================================================================== BUG: KASAN: use-after-free in virtqueue_add+0x2ee1/0x3730 drivers/virtio/virtio_ring.c:1704 Read of size 1 at addr ffff8881e3adfd38 by task klogd/152 CPU: 0 PID: 152 Comm: klogd Not tainted 5.4.284-syzkaller-04988-g137306201ec6 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1d8/0x241 lib/dump_stack.c:118 print_address_description+0x8c/0x600 mm/kasan/report.c:384 __kasan_report+0xf3/0x120 mm/kasan/report.c:516 kasan_report+0x30/0x60 mm/kasan/common.c:653 virtqueue_add+0x2ee1/0x3730 drivers/virtio/virtio_ring.c:1704 virtqueue_add_sgs+0xf8/0x110 drivers/virtio/virtio_ring.c:1740 __virtscsi_add_cmd drivers/scsi/virtio_scsi.c:447 [inline] virtscsi_add_cmd+0x589/0x6d0 drivers/scsi/virtio_scsi.c:481 virtscsi_queuecommand+0x35f/0x5a0 drivers/scsi/virtio_scsi.c:578 scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1568 [inline] scsi_queue_rq+0x1b41/0x2860 drivers/scsi/scsi_lib.c:1699 blk_mq_dispatch_rq_list+0x8f4/0x16f0 block/blk-mq.c:1320 blk_mq_do_dispatch_sched+0x389/0x480 block/blk-mq-sched.c:132 __blk_mq_sched_dispatch_requests+0x3d8/0x4d0 block/blk-mq-sched.c:235 blk_mq_sched_dispatch_requests+0xec/0x160 block/blk-mq-sched.c:266 __blk_mq_run_hw_queue+0x15f/0x270 block/blk-mq.c:1451 __blk_mq_delay_run_hw_queue+0x12b/0x5b0 block/blk-mq.c:1519 blk_mq_run_hw_queue+0x1d1/0x320 block/blk-mq.c:1556 blk_mq_sched_insert_requests+0x22b/0x380 block/blk-mq-sched.c:522 blk_mq_flush_plug_list+0x8b4/0xb00 block/blk-mq.c:1824 blk_flush_plug_list+0x47e/0x4d0 block/blk-core.c:1790 blk_finish_plug+0x59/0x80 block/blk-core.c:1807 read_pages+0x39d/0x400 mm/readahead.c:142 __do_page_cache_readahead+0x448/0x4f0 mm/readahead.c:212 ra_submit mm/internal.h:62 [inline] do_sync_mmap_readahead mm/filemap.c:2580 [inline] filemap_fault+0xb5d/0x16b0 mm/filemap.c:2666 ext4_filemap_fault+0x7b/0x90 fs/ext4/inode.c:6510 __do_fault mm/memory.c:3259 [inline] do_read_fault mm/memory.c:3668 [inline] do_fault mm/memory.c:3797 [inline] handle_pte_fault mm/memory.c:4028 [inline] __handle_mm_fault mm/memory.c:4152 [inline] handle_mm_fault+0x33b4/0x4920 mm/memory.c:4189 do_user_addr_fault arch/x86/mm/fault.c:1444 [inline] __do_page_fault+0x509/0xbb0 arch/x86/mm/fault.c:1505 page_fault+0x2f/0x40 arch/x86/entry/entry_64.S:1206 RIP: 0033:0x7f9985cd49b3 Code: Bad RIP value. RSP: 002b:00007ffcbe4d02f8 EFLAGS: 00010246 RAX: 000000000000002c RBX: 0000000000000000 RCX: 00007f9985cd49b5 RDX: 000000000000005d RSI: 00005562b1ebaeb0 RDI: 0000000000000003 RBP: 00005562b1eb12c0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000004000 R11: 0000000000000246 R12: 0000000000000013 R13: 00007f9985e62212 R14: 00007ffcbe4d03f8 R15: 0000000000000000 Allocated by task 541: save_stack mm/kasan/common.c:70 [inline] set_track mm/kasan/common.c:78 [inline] __kasan_kmalloc+0x171/0x210 mm/kasan/common.c:529 kmalloc include/linux/slab.h:556 [inline] __vring_new_virtqueue+0x13c/0xd50 drivers/virtio/virtio_ring.c:2071 vring_create_virtqueue_split drivers/virtio/virtio_ring.c:894 [inline] vring_create_virtqueue+0x11a3/0x1d20 drivers/virtio/virtio_ring.c:2152 setup_vq+0x153/0x350 drivers/virtio/virtio_pci_legacy.c:137 vp_setup_vq+0xbc/0x330 drivers/virtio/virtio_pci_common.c:189 vp_find_vqs_msix+0x890/0xe90 drivers/virtio/virtio_pci_common.c:322 vp_find_vqs+0x4f/0x470 drivers/virtio/virtio_pci_common.c:401 virtio_find_vqs include/linux/virtio_config.h:198 [inline] virtscsi_init+0x490/0xb70 drivers/scsi/virtio_scsi.c:807 virtscsi_restore+0x4f/0x190 drivers/scsi/virtio_scsi.c:941 virtio_device_restore+0x39d/0x5a0 drivers/virtio/virtio.c:433 dpm_run_callback+0x30/0x390 drivers/base/power/main.c:487 device_resume+0x551/0x620 drivers/base/power/main.c:1029 async_resume+0x23/0x170 drivers/base/power/main.c:1049 async_run_entry_fn+0xed/0x3f0 kernel/async.c:123 process_one_work+0x765/0xd20 kernel/workqueue.c:2290 worker_thread+0xaef/0x1470 kernel/workqueue.c:2436 kthread+0x2da/0x360 kernel/kthread.c:288 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354 Freed by task 508: save_stack mm/kasan/common.c:70 [inline] set_track mm/kasan/common.c:78 [inline] kasan_set_free_info mm/kasan/common.c:345 [inline] __kasan_slab_free+0x1b5/0x270 mm/kasan/common.c:487 slab_free_hook mm/slub.c:1455 [inline] slab_free_freelist_hook mm/slub.c:1494 [inline] slab_free mm/slub.c:3080 [inline] kfree+0x123/0x370 mm/slub.c:4071 vp_del_vq drivers/virtio/virtio_pci_common.c:221 [inline] vp_del_vqs+0x35a/0x890 drivers/virtio/virtio_pci_common.c:243 virtscsi_remove_vqs drivers/scsi/virtio_scsi.c:772 [inline] virtscsi_freeze+0x8d/0xa0 drivers/scsi/virtio_scsi.c:931 virtio_device_freeze+0x138/0x300 drivers/virtio/virtio.c:390 virtio_pci_freeze+0x39/0x70 drivers/virtio/virtio_pci_common.c:467 pci_pm_suspend+0x2a5/0x930 drivers/pci/pci-driver.c:794 dpm_run_callback+0x30/0x390 drivers/base/power/main.c:487 __device_suspend+0xa18/0xff0 drivers/base/power/main.c:1816 async_suspend+0x25/0x230 drivers/base/power/main.c:1848 async_run_entry_fn+0xed/0x3f0 kernel/async.c:123 process_one_work+0x765/0xd20 kernel/workqueue.c:2290 worker_thread+0xaef/0x1470 kernel/workqueue.c:2436 kthread+0x2da/0x360 kernel/kthread.c:288 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354 The buggy address belongs to the object at ffff8881e3adfd00 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 56 bytes inside of 192-byte region [ffff8881e3adfd00, ffff8881e3adfdc0) The buggy address belongs to the page: page:ffffea00078eb7c0 refcount:1 mapcount:0 mapping:ffff8881f5c02a00 index:0x0 flags: 0x8000000000000200(slab) raw: 8000000000000200 ffffea0007951540 0000000500000002 ffff8881f5c02a00 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY) set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook mm/page_alloc.c:2165 [inline] prep_new_page+0x18f/0x370 mm/page_alloc.c:2171 get_page_from_freelist+0x2d13/0x2d90 mm/page_alloc.c:3794 __alloc_pages_nodemask+0x393/0x840 mm/page_alloc.c:4893 alloc_slab_page+0x39/0x3c0 mm/slub.c:343 allocate_slab mm/slub.c:1683 [inline] new_slab+0x97/0x440 mm/slub.c:1749 new_slab_objects mm/slub.c:2505 [inline] ___slab_alloc+0x2fe/0x490 mm/slub.c:2667 __slab_alloc+0x62/0xa0 mm/slub.c:2707 slab_alloc_node mm/slub.c:2792 [inline] slab_alloc mm/slub.c:2837 [inline] kmem_cache_alloc_trace+0x12d/0x260 mm/slub.c:2854 kmalloc include/linux/slab.h:556 [inline] kzalloc include/linux/slab.h:690 [inline] alloc_pipe_info+0xdf/0x400 fs/pipe.c:674 get_pipe_inode fs/pipe.c:753 [inline] create_pipe_files+0x85/0x610 fs/pipe.c:785 __do_pipe_flags+0x46/0x200 fs/pipe.c:822 do_pipe2+0xd0/0x300 fs/pipe.c:870 __do_sys_pipe2 fs/pipe.c:888 [inline] __se_sys_pipe2 fs/pipe.c:886 [inline] __x64_sys_pipe2+0x56/0x60 fs/pipe.c:886 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x5c/0xc1 page_owner free stack trace missing Memory state around the buggy address: ffff8881e3adfc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8881e3adfc80: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc >ffff8881e3adfd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8881e3adfd80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8881e3adfe00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================