==================================================================
BUG: KASAN: slab-use-after-free in __lock_acquire+0x2dd6/0x3b30 kernel/locking/lockdep.c:5005
Read of size 8 at addr ffff888019d8ae58 by task swapper/1/0
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.9.0-syzkaller-12277-g56fb6f92854f #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 __lock_acquire+0x2dd6/0x3b30 kernel/locking/lockdep.c:5005
 lock_acquire kernel/locking/lockdep.c:5754 [inline]
 lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:162
 class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:553 [inline]
 try_to_wake_up+0x9a/0x13e0 kernel/sched/core.c:4262
 call_timer_fn+0x1a0/0x610 kernel/time/timer.c:1792
 expire_timers kernel/time/timer.c:1843 [inline]
 __run_timers+0x74b/0xaf0 kernel/time/timer.c:2417
 __run_timer_base kernel/time/timer.c:2428 [inline]
 __run_timer_base kernel/time/timer.c:2421 [inline]
 run_timer_base+0x111/0x190 kernel/time/timer.c:2437
 run_timer_softirq+0x1a/0x40 kernel/time/timer.c:2447
 handle_softirqs+0x216/0x8f0 kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu kernel/softirq.c:637 [inline]
 irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
 sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1043
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:native_irq_disable arch/x86/include/asm/irqflags.h:37 [inline]
RIP: 0010:arch_local_irq_disable arch/x86/include/asm/irqflags.h:72 [inline]
RIP: 0010:default_idle+0xf/0x20 arch/x86/kernel/process.c:743
Code: 4c 01 c7 4c 29 c2 e9 72 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d 63 48 4a 00 fb f4 <fa> c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90
RSP: 0018:ffffc90000477e08 EFLAGS: 00000246
RAX: 000000000016184d RBX: 0000000000000001 RCX: ffffffff8adc2c49
RDX: 0000000000000000 RSI: ffffffff8b2cb740 RDI: ffffffff8b8fb1e0
RBP: ffffed1002c7a910 R08: 0000000000000001 R09: ffffed1005826fe5
R10: ffff88802c137f2b R11: 0000000000000000 R12: 0000000000000001
R13: ffff8880163d4880 R14: ffffffff8fe2add0 R15: 0000000000000000
 default_idle_call+0x6d/0xb0 kernel/sched/idle.c:117
 cpuidle_idle_call kernel/sched/idle.c:191 [inline]
 do_idle+0x32c/0x3f0 kernel/sched/idle.c:332
 cpu_startup_entry+0x4f/0x60 kernel/sched/idle.c:430
 start_secondary+0x220/0x2b0 arch/x86/kernel/smpboot.c:313
 common_startup_64+0x13e/0x148
 </TASK>
Allocated by task 9347:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 unpoison_slab_object mm/kasan/common.c:312 [inline]
 __kasan_slab_alloc+0x89/0x90 mm/kasan/common.c:338
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3940 [inline]
 slab_alloc_node mm/slub.c:4000 [inline]
 kmem_cache_alloc_node_noprof+0x153/0x310 mm/slub.c:4043
 alloc_task_struct_node kernel/fork.c:176 [inline]
 dup_task_struct kernel/fork.c:1107 [inline]
 copy_process+0x4a3/0x6f50 kernel/fork.c:2220
 create_io_thread+0xaa/0xf0 kernel/fork.c:2745
 create_io_worker+0x1c2/0x590 io_uring/io-wq.c:845
 io_wq_create_worker io_uring/io-wq.c:323 [inline]
 io_wq_enqueue+0x695/0xbc0 io_uring/io-wq.c:956
 io_queue_iowq+0x248/0x4e0 io_uring/io_uring.c:525
 io_queue_sqe_fallback+0xcd/0xaa0 io_uring/io_uring.c:1990
 io_submit_sqe io_uring/io_uring.c:2215 [inline]
 io_submit_sqes+0x14f9/0x24d0 io_uring/io_uring.c:2335
 __do_sys_io_uring_enter+0xbd8/0x1130 io_uring/io_uring.c:3244
 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
 __do_fast_syscall_32+0x73/0x120 arch/x86/entry/common.c:386
 do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411
 entry_SYSENTER_compat_after_hwframe+0x84/0x8e
Freed by task 5189:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579
 poison_slab_object+0xf7/0x160 mm/kasan/common.c:240
 __kasan_slab_free+0x32/0x50 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2195 [inline]
 slab_free mm/slub.c:4436 [inline]
 kmem_cache_free+0x12f/0x3a0 mm/slub.c:4511
 put_task_struct include/linux/sched/task.h:138 [inline]
 put_task_struct include/linux/sched/task.h:125 [inline]
 delayed_put_task_struct+0x22c/0x300 kernel/exit.c:228
 rcu_do_batch kernel/rcu/tree.c:2535 [inline]
 rcu_core+0x828/0x16b0 kernel/rcu/tree.c:2809
 handle_softirqs+0x216/0x8f0 kernel/softirq.c:554
 do_softirq kernel/softirq.c:455 [inline]
 do_softirq+0xb2/0xf0 kernel/softirq.c:442
 __local_bh_enable_ip+0x100/0x120 kernel/softirq.c:382
 lock_sock include/net/sock.h:1602 [inline]
 tcp_recvmsg+0x113/0x680 net/ipv4/tcp.c:2586
 inet_recvmsg+0x12b/0x6a0 net/ipv4/af_inet.c:885
 sock_recvmsg_nosec net/socket.c:1046 [inline]
 sock_recvmsg+0x1b2/0x250 net/socket.c:1068
 sock_read_iter+0x2c7/0x3c0 net/socket.c:1138
 new_sync_read fs/read_write.c:395 [inline]
 vfs_read+0xa39/0xbd0 fs/read_write.c:476
 ksys_read+0x1f8/0x260 fs/read_write.c:619
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Last potentially related work creation:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 __kasan_record_aux_stack+0xba/0xd0 mm/kasan/generic.c:541
 __call_rcu_common.constprop.0+0x9a/0x790 kernel/rcu/tree.c:3072
 put_task_struct_rcu_user kernel/exit.c:234 [inline]
 put_task_struct_rcu_user+0x87/0xd0 kernel/exit.c:231
 context_switch kernel/sched/core.c:5411 [inline]
 __schedule+0xf1d/0x5d00 kernel/sched/core.c:6745
 schedule_idle+0x59/0x90 kernel/sched/core.c:6863
 do_idle+0x287/0x3f0 kernel/sched/idle.c:360
 cpu_startup_entry+0x4f/0x60 kernel/sched/idle.c:430
 start_secondary+0x220/0x2b0 arch/x86/kernel/smpboot.c:313
 common_startup_64+0x13e/0x148
The buggy address belongs to the object at ffff888019d8a440
 which belongs to the cache task_struct of size 9024
The buggy address is located 2584 bytes inside of
 freed 9024-byte region [ffff888019d8a440, ffff888019d8c780)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x19d88
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff888024c19dc1
ksm flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffefff(slab)
raw: 00fff00000000040 ffff8880166a2140 ffffea000080ee00 dead000000000003
raw: 0000000000000000 0000000000030003 00000001ffffefff ffff888024c19dc1
head: 00fff00000000040 ffff8880166a2140 ffffea000080ee00 dead000000000003
head: 0000000000000000 0000000000030003 00000001ffffefff ffff888024c19dc1
head: 00fff00000000003 ffffea0000676201 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x252800(GFP_NOWAIT|__GFP_NORETRY|__GFP_COMP|__GFP_THISNODE), pid 2, tgid 2 (kthreadd), ts 4735705719, free_ts 0
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1468
 prep_new_page mm/page_alloc.c:1476 [inline]
 get_page_from_freelist+0x136a/0x2df0 mm/page_alloc.c:3402
 __alloc_pages_noprof+0x22b/0x2460 mm/page_alloc.c:4660
 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
 alloc_slab_page+0x56/0x110 mm/slub.c:2264
 allocate_slab mm/slub.c:2427 [inline]
 new_slab+0x84/0x260 mm/slub.c:2480
 ___slab_alloc+0xdac/0x1870 mm/slub.c:3666
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3756
 __slab_alloc_node mm/slub.c:3809 [inline]
 slab_alloc_node mm/slub.c:3988 [inline]
 kmem_cache_alloc_node_noprof+0xed/0x310 mm/slub.c:4043
 alloc_task_struct_node kernel/fork.c:176 [inline]
 dup_task_struct kernel/fork.c:1107 [inline]
 copy_process+0x4a3/0x6f50 kernel/fork.c:2220
 kernel_clone+0xfd/0x980 kernel/fork.c:2797
 kernel_thread+0xc0/0x100 kernel/fork.c:2859
 create_kthread kernel/kthread.c:412 [inline]
 kthreadd+0x4ef/0x7d0 kernel/kthread.c:765
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
page_owner free stack trace missing
Memory state around the buggy address:
 ffff888019d8ad00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888019d8ad80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888019d8ae00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                    ^
 ffff888019d8ae80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888019d8af00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess):
   0:	4c 01 c7             	add    %r8,%rdi
   3:	4c 29 c2             	sub    %r8,%rdx
   6:	e9 72 ff ff ff       	jmp    0xffffff7d
   b:	90                   	nop
   c:	90                   	nop
   d:	90                   	nop
   e:	90                   	nop
   f:	90                   	nop
  10:	90                   	nop
  11:	90                   	nop
  12:	90                   	nop
  13:	90                   	nop
  14:	90                   	nop
  15:	90                   	nop
  16:	90                   	nop
  17:	90                   	nop
  18:	90                   	nop
  19:	90                   	nop
  1a:	90                   	nop
  1b:	f3 0f 1e fa          	endbr64
  1f:	66 90                	xchg   %ax,%ax
  21:	0f 00 2d 63 48 4a 00 	verw   0x4a4863(%rip)        # 0x4a488b
  28:	fb                   	sti
  29:	f4                   	hlt
* 2a:	fa                   	cli <-- trapping instruction
  2b:	c3                   	ret
  2c:	cc                   	int3
  2d:	cc                   	int3
  2e:	cc                   	int3
  2f:	cc                   	int3
  30:	66 66 2e 0f 1f 84 00 	data16 cs nopw 0x0(%rax,%rax,1)
  37:	00 00 00 00
  3b:	90                   	nop
  3c:	90                   	nop
  3d:	90                   	nop
  3e:	90                   	nop
  3f:	90                   	nop