ffffffff87040ba0 RDI: ffffed103ecc0f30
RBP: ffff8881f66079f0 R08: 0000000000000000 R09: 0000000000000000
R10: fffffbfff13446cb R11: dffffc0000000000 R12: ffffffff86cba500
R13: ffffffff85ad1030 R14: 0000000000000000 R15: ffff8881f6607aa0
FS: 00007f7c852be700(0000) GS:ffff8881f6600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000536198 CR3: 0000000007e6a004 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
debug_object_deactivate lib/debugobjects.c:527 [inline]
debug_object_deactivate+0x1eb/0x300 lib/debugobjects.c:491
debug_hrtimer_deactivate kernel/time/hrtimer.c:406 [inline]
debug_deactivate kernel/time/hrtimer.c:453 [inline]
__run_hrtimer kernel/time/hrtimer.c:1193 [inline]
__hrtimer_run_queues+0x1ba/0xad0 kernel/time/hrtimer.c:1287
hrtimer_interrupt+0x1ae/0x600 kernel/time/hrtimer.c:1321
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1079 [inline]
smp_apic_timer_interrupt+0x11f/0x5d0 arch/x86/kernel/apic/apic.c:1104
apic_timer_interrupt+0x9a/0xa0 arch/x86/entry/entry_64.S:793
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:779 [inline]
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0xaf/0xd0 kernel/locking/spinlock.c:192
RSP: 0018:ffff8881f6607d68 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff10
RAX: dffffc0000000000 RBX: 0000000000000282 RCX: ffffffff814cd2db
RDX: 1ffffffff0fe2bd1 RSI: 0000000000000001 RDI: 0000000000000282
RBP: ffff8881f6607d78 R08: 0000000000000000 R09: 0000000000000000
R10: ffffed1047fff001 R11: 000000583281dde4 R12: ffff8881f6625b80
R13: 00000056a824cc94 R14: 0000000000000000 R15: ffff8881f6625c40
unlock_hrtimer_base kernel/time/hrtimer.c:778 [inline]
hrtimer_start_range_ns+0x5b7/0x1040 kernel/time/hrtimer.c:985
hrtimer_start include/linux/hrtimer.h:377 [inline]
bcm_tx_start_timer+0xd4/0x150 net/can/bcm.c:393
bcm_tx_timeout_tsklet+0x125/0x260 net/can/bcm.c:424
tasklet_action+0x19e/0x360 kernel/softirq.c:513
__do_softirq+0x247/0x9a2 kernel/softirq.c:288
do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1016
do_softirq kernel/softirq.c:332 [inline]
do_softirq+0xee/0x160 kernel/softirq.c:319
__local_bh_enable_ip+0x130/0x150 kernel/softirq.c:185
__raw_write_unlock_bh include/linux/rwlock_api_smp.h:275 [inline]
_raw_write_unlock_bh+0x30/0x40 kernel/locking/spinlock.c:352
sock_orphan include/net/sock.h:1715 [inline]
bcm_release+0x3cf/0x500 net/can/bcm.c:1582
__sock_release+0xc2/0x2a0 net/socket.c:602
sock_close+0x10/0x20 net/socket.c:1139
__fput+0x232/0x740 fs/file_table.c:210
____fput+0x9/0x10 fs/file_table.c:244
task_work_run+0xe5/0x170 kernel/task_work.c:113
exit_task_work include/linux/task_work.h:22 [inline]
do_exit+0x98b/0x2c90 kernel/exit.c:868
do_group_exit+0xf8/0x2c0 kernel/exit.c:965
get_signal+0x2f6/0x1a90 kernel/signal.c:2423
do_signal+0x7f/0x18b0 arch/x86/kernel/signal.c:814
exit_to_usermode_loop+0x11e/0x190 arch/x86/entry/common.c:160
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
do_syscall_64+0x416/0x5b0 arch/x86/entry/common.c:297
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x465849
RSP: 002b:00007f7c852be188 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: 0000000000000080 RBX: 000000000055bf00 RCX: 0000000000465849
RDX: 0000000000000000 RSI: 0000000020000480 RDI: 0000000000000004
RBP: 00000000004af675 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000055bf00
R13: 00007ffc2251e0df R14: 00007f7c852be300 R15: 0000000000022000
Code: 87 48 89 fa 48 c1 ea 03 80 3c 02 00 75 42 48 8b 14 dd a0 19 04 87 4d 89 e9 4d 89 e0 44 89 f1 48 c7 c7 c0 0f 04 87 e8 f5 85 f9 ff <0f> 0b e9 c3 a7 a5 fc 48 89 75 d8 e8 67 83 27 fb 48 8b 75 d8 eb
---[ end trace a6637d7cdc692b0e ]---
ODEBUG: activate not available (active state 0) object type: hrtimer hint: bcm_tx_timeout_handler+0x0/0x30 include/net/sock.h:2300
------------[ cut here ]------------
WARNING: CPU: 0 PID: 7505 at lib/debugobjects.c:290 debug_print_object.cold.8+0xa7/0xdb lib/debugobjects.c:287
Modules linked in:
CPU: 0 PID: 7505 Comm: systemd-udevd Tainted: G B W 4.14.226-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8881b6bac480 task.stack: ffff8881b8248000
RIP: 0010:debug_print_object.cold.8+0xa7/0xdb lib/debugobjects.c:287
RSP: 0018:ffff8881f6607c38 EFLAGS: 00010082
RAX: 000000000000006a RBX: 0000000000000005 RCX: 0000000000000000
RDX: 000000000000006a RSI: ffffffff86cbec60 RDI: ffffed103ecc0f7e
RBP: ffff8881f6607c60 R08: 0000000000000000 R09: 0000000000000000
R10: fffffbfff13446cb R11: dffffc0000000000 R12: ffffffff86cba500
R13: ffffffff85ad1030 R14: 0000000000000000 R15: ffffffff89b41788
FS: 00007f152fb3d8c0(0000) GS:ffff8881f6600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000536198 CR3: 00000001b64cc004 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
debug_object_activate+0x26d/0x4b0 lib/debugobjects.c:477
debug_hrtimer_activate kernel/time/hrtimer.c:401 [inline]
debug_activate kernel/time/hrtimer.c:447 [inline]
enqueue_hrtimer+0x1f/0x330 kernel/time/hrtimer.c:844
hrtimer_start_range_ns+0x4d5/0x1040 kernel/time/hrtimer.c:970
hrtimer_start include/linux/hrtimer.h:377 [inline]
bcm_tx_start_timer+0xd4/0x150 net/can/bcm.c:393
bcm_tx_timeout_tsklet+0x125/0x260 net/can/bcm.c:424
tasklet_action+0x19e/0x360 kernel/softirq.c:513
__do_softirq+0x247/0x9a2 kernel/softirq.c:288
do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1016
do_softirq kernel/softirq.c:332 [inline]
do_softirq+0xee/0x160 kernel/softirq.c:319
__local_bh_enable_ip+0x130/0x150 kernel/softirq.c:185
__raw_spin_unlock_bh include/linux/spinlock_api_smp.h:176 [inline]
_raw_spin_unlock_bh+0x30/0x40 kernel/locking/spinlock.c:208
spin_unlock_bh include/linux/spinlock.h:362 [inline]
peernet2id+0x83/0xb0 net/core/net_namespace.c:245
do_one_broadcast net/netlink/af_netlink.c:1440 [inline]
netlink_broadcast_filtered+0x3b4/0x8c0 net/netlink/af_netlink.c:1487
netlink_broadcast net/netlink/af_netlink.c:1511 [inline]
netlink_sendmsg+0xa19/0xbe0 net/netlink/af_netlink.c:1876
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xac/0xf0 net/socket.c:656
___sys_sendmsg+0x625/0x920 net/socket.c:2062
__sys_sendmsg+0xc1/0x140 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0xd/0x20 net/socket.c:2103
do_syscall_64+0x1c7/0x5b0 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7f152ec83e67
RSP: 002b:00007ffc24ed9ef8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000008010 RCX: 00007f152ec83e67
RDX: 0000000000000000 RSI: 00007ffc24ed9f10 RDI: 000000000000000e
RBP: 00007ffc24ed9f10 R08: 0000562c22fbfc54 R09: 0000000000000000
R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000000
R13: 00000000000000d3 R14: 0000562c22fcb840 R15: 0000000000000000
Code: 87 48 89 fa 48 c1 ea 03 80 3c 02 00 75 42 48 8b 14 dd a0 19 04 87 4d 89 e9 4d 89 e0 44 89 f1 48 c7 c7 c0 0f 04 87 e8 f5 85 f9 ff <0f> 0b e9 c3 a7 a5 fc 48 89 75 d8 e8 67 83 27 fb 48 8b 75 d8 eb
---[ end trace a6637d7cdc692b0f ]---
ODEBUG: deactivate not available (active state 0) object type: hrtimer hint: bcm_tx_timeout_handler+0x0/0x30 include/net/sock.h:2300
------------[ cut here ]------------
WARNING: CPU: 0 PID: 7505 at lib/debugobjects.c:290 debug_print_object.cold.8+0xa7/0xdb lib/debugobjects.c:287
Modules linked in:
CPU: 0 PID: 7505 Comm: systemd-udevd Tainted: G B W 4.14.226-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8881b6bac480 task.stack: ffff8881b8248000
RIP: 0010:debug_print_object.cold.8+0xa7/0xdb lib/debugobjects.c:287
RSP: 0018:ffff8881f66079c8 EFLAGS: 00010082
RAX: 000000000000006c RBX: 0000000000000005 RCX: 0000000000000000
RDX: 000000000000006c RSI: ffffffff87040ba0 RDI: ffffed103ecc0f30
RBP: ffff8881f66079f0 R08: 0000000000000000 R09: 0000000000000000
R10: fffffbfff13446cb R11: dffffc0000000000 R12: ffffffff86cba500
R13: ffffffff85ad1030 R14: 0000000000000000 R15: ffff8881f6607aa0
FS: 00007f152fb3d8c0(0000) GS:ffff8881f6600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000536198 CR3: 00000001b64cc004 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
debug_object_deactivate lib/debugobjects.c:527 [inline]
debug_object_deactivate+0x1eb/0x300 lib/debugobjects.c:491
debug_hrtimer_deactivate kernel/time/hrtimer.c:406 [inline]
debug_deactivate kernel/time/hrtimer.c:453 [inline]
__run_hrtimer kernel/time/hrtimer.c:1193 [inline]
__hrtimer_run_queues+0x1ba/0xad0 kernel/time/hrtimer.c:1287
hrtimer_interrupt+0x1ae/0x600 kernel/time/hrtimer.c:1321
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1079 [inline]
smp_apic_timer_interrupt+0x11f/0x5d0 arch/x86/kernel/apic/apic.c:1104
apic_timer_interrupt+0x9a/0xa0 arch/x86/entry/entry_64.S:793
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:779 [inline]
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0xaf/0xd0 kernel/locking/spinlock.c:192
RSP: 0018:ffff8881f6607d68 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff10
RAX: dffffc0000000000 RBX: 0000000000000282 RCX: ffffffff814cd2db
RDX: 1ffffffff0fe2bd1 RSI: 0000000000000001 RDI: 0000000000000282
RBP: ffff8881f6607d78 R08: 0000000000000000 R09: 0000000000000000
R10: ffffed1047fff001 R11: 000000587568769c R12: ffff8881f6625b80
R13: 00000056ec696c01 R14: 0000000000000000 R15: ffff8881f6625c40
unlock_hrtimer_base kernel/time/hrtimer.c:778 [inline]
hrtimer_start_range_ns+0x5b7/0x1040 kernel/time/hrtimer.c:985
hrtimer_start include/linux/hrtimer.h:377 [inline]
bcm_tx_start_timer+0xd4/0x150 net/can/bcm.c:393
bcm_tx_timeout_tsklet+0x125/0x260 net/can/bcm.c:424
tasklet_action+0x19e/0x360 kernel/softirq.c:513
__do_softirq+0x247/0x9a2 kernel/softirq.c:288
do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1016
do_softirq kernel/softirq.c:332 [inline]
do_softirq+0xee/0x160 kernel/softirq.c:319
__local_bh_enable_ip+0x130/0x150 kernel/softirq.c:185
__raw_spin_unlock_bh include/linux/spinlock_api_smp.h:176 [inline]
_raw_spin_unlock_bh+0x30/0x40 kernel/locking/spinlock.c:208
spin_unlock_bh include/linux/spinlock.h:362 [inline]
peernet2id+0x83/0xb0 net/core/net_namespace.c:245
do_one_broadcast net/netlink/af_netlink.c:1440 [inline]
netlink_broadcast_filtered+0x3b4/0x8c0 net/netlink/af_netlink.c:1487
netlink_broadcast net/netlink/af_netlink.c:1511 [inline]
netlink_sendmsg+0xa19/0xbe0 net/netlink/af_netlink.c:1876
sock_sendmsg_nosec net/socket.c:646 [inline]
sock_sendmsg+0xac/0xf0 net/socket.c:656
___sys_sendmsg+0x625/0x920 net/socket.c:2062
__sys_sendmsg+0xc1/0x140 net/socket.c:2096
SYSC_sendmsg net/socket.c:2107 [inline]
SyS_sendmsg+0xd/0x20 net/socket.c:2103
do_syscall_64+0x1c7/0x5b0 arch/x86/entry/common.c:292
entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7f152ec83e67
RSP: 002b:00007ffc24ed9ef8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000008010 RCX: 00007f152ec83e67
RDX: 0000000000000000 RSI: 00007ffc24ed9f10 RDI: 000000000000000e
RBP: 00007ffc24ed9f10 R08: 0000562c22fbfc54 R09: 0000000000000000
R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000000
R13: 00000000000000d3 R14: 0000562c22fcb840 R15: 0000000000000000
Code: 87 48 89 fa 48 c1 ea 03 80 3c 02 00 75 42 48 8b 14 dd a0 19 04 87 4d 89 e9 4d 89 e0 44 89 f1 48 c7 c7 c0 0f 04 87 e8 f5 85 f9 ff <0f> 0b e9 c3 a7 a5 fc 48 89 75 d8 e8 67 83 27 fb 48 8b 75 d8 eb
---[ end trace a6637d7cdc692b10 ]---
ODEBUG: activate not available (active state 0) object type: hrtimer hint: bcm_tx_timeout_handler+0x0/0x30 include/net/sock.h:2300
------------[ cut here ]------------
WARNING: CPU: 0 PID: 5794 at lib/debugobjects.c:290 debug_print_object.cold.8+0xa7/0xdb lib/debugobjects.c:287
Modules linked in:
CPU: 0 PID: 5794 Comm: kworker/0:3 Tainted: G B W 4.14.226-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events_power_efficient fb_flashcursor
task: ffff8881d10ea600 task.stack: ffff8881d1418000
RIP: 0010:debug_print_object.cold.8+0xa7/0xdb lib/debugobjects.c:287
RSP: 0018:ffff8881f6607be8 EFLAGS: 00010082
RAX: 000000000000006a RBX: 0000000000000005 RCX: 0000000000000000
RDX: 000000000000006a RSI: 0000000000000001 RDI: ffffed103ecc0f74
RBP: ffff8881f6607c10 R08: 0000000000000000 R09: 0000000000000000
R10: fffffbfff134b909 R11: ffff8881d10ea600 R12: ffffffff86cba500
R13: ffffffff85ad1030 R14: 0000000000000000 R15: ffffffff89b41788
FS: 0000000000000000(0000) GS:ffff8881f6600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000536198 CR3: 0000000007e6a005 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
debug_object_activate+0x26d/0x4b0 lib/debugobjects.c:477
debug_hrtimer_activate kernel/time/hrtimer.c:401 [inline]
debug_activate kernel/time/hrtimer.c:447 [inline]
enqueue_hrtimer+0x1f/0x330 kernel/time/hrtimer.c:844
hrtimer_start_range_ns+0x4d5/0x1040 kernel/time/hrtimer.c:970
hrtimer_start include/linux/hrtimer.h:377 [inline]
bcm_tx_start_timer+0xd4/0x150 net/can/bcm.c:393
bcm_tx_timeout_tsklet+0x125/0x260 net/can/bcm.c:424
tasklet_action+0x19e/0x360 kernel/softirq.c:513
__do_softirq+0x247/0x9a2 kernel/softirq.c:288
invoke_softirq kernel/softirq.c:368 [inline]
irq_exit+0x15f/0x1a0 kernel/softirq.c:409
exiting_irq arch/x86/include/asm/apic.h:638 [inline]
do_IRQ+0x116/0x1d0 arch/x86/kernel/irq.c:242
common_interrupt+0x9a/0x9a arch/x86/entry/entry_64.S:576
RIP: 0010:slow_down_io arch/x86/include/asm/paravirt.h:268 [inline]
RIP: 0010:outb_p arch/x86/include/asm/io.h:309 [inline]
RIP: 0010:vga_io_w include/video/vga.h:209 [inline]
RIP: 0010:vga_io_rgfx include/video/vga.h:388 [inline]
RIP: 0010:setcolor drivers/video/fbdev/vga16fb.c:170 [inline]
RIP: 0010:vga_imageblit_expand drivers/video/fbdev/vga16fb.c:1165 [inline]
RIP: 0010:vga16fb_imageblit+0x879/0x2380 drivers/video/fbdev/vga16fb.c:1261
RSP: 0018:ffff8881d141fa90 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffc5
RAX: 0000000000000000 RBX: 0000000000000007 RCX: 1ffffffff0fe2bc2
RDX: 00000000000003ce RSI: ffff8881ef71e0a0 RDI: ffff8881ef71e090
RBP: ffff8881d141fb20 R08: ffff8881ef278818 R09: ffff8881ef71e080
R10: 00000000ffffffff R11: ffff8881ef71e0e0 R12: ffff8881ef2787d0
R13: ffffffff81270ed0 R14: ffff8881ef35d650 R15: ffff8881ef71e080
soft_cursor+0x4f6/0xc70 drivers/video/fbdev/core/softcursor.c:74
bit_cursor+0xd71/0x1aa0 drivers/video/fbdev/core/bitblit.c:377
fb_flashcursor+0x31e/0x3c0 drivers/video/fbdev/core/fbcon.c:373
process_one_work+0x74f/0x1620 kernel/workqueue.c:2116
worker_thread+0xcc/0xee0 kernel/workqueue.c:2250
kthread+0x338/0x400 kernel/kthread.c:232
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
Code: 87 48 89 fa 48 c1 ea 03 80 3c 02 00 75 42 48 8b 14 dd a0 19 04 87 4d 89 e9 4d 89 e0 44 89 f1 48 c7 c7 c0 0f 04 87 e8 f5 85 f9 ff <0f> 0b e9 c3 a7 a5 fc 48 89 75 d8 e8 67 83 27 fb 48 8b 75 d8 eb
---[ end trace a6637d7cdc692b11 ]---