==================================================================
BUG: KASAN: slab-use-after-free in tcx_entry include/net/tcx.h:36 [inline]
BUG: KASAN: slab-use-after-free in sch_handle_ingress net/core/dev.c:3990 [inline]
BUG: KASAN: slab-use-after-free in __netif_receive_skb_core.constprop.0+0x3790/0x3bf0 net/core/dev.c:5373
Read of size 8 at addr ffff8881313be208 by task dhcpcd-run-hook/4933
CPU: 0 PID: 4933 Comm: dhcpcd-run-hook Not tainted 6.5.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x8e/0xf0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0xc4/0x620 mm/kasan/report.c:475
kasan_report+0xda/0x110 mm/kasan/report.c:588
tcx_entry include/net/tcx.h:36 [inline]
sch_handle_ingress net/core/dev.c:3990 [inline]
__netif_receive_skb_core.constprop.0+0x3790/0x3bf0 net/core/dev.c:5373
__netif_receive_skb_one_core+0xaf/0x180 net/core/dev.c:5511
__netif_receive_skb+0x1f/0x1b0 net/core/dev.c:5627
process_backlog+0x1d8/0x5e0 net/core/dev.c:5955
__napi_poll+0xb4/0x690 net/core/dev.c:6517
napi_poll net/core/dev.c:6584 [inline]
net_rx_action+0x938/0xe60 net/core/dev.c:6717
__do_softirq+0x250/0x672 kernel/softirq.c:553
invoke_softirq kernel/softirq.c:427 [inline]
__irq_exit_rcu kernel/softirq.c:632 [inline]
irq_exit_rcu+0x85/0xe0 kernel/softirq.c:644
sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1109
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645
RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:85 [inline]
RIP: 0010:memory_is_nonzero mm/kasan/generic.c:102 [inline]
RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:127 [inline]
RIP: 0010:memory_is_poisoned mm/kasan/generic.c:159 [inline]
RIP: 0010:check_region_inline mm/kasan/generic.c:178 [inline]
RIP: 0010:kasan_check_range+0x10d/0x190 mm/kasan/generic.c:187
Code: 00 00 7c 0b 44 89 c2 e8 61 ef ff ff 83 f0 01 5b 5d 41 5c c3 48 85 d2 74 4f 48 01 ea eb 09 48 83 c0 01 48 39 d0 74 41 80 38 00 <74> f2 eb b6 41 bc 08 00 00 00 45 29 dc 49 8d 14 2c eb 0c 48 83 c0
RSP: 0018:ffffc900026c7688 EFLAGS: 00000246
RAX: ffffed1020f24c33 RBX: ffffed1020f24c34 RCX: ffffffff81bc5318
RDX: ffffed1020f24c34 RSI: 0000000000000008 RDI: ffff888107926198
RBP: ffffed1020f24c33 R08: 0000000000000001 R09: ffffed1020f24c33
R10: ffff88810792619f R11: 0000000000054000 R12: 0000000000000001
R13: dffffc0000000000 R14: 0000001347773b09 R15: 0000000004d500d7
instrument_write include/linux/instrumented.h:40 [inline]
___clear_bit include/asm-generic/bitops/instrumented-non-atomic.h:44 [inline]
__reset_page_owner+0x98/0x160 mm/page_owner.c:151
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1161 [inline]
free_unref_page_prepare+0x5a2/0xc50 mm/page_alloc.c:2348
free_unref_page_list+0xe6/0xaa0 mm/page_alloc.c:2489
release_pages+0xc0f/0x11b0 mm/swap.c:1042
tlb_batch_pages_flush+0x9a/0x170 mm/mmu_gather.c:97
tlb_flush_mmu_free mm/mmu_gather.c:292 [inline]
tlb_flush_mmu mm/mmu_gather.c:299 [inline]
tlb_finish_mmu+0x14b/0x7e0 mm/mmu_gather.c:391
exit_mmap+0x2db/0x8a0 mm/mmap.c:3214
__mmput+0xdd/0x450 kernel/fork.c:1348
mmput+0x51/0x60 kernel/fork.c:1370
exec_mmap fs/exec.c:1036 [inline]
begin_new_exec+0x1134/0x2e10 fs/exec.c:1295
load_elf_binary+0x847/0x4e80 fs/binfmt_elf.c:1001
search_binary_handler fs/exec.c:1738 [inline]
exec_binprm fs/exec.c:1780 [inline]
bprm_execve fs/exec.c:1855 [inline]
bprm_execve+0x796/0x1770 fs/exec.c:1811
do_execveat_common.isra.0+0x5cb/0x750 fs/exec.c:1963
do_execve fs/exec.c:2037 [inline]
__do_sys_execve fs/exec.c:2113 [inline]
__se_sys_execve fs/exec.c:2108 [inline]
__x64_sys_execve+0x8c/0xb0 fs/exec.c:2108
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f938cde5ef7
Code: Unable to access opcode bytes at 0x7f938cde5ecd.
RSP: 002b:00007ffc2f9ada38 EFLAGS: 00000246 ORIG_RAX: 000000000000003b
RAX: ffffffffffffffda RBX: 000055955f7e4ec0 RCX: 00007f938cde5ef7
RDX: 000055955f7e4f08 RSI: 000055955f7e4ec0 RDI: 000055955f7e4f98
RBP: 000055955f7e4f98 R08: 000055955f7e4f9d R09: 00007ffc2f9b2ed0
R10: 00007f938cfde088 R11: 0000000000000246 R12: 000055955f7e4f08
R13: 00007f938cf93904 R14: 000055955f7e4f08 R15: 0000000000000000
Allocated by task 4829:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:383
kmalloc include/linux/slab.h:582 [inline]
kzalloc include/linux/slab.h:703 [inline]
tcx_entry_create include/net/tcx.h:85 [inline]
tcx_entry_fetch_or_create include/net/tcx.h:106 [inline]
tcx_entry_fetch_or_create include/net/tcx.h:100 [inline]
ingress_init+0x29b/0x500 net/sched/sch_ingress.c:91
qdisc_create+0x4f4/0x1060 net/sched/sch_api.c:1326
tc_modify_qdisc+0x98f/0x1a00 net/sched/sch_api.c:1703
rtnetlink_rcv_msg+0x48c/0xba0 net/core/rtnetlink.c:6424
netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2546
netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
netlink_unicast+0x539/0x800 net/netlink/af_netlink.c:1365
netlink_sendmsg+0x932/0xe20 net/netlink/af_netlink.c:1911
sock_sendmsg_nosec net/socket.c:725 [inline]
sock_sendmsg+0xd9/0x180 net/socket.c:748
____sys_sendmsg+0x67f/0x880 net/socket.c:2494
___sys_sendmsg+0x135/0x1d0 net/socket.c:2548
__sys_sendmsg+0x117/0x1e0 net/socket.c:2577
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Freed by task 4256:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522
____kasan_slab_free mm/kasan/common.c:236 [inline]
____kasan_slab_free+0x15e/0x1b0 mm/kasan/common.c:200
kasan_slab_free include/linux/kasan.h:162 [inline]
slab_free_hook mm/slub.c:1792 [inline]
slab_free_freelist_hook+0x10b/0x1e0 mm/slub.c:1818
slab_free mm/slub.c:3801 [inline]
kmem_cache_free_bulk.part.0+0x289/0x6f0 mm/slub.c:3919
kfree_bulk include/linux/slab.h:499 [inline]
kvfree_rcu_bulk+0x430/0x560 kernel/rcu/tree.c:2958
kvfree_rcu_drain_ready kernel/rcu/tree.c:3132 [inline]
kfree_rcu_monitor+0x463/0x1270 kernel/rcu/tree.c:3150
process_one_work+0xa0f/0x14b0 kernel/workqueue.c:2597
worker_thread+0xf3/0xe00 kernel/workqueue.c:2748
kthread+0x2aa/0x380 kernel/kthread.c:389
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
Last potentially related work creation:
kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
__kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:492
kvfree_call_rcu+0x63/0x970 kernel/rcu/tree.c:3368
tcx_entry_free include/net/tcx.h:96 [inline]
ingress_destroy+0x29f/0x330 net/sched/sch_ingress.c:127
qdisc_create+0xa04/0x1060 net/sched/sch_api.c:1360
tc_modify_qdisc+0x98f/0x1a00 net/sched/sch_api.c:1703
rtnetlink_rcv_msg+0x48c/0xba0 net/core/rtnetlink.c:6424
netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2546
netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
netlink_unicast+0x539/0x800 net/netlink/af_netlink.c:1365
netlink_sendmsg+0x932/0xe20 net/netlink/af_netlink.c:1911
sock_sendmsg_nosec net/socket.c:725 [inline]
sock_sendmsg+0xd9/0x180 net/socket.c:748
____sys_sendmsg+0x67f/0x880 net/socket.c:2494
___sys_sendmsg+0x135/0x1d0 net/socket.c:2548
__sys_sendmsg+0x117/0x1e0 net/socket.c:2577
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The buggy address belongs to the object at ffff8881313be000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 520 bytes inside of
freed 2048-byte region [ffff8881313be000, ffff8881313be800)
The buggy address belongs to the physical page:
page:ffffea0004c4ee00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1313b8
head:ffffea0004c4ee00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x200000000010200(slab|head|node=0|zone=2)
page_type: 0xffffffff()
raw: 0200000000010200 ffff888100042000 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 2850, tgid 2850 (klogd), ts 74363736681, free_ts 74351423195
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x281/0x2f0 mm/page_alloc.c:1570
prep_new_page mm/page_alloc.c:1577 [inline]
get_page_from_freelist+0xcff/0x31a0 mm/page_alloc.c:3221
__alloc_pages+0x1d0/0x470 mm/page_alloc.c:4477
alloc_pages+0x21f/0x3e0 mm/mempolicy.c:2279
alloc_slab_page mm/slub.c:1862 [inline]
allocate_slab+0x24e/0x360 mm/slub.c:2009
new_slab mm/slub.c:2062 [inline]
___slab_alloc+0x7a7/0x1000 mm/slub.c:3215
__slab_alloc.constprop.0+0x4d/0x90 mm/slub.c:3314
__slab_alloc_node mm/slub.c:3367 [inline]
slab_alloc_node mm/slub.c:3460 [inline]
__kmem_cache_alloc_node+0x143/0x390 mm/slub.c:3509
kmalloc_trace+0x25/0xb0 mm/slab_common.c:1076
kmalloc include/linux/slab.h:582 [inline]
syslog_print+0xf9/0x5b0 kernel/printk/printk.c:1553
do_syslog+0x2d4/0x580 kernel/printk/printk.c:1732
__do_sys_syslog kernel/printk/printk.c:1824 [inline]
__se_sys_syslog kernel/printk/printk.c:1822 [inline]
__x64_sys_syslog+0x74/0xb0 kernel/printk/printk.c:1822
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1161 [inline]
free_unref_page_prepare+0x5a2/0xc50 mm/page_alloc.c:2348
free_unref_page+0x33/0x350 mm/page_alloc.c:2443
__unfreeze_partials+0x1f1/0x210 mm/slub.c:2647
qlink_free mm/kasan/quarantine.c:166 [inline]
qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:185
kasan_quarantine_reduce+0x17d/0x1b0 mm/kasan/quarantine.c:292
__kasan_slab_alloc+0x65/0x90 mm/kasan/common.c:305
kasan_slab_alloc include/linux/kasan.h:186 [inline]
slab_post_alloc_hook mm/slab.h:762 [inline]
slab_alloc_node mm/slub.c:3470 [inline]
slab_alloc mm/slub.c:3478 [inline]
__kmem_cache_alloc_lru mm/slub.c:3485 [inline]
kmem_cache_alloc+0x1a1/0x3d0 mm/slub.c:3494
getname_flags.part.0+0x50/0x4d0 fs/namei.c:140
getname_flags+0x9c/0xf0 include/linux/audit.h:319
vfs_fstatat+0x77/0xb0 fs/stat.c:275
__do_sys_newfstatat+0x98/0x110 fs/stat.c:446
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Memory state around the buggy address:
ffff8881313be100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881313be180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881313be200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881313be280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8881313be300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess):
0: 00 00 add %al,(%rax)
2: 7c 0b jl 0xf
4: 44 89 c2 mov %r8d,%edx
7: e8 61 ef ff ff call 0xffffef6d
c: 83 f0 01 xor $0x1,%eax
f: 5b pop %rbx
10: 5d pop %rbp
11: 41 5c pop %r12
13: c3 ret
14: 48 85 d2 test %rdx,%rdx
17: 74 4f je 0x68
19: 48 01 ea add %rbp,%rdx
1c: eb 09 jmp 0x27
1e: 48 83 c0 01 add $0x1,%rax
22: 48 39 d0 cmp %rdx,%rax
25: 74 41 je 0x68
27: 80 38 00 cmpb $0x0,(%rax)
* 2a: 74 f2 je 0x1e <-- trapping instruction
2c: eb b6 jmp 0xffffffe4
2e: 41 bc 08 00 00 00 mov $0x8,%r12d
34: 45 29 dc sub %r11d,%r12d
37: 49 8d 14 2c lea (%r12,%rbp,1),%rdx
3b: eb 0c jmp 0x49
3d: 48 rex.W
3e: 83 .byte 0x83
3f: c0 .byte 0xc0