==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:1300 [inline]
BUG: KASAN: slab-use-after-free in queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]
BUG: KASAN: slab-use-after-free in do_raw_spin_lock include/linux/spinlock.h:187 [inline]
BUG: KASAN: slab-use-after-free in __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline]
BUG: KASAN: slab-use-after-free in _raw_spin_lock_bh+0x9b/0x1b0 kernel/locking/spinlock.c:178
Write of size 4 at addr ffff88810fb54c88 by task kworker/1:0/25

CPU: 1 PID: 25 Comm: kworker/1:0 Tainted: G W 6.9.0-rc2-syzkaller-00080-gc85af715cac0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Workqueue: vsock-loopback vsock_loopback_work
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x188/0x200 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x163/0x550 mm/kasan/report.c:488
 kasan_report+0x14f/0x190 mm/kasan/report.c:601
 kasan_check_range+0x23c/0x2c0 mm/kasan/generic.c:189
 __kasan_check_write+0x18/0x20 mm/kasan/shadow.c:37
 instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
 atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:1300 [inline]
 queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]
 do_raw_spin_lock include/linux/spinlock.h:187 [inline]
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline]
 _raw_spin_lock_bh+0x9b/0x1b0 kernel/locking/spinlock.c:178
 spin_lock_bh include/linux/spinlock.h:356 [inline]
 virtio_transport_space_update net/vmw_vsock/virtio_transport_common.c:1451 [inline]
 virtio_transport_recv_pkt+0xfcc/0x2a10 net/vmw_vsock/virtio_transport_common.c:1594
 vsock_loopback_work+0x39e/0x4c0 net/vmw_vsock/vsock_loopback.c:127
 process_one_work kernel/workqueue.c:3254 [inline]
 process_scheduled_works+0x730/0xff0 kernel/workqueue.c:3335
 worker_thread+0x96d/0xe00 kernel/workqueue.c:3416
 kthread+0x2e7/0x380 kernel/kthread.c:388
 ret_from_fork+0x55/0x90 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243

Allocated by task 549:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_alloc_info+0x3c/0x50 mm/kasan/generic.c:565
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0x9d/0xb0 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 kmalloc_trace+0x1ac/0x390 mm/slub.c:3997
 kmalloc include/linux/slab.h:628 [inline]
 kzalloc include/linux/slab.h:749 [inline]
 virtio_transport_do_socket_init+0x5a/0x350 net/vmw_vsock/virtio_transport_common.c:878
 vsock_assign_transport+0x49b/0x5e0 net/vmw_vsock/af_vsock.c:507
 vsock_connect+0x5cf/0xe30 net/vmw_vsock/af_vsock.c:1393
 __sys_connect_file net/socket.c:2048 [inline]
 __sys_connect+0x2da/0x310 net/socket.c:2065
 __do_sys_connect net/socket.c:2075 [inline]
 __se_sys_connect net/socket.c:2072 [inline]
 __x64_sys_connect+0x7e/0x90 net/socket.c:2072
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x62/0x100 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x71/0x79

Freed by task 549:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x44/0x50 mm/kasan/generic.c:579
 poison_slab_object+0xfd/0x140 mm/kasan/common.c:240
 __kasan_slab_free+0x3b/0x60 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2106 [inline]
 slab_free mm/slub.c:4280 [inline]
 kfree+0xf0/0x290 mm/slub.c:4390
 virtio_transport_destruct+0x3f/0x50 net/vmw_vsock/virtio_transport_common.c:1089
 vsock_deassign_transport net/vmw_vsock/af_vsock.c:422 [inline]
 vsock_assign_transport+0x343/0x5e0 net/vmw_vsock/af_vsock.c:490
 vsock_connect+0x5cf/0xe30 net/vmw_vsock/af_vsock.c:1393
 __sys_connect_file net/socket.c:2048 [inline]
 __sys_connect+0x2da/0x310 net/socket.c:2065
 __do_sys_connect net/socket.c:2075 [inline]
 __se_sys_connect net/socket.c:2072 [inline]
 __x64_sys_connect+0x7e/0x90 net/socket.c:2072
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x62/0x100 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x71/0x79

The buggy address belongs to the object at ffff88810fb54c80
 which belongs to the cache kmalloc-96 of size 96
The buggy address is located 8 bytes inside of
 freed 96-byte region [ffff88810fb54c80, ffff88810fb54ce0)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10fb54
flags: 0x4000000000000800(slab|zone=1)
page_type: 0xffffffff()
raw: 4000000000000800 ffff888100041780 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 354, tgid 354 (syz-executor.0), ts 47162164663, free_ts 47161507634
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x227/0x230 mm/page_alloc.c:1534
 prep_new_page mm/page_alloc.c:1541 [inline]
 get_page_from_freelist+0x35b8/0x3680 mm/page_alloc.c:3317
 __alloc_pages+0x3e6/0x8a0 mm/page_alloc.c:4575
 __alloc_pages_node include/linux/gfp.h:238 [inline]
 alloc_pages_node include/linux/gfp.h:261 [inline]
 alloc_slab_page mm/slub.c:2175 [inline]
 allocate_slab mm/slub.c:2338 [inline]
 new_slab+0xe8/0x4c0 mm/slub.c:2391
 ___slab_alloc+0x777/0xc50 mm/slub.c:3525
 __slab_alloc mm/slub.c:3610 [inline]
 __slab_alloc_node mm/slub.c:3663 [inline]
 slab_alloc_node mm/slub.c:3835 [inline]
 __do_kmalloc_node mm/slub.c:3965 [inline]
 __kmalloc_node+0x2c5/0x500 mm/slub.c:3973
 kmalloc_node include/linux/slab.h:648 [inline]
 kvmalloc_node+0x76/0x190 mm/util.c:634
 kvmalloc include/linux/slab.h:766 [inline]
 alloc_fdtable+0x163/0x2a0 fs/file.c:141
 dup_fd+0x763/0xb10 fs/file.c:354
 copy_files+0x150/0x2a0 kernel/fork.c:1791
 copy_process+0x11b4/0x30f0 kernel/fork.c:2377
 kernel_clone+0x22e/0x890 kernel/fork.c:2796
 __do_sys_clone kernel/fork.c:2939 [inline]
 __se_sys_clone kernel/fork.c:2923 [inline]
 __x64_sys_clone+0x258/0x2a0 kernel/fork.c:2923
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x62/0x100 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x71/0x79
page last free pid 547 tgid 547 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1141 [inline]
 free_unref_page_prepare+0x4cc/0x700 mm/page_alloc.c:2347
 free_unref_page+0x3a/0x3d0 mm/page_alloc.c:2487
 free_the_page mm/page_alloc.c:564 [inline]
 __free_pages+0x65/0x100 mm/page_alloc.c:4661
 free_pages+0x80/0x90 mm/page_alloc.c:4672
 tlb_batch_list_free mm/mmu_gather.c:159 [inline]
 tlb_finish_mmu+0x125/0x200 mm/mmu_gather.c:468
 exit_mmap+0x510/0xb80 mm/mmap.c:3280
 __mmput+0x95/0x310 kernel/fork.c:1345
 mmput+0x63/0x80 kernel/fork.c:1367
 exit_mm kernel/exit.c:569 [inline]
 do_exit+0xa9c/0x29e0 kernel/exit.c:865
 do_group_exit+0x21f/0x2e0 kernel/exit.c:1027
 __do_sys_exit_group kernel/exit.c:1038 [inline]
 __se_sys_exit_group kernel/exit.c:1036 [inline]
 __x64_sys_exit_group+0x43/0x50 kernel/exit.c:1036
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x62/0x100 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x71/0x79

Memory state around the buggy address:
 ffff88810fb54b80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff88810fb54c00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
>ffff88810fb54c80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
                      ^
 ffff88810fb54d00: 00 00 00 00 00 00 00 00 03 fc fc fc fc fc fc fc
 ffff88810fb54d80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
==================================================================