RAX: ffffffffffffffda RBX: 00007f3c6e6a1f60 RCX: 00007f3c6e58f0e9 RDX: 0000000000000000 RSI: 0000000000004c80 RDI: 0000000000000003 RBP: 00007f3c6e5051d0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002 R13: 00007ffce774604f R14: 00007f3c6e505300 R15: 0000000000022000 ---[ end trace b283e9c563a2f98a ]--- ================================================================== BUG: KASAN: use-after-free in blk_mq_run_hw_queues+0x298/0x450 block/blk-mq.c:1704 Read of size 8 at addr ffff88810b78c050 by task syz-executor.0/411 CPU: 0 PID: 411 Comm: syz-executor.0 Tainted: G W 5.10.117-syzkaller-986967-g0974b8411a58-dirty #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118 print_address_description+0x81/0x3c0 mm/kasan/report.c:233 __kasan_report mm/kasan/report.c:419 [inline] kasan_report+0x1a4/0x1f0 mm/kasan/report.c:436 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:309 blk_mq_run_hw_queues+0x298/0x450 block/blk-mq.c:1704 blk_freeze_queue_start+0xad/0xe0 block/blk-mq.c:143 blk_set_queue_dying block/blk-core.c:357 [inline] blk_cleanup_queue+0x88/0x210 block/blk-core.c:384 loop_add+0x613/0x840 drivers/block/loop.c:2179 loop_control_ioctl+0x564/0x740 drivers/block/loop.c:2298 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl+0x115/0x190 fs/ioctl.c:739 __x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739 do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x7f3c6e58f0e9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f3c6e505168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f3c6e6a1f60 RCX: 00007f3c6e58f0e9 RDX: 0000000000000000 RSI: 0000000000004c80 RDI: 0000000000000003 RBP: 00007f3c6e5051d0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002 R13: 00007ffce774604f R14: 00007f3c6e505300 R15: 0000000000022000 Allocated by task 411: kasan_save_stack mm/kasan/common.c:38 [inline] kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:428 [inline] ____kasan_kmalloc+0xdc/0x110 mm/kasan/common.c:507 __kasan_kmalloc+0x9/0x10 mm/kasan/common.c:516 kasan_kmalloc include/linux/kasan.h:269 [inline] __kmalloc+0x1f7/0x360 mm/slub.c:4042 __kmalloc_node include/linux/slab.h:418 [inline] kmalloc_array_node include/linux/slab.h:627 [inline] kcalloc_node include/linux/slab.h:632 [inline] blk_mq_realloc_hw_ctxs+0xca/0x1840 block/blk-mq.c:3241 blk_mq_init_allocated_queue+0x41a/0x1a30 block/blk-mq.c:3331 blk_mq_init_queue_data block/blk-mq.c:3150 [inline] blk_mq_init_queue+0x6c/0xc0 block/blk-mq.c:3160 loop_add+0x284/0x840 drivers/block/loop.c:2115 loop_control_ioctl+0x564/0x740 drivers/block/loop.c:2298 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl+0x115/0x190 fs/ioctl.c:739 __x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739 do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Freed by task 411: kasan_save_stack mm/kasan/common.c:38 [inline] kasan_set_track+0x4c/0x80 mm/kasan/common.c:46 kasan_set_free_info+0x23/0x40 mm/kasan/generic.c:357 ____kasan_slab_free+0x121/0x160 mm/kasan/common.c:360 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:368 kasan_slab_free include/linux/kasan.h:235 [inline] slab_free_hook mm/slub.c:1604 [inline] slab_free_freelist_hook+0xcc/0x1a0 mm/slub.c:1630 slab_free mm/slub.c:3212 [inline] kfree+0xc3/0x290 mm/slub.c:4200 blk_mq_release+0x2d0/0x310 block/blk-mq.c:3127 blk_release_queue+0x314/0x430 block/blk-sysfs.c:808 kobject_cleanup lib/kobject.c:705 [inline] kobject_release lib/kobject.c:736 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x163/0x240 lib/kobject.c:753 blk_put_queue+0x19/0x20 block/blk-core.c:344 disk_release+0x231/0x2a0 block/genhd.c:1568 device_release+0x9c/0x1d0 drivers/base/core.c:2114 kobject_cleanup lib/kobject.c:705 [inline] kobject_release lib/kobject.c:736 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x163/0x240 lib/kobject.c:753 put_disk+0x23/0x30 block/genhd.c:1816 loop_add+0x5e6/0x840 drivers/block/loop.c:2177 loop_control_ioctl+0x564/0x740 drivers/block/loop.c:2298 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl+0x115/0x190 fs/ioctl.c:739 __x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739 do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The buggy address belongs to the object at ffff88810b78c050 which belongs to the cache kmalloc-8 of size 8 The buggy address is located 0 bytes inside of 8-byte region [ffff88810b78c050, ffff88810b78c058) The buggy address belongs to the page: page:ffffea00042de300 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10b78c flags: 0x8000000000000200(slab) raw: 8000000000000200 ffffea00042de200 0000001900000019 ffff888100043c80 raw: 0000000000000000 0000000080660066 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 2728514769, free_ts 0 set_page_owner include/linux/page_owner.h:35 [inline] post_alloc_hook mm/page_alloc.c:2385 [inline] prep_new_page mm/page_alloc.c:2391 [inline] get_page_from_freelist+0x745/0x760 mm/page_alloc.c:4067 __alloc_pages_nodemask+0x3b6/0x890 mm/page_alloc.c:5117 alloc_slab_page mm/slub.c:1815 [inline] allocate_slab+0x78/0x540 mm/slub.c:1817 new_slab mm/slub.c:1878 [inline] new_slab_objects mm/slub.c:2637 [inline] ___slab_alloc+0x131/0x2e0 mm/slub.c:2800 __slab_alloc+0x63/0xa0 mm/slub.c:2840 slab_alloc_node mm/slub.c:2922 [inline] slab_alloc mm/slub.c:2964 [inline] __kmalloc_track_caller+0x23e/0x350 mm/slub.c:4545 kstrdup+0x34/0x70 mm/util.c:63 get_permissions_callback+0x43/0xa0 security/selinux/ss/services.c:3427 hashtab_map+0x100/0x200 security/selinux/ss/hashtab.c:96 security_get_permissions+0x10d/0x380 security/selinux/ss/services.c:3458 sel_make_perm_files security/selinux/selinuxfs.c:1872 [inline] sel_make_class_dir_entries security/selinux/selinuxfs.c:1933 [inline] sel_make_classes security/selinux/selinuxfs.c:1964 [inline] sel_make_policy_nodes+0xfc5/0x1b40 security/selinux/selinuxfs.c:571 sel_write_load+0x38c/0x540 security/selinux/selinuxfs.c:651 vfs_write+0x369/0xf40 fs/read_write.c:603 ksys_write+0x198/0x2c0 fs/read_write.c:658 __do_sys_write fs/read_write.c:670 [inline] __se_sys_write fs/read_write.c:667 [inline] __x64_sys_write+0x7b/0x90 fs/read_write.c:667 do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46 page_owner free stack trace missing Memory state around the buggy address: ffff88810b78bf00: fc fc fc fc 00 00 00 00 00 00 00 fc fc fc fc 00 ffff88810b78bf80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc >ffff88810b78c000: 00 fc fc fc fc 00 fc fc fc fc fa fc fc fc fc fa ^ ffff88810b78c080: fc fc fc fc 00 fc fc fc fc 00 fc fc fc fc fa fc ffff88810b78c100: fc fc fc 00 fc fc fc fc 00 fc fc fc fc fa fc fc ================================================================== ------------[ cut here ]------------ refcount_t: underflow; use-after-free. WARNING: CPU: 0 PID: 411 at lib/refcount.c:28 refcount_warn_saturate+0x165/0x1b0 lib/refcount.c:28 Modules linked in: CPU: 0 PID: 411 Comm: syz-executor.0 Tainted: G B W 5.10.117-syzkaller-986967-g0974b8411a58-dirty #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:refcount_warn_saturate+0x165/0x1b0 lib/refcount.c:28 Code: c7 20 be 43 85 31 c0 e8 39 22 f2 fe 0f 0b eb 83 e8 d0 e7 1f ff c6 05 5d 6c 0f 04 01 48 c7 c7 80 be 43 85 31 c0 e8 1b 22 f2 fe <0f> 0b e9 62 ff ff ff e8 af e7 1f ff c6 05 3d 6c 0f 04 01 48 c7 c7 RSP: 0018:ffffc90000c87ca0 EFLAGS: 00010246 RAX: cf2493813e566600 RBX: 0000000000000003 RCX: ffff88810c560000 RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000 RBP: ffffc90000c87cb0 R08: ffffffff8153a998 R09: ffffed103ee44e83 R10: ffffed103ee44e83 R11: 1ffff1103ee44e82 R12: ffff88810a85e010 R13: ffff88810a85e048 R14: 0000000000000003 R15: dffffc0000000000 FS: 00007f3c6e505700(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000556182e1e858 CR3: 000000010d649000 CR4: 00000000003506b0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __refcount_sub_and_test include/linux/refcount.h:283 [inline] __refcount_dec_and_test include/linux/refcount.h:315 [inline] refcount_dec_and_test include/linux/refcount.h:333 [inline] kref_put include/linux/kref.h:64 [inline] kobject_put+0x206/0x240 lib/kobject.c:753 blk_put_queue block/blk-core.c:344 [inline] blk_cleanup_queue+0x1ec/0x210 block/blk-core.c:426 loop_add+0x613/0x840 drivers/block/loop.c:2179 loop_control_ioctl+0x564/0x740 drivers/block/loop.c:2298 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl+0x115/0x190 fs/ioctl.c:739 __x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:739 do_syscall_64+0x34/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x7f3c6e58f0e9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f3c6e505168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f3c6e6a1f60 RCX: 00007f3c6e58f0e9 RDX: 0000000000000000 RSI: 0000000000004c80 RDI: 0000000000000003 RBP: 00007f3c6e5051d0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002 R13: 00007ffce774604f R14: 00007f3c6e505300 R15: 0000000000022000 ---[ end trace b283e9c563a2f98b ]---