ci starts bisection 2023-08-28 16:51:11.279453975 +0000 UTC m=+37.911100771
bisecting cause commit starting from 5c905279a1b7ebb676d73cec8819533e2b74d646
building syzkaller on 03d9c195daed8fca30b642783f35657aa7e32209
ensuring issue is reproducible on original commit 5c905279a1b7ebb676d73cec8819533e2b74d646
testing commit 5c905279a1b7ebb676d73cec8819533e2b74d646 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0916817a379d2758e42a2478ed30ab09dd75454ece0b6f9ec40745e508dec56f
run #0: crashed: KASAN: use-after-free Read in xsk_diag_dump
run #1: crashed: KASAN: slab-use-after-free Read in xsk_diag_dump
run #2: crashed: KASAN: slab-use-after-free Read in xsk_diag_dump
run #3: crashed: KASAN: slab-use-after-free Read in xsk_diag_dump
run #4: crashed: KASAN: slab-use-after-free Read in xsk_diag_dump
run #5: crashed: KASAN: slab-use-after-free Read in xsk_diag_dump
run #6: crashed: KASAN: use-after-free Read in xsk_diag_dump
run #7: crashed: KASAN: slab-use-after-free Read in xsk_diag_dump
run #8: crashed: KASAN: slab-use-after-free Read in xsk_diag_dump
run #9: crashed: KASAN: slab-use-after-free Read in xsk_diag_dump
run #10: crashed: KASAN: slab-use-after-free Read in xsk_diag_dump
run #11: crashed: KASAN: slab-use-after-free Read in xsk_diag_dump
run #12: crashed: KASAN: slab-use-after-free Read in xsk_diag_dump
run #13: crashed: KASAN: slab-use-after-free Read in xsk_diag_dump
run #14: crashed: KASAN: slab-use-after-free Read in xsk_diag_dump
run #15: crashed: KASAN: slab-use-after-free Read in xsk_diag_dump
run #16: crashed: KASAN: slab-use-after-free Read in xsk_diag_dump
run #17: crashed: KASAN: slab-use-after-free Read in xsk_diag_dump
run #18: crashed: KASAN: slab-use-after-free Read in xsk_diag_dump
run #19: crashed: KASAN: slab-use-after-free Read in xsk_diag_dump
representative crash: KASAN: use-after-free Read in xsk_diag_dump, types: [KASAN]
check whether we can drop unnecessary instrumentation
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 5c905279a1b7ebb676d73cec8819533e2b74d646 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 26c1767233ff6870eef9c6d6d7bbb7cbeac3ecb07e9f91295c118c2c908f54fa
run #0: crashed: KASAN: use-after-free Read in xsk_diag_dump
run #1: crashed: KASAN: slab-use-after-free Read in xsk_diag_dump
run #2: crashed: KASAN: use-after-free Read in xsk_diag_dump
run #3: crashed: KASAN: slab-use-after-free Read in xsk_diag_dump
run #4: crashed: KASAN: use-after-free Read in xsk_diag_dump
run #5: crashed: KASAN: use-after-free Read in xsk_diag_dump
run #6: crashed: KASAN: slab-use-after-free Read in xsk_diag_dump
run #7: crashed: KASAN: slab-use-after-free Read in xsk_diag_dump
run #8: crashed: KASAN: slab-use-after-free Read in xsk_diag_dump
run #9: crashed: KASAN: slab-use-after-free Read in xsk_diag_dump
representative crash: KASAN: use-after-free Read in xsk_diag_dump, types: [KASAN]
the bug reproduces without the instrumentation
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
kconfig minimization: base=3883 full=7652 leaves diff=1997
split chunks (needed=false): <1997>
split chunk #0 of len 1997 into 5 parts
testing without sub-chunk 1/5
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 5c905279a1b7ebb676d73cec8819533e2b74d646 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8f4be0b7000a2b5aa3df0b72d8c15d4e3861b5fbff4072f76cc536eb14e8dbb8
all runs: crashed: KASAN: slab-use-after-free Read in xsk_diag_dump
representative crash: KASAN: slab-use-after-free Read in xsk_diag_dump, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN BUG], they are not needed
testing commit 5c905279a1b7ebb676d73cec8819533e2b74d646 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: fe2b0870b301203e2bf3f9ed0776b0af14b5146dfae079c58167379844b4d497
all runs: crashed: KASAN: slab-use-after-free Read in xsk_diag_dump
representative crash: KASAN: slab-use-after-free Read in xsk_diag_dump, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [BUG LOCKDEP ATOMIC_SLEEP HANG LEAK UBSAN], they are not needed
testing commit 5c905279a1b7ebb676d73cec8819533e2b74d646 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 18b86d796c6b4b31eb0ded1732c7f8f1776d0c4fcba89fac0d81de74751dfa86
all runs: crashed: KASAN: slab-use-after-free Read in xsk_diag_dump
representative crash: KASAN: slab-use-after-free Read in xsk_diag_dump, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 5c905279a1b7ebb676d73cec8819533e2b74d646 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2505d57ad032dddb70b20dc4f55f34139e5f6ff261ade05c98939bcc2b7427e8
all runs: crashed: KASAN: slab-use-after-free Read in xsk_diag_dump
representative crash: KASAN: slab-use-after-free Read in xsk_diag_dump, types: [KASAN]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 5c905279a1b7ebb676d73cec8819533e2b74d646 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 048ec960051c921506d39030db3556b3127b43e9883bc4255b53914f019aa122
all runs: OK
false negative chance: 0.000
minimized to 397 configs; suspects: [ARCH_ENABLE_MEMORY_HOTREMOVE ATM BCMA BLK_DEV_ZONED BPF_SYSCALL CARDBUS CFG80211 CFG80211_WEXT CMA COMMON_CLK CONTIG_ALLOC CRYPTO_842 CRYPTO_LZ4 CRYPTO_LZ4HC CRYPTO_LZO CRYPTO_ZSTD DVB_CORE EXTCON FB GPIOLIB HID_ZEROPLUS I2C_MUX IIO IOMMUFD IRQ_REMAP KVM KVM_INTEL LIBNVDIMM MEDIA_ANALOG_TV_SUPPORT MEDIA_CAMERA_SUPPORT MEDIA_CEC_SUPPORT MEDIA_CONTROLLER MEDIA_DIGITAL_TV_SUPPORT MEDIA_RADIO_SUPPORT MEDIA_SDR_SUPPORT MEDIA_SUPPORT MEDIA_TEST_SUPPORT MEDIA_USB_SUPPORT MEMORY_HOTPLUG MEMORY_HOTREMOVE MFD_VIPERBOARD PARPORT PCCARD PCMCIA PHONET RADIO_ADAPTERS RADIO_SI470X RADIO_SI4713 RC_CORE RFKILL SND SOUND SPI SSB TAP TARGET_CORE TUN USB_AMD5536UDC USB_ATM USB_CONFIGFS USB_CONFIGFS_F_MIDI USB_CONFIGFS_F_PRINTER USB_CONFIGFS_F_TCM USB_CONFIGFS_F_UAC1 USB_CONFIGFS_F_UAC1_LEGACY USB_CONFIGFS_F_UAC2 USB_CONFIGFS_F_UVC USB_CONFIGFS_MASS_STORAGE USB_CONFIGFS_NCM USB_CONFIGFS_OBEX USB_CONFIGFS_PHONET USB_CONFIGFS_RNDIS USB_CONFIGFS_SERIAL USB_CXACRU USB_CYPRESS_CY7C63 USB_CYTHERM USB_DSBR USB_DUMMY_HCD USB_DWC2 USB_DWC2_HOST USB_DWC2_PCI USB_DWC3 USB_DWC3_GADGET USB_DWC3_OF_SIMPLE USB_DWC3_PCI USB_DWC3_ULPI USB_DYNAMIC_MINORS USB_EG20T USB_EHCI_HCD_PLATFORM USB_EHCI_ROOT_HUB_TT USB_EHSET_TEST_FIXTURE USB_EMI26 USB_EMI62 USB_EPSON2888 USB_EZUSB_FX2 USB_FEW_INIT_RETRIES USB_F_ACM USB_F_ECM USB_F_EEM USB_F_FS USB_F_HID USB_F_MASS_STORAGE USB_F_MIDI USB_F_NCM USB_F_OBEX USB_F_PHONET USB_F_PRINTER USB_F_RNDIS USB_F_SERIAL USB_F_SS_LB USB_F_SUBSET USB_F_TCM USB_F_UAC1 USB_F_UAC1_LEGACY USB_F_UAC2 USB_F_UVC USB_GADGET USB_GADGETFS USB_GADGET_DEBUG_FILES USB_GADGET_DEBUG_FS USB_GL860 USB_GOKU USB_GPIO_VBUS USB_GR_UDC USB_GSPCA USB_GSPCA_BENQ USB_GSPCA_CONEX USB_GSPCA_CPIA1 USB_GSPCA_DTCS033 USB_GSPCA_ETOMS USB_GSPCA_FINEPIX USB_GSPCA_JEILINJ USB_GSPCA_JL2005BCD USB_GSPCA_KINECT USB_GSPCA_KONICA USB_GSPCA_MARS USB_GSPCA_MR97310A USB_GSPCA_NW80X USB_GSPCA_OV519 USB_GSPCA_OV534 USB_GSPCA_OV534_9 USB_GSPCA_PAC207 USB_GSPCA_PAC7302 USB_GSPCA_PAC7311 USB_GSPCA_SE401 USB_GSPCA_SN9C2028 USB_GSPCA_SN9C20X USB_GSPCA_SONIXB USB_GSPCA_SONIXJ USB_GSPCA_SPCA1528 USB_GSPCA_SPCA500 USB_GSPCA_SPCA501 USB_GSPCA_SPCA505 USB_GSPCA_SPCA506 USB_GSPCA_SPCA508 USB_GSPCA_SPCA561 USB_GSPCA_SQ905 USB_GSPCA_SQ905C USB_GSPCA_SQ930X USB_GSPCA_STK014 USB_GSPCA_STK1135 USB_GSPCA_STV0680 USB_GSPCA_SUNPLUS USB_GSPCA_T613 USB_GSPCA_TOPRO USB_GSPCA_TOUPTEK USB_GSPCA_TV8532 USB_GSPCA_VC032X USB_GSPCA_VICAM USB_GSPCA_XIRLINK_CIT USB_GSPCA_ZC3XX USB_HACKRF USB_HCD_BCMA USB_HCD_SSB USB_HSIC_USB3503 USB_HSIC_USB4604 USB_HSO USB_HUB_USB251XB USB_IDMOUSE USB_IOWARRIOR USB_IPHETH USB_ISIGHTFW USB_ISP116X_HCD USB_ISP1301 USB_ISP1760 USB_ISP1760_DUAL_ROLE USB_ISP1760_HCD USB_ISP1761_UDC USB_KAWETH USB_KC2190 USB_KEENE USB_LAN78XX USB_LCD USB_LD USB_LEDS_TRIGGER_USBPORT USB_LED_TRIG USB_LEGOTOWER USB_LIBCOMPOSITE USB_LINK_LAYER_TEST USB_M5602 USB_MA901 USB_MAX3421_HCD USB_MDC800 USB_MICROTEK USB_MR800 USB_MSI2500 USB_MUSB_DUAL_ROLE USB_MUSB_HDRC USB_MV_U3D USB_MV_UDC USB_NET2272 USB_NET2272_DMA USB_NET2280 USB_NET_AX88179_178A USB_NET_AX8817X USB_NET_CDCETHER USB_NET_CDC_EEM USB_NET_CDC_MBIM USB_NET_CDC_NCM USB_NET_CDC_SUBSET USB_NET_CDC_SUBSET_ENABLE USB_NET_CH9200 USB_NET_CX82310_ETH USB_NET_DM9601 USB_NET_GL620A USB_NET_HUAWEI_CDC_NCM USB_NET_INT51X1 USB_NET_KALMIA USB_NET_MCS7830 USB_NET_NET1080 USB_NET_PLUSB USB_NET_QMI_WWAN USB_NET_RNDIS_HOST USB_NET_RNDIS_WLAN USB_NET_SMSC75XX USB_NET_SMSC95XX USB_NET_SR9700 USB_NET_SR9800 USB_NET_ZAURUS USB_OHCI_HCD_PLATFORM USB_OTG USB_OTG_FSM USB_OXU210HP_HCD USB_PEGASUS USB_PULSE8_CEC USB_PWC USB_PWC_INPUT_EVDEV USB_PXA27X USB_R8A66597 USB_R8A66597_HCD USB_RAINSHADOW_CEC USB_RAREMONO USB_RAW_GADGET USB_RTL8150 USB_RTL8152 USB_RTL8153_ECM USB_S2255 USB_SERIAL USB_SERIAL_AIRCABLE USB_SERIAL_ARK3116 USB_SERIAL_BELKIN USB_SERIAL_CH341 USB_SERIAL_CONSOLE USB_SERIAL_CP210X USB_SERIAL_CYBERJACK USB_SERIAL_CYPRESS_M8 USB_SERIAL_DEBUG USB_SERIAL_DIGI_ACCELEPORT USB_SERIAL_EDGEPORT USB_SERIAL_EDGEPORT_TI USB_SERIAL_EMPEG USB_SERIAL_F81232 USB_SERIAL_F8153X USB_SERIAL_FTDI_SIO USB_SERIAL_GARMIN USB_SERIAL_GENERIC USB_SERIAL_IPAQ USB_SERIAL_IPW USB_SERIAL_IR USB_SERIAL_IUU USB_SERIAL_KEYSPAN USB_SERIAL_KEYSPAN_PDA USB_SERIAL_KLSI USB_SERIAL_KOBIL_SCT USB_SERIAL_MCT_U232 USB_SERIAL_METRO USB_SERIAL_MOS7715_PARPORT USB_SERIAL_MOS7720 USB_SERIAL_MOS7840 USB_SERIAL_MXUPORT USB_SERIAL_NAVMAN USB_SERIAL_OMNINET USB_SERIAL_OPTICON USB_SERIAL_OPTION USB_SERIAL_OTI6858 USB_SERIAL_PL2303 USB_SERIAL_QCAUX USB_SERIAL_QT2 USB_SERIAL_QUALCOMM USB_SERIAL_SAFE USB_SERIAL_SIERRAWIRELESS USB_SERIAL_SIMPLE USB_SERIAL_SPCP8X5 USB_SERIAL_SSU100 USB_SERIAL_SYMBOL USB_SERIAL_TI USB_SERIAL_UPD78F0730 USB_SERIAL_VISOR USB_SERIAL_WHITEHEAT USB_SERIAL_WISHBONE USB_SERIAL_WWAN USB_SERIAL_XR USB_SERIAL_XSENS_MT USB_SEVSEG USB_SI470X USB_SI4713 USB_SIERRA_NET USB_SISUSBVGA USB_SL811_CS USB_SL811_HCD USB_SL811_HCD_ISO USB_SNP_CORE USB_SPEEDTOUCH USB_STORAGE_ALAUDA USB_STORAGE_CYPRESS_ATACB USB_STORAGE_DATAFAB USB_STORAGE_ENE_UB6250 USB_STORAGE_FREECOM USB_STORAGE_ISD200 USB_STORAGE_JUMPSHOT USB_STORAGE_KARMA USB_STORAGE_ONETOUCH USB_STORAGE_SDDR09 USB_STORAGE_SDDR55 USB_STORAGE_USBAT USB_STV06XX USB_TEST USB_TMC USB_TRANCEVIBRATOR USB_UAS USB_UEAGLEATM USB_ULPI_BUS USB_USBNET USB_USS720 USB_U_AUDIO USB_U_ETHER USB_U_SERIAL USB_VIDEO_CLASS USB_VIDEO_CLASS_INPUT_EVDEV USB_VL600 USB_WDM USB_XHCI_DBGCAP USB_XHCI_PLATFORM USB_XUSBATM USB_YUREX USERFAULTFD USERIO USERMODE_DRIVER USER_RETURN_NOTIFIER UVC_COMMON U_SERIAL_CONSOLE V4L2_MEM2MEM_DEV V4L_TEST_DRIVERS VALIDATE_FS_PARSER VDPA VDPA_SIM VDPA_SIM_BLOCK VDPA_SIM_NET VDPA_USER VETH VFIO VFIO_PCI VFIO_PCI_CORE VFIO_PCI_INTX VFIO_PCI_MMAP VFIO_VIRQFD VGASTATE VHOST VHOST_CROSS_ENDIAN_LEGACY VHOST_IOTLB VHOST_NET VHOST_RING VHOST_TASK VHOST_VDPA VHOST_VSOCK VIDEOBUF2_CORE VIDEOBUF2_DMA_CONTIG VIDEOBUF2_DMA_SG VIDEOBUF2_MEMOPS VIDEOBUF2_V4L2 VIDEOBUF2_VMALLOC VIDEOMODE_HELPERS VIDEO_AU0828 VIDEO_AU0828_RC VIDEO_AU0828_V4L2 VIDEO_CMDLINE VIDEO_CS53L32A VIDEO_CX231XX VIDEO_CX231XX_ALSA VIDEO_CX231XX_DVB VIDEO_CX231XX_RC VIDEO_CX2341X VIDEO_CX25840 VIDEO_DEV VIDEO_EM28XX VIDEO_EM28XX_ALSA VIDEO_EM28XX_DVB VIDEO_EM28XX_RC VIDEO_EM28XX_V4L2 VIDEO_GO7007 VIDEO_GO7007_LOADER VIDEO_GO7007_USB VIDEO_GO7007_USB_S2250_BOARD VIDEO_HDPVR VIDEO_MSP3400 VIDEO_NOMODESET VIDEO_PVRUSB2 VIDEO_PVRUSB2_DVB VIDEO_PVRUSB2_SYSFS VIDEO_SAA711X VIDEO_STK1160 VIDEO_TUNER VIDEO_TVEEPROM VIDEO_USBTV VIDEO_V4L2_I2C VIDEO_V4L2_SUBDEV_API VIDEO_V4L2_TPG VIDEO_VICODEC VIDEO_VIM2M VIDEO_VIMC VIDEO_VIVID VIDEO_VIVID_CEC VIDEO_WM8775 VIPERBOARD_ADC VIRTIO_BALLOON VIRTIO_DMA_SHARED_BUFFER VIRTIO_MEM VIRTIO_MMIO VIRTIO_MMIO_CMDLINE_DEVICES VIRTIO_PMEM VIRTIO_VDPA VIRTIO_VSOCKETS VIRTIO_VSOCKETS_COMMON VIRT_WIFI VLAN_8021Q VLAN_8021Q_GVRP VLAN_8021Q_MVRP VMAP_PFN VMWARE_VMCI VMXNET3 VP_VDPA VSOCKETS VSOCKETS_DIAG VSOCKETS_LOOPBACK VSOCKMON VT_HW_CONSOLE_BINDING VXFS_FS WANT_DEV_COREDUMP WEXT_CORE WEXT_PRIV WEXT_PROC WIREGUARD WIRELESS WIRELESS_EXT WLAN WLAN_VENDOR_ADMTEK WLAN_VENDOR_PURELIFI WLAN_VENDOR_SILABS X86_SGX X86_SGX_KVM X86_X2APIC X86_X32_ABI XARRAY_MULTI XDP_SOCKETS XDP_SOCKETS_DIAG XFRM_ESPINTCP XFRM_INTERFACE XFRM_IPCOMP XFRM_MIGRATE XFRM_OFFLOAD XFRM_STATISTICS XFRM_SUB_POLICY XFRM_USER_COMPAT XFS_FS XFS_POSIX_ACL XFS_QUOTA XFS_RT XOR_BLOCKS YENTA YENTA_ENE_TUNE YENTA_O2 YENTA_RICOH YENTA_TI YENTA_TOSHIBA ZBUD ZEROPLUS_FF ZLIB_DEFLATE ZONEFS_FS ZPOOL ZRAM ZRAM_DEF_COMP_LZORLE ZSMALLOC ZSTD_COMPRESS ZSWAP ZSWAP_COMPRESSOR_DEFAULT_LZO ZSWAP_DEFAULT_ON ZSWAP_ZPOOL_DEFAULT_ZBUD]
disabling configs for [HANG LEAK UBSAN BUG LOCKDEP ATOMIC_SLEEP], they are not needed
picked [%!d(string=v6.4) %!d(string=v6.3) %!d(string=v6.2) %!d(string=v6.0) %!d(string=v5.18) %!d(string=v5.16) %!d(string=v5.14) %!d(string=v5.12) %!d(string=v5.9) %!d(string=v5.6) %!d(string=v5.3) %!d(string=v5.0) %!d(string=v4.19)] out of %!d(MISSING) release tags
testing release v6.4
testing commit 6995e2de6891c724bfeb2db33d7b87775f913ad1 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: a343e6b4b8e02e74416aff20aab917151ee3e17fd8c3896b900922e955bf8ad3
all runs: crashed: KASAN: slab-use-after-free Read in xsk_diag_dump
representative crash: KASAN: slab-use-after-free Read in xsk_diag_dump, types: [KASAN]
testing release v6.3
testing commit 457391b0380335d5e9a5babdec90ac53928b23b4 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 26f303755b6ad31360db2ec684c834e85625d078e40352d3ed169580b215a2eb
all runs: crashed: KASAN: slab-use-after-free Read in xsk_diag_dump
representative crash: KASAN: slab-use-after-free Read in xsk_diag_dump, types: [KASAN]
testing release v6.2
testing commit c9c3395d5e3dcc6daee66c6908354d47bf98cb0c gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6c356b4b00bf2d284d59723c7cf6e96ec85159069841f995ce9e75eeccfd6aa1
all runs: crashed: KASAN: use-after-free Read in xsk_diag_dump
representative crash: KASAN: use-after-free Read in xsk_diag_dump, types: [KASAN]
testing release v6.0
testing commit 4fe89d07dcc2804c8b562f6c7896a45643d34b2f gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 3ca0b5d05a33720661e8de965fd78ee6db1827fd01987a1568c891b5ab247612
all runs: crashed: KASAN: use-after-free Read in xsk_diag_dump
representative crash: KASAN: use-after-free Read in xsk_diag_dump, types: [KASAN]
testing release v5.18
testing commit 4b0986a3613c92f4ec1bdc7f60ec66fea135991f gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e401e83b8fb6ea546adfc6d97ff5fe367d22b5c77bc1beac91721cc726508002
all runs: crashed: KASAN: use-after-free Read in xsk_diag_dump
representative crash: KASAN: use-after-free Read in xsk_diag_dump, types: [KASAN]
testing release v5.16
testing commit df0cc57e057f18e44dac8e6c18aba47ab53202f9 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 74ed7ea25e099244df800bb3ecf61e32153e1ba071cbc22436d37f11306e4e1f
all runs: OK
false negative chance: 0.000
# git bisect start 4b0986a3613c92f4ec1bdc7f60ec66fea135991f df0cc57e057f18e44dac8e6c18aba47ab53202f9
Bisecting: 15200 revisions left to test after this (roughly 14 steps)
[616355cc818c6ddadc393fdfd4491f94458cb715] Merge tag 'for-5.18/block-2022-03-18' of git://git.kernel.dk/linux-block
testing commit 616355cc818c6ddadc393fdfd4491f94458cb715 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 69eab97121cd4093e49cf3248182f51547d554689e276dd0d188d0f52afa338d
all runs: OK
false negative chance: 0.000
# git bisect good 616355cc818c6ddadc393fdfd4491f94458cb715
Bisecting: 7050 revisions left to test after this (roughly 13 steps)
[b14ffae378aa1db993e62b01392e70d1e585fb23] Merge tag 'drm-next-2022-03-24' of git://anongit.freedesktop.org/drm/drm
testing commit b14ffae378aa1db993e62b01392e70d1e585fb23 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 22969123c0076fd0dc2d0d53c0fbf8030a3cbed4ccf15354ef9a0af16a843c77
all runs: crashed: KASAN: use-after-free Read in xsk_diag_dump
representative crash: KASAN: use-after-free Read in xsk_diag_dump, types: [KASAN]
# git bisect bad b14ffae378aa1db993e62b01392e70d1e585fb23
Bisecting: 4388 revisions left to test after this (roughly 12 steps)
[7403e6d8263937dea206dd201fed1ceed190ca18] Merge tag 'vfio-v5.18-rc1' of https://github.com/awilliam/linux-vfio
testing commit 7403e6d8263937dea206dd201fed1ceed190ca18 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: dd527c0259093908db761ddbb9c1c8e3f703dae0ba7a34260783cb7f03c338c4
all runs: OK
false negative chance: 0.000
# git bisect good 7403e6d8263937dea206dd201fed1ceed190ca18
Bisecting: 2195 revisions left to test after this (roughly 11 steps)
[cb631a6398192f79f33a2480517c272120985020] net: ipa: use struct_size() for the interconnect array
testing commit cb631a6398192f79f33a2480517c272120985020 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f12d5f7b8babcfce76f990357550151e641fc599e75bb9edf97bf7e33e0e5607
all runs: OK
false negative chance: 0.000
# git bisect good cb631a6398192f79f33a2480517c272120985020
Bisecting: 1098 revisions left to test after this (roughly 10 steps)
[54f43c17d681f6d9523fcfaeefc9df77993802e1] Merge tag 'drm-misc-next-2022-02-23' of git://anongit.freedesktop.org/drm/drm-misc into drm-next
testing commit 54f43c17d681f6d9523fcfaeefc9df77993802e1 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0d12d9a24625faacff626bc54b65cd0b0d70851e243eaeceaeae62bd704f60fa
all runs: OK
false negative chance: 0.000
# git bisect good 54f43c17d681f6d9523fcfaeefc9df77993802e1
Bisecting: 545 revisions left to test after this (roughly 9 steps)
[0db8640df59512dbd423c32077919f10cf35ebc6] Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next
testing commit 0db8640df59512dbd423c32077919f10cf35ebc6 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 492618f3e7f5408750a6d1aea633db5375fc41a6957c8c79baa68832fe910451
all runs: OK
false negative chance: 0.000
# git bisect good 0db8640df59512dbd423c32077919f10cf35ebc6
Bisecting: 246 revisions left to test after this (roughly 8 steps)
[6de7e4f02640fba2ffa6ac04e2be13785d614175] Merge tag 'drm-msm-next-2022-03-01' of https://gitlab.freedesktop.org/drm/msm into drm-next
testing commit 6de7e4f02640fba2ffa6ac04e2be13785d614175 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d5b1b8a12928ab7a6d6fe9d508d2ee6a9b1bf4d63442c9d846c7225fafff9534
all runs: OK
false negative chance: 0.000
# git bisect good 6de7e4f02640fba2ffa6ac04e2be13785d614175
Bisecting: 123 revisions left to test after this (roughly 7 steps)
[67a359d85ec2679cc8e11b16844df960e3b27c24] drm/amdkfd: CRIU remove sync and TLB flush on restore
testing commit 67a359d85ec2679cc8e11b16844df960e3b27c24 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 24d30b4645d9dcc567b3736173ccc679265b8b387626bcd9be2012b701dd0cf0
all runs: OK
false negative chance: 0.000
# git bisect good 67a359d85ec2679cc8e11b16844df960e3b27c24
Bisecting: 41 revisions left to test after this (roughly 6 steps)
[52deda9551a01879b3562e7b41748e85c591f14c] Merge branch 'akpm' (patches from Andrew)
testing commit 52deda9551a01879b3562e7b41748e85c591f14c gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: af9af496d128fbb4d77be75d79203306ceea8e26e36fb47329a88cac734d5002
all runs: crashed: KASAN: use-after-free Read in xsk_diag_dump
representative crash: KASAN: use-after-free Read in xsk_diag_dump, types: [KASAN]
# git bisect bad 52deda9551a01879b3562e7b41748e85c591f14c
Bisecting: 40 revisions left to test after this (roughly 5 steps)
[b027471adaf955efde6153d67f391fe1604b7292] Revert "ubsan, kcsan: Don't combine sanitizer with kcov on clang"
testing commit b027471adaf955efde6153d67f391fe1604b7292 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 39ebd873f9c6fbc0bdc9dd2afd4f581611f806f7a7835af2e3ff235ae91da1a0
all runs: OK
false negative chance: 0.000
# git bisect good b027471adaf955efde6153d67f391fe1604b7292
Bisecting: 20 revisions left to test after this (roughly 4 steps)
[8d3ea3d402db94b61075617e71b67459a714a502] net: bcmgenet: Use stronger register read/writes to assure ordering
testing commit 8d3ea3d402db94b61075617e71b67459a714a502 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2152d0131f76db228ceab0698806293aa65b0917c9b699156d01f9fb34982729
all runs: crashed: KASAN: use-after-free Read in xsk_diag_dump
representative crash: KASAN: use-after-free Read in xsk_diag_dump, types: [KASAN]
# git bisect bad 8d3ea3d402db94b61075617e71b67459a714a502
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[6bd0c76bd70447aedfeafa9e1fcc249991d6c678] Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf
testing commit 6bd0c76bd70447aedfeafa9e1fcc249991d6c678 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: fe560c124a7ad5e179c74bb9889e2ee74158ecb72bf7873227ae86ccf85a79fe
all runs: crashed: KASAN: use-after-free Read in xsk_diag_dump
representative crash: KASAN: use-after-free Read in xsk_diag_dump, types: [KASAN]
# git bisect bad 6bd0c76bd70447aedfeafa9e1fcc249991d6c678
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[4219196d1f662cb10a462eb9e076633a3fc31a15] ibmvnic: fix race between xmit and reset
testing commit 4219196d1f662cb10a462eb9e076633a3fc31a15 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ad13db1a7039a13a38730c3bfb5280a46561d93ef36ef7b797975e783ee0a7aa
all runs: OK
false negative chance: 0.000
# git bisect good 4219196d1f662cb10a462eb9e076633a3fc31a15
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[9905eed48e82dfe265e2b9e57f19f8e0d1b7d0d7] Merge branch 'af_unix-OOB-fixes'
testing commit 9905eed48e82dfe265e2b9e57f19f8e0d1b7d0d7 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 85b168175347b3b01a97ea83d1edf09ac91c36a340969e2cbf8d24b8911a1596
all runs: OK
false negative chance: 0.000
# git bisect good 9905eed48e82dfe265e2b9e57f19f8e0d1b7d0d7
Bisecting: 0 revisions left to test after this (roughly 1 step)
[18b1ab7aa76bde181bdb1ab19a87fa9523c32f21] xsk: Fix race at socket teardown
testing commit 18b1ab7aa76bde181bdb1ab19a87fa9523c32f21 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 66b4d9856d2cc4ab1028050f8e07433d4e8221d511ceb7085cc108e22e852efe
all runs: crashed: KASAN: use-after-free Read in xsk_diag_dump
representative crash: KASAN: use-after-free Read in xsk_diag_dump, types: [KASAN]
# git bisect bad 18b1ab7aa76bde181bdb1ab19a87fa9523c32f21
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[f54eeae970f4dd4400d8ef3157788fbd3e2dd0e3] bpf: Remove Lorenz Bauer from L7 BPF maintainers
testing commit f54eeae970f4dd4400d8ef3157788fbd3e2dd0e3 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 5bd328742efedf5e443b6bf4e2a6ea8d7c4e01210e5f5615818121349158b5ce
all runs: OK
false negative chance: 0.000
# git bisect good f54eeae970f4dd4400d8ef3157788fbd3e2dd0e3
18b1ab7aa76bde181bdb1ab19a87fa9523c32f21 is the first bad commit
commit 18b1ab7aa76bde181bdb1ab19a87fa9523c32f21
Author: Magnus Karlsson
Date: Mon Feb 28 10:45:52 2022 +0100

    xsk: Fix race at socket teardown

    Fix a race in the xsk socket teardown code that can lead to a NULL pointer
    dereference splat. The current xsk unbind code in xsk_unbind_dev() starts by
    setting xs->state to XSK_UNBOUND, sets xs->dev to NULL and then waits for any
    NAPI processing to terminate using synchronize_net(). After that, the release
    code starts to tear down the socket state and free allocated memory.

    BUG: kernel NULL pointer dereference, address: 00000000000000c0
    PGD 8000000932469067 P4D 8000000932469067 PUD 0
    Oops: 0000 [#1] PREEMPT SMP PTI
    CPU: 25 PID: 69132 Comm: grpcpp_sync_ser Tainted: G I 5.16.0+ #2
    Hardware name: Dell Inc. PowerEdge R730/0599V5, BIOS 1.2.10 03/09/2015
    RIP: 0010:__xsk_sendmsg+0x2c/0x690
    [...]
    RSP: 0018:ffffa2348bd13d50 EFLAGS: 00010246
    RAX: 0000000000000000 RBX: 0000000000000040 RCX: ffff8d5fc632d258
    RDX: 0000000000400000 RSI: ffffa2348bd13e10 RDI: ffff8d5fc5489800
    RBP: ffffa2348bd13db0 R08: 0000000000000000 R09: 00007ffffffff000
    R10: 0000000000000000 R11: 0000000000000000 R12: ffff8d5fc5489800
    R13: ffff8d5fcb0f5140 R14: ffff8d5fcb0f5140 R15: 0000000000000000
    FS: 00007f991cff9400(0000) GS:ffff8d6f1f700000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00000000000000c0 CR3: 0000000114888005 CR4: 00000000001706e0
    Call Trace:
     ? aa_sk_perm+0x43/0x1b0
     xsk_sendmsg+0xf0/0x110
     sock_sendmsg+0x65/0x70
     __sys_sendto+0x113/0x190
     ? debug_smp_processor_id+0x17/0x20
     ? fpregs_assert_state_consistent+0x23/0x50
     ? exit_to_user_mode_prepare+0xa5/0x1d0
     __x64_sys_sendto+0x29/0x30
     do_syscall_64+0x3b/0xc0
     entry_SYSCALL_64_after_hwframe+0x44/0xae

    There are two problems with the current code. First, setting xs->dev to NULL
    before waiting for all users to stop using the socket is not correct. The
    entry to the data plane functions xsk_poll(), xsk_sendmsg(), and xsk_recvmsg()
    are all guarded by a test that xs->state is in the state XSK_BOUND and if
    not, it returns right away. But one process might have passed this test but
    still have not gotten to the point in which it uses xs->dev in the code. In
    this interim, a second process executing xsk_unbind_dev() might have set
    xs->dev to NULL which will lead to a crash for the first process. The
    solution here is just to get rid of this NULL assignment since it is not
    used anymore. Before commit 42fddcc7c64b ("xsk: use state member for socket
    synchronization"), xs->dev was the gatekeeper to admit processes into the
    data plane functions, but it was replaced with the state variable xs->state
    in the aforementioned commit.

    The second problem is that synchronize_net() does not wait for any process
    in xsk_poll(), xsk_sendmsg(), or xsk_recvmsg() to complete, which means that
    the state they rely on might be cleaned up prematurely. This can happen when
    the notifier gets called (at driver unload for example) as it uses
    xsk_unbind_dev(). Solve this by extending the RCU critical region from just
    the ndo_xsk_wakeup to the whole functions mentioned above, so that both the
    test of xs->state == XSK_BOUND and the last use of any member of xs is
    covered by the RCU critical section. This will guarantee that when
    synchronize_net() completes, there will be no processes left executing
    xsk_poll(), xsk_sendmsg(), or xsk_recvmsg() and state can be cleaned up
    safely. Note that we need to drop the RCU lock for the skb xmit path as it
    uses functions that might sleep. Due to this, we have to retest the
    xs->state after we grab the mutex that protects the skb xmit code from,
    among a number of things, an xsk_unbind_dev() being executed from the
    notifier at the same time.

    Fixes: 42fddcc7c64b ("xsk: use state member for socket synchronization")
    Reported-by: Elza Mathew
    Signed-off-by: Magnus Karlsson
    Signed-off-by: Daniel Borkmann
    Acked-by: Björn Töpel
    Link: https://lore.kernel.org/bpf/20220228094552.10134-1-magnus.karlsson@gmail.com

 net/xdp/xsk.c | 69 +++++++++++++++++++++++++++++++++++++++++++----------------
 1 file changed, 50 insertions(+), 19 deletions(-)

accumulated error probability: 0.00
culprit signature: 66b4d9856d2cc4ab1028050f8e07433d4e8221d511ceb7085cc108e22e852efe
parent signature: 5bd328742efedf5e443b6bf4e2a6ea8d7c4e01210e5f5615818121349158b5ce
revisions tested: 29, total time: 11h48m2.022162413s (build: 5h57m59.108536194s, test: 5h2m9.781398317s)
first bad commit: 18b1ab7aa76bde181bdb1ab19a87fa9523c32f21 xsk: Fix race at socket teardown
recipients (to): ["bjorn@kernel.org" "daniel@iogearbox.net" "magnus.karlsson@intel.com"]
recipients (cc): []
crash: KASAN: use-after-free Read in xsk_diag_dump
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.0'.
==================================================================
BUG: KASAN: use-after-free in xsk_diag_put_info net/xdp/xsk_diag.c:21 [inline]
BUG: KASAN: use-after-free in xsk_diag_fill net/xdp/xsk_diag.c:114 [inline]
BUG: KASAN: use-after-free in xsk_diag_dump+0x1477/0x1540 net/xdp/xsk_diag.c:163
Read of size 4 at addr ffff88810d7f80d8 by task syz-executor.0/2031

CPU: 1 PID: 2031 Comm: syz-executor.0 Not tainted 5.17.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x40/0x5c lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x328 mm/kasan/report.c:255
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 xsk_diag_put_info net/xdp/xsk_diag.c:21 [inline]
 xsk_diag_fill net/xdp/xsk_diag.c:114 [inline]
 xsk_diag_dump+0x1477/0x1540 net/xdp/xsk_diag.c:163
 netlink_dump+0x41e/0xab0 net/netlink/af_netlink.c:2268
 __netlink_dump_start+0x56f/0x810 net/netlink/af_netlink.c:2373
 netlink_dump_start include/linux/netlink.h:254 [inline]
 xsk_diag_handler_dump+0x163/0x210 net/xdp/xsk_diag.c:190
 __sock_diag_cmd net/core/sock_diag.c:235 [inline]
 sock_diag_rcv_msg+0x295/0x370 net/core/sock_diag.c:266
 netlink_rcv_skb+0x125/0x380 net/netlink/af_netlink.c:2494
 sock_diag_rcv+0x21/0x30 net/core/sock_diag.c:277
 netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
 netlink_unicast+0x418/0x720 net/netlink/af_netlink.c:1343
 netlink_sendmsg+0x7ab/0xc40 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:705 [inline]
 sock_sendmsg+0xae/0xe0 net/socket.c:725
 sock_write_iter+0x213/0x370 net/socket.c:1061
 call_write_iter include/linux/fs.h:2074 [inline]
 do_iter_readv_writev+0x390/0x710 fs/read_write.c:725
 do_iter_write+0x128/0x6a0 fs/read_write.c:851
 vfs_writev+0x1da/0x4e0 fs/read_write.c:924
 do_writev+0x20f/0x2c0 fs/read_write.c:967
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x34/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x557a7badcae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f85d5d7d0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 0000557a7bbfbf80 RCX: 0000557a7badcae9
RDX: 0000000000000001 RSI: 00000000200003c0 RDI: 0000000000000006
RBP: 0000557a7bb2847a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 0000557a7bbfbf80 R15: 00007ffcf5f61fb8

Allocated by task 1801:
 kasan_save_stack+0x2f/0x50 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 ____kasan_kmalloc mm/kasan/common.c:515 [inline]
 __kasan_kmalloc+0xa7/0xd0 mm/kasan/common.c:524
 kvmalloc include/linux/slab.h:731 [inline]
 kvzalloc include/linux/slab.h:739 [inline]
 alloc_netdev_mqs+0x5a/0xf40 net/core/dev.c:10163
 rtnl_create_link+0x8e1/0xc10 net/core/rtnetlink.c:3204
 veth_newlink+0x1f9/0x980 drivers/net/veth.c:1678
 __rtnl_newlink+0xd28/0x1440 net/core/rtnetlink.c:3483
 rtnl_newlink+0x59/0x90 net/core/rtnetlink.c:3531
 rtnetlink_rcv_msg+0x394/0x900 net/core/rtnetlink.c:5596
 netlink_rcv_skb+0x125/0x380 net/netlink/af_netlink.c:2494
 netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
 netlink_unicast+0x418/0x720 net/netlink/af_netlink.c:1343
 netlink_sendmsg+0x7ab/0xc40 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:705 [inline]
 sock_sendmsg+0xae/0xe0 net/socket.c:725
 __sys_sendto+0x1c4/0x280 net/socket.c:2040
 __do_sys_sendto net/socket.c:2052 [inline]
 __se_sys_sendto net/socket.c:2048 [inline]
 __x64_sys_sendto+0xd7/0x1b0 net/socket.c:2048
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x34/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 2031:
 kasan_save_stack+0x2f/0x50 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:45
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free+0x11c/0x170 mm/kasan/common.c:328
 kasan_slab_free include/linux/kasan.h:236 [inline]
 slab_free_hook mm/slub.c:1728 [inline]
 slab_free_freelist_hook+0xae/0x1e0 mm/slub.c:1754
 slab_free mm/slub.c:3509 [inline]
 kfree+0xc9/0x4f0 mm/slub.c:4562
 device_release+0x93/0x190 drivers/base/core.c:2229
 kobject_cleanup lib/kobject.c:705 [inline]
 kobject_release lib/kobject.c:736 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put.part.0+0x167/0x3e0 lib/kobject.c:753
 netdev_run_todo+0x6b3/0xa10 net/core/dev.c:9973
 rtnl_unlock net/core/rtnetlink.c:112 [inline]
 rtnetlink_rcv_msg+0x39c/0x900 net/core/rtnetlink.c:5597
 netlink_rcv_skb+0x125/0x380 net/netlink/af_netlink.c:2494
 netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
 netlink_unicast+0x418/0x720 net/netlink/af_netlink.c:1343
 netlink_sendmsg+0x7ab/0xc40 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:705 [inline]
 sock_sendmsg+0xae/0xe0 net/socket.c:725
 ____sys_sendmsg+0x601/0x810 net/socket.c:2413
 ___sys_sendmsg+0xf4/0x170 net/socket.c:2467
 __sys_sendmsg+0xd0/0x170 net/socket.c:2496
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x34/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff88810d7f8000
 which belongs to the cache kmalloc-cg-4k of size 4096
The buggy address is located 216 bytes inside of
 4096-byte region [ffff88810d7f8000, ffff88810d7f9000)
The buggy address belongs to the page:
page:ffffea000435fe00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10d7f8
head:ffffea000435fe00 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x200000000010200(slab|head|node=0|zone=2)
raw: 0200000000010200 0000000000000000 dead000000000001 ffff88810004c280
raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1182, ts 6610792588, free_ts 6608130319
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x158/0x200 mm/page_alloc.c:2427
 prep_new_page mm/page_alloc.c:2434 [inline]
 get_page_from_freelist+0x12a2/0x2fa0 mm/page_alloc.c:4165
 __alloc_pages+0x1b2/0x480 mm/page_alloc.c:5389
 alloc_slab_page mm/slub.c:1799 [inline]
 allocate_slab+0x27c/0x3a0 mm/slub.c:1944
 new_slab mm/slub.c:2004 [inline]
 ___slab_alloc+0x8a5/0xe50 mm/slub.c:3018
 __slab_alloc.constprop.0+0x45/0x80 mm/slub.c:3105
 slab_alloc_node mm/slub.c:3196 [inline]
 __kmalloc_node+0x192/0x4f0 mm/slub.c:4468
 kvmalloc include/linux/slab.h:731 [inline]
 seq_buf_alloc fs/seq_file.c:38 [inline]
 seq_read_iter+0x68c/0x10e0 fs/seq_file.c:210
 call_read_iter include/linux/fs.h:2068 [inline]
 new_sync_read+0x3c6/0x640 fs/read_write.c:400
 vfs_read+0x204/0x480 fs/read_write.c:481
 ksys_read+0x101/0x1d0 fs/read_write.c:619
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x34/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1352 [inline]
 free_pcp_prepare+0x33c/0x710 mm/page_alloc.c:1404
 free_unref_page_prepare mm/page_alloc.c:3325 [inline]
 free_unref_page+0x19/0x520 mm/page_alloc.c:3404
 __unfreeze_partials+0x2ff/0x320 mm/slub.c:2536
 qlink_free mm/kasan/quarantine.c:157 [inline]
 qlist_free_all+0x6d/0x160 mm/kasan/quarantine.c:176
 kasan_quarantine_reduce+0x176/0x1a0 mm/kasan/quarantine.c:283
 __kasan_slab_alloc+0xa2/0xc0 mm/kasan/common.c:446
 kasan_slab_alloc include/linux/kasan.h:260 [inline]
slab_post_alloc_hook mm/slab.h:732 [inline] slab_alloc_node mm/slub.c:3230 [inline] slab_alloc mm/slub.c:3238 [inline] kmem_cache_alloc_trace+0x249/0x3b0 mm/slub.c:3255 kmalloc include/linux/slab.h:581 [inline] kzalloc include/linux/slab.h:714 [inline] kernfs_fop_open+0x2a1/0xc30 fs/kernfs/file.c:628 do_dentry_open+0x5e1/0xeb0 fs/open.c:824 do_open fs/namei.c:3476 [inline] path_openat+0x19f0/0x2840 fs/namei.c:3609 do_filp_open+0x1b1/0x400 fs/namei.c:3636 do_sys_openat2+0x137/0x410 fs/open.c:1214 do_sys_open fs/open.c:1230 [inline] __do_sys_openat fs/open.c:1246 [inline] __se_sys_openat fs/open.c:1241 [inline] __x64_sys_openat+0x130/0x1d0 fs/open.c:1241 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x34/0x80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Memory state around the buggy address: ffff88810d7f7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88810d7f8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88810d7f8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88810d7f8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88810d7f8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================