KASAN: slab-use-after-free Read in lockref_get
==================================================================
BUG: KASAN: slab-use-after-free in __lock_acquire+0x2d90/0x3c40 kernel/locking/lockdep.c:5089
Read of size 8 at addr ffff88806345db40 by task kworker/u8:0/11
CPU: 0 UID: 0 PID: 11 Comm: kworker/u8:0 Not tainted 6.13.0-rc4-syzkaller-gd6ef8b40d075-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: netns cleanup_net
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:489
kasan_report+0xd9/0x110 mm/kasan/report.c:602
__lock_acquire+0x2d90/0x3c40 kernel/locking/lockdep.c:5089
lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5849
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
lockref_get+0x15/0x50 lib/lockref.c:50
dget include/linux/dcache.h:340 [inline]
simple_recursive_removal+0x45/0x8e0 fs/libfs.c:618
debugfs_remove+0x5d/0x80 fs/debugfs/inode.c:812
nsim_destroy+0x6a/0x6b0 drivers/net/netdevsim/netdev.c:814
__nsim_dev_port_del+0x189/0x240 drivers/net/netdevsim/dev.c:1428
nsim_dev_port_del_all drivers/net/netdevsim/dev.c:1440 [inline]
nsim_dev_reload_destroy+0x158/0x540 drivers/net/netdevsim/dev.c:1661
nsim_dev_reload_down+0x6e/0xd0 drivers/net/netdevsim/dev.c:968
devlink_reload+0x17f/0x760 net/devlink/dev.c:461
devlink_pernet_pre_exit+0x1a1/0x2b0 net/devlink/core.c:509
ops_pre_exit_list net/core/net_namespace.c:162 [inline]
cleanup_net+0x488/0xbd0 net/core/net_namespace.c:628
process_one_work+0x958/0x1b30 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Allocated by task 5866:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
unpoison_slab_object mm/kasan/common.c:319 [inline]
__kasan_slab_alloc+0x89/0x90 mm/kasan/common.c:345
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4119 [inline]
slab_alloc_node mm/slub.c:4168 [inline]
kmem_cache_alloc_lru_noprof+0x1c8/0x3b0 mm/slub.c:4187
__d_alloc+0x35/0x8c0 fs/dcache.c:1646
d_alloc+0x4a/0x1e0 fs/dcache.c:1726
d_alloc_parallel+0xe9/0x12b0 fs/dcache.c:2490
__lookup_slow+0x194/0x460 fs/namei.c:1776
lookup_one_len+0x181/0x1b0 fs/namei.c:2905
start_creating.part.0+0x12f/0x3a0 fs/debugfs/inode.c:378
start_creating fs/debugfs/inode.c:351 [inline]
__debugfs_create_file+0xa5/0x660 fs/debugfs/inode.c:423
debugfs_create_file_full+0x6d/0xa0 fs/debugfs/inode.c:462
nsim_create+0x372/0xb20 drivers/net/netdevsim/netdev.c:799
__nsim_dev_port_add+0x3bf/0x700 drivers/net/netdevsim/dev.c:1393
nsim_dev_port_add_all drivers/net/netdevsim/dev.c:1449 [inline]
nsim_drv_probe+0xdbf/0x1490 drivers/net/netdevsim/dev.c:1607
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x23e/0xa90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534
device_add+0x114b/0x1a70 drivers/base/core.c:3665
nsim_bus_dev_new drivers/net/netdevsim/bus.c:442 [inline]
new_device_store+0x41d/0x730 drivers/net/netdevsim/bus.c:173
bus_attr_store+0x71/0xb0 drivers/base/bus.c:172
sysfs_kf_write+0x117/0x170 fs/sysfs/file.c:139
kernfs_fop_write_iter+0x33d/0x500 fs/kernfs/file.c:334
new_sync_write fs/read_write.c:586 [inline]
vfs_write+0x5ae/0x1150 fs/read_write.c:679
ksys_write+0x12b/0x250 fs/read_write.c:731
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 16:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:582
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2353 [inline]
slab_free mm/slub.c:4613 [inline]
kmem_cache_free+0x152/0x4c0 mm/slub.c:4715
rcu_do_batch kernel/rcu/tree.c:2567 [inline]
rcu_core+0x79d/0x14d0 kernel/rcu/tree.c:2823
handle_softirqs+0x213/0x8f0 kernel/softirq.c:561
run_ksoftirqd kernel/softirq.c:950 [inline]
run_ksoftirqd+0x3a/0x60 kernel/softirq.c:942
smpboot_thread_fn+0x661/0xa30 kernel/smpboot.c:164
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Last potentially related work creation:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
__kasan_record_aux_stack+0xba/0xd0 mm/kasan/generic.c:544
__call_rcu_common.constprop.0+0x99/0x7a0 kernel/rcu/tree.c:3086
dentry_free+0xc2/0x160 fs/dcache.c:398
__dentry_kill+0x498/0x600 fs/dcache.c:644
dput.part.0+0x4b1/0x9b0 fs/dcache.c:867
dput+0x1f/0x30 fs/dcache.c:857
find_next_child fs/libfs.c:611 [inline]
simple_recursive_removal+0x131/0x8e0 fs/libfs.c:626
debugfs_remove+0x5d/0x80 fs/debugfs/inode.c:812
nsim_dev_debugfs_exit drivers/net/netdevsim/dev.c:366 [inline]
nsim_dev_reload_destroy+0xa1/0x540 drivers/net/netdevsim/dev.c:1653
nsim_dev_reload_down+0x6e/0xd0 drivers/net/netdevsim/dev.c:968
devlink_reload+0x17f/0x760 net/devlink/dev.c:461
devlink_pernet_pre_exit+0x1a1/0x2b0 net/devlink/core.c:509
ops_pre_exit_list net/core/net_namespace.c:162 [inline]
cleanup_net+0x488/0xbd0 net/core/net_namespace.c:628
process_one_work+0x958/0x1b30 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
The buggy address belongs to the object at ffff88806345da70
which belongs to the cache dentry of size 312
The buggy address is located 208 bytes inside of
freed 312-byte region [ffff88806345da70, ffff88806345dba8)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6345c
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff888034732a01
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801baff8c0 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000150015 00000001f5000000 ffff888034732a01
head: 00fff00000000040 ffff88801baff8c0 dead000000000122 0000000000000000
head: 0000000000000000 0000000000150015 00000001f5000000 ffff888034732a01
head: 00fff00000000001 ffffea00018d1701 ffffffffffffffff 0000000000000000
head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Reclaimable, gfp_mask 0xd20d0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_RECLAIMABLE), pid 5866, tgid 5866 (syz-executor), ts 72492801701, free_ts 19664769086
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1558
prep_new_page mm/page_alloc.c:1566 [inline]
get_page_from_freelist+0xfce/0x2f80 mm/page_alloc.c:3476
__alloc_pages_noprof+0x223/0x25b0 mm/page_alloc.c:4753
alloc_pages_mpol_noprof+0x2c9/0x610 mm/mempolicy.c:2269
alloc_slab_page mm/slub.c:2423 [inline]
allocate_slab mm/slub.c:2589 [inline]
new_slab+0x2c9/0x410 mm/slub.c:2642
___slab_alloc+0xce2/0x1650 mm/slub.c:3830
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3920
__slab_alloc_node mm/slub.c:3995 [inline]
slab_alloc_node mm/slub.c:4156 [inline]
kmem_cache_alloc_lru_noprof+0xf0/0x3b0 mm/slub.c:4187
__d_alloc+0x35/0x8c0 fs/dcache.c:1646
d_alloc+0x4a/0x1e0 fs/dcache.c:1726
d_alloc_parallel+0xe9/0x12b0 fs/dcache.c:2490
__lookup_slow+0x194/0x460 fs/namei.c:1776
lookup_one_len+0x181/0x1b0 fs/namei.c:2905
start_creating.part.0+0x12f/0x3a0 fs/debugfs/inode.c:378
start_creating fs/debugfs/inode.c:351 [inline]
__debugfs_create_file+0xa5/0x660 fs/debugfs/inode.c:423
debugfs_create_mode_unsafe fs/debugfs/file.c:559 [inline]
debugfs_create_bool+0x70/0xa0 fs/debugfs/file.c:995
page last free pid 1 tgid 1 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1127 [inline]
free_unref_page+0x661/0x1080 mm/page_alloc.c:2659
free_contig_range+0x133/0x3f0 mm/page_alloc.c:6632
destroy_args+0x802/0xa50 mm/debug_vm_pgtable.c:1017
debug_vm_pgtable+0x16d8/0x3230 mm/debug_vm_pgtable.c:1397
do_one_initcall+0x128/0x630 init/main.c:1266
do_initcall_level init/main.c:1328 [inline]
do_initcalls init/main.c:1344 [inline]
do_basic_setup init/main.c:1363 [inline]
kernel_init_freeable+0x58f/0x8b0 init/main.c:1577
kernel_init+0x1c/0x2b0 init/main.c:1466
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Memory state around the buggy address:
ffff88806345da00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fa fb
ffff88806345da80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88806345db00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88806345db80: fb fb fb fb fb fc fc fc fc fc fc fc fc fa fb fb
ffff88806345dc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Warning: Permanently added '10.128.15.215' (ED25519) to the list of known hosts.
2024/12/27 01:41:06 ignoring optional flag "sandboxArg"="0"
2024/12/27 01:41:07 parsed 1 programs
[ 65.490508][ T5829] cgroup: Unknown subsys name 'net'
[ 65.637930][ T5829] cgroup: Unknown subsys name 'cpuset'
[ 65.646563][ T5829] cgroup: Unknown subsys name 'rlimit'
[ 67.000067][ T5829] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 69.431079][ T5842] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality.
[ 69.473911][ T11] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 69.482197][ T11] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 69.493884][ T11] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 69.501979][ T11] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 69.806857][ T5867] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 69.825008][ T5867] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 69.835880][ T5867] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 69.854355][ T5867] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 69.863355][ T5867] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 69.871394][ T5867] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 70.393159][ T5866] chnl_net:caif_netlink_parms(): no params data found
[ 71.030938][ T5866] bridge0: port 1(bridge_slave_0) entered blocking state
[ 71.039568][ T5866] bridge0: port 1(bridge_slave_0) entered disabled state
[ 71.046947][ T5866] bridge_slave_0: entered allmulticast mode
[ 71.054147][ T5866] bridge_slave_0: entered promiscuous mode
[ 71.126277][ T5866] bridge0: port 2(bridge_slave_1) entered blocking state
[ 71.133497][ T5866] bridge0: port 2(bridge_slave_1) entered disabled state
[ 71.141169][ T5866] bridge_slave_1: entered allmulticast mode
[ 71.148729][ T5866] bridge_slave_1: entered promiscuous mode
[ 71.342069][ T5866] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 71.360897][ T5866] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 71.400039][ T5866] team0: Port device team_slave_0 added
[ 71.469354][ T5866] team0: Port device team_slave_1 added
[ 71.611720][ T5866] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 71.629549][ T5866] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 71.705649][ T5866] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 71.718321][ T1296] ieee802154 phy0 wpan0: encryption failed: -22
[ 71.735986][ T1296] ieee802154 phy1 wpan1: encryption failed: -22
[ 71.755046][ T5866] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 71.762043][ T5866] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 71.824955][ T5866] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 71.896958][ T5866] hsr_slave_0: entered promiscuous mode
[ 71.903438][ T5866] hsr_slave_1: entered promiscuous mode
[ 72.507960][ T5866] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 72.541148][ T5866] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 72.560279][ T5866] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 72.576552][ T5866] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 72.653803][ T5866] 8021q: adding VLAN 0 to HW filter on device bond0
[ 72.672726][ T5866] 8021q: adding VLAN 0 to HW filter on device team0
[ 72.684566][ T52] bridge0: port 1(bridge_slave_0) entered blocking state
[ 72.691910][ T52] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 72.707984][ T52] bridge0: port 2(bridge_slave_1) entered blocking state
[ 72.715151][ T52] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 72.837593][ T5866] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 72.869833][ T5866] veth0_vlan: entered promiscuous mode
[ 72.879667][ T5866] veth1_vlan: entered promiscuous mode
[ 72.902658][ T5866] veth0_macvtap: entered promiscuous mode
[ 72.912095][ T5866] veth1_macvtap: entered promiscuous mode
[ 72.926612][ T5866] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 72.940073][ T5866] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 72.949470][ T5866] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 72.959412][ T5866] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 72.968759][ T5866] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 72.977503][ T5866] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
2024/12/27 01:41:17 executed programs: 0
[ 73.095472][ T54] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 73.104239][ T54] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 73.118258][ T54] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 73.126653][ T11] ==================================================================
[ 73.128242][ T54] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 73.134727][ T11] BUG: KASAN: slab-use-after-free in __lock_acquire+0x2d90/0x3c40
[ 73.142977][ T54] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 73.149434][ T11] Read of size 8 at addr ffff88806345db40 by task kworker/u8:0/11
[ 73.149454][ T11]
[ 73.149480][ T11] CPU: 0 UID: 0 PID: 11 Comm: kworker/u8:0 Not tainted 6.13.0-rc4-syzkaller-gd6ef8b40d075-dirty #0
[ 73.149507][ T11] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
[ 73.149524][ T11] Workqueue: netns cleanup_net
[ 73.149566][ T11] Call Trace:
[ 73.149574][ T11]
[ 73.149583][ T11] dump_stack_lvl+0x116/0x1f0
[ 73.159932][ T54] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 73.164474][ T11] print_report+0xc3/0x620
[ 73.214818][ T11] ? __virt_addr_valid+0x5e/0x590
[ 73.219872][ T11] ? __phys_addr+0xc6/0x150
[ 73.224411][ T11] kasan_report+0xd9/0x110
[ 73.228866][ T11] ? __lock_acquire+0x2d90/0x3c40
[ 73.233893][ T11] ? __lock_acquire+0x2d90/0x3c40
[ 73.238967][ T11] __lock_acquire+0x2d90/0x3c40
[ 73.243816][ T11] ? hlock_class+0x4e/0x130
[ 73.248322][ T11] ? __lock_acquire+0x15a9/0x3c40
[ 73.253407][ T11] ? __pfx___lock_acquire+0x10/0x10
[ 73.258607][ T11] lock_acquire.part.0+0x11b/0x380
[ 73.263722][ T11] ? lockref_get+0x15/0x50
[ 73.268145][ T11] ? __pfx_lock_acquire.part.0+0x10/0x10
[ 73.273863][ T11] ? rcu_is_watching+0x12/0xc0
[ 73.278633][ T11] ? trace_lock_acquire+0x14e/0x1f0
[ 73.283930][ T11] ? lockref_get+0x15/0x50
[ 73.288359][ T11] ? lock_acquire+0x2f/0xb0
[ 73.292861][ T11] ? lockref_get+0x15/0x50
[ 73.297287][ T11] _raw_spin_lock+0x2e/0x40
[ 73.301800][ T11] ? lockref_get+0x15/0x50
[ 73.306219][ T11] lockref_get+0x15/0x50
[ 73.310464][ T11] simple_recursive_removal+0x45/0x8e0
[ 73.315922][ T11] ? __pfx_remove_one+0x10/0x10
[ 73.320787][ T11] ? mntput+0x10/0x90
[ 73.324767][ T11] debugfs_remove+0x5d/0x80
[ 73.329278][ T11] nsim_destroy+0x6a/0x6b0
[ 73.333699][ T11] __nsim_dev_port_del+0x189/0x240
[ 73.338818][ T11] nsim_dev_reload_destroy+0x158/0x540
[ 73.344671][ T11] nsim_dev_reload_down+0x6e/0xd0
[ 73.349704][ T11] devlink_reload+0x17f/0x760
[ 73.354385][ T11] ? __pfx_devlink_reload+0x10/0x10
[ 73.359590][ T11] ? devlinks_xa_find_get+0x39/0x260
[ 73.364883][ T11] devlink_pernet_pre_exit+0x1a1/0x2b0
[ 73.370347][ T11] ? __pfx_devlink_pernet_pre_exit+0x10/0x10
[ 73.376332][ T11] ? up_write+0x1b2/0x520
[ 73.380750][ T11] ? kobject_put+0xab/0x5a0
[ 73.385257][ T11] ? __pfx_devlink_pernet_pre_exit+0x10/0x10
[ 73.391241][ T11] cleanup_net+0x488/0xbd0
[ 73.395667][ T11] ? __pfx_cleanup_net+0x10/0x10
[ 73.400620][ T11] ? lock_acquire+0x2f/0xb0
[ 73.405125][ T11] ? process_one_work+0x8bb/0x1b30
[ 73.410423][ T11] process_one_work+0x958/0x1b30
[ 73.415361][ T11] ? __pfx_lock_acquire.part.0+0x10/0x10
[ 73.420992][ T11] ? __pfx_process_one_work+0x10/0x10
[ 73.426364][ T11] ? rcu_is_watching+0x12/0xc0
[ 73.431135][ T11] ? assign_work+0x1a0/0x250
[ 73.435742][ T11] worker_thread+0x6c8/0xf00
[ 73.440332][ T11] ? __pfx_worker_thread+0x10/0x10
[ 73.445443][ T11] kthread+0x2c1/0x3a0
[ 73.449601][ T11] ? _raw_spin_unlock_irq+0x23/0x50
[ 73.454797][ T11] ? __pfx_kthread+0x10/0x10
[ 73.459394][ T11] ret_from_fork+0x45/0x80
[ 73.463809][ T11] ? __pfx_kthread+0x10/0x10
[ 73.468399][ T11] ret_from_fork_asm+0x1a/0x30
[ 73.473173][ T11]
[ 73.476187][ T11]
[ 73.478512][ T11] Allocated by task 5866:
[ 73.482828][ T11] kasan_save_stack+0x33/0x60
[ 73.487513][ T11] kasan_save_track+0x14/0x30
[ 73.492189][ T11] __kasan_slab_alloc+0x89/0x90
[ 73.497052][ T11] kmem_cache_alloc_lru_noprof+0x1c8/0x3b0
[ 73.502950][ T11] __d_alloc+0x35/0x8c0
[ 73.507109][ T11] d_alloc+0x4a/0x1e0
[ 73.511095][ T11] d_alloc_parallel+0xe9/0x12b0
[ 73.515951][ T11] __lookup_slow+0x194/0x460
[ 73.520548][ T11] lookup_one_len+0x181/0x1b0
[ 73.525318][ T11] start_creating.part.0+0x12f/0x3a0
[ 73.530652][ T11] __debugfs_create_file+0xa5/0x660
[ 73.535944][ T11] debugfs_create_file_full+0x6d/0xa0
[ 73.541328][ T11] nsim_create+0x372/0xb20
[ 73.545749][ T11] __nsim_dev_port_add+0x3bf/0x700
[ 73.550864][ T11] nsim_drv_probe+0xdbf/0x1490
[ 73.555634][ T11] really_probe+0x23e/0xa90
[ 73.560147][ T11] __driver_probe_device+0x1de/0x440
[ 73.565435][ T11] driver_probe_device+0x4c/0x1b0
[ 73.570466][ T11] __device_attach_driver+0x1df/0x310
[ 73.575880][ T11] bus_for_each_drv+0x157/0x1e0
[ 73.580732][ T11] __device_attach+0x1e8/0x4b0
[ 73.585497][ T11] bus_probe_device+0x17f/0x1c0
[ 73.590350][ T11] device_add+0x114b/0x1a70
[ 73.594857][ T11] new_device_store+0x41d/0x730
[ 73.599708][ T11] bus_attr_store+0x71/0xb0
[ 73.604211][ T11] sysfs_kf_write+0x117/0x170
[ 73.608893][ T11] kernfs_fop_write_iter+0x33d/0x500
[ 73.614186][ T11] vfs_write+0x5ae/0x1150
[ 73.618534][ T11] ksys_write+0x12b/0x250
[ 73.622971][ T11] do_syscall_64+0xcd/0x250
[ 73.627486][ T11] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 73.633411][ T11]
[ 73.635737][ T11] Freed by task 16:
[ 73.639535][ T11] kasan_save_stack+0x33/0x60
[ 73.644221][ T11] kasan_save_track+0x14/0x30
[ 73.648898][ T11] kasan_save_free_info+0x3b/0x60
[ 73.653921][ T11] __kasan_slab_free+0x51/0x70
[ 73.658686][ T11] kmem_cache_free+0x152/0x4c0
[ 73.663538][ T11] rcu_core+0x79d/0x14d0
[ 73.667785][ T11] handle_softirqs+0x213/0x8f0
[ 73.672552][ T11] run_ksoftirqd+0x3a/0x60
[ 73.676972][ T11] smpboot_thread_fn+0x661/0xa30
[ 73.681928][ T11] kthread+0x2c1/0x3a0
[ 73.686021][ T11] ret_from_fork+0x45/0x80
[ 73.690446][ T11] ret_from_fork_asm+0x1a/0x30
[ 73.695223][ T11]
[ 73.697582][ T11] Last potentially related work creation:
[ 73.703289][ T11] kasan_save_stack+0x33/0x60
[ 73.707970][ T11] __kasan_record_aux_stack+0xba/0xd0
[ 73.713341][ T11] __call_rcu_common.constprop.0+0x99/0x7a0
[ 73.719236][ T11] dentry_free+0xc2/0x160
[ 73.723579][ T11] __dentry_kill+0x498/0x600
[ 73.728177][ T11] dput.part.0+0x4b1/0x9b0
[ 73.732598][ T11] dput+0x1f/0x30
[ 73.736237][ T11] simple_recursive_removal+0x131/0x8e0
[ 73.741784][ T11] debugfs_remove+0x5d/0x80
[ 73.746317][ T11] nsim_dev_reload_destroy+0xa1/0x540
[ 73.751728][ T11] nsim_dev_reload_down+0x6e/0xd0
[ 73.756756][ T11] devlink_reload+0x17f/0x760
[ 73.761439][ T11] devlink_pernet_pre_exit+0x1a1/0x2b0
[ 73.766985][ T11] cleanup_net+0x488/0xbd0
[ 73.771404][ T11] process_one_work+0x958/0x1b30
[ 73.776379][ T11] worker_thread+0x6c8/0xf00
[ 73.780965][ T11] kthread+0x2c1/0x3a0
[ 73.785207][ T11] ret_from_fork+0x45/0x80
[ 73.789619][ T11] ret_from_fork_asm+0x1a/0x30
[ 73.794473][ T11]
[ 73.796792][ T11] The buggy address belongs to the object at ffff88806345da70
[ 73.796792][ T11] which belongs to the cache dentry of size 312
[ 73.810432][ T11] The buggy address is located 208 bytes inside of
[ 73.810432][ T11] freed 312-byte region [ffff88806345da70, ffff88806345dba8)
[ 73.824332][ T11]
[ 73.826756][ T11] The buggy address belongs to the physical page:
[ 73.833168][ T11] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6345c
[ 73.841931][ T11] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 73.850425][ T11] memcg:ffff888034732a01
[ 73.854745][ T11] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[ 73.862281][ T11] page_type: f5(slab)
[ 73.866292][ T11] raw: 00fff00000000040 ffff88801baff8c0 dead000000000122 0000000000000000
[ 73.874892][ T11] raw: 0000000000000000 0000000000150015 00000001f5000000 ffff888034732a01
[ 73.883473][ T11] head: 00fff00000000040 ffff88801baff8c0 dead000000000122 0000000000000000
[ 73.892232][ T11] head: 0000000000000000 0000000000150015 00000001f5000000 ffff888034732a01
[ 73.900903][ T11] head: 00fff00000000001 ffffea00018d1701 ffffffffffffffff 0000000000000000
[ 73.909572][ T11] head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
[ 73.918234][ T11] page dumped because: kasan: bad access detected
[ 73.924649][ T11] page_owner tracks the page as allocated
[ 73.930360][ T11] page last allocated via order 1, migratetype Reclaimable, gfp_mask 0xd20d0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_RECLAIMABLE), pid 5866, tgid 5866 (syz-executor), ts 72492801701, free_ts 19664769086
[ 73.953550][ T11] post_alloc_hook+0x2d1/0x350
[ 73.958334][ T11] get_page_from_freelist+0xfce/0x2f80
[ 73.963798][ T11] __alloc_pages_noprof+0x223/0x25b0
[ 73.969095][ T11] alloc_pages_mpol_noprof+0x2c9/0x610
[ 73.974566][ T11] new_slab+0x2c9/0x410
[ 73.978721][ T11] ___slab_alloc+0xce2/0x1650
[ 73.983484][ T11] __slab_alloc.constprop.0+0x56/0xb0
[ 73.988854][ T11] kmem_cache_alloc_lru_noprof+0xf0/0x3b0
[ 73.994575][ T11] __d_alloc+0x35/0x8c0
[ 73.998734][ T11] d_alloc+0x4a/0x1e0
[ 74.002734][ T11] d_alloc_parallel+0xe9/0x12b0
[ 74.007592][ T11] __lookup_slow+0x194/0x460
[ 74.012233][ T11] lookup_one_len+0x181/0x1b0
[ 74.016920][ T11] start_creating.part.0+0x12f/0x3a0
[ 74.022215][ T11] __debugfs_create_file+0xa5/0x660
[ 74.027430][ T11] debugfs_create_bool+0x70/0xa0
[ 74.032377][ T11] page last free pid 1 tgid 1 stack trace:
[ 74.038171][ T11] free_unref_page+0x661/0x1080
[ 74.043026][ T11] free_contig_range+0x133/0x3f0
[ 74.047964][ T11] destroy_args+0x802/0xa50
[ 74.052471][ T11] debug_vm_pgtable+0x16d8/0x3230
[ 74.057498][ T11] do_one_initcall+0x128/0x630
[ 74.062264][ T11] kernel_init_freeable+0x58f/0x8b0
[ 74.067461][ T11] kernel_init+0x1c/0x2b0
[ 74.071796][ T11] ret_from_fork+0x45/0x80
[ 74.076236][ T11] ret_from_fork_asm+0x1a/0x30
[ 74.081002][ T11]
[ 74.083315][ T11] Memory state around the buggy address:
[ 74.088935][ T11] ffff88806345da00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fa fb
[ 74.096991][ T11] ffff88806345da80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.105047][ T11] >ffff88806345db00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.113184][ T11] ^
[ 74.119412][ T11] ffff88806345db80: fb fb fb fb fb fc fc fc fc fc fc fc fc fa fb fb
[ 74.127556][ T11] ffff88806345dc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.135715][ T11] ==================================================================
[ 74.143793][ T11] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 74.151069][ T11] CPU: 0 UID: 0 PID: 11 Comm: kworker/u8:0 Not tainted 6.13.0-rc4-syzkaller-gd6ef8b40d075-dirty #0
[ 74.161758][ T11] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
[ 74.171817][ T11] Workqueue: netns cleanup_net
[ 74.176618][ T11] Call Trace:
[ 74.179893][ T11]
[ 74.182819][ T11] dump_stack_lvl+0x3d/0x1f0
[ 74.187421][ T11] panic+0x71d/0x800
[ 74.191322][ T11] ? __pfx_panic+0x10/0x10
[ 74.195742][ T11] ? rcu_is_watching+0x12/0xc0
[ 74.200518][ T11] ? __pfx_lock_release+0x10/0x10
[ 74.205542][ T11] ? check_panic_on_warn+0x1f/0xb0
[ 74.210659][ T11] check_panic_on_warn+0xab/0xb0
[ 74.215610][ T11] end_report+0x117/0x180
[ 74.219957][ T11] kasan_report+0xe9/0x110
[ 74.224376][ T11] ? __lock_acquire+0x2d90/0x3c40
[ 74.229399][ T11] ? __lock_acquire+0x2d90/0x3c40
[ 74.234421][ T11] __lock_acquire+0x2d90/0x3c40
[ 74.239269][ T11] ? hlock_class+0x4e/0x130
[ 74.243775][ T11] ? __lock_acquire+0x15a9/0x3c40
[ 74.248800][ T11] ? __pfx___lock_acquire+0x10/0x10
[ 74.254087][ T11] lock_acquire.part.0+0x11b/0x380
[ 74.259197][ T11] ? lockref_get+0x15/0x50
[ 74.263621][ T11] ? __pfx_lock_acquire.part.0+0x10/0x10
[ 74.269256][ T11] ? rcu_is_watching+0x12/0xc0
[ 74.274027][ T11] ? trace_lock_acquire+0x14e/0x1f0
[ 74.279231][ T11] ? lockref_get+0x15/0x50
[ 74.283651][ T11] ? lock_acquire+0x2f/0xb0
[ 74.288155][ T11] ? lockref_get+0x15/0x50
[ 74.292589][ T11] _raw_spin_lock+0x2e/0x40
[ 74.297089][ T11] ? lockref_get+0x15/0x50
[ 74.301508][ T11] lockref_get+0x15/0x50
[ 74.305759][ T11] simple_recursive_removal+0x45/0x8e0
[ 74.311228][ T11] ? __pfx_remove_one+0x10/0x10
[ 74.316086][ T11] ? mntput+0x10/0x90
[ 74.320070][ T11] debugfs_remove+0x5d/0x80
[ 74.324667][ T11] nsim_destroy+0x6a/0x6b0
[ 74.329086][ T11] __nsim_dev_port_del+0x189/0x240
[ 74.334203][ T11] nsim_dev_reload_destroy+0x158/0x540
[ 74.339673][ T11] nsim_dev_reload_down+0x6e/0xd0
[ 74.344702][ T11] devlink_reload+0x17f/0x760
[ 74.349434][ T11] ? __pfx_devlink_reload+0x10/0x10
[ 74.354638][ T11] ? devlinks_xa_find_get+0x39/0x260
[ 74.359925][ T11] devlink_pernet_pre_exit+0x1a1/0x2b0
[ 74.365391][ T11] ? __pfx_devlink_pernet_pre_exit+0x10/0x10
[ 74.371461][ T11] ? up_write+0x1b2/0x520
[ 74.375797][ T11] ? kobject_put+0xab/0x5a0
[ 74.380315][ T11] ? __pfx_devlink_pernet_pre_exit+0x10/0x10
[ 74.386298][ T11] cleanup_net+0x488/0xbd0
[ 74.390727][ T11] ? __pfx_cleanup_net+0x10/0x10
[ 74.395705][ T11] ? lock_acquire+0x2f/0xb0
[ 74.400211][ T11] ? process_one_work+0x8bb/0x1b30
[ 74.405320][ T11] process_one_work+0x958/0x1b30
[ 74.410308][ T11] ? __pfx_lock_acquire.part.0+0x10/0x10
[ 74.415943][ T11] ? __pfx_process_one_work+0x10/0x10
[ 74.421325][ T11] ? rcu_is_watching+0x12/0xc0
[ 74.426099][ T11] ? assign_work+0x1a0/0x250
[ 74.431048][ T11] worker_thread+0x6c8/0xf00
[ 74.435650][ T11] ? __pfx_worker_thread+0x10/0x10
[ 74.440765][ T11] kthread+0x2c1/0x3a0
[ 74.444852][ T11] ? _raw_spin_unlock_irq+0x23/0x50
[ 74.450053][ T11] ? __pfx_kthread+0x10/0x10
[ 74.454716][ T11] ret_from_fork+0x45/0x80
[ 74.459144][ T11] ? __pfx_kthread+0x10/0x10
[ 74.463741][ T11] ret_from_fork_asm+0x1a/0x30
[ 74.468521][ T11]
[ 74.471810][ T11] Kernel Offset: disabled
[ 74.476133][ T11] Rebooting in 86400 seconds..
syzkaller build log:
go env (err=)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.22.7'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build1782442588=/tmp/go-build -gno-record-gcc-switches'
git status (err=)
HEAD detached at 7cbfbb3ab4
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
go fmt ./sys/... >/dev/null
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=7cbfbb3ab457b0a8ecf525a27a65a2078c5dcaa8 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20241213-162906'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"7cbfbb3ab457b0a8ecf525a27a65a2078c5dcaa8\"
/usr/bin/ld: /tmp/ccPml299.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking